projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove receive code that has been superceded
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
b191e031 60bool disable_ertm = 1;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
ba3bd0ee 385 chan->ops->close(chan->data);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
469 default:
0139418c 470 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 471 chan->scid = L2CAP_CID_SIGNALING;
472 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 473 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 474 }
475
8f7975b1
AE		 476 chan->local_id = L2CAP_BESTEFFORT_ID;
477 chan->local_stype = L2CAP_SERV_BESTEFFORT;
478 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
479 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
480 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
481 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
482
371fd835 483 l2cap_chan_hold(chan);
baa7e1fa 484
3df91ea2 485 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 486}
487
14a28491 488static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 489{
490 mutex_lock(&conn->chan_lock);
491 __l2cap_chan_add(conn, chan);
3df91ea2 492 mutex_unlock(&conn->chan_lock);
0139418c
MH		 493}
494
4519de9a 495static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 496{
48454079 497 struct sock *sk = chan->sk;
8c1d787b 498 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 499 struct sock *parent = bt_sk(sk)->parent;
500
c9b66675 501 __clear_chan_timer(chan);
0139418c 502
49208c9c 503 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 504
8e87d142 505 if (conn) {
baa7e1fa 506 /* Delete from channel list */
3df91ea2 507 list_del(&chan->list);
3d57dc68 508
371fd835 509 l2cap_chan_put(chan);
baa7e1fa 510
8c1d787b 511 chan->conn = NULL;
0139418c
MH		 512 hci_conn_put(conn->hcon);
513 }
514
6be36555
AE		 515 lock_sock(sk);
516
0e587be7 517 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 518 sock_set_flag(sk, SOCK_ZAPPED);
519
520 if (err)
2e0052e4 521 __l2cap_chan_set_err(chan, err);
0139418c
MH		 522
523 if (parent) {
524 bt_accept_unlink(sk);
525 parent->sk_data_ready(parent, 0);
526 } else
527 sk->sk_state_change(sk);
c13ffa62 528
6be36555
AE		 529 release_sock(sk);
530
2827011f 531 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 532 return;
2ead70b8 533
58d35f87 534 skb_queue_purge(&chan->tx_q);
c13ffa62 535
0c1bc5c6 536 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 537 __clear_retrans_timer(chan);
538 __clear_monitor_timer(chan);
539 __clear_ack_timer(chan);
c13ffa62 540
f1c6775b 541 skb_queue_purge(&chan->srej_q);
c13ffa62 542
3c588192
MM		 543 l2cap_seq_list_free(&chan->srej_list);
544 l2cap_seq_list_free(&chan->retrans_list);
c13ffa62 545 }
0139418c
MH		 546}
547
4519de9a
GP		 548static void l2cap_chan_cleanup_listen(struct sock *parent)
549{
550 struct sock *sk;
551
552 BT_DBG("parent %p", parent);
553
554 /* Close not yet accepted channels */
0f852724 555 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 556 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 557
6be36555 558 l2cap_chan_lock(chan);
c9b66675 559 __clear_chan_timer(chan);
ba3bd0ee 560 l2cap_chan_close(chan, ECONNRESET);
6be36555 561 l2cap_chan_unlock(chan);
3df91ea2 562
ba3bd0ee 563 chan->ops->close(chan->data);
0f852724 564 }
4519de9a
GP		 565}
566
0f852724 567void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 568{
569 struct l2cap_conn *conn = chan->conn;
570 struct sock *sk = chan->sk;
571
e05dcc32
AE		 572 BT_DBG("chan %p state %s sk %p", chan,
573 state_to_string(chan->state), sk);
4519de9a 574
89bc500e 575 switch (chan->state) {
4519de9a 576 case BT_LISTEN:
6be36555 577 lock_sock(sk);
4519de9a 578 l2cap_chan_cleanup_listen(sk);
89bc500e 579
0e587be7 580 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 581 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 582 release_sock(sk);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
610 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
6be36555 624 lock_sock(sk);
4519de9a 625 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 626 release_sock(sk);
4519de9a
GP		 627 break;
628 }
629}
630
4343478f 631static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 632{
715ec005 633 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 634 switch (chan->sec_level) {
8556edd3
JH		 635 case BT_SECURITY_HIGH:
636 return HCI_AT_DEDICATED_BONDING_MITM;
637 case BT_SECURITY_MEDIUM:
638 return HCI_AT_DEDICATED_BONDING;
639 default:
640 return HCI_AT_NO_BONDING;
641 }
fe4128e0 642 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 643 if (chan->sec_level == BT_SECURITY_LOW)
644 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 645
4343478f 646 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 647 return HCI_AT_NO_BONDING_MITM;
00ae4af9 648 else
8556edd3 649 return HCI_AT_NO_BONDING;
00ae4af9 650 } else {
4343478f 651 switch (chan->sec_level) {
00ae4af9 652 case BT_SECURITY_HIGH:
8556edd3 653 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 654 case BT_SECURITY_MEDIUM:
8556edd3 655 return HCI_AT_GENERAL_BONDING;
00ae4af9 656 default:
8556edd3 657 return HCI_AT_NO_BONDING;
00ae4af9 658 }
0684e5f9 659 }
8556edd3
JH		 660}
661
662/* Service level security */
d45fc423 663int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 664{
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 666 __u8 auth_type;
667
4343478f 668 auth_type = l2cap_get_auth_type(chan);
79d554a6 669
4343478f 670 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 671}
672
b5ad8b7f 673static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 674{
675 u8 id;
676
677 /* Get next available identificator.
678 * 1 - 128 are used by kernel.
679 * 129 - 199 are reserved.
680 * 200 - 254 are used by utilities like l2ping, etc.
681 */
682
333055f2 683 spin_lock(&conn->lock);
4e8402a3
MH		 684
685 if (++conn->tx_ident > 128)
686 conn->tx_ident = 1;
687
688 id = conn->tx_ident;
689
333055f2 690 spin_unlock(&conn->lock);
4e8402a3
MH		 691
692 return id;
693}
694
4519de9a 695static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 696{
697 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 698 u8 flags;
4e8402a3
MH		 699
700 BT_DBG("code 0x%2.2x", code);
701
702 if (!skb)
9a9c6a34 703 return;
4e8402a3 704
e702112f
AE		 705 if (lmp_no_flush_capable(conn->hcon->hdev))
706 flags = ACL_START_NO_FLUSH;
707 else
708 flags = ACL_START;
709
14b12d0b 710 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 711 skb->priority = HCI_PRIO_MAX;
14b12d0b 712
73d80deb
LAD		 713 hci_send_acl(conn->hchan, skb, flags);
714}
715
716static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
717{
718 struct hci_conn *hcon = chan->conn->hcon;
719 u16 flags;
720
721 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
722 skb->priority);
723
724 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
725 lmp_no_flush_capable(hcon->hdev))
726 flags = ACL_START_NO_FLUSH;
727 else
728 flags = ACL_START;
14b12d0b 729
73d80deb
LAD		 730 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
731 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 732}
733
b76bbd66
MM		 734static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
735{
736 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
737 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
738
739 if (enh & L2CAP_CTRL_FRAME_TYPE) {
740 /* S-Frame */
741 control->sframe = 1;
742 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
743 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
744
745 control->sar = 0;
746 control->txseq = 0;
747 } else {
748 /* I-Frame */
749 control->sframe = 0;
750 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
751 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
752
753 control->poll = 0;
754 control->super = 0;
755 }
756}
757
b76bbd66
MM		 758static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
759{
760 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
761 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
762
763 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
764 /* S-Frame */
765 control->sframe = 1;
766 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
767 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
768
769 control->sar = 0;
770 control->txseq = 0;
771 } else {
772 /* I-Frame */
773 control->sframe = 0;
774 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
775 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
776
777 control->poll = 0;
778 control->super = 0;
779 }
780}
781
782static inline void __unpack_control(struct l2cap_chan *chan,
783 struct sk_buff *skb)
784{
785 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
786 __unpack_extended_control(get_unaligned_le32(skb->data),
787 &bt_cb(skb)->control);
cec8ab6e 788 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 789 } else {
790 __unpack_enhanced_control(get_unaligned_le16(skb->data),
791 &bt_cb(skb)->control);
cec8ab6e 792 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 793 }
794}
795
b5c6aaed
MM		 796static u32 __pack_extended_control(struct l2cap_ctrl *control)
797{
798 u32 packed;
799
800 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
801 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
802
803 if (control->sframe) {
804 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
805 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
806 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
807 } else {
808 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
809 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
810 }
811
812 return packed;
813}
814
815static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
816{
817 u16 packed;
818
819 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
820 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
821
822 if (control->sframe) {
823 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
824 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
825 packed |= L2CAP_CTRL_FRAME_TYPE;
826 } else {
827 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
828 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
829 }
830
831 return packed;
832}
833
b76bbd66
MM		 834static inline void __pack_control(struct l2cap_chan *chan,
835 struct l2cap_ctrl *control,
836 struct sk_buff *skb)
837{
838 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
839 put_unaligned_le32(__pack_extended_control(control),
840 skb->data + L2CAP_HDR_SIZE);
841 } else {
842 put_unaligned_le16(__pack_enhanced_control(control),
843 skb->data + L2CAP_HDR_SIZE);
844 }
845}
846
a67d7f6f
MM		 847static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
848 u32 control)
b5c6aaed
MM		 849{
850 struct sk_buff *skb;
851 struct l2cap_hdr *lh;
a67d7f6f 852 int hlen;
b5c6aaed
MM		 853
854 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
855 hlen = L2CAP_EXT_HDR_SIZE;
856 else
857 hlen = L2CAP_ENH_HDR_SIZE;
858
859 if (chan->fcs == L2CAP_FCS_CRC16)
860 hlen += L2CAP_FCS_SIZE;
861
a67d7f6f 862 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 863
b5c6aaed 864 if (!skb)
a67d7f6f 865 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
a67d7f6f
MM		 871 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
872 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
873 else
874 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 875
876 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 877 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 878 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
879 }
880
881 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 882 return skb;
883}
884
885static void l2cap_send_sframe(struct l2cap_chan *chan,
886 struct l2cap_ctrl *control)
887{
888 struct sk_buff *skb;
889 u32 control_field;
890
891 BT_DBG("chan %p, control %p", chan, control);
892
893 if (!control->sframe)
894 return;
895
896 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
897 !control->poll)
898 control->final = 1;
899
900 if (control->super == L2CAP_SUPER_RR)
901 clear_bit(CONN_RNR_SENT, &chan->conn_state);
902 else if (control->super == L2CAP_SUPER_RNR)
903 set_bit(CONN_RNR_SENT, &chan->conn_state);
904
905 if (control->super != L2CAP_SUPER_SREJ) {
906 chan->last_acked_seq = control->reqseq;
907 __clear_ack_timer(chan);
908 }
909
910 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
911 control->final, control->poll, control->super);
912
913 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
914 control_field = __pack_extended_control(control);
915 else
916 control_field = __pack_enhanced_control(control);
917
918 skb = l2cap_create_sframe_pdu(chan, control_field);
919 if (!IS_ERR(skb))
920 l2cap_do_send(chan, skb);
b5c6aaed
MM		 921}
922
923static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
924{
925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
926 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
927 set_bit(CONN_RNR_SENT, &chan->conn_state);
928 } else
929 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
930
931 control |= __set_reqseq(chan, chan->buffer_seq);
b5c6aaed
MM		 932}
933
b4450035 934static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 935{
c1360a1c 936 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 937}
938
9b27f350
AE		 939static void l2cap_send_conn_req(struct l2cap_chan *chan)
940{
941 struct l2cap_conn *conn = chan->conn;
942 struct l2cap_conn_req req;
943
944 req.scid = cpu_to_le16(chan->scid);
945 req.psm = chan->psm;
946
947 chan->ident = l2cap_get_ident(conn);
948
949 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
950
951 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
952}
953
9f0caeb1
VCG		 954static void l2cap_chan_ready(struct l2cap_chan *chan)
955{
956 struct sock *sk = chan->sk;
957 struct sock *parent;
958
959 lock_sock(sk);
960
961 parent = bt_sk(sk)->parent;
962
963 BT_DBG("sk %p, parent %p", sk, parent);
964
2827011f 965 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 966 chan->conf_state = 0;
967 __clear_chan_timer(chan);
968
969 __l2cap_state_change(chan, BT_CONNECTED);
970 sk->sk_state_change(sk);
971
972 if (parent)
973 parent->sk_data_ready(parent, 0);
974
975 release_sock(sk);
976}
977
fc7f8a7e 978static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 979{
8c1d787b 980 struct l2cap_conn *conn = chan->conn;
79d554a6 981
9f0caeb1
VCG		 982 if (conn->hcon->type == LE_LINK) {
983 l2cap_chan_ready(chan);
984 return;
985 }
986
79d554a6 987 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 988 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
989 return;
990
d45fc423 991 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 992 __l2cap_no_conn_pending(chan))
993 l2cap_send_conn_req(chan);
79d554a6
MH		 994 } else {
995 struct l2cap_info_req req;
996 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
997
998 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
999 conn->info_ident = l2cap_get_ident(conn);
1000
ba13ccd9 1001 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1002
1003 l2cap_send_cmd(conn, conn->info_ident,
1004 L2CAP_INFO_REQ, sizeof(req), &req);
1005 }
1006}
1007
cf6c2c0b
GP		 1008static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1009{
1010 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1011 if (!disable_ertm)
cf6c2c0b
GP		 1012 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1013
1014 switch (mode) {
1015 case L2CAP_MODE_ERTM:
1016 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1017 case L2CAP_MODE_STREAMING:
1018 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1019 default:
1020 return 0x00;
1021 }
1022}
1023
4519de9a 1024static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1025{
6be36555 1026 struct sock *sk = chan->sk;
22121fc9
GP		 1027 struct l2cap_disconn_req req;
1028
c13ffa62
GP		 1029 if (!conn)
1030 return;
1031
0c1bc5c6 1032 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1033 __clear_retrans_timer(chan);
1034 __clear_monitor_timer(chan);
1035 __clear_ack_timer(chan);
c13ffa62
GP		 1036 }
1037
fe4128e0
GP		 1038 req.dcid = cpu_to_le16(chan->dcid);
1039 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1040 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1041 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1042
6be36555 1043 lock_sock(sk);
0e587be7 1044 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1045 __l2cap_chan_set_err(chan, err);
6be36555 1046 release_sock(sk);
22121fc9
GP		 1047}
1048
1da177e4 1049/* ---- L2CAP connections ---- */
4e8402a3
MH		 1050static void l2cap_conn_start(struct l2cap_conn *conn)
1051{
3df91ea2 1052 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1053
1054 BT_DBG("conn %p", conn);
1055
3df91ea2 1056 mutex_lock(&conn->chan_lock);
4e8402a3 1057
3df91ea2 1058 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1059 struct sock *sk = chan->sk;
baa7e1fa 1060
6be36555 1061 l2cap_chan_lock(chan);
4e8402a3 1062
715ec005 1063 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1064 l2cap_chan_unlock(chan);
79d554a6
MH		 1065 continue;
1066 }
1067
89bc500e 1068 if (chan->state == BT_CONNECT) {
d45fc423 1069 if (!l2cap_chan_check_security(chan) ||
b4450035 1070 !__l2cap_no_conn_pending(chan)) {
6be36555 1071 l2cap_chan_unlock(chan);
47731de7
GP		 1072 continue;
1073 }
79d554a6 1074
c1360a1c
GP		 1075 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1076 && test_bit(CONF_STATE2_DEVICE,
1077 &chan->conf_state)) {
89bc500e 1078 l2cap_chan_close(chan, ECONNRESET);
6be36555 1079 l2cap_chan_unlock(chan);
47731de7 1080 continue;
b1235d79 1081 }
47731de7 1082
9b27f350 1083 l2cap_send_conn_req(chan);
47731de7 1084
89bc500e 1085 } else if (chan->state == BT_CONNECT2) {
79d554a6 1086 struct l2cap_conn_rsp rsp;
e9aeb2dd 1087 char buf[128];
fe4128e0
GP		 1088 rsp.scid = cpu_to_le16(chan->dcid);
1089 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1090
d45fc423 1091 if (l2cap_chan_check_security(chan)) {
6be36555 1092 lock_sock(sk);
c5daa683
GP		 1093 if (test_bit(BT_SK_DEFER_SETUP,
1094 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1095 struct sock *parent = bt_sk(sk)->parent;
1096 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1097 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1098 if (parent)
1099 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1100
1101 } else {
0e587be7 1102 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1103 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1104 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1105 }
6be36555 1106 release_sock(sk);
79d554a6
MH		 1107 } else {
1108 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1109 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1110 }
1111
fc7f8a7e
GP		 1112 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1113 sizeof(rsp), &rsp);
e9aeb2dd 1114
c1360a1c 1115 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1116 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1117 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1118 continue;
1119 }
1120
c1360a1c 1121 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1122 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1123 l2cap_build_conf_req(chan, buf), buf);
1124 chan->num_conf_req++;
4e8402a3
MH		 1125 }
1126
6be36555 1127 l2cap_chan_unlock(chan);
4e8402a3
MH		 1128 }
1129
3df91ea2 1130 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1131}
1132
c2287681 1133/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1134 * Returns closest match, locked.
