projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: AMP: Drop packets when no l2cap conn exist
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
2d792818
GP		 103static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
104 u8 ident)
0139418c 105{
3df91ea2 106 struct l2cap_chan *c;
3d57dc68 107
3df91ea2
AE		 108 list_for_each_entry(c, &conn->chan_l, list) {
109 if (c->ident == ident)
110 return c;
0139418c 111 }
3df91ea2 112 return NULL;
0139418c
MH		 113}
114
23691d75 115static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 116{
23691d75 117 struct l2cap_chan *c;
9e4425ff 118
23691d75
GP		 119 list_for_each_entry(c, &chan_list, global_l) {
120 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 121 return c;
9e4425ff 122 }
250938cb 123 return NULL;
9e4425ff
GP		 124}
125
126int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
127{
73b2ec18
GP		 128 int err;
129
333055f2 130 write_lock(&chan_list_lock);
9e4425ff 131
23691d75 132 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 133 err = -EADDRINUSE;
134 goto done;
9e4425ff
GP		 135 }
136
73b2ec18
GP		 137 if (psm) {
138 chan->psm = psm;
139 chan->sport = psm;
140 err = 0;
141 } else {
142 u16 p;
143
144 err = -EINVAL;
145 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 146 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 147 chan->psm = cpu_to_le16(p);
148 chan->sport = cpu_to_le16(p);
149 err = 0;
150 break;
151 }
152 }
9e4425ff 153
73b2ec18 154done:
333055f2 155 write_unlock(&chan_list_lock);
73b2ec18 156 return err;
9e4425ff
GP		 157}
158
159int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
160{
333055f2 161 write_lock(&chan_list_lock);
9e4425ff
GP		 162
163 chan->scid = scid;
164
333055f2 165 write_unlock(&chan_list_lock);
9e4425ff
GP		 166
167 return 0;
168}
169
baa7e1fa 170static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 171{
8db4dc46 172 u16 cid = L2CAP_CID_DYN_START;
0139418c 173
8db4dc46 174 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 175 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 176 return cid;
177 }
178
179 return 0;
180}
181
0e587be7 182static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 183{
42d2d87c 184 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 185 state_to_string(state));
badaaa00 186
89bc500e 187 chan->state = state;
80b98027 188 chan->ops->state_change(chan, state);
89bc500e
GP		 189}
190
0e587be7
AE		 191static void l2cap_state_change(struct l2cap_chan *chan, int state)
192{
193 struct sock *sk = chan->sk;
194
195 lock_sock(sk);
196 __l2cap_state_change(chan, state);
197 release_sock(sk);
198}
199
2e0052e4
AE		 200static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
201{
202 struct sock *sk = chan->sk;
203
204 sk->sk_err = err;
205}
206
207static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
208{
209 struct sock *sk = chan->sk;
210
211 lock_sock(sk);
212 __l2cap_chan_set_err(chan, err);
213 release_sock(sk);
214}
215
4239d16f
MM		 216static void __set_retrans_timer(struct l2cap_chan *chan)
217{
218 if (!delayed_work_pending(&chan->monitor_timer) &&
219 chan->retrans_timeout) {
220 l2cap_set_timer(chan, &chan->retrans_timer,
221 msecs_to_jiffies(chan->retrans_timeout));
222 }
223}
224
225static void __set_monitor_timer(struct l2cap_chan *chan)
226{
227 __clear_retrans_timer(chan);
228 if (chan->monitor_timeout) {
229 l2cap_set_timer(chan, &chan->monitor_timer,
230 msecs_to_jiffies(chan->monitor_timeout));
231 }
232}
233
608bcc6d
MM		 234static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
235 u16 seq)
236{
237 struct sk_buff *skb;
238
239 skb_queue_walk(head, skb) {
240 if (bt_cb(skb)->control.txseq == seq)
241 return skb;
242 }
243
244 return NULL;
245}
246
3c588192
MM		 247/* ---- L2CAP sequence number lists ---- */
248
249/* For ERTM, ordered lists of sequence numbers must be tracked for
250 * SREJ requests that are received and for frames that are to be
251 * retransmitted. These seq_list functions implement a singly-linked
252 * list in an array, where membership in the list can also be checked
253 * in constant time. Items can also be added to the tail of the list
254 * and removed from the head in constant time, without further memory
255 * allocs or frees.
256 */
257
258static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
259{
260 size_t alloc_size, i;
261
262 /* Allocated size is a power of 2 to map sequence numbers
263 * (which may be up to 14 bits) in to a smaller array that is
264 * sized for the negotiated ERTM transmit windows.
265 */
266 alloc_size = roundup_pow_of_two(size);
267
268 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
269 if (!seq_list->list)
270 return -ENOMEM;
271
272 seq_list->mask = alloc_size - 1;
273 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
274 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
275 for (i = 0; i < alloc_size; i++)
276 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
277
278 return 0;
279}
280
281static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
282{
283 kfree(seq_list->list);
284}
285
286static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
287 u16 seq)
288{
289 /* Constant-time check for list membership */
290 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
291}
292
293static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
294{
295 u16 mask = seq_list->mask;
296
297 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
298 /* In case someone tries to pop the head of an empty list */
299 return L2CAP_SEQ_LIST_CLEAR;
300 } else if (seq_list->head == seq) {
301 /* Head can be removed in constant time */
302 seq_list->head = seq_list->list[seq & mask];
303 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
304
305 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
306 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
307 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
308 }
309 } else {
310 /* Walk the list to find the sequence number */
311 u16 prev = seq_list->head;
312 while (seq_list->list[prev & mask] != seq) {
313 prev = seq_list->list[prev & mask];
314 if (prev == L2CAP_SEQ_LIST_TAIL)
315 return L2CAP_SEQ_LIST_CLEAR;
316 }
317
318 /* Unlink the number from the list and clear it */
319 seq_list->list[prev & mask] = seq_list->list[seq & mask];
320 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
321 if (seq_list->tail == seq)
322 seq_list->tail = prev;
323 }
324 return seq;
325}
326
327static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
328{
329 /* Remove the head in constant time */
330 return l2cap_seq_list_remove(seq_list, seq_list->head);
331}
332
333static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
334{
f522ae36 335 u16 i;
3c588192 336
f522ae36
GP		 337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
338 return;
339
340 for (i = 0; i <= seq_list->mask; i++)
341 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
342
343 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
344 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 345}
346
347static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
348{
349 u16 mask = seq_list->mask;
350
351 /* All appends happen in constant time */
352
f522ae36
GP		 353 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
354 return;
3c588192 355
f522ae36
GP		 356 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
357 seq_list->head = seq;
358 else
359 seq_list->list[seq_list->tail & mask] = seq;
360
361 seq_list->tail = seq;
362 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 363}
364
721c4181 365static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 366{
721c4181 367 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 368 chan_timer.work);
3df91ea2 369 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 370 int reason;
371
e05dcc32 372 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 373
3df91ea2 374 mutex_lock(&conn->chan_lock);
6be36555 375 l2cap_chan_lock(chan);
ab07801d 376
89bc500e 377 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 378 reason = ECONNREFUSED;
89bc500e 379 else if (chan->state == BT_CONNECT &&
2d792818 380 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 381 reason = ECONNREFUSED;
382 else
383 reason = ETIMEDOUT;
384
0f852724 385 l2cap_chan_close(chan, reason);
ab07801d 386
6be36555 387 l2cap_chan_unlock(chan);
ab07801d 388
80b98027 389 chan->ops->close(chan);
3df91ea2
AE		 390 mutex_unlock(&conn->chan_lock);
391
371fd835 392 l2cap_chan_put(chan);
ab07801d
GP		 393}
394
eef1d9b6 395struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 396{
397 struct l2cap_chan *chan;
398
399 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
400 if (!chan)
401 return NULL;
402
c03b355e
AE		 403 mutex_init(&chan->lock);
404
333055f2 405 write_lock(&chan_list_lock);
23691d75 406 list_add(&chan->global_l, &chan_list);
333055f2 407 write_unlock(&chan_list_lock);
23691d75 408
721c4181 409 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 410
89bc500e
GP		 411 chan->state = BT_OPEN;
412
144ad330 413 kref_init(&chan->kref);
71ba0e56 414
2827011f
MM		 415 /* This flag is cleared in l2cap_chan_ready() */
416 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
417
eef1d9b6 418 BT_DBG("chan %p", chan);
abc545b8 419
48454079
GP		 420 return chan;
421}
422
144ad330 423static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 424{
144ad330
SS		 425 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
426
4af66c69
JK		 427 BT_DBG("chan %p", chan);
428
333055f2 429 write_lock(&chan_list_lock);
23691d75 430 list_del(&chan->global_l);
333055f2 431 write_unlock(&chan_list_lock);
23691d75 432
4af66c69 433 kfree(chan);
6ff5abbf
GP		 434}
435
30648372
JK		 436void l2cap_chan_hold(struct l2cap_chan *c)
437{
144ad330 438 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 439
144ad330 440 kref_get(&c->kref);
30648372
JK		 441}
442
443void l2cap_chan_put(struct l2cap_chan *c)
444{
144ad330 445 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 446
144ad330 447 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 448}
449
bd4b1653
AE		 450void l2cap_chan_set_defaults(struct l2cap_chan *chan)
451{
452 chan->fcs = L2CAP_FCS_CRC16;
453 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
454 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
455 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 456 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 457 chan->sec_level = BT_SECURITY_LOW;
458
459 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
460}
461
93c3e8f5 462void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 463{
af05b30b 464 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 465 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 466
9f5a0d7b 467 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 468
8c1d787b 469 chan->conn = conn;
0139418c 470
5491120e
AE		 471 switch (chan->chan_type) {
472 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 473 if (conn->hcon->type == LE_LINK) {
474 /* LE connection */
6fcb06a2 475 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 476 chan->scid = L2CAP_CID_LE_DATA;
477 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 478 } else {
479 /* Alloc CID for connection-oriented socket */
fe4128e0 480 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 481 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 482 }
5491120e
AE		 483 break;
484
485 case L2CAP_CHAN_CONN_LESS:
0139418c 486 /* Connectionless socket */
fe4128e0
GP		 487 chan->scid = L2CAP_CID_CONN_LESS;
488 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 489 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 490 break;
491
416fa752
AE		 492 case L2CAP_CHAN_CONN_FIX_A2MP:
493 chan->scid = L2CAP_CID_A2MP;
494 chan->dcid = L2CAP_CID_A2MP;
495 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
496 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
497 break;
498
5491120e 499 default:
0139418c 500 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 501 chan->scid = L2CAP_CID_SIGNALING;
502 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 503 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 504 }
505
8f7975b1
AE		 506 chan->local_id = L2CAP_BESTEFFORT_ID;
507 chan->local_stype = L2CAP_SERV_BESTEFFORT;
508 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
509 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
510 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 511 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 512
371fd835 513 l2cap_chan_hold(chan);
baa7e1fa 514
3df91ea2 515 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 516}
517
466f8004 518void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 519{
520 mutex_lock(&conn->chan_lock);
521 __l2cap_chan_add(conn, chan);
3df91ea2 522 mutex_unlock(&conn->chan_lock);
0139418c
MH		 523}
524
466f8004 525void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 526{
8c1d787b 527 struct l2cap_conn *conn = chan->conn;
0139418c 528
c9b66675 529 __clear_chan_timer(chan);
0139418c 530
49208c9c 531 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 532
8e87d142 533 if (conn) {
baa7e1fa 534 /* Delete from channel list */
3df91ea2 535 list_del(&chan->list);
3d57dc68 536
371fd835 537 l2cap_chan_put(chan);
baa7e1fa 538
8c1d787b 539 chan->conn = NULL;
3cabbfda
AE		 540
541 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
542 hci_conn_put(conn->hcon);
0139418c
MH		 543 }
544
b699ec0d 545 chan->ops->teardown(chan, err);
6be36555 546
2827011f 547 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 548 return;
2ead70b8 549
ee556f66
GP		 550 switch(chan->mode) {
551 case L2CAP_MODE_BASIC:
552 break;
c13ffa62 553
ee556f66 554 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 555 __clear_retrans_timer(chan);
556 __clear_monitor_timer(chan);
557 __clear_ack_timer(chan);
c13ffa62 558
f1c6775b 559 skb_queue_purge(&chan->srej_q);
c13ffa62 560
3c588192
MM		 561 l2cap_seq_list_free(&chan->srej_list);
562 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 563
564 /* fall through */
565
566 case L2CAP_MODE_STREAMING:
567 skb_queue_purge(&chan->tx_q);
568 break;
c13ffa62 569 }
ee556f66
GP		 570
571 return;
0139418c
MH		 572}
573
0f852724 574void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 575{
576 struct l2cap_conn *conn = chan->conn;
577 struct sock *sk = chan->sk;
578
2d792818
GP		 579 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
580 sk);
4519de9a 581
89bc500e 582 switch (chan->state) {
4519de9a 583 case BT_LISTEN:
b699ec0d 584 chan->ops->teardown(chan, 0);
4519de9a
GP		 585 break;
586
587 case BT_CONNECTED:
588 case BT_CONFIG:
715ec005 589 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 590 conn->hcon->type == ACL_LINK) {
c9b66675 591 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 592 l2cap_send_disconn_req(conn, chan, reason);
593 } else
594 l2cap_chan_del(chan, reason);
595 break;
596
597 case BT_CONNECT2:
715ec005 598 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 599 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 600 struct l2cap_conn_rsp rsp;
601 __u16 result;
602
c5daa683 603 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 604 result = L2CAP_CR_SEC_BLOCK;
605 else
606 result = L2CAP_CR_BAD_PSM;
89bc500e 607 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 608
609 rsp.scid = cpu_to_le16(chan->dcid);
610 rsp.dcid = cpu_to_le16(chan->scid);
611 rsp.result = cpu_to_le16(result);
ac73498c 612 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 613 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 614 sizeof(rsp), &rsp);
4519de9a
GP		 615 }
616
617 l2cap_chan_del(chan, reason);
618 break;
619
620 case BT_CONNECT:
621 case BT_DISCONN:
622 l2cap_chan_del(chan, reason);
623 break;
624
625 default:
b699ec0d 626 chan->ops->teardown(chan, 0);
4519de9a
GP		 627 break;
628 }
629}
630
4343478f 631static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 632{
715ec005 633 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 634 switch (chan->sec_level) {
8556edd3
JH		 635 case BT_SECURITY_HIGH:
636 return HCI_AT_DEDICATED_BONDING_MITM;
637 case BT_SECURITY_MEDIUM:
638 return HCI_AT_DEDICATED_BONDING;
639 default:
640 return HCI_AT_NO_BONDING;
641 }
2983fd68 642 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 643 if (chan->sec_level == BT_SECURITY_LOW)
644 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 645
4343478f 646 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 647 return HCI_AT_NO_BONDING_MITM;
00ae4af9 648 else
8556edd3 649 return HCI_AT_NO_BONDING;
00ae4af9 650 } else {
4343478f 651 switch (chan->sec_level) {
00ae4af9 652 case BT_SECURITY_HIGH:
8556edd3 653 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 654 case BT_SECURITY_MEDIUM:
8556edd3 655 return HCI_AT_GENERAL_BONDING;
00ae4af9 656 default:
8556edd3 657 return HCI_AT_NO_BONDING;
00ae4af9 658 }
0684e5f9 659 }
8556edd3
JH		 660}
661
662/* Service level security */
d45fc423 663int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 664{
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 666 __u8 auth_type;
667
4343478f 668 auth_type = l2cap_get_auth_type(chan);
79d554a6 669
4343478f 670 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 671}
672
b5ad8b7f 673static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 674{
675 u8 id;
676
677 /* Get next available identificator.
678 * 1 - 128 are used by kernel.
679 * 129 - 199 are reserved.
680 * 200 - 254 are used by utilities like l2ping, etc.
