projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Do not check func ready existence
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
416fa752
AE		 469 case L2CAP_CHAN_CONN_FIX_A2MP:
470 chan->scid = L2CAP_CID_A2MP;
471 chan->dcid = L2CAP_CID_A2MP;
472 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
473 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
474 break;
475
5491120e 476 default:
0139418c 477 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 478 chan->scid = L2CAP_CID_SIGNALING;
479 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 480 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 481 }
482
8f7975b1
AE		 483 chan->local_id = L2CAP_BESTEFFORT_ID;
484 chan->local_stype = L2CAP_SERV_BESTEFFORT;
485 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
486 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
487 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
488 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
489
371fd835 490 l2cap_chan_hold(chan);
baa7e1fa 491
3df91ea2 492 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 493}
494
466f8004 495void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 496{
497 mutex_lock(&conn->chan_lock);
498 __l2cap_chan_add(conn, chan);
3df91ea2 499 mutex_unlock(&conn->chan_lock);
0139418c
MH		 500}
501
466f8004 502void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 503{
8c1d787b 504 struct l2cap_conn *conn = chan->conn;
0139418c 505
c9b66675 506 __clear_chan_timer(chan);
0139418c 507
49208c9c 508 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 509
8e87d142 510 if (conn) {
baa7e1fa 511 /* Delete from channel list */
3df91ea2 512 list_del(&chan->list);
3d57dc68 513
371fd835 514 l2cap_chan_put(chan);
baa7e1fa 515
8c1d787b 516 chan->conn = NULL;
0139418c
MH		 517 hci_conn_put(conn->hcon);
518 }
519
c0df7f6e
AE		 520 if (chan->ops->teardown)
521 chan->ops->teardown(chan, err);
6be36555 522
2827011f 523 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 524 return;
2ead70b8 525
ee556f66
GP		 526 switch(chan->mode) {
527 case L2CAP_MODE_BASIC:
528 break;
c13ffa62 529
ee556f66 530 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 531 __clear_retrans_timer(chan);
532 __clear_monitor_timer(chan);
533 __clear_ack_timer(chan);
c13ffa62 534
f1c6775b 535 skb_queue_purge(&chan->srej_q);
c13ffa62 536
3c588192
MM		 537 l2cap_seq_list_free(&chan->srej_list);
538 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 539
540 /* fall through */
541
542 case L2CAP_MODE_STREAMING:
543 skb_queue_purge(&chan->tx_q);
544 break;
c13ffa62 545 }
ee556f66
GP		 546
547 return;
0139418c
MH		 548}
549
0f852724 550void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 551{
552 struct l2cap_conn *conn = chan->conn;
553 struct sock *sk = chan->sk;
554
e05dcc32
AE		 555 BT_DBG("chan %p state %s sk %p", chan,
556 state_to_string(chan->state), sk);
4519de9a 557
89bc500e 558 switch (chan->state) {
4519de9a 559 case BT_LISTEN:
c0df7f6e
AE		 560 if (chan->ops->teardown)
561 chan->ops->teardown(chan, 0);
4519de9a
GP		 562 break;
563
564 case BT_CONNECTED:
565 case BT_CONFIG:
715ec005 566 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 567 conn->hcon->type == ACL_LINK) {
c9b66675 568 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 569 l2cap_send_disconn_req(conn, chan, reason);
570 } else
571 l2cap_chan_del(chan, reason);
572 break;
573
574 case BT_CONNECT2:
715ec005 575 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 576 conn->hcon->type == ACL_LINK) {
577 struct l2cap_conn_rsp rsp;
578 __u16 result;
579
c5daa683 580 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 581 result = L2CAP_CR_SEC_BLOCK;
582 else
583 result = L2CAP_CR_BAD_PSM;
89bc500e 584 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 585
586 rsp.scid = cpu_to_le16(chan->dcid);
587 rsp.dcid = cpu_to_le16(chan->scid);
588 rsp.result = cpu_to_le16(result);
ac73498c 589 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 590 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
591 sizeof(rsp), &rsp);
592 }
593
594 l2cap_chan_del(chan, reason);
595 break;
596
597 case BT_CONNECT:
598 case BT_DISCONN:
599 l2cap_chan_del(chan, reason);
600 break;
601
602 default:
c0df7f6e
AE		 603 if (chan->ops->teardown)
604 chan->ops->teardown(chan, 0);
4519de9a
GP		 605 break;
606 }
607}
608
4343478f 609static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 610{
715ec005 611 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 612 switch (chan->sec_level) {
8556edd3
JH		 613 case BT_SECURITY_HIGH:
614 return HCI_AT_DEDICATED_BONDING_MITM;
615 case BT_SECURITY_MEDIUM:
616 return HCI_AT_DEDICATED_BONDING;
617 default:
618 return HCI_AT_NO_BONDING;
619 }
2983fd68 620 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 621 if (chan->sec_level == BT_SECURITY_LOW)
622 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 623
4343478f 624 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 625 return HCI_AT_NO_BONDING_MITM;
00ae4af9 626 else
8556edd3 627 return HCI_AT_NO_BONDING;
00ae4af9 628 } else {
4343478f 629 switch (chan->sec_level) {
00ae4af9 630 case BT_SECURITY_HIGH:
8556edd3 631 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 632 case BT_SECURITY_MEDIUM:
8556edd3 633 return HCI_AT_GENERAL_BONDING;
00ae4af9 634 default:
8556edd3 635 return HCI_AT_NO_BONDING;
00ae4af9 636 }
0684e5f9 637 }
8556edd3
JH		 638}
639
640/* Service level security */
d45fc423 641int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 642{
8c1d787b 643 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 644 __u8 auth_type;
645
4343478f 646 auth_type = l2cap_get_auth_type(chan);
79d554a6 647
4343478f 648 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 649}
650
b5ad8b7f 651static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 652{
653 u8 id;
654
655 /* Get next available identificator.
656 * 1 - 128 are used by kernel.
657 * 129 - 199 are reserved.
658 * 200 - 254 are used by utilities like l2ping, etc.
659 */
660
333055f2 661 spin_lock(&conn->lock);
4e8402a3
MH		 662
663 if (++conn->tx_ident > 128)
664 conn->tx_ident = 1;
665
666 id = conn->tx_ident;
667
333055f2 668 spin_unlock(&conn->lock);
4e8402a3
MH		 669
670 return id;
671}
672
4519de9a 673static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 674{
675 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 676 u8 flags;
4e8402a3
MH		 677
678 BT_DBG("code 0x%2.2x", code);
679
680 if (!skb)
9a9c6a34 681 return;
4e8402a3 682
e702112f
AE		 683 if (lmp_no_flush_capable(conn->hcon->hdev))
684 flags = ACL_START_NO_FLUSH;
685 else
686 flags = ACL_START;
687
14b12d0b 688 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 689 skb->priority = HCI_PRIO_MAX;
14b12d0b 690
73d80deb
LAD		 691 hci_send_acl(conn->hchan, skb, flags);
692}
693
694static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
695{
696 struct hci_conn *hcon = chan->conn->hcon;
697 u16 flags;
698
699 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
700 skb->priority);
701
702 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
703 lmp_no_flush_capable(hcon->hdev))
704 flags = ACL_START_NO_FLUSH;
705 else
706 flags = ACL_START;
14b12d0b 707
73d80deb
LAD		 708 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
709 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 710}
711
b76bbd66
MM		 712static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
713{
714 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
715 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
716
717 if (enh & L2CAP_CTRL_FRAME_TYPE) {
718 /* S-Frame */
719 control->sframe = 1;
720 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
721 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
722
723 control->sar = 0;
724 control->txseq = 0;
725 } else {
726 /* I-Frame */
727 control->sframe = 0;
728 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
729 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
730
731 control->poll = 0;
732 control->super = 0;
733 }
734}
735
b76bbd66
MM		 736static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
737{
738 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
739 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
740
741 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
742 /* S-Frame */
743 control->sframe = 1;
744 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
745 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
746
747 control->sar = 0;
748 control->txseq = 0;
749 } else {
750 /* I-Frame */
751 control->sframe = 0;
752 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
753 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
754
755 control->poll = 0;
756 control->super = 0;
757 }
758}
759
760static inline void __unpack_control(struct l2cap_chan *chan,
761 struct sk_buff *skb)
762{
763 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
764 __unpack_extended_control(get_unaligned_le32(skb->data),
765 &bt_cb(skb)->control);
cec8ab6e 766 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 767 } else {
768 __unpack_enhanced_control(get_unaligned_le16(skb->data),
769 &bt_cb(skb)->control);
cec8ab6e 770 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 771 }
772}
773
b5c6aaed
MM		 774static u32 __pack_extended_control(struct l2cap_ctrl *control)
775{
776 u32 packed;
777
778 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
779 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
780
781 if (control->sframe) {
782 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
783 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
784 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
785 } else {
786 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
787 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
788 }
789
790 return packed;
791}
792
793static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
794{
795 u16 packed;
796
797 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
798 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
799
800 if (control->sframe) {
801 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
802 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
803 packed |= L2CAP_CTRL_FRAME_TYPE;
804 } else {
805 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
806 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
807 }
808
809 return packed;
810}
811
b76bbd66
MM		 812static inline void __pack_control(struct l2cap_chan *chan,
813 struct l2cap_ctrl *control,
814 struct sk_buff *skb)
815{
816 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
817 put_unaligned_le32(__pack_extended_control(control),
818 skb->data + L2CAP_HDR_SIZE);
819 } else {
820 put_unaligned_le16(__pack_enhanced_control(control),
821 skb->data + L2CAP_HDR_SIZE);
822 }
823}
824
a67d7f6f
MM		 825static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
826 u32 control)
b5c6aaed
MM		 827{
828 struct sk_buff *skb;
829 struct l2cap_hdr *lh;
a67d7f6f 830 int hlen;
b5c6aaed
MM		 831
832 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
833 hlen = L2CAP_EXT_HDR_SIZE;
834 else
835 hlen = L2CAP_ENH_HDR_SIZE;
836
837 if (chan->fcs == L2CAP_FCS_CRC16)
838 hlen += L2CAP_FCS_SIZE;
839
a67d7f6f 840 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 841
b5c6aaed 842 if (!skb)
a67d7f6f 843 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 844
845 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
846 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
847 lh->cid = cpu_to_le16(chan->dcid);
848
a67d7f6f
MM		 849 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
850 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
851 else
852 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 853
854 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 855 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 856 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
857 }
858
859 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 860 return skb;
861}
862
863static void l2cap_send_sframe(struct l2cap_chan *chan,
864 struct l2cap_ctrl *control)
865{
866 struct sk_buff *skb;
867 u32 control_field;
868
869 BT_DBG("chan %p, control %p", chan, control);
870
871 if (!control->sframe)
872 return;
873
874 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
875 !control->poll)
876 control->final = 1;
877
878 if (control->super == L2CAP_SUPER_RR)
879 clear_bit(CONN_RNR_SENT, &chan->conn_state);
880 else if (control->super == L2CAP_SUPER_RNR)
881 set_bit(CONN_RNR_SENT, &chan->conn_state);
882
883 if (control->super != L2CAP_SUPER_SREJ) {
884 chan->last_acked_seq = control->reqseq;
885 __clear_ack_timer(chan);
886 }
887
888 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
889 control->final, control->poll, control->super);
890
891 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
892 control_field = __pack_extended_control(control);
893 else
894 control_field = __pack_enhanced_control(control);
895
896 skb = l2cap_create_sframe_pdu(chan, control_field);
897 if (!IS_ERR(skb))
898 l2cap_do_send(chan, skb);
b5c6aaed
MM		 899}
900
c9e3d5e0 901static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 902{
c9e3d5e0
MM		 903 struct l2cap_ctrl control;
904
905 BT_DBG("chan %p, poll %d", chan, poll);
906
907 memset(&control, 0, sizeof(control));
908 control.sframe = 1;
909 control.poll = poll;
910
911 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
912 control.super = L2CAP_SUPER_RNR;
913 else
914 control.super = L2CAP_SUPER_RR;
b5c6aaed 915
c9e3d5e0
MM		 916 control.reqseq = chan->buffer_seq;
917 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 918}
919
b4450035 920static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 921{
c1360a1c 922 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 923}
924
9b27f350
AE		 925static void l2cap_send_conn_req(struct l2cap_chan *chan)
926{
927 struct l2cap_conn *conn = chan->conn;
928 struct l2cap_conn_req req;
929
930 req.scid = cpu_to_le16(chan->scid);
931 req.psm = chan->psm;
932
933 chan->ident = l2cap_get_ident(conn);
934
935 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
936
937 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
938}
939
9f0caeb1
VCG		 940static void l2cap_chan_ready(struct l2cap_chan *chan)
941{
2827011f 942 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 943 chan->conf_state = 0;
944 __clear_chan_timer(chan);
945
54a59aa2 946 chan->state = BT_CONNECTED;
9f0caeb1 947
fd83e2c2 948 chan->ops->ready(chan);
9f0caeb1
VCG		 949}
950
fc7f8a7e 951static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 952{
8c1d787b 953 struct l2cap_conn *conn = chan->conn;
79d554a6 954
9f0caeb1
VCG		 955 if (conn->hcon->type == LE_LINK) {
956 l2cap_chan_ready(chan);
957 return;
958 }
959
79d554a6 960 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 961 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
962 return;
963
d45fc423 964 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 965 __l2cap_no_conn_pending(chan))
966 l2cap_send_conn_req(chan);
79d554a6
MH		 967 } else {
968 struct l2cap_info_req req;
ac73498c 969 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 970
971 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
972 conn->info_ident = l2cap_get_ident(conn);
973
ba13ccd9 974 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 975
976 l2cap_send_cmd(conn, conn->info_ident,
977 L2CAP_INFO_REQ, sizeof(req), &req);
978 }
979}
980
cf6c2c0b
GP		 981static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
982{
983 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 984 if (!disable_ertm)
cf6c2c0b
GP		 985 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
986
987 switch (mode) {
988 case L2CAP_MODE_ERTM:
989 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
990 case L2CAP_MODE_STREAMING:
991 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
992 default:
993 return 0x00;
994 }
995}
996
4519de9a 997static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 998{
6be36555 999 struct sock *sk = chan->sk;
22121fc9
GP		 1000 struct l2cap_disconn_req req;
1001
c13ffa62
GP		 1002 if (!conn)
1003 return;
1004
0c1bc5c6 1005 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1006 __clear_retrans_timer(chan);
1007 __clear_monitor_timer(chan);
1008 __clear_ack_timer(chan);
c13ffa62
GP		 1009 }
1010
416fa752
AE		 1011 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1012 __l2cap_state_change(chan, BT_DISCONN);
1013 return;
1014 }
1015
fe4128e0
GP		 1016 req.dcid = cpu_to_le16(chan->dcid);
1017 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1018 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1019 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1020
6be36555 1021 lock_sock(sk);
0e587be7 1022 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1023 __l2cap_chan_set_err(chan, err);
6be36555 1024 release_sock(sk);
22121fc9
GP		 1025}
1026
1da177e4 1027/* ---- L2CAP connections ---- */
4e8402a3
MH		 1028static void l2cap_conn_start(struct l2cap_conn *conn)
1029{
3df91ea2 1030 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1031
1032 BT_DBG("conn %p", conn);
1033
3df91ea2 1034 mutex_lock(&conn->chan_lock);
4e8402a3 1035
3df91ea2 1036 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1037 struct sock *sk = chan->sk;
baa7e1fa 1038
6be36555 1039 l2cap_chan_lock(chan);
4e8402a3 1040
715ec005 1041 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1042 l2cap_chan_unlock(chan);
79d554a6
MH		 1043 continue;
1044 }
1045
89bc500e 1046 if (chan->state == BT_CONNECT) {
d45fc423 1047 if (!l2cap_chan_check_security(chan) ||
b4450035 1048 !__l2cap_no_conn_pending(chan)) {
6be36555 1049 l2cap_chan_unlock(chan);
47731de7
GP		 1050 continue;
1051 }
79d554a6 1052
c1360a1c
GP		 1053 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1054 && test_bit(CONF_STATE2_DEVICE,
1055 &chan->conf_state)) {
89bc500e 1056 l2cap_chan_close(chan, ECONNRESET);
6be36555 1057 l2cap_chan_unlock(chan);
47731de7 1058 continue;
b1235d79 1059 }
47731de7 1060
9b27f350 1061 l2cap_send_conn_req(chan);
47731de7 1062
89bc500e 1063 } else if (chan->state == BT_CONNECT2) {
79d554a6 1064 struct l2cap_conn_rsp rsp;
e9aeb2dd 1065 char buf[128];
fe4128e0
GP		 1066 rsp.scid = cpu_to_le16(chan->dcid);
1067 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1068
d45fc423 1069 if (l2cap_chan_check_security(chan)) {
6be36555 1070 lock_sock(sk);
c5daa683
GP		 1071 if (test_bit(BT_SK_DEFER_SETUP,
1072 &bt_sk(sk)->flags)) {
f66dc81f 1073 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1074 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1075 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1076 if (parent)
1077 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1078
1079 } else {
0e587be7 1080 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1081 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1082 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1083 }
6be36555 1084 release_sock(sk);
79d554a6 1085 } else {
ac73498c
AE		 1086 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1087 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1088 }
1089
fc7f8a7e
GP		 1090 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1091 sizeof(rsp), &rsp);
e9aeb2dd 1092
c1360a1c 1093 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1094 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1095 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1096 continue;
1097 }
1098
c1360a1c 1099 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1100 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1101 l2cap_build_conf_req(chan, buf), buf);
1102 chan->num_conf_req++;
4e8402a3
MH		 1103 }
1104
6be36555 1105 l2cap_chan_unlock(chan);
4e8402a3
MH		 1106 }
1107
3df91ea2 1108 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1109}
1110
c2287681 1111/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1112 * Returns closest match, locked.