1135 */
d9b88702 1136static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1137 bdaddr_t *src,
1138 bdaddr_t *dst)
b62f328b 1139{
23691d75 1140 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1141
23691d75 1142 read_lock(&chan_list_lock);
b62f328b 1143
23691d75
GP		 1144 list_for_each_entry(c, &chan_list, global_l) {
1145 struct sock *sk = c->sk;
fe4128e0 1146
89bc500e 1147 if (state && c->state != state)
b62f328b
VT		 1148 continue;
1149
23691d75 1150 if (c->scid == cid) {
c2287681
IY		 1151 int src_match, dst_match;
1152 int src_any, dst_any;
1153
b62f328b 1154 /* Exact match. */
c2287681
IY		 1155 src_match = !bacmp(&bt_sk(sk)->src, src);
1156 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1157 if (src_match && dst_match) {
23691d75
GP		 1158 read_unlock(&chan_list_lock);
1159 return c;
1160 }
b62f328b
VT		 1161
1162 /* Closest match */
c2287681
IY		 1163 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1164 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1165 if ((src_match && dst_any) || (src_any && dst_match) ||
1166 (src_any && dst_any))
23691d75 1167 c1 = c;
b62f328b
VT		 1168 }
1169 }
280f294f 1170
23691d75 1171 read_unlock(&chan_list_lock);
b62f328b 1172
23691d75 1173 return c1;
b62f328b
VT		 1174}
1175
1176static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1177{
c916fbe4 1178 struct sock *parent, *sk;
23691d75 1179 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1180
1181 BT_DBG("");
1182
1183 /* Check if we have socket listening on cid */
23691d75 1184 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1185 conn->src, conn->dst);
23691d75 1186 if (!pchan)
b62f328b
VT		 1187 return;
1188
23691d75
GP		 1189 parent = pchan->sk;
1190
aa2ac881 1191 lock_sock(parent);
62f3a2cf 1192
b62f328b
VT		 1193 /* Check for backlog size */
1194 if (sk_acceptq_is_full(parent)) {
1195 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1196 goto clean;
1197 }
1198
80808e43
GP		 1199 chan = pchan->ops->new_connection(pchan->data);
1200 if (!chan)
b62f328b
VT		 1201 goto clean;
1202
80808e43 1203 sk = chan->sk;
5d41ce1d 1204
b62f328b
VT		 1205 hci_conn_hold(conn->hcon);
1206
b62f328b
VT		 1207 bacpy(&bt_sk(sk)->src, conn->src);
1208 bacpy(&bt_sk(sk)->dst, conn->dst);
1209
d1010240
GP		 1210 bt_accept_enqueue(parent, sk);
1211
3d57dc68 1212 l2cap_chan_add(conn, chan);
48454079 1213
c9b66675 1214 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1215
0e587be7 1216 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1217 parent->sk_data_ready(parent, 0);
1218
b62f328b 1219clean:
aa2ac881 1220 release_sock(parent);
b62f328b
VT		 1221}
1222
4e8402a3
MH		 1223static void l2cap_conn_ready(struct l2cap_conn *conn)
1224{
48454079 1225 struct l2cap_chan *chan;
4e8402a3 1226
79d554a6 1227 BT_DBG("conn %p", conn);
4e8402a3 1228
b62f328b
VT		 1229 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1230 l2cap_le_conn_ready(conn);
1231
160dc6ac
VCG		 1232 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1233 smp_conn_security(conn, conn->hcon->pending_sec_level);
1234
3df91ea2 1235 mutex_lock(&conn->chan_lock);
4e8402a3 1236
3df91ea2 1237 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1238
6be36555 1239 l2cap_chan_lock(chan);
4e8402a3 1240
63128451 1241 if (conn->hcon->type == LE_LINK) {
b501d6a1 1242 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1243 l2cap_chan_ready(chan);
acd7d370 1244
63128451 1245 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1246 struct sock *sk = chan->sk;
c9b66675 1247 __clear_chan_timer(chan);
6be36555 1248 lock_sock(sk);
0e587be7 1249 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1250 sk->sk_state_change(sk);
6be36555 1251 release_sock(sk);
b501d6a1 1252
89bc500e 1253 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1254 l2cap_do_start(chan);
4e8402a3 1255
6be36555 1256 l2cap_chan_unlock(chan);
4e8402a3 1257 }
79d554a6 1258
3df91ea2 1259 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1260}
1261
1262/* Notify sockets that we cannot guaranty reliability anymore */
1263static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1264{
48454079 1265 struct l2cap_chan *chan;
4e8402a3
MH		 1266
1267 BT_DBG("conn %p", conn);
1268
3df91ea2 1269 mutex_lock(&conn->chan_lock);
4e8402a3 1270
3df91ea2 1271 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1272 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1273 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1274 }
1275
3df91ea2 1276 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1277}
1278
f878fcad 1279static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1280{
f878fcad 1281 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1282 info_timer.work);
4e8402a3 1283
984947dc 1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1285 conn->info_ident = 0;
984947dc 1286
4e8402a3
MH		 1287 l2cap_conn_start(conn);
1288}
1289
5d3de7df
VCG		 1290static void l2cap_conn_del(struct hci_conn *hcon, int err)
1291{
1292 struct l2cap_conn *conn = hcon->l2cap_data;
1293 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1294
1295 if (!conn)
1296 return;
1297
1298 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1299
1300 kfree_skb(conn->rx_skb);
1301
3df91ea2
AE		 1302 mutex_lock(&conn->chan_lock);
1303
5d3de7df
VCG		 1304 /* Kill channels */
1305 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1306 l2cap_chan_hold(chan);
6be36555
AE		 1307 l2cap_chan_lock(chan);
1308
5d3de7df 1309 l2cap_chan_del(chan, err);
6be36555
AE		 1310
1311 l2cap_chan_unlock(chan);
1312
5d3de7df 1313 chan->ops->close(chan->data);
61d6ef3e 1314 l2cap_chan_put(chan);
5d3de7df
VCG		 1315 }
1316
3df91ea2
AE		 1317 mutex_unlock(&conn->chan_lock);
1318
73d80deb
LAD		 1319 hci_chan_del(conn->hchan);
1320
5d3de7df 1321 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1322 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1323
51a8efd7 1324 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1325 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1326 smp_chan_destroy(conn);
d26a2345 1327 }
5d3de7df
VCG		 1328
1329 hcon->l2cap_data = NULL;
1330 kfree(conn);
1331}
1332
6c9d42a1 1333static void security_timeout(struct work_struct *work)
5d3de7df 1334{
6c9d42a1
GP		 1335 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1336 security_timer.work);
5d3de7df
VCG		 1337
1338 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1339}
1340
1da177e4
LT		 1341static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1342{
0139418c 1343 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1344 struct hci_chan *hchan;
1da177e4 1345
0139418c 1346 if (conn || status)
1da177e4
LT		 1347 return conn;
1348
73d80deb
LAD		 1349 hchan = hci_chan_create(hcon);
1350 if (!hchan)
1351 return NULL;
1352
0139418c 1353 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1354 if (!conn) {
1355 hci_chan_del(hchan);
1da177e4 1356 return NULL;
73d80deb 1357 }
1da177e4
LT		 1358
1359 hcon->l2cap_data = conn;
1360 conn->hcon = hcon;
73d80deb 1361 conn->hchan = hchan;
1da177e4 1362
73d80deb 1363 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1364
acd7d370
VT		 1365 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1366 conn->mtu = hcon->hdev->le_mtu;
1367 else
1368 conn->mtu = hcon->hdev->acl_mtu;
1369
1da177e4
LT		 1370 conn->src = &hcon->hdev->bdaddr;
1371 conn->dst = &hcon->dst;
1372
4e8402a3
MH		 1373 conn->feat_mask = 0;
1374
1da177e4 1375 spin_lock_init(&conn->lock);
3df91ea2 1376 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1377
1378 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1379
5d3de7df 1380 if (hcon->type == LE_LINK)
6c9d42a1 1381 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1382 else
030013d8 1383 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1384
9f5a0d7b 1385 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1386
1da177e4
LT		 1387 return conn;
1388}
1389
1da177e4 1390/* ---- Socket interface ---- */
1da177e4 1391
c2287681 1392/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1393 * Returns closest match.
1394 */
c2287681
IY		 1395static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1396 bdaddr_t *src,
1397 bdaddr_t *dst)
1da177e4 1398{
23691d75 1399 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1400
23691d75 1401 read_lock(&chan_list_lock);
e0f0cb56 1402
23691d75
GP		 1403 list_for_each_entry(c, &chan_list, global_l) {
1404 struct sock *sk = c->sk;
fe4128e0 1405
89bc500e 1406 if (state && c->state != state)
1da177e4
LT		 1407 continue;
1408
23691d75 1409 if (c->psm == psm) {
c2287681
IY		 1410 int src_match, dst_match;
1411 int src_any, dst_any;
1412
1da177e4 1413 /* Exact match. */
c2287681
IY		 1414 src_match = !bacmp(&bt_sk(sk)->src, src);
1415 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1416 if (src_match && dst_match) {
a7567b20 1417 read_unlock(&chan_list_lock);
23691d75
GP		 1418 return c;
1419 }
1da177e4
LT		 1420
1421 /* Closest match */
c2287681
IY		 1422 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1423 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1424 if ((src_match && dst_any) || (src_any && dst_match) ||
1425 (src_any && dst_any))
23691d75 1426 c1 = c;
1da177e4
LT		 1427 }
1428 }
1da177e4 1429
23691d75 1430 read_unlock(&chan_list_lock);
e0f0cb56 1431
23691d75 1432 return c1;
1da177e4
LT		 1433}
1434
8e9f9892
AG		 1435int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1436 bdaddr_t *dst, u8 dst_type)
1da177e4 1437{
5d41ce1d 1438 struct sock *sk = chan->sk;
1da177e4 1439 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1440 struct l2cap_conn *conn;
1441 struct hci_conn *hcon;
1442 struct hci_dev *hdev;
09ab6f4c 1443 __u8 auth_type;
44d0e48e 1444 int err;
1da177e4 1445
8e9f9892
AG		 1446 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1447 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1448
af05b30b
GP		 1449 hdev = hci_get_route(dst, src);
1450 if (!hdev)
1da177e4
LT		 1451 return -EHOSTUNREACH;
1452
09fd0de5 1453 hci_dev_lock(hdev);
1da177e4 1454
6be36555 1455 l2cap_chan_lock(chan);
03a00194
GP		 1456
1457 /* PSM must be odd and lsb of upper byte must be 0 */
1458 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1459 chan->chan_type != L2CAP_CHAN_RAW) {
1460 err = -EINVAL;
1461 goto done;
1462 }
1463
1464 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1465 err = -EINVAL;
1466 goto done;
1467 }
1468
1469 switch (chan->mode) {
1470 case L2CAP_MODE_BASIC:
1471 break;
1472 case L2CAP_MODE_ERTM:
1473 case L2CAP_MODE_STREAMING:
1474 if (!disable_ertm)
1475 break;
1476 /* fall through */
1477 default:
1478 err = -ENOTSUPP;
1479 goto done;
1480 }
1481
6be36555
AE		 1482 lock_sock(sk);
1483
03a00194
GP		 1484 switch (sk->sk_state) {
1485 case BT_CONNECT:
1486 case BT_CONNECT2:
1487 case BT_CONFIG:
1488 /* Already connecting */
1489 err = 0;
6be36555 1490 release_sock(sk);
03a00194
GP		 1491 goto done;
1492
1493 case BT_CONNECTED:
1494 /* Already connected */
1495 err = -EISCONN;
6be36555 1496 release_sock(sk);
03a00194
GP		 1497 goto done;
1498
1499 case BT_OPEN:
1500 case BT_BOUND:
1501 /* Can connect */
1502 break;
1503
1504 default:
1505 err = -EBADFD;
6be36555 1506 release_sock(sk);
03a00194
GP		 1507 goto done;
1508 }
1509
1510 /* Set destination address and psm */
9219b2a0 1511 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1512
1513 release_sock(sk);
1514
03a00194
GP		 1515 chan->psm = psm;
1516 chan->dcid = cid;
1da177e4 1517
4343478f 1518 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1519
fe4128e0 1520 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1521 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1522 chan->sec_level, auth_type);
acd7d370 1523 else
8e9f9892 1524 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1525 chan->sec_level, auth_type);
acd7d370 1526
30e76272
VT		 1527 if (IS_ERR(hcon)) {
1528 err = PTR_ERR(hcon);
1da177e4 1529 goto done;
30e76272 1530 }
1da177e4
LT		 1531
1532 conn = l2cap_conn_add(hcon, 0);
1533 if (!conn) {
1534 hci_conn_put(hcon);
30e76272 1535 err = -ENOMEM;
1da177e4
LT		 1536 goto done;
1537 }
1538
9f0caeb1
VCG		 1539 if (hcon->type == LE_LINK) {
1540 err = 0;
1541
1542 if (!list_empty(&conn->chan_l)) {
1543 err = -EBUSY;
1544 hci_conn_put(hcon);
1545 }
1546
1547 if (err)
1548 goto done;
1549 }
1550
1da177e4
LT		 1551 /* Update source addr of the socket */
1552 bacpy(src, conn->src);
1553
6be36555 1554 l2cap_chan_unlock(chan);
48454079 1555 l2cap_chan_add(conn, chan);
6be36555 1556 l2cap_chan_lock(chan);
48454079 1557
6be36555 1558 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1559 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1560
1561 if (hcon->state == BT_CONNECTED) {
715ec005 1562 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1563 __clear_chan_timer(chan);
d45fc423 1564 if (l2cap_chan_check_security(chan))
6be36555 1565 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1566 } else
fc7f8a7e 1567 l2cap_do_start(chan);
1da177e4
LT		 1568 }
1569
30e76272
VT		 1570 err = 0;
1571
1da177e4 1572done:
6be36555 1573 l2cap_chan_unlock(chan);
09fd0de5 1574 hci_dev_unlock(hdev);
1da177e4
LT		 1575 hci_dev_put(hdev);
1576 return err;
1577}
1578
dcba0dba 1579int __l2cap_wait_ack(struct sock *sk)
6161c038 1580{
8c1d787b 1581 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1582 DECLARE_WAITQUEUE(wait, current);
1583 int err = 0;
1584 int timeo = HZ/5;
1585
2b0b05dd 1586 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1587 set_current_state(TASK_INTERRUPTIBLE);
1588 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1589 if (!timeo)
1590 timeo = HZ/5;
1591
1592 if (signal_pending(current)) {
1593 err = sock_intr_errno(timeo);
1594 break;
1595 }
1596
1597 release_sock(sk);
1598 timeo = schedule_timeout(timeo);
1599 lock_sock(sk);
a71a0cf4 1600 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1601
1602 err = sock_error(sk);
1603 if (err)
1604 break;
1605 }
1606 set_current_state(TASK_RUNNING);
2b0b05dd 1607 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1608 return err;
1609}
1610
721c4181 1611static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1612{
721c4181
GP		 1613 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1614 monitor_timer.work);
e90bac06 1615
525cd185 1616 BT_DBG("chan %p", chan);
0e98958d 1617
6be36555
AE		 1618 l2cap_chan_lock(chan);
1619
2c03a7a4 1620 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1621 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1622 l2cap_chan_unlock(chan);
8d7e1c7f 1623 l2cap_chan_put(chan);
e90bac06
GP		 1624 return;
1625 }
1626
6a026610 1627 chan->retry_count++;
1a09bcb9 1628 __set_monitor_timer(chan);
e90bac06 1629
525cd185 1630 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1631 l2cap_chan_unlock(chan);
8d7e1c7f 1632 l2cap_chan_put(chan);
e90bac06
GP		 1633}
1634
721c4181 1635static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1636{
721c4181
GP		 1637 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1638 retrans_timer.work);
e90bac06 1639
49208c9c 1640 BT_DBG("chan %p", chan);
0e98958d 1641
6be36555
AE		 1642 l2cap_chan_lock(chan);
1643
6a026610 1644 chan->retry_count = 1;
1a09bcb9 1645 __set_monitor_timer(chan);
e90bac06 1646
e2ab4353 1647 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1648
525cd185 1649 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1650
1651 l2cap_chan_unlock(chan);
8d7e1c7f 1652 l2cap_chan_put(chan);
e90bac06
GP		 1653}
1654
3733937d
MM		 1655static int l2cap_streaming_send(struct l2cap_chan *chan,
1656 struct sk_buff_head *skbs)
6840ed07 1657{
ccbb84af 1658 struct sk_buff *skb;
3733937d 1659 struct l2cap_ctrl *control;
6840ed07 1660
3733937d
MM		 1661 BT_DBG("chan %p, skbs %p", chan, skbs);
1662
1663 if (chan->state != BT_CONNECTED)
1664 return -ENOTCONN;
1665
1666 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1667
1668 while (!skb_queue_empty(&chan->tx_q)) {
1669
1670 skb = skb_dequeue(&chan->tx_q);
1671
1672 bt_cb(skb)->control.retries = 1;
1673 control = &bt_cb(skb)->control;
1674
1675 control->reqseq = 0;
1676 control->txseq = chan->next_tx_seq;
1677
1678 __pack_control(chan, control, skb);
6840ed07 1679
47d1ec61 1680 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1681 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1682 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1683 }
1684
4343478f 1685 l2cap_do_send(chan, skb);
6840ed07 1686
3733937d
MM		 1687 BT_DBG("Sent txseq %d", (int)control->txseq);
1688
836be934 1689 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1690 chan->frames_sent++;
6840ed07 1691 }
3733937d
MM		 1692
1693 return 0;
6840ed07
GP		 1694}
1695
67c9e840 1696static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1697{
1698 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1699 struct l2cap_ctrl *control;
1700 int sent = 0;
1701
1702 BT_DBG("chan %p", chan);
1c2acffb 1703
89bc500e 1704 if (chan->state != BT_CONNECTED)
c13ffa62 1705 return -ENOTCONN;
e90bac06 1706
94122bbe
MM		 1707 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1708 return 0;
1709
18a48e76
MM		 1710 while (chan->tx_send_head &&
1711 chan->unacked_frames < chan->remote_tx_win &&
1712 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1713
18a48e76 1714 skb = chan->tx_send_head;
e90bac06 1715
18a48e76
MM		 1716 bt_cb(skb)->control.retries = 1;
1717 control = &bt_cb(skb)->control;
95ffa978 1718
e2ab4353 1719 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1720 control->final = 1;
e2ab4353 1721
18a48e76
MM		 1722 control->reqseq = chan->buffer_seq;
1723 chan->last_acked_seq = chan->buffer_seq;
1724 control->txseq = chan->next_tx_seq;
1c2acffb 1725
18a48e76 1726 __pack_control(chan, control, skb);
e90bac06 1727
47d1ec61 1728 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1729 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1730 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1731 }
1732
18a48e76
MM		 1733 /* Clone after data has been modified. Data is assumed to be
1734 read-only (for locking purposes) on cloned sk_buffs.
