projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add state to hci_chan
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
23691d75 132static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 133{
23691d75 134 struct l2cap_chan *c;
9e4425ff 135
23691d75
GP		 136 list_for_each_entry(c, &chan_list, global_l) {
137 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 138 return c;
9e4425ff 139 }
250938cb 140 return NULL;
9e4425ff
GP		 141}
142
143int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
144{
73b2ec18
GP		 145 int err;
146
333055f2 147 write_lock(&chan_list_lock);
9e4425ff 148
23691d75 149 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 150 err = -EADDRINUSE;
151 goto done;
9e4425ff
GP		 152 }
153
73b2ec18
GP		 154 if (psm) {
155 chan->psm = psm;
156 chan->sport = psm;
157 err = 0;
158 } else {
159 u16 p;
160
161 err = -EINVAL;
162 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 163 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 164 chan->psm = cpu_to_le16(p);
165 chan->sport = cpu_to_le16(p);
166 err = 0;
167 break;
168 }
169 }
9e4425ff 170
73b2ec18 171done:
333055f2 172 write_unlock(&chan_list_lock);
73b2ec18 173 return err;
9e4425ff
GP		 174}
175
176int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
177{
333055f2 178 write_lock(&chan_list_lock);
9e4425ff
GP		 179
180 chan->scid = scid;
181
333055f2 182 write_unlock(&chan_list_lock);
9e4425ff
GP		 183
184 return 0;
185}
186
baa7e1fa 187static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 188{
8db4dc46 189 u16 cid = L2CAP_CID_DYN_START;
0139418c 190
8db4dc46 191 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 192 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 193 return cid;
194 }
195
196 return 0;
197}
198
0e587be7 199static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 200{
42d2d87c 201 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 202 state_to_string(state));
badaaa00 203
89bc500e 204 chan->state = state;
80b98027 205 chan->ops->state_change(chan, state);
89bc500e
GP		 206}
207
0e587be7
AE		 208static void l2cap_state_change(struct l2cap_chan *chan, int state)
209{
210 struct sock *sk = chan->sk;
211
212 lock_sock(sk);
213 __l2cap_state_change(chan, state);
214 release_sock(sk);
215}
216
2e0052e4
AE		 217static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
218{
219 struct sock *sk = chan->sk;
220
221 sk->sk_err = err;
222}
223
224static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
225{
226 struct sock *sk = chan->sk;
227
228 lock_sock(sk);
229 __l2cap_chan_set_err(chan, err);
230 release_sock(sk);
231}
232
4239d16f
MM		 233static void __set_retrans_timer(struct l2cap_chan *chan)
234{
235 if (!delayed_work_pending(&chan->monitor_timer) &&
236 chan->retrans_timeout) {
237 l2cap_set_timer(chan, &chan->retrans_timer,
238 msecs_to_jiffies(chan->retrans_timeout));
239 }
240}
241
242static void __set_monitor_timer(struct l2cap_chan *chan)
243{
244 __clear_retrans_timer(chan);
245 if (chan->monitor_timeout) {
246 l2cap_set_timer(chan, &chan->monitor_timer,
247 msecs_to_jiffies(chan->monitor_timeout));
248 }
249}
250
608bcc6d
MM		 251static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
252 u16 seq)
253{
254 struct sk_buff *skb;
255
256 skb_queue_walk(head, skb) {
257 if (bt_cb(skb)->control.txseq == seq)
258 return skb;
259 }
260
261 return NULL;
262}
263
3c588192
MM		 264/* ---- L2CAP sequence number lists ---- */
265
266/* For ERTM, ordered lists of sequence numbers must be tracked for
267 * SREJ requests that are received and for frames that are to be
268 * retransmitted. These seq_list functions implement a singly-linked
269 * list in an array, where membership in the list can also be checked
270 * in constant time. Items can also be added to the tail of the list
271 * and removed from the head in constant time, without further memory
272 * allocs or frees.
273 */
274
275static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
276{
277 size_t alloc_size, i;
278
279 /* Allocated size is a power of 2 to map sequence numbers
280 * (which may be up to 14 bits) in to a smaller array that is
281 * sized for the negotiated ERTM transmit windows.
282 */
283 alloc_size = roundup_pow_of_two(size);
284
285 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
286 if (!seq_list->list)
287 return -ENOMEM;
288
289 seq_list->mask = alloc_size - 1;
290 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
291 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
292 for (i = 0; i < alloc_size; i++)
293 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
294
295 return 0;
296}
297
298static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
299{
300 kfree(seq_list->list);
301}
302
303static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
304 u16 seq)
305{
306 /* Constant-time check for list membership */
307 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
308}
309
310static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
311{
312 u16 mask = seq_list->mask;
313
314 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
315 /* In case someone tries to pop the head of an empty list */
316 return L2CAP_SEQ_LIST_CLEAR;
317 } else if (seq_list->head == seq) {
318 /* Head can be removed in constant time */
319 seq_list->head = seq_list->list[seq & mask];
320 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
321
322 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
323 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
325 }
326 } else {
327 /* Walk the list to find the sequence number */
328 u16 prev = seq_list->head;
329 while (seq_list->list[prev & mask] != seq) {
330 prev = seq_list->list[prev & mask];
331 if (prev == L2CAP_SEQ_LIST_TAIL)
332 return L2CAP_SEQ_LIST_CLEAR;
333 }
334
335 /* Unlink the number from the list and clear it */
336 seq_list->list[prev & mask] = seq_list->list[seq & mask];
337 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
338 if (seq_list->tail == seq)
339 seq_list->tail = prev;
340 }
341 return seq;
342}
343
344static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
345{
346 /* Remove the head in constant time */
347 return l2cap_seq_list_remove(seq_list, seq_list->head);
348}
349
350static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
351{
f522ae36 352 u16 i;
3c588192 353
f522ae36
GP		 354 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
355 return;
356
357 for (i = 0; i <= seq_list->mask; i++)
358 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
359
360 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
361 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 362}
363
364static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
365{
366 u16 mask = seq_list->mask;
367
368 /* All appends happen in constant time */
369
f522ae36
GP		 370 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
371 return;
3c588192 372
f522ae36
GP		 373 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
374 seq_list->head = seq;
375 else
376 seq_list->list[seq_list->tail & mask] = seq;
377
378 seq_list->tail = seq;
379 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 380}
381
721c4181 382static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 383{
721c4181 384 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 385 chan_timer.work);
3df91ea2 386 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 387 int reason;
388
e05dcc32 389 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 390
3df91ea2 391 mutex_lock(&conn->chan_lock);
6be36555 392 l2cap_chan_lock(chan);
ab07801d 393
89bc500e 394 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 395 reason = ECONNREFUSED;
89bc500e 396 else if (chan->state == BT_CONNECT &&
2d792818 397 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 398 reason = ECONNREFUSED;
399 else
400 reason = ETIMEDOUT;
401
0f852724 402 l2cap_chan_close(chan, reason);
ab07801d 403
6be36555 404 l2cap_chan_unlock(chan);
ab07801d 405
80b98027 406 chan->ops->close(chan);
3df91ea2
AE		 407 mutex_unlock(&conn->chan_lock);
408
371fd835 409 l2cap_chan_put(chan);
ab07801d
GP		 410}
411
eef1d9b6 412struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 413{
414 struct l2cap_chan *chan;
415
416 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
417 if (!chan)
418 return NULL;
419
c03b355e
AE		 420 mutex_init(&chan->lock);
421
333055f2 422 write_lock(&chan_list_lock);
23691d75 423 list_add(&chan->global_l, &chan_list);
333055f2 424 write_unlock(&chan_list_lock);
23691d75 425
721c4181 426 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 427
89bc500e
GP		 428 chan->state = BT_OPEN;
429
144ad330 430 kref_init(&chan->kref);
71ba0e56 431
2827011f
MM		 432 /* This flag is cleared in l2cap_chan_ready() */
433 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
434
eef1d9b6 435 BT_DBG("chan %p", chan);
abc545b8 436
48454079
GP		 437 return chan;
438}
439
144ad330 440static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 441{
144ad330
SS		 442 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
443
4af66c69
JK		 444 BT_DBG("chan %p", chan);
445
333055f2 446 write_lock(&chan_list_lock);
23691d75 447 list_del(&chan->global_l);
333055f2 448 write_unlock(&chan_list_lock);
23691d75 449
4af66c69 450 kfree(chan);
6ff5abbf
GP		 451}
452
30648372
JK		 453void l2cap_chan_hold(struct l2cap_chan *c)
454{
144ad330 455 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 456
144ad330 457 kref_get(&c->kref);
30648372
JK		 458}
459
460void l2cap_chan_put(struct l2cap_chan *c)
461{
144ad330 462 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 463
144ad330 464 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 465}
466
bd4b1653
AE		 467void l2cap_chan_set_defaults(struct l2cap_chan *chan)
468{
469 chan->fcs = L2CAP_FCS_CRC16;
470 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
471 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
472 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 473 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 474 chan->sec_level = BT_SECURITY_LOW;
475
476 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
477}
478
93c3e8f5 479void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 480{
af05b30b 481 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 482 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 483
9f5a0d7b 484 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 485
8c1d787b 486 chan->conn = conn;
0139418c 487
5491120e
AE		 488 switch (chan->chan_type) {
489 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 490 if (conn->hcon->type == LE_LINK) {
491 /* LE connection */
6fcb06a2 492 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 493 chan->scid = L2CAP_CID_LE_DATA;
494 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 495 } else {
496 /* Alloc CID for connection-oriented socket */
fe4128e0 497 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 498 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 499 }
5491120e
AE		 500 break;
501
502 case L2CAP_CHAN_CONN_LESS:
0139418c 503 /* Connectionless socket */
fe4128e0
GP		 504 chan->scid = L2CAP_CID_CONN_LESS;
505 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 506 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 507 break;
508
416fa752
AE		 509 case L2CAP_CHAN_CONN_FIX_A2MP:
510 chan->scid = L2CAP_CID_A2MP;
511 chan->dcid = L2CAP_CID_A2MP;
512 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
513 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
514 break;
515
5491120e 516 default:
0139418c 517 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_SIGNALING;
519 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 521 }
522
8f7975b1
AE		 523 chan->local_id = L2CAP_BESTEFFORT_ID;
524 chan->local_stype = L2CAP_SERV_BESTEFFORT;
525 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
526 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
527 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 528 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 529
371fd835 530 l2cap_chan_hold(chan);
baa7e1fa 531
3df91ea2 532 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 533}
534
466f8004 535void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 536{
537 mutex_lock(&conn->chan_lock);
538 __l2cap_chan_add(conn, chan);
3df91ea2 539 mutex_unlock(&conn->chan_lock);
0139418c
MH		 540}
541
466f8004 542void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 543{
8c1d787b 544 struct l2cap_conn *conn = chan->conn;
0139418c 545
c9b66675 546 __clear_chan_timer(chan);
0139418c 547
49208c9c 548 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 549
8e87d142 550 if (conn) {
56f60984 551 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 552 /* Delete from channel list */
3df91ea2 553 list_del(&chan->list);
3d57dc68 554
371fd835 555 l2cap_chan_put(chan);
baa7e1fa 556
8c1d787b 557 chan->conn = NULL;
3cabbfda
AE		 558
559 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
560 hci_conn_put(conn->hcon);
56f60984
AE		 561
562 if (mgr && mgr->bredr_chan == chan)
563 mgr->bredr_chan = NULL;
0139418c
MH		 564 }
565
b699ec0d 566 chan->ops->teardown(chan, err);
6be36555 567
2827011f 568 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 569 return;
2ead70b8 570
ee556f66
GP		 571 switch(chan->mode) {
572 case L2CAP_MODE_BASIC:
573 break;
c13ffa62 574
ee556f66 575 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 576 __clear_retrans_timer(chan);
577 __clear_monitor_timer(chan);
578 __clear_ack_timer(chan);
c13ffa62 579
f1c6775b 580 skb_queue_purge(&chan->srej_q);
c13ffa62 581
3c588192
MM		 582 l2cap_seq_list_free(&chan->srej_list);
583 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 584
585 /* fall through */
586
587 case L2CAP_MODE_STREAMING:
588 skb_queue_purge(&chan->tx_q);
589 break;
c13ffa62 590 }
ee556f66
GP		 591
592 return;
0139418c
MH		 593}
594
0f852724 595void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 596{
597 struct l2cap_conn *conn = chan->conn;
598 struct sock *sk = chan->sk;
599
2d792818
GP		 600 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
601 sk);
4519de9a 602
89bc500e 603 switch (chan->state) {
4519de9a 604 case BT_LISTEN:
b699ec0d 605 chan->ops->teardown(chan, 0);
4519de9a
GP		 606 break;
607
608 case BT_CONNECTED:
609 case BT_CONFIG:
715ec005 610 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 611 conn->hcon->type == ACL_LINK) {
c9b66675 612 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 613 l2cap_send_disconn_req(conn, chan, reason);
614 } else
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT2:
715ec005 619 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 620 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 621 struct l2cap_conn_rsp rsp;
622 __u16 result;
623
c5daa683 624 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 625 result = L2CAP_CR_SEC_BLOCK;
626 else
627 result = L2CAP_CR_BAD_PSM;
89bc500e 628 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 629
630 rsp.scid = cpu_to_le16(chan->dcid);
631 rsp.dcid = cpu_to_le16(chan->scid);
632 rsp.result = cpu_to_le16(result);
ac73498c 633 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 634 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 635 sizeof(rsp), &rsp);
4519de9a
GP		 636 }
637
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT:
642 case BT_DISCONN:
643 l2cap_chan_del(chan, reason);
644 break;
645
646 default:
b699ec0d 647 chan->ops->teardown(chan, 0);
4519de9a
GP		 648 break;
649 }
650}
651
4343478f 652static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 653{
715ec005 654 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 655 switch (chan->sec_level) {
8556edd3
JH		 656 case BT_SECURITY_HIGH:
657 return HCI_AT_DEDICATED_BONDING_MITM;
658 case BT_SECURITY_MEDIUM:
659 return HCI_AT_DEDICATED_BONDING;
660 default:
661 return HCI_AT_NO_BONDING;
662 }
2983fd68 663 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 664 if (chan->sec_level == BT_SECURITY_LOW)
665 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 666
4343478f 667 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 668 return HCI_AT_NO_BONDING_MITM;
00ae4af9 669 else
8556edd3 670 return HCI_AT_NO_BONDING;
00ae4af9 671 } else {
4343478f 672 switch (chan->sec_level) {
00ae4af9 673 case BT_SECURITY_HIGH:
8556edd3 674 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 675 case BT_SECURITY_MEDIUM:
8556edd3 676 return HCI_AT_GENERAL_BONDING;
00ae4af9 677 default:
8556edd3 678 return HCI_AT_NO_BONDING;
00ae4af9 679 }
0684e5f9 680 }
8556edd3
JH		 681}
682
683/* Service level security */
d45fc423 684int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 685{
8c1d787b 686 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 687 __u8 auth_type;
688
4343478f 689 auth_type = l2cap_get_auth_type(chan);
79d554a6 690
4343478f 691 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 692}
693
b5ad8b7f 694static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 695{
696 u8 id;
697
698 /* Get next available identificator.
699 * 1 - 128 are used by kernel.
700 * 129 - 199 are reserved.
701 * 200 - 254 are used by utilities like l2ping, etc.
