projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add new ERTM receive states for channel move
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
23691d75 132static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 133{
23691d75 134 struct l2cap_chan *c;
9e4425ff 135
23691d75
GP		 136 list_for_each_entry(c, &chan_list, global_l) {
137 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 138 return c;
9e4425ff 139 }
250938cb 140 return NULL;
9e4425ff
GP		 141}
142
143int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
144{
73b2ec18
GP		 145 int err;
146
333055f2 147 write_lock(&chan_list_lock);
9e4425ff 148
23691d75 149 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 150 err = -EADDRINUSE;
151 goto done;
9e4425ff
GP		 152 }
153
73b2ec18
GP		 154 if (psm) {
155 chan->psm = psm;
156 chan->sport = psm;
157 err = 0;
158 } else {
159 u16 p;
160
161 err = -EINVAL;
162 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 163 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 164 chan->psm = cpu_to_le16(p);
165 chan->sport = cpu_to_le16(p);
166 err = 0;
167 break;
168 }
169 }
9e4425ff 170
73b2ec18 171done:
333055f2 172 write_unlock(&chan_list_lock);
73b2ec18 173 return err;
9e4425ff
GP		 174}
175
176int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
177{
333055f2 178 write_lock(&chan_list_lock);
9e4425ff
GP		 179
180 chan->scid = scid;
181
333055f2 182 write_unlock(&chan_list_lock);
9e4425ff
GP		 183
184 return 0;
185}
186
baa7e1fa 187static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 188{
8db4dc46 189 u16 cid = L2CAP_CID_DYN_START;
0139418c 190
8db4dc46 191 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 192 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 193 return cid;
194 }
195
196 return 0;
197}
198
0e587be7 199static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 200{
42d2d87c 201 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 202 state_to_string(state));
badaaa00 203
89bc500e 204 chan->state = state;
80b98027 205 chan->ops->state_change(chan, state);
89bc500e
GP		 206}
207
0e587be7
AE		 208static void l2cap_state_change(struct l2cap_chan *chan, int state)
209{
210 struct sock *sk = chan->sk;
211
212 lock_sock(sk);
213 __l2cap_state_change(chan, state);
214 release_sock(sk);
215}
216
2e0052e4
AE		 217static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
218{
219 struct sock *sk = chan->sk;
220
221 sk->sk_err = err;
222}
223
224static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
225{
226 struct sock *sk = chan->sk;
227
228 lock_sock(sk);
229 __l2cap_chan_set_err(chan, err);
230 release_sock(sk);
231}
232
4239d16f
MM		 233static void __set_retrans_timer(struct l2cap_chan *chan)
234{
235 if (!delayed_work_pending(&chan->monitor_timer) &&
236 chan->retrans_timeout) {
237 l2cap_set_timer(chan, &chan->retrans_timer,
238 msecs_to_jiffies(chan->retrans_timeout));
239 }
240}
241
242static void __set_monitor_timer(struct l2cap_chan *chan)
243{
244 __clear_retrans_timer(chan);
245 if (chan->monitor_timeout) {
246 l2cap_set_timer(chan, &chan->monitor_timer,
247 msecs_to_jiffies(chan->monitor_timeout));
248 }
249}
250
608bcc6d
MM		 251static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
252 u16 seq)
253{
254 struct sk_buff *skb;
255
256 skb_queue_walk(head, skb) {
257 if (bt_cb(skb)->control.txseq == seq)
258 return skb;
259 }
260
261 return NULL;
262}
263
3c588192
MM		 264/* ---- L2CAP sequence number lists ---- */
265
266/* For ERTM, ordered lists of sequence numbers must be tracked for
267 * SREJ requests that are received and for frames that are to be
268 * retransmitted. These seq_list functions implement a singly-linked
269 * list in an array, where membership in the list can also be checked
270 * in constant time. Items can also be added to the tail of the list
271 * and removed from the head in constant time, without further memory
272 * allocs or frees.
273 */
274
275static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
276{
277 size_t alloc_size, i;
278
279 /* Allocated size is a power of 2 to map sequence numbers
280 * (which may be up to 14 bits) in to a smaller array that is
281 * sized for the negotiated ERTM transmit windows.
282 */
283 alloc_size = roundup_pow_of_two(size);
284
285 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
286 if (!seq_list->list)
287 return -ENOMEM;
288
289 seq_list->mask = alloc_size - 1;
290 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
291 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
292 for (i = 0; i < alloc_size; i++)
293 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
294
295 return 0;
296}
297
298static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
299{
300 kfree(seq_list->list);
301}
302
303static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
304 u16 seq)
305{
306 /* Constant-time check for list membership */
307 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
308}
309
310static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
311{
312 u16 mask = seq_list->mask;
313
314 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
315 /* In case someone tries to pop the head of an empty list */
316 return L2CAP_SEQ_LIST_CLEAR;
317 } else if (seq_list->head == seq) {
318 /* Head can be removed in constant time */
319 seq_list->head = seq_list->list[seq & mask];
320 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
321
322 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
323 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
325 }
326 } else {
327 /* Walk the list to find the sequence number */
328 u16 prev = seq_list->head;
329 while (seq_list->list[prev & mask] != seq) {
330 prev = seq_list->list[prev & mask];
331 if (prev == L2CAP_SEQ_LIST_TAIL)
332 return L2CAP_SEQ_LIST_CLEAR;
333 }
334
335 /* Unlink the number from the list and clear it */
336 seq_list->list[prev & mask] = seq_list->list[seq & mask];
337 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
338 if (seq_list->tail == seq)
339 seq_list->tail = prev;
340 }
341 return seq;
342}
343
344static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
345{
346 /* Remove the head in constant time */
347 return l2cap_seq_list_remove(seq_list, seq_list->head);
348}
349
350static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
351{
f522ae36 352 u16 i;
3c588192 353
f522ae36
GP		 354 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
355 return;
356
357 for (i = 0; i <= seq_list->mask; i++)
358 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
359
360 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
361 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 362}
363
364static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
365{
366 u16 mask = seq_list->mask;
367
368 /* All appends happen in constant time */
369
f522ae36
GP		 370 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
371 return;
3c588192 372
f522ae36
GP		 373 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
374 seq_list->head = seq;
375 else
376 seq_list->list[seq_list->tail & mask] = seq;
377
378 seq_list->tail = seq;
379 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 380}
381
721c4181 382static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 383{
721c4181 384 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 385 chan_timer.work);
3df91ea2 386 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 387 int reason;
388
e05dcc32 389 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 390
3df91ea2 391 mutex_lock(&conn->chan_lock);
6be36555 392 l2cap_chan_lock(chan);
ab07801d 393
89bc500e 394 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 395 reason = ECONNREFUSED;
89bc500e 396 else if (chan->state == BT_CONNECT &&
2d792818 397 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 398 reason = ECONNREFUSED;
399 else
400 reason = ETIMEDOUT;
401
0f852724 402 l2cap_chan_close(chan, reason);
ab07801d 403
6be36555 404 l2cap_chan_unlock(chan);
ab07801d 405
80b98027 406 chan->ops->close(chan);
3df91ea2
AE		 407 mutex_unlock(&conn->chan_lock);
408
371fd835 409 l2cap_chan_put(chan);
ab07801d
GP		 410}
411
eef1d9b6 412struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 413{
414 struct l2cap_chan *chan;
415
416 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
417 if (!chan)
418 return NULL;
419
c03b355e
AE		 420 mutex_init(&chan->lock);
421
333055f2 422 write_lock(&chan_list_lock);
23691d75 423 list_add(&chan->global_l, &chan_list);
333055f2 424 write_unlock(&chan_list_lock);
23691d75 425
721c4181 426 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 427
89bc500e
GP		 428 chan->state = BT_OPEN;
429
144ad330 430 kref_init(&chan->kref);
71ba0e56 431
2827011f
MM		 432 /* This flag is cleared in l2cap_chan_ready() */
433 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
434
eef1d9b6 435 BT_DBG("chan %p", chan);
abc545b8 436
48454079
GP		 437 return chan;
438}
439
144ad330 440static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 441{
144ad330
SS		 442 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
443
4af66c69
JK		 444 BT_DBG("chan %p", chan);
445
333055f2 446 write_lock(&chan_list_lock);
23691d75 447 list_del(&chan->global_l);
333055f2 448 write_unlock(&chan_list_lock);
23691d75 449
4af66c69 450 kfree(chan);
6ff5abbf
GP		 451}
452
30648372
JK		 453void l2cap_chan_hold(struct l2cap_chan *c)
454{
144ad330 455 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 456
144ad330 457 kref_get(&c->kref);
30648372
JK		 458}
459
460void l2cap_chan_put(struct l2cap_chan *c)
461{
144ad330 462 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 463
144ad330 464 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 465}
466
bd4b1653
AE		 467void l2cap_chan_set_defaults(struct l2cap_chan *chan)
468{
469 chan->fcs = L2CAP_FCS_CRC16;
470 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
471 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
472 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 473 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 474 chan->sec_level = BT_SECURITY_LOW;
475
476 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
477}
478
93c3e8f5 479void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 480{
af05b30b 481 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 482 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 483
9f5a0d7b 484 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 485
8c1d787b 486 chan->conn = conn;
0139418c 487
5491120e
AE		 488 switch (chan->chan_type) {
489 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 490 if (conn->hcon->type == LE_LINK) {
491 /* LE connection */
6fcb06a2 492 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 493 chan->scid = L2CAP_CID_LE_DATA;
494 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 495 } else {
496 /* Alloc CID for connection-oriented socket */
fe4128e0 497 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 498 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 499 }
5491120e
AE		 500 break;
501
502 case L2CAP_CHAN_CONN_LESS:
0139418c 503 /* Connectionless socket */
fe4128e0
GP		 504 chan->scid = L2CAP_CID_CONN_LESS;
505 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 506 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 507 break;
508
416fa752
AE		 509 case L2CAP_CHAN_CONN_FIX_A2MP:
510 chan->scid = L2CAP_CID_A2MP;
511 chan->dcid = L2CAP_CID_A2MP;
512 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
513 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
514 break;
515
5491120e 516 default:
0139418c 517 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_SIGNALING;
519 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 521 }
522
8f7975b1
AE		 523 chan->local_id = L2CAP_BESTEFFORT_ID;
524 chan->local_stype = L2CAP_SERV_BESTEFFORT;
525 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
526 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
527 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 528 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 529
371fd835 530 l2cap_chan_hold(chan);
baa7e1fa 531
3df91ea2 532 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 533}
534
466f8004 535void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 536{
537 mutex_lock(&conn->chan_lock);
538 __l2cap_chan_add(conn, chan);
3df91ea2 539 mutex_unlock(&conn->chan_lock);
0139418c
MH		 540}
541
466f8004 542void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 543{
8c1d787b 544 struct l2cap_conn *conn = chan->conn;
0139418c 545
c9b66675 546 __clear_chan_timer(chan);
0139418c 547
49208c9c 548 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 549
8e87d142 550 if (conn) {
56f60984 551 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 552 /* Delete from channel list */
3df91ea2 553 list_del(&chan->list);
3d57dc68 554
371fd835 555 l2cap_chan_put(chan);
baa7e1fa 556
8c1d787b 557 chan->conn = NULL;
3cabbfda
AE		 558
559 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
560 hci_conn_put(conn->hcon);
56f60984
AE		 561
562 if (mgr && mgr->bredr_chan == chan)
563 mgr->bredr_chan = NULL;
0139418c
MH		 564 }
565
b699ec0d 566 chan->ops->teardown(chan, err);
6be36555 567
2827011f 568 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 569 return;
2ead70b8 570
ee556f66
GP		 571 switch(chan->mode) {
572 case L2CAP_MODE_BASIC:
573 break;
c13ffa62 574
ee556f66 575 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 576 __clear_retrans_timer(chan);
577 __clear_monitor_timer(chan);
578 __clear_ack_timer(chan);
c13ffa62 579
f1c6775b 580 skb_queue_purge(&chan->srej_q);
c13ffa62 581
3c588192
MM		 582 l2cap_seq_list_free(&chan->srej_list);
583 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 584
585 /* fall through */
586
587 case L2CAP_MODE_STREAMING:
588 skb_queue_purge(&chan->tx_q);
589 break;
c13ffa62 590 }
ee556f66
GP		 591
592 return;
0139418c
MH		 593}
594
0f852724 595void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 596{
597 struct l2cap_conn *conn = chan->conn;
598 struct sock *sk = chan->sk;
599
2d792818
GP		 600 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
601 sk);
4519de9a 602
89bc500e 603 switch (chan->state) {
4519de9a 604 case BT_LISTEN:
b699ec0d 605 chan->ops->teardown(chan, 0);
4519de9a
GP		 606 break;
607
608 case BT_CONNECTED:
609 case BT_CONFIG:
715ec005 610 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 611 conn->hcon->type == ACL_LINK) {
c9b66675 612 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 613 l2cap_send_disconn_req(conn, chan, reason);
614 } else
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT2:
715ec005 619 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 620 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 621 struct l2cap_conn_rsp rsp;
622 __u16 result;
623
c5daa683 624 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 625 result = L2CAP_CR_SEC_BLOCK;
626 else
627 result = L2CAP_CR_BAD_PSM;
89bc500e 628 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 629
630 rsp.scid = cpu_to_le16(chan->dcid);
631 rsp.dcid = cpu_to_le16(chan->scid);
632 rsp.result = cpu_to_le16(result);
ac73498c 633 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 634 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 635 sizeof(rsp), &rsp);
4519de9a
GP		 636 }
637
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT:
642 case BT_DISCONN:
643 l2cap_chan_del(chan, reason);
644 break;
645
646 default:
b699ec0d 647 chan->ops->teardown(chan, 0);
4519de9a
GP		 648 break;
649 }
650}
651
4343478f 652static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 653{
715ec005 654 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 655 switch (chan->sec_level) {
8556edd3
JH		 656 case BT_SECURITY_HIGH:
657 return HCI_AT_DEDICATED_BONDING_MITM;
658 case BT_SECURITY_MEDIUM:
659 return HCI_AT_DEDICATED_BONDING;
660 default:
661 return HCI_AT_NO_BONDING;
662 }
2983fd68 663 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 664 if (chan->sec_level == BT_SECURITY_LOW)
665 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 666
4343478f 667 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 668 return HCI_AT_NO_BONDING_MITM;
00ae4af9 669 else
8556edd3 670 return HCI_AT_NO_BONDING;
00ae4af9 671 } else {
4343478f 672 switch (chan->sec_level) {
00ae4af9 673 case BT_SECURITY_HIGH:
8556edd3 674 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 675 case BT_SECURITY_MEDIUM:
8556edd3 676 return HCI_AT_GENERAL_BONDING;
00ae4af9 677 default:
8556edd3 678 return HCI_AT_NO_BONDING;
00ae4af9 679 }
0684e5f9 680 }
8556edd3
JH		 681}
682
683/* Service level security */
d45fc423 684int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 685{
8c1d787b 686 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 687 __u8 auth_type;
688
4343478f 689 auth_type = l2cap_get_auth_type(chan);
79d554a6 690
4343478f 691 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 692}
693
b5ad8b7f 694static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 695{
696 u8 id;
697
698 /* Get next available identificator.
699 * 1 - 128 are used by kernel.
700 * 129 - 199 are reserved.
701 * 200 - 254 are used by utilities like l2ping, etc.