681 */
682
333055f2 683 spin_lock(&conn->lock);
4e8402a3
MH		 684
685 if (++conn->tx_ident > 128)
686 conn->tx_ident = 1;
687
688 id = conn->tx_ident;
689
333055f2 690 spin_unlock(&conn->lock);
4e8402a3
MH		 691
692 return id;
693}
694
2d792818
GP		 695static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
696 void *data)
4e8402a3
MH		 697{
698 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 699 u8 flags;
4e8402a3
MH		 700
701 BT_DBG("code 0x%2.2x", code);
702
703 if (!skb)
9a9c6a34 704 return;
4e8402a3 705
e702112f
AE		 706 if (lmp_no_flush_capable(conn->hcon->hdev))
707 flags = ACL_START_NO_FLUSH;
708 else
709 flags = ACL_START;
710
14b12d0b 711 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 712 skb->priority = HCI_PRIO_MAX;
14b12d0b 713
73d80deb
LAD		 714 hci_send_acl(conn->hchan, skb, flags);
715}
716
717static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
718{
719 struct hci_conn *hcon = chan->conn->hcon;
720 u16 flags;
721
722 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 723 skb->priority);
73d80deb
LAD		 724
725 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 726 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 727 flags = ACL_START_NO_FLUSH;
728 else
729 flags = ACL_START;
14b12d0b 730
73d80deb
LAD		 731 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
732 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 733}
734
b76bbd66
MM		 735static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
736{
737 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
738 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
739
740 if (enh & L2CAP_CTRL_FRAME_TYPE) {
741 /* S-Frame */
742 control->sframe = 1;
743 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
744 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
745
746 control->sar = 0;
747 control->txseq = 0;
748 } else {
749 /* I-Frame */
750 control->sframe = 0;
751 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
752 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
753
754 control->poll = 0;
755 control->super = 0;
756 }
757}
758
b76bbd66
MM		 759static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
760{
761 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
762 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
763
764 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
765 /* S-Frame */
766 control->sframe = 1;
767 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
768 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
769
770 control->sar = 0;
771 control->txseq = 0;
772 } else {
773 /* I-Frame */
774 control->sframe = 0;
775 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
776 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
777
778 control->poll = 0;
779 control->super = 0;
780 }
781}
782
783static inline void __unpack_control(struct l2cap_chan *chan,
784 struct sk_buff *skb)
785{
786 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
787 __unpack_extended_control(get_unaligned_le32(skb->data),
788 &bt_cb(skb)->control);
cec8ab6e 789 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 790 } else {
791 __unpack_enhanced_control(get_unaligned_le16(skb->data),
792 &bt_cb(skb)->control);
cec8ab6e 793 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 794 }
795}
796
b5c6aaed
MM		 797static u32 __pack_extended_control(struct l2cap_ctrl *control)
798{
799 u32 packed;
800
801 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
802 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
803
804 if (control->sframe) {
805 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
806 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
807 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
808 } else {
809 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
810 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
811 }
812
813 return packed;
814}
815
816static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
817{
818 u16 packed;
819
820 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
821 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
822
823 if (control->sframe) {
824 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
825 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
826 packed |= L2CAP_CTRL_FRAME_TYPE;
827 } else {
828 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
829 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
830 }
831
832 return packed;
833}
834
b76bbd66
MM		 835static inline void __pack_control(struct l2cap_chan *chan,
836 struct l2cap_ctrl *control,
837 struct sk_buff *skb)
838{
839 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
840 put_unaligned_le32(__pack_extended_control(control),
841 skb->data + L2CAP_HDR_SIZE);
842 } else {
843 put_unaligned_le16(__pack_enhanced_control(control),
844 skb->data + L2CAP_HDR_SIZE);
845 }
846}
847
ba7aa64f
GP		 848static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
849{
850 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
851 return L2CAP_EXT_HDR_SIZE;
852 else
853 return L2CAP_ENH_HDR_SIZE;
854}
855
a67d7f6f
MM		 856static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
857 u32 control)
b5c6aaed
MM		 858{
859 struct sk_buff *skb;
860 struct l2cap_hdr *lh;
ba7aa64f 861 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 862
863 if (chan->fcs == L2CAP_FCS_CRC16)
864 hlen += L2CAP_FCS_SIZE;
865
a67d7f6f 866 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 867
b5c6aaed 868 if (!skb)
a67d7f6f 869 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 870
871 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
872 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
873 lh->cid = cpu_to_le16(chan->dcid);
874
a67d7f6f
MM		 875 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
876 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
877 else
878 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 879
880 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 881 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 882 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
883 }
884
885 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 886 return skb;
887}
888
889static void l2cap_send_sframe(struct l2cap_chan *chan,
890 struct l2cap_ctrl *control)
891{
892 struct sk_buff *skb;
893 u32 control_field;
894
895 BT_DBG("chan %p, control %p", chan, control);
896
897 if (!control->sframe)
898 return;
899
900 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
901 !control->poll)
902 control->final = 1;
903
904 if (control->super == L2CAP_SUPER_RR)
905 clear_bit(CONN_RNR_SENT, &chan->conn_state);
906 else if (control->super == L2CAP_SUPER_RNR)
907 set_bit(CONN_RNR_SENT, &chan->conn_state);
908
909 if (control->super != L2CAP_SUPER_SREJ) {
910 chan->last_acked_seq = control->reqseq;
911 __clear_ack_timer(chan);
912 }
913
914 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
915 control->final, control->poll, control->super);
916
917 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
918 control_field = __pack_extended_control(control);
919 else
920 control_field = __pack_enhanced_control(control);
921
922 skb = l2cap_create_sframe_pdu(chan, control_field);
923 if (!IS_ERR(skb))
924 l2cap_do_send(chan, skb);
b5c6aaed
MM		 925}
926
c9e3d5e0 927static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 928{
c9e3d5e0
MM		 929 struct l2cap_ctrl control;
930
931 BT_DBG("chan %p, poll %d", chan, poll);
932
933 memset(&control, 0, sizeof(control));
934 control.sframe = 1;
935 control.poll = poll;
936
937 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
938 control.super = L2CAP_SUPER_RNR;
939 else
940 control.super = L2CAP_SUPER_RR;
b5c6aaed 941
c9e3d5e0
MM		 942 control.reqseq = chan->buffer_seq;
943 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 944}
945
b4450035 946static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 947{
c1360a1c 948 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 949}
950
93c3e8f5
AE		 951static bool __amp_capable(struct l2cap_chan *chan)
952{
953 struct l2cap_conn *conn = chan->conn;
954
955 if (enable_hs &&
956 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
957 conn->fixed_chan_mask & L2CAP_FC_A2MP)
958 return true;
959 else
960 return false;
961}
962
2766be48 963void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 964{
965 struct l2cap_conn *conn = chan->conn;
966 struct l2cap_conn_req req;
967
968 req.scid = cpu_to_le16(chan->scid);
969 req.psm = chan->psm;
970
971 chan->ident = l2cap_get_ident(conn);
972
973 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
974
975 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
976}
977
9f0caeb1
VCG		 978static void l2cap_chan_ready(struct l2cap_chan *chan)
979{
2827011f 980 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 981 chan->conf_state = 0;
982 __clear_chan_timer(chan);
983
54a59aa2 984 chan->state = BT_CONNECTED;
9f0caeb1 985
fd83e2c2 986 chan->ops->ready(chan);
9f0caeb1
VCG		 987}
988
93c3e8f5
AE		 989static void l2cap_start_connection(struct l2cap_chan *chan)
990{
991 if (__amp_capable(chan)) {
992 BT_DBG("chan %p AMP capable: discover AMPs", chan);
993 a2mp_discover_amp(chan);
994 } else {
995 l2cap_send_conn_req(chan);
996 }
997}
998
fc7f8a7e 999static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1000{
8c1d787b 1001 struct l2cap_conn *conn = chan->conn;
79d554a6 1002
9f0caeb1
VCG		 1003 if (conn->hcon->type == LE_LINK) {
1004 l2cap_chan_ready(chan);
1005 return;
1006 }
1007
79d554a6 1008 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1009 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1010 return;
1011
d45fc423 1012 if (l2cap_chan_check_security(chan) &&
2d792818 1013 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1014 l2cap_start_connection(chan);
1015 }
79d554a6
MH		 1016 } else {
1017 struct l2cap_info_req req;
ac73498c 1018 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1019
1020 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1021 conn->info_ident = l2cap_get_ident(conn);
1022
ba13ccd9 1023 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1024
2d792818
GP		 1025 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1026 sizeof(req), &req);
79d554a6
MH		 1027 }
1028}
1029
cf6c2c0b
GP		 1030static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1031{
1032 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1033 if (!disable_ertm)
cf6c2c0b
GP		 1034 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1035
1036 switch (mode) {
1037 case L2CAP_MODE_ERTM:
1038 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1039 case L2CAP_MODE_STREAMING:
1040 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1041 default:
1042 return 0x00;
1043 }
1044}
1045
2d792818
GP		 1046static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1047 struct l2cap_chan *chan, int err)
22121fc9 1048{
6be36555 1049 struct sock *sk = chan->sk;
22121fc9
GP		 1050 struct l2cap_disconn_req req;
1051
c13ffa62
GP		 1052 if (!conn)
1053 return;
1054
0c1bc5c6 1055 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1056 __clear_retrans_timer(chan);
1057 __clear_monitor_timer(chan);
1058 __clear_ack_timer(chan);
c13ffa62
GP		 1059 }
1060
416fa752 1061 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1062 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1063 return;
1064 }
1065
fe4128e0
GP		 1066 req.dcid = cpu_to_le16(chan->dcid);
1067 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1068 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1069 sizeof(req), &req);
c13ffa62 1070
6be36555 1071 lock_sock(sk);
0e587be7 1072 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1073 __l2cap_chan_set_err(chan, err);
6be36555 1074 release_sock(sk);
22121fc9
GP		 1075}
1076
1da177e4 1077/* ---- L2CAP connections ---- */
4e8402a3
MH		 1078static void l2cap_conn_start(struct l2cap_conn *conn)
1079{
3df91ea2 1080 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1081
1082 BT_DBG("conn %p", conn);
1083
3df91ea2 1084 mutex_lock(&conn->chan_lock);
4e8402a3 1085
3df91ea2 1086 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1087 struct sock *sk = chan->sk;
baa7e1fa 1088
6be36555 1089 l2cap_chan_lock(chan);
4e8402a3 1090
715ec005 1091 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1092 l2cap_chan_unlock(chan);
79d554a6
MH		 1093 continue;
1094 }
1095
89bc500e 1096 if (chan->state == BT_CONNECT) {
d45fc423 1097 if (!l2cap_chan_check_security(chan) ||
2d792818 1098 !__l2cap_no_conn_pending(chan)) {
6be36555 1099 l2cap_chan_unlock(chan);
47731de7
GP		 1100 continue;
1101 }
79d554a6 1102
c1360a1c 1103 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1104 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1105 &chan->conf_state)) {
89bc500e 1106 l2cap_chan_close(chan, ECONNRESET);
6be36555 1107 l2cap_chan_unlock(chan);
47731de7 1108 continue;
b1235d79 1109 }
47731de7 1110
93c3e8f5 1111 l2cap_start_connection(chan);
47731de7 1112
89bc500e 1113 } else if (chan->state == BT_CONNECT2) {
79d554a6 1114 struct l2cap_conn_rsp rsp;
e9aeb2dd 1115 char buf[128];
fe4128e0
GP		 1116 rsp.scid = cpu_to_le16(chan->dcid);
1117 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1118
d45fc423 1119 if (l2cap_chan_check_security(chan)) {
6be36555 1120 lock_sock(sk);
c5daa683
GP		 1121 if (test_bit(BT_SK_DEFER_SETUP,
1122 &bt_sk(sk)->flags)) {
ac73498c
AE		 1123 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1124 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1125 chan->ops->defer(chan);
f66dc81f
MH		 1126
1127 } else {
0e587be7 1128 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1129 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1130 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1131 }
6be36555 1132 release_sock(sk);
79d554a6 1133 } else {
ac73498c
AE		 1134 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1135 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1136 }
1137
fc7f8a7e 1138 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1139 sizeof(rsp), &rsp);
e9aeb2dd 1140
c1360a1c 1141 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1142 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1143 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1144 continue;
1145 }
1146
c1360a1c 1147 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1148 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1149 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1150 chan->num_conf_req++;
4e8402a3
MH		 1151 }
1152
6be36555 1153 l2cap_chan_unlock(chan);
4e8402a3
MH		 1154 }
1155
3df91ea2 1156 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1157}
1158
c2287681 1159/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1160 * Returns closest match, locked.
1161 */
d9b88702 1162static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1163 bdaddr_t *src,
1164 bdaddr_t *dst)
b62f328b 1165{
23691d75 1166 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1167
23691d75 1168 read_lock(&chan_list_lock);
b62f328b 1169
23691d75
GP		 1170 list_for_each_entry(c, &chan_list, global_l) {
1171 struct sock *sk = c->sk;
fe4128e0 1172
89bc500e 1173 if (state && c->state != state)
b62f328b
VT		 1174 continue;
1175
23691d75 1176 if (c->scid == cid) {
c2287681
IY		 1177 int src_match, dst_match;
1178 int src_any, dst_any;
1179
b62f328b 1180 /* Exact match. */
c2287681
IY		 1181 src_match = !bacmp(&bt_sk(sk)->src, src);
1182 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1183 if (src_match && dst_match) {
23691d75
GP		 1184 read_unlock(&chan_list_lock);
1185 return c;
1186 }
b62f328b
VT		 1187
1188 /* Closest match */
c2287681
IY		 1189 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1190 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1191 if ((src_match && dst_any) || (src_any && dst_match) ||
1192 (src_any && dst_any))
23691d75 1193 c1 = c;
b62f328b
VT		 1194 }
1195 }
280f294f 1196
23691d75 1197 read_unlock(&chan_list_lock);
b62f328b 1198
23691d75 1199 return c1;
b62f328b
VT		 1200}
1201
1202static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1203{
c916fbe4 1204 struct sock *parent, *sk;
23691d75 1205 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1206
1207 BT_DBG("");
1208
1209 /* Check if we have socket listening on cid */
23691d75 1210 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1211 conn->src, conn->dst);
23691d75 1212 if (!pchan)
b62f328b
VT		 1213 return;
1214
23691d75
GP		 1215 parent = pchan->sk;
1216
aa2ac881 1217 lock_sock(parent);
62f3a2cf 1218
80b98027 1219 chan = pchan->ops->new_connection(pchan);
80808e43 1220 if (!chan)
b62f328b
VT		 1221 goto clean;
1222
80808e43 1223 sk = chan->sk;
5d41ce1d 1224
b62f328b 1225 hci_conn_hold(conn->hcon);
a9ea3ed9 1226 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1227
b62f328b
VT		 1228 bacpy(&bt_sk(sk)->src, conn->src);
1229 bacpy(&bt_sk(sk)->dst, conn->dst);
1230
3d57dc68 1231 l2cap_chan_add(conn, chan);
48454079 1232
6754e0df 1233 l2cap_chan_ready(chan);
b62f328b 1234
b62f328b 1235clean:
aa2ac881 1236 release_sock(parent);
b62f328b
VT		 1237}
1238
4e8402a3
MH		 1239static void l2cap_conn_ready(struct l2cap_conn *conn)
1240{
48454079 1241 struct l2cap_chan *chan;
cc110922 1242 struct hci_conn *hcon = conn->hcon;
4e8402a3 1243
79d554a6 1244 BT_DBG("conn %p", conn);
4e8402a3 1245
cc110922 1246 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1247 l2cap_le_conn_ready(conn);
1248
cc110922
VCG		 1249 if (hcon->out && hcon->type == LE_LINK)
1250 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1251
3df91ea2 1252 mutex_lock(&conn->chan_lock);
4e8402a3 1253
3df91ea2 1254 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1255
6be36555 1256 l2cap_chan_lock(chan);
4e8402a3 1257
416fa752
AE		 1258 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1259 l2cap_chan_unlock(chan);
1260 continue;
1261 }
1262
cc110922
VCG		 1263 if (hcon->type == LE_LINK) {
1264 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1265 l2cap_chan_ready(chan);
acd7d370 1266
63128451 1267 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1268 struct sock *sk = chan->sk;
c9b66675 1269 __clear_chan_timer(chan);
6be36555 1270 lock_sock(sk);
0e587be7 1271 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1272 sk->sk_state_change(sk);
6be36555 1273 release_sock(sk);
b501d6a1 1274
89bc500e 1275 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1276 l2cap_do_start(chan);
4e8402a3 1277
6be36555 1278 l2cap_chan_unlock(chan);
4e8402a3 1279 }
79d554a6 1280
3df91ea2 1281 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1282}
1283
1284/* Notify sockets that we cannot guaranty reliability anymore */
1285static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1286{
48454079 1287 struct l2cap_chan *chan;
4e8402a3
MH		 1288
1289 BT_DBG("conn %p", conn);
1290
3df91ea2 1291 mutex_lock(&conn->chan_lock);
4e8402a3 1292
3df91ea2 1293 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1294 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1295 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1296 }
1297
3df91ea2 1298 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1299}
1300
f878fcad 1301static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1302{
f878fcad 1303 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1304 info_timer.work);
4e8402a3 1305
984947dc 1306 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1307 conn->info_ident = 0;
984947dc 1308
4e8402a3
MH		 1309 l2cap_conn_start(conn);
1310}
1311
5d3de7df
VCG		 1312static void l2cap_conn_del(struct hci_conn *hcon, int err)
1313{
1314 struct l2cap_conn *conn = hcon->l2cap_data;
1315 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1316
1317 if (!conn)
1318 return;
1319
1320 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1321
1322 kfree_skb(conn->rx_skb);
1323
3df91ea2
AE		 1324 mutex_lock(&conn->chan_lock);
1325
5d3de7df
VCG		 1326 /* Kill channels */
1327 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1328 l2cap_chan_hold(chan);
6be36555
AE		 1329 l2cap_chan_lock(chan);
1330
5d3de7df 1331 l2cap_chan_del(chan, err);
6be36555
AE		 1332
1333 l2cap_chan_unlock(chan);
1334
80b98027 1335 chan->ops->close(chan);
61d6ef3e 1336 l2cap_chan_put(chan);
5d3de7df
VCG		 1337 }
1338
3df91ea2
AE		 1339 mutex_unlock(&conn->chan_lock);
1340
73d80deb
LAD		 1341 hci_chan_del(conn->hchan);
1342
5d3de7df 1343 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1344 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1345
51a8efd7 1346 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1347 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1348 smp_chan_destroy(conn);
d26a2345 1349 }
5d3de7df
VCG		 1350
1351 hcon->l2cap_data = NULL;
1352 kfree(conn);
1353}
1354
6c9d42a1 1355static void security_timeout(struct work_struct *work)
5d3de7df 1356{
6c9d42a1 1357 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1358 security_timer.work);
5d3de7df 1359
d06cc416
JH		 1360 BT_DBG("conn %p", conn);
1361
1362 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1363 smp_chan_destroy(conn);
1364 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1365 }
5d3de7df
VCG		 1366}
1367
1da177e4
LT		 1368static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1369{
0139418c 1370 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1371 struct hci_chan *hchan;
1da177e4 1372
0139418c 1373 if (conn || status)
1da177e4
LT		 1374 return conn;
1375
73d80deb
LAD		 1376 hchan = hci_chan_create(hcon);
1377 if (!hchan)
1378 return NULL;
1379
8bcde1f2 1380 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1381 if (!conn) {
1382 hci_chan_del(hchan);
1da177e4 1383 return NULL;
73d80deb 1384 }
1da177e4
LT		 1385
1386 hcon->l2cap_data = conn;
1387 conn->hcon = hcon;
73d80deb 1388 conn->hchan = hchan;
1da177e4 1389
73d80deb 1390 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1391
dcc042d5
AE		 1392 switch (hcon->type) {
1393 case AMP_LINK:
1394 conn->mtu = hcon->hdev->block_mtu;
1395 break;
1396
1397 case LE_LINK:
1398 if (hcon->hdev->le_mtu) {
1399 conn->mtu = hcon->hdev->le_mtu;
1400 break;
1401 }
1402 /* fall through */
1403
1404 default:
acd7d370 1405 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1406 break;
1407 }
acd7d370 1408
1da177e4
LT		 1409 conn->src = &hcon->hdev->bdaddr;
1410 conn->dst = &hcon->dst;
1411
4e8402a3
MH		 1412 conn->feat_mask = 0;
1413
1da177e4 1414 spin_lock_init(&conn->lock);
3df91ea2 1415 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1416
1417 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1418
5d3de7df 1419 if (hcon->type == LE_LINK)
6c9d42a1 1420 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1421 else
030013d8 1422 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1423
9f5a0d7b 1424 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1425
1da177e4
LT		 1426 return conn;
1427}
1428
1da177e4 1429/* ---- Socket interface ---- */
1da177e4 1430
c2287681 1431/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1432 * Returns closest match.