702 */
703
333055f2 704 spin_lock(&conn->lock);
4e8402a3
MH		 705
706 if (++conn->tx_ident > 128)
707 conn->tx_ident = 1;
708
709 id = conn->tx_ident;
710
333055f2 711 spin_unlock(&conn->lock);
4e8402a3
MH		 712
713 return id;
714}
715
2d792818
GP		 716static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
717 void *data)
4e8402a3
MH		 718{
719 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 720 u8 flags;
4e8402a3
MH		 721
722 BT_DBG("code 0x%2.2x", code);
723
724 if (!skb)
9a9c6a34 725 return;
4e8402a3 726
e702112f
AE		 727 if (lmp_no_flush_capable(conn->hcon->hdev))
728 flags = ACL_START_NO_FLUSH;
729 else
730 flags = ACL_START;
731
14b12d0b 732 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 733 skb->priority = HCI_PRIO_MAX;
14b12d0b 734
73d80deb
LAD		 735 hci_send_acl(conn->hchan, skb, flags);
736}
737
02b0fbb9
MM		 738static bool __chan_is_moving(struct l2cap_chan *chan)
739{
740 return chan->move_state != L2CAP_MOVE_STABLE &&
741 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
742}
743
73d80deb
LAD		 744static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
745{
746 struct hci_conn *hcon = chan->conn->hcon;
747 u16 flags;
748
749 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 750 skb->priority);
73d80deb
LAD		 751
752 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 753 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 754 flags = ACL_START_NO_FLUSH;
755 else
756 flags = ACL_START;
14b12d0b 757
73d80deb
LAD		 758 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
759 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 760}
761
b76bbd66
MM		 762static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
763{
764 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
765 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
766
767 if (enh & L2CAP_CTRL_FRAME_TYPE) {
768 /* S-Frame */
769 control->sframe = 1;
770 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
771 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
772
773 control->sar = 0;
774 control->txseq = 0;
775 } else {
776 /* I-Frame */
777 control->sframe = 0;
778 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
779 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
780
781 control->poll = 0;
782 control->super = 0;
783 }
784}
785
b76bbd66
MM		 786static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
787{
788 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
789 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
790
791 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
792 /* S-Frame */
793 control->sframe = 1;
794 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
795 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
796
797 control->sar = 0;
798 control->txseq = 0;
799 } else {
800 /* I-Frame */
801 control->sframe = 0;
802 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
803 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
804
805 control->poll = 0;
806 control->super = 0;
807 }
808}
809
810static inline void __unpack_control(struct l2cap_chan *chan,
811 struct sk_buff *skb)
812{
813 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
814 __unpack_extended_control(get_unaligned_le32(skb->data),
815 &bt_cb(skb)->control);
cec8ab6e 816 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 817 } else {
818 __unpack_enhanced_control(get_unaligned_le16(skb->data),
819 &bt_cb(skb)->control);
cec8ab6e 820 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 821 }
822}
823
b5c6aaed
MM		 824static u32 __pack_extended_control(struct l2cap_ctrl *control)
825{
826 u32 packed;
827
828 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
829 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
830
831 if (control->sframe) {
832 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
833 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
834 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
835 } else {
836 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
837 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
838 }
839
840 return packed;
841}
842
843static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
844{
845 u16 packed;
846
847 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
848 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
849
850 if (control->sframe) {
851 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
852 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
853 packed |= L2CAP_CTRL_FRAME_TYPE;
854 } else {
855 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
856 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
857 }
858
859 return packed;
860}
861
b76bbd66
MM		 862static inline void __pack_control(struct l2cap_chan *chan,
863 struct l2cap_ctrl *control,
864 struct sk_buff *skb)
865{
866 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
867 put_unaligned_le32(__pack_extended_control(control),
868 skb->data + L2CAP_HDR_SIZE);
869 } else {
870 put_unaligned_le16(__pack_enhanced_control(control),
871 skb->data + L2CAP_HDR_SIZE);
872 }
873}
874
ba7aa64f
GP		 875static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
876{
877 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
878 return L2CAP_EXT_HDR_SIZE;
879 else
880 return L2CAP_ENH_HDR_SIZE;
881}
882
a67d7f6f
MM		 883static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
884 u32 control)
b5c6aaed
MM		 885{
886 struct sk_buff *skb;
887 struct l2cap_hdr *lh;
ba7aa64f 888 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 889
890 if (chan->fcs == L2CAP_FCS_CRC16)
891 hlen += L2CAP_FCS_SIZE;
892
a67d7f6f 893 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 894
b5c6aaed 895 if (!skb)
a67d7f6f 896 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 897
898 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
899 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
900 lh->cid = cpu_to_le16(chan->dcid);
901
a67d7f6f
MM		 902 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
903 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
904 else
905 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 906
907 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 908 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 909 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
910 }
911
912 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 913 return skb;
914}
915
916static void l2cap_send_sframe(struct l2cap_chan *chan,
917 struct l2cap_ctrl *control)
918{
919 struct sk_buff *skb;
920 u32 control_field;
921
922 BT_DBG("chan %p, control %p", chan, control);
923
924 if (!control->sframe)
925 return;
926
927 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
928 !control->poll)
929 control->final = 1;
930
931 if (control->super == L2CAP_SUPER_RR)
932 clear_bit(CONN_RNR_SENT, &chan->conn_state);
933 else if (control->super == L2CAP_SUPER_RNR)
934 set_bit(CONN_RNR_SENT, &chan->conn_state);
935
936 if (control->super != L2CAP_SUPER_SREJ) {
937 chan->last_acked_seq = control->reqseq;
938 __clear_ack_timer(chan);
939 }
940
941 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
942 control->final, control->poll, control->super);
943
944 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
945 control_field = __pack_extended_control(control);
946 else
947 control_field = __pack_enhanced_control(control);
948
949 skb = l2cap_create_sframe_pdu(chan, control_field);
950 if (!IS_ERR(skb))
951 l2cap_do_send(chan, skb);
b5c6aaed
MM		 952}
953
c9e3d5e0 954static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 955{
c9e3d5e0
MM		 956 struct l2cap_ctrl control;
957
958 BT_DBG("chan %p, poll %d", chan, poll);
959
960 memset(&control, 0, sizeof(control));
961 control.sframe = 1;
962 control.poll = poll;
963
964 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
965 control.super = L2CAP_SUPER_RNR;
966 else
967 control.super = L2CAP_SUPER_RR;
b5c6aaed 968
c9e3d5e0
MM		 969 control.reqseq = chan->buffer_seq;
970 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 971}
972
b4450035 973static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 974{
c1360a1c 975 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 976}
977
93c3e8f5
AE		 978static bool __amp_capable(struct l2cap_chan *chan)
979{
980 struct l2cap_conn *conn = chan->conn;
981
982 if (enable_hs &&
983 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
984 conn->fixed_chan_mask & L2CAP_FC_A2MP)
985 return true;
986 else
987 return false;
988}
989
2766be48 990void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 991{
992 struct l2cap_conn *conn = chan->conn;
993 struct l2cap_conn_req req;
994
995 req.scid = cpu_to_le16(chan->scid);
996 req.psm = chan->psm;
997
998 chan->ident = l2cap_get_ident(conn);
999
1000 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1001
1002 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1003}
1004
02b0fbb9
MM		 1005static void l2cap_move_setup(struct l2cap_chan *chan)
1006{
1007 struct sk_buff *skb;
1008
1009 BT_DBG("chan %p", chan);
1010
1011 if (chan->mode != L2CAP_MODE_ERTM)
1012 return;
1013
1014 __clear_retrans_timer(chan);
1015 __clear_monitor_timer(chan);
1016 __clear_ack_timer(chan);
1017
1018 chan->retry_count = 0;
1019 skb_queue_walk(&chan->tx_q, skb) {
1020 if (bt_cb(skb)->control.retries)
1021 bt_cb(skb)->control.retries = 1;
1022 else
1023 break;
1024 }
1025
1026 chan->expected_tx_seq = chan->buffer_seq;
1027
1028 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1029 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1030 l2cap_seq_list_clear(&chan->retrans_list);
1031 l2cap_seq_list_clear(&chan->srej_list);
1032 skb_queue_purge(&chan->srej_q);
1033
1034 chan->tx_state = L2CAP_TX_STATE_XMIT;
1035 chan->rx_state = L2CAP_RX_STATE_MOVE;
1036
1037 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1038}
1039
5f3847a4
MM		 1040static void l2cap_move_done(struct l2cap_chan *chan)
1041{
1042 u8 move_role = chan->move_role;
1043 BT_DBG("chan %p", chan);
1044
1045 chan->move_state = L2CAP_MOVE_STABLE;
1046 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1047
1048 if (chan->mode != L2CAP_MODE_ERTM)
1049 return;
1050
1051 switch (move_role) {
1052 case L2CAP_MOVE_ROLE_INITIATOR:
1053 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1054 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1055 break;
1056 case L2CAP_MOVE_ROLE_RESPONDER:
1057 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1058 break;
1059 }
1060}
1061
9f0caeb1
VCG		 1062static void l2cap_chan_ready(struct l2cap_chan *chan)
1063{
2827011f 1064 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1065 chan->conf_state = 0;
1066 __clear_chan_timer(chan);
1067
54a59aa2 1068 chan->state = BT_CONNECTED;
9f0caeb1 1069
fd83e2c2 1070 chan->ops->ready(chan);
9f0caeb1
VCG		 1071}
1072
93c3e8f5
AE		 1073static void l2cap_start_connection(struct l2cap_chan *chan)
1074{
1075 if (__amp_capable(chan)) {
1076 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1077 a2mp_discover_amp(chan);
1078 } else {
1079 l2cap_send_conn_req(chan);
1080 }
1081}
1082
fc7f8a7e 1083static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1084{
8c1d787b 1085 struct l2cap_conn *conn = chan->conn;
79d554a6 1086
9f0caeb1
VCG		 1087 if (conn->hcon->type == LE_LINK) {
1088 l2cap_chan_ready(chan);
1089 return;
1090 }
1091
79d554a6 1092 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1093 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1094 return;
1095
d45fc423 1096 if (l2cap_chan_check_security(chan) &&
2d792818 1097 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1098 l2cap_start_connection(chan);
1099 }
79d554a6
MH		 1100 } else {
1101 struct l2cap_info_req req;
ac73498c 1102 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1103
1104 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1105 conn->info_ident = l2cap_get_ident(conn);
1106
ba13ccd9 1107 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1108
2d792818
GP		 1109 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1110 sizeof(req), &req);
79d554a6
MH		 1111 }
1112}
1113
cf6c2c0b
GP		 1114static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1115{
1116 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1117 if (!disable_ertm)
cf6c2c0b
GP		 1118 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1119
1120 switch (mode) {
1121 case L2CAP_MODE_ERTM:
1122 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1123 case L2CAP_MODE_STREAMING:
1124 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1125 default:
1126 return 0x00;
1127 }
1128}
1129
2d792818
GP		 1130static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1131 struct l2cap_chan *chan, int err)
22121fc9 1132{
6be36555 1133 struct sock *sk = chan->sk;
22121fc9
GP		 1134 struct l2cap_disconn_req req;
1135
c13ffa62
GP		 1136 if (!conn)
1137 return;
1138
aad3d0e3 1139 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1140 __clear_retrans_timer(chan);
1141 __clear_monitor_timer(chan);
1142 __clear_ack_timer(chan);
c13ffa62
GP		 1143 }
1144
416fa752 1145 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1146 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1147 return;
1148 }
1149
fe4128e0
GP		 1150 req.dcid = cpu_to_le16(chan->dcid);
1151 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1152 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1153 sizeof(req), &req);
c13ffa62 1154
6be36555 1155 lock_sock(sk);
0e587be7 1156 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1157 __l2cap_chan_set_err(chan, err);
6be36555 1158 release_sock(sk);
22121fc9
GP		 1159}
1160
1da177e4 1161/* ---- L2CAP connections ---- */
4e8402a3
MH		 1162static void l2cap_conn_start(struct l2cap_conn *conn)
1163{
3df91ea2 1164 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1165
1166 BT_DBG("conn %p", conn);
1167
3df91ea2 1168 mutex_lock(&conn->chan_lock);
4e8402a3 1169
3df91ea2 1170 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1171 struct sock *sk = chan->sk;
baa7e1fa 1172
6be36555 1173 l2cap_chan_lock(chan);
4e8402a3 1174
715ec005 1175 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1176 l2cap_chan_unlock(chan);
79d554a6
MH		 1177 continue;
1178 }
1179
89bc500e 1180 if (chan->state == BT_CONNECT) {
d45fc423 1181 if (!l2cap_chan_check_security(chan) ||
2d792818 1182 !__l2cap_no_conn_pending(chan)) {
6be36555 1183 l2cap_chan_unlock(chan);
47731de7
GP		 1184 continue;
1185 }
79d554a6 1186
c1360a1c 1187 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1188 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1189 &chan->conf_state)) {
89bc500e 1190 l2cap_chan_close(chan, ECONNRESET);
6be36555 1191 l2cap_chan_unlock(chan);
47731de7 1192 continue;
b1235d79 1193 }
47731de7 1194
93c3e8f5 1195 l2cap_start_connection(chan);
47731de7 1196
89bc500e 1197 } else if (chan->state == BT_CONNECT2) {
79d554a6 1198 struct l2cap_conn_rsp rsp;
e9aeb2dd 1199 char buf[128];
fe4128e0
GP		 1200 rsp.scid = cpu_to_le16(chan->dcid);
1201 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1202
d45fc423 1203 if (l2cap_chan_check_security(chan)) {
6be36555 1204 lock_sock(sk);
c5daa683
GP		 1205 if (test_bit(BT_SK_DEFER_SETUP,
1206 &bt_sk(sk)->flags)) {
ac73498c
AE		 1207 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1208 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1209 chan->ops->defer(chan);
f66dc81f
MH		 1210
1211 } else {
0e587be7 1212 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1213 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1214 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1215 }
6be36555 1216 release_sock(sk);
79d554a6 1217 } else {
ac73498c
AE		 1218 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1219 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1220 }
1221
fc7f8a7e 1222 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1223 sizeof(rsp), &rsp);
e9aeb2dd 1224
c1360a1c 1225 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1226 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1227 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1228 continue;
1229 }
1230
c1360a1c 1231 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1232 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1233 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1234 chan->num_conf_req++;
4e8402a3
MH		 1235 }
1236
6be36555 1237 l2cap_chan_unlock(chan);
4e8402a3
MH		 1238 }
1239
3df91ea2 1240 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1241}
1242
c2287681 1243/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1244 * Returns closest match, locked.
1245 */
d9b88702 1246static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1247 bdaddr_t *src,
1248 bdaddr_t *dst)
b62f328b 1249{
23691d75 1250 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1251
23691d75 1252 read_lock(&chan_list_lock);
b62f328b 1253
23691d75
GP		 1254 list_for_each_entry(c, &chan_list, global_l) {
1255 struct sock *sk = c->sk;
fe4128e0 1256
89bc500e 1257 if (state && c->state != state)
b62f328b
VT		 1258 continue;
1259
23691d75 1260 if (c->scid == cid) {
c2287681
IY		 1261 int src_match, dst_match;
1262 int src_any, dst_any;
1263
b62f328b 1264 /* Exact match. */
c2287681
IY		 1265 src_match = !bacmp(&bt_sk(sk)->src, src);
1266 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1267 if (src_match && dst_match) {
23691d75
GP		 1268 read_unlock(&chan_list_lock);
1269 return c;
1270 }
b62f328b
VT		 1271
1272 /* Closest match */
c2287681
IY		 1273 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1274 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1275 if ((src_match && dst_any) || (src_any && dst_match) ||
1276 (src_any && dst_any))
23691d75 1277 c1 = c;
b62f328b
VT		 1278 }
1279 }
280f294f 1280
23691d75 1281 read_unlock(&chan_list_lock);
b62f328b 1282
23691d75 1283 return c1;
b62f328b
VT		 1284}
1285
1286static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1287{
c916fbe4 1288 struct sock *parent, *sk;
23691d75 1289 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1290
1291 BT_DBG("");
1292
1293 /* Check if we have socket listening on cid */
23691d75 1294 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1295 conn->src, conn->dst);
23691d75 1296 if (!pchan)
b62f328b
VT		 1297 return;
1298
23691d75
GP		 1299 parent = pchan->sk;
1300
aa2ac881 1301 lock_sock(parent);
62f3a2cf 1302
80b98027 1303 chan = pchan->ops->new_connection(pchan);
80808e43 1304 if (!chan)
b62f328b
VT		 1305 goto clean;
1306
80808e43 1307 sk = chan->sk;
5d41ce1d 1308
b62f328b 1309 hci_conn_hold(conn->hcon);
a9ea3ed9 1310 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1311
b62f328b
VT		 1312 bacpy(&bt_sk(sk)->src, conn->src);
1313 bacpy(&bt_sk(sk)->dst, conn->dst);
1314
3d57dc68 1315 l2cap_chan_add(conn, chan);
48454079 1316
6754e0df 1317 l2cap_chan_ready(chan);
b62f328b 1318
b62f328b 1319clean:
aa2ac881 1320 release_sock(parent);
b62f328b
VT		 1321}
1322
4e8402a3
MH		 1323static void l2cap_conn_ready(struct l2cap_conn *conn)
1324{
48454079 1325 struct l2cap_chan *chan;
cc110922 1326 struct hci_conn *hcon = conn->hcon;
4e8402a3 1327
79d554a6 1328 BT_DBG("conn %p", conn);
4e8402a3 1329
cc110922 1330 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1331 l2cap_le_conn_ready(conn);
1332
cc110922
VCG		 1333 if (hcon->out && hcon->type == LE_LINK)
1334 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1335
3df91ea2 1336 mutex_lock(&conn->chan_lock);
4e8402a3 1337
3df91ea2 1338 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1339
6be36555 1340 l2cap_chan_lock(chan);
4e8402a3 1341
416fa752
AE		 1342 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1343 l2cap_chan_unlock(chan);
1344 continue;
1345 }
1346
cc110922
VCG		 1347 if (hcon->type == LE_LINK) {
1348 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1349 l2cap_chan_ready(chan);
acd7d370 1350
63128451 1351 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1352 struct sock *sk = chan->sk;
c9b66675 1353 __clear_chan_timer(chan);
6be36555 1354 lock_sock(sk);
0e587be7 1355 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1356 sk->sk_state_change(sk);
6be36555 1357 release_sock(sk);
b501d6a1 1358
89bc500e 1359 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1360 l2cap_do_start(chan);
4e8402a3 1361
6be36555 1362 l2cap_chan_unlock(chan);
4e8402a3 1363 }
79d554a6 1364
3df91ea2 1365 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1366}
1367
1368/* Notify sockets that we cannot guaranty reliability anymore */
1369static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1370{
48454079 1371 struct l2cap_chan *chan;
4e8402a3
MH		 1372
1373 BT_DBG("conn %p", conn);
1374
3df91ea2 1375 mutex_lock(&conn->chan_lock);
4e8402a3 1376
3df91ea2 1377 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1378 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1379 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1380 }
1381
3df91ea2 1382 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1383}
1384
f878fcad 1385static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1386{
f878fcad 1387 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1388 info_timer.work);
4e8402a3 1389
984947dc 1390 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1391 conn->info_ident = 0;
984947dc 1392
4e8402a3
MH		 1393 l2cap_conn_start(conn);
1394}
1395
5d3de7df
VCG		 1396static void l2cap_conn_del(struct hci_conn *hcon, int err)
1397{
1398 struct l2cap_conn *conn = hcon->l2cap_data;
1399 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1400
1401 if (!conn)
1402 return;
1403
1404 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1405
1406 kfree_skb(conn->rx_skb);
1407
3df91ea2
AE		 1408 mutex_lock(&conn->chan_lock);
1409
5d3de7df
VCG		 1410 /* Kill channels */
1411 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1412 l2cap_chan_hold(chan);
6be36555
AE		 1413 l2cap_chan_lock(chan);
1414
5d3de7df 1415 l2cap_chan_del(chan, err);
6be36555
AE		 1416
1417 l2cap_chan_unlock(chan);
1418
80b98027 1419 chan->ops->close(chan);
61d6ef3e 1420 l2cap_chan_put(chan);
5d3de7df
VCG		 1421 }
1422
3df91ea2
AE		 1423 mutex_unlock(&conn->chan_lock);
1424
73d80deb
LAD		 1425 hci_chan_del(conn->hchan);
1426
5d3de7df 1427 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1428 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1429
51a8efd7 1430 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1431 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1432 smp_chan_destroy(conn);
d26a2345 1433 }
5d3de7df
VCG		 1434
1435 hcon->l2cap_data = NULL;
1436 kfree(conn);
1437}
1438
6c9d42a1 1439static void security_timeout(struct work_struct *work)
5d3de7df 1440{
6c9d42a1 1441 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1442 security_timer.work);
5d3de7df 1443
d06cc416
JH		 1444 BT_DBG("conn %p", conn);
1445
1446 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1447 smp_chan_destroy(conn);
1448 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1449 }
5d3de7df
VCG		 1450}
1451
1da177e4
LT		 1452static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1453{
0139418c 1454 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1455 struct hci_chan *hchan;
1da177e4 1456
0139418c 1457 if (conn || status)
1da177e4
LT		 1458 return conn;
1459
73d80deb
LAD		 1460 hchan = hci_chan_create(hcon);
1461 if (!hchan)
1462 return NULL;
1463
8bcde1f2 1464 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1465 if (!conn) {
1466 hci_chan_del(hchan);
1da177e4 1467 return NULL;
73d80deb 1468 }
1da177e4
LT		 1469
1470 hcon->l2cap_data = conn;
1471 conn->hcon = hcon;
73d80deb 1472 conn->hchan = hchan;
1da177e4 1473
73d80deb 1474 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1475
dcc042d5
AE		 1476 switch (hcon->type) {
1477 case AMP_LINK:
1478 conn->mtu = hcon->hdev->block_mtu;
1479 break;
1480
1481 case LE_LINK:
1482 if (hcon->hdev->le_mtu) {
1483 conn->mtu = hcon->hdev->le_mtu;
1484 break;
1485 }
1486 /* fall through */
1487
1488 default:
acd7d370 1489 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1490 break;
1491 }
acd7d370 1492
1da177e4
LT		 1493 conn->src = &hcon->hdev->bdaddr;
1494 conn->dst = &hcon->dst;
1495
4e8402a3
MH		 1496 conn->feat_mask = 0;
1497
1da177e4 1498 spin_lock_init(&conn->lock);
3df91ea2 1499 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1500
1501 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1502
5d3de7df 1503 if (hcon->type == LE_LINK)
6c9d42a1 1504 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1505 else
030013d8 1506 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1507
9f5a0d7b 1508 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1509
1da177e4
LT		 1510 return conn;
1511}
1512
1da177e4 1513/* ---- Socket interface ---- */
1da177e4 1514
c2287681 1515/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1516 * Returns closest match.