702 */
703
333055f2 704 spin_lock(&conn->lock);
4e8402a3
MH		 705
706 if (++conn->tx_ident > 128)
707 conn->tx_ident = 1;
708
709 id = conn->tx_ident;
710
333055f2 711 spin_unlock(&conn->lock);
4e8402a3
MH		 712
713 return id;
714}
715
2d792818
GP		 716static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
717 void *data)
4e8402a3
MH		 718{
719 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 720 u8 flags;
4e8402a3
MH		 721
722 BT_DBG("code 0x%2.2x", code);
723
724 if (!skb)
9a9c6a34 725 return;
4e8402a3 726
e702112f
AE		 727 if (lmp_no_flush_capable(conn->hcon->hdev))
728 flags = ACL_START_NO_FLUSH;
729 else
730 flags = ACL_START;
731
14b12d0b 732 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 733 skb->priority = HCI_PRIO_MAX;
14b12d0b 734
73d80deb
LAD		 735 hci_send_acl(conn->hchan, skb, flags);
736}
737
02b0fbb9
MM		 738static bool __chan_is_moving(struct l2cap_chan *chan)
739{
740 return chan->move_state != L2CAP_MOVE_STABLE &&
741 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
742}
743
73d80deb
LAD		 744static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
745{
746 struct hci_conn *hcon = chan->conn->hcon;
747 u16 flags;
748
749 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 750 skb->priority);
73d80deb
LAD		 751
752 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 753 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 754 flags = ACL_START_NO_FLUSH;
755 else
756 flags = ACL_START;
14b12d0b 757
73d80deb
LAD		 758 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
759 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 760}
761
b76bbd66
MM		 762static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
763{
764 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
765 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
766
767 if (enh & L2CAP_CTRL_FRAME_TYPE) {
768 /* S-Frame */
769 control->sframe = 1;
770 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
771 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
772
773 control->sar = 0;
774 control->txseq = 0;
775 } else {
776 /* I-Frame */
777 control->sframe = 0;
778 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
779 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
780
781 control->poll = 0;
782 control->super = 0;
783 }
784}
785
b76bbd66
MM		 786static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
787{
788 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
789 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
790
791 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
792 /* S-Frame */
793 control->sframe = 1;
794 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
795 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
796
797 control->sar = 0;
798 control->txseq = 0;
799 } else {
800 /* I-Frame */
801 control->sframe = 0;
802 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
803 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
804
805 control->poll = 0;
806 control->super = 0;
807 }
808}
809
810static inline void __unpack_control(struct l2cap_chan *chan,
811 struct sk_buff *skb)
812{
813 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
814 __unpack_extended_control(get_unaligned_le32(skb->data),
815 &bt_cb(skb)->control);
cec8ab6e 816 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 817 } else {
818 __unpack_enhanced_control(get_unaligned_le16(skb->data),
819 &bt_cb(skb)->control);
cec8ab6e 820 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 821 }
822}
823
b5c6aaed
MM		 824static u32 __pack_extended_control(struct l2cap_ctrl *control)
825{
826 u32 packed;
827
828 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
829 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
830
831 if (control->sframe) {
832 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
833 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
834 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
835 } else {
836 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
837 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
838 }
839
840 return packed;
841}
842
843static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
844{
845 u16 packed;
846
847 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
848 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
849
850 if (control->sframe) {
851 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
852 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
853 packed |= L2CAP_CTRL_FRAME_TYPE;
854 } else {
855 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
856 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
857 }
858
859 return packed;
860}
861
b76bbd66
MM		 862static inline void __pack_control(struct l2cap_chan *chan,
863 struct l2cap_ctrl *control,
864 struct sk_buff *skb)
865{
866 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
867 put_unaligned_le32(__pack_extended_control(control),
868 skb->data + L2CAP_HDR_SIZE);
869 } else {
870 put_unaligned_le16(__pack_enhanced_control(control),
871 skb->data + L2CAP_HDR_SIZE);
872 }
873}
874
ba7aa64f
GP		 875static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
876{
877 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
878 return L2CAP_EXT_HDR_SIZE;
879 else
880 return L2CAP_ENH_HDR_SIZE;
881}
882
a67d7f6f
MM		 883static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
884 u32 control)
b5c6aaed
MM		 885{
886 struct sk_buff *skb;
887 struct l2cap_hdr *lh;
ba7aa64f 888 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 889
890 if (chan->fcs == L2CAP_FCS_CRC16)
891 hlen += L2CAP_FCS_SIZE;
892
a67d7f6f 893 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 894
b5c6aaed 895 if (!skb)
a67d7f6f 896 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 897
898 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
899 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
900 lh->cid = cpu_to_le16(chan->dcid);
901
a67d7f6f
MM		 902 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
903 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
904 else
905 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 906
907 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 908 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 909 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
910 }
911
912 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 913 return skb;
914}
915
916static void l2cap_send_sframe(struct l2cap_chan *chan,
917 struct l2cap_ctrl *control)
918{
919 struct sk_buff *skb;
920 u32 control_field;
921
922 BT_DBG("chan %p, control %p", chan, control);
923
924 if (!control->sframe)
925 return;
926
927 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
928 !control->poll)
929 control->final = 1;
930
931 if (control->super == L2CAP_SUPER_RR)
932 clear_bit(CONN_RNR_SENT, &chan->conn_state);
933 else if (control->super == L2CAP_SUPER_RNR)
934 set_bit(CONN_RNR_SENT, &chan->conn_state);
935
936 if (control->super != L2CAP_SUPER_SREJ) {
937 chan->last_acked_seq = control->reqseq;
938 __clear_ack_timer(chan);
939 }
940
941 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
942 control->final, control->poll, control->super);
943
944 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
945 control_field = __pack_extended_control(control);
946 else
947 control_field = __pack_enhanced_control(control);
948
949 skb = l2cap_create_sframe_pdu(chan, control_field);
950 if (!IS_ERR(skb))
951 l2cap_do_send(chan, skb);
b5c6aaed
MM		 952}
953
c9e3d5e0 954static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 955{
c9e3d5e0
MM		 956 struct l2cap_ctrl control;
957
958 BT_DBG("chan %p, poll %d", chan, poll);
959
960 memset(&control, 0, sizeof(control));
961 control.sframe = 1;
962 control.poll = poll;
963
964 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
965 control.super = L2CAP_SUPER_RNR;
966 else
967 control.super = L2CAP_SUPER_RR;
b5c6aaed 968
c9e3d5e0
MM		 969 control.reqseq = chan->buffer_seq;
970 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 971}
972
b4450035 973static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 974{
c1360a1c 975 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 976}
977
93c3e8f5
AE		 978static bool __amp_capable(struct l2cap_chan *chan)
979{
980 struct l2cap_conn *conn = chan->conn;
981
982 if (enable_hs &&
983 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
984 conn->fixed_chan_mask & L2CAP_FC_A2MP)
985 return true;
986 else
987 return false;
988}
989
2766be48 990void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 991{
992 struct l2cap_conn *conn = chan->conn;
993 struct l2cap_conn_req req;
994
995 req.scid = cpu_to_le16(chan->scid);
996 req.psm = chan->psm;
997
998 chan->ident = l2cap_get_ident(conn);
999
1000 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1001
1002 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1003}
1004
02b0fbb9
MM		 1005static void l2cap_move_setup(struct l2cap_chan *chan)
1006{
1007 struct sk_buff *skb;
1008
1009 BT_DBG("chan %p", chan);
1010
1011 if (chan->mode != L2CAP_MODE_ERTM)
1012 return;
1013
1014 __clear_retrans_timer(chan);
1015 __clear_monitor_timer(chan);
1016 __clear_ack_timer(chan);
1017
1018 chan->retry_count = 0;
1019 skb_queue_walk(&chan->tx_q, skb) {
1020 if (bt_cb(skb)->control.retries)
1021 bt_cb(skb)->control.retries = 1;
1022 else
1023 break;
1024 }
1025
1026 chan->expected_tx_seq = chan->buffer_seq;
1027
1028 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1029 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1030 l2cap_seq_list_clear(&chan->retrans_list);
1031 l2cap_seq_list_clear(&chan->srej_list);
1032 skb_queue_purge(&chan->srej_q);
1033
1034 chan->tx_state = L2CAP_TX_STATE_XMIT;
1035 chan->rx_state = L2CAP_RX_STATE_MOVE;
1036
1037 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1038}
1039
9f0caeb1
VCG		 1040static void l2cap_chan_ready(struct l2cap_chan *chan)
1041{
2827011f 1042 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1043 chan->conf_state = 0;
1044 __clear_chan_timer(chan);
1045
54a59aa2 1046 chan->state = BT_CONNECTED;
9f0caeb1 1047
fd83e2c2 1048 chan->ops->ready(chan);
9f0caeb1
VCG		 1049}
1050
93c3e8f5
AE		 1051static void l2cap_start_connection(struct l2cap_chan *chan)
1052{
1053 if (__amp_capable(chan)) {
1054 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1055 a2mp_discover_amp(chan);
1056 } else {
1057 l2cap_send_conn_req(chan);
1058 }
1059}
1060
fc7f8a7e 1061static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1062{
8c1d787b 1063 struct l2cap_conn *conn = chan->conn;
79d554a6 1064
9f0caeb1
VCG		 1065 if (conn->hcon->type == LE_LINK) {
1066 l2cap_chan_ready(chan);
1067 return;
1068 }
1069
79d554a6 1070 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1071 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1072 return;
1073
d45fc423 1074 if (l2cap_chan_check_security(chan) &&
2d792818 1075 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1076 l2cap_start_connection(chan);
1077 }
79d554a6
MH		 1078 } else {
1079 struct l2cap_info_req req;
ac73498c 1080 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1081
1082 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1083 conn->info_ident = l2cap_get_ident(conn);
1084
ba13ccd9 1085 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1086
2d792818
GP		 1087 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1088 sizeof(req), &req);
79d554a6
MH		 1089 }
1090}
1091
cf6c2c0b
GP		 1092static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1093{
1094 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1095 if (!disable_ertm)
cf6c2c0b
GP		 1096 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1097
1098 switch (mode) {
1099 case L2CAP_MODE_ERTM:
1100 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1101 case L2CAP_MODE_STREAMING:
1102 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1103 default:
1104 return 0x00;
1105 }
1106}
1107
2d792818
GP		 1108static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1109 struct l2cap_chan *chan, int err)
22121fc9 1110{
6be36555 1111 struct sock *sk = chan->sk;
22121fc9
GP		 1112 struct l2cap_disconn_req req;
1113
c13ffa62
GP		 1114 if (!conn)
1115 return;
1116
aad3d0e3 1117 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1118 __clear_retrans_timer(chan);
1119 __clear_monitor_timer(chan);
1120 __clear_ack_timer(chan);
c13ffa62
GP		 1121 }
1122
416fa752 1123 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1124 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1125 return;
1126 }
1127
fe4128e0
GP		 1128 req.dcid = cpu_to_le16(chan->dcid);
1129 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1130 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1131 sizeof(req), &req);
c13ffa62 1132
6be36555 1133 lock_sock(sk);
0e587be7 1134 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1135 __l2cap_chan_set_err(chan, err);
6be36555 1136 release_sock(sk);
22121fc9
GP		 1137}
1138
1da177e4 1139/* ---- L2CAP connections ---- */
4e8402a3
MH		 1140static void l2cap_conn_start(struct l2cap_conn *conn)
1141{
3df91ea2 1142 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1143
1144 BT_DBG("conn %p", conn);
1145
3df91ea2 1146 mutex_lock(&conn->chan_lock);
4e8402a3 1147
3df91ea2 1148 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1149 struct sock *sk = chan->sk;
baa7e1fa 1150
6be36555 1151 l2cap_chan_lock(chan);
4e8402a3 1152
715ec005 1153 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1154 l2cap_chan_unlock(chan);
79d554a6
MH		 1155 continue;
1156 }
1157
89bc500e 1158 if (chan->state == BT_CONNECT) {
d45fc423 1159 if (!l2cap_chan_check_security(chan) ||
2d792818 1160 !__l2cap_no_conn_pending(chan)) {
6be36555 1161 l2cap_chan_unlock(chan);
47731de7
GP		 1162 continue;
1163 }
79d554a6 1164
c1360a1c 1165 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1166 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1167 &chan->conf_state)) {
89bc500e 1168 l2cap_chan_close(chan, ECONNRESET);
6be36555 1169 l2cap_chan_unlock(chan);
47731de7 1170 continue;
b1235d79 1171 }
47731de7 1172
93c3e8f5 1173 l2cap_start_connection(chan);
47731de7 1174
89bc500e 1175 } else if (chan->state == BT_CONNECT2) {
79d554a6 1176 struct l2cap_conn_rsp rsp;
e9aeb2dd 1177 char buf[128];
fe4128e0
GP		 1178 rsp.scid = cpu_to_le16(chan->dcid);
1179 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1180
d45fc423 1181 if (l2cap_chan_check_security(chan)) {
6be36555 1182 lock_sock(sk);
c5daa683
GP		 1183 if (test_bit(BT_SK_DEFER_SETUP,
1184 &bt_sk(sk)->flags)) {
ac73498c
AE		 1185 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1186 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1187 chan->ops->defer(chan);
f66dc81f
MH		 1188
1189 } else {
0e587be7 1190 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1191 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1192 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1193 }
6be36555 1194 release_sock(sk);
79d554a6 1195 } else {
ac73498c
AE		 1196 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1197 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1198 }
1199
fc7f8a7e 1200 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1201 sizeof(rsp), &rsp);
e9aeb2dd 1202
c1360a1c 1203 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1204 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1205 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1206 continue;
1207 }
1208
c1360a1c 1209 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1210 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1211 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1212 chan->num_conf_req++;
4e8402a3
MH		 1213 }
1214
6be36555 1215 l2cap_chan_unlock(chan);
4e8402a3
MH		 1216 }
1217
3df91ea2 1218 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1219}
1220
c2287681 1221/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1222 * Returns closest match, locked.
1223 */
d9b88702 1224static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1225 bdaddr_t *src,
1226 bdaddr_t *dst)
b62f328b 1227{
23691d75 1228 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1229
23691d75 1230 read_lock(&chan_list_lock);
b62f328b 1231
23691d75
GP		 1232 list_for_each_entry(c, &chan_list, global_l) {
1233 struct sock *sk = c->sk;
fe4128e0 1234
89bc500e 1235 if (state && c->state != state)
b62f328b
VT		 1236 continue;
1237
23691d75 1238 if (c->scid == cid) {
c2287681
IY		 1239 int src_match, dst_match;
1240 int src_any, dst_any;
1241
b62f328b 1242 /* Exact match. */
c2287681
IY		 1243 src_match = !bacmp(&bt_sk(sk)->src, src);
1244 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1245 if (src_match && dst_match) {
23691d75
GP		 1246 read_unlock(&chan_list_lock);
1247 return c;
1248 }
b62f328b
VT		 1249
1250 /* Closest match */
c2287681
IY		 1251 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1252 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1253 if ((src_match && dst_any) || (src_any && dst_match) ||
1254 (src_any && dst_any))
23691d75 1255 c1 = c;
b62f328b
VT		 1256 }
1257 }
280f294f 1258
23691d75 1259 read_unlock(&chan_list_lock);
b62f328b 1260
23691d75 1261 return c1;
b62f328b
VT		 1262}
1263
1264static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1265{
c916fbe4 1266 struct sock *parent, *sk;
23691d75 1267 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1268
1269 BT_DBG("");
1270
1271 /* Check if we have socket listening on cid */
23691d75 1272 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1273 conn->src, conn->dst);
23691d75 1274 if (!pchan)
b62f328b
VT		 1275 return;
1276
23691d75
GP		 1277 parent = pchan->sk;
1278
aa2ac881 1279 lock_sock(parent);
62f3a2cf 1280
80b98027 1281 chan = pchan->ops->new_connection(pchan);
80808e43 1282 if (!chan)
b62f328b
VT		 1283 goto clean;
1284
80808e43 1285 sk = chan->sk;
5d41ce1d 1286
b62f328b 1287 hci_conn_hold(conn->hcon);
a9ea3ed9 1288 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1289
b62f328b
VT		 1290 bacpy(&bt_sk(sk)->src, conn->src);
1291 bacpy(&bt_sk(sk)->dst, conn->dst);
1292
3d57dc68 1293 l2cap_chan_add(conn, chan);
48454079 1294
6754e0df 1295 l2cap_chan_ready(chan);
b62f328b 1296
b62f328b 1297clean:
aa2ac881 1298 release_sock(parent);
b62f328b
VT		 1299}
1300
4e8402a3
MH		 1301static void l2cap_conn_ready(struct l2cap_conn *conn)
1302{
48454079 1303 struct l2cap_chan *chan;
cc110922 1304 struct hci_conn *hcon = conn->hcon;
4e8402a3 1305
79d554a6 1306 BT_DBG("conn %p", conn);
4e8402a3 1307
cc110922 1308 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1309 l2cap_le_conn_ready(conn);
1310
cc110922
VCG		 1311 if (hcon->out && hcon->type == LE_LINK)
1312 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1313
3df91ea2 1314 mutex_lock(&conn->chan_lock);
4e8402a3 1315
3df91ea2 1316 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1317
6be36555 1318 l2cap_chan_lock(chan);
4e8402a3 1319
416fa752
AE		 1320 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1321 l2cap_chan_unlock(chan);
1322 continue;
1323 }
1324
cc110922
VCG		 1325 if (hcon->type == LE_LINK) {
1326 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1327 l2cap_chan_ready(chan);
acd7d370 1328
63128451 1329 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1330 struct sock *sk = chan->sk;
c9b66675 1331 __clear_chan_timer(chan);
6be36555 1332 lock_sock(sk);
0e587be7 1333 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1334 sk->sk_state_change(sk);
6be36555 1335 release_sock(sk);
b501d6a1 1336
89bc500e 1337 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1338 l2cap_do_start(chan);
4e8402a3 1339
6be36555 1340 l2cap_chan_unlock(chan);
4e8402a3 1341 }
79d554a6 1342
3df91ea2 1343 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1344}
1345
1346/* Notify sockets that we cannot guaranty reliability anymore */
1347static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1348{
48454079 1349 struct l2cap_chan *chan;
4e8402a3
MH		 1350
1351 BT_DBG("conn %p", conn);
1352
3df91ea2 1353 mutex_lock(&conn->chan_lock);
4e8402a3 1354
3df91ea2 1355 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1356 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1357 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1358 }
1359
3df91ea2 1360 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1361}
1362
f878fcad 1363static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1364{
f878fcad 1365 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1366 info_timer.work);
4e8402a3 1367
984947dc 1368 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1369 conn->info_ident = 0;
984947dc 1370
4e8402a3
MH		 1371 l2cap_conn_start(conn);
1372}
1373
5d3de7df
VCG		 1374static void l2cap_conn_del(struct hci_conn *hcon, int err)
1375{
1376 struct l2cap_conn *conn = hcon->l2cap_data;
1377 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1378
1379 if (!conn)
1380 return;
1381
1382 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1383
1384 kfree_skb(conn->rx_skb);
1385
3df91ea2
AE		 1386 mutex_lock(&conn->chan_lock);
1387
5d3de7df
VCG		 1388 /* Kill channels */
1389 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1390 l2cap_chan_hold(chan);
6be36555
AE		 1391 l2cap_chan_lock(chan);
1392
5d3de7df 1393 l2cap_chan_del(chan, err);
6be36555
AE		 1394
1395 l2cap_chan_unlock(chan);
1396
80b98027 1397 chan->ops->close(chan);
61d6ef3e 1398 l2cap_chan_put(chan);
5d3de7df
VCG		 1399 }
1400
3df91ea2
AE		 1401 mutex_unlock(&conn->chan_lock);
1402
73d80deb
LAD		 1403 hci_chan_del(conn->hchan);
1404
5d3de7df 1405 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1406 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1407
51a8efd7 1408 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1409 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1410 smp_chan_destroy(conn);
d26a2345 1411 }
5d3de7df
VCG		 1412
1413 hcon->l2cap_data = NULL;
1414 kfree(conn);
1415}
1416
6c9d42a1 1417static void security_timeout(struct work_struct *work)
5d3de7df 1418{
6c9d42a1 1419 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1420 security_timer.work);
5d3de7df 1421
d06cc416
JH		 1422 BT_DBG("conn %p", conn);
1423
1424 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1425 smp_chan_destroy(conn);
1426 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1427 }
5d3de7df
VCG		 1428}
1429
1da177e4
LT		 1430static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1431{
0139418c 1432 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1433 struct hci_chan *hchan;
1da177e4 1434
0139418c 1435 if (conn || status)
1da177e4
LT		 1436 return conn;
1437
73d80deb
LAD		 1438 hchan = hci_chan_create(hcon);
1439 if (!hchan)
1440 return NULL;
1441
8bcde1f2 1442 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1443 if (!conn) {
1444 hci_chan_del(hchan);
1da177e4 1445 return NULL;
73d80deb 1446 }
1da177e4
LT		 1447
1448 hcon->l2cap_data = conn;
1449 conn->hcon = hcon;
73d80deb 1450 conn->hchan = hchan;
1da177e4 1451
73d80deb 1452 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1453
dcc042d5
AE		 1454 switch (hcon->type) {
1455 case AMP_LINK:
1456 conn->mtu = hcon->hdev->block_mtu;
1457 break;
1458
1459 case LE_LINK:
1460 if (hcon->hdev->le_mtu) {
1461 conn->mtu = hcon->hdev->le_mtu;
1462 break;
1463 }
1464 /* fall through */
1465
1466 default:
acd7d370 1467 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1468 break;
1469 }
acd7d370 1470
1da177e4
LT		 1471 conn->src = &hcon->hdev->bdaddr;
1472 conn->dst = &hcon->dst;
1473
4e8402a3
MH		 1474 conn->feat_mask = 0;
1475
1da177e4 1476 spin_lock_init(&conn->lock);
3df91ea2 1477 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1478
1479 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1480
5d3de7df 1481 if (hcon->type == LE_LINK)
6c9d42a1 1482 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1483 else
030013d8 1484 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1485
9f5a0d7b 1486 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1487
1da177e4
LT		 1488 return conn;
1489}
1490
1da177e4 1491/* ---- Socket interface ---- */
1da177e4 1492
c2287681 1493/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1494 * Returns closest match.