1433 */
c2287681
IY		 1434static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1435 bdaddr_t *src,
1436 bdaddr_t *dst)
1da177e4 1437{
23691d75 1438 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1439
23691d75 1440 read_lock(&chan_list_lock);
e0f0cb56 1441
23691d75
GP		 1442 list_for_each_entry(c, &chan_list, global_l) {
1443 struct sock *sk = c->sk;
fe4128e0 1444
89bc500e 1445 if (state && c->state != state)
1da177e4
LT		 1446 continue;
1447
23691d75 1448 if (c->psm == psm) {
c2287681
IY		 1449 int src_match, dst_match;
1450 int src_any, dst_any;
1451
1da177e4 1452 /* Exact match. */
c2287681
IY		 1453 src_match = !bacmp(&bt_sk(sk)->src, src);
1454 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1455 if (src_match && dst_match) {
a7567b20 1456 read_unlock(&chan_list_lock);
23691d75
GP		 1457 return c;
1458 }
1da177e4
LT		 1459
1460 /* Closest match */
c2287681
IY		 1461 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1462 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1463 if ((src_match && dst_any) || (src_any && dst_match) ||
1464 (src_any && dst_any))
23691d75 1465 c1 = c;
1da177e4
LT		 1466 }
1467 }
1da177e4 1468
23691d75 1469 read_unlock(&chan_list_lock);
e0f0cb56 1470
23691d75 1471 return c1;
1da177e4
LT		 1472}
1473
8e9f9892
AG		 1474int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1475 bdaddr_t *dst, u8 dst_type)
1da177e4 1476{
5d41ce1d 1477 struct sock *sk = chan->sk;
1da177e4 1478 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1479 struct l2cap_conn *conn;
1480 struct hci_conn *hcon;
1481 struct hci_dev *hdev;
09ab6f4c 1482 __u8 auth_type;
44d0e48e 1483 int err;
1da177e4 1484
6ed93dc6 1485 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1486 dst_type, __le16_to_cpu(psm));
1da177e4 1487
af05b30b
GP		 1488 hdev = hci_get_route(dst, src);
1489 if (!hdev)
1da177e4
LT		 1490 return -EHOSTUNREACH;
1491
09fd0de5 1492 hci_dev_lock(hdev);
1da177e4 1493
6be36555 1494 l2cap_chan_lock(chan);
03a00194
GP		 1495
1496 /* PSM must be odd and lsb of upper byte must be 0 */
1497 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1498 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1499 err = -EINVAL;
1500 goto done;
1501 }
1502
1503 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1504 err = -EINVAL;
1505 goto done;
1506 }
1507
1508 switch (chan->mode) {
1509 case L2CAP_MODE_BASIC:
1510 break;
1511 case L2CAP_MODE_ERTM:
1512 case L2CAP_MODE_STREAMING:
1513 if (!disable_ertm)
1514 break;
1515 /* fall through */
1516 default:
1517 err = -ENOTSUPP;
1518 goto done;
1519 }
1520
0797e01d 1521 switch (chan->state) {
03a00194
GP		 1522 case BT_CONNECT:
1523 case BT_CONNECT2:
1524 case BT_CONFIG:
1525 /* Already connecting */
1526 err = 0;
1527 goto done;
1528
1529 case BT_CONNECTED:
1530 /* Already connected */
1531 err = -EISCONN;
1532 goto done;
1533
1534 case BT_OPEN:
1535 case BT_BOUND:
1536 /* Can connect */
1537 break;
1538
1539 default:
1540 err = -EBADFD;
1541 goto done;
1542 }
1543
1544 /* Set destination address and psm */
0797e01d 1545 lock_sock(sk);
9219b2a0 1546 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1547 release_sock(sk);
1548
03a00194
GP		 1549 chan->psm = psm;
1550 chan->dcid = cid;
1da177e4 1551
4343478f 1552 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1553
fe4128e0 1554 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1555 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1556 chan->sec_level, auth_type);
acd7d370 1557 else
8e9f9892 1558 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1559 chan->sec_level, auth_type);
acd7d370 1560
30e76272
VT		 1561 if (IS_ERR(hcon)) {
1562 err = PTR_ERR(hcon);
1da177e4 1563 goto done;
30e76272 1564 }
1da177e4
LT		 1565
1566 conn = l2cap_conn_add(hcon, 0);
1567 if (!conn) {
1568 hci_conn_put(hcon);
30e76272 1569 err = -ENOMEM;
1da177e4
LT		 1570 goto done;
1571 }
1572
9f0caeb1
VCG		 1573 if (hcon->type == LE_LINK) {
1574 err = 0;
1575
1576 if (!list_empty(&conn->chan_l)) {
1577 err = -EBUSY;
1578 hci_conn_put(hcon);
1579 }
1580
1581 if (err)
1582 goto done;
1583 }
1584
1da177e4
LT		 1585 /* Update source addr of the socket */
1586 bacpy(src, conn->src);
1587
6be36555 1588 l2cap_chan_unlock(chan);
48454079 1589 l2cap_chan_add(conn, chan);
6be36555 1590 l2cap_chan_lock(chan);
48454079 1591
6be36555 1592 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1593 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1594
1595 if (hcon->state == BT_CONNECTED) {
715ec005 1596 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1597 __clear_chan_timer(chan);
d45fc423 1598 if (l2cap_chan_check_security(chan))
6be36555 1599 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1600 } else
fc7f8a7e 1601 l2cap_do_start(chan);
1da177e4
LT		 1602 }
1603
30e76272
VT		 1604 err = 0;
1605
1da177e4 1606done:
6be36555 1607 l2cap_chan_unlock(chan);
09fd0de5 1608 hci_dev_unlock(hdev);
1da177e4
LT		 1609 hci_dev_put(hdev);
1610 return err;
1611}
1612
dcba0dba 1613int __l2cap_wait_ack(struct sock *sk)
6161c038 1614{
8c1d787b 1615 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1616 DECLARE_WAITQUEUE(wait, current);
1617 int err = 0;
1618 int timeo = HZ/5;
1619
2b0b05dd 1620 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1621 set_current_state(TASK_INTERRUPTIBLE);
1622 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1623 if (!timeo)
1624 timeo = HZ/5;
1625
1626 if (signal_pending(current)) {
1627 err = sock_intr_errno(timeo);
1628 break;
1629 }
1630
1631 release_sock(sk);
1632 timeo = schedule_timeout(timeo);
1633 lock_sock(sk);
a71a0cf4 1634 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1635
1636 err = sock_error(sk);
1637 if (err)
1638 break;
1639 }
1640 set_current_state(TASK_RUNNING);
2b0b05dd 1641 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1642 return err;
1643}
1644
721c4181 1645static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1646{
721c4181 1647 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1648 monitor_timer.work);
e90bac06 1649
525cd185 1650 BT_DBG("chan %p", chan);
0e98958d 1651
6be36555
AE		 1652 l2cap_chan_lock(chan);
1653
80909e04 1654 if (!chan->conn) {
6be36555 1655 l2cap_chan_unlock(chan);
8d7e1c7f 1656 l2cap_chan_put(chan);
e90bac06
GP		 1657 return;
1658 }
1659
401bb1f7 1660 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1661
6be36555 1662 l2cap_chan_unlock(chan);
8d7e1c7f 1663 l2cap_chan_put(chan);
e90bac06
GP		 1664}
1665
721c4181 1666static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1667{
721c4181 1668 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1669 retrans_timer.work);
e90bac06 1670
49208c9c 1671 BT_DBG("chan %p", chan);
0e98958d 1672
6be36555
AE		 1673 l2cap_chan_lock(chan);
1674
80909e04
MM		 1675 if (!chan->conn) {
1676 l2cap_chan_unlock(chan);
1677 l2cap_chan_put(chan);
1678 return;
1679 }
6be36555 1680
401bb1f7 1681 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1682 l2cap_chan_unlock(chan);
8d7e1c7f 1683 l2cap_chan_put(chan);
e90bac06
GP		 1684}
1685
d660366d
GP		 1686static void l2cap_streaming_send(struct l2cap_chan *chan,
1687 struct sk_buff_head *skbs)
6840ed07 1688{
ccbb84af 1689 struct sk_buff *skb;
3733937d 1690 struct l2cap_ctrl *control;
6840ed07 1691
3733937d
MM		 1692 BT_DBG("chan %p, skbs %p", chan, skbs);
1693
3733937d
MM		 1694 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1695
1696 while (!skb_queue_empty(&chan->tx_q)) {
1697
1698 skb = skb_dequeue(&chan->tx_q);
1699
1700 bt_cb(skb)->control.retries = 1;
1701 control = &bt_cb(skb)->control;
1702
1703 control->reqseq = 0;
1704 control->txseq = chan->next_tx_seq;
1705
1706 __pack_control(chan, control, skb);
6840ed07 1707
47d1ec61 1708 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1709 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1710 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1711 }
1712
4343478f 1713 l2cap_do_send(chan, skb);
6840ed07 1714
b4400672 1715 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1716
836be934 1717 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1718 chan->frames_sent++;
6840ed07 1719 }
6840ed07
GP		 1720}
1721
67c9e840 1722static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1723{
1724 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1725 struct l2cap_ctrl *control;
1726 int sent = 0;
1727
1728 BT_DBG("chan %p", chan);
1c2acffb 1729
89bc500e 1730 if (chan->state != BT_CONNECTED)
c13ffa62 1731 return -ENOTCONN;
e90bac06 1732
94122bbe
MM		 1733 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1734 return 0;
1735
18a48e76
MM		 1736 while (chan->tx_send_head &&
1737 chan->unacked_frames < chan->remote_tx_win &&
1738 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1739
18a48e76 1740 skb = chan->tx_send_head;
e90bac06 1741
18a48e76
MM		 1742 bt_cb(skb)->control.retries = 1;
1743 control = &bt_cb(skb)->control;
95ffa978 1744
e2ab4353 1745 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1746 control->final = 1;
e2ab4353 1747
18a48e76
MM		 1748 control->reqseq = chan->buffer_seq;
1749 chan->last_acked_seq = chan->buffer_seq;
1750 control->txseq = chan->next_tx_seq;
1c2acffb 1751
18a48e76 1752 __pack_control(chan, control, skb);
e90bac06 1753
47d1ec61 1754 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1755 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1756 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1757 }
1758
18a48e76
MM		 1759 /* Clone after data has been modified. Data is assumed to be
1760 read-only (for locking purposes) on cloned sk_buffs.
1761 */
1762 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1763
18a48e76
MM		 1764 if (!tx_skb)
1765 break;
1c2acffb 1766
18a48e76 1767 __set_retrans_timer(chan);
836be934
AE		 1768
1769 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1770 chan->unacked_frames++;
6a026610 1771 chan->frames_sent++;
18a48e76 1772 sent++;
1c2acffb 1773
58d35f87
GP		 1774 if (skb_queue_is_last(&chan->tx_q, skb))
1775 chan->tx_send_head = NULL;
1c2acffb 1776 else
58d35f87 1777 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1778
1779 l2cap_do_send(chan, tx_skb);
b4400672 1780 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1781 }
1782
b4400672
AE		 1783 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1784 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1785
1786 return sent;
9e917af1
GP		 1787}
1788
e1fbd4c1
MM		 1789static void l2cap_ertm_resend(struct l2cap_chan *chan)
1790{
1791 struct l2cap_ctrl control;
1792 struct sk_buff *skb;
1793 struct sk_buff *tx_skb;
1794 u16 seq;
1795
1796 BT_DBG("chan %p", chan);
1797
1798 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1799 return;
1800
1801 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1802 seq = l2cap_seq_list_pop(&chan->retrans_list);
1803
1804 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1805 if (!skb) {
1806 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1807 seq);
e1fbd4c1
MM		 1808 continue;
1809 }
1810
1811 bt_cb(skb)->control.retries++;
1812 control = bt_cb(skb)->control;
1813
1814 if (chan->max_tx != 0 &&
1815 bt_cb(skb)->control.retries > chan->max_tx) {
1816 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1817 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1818 l2cap_seq_list_clear(&chan->retrans_list);
1819 break;
1820 }
1821
1822 control.reqseq = chan->buffer_seq;
1823 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1824 control.final = 1;
1825 else
1826 control.final = 0;
1827
1828 if (skb_cloned(skb)) {
1829 /* Cloned sk_buffs are read-only, so we need a
1830 * writeable copy
1831 */
8bcde1f2 1832 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1833 } else {
8bcde1f2 1834 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1835 }
1836
1837 if (!tx_skb) {
1838 l2cap_seq_list_clear(&chan->retrans_list);
1839 break;
1840 }
1841
1842 /* Update skb contents */
1843 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1844 put_unaligned_le32(__pack_extended_control(&control),
1845 tx_skb->data + L2CAP_HDR_SIZE);
1846 } else {
1847 put_unaligned_le16(__pack_enhanced_control(&control),
1848 tx_skb->data + L2CAP_HDR_SIZE);
1849 }
1850
1851 if (chan->fcs == L2CAP_FCS_CRC16) {
1852 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1853 put_unaligned_le16(fcs, skb_put(tx_skb,
1854 L2CAP_FCS_SIZE));
1855 }
1856
1857 l2cap_do_send(chan, tx_skb);
1858
1859 BT_DBG("Resent txseq %d", control.txseq);
1860
1861 chan->last_acked_seq = chan->buffer_seq;
1862 }
1863}
1864
f80842a8
MM		 1865static void l2cap_retransmit(struct l2cap_chan *chan,
1866 struct l2cap_ctrl *control)
1867{
1868 BT_DBG("chan %p, control %p", chan, control);
1869
1870 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1871 l2cap_ertm_resend(chan);
1872}
1873
d2a7ac5d
MM		 1874static void l2cap_retransmit_all(struct l2cap_chan *chan,
1875 struct l2cap_ctrl *control)
1876{
e1fbd4c1
MM		 1877 struct sk_buff *skb;
1878
1879 BT_DBG("chan %p, control %p", chan, control);
1880
1881 if (control->poll)
1882 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1883
1884 l2cap_seq_list_clear(&chan->retrans_list);
1885
1886 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1887 return;
1888
1889 if (chan->unacked_frames) {
1890 skb_queue_walk(&chan->tx_q, skb) {
1891 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 1892 skb == chan->tx_send_head)
e1fbd4c1
MM		 1893 break;
1894 }
1895
1896 skb_queue_walk_from(&chan->tx_q, skb) {
1897 if (skb == chan->tx_send_head)
1898 break;
1899
1900 l2cap_seq_list_append(&chan->retrans_list,
1901 bt_cb(skb)->control.txseq);
1902 }
1903
1904 l2cap_ertm_resend(chan);
1905 }
d2a7ac5d
MM		 1906}
1907
0a0aba42 1908static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1909{
0a0aba42
MM		 1910 struct l2cap_ctrl control;
1911 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1912 chan->last_acked_seq);
1913 int threshold;
9e917af1 1914
0a0aba42
MM		 1915 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1916 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1917
0a0aba42
MM		 1918 memset(&control, 0, sizeof(control));
1919 control.sframe = 1;
dfc909be 1920
0a0aba42
MM		 1921 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1922 chan->rx_state == L2CAP_RX_STATE_RECV) {
1923 __clear_ack_timer(chan);
1924 control.super = L2CAP_SUPER_RNR;
1925 control.reqseq = chan->buffer_seq;
1926 l2cap_send_sframe(chan, &control);
1927 } else {
1928 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1929 l2cap_ertm_send(chan);
1930 /* If any i-frames were sent, they included an ack */
1931 if (chan->buffer_seq == chan->last_acked_seq)
1932 frames_to_ack = 0;
1933 }
dfc909be 1934
c20f8e35 1935 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1936 * Calculate without mul or div
1937 */
c20f8e35 1938 threshold = chan->ack_win;
0a0aba42
MM		 1939 threshold += threshold << 1;
1940 threshold >>= 2;
1941
b4400672 1942 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1943 threshold);
1944
1945 if (frames_to_ack >= threshold) {
1946 __clear_ack_timer(chan);
1947 control.super = L2CAP_SUPER_RR;
1948 control.reqseq = chan->buffer_seq;
1949 l2cap_send_sframe(chan, &control);
1950 frames_to_ack = 0;
1951 }
1c2acffb 1952
0a0aba42
MM		 1953 if (frames_to_ack)
1954 __set_ack_timer(chan);
1955 }
b17e73bb
SJ		 1956}
1957
04124681
GP		 1958static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1959 struct msghdr *msg, int len,
1960 int count, struct sk_buff *skb)
1c2acffb 1961{
0952a57a 1962 struct l2cap_conn *conn = chan->conn;
1c2acffb 1963 struct sk_buff **frag;
90338947 1964 int sent = 0;
1da177e4 1965
59203a21 1966 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1967 return -EFAULT;
1da177e4
LT		 1968
1969 sent += count;
1970 len -= count;
1971
1972 /* Continuation fragments (no L2CAP header) */
1973 frag = &skb_shinfo(skb)->frag_list;
1974 while (len) {
fbe00700
GP		 1975 struct sk_buff *tmp;
1976
1da177e4
LT		 1977 count = min_t(unsigned int, conn->mtu, len);
1978
fbe00700
GP		 1979 tmp = chan->ops->alloc_skb(chan, count,
1980 msg->msg_flags & MSG_DONTWAIT);
1981 if (IS_ERR(tmp))
1982 return PTR_ERR(tmp);
1983
1984 *frag = tmp;
2f7719ce 1985
1c2acffb
GP		 1986 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1987 return -EFAULT;
1da177e4 1988
5e59b791
LAD		 1989 (*frag)->priority = skb->priority;
1990
1da177e4
LT		 1991 sent += count;
1992 len -= count;
1993
2d0ed3d5
GP		 1994 skb->len += (*frag)->len;
1995 skb->data_len += (*frag)->len;
1996
1da177e4
LT		 1997 frag = &(*frag)->next;
1998 }
1da177e4
LT		 1999
2000 return sent;
1c2acffb 2001}
1da177e4 2002
5e59b791 2003static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2004 struct msghdr *msg, size_t len,
2005 u32 priority)
1c2acffb 2006{
8c1d787b 2007 struct l2cap_conn *conn = chan->conn;
1c2acffb 2008 struct sk_buff *skb;
03a51213 2009 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2010 struct l2cap_hdr *lh;
2011
b4400672 2012 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2013
2014 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2015
2016 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2017 msg->msg_flags & MSG_DONTWAIT);
2018 if (IS_ERR(skb))
2019 return skb;
1c2acffb 2020
5e59b791
LAD		 2021 skb->priority = priority;
2022
1c2acffb
GP		 2023 /* Create L2CAP header */
2024 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2025 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2026 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2027 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2028
0952a57a 2029 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2030 if (unlikely(err < 0)) {
2031 kfree_skb(skb);
2032 return ERR_PTR(err);
2033 }
2034 return skb;
2035}
2036
5e59b791 2037static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2038 struct msghdr *msg, size_t len,
2039 u32 priority)
1c2acffb 2040{
8c1d787b 2041 struct l2cap_conn *conn = chan->conn;
1c2acffb 2042 struct sk_buff *skb;
f2ba7fae 2043 int err, count;
1c2acffb
GP		 2044 struct l2cap_hdr *lh;
2045
b4400672 2046 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2047
f2ba7fae 2048 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2049
f2ba7fae 2050 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2051 msg->msg_flags & MSG_DONTWAIT);
2052 if (IS_ERR(skb))
2053 return skb;
1c2acffb 2054
5e59b791
LAD		 2055 skb->priority = priority;
2056
1c2acffb
GP		 2057 /* Create L2CAP header */
2058 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2059 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2060 lh->len = cpu_to_le16(len);
1c2acffb 2061
0952a57a 2062 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2063 if (unlikely(err < 0)) {
2064 kfree_skb(skb);
2065 return ERR_PTR(err);
2066 }
2067 return skb;
2068}
2069
ab0ff76d 2070static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2071 struct msghdr *msg, size_t len,
2072 u16 sdulen)
1c2acffb 2073{
8c1d787b 2074 struct l2cap_conn *conn = chan->conn;
1c2acffb 2075 struct sk_buff *skb;
e4ca6d98 2076 int err, count, hlen;
1c2acffb
GP		 2077 struct l2cap_hdr *lh;
2078
b4400672 2079 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2080
0ee0d208
GP		 2081 if (!conn)
2082 return ERR_PTR(-ENOTCONN);
2083
ba7aa64f 2084 hlen = __ertm_hdr_size(chan);
e4ca6d98 2085
c74e560c 2086 if (sdulen)
03a51213 2087 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2088
47d1ec61 2089 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2090 hlen += L2CAP_FCS_SIZE;
fcc203c3 2091
1c2acffb 2092 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2093
2094 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2095 msg->msg_flags & MSG_DONTWAIT);
2096 if (IS_ERR(skb))
2097 return skb;
1c2acffb
GP		 2098
2099 /* Create L2CAP header */
2100 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2101 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2102 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2103
18a48e76
MM		 2104 /* Control header is populated later */
2105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2106 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2107 else
2108 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2109
c74e560c 2110 if (sdulen)
03a51213 2111 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2112
0952a57a 2113 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2114 if (unlikely(err < 0)) {
2115 kfree_skb(skb);
2116 return ERR_PTR(err);
2117 }
e90bac06 2118
18a48e76 2119 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2120 bt_cb(skb)->control.retries = 0;
1c2acffb 2121 return skb;
1da177e4
LT		 2122}
2123
94122bbe
MM		 2124static int l2cap_segment_sdu(struct l2cap_chan *chan,
2125 struct sk_buff_head *seg_queue,
2126 struct msghdr *msg, size_t len)
c74e560c 2127{
c74e560c 2128 struct sk_buff *skb;
94122bbe
MM		 2129 u16 sdu_len;
2130 size_t pdu_len;
94122bbe 2131 u8 sar;
c74e560c 2132
b4400672 2133 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2134
94122bbe
MM		 2135 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2136 * so fragmented skbs are not used. The HCI layer's handling
2137 * of fragmented skbs is not compatible with ERTM's queueing.
2138 */
c74e560c 2139
94122bbe
MM		 2140 /* PDU size is derived from the HCI MTU */
2141 pdu_len = chan->conn->mtu;
c74e560c 2142
94122bbe
MM		 2143 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2144
2145 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2146 if (chan->fcs)
2147 pdu_len -= L2CAP_FCS_SIZE;
2148
ba7aa64f 2149 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2150
2151 /* Remote device may have requested smaller PDUs */
2152 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2153
2154 if (len <= pdu_len) {
2155 sar = L2CAP_SAR_UNSEGMENTED;
2156 sdu_len = 0;
2157 pdu_len = len;
2158 } else {
2159 sar = L2CAP_SAR_START;
2160 sdu_len = len;
2161 pdu_len -= L2CAP_SDULEN_SIZE;
2162 }
2163
2164 while (len > 0) {
2165 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2166
c74e560c 2167 if (IS_ERR(skb)) {
94122bbe 2168 __skb_queue_purge(seg_queue);
c74e560c
GP		 2169 return PTR_ERR(skb);
2170 }
2171
94122bbe
MM		 2172 bt_cb(skb)->control.sar = sar;
2173 __skb_queue_tail(seg_queue, skb);
2174
2175 len -= pdu_len;
2176 if (sdu_len) {
2177 sdu_len = 0;
2178 pdu_len += L2CAP_SDULEN_SIZE;
2179 }
2180
2181 if (len <= pdu_len) {
2182 sar = L2CAP_SAR_END;
2183 pdu_len = len;
2184 } else {
2185 sar = L2CAP_SAR_CONTINUE;
2186 }
c74e560c 2187 }
c74e560c 2188
f0f62799 2189 return 0;
c74e560c
GP		 2190}
2191
5e59b791 2192int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2193 u32 priority)
9a91a04a 2194{
9a91a04a 2195 struct sk_buff *skb;
9a91a04a 2196 int err;
94122bbe 2197 struct sk_buff_head seg_queue;
9a91a04a
GP		 2198
2199 /* Connectionless channel */
715ec005 2200 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2201 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2202 if (IS_ERR(skb))
2203 return PTR_ERR(skb);
2204
2205 l2cap_do_send(chan, skb);
2206 return len;
2207 }
2208
2209 switch (chan->mode) {
2210 case L2CAP_MODE_BASIC:
2211 /* Check outgoing MTU */
2212 if (len > chan->omtu)
2213 return -EMSGSIZE;
2214
2215 /* Create a basic PDU */
5e59b791 2216 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2217 if (IS_ERR(skb))
2218 return PTR_ERR(skb);
2219
2220 l2cap_do_send(chan, skb);
2221 err = len;
2222 break;
2223
2224 case L2CAP_MODE_ERTM:
2225 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2226 /* Check outgoing MTU */
2227 if (len > chan->omtu) {
2228 err = -EMSGSIZE;
2229 break;
2230 }
9a91a04a 2231
94122bbe 2232 __skb_queue_head_init(&seg_queue);
9a91a04a 2233
94122bbe
MM		 2234 /* Do segmentation before calling in to the state machine,
2235 * since it's possible to block while waiting for memory
2236 * allocation.