1517 */
c2287681
IY		 1518static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1519 bdaddr_t *src,
1520 bdaddr_t *dst)
1da177e4 1521{
23691d75 1522 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1523
23691d75 1524 read_lock(&chan_list_lock);
e0f0cb56 1525
23691d75
GP		 1526 list_for_each_entry(c, &chan_list, global_l) {
1527 struct sock *sk = c->sk;
fe4128e0 1528
89bc500e 1529 if (state && c->state != state)
1da177e4
LT		 1530 continue;
1531
23691d75 1532 if (c->psm == psm) {
c2287681
IY		 1533 int src_match, dst_match;
1534 int src_any, dst_any;
1535
1da177e4 1536 /* Exact match. */
c2287681
IY		 1537 src_match = !bacmp(&bt_sk(sk)->src, src);
1538 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1539 if (src_match && dst_match) {
a7567b20 1540 read_unlock(&chan_list_lock);
23691d75
GP		 1541 return c;
1542 }
1da177e4
LT		 1543
1544 /* Closest match */
c2287681
IY		 1545 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1546 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1547 if ((src_match && dst_any) || (src_any && dst_match) ||
1548 (src_any && dst_any))
23691d75 1549 c1 = c;
1da177e4
LT		 1550 }
1551 }
1da177e4 1552
23691d75 1553 read_unlock(&chan_list_lock);
e0f0cb56 1554
23691d75 1555 return c1;
1da177e4
LT		 1556}
1557
8e9f9892
AG		 1558int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1559 bdaddr_t *dst, u8 dst_type)
1da177e4 1560{
5d41ce1d 1561 struct sock *sk = chan->sk;
1da177e4 1562 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1563 struct l2cap_conn *conn;
1564 struct hci_conn *hcon;
1565 struct hci_dev *hdev;
09ab6f4c 1566 __u8 auth_type;
44d0e48e 1567 int err;
1da177e4 1568
6ed93dc6 1569 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1570 dst_type, __le16_to_cpu(psm));
1da177e4 1571
af05b30b
GP		 1572 hdev = hci_get_route(dst, src);
1573 if (!hdev)
1da177e4
LT		 1574 return -EHOSTUNREACH;
1575
09fd0de5 1576 hci_dev_lock(hdev);
1da177e4 1577
6be36555 1578 l2cap_chan_lock(chan);
03a00194
GP		 1579
1580 /* PSM must be odd and lsb of upper byte must be 0 */
1581 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1582 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1583 err = -EINVAL;
1584 goto done;
1585 }
1586
1587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1588 err = -EINVAL;
1589 goto done;
1590 }
1591
1592 switch (chan->mode) {
1593 case L2CAP_MODE_BASIC:
1594 break;
1595 case L2CAP_MODE_ERTM:
1596 case L2CAP_MODE_STREAMING:
1597 if (!disable_ertm)
1598 break;
1599 /* fall through */
1600 default:
1601 err = -ENOTSUPP;
1602 goto done;
1603 }
1604
0797e01d 1605 switch (chan->state) {
03a00194
GP		 1606 case BT_CONNECT:
1607 case BT_CONNECT2:
1608 case BT_CONFIG:
1609 /* Already connecting */
1610 err = 0;
1611 goto done;
1612
1613 case BT_CONNECTED:
1614 /* Already connected */
1615 err = -EISCONN;
1616 goto done;
1617
1618 case BT_OPEN:
1619 case BT_BOUND:
1620 /* Can connect */
1621 break;
1622
1623 default:
1624 err = -EBADFD;
1625 goto done;
1626 }
1627
1628 /* Set destination address and psm */
0797e01d 1629 lock_sock(sk);
9219b2a0 1630 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1631 release_sock(sk);
1632
03a00194
GP		 1633 chan->psm = psm;
1634 chan->dcid = cid;
1da177e4 1635
4343478f 1636 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1637
fe4128e0 1638 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1639 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1640 chan->sec_level, auth_type);
acd7d370 1641 else
8e9f9892 1642 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1643 chan->sec_level, auth_type);
acd7d370 1644
30e76272
VT		 1645 if (IS_ERR(hcon)) {
1646 err = PTR_ERR(hcon);
1da177e4 1647 goto done;
30e76272 1648 }
1da177e4
LT		 1649
1650 conn = l2cap_conn_add(hcon, 0);
1651 if (!conn) {
1652 hci_conn_put(hcon);
30e76272 1653 err = -ENOMEM;
1da177e4
LT		 1654 goto done;
1655 }
1656
9f0caeb1
VCG		 1657 if (hcon->type == LE_LINK) {
1658 err = 0;
1659
1660 if (!list_empty(&conn->chan_l)) {
1661 err = -EBUSY;
1662 hci_conn_put(hcon);
1663 }
1664
1665 if (err)
1666 goto done;
1667 }
1668
1da177e4
LT		 1669 /* Update source addr of the socket */
1670 bacpy(src, conn->src);
1671
6be36555 1672 l2cap_chan_unlock(chan);
48454079 1673 l2cap_chan_add(conn, chan);
6be36555 1674 l2cap_chan_lock(chan);
48454079 1675
6be36555 1676 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1677 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1678
1679 if (hcon->state == BT_CONNECTED) {
715ec005 1680 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1681 __clear_chan_timer(chan);
d45fc423 1682 if (l2cap_chan_check_security(chan))
6be36555 1683 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1684 } else
fc7f8a7e 1685 l2cap_do_start(chan);
1da177e4
LT		 1686 }
1687
30e76272
VT		 1688 err = 0;
1689
1da177e4 1690done:
6be36555 1691 l2cap_chan_unlock(chan);
09fd0de5 1692 hci_dev_unlock(hdev);
1da177e4
LT		 1693 hci_dev_put(hdev);
1694 return err;
1695}
1696
dcba0dba 1697int __l2cap_wait_ack(struct sock *sk)
6161c038 1698{
8c1d787b 1699 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1700 DECLARE_WAITQUEUE(wait, current);
1701 int err = 0;
1702 int timeo = HZ/5;
1703
2b0b05dd 1704 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1705 set_current_state(TASK_INTERRUPTIBLE);
1706 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1707 if (!timeo)
1708 timeo = HZ/5;
1709
1710 if (signal_pending(current)) {
1711 err = sock_intr_errno(timeo);
1712 break;
1713 }
1714
1715 release_sock(sk);
1716 timeo = schedule_timeout(timeo);
1717 lock_sock(sk);
a71a0cf4 1718 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1719
1720 err = sock_error(sk);
1721 if (err)
1722 break;
1723 }
1724 set_current_state(TASK_RUNNING);
2b0b05dd 1725 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1726 return err;
1727}
1728
721c4181 1729static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1730{
721c4181 1731 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1732 monitor_timer.work);
e90bac06 1733
525cd185 1734 BT_DBG("chan %p", chan);
0e98958d 1735
6be36555
AE		 1736 l2cap_chan_lock(chan);
1737
80909e04 1738 if (!chan->conn) {
6be36555 1739 l2cap_chan_unlock(chan);
8d7e1c7f 1740 l2cap_chan_put(chan);
e90bac06
GP		 1741 return;
1742 }
1743
401bb1f7 1744 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1745
6be36555 1746 l2cap_chan_unlock(chan);
8d7e1c7f 1747 l2cap_chan_put(chan);
e90bac06
GP		 1748}
1749
721c4181 1750static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1751{
721c4181 1752 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1753 retrans_timer.work);
e90bac06 1754
49208c9c 1755 BT_DBG("chan %p", chan);
0e98958d 1756
6be36555
AE		 1757 l2cap_chan_lock(chan);
1758
80909e04
MM		 1759 if (!chan->conn) {
1760 l2cap_chan_unlock(chan);
1761 l2cap_chan_put(chan);
1762 return;
1763 }
6be36555 1764
401bb1f7 1765 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1766 l2cap_chan_unlock(chan);
8d7e1c7f 1767 l2cap_chan_put(chan);
e90bac06
GP		 1768}
1769
d660366d
GP		 1770static void l2cap_streaming_send(struct l2cap_chan *chan,
1771 struct sk_buff_head *skbs)
6840ed07 1772{
ccbb84af 1773 struct sk_buff *skb;
3733937d 1774 struct l2cap_ctrl *control;
6840ed07 1775
3733937d
MM		 1776 BT_DBG("chan %p, skbs %p", chan, skbs);
1777
3733937d
MM		 1778 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1779
1780 while (!skb_queue_empty(&chan->tx_q)) {
1781
1782 skb = skb_dequeue(&chan->tx_q);
1783
1784 bt_cb(skb)->control.retries = 1;
1785 control = &bt_cb(skb)->control;
1786
1787 control->reqseq = 0;
1788 control->txseq = chan->next_tx_seq;
1789
1790 __pack_control(chan, control, skb);
6840ed07 1791
47d1ec61 1792 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1793 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1794 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1795 }
1796
4343478f 1797 l2cap_do_send(chan, skb);
6840ed07 1798
b4400672 1799 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1800
836be934 1801 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1802 chan->frames_sent++;
6840ed07 1803 }
6840ed07
GP		 1804}
1805
67c9e840 1806static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1807{
1808 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1809 struct l2cap_ctrl *control;
1810 int sent = 0;
1811
1812 BT_DBG("chan %p", chan);
1c2acffb 1813
89bc500e 1814 if (chan->state != BT_CONNECTED)
c13ffa62 1815 return -ENOTCONN;
e90bac06 1816
94122bbe
MM		 1817 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1818 return 0;
1819
18a48e76
MM		 1820 while (chan->tx_send_head &&
1821 chan->unacked_frames < chan->remote_tx_win &&
1822 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1823
18a48e76 1824 skb = chan->tx_send_head;
e90bac06 1825
18a48e76
MM		 1826 bt_cb(skb)->control.retries = 1;
1827 control = &bt_cb(skb)->control;
95ffa978 1828
e2ab4353 1829 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1830 control->final = 1;
e2ab4353 1831
18a48e76
MM		 1832 control->reqseq = chan->buffer_seq;
1833 chan->last_acked_seq = chan->buffer_seq;
1834 control->txseq = chan->next_tx_seq;
1c2acffb 1835
18a48e76 1836 __pack_control(chan, control, skb);
e90bac06 1837
47d1ec61 1838 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1839 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1840 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1841 }
1842
18a48e76
MM		 1843 /* Clone after data has been modified. Data is assumed to be
1844 read-only (for locking purposes) on cloned sk_buffs.
1845 */
1846 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1847
18a48e76
MM		 1848 if (!tx_skb)
1849 break;
1c2acffb 1850
18a48e76 1851 __set_retrans_timer(chan);
836be934
AE		 1852
1853 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1854 chan->unacked_frames++;
6a026610 1855 chan->frames_sent++;
18a48e76 1856 sent++;
1c2acffb 1857
58d35f87
GP		 1858 if (skb_queue_is_last(&chan->tx_q, skb))
1859 chan->tx_send_head = NULL;
1c2acffb 1860 else
58d35f87 1861 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1862
1863 l2cap_do_send(chan, tx_skb);
b4400672 1864 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1865 }
1866
b4400672
AE		 1867 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1868 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1869
1870 return sent;
9e917af1
GP		 1871}
1872
e1fbd4c1
MM		 1873static void l2cap_ertm_resend(struct l2cap_chan *chan)
1874{
1875 struct l2cap_ctrl control;
1876 struct sk_buff *skb;
1877 struct sk_buff *tx_skb;
1878 u16 seq;
1879
1880 BT_DBG("chan %p", chan);
1881
1882 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1883 return;
1884
1885 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1886 seq = l2cap_seq_list_pop(&chan->retrans_list);
1887
1888 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1889 if (!skb) {
1890 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1891 seq);
e1fbd4c1
MM		 1892 continue;
1893 }
1894
1895 bt_cb(skb)->control.retries++;
1896 control = bt_cb(skb)->control;
1897
1898 if (chan->max_tx != 0 &&
1899 bt_cb(skb)->control.retries > chan->max_tx) {
1900 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1901 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1902 l2cap_seq_list_clear(&chan->retrans_list);
1903 break;
1904 }
1905
1906 control.reqseq = chan->buffer_seq;
1907 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1908 control.final = 1;
1909 else
1910 control.final = 0;
1911
1912 if (skb_cloned(skb)) {
1913 /* Cloned sk_buffs are read-only, so we need a
1914 * writeable copy
1915 */
8bcde1f2 1916 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1917 } else {
8bcde1f2 1918 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1919 }
1920
1921 if (!tx_skb) {
1922 l2cap_seq_list_clear(&chan->retrans_list);
1923 break;
1924 }
1925
1926 /* Update skb contents */
1927 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1928 put_unaligned_le32(__pack_extended_control(&control),
1929 tx_skb->data + L2CAP_HDR_SIZE);
1930 } else {
1931 put_unaligned_le16(__pack_enhanced_control(&control),
1932 tx_skb->data + L2CAP_HDR_SIZE);
1933 }
1934
1935 if (chan->fcs == L2CAP_FCS_CRC16) {
1936 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1937 put_unaligned_le16(fcs, skb_put(tx_skb,
1938 L2CAP_FCS_SIZE));
1939 }
1940
1941 l2cap_do_send(chan, tx_skb);
1942
1943 BT_DBG("Resent txseq %d", control.txseq);
1944
1945 chan->last_acked_seq = chan->buffer_seq;
1946 }
1947}
1948
f80842a8
MM		 1949static void l2cap_retransmit(struct l2cap_chan *chan,
1950 struct l2cap_ctrl *control)
1951{
1952 BT_DBG("chan %p, control %p", chan, control);
1953
1954 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1955 l2cap_ertm_resend(chan);
1956}
1957
d2a7ac5d
MM		 1958static void l2cap_retransmit_all(struct l2cap_chan *chan,
1959 struct l2cap_ctrl *control)
1960{
e1fbd4c1
MM		 1961 struct sk_buff *skb;
1962
1963 BT_DBG("chan %p, control %p", chan, control);
1964
1965 if (control->poll)
1966 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1967
1968 l2cap_seq_list_clear(&chan->retrans_list);
1969
1970 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1971 return;
1972
1973 if (chan->unacked_frames) {
1974 skb_queue_walk(&chan->tx_q, skb) {
1975 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 1976 skb == chan->tx_send_head)
e1fbd4c1
MM		 1977 break;
1978 }
1979
1980 skb_queue_walk_from(&chan->tx_q, skb) {
1981 if (skb == chan->tx_send_head)
1982 break;
1983
1984 l2cap_seq_list_append(&chan->retrans_list,
1985 bt_cb(skb)->control.txseq);
1986 }
1987
1988 l2cap_ertm_resend(chan);
1989 }
d2a7ac5d
MM		 1990}
1991
0a0aba42 1992static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1993{
0a0aba42
MM		 1994 struct l2cap_ctrl control;
1995 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1996 chan->last_acked_seq);
1997 int threshold;
9e917af1 1998
0a0aba42
MM		 1999 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2000 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2001
0a0aba42
MM		 2002 memset(&control, 0, sizeof(control));
2003 control.sframe = 1;
dfc909be 2004
0a0aba42
MM		 2005 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2006 chan->rx_state == L2CAP_RX_STATE_RECV) {
2007 __clear_ack_timer(chan);
2008 control.super = L2CAP_SUPER_RNR;
2009 control.reqseq = chan->buffer_seq;
2010 l2cap_send_sframe(chan, &control);
2011 } else {
2012 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2013 l2cap_ertm_send(chan);
2014 /* If any i-frames were sent, they included an ack */
2015 if (chan->buffer_seq == chan->last_acked_seq)
2016 frames_to_ack = 0;
2017 }
dfc909be 2018
c20f8e35 2019 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2020 * Calculate without mul or div
2021 */
c20f8e35 2022 threshold = chan->ack_win;
0a0aba42
MM		 2023 threshold += threshold << 1;
2024 threshold >>= 2;
2025
b4400672 2026 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2027 threshold);
2028
2029 if (frames_to_ack >= threshold) {
2030 __clear_ack_timer(chan);
2031 control.super = L2CAP_SUPER_RR;
2032 control.reqseq = chan->buffer_seq;
2033 l2cap_send_sframe(chan, &control);
2034 frames_to_ack = 0;
2035 }
1c2acffb 2036
0a0aba42
MM		 2037 if (frames_to_ack)
2038 __set_ack_timer(chan);
2039 }
b17e73bb
SJ		 2040}
2041
04124681
GP		 2042static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2043 struct msghdr *msg, int len,
2044 int count, struct sk_buff *skb)
1c2acffb 2045{
0952a57a 2046 struct l2cap_conn *conn = chan->conn;
1c2acffb 2047 struct sk_buff **frag;
90338947 2048 int sent = 0;
1da177e4 2049
59203a21 2050 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2051 return -EFAULT;
1da177e4
LT		 2052
2053 sent += count;
2054 len -= count;
2055
2056 /* Continuation fragments (no L2CAP header) */
2057 frag = &skb_shinfo(skb)->frag_list;
2058 while (len) {
fbe00700
GP		 2059 struct sk_buff *tmp;
2060
1da177e4
LT		 2061 count = min_t(unsigned int, conn->mtu, len);
2062
fbe00700
GP		 2063 tmp = chan->ops->alloc_skb(chan, count,
2064 msg->msg_flags & MSG_DONTWAIT);
2065 if (IS_ERR(tmp))
2066 return PTR_ERR(tmp);
2067
2068 *frag = tmp;
2f7719ce 2069
1c2acffb
GP		 2070 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2071 return -EFAULT;
1da177e4 2072
5e59b791
LAD		 2073 (*frag)->priority = skb->priority;
2074
1da177e4
LT		 2075 sent += count;
2076 len -= count;
2077
2d0ed3d5
GP		 2078 skb->len += (*frag)->len;
2079 skb->data_len += (*frag)->len;
2080
1da177e4
LT		 2081 frag = &(*frag)->next;
2082 }
1da177e4
LT		 2083
2084 return sent;
1c2acffb 2085}
1da177e4 2086
5e59b791 2087static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2088 struct msghdr *msg, size_t len,
2089 u32 priority)
1c2acffb 2090{
8c1d787b 2091 struct l2cap_conn *conn = chan->conn;
1c2acffb 2092 struct sk_buff *skb;
03a51213 2093 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2094 struct l2cap_hdr *lh;
2095
b4400672 2096 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2097
2098 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2099
2100 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2101 msg->msg_flags & MSG_DONTWAIT);
2102 if (IS_ERR(skb))
2103 return skb;
1c2acffb 2104
5e59b791
LAD		 2105 skb->priority = priority;
2106
1c2acffb
GP		 2107 /* Create L2CAP header */
2108 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2109 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2110 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2111 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2112
0952a57a 2113 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2114 if (unlikely(err < 0)) {
2115 kfree_skb(skb);
2116 return ERR_PTR(err);
2117 }
2118 return skb;
2119}
2120
5e59b791 2121static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2122 struct msghdr *msg, size_t len,
2123 u32 priority)
1c2acffb 2124{
8c1d787b 2125 struct l2cap_conn *conn = chan->conn;
1c2acffb 2126 struct sk_buff *skb;
f2ba7fae 2127 int err, count;
1c2acffb
GP		 2128 struct l2cap_hdr *lh;
2129
b4400672 2130 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2131
f2ba7fae 2132 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2133
f2ba7fae 2134 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2135 msg->msg_flags & MSG_DONTWAIT);
2136 if (IS_ERR(skb))
2137 return skb;
1c2acffb 2138
5e59b791
LAD		 2139 skb->priority = priority;
2140
1c2acffb
GP		 2141 /* Create L2CAP header */
2142 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2143 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2144 lh->len = cpu_to_le16(len);
1c2acffb 2145
0952a57a 2146 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2147 if (unlikely(err < 0)) {
2148 kfree_skb(skb);
2149 return ERR_PTR(err);
2150 }
2151 return skb;
2152}
2153
ab0ff76d 2154static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2155 struct msghdr *msg, size_t len,
2156 u16 sdulen)
1c2acffb 2157{
8c1d787b 2158 struct l2cap_conn *conn = chan->conn;
1c2acffb 2159 struct sk_buff *skb;
e4ca6d98 2160 int err, count, hlen;
1c2acffb
GP		 2161 struct l2cap_hdr *lh;
2162
b4400672 2163 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2164
0ee0d208
GP		 2165 if (!conn)
2166 return ERR_PTR(-ENOTCONN);
2167
ba7aa64f 2168 hlen = __ertm_hdr_size(chan);
e4ca6d98 2169
c74e560c 2170 if (sdulen)
03a51213 2171 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2172
47d1ec61 2173 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2174 hlen += L2CAP_FCS_SIZE;
fcc203c3 2175
1c2acffb 2176 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2177
2178 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2179 msg->msg_flags & MSG_DONTWAIT);
2180 if (IS_ERR(skb))
2181 return skb;
1c2acffb
GP		 2182
2183 /* Create L2CAP header */
2184 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2185 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2186 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2187
18a48e76
MM		 2188 /* Control header is populated later */
2189 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2190 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2191 else
2192 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2193
c74e560c 2194 if (sdulen)
03a51213 2195 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2196
0952a57a 2197 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2198 if (unlikely(err < 0)) {
2199 kfree_skb(skb);
2200 return ERR_PTR(err);
2201 }
e90bac06 2202
18a48e76 2203 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2204 bt_cb(skb)->control.retries = 0;
1c2acffb 2205 return skb;
1da177e4
LT		 2206}
2207
94122bbe
MM		 2208static int l2cap_segment_sdu(struct l2cap_chan *chan,
2209 struct sk_buff_head *seg_queue,
2210 struct msghdr *msg, size_t len)
c74e560c 2211{
c74e560c 2212 struct sk_buff *skb;
94122bbe
MM		 2213 u16 sdu_len;
2214 size_t pdu_len;
94122bbe 2215 u8 sar;
c74e560c 2216
b4400672 2217 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2218
94122bbe
MM		 2219 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2220 * so fragmented skbs are not used. The HCI layer's handling
2221 * of fragmented skbs is not compatible with ERTM's queueing.
2222 */
c74e560c 2223
94122bbe
MM		 2224 /* PDU size is derived from the HCI MTU */
2225 pdu_len = chan->conn->mtu;
c74e560c 2226
94122bbe
MM		 2227 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2228
2229 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2230 if (chan->fcs)
2231 pdu_len -= L2CAP_FCS_SIZE;
2232
ba7aa64f 2233 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2234
2235 /* Remote device may have requested smaller PDUs */
2236 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2237
2238 if (len <= pdu_len) {
2239 sar = L2CAP_SAR_UNSEGMENTED;
2240 sdu_len = 0;
2241 pdu_len = len;
2242 } else {
2243 sar = L2CAP_SAR_START;
2244 sdu_len = len;
2245 pdu_len -= L2CAP_SDULEN_SIZE;
2246 }
2247
2248 while (len > 0) {
2249 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2250
c74e560c 2251 if (IS_ERR(skb)) {
94122bbe 2252 __skb_queue_purge(seg_queue);
c74e560c
GP		 2253 return PTR_ERR(skb);
2254 }
2255
94122bbe
MM		 2256 bt_cb(skb)->control.sar = sar;
2257 __skb_queue_tail(seg_queue, skb);
2258
2259 len -= pdu_len;
2260 if (sdu_len) {
2261 sdu_len = 0;
2262 pdu_len += L2CAP_SDULEN_SIZE;
2263 }
2264
2265 if (len <= pdu_len) {
2266 sar = L2CAP_SAR_END;
2267 pdu_len = len;
2268 } else {
2269 sar = L2CAP_SAR_CONTINUE;
2270 }
c74e560c 2271 }
c74e560c 2272
f0f62799 2273 return 0;
c74e560c
GP		 2274}
2275
5e59b791 2276int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2277 u32 priority)
9a91a04a 2278{
9a91a04a 2279 struct sk_buff *skb;
9a91a04a 2280 int err;
94122bbe 2281 struct sk_buff_head seg_queue;
9a91a04a
GP		 2282
2283 /* Connectionless channel */
715ec005 2284 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2285 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2286 if (IS_ERR(skb))
2287 return PTR_ERR(skb);
2288
2289 l2cap_do_send(chan, skb);
2290 return len;
2291 }
2292
2293 switch (chan->mode) {
2294 case L2CAP_MODE_BASIC:
2295 /* Check outgoing MTU */
2296 if (len > chan->omtu)
2297 return -EMSGSIZE;
2298
2299 /* Create a basic PDU */
5e59b791 2300 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2301 if (IS_ERR(skb))
2302 return PTR_ERR(skb);
2303
2304 l2cap_do_send(chan, skb);
2305 err = len;
2306 break;
2307
2308 case L2CAP_MODE_ERTM:
2309 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2310 /* Check outgoing MTU */
2311 if (len > chan->omtu) {
2312 err = -EMSGSIZE;
2313 break;
2314 }
9a91a04a 2315
94122bbe 2316 __skb_queue_head_init(&seg_queue);
9a91a04a 2317
94122bbe
MM		 2318 /* Do segmentation before calling in to the state machine,
2319 * since it's possible to block while waiting for memory
2320 * allocation.
2321 */
2322 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2323
94122bbe
MM		 2324 /* The channel could have been closed while segmenting,
2325 * check that it is still connected.
2326 */
2327 if (chan->state != BT_CONNECTED) {
2328 __skb_queue_purge(&seg_queue);
2329 err = -ENOTCONN;
9a91a04a
GP		 2330 }
2331
94122bbe 2332 if (err)
9a91a04a 2333 break;
9a91a04a 2334
3733937d 2335 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2336 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2337 else
d660366d 2338 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2339
d660366d 2340 err = len;
9a91a04a 2341
94122bbe
MM		 2342 /* If the skbs were not queued for sending, they'll still be in
2343 * seg_queue and need to be purged.