1495 */
c2287681
IY		 1496static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1497 bdaddr_t *src,
1498 bdaddr_t *dst)
1da177e4 1499{
23691d75 1500 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1501
23691d75 1502 read_lock(&chan_list_lock);
e0f0cb56 1503
23691d75
GP		 1504 list_for_each_entry(c, &chan_list, global_l) {
1505 struct sock *sk = c->sk;
fe4128e0 1506
89bc500e 1507 if (state && c->state != state)
1da177e4
LT		 1508 continue;
1509
23691d75 1510 if (c->psm == psm) {
c2287681
IY		 1511 int src_match, dst_match;
1512 int src_any, dst_any;
1513
1da177e4 1514 /* Exact match. */
c2287681
IY		 1515 src_match = !bacmp(&bt_sk(sk)->src, src);
1516 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1517 if (src_match && dst_match) {
a7567b20 1518 read_unlock(&chan_list_lock);
23691d75
GP		 1519 return c;
1520 }
1da177e4
LT		 1521
1522 /* Closest match */
c2287681
IY		 1523 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1524 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1525 if ((src_match && dst_any) || (src_any && dst_match) ||
1526 (src_any && dst_any))
23691d75 1527 c1 = c;
1da177e4
LT		 1528 }
1529 }
1da177e4 1530
23691d75 1531 read_unlock(&chan_list_lock);
e0f0cb56 1532
23691d75 1533 return c1;
1da177e4
LT		 1534}
1535
8e9f9892
AG		 1536int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1537 bdaddr_t *dst, u8 dst_type)
1da177e4 1538{
5d41ce1d 1539 struct sock *sk = chan->sk;
1da177e4 1540 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1541 struct l2cap_conn *conn;
1542 struct hci_conn *hcon;
1543 struct hci_dev *hdev;
09ab6f4c 1544 __u8 auth_type;
44d0e48e 1545 int err;
1da177e4 1546
6ed93dc6 1547 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1548 dst_type, __le16_to_cpu(psm));
1da177e4 1549
af05b30b
GP		 1550 hdev = hci_get_route(dst, src);
1551 if (!hdev)
1da177e4
LT		 1552 return -EHOSTUNREACH;
1553
09fd0de5 1554 hci_dev_lock(hdev);
1da177e4 1555
6be36555 1556 l2cap_chan_lock(chan);
03a00194
GP		 1557
1558 /* PSM must be odd and lsb of upper byte must be 0 */
1559 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1560 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1561 err = -EINVAL;
1562 goto done;
1563 }
1564
1565 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1566 err = -EINVAL;
1567 goto done;
1568 }
1569
1570 switch (chan->mode) {
1571 case L2CAP_MODE_BASIC:
1572 break;
1573 case L2CAP_MODE_ERTM:
1574 case L2CAP_MODE_STREAMING:
1575 if (!disable_ertm)
1576 break;
1577 /* fall through */
1578 default:
1579 err = -ENOTSUPP;
1580 goto done;
1581 }
1582
0797e01d 1583 switch (chan->state) {
03a00194
GP		 1584 case BT_CONNECT:
1585 case BT_CONNECT2:
1586 case BT_CONFIG:
1587 /* Already connecting */
1588 err = 0;
1589 goto done;
1590
1591 case BT_CONNECTED:
1592 /* Already connected */
1593 err = -EISCONN;
1594 goto done;
1595
1596 case BT_OPEN:
1597 case BT_BOUND:
1598 /* Can connect */
1599 break;
1600
1601 default:
1602 err = -EBADFD;
1603 goto done;
1604 }
1605
1606 /* Set destination address and psm */
0797e01d 1607 lock_sock(sk);
9219b2a0 1608 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1609 release_sock(sk);
1610
03a00194
GP		 1611 chan->psm = psm;
1612 chan->dcid = cid;
1da177e4 1613
4343478f 1614 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1615
fe4128e0 1616 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1617 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1618 chan->sec_level, auth_type);
acd7d370 1619 else
8e9f9892 1620 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1621 chan->sec_level, auth_type);
acd7d370 1622
30e76272
VT		 1623 if (IS_ERR(hcon)) {
1624 err = PTR_ERR(hcon);
1da177e4 1625 goto done;
30e76272 1626 }
1da177e4
LT		 1627
1628 conn = l2cap_conn_add(hcon, 0);
1629 if (!conn) {
1630 hci_conn_put(hcon);
30e76272 1631 err = -ENOMEM;
1da177e4
LT		 1632 goto done;
1633 }
1634
9f0caeb1
VCG		 1635 if (hcon->type == LE_LINK) {
1636 err = 0;
1637
1638 if (!list_empty(&conn->chan_l)) {
1639 err = -EBUSY;
1640 hci_conn_put(hcon);
1641 }
1642
1643 if (err)
1644 goto done;
1645 }
1646
1da177e4
LT		 1647 /* Update source addr of the socket */
1648 bacpy(src, conn->src);
1649
6be36555 1650 l2cap_chan_unlock(chan);
48454079 1651 l2cap_chan_add(conn, chan);
6be36555 1652 l2cap_chan_lock(chan);
48454079 1653
6be36555 1654 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1655 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1656
1657 if (hcon->state == BT_CONNECTED) {
715ec005 1658 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1659 __clear_chan_timer(chan);
d45fc423 1660 if (l2cap_chan_check_security(chan))
6be36555 1661 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1662 } else
fc7f8a7e 1663 l2cap_do_start(chan);
1da177e4
LT		 1664 }
1665
30e76272
VT		 1666 err = 0;
1667
1da177e4 1668done:
6be36555 1669 l2cap_chan_unlock(chan);
09fd0de5 1670 hci_dev_unlock(hdev);
1da177e4
LT		 1671 hci_dev_put(hdev);
1672 return err;
1673}
1674
dcba0dba 1675int __l2cap_wait_ack(struct sock *sk)
6161c038 1676{
8c1d787b 1677 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1678 DECLARE_WAITQUEUE(wait, current);
1679 int err = 0;
1680 int timeo = HZ/5;
1681
2b0b05dd 1682 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1683 set_current_state(TASK_INTERRUPTIBLE);
1684 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1685 if (!timeo)
1686 timeo = HZ/5;
1687
1688 if (signal_pending(current)) {
1689 err = sock_intr_errno(timeo);
1690 break;
1691 }
1692
1693 release_sock(sk);
1694 timeo = schedule_timeout(timeo);
1695 lock_sock(sk);
a71a0cf4 1696 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1697
1698 err = sock_error(sk);
1699 if (err)
1700 break;
1701 }
1702 set_current_state(TASK_RUNNING);
2b0b05dd 1703 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1704 return err;
1705}
1706
721c4181 1707static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1708{
721c4181 1709 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1710 monitor_timer.work);
e90bac06 1711
525cd185 1712 BT_DBG("chan %p", chan);
0e98958d 1713
6be36555
AE		 1714 l2cap_chan_lock(chan);
1715
80909e04 1716 if (!chan->conn) {
6be36555 1717 l2cap_chan_unlock(chan);
8d7e1c7f 1718 l2cap_chan_put(chan);
e90bac06
GP		 1719 return;
1720 }
1721
401bb1f7 1722 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1723
6be36555 1724 l2cap_chan_unlock(chan);
8d7e1c7f 1725 l2cap_chan_put(chan);
e90bac06
GP		 1726}
1727
721c4181 1728static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1729{
721c4181 1730 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1731 retrans_timer.work);
e90bac06 1732
49208c9c 1733 BT_DBG("chan %p", chan);
0e98958d 1734
6be36555
AE		 1735 l2cap_chan_lock(chan);
1736
80909e04
MM		 1737 if (!chan->conn) {
1738 l2cap_chan_unlock(chan);
1739 l2cap_chan_put(chan);
1740 return;
1741 }
6be36555 1742
401bb1f7 1743 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1744 l2cap_chan_unlock(chan);
8d7e1c7f 1745 l2cap_chan_put(chan);
e90bac06
GP		 1746}
1747
d660366d
GP		 1748static void l2cap_streaming_send(struct l2cap_chan *chan,
1749 struct sk_buff_head *skbs)
6840ed07 1750{
ccbb84af 1751 struct sk_buff *skb;
3733937d 1752 struct l2cap_ctrl *control;
6840ed07 1753
3733937d
MM		 1754 BT_DBG("chan %p, skbs %p", chan, skbs);
1755
3733937d
MM		 1756 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1757
1758 while (!skb_queue_empty(&chan->tx_q)) {
1759
1760 skb = skb_dequeue(&chan->tx_q);
1761
1762 bt_cb(skb)->control.retries = 1;
1763 control = &bt_cb(skb)->control;
1764
1765 control->reqseq = 0;
1766 control->txseq = chan->next_tx_seq;
1767
1768 __pack_control(chan, control, skb);
6840ed07 1769
47d1ec61 1770 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1771 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1772 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1773 }
1774
4343478f 1775 l2cap_do_send(chan, skb);
6840ed07 1776
b4400672 1777 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1778
836be934 1779 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1780 chan->frames_sent++;
6840ed07 1781 }
6840ed07
GP		 1782}
1783
67c9e840 1784static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1785{
1786 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1787 struct l2cap_ctrl *control;
1788 int sent = 0;
1789
1790 BT_DBG("chan %p", chan);
1c2acffb 1791
89bc500e 1792 if (chan->state != BT_CONNECTED)
c13ffa62 1793 return -ENOTCONN;
e90bac06 1794
94122bbe
MM		 1795 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1796 return 0;
1797
18a48e76
MM		 1798 while (chan->tx_send_head &&
1799 chan->unacked_frames < chan->remote_tx_win &&
1800 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1801
18a48e76 1802 skb = chan->tx_send_head;
e90bac06 1803
18a48e76
MM		 1804 bt_cb(skb)->control.retries = 1;
1805 control = &bt_cb(skb)->control;
95ffa978 1806
e2ab4353 1807 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1808 control->final = 1;
e2ab4353 1809
18a48e76
MM		 1810 control->reqseq = chan->buffer_seq;
1811 chan->last_acked_seq = chan->buffer_seq;
1812 control->txseq = chan->next_tx_seq;
1c2acffb 1813
18a48e76 1814 __pack_control(chan, control, skb);
e90bac06 1815
47d1ec61 1816 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1817 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1818 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1819 }
1820
18a48e76
MM		 1821 /* Clone after data has been modified. Data is assumed to be
1822 read-only (for locking purposes) on cloned sk_buffs.
1823 */
1824 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1825
18a48e76
MM		 1826 if (!tx_skb)
1827 break;
1c2acffb 1828
18a48e76 1829 __set_retrans_timer(chan);
836be934
AE		 1830
1831 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1832 chan->unacked_frames++;
6a026610 1833 chan->frames_sent++;
18a48e76 1834 sent++;
1c2acffb 1835
58d35f87
GP		 1836 if (skb_queue_is_last(&chan->tx_q, skb))
1837 chan->tx_send_head = NULL;
1c2acffb 1838 else
58d35f87 1839 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1840
1841 l2cap_do_send(chan, tx_skb);
b4400672 1842 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1843 }
1844
b4400672
AE		 1845 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1846 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1847
1848 return sent;
9e917af1
GP		 1849}
1850
e1fbd4c1
MM		 1851static void l2cap_ertm_resend(struct l2cap_chan *chan)
1852{
1853 struct l2cap_ctrl control;
1854 struct sk_buff *skb;
1855 struct sk_buff *tx_skb;
1856 u16 seq;
1857
1858 BT_DBG("chan %p", chan);
1859
1860 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1861 return;
1862
1863 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1864 seq = l2cap_seq_list_pop(&chan->retrans_list);
1865
1866 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1867 if (!skb) {
1868 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1869 seq);
e1fbd4c1
MM		 1870 continue;
1871 }
1872
1873 bt_cb(skb)->control.retries++;
1874 control = bt_cb(skb)->control;
1875
1876 if (chan->max_tx != 0 &&
1877 bt_cb(skb)->control.retries > chan->max_tx) {
1878 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1879 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1880 l2cap_seq_list_clear(&chan->retrans_list);
1881 break;
1882 }
1883
1884 control.reqseq = chan->buffer_seq;
1885 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1886 control.final = 1;
1887 else
1888 control.final = 0;
1889
1890 if (skb_cloned(skb)) {
1891 /* Cloned sk_buffs are read-only, so we need a
1892 * writeable copy
1893 */
8bcde1f2 1894 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1895 } else {
8bcde1f2 1896 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1897 }
1898
1899 if (!tx_skb) {
1900 l2cap_seq_list_clear(&chan->retrans_list);
1901 break;
1902 }
1903
1904 /* Update skb contents */
1905 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1906 put_unaligned_le32(__pack_extended_control(&control),
1907 tx_skb->data + L2CAP_HDR_SIZE);
1908 } else {
1909 put_unaligned_le16(__pack_enhanced_control(&control),
1910 tx_skb->data + L2CAP_HDR_SIZE);
1911 }
1912
1913 if (chan->fcs == L2CAP_FCS_CRC16) {
1914 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1915 put_unaligned_le16(fcs, skb_put(tx_skb,
1916 L2CAP_FCS_SIZE));
1917 }
1918
1919 l2cap_do_send(chan, tx_skb);
1920
1921 BT_DBG("Resent txseq %d", control.txseq);
1922
1923 chan->last_acked_seq = chan->buffer_seq;
1924 }
1925}
1926
f80842a8
MM		 1927static void l2cap_retransmit(struct l2cap_chan *chan,
1928 struct l2cap_ctrl *control)
1929{
1930 BT_DBG("chan %p, control %p", chan, control);
1931
1932 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1933 l2cap_ertm_resend(chan);
1934}
1935
d2a7ac5d
MM		 1936static void l2cap_retransmit_all(struct l2cap_chan *chan,
1937 struct l2cap_ctrl *control)
1938{
e1fbd4c1
MM		 1939 struct sk_buff *skb;
1940
1941 BT_DBG("chan %p, control %p", chan, control);
1942
1943 if (control->poll)
1944 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1945
1946 l2cap_seq_list_clear(&chan->retrans_list);
1947
1948 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1949 return;
1950
1951 if (chan->unacked_frames) {
1952 skb_queue_walk(&chan->tx_q, skb) {
1953 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 1954 skb == chan->tx_send_head)
e1fbd4c1
MM		 1955 break;
1956 }
1957
1958 skb_queue_walk_from(&chan->tx_q, skb) {
1959 if (skb == chan->tx_send_head)
1960 break;
1961
1962 l2cap_seq_list_append(&chan->retrans_list,
1963 bt_cb(skb)->control.txseq);
1964 }
1965
1966 l2cap_ertm_resend(chan);
1967 }
d2a7ac5d
MM		 1968}
1969
0a0aba42 1970static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1971{
0a0aba42
MM		 1972 struct l2cap_ctrl control;
1973 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1974 chan->last_acked_seq);
1975 int threshold;
9e917af1 1976
0a0aba42
MM		 1977 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1978 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1979
0a0aba42
MM		 1980 memset(&control, 0, sizeof(control));
1981 control.sframe = 1;
dfc909be 1982
0a0aba42
MM		 1983 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1984 chan->rx_state == L2CAP_RX_STATE_RECV) {
1985 __clear_ack_timer(chan);
1986 control.super = L2CAP_SUPER_RNR;
1987 control.reqseq = chan->buffer_seq;
1988 l2cap_send_sframe(chan, &control);
1989 } else {
1990 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1991 l2cap_ertm_send(chan);
1992 /* If any i-frames were sent, they included an ack */
1993 if (chan->buffer_seq == chan->last_acked_seq)
1994 frames_to_ack = 0;
1995 }
dfc909be 1996
c20f8e35 1997 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1998 * Calculate without mul or div
1999 */
c20f8e35 2000 threshold = chan->ack_win;
0a0aba42
MM		 2001 threshold += threshold << 1;
2002 threshold >>= 2;
2003
b4400672 2004 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2005 threshold);
2006
2007 if (frames_to_ack >= threshold) {
2008 __clear_ack_timer(chan);
2009 control.super = L2CAP_SUPER_RR;
2010 control.reqseq = chan->buffer_seq;
2011 l2cap_send_sframe(chan, &control);
2012 frames_to_ack = 0;
2013 }
1c2acffb 2014
0a0aba42
MM		 2015 if (frames_to_ack)
2016 __set_ack_timer(chan);
2017 }
b17e73bb
SJ		 2018}
2019
04124681
GP		 2020static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2021 struct msghdr *msg, int len,
2022 int count, struct sk_buff *skb)
1c2acffb 2023{
0952a57a 2024 struct l2cap_conn *conn = chan->conn;
1c2acffb 2025 struct sk_buff **frag;
90338947 2026 int sent = 0;
1da177e4 2027
59203a21 2028 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2029 return -EFAULT;
1da177e4
LT		 2030
2031 sent += count;
2032 len -= count;
2033
2034 /* Continuation fragments (no L2CAP header) */
2035 frag = &skb_shinfo(skb)->frag_list;
2036 while (len) {
fbe00700
GP		 2037 struct sk_buff *tmp;
2038
1da177e4
LT		 2039 count = min_t(unsigned int, conn->mtu, len);
2040
fbe00700
GP		 2041 tmp = chan->ops->alloc_skb(chan, count,
2042 msg->msg_flags & MSG_DONTWAIT);
2043 if (IS_ERR(tmp))
2044 return PTR_ERR(tmp);
2045
2046 *frag = tmp;
2f7719ce 2047
1c2acffb
GP		 2048 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2049 return -EFAULT;
1da177e4 2050
5e59b791
LAD		 2051 (*frag)->priority = skb->priority;
2052
1da177e4
LT		 2053 sent += count;
2054 len -= count;
2055
2d0ed3d5
GP		 2056 skb->len += (*frag)->len;
2057 skb->data_len += (*frag)->len;
2058
1da177e4
LT		 2059 frag = &(*frag)->next;
2060 }
1da177e4
LT		 2061
2062 return sent;
1c2acffb 2063}
1da177e4 2064
5e59b791 2065static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2066 struct msghdr *msg, size_t len,
2067 u32 priority)
1c2acffb 2068{
8c1d787b 2069 struct l2cap_conn *conn = chan->conn;
1c2acffb 2070 struct sk_buff *skb;
03a51213 2071 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2072 struct l2cap_hdr *lh;
2073
b4400672 2074 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2075
2076 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2077
2078 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2079 msg->msg_flags & MSG_DONTWAIT);
2080 if (IS_ERR(skb))
2081 return skb;
1c2acffb 2082
5e59b791
LAD		 2083 skb->priority = priority;
2084
1c2acffb
GP		 2085 /* Create L2CAP header */
2086 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2087 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2088 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2089 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2090
0952a57a 2091 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2092 if (unlikely(err < 0)) {
2093 kfree_skb(skb);
2094 return ERR_PTR(err);
2095 }
2096 return skb;
2097}
2098
5e59b791 2099static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2100 struct msghdr *msg, size_t len,
2101 u32 priority)
1c2acffb 2102{
8c1d787b 2103 struct l2cap_conn *conn = chan->conn;
1c2acffb 2104 struct sk_buff *skb;
f2ba7fae 2105 int err, count;
1c2acffb
GP		 2106 struct l2cap_hdr *lh;
2107
b4400672 2108 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2109
f2ba7fae 2110 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2111
f2ba7fae 2112 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2113 msg->msg_flags & MSG_DONTWAIT);
2114 if (IS_ERR(skb))
2115 return skb;
1c2acffb 2116
5e59b791
LAD		 2117 skb->priority = priority;
2118
1c2acffb
GP		 2119 /* Create L2CAP header */
2120 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2121 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2122 lh->len = cpu_to_le16(len);
1c2acffb 2123
0952a57a 2124 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2125 if (unlikely(err < 0)) {
2126 kfree_skb(skb);
2127 return ERR_PTR(err);
2128 }
2129 return skb;
2130}
2131
ab0ff76d 2132static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2133 struct msghdr *msg, size_t len,
2134 u16 sdulen)
1c2acffb 2135{
8c1d787b 2136 struct l2cap_conn *conn = chan->conn;
1c2acffb 2137 struct sk_buff *skb;
e4ca6d98 2138 int err, count, hlen;
1c2acffb
GP		 2139 struct l2cap_hdr *lh;
2140
b4400672 2141 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2142
0ee0d208
GP		 2143 if (!conn)
2144 return ERR_PTR(-ENOTCONN);
2145
ba7aa64f 2146 hlen = __ertm_hdr_size(chan);
e4ca6d98 2147
c74e560c 2148 if (sdulen)
03a51213 2149 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2150
47d1ec61 2151 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2152 hlen += L2CAP_FCS_SIZE;
fcc203c3 2153
1c2acffb 2154 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2155
2156 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2157 msg->msg_flags & MSG_DONTWAIT);
2158 if (IS_ERR(skb))
2159 return skb;
1c2acffb
GP		 2160
2161 /* Create L2CAP header */
2162 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2163 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2164 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2165
18a48e76
MM		 2166 /* Control header is populated later */
2167 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2168 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2169 else
2170 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2171
c74e560c 2172 if (sdulen)
03a51213 2173 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2174
0952a57a 2175 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2176 if (unlikely(err < 0)) {
2177 kfree_skb(skb);
2178 return ERR_PTR(err);
2179 }
e90bac06 2180
18a48e76 2181 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2182 bt_cb(skb)->control.retries = 0;
1c2acffb 2183 return skb;
1da177e4
LT		 2184}
2185
94122bbe
MM		 2186static int l2cap_segment_sdu(struct l2cap_chan *chan,
2187 struct sk_buff_head *seg_queue,
2188 struct msghdr *msg, size_t len)
c74e560c 2189{
c74e560c 2190 struct sk_buff *skb;
94122bbe
MM		 2191 u16 sdu_len;
2192 size_t pdu_len;
94122bbe 2193 u8 sar;
c74e560c 2194
b4400672 2195 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2196
94122bbe
MM		 2197 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2198 * so fragmented skbs are not used. The HCI layer's handling
2199 * of fragmented skbs is not compatible with ERTM's queueing.