1735 */
1736 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1737
18a48e76
MM		 1738 if (!tx_skb)
1739 break;
1c2acffb 1740
18a48e76 1741 __set_retrans_timer(chan);
836be934
AE		 1742
1743 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1744 chan->unacked_frames++;
6a026610 1745 chan->frames_sent++;
18a48e76 1746 sent++;
1c2acffb 1747
58d35f87
GP		 1748 if (skb_queue_is_last(&chan->tx_q, skb))
1749 chan->tx_send_head = NULL;
1c2acffb 1750 else
58d35f87 1751 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1752
1753 l2cap_do_send(chan, tx_skb);
1754 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1755 }
1756
18a48e76
MM		 1757 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1758 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1759
1760 return sent;
9e917af1
GP		 1761}
1762
525cd185 1763static int l2cap_retransmit_frames(struct l2cap_chan *chan)
dfc909be 1764{
dfc909be
GP		 1765 int ret;
1766
58d35f87
GP		 1767 if (!skb_queue_empty(&chan->tx_q))
1768 chan->tx_send_head = chan->tx_q.next;
dfc909be 1769
42e5c802 1770 chan->next_tx_seq = chan->expected_ack_seq;
525cd185 1771 ret = l2cap_ertm_send(chan);
dfc909be
GP		 1772 return ret;
1773}
1774
b17e73bb 1775static void __l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1776{
88843ab0 1777 u32 control = 0;
9e917af1 1778
0b209fae 1779 control |= __set_reqseq(chan, chan->buffer_seq);
9e917af1 1780
e2ab4353 1781 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 1782 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 1783 set_bit(CONN_RNR_SENT, &chan->conn_state);
9a9c6a34 1784 return;
9e917af1 1785 }
dfc909be 1786
525cd185 1787 if (l2cap_ertm_send(chan) > 0)
dfc909be
GP		 1788 return;
1789
ab784b73 1790 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1c2acffb
GP		 1791}
1792
b17e73bb
SJ		 1793static void l2cap_send_ack(struct l2cap_chan *chan)
1794{
1795 __clear_ack_timer(chan);
1796 __l2cap_send_ack(chan);
1797}
1798
04124681
GP		 1799static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1800 struct msghdr *msg, int len,
1801 int count, struct sk_buff *skb)
1c2acffb 1802{
0952a57a 1803 struct l2cap_conn *conn = chan->conn;
1c2acffb 1804 struct sk_buff **frag;
90338947 1805 int sent = 0;
1da177e4 1806
59203a21 1807 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1808 return -EFAULT;
1da177e4
LT		 1809
1810 sent += count;
1811 len -= count;
1812
1813 /* Continuation fragments (no L2CAP header) */
1814 frag = &skb_shinfo(skb)->frag_list;
1815 while (len) {
fbe00700
GP		 1816 struct sk_buff *tmp;
1817
1da177e4
LT		 1818 count = min_t(unsigned int, conn->mtu, len);
1819
fbe00700
GP		 1820 tmp = chan->ops->alloc_skb(chan, count,
1821 msg->msg_flags & MSG_DONTWAIT);
1822 if (IS_ERR(tmp))
1823 return PTR_ERR(tmp);
1824
1825 *frag = tmp;
2f7719ce 1826
1c2acffb
GP		 1827 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1828 return -EFAULT;
1da177e4 1829
5e59b791
LAD		 1830 (*frag)->priority = skb->priority;
1831
1da177e4
LT		 1832 sent += count;
1833 len -= count;
1834
2d0ed3d5
GP		 1835 skb->len += (*frag)->len;
1836 skb->data_len += (*frag)->len;
1837
1da177e4
LT		 1838 frag = &(*frag)->next;
1839 }
1da177e4
LT		 1840
1841 return sent;
1c2acffb 1842}
1da177e4 1843
5e59b791
LAD		 1844static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1845 struct msghdr *msg, size_t len,
1846 u32 priority)
1c2acffb 1847{
8c1d787b 1848 struct l2cap_conn *conn = chan->conn;
1c2acffb 1849 struct sk_buff *skb;
03a51213 1850 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1851 struct l2cap_hdr *lh;
1852
6d5922b0 1853 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1854
1855 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1856
1857 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1858 msg->msg_flags & MSG_DONTWAIT);
1859 if (IS_ERR(skb))
1860 return skb;
1c2acffb 1861
5e59b791
LAD		 1862 skb->priority = priority;
1863
1c2acffb
GP		 1864 /* Create L2CAP header */
1865 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1866 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1867 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1868 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1869
0952a57a 1870 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1871 if (unlikely(err < 0)) {
1872 kfree_skb(skb);
1873 return ERR_PTR(err);
1874 }
1875 return skb;
1876}
1877
5e59b791
LAD		 1878static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1879 struct msghdr *msg, size_t len,
1880 u32 priority)
1c2acffb 1881{
8c1d787b 1882 struct l2cap_conn *conn = chan->conn;
1c2acffb 1883 struct sk_buff *skb;
f2ba7fae 1884 int err, count;
1c2acffb
GP		 1885 struct l2cap_hdr *lh;
1886
6d5922b0 1887 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1888
f2ba7fae 1889 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1890
f2ba7fae 1891 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1892 msg->msg_flags & MSG_DONTWAIT);
1893 if (IS_ERR(skb))
1894 return skb;
1c2acffb 1895
5e59b791
LAD		 1896 skb->priority = priority;
1897
1c2acffb
GP		 1898 /* Create L2CAP header */
1899 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1900 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1901 lh->len = cpu_to_le16(len);
1c2acffb 1902
0952a57a 1903 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1904 if (unlikely(err < 0)) {
1905 kfree_skb(skb);
1906 return ERR_PTR(err);
1907 }
1908 return skb;
1909}
1910
ab0ff76d
LAD		 1911static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1912 struct msghdr *msg, size_t len,
94122bbe 1913 u16 sdulen)
1c2acffb 1914{
8c1d787b 1915 struct l2cap_conn *conn = chan->conn;
1c2acffb 1916 struct sk_buff *skb;
e4ca6d98 1917 int err, count, hlen;
1c2acffb
GP		 1918 struct l2cap_hdr *lh;
1919
6d5922b0 1920 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1921
0ee0d208
GP		 1922 if (!conn)
1923 return ERR_PTR(-ENOTCONN);
1924
e4ca6d98
AE		 1925 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1926 hlen = L2CAP_EXT_HDR_SIZE;
1927 else
1928 hlen = L2CAP_ENH_HDR_SIZE;
1929
c74e560c 1930 if (sdulen)
03a51213 1931 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1932
47d1ec61 1933 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1934 hlen += L2CAP_FCS_SIZE;
fcc203c3 1935
1c2acffb 1936 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1937
1938 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1939 msg->msg_flags & MSG_DONTWAIT);
1940 if (IS_ERR(skb))
1941 return skb;
1c2acffb
GP		 1942
1943 /* Create L2CAP header */
1944 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1945 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1946 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1947
18a48e76
MM		 1948 /* Control header is populated later */
1949 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1950 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1951 else
1952 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 1953
c74e560c 1954 if (sdulen)
03a51213 1955 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1956
0952a57a 1957 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1958 if (unlikely(err < 0)) {
1959 kfree_skb(skb);
1960 return ERR_PTR(err);
1961 }
e90bac06 1962
18a48e76 1963 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 1964 bt_cb(skb)->control.retries = 0;
1c2acffb 1965 return skb;
1da177e4
LT		 1966}
1967
94122bbe
MM		 1968static int l2cap_segment_sdu(struct l2cap_chan *chan,
1969 struct sk_buff_head *seg_queue,
1970 struct msghdr *msg, size_t len)
c74e560c 1971{
c74e560c 1972 struct sk_buff *skb;
94122bbe
MM		 1973 u16 sdu_len;
1974 size_t pdu_len;
1975 int err = 0;
1976 u8 sar;
c74e560c 1977
94122bbe 1978 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 1979
94122bbe
MM		 1980 /* It is critical that ERTM PDUs fit in a single HCI fragment,
1981 * so fragmented skbs are not used. The HCI layer's handling
1982 * of fragmented skbs is not compatible with ERTM's queueing.
1983 */
c74e560c 1984
94122bbe
MM		 1985 /* PDU size is derived from the HCI MTU */
1986 pdu_len = chan->conn->mtu;
c74e560c 1987
94122bbe
MM		 1988 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
1989
1990 /* Adjust for largest possible L2CAP overhead. */
1991 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
1992
1993 /* Remote device may have requested smaller PDUs */
1994 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
1995
1996 if (len <= pdu_len) {
1997 sar = L2CAP_SAR_UNSEGMENTED;
1998 sdu_len = 0;
1999 pdu_len = len;
2000 } else {
2001 sar = L2CAP_SAR_START;
2002 sdu_len = len;
2003 pdu_len -= L2CAP_SDULEN_SIZE;
2004 }
2005
2006 while (len > 0) {
2007 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2008
c74e560c 2009 if (IS_ERR(skb)) {
94122bbe 2010 __skb_queue_purge(seg_queue);
c74e560c
GP		 2011 return PTR_ERR(skb);
2012 }
2013
94122bbe
MM		 2014 bt_cb(skb)->control.sar = sar;
2015 __skb_queue_tail(seg_queue, skb);
2016
2017 len -= pdu_len;
2018 if (sdu_len) {
2019 sdu_len = 0;
2020 pdu_len += L2CAP_SDULEN_SIZE;
2021 }
2022
2023 if (len <= pdu_len) {
2024 sar = L2CAP_SAR_END;
2025 pdu_len = len;
2026 } else {
2027 sar = L2CAP_SAR_CONTINUE;
2028 }
c74e560c 2029 }
c74e560c 2030
94122bbe 2031 return err;
c74e560c
GP		 2032}
2033
5e59b791
LAD		 2034int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2035 u32 priority)
9a91a04a 2036{
9a91a04a 2037 struct sk_buff *skb;
9a91a04a 2038 int err;
94122bbe 2039 struct sk_buff_head seg_queue;
9a91a04a
GP		 2040
2041 /* Connectionless channel */
715ec005 2042 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2043 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2044 if (IS_ERR(skb))
2045 return PTR_ERR(skb);
2046
2047 l2cap_do_send(chan, skb);
2048 return len;
2049 }
2050
2051 switch (chan->mode) {
2052 case L2CAP_MODE_BASIC:
2053 /* Check outgoing MTU */
2054 if (len > chan->omtu)
2055 return -EMSGSIZE;
2056
2057 /* Create a basic PDU */
5e59b791 2058 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2059 if (IS_ERR(skb))
2060 return PTR_ERR(skb);
2061
2062 l2cap_do_send(chan, skb);
2063 err = len;
2064 break;
2065
2066 case L2CAP_MODE_ERTM:
2067 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2068 /* Check outgoing MTU */
2069 if (len > chan->omtu) {
2070 err = -EMSGSIZE;
2071 break;
2072 }
9a91a04a 2073
94122bbe 2074 __skb_queue_head_init(&seg_queue);
9a91a04a 2075
94122bbe
MM		 2076 /* Do segmentation before calling in to the state machine,
2077 * since it's possible to block while waiting for memory
2078 * allocation.
2079 */
2080 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2081
94122bbe
MM		 2082 /* The channel could have been closed while segmenting,
2083 * check that it is still connected.
2084 */
2085 if (chan->state != BT_CONNECTED) {
2086 __skb_queue_purge(&seg_queue);
2087 err = -ENOTCONN;
9a91a04a
GP		 2088 }
2089
94122bbe 2090 if (err)
9a91a04a 2091 break;
9a91a04a 2092
3733937d 2093 if (chan->mode == L2CAP_MODE_ERTM)
608bcc6d
MM		 2094 err = l2cap_tx(chan, 0, &seg_queue,
2095 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2096 else
2097 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2098
608bcc6d 2099 if (!err)
9a91a04a
GP		 2100 err = len;
2101
94122bbe
MM		 2102 /* If the skbs were not queued for sending, they'll still be in
2103 * seg_queue and need to be purged.
2104 */
2105 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2106 break;
2107
2108 default:
2109 BT_DBG("bad state %1.1x", chan->mode);
2110 err = -EBADFD;
2111 }
2112
2113 return err;
2114}
2115
608bcc6d
MM		 2116static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2117{
2118 struct sk_buff *acked_skb;
2119 u16 ackseq;
2120
2121 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2122
2123 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2124 return;
2125
2126 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2127 chan->expected_ack_seq, chan->unacked_frames);
2128
2129 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2130 ackseq = __next_seq(chan, ackseq)) {
2131
2132 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2133 if (acked_skb) {
2134 skb_unlink(acked_skb, &chan->tx_q);
2135 kfree_skb(acked_skb);
2136 chan->unacked_frames--;
2137 }
2138 }
2139
2140 chan->expected_ack_seq = reqseq;
2141
2142 if (chan->unacked_frames == 0)
2143 __clear_retrans_timer(chan);
2144
2145 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2146}
2147
2148static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2149{
2150 BT_DBG("chan %p", chan);
2151
2152 chan->expected_tx_seq = chan->buffer_seq;
2153 l2cap_seq_list_clear(&chan->srej_list);
2154 skb_queue_purge(&chan->srej_q);
2155 chan->rx_state = L2CAP_RX_STATE_RECV;
2156}
2157
2158static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2159 struct l2cap_ctrl *control,
2160 struct sk_buff_head *skbs, u8 event)
2161{
2162 int err = 0;
2163
2164 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2165 event);
2166
2167 switch (event) {
2168 case L2CAP_EV_DATA_REQUEST:
2169 if (chan->tx_send_head == NULL)
2170 chan->tx_send_head = skb_peek(skbs);
2171
2172 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2173 l2cap_ertm_send(chan);
2174 break;
2175 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2176 BT_DBG("Enter LOCAL_BUSY");
2177 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2178
2179 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2180 /* The SREJ_SENT state must be aborted if we are to
2181 * enter the LOCAL_BUSY state.