2344 */
2345 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2346 break;
2347
2348 default:
2349 BT_DBG("bad state %1.1x", chan->mode);
2350 err = -EBADFD;
2351 }
2352
2353 return err;
2354}
2355
d2a7ac5d
MM		 2356static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2357{
bed68bde
MM		 2358 struct l2cap_ctrl control;
2359 u16 seq;
2360
b4400672 2361 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2362
2363 memset(&control, 0, sizeof(control));
2364 control.sframe = 1;
2365 control.super = L2CAP_SUPER_SREJ;
2366
2367 for (seq = chan->expected_tx_seq; seq != txseq;
2368 seq = __next_seq(chan, seq)) {
2369 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2370 control.reqseq = seq;
2371 l2cap_send_sframe(chan, &control);
2372 l2cap_seq_list_append(&chan->srej_list, seq);
2373 }
2374 }
2375
2376 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2377}
2378
2379static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2380{
bed68bde
MM		 2381 struct l2cap_ctrl control;
2382
2383 BT_DBG("chan %p", chan);
2384
2385 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2386 return;
2387
2388 memset(&control, 0, sizeof(control));
2389 control.sframe = 1;
2390 control.super = L2CAP_SUPER_SREJ;
2391 control.reqseq = chan->srej_list.tail;
2392 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2393}
2394
2395static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2396{
bed68bde
MM		 2397 struct l2cap_ctrl control;
2398 u16 initial_head;
2399 u16 seq;
2400
b4400672 2401 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2402
2403 memset(&control, 0, sizeof(control));
2404 control.sframe = 1;
2405 control.super = L2CAP_SUPER_SREJ;
2406
2407 /* Capture initial list head to allow only one pass through the list. */
2408 initial_head = chan->srej_list.head;
2409
2410 do {
2411 seq = l2cap_seq_list_pop(&chan->srej_list);
2412 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2413 break;
2414
2415 control.reqseq = seq;
2416 l2cap_send_sframe(chan, &control);
2417 l2cap_seq_list_append(&chan->srej_list, seq);
2418 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2419}
2420
608bcc6d
MM		 2421static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2422{
2423 struct sk_buff *acked_skb;
2424 u16 ackseq;
2425
b4400672 2426 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2427
2428 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2429 return;
2430
b4400672 2431 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2432 chan->expected_ack_seq, chan->unacked_frames);
2433
2434 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2435 ackseq = __next_seq(chan, ackseq)) {
2436
2437 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2438 if (acked_skb) {
2439 skb_unlink(acked_skb, &chan->tx_q);
2440 kfree_skb(acked_skb);
2441 chan->unacked_frames--;
2442 }
2443 }
2444
2445 chan->expected_ack_seq = reqseq;
2446
2447 if (chan->unacked_frames == 0)
2448 __clear_retrans_timer(chan);
2449
b4400672 2450 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2451}
2452
2453static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2454{
2455 BT_DBG("chan %p", chan);
2456
2457 chan->expected_tx_seq = chan->buffer_seq;
2458 l2cap_seq_list_clear(&chan->srej_list);
2459 skb_queue_purge(&chan->srej_q);
2460 chan->rx_state = L2CAP_RX_STATE_RECV;
2461}
2462
d660366d
GP		 2463static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2464 struct l2cap_ctrl *control,
2465 struct sk_buff_head *skbs, u8 event)
608bcc6d 2466{
608bcc6d
MM		 2467 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2468 event);
2469
2470 switch (event) {
2471 case L2CAP_EV_DATA_REQUEST:
2472 if (chan->tx_send_head == NULL)
2473 chan->tx_send_head = skb_peek(skbs);
2474
2475 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2476 l2cap_ertm_send(chan);
2477 break;
2478 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2479 BT_DBG("Enter LOCAL_BUSY");
2480 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2481
2482 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2483 /* The SREJ_SENT state must be aborted if we are to
2484 * enter the LOCAL_BUSY state.
2485 */
2486 l2cap_abort_rx_srej_sent(chan);
2487 }
2488
2489 l2cap_send_ack(chan);
2490
2491 break;
2492 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2493 BT_DBG("Exit LOCAL_BUSY");
2494 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2495
2496 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2497 struct l2cap_ctrl local_control;
2498
2499 memset(&local_control, 0, sizeof(local_control));
2500 local_control.sframe = 1;
2501 local_control.super = L2CAP_SUPER_RR;
2502 local_control.poll = 1;
2503 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2504 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2505
2506 chan->retry_count = 1;
2507 __set_monitor_timer(chan);
2508 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2509 }
2510 break;
2511 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2512 l2cap_process_reqseq(chan, control->reqseq);
2513 break;
2514 case L2CAP_EV_EXPLICIT_POLL:
2515 l2cap_send_rr_or_rnr(chan, 1);
2516 chan->retry_count = 1;
2517 __set_monitor_timer(chan);
2518 __clear_ack_timer(chan);
2519 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2520 break;
2521 case L2CAP_EV_RETRANS_TO:
2522 l2cap_send_rr_or_rnr(chan, 1);
2523 chan->retry_count = 1;
2524 __set_monitor_timer(chan);
2525 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2526 break;
2527 case L2CAP_EV_RECV_FBIT:
2528 /* Nothing to process */
2529 break;
2530 default:
2531 break;
2532 }
608bcc6d
MM		 2533}
2534
d660366d
GP		 2535static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2536 struct l2cap_ctrl *control,
2537 struct sk_buff_head *skbs, u8 event)
608bcc6d 2538{
608bcc6d
MM		 2539 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2540 event);
2541
2542 switch (event) {
2543 case L2CAP_EV_DATA_REQUEST:
2544 if (chan->tx_send_head == NULL)
2545 chan->tx_send_head = skb_peek(skbs);
2546 /* Queue data, but don't send. */
2547 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2548 break;
2549 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2550 BT_DBG("Enter LOCAL_BUSY");
2551 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2552
2553 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2554 /* The SREJ_SENT state must be aborted if we are to
2555 * enter the LOCAL_BUSY state.
2556 */
2557 l2cap_abort_rx_srej_sent(chan);
2558 }
2559
2560 l2cap_send_ack(chan);
2561
2562 break;
2563 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2564 BT_DBG("Exit LOCAL_BUSY");
2565 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2566
2567 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2568 struct l2cap_ctrl local_control;
2569 memset(&local_control, 0, sizeof(local_control));
2570 local_control.sframe = 1;
2571 local_control.super = L2CAP_SUPER_RR;
2572 local_control.poll = 1;
2573 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2574 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2575
2576 chan->retry_count = 1;
2577 __set_monitor_timer(chan);
2578 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2579 }
2580 break;
2581 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2582 l2cap_process_reqseq(chan, control->reqseq);
2583
2584 /* Fall through */
2585
2586 case L2CAP_EV_RECV_FBIT:
2587 if (control && control->final) {
2588 __clear_monitor_timer(chan);
2589 if (chan->unacked_frames > 0)
2590 __set_retrans_timer(chan);
2591 chan->retry_count = 0;
2592 chan->tx_state = L2CAP_TX_STATE_XMIT;
2593 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2594 }
2595 break;
2596 case L2CAP_EV_EXPLICIT_POLL:
2597 /* Ignore */
2598 break;
2599 case L2CAP_EV_MONITOR_TO:
2600 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2601 l2cap_send_rr_or_rnr(chan, 1);
2602 __set_monitor_timer(chan);
2603 chan->retry_count++;
2604 } else {
2605 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2606 }
2607 break;
2608 default:
2609 break;
2610 }
608bcc6d
MM		 2611}
2612
d660366d
GP		 2613static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2614 struct sk_buff_head *skbs, u8 event)
608bcc6d 2615{
608bcc6d
MM		 2616 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2617 chan, control, skbs, event, chan->tx_state);
2618
2619 switch (chan->tx_state) {
2620 case L2CAP_TX_STATE_XMIT:
d660366d 2621 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2622 break;
2623 case L2CAP_TX_STATE_WAIT_F:
d660366d 2624 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2625 break;
2626 default:
2627 /* Ignore event */
2628 break;
2629 }
608bcc6d
MM		 2630}
2631
4b51dae9
MM		 2632static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2633 struct l2cap_ctrl *control)
2634{
2635 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2636 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2637}
2638
f80842a8
MM		 2639static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2640 struct l2cap_ctrl *control)
2641{
2642 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2643 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2644}
2645
1da177e4
LT		 2646/* Copy frame to all raw sockets on that connection */
2647static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2648{
1da177e4 2649 struct sk_buff *nskb;
48454079 2650 struct l2cap_chan *chan;
1da177e4
LT		 2651
2652 BT_DBG("conn %p", conn);
2653
3df91ea2 2654 mutex_lock(&conn->chan_lock);
3d57dc68 2655
3df91ea2 2656 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2657 struct sock *sk = chan->sk;
715ec005 2658 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2659 continue;
2660
2661 /* Don't send frame to the socket it came from */
2662 if (skb->sk == sk)
2663 continue;
8bcde1f2 2664 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2665 if (!nskb)
1da177e4
LT		 2666 continue;
2667
80b98027 2668 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2669 kfree_skb(nskb);
2670 }
3d57dc68 2671
3df91ea2 2672 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2673}
2674
2675/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2676static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2677 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2678{
2679 struct sk_buff *skb, **frag;
2680 struct l2cap_cmd_hdr *cmd;
2681 struct l2cap_hdr *lh;
2682 int len, count;
2683
b4400672
AE		 2684 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2685 conn, code, ident, dlen);
1da177e4
LT		 2686
2687 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2688 count = min_t(unsigned int, conn->mtu, len);
2689
8bcde1f2 2690 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2691 if (!skb)
2692 return NULL;
2693
2694 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2695 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2696
2697 if (conn->hcon->type == LE_LINK)
ac73498c 2698 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2699 else
ac73498c 2700 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2701
2702 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2703 cmd->code = code;
2704 cmd->ident = ident;
aca3192c 2705 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2706
2707 if (dlen) {
2708 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2709 memcpy(skb_put(skb, count), data, count);
2710 data += count;
2711 }
2712
2713 len -= skb->len;
2714
2715 /* Continuation fragments (no L2CAP header) */
2716 frag = &skb_shinfo(skb)->frag_list;
2717 while (len) {
2718 count = min_t(unsigned int, conn->mtu, len);
2719
8bcde1f2 2720 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2721 if (!*frag)
2722 goto fail;
2723
2724 memcpy(skb_put(*frag, count), data, count);
2725
2726 len -= count;
2727 data += count;
2728
2729 frag = &(*frag)->next;
2730 }
2731
2732 return skb;
2733
2734fail:
2735 kfree_skb(skb);
2736 return NULL;
2737}
2738
2d792818
GP		 2739static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2740 unsigned long *val)
1da177e4
LT		 2741{
2742 struct l2cap_conf_opt *opt = *ptr;
2743 int len;
2744
2745 len = L2CAP_CONF_OPT_SIZE + opt->len;
2746 *ptr += len;
2747
2748 *type = opt->type;
2749 *olen = opt->len;
2750
2751 switch (opt->len) {
2752 case 1:
2753 *val = *((u8 *) opt->val);
2754 break;
2755
2756 case 2:
bfaaeb3e 2757 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2758 break;
2759
2760 case 4:
bfaaeb3e 2761 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2762 break;
2763
2764 default:
2765 *val = (unsigned long) opt->val;
2766 break;
2767 }
2768
b4400672 2769 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2770 return len;
2771}
2772
1da177e4
LT		 2773static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2774{
2775 struct l2cap_conf_opt *opt = *ptr;
2776
b4400672 2777 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2778
2779 opt->type = type;
2780 opt->len = len;
2781
2782 switch (len) {
2783 case 1:
2784 *((u8 *) opt->val) = val;
2785 break;
2786
2787 case 2:
4f8b691c 2788 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2789 break;
2790
2791 case 4:
4f8b691c 2792 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2793 break;
2794
2795 default:
2796 memcpy(opt->val, (void *) val, len);
2797 break;
2798 }
2799
2800 *ptr += L2CAP_CONF_OPT_SIZE + len;
2801}
2802
f89cef09
AE		 2803static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2804{
2805 struct l2cap_conf_efs efs;
2806
1ec918ce 2807 switch (chan->mode) {
f89cef09
AE		 2808 case L2CAP_MODE_ERTM:
2809 efs.id = chan->local_id;
2810 efs.stype = chan->local_stype;
2811 efs.msdu = cpu_to_le16(chan->local_msdu);
2812 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2813 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2814 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2815 break;
2816
2817 case L2CAP_MODE_STREAMING:
2818 efs.id = 1;
2819 efs.stype = L2CAP_SERV_BESTEFFORT;
2820 efs.msdu = cpu_to_le16(chan->local_msdu);
2821 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2822 efs.acc_lat = 0;
2823 efs.flush_to = 0;
2824 break;
2825
2826 default:
2827 return;
2828 }
2829
2830 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2831 (unsigned long) &efs);
f89cef09
AE		 2832}
2833
721c4181 2834static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2835{
721c4181 2836 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2837 ack_timer.work);
2838 u16 frames_to_ack;
c1b4f43b 2839
2fb9b3d4
GP		 2840 BT_DBG("chan %p", chan);
2841
6be36555
AE		 2842 l2cap_chan_lock(chan);
2843
0362520b
MM		 2844 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2845 chan->last_acked_seq);
6be36555 2846
0362520b
MM		 2847 if (frames_to_ack)
2848 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2849
0362520b 2850 l2cap_chan_unlock(chan);
09bfb2ee 2851 l2cap_chan_put(chan);
c1b4f43b
GP		 2852}
2853
466f8004 2854int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2855{
3c588192
MM		 2856 int err;
2857
105bdf9e
MM		 2858 chan->next_tx_seq = 0;
2859 chan->expected_tx_seq = 0;
42e5c802 2860 chan->expected_ack_seq = 0;
6a026610 2861 chan->unacked_frames = 0;
42e5c802 2862 chan->buffer_seq = 0;
6a026610 2863 chan->frames_sent = 0;
105bdf9e
MM		 2864 chan->last_acked_seq = 0;
2865 chan->sdu = NULL;
2866 chan->sdu_last_frag = NULL;
2867 chan->sdu_len = 0;
2868
d34c34fb
MM		 2869 skb_queue_head_init(&chan->tx_q);
2870
08333283
MM		 2871 chan->local_amp_id = 0;
2872 chan->move_id = 0;
2873 chan->move_state = L2CAP_MOVE_STABLE;
2874 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2875
105bdf9e
MM		 2876 if (chan->mode != L2CAP_MODE_ERTM)
2877 return 0;
2878
2879 chan->rx_state = L2CAP_RX_STATE_RECV;
2880 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2881
721c4181
GP		 2882 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2883 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2884 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2885
f1c6775b 2886 skb_queue_head_init(&chan->srej_q);
1890d36b 2887
3c588192
MM		 2888 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2889 if (err < 0)
2890 return err;
2891
9dc9affc
MM		 2892 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2893 if (err < 0)
2894 l2cap_seq_list_free(&chan->srej_list);
2895
2896 return err;
0565c1c2
GP		 2897}
2898
f2fcfcd6
GP		 2899static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2900{
2901 switch (mode) {
2902 case L2CAP_MODE_STREAMING:
2903 case L2CAP_MODE_ERTM:
2904 if (l2cap_mode_supported(mode, remote_feat_mask))
2905 return mode;
2906 /* fall through */
2907 default:
2908 return L2CAP_MODE_BASIC;
2909 }
2910}
2911
6327eb98
AE		 2912static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2913{
2914 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2915}
2916
f89cef09
AE		 2917static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2918{
2919 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2920}
2921
6327eb98
AE		 2922static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2923{
2924 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 2925 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2926 /* use extended control field */
2927 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2928 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2929 } else {
6327eb98 2930 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 2931 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2932 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2933 }
c20f8e35 2934 chan->ack_win = chan->tx_win;
6327eb98
AE		 2935}
2936
710f9b0a 2937static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2938{
1da177e4 2939 struct l2cap_conf_req *req = data;
0c1bc5c6 2940 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2941 void *ptr = req->data;
c8f79162 2942 u16 size;
1da177e4 2943
49208c9c 2944 BT_DBG("chan %p", chan);
1da177e4 2945
73ffa904 2946 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2947 goto done;
2948
0c1bc5c6 2949 switch (chan->mode) {
f2fcfcd6
GP		 2950 case L2CAP_MODE_STREAMING:
2951 case L2CAP_MODE_ERTM:
c1360a1c 2952 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2953 break;
85eb53c6 2954
f89cef09
AE		 2955 if (__l2cap_efs_supported(chan))
2956 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2957
2ba13ed6 2958 /* fall through */
f2fcfcd6 2959 default:
8c1d787b 2960 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2961 break;
2962 }
2963
2964done:
0c1bc5c6
GP		 2965 if (chan->imtu != L2CAP_DEFAULT_MTU)
2966 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2967
0c1bc5c6 2968 switch (chan->mode) {
65c7c491 2969 case L2CAP_MODE_BASIC:
8c1d787b 2970 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 2971 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2972 break;
2973
62547752
GP		 2974 rfc.mode = L2CAP_MODE_BASIC;
2975 rfc.txwin_size = 0;
2976 rfc.max_transmit = 0;
2977 rfc.retrans_timeout = 0;
2978 rfc.monitor_timeout = 0;
2979 rfc.max_pdu_size = 0;
2980
63406504 2981 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2982 (unsigned long) &rfc);
65c7c491
MH		 2983 break;
2984
2985 case L2CAP_MODE_ERTM:
2986 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2987 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2988 rfc.retrans_timeout = 0;
2989 rfc.monitor_timeout = 0;
c8f79162
AE		 2990
2991 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2992 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2993 L2CAP_FCS_SIZE);
c8f79162 2994 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2995
6327eb98
AE		 2996 l2cap_txwin_setup(chan);
2997
2998 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 2999 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3000
63406504 3001 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3002 (unsigned long) &rfc);
63406504 3003
f89cef09
AE		 3004 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3005 l2cap_add_opt_efs(&ptr, chan);
3006
8c1d787b 3007 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3008 break;
3009
47d1ec61 3010 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3011 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3012 chan->fcs = L2CAP_FCS_NONE;
3013 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3014 }
6327eb98
AE		 3015
3016 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3017 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3018 chan->tx_win);
f2fcfcd6
GP		 3019 break;
3020
3021 case L2CAP_MODE_STREAMING:
273759e2 3022 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3023 rfc.mode = L2CAP_MODE_STREAMING;
3024 rfc.txwin_size = 0;
3025 rfc.max_transmit = 0;
3026 rfc.retrans_timeout = 0;
3027 rfc.monitor_timeout = 0;
c8f79162
AE		 3028
3029 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3030 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3031 L2CAP_FCS_SIZE);
c8f79162 3032 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3033
63406504 3034 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3035 (unsigned long) &rfc);
63406504 3036
f89cef09
AE		 3037 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3038 l2cap_add_opt_efs(&ptr, chan);
3039
8c1d787b 3040 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3041 break;
3042
47d1ec61 3043 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3044 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3045 chan->fcs = L2CAP_FCS_NONE;
3046 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3047 }