2237 */
2238 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2239
94122bbe
MM		 2240 /* The channel could have been closed while segmenting,
2241 * check that it is still connected.
2242 */
2243 if (chan->state != BT_CONNECTED) {
2244 __skb_queue_purge(&seg_queue);
2245 err = -ENOTCONN;
9a91a04a
GP		 2246 }
2247
94122bbe 2248 if (err)
9a91a04a 2249 break;
9a91a04a 2250
3733937d 2251 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2252 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2253 else
d660366d 2254 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2255
d660366d 2256 err = len;
9a91a04a 2257
94122bbe
MM		 2258 /* If the skbs were not queued for sending, they'll still be in
2259 * seg_queue and need to be purged.
2260 */
2261 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2262 break;
2263
2264 default:
2265 BT_DBG("bad state %1.1x", chan->mode);
2266 err = -EBADFD;
2267 }
2268
2269 return err;
2270}
2271
d2a7ac5d
MM		 2272static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2273{
bed68bde
MM		 2274 struct l2cap_ctrl control;
2275 u16 seq;
2276
b4400672 2277 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2278
2279 memset(&control, 0, sizeof(control));
2280 control.sframe = 1;
2281 control.super = L2CAP_SUPER_SREJ;
2282
2283 for (seq = chan->expected_tx_seq; seq != txseq;
2284 seq = __next_seq(chan, seq)) {
2285 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2286 control.reqseq = seq;
2287 l2cap_send_sframe(chan, &control);
2288 l2cap_seq_list_append(&chan->srej_list, seq);
2289 }
2290 }
2291
2292 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2293}
2294
2295static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2296{
bed68bde
MM		 2297 struct l2cap_ctrl control;
2298
2299 BT_DBG("chan %p", chan);
2300
2301 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2302 return;
2303
2304 memset(&control, 0, sizeof(control));
2305 control.sframe = 1;
2306 control.super = L2CAP_SUPER_SREJ;
2307 control.reqseq = chan->srej_list.tail;
2308 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2309}
2310
2311static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2312{
bed68bde
MM		 2313 struct l2cap_ctrl control;
2314 u16 initial_head;
2315 u16 seq;
2316
b4400672 2317 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2318
2319 memset(&control, 0, sizeof(control));
2320 control.sframe = 1;
2321 control.super = L2CAP_SUPER_SREJ;
2322
2323 /* Capture initial list head to allow only one pass through the list. */
2324 initial_head = chan->srej_list.head;
2325
2326 do {
2327 seq = l2cap_seq_list_pop(&chan->srej_list);
2328 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2329 break;
2330
2331 control.reqseq = seq;
2332 l2cap_send_sframe(chan, &control);
2333 l2cap_seq_list_append(&chan->srej_list, seq);
2334 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2335}
2336
608bcc6d
MM		 2337static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2338{
2339 struct sk_buff *acked_skb;
2340 u16 ackseq;
2341
b4400672 2342 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2343
2344 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2345 return;
2346
b4400672 2347 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2348 chan->expected_ack_seq, chan->unacked_frames);
2349
2350 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2351 ackseq = __next_seq(chan, ackseq)) {
2352
2353 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2354 if (acked_skb) {
2355 skb_unlink(acked_skb, &chan->tx_q);
2356 kfree_skb(acked_skb);
2357 chan->unacked_frames--;
2358 }
2359 }
2360
2361 chan->expected_ack_seq = reqseq;
2362
2363 if (chan->unacked_frames == 0)
2364 __clear_retrans_timer(chan);
2365
b4400672 2366 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2367}
2368
2369static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2370{
2371 BT_DBG("chan %p", chan);
2372
2373 chan->expected_tx_seq = chan->buffer_seq;
2374 l2cap_seq_list_clear(&chan->srej_list);
2375 skb_queue_purge(&chan->srej_q);
2376 chan->rx_state = L2CAP_RX_STATE_RECV;
2377}
2378
d660366d
GP		 2379static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2380 struct l2cap_ctrl *control,
2381 struct sk_buff_head *skbs, u8 event)
608bcc6d 2382{
608bcc6d
MM		 2383 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2384 event);
2385
2386 switch (event) {
2387 case L2CAP_EV_DATA_REQUEST:
2388 if (chan->tx_send_head == NULL)
2389 chan->tx_send_head = skb_peek(skbs);
2390
2391 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2392 l2cap_ertm_send(chan);
2393 break;
2394 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2395 BT_DBG("Enter LOCAL_BUSY");
2396 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2397
2398 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2399 /* The SREJ_SENT state must be aborted if we are to
2400 * enter the LOCAL_BUSY state.
2401 */
2402 l2cap_abort_rx_srej_sent(chan);
2403 }
2404
2405 l2cap_send_ack(chan);
2406
2407 break;
2408 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2409 BT_DBG("Exit LOCAL_BUSY");
2410 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2411
2412 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2413 struct l2cap_ctrl local_control;
2414
2415 memset(&local_control, 0, sizeof(local_control));
2416 local_control.sframe = 1;
2417 local_control.super = L2CAP_SUPER_RR;
2418 local_control.poll = 1;
2419 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2420 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2421
2422 chan->retry_count = 1;
2423 __set_monitor_timer(chan);
2424 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2425 }
2426 break;
2427 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2428 l2cap_process_reqseq(chan, control->reqseq);
2429 break;
2430 case L2CAP_EV_EXPLICIT_POLL:
2431 l2cap_send_rr_or_rnr(chan, 1);
2432 chan->retry_count = 1;
2433 __set_monitor_timer(chan);
2434 __clear_ack_timer(chan);
2435 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2436 break;
2437 case L2CAP_EV_RETRANS_TO:
2438 l2cap_send_rr_or_rnr(chan, 1);
2439 chan->retry_count = 1;
2440 __set_monitor_timer(chan);
2441 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2442 break;
2443 case L2CAP_EV_RECV_FBIT:
2444 /* Nothing to process */
2445 break;
2446 default:
2447 break;
2448 }
608bcc6d
MM		 2449}
2450
d660366d
GP		 2451static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2452 struct l2cap_ctrl *control,
2453 struct sk_buff_head *skbs, u8 event)
608bcc6d 2454{
608bcc6d
MM		 2455 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2456 event);
2457
2458 switch (event) {
2459 case L2CAP_EV_DATA_REQUEST:
2460 if (chan->tx_send_head == NULL)
2461 chan->tx_send_head = skb_peek(skbs);
2462 /* Queue data, but don't send. */
2463 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2464 break;
2465 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2466 BT_DBG("Enter LOCAL_BUSY");
2467 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2468
2469 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2470 /* The SREJ_SENT state must be aborted if we are to
2471 * enter the LOCAL_BUSY state.
2472 */
2473 l2cap_abort_rx_srej_sent(chan);
2474 }
2475
2476 l2cap_send_ack(chan);
2477
2478 break;
2479 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2480 BT_DBG("Exit LOCAL_BUSY");
2481 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2482
2483 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2484 struct l2cap_ctrl local_control;
2485 memset(&local_control, 0, sizeof(local_control));
2486 local_control.sframe = 1;
2487 local_control.super = L2CAP_SUPER_RR;
2488 local_control.poll = 1;
2489 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2490 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2491
2492 chan->retry_count = 1;
2493 __set_monitor_timer(chan);
2494 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2495 }
2496 break;
2497 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2498 l2cap_process_reqseq(chan, control->reqseq);
2499
2500 /* Fall through */
2501
2502 case L2CAP_EV_RECV_FBIT:
2503 if (control && control->final) {
2504 __clear_monitor_timer(chan);
2505 if (chan->unacked_frames > 0)
2506 __set_retrans_timer(chan);
2507 chan->retry_count = 0;
2508 chan->tx_state = L2CAP_TX_STATE_XMIT;
2509 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2510 }
2511 break;
2512 case L2CAP_EV_EXPLICIT_POLL:
2513 /* Ignore */
2514 break;
2515 case L2CAP_EV_MONITOR_TO:
2516 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2517 l2cap_send_rr_or_rnr(chan, 1);
2518 __set_monitor_timer(chan);
2519 chan->retry_count++;
2520 } else {
2521 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2522 }
2523 break;
2524 default:
2525 break;
2526 }
608bcc6d
MM		 2527}
2528
d660366d
GP		 2529static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2530 struct sk_buff_head *skbs, u8 event)
608bcc6d 2531{
608bcc6d
MM		 2532 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2533 chan, control, skbs, event, chan->tx_state);
2534
2535 switch (chan->tx_state) {
2536 case L2CAP_TX_STATE_XMIT:
d660366d 2537 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2538 break;
2539 case L2CAP_TX_STATE_WAIT_F:
d660366d 2540 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2541 break;
2542 default:
2543 /* Ignore event */
2544 break;
2545 }
608bcc6d
MM		 2546}
2547
4b51dae9
MM		 2548static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2549 struct l2cap_ctrl *control)
2550{
2551 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2552 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2553}
2554
f80842a8
MM		 2555static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2556 struct l2cap_ctrl *control)
2557{
2558 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2559 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2560}
2561
1da177e4
LT		 2562/* Copy frame to all raw sockets on that connection */
2563static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2564{
1da177e4 2565 struct sk_buff *nskb;
48454079 2566 struct l2cap_chan *chan;
1da177e4
LT		 2567
2568 BT_DBG("conn %p", conn);
2569
3df91ea2 2570 mutex_lock(&conn->chan_lock);
3d57dc68 2571
3df91ea2 2572 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2573 struct sock *sk = chan->sk;
715ec005 2574 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2575 continue;
2576
2577 /* Don't send frame to the socket it came from */
2578 if (skb->sk == sk)
2579 continue;
8bcde1f2 2580 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2581 if (!nskb)
1da177e4
LT		 2582 continue;
2583
80b98027 2584 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2585 kfree_skb(nskb);
2586 }
3d57dc68 2587
3df91ea2 2588 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2589}
2590
2591/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2592static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2593 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2594{
2595 struct sk_buff *skb, **frag;
2596 struct l2cap_cmd_hdr *cmd;
2597 struct l2cap_hdr *lh;
2598 int len, count;
2599
b4400672
AE		 2600 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2601 conn, code, ident, dlen);
1da177e4
LT		 2602
2603 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2604 count = min_t(unsigned int, conn->mtu, len);
2605
8bcde1f2 2606 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2607 if (!skb)
2608 return NULL;
2609
2610 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2611 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2612
2613 if (conn->hcon->type == LE_LINK)
ac73498c 2614 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2615 else
ac73498c 2616 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2617
2618 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2619 cmd->code = code;
2620 cmd->ident = ident;
aca3192c 2621 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2622
2623 if (dlen) {
2624 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2625 memcpy(skb_put(skb, count), data, count);
2626 data += count;
2627 }
2628
2629 len -= skb->len;
2630
2631 /* Continuation fragments (no L2CAP header) */
2632 frag = &skb_shinfo(skb)->frag_list;
2633 while (len) {
2634 count = min_t(unsigned int, conn->mtu, len);
2635
8bcde1f2 2636 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2637 if (!*frag)
2638 goto fail;
2639
2640 memcpy(skb_put(*frag, count), data, count);
2641
2642 len -= count;
2643 data += count;
2644
2645 frag = &(*frag)->next;
2646 }
2647
2648 return skb;
2649
2650fail:
2651 kfree_skb(skb);
2652 return NULL;
2653}
2654
2d792818
GP		 2655static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2656 unsigned long *val)
1da177e4
LT		 2657{
2658 struct l2cap_conf_opt *opt = *ptr;
2659 int len;
2660
2661 len = L2CAP_CONF_OPT_SIZE + opt->len;
2662 *ptr += len;
2663
2664 *type = opt->type;
2665 *olen = opt->len;
2666
2667 switch (opt->len) {
2668 case 1:
2669 *val = *((u8 *) opt->val);
2670 break;
2671
2672 case 2:
bfaaeb3e 2673 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2674 break;
2675
2676 case 4:
bfaaeb3e 2677 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2678 break;
2679
2680 default:
2681 *val = (unsigned long) opt->val;
2682 break;
2683 }
2684
b4400672 2685 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2686 return len;
2687}
2688
1da177e4
LT		 2689static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2690{
2691 struct l2cap_conf_opt *opt = *ptr;
2692
b4400672 2693 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2694
2695 opt->type = type;
2696 opt->len = len;
2697
2698 switch (len) {
2699 case 1:
2700 *((u8 *) opt->val) = val;
2701 break;
2702
2703 case 2:
4f8b691c 2704 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2705 break;
2706
2707 case 4:
4f8b691c 2708 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2709 break;
2710
2711 default:
2712 memcpy(opt->val, (void *) val, len);
2713 break;
2714 }
2715
2716 *ptr += L2CAP_CONF_OPT_SIZE + len;
2717}
2718
f89cef09
AE		 2719static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2720{
2721 struct l2cap_conf_efs efs;
2722
1ec918ce 2723 switch (chan->mode) {
f89cef09
AE		 2724 case L2CAP_MODE_ERTM:
2725 efs.id = chan->local_id;
2726 efs.stype = chan->local_stype;
2727 efs.msdu = cpu_to_le16(chan->local_msdu);
2728 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2729 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2730 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2731 break;
2732
2733 case L2CAP_MODE_STREAMING:
2734 efs.id = 1;
2735 efs.stype = L2CAP_SERV_BESTEFFORT;
2736 efs.msdu = cpu_to_le16(chan->local_msdu);
2737 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2738 efs.acc_lat = 0;
2739 efs.flush_to = 0;
2740 break;
2741
2742 default:
2743 return;
2744 }
2745
2746 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2747 (unsigned long) &efs);
f89cef09
AE		 2748}
2749
721c4181 2750static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2751{
721c4181 2752 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2753 ack_timer.work);
2754 u16 frames_to_ack;
c1b4f43b 2755
2fb9b3d4
GP		 2756 BT_DBG("chan %p", chan);
2757
6be36555
AE		 2758 l2cap_chan_lock(chan);
2759
0362520b
MM		 2760 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2761 chan->last_acked_seq);
6be36555 2762
0362520b
MM		 2763 if (frames_to_ack)
2764 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2765
0362520b 2766 l2cap_chan_unlock(chan);
09bfb2ee 2767 l2cap_chan_put(chan);
c1b4f43b
GP		 2768}
2769
466f8004 2770int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2771{
3c588192
MM		 2772 int err;
2773
105bdf9e
MM		 2774 chan->next_tx_seq = 0;
2775 chan->expected_tx_seq = 0;
42e5c802 2776 chan->expected_ack_seq = 0;
6a026610 2777 chan->unacked_frames = 0;
42e5c802 2778 chan->buffer_seq = 0;
6a026610 2779 chan->frames_sent = 0;
105bdf9e
MM		 2780 chan->last_acked_seq = 0;
2781 chan->sdu = NULL;
2782 chan->sdu_last_frag = NULL;
2783 chan->sdu_len = 0;
2784
d34c34fb
MM		 2785 skb_queue_head_init(&chan->tx_q);
2786
105bdf9e
MM		 2787 if (chan->mode != L2CAP_MODE_ERTM)
2788 return 0;
2789
2790 chan->rx_state = L2CAP_RX_STATE_RECV;
2791 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2792
721c4181
GP		 2793 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2794 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2795 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2796
f1c6775b 2797 skb_queue_head_init(&chan->srej_q);
1890d36b 2798
3c588192
MM		 2799 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2800 if (err < 0)
2801 return err;
2802
9dc9affc
MM		 2803 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2804 if (err < 0)
2805 l2cap_seq_list_free(&chan->srej_list);
2806
2807 return err;
0565c1c2
GP		 2808}
2809
f2fcfcd6
GP		 2810static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2811{
2812 switch (mode) {
2813 case L2CAP_MODE_STREAMING:
2814 case L2CAP_MODE_ERTM:
2815 if (l2cap_mode_supported(mode, remote_feat_mask))
2816 return mode;
2817 /* fall through */
2818 default:
2819 return L2CAP_MODE_BASIC;
2820 }
2821}
2822
6327eb98
AE		 2823static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2824{
2825 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2826}
2827
f89cef09
AE		 2828static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2829{
2830 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2831}
2832
6327eb98
AE		 2833static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2834{
2835 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 2836 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2837 /* use extended control field */
2838 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2839 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2840 } else {
6327eb98 2841 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 2842 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2843 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2844 }
c20f8e35 2845 chan->ack_win = chan->tx_win;
6327eb98
AE		 2846}
2847
710f9b0a 2848static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2849{
1da177e4 2850 struct l2cap_conf_req *req = data;
0c1bc5c6 2851 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2852 void *ptr = req->data;
c8f79162 2853 u16 size;
1da177e4 2854
49208c9c 2855 BT_DBG("chan %p", chan);
1da177e4 2856
73ffa904 2857 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2858 goto done;
2859
0c1bc5c6 2860 switch (chan->mode) {
f2fcfcd6
GP		 2861 case L2CAP_MODE_STREAMING:
2862 case L2CAP_MODE_ERTM:
c1360a1c 2863 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2864 break;
85eb53c6 2865
f89cef09
AE		 2866 if (__l2cap_efs_supported(chan))
2867 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2868
2ba13ed6 2869 /* fall through */
f2fcfcd6 2870 default:
8c1d787b 2871 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2872 break;
2873 }
2874
2875done:
0c1bc5c6
GP		 2876 if (chan->imtu != L2CAP_DEFAULT_MTU)
2877 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2878
0c1bc5c6 2879 switch (chan->mode) {
65c7c491 2880 case L2CAP_MODE_BASIC:
8c1d787b 2881 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 2882 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2883 break;
2884
62547752
GP		 2885 rfc.mode = L2CAP_MODE_BASIC;
2886 rfc.txwin_size = 0;
2887 rfc.max_transmit = 0;
2888 rfc.retrans_timeout = 0;
2889 rfc.monitor_timeout = 0;
2890 rfc.max_pdu_size = 0;
2891
63406504 2892 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2893 (unsigned long) &rfc);
65c7c491
MH		 2894 break;
2895
2896 case L2CAP_MODE_ERTM:
2897 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2898 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2899 rfc.retrans_timeout = 0;
2900 rfc.monitor_timeout = 0;
c8f79162
AE		 2901
2902 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2903 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2904 L2CAP_FCS_SIZE);
c8f79162 2905 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2906
6327eb98
AE		 2907 l2cap_txwin_setup(chan);
2908
2909 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 2910 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2911
63406504 2912 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2913 (unsigned long) &rfc);
63406504 2914
f89cef09
AE		 2915 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2916 l2cap_add_opt_efs(&ptr, chan);
2917
8c1d787b 2918 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2919 break;
2920
47d1ec61 2921 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2922 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2923 chan->fcs = L2CAP_FCS_NONE;
2924 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2925 }
6327eb98
AE		 2926
2927 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2928 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 2929 chan->tx_win);
f2fcfcd6
GP		 2930 break;
2931
2932 case L2CAP_MODE_STREAMING:
273759e2 2933 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2934 rfc.mode = L2CAP_MODE_STREAMING;
2935 rfc.txwin_size = 0;
2936 rfc.max_transmit = 0;
2937 rfc.retrans_timeout = 0;
2938 rfc.monitor_timeout = 0;
c8f79162
AE		 2939
2940 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2941 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2942 L2CAP_FCS_SIZE);
c8f79162 2943 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2944
63406504 2945 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2946 (unsigned long) &rfc);