2182 */
2183 l2cap_abort_rx_srej_sent(chan);
2184 }
2185
2186 l2cap_send_ack(chan);
2187
2188 break;
2189 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2190 BT_DBG("Exit LOCAL_BUSY");
2191 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2192
2193 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2194 struct l2cap_ctrl local_control;
2195
2196 memset(&local_control, 0, sizeof(local_control));
2197 local_control.sframe = 1;
2198 local_control.super = L2CAP_SUPER_RR;
2199 local_control.poll = 1;
2200 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2201 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2202
2203 chan->retry_count = 1;
2204 __set_monitor_timer(chan);
2205 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2206 }
2207 break;
2208 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2209 l2cap_process_reqseq(chan, control->reqseq);
2210 break;
2211 case L2CAP_EV_EXPLICIT_POLL:
2212 l2cap_send_rr_or_rnr(chan, 1);
2213 chan->retry_count = 1;
2214 __set_monitor_timer(chan);
2215 __clear_ack_timer(chan);
2216 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2217 break;
2218 case L2CAP_EV_RETRANS_TO:
2219 l2cap_send_rr_or_rnr(chan, 1);
2220 chan->retry_count = 1;
2221 __set_monitor_timer(chan);
2222 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2223 break;
2224 case L2CAP_EV_RECV_FBIT:
2225 /* Nothing to process */
2226 break;
2227 default:
2228 break;
2229 }
2230
2231 return err;
2232}
2233
2234static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2235 struct l2cap_ctrl *control,
2236 struct sk_buff_head *skbs, u8 event)
2237{
2238 int err = 0;
2239
2240 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2241 event);
2242
2243 switch (event) {
2244 case L2CAP_EV_DATA_REQUEST:
2245 if (chan->tx_send_head == NULL)
2246 chan->tx_send_head = skb_peek(skbs);
2247 /* Queue data, but don't send. */
2248 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2249 break;
2250 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2251 BT_DBG("Enter LOCAL_BUSY");
2252 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2253
2254 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2255 /* The SREJ_SENT state must be aborted if we are to
2256 * enter the LOCAL_BUSY state.
2257 */
2258 l2cap_abort_rx_srej_sent(chan);
2259 }
2260
2261 l2cap_send_ack(chan);
2262
2263 break;
2264 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2265 BT_DBG("Exit LOCAL_BUSY");
2266 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2267
2268 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2269 struct l2cap_ctrl local_control;
2270 memset(&local_control, 0, sizeof(local_control));
2271 local_control.sframe = 1;
2272 local_control.super = L2CAP_SUPER_RR;
2273 local_control.poll = 1;
2274 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2275 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2276
2277 chan->retry_count = 1;
2278 __set_monitor_timer(chan);
2279 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2280 }
2281 break;
2282 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2283 l2cap_process_reqseq(chan, control->reqseq);
2284
2285 /* Fall through */
2286
2287 case L2CAP_EV_RECV_FBIT:
2288 if (control && control->final) {
2289 __clear_monitor_timer(chan);
2290 if (chan->unacked_frames > 0)
2291 __set_retrans_timer(chan);
2292 chan->retry_count = 0;
2293 chan->tx_state = L2CAP_TX_STATE_XMIT;
2294 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2295 }
2296 break;
2297 case L2CAP_EV_EXPLICIT_POLL:
2298 /* Ignore */
2299 break;
2300 case L2CAP_EV_MONITOR_TO:
2301 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2302 l2cap_send_rr_or_rnr(chan, 1);
2303 __set_monitor_timer(chan);
2304 chan->retry_count++;
2305 } else {
2306 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2307 }
2308 break;
2309 default:
2310 break;
2311 }
2312
2313 return err;
2314}
2315
2316static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2317 struct sk_buff_head *skbs, u8 event)
2318{
2319 int err = 0;
2320
2321 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2322 chan, control, skbs, event, chan->tx_state);
2323
2324 switch (chan->tx_state) {
2325 case L2CAP_TX_STATE_XMIT:
2326 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2327 break;
2328 case L2CAP_TX_STATE_WAIT_F:
2329 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2330 break;
2331 default:
2332 /* Ignore event */
2333 break;
2334 }
2335
2336 return err;
2337}
2338
4b51dae9
MM		 2339static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2340 struct l2cap_ctrl *control)
2341{
2342 BT_DBG("chan %p, control %p", chan, control);
2343 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2344}
2345
1da177e4
LT		 2346/* Copy frame to all raw sockets on that connection */
2347static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2348{
1da177e4 2349 struct sk_buff *nskb;
48454079 2350 struct l2cap_chan *chan;
1da177e4
LT		 2351
2352 BT_DBG("conn %p", conn);
2353
3df91ea2 2354 mutex_lock(&conn->chan_lock);
3d57dc68 2355
3df91ea2 2356 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2357 struct sock *sk = chan->sk;
715ec005 2358 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2359 continue;
2360
2361 /* Don't send frame to the socket it came from */
2362 if (skb->sk == sk)
2363 continue;
af05b30b
GP		 2364 nskb = skb_clone(skb, GFP_ATOMIC);
2365 if (!nskb)
1da177e4
LT		 2366 continue;
2367
23070494 2368 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2369 kfree_skb(nskb);
2370 }
3d57dc68 2371
3df91ea2 2372 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2373}
2374
2375/* ---- L2CAP signalling commands ---- */
2376static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2377 u8 code, u8 ident, u16 dlen, void *data)
2378{
2379 struct sk_buff *skb, **frag;
2380 struct l2cap_cmd_hdr *cmd;
2381 struct l2cap_hdr *lh;
2382 int len, count;
2383
af05b30b
GP		 2384 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2385 conn, code, ident, dlen);
1da177e4
LT		 2386
2387 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2388 count = min_t(unsigned int, conn->mtu, len);
2389
2390 skb = bt_skb_alloc(count, GFP_ATOMIC);
2391 if (!skb)
2392 return NULL;
2393
2394 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2395 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2396
2397 if (conn->hcon->type == LE_LINK)
2398 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2399 else
2400 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2401
2402 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2403 cmd->code = code;
2404 cmd->ident = ident;
aca3192c 2405 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2406
2407 if (dlen) {
2408 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2409 memcpy(skb_put(skb, count), data, count);
2410 data += count;
2411 }
2412
2413 len -= skb->len;
2414
2415 /* Continuation fragments (no L2CAP header) */
2416 frag = &skb_shinfo(skb)->frag_list;
2417 while (len) {
2418 count = min_t(unsigned int, conn->mtu, len);
2419
2420 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2421 if (!*frag)
2422 goto fail;
2423
2424 memcpy(skb_put(*frag, count), data, count);
2425
2426 len -= count;
2427 data += count;
2428
2429 frag = &(*frag)->next;
2430 }
2431
2432 return skb;
2433
2434fail:
2435 kfree_skb(skb);
2436 return NULL;
2437}
2438
2439static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2440{
2441 struct l2cap_conf_opt *opt = *ptr;
2442 int len;
2443
2444 len = L2CAP_CONF_OPT_SIZE + opt->len;
2445 *ptr += len;
2446
2447 *type = opt->type;
2448 *olen = opt->len;
2449
2450 switch (opt->len) {
2451 case 1:
2452 *val = *((u8 *) opt->val);
2453 break;
2454
2455 case 2:
bfaaeb3e 2456 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2457 break;
2458
2459 case 4:
bfaaeb3e 2460 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2461 break;
2462
2463 default:
2464 *val = (unsigned long) opt->val;
2465 break;
2466 }
2467
2468 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2469 return len;
2470}
2471
1da177e4
LT		 2472static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2473{
2474 struct l2cap_conf_opt *opt = *ptr;
2475
2476 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2477
2478 opt->type = type;
2479 opt->len = len;
2480
2481 switch (len) {
2482 case 1:
2483 *((u8 *) opt->val) = val;
2484 break;
2485
2486 case 2:
4f8b691c 2487 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2488 break;
2489
2490 case 4:
4f8b691c 2491 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2492 break;
2493
2494 default:
2495 memcpy(opt->val, (void *) val, len);
2496 break;
2497 }
2498
2499 *ptr += L2CAP_CONF_OPT_SIZE + len;
2500}
2501
f89cef09
AE		 2502static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2503{
2504 struct l2cap_conf_efs efs;
2505
1ec918ce 2506 switch (chan->mode) {
f89cef09
AE		 2507 case L2CAP_MODE_ERTM:
2508 efs.id = chan->local_id;
2509 efs.stype = chan->local_stype;
2510 efs.msdu = cpu_to_le16(chan->local_msdu);
2511 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2512 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2513 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2514 break;
2515
2516 case L2CAP_MODE_STREAMING:
2517 efs.id = 1;
2518 efs.stype = L2CAP_SERV_BESTEFFORT;
2519 efs.msdu = cpu_to_le16(chan->local_msdu);
2520 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2521 efs.acc_lat = 0;
2522 efs.flush_to = 0;
2523 break;
2524
2525 default:
2526 return;
2527 }
2528
2529 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2530 (unsigned long) &efs);
2531}
2532
721c4181 2533static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2534{
721c4181
GP		 2535 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2536 ack_timer.work);
c1b4f43b 2537
2fb9b3d4
GP		 2538 BT_DBG("chan %p", chan);
2539
6be36555
AE		 2540 l2cap_chan_lock(chan);
2541
b17e73bb 2542 __l2cap_send_ack(chan);
6be36555
AE		 2543
2544 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2545
2546 l2cap_chan_put(chan);
c1b4f43b
GP		 2547}
2548
3c588192 2549static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2550{
3c588192
MM		 2551 int err;
2552
105bdf9e
MM		 2553 chan->next_tx_seq = 0;
2554 chan->expected_tx_seq = 0;
42e5c802 2555 chan->expected_ack_seq = 0;
6a026610 2556 chan->unacked_frames = 0;
42e5c802 2557 chan->buffer_seq = 0;
6a026610 2558 chan->frames_sent = 0;
105bdf9e
MM		 2559 chan->last_acked_seq = 0;
2560 chan->sdu = NULL;
2561 chan->sdu_last_frag = NULL;
2562 chan->sdu_len = 0;
2563
d34c34fb
MM		 2564 skb_queue_head_init(&chan->tx_q);
2565
105bdf9e
MM		 2566 if (chan->mode != L2CAP_MODE_ERTM)
2567 return 0;
2568
2569 chan->rx_state = L2CAP_RX_STATE_RECV;
2570 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2571
721c4181
GP		 2572 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2573 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2574 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2575
f1c6775b 2576 skb_queue_head_init(&chan->srej_q);
1890d36b 2577
3c588192
MM		 2578 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2579 if (err < 0)
2580 return err;
2581
9dc9affc
MM		 2582 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2583 if (err < 0)
2584 l2cap_seq_list_free(&chan->srej_list);
2585
2586 return err;
0565c1c2
GP		 2587}
2588
f2fcfcd6
GP		 2589static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2590{
2591 switch (mode) {
2592 case L2CAP_MODE_STREAMING:
2593 case L2CAP_MODE_ERTM:
2594 if (l2cap_mode_supported(mode, remote_feat_mask))
2595 return mode;
2596 /* fall through */
2597 default:
2598 return L2CAP_MODE_BASIC;
2599 }
2600}
2601
6327eb98
AE		 2602static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2603{
2604 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2605}
2606
f89cef09
AE		 2607static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2608{
2609 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2610}
2611
6327eb98
AE		 2612static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2613{
2614 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2615 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2616 /* use extended control field */
2617 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2618 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2619 } else {
6327eb98
AE		 2620 chan->tx_win = min_t(u16, chan->tx_win,
2621 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2622 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2623 }
6327eb98
AE		 2624}
2625
710f9b0a 2626static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2627{
1da177e4 2628 struct l2cap_conf_req *req = data;
0c1bc5c6 2629 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2630 void *ptr = req->data;
c8f79162 2631 u16 size;
1da177e4 2632
49208c9c 2633 BT_DBG("chan %p", chan);
1da177e4 2634
73ffa904 2635 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2636 goto done;
2637
0c1bc5c6 2638 switch (chan->mode) {
f2fcfcd6
GP		 2639 case L2CAP_MODE_STREAMING:
2640 case L2CAP_MODE_ERTM:
c1360a1c 2641 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2642 break;
85eb53c6 2643
f89cef09
AE		 2644 if (__l2cap_efs_supported(chan))
2645 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2646
2ba13ed6 2647 /* fall through */
f2fcfcd6 2648 default:
8c1d787b 2649 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2650 break;
2651 }
2652
2653done:
0c1bc5c6
GP		 2654 if (chan->imtu != L2CAP_DEFAULT_MTU)
2655 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2656
0c1bc5c6 2657 switch (chan->mode) {
65c7c491 2658 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2659 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2660 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2661 break;
2662
62547752
GP		 2663 rfc.mode = L2CAP_MODE_BASIC;
2664 rfc.txwin_size = 0;
2665 rfc.max_transmit = 0;
2666 rfc.retrans_timeout = 0;
2667 rfc.monitor_timeout = 0;
2668 rfc.max_pdu_size = 0;
2669
63406504
GP		 2670 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2671 (unsigned long) &rfc);
65c7c491
MH		 2672 break;
2673
2674 case L2CAP_MODE_ERTM:
2675 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2676 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2677 rfc.retrans_timeout = 0;
2678 rfc.monitor_timeout = 0;
c8f79162
AE		 2679
2680 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2681 L2CAP_EXT_HDR_SIZE -
2682 L2CAP_SDULEN_SIZE -
2683 L2CAP_FCS_SIZE);
2684 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2685
6327eb98
AE		 2686 l2cap_txwin_setup(chan);
2687
2688 rfc.txwin_size = min_t(u16, chan->tx_win,
2689 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2690
63406504
GP		 2691 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2692 (unsigned long) &rfc);
2693
f89cef09
AE		 2694 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2695 l2cap_add_opt_efs(&ptr, chan);
2696
8c1d787b 2697 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2698 break;
2699
47d1ec61 2700 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2701 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2702 chan->fcs = L2CAP_FCS_NONE;
2703 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2704 }
6327eb98
AE		 2705
2706 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2707 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2708 chan->tx_win);
f2fcfcd6
GP		 2709 break;
2710
2711 case L2CAP_MODE_STREAMING:
2712 rfc.mode = L2CAP_MODE_STREAMING;
2713 rfc.txwin_size = 0;
2714 rfc.max_transmit = 0;
2715 rfc.retrans_timeout = 0;
2716 rfc.monitor_timeout = 0;
c8f79162
AE		 2717
2718 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2719 L2CAP_EXT_HDR_SIZE -
2720 L2CAP_SDULEN_SIZE -
2721 L2CAP_FCS_SIZE);
2722 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2723
63406504
GP		 2724 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2725 (unsigned long) &rfc);
2726
f89cef09
AE		 2727 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2728 l2cap_add_opt_efs(&ptr, chan);
2729
8c1d787b 2730 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2731 break;
2732
47d1ec61 2733 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2734 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2735 chan->fcs = L2CAP_FCS_NONE;
2736 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2737 }
65c7c491
MH		 2738 break;
2739 }
1da177e4 2740
fe4128e0 2741 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2742 req->flags = cpu_to_le16(0);
1da177e4
LT		 2743
2744 return ptr - data;
2745}
2746
73ffa904 2747static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2748{
5dee9e7c
MH		 2749 struct l2cap_conf_rsp *rsp = data;
2750 void *ptr = rsp->data;
73ffa904
GP		 2751 void *req = chan->conf_req;
2752 int len = chan->conf_len;
5dee9e7c
MH		 2753 int type, hint, olen;
2754 unsigned long val;
6464f35f 2755 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2756 struct l2cap_conf_efs efs;
2757 u8 remote_efs = 0;
861d6882 2758 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2759 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2760 u16 size;
1da177e4 2761
73ffa904 2762 BT_DBG("chan %p", chan);
820ae1b8 2763
5dee9e7c
MH		 2764 while (len >= L2CAP_CONF_OPT_SIZE) {
2765 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2766
589d2746 2767 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2768 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2769
2770 switch (type) {
2771 case L2CAP_CONF_MTU:
861d6882 2772 mtu = val;
5dee9e7c
MH		 2773 break;
2774
2775 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2776 chan->flush_to = val;
5dee9e7c
MH		 2777 break;
2778
2779 case L2CAP_CONF_QOS:
2780 break;
2781
6464f35f
MH		 2782 case L2CAP_CONF_RFC:
2783 if (olen == sizeof(rfc))
2784 memcpy(&rfc, (void *) val, olen);
2785 break;
2786
fcc203c3
GP		 2787 case L2CAP_CONF_FCS:
2788 if (val == L2CAP_FCS_NONE)
c1360a1c 2789 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2790 break;
fcc203c3 2791
42dceae2
AE		 2792 case L2CAP_CONF_EFS:
2793 remote_efs = 1;
2794 if (olen == sizeof(efs))
2795 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2796 break;
2797
6327eb98
AE		 2798 case L2CAP_CONF_EWS:
2799 if (!enable_hs)