2200 */
c74e560c 2201
94122bbe
MM		 2202 /* PDU size is derived from the HCI MTU */
2203 pdu_len = chan->conn->mtu;
c74e560c 2204
94122bbe
MM		 2205 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2206
2207 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2208 if (chan->fcs)
2209 pdu_len -= L2CAP_FCS_SIZE;
2210
ba7aa64f 2211 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2212
2213 /* Remote device may have requested smaller PDUs */
2214 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2215
2216 if (len <= pdu_len) {
2217 sar = L2CAP_SAR_UNSEGMENTED;
2218 sdu_len = 0;
2219 pdu_len = len;
2220 } else {
2221 sar = L2CAP_SAR_START;
2222 sdu_len = len;
2223 pdu_len -= L2CAP_SDULEN_SIZE;
2224 }
2225
2226 while (len > 0) {
2227 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2228
c74e560c 2229 if (IS_ERR(skb)) {
94122bbe 2230 __skb_queue_purge(seg_queue);
c74e560c
GP		 2231 return PTR_ERR(skb);
2232 }
2233
94122bbe
MM		 2234 bt_cb(skb)->control.sar = sar;
2235 __skb_queue_tail(seg_queue, skb);
2236
2237 len -= pdu_len;
2238 if (sdu_len) {
2239 sdu_len = 0;
2240 pdu_len += L2CAP_SDULEN_SIZE;
2241 }
2242
2243 if (len <= pdu_len) {
2244 sar = L2CAP_SAR_END;
2245 pdu_len = len;
2246 } else {
2247 sar = L2CAP_SAR_CONTINUE;
2248 }
c74e560c 2249 }
c74e560c 2250
f0f62799 2251 return 0;
c74e560c
GP		 2252}
2253
5e59b791 2254int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2255 u32 priority)
9a91a04a 2256{
9a91a04a 2257 struct sk_buff *skb;
9a91a04a 2258 int err;
94122bbe 2259 struct sk_buff_head seg_queue;
9a91a04a
GP		 2260
2261 /* Connectionless channel */
715ec005 2262 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2263 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2264 if (IS_ERR(skb))
2265 return PTR_ERR(skb);
2266
2267 l2cap_do_send(chan, skb);
2268 return len;
2269 }
2270
2271 switch (chan->mode) {
2272 case L2CAP_MODE_BASIC:
2273 /* Check outgoing MTU */
2274 if (len > chan->omtu)
2275 return -EMSGSIZE;
2276
2277 /* Create a basic PDU */
5e59b791 2278 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2279 if (IS_ERR(skb))
2280 return PTR_ERR(skb);
2281
2282 l2cap_do_send(chan, skb);
2283 err = len;
2284 break;
2285
2286 case L2CAP_MODE_ERTM:
2287 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2288 /* Check outgoing MTU */
2289 if (len > chan->omtu) {
2290 err = -EMSGSIZE;
2291 break;
2292 }
9a91a04a 2293
94122bbe 2294 __skb_queue_head_init(&seg_queue);
9a91a04a 2295
94122bbe
MM		 2296 /* Do segmentation before calling in to the state machine,
2297 * since it's possible to block while waiting for memory
2298 * allocation.
2299 */
2300 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2301
94122bbe
MM		 2302 /* The channel could have been closed while segmenting,
2303 * check that it is still connected.
2304 */
2305 if (chan->state != BT_CONNECTED) {
2306 __skb_queue_purge(&seg_queue);
2307 err = -ENOTCONN;
9a91a04a
GP		 2308 }
2309
94122bbe 2310 if (err)
9a91a04a 2311 break;
9a91a04a 2312
3733937d 2313 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2314 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2315 else
d660366d 2316 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2317
d660366d 2318 err = len;
9a91a04a 2319
94122bbe
MM		 2320 /* If the skbs were not queued for sending, they'll still be in
2321 * seg_queue and need to be purged.
2322 */
2323 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2324 break;
2325
2326 default:
2327 BT_DBG("bad state %1.1x", chan->mode);
2328 err = -EBADFD;
2329 }
2330
2331 return err;
2332}
2333
d2a7ac5d
MM		 2334static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2335{
bed68bde
MM		 2336 struct l2cap_ctrl control;
2337 u16 seq;
2338
b4400672 2339 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2340
2341 memset(&control, 0, sizeof(control));
2342 control.sframe = 1;
2343 control.super = L2CAP_SUPER_SREJ;
2344
2345 for (seq = chan->expected_tx_seq; seq != txseq;
2346 seq = __next_seq(chan, seq)) {
2347 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2348 control.reqseq = seq;
2349 l2cap_send_sframe(chan, &control);
2350 l2cap_seq_list_append(&chan->srej_list, seq);
2351 }
2352 }
2353
2354 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2355}
2356
2357static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2358{
bed68bde
MM		 2359 struct l2cap_ctrl control;
2360
2361 BT_DBG("chan %p", chan);
2362
2363 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2364 return;
2365
2366 memset(&control, 0, sizeof(control));
2367 control.sframe = 1;
2368 control.super = L2CAP_SUPER_SREJ;
2369 control.reqseq = chan->srej_list.tail;
2370 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2371}
2372
2373static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2374{
bed68bde
MM		 2375 struct l2cap_ctrl control;
2376 u16 initial_head;
2377 u16 seq;
2378
b4400672 2379 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2380
2381 memset(&control, 0, sizeof(control));
2382 control.sframe = 1;
2383 control.super = L2CAP_SUPER_SREJ;
2384
2385 /* Capture initial list head to allow only one pass through the list. */
2386 initial_head = chan->srej_list.head;
2387
2388 do {
2389 seq = l2cap_seq_list_pop(&chan->srej_list);
2390 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2391 break;
2392
2393 control.reqseq = seq;
2394 l2cap_send_sframe(chan, &control);
2395 l2cap_seq_list_append(&chan->srej_list, seq);
2396 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2397}
2398
608bcc6d
MM		 2399static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2400{
2401 struct sk_buff *acked_skb;
2402 u16 ackseq;
2403
b4400672 2404 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2405
2406 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2407 return;
2408
b4400672 2409 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2410 chan->expected_ack_seq, chan->unacked_frames);
2411
2412 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2413 ackseq = __next_seq(chan, ackseq)) {
2414
2415 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2416 if (acked_skb) {
2417 skb_unlink(acked_skb, &chan->tx_q);
2418 kfree_skb(acked_skb);
2419 chan->unacked_frames--;
2420 }
2421 }
2422
2423 chan->expected_ack_seq = reqseq;
2424
2425 if (chan->unacked_frames == 0)
2426 __clear_retrans_timer(chan);
2427
b4400672 2428 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2429}
2430
2431static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2432{
2433 BT_DBG("chan %p", chan);
2434
2435 chan->expected_tx_seq = chan->buffer_seq;
2436 l2cap_seq_list_clear(&chan->srej_list);
2437 skb_queue_purge(&chan->srej_q);
2438 chan->rx_state = L2CAP_RX_STATE_RECV;
2439}
2440
d660366d
GP		 2441static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2442 struct l2cap_ctrl *control,
2443 struct sk_buff_head *skbs, u8 event)
608bcc6d 2444{
608bcc6d
MM		 2445 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2446 event);
2447
2448 switch (event) {
2449 case L2CAP_EV_DATA_REQUEST:
2450 if (chan->tx_send_head == NULL)
2451 chan->tx_send_head = skb_peek(skbs);
2452
2453 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2454 l2cap_ertm_send(chan);
2455 break;
2456 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2457 BT_DBG("Enter LOCAL_BUSY");
2458 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2459
2460 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2461 /* The SREJ_SENT state must be aborted if we are to
2462 * enter the LOCAL_BUSY state.
2463 */
2464 l2cap_abort_rx_srej_sent(chan);
2465 }
2466
2467 l2cap_send_ack(chan);
2468
2469 break;
2470 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2471 BT_DBG("Exit LOCAL_BUSY");
2472 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2473
2474 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2475 struct l2cap_ctrl local_control;
2476
2477 memset(&local_control, 0, sizeof(local_control));
2478 local_control.sframe = 1;
2479 local_control.super = L2CAP_SUPER_RR;
2480 local_control.poll = 1;
2481 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2482 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2483
2484 chan->retry_count = 1;
2485 __set_monitor_timer(chan);
2486 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2487 }
2488 break;
2489 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2490 l2cap_process_reqseq(chan, control->reqseq);
2491 break;
2492 case L2CAP_EV_EXPLICIT_POLL:
2493 l2cap_send_rr_or_rnr(chan, 1);
2494 chan->retry_count = 1;
2495 __set_monitor_timer(chan);
2496 __clear_ack_timer(chan);
2497 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2498 break;
2499 case L2CAP_EV_RETRANS_TO:
2500 l2cap_send_rr_or_rnr(chan, 1);
2501 chan->retry_count = 1;
2502 __set_monitor_timer(chan);
2503 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2504 break;
2505 case L2CAP_EV_RECV_FBIT:
2506 /* Nothing to process */
2507 break;
2508 default:
2509 break;
2510 }
608bcc6d
MM		 2511}
2512
d660366d
GP		 2513static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2514 struct l2cap_ctrl *control,
2515 struct sk_buff_head *skbs, u8 event)
608bcc6d 2516{
608bcc6d
MM		 2517 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2518 event);
2519
2520 switch (event) {
2521 case L2CAP_EV_DATA_REQUEST:
2522 if (chan->tx_send_head == NULL)
2523 chan->tx_send_head = skb_peek(skbs);
2524 /* Queue data, but don't send. */
2525 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2526 break;
2527 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2528 BT_DBG("Enter LOCAL_BUSY");
2529 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2530
2531 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2532 /* The SREJ_SENT state must be aborted if we are to
2533 * enter the LOCAL_BUSY state.
2534 */
2535 l2cap_abort_rx_srej_sent(chan);
2536 }
2537
2538 l2cap_send_ack(chan);
2539
2540 break;
2541 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2542 BT_DBG("Exit LOCAL_BUSY");
2543 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2544
2545 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2546 struct l2cap_ctrl local_control;
2547 memset(&local_control, 0, sizeof(local_control));
2548 local_control.sframe = 1;
2549 local_control.super = L2CAP_SUPER_RR;
2550 local_control.poll = 1;
2551 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2552 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2553
2554 chan->retry_count = 1;
2555 __set_monitor_timer(chan);
2556 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2557 }
2558 break;
2559 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2560 l2cap_process_reqseq(chan, control->reqseq);
2561
2562 /* Fall through */
2563
2564 case L2CAP_EV_RECV_FBIT:
2565 if (control && control->final) {
2566 __clear_monitor_timer(chan);
2567 if (chan->unacked_frames > 0)
2568 __set_retrans_timer(chan);
2569 chan->retry_count = 0;
2570 chan->tx_state = L2CAP_TX_STATE_XMIT;
2571 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2572 }
2573 break;
2574 case L2CAP_EV_EXPLICIT_POLL:
2575 /* Ignore */
2576 break;
2577 case L2CAP_EV_MONITOR_TO:
2578 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2579 l2cap_send_rr_or_rnr(chan, 1);
2580 __set_monitor_timer(chan);
2581 chan->retry_count++;
2582 } else {
2583 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2584 }
2585 break;
2586 default:
2587 break;
2588 }
608bcc6d
MM		 2589}
2590
d660366d
GP		 2591static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2592 struct sk_buff_head *skbs, u8 event)
608bcc6d 2593{
608bcc6d
MM		 2594 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2595 chan, control, skbs, event, chan->tx_state);
2596
2597 switch (chan->tx_state) {
2598 case L2CAP_TX_STATE_XMIT:
d660366d 2599 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2600 break;
2601 case L2CAP_TX_STATE_WAIT_F:
d660366d 2602 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2603 break;
2604 default:
2605 /* Ignore event */
2606 break;
2607 }
608bcc6d
MM		 2608}
2609
4b51dae9
MM		 2610static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2611 struct l2cap_ctrl *control)
2612{
2613 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2614 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2615}
2616
f80842a8
MM		 2617static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2618 struct l2cap_ctrl *control)
2619{
2620 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2621 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2622}
2623
1da177e4
LT		 2624/* Copy frame to all raw sockets on that connection */
2625static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2626{
1da177e4 2627 struct sk_buff *nskb;
48454079 2628 struct l2cap_chan *chan;
1da177e4
LT		 2629
2630 BT_DBG("conn %p", conn);
2631
3df91ea2 2632 mutex_lock(&conn->chan_lock);
3d57dc68 2633
3df91ea2 2634 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2635 struct sock *sk = chan->sk;
715ec005 2636 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2637 continue;
2638
2639 /* Don't send frame to the socket it came from */
2640 if (skb->sk == sk)
2641 continue;
8bcde1f2 2642 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2643 if (!nskb)
1da177e4
LT		 2644 continue;
2645
80b98027 2646 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2647 kfree_skb(nskb);
2648 }
3d57dc68 2649
3df91ea2 2650 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2651}
2652
2653/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2654static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2655 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2656{
2657 struct sk_buff *skb, **frag;
2658 struct l2cap_cmd_hdr *cmd;
2659 struct l2cap_hdr *lh;
2660 int len, count;
2661
b4400672
AE		 2662 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2663 conn, code, ident, dlen);
1da177e4
LT		 2664
2665 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2666 count = min_t(unsigned int, conn->mtu, len);
2667
8bcde1f2 2668 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2669 if (!skb)
2670 return NULL;
2671
2672 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2673 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2674
2675 if (conn->hcon->type == LE_LINK)
ac73498c 2676 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2677 else
ac73498c 2678 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2679
2680 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2681 cmd->code = code;
2682 cmd->ident = ident;
aca3192c 2683 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2684
2685 if (dlen) {
2686 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2687 memcpy(skb_put(skb, count), data, count);
2688 data += count;
2689 }
2690
2691 len -= skb->len;
2692
2693 /* Continuation fragments (no L2CAP header) */
2694 frag = &skb_shinfo(skb)->frag_list;
2695 while (len) {
2696 count = min_t(unsigned int, conn->mtu, len);
2697
8bcde1f2 2698 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2699 if (!*frag)
2700 goto fail;
2701
2702 memcpy(skb_put(*frag, count), data, count);
2703
2704 len -= count;
2705 data += count;
2706
2707 frag = &(*frag)->next;
2708 }
2709
2710 return skb;
2711
2712fail:
2713 kfree_skb(skb);
2714 return NULL;
2715}
2716
2d792818
GP		 2717static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2718 unsigned long *val)
1da177e4
LT		 2719{
2720 struct l2cap_conf_opt *opt = *ptr;
2721 int len;
2722
2723 len = L2CAP_CONF_OPT_SIZE + opt->len;
2724 *ptr += len;
2725
2726 *type = opt->type;
2727 *olen = opt->len;
2728
2729 switch (opt->len) {
2730 case 1:
2731 *val = *((u8 *) opt->val);
2732 break;
2733
2734 case 2:
bfaaeb3e 2735 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2736 break;
2737
2738 case 4:
bfaaeb3e 2739 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2740 break;
2741
2742 default:
2743 *val = (unsigned long) opt->val;
2744 break;
2745 }
2746
b4400672 2747 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2748 return len;
2749}
2750
1da177e4
LT		 2751static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2752{
2753 struct l2cap_conf_opt *opt = *ptr;
2754
b4400672 2755 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2756
2757 opt->type = type;
2758 opt->len = len;
2759
2760 switch (len) {
2761 case 1:
2762 *((u8 *) opt->val) = val;
2763 break;
2764
2765 case 2:
4f8b691c 2766 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2767 break;
2768
2769 case 4:
4f8b691c 2770 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2771 break;
2772
2773 default:
2774 memcpy(opt->val, (void *) val, len);
2775 break;
2776 }
2777
2778 *ptr += L2CAP_CONF_OPT_SIZE + len;
2779}
2780
f89cef09
AE		 2781static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2782{
2783 struct l2cap_conf_efs efs;
2784
1ec918ce 2785 switch (chan->mode) {
f89cef09
AE		 2786 case L2CAP_MODE_ERTM:
2787 efs.id = chan->local_id;
2788 efs.stype = chan->local_stype;
2789 efs.msdu = cpu_to_le16(chan->local_msdu);
2790 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2791 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2792 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2793 break;
2794
2795 case L2CAP_MODE_STREAMING:
2796 efs.id = 1;
2797 efs.stype = L2CAP_SERV_BESTEFFORT;
2798 efs.msdu = cpu_to_le16(chan->local_msdu);
2799 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2800 efs.acc_lat = 0;
2801 efs.flush_to = 0;
2802 break;
2803
2804 default:
2805 return;
2806 }
2807
2808 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2809 (unsigned long) &efs);
f89cef09
AE		 2810}
2811
721c4181 2812static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2813{
721c4181 2814 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2815 ack_timer.work);
2816 u16 frames_to_ack;
c1b4f43b 2817
2fb9b3d4
GP		 2818 BT_DBG("chan %p", chan);
2819
6be36555
AE		 2820 l2cap_chan_lock(chan);
2821
0362520b
MM		 2822 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2823 chan->last_acked_seq);
6be36555 2824
0362520b
MM		 2825 if (frames_to_ack)
2826 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2827
0362520b 2828 l2cap_chan_unlock(chan);
09bfb2ee 2829 l2cap_chan_put(chan);
c1b4f43b
GP		 2830}
2831
466f8004 2832int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2833{
3c588192
MM		 2834 int err;
2835
105bdf9e
MM		 2836 chan->next_tx_seq = 0;
2837 chan->expected_tx_seq = 0;
42e5c802 2838 chan->expected_ack_seq = 0;
6a026610 2839 chan->unacked_frames = 0;
42e5c802 2840 chan->buffer_seq = 0;
6a026610 2841 chan->frames_sent = 0;