65c7c491
MH		 3048 break;
3049 }
1da177e4 3050
fe4128e0 3051 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3052 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3053
3054 return ptr - data;
3055}
3056
73ffa904 3057static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3058{
5dee9e7c
MH		 3059 struct l2cap_conf_rsp *rsp = data;
3060 void *ptr = rsp->data;
73ffa904
GP		 3061 void *req = chan->conf_req;
3062 int len = chan->conf_len;
5dee9e7c
MH		 3063 int type, hint, olen;
3064 unsigned long val;
6464f35f 3065 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3066 struct l2cap_conf_efs efs;
3067 u8 remote_efs = 0;
861d6882 3068 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3069 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3070 u16 size;
1da177e4 3071
73ffa904 3072 BT_DBG("chan %p", chan);
820ae1b8 3073
5dee9e7c
MH		 3074 while (len >= L2CAP_CONF_OPT_SIZE) {
3075 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3076
589d2746 3077 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3078 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3079
3080 switch (type) {
3081 case L2CAP_CONF_MTU:
861d6882 3082 mtu = val;
5dee9e7c
MH		 3083 break;
3084
3085 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3086 chan->flush_to = val;
5dee9e7c
MH		 3087 break;
3088
3089 case L2CAP_CONF_QOS:
3090 break;
3091
6464f35f
MH		 3092 case L2CAP_CONF_RFC:
3093 if (olen == sizeof(rfc))
3094 memcpy(&rfc, (void *) val, olen);
3095 break;
3096
fcc203c3
GP		 3097 case L2CAP_CONF_FCS:
3098 if (val == L2CAP_FCS_NONE)
c1360a1c 3099 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3100 break;
fcc203c3 3101
42dceae2
AE		 3102 case L2CAP_CONF_EFS:
3103 remote_efs = 1;
3104 if (olen == sizeof(efs))
3105 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3106 break;
3107
6327eb98
AE		 3108 case L2CAP_CONF_EWS:
3109 if (!enable_hs)
3110 return -ECONNREFUSED;
fcc203c3 3111
6327eb98
AE		 3112 set_bit(FLAG_EXT_CTRL, &chan->flags);
3113 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3114 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3115 chan->remote_tx_win = val;
fcc203c3
GP		 3116 break;
3117
5dee9e7c
MH		 3118 default:
3119 if (hint)
3120 break;
3121
3122 result = L2CAP_CONF_UNKNOWN;
3123 *((u8 *) ptr++) = type;
3124 break;
3125 }
3126 }
3127
73ffa904 3128 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3129 goto done;
3130
0c1bc5c6 3131 switch (chan->mode) {
f2fcfcd6
GP		 3132 case L2CAP_MODE_STREAMING:
3133 case L2CAP_MODE_ERTM:
c1360a1c 3134 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3135 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3136 chan->conn->feat_mask);
85eb53c6
GP		 3137 break;
3138 }
3139
42dceae2
AE		 3140 if (remote_efs) {
3141 if (__l2cap_efs_supported(chan))
3142 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3143 else
3144 return -ECONNREFUSED;
3145 }
3146
0c1bc5c6 3147 if (chan->mode != rfc.mode)
f2fcfcd6 3148 return -ECONNREFUSED;
742e519b 3149
f2fcfcd6 3150 break;
f2fcfcd6
GP		 3151 }
3152
3153done:
0c1bc5c6 3154 if (chan->mode != rfc.mode) {
f2fcfcd6 3155 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3156 rfc.mode = chan->mode;
f2fcfcd6 3157
73ffa904 3158 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3159 return -ECONNREFUSED;
3160
2d792818
GP		 3161 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3162 (unsigned long) &rfc);
f2fcfcd6
GP		 3163 }
3164
5dee9e7c
MH		 3165 if (result == L2CAP_CONF_SUCCESS) {
3166 /* Configure output options and let the other side know
3167 * which ones we don't like. */
3168
f2fcfcd6
GP		 3169 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3170 result = L2CAP_CONF_UNACCEPT;
3171 else {
0c1bc5c6 3172 chan->omtu = mtu;
c1360a1c 3173 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3174 }
0c1bc5c6 3175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3176
42dceae2
AE		 3177 if (remote_efs) {
3178 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3179 efs.stype != L2CAP_SERV_NOTRAFIC &&
3180 efs.stype != chan->local_stype) {
42dceae2
AE		 3181
3182 result = L2CAP_CONF_UNACCEPT;
3183
3184 if (chan->num_conf_req >= 1)
3185 return -ECONNREFUSED;
3186
3187 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3188 sizeof(efs),
3189 (unsigned long) &efs);
0e8b207e 3190 } else {
3e6b3b95 3191 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3192 result = L2CAP_CONF_PENDING;
3193 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3194 }
3195 }
3196
f2fcfcd6
GP		 3197 switch (rfc.mode) {
3198 case L2CAP_MODE_BASIC:
47d1ec61 3199 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3200 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3201 break;
3202
3203 case L2CAP_MODE_ERTM:
6327eb98
AE		 3204 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3205 chan->remote_tx_win = rfc.txwin_size;
3206 else
3207 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3208
2c03a7a4 3209 chan->remote_max_tx = rfc.max_transmit;
1c762159 3210
c8f79162 3211 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3212 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3213 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3214 rfc.max_pdu_size = cpu_to_le16(size);
3215 chan->remote_mps = size;
f2fcfcd6 3216
10467e9e 3217 rfc.retrans_timeout =
4fd21a88 3218 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3219 rfc.monitor_timeout =
4fd21a88 3220 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3221
c1360a1c 3222 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3223
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3225 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3226
42dceae2
AE		 3227 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3228 chan->remote_id = efs.id;
3229 chan->remote_stype = efs.stype;
3230 chan->remote_msdu = le16_to_cpu(efs.msdu);
3231 chan->remote_flush_to =
2d792818 3232 le32_to_cpu(efs.flush_to);
42dceae2 3233 chan->remote_acc_lat =
2d792818 3234 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3235 chan->remote_sdu_itime =
3236 le32_to_cpu(efs.sdu_itime);
3237 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3238 sizeof(efs),
3239 (unsigned long) &efs);
42dceae2 3240 }
f2fcfcd6
GP		 3241 break;
3242
3243 case L2CAP_MODE_STREAMING:
c8f79162 3244 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3245 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3246 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3247 rfc.max_pdu_size = cpu_to_le16(size);
3248 chan->remote_mps = size;
f2fcfcd6 3249
c1360a1c 3250 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3251
2d792818
GP		 3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3253 (unsigned long) &rfc);
68ae6639 3254
f2fcfcd6
GP		 3255 break;
3256
3257 default:
5dee9e7c 3258 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3259
6464f35f 3260 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3261 rfc.mode = chan->mode;
f2fcfcd6 3262 }
6464f35f 3263
f2fcfcd6 3264 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3265 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3266 }
fe4128e0 3267 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3268 rsp->result = cpu_to_le16(result);
59e54bd1 3269 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3270
3271 return ptr - data;
1da177e4
LT		 3272}
3273
2d792818
GP		 3274static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3275 void *data, u16 *result)
f2fcfcd6 3276{
f2fcfcd6
GP		 3277 struct l2cap_conf_req *req = data;
3278 void *ptr = req->data;
3279 int type, olen;
3280 unsigned long val;
36e999a8 3281 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3282 struct l2cap_conf_efs efs;
f2fcfcd6 3283
fe4128e0 3284 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3285
3286 while (len >= L2CAP_CONF_OPT_SIZE) {
3287 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3288
3289 switch (type) {
3290 case L2CAP_CONF_MTU:
3291 if (val < L2CAP_DEFAULT_MIN_MTU) {
3292 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3293 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3294 } else
0c1bc5c6
GP		 3295 chan->imtu = val;
3296 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3297 break;
3298
3299 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3300 chan->flush_to = val;
f2fcfcd6 3301 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3302 2, chan->flush_to);
f2fcfcd6
GP		 3303 break;
3304
3305 case L2CAP_CONF_RFC:
3306 if (olen == sizeof(rfc))
3307 memcpy(&rfc, (void *)val, olen);
3308
c1360a1c 3309 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3310 rfc.mode != chan->mode)
f2fcfcd6
GP		 3311 return -ECONNREFUSED;
3312
47d1ec61 3313 chan->fcs = 0;
f2fcfcd6
GP		 3314
3315 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3316 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3317 break;
6327eb98
AE		 3318
3319 case L2CAP_CONF_EWS:
c20f8e35 3320 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3321 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3322 chan->tx_win);
6327eb98 3323 break;
66af7aaf
AE		 3324
3325 case L2CAP_CONF_EFS:
3326 if (olen == sizeof(efs))
3327 memcpy(&efs, (void *)val, olen);
3328
3329 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3330 efs.stype != L2CAP_SERV_NOTRAFIC &&
3331 efs.stype != chan->local_stype)
66af7aaf
AE		 3332 return -ECONNREFUSED;
3333
2d792818
GP		 3334 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3335 (unsigned long) &efs);
66af7aaf 3336 break;
f2fcfcd6
GP		 3337 }
3338 }
3339
0c1bc5c6 3340 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3341 return -ECONNREFUSED;
3342
0c1bc5c6 3343 chan->mode = rfc.mode;
6c2ea7a8 3344
0e8b207e 3345 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3346 switch (rfc.mode) {
3347 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3348 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3349 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3350 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3351 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3352 chan->ack_win = min_t(u16, chan->ack_win,
3353 rfc.txwin_size);
66af7aaf
AE		 3354
3355 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3356 chan->local_msdu = le16_to_cpu(efs.msdu);
3357 chan->local_sdu_itime =
2d792818 3358 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3359 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3360 chan->local_flush_to =
2d792818 3361 le32_to_cpu(efs.flush_to);
66af7aaf 3362 }
f2fcfcd6 3363 break;
66af7aaf 3364
f2fcfcd6 3365 case L2CAP_MODE_STREAMING:
47d1ec61 3366 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3367 }
3368 }
3369
fe4128e0 3370 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3371 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3372
3373 return ptr - data;
3374}
3375
2d792818
GP		 3376static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3377 u16 result, u16 flags)
1da177e4
LT		 3378{
3379 struct l2cap_conf_rsp *rsp = data;
3380 void *ptr = rsp->data;
1da177e4 3381
fe4128e0 3382 BT_DBG("chan %p", chan);
1da177e4 3383
fe4128e0 3384 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3385 rsp->result = cpu_to_le16(result);
aca3192c 3386 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3387
3388 return ptr - data;
3389}
3390
8c1d787b 3391void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3392{
3393 struct l2cap_conn_rsp rsp;
8c1d787b 3394 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3395 u8 buf[128];
3396
fe4128e0
GP		 3397 rsp.scid = cpu_to_le16(chan->dcid);
3398 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3399 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3400 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3401 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3402
c1360a1c 3403 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3404 return;
3405
710f9b0a 3406 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3407 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3408 chan->num_conf_req++;
3409}
3410
47d1ec61 3411static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3412{
7b1c0049
GP		 3413 int type, olen;
3414 unsigned long val;
c20f8e35
MM		 3415 /* Use sane default values in case a misbehaving remote device
3416 * did not send an RFC or extended window size option.
3417 */
3418 u16 txwin_ext = chan->ack_win;
3419 struct l2cap_conf_rfc rfc = {
3420 .mode = chan->mode,
3421 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3422 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3423 .max_pdu_size = cpu_to_le16(chan->imtu),
3424 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3425 };
7b1c0049 3426
47d1ec61 3427 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3428
0c1bc5c6 3429 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3430 return;
3431
3432 while (len >= L2CAP_CONF_OPT_SIZE) {
3433 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3434
c20f8e35
MM		 3435 switch (type) {
3436 case L2CAP_CONF_RFC:
3437 if (olen == sizeof(rfc))
3438 memcpy(&rfc, (void *)val, olen);
8f321f85 3439 break;
c20f8e35
MM		 3440 case L2CAP_CONF_EWS:
3441 txwin_ext = val;
3442 break;
3443 }
7b1c0049
GP		 3444 }
3445
7b1c0049
GP		 3446 switch (rfc.mode) {
3447 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3448 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3449 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3450 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3451 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3452 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3453 else
3454 chan->ack_win = min_t(u16, chan->ack_win,
3455 rfc.txwin_size);
7b1c0049
GP		 3456 break;
3457 case L2CAP_MODE_STREAMING:
47d1ec61 3458 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3459 }
3460}
3461
2d792818
GP		 3462static inline int l2cap_command_rej(struct l2cap_conn *conn,
3463 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3464{
e2fd318e 3465 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3466
e2fd318e 3467 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3468 return 0;
3469
3470 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3471 cmd->ident == conn->info_ident) {
17cd3f37 3472 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3473
3474 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3475 conn->info_ident = 0;
984947dc 3476
4e8402a3
MH		 3477 l2cap_conn_start(conn);
3478 }
3479
3480 return 0;
3481}
3482
1700915f
MM		 3483static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3484 struct l2cap_cmd_hdr *cmd,
3485 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3486{
1da177e4
LT		 3487 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3488 struct l2cap_conn_rsp rsp;
23691d75 3489 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3490 struct sock *parent, *sk = NULL;
e7c29cb1 3491 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3492
3493 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3494 __le16 psm = req->psm;
1da177e4 3495
097db76c 3496 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3497
3498 /* Check if we have socket listening on psm */
c2287681 3499 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3500 if (!pchan) {
1da177e4
LT		 3501 result = L2CAP_CR_BAD_PSM;
3502 goto sendresp;
3503 }
3504
23691d75
GP		 3505 parent = pchan->sk;
3506
3df91ea2 3507 mutex_lock(&conn->chan_lock);
aa2ac881 3508 lock_sock(parent);
e0f0cb56 3509
e7c29cb1 3510 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3511 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3512 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3513 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3514 result = L2CAP_CR_SEC_BLOCK;
3515 goto response;
3516 }
3517
1da177e4
LT		 3518 result = L2CAP_CR_NO_MEM;
3519
2dfa1003
GP		 3520 /* Check if we already have channel with that dcid */
3521 if (__l2cap_get_chan_by_dcid(conn, scid))
3522 goto response;
3523
80b98027 3524 chan = pchan->ops->new_connection(pchan);
80808e43 3525 if (!chan)
1da177e4
LT		 3526 goto response;
3527
80808e43
GP		 3528 sk = chan->sk;
3529
1da177e4
LT		 3530 hci_conn_hold(conn->hcon);
3531
1da177e4
LT		 3532 bacpy(&bt_sk(sk)->src, conn->src);
3533 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3534 chan->psm = psm;
3535 chan->dcid = scid;
1700915f 3536 chan->local_amp_id = amp_id;
1da177e4 3537
6be36555 3538 __l2cap_chan_add(conn, chan);
48454079 3539
fe4128e0 3540 dcid = chan->scid;
1da177e4 3541
c9b66675 3542 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3543
fc7f8a7e 3544 chan->ident = cmd->ident;
1da177e4 3545
984947dc 3546 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3547 if (l2cap_chan_check_security(chan)) {
c5daa683 3548 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3549 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3550 result = L2CAP_CR_PEND;
3551 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3552 chan->ops->defer(chan);
f66dc81f 3553 } else {
1700915f
MM		 3554 /* Force pending result for AMP controllers.
3555 * The connection will succeed after the
3556 * physical link is up.
3557 */
3558 if (amp_id) {
3559 __l2cap_state_change(chan, BT_CONNECT2);
3560 result = L2CAP_CR_PEND;
3561 } else {
3562 __l2cap_state_change(chan, BT_CONFIG);
3563 result = L2CAP_CR_SUCCESS;
3564 }
f66dc81f
MH		 3565 status = L2CAP_CS_NO_INFO;
3566 }
79d554a6 3567 } else {
0e587be7 3568 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3569 result = L2CAP_CR_PEND;
3570 status = L2CAP_CS_AUTHEN_PEND;
3571 }
3572 } else {
0e587be7 3573 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3574 result = L2CAP_CR_PEND;
3575 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3576 }
3577
1da177e4 3578response:
aa2ac881 3579 release_sock(parent);
3df91ea2 3580 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3581
3582sendresp:
aca3192c
YH		 3583 rsp.scid = cpu_to_le16(scid);
3584 rsp.dcid = cpu_to_le16(dcid);
3585 rsp.result = cpu_to_le16(result);
3586 rsp.status = cpu_to_le16(status);
4c89b6aa 3587 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3588
3589 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3590 struct l2cap_info_req info;
ac73498c 3591 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3592
3593 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3594 conn->info_ident = l2cap_get_ident(conn);
3595
ba13ccd9 3596 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3597
2d792818
GP		 3598 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3599 sizeof(info), &info);
79d554a6
MH		 3600 }
3601
c1360a1c 3602 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3603 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3604 u8 buf[128];
c1360a1c 3605 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3606 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3607 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3608 chan->num_conf_req++;
e9aeb2dd 3609 }
1700915f
MM		 3610
3611 return chan;
4c89b6aa 3612}
e9aeb2dd 3613
4c89b6aa
MM		 3614static int l2cap_connect_req(struct l2cap_conn *conn,
3615 struct l2cap_cmd_hdr *cmd, u8 *data)
3616{
300229f9 3617 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3618 return 0;
3619}
3620
5909cf30 3621static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3622 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3623{
3624 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3625 u16 scid, dcid, result, status;
48454079 3626 struct l2cap_chan *chan;
1da177e4 3627 u8 req[128];
3df91ea2 3628 int err;
1da177e4
LT		 3629
3630 scid = __le16_to_cpu(rsp->scid);
3631 dcid = __le16_to_cpu(rsp->dcid);
3632 result = __le16_to_cpu(rsp->result);
3633 status = __le16_to_cpu(rsp->status);
3634
1b009c98 3635 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3636 dcid, scid, result, status);
1da177e4 3637
3df91ea2
AE		 3638 mutex_lock(&conn->chan_lock);
3639
1da177e4 3640 if (scid) {
3df91ea2
AE		 3641 chan = __l2cap_get_chan_by_scid(conn, scid);
3642 if (!chan) {
3643 err = -EFAULT;
3644 goto unlock;
3645 }
1da177e4 3646 } else {
3df91ea2
AE		 3647 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3648 if (!chan) {
3649 err = -EFAULT;
3650 goto unlock;
3651 }
1da177e4
LT		 3652 }
3653
3df91ea2
AE		 3654 err = 0;
3655
6be36555 3656 l2cap_chan_lock(chan);
48454079 3657
1da177e4
LT		 3658 switch (result) {
3659 case L2CAP_CR_SUCCESS:
89bc500e 3660 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3661 chan->ident = 0;
fe4128e0 3662 chan->dcid = dcid;
c1360a1c 3663 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3664
c1360a1c 3665 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3666 break;
3667
1da177e4 3668 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3669 l2cap_build_conf_req(chan, req), req);
73ffa904 3670 chan->num_conf_req++;
1da177e4
LT		 3671 break;
3672
3673 case L2CAP_CR_PEND:
c1360a1c 3674 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3675 break;
3676
3677 default:
48454079 3678 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3679 break;
3680 }
3681
6be36555 3682 l2cap_chan_unlock(chan);
3df91ea2
AE		 3683
3684unlock:
3685 mutex_unlock(&conn->chan_lock);
3686
3687 return err;
1da177e4
LT		 3688}
3689
47d1ec61 3690static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3691{
3692 /* FCS is enabled only in ERTM or streaming mode, if one or both
3693 * sides request it.