2800 return -ECONNREFUSED;
fcc203c3 2801
6327eb98
AE		 2802 set_bit(FLAG_EXT_CTRL, &chan->flags);
2803 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2804 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2805 chan->remote_tx_win = val;
fcc203c3
GP		 2806 break;
2807
5dee9e7c
MH		 2808 default:
2809 if (hint)
2810 break;
2811
2812 result = L2CAP_CONF_UNKNOWN;
2813 *((u8 *) ptr++) = type;
2814 break;
2815 }
2816 }
2817
73ffa904 2818 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2819 goto done;
2820
0c1bc5c6 2821 switch (chan->mode) {
f2fcfcd6
GP		 2822 case L2CAP_MODE_STREAMING:
2823 case L2CAP_MODE_ERTM:
c1360a1c 2824 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2825 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2826 chan->conn->feat_mask);
85eb53c6
GP		 2827 break;
2828 }
2829
42dceae2
AE		 2830 if (remote_efs) {
2831 if (__l2cap_efs_supported(chan))
2832 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2833 else
2834 return -ECONNREFUSED;
2835 }
2836
0c1bc5c6 2837 if (chan->mode != rfc.mode)
f2fcfcd6 2838 return -ECONNREFUSED;
742e519b 2839
f2fcfcd6 2840 break;
f2fcfcd6
GP		 2841 }
2842
2843done:
0c1bc5c6 2844 if (chan->mode != rfc.mode) {
f2fcfcd6 2845 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2846 rfc.mode = chan->mode;
f2fcfcd6 2847
73ffa904 2848 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2849 return -ECONNREFUSED;
2850
2851 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2852 sizeof(rfc), (unsigned long) &rfc);
2853 }
2854
5dee9e7c
MH		 2855 if (result == L2CAP_CONF_SUCCESS) {
2856 /* Configure output options and let the other side know
2857 * which ones we don't like. */
2858
f2fcfcd6
GP		 2859 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2860 result = L2CAP_CONF_UNACCEPT;
2861 else {
0c1bc5c6 2862 chan->omtu = mtu;
c1360a1c 2863 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2864 }
0c1bc5c6 2865 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2866
42dceae2
AE		 2867 if (remote_efs) {
2868 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2869 efs.stype != L2CAP_SERV_NOTRAFIC &&
2870 efs.stype != chan->local_stype) {
2871
2872 result = L2CAP_CONF_UNACCEPT;
2873
2874 if (chan->num_conf_req >= 1)
2875 return -ECONNREFUSED;
2876
2877 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2878 sizeof(efs),
42dceae2 2879 (unsigned long) &efs);
0e8b207e 2880 } else {
3e6b3b95 2881 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2882 result = L2CAP_CONF_PENDING;
2883 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2884 }
2885 }
2886
f2fcfcd6
GP		 2887 switch (rfc.mode) {
2888 case L2CAP_MODE_BASIC:
47d1ec61 2889 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2890 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2891 break;
2892
2893 case L2CAP_MODE_ERTM:
6327eb98
AE		 2894 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2895 chan->remote_tx_win = rfc.txwin_size;
2896 else
2897 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2898
2c03a7a4 2899 chan->remote_max_tx = rfc.max_transmit;
1c762159 2900
c8f79162
AE		 2901 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2902 chan->conn->mtu -
2903 L2CAP_EXT_HDR_SIZE -
2904 L2CAP_SDULEN_SIZE -
2905 L2CAP_FCS_SIZE);
2906 rfc.max_pdu_size = cpu_to_le16(size);
2907 chan->remote_mps = size;
f2fcfcd6 2908
10467e9e 2909 rfc.retrans_timeout =
4fd21a88 2910 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2911 rfc.monitor_timeout =
4fd21a88 2912 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2913
c1360a1c 2914 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2915
2916 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2917 sizeof(rfc), (unsigned long) &rfc);
2918
42dceae2
AE		 2919 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2920 chan->remote_id = efs.id;
2921 chan->remote_stype = efs.stype;
2922 chan->remote_msdu = le16_to_cpu(efs.msdu);
2923 chan->remote_flush_to =
2924 le32_to_cpu(efs.flush_to);
2925 chan->remote_acc_lat =
2926 le32_to_cpu(efs.acc_lat);
2927 chan->remote_sdu_itime =
2928 le32_to_cpu(efs.sdu_itime);
2929 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2930 sizeof(efs), (unsigned long) &efs);
2931 }
f2fcfcd6
GP		 2932 break;
2933
2934 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2935 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2936 chan->conn->mtu -
2937 L2CAP_EXT_HDR_SIZE -
2938 L2CAP_SDULEN_SIZE -
2939 L2CAP_FCS_SIZE);
2940 rfc.max_pdu_size = cpu_to_le16(size);
2941 chan->remote_mps = size;
f2fcfcd6 2942
c1360a1c 2943 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2944
2945 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2946 sizeof(rfc), (unsigned long) &rfc);
2947
f2fcfcd6
GP		 2948 break;
2949
2950 default:
5dee9e7c 2951 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2952
6464f35f 2953 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2954 rfc.mode = chan->mode;
f2fcfcd6 2955 }
6464f35f 2956
f2fcfcd6 2957 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2958 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2959 }
fe4128e0 2960 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2961 rsp->result = cpu_to_le16(result);
2962 rsp->flags = cpu_to_le16(0x0000);
2963
2964 return ptr - data;
1da177e4
LT		 2965}
2966
b4450035 2967static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 2968{
f2fcfcd6
GP		 2969 struct l2cap_conf_req *req = data;
2970 void *ptr = req->data;
2971 int type, olen;
2972 unsigned long val;
36e999a8 2973 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 2974 struct l2cap_conf_efs efs;
f2fcfcd6 2975
fe4128e0 2976 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 2977
2978 while (len >= L2CAP_CONF_OPT_SIZE) {
2979 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2980
2981 switch (type) {
2982 case L2CAP_CONF_MTU:
2983 if (val < L2CAP_DEFAULT_MIN_MTU) {
2984 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2985 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 2986 } else
0c1bc5c6
GP		 2987 chan->imtu = val;
2988 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 2989 break;
2990
2991 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2992 chan->flush_to = val;
f2fcfcd6 2993 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 2994 2, chan->flush_to);
f2fcfcd6
GP		 2995 break;
2996
2997 case L2CAP_CONF_RFC:
2998 if (olen == sizeof(rfc))
2999 memcpy(&rfc, (void *)val, olen);
3000
c1360a1c 3001 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3002 rfc.mode != chan->mode)
f2fcfcd6
GP		 3003 return -ECONNREFUSED;
3004
47d1ec61 3005 chan->fcs = 0;
f2fcfcd6
GP		 3006
3007 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3008 sizeof(rfc), (unsigned long) &rfc);
3009 break;
6327eb98
AE		 3010
3011 case L2CAP_CONF_EWS:
3012 chan->tx_win = min_t(u16, val,
3013 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3014 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3015 chan->tx_win);
6327eb98 3016 break;
66af7aaf
AE		 3017
3018 case L2CAP_CONF_EFS:
3019 if (olen == sizeof(efs))
3020 memcpy(&efs, (void *)val, olen);
3021
3022 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3023 efs.stype != L2CAP_SERV_NOTRAFIC &&
3024 efs.stype != chan->local_stype)
3025 return -ECONNREFUSED;
3026
3027 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3028 sizeof(efs), (unsigned long) &efs);
3029 break;
f2fcfcd6
GP		 3030 }
3031 }
3032
0c1bc5c6 3033 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3034 return -ECONNREFUSED;
3035
0c1bc5c6 3036 chan->mode = rfc.mode;
6c2ea7a8 3037
0e8b207e 3038 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3039 switch (rfc.mode) {
3040 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3041 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3042 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3043 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3044
3045 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3046 chan->local_msdu = le16_to_cpu(efs.msdu);
3047 chan->local_sdu_itime =
3048 le32_to_cpu(efs.sdu_itime);
3049 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3050 chan->local_flush_to =
3051 le32_to_cpu(efs.flush_to);
3052 }
f2fcfcd6 3053 break;
66af7aaf 3054
f2fcfcd6 3055 case L2CAP_MODE_STREAMING:
47d1ec61 3056 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3057 }
3058 }
3059
fe4128e0 3060 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3061 req->flags = cpu_to_le16(0x0000);
3062
3063 return ptr - data;
3064}
3065
fe4128e0 3066static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3067{
3068 struct l2cap_conf_rsp *rsp = data;
3069 void *ptr = rsp->data;
1da177e4 3070
fe4128e0 3071 BT_DBG("chan %p", chan);
1da177e4 3072
fe4128e0 3073 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3074 rsp->result = cpu_to_le16(result);
aca3192c 3075 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3076
3077 return ptr - data;
3078}
3079
8c1d787b 3080void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3081{
3082 struct l2cap_conn_rsp rsp;
8c1d787b 3083 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3084 u8 buf[128];
3085
fe4128e0
GP		 3086 rsp.scid = cpu_to_le16(chan->dcid);
3087 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3088 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3089 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3090 l2cap_send_cmd(conn, chan->ident,
3091 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3092
c1360a1c 3093 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3094 return;
3095
710f9b0a
GP		 3096 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3097 l2cap_build_conf_req(chan, buf), buf);
3098 chan->num_conf_req++;
3099}
3100
47d1ec61 3101static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3102{
7b1c0049
GP		 3103 int type, olen;
3104 unsigned long val;
3105 struct l2cap_conf_rfc rfc;
3106
47d1ec61 3107 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3108
0c1bc5c6 3109 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3110 return;
3111
3112 while (len >= L2CAP_CONF_OPT_SIZE) {
3113 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3114
3115 switch (type) {
3116 case L2CAP_CONF_RFC:
3117 if (olen == sizeof(rfc))
3118 memcpy(&rfc, (void *)val, olen);
3119 goto done;
3120 }
3121 }
3122
36e999a8
MM		 3123 /* Use sane default values in case a misbehaving remote device
3124 * did not send an RFC option.
3125 */
3126 rfc.mode = chan->mode;
3127 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3128 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3129 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3130
3131 BT_ERR("Expected RFC option was not found, using defaults");
3132
7b1c0049
GP		 3133done:
3134 switch (rfc.mode) {
3135 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3136 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3137 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3138 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3139 break;
3140 case L2CAP_MODE_STREAMING:
47d1ec61 3141 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3142 }
3143}
3144
4e8402a3
MH		 3145static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3146{
e2fd318e 3147 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3148
e2fd318e 3149 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3150 return 0;
3151
3152 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3153 cmd->ident == conn->info_ident) {
17cd3f37 3154 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3155
3156 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3157 conn->info_ident = 0;
984947dc 3158
4e8402a3
MH		 3159 l2cap_conn_start(conn);
3160 }
3161
3162 return 0;
3163}
3164
1da177e4
LT		 3165static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3166{
1da177e4
LT		 3167 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3168 struct l2cap_conn_rsp rsp;
23691d75 3169 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3170 struct sock *parent, *sk = NULL;
e7c29cb1 3171 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3172
3173 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3174 __le16 psm = req->psm;
1da177e4 3175
097db76c 3176 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3177
3178 /* Check if we have socket listening on psm */
c2287681 3179 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3180 if (!pchan) {
1da177e4
LT		 3181 result = L2CAP_CR_BAD_PSM;
3182 goto sendresp;
3183 }
3184
23691d75
GP		 3185 parent = pchan->sk;
3186
3df91ea2 3187 mutex_lock(&conn->chan_lock);
aa2ac881 3188 lock_sock(parent);
e0f0cb56 3189
e7c29cb1
MH		 3190 /* Check if the ACL is secure enough (if not SDP) */
3191 if (psm != cpu_to_le16(0x0001) &&
3192 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3193 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3194 result = L2CAP_CR_SEC_BLOCK;
3195 goto response;
3196 }
3197
1da177e4
LT		 3198 result = L2CAP_CR_NO_MEM;
3199
3200 /* Check for backlog size */
3201 if (sk_acceptq_is_full(parent)) {
8e87d142 3202 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3203 goto response;
3204 }
3205
80808e43
GP		 3206 chan = pchan->ops->new_connection(pchan->data);
3207 if (!chan)
1da177e4
LT		 3208 goto response;
3209
80808e43
GP		 3210 sk = chan->sk;
3211
1da177e4 3212 /* Check if we already have channel with that dcid */
baa7e1fa 3213 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3214 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3215 chan->ops->close(chan->data);
1da177e4
LT		 3216 goto response;
3217 }
3218
3219 hci_conn_hold(conn->hcon);
3220
1da177e4
LT		 3221 bacpy(&bt_sk(sk)->src, conn->src);
3222 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3223 chan->psm = psm;
3224 chan->dcid = scid;
1da177e4 3225
d1010240
GP		 3226 bt_accept_enqueue(parent, sk);
3227
6be36555 3228 __l2cap_chan_add(conn, chan);
48454079 3229
fe4128e0 3230 dcid = chan->scid;
1da177e4 3231
c9b66675 3232 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3233
fc7f8a7e 3234 chan->ident = cmd->ident;
1da177e4 3235
984947dc 3236 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3237 if (l2cap_chan_check_security(chan)) {
c5daa683 3238 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3239 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3240 result = L2CAP_CR_PEND;
3241 status = L2CAP_CS_AUTHOR_PEND;
3242 parent->sk_data_ready(parent, 0);
3243 } else {
0e587be7 3244 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3245 result = L2CAP_CR_SUCCESS;
3246 status = L2CAP_CS_NO_INFO;
3247 }
79d554a6 3248 } else {
0e587be7 3249 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3250 result = L2CAP_CR_PEND;
3251 status = L2CAP_CS_AUTHEN_PEND;
3252 }
3253 } else {
0e587be7 3254 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3255 result = L2CAP_CR_PEND;
3256 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3257 }
3258
1da177e4 3259response:
aa2ac881 3260 release_sock(parent);
3df91ea2 3261 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3262
3263sendresp:
aca3192c
YH		 3264 rsp.scid = cpu_to_le16(scid);
3265 rsp.dcid = cpu_to_le16(dcid);
3266 rsp.result = cpu_to_le16(result);
3267 rsp.status = cpu_to_le16(status);
1da177e4 3268 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3269
3270 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3271 struct l2cap_info_req info;
3272 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3273
3274 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3275 conn->info_ident = l2cap_get_ident(conn);
3276
ba13ccd9 3277 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3278
3279 l2cap_send_cmd(conn, conn->info_ident,
3280 L2CAP_INFO_REQ, sizeof(info), &info);
3281 }
3282
c1360a1c 3283 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3284 result == L2CAP_CR_SUCCESS) {
3285 u8 buf[128];
c1360a1c 3286 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3287 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3288 l2cap_build_conf_req(chan, buf), buf);
3289 chan->num_conf_req++;
e9aeb2dd
GP		 3290 }
3291
1da177e4
LT		 3292 return 0;
3293}
3294
3295static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3296{
3297 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3298 u16 scid, dcid, result, status;
48454079 3299 struct l2cap_chan *chan;
1da177e4 3300 u8 req[128];
3df91ea2 3301 int err;
1da177e4
LT		 3302
3303 scid = __le16_to_cpu(rsp->scid);
3304 dcid = __le16_to_cpu(rsp->dcid);
3305 result = __le16_to_cpu(rsp->result);
3306 status = __le16_to_cpu(rsp->status);
3307
1b009c98
AE		 3308 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3309 dcid, scid, result, status);
1da177e4 3310
3df91ea2
AE		 3311 mutex_lock(&conn->chan_lock);
3312
1da177e4 3313 if (scid) {
3df91ea2
AE		 3314 chan = __l2cap_get_chan_by_scid(conn, scid);
3315 if (!chan) {
3316 err = -EFAULT;
3317 goto unlock;
3318 }
1da177e4 3319 } else {
3df91ea2
AE		 3320 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3321 if (!chan) {
3322 err = -EFAULT;
3323 goto unlock;
3324 }
1da177e4
LT		 3325 }
3326
3df91ea2
AE		 3327 err = 0;
3328
6be36555 3329 l2cap_chan_lock(chan);
48454079 3330
1da177e4
LT		 3331 switch (result) {
3332 case L2CAP_CR_SUCCESS:
89bc500e 3333 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3334 chan->ident = 0;
fe4128e0 3335 chan->dcid = dcid;
c1360a1c 3336 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3337
c1360a1c 3338 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3339 break;
3340
1da177e4 3341 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3342 l2cap_build_conf_req(chan, req), req);
3343 chan->num_conf_req++;
1da177e4
LT		 3344 break;
3345
3346 case L2CAP_CR_PEND:
c1360a1c 3347 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3348 break;
3349
3350 default:
48454079 3351 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3352 break;
3353 }
3354
6be36555 3355 l2cap_chan_unlock(chan);
3df91ea2
AE		 3356
3357unlock:
3358 mutex_unlock(&conn->chan_lock);
3359
3360 return err;
1da177e4
LT		 3361}
3362
47d1ec61 3363static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3364{
3365 /* FCS is enabled only in ERTM or streaming mode, if one or both
3366 * sides request it.