105bdf9e
MM		 2842 chan->last_acked_seq = 0;
2843 chan->sdu = NULL;
2844 chan->sdu_last_frag = NULL;
2845 chan->sdu_len = 0;
2846
d34c34fb
MM		 2847 skb_queue_head_init(&chan->tx_q);
2848
08333283
MM		 2849 chan->local_amp_id = 0;
2850 chan->move_id = 0;
2851 chan->move_state = L2CAP_MOVE_STABLE;
2852 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2853
105bdf9e
MM		 2854 if (chan->mode != L2CAP_MODE_ERTM)
2855 return 0;
2856
2857 chan->rx_state = L2CAP_RX_STATE_RECV;
2858 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2859
721c4181
GP		 2860 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2861 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2862 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2863
f1c6775b 2864 skb_queue_head_init(&chan->srej_q);
1890d36b 2865
3c588192
MM		 2866 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2867 if (err < 0)
2868 return err;
2869
9dc9affc
MM		 2870 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2871 if (err < 0)
2872 l2cap_seq_list_free(&chan->srej_list);
2873
2874 return err;
0565c1c2
GP		 2875}
2876
f2fcfcd6
GP		 2877static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2878{
2879 switch (mode) {
2880 case L2CAP_MODE_STREAMING:
2881 case L2CAP_MODE_ERTM:
2882 if (l2cap_mode_supported(mode, remote_feat_mask))
2883 return mode;
2884 /* fall through */
2885 default:
2886 return L2CAP_MODE_BASIC;
2887 }
2888}
2889
6327eb98
AE		 2890static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2891{
2892 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2893}
2894
f89cef09
AE		 2895static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2896{
2897 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2898}
2899
6327eb98
AE		 2900static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2901{
2902 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 2903 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2904 /* use extended control field */
2905 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2906 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2907 } else {
6327eb98 2908 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 2909 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2910 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2911 }
c20f8e35 2912 chan->ack_win = chan->tx_win;
6327eb98
AE		 2913}
2914
710f9b0a 2915static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2916{
1da177e4 2917 struct l2cap_conf_req *req = data;
0c1bc5c6 2918 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2919 void *ptr = req->data;
c8f79162 2920 u16 size;
1da177e4 2921
49208c9c 2922 BT_DBG("chan %p", chan);
1da177e4 2923
73ffa904 2924 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2925 goto done;
2926
0c1bc5c6 2927 switch (chan->mode) {
f2fcfcd6
GP		 2928 case L2CAP_MODE_STREAMING:
2929 case L2CAP_MODE_ERTM:
c1360a1c 2930 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2931 break;
85eb53c6 2932
f89cef09
AE		 2933 if (__l2cap_efs_supported(chan))
2934 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2935
2ba13ed6 2936 /* fall through */
f2fcfcd6 2937 default:
8c1d787b 2938 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2939 break;
2940 }
2941
2942done:
0c1bc5c6
GP		 2943 if (chan->imtu != L2CAP_DEFAULT_MTU)
2944 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2945
0c1bc5c6 2946 switch (chan->mode) {
65c7c491 2947 case L2CAP_MODE_BASIC:
8c1d787b 2948 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 2949 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2950 break;
2951
62547752
GP		 2952 rfc.mode = L2CAP_MODE_BASIC;
2953 rfc.txwin_size = 0;
2954 rfc.max_transmit = 0;
2955 rfc.retrans_timeout = 0;
2956 rfc.monitor_timeout = 0;
2957 rfc.max_pdu_size = 0;
2958
63406504 2959 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2960 (unsigned long) &rfc);
65c7c491
MH		 2961 break;
2962
2963 case L2CAP_MODE_ERTM:
2964 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2965 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2966 rfc.retrans_timeout = 0;
2967 rfc.monitor_timeout = 0;
c8f79162
AE		 2968
2969 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2970 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2971 L2CAP_FCS_SIZE);
c8f79162 2972 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2973
6327eb98
AE		 2974 l2cap_txwin_setup(chan);
2975
2976 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 2977 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2978
63406504 2979 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2980 (unsigned long) &rfc);
63406504 2981
f89cef09
AE		 2982 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2983 l2cap_add_opt_efs(&ptr, chan);
2984
8c1d787b 2985 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2986 break;
2987
47d1ec61 2988 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2989 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2990 chan->fcs = L2CAP_FCS_NONE;
2991 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2992 }
6327eb98
AE		 2993
2994 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2995 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 2996 chan->tx_win);
f2fcfcd6
GP		 2997 break;
2998
2999 case L2CAP_MODE_STREAMING:
273759e2 3000 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3001 rfc.mode = L2CAP_MODE_STREAMING;
3002 rfc.txwin_size = 0;
3003 rfc.max_transmit = 0;
3004 rfc.retrans_timeout = 0;
3005 rfc.monitor_timeout = 0;
c8f79162
AE		 3006
3007 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3008 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3009 L2CAP_FCS_SIZE);
c8f79162 3010 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3011
63406504 3012 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3013 (unsigned long) &rfc);
63406504 3014
f89cef09
AE		 3015 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3016 l2cap_add_opt_efs(&ptr, chan);
3017
8c1d787b 3018 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3019 break;
3020
47d1ec61 3021 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3022 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3023 chan->fcs = L2CAP_FCS_NONE;
3024 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3025 }
65c7c491
MH		 3026 break;
3027 }
1da177e4 3028
fe4128e0 3029 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3030 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3031
3032 return ptr - data;
3033}
3034
73ffa904 3035static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3036{
5dee9e7c
MH		 3037 struct l2cap_conf_rsp *rsp = data;
3038 void *ptr = rsp->data;
73ffa904
GP		 3039 void *req = chan->conf_req;
3040 int len = chan->conf_len;
5dee9e7c
MH		 3041 int type, hint, olen;
3042 unsigned long val;
6464f35f 3043 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3044 struct l2cap_conf_efs efs;
3045 u8 remote_efs = 0;
861d6882 3046 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3047 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3048 u16 size;
1da177e4 3049
73ffa904 3050 BT_DBG("chan %p", chan);
820ae1b8 3051
5dee9e7c
MH		 3052 while (len >= L2CAP_CONF_OPT_SIZE) {
3053 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3054
589d2746 3055 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3056 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3057
3058 switch (type) {
3059 case L2CAP_CONF_MTU:
861d6882 3060 mtu = val;
5dee9e7c
MH		 3061 break;
3062
3063 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3064 chan->flush_to = val;
5dee9e7c
MH		 3065 break;
3066
3067 case L2CAP_CONF_QOS:
3068 break;
3069
6464f35f
MH		 3070 case L2CAP_CONF_RFC:
3071 if (olen == sizeof(rfc))
3072 memcpy(&rfc, (void *) val, olen);
3073 break;
3074
fcc203c3
GP		 3075 case L2CAP_CONF_FCS:
3076 if (val == L2CAP_FCS_NONE)
c1360a1c 3077 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3078 break;
fcc203c3 3079
42dceae2
AE		 3080 case L2CAP_CONF_EFS:
3081 remote_efs = 1;
3082 if (olen == sizeof(efs))
3083 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3084 break;
3085
6327eb98
AE		 3086 case L2CAP_CONF_EWS:
3087 if (!enable_hs)
3088 return -ECONNREFUSED;
fcc203c3 3089
6327eb98
AE		 3090 set_bit(FLAG_EXT_CTRL, &chan->flags);
3091 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3092 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3093 chan->remote_tx_win = val;
fcc203c3
GP		 3094 break;
3095
5dee9e7c
MH		 3096 default:
3097 if (hint)
3098 break;
3099
3100 result = L2CAP_CONF_UNKNOWN;
3101 *((u8 *) ptr++) = type;
3102 break;
3103 }
3104 }
3105
73ffa904 3106 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3107 goto done;
3108
0c1bc5c6 3109 switch (chan->mode) {
f2fcfcd6
GP		 3110 case L2CAP_MODE_STREAMING:
3111 case L2CAP_MODE_ERTM:
c1360a1c 3112 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3113 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3114 chan->conn->feat_mask);
85eb53c6
GP		 3115 break;
3116 }
3117
42dceae2
AE		 3118 if (remote_efs) {
3119 if (__l2cap_efs_supported(chan))
3120 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3121 else
3122 return -ECONNREFUSED;
3123 }
3124
0c1bc5c6 3125 if (chan->mode != rfc.mode)
f2fcfcd6 3126 return -ECONNREFUSED;
742e519b 3127
f2fcfcd6 3128 break;
f2fcfcd6
GP		 3129 }
3130
3131done:
0c1bc5c6 3132 if (chan->mode != rfc.mode) {
f2fcfcd6 3133 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3134 rfc.mode = chan->mode;
f2fcfcd6 3135
73ffa904 3136 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3137 return -ECONNREFUSED;
3138
2d792818
GP		 3139 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3140 (unsigned long) &rfc);
f2fcfcd6
GP		 3141 }
3142
5dee9e7c
MH		 3143 if (result == L2CAP_CONF_SUCCESS) {
3144 /* Configure output options and let the other side know
3145 * which ones we don't like. */
3146
f2fcfcd6
GP		 3147 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3148 result = L2CAP_CONF_UNACCEPT;
3149 else {
0c1bc5c6 3150 chan->omtu = mtu;
c1360a1c 3151 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3152 }
0c1bc5c6 3153 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3154
42dceae2
AE		 3155 if (remote_efs) {
3156 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3157 efs.stype != L2CAP_SERV_NOTRAFIC &&
3158 efs.stype != chan->local_stype) {
42dceae2
AE		 3159
3160 result = L2CAP_CONF_UNACCEPT;
3161
3162 if (chan->num_conf_req >= 1)
3163 return -ECONNREFUSED;
3164
3165 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3166 sizeof(efs),
3167 (unsigned long) &efs);
0e8b207e 3168 } else {
3e6b3b95 3169 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3170 result = L2CAP_CONF_PENDING;
3171 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3172 }
3173 }
3174
f2fcfcd6
GP		 3175 switch (rfc.mode) {
3176 case L2CAP_MODE_BASIC:
47d1ec61 3177 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3178 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3179 break;
3180
3181 case L2CAP_MODE_ERTM:
6327eb98
AE		 3182 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3183 chan->remote_tx_win = rfc.txwin_size;
3184 else
3185 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3186
2c03a7a4 3187 chan->remote_max_tx = rfc.max_transmit;
1c762159 3188
c8f79162 3189 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3190 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3191 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3192 rfc.max_pdu_size = cpu_to_le16(size);
3193 chan->remote_mps = size;
f2fcfcd6 3194
10467e9e 3195 rfc.retrans_timeout =
4fd21a88 3196 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3197 rfc.monitor_timeout =
4fd21a88 3198 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3199
c1360a1c 3200 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3201
3202 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3203 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3204
42dceae2
AE		 3205 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3206 chan->remote_id = efs.id;
3207 chan->remote_stype = efs.stype;
3208 chan->remote_msdu = le16_to_cpu(efs.msdu);
3209 chan->remote_flush_to =
2d792818 3210 le32_to_cpu(efs.flush_to);
42dceae2 3211 chan->remote_acc_lat =
2d792818 3212 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3213 chan->remote_sdu_itime =
3214 le32_to_cpu(efs.sdu_itime);
3215 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3216 sizeof(efs),
3217 (unsigned long) &efs);
42dceae2 3218 }
f2fcfcd6
GP		 3219 break;
3220
3221 case L2CAP_MODE_STREAMING:
c8f79162 3222 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3223 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3224 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3225 rfc.max_pdu_size = cpu_to_le16(size);
3226 chan->remote_mps = size;
f2fcfcd6 3227
c1360a1c 3228 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3229
2d792818
GP		 3230 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3231 (unsigned long) &rfc);
68ae6639 3232
f2fcfcd6
GP		 3233 break;
3234
3235 default:
5dee9e7c 3236 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3237
6464f35f 3238 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3239 rfc.mode = chan->mode;
f2fcfcd6 3240 }
6464f35f 3241
f2fcfcd6 3242 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3243 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3244 }
fe4128e0 3245 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3246 rsp->result = cpu_to_le16(result);
59e54bd1 3247 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3248
3249 return ptr - data;
1da177e4
LT		 3250}
3251
2d792818
GP		 3252static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3253 void *data, u16 *result)
f2fcfcd6 3254{
f2fcfcd6
GP		 3255 struct l2cap_conf_req *req = data;
3256 void *ptr = req->data;
3257 int type, olen;
3258 unsigned long val;
36e999a8 3259 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3260 struct l2cap_conf_efs efs;
f2fcfcd6 3261
fe4128e0 3262 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3263
3264 while (len >= L2CAP_CONF_OPT_SIZE) {
3265 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3266
3267 switch (type) {
3268 case L2CAP_CONF_MTU:
3269 if (val < L2CAP_DEFAULT_MIN_MTU) {
3270 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3271 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3272 } else
0c1bc5c6
GP		 3273 chan->imtu = val;
3274 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3275 break;
3276
3277 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3278 chan->flush_to = val;
f2fcfcd6 3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3280 2, chan->flush_to);
f2fcfcd6
GP		 3281 break;
3282
3283 case L2CAP_CONF_RFC:
3284 if (olen == sizeof(rfc))
3285 memcpy(&rfc, (void *)val, olen);
3286
c1360a1c 3287 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3288 rfc.mode != chan->mode)
f2fcfcd6
GP		 3289 return -ECONNREFUSED;
3290
47d1ec61 3291 chan->fcs = 0;
f2fcfcd6
GP		 3292
3293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3294 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3295 break;
6327eb98
AE		 3296
3297 case L2CAP_CONF_EWS:
c20f8e35 3298 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3299 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3300 chan->tx_win);
6327eb98 3301 break;
66af7aaf
AE		 3302
3303 case L2CAP_CONF_EFS:
3304 if (olen == sizeof(efs))
3305 memcpy(&efs, (void *)val, olen);
3306
3307 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3308 efs.stype != L2CAP_SERV_NOTRAFIC &&
3309 efs.stype != chan->local_stype)
66af7aaf
AE		 3310 return -ECONNREFUSED;
3311
2d792818
GP		 3312 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3313 (unsigned long) &efs);
66af7aaf 3314 break;
f2fcfcd6
GP		 3315 }
3316 }
3317
0c1bc5c6 3318 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3319 return -ECONNREFUSED;
3320
0c1bc5c6 3321 chan->mode = rfc.mode;
6c2ea7a8 3322
0e8b207e 3323 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3324 switch (rfc.mode) {
3325 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3326 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3327 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3328 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3329 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3330 chan->ack_win = min_t(u16, chan->ack_win,
3331 rfc.txwin_size);
66af7aaf
AE		 3332
3333 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3334 chan->local_msdu = le16_to_cpu(efs.msdu);
3335 chan->local_sdu_itime =
2d792818 3336 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3337 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3338 chan->local_flush_to =
2d792818 3339 le32_to_cpu(efs.flush_to);
66af7aaf 3340 }
f2fcfcd6 3341 break;
66af7aaf 3342
f2fcfcd6 3343 case L2CAP_MODE_STREAMING:
47d1ec61 3344 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3345 }
3346 }
3347
fe4128e0 3348 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3349 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3350
3351 return ptr - data;
3352}
3353
2d792818
GP		 3354static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3355 u16 result, u16 flags)
1da177e4
LT		 3356{
3357 struct l2cap_conf_rsp *rsp = data;
3358 void *ptr = rsp->data;
1da177e4 3359
fe4128e0 3360 BT_DBG("chan %p", chan);
1da177e4 3361
fe4128e0 3362 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3363 rsp->result = cpu_to_le16(result);
aca3192c 3364 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3365
3366 return ptr - data;
3367}
3368
8c1d787b 3369void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3370{
3371 struct l2cap_conn_rsp rsp;
8c1d787b 3372 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3373 u8 buf[128];
3374
fe4128e0
GP		 3375 rsp.scid = cpu_to_le16(chan->dcid);
3376 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3377 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3378 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3379 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3380
c1360a1c 3381 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3382 return;
3383
710f9b0a 3384 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3385 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3386 chan->num_conf_req++;
3387}
3388
47d1ec61 3389static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3390{
7b1c0049
GP		 3391 int type, olen;
3392 unsigned long val;
c20f8e35
MM		 3393 /* Use sane default values in case a misbehaving remote device
3394 * did not send an RFC or extended window size option.