3694 */
0c1bc5c6 3695 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3696 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3697 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3698 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3699}
3700
29d8a590
AE		 3701static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3702 u8 ident, u16 flags)
3703{
3704 struct l2cap_conn *conn = chan->conn;
3705
3706 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3707 flags);
3708
3709 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3710 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3711
3712 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3713 l2cap_build_conf_rsp(chan, data,
3714 L2CAP_CONF_SUCCESS, flags), data);
3715}
3716
2d792818
GP		 3717static inline int l2cap_config_req(struct l2cap_conn *conn,
3718 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3719 u8 *data)
1da177e4
LT		 3720{
3721 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3722 u16 dcid, flags;
3723 u8 rsp[64];
48454079 3724 struct l2cap_chan *chan;
3c588192 3725 int len, err = 0;
1da177e4
LT		 3726
3727 dcid = __le16_to_cpu(req->dcid);
3728 flags = __le16_to_cpu(req->flags);
3729
3730 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3731
baa7e1fa 3732 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3733 if (!chan)
1da177e4
LT		 3734 return -ENOENT;
3735
033b1142 3736 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3737 struct l2cap_cmd_rej_cid rej;
3738
ac73498c 3739 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3740 rej.scid = cpu_to_le16(chan->scid);
3741 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3742
df6bd743 3743 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3744 sizeof(rej), &rej);
354f60a9 3745 goto unlock;
df6bd743 3746 }
354f60a9 3747
5dee9e7c 3748 /* Reject if config buffer is too small. */
88219a0f 3749 len = cmd_len - sizeof(*req);
7ac28817 3750 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3751 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3752 l2cap_build_conf_rsp(chan, rsp,
3753 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3754 goto unlock;
3755 }
3756
3757 /* Store config. */
73ffa904
GP		 3758 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3759 chan->conf_len += len;
1da177e4 3760
59e54bd1 3761 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3762 /* Incomplete config. Send empty response. */
3763 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3764 l2cap_build_conf_rsp(chan, rsp,
3765 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3766 goto unlock;
3767 }
3768
3769 /* Complete config. */
73ffa904 3770 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3771 if (len < 0) {
e92c8e70 3772 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3773 goto unlock;
f2fcfcd6 3774 }
1da177e4 3775
5dee9e7c 3776 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3777 chan->num_conf_rsp++;
5dee9e7c 3778
5dee9e7c 3779 /* Reset config buffer. */
73ffa904 3780 chan->conf_len = 0;
5dee9e7c 3781
c1360a1c 3782 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3783 goto unlock;
3784
c1360a1c 3785 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3786 set_default_fcs(chan);
fcc203c3 3787
105bdf9e
MM		 3788 if (chan->mode == L2CAP_MODE_ERTM ||
3789 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3790 err = l2cap_ertm_init(chan);
3791
3792 if (err < 0)
3793 l2cap_send_disconn_req(chan->conn, chan, -err);
3794 else
3795 l2cap_chan_ready(chan);
0565c1c2 3796
876d9484
MH		 3797 goto unlock;
3798 }
3799
c1360a1c 3800 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3801 u8 buf[64];
1da177e4 3802 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3803 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3804 chan->num_conf_req++;
1da177e4
LT		 3805 }
3806
0e8b207e
AE		 3807 /* Got Conf Rsp PENDING from remote side and asume we sent
3808 Conf Rsp PENDING in the code above */
3809 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3810 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3811
3812 /* check compatibility */
3813
79de886d
AE		 3814 /* Send rsp for BR/EDR channel */
3815 if (!chan->ctrl_id)
3816 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3817 else
3818 chan->ident = cmd->ident;
0e8b207e
AE		 3819 }
3820
1da177e4 3821unlock:
6be36555 3822 l2cap_chan_unlock(chan);
3c588192 3823 return err;
1da177e4
LT		 3824}
3825
2d792818
GP		 3826static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3827 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3828{
3829 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3830 u16 scid, flags, result;
48454079 3831 struct l2cap_chan *chan;
61386cba 3832 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3833 int err = 0;
1da177e4
LT		 3834
3835 scid = __le16_to_cpu(rsp->scid);
3836 flags = __le16_to_cpu(rsp->flags);
3837 result = __le16_to_cpu(rsp->result);
3838
61386cba
AE		 3839 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3840 result, len);
1da177e4 3841
baa7e1fa 3842 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3843 if (!chan)
1da177e4
LT		 3844 return 0;
3845
3846 switch (result) {
3847 case L2CAP_CONF_SUCCESS:
47d1ec61 3848 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3849 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3850 break;
3851
0e8b207e
AE		 3852 case L2CAP_CONF_PENDING:
3853 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3854
3855 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3856 char buf[64];
3857
3858 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3859 buf, &result);
0e8b207e
AE		 3860 if (len < 0) {
3861 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3862 goto done;
3863 }
3864
3865 /* check compatibility */
3866
79de886d
AE		 3867 if (!chan->ctrl_id)
3868 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3869 0);
3870 else
3871 chan->ident = cmd->ident;
0e8b207e
AE		 3872 }
3873 goto done;
3874
1da177e4 3875 case L2CAP_CONF_UNACCEPT:
73ffa904 3876 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3877 char req[64];
3878
c2c77ec8 3879 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3880 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3881 goto done;
3882 }
3883
f2fcfcd6
GP		 3884 /* throw out any old stored conf requests */
3885 result = L2CAP_CONF_SUCCESS;
b4450035 3886 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3887 req, &result);
f2fcfcd6 3888 if (len < 0) {
e92c8e70 3889 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3890 goto done;
3891 }
3892
3893 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3894 L2CAP_CONF_REQ, len, req);
73ffa904 3895 chan->num_conf_req++;
f2fcfcd6
GP		 3896 if (result != L2CAP_CONF_SUCCESS)
3897 goto done;
3898 break;
1da177e4
LT		 3899 }
3900
8e87d142 3901 default:
6be36555 3902 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3903
ba13ccd9 3904 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3905 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3906 goto done;
3907 }
3908
59e54bd1 3909 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3910 goto done;
3911
c1360a1c 3912 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3913
c1360a1c 3914 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3915 set_default_fcs(chan);
fcc203c3 3916
105bdf9e
MM		 3917 if (chan->mode == L2CAP_MODE_ERTM ||
3918 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3919 err = l2cap_ertm_init(chan);
0565c1c2 3920
3c588192
MM		 3921 if (err < 0)
3922 l2cap_send_disconn_req(chan->conn, chan, -err);
3923 else
3924 l2cap_chan_ready(chan);
1da177e4
LT		 3925 }
3926
3927done:
6be36555 3928 l2cap_chan_unlock(chan);
3c588192 3929 return err;
1da177e4
LT		 3930}
3931
2d792818
GP		 3932static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3933 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3934{
3935 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3936 struct l2cap_disconn_rsp rsp;
3937 u16 dcid, scid;
48454079 3938 struct l2cap_chan *chan;
1da177e4
LT		 3939 struct sock *sk;
3940
3941 scid = __le16_to_cpu(req->scid);
3942 dcid = __le16_to_cpu(req->dcid);
3943
3944 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3945
3df91ea2
AE		 3946 mutex_lock(&conn->chan_lock);
3947
3948 chan = __l2cap_get_chan_by_scid(conn, dcid);
3949 if (!chan) {
3950 mutex_unlock(&conn->chan_lock);
1da177e4 3951 return 0;
3df91ea2 3952 }
1da177e4 3953
6be36555
AE		 3954 l2cap_chan_lock(chan);
3955
48454079
GP		 3956 sk = chan->sk;
3957
fe4128e0
GP		 3958 rsp.dcid = cpu_to_le16(chan->scid);
3959 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3960 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3961
6be36555 3962 lock_sock(sk);
1da177e4 3963 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3964 release_sock(sk);
1da177e4 3965
61d6ef3e 3966 l2cap_chan_hold(chan);
48454079 3967 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3968
3969 l2cap_chan_unlock(chan);
1da177e4 3970
80b98027 3971 chan->ops->close(chan);
61d6ef3e 3972 l2cap_chan_put(chan);
3df91ea2
AE		 3973
3974 mutex_unlock(&conn->chan_lock);
3975
1da177e4
LT		 3976 return 0;
3977}
3978
2d792818
GP		 3979static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3980 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3981{
3982 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3983 u16 dcid, scid;
48454079 3984 struct l2cap_chan *chan;
1da177e4
LT		 3985
3986 scid = __le16_to_cpu(rsp->scid);
3987 dcid = __le16_to_cpu(rsp->dcid);
3988
3989 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3990
3df91ea2
AE		 3991 mutex_lock(&conn->chan_lock);
3992
3993 chan = __l2cap_get_chan_by_scid(conn, scid);
3994 if (!chan) {
3995 mutex_unlock(&conn->chan_lock);
1da177e4 3996 return 0;
3df91ea2 3997 }
1da177e4 3998
6be36555 3999 l2cap_chan_lock(chan);
48454079 4000
61d6ef3e 4001 l2cap_chan_hold(chan);
48454079 4002 l2cap_chan_del(chan, 0);
6be36555
AE		 4003
4004 l2cap_chan_unlock(chan);
1da177e4 4005
80b98027 4006 chan->ops->close(chan);
61d6ef3e 4007 l2cap_chan_put(chan);
3df91ea2
AE		 4008
4009 mutex_unlock(&conn->chan_lock);
4010
1da177e4
LT		 4011 return 0;
4012}
4013
2d792818
GP		 4014static inline int l2cap_information_req(struct l2cap_conn *conn,
4015 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4016{
4017 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4018 u16 type;
4019
4020 type = __le16_to_cpu(req->type);
4021
4022 BT_DBG("type 0x%4.4x", type);
4023
f0709e03
MH		 4024 if (type == L2CAP_IT_FEAT_MASK) {
4025 u8 buf[8];
44dd46de 4026 u32 feat_mask = l2cap_feat_mask;
f0709e03 4027 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4028 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4029 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4030 if (!disable_ertm)
fcc203c3 4031 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4032 | L2CAP_FEAT_FCS;
a5fd6f30 4033 if (enable_hs)
6327eb98 4034 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4035 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4036
1b7bf4ed 4037 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4038 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4039 buf);
e1027a7c
MH		 4040 } else if (type == L2CAP_IT_FIXED_CHAN) {
4041 u8 buf[12];
4042 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4043
4044 if (enable_hs)
4045 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4046 else
4047 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4048
ac73498c
AE		 4049 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4050 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4051 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4052 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4053 buf);
f0709e03
MH		 4054 } else {
4055 struct l2cap_info_rsp rsp;
4056 rsp.type = cpu_to_le16(type);
ac73498c 4057 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4058 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4059 &rsp);
f0709e03 4060 }
1da177e4
LT		 4061
4062 return 0;
4063}
4064
2d792818
GP		 4065static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4066 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4067{
4068 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4069 u16 type, result;
4070
4071 type = __le16_to_cpu(rsp->type);
4072 result = __le16_to_cpu(rsp->result);
4073
4074 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4075
e90165be
AE		 4076 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4077 if (cmd->ident != conn->info_ident ||
2d792818 4078 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4079 return 0;
4080
17cd3f37 4081 cancel_delayed_work(&conn->info_timer);
4e8402a3 4082
adb08ede
VT		 4083 if (result != L2CAP_IR_SUCCESS) {
4084 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4085 conn->info_ident = 0;
4086
4087 l2cap_conn_start(conn);
4088
4089 return 0;
4090 }
4091
978c93b9
AE		 4092 switch (type) {
4093 case L2CAP_IT_FEAT_MASK:
83985319 4094 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4095
47ec1dcd 4096 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4097 struct l2cap_info_req req;
ac73498c 4098 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4099
4100 conn->info_ident = l2cap_get_ident(conn);
4101
4102 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4103 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4104 } else {
4105 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4106 conn->info_ident = 0;
4107
4108 l2cap_conn_start(conn);
4109 }
978c93b9
AE		 4110 break;
4111
4112 case L2CAP_IT_FIXED_CHAN:
4113 conn->fixed_chan_mask = rsp->data[0];
984947dc 4114 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4115 conn->info_ident = 0;
984947dc
MH		 4116
4117 l2cap_conn_start(conn);
978c93b9 4118 break;
984947dc 4119 }
4e8402a3 4120
1da177e4
LT		 4121 return 0;
4122}
4123
1700915f
MM		 4124static int l2cap_create_channel_req(struct l2cap_conn *conn,
4125 struct l2cap_cmd_hdr *cmd,
4126 u16 cmd_len, void *data)
f94ff6ff
MM		 4127{
4128 struct l2cap_create_chan_req *req = data;
1700915f 4129 struct l2cap_chan *chan;
f94ff6ff
MM		 4130 u16 psm, scid;
4131
4132 if (cmd_len != sizeof(*req))
4133 return -EPROTO;
4134
4135 if (!enable_hs)
4136 return -EINVAL;
4137
4138 psm = le16_to_cpu(req->psm);
4139 scid = le16_to_cpu(req->scid);
4140
ad0ac6ca 4141 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4142
1700915f
MM		 4143 if (req->amp_id) {
4144 struct hci_dev *hdev;
4145
4146 /* Validate AMP controller id */
4147 hdev = hci_dev_get(req->amp_id);
4148 if (!hdev || hdev->dev_type != HCI_AMP ||
4149 !test_bit(HCI_UP, &hdev->flags)) {
4150 struct l2cap_create_chan_rsp rsp;
4151
4152 rsp.dcid = 0;
4153 rsp.scid = cpu_to_le16(scid);
4154 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4155 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4156
4157 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4158 sizeof(rsp), &rsp);
4159
4160 if (hdev)
4161 hci_dev_put(hdev);
4162
4163 return 0;
4164 }
4165
4166 hci_dev_put(hdev);
4167 }
f94ff6ff 4168
1700915f
MM		 4169 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4170 req->amp_id);
f94ff6ff
MM		 4171
4172 return 0;
4173}
4174
8d5a04a1 4175static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4176 u16 icid, u16 result)
8d5a04a1
MM		 4177{
4178 struct l2cap_move_chan_rsp rsp;
4179
ad0ac6ca 4180 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4181
4182 rsp.icid = cpu_to_le16(icid);
4183 rsp.result = cpu_to_le16(result);
4184
4185 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4186}
4187
4188static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4189 struct l2cap_chan *chan,
4190 u16 icid, u16 result)
8d5a04a1
MM		 4191{
4192 struct l2cap_move_chan_cfm cfm;
4193 u8 ident;
4194
ad0ac6ca 4195 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4196
4197 ident = l2cap_get_ident(conn);
4198 if (chan)
4199 chan->ident = ident;
4200
4201 cfm.icid = cpu_to_le16(icid);
4202 cfm.result = cpu_to_le16(result);
4203
4204 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4205}
4206
4207static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4208 u16 icid)
8d5a04a1
MM		 4209{
4210 struct l2cap_move_chan_cfm_rsp rsp;
4211
ad0ac6ca 4212 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4213
4214 rsp.icid = cpu_to_le16(icid);
4215 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4216}
4217
5f3847a4
MM		 4218static void __release_logical_link(struct l2cap_chan *chan)
4219{
4220 chan->hs_hchan = NULL;
4221 chan->hs_hcon = NULL;
4222
4223 /* Placeholder - release the logical link */
4224}
4225
8d5a04a1 4226static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4227 struct l2cap_cmd_hdr *cmd,
4228 u16 cmd_len, void *data)
8d5a04a1
MM		 4229{
4230 struct l2cap_move_chan_req *req = data;
02b0fbb9 4231 struct l2cap_chan *chan;
8d5a04a1
MM		 4232 u16 icid = 0;
4233 u16 result = L2CAP_MR_NOT_ALLOWED;
4234
4235 if (cmd_len != sizeof(*req))
4236 return -EPROTO;
4237
4238 icid = le16_to_cpu(req->icid);
4239
ad0ac6ca 4240 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4241
4242 if (!enable_hs)
4243 return -EINVAL;
4244
02b0fbb9
MM		 4245 chan = l2cap_get_chan_by_dcid(conn, icid);
4246 if (!chan) {
4247 l2cap_send_move_chan_rsp(conn, cmd->ident, icid,
4248 L2CAP_MR_NOT_ALLOWED);
4249 return 0;
4250 }
4251
4252 if (chan->scid < L2CAP_CID_DYN_START ||
4253 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4254 (chan->mode != L2CAP_MODE_ERTM &&
4255 chan->mode != L2CAP_MODE_STREAMING)) {
4256 result = L2CAP_MR_NOT_ALLOWED;
4257 goto send_move_response;
4258 }
4259
4260 if (chan->local_amp_id == req->dest_amp_id) {
4261 result = L2CAP_MR_SAME_ID;
4262 goto send_move_response;
4263 }
4264
4265 if (req->dest_amp_id) {
4266 struct hci_dev *hdev;
4267 hdev = hci_dev_get(req->dest_amp_id);
4268 if (!hdev || hdev->dev_type != HCI_AMP ||
4269 !test_bit(HCI_UP, &hdev->flags)) {
4270 if (hdev)
4271 hci_dev_put(hdev);
4272
4273 result = L2CAP_MR_BAD_ID;
4274 goto send_move_response;
4275 }
4276 hci_dev_put(hdev);
4277 }
4278
4279 /* Detect a move collision. Only send a collision response
4280 * if this side has "lost", otherwise proceed with the move.
4281 * The winner has the larger bd_addr.
4282 */
4283 if ((__chan_is_moving(chan) ||
4284 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4285 bacmp(conn->src, conn->dst) > 0) {
4286 result = L2CAP_MR_COLLISION;
4287 goto send_move_response;
4288 }
4289
4290 chan->ident = cmd->ident;
4291 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4292 l2cap_move_setup(chan);
4293 chan->move_id = req->dest_amp_id;
4294 icid = chan->dcid;
4295
4296 if (!req->dest_amp_id) {
4297 /* Moving to BR/EDR */
4298 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4299 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4300 result = L2CAP_MR_PEND;
4301 } else {
4302 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4303 result = L2CAP_MR_SUCCESS;
4304 }
4305 } else {
4306 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4307 /* Placeholder - uncomment when amp functions are available */
4308 /*amp_accept_physical(chan, req->dest_amp_id);*/
4309 result = L2CAP_MR_PEND;
4310 }
4311
4312send_move_response:
8d5a04a1
MM		 4313 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4314
02b0fbb9
MM		 4315 l2cap_chan_unlock(chan);
4316
8d5a04a1
MM		 4317 return 0;
4318}
4319
4320static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4321 struct l2cap_cmd_hdr *cmd,
4322 u16 cmd_len, void *data)
8d5a04a1
MM		 4323{
4324 struct l2cap_move_chan_rsp *rsp = data;
4325 u16 icid, result;
4326
4327 if (cmd_len != sizeof(*rsp))
4328 return -EPROTO;
4329
4330 icid = le16_to_cpu(rsp->icid);
4331 result = le16_to_cpu(rsp->result);
4332
ad0ac6ca 4333 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4334
4335 /* Placeholder: Always unconfirmed */
4336 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4337
4338 return 0;
4339}
4340
5f3847a4
MM		 4341static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4342 struct l2cap_cmd_hdr *cmd,
4343 u16 cmd_len, void *data)
8d5a04a1
MM		 4344{
4345 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4346 struct l2cap_chan *chan;
8d5a04a1
MM		 4347 u16 icid, result;
4348
4349 if (cmd_len != sizeof(*cfm))
4350 return -EPROTO;
4351
4352 icid = le16_to_cpu(cfm->icid);
4353 result = le16_to_cpu(cfm->result);
4354
ad0ac6ca 4355 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4356
5f3847a4
MM		 4357 chan = l2cap_get_chan_by_dcid(conn, icid);
4358 if (!chan) {
4359 /* Spec requires a response even if the icid was not found */
4360 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4361 return 0;
4362 }
4363
4364 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4365 if (result == L2CAP_MC_CONFIRMED) {
4366 chan->local_amp_id = chan->move_id;
4367 if (!chan->local_amp_id)
4368 __release_logical_link(chan);
4369 } else {
4370 chan->move_id = chan->local_amp_id;
4371 }
4372
4373 l2cap_move_done(chan);
4374 }
4375
8d5a04a1
MM		 4376 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4377
5f3847a4
MM		 4378 l2cap_chan_unlock(chan);
4379
8d5a04a1
MM		 4380 return 0;
4381}
4382
4383static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4384 struct l2cap_cmd_hdr *cmd,
4385 u16 cmd_len, void *data)
8d5a04a1
MM		 4386{
4387 struct l2cap_move_chan_cfm_rsp *rsp = data;
4388 u16 icid;
4389
4390 if (cmd_len != sizeof(*rsp))
4391 return -EPROTO;
4392
4393 icid = le16_to_cpu(rsp->icid);
4394
ad0ac6ca 4395 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4396
4397 return 0;
4398}
4399
e2174ca4 4400static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4401 u16 to_multiplier)
de73115a
CT		 4402{
4403 u16 max_latency;
4404
4405 if (min > max || min < 6 || max > 3200)
4406 return -EINVAL;
4407
4408 if (to_multiplier < 10 || to_multiplier > 3200)
4409 return -EINVAL;
4410
4411 if (max >= to_multiplier * 8)
4412 return -EINVAL;
4413
4414 max_latency = (to_multiplier * 8 / max) - 1;
4415 if (latency > 499 || latency > max_latency)
4416 return -EINVAL;
4417
4418 return 0;
4419}
4420
4421static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4422 struct l2cap_cmd_hdr *cmd,
4423 u8 *data)
de73115a
CT		 4424{
4425 struct hci_conn *hcon = conn->hcon;
4426 struct l2cap_conn_param_update_req *req;
4427 struct l2cap_conn_param_update_rsp rsp;
4428 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4429 int err;
de73115a
CT		 4430
4431 if (!(hcon->link_mode & HCI_LM_MASTER))
4432 return -EINVAL;
4433
4434 cmd_len = __le16_to_cpu(cmd->len);
4435 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4436 return -EPROTO;
4437
4438 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4439 min = __le16_to_cpu(req->min);
4440 max = __le16_to_cpu(req->max);
de73115a
CT		 4441 latency = __le16_to_cpu(req->latency);
4442 to_multiplier = __le16_to_cpu(req->to_multiplier);
4443
4444 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4445 min, max, latency, to_multiplier);
de73115a
CT		 4446
4447 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4448
4449 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4450 if (err)
ac73498c 4451 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4452 else
ac73498c 4453 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4454
4455 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4456 sizeof(rsp), &rsp);
de73115a 4457
2ce603eb
CT		 4458 if (!err)
4459 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4460
de73115a
CT		 4461 return 0;
4462}
4463
3300d9a9 4464static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4465 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4466 u8 *data)
3300d9a9
CT		 4467{
4468 int err = 0;
4469
4470 switch (cmd->code) {
4471 case L2CAP_COMMAND_REJ:
4472 l2cap_command_rej(conn, cmd, data);
4473 break;
4474
4475 case L2CAP_CONN_REQ:
4476 err = l2cap_connect_req(conn, cmd, data);
4477 break;
4478
4479 case L2CAP_CONN_RSP:
f5a2598d 4480 case L2CAP_CREATE_CHAN_RSP:
5909cf30 4481 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 4482 break;
4483
4484 case L2CAP_CONF_REQ:
4485 err = l2cap_config_req(conn, cmd, cmd_len, data);
4486 break;
4487
4488 case L2CAP_CONF_RSP:
4489 err = l2cap_config_rsp(conn, cmd, data);
4490 break;
4491
4492 case L2CAP_DISCONN_REQ:
4493 err = l2cap_disconnect_req(conn, cmd, data);
4494 break;
4495
4496 case L2CAP_DISCONN_RSP:
4497 err = l2cap_disconnect_rsp(conn, cmd, data);
4498 break;
4499
4500 case L2CAP_ECHO_REQ:
4501 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4502 break;
4503
4504 case L2CAP_ECHO_RSP:
4505 break;
4506
4507 case L2CAP_INFO_REQ:
4508 err = l2cap_information_req(conn, cmd, data);
4509 break;
4510
4511 case L2CAP_INFO_RSP:
4512 err = l2cap_information_rsp(conn, cmd, data);
4513 break;
4514
f94ff6ff
MM		 4515 case L2CAP_CREATE_CHAN_REQ:
4516 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4517 break;
4518
8d5a04a1
MM		 4519 case L2CAP_MOVE_CHAN_REQ:
4520 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4521 break;
4522
4523 case L2CAP_MOVE_CHAN_RSP:
4524 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4525 break;
4526
4527 case L2CAP_MOVE_CHAN_CFM:
4528 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4529 break;
4530
4531 case L2CAP_MOVE_CHAN_CFM_RSP:
4532 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4533 break;
4534
3300d9a9
CT		 4535 default:
4536 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4537 err = -EINVAL;
4538 break;
4539 }
4540
4541 return err;
4542}
4543
4544static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 4545 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 4546{
4547 switch (cmd->code) {
4548 case L2CAP_COMMAND_REJ:
4549 return 0;
4550
4551 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4552 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4553
4554 case L2CAP_CONN_PARAM_UPDATE_RSP:
4555 return 0;
4556
4557 default:
4558 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4559 return -EINVAL;
4560 }
4561}
4562
4563static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 4564 struct sk_buff *skb)
1da177e4
LT		 4565{
4566 u8 *data = skb->data;
4567 int len = skb->len;
4568 struct l2cap_cmd_hdr cmd;
3300d9a9 4569 int err;
1da177e4
LT		 4570
4571 l2cap_raw_recv(conn, skb);
4572
4573 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4574 u16 cmd_len;
1da177e4
LT		 4575 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4576 data += L2CAP_CMD_HDR_SIZE;
4577 len -= L2CAP_CMD_HDR_SIZE;
4578
88219a0f 4579 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4580
2d792818
GP		 4581 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
4582 cmd.ident);
1da177e4 4583
88219a0f 4584 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4585 BT_DBG("corrupted command");
4586 break;
4587 }
4588
3300d9a9
CT		 4589 if (conn->hcon->type == LE_LINK)
4590 err = l2cap_le_sig_cmd(conn, &cmd, data);
4591 else
4592 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4593
4594 if (err) {
e2fd318e 4595 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4596
4597 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4598
4599 /* FIXME: Map err to a valid reason */
ac73498c 4600 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 4601 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
4602 sizeof(rej), &rej);
1da177e4
LT		 4603 }
4604
88219a0f
AV		 4605 data += cmd_len;
4606 len -= cmd_len;
1da177e4
LT		 4607 }
4608
4609 kfree_skb(skb);
4610}
4611
47d1ec61 4612static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4613{
4614 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4615 int hdr_size;
4616
4617 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4618 hdr_size = L2CAP_EXT_HDR_SIZE;
4619 else
4620 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4621
47d1ec61 4622 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4623 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4624 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4625 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4626
4627 if (our_fcs != rcv_fcs)
7a560e5c 4628 return -EBADMSG;
fcc203c3
GP		 4629 }
4630 return 0;
4631}
4632
6ea00485 4633static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4634{
e31f7633 4635 struct l2cap_ctrl control;
d5392c8f 4636
e31f7633 4637 BT_DBG("chan %p", chan);
d5392c8f 4638
e31f7633
MM		 4639 memset(&control, 0, sizeof(control));
4640 control.sframe = 1;
4641 control.final = 1;
4642 control.reqseq = chan->buffer_seq;
4643 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4644
e2ab4353 4645 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4646 control.super = L2CAP_SUPER_RNR;
4647 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4648 }
4649
e31f7633
MM		 4650 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4651 chan->unacked_frames > 0)
4652 __set_retrans_timer(chan);
d5392c8f 4653
e31f7633 4654 /* Send pending iframes */
525cd185 4655 l2cap_ertm_send(chan);
d5392c8f 4656
e2ab4353 4657 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4658 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4659 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4660 * send it now.