3367 */
0c1bc5c6 3368 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3369 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3370 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3371 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3372}
3373
88219a0f 3374static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3375{
3376 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3377 u16 dcid, flags;
3378 u8 rsp[64];
48454079 3379 struct l2cap_chan *chan;
3c588192 3380 int len, err = 0;
1da177e4
LT		 3381
3382 dcid = __le16_to_cpu(req->dcid);
3383 flags = __le16_to_cpu(req->flags);
3384
3385 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3386
baa7e1fa 3387 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3388 if (!chan)
1da177e4
LT		 3389 return -ENOENT;
3390
033b1142 3391 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3392 struct l2cap_cmd_rej_cid rej;
3393
3394 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3395 rej.scid = cpu_to_le16(chan->scid);
3396 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3397
df6bd743
GP		 3398 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3399 sizeof(rej), &rej);
354f60a9 3400 goto unlock;
df6bd743 3401 }
354f60a9 3402
5dee9e7c 3403 /* Reject if config buffer is too small. */
88219a0f 3404 len = cmd_len - sizeof(*req);
7ac28817 3405 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3406 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3407 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3408 L2CAP_CONF_REJECT, flags), rsp);
3409 goto unlock;
3410 }
3411
3412 /* Store config. */
73ffa904
GP		 3413 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3414 chan->conf_len += len;
1da177e4
LT		 3415
3416 if (flags & 0x0001) {
3417 /* Incomplete config. Send empty response. */
3418 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3419 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3420 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3421 goto unlock;
3422 }
3423
3424 /* Complete config. */
73ffa904 3425 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3426 if (len < 0) {
e92c8e70 3427 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3428 goto unlock;
f2fcfcd6 3429 }
1da177e4 3430
5dee9e7c 3431 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3432 chan->num_conf_rsp++;
5dee9e7c 3433
5dee9e7c 3434 /* Reset config buffer. */
73ffa904 3435 chan->conf_len = 0;
5dee9e7c 3436
c1360a1c 3437 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3438 goto unlock;
3439
c1360a1c 3440 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3441 set_default_fcs(chan);
fcc203c3 3442
89bc500e 3443 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3444
105bdf9e
MM		 3445 if (chan->mode == L2CAP_MODE_ERTM ||
3446 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3447 err = l2cap_ertm_init(chan);
3448
3449 if (err < 0)
3450 l2cap_send_disconn_req(chan->conn, chan, -err);
3451 else
3452 l2cap_chan_ready(chan);
0565c1c2 3453
876d9484
MH		 3454 goto unlock;
3455 }
3456
c1360a1c 3457 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3458 u8 buf[64];
1da177e4 3459 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3460 l2cap_build_conf_req(chan, buf), buf);
3461 chan->num_conf_req++;
1da177e4
LT		 3462 }
3463
0e8b207e
AE		 3464 /* Got Conf Rsp PENDING from remote side and asume we sent
3465 Conf Rsp PENDING in the code above */
3466 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3467 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3468
3469 /* check compatibility */
3470
3471 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3472 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3473
3474 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3475 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3476 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3477 }
3478
1da177e4 3479unlock:
6be36555 3480 l2cap_chan_unlock(chan);
3c588192 3481 return err;
1da177e4
LT		 3482}
3483
3484static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3485{
3486 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3487 u16 scid, flags, result;
48454079 3488 struct l2cap_chan *chan;
61386cba 3489 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3490 int err = 0;
1da177e4
LT		 3491
3492 scid = __le16_to_cpu(rsp->scid);
3493 flags = __le16_to_cpu(rsp->flags);
3494 result = __le16_to_cpu(rsp->result);
3495
61386cba
AE		 3496 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3497 result, len);
1da177e4 3498
baa7e1fa 3499 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3500 if (!chan)
1da177e4
LT		 3501 return 0;
3502
3503 switch (result) {
3504 case L2CAP_CONF_SUCCESS:
47d1ec61 3505 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3506 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3507 break;
3508
0e8b207e
AE		 3509 case L2CAP_CONF_PENDING:
3510 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3511
3512 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3513 char buf[64];
3514
3515 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3516 buf, &result);
3517 if (len < 0) {
3518 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3519 goto done;
3520 }
3521
3522 /* check compatibility */
3523
3524 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3525 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3526
3527 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3528 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3529 L2CAP_CONF_SUCCESS, 0x0000), buf);
3530 }
3531 goto done;
3532
1da177e4 3533 case L2CAP_CONF_UNACCEPT:
73ffa904 3534 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3535 char req[64];
3536
c2c77ec8 3537 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3538 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3539 goto done;
3540 }
3541
f2fcfcd6
GP		 3542 /* throw out any old stored conf requests */
3543 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3544 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3545 req, &result);
f2fcfcd6 3546 if (len < 0) {
e92c8e70 3547 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3548 goto done;
3549 }
3550
3551 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3552 L2CAP_CONF_REQ, len, req);
73ffa904 3553 chan->num_conf_req++;
f2fcfcd6
GP		 3554 if (result != L2CAP_CONF_SUCCESS)
3555 goto done;
3556 break;
1da177e4
LT		 3557 }
3558
8e87d142 3559 default:
6be36555 3560 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3561
ba13ccd9 3562 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3563 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3564 goto done;
3565 }
3566
3567 if (flags & 0x01)
3568 goto done;
3569
c1360a1c 3570 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3571
c1360a1c 3572 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3573 set_default_fcs(chan);
fcc203c3 3574
89bc500e 3575 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3576 if (chan->mode == L2CAP_MODE_ERTM ||
3577 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3578 err = l2cap_ertm_init(chan);
0565c1c2 3579
3c588192
MM		 3580 if (err < 0)
3581 l2cap_send_disconn_req(chan->conn, chan, -err);
3582 else
3583 l2cap_chan_ready(chan);
1da177e4
LT		 3584 }
3585
3586done:
6be36555 3587 l2cap_chan_unlock(chan);
3c588192 3588 return err;
1da177e4
LT		 3589}
3590
3591static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3592{
3593 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3594 struct l2cap_disconn_rsp rsp;
3595 u16 dcid, scid;
48454079 3596 struct l2cap_chan *chan;
1da177e4
LT		 3597 struct sock *sk;
3598
3599 scid = __le16_to_cpu(req->scid);
3600 dcid = __le16_to_cpu(req->dcid);
3601
3602 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3603
3df91ea2
AE		 3604 mutex_lock(&conn->chan_lock);
3605
3606 chan = __l2cap_get_chan_by_scid(conn, dcid);
3607 if (!chan) {
3608 mutex_unlock(&conn->chan_lock);
1da177e4 3609 return 0;
3df91ea2 3610 }
1da177e4 3611
6be36555
AE		 3612 l2cap_chan_lock(chan);
3613
48454079
GP		 3614 sk = chan->sk;
3615
fe4128e0
GP		 3616 rsp.dcid = cpu_to_le16(chan->scid);
3617 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3618 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3619
6be36555 3620 lock_sock(sk);
1da177e4 3621 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3622 release_sock(sk);
1da177e4 3623
61d6ef3e 3624 l2cap_chan_hold(chan);
48454079 3625 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3626
3627 l2cap_chan_unlock(chan);
1da177e4 3628
ba3bd0ee 3629 chan->ops->close(chan->data);
61d6ef3e 3630 l2cap_chan_put(chan);
3df91ea2
AE		 3631
3632 mutex_unlock(&conn->chan_lock);
3633
1da177e4
LT		 3634 return 0;
3635}
3636
3637static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3638{
3639 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3640 u16 dcid, scid;
48454079 3641 struct l2cap_chan *chan;
1da177e4
LT		 3642
3643 scid = __le16_to_cpu(rsp->scid);
3644 dcid = __le16_to_cpu(rsp->dcid);
3645
3646 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3647
3df91ea2
AE		 3648 mutex_lock(&conn->chan_lock);
3649
3650 chan = __l2cap_get_chan_by_scid(conn, scid);
3651 if (!chan) {
3652 mutex_unlock(&conn->chan_lock);
1da177e4 3653 return 0;
3df91ea2 3654 }
1da177e4 3655
6be36555 3656 l2cap_chan_lock(chan);
48454079 3657
61d6ef3e 3658 l2cap_chan_hold(chan);
48454079 3659 l2cap_chan_del(chan, 0);
6be36555
AE		 3660
3661 l2cap_chan_unlock(chan);
1da177e4 3662
ba3bd0ee 3663 chan->ops->close(chan->data);
61d6ef3e 3664 l2cap_chan_put(chan);
3df91ea2
AE		 3665
3666 mutex_unlock(&conn->chan_lock);
3667
1da177e4
LT		 3668 return 0;
3669}
3670
3671static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3672{
3673 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3674 u16 type;
3675
3676 type = __le16_to_cpu(req->type);
3677
3678 BT_DBG("type 0x%4.4x", type);
3679
f0709e03
MH		 3680 if (type == L2CAP_IT_FEAT_MASK) {
3681 u8 buf[8];
44dd46de 3682 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3683 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3684 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3685 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3686 if (!disable_ertm)
fcc203c3
GP		 3687 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3688 | L2CAP_FEAT_FCS;
a5fd6f30 3689 if (enable_hs)
6327eb98
AE		 3690 feat_mask |= L2CAP_FEAT_EXT_FLOW
3691 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3692
1b7bf4ed 3693 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3694 l2cap_send_cmd(conn, cmd->ident,
3695 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3696 } else if (type == L2CAP_IT_FIXED_CHAN) {
3697 u8 buf[12];
3698 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3699
3700 if (enable_hs)
3701 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3702 else
3703 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3704
e1027a7c
MH		 3705 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3706 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3707 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3708 l2cap_send_cmd(conn, cmd->ident,
3709 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3710 } else {
3711 struct l2cap_info_rsp rsp;
3712 rsp.type = cpu_to_le16(type);
3713 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3714 l2cap_send_cmd(conn, cmd->ident,
3715 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3716 }
1da177e4
LT		 3717
3718 return 0;
3719}
3720
3721static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3722{
3723 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3724 u16 type, result;
3725
3726 type = __le16_to_cpu(rsp->type);
3727 result = __le16_to_cpu(rsp->result);
3728
3729 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3730
e90165be
AE		 3731 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3732 if (cmd->ident != conn->info_ident ||
3733 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3734 return 0;
3735
17cd3f37 3736 cancel_delayed_work(&conn->info_timer);
4e8402a3 3737
adb08ede
VT		 3738 if (result != L2CAP_IR_SUCCESS) {
3739 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3740 conn->info_ident = 0;
3741
3742 l2cap_conn_start(conn);
3743
3744 return 0;
3745 }
3746
978c93b9
AE		 3747 switch (type) {
3748 case L2CAP_IT_FEAT_MASK:
83985319 3749 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3750
47ec1dcd 3751 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3752 struct l2cap_info_req req;
3753 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3754
3755 conn->info_ident = l2cap_get_ident(conn);
3756
3757 l2cap_send_cmd(conn, conn->info_ident,
3758 L2CAP_INFO_REQ, sizeof(req), &req);
3759 } else {
3760 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3761 conn->info_ident = 0;
3762
3763 l2cap_conn_start(conn);
3764 }
978c93b9
AE		 3765 break;
3766
3767 case L2CAP_IT_FIXED_CHAN:
3768 conn->fixed_chan_mask = rsp->data[0];
984947dc 3769 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3770 conn->info_ident = 0;
984947dc
MH		 3771
3772 l2cap_conn_start(conn);
978c93b9 3773 break;
984947dc 3774 }
4e8402a3 3775
1da177e4
LT		 3776 return 0;
3777}
3778
f94ff6ff
MM		 3779static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3780 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3781 void *data)
3782{
3783 struct l2cap_create_chan_req *req = data;
3784 struct l2cap_create_chan_rsp rsp;
3785 u16 psm, scid;
3786
3787 if (cmd_len != sizeof(*req))
3788 return -EPROTO;
3789
3790 if (!enable_hs)
3791 return -EINVAL;
3792
3793 psm = le16_to_cpu(req->psm);
3794 scid = le16_to_cpu(req->scid);
3795
3796 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3797
3798 /* Placeholder: Always reject */
3799 rsp.dcid = 0;
3800 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3801 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3802 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3803
3804 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3805 sizeof(rsp), &rsp);
3806
3807 return 0;
3808}
3809
3810static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3811 struct l2cap_cmd_hdr *cmd, void *data)
3812{
3813 BT_DBG("conn %p", conn);
3814
3815 return l2cap_connect_rsp(conn, cmd, data);
3816}
3817
8d5a04a1
MM		 3818static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3819 u16 icid, u16 result)
3820{
3821 struct l2cap_move_chan_rsp rsp;
3822
3823 BT_DBG("icid %d, result %d", icid, result);
3824
3825 rsp.icid = cpu_to_le16(icid);
3826 rsp.result = cpu_to_le16(result);
3827
3828 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3829}
3830
3831static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3832 struct l2cap_chan *chan, u16 icid, u16 result)
3833{
3834 struct l2cap_move_chan_cfm cfm;
3835 u8 ident;
3836
3837 BT_DBG("icid %d, result %d", icid, result);
3838
3839 ident = l2cap_get_ident(conn);
3840 if (chan)
3841 chan->ident = ident;
3842
3843 cfm.icid = cpu_to_le16(icid);
3844 cfm.result = cpu_to_le16(result);
3845
3846 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3847}
3848
3849static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3850 u16 icid)
3851{
3852 struct l2cap_move_chan_cfm_rsp rsp;
3853
3854 BT_DBG("icid %d", icid);
3855
3856 rsp.icid = cpu_to_le16(icid);
3857 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3858}
3859
3860static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3861 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3862{
3863 struct l2cap_move_chan_req *req = data;
3864 u16 icid = 0;
3865 u16 result = L2CAP_MR_NOT_ALLOWED;
3866
3867 if (cmd_len != sizeof(*req))
3868 return -EPROTO;
3869
3870 icid = le16_to_cpu(req->icid);
3871
3872 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3873
3874 if (!enable_hs)
3875 return -EINVAL;
3876
3877 /* Placeholder: Always refuse */
3878 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3879
3880 return 0;
3881}
3882
3883static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3884 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3885{
3886 struct l2cap_move_chan_rsp *rsp = data;
3887 u16 icid, result;
3888
3889 if (cmd_len != sizeof(*rsp))
3890 return -EPROTO;
3891
3892 icid = le16_to_cpu(rsp->icid);
3893 result = le16_to_cpu(rsp->result);
3894
3895 BT_DBG("icid %d, result %d", icid, result);
3896
3897 /* Placeholder: Always unconfirmed */
3898 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3899
3900 return 0;
3901}
3902
3903static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3904 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3905{
3906 struct l2cap_move_chan_cfm *cfm = data;
3907 u16 icid, result;
3908
3909 if (cmd_len != sizeof(*cfm))