3395 */
3396 u16 txwin_ext = chan->ack_win;
3397 struct l2cap_conf_rfc rfc = {
3398 .mode = chan->mode,
3399 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3400 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3401 .max_pdu_size = cpu_to_le16(chan->imtu),
3402 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3403 };
7b1c0049 3404
47d1ec61 3405 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3406
0c1bc5c6 3407 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3408 return;
3409
3410 while (len >= L2CAP_CONF_OPT_SIZE) {
3411 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3412
c20f8e35
MM		 3413 switch (type) {
3414 case L2CAP_CONF_RFC:
3415 if (olen == sizeof(rfc))
3416 memcpy(&rfc, (void *)val, olen);
8f321f85 3417 break;
c20f8e35
MM		 3418 case L2CAP_CONF_EWS:
3419 txwin_ext = val;
3420 break;
3421 }
7b1c0049
GP		 3422 }
3423
7b1c0049
GP		 3424 switch (rfc.mode) {
3425 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3426 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3427 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3428 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3429 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3430 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3431 else
3432 chan->ack_win = min_t(u16, chan->ack_win,
3433 rfc.txwin_size);
7b1c0049
GP		 3434 break;
3435 case L2CAP_MODE_STREAMING:
47d1ec61 3436 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3437 }
3438}
3439
2d792818
GP		 3440static inline int l2cap_command_rej(struct l2cap_conn *conn,
3441 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3442{
e2fd318e 3443 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3444
e2fd318e 3445 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3446 return 0;
3447
3448 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3449 cmd->ident == conn->info_ident) {
17cd3f37 3450 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3451
3452 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3453 conn->info_ident = 0;
984947dc 3454
4e8402a3
MH		 3455 l2cap_conn_start(conn);
3456 }
3457
3458 return 0;
3459}
3460
1700915f
MM		 3461static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3462 struct l2cap_cmd_hdr *cmd,
3463 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3464{
1da177e4
LT		 3465 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3466 struct l2cap_conn_rsp rsp;
23691d75 3467 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3468 struct sock *parent, *sk = NULL;
e7c29cb1 3469 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3470
3471 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3472 __le16 psm = req->psm;
1da177e4 3473
097db76c 3474 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3475
3476 /* Check if we have socket listening on psm */
c2287681 3477 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3478 if (!pchan) {
1da177e4
LT		 3479 result = L2CAP_CR_BAD_PSM;
3480 goto sendresp;
3481 }
3482
23691d75
GP		 3483 parent = pchan->sk;
3484
3df91ea2 3485 mutex_lock(&conn->chan_lock);
aa2ac881 3486 lock_sock(parent);
e0f0cb56 3487
e7c29cb1 3488 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3489 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3490 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3491 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3492 result = L2CAP_CR_SEC_BLOCK;
3493 goto response;
3494 }
3495
1da177e4
LT		 3496 result = L2CAP_CR_NO_MEM;
3497
2dfa1003
GP		 3498 /* Check if we already have channel with that dcid */
3499 if (__l2cap_get_chan_by_dcid(conn, scid))
3500 goto response;
3501
80b98027 3502 chan = pchan->ops->new_connection(pchan);
80808e43 3503 if (!chan)
1da177e4
LT		 3504 goto response;
3505
80808e43
GP		 3506 sk = chan->sk;
3507
1da177e4
LT		 3508 hci_conn_hold(conn->hcon);
3509
1da177e4
LT		 3510 bacpy(&bt_sk(sk)->src, conn->src);
3511 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3512 chan->psm = psm;
3513 chan->dcid = scid;
1700915f 3514 chan->local_amp_id = amp_id;
1da177e4 3515
6be36555 3516 __l2cap_chan_add(conn, chan);
48454079 3517
fe4128e0 3518 dcid = chan->scid;
1da177e4 3519
c9b66675 3520 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3521
fc7f8a7e 3522 chan->ident = cmd->ident;
1da177e4 3523
984947dc 3524 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3525 if (l2cap_chan_check_security(chan)) {
c5daa683 3526 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3527 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3528 result = L2CAP_CR_PEND;
3529 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3530 chan->ops->defer(chan);
f66dc81f 3531 } else {
1700915f
MM		 3532 /* Force pending result for AMP controllers.
3533 * The connection will succeed after the
3534 * physical link is up.
3535 */
3536 if (amp_id) {
3537 __l2cap_state_change(chan, BT_CONNECT2);
3538 result = L2CAP_CR_PEND;
3539 } else {
3540 __l2cap_state_change(chan, BT_CONFIG);
3541 result = L2CAP_CR_SUCCESS;
3542 }
f66dc81f
MH		 3543 status = L2CAP_CS_NO_INFO;
3544 }
79d554a6 3545 } else {
0e587be7 3546 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3547 result = L2CAP_CR_PEND;
3548 status = L2CAP_CS_AUTHEN_PEND;
3549 }
3550 } else {
0e587be7 3551 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3552 result = L2CAP_CR_PEND;
3553 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3554 }
3555
1da177e4 3556response:
aa2ac881 3557 release_sock(parent);
3df91ea2 3558 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3559
3560sendresp:
aca3192c
YH		 3561 rsp.scid = cpu_to_le16(scid);
3562 rsp.dcid = cpu_to_le16(dcid);
3563 rsp.result = cpu_to_le16(result);
3564 rsp.status = cpu_to_le16(status);
4c89b6aa 3565 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3566
3567 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3568 struct l2cap_info_req info;
ac73498c 3569 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3570
3571 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3572 conn->info_ident = l2cap_get_ident(conn);
3573
ba13ccd9 3574 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3575
2d792818
GP		 3576 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3577 sizeof(info), &info);
79d554a6
MH		 3578 }
3579
c1360a1c 3580 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3581 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3582 u8 buf[128];
c1360a1c 3583 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3584 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3585 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3586 chan->num_conf_req++;
e9aeb2dd 3587 }
1700915f
MM		 3588
3589 return chan;
4c89b6aa 3590}
e9aeb2dd 3591
4c89b6aa
MM		 3592static int l2cap_connect_req(struct l2cap_conn *conn,
3593 struct l2cap_cmd_hdr *cmd, u8 *data)
3594{
300229f9 3595 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3596 return 0;
3597}
3598
5909cf30 3599static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3600 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3601{
3602 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3603 u16 scid, dcid, result, status;
48454079 3604 struct l2cap_chan *chan;
1da177e4 3605 u8 req[128];
3df91ea2 3606 int err;
1da177e4
LT		 3607
3608 scid = __le16_to_cpu(rsp->scid);
3609 dcid = __le16_to_cpu(rsp->dcid);
3610 result = __le16_to_cpu(rsp->result);
3611 status = __le16_to_cpu(rsp->status);
3612
1b009c98 3613 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3614 dcid, scid, result, status);
1da177e4 3615
3df91ea2
AE		 3616 mutex_lock(&conn->chan_lock);
3617
1da177e4 3618 if (scid) {
3df91ea2
AE		 3619 chan = __l2cap_get_chan_by_scid(conn, scid);
3620 if (!chan) {
3621 err = -EFAULT;
3622 goto unlock;
3623 }
1da177e4 3624 } else {
3df91ea2
AE		 3625 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3626 if (!chan) {
3627 err = -EFAULT;
3628 goto unlock;
3629 }
1da177e4
LT		 3630 }
3631
3df91ea2
AE		 3632 err = 0;
3633
6be36555 3634 l2cap_chan_lock(chan);
48454079 3635
1da177e4
LT		 3636 switch (result) {
3637 case L2CAP_CR_SUCCESS:
89bc500e 3638 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3639 chan->ident = 0;
fe4128e0 3640 chan->dcid = dcid;
c1360a1c 3641 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3642
c1360a1c 3643 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3644 break;
3645
1da177e4 3646 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3647 l2cap_build_conf_req(chan, req), req);
73ffa904 3648 chan->num_conf_req++;
1da177e4
LT		 3649 break;
3650
3651 case L2CAP_CR_PEND:
c1360a1c 3652 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3653 break;
3654
3655 default:
48454079 3656 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3657 break;
3658 }
3659
6be36555 3660 l2cap_chan_unlock(chan);
3df91ea2
AE		 3661
3662unlock:
3663 mutex_unlock(&conn->chan_lock);
3664
3665 return err;
1da177e4
LT		 3666}
3667
47d1ec61 3668static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3669{
3670 /* FCS is enabled only in ERTM or streaming mode, if one or both
3671 * sides request it.
3672 */
0c1bc5c6 3673 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3674 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3675 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3676 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3677}
3678
29d8a590
AE		 3679static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3680 u8 ident, u16 flags)
3681{
3682 struct l2cap_conn *conn = chan->conn;
3683
3684 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3685 flags);
3686
3687 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3688 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3689
3690 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3691 l2cap_build_conf_rsp(chan, data,
3692 L2CAP_CONF_SUCCESS, flags), data);
3693}
3694
2d792818
GP		 3695static inline int l2cap_config_req(struct l2cap_conn *conn,
3696 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3697 u8 *data)
1da177e4
LT		 3698{
3699 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3700 u16 dcid, flags;
3701 u8 rsp[64];
48454079 3702 struct l2cap_chan *chan;
3c588192 3703 int len, err = 0;
1da177e4
LT		 3704
3705 dcid = __le16_to_cpu(req->dcid);
3706 flags = __le16_to_cpu(req->flags);
3707
3708 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3709
baa7e1fa 3710 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3711 if (!chan)
1da177e4
LT		 3712 return -ENOENT;
3713
033b1142 3714 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3715 struct l2cap_cmd_rej_cid rej;
3716
ac73498c 3717 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3718 rej.scid = cpu_to_le16(chan->scid);
3719 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3720
df6bd743 3721 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3722 sizeof(rej), &rej);
354f60a9 3723 goto unlock;
df6bd743 3724 }
354f60a9 3725
5dee9e7c 3726 /* Reject if config buffer is too small. */
88219a0f 3727 len = cmd_len - sizeof(*req);
7ac28817 3728 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3729 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3730 l2cap_build_conf_rsp(chan, rsp,
3731 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3732 goto unlock;
3733 }
3734
3735 /* Store config. */
73ffa904
GP		 3736 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3737 chan->conf_len += len;
1da177e4 3738
59e54bd1 3739 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3740 /* Incomplete config. Send empty response. */
3741 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3742 l2cap_build_conf_rsp(chan, rsp,
3743 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3744 goto unlock;
3745 }
3746
3747 /* Complete config. */
73ffa904 3748 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3749 if (len < 0) {
e92c8e70 3750 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3751 goto unlock;
f2fcfcd6 3752 }
1da177e4 3753
5dee9e7c 3754 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3755 chan->num_conf_rsp++;
5dee9e7c 3756
5dee9e7c 3757 /* Reset config buffer. */
73ffa904 3758 chan->conf_len = 0;
5dee9e7c 3759
c1360a1c 3760 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3761 goto unlock;
3762
c1360a1c 3763 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3764 set_default_fcs(chan);
fcc203c3 3765
105bdf9e
MM		 3766 if (chan->mode == L2CAP_MODE_ERTM ||
3767 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3768 err = l2cap_ertm_init(chan);
3769
3770 if (err < 0)
3771 l2cap_send_disconn_req(chan->conn, chan, -err);
3772 else
3773 l2cap_chan_ready(chan);
0565c1c2 3774
876d9484
MH		 3775 goto unlock;
3776 }
3777
c1360a1c 3778 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3779 u8 buf[64];
1da177e4 3780 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3781 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3782 chan->num_conf_req++;
1da177e4
LT		 3783 }
3784
0e8b207e
AE		 3785 /* Got Conf Rsp PENDING from remote side and asume we sent
3786 Conf Rsp PENDING in the code above */
3787 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3788 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3789
3790 /* check compatibility */
3791
79de886d
AE		 3792 /* Send rsp for BR/EDR channel */
3793 if (!chan->ctrl_id)
3794 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3795 else
3796 chan->ident = cmd->ident;
0e8b207e
AE		 3797 }
3798
1da177e4 3799unlock:
6be36555 3800 l2cap_chan_unlock(chan);
3c588192 3801 return err;
1da177e4
LT		 3802}
3803
2d792818
GP		 3804static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3805 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3806{
3807 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3808 u16 scid, flags, result;
48454079 3809 struct l2cap_chan *chan;
61386cba 3810 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3811 int err = 0;
1da177e4
LT		 3812
3813 scid = __le16_to_cpu(rsp->scid);
3814 flags = __le16_to_cpu(rsp->flags);
3815 result = __le16_to_cpu(rsp->result);
3816
61386cba
AE		 3817 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3818 result, len);
1da177e4 3819
baa7e1fa 3820 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3821 if (!chan)
1da177e4
LT		 3822 return 0;
3823
3824 switch (result) {
3825 case L2CAP_CONF_SUCCESS:
47d1ec61 3826 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3827 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3828 break;
3829
0e8b207e
AE		 3830 case L2CAP_CONF_PENDING:
3831 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3832
3833 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3834 char buf[64];
3835
3836 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3837 buf, &result);
0e8b207e
AE		 3838 if (len < 0) {
3839 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3840 goto done;
3841 }
3842
3843 /* check compatibility */
3844
79de886d
AE		 3845 if (!chan->ctrl_id)
3846 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3847 0);
3848 else
3849 chan->ident = cmd->ident;
0e8b207e
AE		 3850 }
3851 goto done;
3852
1da177e4 3853 case L2CAP_CONF_UNACCEPT:
73ffa904 3854 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3855 char req[64];
3856
c2c77ec8 3857 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3858 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3859 goto done;
3860 }
3861
f2fcfcd6
GP		 3862 /* throw out any old stored conf requests */
3863 result = L2CAP_CONF_SUCCESS;
b4450035 3864 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3865 req, &result);
f2fcfcd6 3866 if (len < 0) {
e92c8e70 3867 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3868 goto done;
3869 }
3870
3871 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3872 L2CAP_CONF_REQ, len, req);
73ffa904 3873 chan->num_conf_req++;
f2fcfcd6
GP		 3874 if (result != L2CAP_CONF_SUCCESS)
3875 goto done;
3876 break;
1da177e4
LT		 3877 }
3878
8e87d142 3879 default:
6be36555 3880 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3881
ba13ccd9 3882 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3883 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3884 goto done;
3885 }
3886
59e54bd1 3887 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3888 goto done;
3889
c1360a1c 3890 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3891
c1360a1c 3892 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3893 set_default_fcs(chan);
fcc203c3 3894
105bdf9e
MM		 3895 if (chan->mode == L2CAP_MODE_ERTM ||
3896 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3897 err = l2cap_ertm_init(chan);
0565c1c2 3898
3c588192
MM		 3899 if (err < 0)
3900 l2cap_send_disconn_req(chan->conn, chan, -err);
3901 else
3902 l2cap_chan_ready(chan);
1da177e4
LT		 3903 }
3904
3905done:
6be36555 3906 l2cap_chan_unlock(chan);
3c588192 3907 return err;
1da177e4
LT		 3908}
3909
2d792818
GP		 3910static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3911 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3912{
3913 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3914 struct l2cap_disconn_rsp rsp;
3915 u16 dcid, scid;
48454079 3916 struct l2cap_chan *chan;
1da177e4
LT		 3917 struct sock *sk;
3918
3919 scid = __le16_to_cpu(req->scid);
3920 dcid = __le16_to_cpu(req->dcid);
3921
3922 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3923
3df91ea2
AE		 3924 mutex_lock(&conn->chan_lock);
3925
3926 chan = __l2cap_get_chan_by_scid(conn, dcid);
3927 if (!chan) {
3928 mutex_unlock(&conn->chan_lock);
1da177e4 3929 return 0;
3df91ea2 3930 }
1da177e4 3931
6be36555
AE		 3932 l2cap_chan_lock(chan);
3933
48454079
GP		 3934 sk = chan->sk;
3935
fe4128e0
GP		 3936 rsp.dcid = cpu_to_le16(chan->scid);
3937 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3938 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3939
6be36555 3940 lock_sock(sk);
1da177e4 3941 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3942 release_sock(sk);
1da177e4 3943
61d6ef3e 3944 l2cap_chan_hold(chan);
48454079 3945 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3946
3947 l2cap_chan_unlock(chan);
1da177e4 3948
80b98027 3949 chan->ops->close(chan);
61d6ef3e 3950 l2cap_chan_put(chan);
3df91ea2
AE		 3951
3952 mutex_unlock(&conn->chan_lock);
3953
1da177e4
LT		 3954 return 0;
3955}
3956
2d792818
GP		 3957static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3958 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3959{
3960 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3961 u16 dcid, scid;
48454079 3962 struct l2cap_chan *chan;
1da177e4
LT		 3963
3964 scid = __le16_to_cpu(rsp->scid);
3965 dcid = __le16_to_cpu(rsp->dcid);
3966
3967 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3968
3df91ea2
AE		 3969 mutex_lock(&conn->chan_lock);
3970
3971 chan = __l2cap_get_chan_by_scid(conn, scid);
3972 if (!chan) {
3973 mutex_unlock(&conn->chan_lock);
1da177e4 3974 return 0;
3df91ea2 3975 }
1da177e4 3976
6be36555 3977 l2cap_chan_lock(chan);
48454079 3978
61d6ef3e 3979 l2cap_chan_hold(chan);
48454079 3980 l2cap_chan_del(chan, 0);
6be36555
AE		 3981
3982 l2cap_chan_unlock(chan);
1da177e4 3983
80b98027 3984 chan->ops->close(chan);
61d6ef3e 3985 l2cap_chan_put(chan);
3df91ea2
AE		 3986
3987 mutex_unlock(&conn->chan_lock);
3988
1da177e4
LT		 3989 return 0;
3990}
3991
2d792818
GP		 3992static inline int l2cap_information_req(struct l2cap_conn *conn,
3993 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3994{
3995 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3996 u16 type;
3997
3998 type = __le16_to_cpu(req->type);
3999
4000 BT_DBG("type 0x%4.4x", type);
4001
f0709e03
MH		 4002 if (type == L2CAP_IT_FEAT_MASK) {
4003 u8 buf[8];
44dd46de 4004 u32 feat_mask = l2cap_feat_mask;
f0709e03 4005 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4006 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4007 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4008 if (!disable_ertm)
fcc203c3 4009 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4010 | L2CAP_FEAT_FCS;
a5fd6f30 4011 if (enable_hs)
6327eb98 4012 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4013 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4014
1b7bf4ed 4015 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4016 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4017 buf);
e1027a7c
MH		 4018 } else if (type == L2CAP_IT_FIXED_CHAN) {
4019 u8 buf[12];
4020 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4021
4022 if (enable_hs)
4023 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4024 else
4025 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4026
ac73498c
AE		 4027 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4028 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4029 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4030 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4031 buf);
f0709e03
MH		 4032 } else {
4033 struct l2cap_info_rsp rsp;
4034 rsp.type = cpu_to_le16(type);
ac73498c 4035 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4036 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4037 &rsp);
f0709e03 4038 }
1da177e4
LT		 4039
4040 return 0;
4041}
4042
2d792818
GP		 4043static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4044 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4045{
4046 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4047 u16 type, result;
4048
4049 type = __le16_to_cpu(rsp->type);
4050 result = __le16_to_cpu(rsp->result);
4051
4052 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4053
e90165be
AE		 4054 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4055 if (cmd->ident != conn->info_ident ||
2d792818 4056 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4057 return 0;
4058
17cd3f37 4059 cancel_delayed_work(&conn->info_timer);
4e8402a3 4060
adb08ede
VT		 4061 if (result != L2CAP_IR_SUCCESS) {
4062 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4063 conn->info_ident = 0;
4064
4065 l2cap_conn_start(conn);
4066
4067 return 0;
4068 }
4069
978c93b9
AE		 4070 switch (type) {
4071 case L2CAP_IT_FEAT_MASK:
83985319 4072 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4073
47ec1dcd 4074 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4075 struct l2cap_info_req req;
ac73498c 4076 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4077
4078 conn->info_ident = l2cap_get_ident(conn);
4079
4080 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4081 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4082 } else {
4083 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4084 conn->info_ident = 0;
4085
4086 l2cap_conn_start(conn);
4087 }
978c93b9
AE		 4088 break;
4089
4090 case L2CAP_IT_FIXED_CHAN:
4091 conn->fixed_chan_mask = rsp->data[0];
984947dc 4092 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4093 conn->info_ident = 0;
984947dc
MH		 4094
4095 l2cap_conn_start(conn);
978c93b9 4096 break;
984947dc 4097 }
4e8402a3 4098
1da177e4
LT		 4099 return 0;
4100}
4101
1700915f
MM		 4102static int l2cap_create_channel_req(struct l2cap_conn *conn,
4103 struct l2cap_cmd_hdr *cmd,
4104 u16 cmd_len, void *data)
f94ff6ff
MM		 4105{
4106 struct l2cap_create_chan_req *req = data;
1700915f 4107 struct l2cap_chan *chan;
f94ff6ff
MM		 4108 u16 psm, scid;
4109
4110 if (cmd_len != sizeof(*req))
4111 return -EPROTO;
4112
4113 if (!enable_hs)
4114 return -EINVAL;
4115
4116 psm = le16_to_cpu(req->psm);
4117 scid = le16_to_cpu(req->scid);
4118
ad0ac6ca 4119 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4120
1700915f
MM		 4121 if (req->amp_id) {
4122 struct hci_dev *hdev;
4123
4124 /* Validate AMP controller id */
4125 hdev = hci_dev_get(req->amp_id);
4126 if (!hdev || hdev->dev_type != HCI_AMP ||
4127 !test_bit(HCI_UP, &hdev->flags)) {
4128 struct l2cap_create_chan_rsp rsp;
4129
4130 rsp.dcid = 0;
4131 rsp.scid = cpu_to_le16(scid);
4132 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4133 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4134
4135 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4136 sizeof(rsp), &rsp);
4137
4138 if (hdev)
4139 hci_dev_put(hdev);
4140
4141 return 0;
4142 }
4143
4144 hci_dev_put(hdev);
4145 }
f94ff6ff 4146
1700915f
MM		 4147 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4148 req->amp_id);
f94ff6ff
MM		 4149
4150 return 0;
4151}
4152
8d5a04a1 4153static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4154 u16 icid, u16 result)
8d5a04a1
MM		 4155{
4156 struct l2cap_move_chan_rsp rsp;
4157
ad0ac6ca 4158 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4159
4160 rsp.icid = cpu_to_le16(icid);
4161 rsp.result = cpu_to_le16(result);
4162
4163 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4164}
4165
4166static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4167 struct l2cap_chan *chan,
4168 u16 icid, u16 result)
8d5a04a1
MM		 4169{
4170 struct l2cap_move_chan_cfm cfm;
4171 u8 ident;
4172
ad0ac6ca 4173 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4174
4175 ident = l2cap_get_ident(conn);
4176 if (chan)
4177 chan->ident = ident;
4178
4179 cfm.icid = cpu_to_le16(icid);
4180 cfm.result = cpu_to_le16(result);
4181
4182 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4183}
4184
4185static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4186 u16 icid)
8d5a04a1
MM		 4187{
4188 struct l2cap_move_chan_cfm_rsp rsp;
4189
ad0ac6ca 4190 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4191
4192 rsp.icid = cpu_to_le16(icid);
4193 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4194}
4195
4196static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4197 struct l2cap_cmd_hdr *cmd,
4198 u16 cmd_len, void *data)
8d5a04a1
MM		 4199{
4200 struct l2cap_move_chan_req *req = data;
02b0fbb9 4201 struct l2cap_chan *chan;
8d5a04a1
MM		 4202 u16 icid = 0;
4203 u16 result = L2CAP_MR_NOT_ALLOWED;
4204
4205 if (cmd_len != sizeof(*req))
4206 return -EPROTO;
4207
4208 icid = le16_to_cpu(req->icid);
4209
ad0ac6ca 4210 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4211
4212 if (!enable_hs)
4213 return -EINVAL;
4214
02b0fbb9
MM		 4215 chan = l2cap_get_chan_by_dcid(conn, icid);
4216 if (!chan) {
4217 l2cap_send_move_chan_rsp(conn, cmd->ident, icid,
4218 L2CAP_MR_NOT_ALLOWED);
4219 return 0;
4220 }
4221
4222 if (chan->scid < L2CAP_CID_DYN_START ||
4223 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4224 (chan->mode != L2CAP_MODE_ERTM &&
4225 chan->mode != L2CAP_MODE_STREAMING)) {
4226 result = L2CAP_MR_NOT_ALLOWED;
4227 goto send_move_response;
4228 }
4229
4230 if (chan->local_amp_id == req->dest_amp_id) {
4231 result = L2CAP_MR_SAME_ID;
4232 goto send_move_response;
4233 }
4234
4235 if (req->dest_amp_id) {
4236 struct hci_dev *hdev;
4237 hdev = hci_dev_get(req->dest_amp_id);
4238 if (!hdev || hdev->dev_type != HCI_AMP ||
4239 !test_bit(HCI_UP, &hdev->flags)) {
4240 if (hdev)
4241 hci_dev_put(hdev);
4242
4243 result = L2CAP_MR_BAD_ID;
4244 goto send_move_response;
4245 }
4246 hci_dev_put(hdev);
4247 }
4248
4249 /* Detect a move collision. Only send a collision response
4250 * if this side has "lost", otherwise proceed with the move.