4661 */
4662 control.super = L2CAP_SUPER_RR;
4663 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4664 }
4665}
4666
2d792818
GP		 4667static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
4668 struct sk_buff **last_frag)
18778a63 4669{
84084a31
MM		 4670 /* skb->len reflects data in skb as well as all fragments
4671 * skb->data_len reflects only data in fragments
4672 */
4673 if (!skb_has_frag_list(skb))
4674 skb_shinfo(skb)->frag_list = new_frag;
4675
4676 new_frag->next = NULL;
4677
4678 (*last_frag)->next = new_frag;
4679 *last_frag = new_frag;
4680
4681 skb->len += new_frag->len;
4682 skb->data_len += new_frag->len;
4683 skb->truesize += new_frag->truesize;
4684}
4685
4b51dae9
MM		 4686static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4687 struct l2cap_ctrl *control)
84084a31
MM		 4688{
4689 int err = -EINVAL;
18778a63 4690
4b51dae9 4691 switch (control->sar) {
7e0ef6ee 4692 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4693 if (chan->sdu)
4694 break;
18778a63 4695
80b98027 4696 err = chan->ops->recv(chan, skb);
84084a31 4697 break;
18778a63 4698
7e0ef6ee 4699 case L2CAP_SAR_START:
84084a31
MM		 4700 if (chan->sdu)
4701 break;
18778a63 4702
6f61fd47 4703 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4704 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4705
84084a31
MM		 4706 if (chan->sdu_len > chan->imtu) {
4707 err = -EMSGSIZE;
4708 break;
4709 }
1890d36b 4710
84084a31
MM		 4711 if (skb->len >= chan->sdu_len)
4712 break;
18778a63 4713
84084a31
MM		 4714 chan->sdu = skb;
4715 chan->sdu_last_frag = skb;
18778a63 4716
84084a31
MM		 4717 skb = NULL;
4718 err = 0;
18778a63
GP		 4719 break;
4720
7e0ef6ee 4721 case L2CAP_SAR_CONTINUE:
6f61fd47 4722 if (!chan->sdu)
84084a31 4723 break;
18778a63 4724
84084a31
MM		 4725 append_skb_frag(chan->sdu, skb,
4726 &chan->sdu_last_frag);
4727 skb = NULL;
18778a63 4728
84084a31
MM		 4729 if (chan->sdu->len >= chan->sdu_len)
4730 break;
4178ba46 4731
84084a31 4732 err = 0;
18778a63
GP		 4733 break;
4734
7e0ef6ee 4735 case L2CAP_SAR_END:
6f61fd47 4736 if (!chan->sdu)
84084a31 4737 break;
18778a63 4738
84084a31
MM		 4739 append_skb_frag(chan->sdu, skb,
4740 &chan->sdu_last_frag);
4741 skb = NULL;
4178ba46 4742
84084a31
MM		 4743 if (chan->sdu->len != chan->sdu_len)
4744 break;
18778a63 4745
80b98027 4746 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4747
84084a31
MM		 4748 if (!err) {
4749 /* Reassembly complete */
4750 chan->sdu = NULL;
4751 chan->sdu_last_frag = NULL;
4752 chan->sdu_len = 0;
1890d36b 4753 }
18778a63
GP		 4754 break;
4755 }
4756
84084a31
MM		 4757 if (err) {
4758 kfree_skb(skb);
4759 kfree_skb(chan->sdu);
4760 chan->sdu = NULL;
4761 chan->sdu_last_frag = NULL;
4762 chan->sdu_len = 0;
4763 }
18778a63 4764
84084a31 4765 return err;
18778a63
GP		 4766}
4767
32b32735
MM		 4768static int l2cap_resegment(struct l2cap_chan *chan)
4769{
4770 /* Placeholder */
4771 return 0;
4772}
4773
61aa4f5b 4774void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4775{
61aa4f5b 4776 u8 event;
712132eb 4777
61aa4f5b
MM		 4778 if (chan->mode != L2CAP_MODE_ERTM)
4779 return;
712132eb 4780
61aa4f5b 4781 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4782 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4783}
4784
d2a7ac5d
MM		 4785static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4786{
63838725
MM		 4787 int err = 0;
4788 /* Pass sequential frames to l2cap_reassemble_sdu()
4789 * until a gap is encountered.
4790 */
4791
4792 BT_DBG("chan %p", chan);
4793
4794 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4795 struct sk_buff *skb;
4796 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4797 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4798
4799 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4800
4801 if (!skb)
4802 break;
4803
4804 skb_unlink(skb, &chan->srej_q);
4805 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4806 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4807 if (err)
4808 break;
4809 }
4810
4811 if (skb_queue_empty(&chan->srej_q)) {
4812 chan->rx_state = L2CAP_RX_STATE_RECV;
4813 l2cap_send_ack(chan);
4814 }
4815
4816 return err;
d2a7ac5d
MM		 4817}
4818
4819static void l2cap_handle_srej(struct l2cap_chan *chan,
4820 struct l2cap_ctrl *control)
4821{
f80842a8
MM		 4822 struct sk_buff *skb;
4823
4824 BT_DBG("chan %p, control %p", chan, control);
4825
4826 if (control->reqseq == chan->next_tx_seq) {
4827 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4828 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4829 return;
4830 }
4831
4832 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4833
4834 if (skb == NULL) {
4835 BT_DBG("Seq %d not available for retransmission",
4836 control->reqseq);
4837 return;
4838 }
4839
4840 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4841 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4842 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4843 return;
4844 }
4845
4846 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4847
4848 if (control->poll) {
4849 l2cap_pass_to_tx(chan, control);
4850
4851 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4852 l2cap_retransmit(chan, control);
4853 l2cap_ertm_send(chan);
4854
4855 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4856 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4857 chan->srej_save_reqseq = control->reqseq;
4858 }
4859 } else {
4860 l2cap_pass_to_tx_fbit(chan, control);
4861
4862 if (control->final) {
4863 if (chan->srej_save_reqseq != control->reqseq ||
4864 !test_and_clear_bit(CONN_SREJ_ACT,
4865 &chan->conn_state))
4866 l2cap_retransmit(chan, control);
4867 } else {
4868 l2cap_retransmit(chan, control);
4869 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4870 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4871 chan->srej_save_reqseq = control->reqseq;
4872 }
4873 }
4874 }
d2a7ac5d
MM		 4875}
4876
4877static void l2cap_handle_rej(struct l2cap_chan *chan,
4878 struct l2cap_ctrl *control)
4879{
fcd289df
MM		 4880 struct sk_buff *skb;
4881
4882 BT_DBG("chan %p, control %p", chan, control);
4883
4884 if (control->reqseq == chan->next_tx_seq) {
4885 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4886 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4887 return;
4888 }
4889
4890 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4891
4892 if (chan->max_tx && skb &&
4893 bt_cb(skb)->control.retries >= chan->max_tx) {
4894 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4895 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4896 return;
4897 }
4898
4899 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4900
4901 l2cap_pass_to_tx(chan, control);
4902
4903 if (control->final) {
4904 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4905 l2cap_retransmit_all(chan, control);
4906 } else {
4907 l2cap_retransmit_all(chan, control);
4908 l2cap_ertm_send(chan);
4909 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4910 set_bit(CONN_REJ_ACT, &chan->conn_state);
4911 }
d2a7ac5d
MM		 4912}
4913
4b51dae9
MM		 4914static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4915{
4916 BT_DBG("chan %p, txseq %d", chan, txseq);
4917
4918 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4919 chan->expected_tx_seq);
4920
4921 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4922 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 4923 chan->tx_win) {
4b51dae9
MM		 4924 /* See notes below regarding "double poll" and
4925 * invalid packets.
4926 */
4927 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4928 BT_DBG("Invalid/Ignore - after SREJ");
4929 return L2CAP_TXSEQ_INVALID_IGNORE;
4930 } else {
4931 BT_DBG("Invalid - in window after SREJ sent");
4932 return L2CAP_TXSEQ_INVALID;
4933 }
4934 }
4935
4936 if (chan->srej_list.head == txseq) {
4937 BT_DBG("Expected SREJ");
4938 return L2CAP_TXSEQ_EXPECTED_SREJ;
4939 }
4940
4941 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4942 BT_DBG("Duplicate SREJ - txseq already stored");
4943 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4944 }
4945
4946 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4947 BT_DBG("Unexpected SREJ - not requested");
4948 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4949 }
4950 }
4951
4952 if (chan->expected_tx_seq == txseq) {
4953 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4954 chan->tx_win) {
4955 BT_DBG("Invalid - txseq outside tx window");
4956 return L2CAP_TXSEQ_INVALID;
4957 } else {
4958 BT_DBG("Expected");
4959 return L2CAP_TXSEQ_EXPECTED;
4960 }
4961 }
4962
4963 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 4964 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 4965 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4966 return L2CAP_TXSEQ_DUPLICATE;
4967 }
4968
4969 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4970 /* A source of invalid packets is a "double poll" condition,
4971 * where delays cause us to send multiple poll packets. If
4972 * the remote stack receives and processes both polls,
4973 * sequence numbers can wrap around in such a way that a
4974 * resent frame has a sequence number that looks like new data
4975 * with a sequence gap. This would trigger an erroneous SREJ
4976 * request.
4977 *
4978 * Fortunately, this is impossible with a tx window that's
4979 * less than half of the maximum sequence number, which allows
4980 * invalid frames to be safely ignored.
4981 *
4982 * With tx window sizes greater than half of the tx window
4983 * maximum, the frame is invalid and cannot be ignored. This
4984 * causes a disconnect.
4985 */
4986
4987 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4988 BT_DBG("Invalid/Ignore - txseq outside tx window");
4989 return L2CAP_TXSEQ_INVALID_IGNORE;
4990 } else {
4991 BT_DBG("Invalid - txseq outside tx window");
4992 return L2CAP_TXSEQ_INVALID;
4993 }
4994 } else {
4995 BT_DBG("Unexpected - txseq indicates missing frames");
4996 return L2CAP_TXSEQ_UNEXPECTED;
4997 }
4998}
4999
d2a7ac5d
MM		 5000static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5001 struct l2cap_ctrl *control,
5002 struct sk_buff *skb, u8 event)
5003{
5004 int err = 0;
5005 bool skb_in_use = 0;
5006
5007 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5008 event);
5009
5010 switch (event) {
5011 case L2CAP_EV_RECV_IFRAME:
5012 switch (l2cap_classify_txseq(chan, control->txseq)) {
5013 case L2CAP_TXSEQ_EXPECTED:
5014 l2cap_pass_to_tx(chan, control);
5015
5016 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5017 BT_DBG("Busy, discarding expected seq %d",
5018 control->txseq);
5019 break;
5020 }
5021
5022 chan->expected_tx_seq = __next_seq(chan,
5023 control->txseq);
5024
5025 chan->buffer_seq = chan->expected_tx_seq;
5026 skb_in_use = 1;
5027
5028 err = l2cap_reassemble_sdu(chan, skb, control);
5029 if (err)
5030 break;
5031
5032 if (control->final) {
5033 if (!test_and_clear_bit(CONN_REJ_ACT,
5034 &chan->conn_state)) {
5035 control->final = 0;
5036 l2cap_retransmit_all(chan, control);
5037 l2cap_ertm_send(chan);
5038 }
5039 }
5040
5041 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5042 l2cap_send_ack(chan);
5043 break;
5044 case L2CAP_TXSEQ_UNEXPECTED:
5045 l2cap_pass_to_tx(chan, control);
5046
5047 /* Can't issue SREJ frames in the local busy state.
5048 * Drop this frame, it will be seen as missing
5049 * when local busy is exited.
5050 */
5051 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5052 BT_DBG("Busy, discarding unexpected seq %d",
5053 control->txseq);
5054 break;
5055 }
5056
5057 /* There was a gap in the sequence, so an SREJ
5058 * must be sent for each missing frame. The
5059 * current frame is stored for later use.
5060 */
5061 skb_queue_tail(&chan->srej_q, skb);
5062 skb_in_use = 1;
5063 BT_DBG("Queued %p (queue len %d)", skb,
5064 skb_queue_len(&chan->srej_q));
5065
5066 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5067 l2cap_seq_list_clear(&chan->srej_list);
5068 l2cap_send_srej(chan, control->txseq);
5069
5070 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5071 break;
5072 case L2CAP_TXSEQ_DUPLICATE:
5073 l2cap_pass_to_tx(chan, control);
5074 break;
5075 case L2CAP_TXSEQ_INVALID_IGNORE:
5076 break;
5077 case L2CAP_TXSEQ_INVALID:
5078 default:
5079 l2cap_send_disconn_req(chan->conn, chan,
5080 ECONNRESET);
5081 break;
5082 }
5083 break;
5084 case L2CAP_EV_RECV_RR:
5085 l2cap_pass_to_tx(chan, control);
5086 if (control->final) {
5087 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5088
5089 if (!test_and_clear_bit(CONN_REJ_ACT,
5090 &chan->conn_state)) {
5091 control->final = 0;
5092 l2cap_retransmit_all(chan, control);
5093 }
5094
5095 l2cap_ertm_send(chan);
5096 } else if (control->poll) {
5097 l2cap_send_i_or_rr_or_rnr(chan);
5098 } else {
5099 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5100 &chan->conn_state) &&
5101 chan->unacked_frames)
5102 __set_retrans_timer(chan);
5103
5104 l2cap_ertm_send(chan);
5105 }
5106 break;
5107 case L2CAP_EV_RECV_RNR:
5108 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5109 l2cap_pass_to_tx(chan, control);
5110 if (control && control->poll) {
5111 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5112 l2cap_send_rr_or_rnr(chan, 0);
5113 }
5114 __clear_retrans_timer(chan);
5115 l2cap_seq_list_clear(&chan->retrans_list);
5116 break;
5117 case L2CAP_EV_RECV_REJ:
5118 l2cap_handle_rej(chan, control);
5119 break;
5120 case L2CAP_EV_RECV_SREJ:
5121 l2cap_handle_srej(chan, control);
5122 break;
5123 default:
5124 break;
5125 }
5126
5127 if (skb && !skb_in_use) {
5128 BT_DBG("Freeing %p", skb);
5129 kfree_skb(skb);
5130 }
5131
5132 return err;
5133}
5134
5135static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5136 struct l2cap_ctrl *control,
5137 struct sk_buff *skb, u8 event)
5138{
5139 int err = 0;
5140 u16 txseq = control->txseq;
5141 bool skb_in_use = 0;
5142
5143 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5144 event);
5145
5146 switch (event) {
5147 case L2CAP_EV_RECV_IFRAME:
5148 switch (l2cap_classify_txseq(chan, txseq)) {
5149 case L2CAP_TXSEQ_EXPECTED:
5150 /* Keep frame for reassembly later */
5151 l2cap_pass_to_tx(chan, control);
5152 skb_queue_tail(&chan->srej_q, skb);
5153 skb_in_use = 1;
5154 BT_DBG("Queued %p (queue len %d)", skb,
5155 skb_queue_len(&chan->srej_q));
5156
5157 chan->expected_tx_seq = __next_seq(chan, txseq);
5158 break;
5159 case L2CAP_TXSEQ_EXPECTED_SREJ:
5160 l2cap_seq_list_pop(&chan->srej_list);
5161
5162 l2cap_pass_to_tx(chan, control);
5163 skb_queue_tail(&chan->srej_q, skb);
5164 skb_in_use = 1;
5165 BT_DBG("Queued %p (queue len %d)", skb,
5166 skb_queue_len(&chan->srej_q));
5167
5168 err = l2cap_rx_queued_iframes(chan);
5169 if (err)
5170 break;
5171
5172 break;
5173 case L2CAP_TXSEQ_UNEXPECTED:
5174 /* Got a frame that can't be reassembled yet.
5175 * Save it for later, and send SREJs to cover
5176 * the missing frames.
5177 */
5178 skb_queue_tail(&chan->srej_q, skb);
5179 skb_in_use = 1;
5180 BT_DBG("Queued %p (queue len %d)", skb,
5181 skb_queue_len(&chan->srej_q));
5182
5183 l2cap_pass_to_tx(chan, control);
5184 l2cap_send_srej(chan, control->txseq);
5185 break;
5186 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5187 /* This frame was requested with an SREJ, but
5188 * some expected retransmitted frames are
5189 * missing. Request retransmission of missing
5190 * SREJ'd frames.
5191 */
5192 skb_queue_tail(&chan->srej_q, skb);
5193 skb_in_use = 1;
5194 BT_DBG("Queued %p (queue len %d)", skb,
5195 skb_queue_len(&chan->srej_q));
5196
5197 l2cap_pass_to_tx(chan, control);
5198 l2cap_send_srej_list(chan, control->txseq);
5199 break;
5200 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5201 /* We've already queued this frame. Drop this copy. */
5202 l2cap_pass_to_tx(chan, control);
5203 break;
5204 case L2CAP_TXSEQ_DUPLICATE:
5205 /* Expecting a later sequence number, so this frame
5206 * was already received. Ignore it completely.
5207 */
5208 break;
5209 case L2CAP_TXSEQ_INVALID_IGNORE:
5210 break;
5211 case L2CAP_TXSEQ_INVALID:
5212 default:
5213 l2cap_send_disconn_req(chan->conn, chan,
5214 ECONNRESET);
5215 break;
5216 }
5217 break;
5218 case L2CAP_EV_RECV_RR:
5219 l2cap_pass_to_tx(chan, control);
5220 if (control->final) {
5221 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5222
5223 if (!test_and_clear_bit(CONN_REJ_ACT,
5224 &chan->conn_state)) {
5225 control->final = 0;
5226 l2cap_retransmit_all(chan, control);
5227 }
5228
5229 l2cap_ertm_send(chan);
5230 } else if (control->poll) {
5231 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5232 &chan->conn_state) &&
5233 chan->unacked_frames) {
5234 __set_retrans_timer(chan);
5235 }
5236
5237 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5238 l2cap_send_srej_tail(chan);
5239 } else {
5240 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5241 &chan->conn_state) &&
5242 chan->unacked_frames)
5243 __set_retrans_timer(chan);
5244
5245 l2cap_send_ack(chan);
5246 }
5247 break;
5248 case L2CAP_EV_RECV_RNR:
5249 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5250 l2cap_pass_to_tx(chan, control);
5251 if (control->poll) {
5252 l2cap_send_srej_tail(chan);
5253 } else {
5254 struct l2cap_ctrl rr_control;
5255 memset(&rr_control, 0, sizeof(rr_control));
5256 rr_control.sframe = 1;
5257 rr_control.super = L2CAP_SUPER_RR;
5258 rr_control.reqseq = chan->buffer_seq;
5259 l2cap_send_sframe(chan, &rr_control);
5260 }
5261
5262 break;
5263 case L2CAP_EV_RECV_REJ:
5264 l2cap_handle_rej(chan, control);
5265 break;
5266 case L2CAP_EV_RECV_SREJ:
5267 l2cap_handle_srej(chan, control);
5268 break;
5269 }
5270
5271 if (skb && !skb_in_use) {
5272 BT_DBG("Freeing %p", skb);
5273 kfree_skb(skb);
5274 }
5275
5276 return err;
5277}
5278
32b32735
MM		 5279static int l2cap_finish_move(struct l2cap_chan *chan)
5280{
5281 BT_DBG("chan %p", chan);
5282
5283 chan->rx_state = L2CAP_RX_STATE_RECV;
5284
5285 if (chan->hs_hcon)
5286 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5287 else
5288 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5289
5290 return l2cap_resegment(chan);
5291}
5292
5293static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5294 struct l2cap_ctrl *control,
5295 struct sk_buff *skb, u8 event)
5296{
5297 int err;
5298
5299 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5300 event);
5301
5302 if (!control->poll)
5303 return -EPROTO;
5304
5305 l2cap_process_reqseq(chan, control->reqseq);
5306
5307 if (!skb_queue_empty(&chan->tx_q))
5308 chan->tx_send_head = skb_peek(&chan->tx_q);
5309 else
5310 chan->tx_send_head = NULL;
5311
5312 /* Rewind next_tx_seq to the point expected
5313 * by the receiver.
5314 */
5315 chan->next_tx_seq = control->reqseq;
5316 chan->unacked_frames = 0;
5317
5318 err = l2cap_finish_move(chan);
5319 if (err)
5320 return err;
5321
5322 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5323 l2cap_send_i_or_rr_or_rnr(chan);
5324
5325 if (event == L2CAP_EV_RECV_IFRAME)
5326 return -EPROTO;
5327
5328 return l2cap_rx_state_recv(chan, control, NULL, event);
5329}
5330
5331static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5332 struct l2cap_ctrl *control,
5333 struct sk_buff *skb, u8 event)
5334{
5335 int err;
5336
5337 if (!control->final)
5338 return -EPROTO;
5339
5340 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5341
5342 chan->rx_state = L2CAP_RX_STATE_RECV;
5343 l2cap_process_reqseq(chan, control->reqseq);
5344
5345 if (!skb_queue_empty(&chan->tx_q))
5346 chan->tx_send_head = skb_peek(&chan->tx_q);
5347 else
5348 chan->tx_send_head = NULL;
5349
5350 /* Rewind next_tx_seq to the point expected
5351 * by the receiver.