1113 */
d9b88702 1114static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1115 bdaddr_t *src,
1116 bdaddr_t *dst)
b62f328b 1117{
23691d75 1118 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1119
23691d75 1120 read_lock(&chan_list_lock);
b62f328b 1121
23691d75
GP		 1122 list_for_each_entry(c, &chan_list, global_l) {
1123 struct sock *sk = c->sk;
fe4128e0 1124
89bc500e 1125 if (state && c->state != state)
b62f328b
VT		 1126 continue;
1127
23691d75 1128 if (c->scid == cid) {
c2287681
IY		 1129 int src_match, dst_match;
1130 int src_any, dst_any;
1131
b62f328b 1132 /* Exact match. */
c2287681
IY		 1133 src_match = !bacmp(&bt_sk(sk)->src, src);
1134 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1135 if (src_match && dst_match) {
23691d75
GP		 1136 read_unlock(&chan_list_lock);
1137 return c;
1138 }
b62f328b
VT		 1139
1140 /* Closest match */
c2287681
IY		 1141 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1142 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1143 if ((src_match && dst_any) || (src_any && dst_match) ||
1144 (src_any && dst_any))
23691d75 1145 c1 = c;
b62f328b
VT		 1146 }
1147 }
280f294f 1148
23691d75 1149 read_unlock(&chan_list_lock);
b62f328b 1150
23691d75 1151 return c1;
b62f328b
VT		 1152}
1153
1154static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1155{
c916fbe4 1156 struct sock *parent, *sk;
23691d75 1157 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1158
1159 BT_DBG("");
1160
1161 /* Check if we have socket listening on cid */
23691d75 1162 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1163 conn->src, conn->dst);
23691d75 1164 if (!pchan)
b62f328b
VT		 1165 return;
1166
23691d75
GP		 1167 parent = pchan->sk;
1168
aa2ac881 1169 lock_sock(parent);
62f3a2cf 1170
80b98027 1171 chan = pchan->ops->new_connection(pchan);
80808e43 1172 if (!chan)
b62f328b
VT		 1173 goto clean;
1174
80808e43 1175 sk = chan->sk;
5d41ce1d 1176
b62f328b
VT		 1177 hci_conn_hold(conn->hcon);
1178
b62f328b
VT		 1179 bacpy(&bt_sk(sk)->src, conn->src);
1180 bacpy(&bt_sk(sk)->dst, conn->dst);
1181
d1010240
GP		 1182 bt_accept_enqueue(parent, sk);
1183
3d57dc68 1184 l2cap_chan_add(conn, chan);
48454079 1185
6754e0df 1186 l2cap_chan_ready(chan);
b62f328b 1187
b62f328b 1188clean:
aa2ac881 1189 release_sock(parent);
b62f328b
VT		 1190}
1191
4e8402a3
MH		 1192static void l2cap_conn_ready(struct l2cap_conn *conn)
1193{
48454079 1194 struct l2cap_chan *chan;
4e8402a3 1195
79d554a6 1196 BT_DBG("conn %p", conn);
4e8402a3 1197
b62f328b
VT		 1198 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1199 l2cap_le_conn_ready(conn);
1200
160dc6ac
VCG		 1201 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1202 smp_conn_security(conn, conn->hcon->pending_sec_level);
1203
3df91ea2 1204 mutex_lock(&conn->chan_lock);
4e8402a3 1205
3df91ea2 1206 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1207
6be36555 1208 l2cap_chan_lock(chan);
4e8402a3 1209
416fa752
AE		 1210 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1211 l2cap_chan_unlock(chan);
1212 continue;
1213 }
1214
63128451 1215 if (conn->hcon->type == LE_LINK) {
b501d6a1 1216 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1217 l2cap_chan_ready(chan);
acd7d370 1218
63128451 1219 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1220 struct sock *sk = chan->sk;
c9b66675 1221 __clear_chan_timer(chan);
6be36555 1222 lock_sock(sk);
0e587be7 1223 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1224 sk->sk_state_change(sk);
6be36555 1225 release_sock(sk);
b501d6a1 1226
89bc500e 1227 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1228 l2cap_do_start(chan);
4e8402a3 1229
6be36555 1230 l2cap_chan_unlock(chan);
4e8402a3 1231 }
79d554a6 1232
3df91ea2 1233 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1234}
1235
1236/* Notify sockets that we cannot guaranty reliability anymore */
1237static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1238{
48454079 1239 struct l2cap_chan *chan;
4e8402a3
MH		 1240
1241 BT_DBG("conn %p", conn);
1242
3df91ea2 1243 mutex_lock(&conn->chan_lock);
4e8402a3 1244
3df91ea2 1245 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1246 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1247 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1248 }
1249
3df91ea2 1250 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1251}
1252
f878fcad 1253static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1254{
f878fcad 1255 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1256 info_timer.work);
4e8402a3 1257
984947dc 1258 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1259 conn->info_ident = 0;
984947dc 1260
4e8402a3
MH		 1261 l2cap_conn_start(conn);
1262}
1263
5d3de7df
VCG		 1264static void l2cap_conn_del(struct hci_conn *hcon, int err)
1265{
1266 struct l2cap_conn *conn = hcon->l2cap_data;
1267 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1268
1269 if (!conn)
1270 return;
1271
1272 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1273
1274 kfree_skb(conn->rx_skb);
1275
3df91ea2
AE		 1276 mutex_lock(&conn->chan_lock);
1277
5d3de7df
VCG		 1278 /* Kill channels */
1279 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1280 l2cap_chan_hold(chan);
6be36555
AE		 1281 l2cap_chan_lock(chan);
1282
5d3de7df 1283 l2cap_chan_del(chan, err);
6be36555
AE		 1284
1285 l2cap_chan_unlock(chan);
1286
80b98027 1287 chan->ops->close(chan);
61d6ef3e 1288 l2cap_chan_put(chan);
5d3de7df
VCG		 1289 }
1290
3df91ea2
AE		 1291 mutex_unlock(&conn->chan_lock);
1292
73d80deb
LAD		 1293 hci_chan_del(conn->hchan);
1294
5d3de7df 1295 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1296 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1297
51a8efd7 1298 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1299 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1300 smp_chan_destroy(conn);
d26a2345 1301 }
5d3de7df
VCG		 1302
1303 hcon->l2cap_data = NULL;
1304 kfree(conn);
1305}
1306
6c9d42a1 1307static void security_timeout(struct work_struct *work)
5d3de7df 1308{
6c9d42a1
GP		 1309 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1310 security_timer.work);
5d3de7df
VCG		 1311
1312 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1313}
1314
1da177e4
LT		 1315static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1316{
0139418c 1317 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1318 struct hci_chan *hchan;
1da177e4 1319
0139418c 1320 if (conn || status)
1da177e4
LT		 1321 return conn;
1322
73d80deb
LAD		 1323 hchan = hci_chan_create(hcon);
1324 if (!hchan)
1325 return NULL;
1326
0139418c 1327 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1328 if (!conn) {
1329 hci_chan_del(hchan);
1da177e4 1330 return NULL;
73d80deb 1331 }
1da177e4
LT		 1332
1333 hcon->l2cap_data = conn;
1334 conn->hcon = hcon;
73d80deb 1335 conn->hchan = hchan;
1da177e4 1336
73d80deb 1337 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1338
acd7d370
VT		 1339 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1340 conn->mtu = hcon->hdev->le_mtu;
1341 else
1342 conn->mtu = hcon->hdev->acl_mtu;
1343
1da177e4
LT		 1344 conn->src = &hcon->hdev->bdaddr;
1345 conn->dst = &hcon->dst;
1346
4e8402a3
MH		 1347 conn->feat_mask = 0;
1348
1da177e4 1349 spin_lock_init(&conn->lock);
3df91ea2 1350 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1351
1352 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1353
5d3de7df 1354 if (hcon->type == LE_LINK)
6c9d42a1 1355 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1356 else
030013d8 1357 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1358
9f5a0d7b 1359 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1360
1da177e4
LT		 1361 return conn;
1362}
1363
1da177e4 1364/* ---- Socket interface ---- */
1da177e4 1365
c2287681 1366/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1367 * Returns closest match.
1368 */
c2287681
IY		 1369static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1370 bdaddr_t *src,
1371 bdaddr_t *dst)
1da177e4 1372{
23691d75 1373 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1374
23691d75 1375 read_lock(&chan_list_lock);
e0f0cb56 1376
23691d75
GP		 1377 list_for_each_entry(c, &chan_list, global_l) {
1378 struct sock *sk = c->sk;
fe4128e0 1379
89bc500e 1380 if (state && c->state != state)
1da177e4
LT		 1381 continue;
1382
23691d75 1383 if (c->psm == psm) {
c2287681
IY		 1384 int src_match, dst_match;
1385 int src_any, dst_any;
1386
1da177e4 1387 /* Exact match. */
c2287681
IY		 1388 src_match = !bacmp(&bt_sk(sk)->src, src);
1389 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1390 if (src_match && dst_match) {
a7567b20 1391 read_unlock(&chan_list_lock);
23691d75
GP		 1392 return c;
1393 }
1da177e4
LT		 1394
1395 /* Closest match */
c2287681
IY		 1396 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1397 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1398 if ((src_match && dst_any) || (src_any && dst_match) ||
1399 (src_any && dst_any))
23691d75 1400 c1 = c;
1da177e4
LT		 1401 }
1402 }
1da177e4 1403
23691d75 1404 read_unlock(&chan_list_lock);
e0f0cb56 1405
23691d75 1406 return c1;
1da177e4
LT		 1407}
1408
8e9f9892
AG		 1409int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1410 bdaddr_t *dst, u8 dst_type)
1da177e4 1411{
5d41ce1d 1412 struct sock *sk = chan->sk;
1da177e4 1413 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1414 struct l2cap_conn *conn;
1415 struct hci_conn *hcon;
1416 struct hci_dev *hdev;
09ab6f4c 1417 __u8 auth_type;
44d0e48e 1418 int err;
1da177e4 1419
8e9f9892
AG		 1420 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1421 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1422
af05b30b
GP		 1423 hdev = hci_get_route(dst, src);
1424 if (!hdev)
1da177e4
LT		 1425 return -EHOSTUNREACH;
1426
09fd0de5 1427 hci_dev_lock(hdev);
1da177e4 1428
6be36555 1429 l2cap_chan_lock(chan);
03a00194
GP		 1430
1431 /* PSM must be odd and lsb of upper byte must be 0 */
1432 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1433 chan->chan_type != L2CAP_CHAN_RAW) {
1434 err = -EINVAL;
1435 goto done;
1436 }
1437
1438 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1439 err = -EINVAL;
1440 goto done;
1441 }
1442
1443 switch (chan->mode) {
1444 case L2CAP_MODE_BASIC:
1445 break;
1446 case L2CAP_MODE_ERTM:
1447 case L2CAP_MODE_STREAMING:
1448 if (!disable_ertm)
1449 break;
1450 /* fall through */
1451 default:
1452 err = -ENOTSUPP;
1453 goto done;
1454 }
1455
0797e01d 1456 switch (chan->state) {
03a00194
GP		 1457 case BT_CONNECT:
1458 case BT_CONNECT2:
1459 case BT_CONFIG:
1460 /* Already connecting */
1461 err = 0;
1462 goto done;
1463
1464 case BT_CONNECTED:
1465 /* Already connected */
1466 err = -EISCONN;
1467 goto done;
1468
1469 case BT_OPEN:
1470 case BT_BOUND:
1471 /* Can connect */
1472 break;
1473
1474 default:
1475 err = -EBADFD;
1476 goto done;
1477 }
1478
1479 /* Set destination address and psm */
0797e01d 1480 lock_sock(sk);
9219b2a0 1481 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1482 release_sock(sk);
1483
03a00194
GP		 1484 chan->psm = psm;
1485 chan->dcid = cid;
1da177e4 1486
4343478f 1487 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1488
fe4128e0 1489 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1490 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1491 chan->sec_level, auth_type);
acd7d370 1492 else
8e9f9892 1493 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1494 chan->sec_level, auth_type);
acd7d370 1495
30e76272
VT		 1496 if (IS_ERR(hcon)) {
1497 err = PTR_ERR(hcon);
1da177e4 1498 goto done;
30e76272 1499 }
1da177e4
LT		 1500
1501 conn = l2cap_conn_add(hcon, 0);
1502 if (!conn) {
1503 hci_conn_put(hcon);
30e76272 1504 err = -ENOMEM;
1da177e4
LT		 1505 goto done;
1506 }
1507
9f0caeb1
VCG		 1508 if (hcon->type == LE_LINK) {
1509 err = 0;
1510
1511 if (!list_empty(&conn->chan_l)) {
1512 err = -EBUSY;
1513 hci_conn_put(hcon);
1514 }
1515
1516 if (err)
1517 goto done;
1518 }
1519
1da177e4
LT		 1520 /* Update source addr of the socket */
1521 bacpy(src, conn->src);
1522
6be36555 1523 l2cap_chan_unlock(chan);
48454079 1524 l2cap_chan_add(conn, chan);
6be36555 1525 l2cap_chan_lock(chan);
48454079 1526
6be36555 1527 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1528 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1529
1530 if (hcon->state == BT_CONNECTED) {
715ec005 1531 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1532 __clear_chan_timer(chan);
d45fc423 1533 if (l2cap_chan_check_security(chan))
6be36555 1534 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1535 } else
fc7f8a7e 1536 l2cap_do_start(chan);
1da177e4
LT		 1537 }
1538
30e76272
VT		 1539 err = 0;
1540
1da177e4 1541done:
6be36555 1542 l2cap_chan_unlock(chan);
09fd0de5 1543 hci_dev_unlock(hdev);
1da177e4
LT		 1544 hci_dev_put(hdev);
1545 return err;
1546}
1547
dcba0dba 1548int __l2cap_wait_ack(struct sock *sk)
6161c038 1549{
8c1d787b 1550 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1551 DECLARE_WAITQUEUE(wait, current);
1552 int err = 0;
1553 int timeo = HZ/5;
1554
2b0b05dd 1555 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1556 set_current_state(TASK_INTERRUPTIBLE);
1557 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1558 if (!timeo)
1559 timeo = HZ/5;
1560
1561 if (signal_pending(current)) {
1562 err = sock_intr_errno(timeo);
1563 break;
1564 }
1565
1566 release_sock(sk);
1567 timeo = schedule_timeout(timeo);
1568 lock_sock(sk);
a71a0cf4 1569 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1570
1571 err = sock_error(sk);
1572 if (err)
1573 break;
1574 }
1575 set_current_state(TASK_RUNNING);
2b0b05dd 1576 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1577 return err;
1578}
1579
721c4181 1580static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1581{
721c4181 1582 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1583 monitor_timer.work);
e90bac06 1584
525cd185 1585 BT_DBG("chan %p", chan);
0e98958d 1586
6be36555
AE		 1587 l2cap_chan_lock(chan);
1588
80909e04 1589 if (!chan->conn) {
6be36555 1590 l2cap_chan_unlock(chan);
8d7e1c7f 1591 l2cap_chan_put(chan);
e90bac06
GP		 1592 return;
1593 }
1594
401bb1f7 1595 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1596
6be36555 1597 l2cap_chan_unlock(chan);
8d7e1c7f 1598 l2cap_chan_put(chan);
e90bac06
GP		 1599}
1600
721c4181 1601static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1602{
721c4181 1603 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1604 retrans_timer.work);
e90bac06 1605
49208c9c 1606 BT_DBG("chan %p", chan);
0e98958d 1607
6be36555
AE		 1608 l2cap_chan_lock(chan);
1609
80909e04
MM		 1610 if (!chan->conn) {
1611 l2cap_chan_unlock(chan);
1612 l2cap_chan_put(chan);
1613 return;
1614 }
6be36555 1615
401bb1f7 1616 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1617 l2cap_chan_unlock(chan);
8d7e1c7f 1618 l2cap_chan_put(chan);
e90bac06
GP		 1619}
1620
d660366d
GP		 1621static void l2cap_streaming_send(struct l2cap_chan *chan,
1622 struct sk_buff_head *skbs)
6840ed07 1623{
ccbb84af 1624 struct sk_buff *skb;
3733937d 1625 struct l2cap_ctrl *control;
6840ed07 1626
3733937d
MM		 1627 BT_DBG("chan %p, skbs %p", chan, skbs);
1628
3733937d
MM		 1629 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1630
1631 while (!skb_queue_empty(&chan->tx_q)) {
1632
1633 skb = skb_dequeue(&chan->tx_q);
1634
1635 bt_cb(skb)->control.retries = 1;
1636 control = &bt_cb(skb)->control;
1637
1638 control->reqseq = 0;
1639 control->txseq = chan->next_tx_seq;
1640
1641 __pack_control(chan, control, skb);
6840ed07 1642
47d1ec61 1643 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1644 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1645 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1646 }
1647
4343478f 1648 l2cap_do_send(chan, skb);
6840ed07 1649
3733937d
MM		 1650 BT_DBG("Sent txseq %d", (int)control->txseq);
1651
836be934 1652 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1653 chan->frames_sent++;
6840ed07 1654 }
6840ed07
GP		 1655}
1656
67c9e840 1657static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1658{
1659 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1660 struct l2cap_ctrl *control;
1661 int sent = 0;
1662
1663 BT_DBG("chan %p", chan);
1c2acffb 1664
89bc500e 1665 if (chan->state != BT_CONNECTED)
c13ffa62 1666 return -ENOTCONN;
e90bac06 1667
94122bbe
MM		 1668 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1669 return 0;
1670
18a48e76
MM		 1671 while (chan->tx_send_head &&
1672 chan->unacked_frames < chan->remote_tx_win &&
1673 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1674
18a48e76 1675 skb = chan->tx_send_head;
e90bac06 1676
18a48e76
MM		 1677 bt_cb(skb)->control.retries = 1;
1678 control = &bt_cb(skb)->control;
95ffa978 1679
e2ab4353 1680 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1681 control->final = 1;
e2ab4353 1682
18a48e76
MM		 1683 control->reqseq = chan->buffer_seq;
1684 chan->last_acked_seq = chan->buffer_seq;
1685 control->txseq = chan->next_tx_seq;
1c2acffb 1686
18a48e76 1687 __pack_control(chan, control, skb);
e90bac06 1688
47d1ec61 1689 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1690 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1691 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1692 }
1693
18a48e76
MM		 1694 /* Clone after data has been modified. Data is assumed to be
1695 read-only (for locking purposes) on cloned sk_buffs.