4251 * The winner has the larger bd_addr.
4252 */
4253 if ((__chan_is_moving(chan) ||
4254 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4255 bacmp(conn->src, conn->dst) > 0) {
4256 result = L2CAP_MR_COLLISION;
4257 goto send_move_response;
4258 }
4259
4260 chan->ident = cmd->ident;
4261 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4262 l2cap_move_setup(chan);
4263 chan->move_id = req->dest_amp_id;
4264 icid = chan->dcid;
4265
4266 if (!req->dest_amp_id) {
4267 /* Moving to BR/EDR */
4268 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4269 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4270 result = L2CAP_MR_PEND;
4271 } else {
4272 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4273 result = L2CAP_MR_SUCCESS;
4274 }
4275 } else {
4276 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4277 /* Placeholder - uncomment when amp functions are available */
4278 /*amp_accept_physical(chan, req->dest_amp_id);*/
4279 result = L2CAP_MR_PEND;
4280 }
4281
4282send_move_response:
8d5a04a1
MM		 4283 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4284
02b0fbb9
MM		 4285 l2cap_chan_unlock(chan);
4286
8d5a04a1
MM		 4287 return 0;
4288}
4289
4290static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4291 struct l2cap_cmd_hdr *cmd,
4292 u16 cmd_len, void *data)
8d5a04a1
MM		 4293{
4294 struct l2cap_move_chan_rsp *rsp = data;
4295 u16 icid, result;
4296
4297 if (cmd_len != sizeof(*rsp))
4298 return -EPROTO;
4299
4300 icid = le16_to_cpu(rsp->icid);
4301 result = le16_to_cpu(rsp->result);
4302
ad0ac6ca 4303 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4304
4305 /* Placeholder: Always unconfirmed */
4306 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4307
4308 return 0;
4309}
4310
4311static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4312 struct l2cap_cmd_hdr *cmd,
4313 u16 cmd_len, void *data)
8d5a04a1
MM		 4314{
4315 struct l2cap_move_chan_cfm *cfm = data;
4316 u16 icid, result;
4317
4318 if (cmd_len != sizeof(*cfm))
4319 return -EPROTO;
4320
4321 icid = le16_to_cpu(cfm->icid);
4322 result = le16_to_cpu(cfm->result);
4323
ad0ac6ca 4324 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4325
4326 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4327
4328 return 0;
4329}
4330
4331static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4332 struct l2cap_cmd_hdr *cmd,
4333 u16 cmd_len, void *data)
8d5a04a1
MM		 4334{
4335 struct l2cap_move_chan_cfm_rsp *rsp = data;
4336 u16 icid;
4337
4338 if (cmd_len != sizeof(*rsp))
4339 return -EPROTO;
4340
4341 icid = le16_to_cpu(rsp->icid);
4342
ad0ac6ca 4343 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4344
4345 return 0;
4346}
4347
e2174ca4 4348static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4349 u16 to_multiplier)
de73115a
CT		 4350{
4351 u16 max_latency;
4352
4353 if (min > max || min < 6 || max > 3200)
4354 return -EINVAL;
4355
4356 if (to_multiplier < 10 || to_multiplier > 3200)
4357 return -EINVAL;
4358
4359 if (max >= to_multiplier * 8)
4360 return -EINVAL;
4361
4362 max_latency = (to_multiplier * 8 / max) - 1;
4363 if (latency > 499 || latency > max_latency)
4364 return -EINVAL;
4365
4366 return 0;
4367}
4368
4369static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4370 struct l2cap_cmd_hdr *cmd,
4371 u8 *data)
de73115a
CT		 4372{
4373 struct hci_conn *hcon = conn->hcon;
4374 struct l2cap_conn_param_update_req *req;
4375 struct l2cap_conn_param_update_rsp rsp;
4376 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4377 int err;
de73115a
CT		 4378
4379 if (!(hcon->link_mode & HCI_LM_MASTER))
4380 return -EINVAL;
4381
4382 cmd_len = __le16_to_cpu(cmd->len);
4383 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4384 return -EPROTO;
4385
4386 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4387 min = __le16_to_cpu(req->min);
4388 max = __le16_to_cpu(req->max);
de73115a
CT		 4389 latency = __le16_to_cpu(req->latency);
4390 to_multiplier = __le16_to_cpu(req->to_multiplier);
4391
4392 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4393 min, max, latency, to_multiplier);
de73115a
CT		 4394
4395 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4396
4397 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4398 if (err)
ac73498c 4399 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4400 else
ac73498c 4401 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4402
4403 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4404 sizeof(rsp), &rsp);
de73115a 4405
2ce603eb
CT		 4406 if (!err)
4407 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4408
de73115a
CT		 4409 return 0;
4410}
4411
3300d9a9 4412static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4413 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4414 u8 *data)
3300d9a9
CT		 4415{
4416 int err = 0;
4417
4418 switch (cmd->code) {
4419 case L2CAP_COMMAND_REJ:
4420 l2cap_command_rej(conn, cmd, data);
4421 break;
4422
4423 case L2CAP_CONN_REQ:
4424 err = l2cap_connect_req(conn, cmd, data);
4425 break;
4426
4427 case L2CAP_CONN_RSP:
f5a2598d 4428 case L2CAP_CREATE_CHAN_RSP:
5909cf30 4429 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 4430 break;
4431
4432 case L2CAP_CONF_REQ:
4433 err = l2cap_config_req(conn, cmd, cmd_len, data);
4434 break;
4435
4436 case L2CAP_CONF_RSP:
4437 err = l2cap_config_rsp(conn, cmd, data);
4438 break;
4439
4440 case L2CAP_DISCONN_REQ:
4441 err = l2cap_disconnect_req(conn, cmd, data);
4442 break;
4443
4444 case L2CAP_DISCONN_RSP:
4445 err = l2cap_disconnect_rsp(conn, cmd, data);
4446 break;
4447
4448 case L2CAP_ECHO_REQ:
4449 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4450 break;
4451
4452 case L2CAP_ECHO_RSP:
4453 break;
4454
4455 case L2CAP_INFO_REQ:
4456 err = l2cap_information_req(conn, cmd, data);
4457 break;
4458
4459 case L2CAP_INFO_RSP:
4460 err = l2cap_information_rsp(conn, cmd, data);
4461 break;
4462
f94ff6ff
MM		 4463 case L2CAP_CREATE_CHAN_REQ:
4464 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4465 break;
4466
8d5a04a1
MM		 4467 case L2CAP_MOVE_CHAN_REQ:
4468 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4469 break;
4470
4471 case L2CAP_MOVE_CHAN_RSP:
4472 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4473 break;
4474
4475 case L2CAP_MOVE_CHAN_CFM:
4476 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4477 break;
4478
4479 case L2CAP_MOVE_CHAN_CFM_RSP:
4480 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4481 break;
4482
3300d9a9
CT		 4483 default:
4484 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4485 err = -EINVAL;
4486 break;
4487 }
4488
4489 return err;
4490}
4491
4492static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 4493 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 4494{
4495 switch (cmd->code) {
4496 case L2CAP_COMMAND_REJ:
4497 return 0;
4498
4499 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4500 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4501
4502 case L2CAP_CONN_PARAM_UPDATE_RSP:
4503 return 0;
4504
4505 default:
4506 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4507 return -EINVAL;
4508 }
4509}
4510
4511static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 4512 struct sk_buff *skb)
1da177e4
LT		 4513{
4514 u8 *data = skb->data;
4515 int len = skb->len;
4516 struct l2cap_cmd_hdr cmd;
3300d9a9 4517 int err;
1da177e4
LT		 4518
4519 l2cap_raw_recv(conn, skb);
4520
4521 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4522 u16 cmd_len;
1da177e4
LT		 4523 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4524 data += L2CAP_CMD_HDR_SIZE;
4525 len -= L2CAP_CMD_HDR_SIZE;
4526
88219a0f 4527 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4528
2d792818
GP		 4529 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
4530 cmd.ident);
1da177e4 4531
88219a0f 4532 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4533 BT_DBG("corrupted command");
4534 break;
4535 }
4536
3300d9a9
CT		 4537 if (conn->hcon->type == LE_LINK)
4538 err = l2cap_le_sig_cmd(conn, &cmd, data);
4539 else
4540 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4541
4542 if (err) {
e2fd318e 4543 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4544
4545 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4546
4547 /* FIXME: Map err to a valid reason */
ac73498c 4548 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 4549 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
4550 sizeof(rej), &rej);
1da177e4
LT		 4551 }
4552
88219a0f
AV		 4553 data += cmd_len;
4554 len -= cmd_len;
1da177e4
LT		 4555 }
4556
4557 kfree_skb(skb);
4558}
4559
47d1ec61 4560static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4561{
4562 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4563 int hdr_size;
4564
4565 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4566 hdr_size = L2CAP_EXT_HDR_SIZE;
4567 else
4568 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4569
47d1ec61 4570 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4571 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4572 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4573 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4574
4575 if (our_fcs != rcv_fcs)
7a560e5c 4576 return -EBADMSG;
fcc203c3
GP		 4577 }
4578 return 0;
4579}
4580
6ea00485 4581static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4582{
e31f7633 4583 struct l2cap_ctrl control;
d5392c8f 4584
e31f7633 4585 BT_DBG("chan %p", chan);
d5392c8f 4586
e31f7633
MM		 4587 memset(&control, 0, sizeof(control));
4588 control.sframe = 1;
4589 control.final = 1;
4590 control.reqseq = chan->buffer_seq;
4591 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4592
e2ab4353 4593 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4594 control.super = L2CAP_SUPER_RNR;
4595 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4596 }
4597
e31f7633
MM		 4598 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4599 chan->unacked_frames > 0)
4600 __set_retrans_timer(chan);
d5392c8f 4601
e31f7633 4602 /* Send pending iframes */
525cd185 4603 l2cap_ertm_send(chan);
d5392c8f 4604
e2ab4353 4605 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4606 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4607 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4608 * send it now.
4609 */
4610 control.super = L2CAP_SUPER_RR;
4611 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4612 }
4613}
4614
2d792818
GP		 4615static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
4616 struct sk_buff **last_frag)
18778a63 4617{
84084a31
MM		 4618 /* skb->len reflects data in skb as well as all fragments
4619 * skb->data_len reflects only data in fragments
4620 */
4621 if (!skb_has_frag_list(skb))
4622 skb_shinfo(skb)->frag_list = new_frag;
4623
4624 new_frag->next = NULL;
4625
4626 (*last_frag)->next = new_frag;
4627 *last_frag = new_frag;
4628
4629 skb->len += new_frag->len;
4630 skb->data_len += new_frag->len;
4631 skb->truesize += new_frag->truesize;
4632}
4633
4b51dae9
MM		 4634static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4635 struct l2cap_ctrl *control)
84084a31
MM		 4636{
4637 int err = -EINVAL;
18778a63 4638
4b51dae9 4639 switch (control->sar) {
7e0ef6ee 4640 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4641 if (chan->sdu)
4642 break;
18778a63 4643
80b98027 4644 err = chan->ops->recv(chan, skb);
84084a31 4645 break;
18778a63 4646
7e0ef6ee 4647 case L2CAP_SAR_START:
84084a31
MM		 4648 if (chan->sdu)
4649 break;
18778a63 4650
6f61fd47 4651 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4652 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4653
84084a31
MM		 4654 if (chan->sdu_len > chan->imtu) {
4655 err = -EMSGSIZE;
4656 break;
4657 }
1890d36b 4658
84084a31
MM		 4659 if (skb->len >= chan->sdu_len)
4660 break;
18778a63 4661
84084a31
MM		 4662 chan->sdu = skb;
4663 chan->sdu_last_frag = skb;
18778a63 4664
84084a31
MM		 4665 skb = NULL;
4666 err = 0;
18778a63
GP		 4667 break;
4668
7e0ef6ee 4669 case L2CAP_SAR_CONTINUE:
6f61fd47 4670 if (!chan->sdu)
84084a31 4671 break;
18778a63 4672
84084a31
MM		 4673 append_skb_frag(chan->sdu, skb,
4674 &chan->sdu_last_frag);
4675 skb = NULL;
18778a63 4676
84084a31
MM		 4677 if (chan->sdu->len >= chan->sdu_len)
4678 break;
4178ba46 4679
84084a31 4680 err = 0;
18778a63
GP		 4681 break;
4682
7e0ef6ee 4683 case L2CAP_SAR_END:
6f61fd47 4684 if (!chan->sdu)
84084a31 4685 break;
18778a63 4686
84084a31
MM		 4687 append_skb_frag(chan->sdu, skb,
4688 &chan->sdu_last_frag);
4689 skb = NULL;
4178ba46 4690
84084a31
MM		 4691 if (chan->sdu->len != chan->sdu_len)
4692 break;
18778a63 4693
80b98027 4694 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4695
84084a31
MM		 4696 if (!err) {
4697 /* Reassembly complete */
4698 chan->sdu = NULL;
4699 chan->sdu_last_frag = NULL;
4700 chan->sdu_len = 0;
1890d36b 4701 }
18778a63
GP		 4702 break;
4703 }
4704
84084a31
MM		 4705 if (err) {
4706 kfree_skb(skb);
4707 kfree_skb(chan->sdu);
4708 chan->sdu = NULL;
4709 chan->sdu_last_frag = NULL;
4710 chan->sdu_len = 0;
4711 }
18778a63 4712
84084a31 4713 return err;
18778a63
GP		 4714}
4715
32b32735
MM		 4716static int l2cap_resegment(struct l2cap_chan *chan)
4717{
4718 /* Placeholder */
4719 return 0;
4720}
4721
61aa4f5b 4722void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4723{
61aa4f5b 4724 u8 event;
712132eb 4725
61aa4f5b
MM		 4726 if (chan->mode != L2CAP_MODE_ERTM)
4727 return;
712132eb 4728
61aa4f5b 4729 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4730 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4731}
4732
d2a7ac5d
MM		 4733static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4734{
63838725
MM		 4735 int err = 0;
4736 /* Pass sequential frames to l2cap_reassemble_sdu()
4737 * until a gap is encountered.