5352 */
5353 chan->next_tx_seq = control->reqseq;
5354 chan->unacked_frames = 0;
5355
5356 if (chan->hs_hcon)
5357 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5358 else
5359 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5360
5361 err = l2cap_resegment(chan);
5362
5363 if (!err)
5364 err = l2cap_rx_state_recv(chan, control, skb, event);
5365
5366 return err;
5367}
5368
d2a7ac5d
MM		 5369static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5370{
5371 /* Make sure reqseq is for a packet that has been sent but not acked */
5372 u16 unacked;
5373
5374 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5375 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5376}
5377
cec8ab6e
MM		 5378static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5379 struct sk_buff *skb, u8 event)
218bb9df 5380{
d2a7ac5d
MM		 5381 int err = 0;
5382
5383 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5384 control, skb, event, chan->rx_state);
5385
5386 if (__valid_reqseq(chan, control->reqseq)) {
5387 switch (chan->rx_state) {
5388 case L2CAP_RX_STATE_RECV:
5389 err = l2cap_rx_state_recv(chan, control, skb, event);
5390 break;
5391 case L2CAP_RX_STATE_SREJ_SENT:
5392 err = l2cap_rx_state_srej_sent(chan, control, skb,
5393 event);
5394 break;
32b32735
MM		 5395 case L2CAP_RX_STATE_WAIT_P:
5396 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5397 break;
5398 case L2CAP_RX_STATE_WAIT_F:
5399 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5400 break;
d2a7ac5d
MM		 5401 default:
5402 /* shut it down */
5403 break;
5404 }
5405 } else {
5406 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5407 control->reqseq, chan->next_tx_seq,
5408 chan->expected_ack_seq);
5409 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5410 }
5411
5412 return err;
cec8ab6e
MM		 5413}
5414
5415static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5416 struct sk_buff *skb)
5417{
4b51dae9
MM		 5418 int err = 0;
5419
5420 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5421 chan->rx_state);
5422
5423 if (l2cap_classify_txseq(chan, control->txseq) ==
5424 L2CAP_TXSEQ_EXPECTED) {
5425 l2cap_pass_to_tx(chan, control);
5426
5427 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5428 __next_seq(chan, chan->buffer_seq));
5429
5430 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5431
5432 l2cap_reassemble_sdu(chan, skb, control);
5433 } else {
5434 if (chan->sdu) {
5435 kfree_skb(chan->sdu);
5436 chan->sdu = NULL;
5437 }
5438 chan->sdu_last_frag = NULL;
5439 chan->sdu_len = 0;
5440
5441 if (skb) {
5442 BT_DBG("Freeing %p", skb);
5443 kfree_skb(skb);
5444 }
5445 }
5446
5447 chan->last_acked_seq = control->txseq;
5448 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5449
5450 return err;
cec8ab6e
MM		 5451}
5452
5453static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5454{
5455 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5456 u16 len;
5457 u8 event;
218bb9df 5458
b76bbd66
MM		 5459 __unpack_control(chan, skb);
5460
218bb9df
GP		 5461 len = skb->len;
5462
5463 /*
5464 * We can just drop the corrupted I-frame here.
5465 * Receiver will miss it and start proper recovery
cec8ab6e 5466 * procedures and ask for retransmission.
218bb9df 5467 */
47d1ec61 5468 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5469 goto drop;
5470
cec8ab6e 5471 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5472 len -= L2CAP_SDULEN_SIZE;
218bb9df 5473
47d1ec61 5474 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5475 len -= L2CAP_FCS_SIZE;
218bb9df 5476
47d1ec61 5477 if (len > chan->mps) {
8c1d787b 5478 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5479 goto drop;
5480 }
5481
cec8ab6e
MM		 5482 if (!control->sframe) {
5483 int err;
218bb9df 5484
cec8ab6e
MM		 5485 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5486 control->sar, control->reqseq, control->final,
5487 control->txseq);
218bb9df 5488
cec8ab6e
MM		 5489 /* Validate F-bit - F=0 always valid, F=1 only
5490 * valid in TX WAIT_F
5491 */
5492 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5493 goto drop;
cec8ab6e
MM		 5494
5495 if (chan->mode != L2CAP_MODE_STREAMING) {
5496 event = L2CAP_EV_RECV_IFRAME;
5497 err = l2cap_rx(chan, control, skb, event);
5498 } else {
5499 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5500 }
5501
cec8ab6e
MM		 5502 if (err)
5503 l2cap_send_disconn_req(chan->conn, chan,
5504 ECONNRESET);
218bb9df 5505 } else {
cec8ab6e
MM		 5506 const u8 rx_func_to_event[4] = {
5507 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5508 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5509 };
5510
5511 /* Only I-frames are expected in streaming mode */
5512 if (chan->mode == L2CAP_MODE_STREAMING)
5513 goto drop;
5514
5515 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5516 control->reqseq, control->final, control->poll,
5517 control->super);
5518
218bb9df
GP		 5519 if (len != 0) {
5520 BT_ERR("%d", len);
8c1d787b 5521 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5522 goto drop;
5523 }
5524
cec8ab6e
MM		 5525 /* Validate F and P bits */
5526 if (control->final && (control->poll ||
5527 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5528 goto drop;
5529
5530 event = rx_func_to_event[control->super];
5531 if (l2cap_rx(chan, control, skb, event))
5532 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5533 }
5534
5535 return 0;
5536
5537drop:
5538 kfree_skb(skb);
5539 return 0;
5540}
5541
13ca56e0
AE		 5542static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5543 struct sk_buff *skb)
1da177e4 5544{
48454079 5545 struct l2cap_chan *chan;
1da177e4 5546
baa7e1fa 5547 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5548 if (!chan) {
97e8e89d
AE		 5549 if (cid == L2CAP_CID_A2MP) {
5550 chan = a2mp_channel_create(conn, skb);
5551 if (!chan) {
5552 kfree_skb(skb);
13ca56e0 5553 return;
97e8e89d
AE		 5554 }
5555
5556 l2cap_chan_lock(chan);
5557 } else {
5558 BT_DBG("unknown cid 0x%4.4x", cid);
5559 /* Drop packet and return */
5560 kfree_skb(skb);
13ca56e0 5561 return;
97e8e89d 5562 }
1da177e4
LT		 5563 }
5564
49208c9c 5565 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5566
89bc500e 5567 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5568 goto drop;
5569
0c1bc5c6 5570 switch (chan->mode) {
1c2acffb
GP		 5571 case L2CAP_MODE_BASIC:
5572 /* If socket recv buffers overflows we drop data here
5573 * which is *bad* because L2CAP has to be reliable.
5574 * But we don't have any other choice. L2CAP doesn't
5575 * provide flow control mechanism. */
1da177e4 5576
0c1bc5c6 5577 if (chan->imtu < skb->len)
1c2acffb 5578 goto drop;
1da177e4 5579
80b98027 5580 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5581 goto done;
5582 break;
5583
5584 case L2CAP_MODE_ERTM:
6840ed07 5585 case L2CAP_MODE_STREAMING:
cec8ab6e 5586 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5587 goto done;
5588
1c2acffb 5589 default:
0c1bc5c6 5590 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5591 break;
5592 }
1da177e4
LT		 5593
5594drop:
5595 kfree_skb(skb);
5596
5597done:
6be36555 5598 l2cap_chan_unlock(chan);
1da177e4
LT		 5599}
5600
84104b24
AE		 5601static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5602 struct sk_buff *skb)
1da177e4 5603{
23691d75 5604 struct l2cap_chan *chan;
1da177e4 5605
c2287681 5606 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5607 if (!chan)
1da177e4
LT		 5608 goto drop;
5609
5b4cedaa 5610 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5611
89bc500e 5612 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5613 goto drop;
5614
e13e21dc 5615 if (chan->imtu < skb->len)
1da177e4
LT		 5616 goto drop;
5617
80b98027 5618 if (!chan->ops->recv(chan, skb))
84104b24 5619 return;
1da177e4
LT		 5620
5621drop:
5622 kfree_skb(skb);
1da177e4
LT		 5623}
5624
6810fca7
AE		 5625static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5626 struct sk_buff *skb)
9f69bda6 5627{
23691d75 5628 struct l2cap_chan *chan;
9f69bda6 5629
c2287681 5630 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5631 if (!chan)
9f69bda6
GP		 5632 goto drop;
5633
5b4cedaa 5634 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5635
89bc500e 5636 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5637 goto drop;
5638
e13e21dc 5639 if (chan->imtu < skb->len)
9f69bda6
GP		 5640 goto drop;
5641
80b98027 5642 if (!chan->ops->recv(chan, skb))
6810fca7 5643 return;
9f69bda6
GP		 5644
5645drop:
5646 kfree_skb(skb);
9f69bda6
GP		 5647}
5648
1da177e4
LT		 5649static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5650{
5651 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5652 u16 cid, len;
5653 __le16 psm;
1da177e4
LT		 5654
5655 skb_pull(skb, L2CAP_HDR_SIZE);
5656 cid = __le16_to_cpu(lh->cid);
5657 len = __le16_to_cpu(lh->len);
5658
1c2acffb
GP		 5659 if (len != skb->len) {
5660 kfree_skb(skb);
5661 return;
5662 }
5663
1da177e4
LT		 5664 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5665
5666 switch (cid) {
3300d9a9 5667 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5668 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5669 l2cap_sig_channel(conn, skb);
5670 break;
5671
8db4dc46 5672 case L2CAP_CID_CONN_LESS:
097db76c 5673 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5674 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5675 l2cap_conless_channel(conn, psm, skb);
5676 break;
5677
9f69bda6
GP		 5678 case L2CAP_CID_LE_DATA:
5679 l2cap_att_channel(conn, cid, skb);
5680 break;
5681
b501d6a1
AB		 5682 case L2CAP_CID_SMP:
5683 if (smp_sig_channel(conn, skb))
5684 l2cap_conn_del(conn->hcon, EACCES);
5685 break;
5686
1da177e4
LT		 5687 default:
5688 l2cap_data_channel(conn, cid, skb);
5689 break;
5690 }
5691}
5692
5693/* ---- L2CAP interface with lower layer (HCI) ---- */
5694
686ebf28 5695int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5696{
5697 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5698 struct l2cap_chan *c;
1da177e4 5699
6ed93dc6 5700 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5701
5702 /* Find listening sockets and check their link_mode */
23691d75
GP		 5703 read_lock(&chan_list_lock);
5704 list_for_each_entry(c, &chan_list, global_l) {
5705 struct sock *sk = c->sk;
4343478f 5706
89bc500e 5707 if (c->state != BT_LISTEN)
1da177e4
LT		 5708 continue;
5709
5710 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5711 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5712 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5713 lm1 |= HCI_LM_MASTER;
1da177e4 5714 exact++;
2af6b9d5
MH		 5715 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5716 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5717 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5718 lm2 |= HCI_LM_MASTER;
5719 }
1da177e4 5720 }
23691d75 5721 read_unlock(&chan_list_lock);
1da177e4
LT		 5722
5723 return exact ? lm1 : lm2;
5724}
5725
9e664631 5726void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5727{
0139418c
MH		 5728 struct l2cap_conn *conn;
5729
6ed93dc6 5730 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5731
1da177e4 5732 if (!status) {
1da177e4
LT		 5733 conn = l2cap_conn_add(hcon, status);
5734 if (conn)
5735 l2cap_conn_ready(conn);
0139418c 5736 } else
e175072f 5737 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5738
1da177e4
LT		 5739}
5740
686ebf28 5741int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5742{
5743 struct l2cap_conn *conn = hcon->l2cap_data;
5744
5745 BT_DBG("hcon %p", hcon);
5746
686ebf28 5747 if (!conn)
9f5a0d7b 5748 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5749 return conn->disc_reason;
5750}
5751
9e664631 5752void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5753{
5754 BT_DBG("hcon %p reason %d", hcon, reason);
5755
e175072f 5756 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5757}
5758
4343478f 5759static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5760{
715ec005 5761 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5762 return;
5763
f62e4323 5764 if (encrypt == 0x00) {
4343478f 5765 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5766 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5767 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5768 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5769 } else {
4343478f 5770 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5771 __clear_chan_timer(chan);
f62e4323
MH		 5772 }
5773}
5774
686ebf28 5775int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5776{
0139418c 5777 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5778 struct l2cap_chan *chan;
1da177e4 5779
0139418c 5780 if (!conn)
1da177e4 5781 return 0;
0139418c 5782
89d8b407 5783 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5784
160dc6ac 5785 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5786 if (!status && encrypt)
5787 smp_distribute_keys(conn, 0);
17cd3f37 5788 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5789 }
5790
3df91ea2 5791 mutex_lock(&conn->chan_lock);
1da177e4 5792
3df91ea2 5793 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5794 l2cap_chan_lock(chan);
1da177e4 5795
89d8b407
AE		 5796 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5797 state_to_string(chan->state));
f1cb9af5 5798
78eb2f98
AE		 5799 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5800 l2cap_chan_unlock(chan);
5801 continue;
5802 }
5803
f1cb9af5
VCG		 5804 if (chan->scid == L2CAP_CID_LE_DATA) {
5805 if (!status && encrypt) {
5806 chan->sec_level = hcon->sec_level;
cf4cd009 5807 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5808 }
5809
6be36555 5810 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5811 continue;
5812 }
5813
c1360a1c 5814 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5815 l2cap_chan_unlock(chan);
6a8d3010
MH		 5816 continue;
5817 }
5818
89bc500e 5819 if (!status && (chan->state == BT_CONNECTED ||
2d792818 5820 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5821 struct sock *sk = chan->sk;
5822
c5daa683 5823 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5824 sk->sk_state_change(sk);
5825
4343478f 5826 l2cap_check_encryption(chan, encrypt);
6be36555 5827 l2cap_chan_unlock(chan);
9719f8af
MH		 5828 continue;
5829 }
5830
89bc500e 5831 if (chan->state == BT_CONNECT) {
b1235d79 5832 if (!status) {
93c3e8f5 5833 l2cap_start_connection(chan);
b1235d79 5834 } else {
ba13ccd9 5835 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5836 }
89bc500e 5837 } else if (chan->state == BT_CONNECT2) {
6be36555 5838 struct sock *sk = chan->sk;
b1235d79 5839 struct l2cap_conn_rsp rsp;
df3c3931 5840 __u16 res, stat;
1da177e4 5841
6be36555
AE		 5842 lock_sock(sk);
5843
b1235d79 5844 if (!status) {
c5daa683
GP		 5845 if (test_bit(BT_SK_DEFER_SETUP,
5846 &bt_sk(sk)->flags)) {
df3c3931
JH		 5847 res = L2CAP_CR_PEND;
5848 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 5849 chan->ops->defer(chan);
df3c3931 5850 } else {
0e587be7 5851 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5852 res = L2CAP_CR_SUCCESS;
5853 stat = L2CAP_CS_NO_INFO;
5854 }
b1235d79 5855 } else {
0e587be7 5856 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5857 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5858 res = L2CAP_CR_SEC_BLOCK;
5859 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5860 }
5861
6be36555
AE		 5862 release_sock(sk);
5863
fe4128e0
GP		 5864 rsp.scid = cpu_to_le16(chan->dcid);
5865 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5866 rsp.result = cpu_to_le16(res);
5867 rsp.status = cpu_to_le16(stat);
fc7f8a7e 5868 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 5869 sizeof(rsp), &rsp);
2d369359
MM		 5870
5871 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5872 res == L2CAP_CR_SUCCESS) {
5873 char buf[128];
5874 set_bit(CONF_REQ_SENT, &chan->conf_state);
5875 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5876 L2CAP_CONF_REQ,
5877 l2cap_build_conf_req(chan, buf),
5878 buf);
5879 chan->num_conf_req++;
5880 }
b1235d79 5881 }
1da177e4 5882
6be36555 5883 l2cap_chan_unlock(chan);
1da177e4
LT		 5884 }
5885
3df91ea2 5886 mutex_unlock(&conn->chan_lock);
b1235d79 5887
1da177e4
LT		 5888 return 0;
5889}
5890
686ebf28 5891int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5892{
5893 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 5894 struct l2cap_hdr *hdr;
5895 int len;
1da177e4 5896
1d13a254
AE		 5897 /* For AMP controller do not create l2cap conn */
5898 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
5899 goto drop;
1da177e4 5900
5a08ecce
AE		 5901 if (!conn)
5902 conn = l2cap_conn_add(hcon, 0);
5903
5904 if (!conn)
1da177e4
LT		 5905 goto drop;
5906
5907 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5908
d73a0988
AE		 5909 switch (flags) {
5910 case ACL_START:
5911 case ACL_START_NO_FLUSH:
5912 case ACL_COMPLETE:
1da177e4
LT		 5913 if (conn->rx_len) {
5914 BT_ERR("Unexpected start frame (len %d)", skb->len);
5915 kfree_skb(conn->rx_skb);
5916 conn->rx_skb = NULL;
5917 conn->rx_len = 0;
5918 l2cap_conn_unreliable(conn, ECOMM);
5919 }
5920
aae7fe22
AE		 5921 /* Start fragment always begin with Basic L2CAP header */
5922 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5923 BT_ERR("Frame is too short (len %d)", skb->len);
5924 l2cap_conn_unreliable(conn, ECOMM);
5925 goto drop;
5926 }
5927
5928 hdr = (struct l2cap_hdr *) skb->data;
5929 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5930
5931 if (len == skb->len) {
5932 /* Complete frame received */
5933 l2cap_recv_frame(conn, skb);
5934 return 0;
5935 }
5936
5937 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5938
5939 if (skb->len > len) {
5940 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 5941 skb->len, len);
1da177e4
LT		 5942 l2cap_conn_unreliable(conn, ECOMM);
5943 goto drop;
5944 }
5945
5946 /* Allocate skb for the complete frame (with header) */
8bcde1f2 5947 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 5948 if (!conn->rx_skb)
1da177e4
LT		 5949 goto drop;
5950
d626f62b 5951 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5952 skb->len);
1da177e4 5953 conn->rx_len = len - skb->len;
d73a0988
AE		 5954 break;
5955
5956 case ACL_CONT:
1da177e4
LT		 5957 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5958
5959 if (!conn->rx_len) {
5960 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5961 l2cap_conn_unreliable(conn, ECOMM);
5962 goto drop;
5963 }
5964
5965 if (skb->len > conn->rx_len) {
5966 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 5967 skb->len, conn->rx_len);
1da177e4
LT		 5968 kfree_skb(conn->rx_skb);
5969 conn->rx_skb = NULL;
5970 conn->rx_len = 0;
5971 l2cap_conn_unreliable(conn, ECOMM);
5972 goto drop;
5973 }
5974
d626f62b 5975 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5976 skb->len);
1da177e4
LT		 5977 conn->rx_len -= skb->len;
5978
5979 if (!conn->rx_len) {
5980 /* Complete frame received */
5981 l2cap_recv_frame(conn, conn->rx_skb);
5982 conn->rx_skb = NULL;
5983 }
d73a0988 5984 break;
1da177e4
LT		 5985 }
5986
5987drop:
5988 kfree_skb(skb);
5989 return 0;
5990}
5991
aef7d97c 5992static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5993{
23691d75 5994 struct l2cap_chan *c;
1da177e4 5995
333055f2 5996 read_lock(&chan_list_lock);
1da177e4 5997
23691d75
GP		 5998 list_for_each_entry(c, &chan_list, global_l) {
5999 struct sock *sk = c->sk;
101545f6 6000
fcb73338
AE		 6001 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6002 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6003 c->state, __le16_to_cpu(c->psm),
6004 c->scid, c->dcid, c->imtu, c->omtu,
6005 c->sec_level, c->mode);
61e1b4b7 6006 }
1da177e4 6007
333055f2 6008 read_unlock(&chan_list_lock);
1da177e4 6009
aef7d97c 6010 return 0;
1da177e4
LT		 6011}
6012
aef7d97c
MH		 6013static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6014{
6015 return single_open(file, l2cap_debugfs_show, inode->i_private);
6016}
6017
6018static const struct file_operations l2cap_debugfs_fops = {
6019 .open = l2cap_debugfs_open,
6020 .read = seq_read,
6021 .llseek = seq_lseek,
6022 .release = single_release,
6023};
6024
6025static struct dentry *l2cap_debugfs;
1da177e4 6026
64274518 6027int __init l2cap_init(void)
1da177e4
LT		 6028{
6029 int err;
be9d1227 6030
bb58f747 6031 err = l2cap_init_sockets();
1da177e4
LT		 6032 if (err < 0)
6033 return err;
6034
aef7d97c 6035 if (bt_debugfs) {
2d792818
GP		 6036 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6037 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6038 if (!l2cap_debugfs)
6039 BT_ERR("Failed to create L2CAP debug file");
6040 }
1da177e4 6041
1da177e4 6042 return 0;
1da177e4
LT		 6043}
6044
64274518 6045void l2cap_exit(void)
1da177e4 6046{
aef7d97c 6047 debugfs_remove(l2cap_debugfs);
bb58f747 6048 l2cap_cleanup_sockets();
1da177e4
LT		 6049}
6050
d1c4a17d
GP		 6051module_param(disable_ertm, bool, 0644);
6052MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)