1696 */
1697 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1698
18a48e76
MM		 1699 if (!tx_skb)
1700 break;
1c2acffb 1701
18a48e76 1702 __set_retrans_timer(chan);
836be934
AE		 1703
1704 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1705 chan->unacked_frames++;
6a026610 1706 chan->frames_sent++;
18a48e76 1707 sent++;
1c2acffb 1708
58d35f87
GP		 1709 if (skb_queue_is_last(&chan->tx_q, skb))
1710 chan->tx_send_head = NULL;
1c2acffb 1711 else
58d35f87 1712 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1713
1714 l2cap_do_send(chan, tx_skb);
1715 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1716 }
1717
18a48e76
MM		 1718 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1719 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1720
1721 return sent;
9e917af1
GP		 1722}
1723
e1fbd4c1
MM		 1724static void l2cap_ertm_resend(struct l2cap_chan *chan)
1725{
1726 struct l2cap_ctrl control;
1727 struct sk_buff *skb;
1728 struct sk_buff *tx_skb;
1729 u16 seq;
1730
1731 BT_DBG("chan %p", chan);
1732
1733 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1734 return;
1735
1736 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1737 seq = l2cap_seq_list_pop(&chan->retrans_list);
1738
1739 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1740 if (!skb) {
1741 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1742 seq);
1743 continue;
1744 }
1745
1746 bt_cb(skb)->control.retries++;
1747 control = bt_cb(skb)->control;
1748
1749 if (chan->max_tx != 0 &&
1750 bt_cb(skb)->control.retries > chan->max_tx) {
1751 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1752 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1753 l2cap_seq_list_clear(&chan->retrans_list);
1754 break;
1755 }
1756
1757 control.reqseq = chan->buffer_seq;
1758 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1759 control.final = 1;
1760 else
1761 control.final = 0;
1762
1763 if (skb_cloned(skb)) {
1764 /* Cloned sk_buffs are read-only, so we need a
1765 * writeable copy
1766 */
1767 tx_skb = skb_copy(skb, GFP_ATOMIC);
1768 } else {
1769 tx_skb = skb_clone(skb, GFP_ATOMIC);
1770 }
1771
1772 if (!tx_skb) {
1773 l2cap_seq_list_clear(&chan->retrans_list);
1774 break;
1775 }
1776
1777 /* Update skb contents */
1778 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1779 put_unaligned_le32(__pack_extended_control(&control),
1780 tx_skb->data + L2CAP_HDR_SIZE);
1781 } else {
1782 put_unaligned_le16(__pack_enhanced_control(&control),
1783 tx_skb->data + L2CAP_HDR_SIZE);
1784 }
1785
1786 if (chan->fcs == L2CAP_FCS_CRC16) {
1787 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1788 put_unaligned_le16(fcs, skb_put(tx_skb,
1789 L2CAP_FCS_SIZE));
1790 }
1791
1792 l2cap_do_send(chan, tx_skb);
1793
1794 BT_DBG("Resent txseq %d", control.txseq);
1795
1796 chan->last_acked_seq = chan->buffer_seq;
1797 }
1798}
1799
f80842a8
MM		 1800static void l2cap_retransmit(struct l2cap_chan *chan,
1801 struct l2cap_ctrl *control)
1802{
1803 BT_DBG("chan %p, control %p", chan, control);
1804
1805 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1806 l2cap_ertm_resend(chan);
1807}
1808
d2a7ac5d
MM		 1809static void l2cap_retransmit_all(struct l2cap_chan *chan,
1810 struct l2cap_ctrl *control)
1811{
e1fbd4c1
MM		 1812 struct sk_buff *skb;
1813
1814 BT_DBG("chan %p, control %p", chan, control);
1815
1816 if (control->poll)
1817 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1818
1819 l2cap_seq_list_clear(&chan->retrans_list);
1820
1821 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1822 return;
1823
1824 if (chan->unacked_frames) {
1825 skb_queue_walk(&chan->tx_q, skb) {
1826 if (bt_cb(skb)->control.txseq == control->reqseq ||
1827 skb == chan->tx_send_head)
1828 break;
1829 }
1830
1831 skb_queue_walk_from(&chan->tx_q, skb) {
1832 if (skb == chan->tx_send_head)
1833 break;
1834
1835 l2cap_seq_list_append(&chan->retrans_list,
1836 bt_cb(skb)->control.txseq);
1837 }
1838
1839 l2cap_ertm_resend(chan);
1840 }
d2a7ac5d
MM		 1841}
1842
0a0aba42 1843static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1844{
0a0aba42
MM		 1845 struct l2cap_ctrl control;
1846 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1847 chan->last_acked_seq);
1848 int threshold;
9e917af1 1849
0a0aba42
MM		 1850 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1851 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1852
0a0aba42
MM		 1853 memset(&control, 0, sizeof(control));
1854 control.sframe = 1;
dfc909be 1855
0a0aba42
MM		 1856 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1857 chan->rx_state == L2CAP_RX_STATE_RECV) {
1858 __clear_ack_timer(chan);
1859 control.super = L2CAP_SUPER_RNR;
1860 control.reqseq = chan->buffer_seq;
1861 l2cap_send_sframe(chan, &control);
1862 } else {
1863 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1864 l2cap_ertm_send(chan);
1865 /* If any i-frames were sent, they included an ack */
1866 if (chan->buffer_seq == chan->last_acked_seq)
1867 frames_to_ack = 0;
1868 }
dfc909be 1869
0a0aba42
MM		 1870 /* Ack now if the tx window is 3/4ths full.
1871 * Calculate without mul or div
1872 */
1873 threshold = chan->tx_win;
1874 threshold += threshold << 1;
1875 threshold >>= 2;
1876
1877 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1878 threshold);
1879
1880 if (frames_to_ack >= threshold) {
1881 __clear_ack_timer(chan);
1882 control.super = L2CAP_SUPER_RR;
1883 control.reqseq = chan->buffer_seq;
1884 l2cap_send_sframe(chan, &control);
1885 frames_to_ack = 0;
1886 }
1c2acffb 1887
0a0aba42
MM		 1888 if (frames_to_ack)
1889 __set_ack_timer(chan);
1890 }
b17e73bb
SJ		 1891}
1892
04124681
GP		 1893static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1894 struct msghdr *msg, int len,
1895 int count, struct sk_buff *skb)
1c2acffb 1896{
0952a57a 1897 struct l2cap_conn *conn = chan->conn;
1c2acffb 1898 struct sk_buff **frag;
90338947 1899 int sent = 0;
1da177e4 1900
59203a21 1901 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1902 return -EFAULT;
1da177e4
LT		 1903
1904 sent += count;
1905 len -= count;
1906
1907 /* Continuation fragments (no L2CAP header) */
1908 frag = &skb_shinfo(skb)->frag_list;
1909 while (len) {
fbe00700
GP		 1910 struct sk_buff *tmp;
1911
1da177e4
LT		 1912 count = min_t(unsigned int, conn->mtu, len);
1913
fbe00700
GP		 1914 tmp = chan->ops->alloc_skb(chan, count,
1915 msg->msg_flags & MSG_DONTWAIT);
1916 if (IS_ERR(tmp))
1917 return PTR_ERR(tmp);
1918
1919 *frag = tmp;
2f7719ce 1920
1c2acffb
GP		 1921 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1922 return -EFAULT;
1da177e4 1923
5e59b791
LAD		 1924 (*frag)->priority = skb->priority;
1925
1da177e4
LT		 1926 sent += count;
1927 len -= count;
1928
2d0ed3d5
GP		 1929 skb->len += (*frag)->len;
1930 skb->data_len += (*frag)->len;
1931
1da177e4
LT		 1932 frag = &(*frag)->next;
1933 }
1da177e4
LT		 1934
1935 return sent;
1c2acffb 1936}
1da177e4 1937
5e59b791
LAD		 1938static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1939 struct msghdr *msg, size_t len,
1940 u32 priority)
1c2acffb 1941{
8c1d787b 1942 struct l2cap_conn *conn = chan->conn;
1c2acffb 1943 struct sk_buff *skb;
03a51213 1944 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1945 struct l2cap_hdr *lh;
1946
6d5922b0 1947 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1948
1949 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1950
1951 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1952 msg->msg_flags & MSG_DONTWAIT);
1953 if (IS_ERR(skb))
1954 return skb;
1c2acffb 1955
5e59b791
LAD		 1956 skb->priority = priority;
1957
1c2acffb
GP		 1958 /* Create L2CAP header */
1959 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1960 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1961 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1962 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1963
0952a57a 1964 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1965 if (unlikely(err < 0)) {
1966 kfree_skb(skb);
1967 return ERR_PTR(err);
1968 }
1969 return skb;
1970}
1971
5e59b791
LAD		 1972static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1973 struct msghdr *msg, size_t len,
1974 u32 priority)
1c2acffb 1975{
8c1d787b 1976 struct l2cap_conn *conn = chan->conn;
1c2acffb 1977 struct sk_buff *skb;
f2ba7fae 1978 int err, count;
1c2acffb
GP		 1979 struct l2cap_hdr *lh;
1980
6d5922b0 1981 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1982
f2ba7fae 1983 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1984
f2ba7fae 1985 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1986 msg->msg_flags & MSG_DONTWAIT);
1987 if (IS_ERR(skb))
1988 return skb;
1c2acffb 1989
5e59b791
LAD		 1990 skb->priority = priority;
1991
1c2acffb
GP		 1992 /* Create L2CAP header */
1993 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1994 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1995 lh->len = cpu_to_le16(len);
1c2acffb 1996
0952a57a 1997 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1998 if (unlikely(err < 0)) {
1999 kfree_skb(skb);
2000 return ERR_PTR(err);
2001 }
2002 return skb;
2003}
2004
ab0ff76d
LAD		 2005static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2006 struct msghdr *msg, size_t len,
94122bbe 2007 u16 sdulen)
1c2acffb 2008{
8c1d787b 2009 struct l2cap_conn *conn = chan->conn;
1c2acffb 2010 struct sk_buff *skb;
e4ca6d98 2011 int err, count, hlen;
1c2acffb
GP		 2012 struct l2cap_hdr *lh;
2013
6d5922b0 2014 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 2015
0ee0d208
GP		 2016 if (!conn)
2017 return ERR_PTR(-ENOTCONN);
2018
e4ca6d98
AE		 2019 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2020 hlen = L2CAP_EXT_HDR_SIZE;
2021 else
2022 hlen = L2CAP_ENH_HDR_SIZE;
2023
c74e560c 2024 if (sdulen)
03a51213 2025 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2026
47d1ec61 2027 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2028 hlen += L2CAP_FCS_SIZE;
fcc203c3 2029
1c2acffb 2030 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2031
2032 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2033 msg->msg_flags & MSG_DONTWAIT);
2034 if (IS_ERR(skb))
2035 return skb;
1c2acffb
GP		 2036
2037 /* Create L2CAP header */
2038 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2039 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2040 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2041
18a48e76
MM		 2042 /* Control header is populated later */
2043 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2044 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2045 else
2046 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2047
c74e560c 2048 if (sdulen)
03a51213 2049 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2050
0952a57a 2051 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2052 if (unlikely(err < 0)) {
2053 kfree_skb(skb);
2054 return ERR_PTR(err);
2055 }
e90bac06 2056
18a48e76 2057 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2058 bt_cb(skb)->control.retries = 0;
1c2acffb 2059 return skb;
1da177e4
LT		 2060}
2061
94122bbe
MM		 2062static int l2cap_segment_sdu(struct l2cap_chan *chan,
2063 struct sk_buff_head *seg_queue,
2064 struct msghdr *msg, size_t len)
c74e560c 2065{
c74e560c 2066 struct sk_buff *skb;
94122bbe
MM		 2067 u16 sdu_len;
2068 size_t pdu_len;
2069 int err = 0;
2070 u8 sar;
c74e560c 2071
94122bbe 2072 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 2073
94122bbe
MM		 2074 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2075 * so fragmented skbs are not used. The HCI layer's handling
2076 * of fragmented skbs is not compatible with ERTM's queueing.
2077 */
c74e560c 2078
94122bbe
MM		 2079 /* PDU size is derived from the HCI MTU */
2080 pdu_len = chan->conn->mtu;
c74e560c 2081
94122bbe
MM		 2082 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2083
2084 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2085 if (chan->fcs)
2086 pdu_len -= L2CAP_FCS_SIZE;
2087
2088 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2089 pdu_len -= L2CAP_EXT_HDR_SIZE;
2090 else
2091 pdu_len -= L2CAP_ENH_HDR_SIZE;
94122bbe
MM		 2092
2093 /* Remote device may have requested smaller PDUs */
2094 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2095
2096 if (len <= pdu_len) {
2097 sar = L2CAP_SAR_UNSEGMENTED;
2098 sdu_len = 0;
2099 pdu_len = len;
2100 } else {
2101 sar = L2CAP_SAR_START;
2102 sdu_len = len;
2103 pdu_len -= L2CAP_SDULEN_SIZE;
2104 }
2105
2106 while (len > 0) {
2107 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2108
c74e560c 2109 if (IS_ERR(skb)) {
94122bbe 2110 __skb_queue_purge(seg_queue);
c74e560c
GP		 2111 return PTR_ERR(skb);
2112 }
2113
94122bbe
MM		 2114 bt_cb(skb)->control.sar = sar;
2115 __skb_queue_tail(seg_queue, skb);
2116
2117 len -= pdu_len;
2118 if (sdu_len) {
2119 sdu_len = 0;
2120 pdu_len += L2CAP_SDULEN_SIZE;
2121 }
2122
2123 if (len <= pdu_len) {
2124 sar = L2CAP_SAR_END;
2125 pdu_len = len;
2126 } else {
2127 sar = L2CAP_SAR_CONTINUE;
2128 }
c74e560c 2129 }
c74e560c 2130
94122bbe 2131 return err;
c74e560c
GP		 2132}
2133
5e59b791
LAD		 2134int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2135 u32 priority)
9a91a04a 2136{
9a91a04a 2137 struct sk_buff *skb;
9a91a04a 2138 int err;
94122bbe 2139 struct sk_buff_head seg_queue;
9a91a04a
GP		 2140
2141 /* Connectionless channel */
715ec005 2142 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2143 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2144 if (IS_ERR(skb))
2145 return PTR_ERR(skb);
2146
2147 l2cap_do_send(chan, skb);
2148 return len;
2149 }
2150
2151 switch (chan->mode) {
2152 case L2CAP_MODE_BASIC:
2153 /* Check outgoing MTU */
2154 if (len > chan->omtu)
2155 return -EMSGSIZE;
2156
2157 /* Create a basic PDU */
5e59b791 2158 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2159 if (IS_ERR(skb))
2160 return PTR_ERR(skb);
2161
2162 l2cap_do_send(chan, skb);
2163 err = len;
2164 break;
2165
2166 case L2CAP_MODE_ERTM:
2167 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2168 /* Check outgoing MTU */
2169 if (len > chan->omtu) {
2170 err = -EMSGSIZE;
2171 break;
2172 }
9a91a04a 2173
94122bbe 2174 __skb_queue_head_init(&seg_queue);
9a91a04a 2175
94122bbe
MM		 2176 /* Do segmentation before calling in to the state machine,
2177 * since it's possible to block while waiting for memory
2178 * allocation.
2179 */
2180 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2181
94122bbe
MM		 2182 /* The channel could have been closed while segmenting,
2183 * check that it is still connected.
2184 */
2185 if (chan->state != BT_CONNECTED) {
2186 __skb_queue_purge(&seg_queue);
2187 err = -ENOTCONN;
9a91a04a
GP		 2188 }
2189
94122bbe 2190 if (err)
9a91a04a 2191 break;
9a91a04a 2192
3733937d 2193 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2194 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2195 else
d660366d 2196 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2197
d660366d 2198 err = len;
9a91a04a 2199
94122bbe
MM		 2200 /* If the skbs were not queued for sending, they'll still be in
2201 * seg_queue and need to be purged.
2202 */
2203 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2204 break;
2205
2206 default:
2207 BT_DBG("bad state %1.1x", chan->mode);
2208 err = -EBADFD;
2209 }
2210
2211 return err;
2212}
2213
d2a7ac5d
MM		 2214static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2215{
bed68bde
MM		 2216 struct l2cap_ctrl control;
2217 u16 seq;
2218
2219 BT_DBG("chan %p, txseq %d", chan, txseq);
2220
2221 memset(&control, 0, sizeof(control));
2222 control.sframe = 1;
2223 control.super = L2CAP_SUPER_SREJ;
2224
2225 for (seq = chan->expected_tx_seq; seq != txseq;
2226 seq = __next_seq(chan, seq)) {
2227 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2228 control.reqseq = seq;
2229 l2cap_send_sframe(chan, &control);
2230 l2cap_seq_list_append(&chan->srej_list, seq);
2231 }
2232 }
2233
2234 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2235}
2236
2237static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2238{
bed68bde
MM		 2239 struct l2cap_ctrl control;
2240
2241 BT_DBG("chan %p", chan);
2242
2243 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2244 return;
2245
2246 memset(&control, 0, sizeof(control));
2247 control.sframe = 1;
2248 control.super = L2CAP_SUPER_SREJ;
2249 control.reqseq = chan->srej_list.tail;
2250 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2251}
2252
2253static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2254{
bed68bde
MM		 2255 struct l2cap_ctrl control;
2256 u16 initial_head;
2257 u16 seq;
2258
2259 BT_DBG("chan %p, txseq %d", chan, txseq);
2260
2261 memset(&control, 0, sizeof(control));
2262 control.sframe = 1;
2263 control.super = L2CAP_SUPER_SREJ;
2264
2265 /* Capture initial list head to allow only one pass through the list. */
2266 initial_head = chan->srej_list.head;
2267
2268 do {
2269 seq = l2cap_seq_list_pop(&chan->srej_list);
2270 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2271 break;
2272
2273 control.reqseq = seq;
2274 l2cap_send_sframe(chan, &control);
2275 l2cap_seq_list_append(&chan->srej_list, seq);
2276 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2277}
2278
608bcc6d
MM		 2279static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2280{
2281 struct sk_buff *acked_skb;
2282 u16 ackseq;
2283
2284 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2285
2286 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2287 return;
2288
2289 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2290 chan->expected_ack_seq, chan->unacked_frames);
2291
2292 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2293 ackseq = __next_seq(chan, ackseq)) {
2294
2295 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2296 if (acked_skb) {
2297 skb_unlink(acked_skb, &chan->tx_q);
2298 kfree_skb(acked_skb);
2299 chan->unacked_frames--;
2300 }
2301 }
2302
2303 chan->expected_ack_seq = reqseq;
2304
2305 if (chan->unacked_frames == 0)
2306 __clear_retrans_timer(chan);
2307
2308 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2309}
2310
2311static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2312{
2313 BT_DBG("chan %p", chan);
2314
2315 chan->expected_tx_seq = chan->buffer_seq;
2316 l2cap_seq_list_clear(&chan->srej_list);
2317 skb_queue_purge(&chan->srej_q);
2318 chan->rx_state = L2CAP_RX_STATE_RECV;
2319}
2320
d660366d
GP		 2321static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2322 struct l2cap_ctrl *control,
2323 struct sk_buff_head *skbs, u8 event)
608bcc6d 2324{
608bcc6d
MM		 2325 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2326 event);
2327
2328 switch (event) {
2329 case L2CAP_EV_DATA_REQUEST:
2330 if (chan->tx_send_head == NULL)
2331 chan->tx_send_head = skb_peek(skbs);
2332
2333 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2334 l2cap_ertm_send(chan);
2335 break;
2336 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2337 BT_DBG("Enter LOCAL_BUSY");
2338 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2339
2340 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2341 /* The SREJ_SENT state must be aborted if we are to
2342 * enter the LOCAL_BUSY state.