3910 return -EPROTO;
3911
3912 icid = le16_to_cpu(cfm->icid);
3913 result = le16_to_cpu(cfm->result);
3914
3915 BT_DBG("icid %d, result %d", icid, result);
3916
3917 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3918
3919 return 0;
3920}
3921
3922static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3923 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3924{
3925 struct l2cap_move_chan_cfm_rsp *rsp = data;
3926 u16 icid;
3927
3928 if (cmd_len != sizeof(*rsp))
3929 return -EPROTO;
3930
3931 icid = le16_to_cpu(rsp->icid);
3932
3933 BT_DBG("icid %d", icid);
3934
3935 return 0;
3936}
3937
e2174ca4 3938static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3939 u16 to_multiplier)
3940{
3941 u16 max_latency;
3942
3943 if (min > max || min < 6 || max > 3200)
3944 return -EINVAL;
3945
3946 if (to_multiplier < 10 || to_multiplier > 3200)
3947 return -EINVAL;
3948
3949 if (max >= to_multiplier * 8)
3950 return -EINVAL;
3951
3952 max_latency = (to_multiplier * 8 / max) - 1;
3953 if (latency > 499 || latency > max_latency)
3954 return -EINVAL;
3955
3956 return 0;
3957}
3958
3959static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3960 struct l2cap_cmd_hdr *cmd, u8 *data)
3961{
3962 struct hci_conn *hcon = conn->hcon;
3963 struct l2cap_conn_param_update_req *req;
3964 struct l2cap_conn_param_update_rsp rsp;
3965 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 3966 int err;
de73115a
CT		 3967
3968 if (!(hcon->link_mode & HCI_LM_MASTER))
3969 return -EINVAL;
3970
3971 cmd_len = __le16_to_cpu(cmd->len);
3972 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3973 return -EPROTO;
3974
3975 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 3976 min = __le16_to_cpu(req->min);
3977 max = __le16_to_cpu(req->max);
de73115a
CT		 3978 latency = __le16_to_cpu(req->latency);
3979 to_multiplier = __le16_to_cpu(req->to_multiplier);
3980
3981 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3982 min, max, latency, to_multiplier);
3983
3984 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 3985
3986 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3987 if (err)
de73115a
CT		 3988 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3989 else
3990 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3991
3992 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3993 sizeof(rsp), &rsp);
3994
2ce603eb
CT		 3995 if (!err)
3996 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3997
de73115a
CT		 3998 return 0;
3999}
4000
3300d9a9
CT		 4001static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4002 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4003{
4004 int err = 0;
4005
4006 switch (cmd->code) {
4007 case L2CAP_COMMAND_REJ:
4008 l2cap_command_rej(conn, cmd, data);
4009 break;
4010
4011 case L2CAP_CONN_REQ:
4012 err = l2cap_connect_req(conn, cmd, data);
4013 break;
4014
4015 case L2CAP_CONN_RSP:
4016 err = l2cap_connect_rsp(conn, cmd, data);
4017 break;
4018
4019 case L2CAP_CONF_REQ:
4020 err = l2cap_config_req(conn, cmd, cmd_len, data);
4021 break;
4022
4023 case L2CAP_CONF_RSP:
4024 err = l2cap_config_rsp(conn, cmd, data);
4025 break;
4026
4027 case L2CAP_DISCONN_REQ:
4028 err = l2cap_disconnect_req(conn, cmd, data);
4029 break;
4030
4031 case L2CAP_DISCONN_RSP:
4032 err = l2cap_disconnect_rsp(conn, cmd, data);
4033 break;
4034
4035 case L2CAP_ECHO_REQ:
4036 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4037 break;
4038
4039 case L2CAP_ECHO_RSP:
4040 break;
4041
4042 case L2CAP_INFO_REQ:
4043 err = l2cap_information_req(conn, cmd, data);
4044 break;
4045
4046 case L2CAP_INFO_RSP:
4047 err = l2cap_information_rsp(conn, cmd, data);
4048 break;
4049
f94ff6ff
MM		 4050 case L2CAP_CREATE_CHAN_REQ:
4051 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4052 break;
4053
4054 case L2CAP_CREATE_CHAN_RSP:
4055 err = l2cap_create_channel_rsp(conn, cmd, data);
4056 break;
4057
8d5a04a1
MM		 4058 case L2CAP_MOVE_CHAN_REQ:
4059 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4060 break;
4061
4062 case L2CAP_MOVE_CHAN_RSP:
4063 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4064 break;
4065
4066 case L2CAP_MOVE_CHAN_CFM:
4067 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4068 break;
4069
4070 case L2CAP_MOVE_CHAN_CFM_RSP:
4071 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4072 break;
4073
3300d9a9
CT		 4074 default:
4075 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4076 err = -EINVAL;
4077 break;
4078 }
4079
4080 return err;
4081}
4082
4083static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4084 struct l2cap_cmd_hdr *cmd, u8 *data)
4085{
4086 switch (cmd->code) {
4087 case L2CAP_COMMAND_REJ:
4088 return 0;
4089
4090 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4091 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4092
4093 case L2CAP_CONN_PARAM_UPDATE_RSP:
4094 return 0;
4095
4096 default:
4097 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4098 return -EINVAL;
4099 }
4100}
4101
4102static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4103 struct sk_buff *skb)
1da177e4
LT		 4104{
4105 u8 *data = skb->data;
4106 int len = skb->len;
4107 struct l2cap_cmd_hdr cmd;
3300d9a9 4108 int err;
1da177e4
LT		 4109
4110 l2cap_raw_recv(conn, skb);
4111
4112 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4113 u16 cmd_len;
1da177e4
LT		 4114 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4115 data += L2CAP_CMD_HDR_SIZE;
4116 len -= L2CAP_CMD_HDR_SIZE;
4117
88219a0f 4118 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4119
88219a0f 4120 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4121
88219a0f 4122 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4123 BT_DBG("corrupted command");
4124 break;
4125 }
4126
3300d9a9
CT		 4127 if (conn->hcon->type == LE_LINK)
4128 err = l2cap_le_sig_cmd(conn, &cmd, data);
4129 else
4130 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4131
4132 if (err) {
e2fd318e 4133 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4134
4135 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4136
4137 /* FIXME: Map err to a valid reason */
e2fd318e 4138 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4139 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4140 }
4141
88219a0f
AV		 4142 data += cmd_len;
4143 len -= cmd_len;
1da177e4
LT		 4144 }
4145
4146 kfree_skb(skb);
4147}
4148
47d1ec61 4149static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4150{
4151 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4152 int hdr_size;
4153
4154 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4155 hdr_size = L2CAP_EXT_HDR_SIZE;
4156 else
4157 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4158
47d1ec61 4159 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4160 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4161 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4162 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4163
4164 if (our_fcs != rcv_fcs)
7a560e5c 4165 return -EBADMSG;
fcc203c3
GP		 4166 }
4167 return 0;
4168}
4169
525cd185 4170static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4171{
88843ab0 4172 u32 control = 0;
d5392c8f 4173
6a026610 4174 chan->frames_sent = 0;
d5392c8f 4175
0b209fae 4176 control |= __set_reqseq(chan, chan->buffer_seq);
d5392c8f 4177
e2ab4353 4178 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
ab784b73 4179 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
e2ab4353 4180 set_bit(CONN_RNR_SENT, &chan->conn_state);
d5392c8f
GP		 4181 }
4182
e2ab4353 4183 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
525cd185 4184 l2cap_retransmit_frames(chan);
d5392c8f 4185
525cd185 4186 l2cap_ertm_send(chan);
d5392c8f 4187
e2ab4353 4188 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6a026610 4189 chan->frames_sent == 0) {
ab784b73 4190 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
d5392c8f
GP		 4191 }
4192}
4193
84084a31
MM		 4194static void append_skb_frag(struct sk_buff *skb,
4195 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4196{
84084a31
MM		 4197 /* skb->len reflects data in skb as well as all fragments
4198 * skb->data_len reflects only data in fragments
4199 */
4200 if (!skb_has_frag_list(skb))
4201 skb_shinfo(skb)->frag_list = new_frag;
4202
4203 new_frag->next = NULL;
4204
4205 (*last_frag)->next = new_frag;
4206 *last_frag = new_frag;
4207
4208 skb->len += new_frag->len;
4209 skb->data_len += new_frag->len;
4210 skb->truesize += new_frag->truesize;
4211}
4212
4b51dae9
MM		 4213static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4214 struct l2cap_ctrl *control)
84084a31
MM		 4215{
4216 int err = -EINVAL;
18778a63 4217
4b51dae9 4218 switch (control->sar) {
7e0ef6ee 4219 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4220 if (chan->sdu)
4221 break;
18778a63 4222
84084a31
MM		 4223 err = chan->ops->recv(chan->data, skb);
4224 break;
18778a63 4225
7e0ef6ee 4226 case L2CAP_SAR_START:
84084a31
MM		 4227 if (chan->sdu)
4228 break;
18778a63 4229
6f61fd47 4230 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4231 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4232
84084a31
MM		 4233 if (chan->sdu_len > chan->imtu) {
4234 err = -EMSGSIZE;
4235 break;
4236 }
1890d36b 4237
84084a31
MM		 4238 if (skb->len >= chan->sdu_len)
4239 break;
18778a63 4240
84084a31
MM		 4241 chan->sdu = skb;
4242 chan->sdu_last_frag = skb;
18778a63 4243
84084a31
MM		 4244 skb = NULL;
4245 err = 0;
18778a63
GP		 4246 break;
4247
7e0ef6ee 4248 case L2CAP_SAR_CONTINUE:
6f61fd47 4249 if (!chan->sdu)
84084a31 4250 break;
18778a63 4251
84084a31
MM		 4252 append_skb_frag(chan->sdu, skb,
4253 &chan->sdu_last_frag);
4254 skb = NULL;
18778a63 4255
84084a31
MM		 4256 if (chan->sdu->len >= chan->sdu_len)
4257 break;
4178ba46 4258
84084a31 4259 err = 0;
18778a63
GP		 4260 break;
4261
7e0ef6ee 4262 case L2CAP_SAR_END:
6f61fd47 4263 if (!chan->sdu)
84084a31 4264 break;
18778a63 4265
84084a31
MM		 4266 append_skb_frag(chan->sdu, skb,
4267 &chan->sdu_last_frag);
4268 skb = NULL;
4178ba46 4269
84084a31
MM		 4270 if (chan->sdu->len != chan->sdu_len)
4271 break;
18778a63 4272
84084a31 4273 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4274
84084a31
MM		 4275 if (!err) {
4276 /* Reassembly complete */
4277 chan->sdu = NULL;
4278 chan->sdu_last_frag = NULL;
4279 chan->sdu_len = 0;
1890d36b 4280 }
18778a63
GP		 4281 break;
4282 }
4283
84084a31
MM		 4284 if (err) {
4285 kfree_skb(skb);
4286 kfree_skb(chan->sdu);
4287 chan->sdu = NULL;
4288 chan->sdu_last_frag = NULL;
4289 chan->sdu_len = 0;
4290 }
18778a63 4291
84084a31 4292 return err;
18778a63
GP		 4293}
4294
26f880d2 4295static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
712132eb 4296{
26f880d2 4297 BT_DBG("chan %p, Enter local busy", chan);
712132eb 4298
26f880d2 4299 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3c588192 4300 l2cap_seq_list_clear(&chan->srej_list);
26f880d2 4301
77f918bc 4302 __set_ack_timer(chan);
26f880d2
MM		 4303}
4304
4305static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4306{
88843ab0 4307 u32 control;
712132eb 4308
e2ab4353 4309 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
712132eb
GP		 4310 goto done;
4311
0b209fae 4312 control = __set_reqseq(chan, chan->buffer_seq);
e3781735 4313 control |= __set_ctrl_poll(chan);
ab784b73 4314 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
6a026610 4315 chan->retry_count = 1;
712132eb 4316
1a09bcb9
GP		 4317 __clear_retrans_timer(chan);
4318 __set_monitor_timer(chan);
712132eb 4319
e2ab4353 4320 set_bit(CONN_WAIT_F, &chan->conn_state);
712132eb
GP		 4321
4322done:
e2ab4353
GP		 4323 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4324 clear_bit(CONN_RNR_SENT, &chan->conn_state);
712132eb 4325
49208c9c 4326 BT_DBG("chan %p, Exit local busy", chan);
712132eb
GP		 4327}
4328
e328140f 4329void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
1890d36b 4330{
e328140f
MM		 4331 if (chan->mode == L2CAP_MODE_ERTM) {
4332 if (busy)
4333 l2cap_ertm_enter_local_busy(chan);
4334 else
4335 l2cap_ertm_exit_local_busy(chan);
1890d36b 4336 }
1890d36b
GP		 4337}
4338
4b51dae9
MM		 4339static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4340{
4341 BT_DBG("chan %p, txseq %d", chan, txseq);
4342
4343 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4344 chan->expected_tx_seq);
4345
4346 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4347 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4348 chan->tx_win) {
4349 /* See notes below regarding "double poll" and
4350 * invalid packets.
4351 */
4352 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4353 BT_DBG("Invalid/Ignore - after SREJ");
4354 return L2CAP_TXSEQ_INVALID_IGNORE;
4355 } else {
4356 BT_DBG("Invalid - in window after SREJ sent");
4357 return L2CAP_TXSEQ_INVALID;
4358 }
4359 }
4360
4361 if (chan->srej_list.head == txseq) {
4362 BT_DBG("Expected SREJ");
4363 return L2CAP_TXSEQ_EXPECTED_SREJ;
4364 }
4365
4366 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4367 BT_DBG("Duplicate SREJ - txseq already stored");
4368 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4369 }
4370
4371 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4372 BT_DBG("Unexpected SREJ - not requested");
4373 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4374 }
4375 }
4376
4377 if (chan->expected_tx_seq == txseq) {
4378 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4379 chan->tx_win) {
4380 BT_DBG("Invalid - txseq outside tx window");
4381 return L2CAP_TXSEQ_INVALID;
4382 } else {
4383 BT_DBG("Expected");
4384 return L2CAP_TXSEQ_EXPECTED;
4385 }
4386 }
4387
4388 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4389 __seq_offset(chan, chan->expected_tx_seq,
4390 chan->last_acked_seq)){
4391 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4392 return L2CAP_TXSEQ_DUPLICATE;
4393 }
4394
4395 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4396 /* A source of invalid packets is a "double poll" condition,
4397 * where delays cause us to send multiple poll packets. If
4398 * the remote stack receives and processes both polls,
4399 * sequence numbers can wrap around in such a way that a
4400 * resent frame has a sequence number that looks like new data
4401 * with a sequence gap. This would trigger an erroneous SREJ
4402 * request.
4403 *
4404 * Fortunately, this is impossible with a tx window that's
4405 * less than half of the maximum sequence number, which allows
4406 * invalid frames to be safely ignored.
4407 *
4408 * With tx window sizes greater than half of the tx window
4409 * maximum, the frame is invalid and cannot be ignored. This
4410 * causes a disconnect.
4411 */
4412
4413 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4414 BT_DBG("Invalid/Ignore - txseq outside tx window");
4415 return L2CAP_TXSEQ_INVALID_IGNORE;
4416 } else {
4417 BT_DBG("Invalid - txseq outside tx window");
4418 return L2CAP_TXSEQ_INVALID;
4419 }
4420 } else {
4421 BT_DBG("Unexpected - txseq indicates missing frames");
4422 return L2CAP_TXSEQ_UNEXPECTED;
4423 }
4424}
4425
cec8ab6e
MM		 4426static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4427 struct sk_buff *skb, u8 event)
218bb9df 4428{
cec8ab6e
MM		 4429 /* Placeholder */
4430 return -ENOTSUPP;
4431}
4432
4433static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4434 struct sk_buff *skb)
4435{
4b51dae9
MM		 4436 int err = 0;
4437
4438 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
4439 chan->rx_state);
4440
4441 if (l2cap_classify_txseq(chan, control->txseq) ==
4442 L2CAP_TXSEQ_EXPECTED) {
4443 l2cap_pass_to_tx(chan, control);
4444
4445 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
4446 __next_seq(chan, chan->buffer_seq));
4447
4448 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4449
4450 l2cap_reassemble_sdu(chan, skb, control);
4451 } else {
4452 if (chan->sdu) {
4453 kfree_skb(chan->sdu);
4454 chan->sdu = NULL;
4455 }
4456 chan->sdu_last_frag = NULL;
4457 chan->sdu_len = 0;
4458
4459 if (skb) {
4460 BT_DBG("Freeing %p", skb);
4461 kfree_skb(skb);
4462 }
4463 }
4464
4465 chan->last_acked_seq = control->txseq;
4466 chan->expected_tx_seq = __next_seq(chan, control->txseq);
4467
4468 return err;
cec8ab6e
MM		 4469}
4470
4471static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4472{
4473 struct l2cap_ctrl *control = &bt_cb(skb)->control;
4474 u16 len;
4475 u8 event;
218bb9df 4476
b76bbd66
MM		 4477 __unpack_control(chan, skb);
4478
218bb9df
GP		 4479 len = skb->len;
4480
4481 /*
4482 * We can just drop the corrupted I-frame here.
4483 * Receiver will miss it and start proper recovery
cec8ab6e 4484 * procedures and ask for retransmission.