63406504 2947
f89cef09
AE		 2948 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2949 l2cap_add_opt_efs(&ptr, chan);
2950
8c1d787b 2951 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2952 break;
2953
47d1ec61 2954 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2955 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2956 chan->fcs = L2CAP_FCS_NONE;
2957 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2958 }
65c7c491
MH		 2959 break;
2960 }
1da177e4 2961
fe4128e0 2962 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2963 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2964
2965 return ptr - data;
2966}
2967
73ffa904 2968static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2969{
5dee9e7c
MH		 2970 struct l2cap_conf_rsp *rsp = data;
2971 void *ptr = rsp->data;
73ffa904
GP		 2972 void *req = chan->conf_req;
2973 int len = chan->conf_len;
5dee9e7c
MH		 2974 int type, hint, olen;
2975 unsigned long val;
6464f35f 2976 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2977 struct l2cap_conf_efs efs;
2978 u8 remote_efs = 0;
861d6882 2979 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2980 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2981 u16 size;
1da177e4 2982
73ffa904 2983 BT_DBG("chan %p", chan);
820ae1b8 2984
5dee9e7c
MH		 2985 while (len >= L2CAP_CONF_OPT_SIZE) {
2986 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2987
589d2746 2988 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2989 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2990
2991 switch (type) {
2992 case L2CAP_CONF_MTU:
861d6882 2993 mtu = val;
5dee9e7c
MH		 2994 break;
2995
2996 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2997 chan->flush_to = val;
5dee9e7c
MH		 2998 break;
2999
3000 case L2CAP_CONF_QOS:
3001 break;
3002
6464f35f
MH		 3003 case L2CAP_CONF_RFC:
3004 if (olen == sizeof(rfc))
3005 memcpy(&rfc, (void *) val, olen);
3006 break;
3007
fcc203c3
GP		 3008 case L2CAP_CONF_FCS:
3009 if (val == L2CAP_FCS_NONE)
c1360a1c 3010 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3011 break;
fcc203c3 3012
42dceae2
AE		 3013 case L2CAP_CONF_EFS:
3014 remote_efs = 1;
3015 if (olen == sizeof(efs))
3016 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3017 break;
3018
6327eb98
AE		 3019 case L2CAP_CONF_EWS:
3020 if (!enable_hs)
3021 return -ECONNREFUSED;
fcc203c3 3022
6327eb98
AE		 3023 set_bit(FLAG_EXT_CTRL, &chan->flags);
3024 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3025 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3026 chan->remote_tx_win = val;
fcc203c3
GP		 3027 break;
3028
5dee9e7c
MH		 3029 default:
3030 if (hint)
3031 break;
3032
3033 result = L2CAP_CONF_UNKNOWN;
3034 *((u8 *) ptr++) = type;
3035 break;
3036 }
3037 }
3038
73ffa904 3039 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3040 goto done;
3041
0c1bc5c6 3042 switch (chan->mode) {
f2fcfcd6
GP		 3043 case L2CAP_MODE_STREAMING:
3044 case L2CAP_MODE_ERTM:
c1360a1c 3045 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3046 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3047 chan->conn->feat_mask);
85eb53c6
GP		 3048 break;
3049 }
3050
42dceae2
AE		 3051 if (remote_efs) {
3052 if (__l2cap_efs_supported(chan))
3053 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3054 else
3055 return -ECONNREFUSED;
3056 }
3057
0c1bc5c6 3058 if (chan->mode != rfc.mode)
f2fcfcd6 3059 return -ECONNREFUSED;
742e519b 3060
f2fcfcd6 3061 break;
f2fcfcd6
GP		 3062 }
3063
3064done:
0c1bc5c6 3065 if (chan->mode != rfc.mode) {
f2fcfcd6 3066 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3067 rfc.mode = chan->mode;
f2fcfcd6 3068
73ffa904 3069 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3070 return -ECONNREFUSED;
3071
2d792818
GP		 3072 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3073 (unsigned long) &rfc);
f2fcfcd6
GP		 3074 }
3075
5dee9e7c
MH		 3076 if (result == L2CAP_CONF_SUCCESS) {
3077 /* Configure output options and let the other side know
3078 * which ones we don't like. */
3079
f2fcfcd6
GP		 3080 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3081 result = L2CAP_CONF_UNACCEPT;
3082 else {
0c1bc5c6 3083 chan->omtu = mtu;
c1360a1c 3084 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3085 }
0c1bc5c6 3086 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3087
42dceae2
AE		 3088 if (remote_efs) {
3089 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3090 efs.stype != L2CAP_SERV_NOTRAFIC &&
3091 efs.stype != chan->local_stype) {
42dceae2
AE		 3092
3093 result = L2CAP_CONF_UNACCEPT;
3094
3095 if (chan->num_conf_req >= 1)
3096 return -ECONNREFUSED;
3097
3098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3099 sizeof(efs),
3100 (unsigned long) &efs);
0e8b207e 3101 } else {
3e6b3b95 3102 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3103 result = L2CAP_CONF_PENDING;
3104 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3105 }
3106 }
3107
f2fcfcd6
GP		 3108 switch (rfc.mode) {
3109 case L2CAP_MODE_BASIC:
47d1ec61 3110 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3111 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3112 break;
3113
3114 case L2CAP_MODE_ERTM:
6327eb98
AE		 3115 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3116 chan->remote_tx_win = rfc.txwin_size;
3117 else
3118 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3119
2c03a7a4 3120 chan->remote_max_tx = rfc.max_transmit;
1c762159 3121
c8f79162 3122 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3123 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3124 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3125 rfc.max_pdu_size = cpu_to_le16(size);
3126 chan->remote_mps = size;
f2fcfcd6 3127
10467e9e 3128 rfc.retrans_timeout =
4fd21a88 3129 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3130 rfc.monitor_timeout =
4fd21a88 3131 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3132
c1360a1c 3133 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3134
3135 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3136 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3137
42dceae2
AE		 3138 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3139 chan->remote_id = efs.id;
3140 chan->remote_stype = efs.stype;
3141 chan->remote_msdu = le16_to_cpu(efs.msdu);
3142 chan->remote_flush_to =
2d792818 3143 le32_to_cpu(efs.flush_to);
42dceae2 3144 chan->remote_acc_lat =
2d792818 3145 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3146 chan->remote_sdu_itime =
3147 le32_to_cpu(efs.sdu_itime);
3148 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3149 sizeof(efs),
3150 (unsigned long) &efs);
42dceae2 3151 }
f2fcfcd6
GP		 3152 break;
3153
3154 case L2CAP_MODE_STREAMING:
c8f79162 3155 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3156 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3157 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3158 rfc.max_pdu_size = cpu_to_le16(size);
3159 chan->remote_mps = size;
f2fcfcd6 3160
c1360a1c 3161 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3162
2d792818
GP		 3163 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3164 (unsigned long) &rfc);
68ae6639 3165
f2fcfcd6
GP		 3166 break;
3167
3168 default:
5dee9e7c 3169 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3170
6464f35f 3171 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3172 rfc.mode = chan->mode;
f2fcfcd6 3173 }
6464f35f 3174
f2fcfcd6 3175 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3176 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3177 }
fe4128e0 3178 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3179 rsp->result = cpu_to_le16(result);
59e54bd1 3180 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3181
3182 return ptr - data;
1da177e4
LT		 3183}
3184
2d792818
GP		 3185static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3186 void *data, u16 *result)
f2fcfcd6 3187{
f2fcfcd6
GP		 3188 struct l2cap_conf_req *req = data;
3189 void *ptr = req->data;
3190 int type, olen;
3191 unsigned long val;
36e999a8 3192 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3193 struct l2cap_conf_efs efs;
f2fcfcd6 3194
fe4128e0 3195 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3196
3197 while (len >= L2CAP_CONF_OPT_SIZE) {
3198 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3199
3200 switch (type) {
3201 case L2CAP_CONF_MTU:
3202 if (val < L2CAP_DEFAULT_MIN_MTU) {
3203 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3204 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3205 } else
0c1bc5c6
GP		 3206 chan->imtu = val;
3207 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3208 break;
3209
3210 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3211 chan->flush_to = val;
f2fcfcd6 3212 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3213 2, chan->flush_to);
f2fcfcd6
GP		 3214 break;
3215
3216 case L2CAP_CONF_RFC:
3217 if (olen == sizeof(rfc))
3218 memcpy(&rfc, (void *)val, olen);
3219
c1360a1c 3220 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3221 rfc.mode != chan->mode)
f2fcfcd6
GP		 3222 return -ECONNREFUSED;
3223
47d1ec61 3224 chan->fcs = 0;
f2fcfcd6
GP		 3225
3226 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3227 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3228 break;
6327eb98
AE		 3229
3230 case L2CAP_CONF_EWS:
c20f8e35 3231 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3232 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3233 chan->tx_win);
6327eb98 3234 break;
66af7aaf
AE		 3235
3236 case L2CAP_CONF_EFS:
3237 if (olen == sizeof(efs))
3238 memcpy(&efs, (void *)val, olen);
3239
3240 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3241 efs.stype != L2CAP_SERV_NOTRAFIC &&
3242 efs.stype != chan->local_stype)
66af7aaf
AE		 3243 return -ECONNREFUSED;
3244
2d792818
GP		 3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3246 (unsigned long) &efs);
66af7aaf 3247 break;
f2fcfcd6
GP		 3248 }
3249 }
3250
0c1bc5c6 3251 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3252 return -ECONNREFUSED;
3253
0c1bc5c6 3254 chan->mode = rfc.mode;
6c2ea7a8 3255
0e8b207e 3256 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3257 switch (rfc.mode) {
3258 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3259 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3260 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3261 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3262 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3263 chan->ack_win = min_t(u16, chan->ack_win,
3264 rfc.txwin_size);
66af7aaf
AE		 3265
3266 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3267 chan->local_msdu = le16_to_cpu(efs.msdu);
3268 chan->local_sdu_itime =
2d792818 3269 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3270 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3271 chan->local_flush_to =
2d792818 3272 le32_to_cpu(efs.flush_to);
66af7aaf 3273 }
f2fcfcd6 3274 break;
66af7aaf 3275
f2fcfcd6 3276 case L2CAP_MODE_STREAMING:
47d1ec61 3277 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3278 }
3279 }
3280
fe4128e0 3281 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3282 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3283
3284 return ptr - data;
3285}
3286
2d792818
GP		 3287static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3288 u16 result, u16 flags)
1da177e4
LT		 3289{
3290 struct l2cap_conf_rsp *rsp = data;
3291 void *ptr = rsp->data;
1da177e4 3292
fe4128e0 3293 BT_DBG("chan %p", chan);
1da177e4 3294
fe4128e0 3295 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3296 rsp->result = cpu_to_le16(result);
aca3192c 3297 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3298
3299 return ptr - data;
3300}
3301
8c1d787b 3302void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3303{
3304 struct l2cap_conn_rsp rsp;
8c1d787b 3305 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3306 u8 buf[128];
3307
fe4128e0
GP		 3308 rsp.scid = cpu_to_le16(chan->dcid);
3309 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3310 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3311 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3312 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3313
c1360a1c 3314 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3315 return;
3316
710f9b0a 3317 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3318 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3319 chan->num_conf_req++;
3320}
3321
47d1ec61 3322static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3323{
7b1c0049
GP		 3324 int type, olen;
3325 unsigned long val;
c20f8e35
MM		 3326 /* Use sane default values in case a misbehaving remote device
3327 * did not send an RFC or extended window size option.
3328 */
3329 u16 txwin_ext = chan->ack_win;
3330 struct l2cap_conf_rfc rfc = {
3331 .mode = chan->mode,
3332 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3333 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3334 .max_pdu_size = cpu_to_le16(chan->imtu),
3335 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3336 };
7b1c0049 3337
47d1ec61 3338 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3339
0c1bc5c6 3340 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3341 return;
3342
3343 while (len >= L2CAP_CONF_OPT_SIZE) {
3344 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3345
c20f8e35
MM		 3346 switch (type) {
3347 case L2CAP_CONF_RFC:
3348 if (olen == sizeof(rfc))
3349 memcpy(&rfc, (void *)val, olen);
8f321f85 3350 break;
c20f8e35
MM		 3351 case L2CAP_CONF_EWS:
3352 txwin_ext = val;
3353 break;
3354 }
7b1c0049
GP		 3355 }
3356
7b1c0049
GP		 3357 switch (rfc.mode) {
3358 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3359 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3360 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3361 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3362 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3363 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3364 else
3365 chan->ack_win = min_t(u16, chan->ack_win,
3366 rfc.txwin_size);
7b1c0049
GP		 3367 break;
3368 case L2CAP_MODE_STREAMING:
47d1ec61 3369 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3370 }
3371}
3372
2d792818
GP		 3373static inline int l2cap_command_rej(struct l2cap_conn *conn,
3374 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3375{
e2fd318e 3376 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3377
e2fd318e 3378 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3379 return 0;
3380
3381 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3382 cmd->ident == conn->info_ident) {
17cd3f37 3383 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3384
3385 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3386 conn->info_ident = 0;
984947dc 3387
4e8402a3
MH		 3388 l2cap_conn_start(conn);
3389 }
3390
3391 return 0;
3392}
3393
300229f9
GP		 3394static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
3395 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3396{
1da177e4
LT		 3397 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3398 struct l2cap_conn_rsp rsp;
23691d75 3399 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3400 struct sock *parent, *sk = NULL;
e7c29cb1 3401 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3402
3403 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3404 __le16 psm = req->psm;
1da177e4 3405
097db76c 3406 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3407
3408 /* Check if we have socket listening on psm */
c2287681 3409 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3410 if (!pchan) {
1da177e4
LT		 3411 result = L2CAP_CR_BAD_PSM;
3412 goto sendresp;
3413 }
3414
23691d75
GP		 3415 parent = pchan->sk;
3416
3df91ea2 3417 mutex_lock(&conn->chan_lock);
aa2ac881 3418 lock_sock(parent);
e0f0cb56 3419
e7c29cb1 3420 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3421 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3422 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3423 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3424 result = L2CAP_CR_SEC_BLOCK;
3425 goto response;
3426 }
3427
1da177e4
LT		 3428 result = L2CAP_CR_NO_MEM;
3429
2dfa1003
GP		 3430 /* Check if we already have channel with that dcid */
3431 if (__l2cap_get_chan_by_dcid(conn, scid))
3432 goto response;
3433
80b98027 3434 chan = pchan->ops->new_connection(pchan);
80808e43 3435 if (!chan)
1da177e4
LT		 3436 goto response;
3437
80808e43
GP		 3438 sk = chan->sk;
3439
1da177e4
LT		 3440 hci_conn_hold(conn->hcon);
3441
1da177e4
LT		 3442 bacpy(&bt_sk(sk)->src, conn->src);
3443 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3444 chan->psm = psm;
3445 chan->dcid = scid;
1da177e4 3446
6be36555 3447 __l2cap_chan_add(conn, chan);
48454079 3448
fe4128e0 3449 dcid = chan->scid;
1da177e4 3450
c9b66675 3451 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3452
fc7f8a7e 3453 chan->ident = cmd->ident;
1da177e4 3454
984947dc 3455 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3456 if (l2cap_chan_check_security(chan)) {
c5daa683 3457 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3458 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3459 result = L2CAP_CR_PEND;
3460 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3461 chan->ops->defer(chan);
f66dc81f 3462 } else {
0e587be7 3463 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3464 result = L2CAP_CR_SUCCESS;
3465 status = L2CAP_CS_NO_INFO;
3466 }
79d554a6 3467 } else {
0e587be7 3468 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3469 result = L2CAP_CR_PEND;
3470 status = L2CAP_CS_AUTHEN_PEND;
3471 }
3472 } else {
0e587be7 3473 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3474 result = L2CAP_CR_PEND;
3475 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3476 }
3477
1da177e4 3478response:
aa2ac881 3479 release_sock(parent);
3df91ea2 3480 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3481
3482sendresp:
aca3192c
YH		 3483 rsp.scid = cpu_to_le16(scid);
3484 rsp.dcid = cpu_to_le16(dcid);
3485 rsp.result = cpu_to_le16(result);
3486 rsp.status = cpu_to_le16(status);
4c89b6aa 3487 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3488
3489 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3490 struct l2cap_info_req info;
ac73498c 3491 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3492
3493 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3494 conn->info_ident = l2cap_get_ident(conn);
3495
ba13ccd9 3496 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3497
2d792818
GP		 3498 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3499 sizeof(info), &info);
79d554a6
MH		 3500 }
3501
c1360a1c 3502 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3503 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3504 u8 buf[128];
c1360a1c 3505 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3506 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3507 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3508 chan->num_conf_req++;
e9aeb2dd 3509 }
4c89b6aa 3510}
e9aeb2dd 3511
4c89b6aa
MM		 3512static int l2cap_connect_req(struct l2cap_conn *conn,
3513 struct l2cap_cmd_hdr *cmd, u8 *data)
3514{
300229f9 3515 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3516 return 0;
3517}
3518
2d792818
GP		 3519static inline int l2cap_connect_rsp(struct l2cap_conn *conn,
3520 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3521{
3522 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3523 u16 scid, dcid, result, status;
48454079 3524 struct l2cap_chan *chan;
1da177e4 3525 u8 req[128];
3df91ea2 3526 int err;
1da177e4
LT		 3527
3528 scid = __le16_to_cpu(rsp->scid);
3529 dcid = __le16_to_cpu(rsp->dcid);
3530 result = __le16_to_cpu(rsp->result);
3531 status = __le16_to_cpu(rsp->status);
3532
1b009c98 3533 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3534 dcid, scid, result, status);
1da177e4 3535
3df91ea2
AE		 3536 mutex_lock(&conn->chan_lock);
3537
1da177e4 3538 if (scid) {
3df91ea2
AE		 3539 chan = __l2cap_get_chan_by_scid(conn, scid);
3540 if (!chan) {
3541 err = -EFAULT;
3542 goto unlock;
3543 }
1da177e4 3544 } else {
3df91ea2
AE		 3545 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3546 if (!chan) {
3547 err = -EFAULT;
3548 goto unlock;
3549 }
1da177e4
LT		 3550 }
3551
3df91ea2
AE		 3552 err = 0;
3553
6be36555 3554 l2cap_chan_lock(chan);
48454079 3555
1da177e4
LT		 3556 switch (result) {
3557 case L2CAP_CR_SUCCESS:
89bc500e 3558 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3559 chan->ident = 0;
fe4128e0 3560 chan->dcid = dcid;
c1360a1c 3561 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3562
c1360a1c 3563 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3564 break;
3565
1da177e4 3566 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3567 l2cap_build_conf_req(chan, req), req);
73ffa904 3568 chan->num_conf_req++;
1da177e4
LT		 3569 break;
3570
3571 case L2CAP_CR_PEND:
c1360a1c 3572 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3573 break;
3574
3575 default:
48454079 3576 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3577 break;
3578 }
3579
6be36555 3580 l2cap_chan_unlock(chan);
3df91ea2
AE		 3581
3582unlock:
3583 mutex_unlock(&conn->chan_lock);
3584
3585 return err;
1da177e4
LT		 3586}
3587
47d1ec61 3588static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3589{
3590 /* FCS is enabled only in ERTM or streaming mode, if one or both
3591 * sides request it.