2343 */
2344 l2cap_abort_rx_srej_sent(chan);
2345 }
2346
2347 l2cap_send_ack(chan);
2348
2349 break;
2350 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2351 BT_DBG("Exit LOCAL_BUSY");
2352 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2353
2354 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2355 struct l2cap_ctrl local_control;
2356
2357 memset(&local_control, 0, sizeof(local_control));
2358 local_control.sframe = 1;
2359 local_control.super = L2CAP_SUPER_RR;
2360 local_control.poll = 1;
2361 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2362 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2363
2364 chan->retry_count = 1;
2365 __set_monitor_timer(chan);
2366 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2367 }
2368 break;
2369 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2370 l2cap_process_reqseq(chan, control->reqseq);
2371 break;
2372 case L2CAP_EV_EXPLICIT_POLL:
2373 l2cap_send_rr_or_rnr(chan, 1);
2374 chan->retry_count = 1;
2375 __set_monitor_timer(chan);
2376 __clear_ack_timer(chan);
2377 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2378 break;
2379 case L2CAP_EV_RETRANS_TO:
2380 l2cap_send_rr_or_rnr(chan, 1);
2381 chan->retry_count = 1;
2382 __set_monitor_timer(chan);
2383 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2384 break;
2385 case L2CAP_EV_RECV_FBIT:
2386 /* Nothing to process */
2387 break;
2388 default:
2389 break;
2390 }
608bcc6d
MM		 2391}
2392
d660366d
GP		 2393static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2394 struct l2cap_ctrl *control,
2395 struct sk_buff_head *skbs, u8 event)
608bcc6d 2396{
608bcc6d
MM		 2397 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2398 event);
2399
2400 switch (event) {
2401 case L2CAP_EV_DATA_REQUEST:
2402 if (chan->tx_send_head == NULL)
2403 chan->tx_send_head = skb_peek(skbs);
2404 /* Queue data, but don't send. */
2405 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2406 break;
2407 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2408 BT_DBG("Enter LOCAL_BUSY");
2409 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2410
2411 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2412 /* The SREJ_SENT state must be aborted if we are to
2413 * enter the LOCAL_BUSY state.
2414 */
2415 l2cap_abort_rx_srej_sent(chan);
2416 }
2417
2418 l2cap_send_ack(chan);
2419
2420 break;
2421 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2422 BT_DBG("Exit LOCAL_BUSY");
2423 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2424
2425 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2426 struct l2cap_ctrl local_control;
2427 memset(&local_control, 0, sizeof(local_control));
2428 local_control.sframe = 1;
2429 local_control.super = L2CAP_SUPER_RR;
2430 local_control.poll = 1;
2431 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2432 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2433
2434 chan->retry_count = 1;
2435 __set_monitor_timer(chan);
2436 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2437 }
2438 break;
2439 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2440 l2cap_process_reqseq(chan, control->reqseq);
2441
2442 /* Fall through */
2443
2444 case L2CAP_EV_RECV_FBIT:
2445 if (control && control->final) {
2446 __clear_monitor_timer(chan);
2447 if (chan->unacked_frames > 0)
2448 __set_retrans_timer(chan);
2449 chan->retry_count = 0;
2450 chan->tx_state = L2CAP_TX_STATE_XMIT;
2451 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2452 }
2453 break;
2454 case L2CAP_EV_EXPLICIT_POLL:
2455 /* Ignore */
2456 break;
2457 case L2CAP_EV_MONITOR_TO:
2458 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2459 l2cap_send_rr_or_rnr(chan, 1);
2460 __set_monitor_timer(chan);
2461 chan->retry_count++;
2462 } else {
2463 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2464 }
2465 break;
2466 default:
2467 break;
2468 }
608bcc6d
MM		 2469}
2470
d660366d
GP		 2471static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2472 struct sk_buff_head *skbs, u8 event)
608bcc6d 2473{
608bcc6d
MM		 2474 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2475 chan, control, skbs, event, chan->tx_state);
2476
2477 switch (chan->tx_state) {
2478 case L2CAP_TX_STATE_XMIT:
d660366d 2479 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2480 break;
2481 case L2CAP_TX_STATE_WAIT_F:
d660366d 2482 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2483 break;
2484 default:
2485 /* Ignore event */
2486 break;
2487 }
608bcc6d
MM		 2488}
2489
4b51dae9
MM		 2490static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2491 struct l2cap_ctrl *control)
2492{
2493 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2494 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2495}
2496
f80842a8
MM		 2497static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2498 struct l2cap_ctrl *control)
2499{
2500 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2501 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2502}
2503
1da177e4
LT		 2504/* Copy frame to all raw sockets on that connection */
2505static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2506{
1da177e4 2507 struct sk_buff *nskb;
48454079 2508 struct l2cap_chan *chan;
1da177e4
LT		 2509
2510 BT_DBG("conn %p", conn);
2511
3df91ea2 2512 mutex_lock(&conn->chan_lock);
3d57dc68 2513
3df91ea2 2514 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2515 struct sock *sk = chan->sk;
715ec005 2516 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2517 continue;
2518
2519 /* Don't send frame to the socket it came from */
2520 if (skb->sk == sk)
2521 continue;
af05b30b
GP		 2522 nskb = skb_clone(skb, GFP_ATOMIC);
2523 if (!nskb)
1da177e4
LT		 2524 continue;
2525
80b98027 2526 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2527 kfree_skb(nskb);
2528 }
3d57dc68 2529
3df91ea2 2530 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2531}
2532
2533/* ---- L2CAP signalling commands ---- */
2534static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2535 u8 code, u8 ident, u16 dlen, void *data)
2536{
2537 struct sk_buff *skb, **frag;
2538 struct l2cap_cmd_hdr *cmd;
2539 struct l2cap_hdr *lh;
2540 int len, count;
2541
af05b30b
GP		 2542 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2543 conn, code, ident, dlen);
1da177e4
LT		 2544
2545 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2546 count = min_t(unsigned int, conn->mtu, len);
2547
2548 skb = bt_skb_alloc(count, GFP_ATOMIC);
2549 if (!skb)
2550 return NULL;
2551
2552 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2553 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2554
2555 if (conn->hcon->type == LE_LINK)
ac73498c 2556 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2557 else
ac73498c 2558 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2559
2560 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2561 cmd->code = code;
2562 cmd->ident = ident;
aca3192c 2563 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2564
2565 if (dlen) {
2566 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2567 memcpy(skb_put(skb, count), data, count);
2568 data += count;
2569 }
2570
2571 len -= skb->len;
2572
2573 /* Continuation fragments (no L2CAP header) */
2574 frag = &skb_shinfo(skb)->frag_list;
2575 while (len) {
2576 count = min_t(unsigned int, conn->mtu, len);
2577
2578 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2579 if (!*frag)
2580 goto fail;
2581
2582 memcpy(skb_put(*frag, count), data, count);
2583
2584 len -= count;
2585 data += count;
2586
2587 frag = &(*frag)->next;
2588 }
2589
2590 return skb;
2591
2592fail:
2593 kfree_skb(skb);
2594 return NULL;
2595}
2596
2597static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2598{
2599 struct l2cap_conf_opt *opt = *ptr;
2600 int len;
2601
2602 len = L2CAP_CONF_OPT_SIZE + opt->len;
2603 *ptr += len;
2604
2605 *type = opt->type;
2606 *olen = opt->len;
2607
2608 switch (opt->len) {
2609 case 1:
2610 *val = *((u8 *) opt->val);
2611 break;
2612
2613 case 2:
bfaaeb3e 2614 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2615 break;
2616
2617 case 4:
bfaaeb3e 2618 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2619 break;
2620
2621 default:
2622 *val = (unsigned long) opt->val;
2623 break;
2624 }
2625
2626 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2627 return len;
2628}
2629
1da177e4
LT		 2630static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2631{
2632 struct l2cap_conf_opt *opt = *ptr;
2633
2634 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2635
2636 opt->type = type;
2637 opt->len = len;
2638
2639 switch (len) {
2640 case 1:
2641 *((u8 *) opt->val) = val;
2642 break;
2643
2644 case 2:
4f8b691c 2645 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2646 break;
2647
2648 case 4:
4f8b691c 2649 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2650 break;
2651
2652 default:
2653 memcpy(opt->val, (void *) val, len);
2654 break;
2655 }
2656
2657 *ptr += L2CAP_CONF_OPT_SIZE + len;
2658}
2659
f89cef09
AE		 2660static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2661{
2662 struct l2cap_conf_efs efs;
2663
1ec918ce 2664 switch (chan->mode) {
f89cef09
AE		 2665 case L2CAP_MODE_ERTM:
2666 efs.id = chan->local_id;
2667 efs.stype = chan->local_stype;
2668 efs.msdu = cpu_to_le16(chan->local_msdu);
2669 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2670 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2671 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2672 break;
2673
2674 case L2CAP_MODE_STREAMING:
2675 efs.id = 1;
2676 efs.stype = L2CAP_SERV_BESTEFFORT;
2677 efs.msdu = cpu_to_le16(chan->local_msdu);
2678 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2679 efs.acc_lat = 0;
2680 efs.flush_to = 0;
2681 break;
2682
2683 default:
2684 return;
2685 }
2686
2687 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2688 (unsigned long) &efs);
2689}
2690
721c4181 2691static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2692{
721c4181 2693 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2694 ack_timer.work);
2695 u16 frames_to_ack;
c1b4f43b 2696
2fb9b3d4
GP		 2697 BT_DBG("chan %p", chan);
2698
6be36555
AE		 2699 l2cap_chan_lock(chan);
2700
0362520b
MM		 2701 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2702 chan->last_acked_seq);
6be36555 2703
0362520b
MM		 2704 if (frames_to_ack)
2705 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2706
0362520b 2707 l2cap_chan_unlock(chan);
09bfb2ee 2708 l2cap_chan_put(chan);
c1b4f43b
GP		 2709}
2710
466f8004 2711int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2712{
3c588192
MM		 2713 int err;
2714
105bdf9e
MM		 2715 chan->next_tx_seq = 0;
2716 chan->expected_tx_seq = 0;
42e5c802 2717 chan->expected_ack_seq = 0;
6a026610 2718 chan->unacked_frames = 0;
42e5c802 2719 chan->buffer_seq = 0;
6a026610 2720 chan->frames_sent = 0;
105bdf9e
MM		 2721 chan->last_acked_seq = 0;
2722 chan->sdu = NULL;
2723 chan->sdu_last_frag = NULL;
2724 chan->sdu_len = 0;
2725
d34c34fb
MM		 2726 skb_queue_head_init(&chan->tx_q);
2727
105bdf9e
MM		 2728 if (chan->mode != L2CAP_MODE_ERTM)
2729 return 0;
2730
2731 chan->rx_state = L2CAP_RX_STATE_RECV;
2732 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2733
721c4181
GP		 2734 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2735 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2736 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2737
f1c6775b 2738 skb_queue_head_init(&chan->srej_q);
1890d36b 2739
3c588192
MM		 2740 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2741 if (err < 0)
2742 return err;
2743
9dc9affc
MM		 2744 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2745 if (err < 0)
2746 l2cap_seq_list_free(&chan->srej_list);
2747
2748 return err;
0565c1c2
GP		 2749}
2750
f2fcfcd6
GP		 2751static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2752{
2753 switch (mode) {
2754 case L2CAP_MODE_STREAMING:
2755 case L2CAP_MODE_ERTM:
2756 if (l2cap_mode_supported(mode, remote_feat_mask))
2757 return mode;
2758 /* fall through */
2759 default:
2760 return L2CAP_MODE_BASIC;
2761 }
2762}
2763
6327eb98
AE		 2764static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2765{
2766 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2767}
2768
f89cef09
AE		 2769static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2770{
2771 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2772}
2773
6327eb98
AE		 2774static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2775{
2776 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2777 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2778 /* use extended control field */
2779 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2780 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2781 } else {
6327eb98
AE		 2782 chan->tx_win = min_t(u16, chan->tx_win,
2783 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2784 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2785 }
6327eb98
AE		 2786}
2787
710f9b0a 2788static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2789{
1da177e4 2790 struct l2cap_conf_req *req = data;
0c1bc5c6 2791 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2792 void *ptr = req->data;
c8f79162 2793 u16 size;
1da177e4 2794
49208c9c 2795 BT_DBG("chan %p", chan);
1da177e4 2796
73ffa904 2797 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2798 goto done;
2799
0c1bc5c6 2800 switch (chan->mode) {
f2fcfcd6
GP		 2801 case L2CAP_MODE_STREAMING:
2802 case L2CAP_MODE_ERTM:
c1360a1c 2803 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2804 break;
85eb53c6 2805
f89cef09
AE		 2806 if (__l2cap_efs_supported(chan))
2807 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2808
2ba13ed6 2809 /* fall through */
f2fcfcd6 2810 default:
8c1d787b 2811 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2812 break;
2813 }
2814
2815done:
0c1bc5c6
GP		 2816 if (chan->imtu != L2CAP_DEFAULT_MTU)
2817 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2818
0c1bc5c6 2819 switch (chan->mode) {
65c7c491 2820 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2821 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2822 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2823 break;
2824
62547752
GP		 2825 rfc.mode = L2CAP_MODE_BASIC;
2826 rfc.txwin_size = 0;
2827 rfc.max_transmit = 0;
2828 rfc.retrans_timeout = 0;
2829 rfc.monitor_timeout = 0;
2830 rfc.max_pdu_size = 0;
2831
63406504
GP		 2832 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2833 (unsigned long) &rfc);
65c7c491
MH		 2834 break;
2835
2836 case L2CAP_MODE_ERTM:
2837 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2838 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2839 rfc.retrans_timeout = 0;
2840 rfc.monitor_timeout = 0;
c8f79162
AE		 2841
2842 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2843 L2CAP_EXT_HDR_SIZE -
2844 L2CAP_SDULEN_SIZE -
2845 L2CAP_FCS_SIZE);
2846 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2847
6327eb98
AE		 2848 l2cap_txwin_setup(chan);
2849
2850 rfc.txwin_size = min_t(u16, chan->tx_win,
2851 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2852
63406504
GP		 2853 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2854 (unsigned long) &rfc);
2855
f89cef09
AE		 2856 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2857 l2cap_add_opt_efs(&ptr, chan);
2858
8c1d787b 2859 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2860 break;
2861
47d1ec61 2862 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2863 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2864 chan->fcs = L2CAP_FCS_NONE;
2865 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2866 }
6327eb98
AE		 2867
2868 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2869 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2870 chan->tx_win);
f2fcfcd6
GP		 2871 break;
2872
2873 case L2CAP_MODE_STREAMING:
273759e2 2874 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2875 rfc.mode = L2CAP_MODE_STREAMING;
2876 rfc.txwin_size = 0;
2877 rfc.max_transmit = 0;
2878 rfc.retrans_timeout = 0;
2879 rfc.monitor_timeout = 0;
c8f79162
AE		 2880
2881 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2882 L2CAP_EXT_HDR_SIZE -
2883 L2CAP_SDULEN_SIZE -
2884 L2CAP_FCS_SIZE);
2885 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2886
63406504
GP		 2887 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2888 (unsigned long) &rfc);
2889
f89cef09
AE		 2890 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2891 l2cap_add_opt_efs(&ptr, chan);
2892
8c1d787b 2893 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2894 break;
2895
47d1ec61 2896 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2897 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2898 chan->fcs = L2CAP_FCS_NONE;
2899 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2900 }
65c7c491
MH		 2901 break;
2902 }
1da177e4 2903
fe4128e0 2904 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2905 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2906
2907 return ptr - data;
2908}
2909
73ffa904 2910static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2911{
5dee9e7c
MH		 2912 struct l2cap_conf_rsp *rsp = data;
2913 void *ptr = rsp->data;
73ffa904
GP		 2914 void *req = chan->conf_req;
2915 int len = chan->conf_len;
5dee9e7c
MH		 2916 int type, hint, olen;
2917 unsigned long val;
6464f35f 2918 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2919 struct l2cap_conf_efs efs;
2920 u8 remote_efs = 0;
861d6882 2921 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2922 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2923 u16 size;
1da177e4 2924
73ffa904 2925 BT_DBG("chan %p", chan);
820ae1b8 2926
5dee9e7c
MH		 2927 while (len >= L2CAP_CONF_OPT_SIZE) {
2928 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2929
589d2746 2930 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2931 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2932
2933 switch (type) {
2934 case L2CAP_CONF_MTU:
861d6882 2935 mtu = val;
5dee9e7c
MH		 2936 break;
2937
2938 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2939 chan->flush_to = val;
5dee9e7c
MH		 2940 break;
2941
2942 case L2CAP_CONF_QOS:
2943 break;
2944
6464f35f
MH		 2945 case L2CAP_CONF_RFC:
2946 if (olen == sizeof(rfc))
2947 memcpy(&rfc, (void *) val, olen);
2948 break;
2949
fcc203c3
GP		 2950 case L2CAP_CONF_FCS:
2951 if (val == L2CAP_FCS_NONE)
c1360a1c 2952 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2953 break;
fcc203c3 2954
42dceae2
AE		 2955 case L2CAP_CONF_EFS:
2956 remote_efs = 1;
2957 if (olen == sizeof(efs))
2958 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2959 break;
2960
6327eb98
AE		 2961 case L2CAP_CONF_EWS:
2962 if (!enable_hs)
2963 return -ECONNREFUSED;
fcc203c3 2964
6327eb98
AE		 2965 set_bit(FLAG_EXT_CTRL, &chan->flags);
2966 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2967 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2968 chan->remote_tx_win = val;
fcc203c3
GP		 2969 break;
2970
5dee9e7c
MH		 2971 default:
2972 if (hint)
2973 break;
2974
2975 result = L2CAP_CONF_UNKNOWN;
2976 *((u8 *) ptr++) = type;
2977 break;
2978 }
2979 }
2980
73ffa904 2981 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2982 goto done;
2983
0c1bc5c6 2984 switch (chan->mode) {
f2fcfcd6
GP		 2985 case L2CAP_MODE_STREAMING:
2986 case L2CAP_MODE_ERTM:
c1360a1c 2987 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2988 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2989 chan->conn->feat_mask);
85eb53c6
GP		 2990 break;
2991 }
2992
42dceae2
AE		 2993 if (remote_efs) {
2994 if (__l2cap_efs_supported(chan))
2995 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2996 else
2997 return -ECONNREFUSED;
2998 }
2999
0c1bc5c6 3000 if (chan->mode != rfc.mode)
f2fcfcd6 3001 return -ECONNREFUSED;
742e519b 3002
f2fcfcd6 3003 break;
f2fcfcd6
GP		 3004 }
3005
3006done:
0c1bc5c6 3007 if (chan->mode != rfc.mode) {
f2fcfcd6 3008 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3009 rfc.mode = chan->mode;
f2fcfcd6 3010
73ffa904 3011 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3012 return -ECONNREFUSED;
3013
3014 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3015 sizeof(rfc), (unsigned long) &rfc);
3016 }
3017
5dee9e7c
MH		 3018 if (result == L2CAP_CONF_SUCCESS) {
3019 /* Configure output options and let the other side know
3020 * which ones we don't like. */
3021
f2fcfcd6
GP		 3022 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3023 result = L2CAP_CONF_UNACCEPT;
3024 else {
0c1bc5c6 3025 chan->omtu = mtu;
c1360a1c 3026 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3027 }
0c1bc5c6 3028 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3029
42dceae2
AE		 3030 if (remote_efs) {
3031 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3032 efs.stype != L2CAP_SERV_NOTRAFIC &&
3033 efs.stype != chan->local_stype) {
3034
3035 result = L2CAP_CONF_UNACCEPT;
3036
3037 if (chan->num_conf_req >= 1)
3038 return -ECONNREFUSED;
3039
3040 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3041 sizeof(efs),
42dceae2 3042 (unsigned long) &efs);
0e8b207e 3043 } else {
3e6b3b95 3044 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3045 result = L2CAP_CONF_PENDING;
3046 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3047 }
3048 }
3049
f2fcfcd6
GP		 3050 switch (rfc.mode) {
3051 case L2CAP_MODE_BASIC:
47d1ec61 3052 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3053 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3054 break;
3055
3056 case L2CAP_MODE_ERTM:
6327eb98
AE		 3057 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3058 chan->remote_tx_win = rfc.txwin_size;
3059 else
3060 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3061
2c03a7a4 3062 chan->remote_max_tx = rfc.max_transmit;
1c762159 3063
c8f79162
AE		 3064 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3065 chan->conn->mtu -
3066 L2CAP_EXT_HDR_SIZE -
3067 L2CAP_SDULEN_SIZE -
3068 L2CAP_FCS_SIZE);
3069 rfc.max_pdu_size = cpu_to_le16(size);
3070 chan->remote_mps = size;
f2fcfcd6 3071
10467e9e 3072 rfc.retrans_timeout =
4fd21a88 3073 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3074 rfc.monitor_timeout =
4fd21a88 3075 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3076
c1360a1c 3077 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3078
3079 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3080 sizeof(rfc), (unsigned long) &rfc);
3081
42dceae2
AE		 3082 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3083 chan->remote_id = efs.id;
3084 chan->remote_stype = efs.stype;
3085 chan->remote_msdu = le16_to_cpu(efs.msdu);
3086 chan->remote_flush_to =
3087 le32_to_cpu(efs.flush_to);
3088 chan->remote_acc_lat =
3089 le32_to_cpu(efs.acc_lat);
3090 chan->remote_sdu_itime =
3091 le32_to_cpu(efs.sdu_itime);
3092 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3093 sizeof(efs), (unsigned long) &efs);
3094 }
f2fcfcd6
GP		 3095 break;
3096
3097 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3098 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3099 chan->conn->mtu -
3100 L2CAP_EXT_HDR_SIZE -
3101 L2CAP_SDULEN_SIZE -
3102 L2CAP_FCS_SIZE);
3103 rfc.max_pdu_size = cpu_to_le16(size);
3104 chan->remote_mps = size;
f2fcfcd6 3105
c1360a1c 3106 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3107
3108 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3109 sizeof(rfc), (unsigned long) &rfc);
3110
f2fcfcd6
GP		 3111 break;
3112
3113 default:
5dee9e7c 3114 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3115
6464f35f 3116 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3117 rfc.mode = chan->mode;
f2fcfcd6 3118 }
6464f35f 3119
f2fcfcd6 3120 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3121 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3122 }
fe4128e0 3123 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3124 rsp->result = cpu_to_le16(result);
59e54bd1 3125 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3126
3127 return ptr - data;
1da177e4
LT		 3128}
3129
b4450035 3130static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3131{
f2fcfcd6
GP		 3132 struct l2cap_conf_req *req = data;
3133 void *ptr = req->data;
3134 int type, olen;
3135 unsigned long val;
36e999a8 3136 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3137 struct l2cap_conf_efs efs;
f2fcfcd6 3138
fe4128e0 3139 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3140
3141 while (len >= L2CAP_CONF_OPT_SIZE) {
3142 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3143
3144 switch (type) {
3145 case L2CAP_CONF_MTU:
3146 if (val < L2CAP_DEFAULT_MIN_MTU) {
3147 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3148 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3149 } else
0c1bc5c6
GP		 3150 chan->imtu = val;
3151 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3152 break;
3153
3154 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3155 chan->flush_to = val;
f2fcfcd6 3156 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3157 2, chan->flush_to);
f2fcfcd6
GP		 3158 break;
3159
3160 case L2CAP_CONF_RFC:
3161 if (olen == sizeof(rfc))
3162 memcpy(&rfc, (void *)val, olen);
3163
c1360a1c 3164 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3165 rfc.mode != chan->mode)
f2fcfcd6
GP		 3166 return -ECONNREFUSED;
3167
47d1ec61 3168 chan->fcs = 0;
f2fcfcd6
GP		 3169
3170 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3171 sizeof(rfc), (unsigned long) &rfc);
3172 break;
6327eb98
AE		 3173
3174 case L2CAP_CONF_EWS:
3175 chan->tx_win = min_t(u16, val,
3176 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3177 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3178 chan->tx_win);
6327eb98 3179 break;
66af7aaf
AE		 3180
3181 case L2CAP_CONF_EFS:
3182 if (olen == sizeof(efs))
3183 memcpy(&efs, (void *)val, olen);
3184
3185 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3186 efs.stype != L2CAP_SERV_NOTRAFIC &&
3187 efs.stype != chan->local_stype)
3188 return -ECONNREFUSED;
3189
3190 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3191 sizeof(efs), (unsigned long) &efs);
3192 break;
f2fcfcd6
GP		 3193 }
3194 }
3195
0c1bc5c6 3196 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3197 return -ECONNREFUSED;
3198
0c1bc5c6 3199 chan->mode = rfc.mode;
6c2ea7a8 3200
0e8b207e 3201 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3202 switch (rfc.mode) {
3203 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3204 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3205 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3206 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3207
3208 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3209 chan->local_msdu = le16_to_cpu(efs.msdu);
3210 chan->local_sdu_itime =
3211 le32_to_cpu(efs.sdu_itime);
3212 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3213 chan->local_flush_to =
3214 le32_to_cpu(efs.flush_to);
3215 }
f2fcfcd6 3216 break;
66af7aaf 3217
f2fcfcd6 3218 case L2CAP_MODE_STREAMING:
47d1ec61 3219 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3220 }
3221 }
3222
fe4128e0 3223 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3224 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3225
3226 return ptr - data;
3227}
3228
fe4128e0 3229static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3230{
3231 struct l2cap_conf_rsp *rsp = data;
3232 void *ptr = rsp->data;
1da177e4 3233
fe4128e0 3234 BT_DBG("chan %p", chan);
1da177e4 3235
fe4128e0 3236 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3237 rsp->result = cpu_to_le16(result);
aca3192c 3238 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3239
3240 return ptr - data;
3241}
3242
8c1d787b 3243void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3244{
3245 struct l2cap_conn_rsp rsp;
8c1d787b 3246 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3247 u8 buf[128];
3248
fe4128e0
GP		 3249 rsp.scid = cpu_to_le16(chan->dcid);
3250 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3251 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3252 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3253 l2cap_send_cmd(conn, chan->ident,
3254 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3255
c1360a1c 3256 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3257 return;
3258
710f9b0a
GP		 3259 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3260 l2cap_build_conf_req(chan, buf), buf);
3261 chan->num_conf_req++;
3262}
3263
47d1ec61 3264static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3265{
7b1c0049
GP		 3266 int type, olen;
3267 unsigned long val;
3268 struct l2cap_conf_rfc rfc;
3269
47d1ec61 3270 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3271
0c1bc5c6 3272 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3273 return;
3274
3275 while (len >= L2CAP_CONF_OPT_SIZE) {
3276 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3277
3278 switch (type) {
3279 case L2CAP_CONF_RFC:
3280 if (olen == sizeof(rfc))
3281 memcpy(&rfc, (void *)val, olen);
3282 goto done;
3283 }
3284 }
3285
36e999a8
MM		 3286 /* Use sane default values in case a misbehaving remote device
3287 * did not send an RFC option.
3288 */
3289 rfc.mode = chan->mode;
ac73498c
AE		 3290 rfc.retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3291 rfc.monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36e999a8
MM		 3292 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3293
3294 BT_ERR("Expected RFC option was not found, using defaults");
3295
7b1c0049
GP		 3296done:
3297 switch (rfc.mode) {
3298 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3299 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3300 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3301 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3302 break;
3303 case L2CAP_MODE_STREAMING:
47d1ec61 3304 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3305 }
3306}
3307
4e8402a3
MH		 3308static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3309{
e2fd318e 3310 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3311
e2fd318e 3312 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3313 return 0;
3314
3315 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3316 cmd->ident == conn->info_ident) {
17cd3f37 3317 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3318
3319 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3320 conn->info_ident = 0;
984947dc 3321
4e8402a3
MH		 3322 l2cap_conn_start(conn);
3323 }
3324
3325 return 0;
3326}
3327
1da177e4
LT		 3328static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3329{
1da177e4
LT		 3330 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3331 struct l2cap_conn_rsp rsp;
23691d75 3332 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3333 struct sock *parent, *sk = NULL;
e7c29cb1 3334 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3335
3336 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3337 __le16 psm = req->psm;
1da177e4 3338
097db76c 3339 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3340
3341 /* Check if we have socket listening on psm */
c2287681 3342 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3343 if (!pchan) {
1da177e4
LT		 3344 result = L2CAP_CR_BAD_PSM;
3345 goto sendresp;
3346 }
3347
23691d75
GP		 3348 parent = pchan->sk;
3349
3df91ea2 3350 mutex_lock(&conn->chan_lock);
aa2ac881 3351 lock_sock(parent);
e0f0cb56 3352
e7c29cb1 3353 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3354 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3355 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3356 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3357 result = L2CAP_CR_SEC_BLOCK;
3358 goto response;
3359 }
3360
1da177e4
LT		 3361 result = L2CAP_CR_NO_MEM;
3362
2dfa1003
GP		 3363 /* Check if we already have channel with that dcid */
3364 if (__l2cap_get_chan_by_dcid(conn, scid))
3365 goto response;
3366
80b98027 3367 chan = pchan->ops->new_connection(pchan);
80808e43 3368 if (!chan)
1da177e4
LT		 3369 goto response;
3370
80808e43
GP		 3371 sk = chan->sk;
3372
1da177e4
LT		 3373 hci_conn_hold(conn->hcon);
3374
1da177e4
LT		 3375 bacpy(&bt_sk(sk)->src, conn->src);
3376 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3377 chan->psm = psm;
3378 chan->dcid = scid;
1da177e4 3379
d1010240
GP		 3380 bt_accept_enqueue(parent, sk);
3381
6be36555 3382 __l2cap_chan_add(conn, chan);
48454079 3383
fe4128e0 3384 dcid = chan->scid;
1da177e4 3385
c9b66675 3386 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3387
fc7f8a7e 3388 chan->ident = cmd->ident;
1da177e4 3389
984947dc 3390 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3391 if (l2cap_chan_check_security(chan)) {
c5daa683 3392 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3393 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3394 result = L2CAP_CR_PEND;
3395 status = L2CAP_CS_AUTHOR_PEND;
3396 parent->sk_data_ready(parent, 0);
3397 } else {
0e587be7 3398 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3399 result = L2CAP_CR_SUCCESS;
3400 status = L2CAP_CS_NO_INFO;
3401 }
79d554a6 3402 } else {
0e587be7 3403 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3404 result = L2CAP_CR_PEND;
3405 status = L2CAP_CS_AUTHEN_PEND;
3406 }
3407 } else {
0e587be7 3408 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3409 result = L2CAP_CR_PEND;
3410 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3411 }
3412
1da177e4 3413response:
aa2ac881 3414 release_sock(parent);
3df91ea2 3415 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3416
3417sendresp:
aca3192c
YH		 3418 rsp.scid = cpu_to_le16(scid);
3419 rsp.dcid = cpu_to_le16(dcid);
3420 rsp.result = cpu_to_le16(result);
3421 rsp.status = cpu_to_le16(status);
1da177e4 3422 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3423
3424 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3425 struct l2cap_info_req info;
ac73498c 3426 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3427
3428 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3429 conn->info_ident = l2cap_get_ident(conn);
3430
ba13ccd9 3431 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3432
3433 l2cap_send_cmd(conn, conn->info_ident,
3434 L2CAP_INFO_REQ, sizeof(info), &info);
3435 }
3436
c1360a1c 3437 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3438 result == L2CAP_CR_SUCCESS) {
3439 u8 buf[128];
c1360a1c 3440 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3441 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3442 l2cap_build_conf_req(chan, buf), buf);
3443 chan->num_conf_req++;
e9aeb2dd
GP		 3444 }
3445
1da177e4
LT		 3446 return 0;
3447}
3448
3449static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3450{
3451 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3452 u16 scid, dcid, result, status;
48454079 3453 struct l2cap_chan *chan;
1da177e4 3454 u8 req[128];
3df91ea2 3455 int err;
1da177e4
LT		 3456
3457 scid = __le16_to_cpu(rsp->scid);
3458 dcid = __le16_to_cpu(rsp->dcid);
3459 result = __le16_to_cpu(rsp->result);
3460 status = __le16_to_cpu(rsp->status);
3461
1b009c98
AE		 3462 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3463 dcid, scid, result, status);
1da177e4 3464
3df91ea2
AE		 3465 mutex_lock(&conn->chan_lock);
3466
1da177e4 3467 if (scid) {
3df91ea2
AE		 3468 chan = __l2cap_get_chan_by_scid(conn, scid);
3469 if (!chan) {
3470 err = -EFAULT;
3471 goto unlock;
3472 }
1da177e4 3473 } else {
3df91ea2
AE		 3474 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3475 if (!chan) {
3476 err = -EFAULT;
3477 goto unlock;
3478 }
1da177e4
LT		 3479 }
3480
3df91ea2
AE		 3481 err = 0;
3482
6be36555 3483 l2cap_chan_lock(chan);
48454079 3484
1da177e4
LT		 3485 switch (result) {
3486 case L2CAP_CR_SUCCESS:
89bc500e 3487 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3488 chan->ident = 0;
fe4128e0 3489 chan->dcid = dcid;
c1360a1c 3490 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3491
c1360a1c 3492 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3493 break;
3494
1da177e4 3495 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3496 l2cap_build_conf_req(chan, req), req);
3497 chan->num_conf_req++;
1da177e4
LT		 3498 break;
3499
3500 case L2CAP_CR_PEND:
c1360a1c 3501 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3502 break;
3503
3504 default:
48454079 3505 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3506 break;
3507 }
3508
6be36555 3509 l2cap_chan_unlock(chan);
3df91ea2
AE		 3510
3511unlock:
3512 mutex_unlock(&conn->chan_lock);
3513
3514 return err;
1da177e4
LT		 3515}
3516
47d1ec61 3517static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3518{
3519 /* FCS is enabled only in ERTM or streaming mode, if one or both
3520 * sides request it.