218bb9df 4485 */
47d1ec61 4486 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4487 goto drop;
4488
cec8ab6e 4489 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 4490 len -= L2CAP_SDULEN_SIZE;
218bb9df 4491
47d1ec61 4492 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4493 len -= L2CAP_FCS_SIZE;
218bb9df 4494
47d1ec61 4495 if (len > chan->mps) {
8c1d787b 4496 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4497 goto drop;
4498 }
4499
cec8ab6e
MM		 4500 if (!control->sframe) {
4501 int err;
218bb9df 4502
cec8ab6e
MM		 4503 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
4504 control->sar, control->reqseq, control->final,
4505 control->txseq);
218bb9df 4506
cec8ab6e
MM		 4507 /* Validate F-bit - F=0 always valid, F=1 only
4508 * valid in TX WAIT_F
4509 */
4510 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 4511 goto drop;
cec8ab6e
MM		 4512
4513 if (chan->mode != L2CAP_MODE_STREAMING) {
4514 event = L2CAP_EV_RECV_IFRAME;
4515 err = l2cap_rx(chan, control, skb, event);
4516 } else {
4517 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 4518 }
4519
cec8ab6e
MM		 4520 if (err)
4521 l2cap_send_disconn_req(chan->conn, chan,
4522 ECONNRESET);
218bb9df 4523 } else {
cec8ab6e
MM		 4524 const u8 rx_func_to_event[4] = {
4525 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
4526 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
4527 };
4528
4529 /* Only I-frames are expected in streaming mode */
4530 if (chan->mode == L2CAP_MODE_STREAMING)
4531 goto drop;
4532
4533 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
4534 control->reqseq, control->final, control->poll,
4535 control->super);
4536
218bb9df
GP		 4537 if (len != 0) {
4538 BT_ERR("%d", len);
8c1d787b 4539 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4540 goto drop;
4541 }
4542
cec8ab6e
MM		 4543 /* Validate F and P bits */
4544 if (control->final && (control->poll ||
4545 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
4546 goto drop;
4547
4548 event = rx_func_to_event[control->super];
4549 if (l2cap_rx(chan, control, skb, event))
4550 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4551 }
4552
4553 return 0;
4554
4555drop:
4556 kfree_skb(skb);
4557 return 0;
4558}
4559
1da177e4
LT		 4560static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4561{
48454079 4562 struct l2cap_chan *chan;
1da177e4 4563
baa7e1fa 4564 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4565 if (!chan) {
1da177e4 4566 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4567 /* Drop packet and return */
3379013b 4568 kfree_skb(skb);
6be36555 4569 return 0;
1da177e4
LT		 4570 }
4571
49208c9c 4572 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4573
89bc500e 4574 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4575 goto drop;
4576
0c1bc5c6 4577 switch (chan->mode) {
1c2acffb
GP		 4578 case L2CAP_MODE_BASIC:
4579 /* If socket recv buffers overflows we drop data here
4580 * which is *bad* because L2CAP has to be reliable.
4581 * But we don't have any other choice. L2CAP doesn't
4582 * provide flow control mechanism. */
1da177e4 4583
0c1bc5c6 4584 if (chan->imtu < skb->len)
1c2acffb 4585 goto drop;
1da177e4 4586
23070494 4587 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4588 goto done;
4589 break;
4590
4591 case L2CAP_MODE_ERTM:
6840ed07 4592 case L2CAP_MODE_STREAMING:
cec8ab6e 4593 l2cap_data_rcv(chan, skb);
6840ed07
GP		 4594 goto done;
4595
1c2acffb 4596 default:
0c1bc5c6 4597 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4598 break;
4599 }
1da177e4
LT		 4600
4601drop:
4602 kfree_skb(skb);
4603
4604done:
6be36555 4605 l2cap_chan_unlock(chan);
0139418c 4606
1da177e4
LT		 4607 return 0;
4608}
4609
8e036fc3 4610static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4611{
23691d75 4612 struct l2cap_chan *chan;
1da177e4 4613
c2287681 4614 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4615 if (!chan)
1da177e4
LT		 4616 goto drop;
4617
5b4cedaa 4618 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4619
89bc500e 4620 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4621 goto drop;
4622
e13e21dc 4623 if (chan->imtu < skb->len)
1da177e4
LT		 4624 goto drop;
4625
23070494 4626 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4627 return 0;
1da177e4
LT		 4628
4629drop:
4630 kfree_skb(skb);
4631
1da177e4
LT		 4632 return 0;
4633}
4634
d9b88702
AE		 4635static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4636 struct sk_buff *skb)
9f69bda6 4637{
23691d75 4638 struct l2cap_chan *chan;
9f69bda6 4639
c2287681 4640 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4641 if (!chan)
9f69bda6
GP		 4642 goto drop;
4643
5b4cedaa 4644 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4645
89bc500e 4646 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4647 goto drop;
4648
e13e21dc 4649 if (chan->imtu < skb->len)
9f69bda6
GP		 4650 goto drop;
4651
23070494 4652 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4653 return 0;
9f69bda6
GP		 4654
4655drop:
4656 kfree_skb(skb);
4657
9f69bda6
GP		 4658 return 0;
4659}
4660
1da177e4
LT		 4661static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4662{
4663 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4664 u16 cid, len;
4665 __le16 psm;
1da177e4
LT		 4666
4667 skb_pull(skb, L2CAP_HDR_SIZE);
4668 cid = __le16_to_cpu(lh->cid);
4669 len = __le16_to_cpu(lh->len);
4670
1c2acffb
GP		 4671 if (len != skb->len) {
4672 kfree_skb(skb);
4673 return;
4674 }
4675
1da177e4
LT		 4676 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4677
4678 switch (cid) {
3300d9a9 4679 case L2CAP_CID_LE_SIGNALING:
8db4dc46 4680 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4681 l2cap_sig_channel(conn, skb);
4682 break;
4683
8db4dc46 4684 case L2CAP_CID_CONN_LESS:
097db76c 4685 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 4686 skb_pull(skb, 2);
4687 l2cap_conless_channel(conn, psm, skb);
4688 break;
4689
9f69bda6
GP		 4690 case L2CAP_CID_LE_DATA:
4691 l2cap_att_channel(conn, cid, skb);
4692 break;
4693
b501d6a1
AB		 4694 case L2CAP_CID_SMP:
4695 if (smp_sig_channel(conn, skb))
4696 l2cap_conn_del(conn->hcon, EACCES);
4697 break;
4698
1da177e4
LT		 4699 default:
4700 l2cap_data_channel(conn, cid, skb);
4701 break;
4702 }
4703}
4704
4705/* ---- L2CAP interface with lower layer (HCI) ---- */
4706
686ebf28 4707int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 4708{
4709 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 4710 struct l2cap_chan *c;
1da177e4 4711
1da177e4
LT		 4712 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4713
4714 /* Find listening sockets and check their link_mode */
23691d75
GP		 4715 read_lock(&chan_list_lock);
4716 list_for_each_entry(c, &chan_list, global_l) {
4717 struct sock *sk = c->sk;
4343478f 4718
89bc500e 4719 if (c->state != BT_LISTEN)
1da177e4
LT		 4720 continue;
4721
4722 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 4723 lm1 |= HCI_LM_ACCEPT;
43bd0f32 4724 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 4725 lm1 |= HCI_LM_MASTER;
1da177e4 4726 exact++;
2af6b9d5
MH		 4727 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4728 lm2 |= HCI_LM_ACCEPT;
43bd0f32 4729 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 4730 lm2 |= HCI_LM_MASTER;
4731 }
1da177e4 4732 }
23691d75 4733 read_unlock(&chan_list_lock);
1da177e4
LT		 4734
4735 return exact ? lm1 : lm2;
4736}
4737
686ebf28 4738int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 4739{
0139418c
MH		 4740 struct l2cap_conn *conn;
4741
1da177e4
LT		 4742 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4743
1da177e4 4744 if (!status) {
1da177e4
LT		 4745 conn = l2cap_conn_add(hcon, status);
4746 if (conn)
4747 l2cap_conn_ready(conn);
0139418c 4748 } else
e175072f 4749 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 4750
4751 return 0;
4752}
4753
686ebf28 4754int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 4755{
4756 struct l2cap_conn *conn = hcon->l2cap_data;
4757
4758 BT_DBG("hcon %p", hcon);
4759
686ebf28 4760 if (!conn)
9f5a0d7b 4761 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 4762 return conn->disc_reason;
4763}
4764
686ebf28 4765int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4766{
4767 BT_DBG("hcon %p reason %d", hcon, reason);
4768
e175072f 4769 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 4770 return 0;
4771}
4772
4343478f 4773static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 4774{
715ec005 4775 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 4776 return;
4777
f62e4323 4778 if (encrypt == 0x00) {
4343478f 4779 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 4780 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 4781 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 4782 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 4783 } else {
4343478f 4784 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 4785 __clear_chan_timer(chan);
f62e4323
MH		 4786 }
4787}
4788
686ebf28 4789int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 4790{
0139418c 4791 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 4792 struct l2cap_chan *chan;
1da177e4 4793
0139418c 4794 if (!conn)
1da177e4 4795 return 0;
0139418c 4796
1da177e4
LT		 4797 BT_DBG("conn %p", conn);
4798
160dc6ac 4799 if (hcon->type == LE_LINK) {
35d4adcc
HG		 4800 if (!status && encrypt)
4801 smp_distribute_keys(conn, 0);
17cd3f37 4802 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 4803 }
4804
3df91ea2 4805 mutex_lock(&conn->chan_lock);
1da177e4 4806
3df91ea2 4807 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 4808 l2cap_chan_lock(chan);
1da177e4 4809
f1cb9af5
VCG		 4810 BT_DBG("chan->scid %d", chan->scid);
4811
4812 if (chan->scid == L2CAP_CID_LE_DATA) {
4813 if (!status && encrypt) {
4814 chan->sec_level = hcon->sec_level;
cf4cd009 4815 l2cap_chan_ready(chan);
f1cb9af5
VCG		 4816 }
4817
6be36555 4818 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 4819 continue;
4820 }
4821
c1360a1c 4822 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 4823 l2cap_chan_unlock(chan);
6a8d3010
MH		 4824 continue;
4825 }
4826
89bc500e
GP		 4827 if (!status && (chan->state == BT_CONNECTED ||
4828 chan->state == BT_CONFIG)) {
a7d7723a
GP		 4829 struct sock *sk = chan->sk;
4830
c5daa683 4831 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 4832 sk->sk_state_change(sk);
4833
4343478f 4834 l2cap_check_encryption(chan, encrypt);
6be36555 4835 l2cap_chan_unlock(chan);
9719f8af
MH		 4836 continue;
4837 }
4838
89bc500e 4839 if (chan->state == BT_CONNECT) {
b1235d79 4840 if (!status) {
9b27f350 4841 l2cap_send_conn_req(chan);
b1235d79 4842 } else {
ba13ccd9 4843 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 4844 }
89bc500e 4845 } else if (chan->state == BT_CONNECT2) {
6be36555 4846 struct sock *sk = chan->sk;
b1235d79 4847 struct l2cap_conn_rsp rsp;
df3c3931 4848 __u16 res, stat;
1da177e4 4849
6be36555
AE		 4850 lock_sock(sk);
4851
b1235d79 4852 if (!status) {
c5daa683
GP		 4853 if (test_bit(BT_SK_DEFER_SETUP,
4854 &bt_sk(sk)->flags)) {
df3c3931
JH		 4855 struct sock *parent = bt_sk(sk)->parent;
4856 res = L2CAP_CR_PEND;
4857 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 4858 if (parent)
4859 parent->sk_data_ready(parent, 0);
df3c3931 4860 } else {
0e587be7 4861 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 4862 res = L2CAP_CR_SUCCESS;
4863 stat = L2CAP_CS_NO_INFO;
4864 }
b1235d79 4865 } else {
0e587be7 4866 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 4867 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 4868 res = L2CAP_CR_SEC_BLOCK;
4869 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 4870 }
4871
6be36555
AE		 4872 release_sock(sk);
4873
fe4128e0
GP		 4874 rsp.scid = cpu_to_le16(chan->dcid);
4875 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 4876 rsp.result = cpu_to_le16(res);
4877 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 4878 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4879 sizeof(rsp), &rsp);
b1235d79 4880 }
1da177e4 4881
6be36555 4882 l2cap_chan_unlock(chan);
1da177e4
LT		 4883 }
4884
3df91ea2 4885 mutex_unlock(&conn->chan_lock);
b1235d79 4886
1da177e4
LT		 4887 return 0;
4888}
4889
686ebf28 4890int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 4891{
4892 struct l2cap_conn *conn = hcon->l2cap_data;
4893
5a08ecce
AE		 4894 if (!conn)
4895 conn = l2cap_conn_add(hcon, 0);
4896
4897 if (!conn)
1da177e4
LT		 4898 goto drop;
4899
4900 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4901
e702112f 4902 if (!(flags & ACL_CONT)) {
1da177e4
LT		 4903 struct l2cap_hdr *hdr;
4904 int len;
4905
4906 if (conn->rx_len) {
4907 BT_ERR("Unexpected start frame (len %d)", skb->len);
4908 kfree_skb(conn->rx_skb);
4909 conn->rx_skb = NULL;
4910 conn->rx_len = 0;
4911 l2cap_conn_unreliable(conn, ECOMM);
4912 }
4913
aae7fe22
AE		 4914 /* Start fragment always begin with Basic L2CAP header */
4915 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 4916 BT_ERR("Frame is too short (len %d)", skb->len);
4917 l2cap_conn_unreliable(conn, ECOMM);
4918 goto drop;
4919 }
4920
4921 hdr = (struct l2cap_hdr *) skb->data;
4922 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4923
4924 if (len == skb->len) {
4925 /* Complete frame received */
4926 l2cap_recv_frame(conn, skb);
4927 return 0;
4928 }
4929
4930 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4931
4932 if (skb->len > len) {
4933 BT_ERR("Frame is too long (len %d, expected len %d)",
4934 skb->len, len);
4935 l2cap_conn_unreliable(conn, ECOMM);
4936 goto drop;
4937 }
4938
4939 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4940 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4941 if (!conn->rx_skb)
1da177e4
LT		 4942 goto drop;
4943
d626f62b 4944 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4945 skb->len);
1da177e4
LT		 4946 conn->rx_len = len - skb->len;
4947 } else {
4948 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4949
4950 if (!conn->rx_len) {
4951 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4952 l2cap_conn_unreliable(conn, ECOMM);
4953 goto drop;
4954 }
4955
4956 if (skb->len > conn->rx_len) {
4957 BT_ERR("Fragment is too long (len %d, expected %d)",
4958 skb->len, conn->rx_len);
4959 kfree_skb(conn->rx_skb);
4960 conn->rx_skb = NULL;
4961 conn->rx_len = 0;
4962 l2cap_conn_unreliable(conn, ECOMM);
4963 goto drop;
4964 }
4965
d626f62b 4966 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4967 skb->len);
1da177e4
LT		 4968 conn->rx_len -= skb->len;
4969
4970 if (!conn->rx_len) {
4971 /* Complete frame received */
4972 l2cap_recv_frame(conn, conn->rx_skb);
4973 conn->rx_skb = NULL;
4974 }
4975 }
4976
4977drop:
4978 kfree_skb(skb);
4979 return 0;
4980}
4981
aef7d97c 4982static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 4983{
23691d75 4984 struct l2cap_chan *c;
1da177e4 4985
333055f2 4986 read_lock(&chan_list_lock);
1da177e4 4987
23691d75
GP		 4988 list_for_each_entry(c, &chan_list, global_l) {
4989 struct sock *sk = c->sk;
101545f6 4990
903d343e 4991 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 4992 batostr(&bt_sk(sk)->src),
4993 batostr(&bt_sk(sk)->dst),
89bc500e 4994 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 4995 c->scid, c->dcid, c->imtu, c->omtu,
4996 c->sec_level, c->mode);
61e1b4b7 4997 }
1da177e4 4998
333055f2 4999 read_unlock(&chan_list_lock);
1da177e4 5000
aef7d97c 5001 return 0;
1da177e4
LT		 5002}
5003
aef7d97c
MH		 5004static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5005{
5006 return single_open(file, l2cap_debugfs_show, inode->i_private);
5007}
5008
5009static const struct file_operations l2cap_debugfs_fops = {
5010 .open = l2cap_debugfs_open,
5011 .read = seq_read,
5012 .llseek = seq_lseek,
5013 .release = single_release,
5014};
5015
5016static struct dentry *l2cap_debugfs;
1da177e4 5017
64274518 5018int __init l2cap_init(void)
1da177e4
LT		 5019{
5020 int err;
be9d1227 5021
bb58f747 5022 err = l2cap_init_sockets();
1da177e4
LT		 5023 if (err < 0)
5024 return err;
5025
aef7d97c
MH		 5026 if (bt_debugfs) {
5027 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5028 bt_debugfs, NULL, &l2cap_debugfs_fops);
5029 if (!l2cap_debugfs)
5030 BT_ERR("Failed to create L2CAP debug file");
5031 }
1da177e4 5032
1da177e4 5033 return 0;
1da177e4
LT		 5034}
5035
64274518 5036void l2cap_exit(void)
1da177e4 5037{
aef7d97c 5038 debugfs_remove(l2cap_debugfs);
bb58f747 5039 l2cap_cleanup_sockets();
1da177e4
LT		 5040}
5041
d1c4a17d
GP		 5042module_param(disable_ertm, bool, 0644);
5043MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)