3592 */
0c1bc5c6 3593 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3594 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3595 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3596 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3597}
3598
29d8a590
AE		 3599static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3600 u8 ident, u16 flags)
3601{
3602 struct l2cap_conn *conn = chan->conn;
3603
3604 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3605 flags);
3606
3607 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3608 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3609
3610 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3611 l2cap_build_conf_rsp(chan, data,
3612 L2CAP_CONF_SUCCESS, flags), data);
3613}
3614
2d792818
GP		 3615static inline int l2cap_config_req(struct l2cap_conn *conn,
3616 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3617 u8 *data)
1da177e4
LT		 3618{
3619 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3620 u16 dcid, flags;
3621 u8 rsp[64];
48454079 3622 struct l2cap_chan *chan;
3c588192 3623 int len, err = 0;
1da177e4
LT		 3624
3625 dcid = __le16_to_cpu(req->dcid);
3626 flags = __le16_to_cpu(req->flags);
3627
3628 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3629
baa7e1fa 3630 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3631 if (!chan)
1da177e4
LT		 3632 return -ENOENT;
3633
033b1142 3634 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3635 struct l2cap_cmd_rej_cid rej;
3636
ac73498c 3637 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3638 rej.scid = cpu_to_le16(chan->scid);
3639 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3640
df6bd743 3641 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3642 sizeof(rej), &rej);
354f60a9 3643 goto unlock;
df6bd743 3644 }
354f60a9 3645
5dee9e7c 3646 /* Reject if config buffer is too small. */
88219a0f 3647 len = cmd_len - sizeof(*req);
7ac28817 3648 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3649 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3650 l2cap_build_conf_rsp(chan, rsp,
3651 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3652 goto unlock;
3653 }
3654
3655 /* Store config. */
73ffa904
GP		 3656 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3657 chan->conf_len += len;
1da177e4 3658
59e54bd1 3659 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3660 /* Incomplete config. Send empty response. */
3661 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3662 l2cap_build_conf_rsp(chan, rsp,
3663 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3664 goto unlock;
3665 }
3666
3667 /* Complete config. */
73ffa904 3668 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3669 if (len < 0) {
e92c8e70 3670 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3671 goto unlock;
f2fcfcd6 3672 }
1da177e4 3673
5dee9e7c 3674 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3675 chan->num_conf_rsp++;
5dee9e7c 3676
5dee9e7c 3677 /* Reset config buffer. */
73ffa904 3678 chan->conf_len = 0;
5dee9e7c 3679
c1360a1c 3680 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3681 goto unlock;
3682
c1360a1c 3683 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3684 set_default_fcs(chan);
fcc203c3 3685
105bdf9e
MM		 3686 if (chan->mode == L2CAP_MODE_ERTM ||
3687 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3688 err = l2cap_ertm_init(chan);
3689
3690 if (err < 0)
3691 l2cap_send_disconn_req(chan->conn, chan, -err);
3692 else
3693 l2cap_chan_ready(chan);
0565c1c2 3694
876d9484
MH		 3695 goto unlock;
3696 }
3697
c1360a1c 3698 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3699 u8 buf[64];
1da177e4 3700 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3701 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3702 chan->num_conf_req++;
1da177e4
LT		 3703 }
3704
0e8b207e
AE		 3705 /* Got Conf Rsp PENDING from remote side and asume we sent
3706 Conf Rsp PENDING in the code above */
3707 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3708 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3709
3710 /* check compatibility */
3711
29d8a590 3712 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
0e8b207e
AE		 3713 }
3714
1da177e4 3715unlock:
6be36555 3716 l2cap_chan_unlock(chan);
3c588192 3717 return err;
1da177e4
LT		 3718}
3719
2d792818
GP		 3720static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3721 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3722{
3723 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3724 u16 scid, flags, result;
48454079 3725 struct l2cap_chan *chan;
61386cba 3726 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3727 int err = 0;
1da177e4
LT		 3728
3729 scid = __le16_to_cpu(rsp->scid);
3730 flags = __le16_to_cpu(rsp->flags);
3731 result = __le16_to_cpu(rsp->result);
3732
61386cba
AE		 3733 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3734 result, len);
1da177e4 3735
baa7e1fa 3736 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3737 if (!chan)
1da177e4
LT		 3738 return 0;
3739
3740 switch (result) {
3741 case L2CAP_CONF_SUCCESS:
47d1ec61 3742 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3743 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3744 break;
3745
0e8b207e
AE		 3746 case L2CAP_CONF_PENDING:
3747 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3748
3749 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3750 char buf[64];
3751
3752 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3753 buf, &result);
0e8b207e
AE		 3754 if (len < 0) {
3755 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3756 goto done;
3757 }
3758
3759 /* check compatibility */
3760
29d8a590 3761 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
0e8b207e
AE		 3762 }
3763 goto done;
3764
1da177e4 3765 case L2CAP_CONF_UNACCEPT:
73ffa904 3766 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3767 char req[64];
3768
c2c77ec8 3769 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3770 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3771 goto done;
3772 }
3773
f2fcfcd6
GP		 3774 /* throw out any old stored conf requests */
3775 result = L2CAP_CONF_SUCCESS;
b4450035 3776 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3777 req, &result);
f2fcfcd6 3778 if (len < 0) {
e92c8e70 3779 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3780 goto done;
3781 }
3782
3783 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3784 L2CAP_CONF_REQ, len, req);
73ffa904 3785 chan->num_conf_req++;
f2fcfcd6
GP		 3786 if (result != L2CAP_CONF_SUCCESS)
3787 goto done;
3788 break;
1da177e4
LT		 3789 }
3790
8e87d142 3791 default:
6be36555 3792 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3793
ba13ccd9 3794 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3795 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3796 goto done;
3797 }
3798
59e54bd1 3799 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3800 goto done;
3801
c1360a1c 3802 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3803
c1360a1c 3804 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3805 set_default_fcs(chan);
fcc203c3 3806
105bdf9e
MM		 3807 if (chan->mode == L2CAP_MODE_ERTM ||
3808 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3809 err = l2cap_ertm_init(chan);
0565c1c2 3810
3c588192
MM		 3811 if (err < 0)
3812 l2cap_send_disconn_req(chan->conn, chan, -err);
3813 else
3814 l2cap_chan_ready(chan);
1da177e4
LT		 3815 }
3816
3817done:
6be36555 3818 l2cap_chan_unlock(chan);
3c588192 3819 return err;
1da177e4
LT		 3820}
3821
2d792818
GP		 3822static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3823 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3824{
3825 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3826 struct l2cap_disconn_rsp rsp;
3827 u16 dcid, scid;
48454079 3828 struct l2cap_chan *chan;
1da177e4
LT		 3829 struct sock *sk;
3830
3831 scid = __le16_to_cpu(req->scid);
3832 dcid = __le16_to_cpu(req->dcid);
3833
3834 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3835
3df91ea2
AE		 3836 mutex_lock(&conn->chan_lock);
3837
3838 chan = __l2cap_get_chan_by_scid(conn, dcid);
3839 if (!chan) {
3840 mutex_unlock(&conn->chan_lock);
1da177e4 3841 return 0;
3df91ea2 3842 }
1da177e4 3843
6be36555
AE		 3844 l2cap_chan_lock(chan);
3845
48454079
GP		 3846 sk = chan->sk;
3847
fe4128e0
GP		 3848 rsp.dcid = cpu_to_le16(chan->scid);
3849 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3850 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3851
6be36555 3852 lock_sock(sk);
1da177e4 3853 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3854 release_sock(sk);
1da177e4 3855
61d6ef3e 3856 l2cap_chan_hold(chan);
48454079 3857 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3858
3859 l2cap_chan_unlock(chan);
1da177e4 3860
80b98027 3861 chan->ops->close(chan);
61d6ef3e 3862 l2cap_chan_put(chan);
3df91ea2
AE		 3863
3864 mutex_unlock(&conn->chan_lock);
3865
1da177e4
LT		 3866 return 0;
3867}
3868
2d792818
GP		 3869static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3870 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3871{
3872 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3873 u16 dcid, scid;
48454079 3874 struct l2cap_chan *chan;
1da177e4
LT		 3875
3876 scid = __le16_to_cpu(rsp->scid);
3877 dcid = __le16_to_cpu(rsp->dcid);
3878
3879 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3880
3df91ea2
AE		 3881 mutex_lock(&conn->chan_lock);
3882
3883 chan = __l2cap_get_chan_by_scid(conn, scid);
3884 if (!chan) {
3885 mutex_unlock(&conn->chan_lock);
1da177e4 3886 return 0;
3df91ea2 3887 }
1da177e4 3888
6be36555 3889 l2cap_chan_lock(chan);
48454079 3890
61d6ef3e 3891 l2cap_chan_hold(chan);
48454079 3892 l2cap_chan_del(chan, 0);
6be36555
AE		 3893
3894 l2cap_chan_unlock(chan);
1da177e4 3895
80b98027 3896 chan->ops->close(chan);
61d6ef3e 3897 l2cap_chan_put(chan);
3df91ea2
AE		 3898
3899 mutex_unlock(&conn->chan_lock);
3900
1da177e4
LT		 3901 return 0;
3902}
3903
2d792818
GP		 3904static inline int l2cap_information_req(struct l2cap_conn *conn,
3905 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3906{
3907 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3908 u16 type;
3909
3910 type = __le16_to_cpu(req->type);
3911
3912 BT_DBG("type 0x%4.4x", type);
3913
f0709e03
MH		 3914 if (type == L2CAP_IT_FEAT_MASK) {
3915 u8 buf[8];
44dd46de 3916 u32 feat_mask = l2cap_feat_mask;
f0709e03 3917 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3918 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3919 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3920 if (!disable_ertm)
fcc203c3 3921 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 3922 | L2CAP_FEAT_FCS;
a5fd6f30 3923 if (enable_hs)
6327eb98 3924 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 3925 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3926
1b7bf4ed 3927 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 3928 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
3929 buf);
e1027a7c
MH		 3930 } else if (type == L2CAP_IT_FIXED_CHAN) {
3931 u8 buf[12];
3932 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3933
3934 if (enable_hs)
3935 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3936 else
3937 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3938
ac73498c
AE		 3939 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3940 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3941 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 3942 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
3943 buf);
f0709e03
MH		 3944 } else {
3945 struct l2cap_info_rsp rsp;
3946 rsp.type = cpu_to_le16(type);
ac73498c 3947 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 3948 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
3949 &rsp);
f0709e03 3950 }
1da177e4
LT		 3951
3952 return 0;
3953}
3954
2d792818
GP		 3955static inline int l2cap_information_rsp(struct l2cap_conn *conn,
3956 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3957{
3958 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3959 u16 type, result;
3960
3961 type = __le16_to_cpu(rsp->type);
3962 result = __le16_to_cpu(rsp->result);
3963
3964 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3965
e90165be
AE		 3966 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3967 if (cmd->ident != conn->info_ident ||
2d792818 3968 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 3969 return 0;
3970
17cd3f37 3971 cancel_delayed_work(&conn->info_timer);
4e8402a3 3972
adb08ede
VT		 3973 if (result != L2CAP_IR_SUCCESS) {
3974 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3975 conn->info_ident = 0;
3976
3977 l2cap_conn_start(conn);
3978
3979 return 0;
3980 }
3981
978c93b9
AE		 3982 switch (type) {
3983 case L2CAP_IT_FEAT_MASK:
83985319 3984 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3985
47ec1dcd 3986 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3987 struct l2cap_info_req req;
ac73498c 3988 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3989
3990 conn->info_ident = l2cap_get_ident(conn);
3991
3992 l2cap_send_cmd(conn, conn->info_ident,
2d792818 3993 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 3994 } else {
3995 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3996 conn->info_ident = 0;
3997
3998 l2cap_conn_start(conn);
3999 }
978c93b9
AE		 4000 break;
4001
4002 case L2CAP_IT_FIXED_CHAN:
4003 conn->fixed_chan_mask = rsp->data[0];
984947dc 4004 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4005 conn->info_ident = 0;
984947dc
MH		 4006
4007 l2cap_conn_start(conn);
978c93b9 4008 break;
984947dc 4009 }
4e8402a3 4010
1da177e4
LT		 4011 return 0;
4012}
4013
f94ff6ff 4014static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
2d792818
GP		 4015 struct l2cap_cmd_hdr *cmd,
4016 u16 cmd_len, void *data)
f94ff6ff
MM		 4017{
4018 struct l2cap_create_chan_req *req = data;
4019 struct l2cap_create_chan_rsp rsp;
4020 u16 psm, scid;
4021
4022 if (cmd_len != sizeof(*req))
4023 return -EPROTO;
4024
4025 if (!enable_hs)
4026 return -EINVAL;
4027
4028 psm = le16_to_cpu(req->psm);
4029 scid = le16_to_cpu(req->scid);
4030
ad0ac6ca 4031 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 4032
4033 /* Placeholder: Always reject */
4034 rsp.dcid = 0;
4035 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4036 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4037 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4038
4039 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4040 sizeof(rsp), &rsp);
4041
4042 return 0;
4043}
4044
2d792818
GP		 4045static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
4046 struct l2cap_cmd_hdr *cmd,
4047 void *data)
4048{
4049 BT_DBG("conn %p", conn);
4050
4051 return l2cap_connect_rsp(conn, cmd, data);
4052}
4053
8d5a04a1 4054static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4055 u16 icid, u16 result)
8d5a04a1
MM		 4056{
4057 struct l2cap_move_chan_rsp rsp;
4058
ad0ac6ca 4059 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4060
4061 rsp.icid = cpu_to_le16(icid);
4062 rsp.result = cpu_to_le16(result);
4063
4064 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4065}
4066
4067static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4068 struct l2cap_chan *chan,
4069 u16 icid, u16 result)
8d5a04a1
MM		 4070{
4071 struct l2cap_move_chan_cfm cfm;
4072 u8 ident;
4073
ad0ac6ca 4074 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4075
4076 ident = l2cap_get_ident(conn);
4077 if (chan)
4078 chan->ident = ident;
4079
4080 cfm.icid = cpu_to_le16(icid);
4081 cfm.result = cpu_to_le16(result);
4082
4083 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4084}
4085
4086static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4087 u16 icid)
8d5a04a1
MM		 4088{
4089 struct l2cap_move_chan_cfm_rsp rsp;
4090
ad0ac6ca 4091 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4092
4093 rsp.icid = cpu_to_le16(icid);
4094 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4095}
4096
4097static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4098 struct l2cap_cmd_hdr *cmd,
4099 u16 cmd_len, void *data)
8d5a04a1
MM		 4100{
4101 struct l2cap_move_chan_req *req = data;
4102 u16 icid = 0;
4103 u16 result = L2CAP_MR_NOT_ALLOWED;
4104
4105 if (cmd_len != sizeof(*req))
4106 return -EPROTO;
4107
4108 icid = le16_to_cpu(req->icid);
4109
ad0ac6ca 4110 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4111
4112 if (!enable_hs)
4113 return -EINVAL;
4114
4115 /* Placeholder: Always refuse */
4116 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4117
4118 return 0;
4119}
4120
4121static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4122 struct l2cap_cmd_hdr *cmd,
4123 u16 cmd_len, void *data)
8d5a04a1
MM		 4124{
4125 struct l2cap_move_chan_rsp *rsp = data;
4126 u16 icid, result;
4127
4128 if (cmd_len != sizeof(*rsp))
4129 return -EPROTO;
4130
4131 icid = le16_to_cpu(rsp->icid);
4132 result = le16_to_cpu(rsp->result);
4133
ad0ac6ca 4134 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4135
4136 /* Placeholder: Always unconfirmed */
4137 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4138
4139 return 0;
4140}
4141
4142static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4143 struct l2cap_cmd_hdr *cmd,
4144 u16 cmd_len, void *data)
8d5a04a1
MM		 4145{
4146 struct l2cap_move_chan_cfm *cfm = data;
4147 u16 icid, result;
4148
4149 if (cmd_len != sizeof(*cfm))
4150 return -EPROTO;
4151
4152 icid = le16_to_cpu(cfm->icid);
4153 result = le16_to_cpu(cfm->result);
4154
ad0ac6ca 4155 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4156
4157 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4158
4159 return 0;
4160}
4161
4162static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4163 struct l2cap_cmd_hdr *cmd,
4164 u16 cmd_len, void *data)
8d5a04a1
MM		 4165{
4166 struct l2cap_move_chan_cfm_rsp *rsp = data;
4167 u16 icid;
4168
4169 if (cmd_len != sizeof(*rsp))
4170 return -EPROTO;
4171
4172 icid = le16_to_cpu(rsp->icid);
4173
ad0ac6ca 4174 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4175
4176 return 0;
4177}
4178
e2174ca4 4179static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4180 u16 to_multiplier)
de73115a
CT		 4181{
4182 u16 max_latency;
4183
4184 if (min > max || min < 6 || max > 3200)
4185 return -EINVAL;
4186
4187 if (to_multiplier < 10 || to_multiplier > 3200)
4188 return -EINVAL;
4189
4190 if (max >= to_multiplier * 8)
4191 return -EINVAL;
4192
4193 max_latency = (to_multiplier * 8 / max) - 1;
4194 if (latency > 499 || latency > max_latency)
4195 return -EINVAL;
4196
4197 return 0;
4198}
4199
4200static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4201 struct l2cap_cmd_hdr *cmd,
4202 u8 *data)
de73115a
CT		 4203{
4204 struct hci_conn *hcon = conn->hcon;
4205 struct l2cap_conn_param_update_req *req;
4206 struct l2cap_conn_param_update_rsp rsp;
4207 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4208 int err;
de73115a
CT		 4209
4210 if (!(hcon->link_mode & HCI_LM_MASTER))
4211 return -EINVAL;
4212
4213 cmd_len = __le16_to_cpu(cmd->len);
4214 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4215 return -EPROTO;
4216
4217 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4218 min = __le16_to_cpu(req->min);
4219 max = __le16_to_cpu(req->max);
de73115a
CT		 4220 latency = __le16_to_cpu(req->latency);
4221 to_multiplier = __le16_to_cpu(req->to_multiplier);
4222
4223 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4224 min, max, latency, to_multiplier);
de73115a
CT		 4225
4226 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4227
4228 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4229 if (err)
ac73498c 4230 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4231 else
ac73498c 4232 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4233
4234 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4235 sizeof(rsp), &rsp);
de73115a 4236
2ce603eb
CT		 4237 if (!err)
4238 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4239
de73115a
CT		 4240 return 0;
4241}
4242
3300d9a9 4243static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4244 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4245 u8 *data)
3300d9a9
CT		 4246{
4247 int err = 0;
4248
4249 switch (cmd->code) {
4250 case L2CAP_COMMAND_REJ:
4251 l2cap_command_rej(conn, cmd, data);
4252 break;
4253
4254 case L2CAP_CONN_REQ:
4255 err = l2cap_connect_req(conn, cmd, data);
4256 break;
4257
4258 case L2CAP_CONN_RSP:
f5a2598d 4259 case L2CAP_CREATE_CHAN_RSP:
3300d9a9
CT		 4260 err = l2cap_connect_rsp(conn, cmd, data);
4261 break;
4262
4263 case L2CAP_CONF_REQ:
4264 err = l2cap_config_req(conn, cmd, cmd_len, data);
4265 break;
4266
4267 case L2CAP_CONF_RSP:
4268 err = l2cap_config_rsp(conn, cmd, data);
4269 break;
4270
4271 case L2CAP_DISCONN_REQ:
4272 err = l2cap_disconnect_req(conn, cmd, data);
4273 break;
4274
4275 case L2CAP_DISCONN_RSP:
4276 err = l2cap_disconnect_rsp(conn, cmd, data);
4277 break;
4278
4279 case L2CAP_ECHO_REQ:
4280 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4281 break;
4282
4283 case L2CAP_ECHO_RSP:
4284 break;
4285
4286 case L2CAP_INFO_REQ:
4287 err = l2cap_information_req(conn, cmd, data);
4288 break;
4289
4290 case L2CAP_INFO_RSP:
4291 err = l2cap_information_rsp(conn, cmd, data);
4292 break;
4293
f94ff6ff
MM		 4294 case L2CAP_CREATE_CHAN_REQ:
4295 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4296 break;
4297
8d5a04a1
MM		 4298 case L2CAP_MOVE_CHAN_REQ:
4299 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4300 break;
4301
4302 case L2CAP_MOVE_CHAN_RSP:
4303 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4304 break;
4305
4306 case L2CAP_MOVE_CHAN_CFM:
4307 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4308 break;
4309
4310 case L2CAP_MOVE_CHAN_CFM_RSP:
4311 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4312 break;
4313
3300d9a9
CT		 4314 default:
4315 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4316 err = -EINVAL;
4317 break;
4318 }
4319
4320 return err;
4321}
4322
4323static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 4324 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 4325{
4326 switch (cmd->code) {
4327 case L2CAP_COMMAND_REJ:
4328 return 0;
4329
4330 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4331 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4332
4333 case L2CAP_CONN_PARAM_UPDATE_RSP:
4334 return 0;
4335
4336 default:
4337 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4338 return -EINVAL;
4339 }
4340}
4341
4342static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 4343 struct sk_buff *skb)
1da177e4
LT		 4344{
4345 u8 *data = skb->data;
4346 int len = skb->len;
4347 struct l2cap_cmd_hdr cmd;
3300d9a9 4348 int err;
1da177e4
LT		 4349
4350 l2cap_raw_recv(conn, skb);
4351
4352 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4353 u16 cmd_len;
1da177e4
LT		 4354 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4355 data += L2CAP_CMD_HDR_SIZE;
4356 len -= L2CAP_CMD_HDR_SIZE;
4357
88219a0f 4358 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4359
2d792818
GP		 4360 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
4361 cmd.ident);
1da177e4 4362
88219a0f 4363 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4364 BT_DBG("corrupted command");
4365 break;
4366 }
4367
3300d9a9
CT		 4368 if (conn->hcon->type == LE_LINK)
4369 err = l2cap_le_sig_cmd(conn, &cmd, data);
4370 else
4371 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4372
4373 if (err) {
e2fd318e 4374 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4375
4376 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4377
4378 /* FIXME: Map err to a valid reason */
ac73498c 4379 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 4380 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
4381 sizeof(rej), &rej);
1da177e4
LT		 4382 }
4383
88219a0f
AV		 4384 data += cmd_len;
4385 len -= cmd_len;
1da177e4
LT		 4386 }
4387
4388 kfree_skb(skb);
4389}
4390
47d1ec61 4391static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4392{
4393 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4394 int hdr_size;
4395
4396 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4397 hdr_size = L2CAP_EXT_HDR_SIZE;
4398 else
4399 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4400
47d1ec61 4401 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4402 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4403 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4404 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4405
4406 if (our_fcs != rcv_fcs)
7a560e5c 4407 return -EBADMSG;
fcc203c3
GP		 4408 }
4409 return 0;
4410}
4411
6ea00485 4412static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4413{
e31f7633 4414 struct l2cap_ctrl control;
d5392c8f 4415
e31f7633 4416 BT_DBG("chan %p", chan);
d5392c8f 4417
e31f7633
MM		 4418 memset(&control, 0, sizeof(control));
4419 control.sframe = 1;
4420 control.final = 1;
4421 control.reqseq = chan->buffer_seq;
4422 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4423
e2ab4353 4424 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4425 control.super = L2CAP_SUPER_RNR;
4426 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4427 }
4428
e31f7633
MM		 4429 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4430 chan->unacked_frames > 0)
4431 __set_retrans_timer(chan);
d5392c8f 4432
e31f7633 4433 /* Send pending iframes */
525cd185 4434 l2cap_ertm_send(chan);
d5392c8f 4435
e2ab4353 4436 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4437 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4438 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4439 * send it now.