3521 */
0c1bc5c6 3522 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3523 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3524 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3525 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3526}
3527
88219a0f 3528static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3529{
3530 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3531 u16 dcid, flags;
3532 u8 rsp[64];
48454079 3533 struct l2cap_chan *chan;
3c588192 3534 int len, err = 0;
1da177e4
LT		 3535
3536 dcid = __le16_to_cpu(req->dcid);
3537 flags = __le16_to_cpu(req->flags);
3538
3539 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3540
baa7e1fa 3541 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3542 if (!chan)
1da177e4
LT		 3543 return -ENOENT;
3544
033b1142 3545 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3546 struct l2cap_cmd_rej_cid rej;
3547
ac73498c 3548 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3549 rej.scid = cpu_to_le16(chan->scid);
3550 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3551
df6bd743
GP		 3552 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3553 sizeof(rej), &rej);
354f60a9 3554 goto unlock;
df6bd743 3555 }
354f60a9 3556
5dee9e7c 3557 /* Reject if config buffer is too small. */
88219a0f 3558 len = cmd_len - sizeof(*req);
7ac28817 3559 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3560 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3561 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3562 L2CAP_CONF_REJECT, flags), rsp);
3563 goto unlock;
3564 }
3565
3566 /* Store config. */
73ffa904
GP		 3567 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3568 chan->conf_len += len;
1da177e4 3569
59e54bd1 3570 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3571 /* Incomplete config. Send empty response. */
3572 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3573 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3574 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3575 goto unlock;
3576 }
3577
3578 /* Complete config. */
73ffa904 3579 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3580 if (len < 0) {
e92c8e70 3581 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3582 goto unlock;
f2fcfcd6 3583 }
1da177e4 3584
5dee9e7c 3585 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3586 chan->num_conf_rsp++;
5dee9e7c 3587
5dee9e7c 3588 /* Reset config buffer. */
73ffa904 3589 chan->conf_len = 0;
5dee9e7c 3590
c1360a1c 3591 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3592 goto unlock;
3593
c1360a1c 3594 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3595 set_default_fcs(chan);
fcc203c3 3596
105bdf9e
MM		 3597 if (chan->mode == L2CAP_MODE_ERTM ||
3598 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3599 err = l2cap_ertm_init(chan);
3600
3601 if (err < 0)
3602 l2cap_send_disconn_req(chan->conn, chan, -err);
3603 else
3604 l2cap_chan_ready(chan);
0565c1c2 3605
876d9484
MH		 3606 goto unlock;
3607 }
3608
c1360a1c 3609 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3610 u8 buf[64];
1da177e4 3611 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3612 l2cap_build_conf_req(chan, buf), buf);
3613 chan->num_conf_req++;
1da177e4
LT		 3614 }
3615
0e8b207e
AE		 3616 /* Got Conf Rsp PENDING from remote side and asume we sent
3617 Conf Rsp PENDING in the code above */
3618 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3619 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3620
3621 /* check compatibility */
3622
3623 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3624 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3625
3626 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3627 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3628 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3629 }
3630
1da177e4 3631unlock:
6be36555 3632 l2cap_chan_unlock(chan);
3c588192 3633 return err;
1da177e4
LT		 3634}
3635
3636static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3637{
3638 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3639 u16 scid, flags, result;
48454079 3640 struct l2cap_chan *chan;
61386cba 3641 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3642 int err = 0;
1da177e4
LT		 3643
3644 scid = __le16_to_cpu(rsp->scid);
3645 flags = __le16_to_cpu(rsp->flags);
3646 result = __le16_to_cpu(rsp->result);
3647
61386cba
AE		 3648 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3649 result, len);
1da177e4 3650
baa7e1fa 3651 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3652 if (!chan)
1da177e4
LT		 3653 return 0;
3654
3655 switch (result) {
3656 case L2CAP_CONF_SUCCESS:
47d1ec61 3657 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3658 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3659 break;
3660
0e8b207e
AE		 3661 case L2CAP_CONF_PENDING:
3662 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3663
3664 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3665 char buf[64];
3666
3667 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3668 buf, &result);
3669 if (len < 0) {
3670 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3671 goto done;
3672 }
3673
3674 /* check compatibility */
3675
3676 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3677 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3678
3679 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3680 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3681 L2CAP_CONF_SUCCESS, 0x0000), buf);
3682 }
3683 goto done;
3684
1da177e4 3685 case L2CAP_CONF_UNACCEPT:
73ffa904 3686 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3687 char req[64];
3688
c2c77ec8 3689 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3690 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3691 goto done;
3692 }
3693
f2fcfcd6
GP		 3694 /* throw out any old stored conf requests */
3695 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3696 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3697 req, &result);
f2fcfcd6 3698 if (len < 0) {
e92c8e70 3699 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3700 goto done;
3701 }
3702
3703 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3704 L2CAP_CONF_REQ, len, req);
73ffa904 3705 chan->num_conf_req++;
f2fcfcd6
GP		 3706 if (result != L2CAP_CONF_SUCCESS)
3707 goto done;
3708 break;
1da177e4
LT		 3709 }
3710
8e87d142 3711 default:
6be36555 3712 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3713
ba13ccd9 3714 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3715 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3716 goto done;
3717 }
3718
59e54bd1 3719 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3720 goto done;
3721
c1360a1c 3722 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3723
c1360a1c 3724 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3725 set_default_fcs(chan);
fcc203c3 3726
105bdf9e
MM		 3727 if (chan->mode == L2CAP_MODE_ERTM ||
3728 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3729 err = l2cap_ertm_init(chan);
0565c1c2 3730
3c588192
MM		 3731 if (err < 0)
3732 l2cap_send_disconn_req(chan->conn, chan, -err);
3733 else
3734 l2cap_chan_ready(chan);
1da177e4
LT		 3735 }
3736
3737done:
6be36555 3738 l2cap_chan_unlock(chan);
3c588192 3739 return err;
1da177e4
LT		 3740}
3741
3742static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3743{
3744 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3745 struct l2cap_disconn_rsp rsp;
3746 u16 dcid, scid;
48454079 3747 struct l2cap_chan *chan;
1da177e4
LT		 3748 struct sock *sk;
3749
3750 scid = __le16_to_cpu(req->scid);
3751 dcid = __le16_to_cpu(req->dcid);
3752
3753 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3754
3df91ea2
AE		 3755 mutex_lock(&conn->chan_lock);
3756
3757 chan = __l2cap_get_chan_by_scid(conn, dcid);
3758 if (!chan) {
3759 mutex_unlock(&conn->chan_lock);
1da177e4 3760 return 0;
3df91ea2 3761 }
1da177e4 3762
6be36555
AE		 3763 l2cap_chan_lock(chan);
3764
48454079
GP		 3765 sk = chan->sk;
3766
fe4128e0
GP		 3767 rsp.dcid = cpu_to_le16(chan->scid);
3768 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3769 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3770
6be36555 3771 lock_sock(sk);
1da177e4 3772 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3773 release_sock(sk);
1da177e4 3774
61d6ef3e 3775 l2cap_chan_hold(chan);
48454079 3776 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3777
3778 l2cap_chan_unlock(chan);
1da177e4 3779
80b98027 3780 chan->ops->close(chan);
61d6ef3e 3781 l2cap_chan_put(chan);
3df91ea2
AE		 3782
3783 mutex_unlock(&conn->chan_lock);
3784
1da177e4
LT		 3785 return 0;
3786}
3787
3788static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3789{
3790 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3791 u16 dcid, scid;
48454079 3792 struct l2cap_chan *chan;
1da177e4
LT		 3793
3794 scid = __le16_to_cpu(rsp->scid);
3795 dcid = __le16_to_cpu(rsp->dcid);
3796
3797 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3798
3df91ea2
AE		 3799 mutex_lock(&conn->chan_lock);
3800
3801 chan = __l2cap_get_chan_by_scid(conn, scid);
3802 if (!chan) {
3803 mutex_unlock(&conn->chan_lock);
1da177e4 3804 return 0;
3df91ea2 3805 }
1da177e4 3806
6be36555 3807 l2cap_chan_lock(chan);
48454079 3808
61d6ef3e 3809 l2cap_chan_hold(chan);
48454079 3810 l2cap_chan_del(chan, 0);
6be36555
AE		 3811
3812 l2cap_chan_unlock(chan);
1da177e4 3813
80b98027 3814 chan->ops->close(chan);
61d6ef3e 3815 l2cap_chan_put(chan);
3df91ea2
AE		 3816
3817 mutex_unlock(&conn->chan_lock);
3818
1da177e4
LT		 3819 return 0;
3820}
3821
3822static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3823{
3824 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3825 u16 type;
3826
3827 type = __le16_to_cpu(req->type);
3828
3829 BT_DBG("type 0x%4.4x", type);
3830
f0709e03
MH		 3831 if (type == L2CAP_IT_FEAT_MASK) {
3832 u8 buf[8];
44dd46de 3833 u32 feat_mask = l2cap_feat_mask;
f0709e03 3834 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3835 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3836 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3837 if (!disable_ertm)
fcc203c3
GP		 3838 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3839 | L2CAP_FEAT_FCS;
a5fd6f30 3840 if (enable_hs)
6327eb98
AE		 3841 feat_mask |= L2CAP_FEAT_EXT_FLOW
3842 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3843
1b7bf4ed 3844 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3845 l2cap_send_cmd(conn, cmd->ident,
3846 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3847 } else if (type == L2CAP_IT_FIXED_CHAN) {
3848 u8 buf[12];
3849 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3850
3851 if (enable_hs)
3852 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3853 else
3854 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3855
ac73498c
AE		 3856 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3857 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3858 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3859 l2cap_send_cmd(conn, cmd->ident,
3860 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3861 } else {
3862 struct l2cap_info_rsp rsp;
3863 rsp.type = cpu_to_le16(type);
ac73498c 3864 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3865 l2cap_send_cmd(conn, cmd->ident,
3866 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3867 }
1da177e4
LT		 3868
3869 return 0;
3870}
3871
3872static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3873{
3874 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3875 u16 type, result;
3876
3877 type = __le16_to_cpu(rsp->type);
3878 result = __le16_to_cpu(rsp->result);
3879
3880 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3881
e90165be
AE		 3882 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3883 if (cmd->ident != conn->info_ident ||
3884 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3885 return 0;
3886
17cd3f37 3887 cancel_delayed_work(&conn->info_timer);
4e8402a3 3888
adb08ede
VT		 3889 if (result != L2CAP_IR_SUCCESS) {
3890 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3891 conn->info_ident = 0;
3892
3893 l2cap_conn_start(conn);
3894
3895 return 0;
3896 }
3897
978c93b9
AE		 3898 switch (type) {
3899 case L2CAP_IT_FEAT_MASK:
83985319 3900 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3901
47ec1dcd 3902 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3903 struct l2cap_info_req req;
ac73498c 3904 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3905
3906 conn->info_ident = l2cap_get_ident(conn);
3907
3908 l2cap_send_cmd(conn, conn->info_ident,
3909 L2CAP_INFO_REQ, sizeof(req), &req);
3910 } else {
3911 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3912 conn->info_ident = 0;
3913
3914 l2cap_conn_start(conn);
3915 }
978c93b9
AE		 3916 break;
3917
3918 case L2CAP_IT_FIXED_CHAN:
3919 conn->fixed_chan_mask = rsp->data[0];
984947dc 3920 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3921 conn->info_ident = 0;
984947dc
MH		 3922
3923 l2cap_conn_start(conn);
978c93b9 3924 break;
984947dc 3925 }
4e8402a3 3926
1da177e4
LT		 3927 return 0;
3928}
3929
f94ff6ff
MM		 3930static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3931 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3932 void *data)
3933{
3934 struct l2cap_create_chan_req *req = data;
3935 struct l2cap_create_chan_rsp rsp;
3936 u16 psm, scid;
3937
3938 if (cmd_len != sizeof(*req))
3939 return -EPROTO;
3940
3941 if (!enable_hs)
3942 return -EINVAL;
3943
3944 psm = le16_to_cpu(req->psm);
3945 scid = le16_to_cpu(req->scid);
3946
3947 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3948
3949 /* Placeholder: Always reject */
3950 rsp.dcid = 0;
3951 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3952 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3953 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3954
3955 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3956 sizeof(rsp), &rsp);
3957
3958 return 0;
3959}
3960
3961static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3962 struct l2cap_cmd_hdr *cmd, void *data)
3963{
3964 BT_DBG("conn %p", conn);
3965
3966 return l2cap_connect_rsp(conn, cmd, data);
3967}
3968
8d5a04a1
MM		 3969static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3970 u16 icid, u16 result)
3971{
3972 struct l2cap_move_chan_rsp rsp;
3973
3974 BT_DBG("icid %d, result %d", icid, result);
3975
3976 rsp.icid = cpu_to_le16(icid);
3977 rsp.result = cpu_to_le16(result);
3978
3979 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3980}
3981
3982static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3983 struct l2cap_chan *chan, u16 icid, u16 result)
3984{
3985 struct l2cap_move_chan_cfm cfm;
3986 u8 ident;
3987
3988 BT_DBG("icid %d, result %d", icid, result);
3989
3990 ident = l2cap_get_ident(conn);
3991 if (chan)
3992 chan->ident = ident;
3993
3994 cfm.icid = cpu_to_le16(icid);
3995 cfm.result = cpu_to_le16(result);
3996
3997 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3998}
3999
4000static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4001 u16 icid)
4002{
4003 struct l2cap_move_chan_cfm_rsp rsp;
4004
4005 BT_DBG("icid %d", icid);
4006
4007 rsp.icid = cpu_to_le16(icid);
4008 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4009}
4010
4011static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4012 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4013{
4014 struct l2cap_move_chan_req *req = data;
4015 u16 icid = 0;
4016 u16 result = L2CAP_MR_NOT_ALLOWED;
4017
4018 if (cmd_len != sizeof(*req))
4019 return -EPROTO;
4020
4021 icid = le16_to_cpu(req->icid);
4022
4023 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
4024
4025 if (!enable_hs)
4026 return -EINVAL;
4027
4028 /* Placeholder: Always refuse */
4029 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4030
4031 return 0;
4032}
4033
4034static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4035 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4036{
4037 struct l2cap_move_chan_rsp *rsp = data;
4038 u16 icid, result;
4039
4040 if (cmd_len != sizeof(*rsp))
4041 return -EPROTO;
4042
4043 icid = le16_to_cpu(rsp->icid);
4044 result = le16_to_cpu(rsp->result);
4045
4046 BT_DBG("icid %d, result %d", icid, result);
4047
4048 /* Placeholder: Always unconfirmed */
4049 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4050
4051 return 0;
4052}
4053
4054static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4055 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4056{
4057 struct l2cap_move_chan_cfm *cfm = data;
4058 u16 icid, result;
4059
4060 if (cmd_len != sizeof(*cfm))
4061 return -EPROTO;
4062
4063 icid = le16_to_cpu(cfm->icid);
4064 result = le16_to_cpu(cfm->result);
4065
4066 BT_DBG("icid %d, result %d", icid, result);
4067
4068 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4069
4070 return 0;
4071}
4072
4073static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
4074 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
4075{
4076 struct l2cap_move_chan_cfm_rsp *rsp = data;
4077 u16 icid;
4078
4079 if (cmd_len != sizeof(*rsp))
4080 return -EPROTO;
4081
4082 icid = le16_to_cpu(rsp->icid);
4083
4084 BT_DBG("icid %d", icid);
4085
4086 return 0;
4087}
4088
e2174ca4 4089static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4090 u16 to_multiplier)
4091{
4092 u16 max_latency;
4093
4094 if (min > max || min < 6 || max > 3200)
4095 return -EINVAL;
4096
4097 if (to_multiplier < 10 || to_multiplier > 3200)
4098 return -EINVAL;
4099
4100 if (max >= to_multiplier * 8)
4101 return -EINVAL;
4102
4103 max_latency = (to_multiplier * 8 / max) - 1;
4104 if (latency > 499 || latency > max_latency)
4105 return -EINVAL;
4106
4107 return 0;
4108}
4109
4110static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4111 struct l2cap_cmd_hdr *cmd, u8 *data)
4112{
4113 struct hci_conn *hcon = conn->hcon;
4114 struct l2cap_conn_param_update_req *req;
4115 struct l2cap_conn_param_update_rsp rsp;
4116 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4117 int err;
de73115a
CT		 4118
4119 if (!(hcon->link_mode & HCI_LM_MASTER))
4120 return -EINVAL;
4121
4122 cmd_len = __le16_to_cpu(cmd->len);
4123 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4124 return -EPROTO;
4125
4126 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4127 min = __le16_to_cpu(req->min);
4128 max = __le16_to_cpu(req->max);
de73115a
CT		 4129 latency = __le16_to_cpu(req->latency);
4130 to_multiplier = __le16_to_cpu(req->to_multiplier);
4131
4132 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4133 min, max, latency, to_multiplier);
4134
4135 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4136
4137 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4138 if (err)
ac73498c 4139 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4140 else
ac73498c 4141 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4142
4143 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4144 sizeof(rsp), &rsp);
4145
2ce603eb
CT		 4146 if (!err)
4147 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4148
de73115a
CT		 4149 return 0;
4150}
4151
3300d9a9
CT		 4152static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4153 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4154{
4155 int err = 0;
4156
4157 switch (cmd->code) {
4158 case L2CAP_COMMAND_REJ:
4159 l2cap_command_rej(conn, cmd, data);
4160 break;
4161
4162 case L2CAP_CONN_REQ:
4163 err = l2cap_connect_req(conn, cmd, data);
4164 break;
4165
4166 case L2CAP_CONN_RSP:
4167 err = l2cap_connect_rsp(conn, cmd, data);
4168 break;
4169
4170 case L2CAP_CONF_REQ:
4171 err = l2cap_config_req(conn, cmd, cmd_len, data);
4172 break;
4173
4174 case L2CAP_CONF_RSP:
4175 err = l2cap_config_rsp(conn, cmd, data);
4176 break;
4177
4178 case L2CAP_DISCONN_REQ:
4179 err = l2cap_disconnect_req(conn, cmd, data);
4180 break;
4181
4182 case L2CAP_DISCONN_RSP:
4183 err = l2cap_disconnect_rsp(conn, cmd, data);
4184 break;
4185
4186 case L2CAP_ECHO_REQ:
4187 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4188 break;
4189
4190 case L2CAP_ECHO_RSP:
4191 break;
4192
4193 case L2CAP_INFO_REQ:
4194 err = l2cap_information_req(conn, cmd, data);
4195 break;
4196
4197 case L2CAP_INFO_RSP:
4198 err = l2cap_information_rsp(conn, cmd, data);
4199 break;
4200
f94ff6ff
MM		 4201 case L2CAP_CREATE_CHAN_REQ:
4202 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4203 break;
4204
4205 case L2CAP_CREATE_CHAN_RSP:
4206 err = l2cap_create_channel_rsp(conn, cmd, data);
4207 break;
4208
8d5a04a1
MM		 4209 case L2CAP_MOVE_CHAN_REQ:
4210 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4211 break;
4212
4213 case L2CAP_MOVE_CHAN_RSP:
4214 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4215 break;
4216
4217 case L2CAP_MOVE_CHAN_CFM:
4218 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4219 break;
4220
4221 case L2CAP_MOVE_CHAN_CFM_RSP:
4222 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4223 break;
4224
3300d9a9
CT		 4225 default:
4226 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4227 err = -EINVAL;
4228 break;
4229 }
4230
4231 return err;
4232}
4233
4234static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4235 struct l2cap_cmd_hdr *cmd, u8 *data)
4236{
4237 switch (cmd->code) {
4238 case L2CAP_COMMAND_REJ:
4239 return 0;
4240
4241 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4242 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4243
4244 case L2CAP_CONN_PARAM_UPDATE_RSP:
4245 return 0;
4246
4247 default:
4248 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4249 return -EINVAL;
4250 }
4251}
4252
4253static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4254 struct sk_buff *skb)
1da177e4
LT		 4255{
4256 u8 *data = skb->data;
4257 int len = skb->len;
4258 struct l2cap_cmd_hdr cmd;
3300d9a9 4259 int err;
1da177e4
LT		 4260
4261 l2cap_raw_recv(conn, skb);
4262
4263 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4264 u16 cmd_len;
1da177e4
LT		 4265 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4266 data += L2CAP_CMD_HDR_SIZE;
4267 len -= L2CAP_CMD_HDR_SIZE;
4268
88219a0f 4269 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4270
88219a0f 4271 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4272
88219a0f 4273 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4274 BT_DBG("corrupted command");
4275 break;
4276 }
4277
3300d9a9
CT		 4278 if (conn->hcon->type == LE_LINK)
4279 err = l2cap_le_sig_cmd(conn, &cmd, data);
4280 else
4281 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4282
4283 if (err) {
e2fd318e 4284 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4285
4286 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4287
4288 /* FIXME: Map err to a valid reason */
ac73498c 4289 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4290 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4291 }
4292
88219a0f
AV		 4293 data += cmd_len;
4294 len -= cmd_len;
1da177e4
LT		 4295 }
4296
4297 kfree_skb(skb);
4298}
4299
47d1ec61 4300static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4301{
4302 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4303 int hdr_size;
4304
4305 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4306 hdr_size = L2CAP_EXT_HDR_SIZE;
4307 else
4308 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4309
47d1ec61 4310 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4311 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4312 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4313 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4314
4315 if (our_fcs != rcv_fcs)
7a560e5c 4316 return -EBADMSG;
fcc203c3
GP		 4317 }
4318 return 0;
4319}
4320
6ea00485 4321static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4322{
e31f7633 4323 struct l2cap_ctrl control;
d5392c8f 4324
e31f7633 4325 BT_DBG("chan %p", chan);
d5392c8f 4326
e31f7633
MM		 4327 memset(&control, 0, sizeof(control));
4328 control.sframe = 1;
4329 control.final = 1;
4330 control.reqseq = chan->buffer_seq;
4331 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4332
e2ab4353 4333 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4334 control.super = L2CAP_SUPER_RNR;
4335 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4336 }
4337
e31f7633
MM		 4338 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4339 chan->unacked_frames > 0)
4340 __set_retrans_timer(chan);
d5392c8f 4341
e31f7633 4342 /* Send pending iframes */
525cd185 4343 l2cap_ertm_send(chan);
d5392c8f 4344
e2ab4353 4345 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4346 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4347 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4348 * send it now.
4349 */
4350 control.super = L2CAP_SUPER_RR;
4351 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4352 }
4353}
4354
84084a31
MM		 4355static void append_skb_frag(struct sk_buff *skb,
4356 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4357{
84084a31
MM		 4358 /* skb->len reflects data in skb as well as all fragments
4359 * skb->data_len reflects only data in fragments
4360 */
4361 if (!skb_has_frag_list(skb))
4362 skb_shinfo(skb)->frag_list = new_frag;
4363
4364 new_frag->next = NULL;
4365
4366 (*last_frag)->next = new_frag;
4367 *last_frag = new_frag;
4368
4369 skb->len += new_frag->len;
4370 skb->data_len += new_frag->len;
4371 skb->truesize += new_frag->truesize;
4372}
4373
4b51dae9
MM		 4374static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4375 struct l2cap_ctrl *control)
84084a31
MM		 4376{
4377 int err = -EINVAL;
18778a63 4378
4b51dae9 4379 switch (control->sar) {
7e0ef6ee 4380 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4381 if (chan->sdu)
4382 break;
18778a63 4383
80b98027 4384 err = chan->ops->recv(chan, skb);
84084a31 4385 break;
18778a63 4386
7e0ef6ee 4387 case L2CAP_SAR_START:
84084a31
MM		 4388 if (chan->sdu)
4389 break;
18778a63 4390
6f61fd47 4391 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4392 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4393
84084a31
MM		 4394 if (chan->sdu_len > chan->imtu) {
4395 err = -EMSGSIZE;
4396 break;
4397 }
1890d36b 4398
84084a31
MM		 4399 if (skb->len >= chan->sdu_len)
4400 break;
18778a63 4401
84084a31
MM		 4402 chan->sdu = skb;
4403 chan->sdu_last_frag = skb;
18778a63 4404
84084a31
MM		 4405 skb = NULL;
4406 err = 0;
18778a63
GP		 4407 break;
4408
7e0ef6ee 4409 case L2CAP_SAR_CONTINUE:
6f61fd47 4410 if (!chan->sdu)
84084a31 4411 break;
18778a63 4412
84084a31
MM		 4413 append_skb_frag(chan->sdu, skb,
4414 &chan->sdu_last_frag);
4415 skb = NULL;
18778a63 4416
84084a31
MM		 4417 if (chan->sdu->len >= chan->sdu_len)
4418 break;
4178ba46 4419
84084a31 4420 err = 0;
18778a63
GP		 4421 break;
4422
7e0ef6ee 4423 case L2CAP_SAR_END:
6f61fd47 4424 if (!chan->sdu)
84084a31 4425 break;
18778a63 4426
84084a31
MM		 4427 append_skb_frag(chan->sdu, skb,
4428 &chan->sdu_last_frag);
4429 skb = NULL;
4178ba46 4430
84084a31
MM		 4431 if (chan->sdu->len != chan->sdu_len)
4432 break;
18778a63 4433
80b98027 4434 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4435
84084a31
MM		 4436 if (!err) {
4437 /* Reassembly complete */
4438 chan->sdu = NULL;
4439 chan->sdu_last_frag = NULL;
4440 chan->sdu_len = 0;
1890d36b 4441 }
18778a63
GP		 4442 break;
4443 }
4444
84084a31
MM		 4445 if (err) {
4446 kfree_skb(skb);
4447 kfree_skb(chan->sdu);
4448 chan->sdu = NULL;
4449 chan->sdu_last_frag = NULL;
4450 chan->sdu_len = 0;
4451 }
18778a63 4452
84084a31 4453 return err;
18778a63
GP		 4454}
4455
61aa4f5b 4456void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4457{
61aa4f5b 4458 u8 event;
712132eb 4459
61aa4f5b
MM		 4460 if (chan->mode != L2CAP_MODE_ERTM)
4461 return;
712132eb 4462
61aa4f5b 4463 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4464 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4465}
4466
d2a7ac5d
MM		 4467static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4468{
63838725
MM		 4469 int err = 0;
4470 /* Pass sequential frames to l2cap_reassemble_sdu()
4471 * until a gap is encountered.
4472 */
4473
4474 BT_DBG("chan %p", chan);
4475
4476 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4477 struct sk_buff *skb;
4478 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4479 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4480
4481 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4482
4483 if (!skb)
4484 break;
4485
4486 skb_unlink(skb, &chan->srej_q);
4487 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4488 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4489 if (err)
4490 break;
4491 }
4492
4493 if (skb_queue_empty(&chan->srej_q)) {
4494 chan->rx_state = L2CAP_RX_STATE_RECV;
4495 l2cap_send_ack(chan);
4496 }
4497
4498 return err;
d2a7ac5d
MM		 4499}
4500
4501static void l2cap_handle_srej(struct l2cap_chan *chan,
4502 struct l2cap_ctrl *control)
4503{
f80842a8
MM		 4504 struct sk_buff *skb;
4505
4506 BT_DBG("chan %p, control %p", chan, control);
4507
4508 if (control->reqseq == chan->next_tx_seq) {
4509 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4510 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4511 return;
4512 }
4513
4514 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4515
4516 if (skb == NULL) {
4517 BT_DBG("Seq %d not available for retransmission",
4518 control->reqseq);
4519 return;
4520 }
4521
4522 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4523 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4524 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4525 return;
4526 }
4527
4528 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4529
4530 if (control->poll) {
4531 l2cap_pass_to_tx(chan, control);
4532
4533 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4534 l2cap_retransmit(chan, control);
4535 l2cap_ertm_send(chan);
4536
4537 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4538 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4539 chan->srej_save_reqseq = control->reqseq;
4540 }
4541 } else {
4542 l2cap_pass_to_tx_fbit(chan, control);
4543
4544 if (control->final) {
4545 if (chan->srej_save_reqseq != control->reqseq ||
4546 !test_and_clear_bit(CONN_SREJ_ACT,
4547 &chan->conn_state))
4548 l2cap_retransmit(chan, control);
4549 } else {
4550 l2cap_retransmit(chan, control);
4551 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4552 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4553 chan->srej_save_reqseq = control->reqseq;
4554 }
4555 }
4556 }
d2a7ac5d
MM		 4557}
4558
4559static void l2cap_handle_rej(struct l2cap_chan *chan,
4560 struct l2cap_ctrl *control)
4561{
fcd289df
MM		 4562 struct sk_buff *skb;
4563
4564 BT_DBG("chan %p, control %p", chan, control);
4565
4566 if (control->reqseq == chan->next_tx_seq) {
4567 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4568 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4569 return;
4570 }
4571
4572 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4573
4574 if (chan->max_tx && skb &&
4575 bt_cb(skb)->control.retries >= chan->max_tx) {
4576 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4577 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4578 return;
4579 }
4580
4581 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4582
4583 l2cap_pass_to_tx(chan, control);
4584
4585 if (control->final) {
4586 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4587 l2cap_retransmit_all(chan, control);
4588 } else {
4589 l2cap_retransmit_all(chan, control);
4590 l2cap_ertm_send(chan);
4591 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4592 set_bit(CONN_REJ_ACT, &chan->conn_state);
4593 }
d2a7ac5d
MM		 4594}
4595
4b51dae9
MM		 4596static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4597{
4598 BT_DBG("chan %p, txseq %d", chan, txseq);
4599
4600 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4601 chan->expected_tx_seq);
4602
4603 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4604 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4605 chan->tx_win) {
4606 /* See notes below regarding "double poll" and
4607 * invalid packets.
4608 */
4609 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4610 BT_DBG("Invalid/Ignore - after SREJ");
4611 return L2CAP_TXSEQ_INVALID_IGNORE;
4612 } else {
4613 BT_DBG("Invalid - in window after SREJ sent");
4614 return L2CAP_TXSEQ_INVALID;
4615 }
4616 }
4617
4618 if (chan->srej_list.head == txseq) {
4619 BT_DBG("Expected SREJ");
4620 return L2CAP_TXSEQ_EXPECTED_SREJ;
4621 }
4622
4623 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4624 BT_DBG("Duplicate SREJ - txseq already stored");
4625 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4626 }
4627
4628 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4629 BT_DBG("Unexpected SREJ - not requested");
4630 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4631 }
4632 }
4633
4634 if (chan->expected_tx_seq == txseq) {
4635 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4636 chan->tx_win) {
4637 BT_DBG("Invalid - txseq outside tx window");
4638 return L2CAP_TXSEQ_INVALID;
4639 } else {
4640 BT_DBG("Expected");
4641 return L2CAP_TXSEQ_EXPECTED;
4642 }
4643 }
4644
4645 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4646 __seq_offset(chan, chan->expected_tx_seq,
4647 chan->last_acked_seq)){
4648 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4649 return L2CAP_TXSEQ_DUPLICATE;
4650 }
4651
4652 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4653 /* A source of invalid packets is a "double poll" condition,
4654 * where delays cause us to send multiple poll packets. If
4655 * the remote stack receives and processes both polls,
4656 * sequence numbers can wrap around in such a way that a
4657 * resent frame has a sequence number that looks like new data
4658 * with a sequence gap. This would trigger an erroneous SREJ
4659 * request.
4660 *
4661 * Fortunately, this is impossible with a tx window that's
4662 * less than half of the maximum sequence number, which allows
4663 * invalid frames to be safely ignored.
4664 *
4665 * With tx window sizes greater than half of the tx window
4666 * maximum, the frame is invalid and cannot be ignored. This
4667 * causes a disconnect.
4668 */
4669
4670 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4671 BT_DBG("Invalid/Ignore - txseq outside tx window");
4672 return L2CAP_TXSEQ_INVALID_IGNORE;
4673 } else {
4674 BT_DBG("Invalid - txseq outside tx window");
4675 return L2CAP_TXSEQ_INVALID;
4676 }
4677 } else {
4678 BT_DBG("Unexpected - txseq indicates missing frames");
4679 return L2CAP_TXSEQ_UNEXPECTED;
4680 }
4681}
4682
d2a7ac5d
MM		 4683static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4684 struct l2cap_ctrl *control,
4685 struct sk_buff *skb, u8 event)
4686{
4687 int err = 0;
4688 bool skb_in_use = 0;
4689
4690 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4691 event);
4692
4693 switch (event) {
4694 case L2CAP_EV_RECV_IFRAME:
4695 switch (l2cap_classify_txseq(chan, control->txseq)) {
4696 case L2CAP_TXSEQ_EXPECTED:
4697 l2cap_pass_to_tx(chan, control);
4698
4699 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4700 BT_DBG("Busy, discarding expected seq %d",
4701 control->txseq);
4702 break;
4703 }
4704
4705 chan->expected_tx_seq = __next_seq(chan,
4706 control->txseq);
4707
4708 chan->buffer_seq = chan->expected_tx_seq;
4709 skb_in_use = 1;
4710
4711 err = l2cap_reassemble_sdu(chan, skb, control);
4712 if (err)
4713 break;
4714
4715 if (control->final) {
4716 if (!test_and_clear_bit(CONN_REJ_ACT,
4717 &chan->conn_state)) {
4718 control->final = 0;
4719 l2cap_retransmit_all(chan, control);
4720 l2cap_ertm_send(chan);
4721 }
4722 }
4723
4724 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4725 l2cap_send_ack(chan);
4726 break;
4727 case L2CAP_TXSEQ_UNEXPECTED:
4728 l2cap_pass_to_tx(chan, control);
4729
4730 /* Can't issue SREJ frames in the local busy state.
4731 * Drop this frame, it will be seen as missing
4732 * when local busy is exited.
4733 */
4734 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4735 BT_DBG("Busy, discarding unexpected seq %d",
4736 control->txseq);
4737 break;
4738 }
4739
4740 /* There was a gap in the sequence, so an SREJ
4741 * must be sent for each missing frame. The
4742 * current frame is stored for later use.
4743 */
4744 skb_queue_tail(&chan->srej_q, skb);
4745 skb_in_use = 1;
4746 BT_DBG("Queued %p (queue len %d)", skb,
4747 skb_queue_len(&chan->srej_q));
4748
4749 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4750 l2cap_seq_list_clear(&chan->srej_list);
4751 l2cap_send_srej(chan, control->txseq);
4752
4753 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4754 break;
4755 case L2CAP_TXSEQ_DUPLICATE:
4756 l2cap_pass_to_tx(chan, control);
4757 break;
4758 case L2CAP_TXSEQ_INVALID_IGNORE:
4759 break;
4760 case L2CAP_TXSEQ_INVALID:
4761 default:
4762 l2cap_send_disconn_req(chan->conn, chan,
4763 ECONNRESET);
4764 break;
4765 }
4766 break;
4767 case L2CAP_EV_RECV_RR:
4768 l2cap_pass_to_tx(chan, control);
4769 if (control->final) {
4770 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4771
4772 if (!test_and_clear_bit(CONN_REJ_ACT,
4773 &chan->conn_state)) {
4774 control->final = 0;
4775 l2cap_retransmit_all(chan, control);
4776 }
4777
4778 l2cap_ertm_send(chan);
4779 } else if (control->poll) {
4780 l2cap_send_i_or_rr_or_rnr(chan);
4781 } else {
4782 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4783 &chan->conn_state) &&
4784 chan->unacked_frames)
4785 __set_retrans_timer(chan);
4786
4787 l2cap_ertm_send(chan);
4788 }
4789 break;
4790 case L2CAP_EV_RECV_RNR:
4791 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4792 l2cap_pass_to_tx(chan, control);
4793 if (control && control->poll) {
4794 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4795 l2cap_send_rr_or_rnr(chan, 0);
4796 }
4797 __clear_retrans_timer(chan);
4798 l2cap_seq_list_clear(&chan->retrans_list);
4799 break;
4800 case L2CAP_EV_RECV_REJ:
4801 l2cap_handle_rej(chan, control);
4802 break;
4803 case L2CAP_EV_RECV_SREJ:
4804 l2cap_handle_srej(chan, control);
4805 break;
4806 default:
4807 break;
4808 }
4809
4810 if (skb && !skb_in_use) {
4811 BT_DBG("Freeing %p", skb);
4812 kfree_skb(skb);
4813 }
4814
4815 return err;
4816}
4817
4818static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4819 struct l2cap_ctrl *control,
4820 struct sk_buff *skb, u8 event)
4821{
4822 int err = 0;
4823 u16 txseq = control->txseq;
4824 bool skb_in_use = 0;
4825
4826 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4827 event);
4828
4829 switch (event) {
4830 case L2CAP_EV_RECV_IFRAME:
4831 switch (l2cap_classify_txseq(chan, txseq)) {
4832 case L2CAP_TXSEQ_EXPECTED:
4833 /* Keep frame for reassembly later */
4834 l2cap_pass_to_tx(chan, control);
4835 skb_queue_tail(&chan->srej_q, skb);
4836 skb_in_use = 1;
4837 BT_DBG("Queued %p (queue len %d)", skb,
4838 skb_queue_len(&chan->srej_q));
4839
4840 chan->expected_tx_seq = __next_seq(chan, txseq);
4841 break;
4842 case L2CAP_TXSEQ_EXPECTED_SREJ:
4843 l2cap_seq_list_pop(&chan->srej_list);
4844
4845 l2cap_pass_to_tx(chan, control);
4846 skb_queue_tail(&chan->srej_q, skb);
4847 skb_in_use = 1;
4848 BT_DBG("Queued %p (queue len %d)", skb,
4849 skb_queue_len(&chan->srej_q));
4850
4851 err = l2cap_rx_queued_iframes(chan);
4852 if (err)
4853 break;
4854
4855 break;
4856 case L2CAP_TXSEQ_UNEXPECTED:
4857 /* Got a frame that can't be reassembled yet.
4858 * Save it for later, and send SREJs to cover
4859 * the missing frames.
4860 */
4861 skb_queue_tail(&chan->srej_q, skb);
4862 skb_in_use = 1;
4863 BT_DBG("Queued %p (queue len %d)", skb,
4864 skb_queue_len(&chan->srej_q));
4865
4866 l2cap_pass_to_tx(chan, control);
4867 l2cap_send_srej(chan, control->txseq);
4868 break;
4869 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4870 /* This frame was requested with an SREJ, but
4871 * some expected retransmitted frames are
4872 * missing. Request retransmission of missing
4873 * SREJ'd frames.
4874 */
4875 skb_queue_tail(&chan->srej_q, skb);
4876 skb_in_use = 1;
4877 BT_DBG("Queued %p (queue len %d)", skb,
4878 skb_queue_len(&chan->srej_q));
4879
4880 l2cap_pass_to_tx(chan, control);
4881 l2cap_send_srej_list(chan, control->txseq);
4882 break;
4883 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4884 /* We've already queued this frame. Drop this copy. */
4885 l2cap_pass_to_tx(chan, control);
4886 break;
4887 case L2CAP_TXSEQ_DUPLICATE:
4888 /* Expecting a later sequence number, so this frame
4889 * was already received. Ignore it completely.
4890 */
4891 break;
4892 case L2CAP_TXSEQ_INVALID_IGNORE:
4893 break;
4894 case L2CAP_TXSEQ_INVALID:
4895 default:
4896 l2cap_send_disconn_req(chan->conn, chan,
4897 ECONNRESET);
4898 break;
4899 }
4900 break;
4901 case L2CAP_EV_RECV_RR:
4902 l2cap_pass_to_tx(chan, control);
4903 if (control->final) {
4904 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4905
4906 if (!test_and_clear_bit(CONN_REJ_ACT,
4907 &chan->conn_state)) {
4908 control->final = 0;
4909 l2cap_retransmit_all(chan, control);
4910 }
4911
4912 l2cap_ertm_send(chan);
4913 } else if (control->poll) {
4914 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4915 &chan->conn_state) &&
4916 chan->unacked_frames) {
4917 __set_retrans_timer(chan);
4918 }
4919
4920 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4921 l2cap_send_srej_tail(chan);
4922 } else {
4923 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4924 &chan->conn_state) &&
4925 chan->unacked_frames)
4926 __set_retrans_timer(chan);
4927
4928 l2cap_send_ack(chan);
4929 }
4930 break;
4931 case L2CAP_EV_RECV_RNR:
4932 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4933 l2cap_pass_to_tx(chan, control);
4934 if (control->poll) {
4935 l2cap_send_srej_tail(chan);
4936 } else {
4937 struct l2cap_ctrl rr_control;
4938 memset(&rr_control, 0, sizeof(rr_control));
4939 rr_control.sframe = 1;
4940 rr_control.super = L2CAP_SUPER_RR;
4941 rr_control.reqseq = chan->buffer_seq;
4942 l2cap_send_sframe(chan, &rr_control);
4943 }
4944
4945 break;
4946 case L2CAP_EV_RECV_REJ:
4947 l2cap_handle_rej(chan, control);
4948 break;
4949 case L2CAP_EV_RECV_SREJ:
4950 l2cap_handle_srej(chan, control);
4951 break;
4952 }
4953
4954 if (skb && !skb_in_use) {
4955 BT_DBG("Freeing %p", skb);
4956 kfree_skb(skb);
4957 }
4958
4959 return err;
4960}
4961
4962static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4963{
4964 /* Make sure reqseq is for a packet that has been sent but not acked */
4965 u16 unacked;
4966
4967 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4968 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4969}
4970
cec8ab6e
MM		 4971static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4972 struct sk_buff *skb, u8 event)
218bb9df 4973{
d2a7ac5d
MM		 4974 int err = 0;
4975
4976 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4977 control, skb, event, chan->rx_state);
4978
4979 if (__valid_reqseq(chan, control->reqseq)) {
4980 switch (chan->rx_state) {
4981 case L2CAP_RX_STATE_RECV:
4982 err = l2cap_rx_state_recv(chan, control, skb, event);
4983 break;
4984 case L2CAP_RX_STATE_SREJ_SENT:
4985 err = l2cap_rx_state_srej_sent(chan, control, skb,
4986 event);
4987 break;
4988 default:
4989 /* shut it down */
4990 break;
4991 }
4992 } else {
4993 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
4994 control->reqseq, chan->next_tx_seq,
4995 chan->expected_ack_seq);
4996 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4997 }
4998
4999 return err;
cec8ab6e
MM		 5000}
5001
5002static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5003 struct sk_buff *skb)
5004{
4b51dae9
MM		 5005 int err = 0;
5006
5007 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5008 chan->rx_state);
5009
5010 if (l2cap_classify_txseq(chan, control->txseq) ==
5011 L2CAP_TXSEQ_EXPECTED) {
5012 l2cap_pass_to_tx(chan, control);
5013
5014 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5015 __next_seq(chan, chan->buffer_seq));
5016
5017 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5018
5019 l2cap_reassemble_sdu(chan, skb, control);
5020 } else {
5021 if (chan->sdu) {
5022 kfree_skb(chan->sdu);
5023 chan->sdu = NULL;
5024 }
5025 chan->sdu_last_frag = NULL;
5026 chan->sdu_len = 0;
5027
5028 if (skb) {
5029 BT_DBG("Freeing %p", skb);
5030 kfree_skb(skb);
5031 }
5032 }
5033
5034 chan->last_acked_seq = control->txseq;
5035 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5036
5037 return err;
cec8ab6e
MM		 5038}
5039
5040static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5041{
5042 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5043 u16 len;
5044 u8 event;
218bb9df 5045
b76bbd66
MM		 5046 __unpack_control(chan, skb);
5047
218bb9df
GP		 5048 len = skb->len;
5049
5050 /*
5051 * We can just drop the corrupted I-frame here.