4440 */
4441 control.super = L2CAP_SUPER_RR;
4442 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4443 }
4444}
4445
2d792818
GP		 4446static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
4447 struct sk_buff **last_frag)
18778a63 4448{
84084a31
MM		 4449 /* skb->len reflects data in skb as well as all fragments
4450 * skb->data_len reflects only data in fragments
4451 */
4452 if (!skb_has_frag_list(skb))
4453 skb_shinfo(skb)->frag_list = new_frag;
4454
4455 new_frag->next = NULL;
4456
4457 (*last_frag)->next = new_frag;
4458 *last_frag = new_frag;
4459
4460 skb->len += new_frag->len;
4461 skb->data_len += new_frag->len;
4462 skb->truesize += new_frag->truesize;
4463}
4464
4b51dae9
MM		 4465static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4466 struct l2cap_ctrl *control)
84084a31
MM		 4467{
4468 int err = -EINVAL;
18778a63 4469
4b51dae9 4470 switch (control->sar) {
7e0ef6ee 4471 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4472 if (chan->sdu)
4473 break;
18778a63 4474
80b98027 4475 err = chan->ops->recv(chan, skb);
84084a31 4476 break;
18778a63 4477
7e0ef6ee 4478 case L2CAP_SAR_START:
84084a31
MM		 4479 if (chan->sdu)
4480 break;
18778a63 4481
6f61fd47 4482 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4483 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4484
84084a31
MM		 4485 if (chan->sdu_len > chan->imtu) {
4486 err = -EMSGSIZE;
4487 break;
4488 }
1890d36b 4489
84084a31
MM		 4490 if (skb->len >= chan->sdu_len)
4491 break;
18778a63 4492
84084a31
MM		 4493 chan->sdu = skb;
4494 chan->sdu_last_frag = skb;
18778a63 4495
84084a31
MM		 4496 skb = NULL;
4497 err = 0;
18778a63
GP		 4498 break;
4499
7e0ef6ee 4500 case L2CAP_SAR_CONTINUE:
6f61fd47 4501 if (!chan->sdu)
84084a31 4502 break;
18778a63 4503
84084a31
MM		 4504 append_skb_frag(chan->sdu, skb,
4505 &chan->sdu_last_frag);
4506 skb = NULL;
18778a63 4507
84084a31
MM		 4508 if (chan->sdu->len >= chan->sdu_len)
4509 break;
4178ba46 4510
84084a31 4511 err = 0;
18778a63
GP		 4512 break;
4513
7e0ef6ee 4514 case L2CAP_SAR_END:
6f61fd47 4515 if (!chan->sdu)
84084a31 4516 break;
18778a63 4517
84084a31
MM		 4518 append_skb_frag(chan->sdu, skb,
4519 &chan->sdu_last_frag);
4520 skb = NULL;
4178ba46 4521
84084a31
MM		 4522 if (chan->sdu->len != chan->sdu_len)
4523 break;
18778a63 4524
80b98027 4525 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4526
84084a31
MM		 4527 if (!err) {
4528 /* Reassembly complete */
4529 chan->sdu = NULL;
4530 chan->sdu_last_frag = NULL;
4531 chan->sdu_len = 0;
1890d36b 4532 }
18778a63
GP		 4533 break;
4534 }
4535
84084a31
MM		 4536 if (err) {
4537 kfree_skb(skb);
4538 kfree_skb(chan->sdu);
4539 chan->sdu = NULL;
4540 chan->sdu_last_frag = NULL;
4541 chan->sdu_len = 0;
4542 }
18778a63 4543
84084a31 4544 return err;
18778a63
GP		 4545}
4546
61aa4f5b 4547void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4548{
61aa4f5b 4549 u8 event;
712132eb 4550
61aa4f5b
MM		 4551 if (chan->mode != L2CAP_MODE_ERTM)
4552 return;
712132eb 4553
61aa4f5b 4554 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4555 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4556}
4557
d2a7ac5d
MM		 4558static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4559{
63838725
MM		 4560 int err = 0;
4561 /* Pass sequential frames to l2cap_reassemble_sdu()
4562 * until a gap is encountered.
4563 */
4564
4565 BT_DBG("chan %p", chan);
4566
4567 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4568 struct sk_buff *skb;
4569 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4570 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4571
4572 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4573
4574 if (!skb)
4575 break;
4576
4577 skb_unlink(skb, &chan->srej_q);
4578 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4579 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4580 if (err)
4581 break;
4582 }
4583
4584 if (skb_queue_empty(&chan->srej_q)) {
4585 chan->rx_state = L2CAP_RX_STATE_RECV;
4586 l2cap_send_ack(chan);
4587 }
4588
4589 return err;
d2a7ac5d
MM		 4590}
4591
4592static void l2cap_handle_srej(struct l2cap_chan *chan,
4593 struct l2cap_ctrl *control)
4594{
f80842a8
MM		 4595 struct sk_buff *skb;
4596
4597 BT_DBG("chan %p, control %p", chan, control);
4598
4599 if (control->reqseq == chan->next_tx_seq) {
4600 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4601 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4602 return;
4603 }
4604
4605 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4606
4607 if (skb == NULL) {
4608 BT_DBG("Seq %d not available for retransmission",
4609 control->reqseq);
4610 return;
4611 }
4612
4613 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4614 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4615 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4616 return;
4617 }
4618
4619 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4620
4621 if (control->poll) {
4622 l2cap_pass_to_tx(chan, control);
4623
4624 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4625 l2cap_retransmit(chan, control);
4626 l2cap_ertm_send(chan);
4627
4628 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4629 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4630 chan->srej_save_reqseq = control->reqseq;
4631 }
4632 } else {
4633 l2cap_pass_to_tx_fbit(chan, control);
4634
4635 if (control->final) {
4636 if (chan->srej_save_reqseq != control->reqseq ||
4637 !test_and_clear_bit(CONN_SREJ_ACT,
4638 &chan->conn_state))
4639 l2cap_retransmit(chan, control);
4640 } else {
4641 l2cap_retransmit(chan, control);
4642 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4643 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4644 chan->srej_save_reqseq = control->reqseq;
4645 }
4646 }
4647 }
d2a7ac5d
MM		 4648}
4649
4650static void l2cap_handle_rej(struct l2cap_chan *chan,
4651 struct l2cap_ctrl *control)
4652{
fcd289df
MM		 4653 struct sk_buff *skb;
4654
4655 BT_DBG("chan %p, control %p", chan, control);
4656
4657 if (control->reqseq == chan->next_tx_seq) {
4658 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4659 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4660 return;
4661 }
4662
4663 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4664
4665 if (chan->max_tx && skb &&
4666 bt_cb(skb)->control.retries >= chan->max_tx) {
4667 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4668 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4669 return;
4670 }
4671
4672 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4673
4674 l2cap_pass_to_tx(chan, control);
4675
4676 if (control->final) {
4677 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4678 l2cap_retransmit_all(chan, control);
4679 } else {
4680 l2cap_retransmit_all(chan, control);
4681 l2cap_ertm_send(chan);
4682 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4683 set_bit(CONN_REJ_ACT, &chan->conn_state);
4684 }
d2a7ac5d
MM		 4685}
4686
4b51dae9
MM		 4687static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4688{
4689 BT_DBG("chan %p, txseq %d", chan, txseq);
4690
4691 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4692 chan->expected_tx_seq);
4693
4694 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4695 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 4696 chan->tx_win) {
4b51dae9
MM		 4697 /* See notes below regarding "double poll" and
4698 * invalid packets.
4699 */
4700 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4701 BT_DBG("Invalid/Ignore - after SREJ");
4702 return L2CAP_TXSEQ_INVALID_IGNORE;
4703 } else {
4704 BT_DBG("Invalid - in window after SREJ sent");
4705 return L2CAP_TXSEQ_INVALID;
4706 }
4707 }
4708
4709 if (chan->srej_list.head == txseq) {
4710 BT_DBG("Expected SREJ");
4711 return L2CAP_TXSEQ_EXPECTED_SREJ;
4712 }
4713
4714 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4715 BT_DBG("Duplicate SREJ - txseq already stored");
4716 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4717 }
4718
4719 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4720 BT_DBG("Unexpected SREJ - not requested");
4721 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4722 }
4723 }
4724
4725 if (chan->expected_tx_seq == txseq) {
4726 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4727 chan->tx_win) {
4728 BT_DBG("Invalid - txseq outside tx window");
4729 return L2CAP_TXSEQ_INVALID;
4730 } else {
4731 BT_DBG("Expected");
4732 return L2CAP_TXSEQ_EXPECTED;
4733 }
4734 }
4735
4736 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 4737 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 4738 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4739 return L2CAP_TXSEQ_DUPLICATE;
4740 }
4741
4742 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4743 /* A source of invalid packets is a "double poll" condition,
4744 * where delays cause us to send multiple poll packets. If
4745 * the remote stack receives and processes both polls,
4746 * sequence numbers can wrap around in such a way that a
4747 * resent frame has a sequence number that looks like new data
4748 * with a sequence gap. This would trigger an erroneous SREJ
4749 * request.
4750 *
4751 * Fortunately, this is impossible with a tx window that's
4752 * less than half of the maximum sequence number, which allows
4753 * invalid frames to be safely ignored.
4754 *
4755 * With tx window sizes greater than half of the tx window
4756 * maximum, the frame is invalid and cannot be ignored. This
4757 * causes a disconnect.
4758 */
4759
4760 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4761 BT_DBG("Invalid/Ignore - txseq outside tx window");
4762 return L2CAP_TXSEQ_INVALID_IGNORE;
4763 } else {
4764 BT_DBG("Invalid - txseq outside tx window");
4765 return L2CAP_TXSEQ_INVALID;
4766 }
4767 } else {
4768 BT_DBG("Unexpected - txseq indicates missing frames");
4769 return L2CAP_TXSEQ_UNEXPECTED;
4770 }
4771}
4772
d2a7ac5d
MM		 4773static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4774 struct l2cap_ctrl *control,
4775 struct sk_buff *skb, u8 event)
4776{
4777 int err = 0;
4778 bool skb_in_use = 0;
4779
4780 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4781 event);
4782
4783 switch (event) {
4784 case L2CAP_EV_RECV_IFRAME:
4785 switch (l2cap_classify_txseq(chan, control->txseq)) {
4786 case L2CAP_TXSEQ_EXPECTED:
4787 l2cap_pass_to_tx(chan, control);
4788
4789 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4790 BT_DBG("Busy, discarding expected seq %d",
4791 control->txseq);
4792 break;
4793 }
4794
4795 chan->expected_tx_seq = __next_seq(chan,
4796 control->txseq);
4797
4798 chan->buffer_seq = chan->expected_tx_seq;
4799 skb_in_use = 1;
4800
4801 err = l2cap_reassemble_sdu(chan, skb, control);
4802 if (err)
4803 break;
4804
4805 if (control->final) {
4806 if (!test_and_clear_bit(CONN_REJ_ACT,
4807 &chan->conn_state)) {
4808 control->final = 0;
4809 l2cap_retransmit_all(chan, control);
4810 l2cap_ertm_send(chan);
4811 }
4812 }
4813
4814 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4815 l2cap_send_ack(chan);
4816 break;
4817 case L2CAP_TXSEQ_UNEXPECTED:
4818 l2cap_pass_to_tx(chan, control);
4819
4820 /* Can't issue SREJ frames in the local busy state.
4821 * Drop this frame, it will be seen as missing
4822 * when local busy is exited.
4823 */
4824 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4825 BT_DBG("Busy, discarding unexpected seq %d",
4826 control->txseq);
4827 break;
4828 }
4829
4830 /* There was a gap in the sequence, so an SREJ
4831 * must be sent for each missing frame. The
4832 * current frame is stored for later use.
4833 */
4834 skb_queue_tail(&chan->srej_q, skb);
4835 skb_in_use = 1;
4836 BT_DBG("Queued %p (queue len %d)", skb,
4837 skb_queue_len(&chan->srej_q));
4838
4839 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4840 l2cap_seq_list_clear(&chan->srej_list);
4841 l2cap_send_srej(chan, control->txseq);
4842
4843 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4844 break;
4845 case L2CAP_TXSEQ_DUPLICATE:
4846 l2cap_pass_to_tx(chan, control);
4847 break;
4848 case L2CAP_TXSEQ_INVALID_IGNORE:
4849 break;
4850 case L2CAP_TXSEQ_INVALID:
4851 default:
4852 l2cap_send_disconn_req(chan->conn, chan,
4853 ECONNRESET);
4854 break;
4855 }
4856 break;
4857 case L2CAP_EV_RECV_RR:
4858 l2cap_pass_to_tx(chan, control);
4859 if (control->final) {
4860 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4861
4862 if (!test_and_clear_bit(CONN_REJ_ACT,
4863 &chan->conn_state)) {
4864 control->final = 0;
4865 l2cap_retransmit_all(chan, control);
4866 }
4867
4868 l2cap_ertm_send(chan);
4869 } else if (control->poll) {
4870 l2cap_send_i_or_rr_or_rnr(chan);
4871 } else {
4872 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4873 &chan->conn_state) &&
4874 chan->unacked_frames)
4875 __set_retrans_timer(chan);
4876
4877 l2cap_ertm_send(chan);
4878 }
4879 break;
4880 case L2CAP_EV_RECV_RNR:
4881 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4882 l2cap_pass_to_tx(chan, control);
4883 if (control && control->poll) {
4884 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4885 l2cap_send_rr_or_rnr(chan, 0);
4886 }
4887 __clear_retrans_timer(chan);
4888 l2cap_seq_list_clear(&chan->retrans_list);
4889 break;
4890 case L2CAP_EV_RECV_REJ:
4891 l2cap_handle_rej(chan, control);
4892 break;
4893 case L2CAP_EV_RECV_SREJ:
4894 l2cap_handle_srej(chan, control);
4895 break;
4896 default:
4897 break;
4898 }
4899
4900 if (skb && !skb_in_use) {
4901 BT_DBG("Freeing %p", skb);
4902 kfree_skb(skb);
4903 }
4904
4905 return err;
4906}
4907
4908static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4909 struct l2cap_ctrl *control,
4910 struct sk_buff *skb, u8 event)
4911{
4912 int err = 0;
4913 u16 txseq = control->txseq;
4914 bool skb_in_use = 0;
4915
4916 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4917 event);
4918
4919 switch (event) {
4920 case L2CAP_EV_RECV_IFRAME:
4921 switch (l2cap_classify_txseq(chan, txseq)) {
4922 case L2CAP_TXSEQ_EXPECTED:
4923 /* Keep frame for reassembly later */
4924 l2cap_pass_to_tx(chan, control);
4925 skb_queue_tail(&chan->srej_q, skb);
4926 skb_in_use = 1;
4927 BT_DBG("Queued %p (queue len %d)", skb,
4928 skb_queue_len(&chan->srej_q));
4929
4930 chan->expected_tx_seq = __next_seq(chan, txseq);
4931 break;
4932 case L2CAP_TXSEQ_EXPECTED_SREJ:
4933 l2cap_seq_list_pop(&chan->srej_list);
4934
4935 l2cap_pass_to_tx(chan, control);
4936 skb_queue_tail(&chan->srej_q, skb);
4937 skb_in_use = 1;
4938 BT_DBG("Queued %p (queue len %d)", skb,
4939 skb_queue_len(&chan->srej_q));
4940
4941 err = l2cap_rx_queued_iframes(chan);
4942 if (err)
4943 break;
4944
4945 break;
4946 case L2CAP_TXSEQ_UNEXPECTED:
4947 /* Got a frame that can't be reassembled yet.
4948 * Save it for later, and send SREJs to cover
4949 * the missing frames.
4950 */
4951 skb_queue_tail(&chan->srej_q, skb);
4952 skb_in_use = 1;
4953 BT_DBG("Queued %p (queue len %d)", skb,
4954 skb_queue_len(&chan->srej_q));
4955
4956 l2cap_pass_to_tx(chan, control);
4957 l2cap_send_srej(chan, control->txseq);
4958 break;
4959 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4960 /* This frame was requested with an SREJ, but
4961 * some expected retransmitted frames are
4962 * missing. Request retransmission of missing
4963 * SREJ'd frames.
4964 */
4965 skb_queue_tail(&chan->srej_q, skb);
4966 skb_in_use = 1;
4967 BT_DBG("Queued %p (queue len %d)", skb,
4968 skb_queue_len(&chan->srej_q));
4969
4970 l2cap_pass_to_tx(chan, control);
4971 l2cap_send_srej_list(chan, control->txseq);
4972 break;
4973 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4974 /* We've already queued this frame. Drop this copy. */
4975 l2cap_pass_to_tx(chan, control);
4976 break;
4977 case L2CAP_TXSEQ_DUPLICATE:
4978 /* Expecting a later sequence number, so this frame
4979 * was already received. Ignore it completely.