5052 * Receiver will miss it and start proper recovery
cec8ab6e 5053 * procedures and ask for retransmission.
218bb9df 5054 */
47d1ec61 5055 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5056 goto drop;
5057
cec8ab6e 5058 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5059 len -= L2CAP_SDULEN_SIZE;
218bb9df 5060
47d1ec61 5061 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5062 len -= L2CAP_FCS_SIZE;
218bb9df 5063
47d1ec61 5064 if (len > chan->mps) {
8c1d787b 5065 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5066 goto drop;
5067 }
5068
cec8ab6e
MM		 5069 if (!control->sframe) {
5070 int err;
218bb9df 5071
cec8ab6e
MM		 5072 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5073 control->sar, control->reqseq, control->final,
5074 control->txseq);
218bb9df 5075
cec8ab6e
MM		 5076 /* Validate F-bit - F=0 always valid, F=1 only
5077 * valid in TX WAIT_F
5078 */
5079 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5080 goto drop;
cec8ab6e
MM		 5081
5082 if (chan->mode != L2CAP_MODE_STREAMING) {
5083 event = L2CAP_EV_RECV_IFRAME;
5084 err = l2cap_rx(chan, control, skb, event);
5085 } else {
5086 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5087 }
5088
cec8ab6e
MM		 5089 if (err)
5090 l2cap_send_disconn_req(chan->conn, chan,
5091 ECONNRESET);
218bb9df 5092 } else {
cec8ab6e
MM		 5093 const u8 rx_func_to_event[4] = {
5094 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5095 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5096 };
5097
5098 /* Only I-frames are expected in streaming mode */
5099 if (chan->mode == L2CAP_MODE_STREAMING)
5100 goto drop;
5101
5102 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5103 control->reqseq, control->final, control->poll,
5104 control->super);
5105
218bb9df
GP		 5106 if (len != 0) {
5107 BT_ERR("%d", len);
8c1d787b 5108 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5109 goto drop;
5110 }
5111
cec8ab6e
MM		 5112 /* Validate F and P bits */
5113 if (control->final && (control->poll ||
5114 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5115 goto drop;
5116
5117 event = rx_func_to_event[control->super];
5118 if (l2cap_rx(chan, control, skb, event))
5119 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5120 }
5121
5122 return 0;
5123
5124drop:
5125 kfree_skb(skb);
5126 return 0;
5127}
5128
1da177e4
LT		 5129static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
5130{
48454079 5131 struct l2cap_chan *chan;
1da177e4 5132
baa7e1fa 5133 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5134 if (!chan) {
97e8e89d
AE		 5135 if (cid == L2CAP_CID_A2MP) {
5136 chan = a2mp_channel_create(conn, skb);
5137 if (!chan) {
5138 kfree_skb(skb);
5139 return 0;
5140 }
5141
5142 l2cap_chan_lock(chan);
5143 } else {
5144 BT_DBG("unknown cid 0x%4.4x", cid);
5145 /* Drop packet and return */
5146 kfree_skb(skb);
5147 return 0;
5148 }
1da177e4
LT		 5149 }
5150
49208c9c 5151 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5152
89bc500e 5153 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5154 goto drop;
5155
0c1bc5c6 5156 switch (chan->mode) {
1c2acffb
GP		 5157 case L2CAP_MODE_BASIC:
5158 /* If socket recv buffers overflows we drop data here
5159 * which is *bad* because L2CAP has to be reliable.
5160 * But we don't have any other choice. L2CAP doesn't
5161 * provide flow control mechanism. */
1da177e4 5162
0c1bc5c6 5163 if (chan->imtu < skb->len)
1c2acffb 5164 goto drop;
1da177e4 5165
80b98027 5166 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5167 goto done;
5168 break;
5169
5170 case L2CAP_MODE_ERTM:
6840ed07 5171 case L2CAP_MODE_STREAMING:
cec8ab6e 5172 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5173 goto done;
5174
1c2acffb 5175 default:
0c1bc5c6 5176 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5177 break;
5178 }
1da177e4
LT		 5179
5180drop:
5181 kfree_skb(skb);
5182
5183done:
6be36555 5184 l2cap_chan_unlock(chan);
0139418c 5185
1da177e4
LT		 5186 return 0;
5187}
5188
8e036fc3 5189static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 5190{
23691d75 5191 struct l2cap_chan *chan;
1da177e4 5192
c2287681 5193 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5194 if (!chan)
1da177e4
LT		 5195 goto drop;
5196
5b4cedaa 5197 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5198
89bc500e 5199 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5200 goto drop;
5201
e13e21dc 5202 if (chan->imtu < skb->len)
1da177e4
LT		 5203 goto drop;
5204
80b98027 5205 if (!chan->ops->recv(chan, skb))
5b4cedaa 5206 return 0;
1da177e4
LT		 5207
5208drop:
5209 kfree_skb(skb);
5210
1da177e4
LT		 5211 return 0;
5212}
5213
d9b88702
AE		 5214static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5215 struct sk_buff *skb)
9f69bda6 5216{
23691d75 5217 struct l2cap_chan *chan;
9f69bda6 5218
c2287681 5219 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5220 if (!chan)
9f69bda6
GP		 5221 goto drop;
5222
5b4cedaa 5223 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5224
89bc500e 5225 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5226 goto drop;
5227
e13e21dc 5228 if (chan->imtu < skb->len)
9f69bda6
GP		 5229 goto drop;
5230
80b98027 5231 if (!chan->ops->recv(chan, skb))
5b4cedaa 5232 return 0;
9f69bda6
GP		 5233
5234drop:
5235 kfree_skb(skb);
5236
9f69bda6
GP		 5237 return 0;
5238}
5239
1da177e4
LT		 5240static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5241{
5242 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5243 u16 cid, len;
5244 __le16 psm;
1da177e4
LT		 5245
5246 skb_pull(skb, L2CAP_HDR_SIZE);
5247 cid = __le16_to_cpu(lh->cid);
5248 len = __le16_to_cpu(lh->len);
5249
1c2acffb
GP		 5250 if (len != skb->len) {
5251 kfree_skb(skb);
5252 return;
5253 }
5254
1da177e4
LT		 5255 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5256
5257 switch (cid) {
3300d9a9 5258 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5259 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5260 l2cap_sig_channel(conn, skb);
5261 break;
5262
8db4dc46 5263 case L2CAP_CID_CONN_LESS:
097db76c 5264 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5265 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5266 l2cap_conless_channel(conn, psm, skb);
5267 break;
5268
9f69bda6
GP		 5269 case L2CAP_CID_LE_DATA:
5270 l2cap_att_channel(conn, cid, skb);
5271 break;
5272
b501d6a1
AB		 5273 case L2CAP_CID_SMP:
5274 if (smp_sig_channel(conn, skb))
5275 l2cap_conn_del(conn->hcon, EACCES);
5276 break;
5277
1da177e4
LT		 5278 default:
5279 l2cap_data_channel(conn, cid, skb);
5280 break;
5281 }
5282}
5283
5284/* ---- L2CAP interface with lower layer (HCI) ---- */
5285
686ebf28 5286int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5287{
5288 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5289 struct l2cap_chan *c;
1da177e4 5290
1da177e4
LT		 5291 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5292
5293 /* Find listening sockets and check their link_mode */
23691d75
GP		 5294 read_lock(&chan_list_lock);
5295 list_for_each_entry(c, &chan_list, global_l) {
5296 struct sock *sk = c->sk;
4343478f 5297
89bc500e 5298 if (c->state != BT_LISTEN)
1da177e4
LT		 5299 continue;
5300
5301 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5302 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5303 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5304 lm1 |= HCI_LM_MASTER;
1da177e4 5305 exact++;
2af6b9d5
MH		 5306 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5307 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5308 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5309 lm2 |= HCI_LM_MASTER;
5310 }
1da177e4 5311 }
23691d75 5312 read_unlock(&chan_list_lock);
1da177e4
LT		 5313
5314 return exact ? lm1 : lm2;
5315}
5316
686ebf28 5317int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5318{
0139418c
MH		 5319 struct l2cap_conn *conn;
5320
1da177e4
LT		 5321 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5322
1da177e4 5323 if (!status) {
1da177e4
LT		 5324 conn = l2cap_conn_add(hcon, status);
5325 if (conn)
5326 l2cap_conn_ready(conn);
0139418c 5327 } else
e175072f 5328 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5329
5330 return 0;
5331}
5332
686ebf28 5333int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5334{
5335 struct l2cap_conn *conn = hcon->l2cap_data;
5336
5337 BT_DBG("hcon %p", hcon);
5338
686ebf28 5339 if (!conn)
9f5a0d7b 5340 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5341 return conn->disc_reason;
5342}
5343
686ebf28 5344int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5345{
5346 BT_DBG("hcon %p reason %d", hcon, reason);
5347
e175072f 5348 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5349 return 0;
5350}
5351
4343478f 5352static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5353{
715ec005 5354 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5355 return;
5356
f62e4323 5357 if (encrypt == 0x00) {
4343478f 5358 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5359 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5360 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5361 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5362 } else {
4343478f 5363 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5364 __clear_chan_timer(chan);
f62e4323
MH		 5365 }
5366}
5367
686ebf28 5368int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5369{
0139418c 5370 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5371 struct l2cap_chan *chan;
1da177e4 5372
0139418c 5373 if (!conn)
1da177e4 5374 return 0;
0139418c 5375
1da177e4
LT		 5376 BT_DBG("conn %p", conn);
5377
160dc6ac 5378 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5379 if (!status && encrypt)
5380 smp_distribute_keys(conn, 0);
17cd3f37 5381 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5382 }
5383
3df91ea2 5384 mutex_lock(&conn->chan_lock);
1da177e4 5385
3df91ea2 5386 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5387 l2cap_chan_lock(chan);
1da177e4 5388
f1cb9af5
VCG		 5389 BT_DBG("chan->scid %d", chan->scid);
5390
5391 if (chan->scid == L2CAP_CID_LE_DATA) {
5392 if (!status && encrypt) {
5393 chan->sec_level = hcon->sec_level;
cf4cd009 5394 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5395 }
5396
6be36555 5397 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5398 continue;
5399 }
5400
c1360a1c 5401 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5402 l2cap_chan_unlock(chan);
6a8d3010
MH		 5403 continue;
5404 }
5405
89bc500e
GP		 5406 if (!status && (chan->state == BT_CONNECTED ||
5407 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5408 struct sock *sk = chan->sk;
5409
c5daa683 5410 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5411 sk->sk_state_change(sk);
5412
4343478f 5413 l2cap_check_encryption(chan, encrypt);
6be36555 5414 l2cap_chan_unlock(chan);
9719f8af
MH		 5415 continue;
5416 }
5417
89bc500e 5418 if (chan->state == BT_CONNECT) {
b1235d79 5419 if (!status) {
9b27f350 5420 l2cap_send_conn_req(chan);
b1235d79 5421 } else {
ba13ccd9 5422 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5423 }
89bc500e 5424 } else if (chan->state == BT_CONNECT2) {
6be36555 5425 struct sock *sk = chan->sk;
b1235d79 5426 struct l2cap_conn_rsp rsp;
df3c3931 5427 __u16 res, stat;
1da177e4 5428
6be36555
AE		 5429 lock_sock(sk);
5430
b1235d79 5431 if (!status) {
c5daa683
GP		 5432 if (test_bit(BT_SK_DEFER_SETUP,
5433 &bt_sk(sk)->flags)) {
df3c3931
JH		 5434 struct sock *parent = bt_sk(sk)->parent;
5435 res = L2CAP_CR_PEND;
5436 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5437 if (parent)
5438 parent->sk_data_ready(parent, 0);
df3c3931 5439 } else {
0e587be7 5440 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5441 res = L2CAP_CR_SUCCESS;
5442 stat = L2CAP_CS_NO_INFO;
5443 }
b1235d79 5444 } else {
0e587be7 5445 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5446 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5447 res = L2CAP_CR_SEC_BLOCK;
5448 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5449 }
5450
6be36555
AE		 5451 release_sock(sk);
5452
fe4128e0
GP		 5453 rsp.scid = cpu_to_le16(chan->dcid);
5454 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5455 rsp.result = cpu_to_le16(res);
5456 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5457 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5458 sizeof(rsp), &rsp);
2d369359
MM		 5459
5460 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5461 res == L2CAP_CR_SUCCESS) {
5462 char buf[128];
5463 set_bit(CONF_REQ_SENT, &chan->conf_state);
5464 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5465 L2CAP_CONF_REQ,
5466 l2cap_build_conf_req(chan, buf),
5467 buf);
5468 chan->num_conf_req++;
5469 }
b1235d79 5470 }
1da177e4 5471
6be36555 5472 l2cap_chan_unlock(chan);
1da177e4
LT		 5473 }
5474
3df91ea2 5475 mutex_unlock(&conn->chan_lock);
b1235d79 5476
1da177e4
LT		 5477 return 0;
5478}
5479
686ebf28 5480int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5481{
5482 struct l2cap_conn *conn = hcon->l2cap_data;
5483
5a08ecce
AE		 5484 if (!conn)
5485 conn = l2cap_conn_add(hcon, 0);
5486
5487 if (!conn)
1da177e4
LT		 5488 goto drop;
5489
5490 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5491
e702112f 5492 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5493 struct l2cap_hdr *hdr;
5494 int len;
5495
5496 if (conn->rx_len) {
5497 BT_ERR("Unexpected start frame (len %d)", skb->len);
5498 kfree_skb(conn->rx_skb);
5499 conn->rx_skb = NULL;
5500 conn->rx_len = 0;
5501 l2cap_conn_unreliable(conn, ECOMM);
5502 }
5503
aae7fe22
AE		 5504 /* Start fragment always begin with Basic L2CAP header */
5505 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5506 BT_ERR("Frame is too short (len %d)", skb->len);
5507 l2cap_conn_unreliable(conn, ECOMM);
5508 goto drop;
5509 }
5510
5511 hdr = (struct l2cap_hdr *) skb->data;
5512 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5513
5514 if (len == skb->len) {
5515 /* Complete frame received */
5516 l2cap_recv_frame(conn, skb);
5517 return 0;
5518 }
5519
5520 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5521
5522 if (skb->len > len) {
5523 BT_ERR("Frame is too long (len %d, expected len %d)",
5524 skb->len, len);
5525 l2cap_conn_unreliable(conn, ECOMM);
5526 goto drop;
5527 }
5528
5529 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5530 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5531 if (!conn->rx_skb)
1da177e4
LT		 5532 goto drop;
5533
d626f62b 5534 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5535 skb->len);
1da177e4
LT		 5536 conn->rx_len = len - skb->len;
5537 } else {
5538 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5539
5540 if (!conn->rx_len) {
5541 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5542 l2cap_conn_unreliable(conn, ECOMM);
5543 goto drop;
5544 }
5545
5546 if (skb->len > conn->rx_len) {
5547 BT_ERR("Fragment is too long (len %d, expected %d)",
5548 skb->len, conn->rx_len);
5549 kfree_skb(conn->rx_skb);
5550 conn->rx_skb = NULL;
5551 conn->rx_len = 0;
5552 l2cap_conn_unreliable(conn, ECOMM);
5553 goto drop;
5554 }
5555
d626f62b 5556 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5557 skb->len);
1da177e4
LT		 5558 conn->rx_len -= skb->len;
5559
5560 if (!conn->rx_len) {
5561 /* Complete frame received */
5562 l2cap_recv_frame(conn, conn->rx_skb);
5563 conn->rx_skb = NULL;
5564 }
5565 }
5566
5567drop:
5568 kfree_skb(skb);
5569 return 0;
5570}
5571
aef7d97c 5572static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5573{
23691d75 5574 struct l2cap_chan *c;
1da177e4 5575
333055f2 5576 read_lock(&chan_list_lock);
1da177e4 5577
23691d75
GP		 5578 list_for_each_entry(c, &chan_list, global_l) {
5579 struct sock *sk = c->sk;
101545f6 5580
903d343e 5581 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5582 batostr(&bt_sk(sk)->src),
5583 batostr(&bt_sk(sk)->dst),
89bc500e 5584 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5585 c->scid, c->dcid, c->imtu, c->omtu,
5586 c->sec_level, c->mode);
61e1b4b7 5587 }
1da177e4 5588
333055f2 5589 read_unlock(&chan_list_lock);
1da177e4 5590
aef7d97c 5591 return 0;
1da177e4
LT		 5592}
5593
aef7d97c
MH		 5594static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5595{
5596 return single_open(file, l2cap_debugfs_show, inode->i_private);
5597}
5598
5599static const struct file_operations l2cap_debugfs_fops = {
5600 .open = l2cap_debugfs_open,
5601 .read = seq_read,
5602 .llseek = seq_lseek,
5603 .release = single_release,
5604};
5605
5606static struct dentry *l2cap_debugfs;
1da177e4 5607
64274518 5608int __init l2cap_init(void)
1da177e4
LT		 5609{
5610 int err;
be9d1227 5611
bb58f747 5612 err = l2cap_init_sockets();
1da177e4
LT		 5613 if (err < 0)
5614 return err;
5615
aef7d97c
MH		 5616 if (bt_debugfs) {
5617 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5618 bt_debugfs, NULL, &l2cap_debugfs_fops);
5619 if (!l2cap_debugfs)
5620 BT_ERR("Failed to create L2CAP debug file");
5621 }
1da177e4 5622
1da177e4 5623 return 0;
1da177e4
LT		 5624}
5625
64274518 5626void l2cap_exit(void)
1da177e4 5627{
aef7d97c 5628 debugfs_remove(l2cap_debugfs);
bb58f747 5629 l2cap_cleanup_sockets();
1da177e4
LT		 5630}
5631
d1c4a17d
GP		 5632module_param(disable_ertm, bool, 0644);
5633MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)