4980 */
4981 break;
4982 case L2CAP_TXSEQ_INVALID_IGNORE:
4983 break;
4984 case L2CAP_TXSEQ_INVALID:
4985 default:
4986 l2cap_send_disconn_req(chan->conn, chan,
4987 ECONNRESET);
4988 break;
4989 }
4990 break;
4991 case L2CAP_EV_RECV_RR:
4992 l2cap_pass_to_tx(chan, control);
4993 if (control->final) {
4994 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4995
4996 if (!test_and_clear_bit(CONN_REJ_ACT,
4997 &chan->conn_state)) {
4998 control->final = 0;
4999 l2cap_retransmit_all(chan, control);
5000 }
5001
5002 l2cap_ertm_send(chan);
5003 } else if (control->poll) {
5004 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5005 &chan->conn_state) &&
5006 chan->unacked_frames) {
5007 __set_retrans_timer(chan);
5008 }
5009
5010 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5011 l2cap_send_srej_tail(chan);
5012 } else {
5013 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5014 &chan->conn_state) &&
5015 chan->unacked_frames)
5016 __set_retrans_timer(chan);
5017
5018 l2cap_send_ack(chan);
5019 }
5020 break;
5021 case L2CAP_EV_RECV_RNR:
5022 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5023 l2cap_pass_to_tx(chan, control);
5024 if (control->poll) {
5025 l2cap_send_srej_tail(chan);
5026 } else {
5027 struct l2cap_ctrl rr_control;
5028 memset(&rr_control, 0, sizeof(rr_control));
5029 rr_control.sframe = 1;
5030 rr_control.super = L2CAP_SUPER_RR;
5031 rr_control.reqseq = chan->buffer_seq;
5032 l2cap_send_sframe(chan, &rr_control);
5033 }
5034
5035 break;
5036 case L2CAP_EV_RECV_REJ:
5037 l2cap_handle_rej(chan, control);
5038 break;
5039 case L2CAP_EV_RECV_SREJ:
5040 l2cap_handle_srej(chan, control);
5041 break;
5042 }
5043
5044 if (skb && !skb_in_use) {
5045 BT_DBG("Freeing %p", skb);
5046 kfree_skb(skb);
5047 }
5048
5049 return err;
5050}
5051
5052static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5053{
5054 /* Make sure reqseq is for a packet that has been sent but not acked */
5055 u16 unacked;
5056
5057 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5058 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5059}
5060
cec8ab6e
MM		 5061static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5062 struct sk_buff *skb, u8 event)
218bb9df 5063{
d2a7ac5d
MM		 5064 int err = 0;
5065
5066 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5067 control, skb, event, chan->rx_state);
5068
5069 if (__valid_reqseq(chan, control->reqseq)) {
5070 switch (chan->rx_state) {
5071 case L2CAP_RX_STATE_RECV:
5072 err = l2cap_rx_state_recv(chan, control, skb, event);
5073 break;
5074 case L2CAP_RX_STATE_SREJ_SENT:
5075 err = l2cap_rx_state_srej_sent(chan, control, skb,
5076 event);
5077 break;
5078 default:
5079 /* shut it down */
5080 break;
5081 }
5082 } else {
5083 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5084 control->reqseq, chan->next_tx_seq,
5085 chan->expected_ack_seq);
5086 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5087 }
5088
5089 return err;
cec8ab6e
MM		 5090}
5091
5092static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5093 struct sk_buff *skb)
5094{
4b51dae9
MM		 5095 int err = 0;
5096
5097 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5098 chan->rx_state);
5099
5100 if (l2cap_classify_txseq(chan, control->txseq) ==
5101 L2CAP_TXSEQ_EXPECTED) {
5102 l2cap_pass_to_tx(chan, control);
5103
5104 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5105 __next_seq(chan, chan->buffer_seq));
5106
5107 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5108
5109 l2cap_reassemble_sdu(chan, skb, control);
5110 } else {
5111 if (chan->sdu) {
5112 kfree_skb(chan->sdu);
5113 chan->sdu = NULL;
5114 }
5115 chan->sdu_last_frag = NULL;
5116 chan->sdu_len = 0;
5117
5118 if (skb) {
5119 BT_DBG("Freeing %p", skb);
5120 kfree_skb(skb);
5121 }
5122 }
5123
5124 chan->last_acked_seq = control->txseq;
5125 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5126
5127 return err;
cec8ab6e
MM		 5128}
5129
5130static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5131{
5132 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5133 u16 len;
5134 u8 event;
218bb9df 5135
b76bbd66
MM		 5136 __unpack_control(chan, skb);
5137
218bb9df
GP		 5138 len = skb->len;
5139
5140 /*
5141 * We can just drop the corrupted I-frame here.
5142 * Receiver will miss it and start proper recovery
cec8ab6e 5143 * procedures and ask for retransmission.
218bb9df 5144 */
47d1ec61 5145 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5146 goto drop;
5147
cec8ab6e 5148 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5149 len -= L2CAP_SDULEN_SIZE;
218bb9df 5150
47d1ec61 5151 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5152 len -= L2CAP_FCS_SIZE;
218bb9df 5153
47d1ec61 5154 if (len > chan->mps) {
8c1d787b 5155 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5156 goto drop;
5157 }
5158
cec8ab6e
MM		 5159 if (!control->sframe) {
5160 int err;
218bb9df 5161
cec8ab6e
MM		 5162 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5163 control->sar, control->reqseq, control->final,
5164 control->txseq);
218bb9df 5165
cec8ab6e
MM		 5166 /* Validate F-bit - F=0 always valid, F=1 only
5167 * valid in TX WAIT_F
5168 */
5169 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5170 goto drop;
cec8ab6e
MM		 5171
5172 if (chan->mode != L2CAP_MODE_STREAMING) {
5173 event = L2CAP_EV_RECV_IFRAME;
5174 err = l2cap_rx(chan, control, skb, event);
5175 } else {
5176 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5177 }
5178
cec8ab6e
MM		 5179 if (err)
5180 l2cap_send_disconn_req(chan->conn, chan,
5181 ECONNRESET);
218bb9df 5182 } else {
cec8ab6e
MM		 5183 const u8 rx_func_to_event[4] = {
5184 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5185 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5186 };
5187
5188 /* Only I-frames are expected in streaming mode */
5189 if (chan->mode == L2CAP_MODE_STREAMING)
5190 goto drop;
5191
5192 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5193 control->reqseq, control->final, control->poll,
5194 control->super);
5195
218bb9df
GP		 5196 if (len != 0) {
5197 BT_ERR("%d", len);
8c1d787b 5198 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5199 goto drop;
5200 }
5201
cec8ab6e
MM		 5202 /* Validate F and P bits */
5203 if (control->final && (control->poll ||
5204 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5205 goto drop;
5206
5207 event = rx_func_to_event[control->super];
5208 if (l2cap_rx(chan, control, skb, event))
5209 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5210 }
5211
5212 return 0;
5213
5214drop:
5215 kfree_skb(skb);
5216 return 0;
5217}
5218
13ca56e0
AE		 5219static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5220 struct sk_buff *skb)
1da177e4 5221{
48454079 5222 struct l2cap_chan *chan;
1da177e4 5223
baa7e1fa 5224 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5225 if (!chan) {
97e8e89d
AE		 5226 if (cid == L2CAP_CID_A2MP) {
5227 chan = a2mp_channel_create(conn, skb);
5228 if (!chan) {
5229 kfree_skb(skb);
13ca56e0 5230 return;
97e8e89d
AE		 5231 }
5232
5233 l2cap_chan_lock(chan);
5234 } else {
5235 BT_DBG("unknown cid 0x%4.4x", cid);
5236 /* Drop packet and return */
5237 kfree_skb(skb);
13ca56e0 5238 return;
97e8e89d 5239 }
1da177e4
LT		 5240 }
5241
49208c9c 5242 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5243
89bc500e 5244 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5245 goto drop;
5246
0c1bc5c6 5247 switch (chan->mode) {
1c2acffb
GP		 5248 case L2CAP_MODE_BASIC:
5249 /* If socket recv buffers overflows we drop data here
5250 * which is *bad* because L2CAP has to be reliable.
5251 * But we don't have any other choice. L2CAP doesn't
5252 * provide flow control mechanism. */
1da177e4 5253
0c1bc5c6 5254 if (chan->imtu < skb->len)
1c2acffb 5255 goto drop;
1da177e4 5256
80b98027 5257 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5258 goto done;
5259 break;
5260
5261 case L2CAP_MODE_ERTM:
6840ed07 5262 case L2CAP_MODE_STREAMING:
cec8ab6e 5263 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5264 goto done;
5265
1c2acffb 5266 default:
0c1bc5c6 5267 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5268 break;
5269 }
1da177e4
LT		 5270
5271drop:
5272 kfree_skb(skb);
5273
5274done:
6be36555 5275 l2cap_chan_unlock(chan);
1da177e4
LT		 5276}
5277
84104b24
AE		 5278static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5279 struct sk_buff *skb)
1da177e4 5280{
23691d75 5281 struct l2cap_chan *chan;
1da177e4 5282
c2287681 5283 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5284 if (!chan)
1da177e4
LT		 5285 goto drop;
5286
5b4cedaa 5287 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5288
89bc500e 5289 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5290 goto drop;
5291
e13e21dc 5292 if (chan->imtu < skb->len)
1da177e4
LT		 5293 goto drop;
5294
80b98027 5295 if (!chan->ops->recv(chan, skb))
84104b24 5296 return;
1da177e4
LT		 5297
5298drop:
5299 kfree_skb(skb);
1da177e4
LT		 5300}
5301
6810fca7
AE		 5302static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5303 struct sk_buff *skb)
9f69bda6 5304{
23691d75 5305 struct l2cap_chan *chan;
9f69bda6 5306
c2287681 5307 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5308 if (!chan)
9f69bda6
GP		 5309 goto drop;
5310
5b4cedaa 5311 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5312
89bc500e 5313 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5314 goto drop;
5315
e13e21dc 5316 if (chan->imtu < skb->len)
9f69bda6
GP		 5317 goto drop;
5318
80b98027 5319 if (!chan->ops->recv(chan, skb))
6810fca7 5320 return;
9f69bda6
GP		 5321
5322drop:
5323 kfree_skb(skb);
9f69bda6
GP		 5324}
5325
1da177e4
LT		 5326static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5327{
5328 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5329 u16 cid, len;
5330 __le16 psm;
1da177e4
LT		 5331
5332 skb_pull(skb, L2CAP_HDR_SIZE);
5333 cid = __le16_to_cpu(lh->cid);
5334 len = __le16_to_cpu(lh->len);
5335
1c2acffb
GP		 5336 if (len != skb->len) {
5337 kfree_skb(skb);
5338 return;
5339 }
5340
1da177e4
LT		 5341 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5342
5343 switch (cid) {
3300d9a9 5344 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5345 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5346 l2cap_sig_channel(conn, skb);
5347 break;
5348
8db4dc46 5349 case L2CAP_CID_CONN_LESS:
097db76c 5350 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5351 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5352 l2cap_conless_channel(conn, psm, skb);
5353 break;
5354
9f69bda6
GP		 5355 case L2CAP_CID_LE_DATA:
5356 l2cap_att_channel(conn, cid, skb);
5357 break;
5358
b501d6a1
AB		 5359 case L2CAP_CID_SMP:
5360 if (smp_sig_channel(conn, skb))
5361 l2cap_conn_del(conn->hcon, EACCES);
5362 break;
5363
1da177e4
LT		 5364 default:
5365 l2cap_data_channel(conn, cid, skb);
5366 break;
5367 }
5368}
5369
5370/* ---- L2CAP interface with lower layer (HCI) ---- */
5371
686ebf28 5372int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5373{
5374 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5375 struct l2cap_chan *c;
1da177e4 5376
6ed93dc6 5377 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5378
5379 /* Find listening sockets and check their link_mode */
23691d75
GP		 5380 read_lock(&chan_list_lock);
5381 list_for_each_entry(c, &chan_list, global_l) {
5382 struct sock *sk = c->sk;
4343478f 5383
89bc500e 5384 if (c->state != BT_LISTEN)
1da177e4
LT		 5385 continue;
5386
5387 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5388 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5389 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5390 lm1 |= HCI_LM_MASTER;
1da177e4 5391 exact++;
2af6b9d5
MH		 5392 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5393 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5394 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5395 lm2 |= HCI_LM_MASTER;
5396 }
1da177e4 5397 }
23691d75 5398 read_unlock(&chan_list_lock);
1da177e4
LT		 5399
5400 return exact ? lm1 : lm2;
5401}
5402
9e664631 5403void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5404{
0139418c
MH		 5405 struct l2cap_conn *conn;
5406
6ed93dc6 5407 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5408
1da177e4 5409 if (!status) {
1da177e4
LT		 5410 conn = l2cap_conn_add(hcon, status);
5411 if (conn)
5412 l2cap_conn_ready(conn);
0139418c 5413 } else
e175072f 5414 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5415
1da177e4
LT		 5416}
5417
686ebf28 5418int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5419{
5420 struct l2cap_conn *conn = hcon->l2cap_data;
5421
5422 BT_DBG("hcon %p", hcon);
5423
686ebf28 5424 if (!conn)
9f5a0d7b 5425 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5426 return conn->disc_reason;
5427}
5428
9e664631 5429void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5430{
5431 BT_DBG("hcon %p reason %d", hcon, reason);
5432
e175072f 5433 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5434}
5435
4343478f 5436static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5437{
715ec005 5438 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5439 return;
5440
f62e4323 5441 if (encrypt == 0x00) {
4343478f 5442 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5443 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5444 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5445 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5446 } else {
4343478f 5447 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5448 __clear_chan_timer(chan);
f62e4323
MH		 5449 }
5450}
5451
686ebf28 5452int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5453{
0139418c 5454 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5455 struct l2cap_chan *chan;
1da177e4 5456
0139418c 5457 if (!conn)
1da177e4 5458 return 0;
0139418c 5459
89d8b407 5460 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5461
160dc6ac 5462 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5463 if (!status && encrypt)
5464 smp_distribute_keys(conn, 0);
17cd3f37 5465 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5466 }
5467
3df91ea2 5468 mutex_lock(&conn->chan_lock);
1da177e4 5469
3df91ea2 5470 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5471 l2cap_chan_lock(chan);
1da177e4 5472
89d8b407
AE		 5473 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5474 state_to_string(chan->state));
f1cb9af5 5475
78eb2f98
AE		 5476 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5477 l2cap_chan_unlock(chan);
5478 continue;
5479 }
5480
f1cb9af5
VCG		 5481 if (chan->scid == L2CAP_CID_LE_DATA) {
5482 if (!status && encrypt) {
5483 chan->sec_level = hcon->sec_level;
cf4cd009 5484 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5485 }
5486
6be36555 5487 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5488 continue;
5489 }
5490
c1360a1c 5491 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5492 l2cap_chan_unlock(chan);
6a8d3010
MH		 5493 continue;
5494 }
5495
89bc500e 5496 if (!status && (chan->state == BT_CONNECTED ||
2d792818 5497 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5498 struct sock *sk = chan->sk;
5499
c5daa683 5500 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5501 sk->sk_state_change(sk);
5502
4343478f 5503 l2cap_check_encryption(chan, encrypt);
6be36555 5504 l2cap_chan_unlock(chan);
9719f8af
MH		 5505 continue;
5506 }
5507
89bc500e 5508 if (chan->state == BT_CONNECT) {
b1235d79 5509 if (!status) {
93c3e8f5 5510 l2cap_start_connection(chan);
b1235d79 5511 } else {
ba13ccd9 5512 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5513 }
89bc500e 5514 } else if (chan->state == BT_CONNECT2) {
6be36555 5515 struct sock *sk = chan->sk;
b1235d79 5516 struct l2cap_conn_rsp rsp;
df3c3931 5517 __u16 res, stat;
1da177e4 5518
6be36555
AE		 5519 lock_sock(sk);
5520
b1235d79 5521 if (!status) {
c5daa683
GP		 5522 if (test_bit(BT_SK_DEFER_SETUP,
5523 &bt_sk(sk)->flags)) {
df3c3931
JH		 5524 res = L2CAP_CR_PEND;
5525 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 5526 chan->ops->defer(chan);
df3c3931 5527 } else {
0e587be7 5528 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5529 res = L2CAP_CR_SUCCESS;
5530 stat = L2CAP_CS_NO_INFO;
5531 }
b1235d79 5532 } else {
0e587be7 5533 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5534 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5535 res = L2CAP_CR_SEC_BLOCK;
5536 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5537 }
5538
6be36555
AE		 5539 release_sock(sk);
5540
fe4128e0
GP		 5541 rsp.scid = cpu_to_le16(chan->dcid);
5542 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5543 rsp.result = cpu_to_le16(res);
5544 rsp.status = cpu_to_le16(stat);
fc7f8a7e 5545 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 5546 sizeof(rsp), &rsp);
2d369359
MM		 5547
5548 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5549 res == L2CAP_CR_SUCCESS) {
5550 char buf[128];
5551 set_bit(CONF_REQ_SENT, &chan->conf_state);
5552 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5553 L2CAP_CONF_REQ,
5554 l2cap_build_conf_req(chan, buf),
5555 buf);
5556 chan->num_conf_req++;
5557 }
b1235d79 5558 }
1da177e4 5559
6be36555 5560 l2cap_chan_unlock(chan);
1da177e4
LT		 5561 }
5562
3df91ea2 5563 mutex_unlock(&conn->chan_lock);
b1235d79 5564
1da177e4
LT		 5565 return 0;
5566}
5567
686ebf28 5568int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5569{
5570 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 5571 struct l2cap_hdr *hdr;
5572 int len;
1da177e4 5573
1d13a254
AE		 5574 /* For AMP controller do not create l2cap conn */
5575 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
5576 goto drop;
5577
5a08ecce
AE		 5578 if (!conn)
5579 conn = l2cap_conn_add(hcon, 0);
5580
5581 if (!conn)
1da177e4
LT		 5582 goto drop;
5583
5584 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5585
d73a0988
AE		 5586 switch (flags) {
5587 case ACL_START:
5588 case ACL_START_NO_FLUSH:
5589 case ACL_COMPLETE:
1da177e4
LT		 5590 if (conn->rx_len) {
5591 BT_ERR("Unexpected start frame (len %d)", skb->len);
5592 kfree_skb(conn->rx_skb);
5593 conn->rx_skb = NULL;
5594 conn->rx_len = 0;
5595 l2cap_conn_unreliable(conn, ECOMM);
5596 }
5597
aae7fe22
AE		 5598 /* Start fragment always begin with Basic L2CAP header */
5599 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5600 BT_ERR("Frame is too short (len %d)", skb->len);
5601 l2cap_conn_unreliable(conn, ECOMM);
5602 goto drop;
5603 }
5604
5605 hdr = (struct l2cap_hdr *) skb->data;
5606 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5607
5608 if (len == skb->len) {
5609 /* Complete frame received */
5610 l2cap_recv_frame(conn, skb);
5611 return 0;
5612 }
5613
5614 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5615
5616 if (skb->len > len) {
5617 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 5618 skb->len, len);
1da177e4
LT		 5619 l2cap_conn_unreliable(conn, ECOMM);
5620 goto drop;
5621 }
5622
5623 /* Allocate skb for the complete frame (with header) */
8bcde1f2 5624 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 5625 if (!conn->rx_skb)
1da177e4
LT		 5626 goto drop;
5627
d626f62b 5628 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5629 skb->len);
1da177e4 5630 conn->rx_len = len - skb->len;
d73a0988
AE		 5631 break;
5632
5633 case ACL_CONT:
1da177e4
LT		 5634 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5635
5636 if (!conn->rx_len) {
5637 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5638 l2cap_conn_unreliable(conn, ECOMM);
5639 goto drop;
5640 }
5641
5642 if (skb->len > conn->rx_len) {
5643 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 5644 skb->len, conn->rx_len);
1da177e4
LT		 5645 kfree_skb(conn->rx_skb);
5646 conn->rx_skb = NULL;
5647 conn->rx_len = 0;
5648 l2cap_conn_unreliable(conn, ECOMM);
5649 goto drop;
5650 }
5651
d626f62b 5652 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5653 skb->len);
1da177e4
LT		 5654 conn->rx_len -= skb->len;
5655
5656 if (!conn->rx_len) {
5657 /* Complete frame received */
5658 l2cap_recv_frame(conn, conn->rx_skb);
5659 conn->rx_skb = NULL;
5660 }
d73a0988 5661 break;
1da177e4
LT		 5662 }
5663
5664drop:
5665 kfree_skb(skb);
5666 return 0;
5667}
5668
aef7d97c 5669static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5670{
23691d75 5671 struct l2cap_chan *c;
1da177e4 5672
333055f2 5673 read_lock(&chan_list_lock);
1da177e4 5674
23691d75
GP		 5675 list_for_each_entry(c, &chan_list, global_l) {
5676 struct sock *sk = c->sk;
101545f6 5677
fcb73338
AE		 5678 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5679 &bt_sk(sk)->src, &bt_sk(sk)->dst,
5680 c->state, __le16_to_cpu(c->psm),
5681 c->scid, c->dcid, c->imtu, c->omtu,
5682 c->sec_level, c->mode);
61e1b4b7 5683 }
1da177e4 5684
333055f2 5685 read_unlock(&chan_list_lock);
1da177e4 5686
aef7d97c 5687 return 0;
1da177e4
LT		 5688}
5689
aef7d97c
MH		 5690static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5691{
5692 return single_open(file, l2cap_debugfs_show, inode->i_private);
5693}
5694
5695static const struct file_operations l2cap_debugfs_fops = {
5696 .open = l2cap_debugfs_open,
5697 .read = seq_read,
5698 .llseek = seq_lseek,
5699 .release = single_release,
5700};
5701
5702static struct dentry *l2cap_debugfs;
1da177e4 5703
64274518 5704int __init l2cap_init(void)
1da177e4
LT		 5705{
5706 int err;
be9d1227 5707
bb58f747 5708 err = l2cap_init_sockets();
1da177e4
LT		 5709 if (err < 0)
5710 return err;
5711
aef7d97c 5712 if (bt_debugfs) {
2d792818
GP		 5713 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
5714 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 5715 if (!l2cap_debugfs)
5716 BT_ERR("Failed to create L2CAP debug file");
5717 }
1da177e4 5718
1da177e4 5719 return 0;
1da177e4
LT		 5720}
5721
64274518 5722void l2cap_exit(void)
1da177e4 5723{
aef7d97c 5724 debugfs_remove(l2cap_debugfs);
bb58f747 5725 l2cap_cleanup_sockets();
1da177e4
LT		 5726}
5727
d1c4a17d
GP		 5728module_param(disable_ertm, bool, 0644);
5729MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)