4738 */
4739
4740 BT_DBG("chan %p", chan);
4741
4742 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4743 struct sk_buff *skb;
4744 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4745 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4746
4747 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4748
4749 if (!skb)
4750 break;
4751
4752 skb_unlink(skb, &chan->srej_q);
4753 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4754 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4755 if (err)
4756 break;
4757 }
4758
4759 if (skb_queue_empty(&chan->srej_q)) {
4760 chan->rx_state = L2CAP_RX_STATE_RECV;
4761 l2cap_send_ack(chan);
4762 }
4763
4764 return err;
d2a7ac5d
MM		 4765}
4766
4767static void l2cap_handle_srej(struct l2cap_chan *chan,
4768 struct l2cap_ctrl *control)
4769{
f80842a8
MM		 4770 struct sk_buff *skb;
4771
4772 BT_DBG("chan %p, control %p", chan, control);
4773
4774 if (control->reqseq == chan->next_tx_seq) {
4775 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4776 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4777 return;
4778 }
4779
4780 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4781
4782 if (skb == NULL) {
4783 BT_DBG("Seq %d not available for retransmission",
4784 control->reqseq);
4785 return;
4786 }
4787
4788 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4789 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4790 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4791 return;
4792 }
4793
4794 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4795
4796 if (control->poll) {
4797 l2cap_pass_to_tx(chan, control);
4798
4799 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4800 l2cap_retransmit(chan, control);
4801 l2cap_ertm_send(chan);
4802
4803 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4804 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4805 chan->srej_save_reqseq = control->reqseq;
4806 }
4807 } else {
4808 l2cap_pass_to_tx_fbit(chan, control);
4809
4810 if (control->final) {
4811 if (chan->srej_save_reqseq != control->reqseq ||
4812 !test_and_clear_bit(CONN_SREJ_ACT,
4813 &chan->conn_state))
4814 l2cap_retransmit(chan, control);
4815 } else {
4816 l2cap_retransmit(chan, control);
4817 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4818 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4819 chan->srej_save_reqseq = control->reqseq;
4820 }
4821 }
4822 }
d2a7ac5d
MM		 4823}
4824
4825static void l2cap_handle_rej(struct l2cap_chan *chan,
4826 struct l2cap_ctrl *control)
4827{
fcd289df
MM		 4828 struct sk_buff *skb;
4829
4830 BT_DBG("chan %p, control %p", chan, control);
4831
4832 if (control->reqseq == chan->next_tx_seq) {
4833 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4834 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4835 return;
4836 }
4837
4838 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4839
4840 if (chan->max_tx && skb &&
4841 bt_cb(skb)->control.retries >= chan->max_tx) {
4842 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4843 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4844 return;
4845 }
4846
4847 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4848
4849 l2cap_pass_to_tx(chan, control);
4850
4851 if (control->final) {
4852 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4853 l2cap_retransmit_all(chan, control);
4854 } else {
4855 l2cap_retransmit_all(chan, control);
4856 l2cap_ertm_send(chan);
4857 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4858 set_bit(CONN_REJ_ACT, &chan->conn_state);
4859 }
d2a7ac5d
MM		 4860}
4861
4b51dae9
MM		 4862static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4863{
4864 BT_DBG("chan %p, txseq %d", chan, txseq);
4865
4866 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4867 chan->expected_tx_seq);
4868
4869 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4870 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 4871 chan->tx_win) {
4b51dae9
MM		 4872 /* See notes below regarding "double poll" and
4873 * invalid packets.
4874 */
4875 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4876 BT_DBG("Invalid/Ignore - after SREJ");
4877 return L2CAP_TXSEQ_INVALID_IGNORE;
4878 } else {
4879 BT_DBG("Invalid - in window after SREJ sent");
4880 return L2CAP_TXSEQ_INVALID;
4881 }
4882 }
4883
4884 if (chan->srej_list.head == txseq) {
4885 BT_DBG("Expected SREJ");
4886 return L2CAP_TXSEQ_EXPECTED_SREJ;
4887 }
4888
4889 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4890 BT_DBG("Duplicate SREJ - txseq already stored");
4891 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4892 }
4893
4894 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4895 BT_DBG("Unexpected SREJ - not requested");
4896 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4897 }
4898 }
4899
4900 if (chan->expected_tx_seq == txseq) {
4901 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4902 chan->tx_win) {
4903 BT_DBG("Invalid - txseq outside tx window");
4904 return L2CAP_TXSEQ_INVALID;
4905 } else {
4906 BT_DBG("Expected");
4907 return L2CAP_TXSEQ_EXPECTED;
4908 }
4909 }
4910
4911 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 4912 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 4913 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4914 return L2CAP_TXSEQ_DUPLICATE;
4915 }
4916
4917 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4918 /* A source of invalid packets is a "double poll" condition,
4919 * where delays cause us to send multiple poll packets. If
4920 * the remote stack receives and processes both polls,
4921 * sequence numbers can wrap around in such a way that a
4922 * resent frame has a sequence number that looks like new data
4923 * with a sequence gap. This would trigger an erroneous SREJ
4924 * request.
4925 *
4926 * Fortunately, this is impossible with a tx window that's
4927 * less than half of the maximum sequence number, which allows
4928 * invalid frames to be safely ignored.
4929 *
4930 * With tx window sizes greater than half of the tx window
4931 * maximum, the frame is invalid and cannot be ignored. This
4932 * causes a disconnect.
4933 */
4934
4935 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4936 BT_DBG("Invalid/Ignore - txseq outside tx window");
4937 return L2CAP_TXSEQ_INVALID_IGNORE;
4938 } else {
4939 BT_DBG("Invalid - txseq outside tx window");
4940 return L2CAP_TXSEQ_INVALID;
4941 }
4942 } else {
4943 BT_DBG("Unexpected - txseq indicates missing frames");
4944 return L2CAP_TXSEQ_UNEXPECTED;
4945 }
4946}
4947
d2a7ac5d
MM		 4948static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4949 struct l2cap_ctrl *control,
4950 struct sk_buff *skb, u8 event)
4951{
4952 int err = 0;
4953 bool skb_in_use = 0;
4954
4955 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4956 event);
4957
4958 switch (event) {
4959 case L2CAP_EV_RECV_IFRAME:
4960 switch (l2cap_classify_txseq(chan, control->txseq)) {
4961 case L2CAP_TXSEQ_EXPECTED:
4962 l2cap_pass_to_tx(chan, control);
4963
4964 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4965 BT_DBG("Busy, discarding expected seq %d",
4966 control->txseq);
4967 break;
4968 }
4969
4970 chan->expected_tx_seq = __next_seq(chan,
4971 control->txseq);
4972
4973 chan->buffer_seq = chan->expected_tx_seq;
4974 skb_in_use = 1;
4975
4976 err = l2cap_reassemble_sdu(chan, skb, control);
4977 if (err)
4978 break;
4979
4980 if (control->final) {
4981 if (!test_and_clear_bit(CONN_REJ_ACT,
4982 &chan->conn_state)) {
4983 control->final = 0;
4984 l2cap_retransmit_all(chan, control);
4985 l2cap_ertm_send(chan);
4986 }
4987 }
4988
4989 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4990 l2cap_send_ack(chan);
4991 break;
4992 case L2CAP_TXSEQ_UNEXPECTED:
4993 l2cap_pass_to_tx(chan, control);
4994
4995 /* Can't issue SREJ frames in the local busy state.
4996 * Drop this frame, it will be seen as missing
4997 * when local busy is exited.
4998 */
4999 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5000 BT_DBG("Busy, discarding unexpected seq %d",
5001 control->txseq);
5002 break;
5003 }
5004
5005 /* There was a gap in the sequence, so an SREJ
5006 * must be sent for each missing frame. The
5007 * current frame is stored for later use.
5008 */
5009 skb_queue_tail(&chan->srej_q, skb);
5010 skb_in_use = 1;
5011 BT_DBG("Queued %p (queue len %d)", skb,
5012 skb_queue_len(&chan->srej_q));
5013
5014 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5015 l2cap_seq_list_clear(&chan->srej_list);
5016 l2cap_send_srej(chan, control->txseq);
5017
5018 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5019 break;
5020 case L2CAP_TXSEQ_DUPLICATE:
5021 l2cap_pass_to_tx(chan, control);
5022 break;
5023 case L2CAP_TXSEQ_INVALID_IGNORE:
5024 break;
5025 case L2CAP_TXSEQ_INVALID:
5026 default:
5027 l2cap_send_disconn_req(chan->conn, chan,
5028 ECONNRESET);
5029 break;
5030 }
5031 break;
5032 case L2CAP_EV_RECV_RR:
5033 l2cap_pass_to_tx(chan, control);
5034 if (control->final) {
5035 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5036
5037 if (!test_and_clear_bit(CONN_REJ_ACT,
5038 &chan->conn_state)) {
5039 control->final = 0;
5040 l2cap_retransmit_all(chan, control);
5041 }
5042
5043 l2cap_ertm_send(chan);
5044 } else if (control->poll) {
5045 l2cap_send_i_or_rr_or_rnr(chan);
5046 } else {
5047 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5048 &chan->conn_state) &&
5049 chan->unacked_frames)
5050 __set_retrans_timer(chan);
5051
5052 l2cap_ertm_send(chan);
5053 }
5054 break;
5055 case L2CAP_EV_RECV_RNR:
5056 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5057 l2cap_pass_to_tx(chan, control);
5058 if (control && control->poll) {
5059 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5060 l2cap_send_rr_or_rnr(chan, 0);
5061 }
5062 __clear_retrans_timer(chan);
5063 l2cap_seq_list_clear(&chan->retrans_list);
5064 break;
5065 case L2CAP_EV_RECV_REJ:
5066 l2cap_handle_rej(chan, control);
5067 break;
5068 case L2CAP_EV_RECV_SREJ:
5069 l2cap_handle_srej(chan, control);
5070 break;
5071 default:
5072 break;
5073 }
5074
5075 if (skb && !skb_in_use) {
5076 BT_DBG("Freeing %p", skb);
5077 kfree_skb(skb);
5078 }
5079
5080 return err;
5081}
5082
5083static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5084 struct l2cap_ctrl *control,
5085 struct sk_buff *skb, u8 event)
5086{
5087 int err = 0;
5088 u16 txseq = control->txseq;
5089 bool skb_in_use = 0;
5090
5091 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5092 event);
5093
5094 switch (event) {
5095 case L2CAP_EV_RECV_IFRAME:
5096 switch (l2cap_classify_txseq(chan, txseq)) {
5097 case L2CAP_TXSEQ_EXPECTED:
5098 /* Keep frame for reassembly later */
5099 l2cap_pass_to_tx(chan, control);
5100 skb_queue_tail(&chan->srej_q, skb);
5101 skb_in_use = 1;
5102 BT_DBG("Queued %p (queue len %d)", skb,
5103 skb_queue_len(&chan->srej_q));
5104
5105 chan->expected_tx_seq = __next_seq(chan, txseq);
5106 break;
5107 case L2CAP_TXSEQ_EXPECTED_SREJ:
5108 l2cap_seq_list_pop(&chan->srej_list);
5109
5110 l2cap_pass_to_tx(chan, control);
5111 skb_queue_tail(&chan->srej_q, skb);
5112 skb_in_use = 1;
5113 BT_DBG("Queued %p (queue len %d)", skb,
5114 skb_queue_len(&chan->srej_q));
5115
5116 err = l2cap_rx_queued_iframes(chan);
5117 if (err)
5118 break;
5119
5120 break;
5121 case L2CAP_TXSEQ_UNEXPECTED:
5122 /* Got a frame that can't be reassembled yet.
5123 * Save it for later, and send SREJs to cover
5124 * the missing frames.
5125 */
5126 skb_queue_tail(&chan->srej_q, skb);
5127 skb_in_use = 1;
5128 BT_DBG("Queued %p (queue len %d)", skb,
5129 skb_queue_len(&chan->srej_q));
5130
5131 l2cap_pass_to_tx(chan, control);
5132 l2cap_send_srej(chan, control->txseq);
5133 break;
5134 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5135 /* This frame was requested with an SREJ, but
5136 * some expected retransmitted frames are
5137 * missing. Request retransmission of missing
5138 * SREJ'd frames.
5139 */
5140 skb_queue_tail(&chan->srej_q, skb);
5141 skb_in_use = 1;
5142 BT_DBG("Queued %p (queue len %d)", skb,
5143 skb_queue_len(&chan->srej_q));
5144
5145 l2cap_pass_to_tx(chan, control);
5146 l2cap_send_srej_list(chan, control->txseq);
5147 break;
5148 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5149 /* We've already queued this frame. Drop this copy. */
5150 l2cap_pass_to_tx(chan, control);
5151 break;
5152 case L2CAP_TXSEQ_DUPLICATE:
5153 /* Expecting a later sequence number, so this frame
5154 * was already received. Ignore it completely.
5155 */
5156 break;
5157 case L2CAP_TXSEQ_INVALID_IGNORE:
5158 break;
5159 case L2CAP_TXSEQ_INVALID:
5160 default:
5161 l2cap_send_disconn_req(chan->conn, chan,
5162 ECONNRESET);
5163 break;
5164 }
5165 break;
5166 case L2CAP_EV_RECV_RR:
5167 l2cap_pass_to_tx(chan, control);
5168 if (control->final) {
5169 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5170
5171 if (!test_and_clear_bit(CONN_REJ_ACT,
5172 &chan->conn_state)) {
5173 control->final = 0;
5174 l2cap_retransmit_all(chan, control);
5175 }
5176
5177 l2cap_ertm_send(chan);
5178 } else if (control->poll) {
5179 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5180 &chan->conn_state) &&
5181 chan->unacked_frames) {
5182 __set_retrans_timer(chan);
5183 }
5184
5185 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5186 l2cap_send_srej_tail(chan);
5187 } else {
5188 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5189 &chan->conn_state) &&
5190 chan->unacked_frames)
5191 __set_retrans_timer(chan);
5192
5193 l2cap_send_ack(chan);
5194 }
5195 break;
5196 case L2CAP_EV_RECV_RNR:
5197 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5198 l2cap_pass_to_tx(chan, control);
5199 if (control->poll) {
5200 l2cap_send_srej_tail(chan);
5201 } else {
5202 struct l2cap_ctrl rr_control;
5203 memset(&rr_control, 0, sizeof(rr_control));
5204 rr_control.sframe = 1;
5205 rr_control.super = L2CAP_SUPER_RR;
5206 rr_control.reqseq = chan->buffer_seq;
5207 l2cap_send_sframe(chan, &rr_control);
5208 }
5209
5210 break;
5211 case L2CAP_EV_RECV_REJ:
5212 l2cap_handle_rej(chan, control);
5213 break;
5214 case L2CAP_EV_RECV_SREJ:
5215 l2cap_handle_srej(chan, control);
5216 break;
5217 }
5218
5219 if (skb && !skb_in_use) {
5220 BT_DBG("Freeing %p", skb);
5221 kfree_skb(skb);
5222 }
5223
5224 return err;
5225}
5226
32b32735
MM		 5227static int l2cap_finish_move(struct l2cap_chan *chan)
5228{
5229 BT_DBG("chan %p", chan);
5230
5231 chan->rx_state = L2CAP_RX_STATE_RECV;
5232
5233 if (chan->hs_hcon)
5234 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5235 else
5236 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5237
5238 return l2cap_resegment(chan);
5239}
5240
5241static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5242 struct l2cap_ctrl *control,
5243 struct sk_buff *skb, u8 event)
5244{
5245 int err;
5246
5247 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5248 event);
5249
5250 if (!control->poll)
5251 return -EPROTO;
5252
5253 l2cap_process_reqseq(chan, control->reqseq);
5254
5255 if (!skb_queue_empty(&chan->tx_q))
5256 chan->tx_send_head = skb_peek(&chan->tx_q);
5257 else
5258 chan->tx_send_head = NULL;
5259
5260 /* Rewind next_tx_seq to the point expected
5261 * by the receiver.
5262 */
5263 chan->next_tx_seq = control->reqseq;
5264 chan->unacked_frames = 0;
5265
5266 err = l2cap_finish_move(chan);
5267 if (err)
5268 return err;
5269
5270 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5271 l2cap_send_i_or_rr_or_rnr(chan);
5272
5273 if (event == L2CAP_EV_RECV_IFRAME)
5274 return -EPROTO;
5275
5276 return l2cap_rx_state_recv(chan, control, NULL, event);
5277}
5278
5279static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5280 struct l2cap_ctrl *control,
5281 struct sk_buff *skb, u8 event)
5282{
5283 int err;
5284
5285 if (!control->final)
5286 return -EPROTO;
5287
5288 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5289
5290 chan->rx_state = L2CAP_RX_STATE_RECV;
5291 l2cap_process_reqseq(chan, control->reqseq);
5292
5293 if (!skb_queue_empty(&chan->tx_q))
5294 chan->tx_send_head = skb_peek(&chan->tx_q);
5295 else
5296 chan->tx_send_head = NULL;
5297
5298 /* Rewind next_tx_seq to the point expected
5299 * by the receiver.
5300 */
5301 chan->next_tx_seq = control->reqseq;
5302 chan->unacked_frames = 0;
5303
5304 if (chan->hs_hcon)
5305 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5306 else
5307 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5308
5309 err = l2cap_resegment(chan);
5310
5311 if (!err)
5312 err = l2cap_rx_state_recv(chan, control, skb, event);
5313
5314 return err;
5315}
5316
d2a7ac5d
MM		 5317static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5318{
5319 /* Make sure reqseq is for a packet that has been sent but not acked */
5320 u16 unacked;
5321
5322 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5323 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5324}
5325
cec8ab6e
MM		 5326static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5327 struct sk_buff *skb, u8 event)
218bb9df 5328{
d2a7ac5d
MM		 5329 int err = 0;
5330
5331 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5332 control, skb, event, chan->rx_state);
5333
5334 if (__valid_reqseq(chan, control->reqseq)) {
5335 switch (chan->rx_state) {
5336 case L2CAP_RX_STATE_RECV:
5337 err = l2cap_rx_state_recv(chan, control, skb, event);
5338 break;
5339 case L2CAP_RX_STATE_SREJ_SENT:
5340 err = l2cap_rx_state_srej_sent(chan, control, skb,
5341 event);
5342 break;
32b32735
MM		 5343 case L2CAP_RX_STATE_WAIT_P:
5344 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5345 break;
5346 case L2CAP_RX_STATE_WAIT_F:
5347 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5348 break;
d2a7ac5d
MM		 5349 default:
5350 /* shut it down */
5351 break;
5352 }
5353 } else {
5354 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5355 control->reqseq, chan->next_tx_seq,
5356 chan->expected_ack_seq);
5357 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5358 }
5359
5360 return err;
cec8ab6e
MM		 5361}
5362
5363static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5364 struct sk_buff *skb)
5365{
4b51dae9
MM		 5366 int err = 0;
5367
5368 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5369 chan->rx_state);
5370
5371 if (l2cap_classify_txseq(chan, control->txseq) ==
5372 L2CAP_TXSEQ_EXPECTED) {
5373 l2cap_pass_to_tx(chan, control);
5374
5375 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5376 __next_seq(chan, chan->buffer_seq));
5377
5378 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5379
5380 l2cap_reassemble_sdu(chan, skb, control);
5381 } else {
5382 if (chan->sdu) {
5383 kfree_skb(chan->sdu);
5384 chan->sdu = NULL;
5385 }
5386 chan->sdu_last_frag = NULL;
5387 chan->sdu_len = 0;
5388
5389 if (skb) {
5390 BT_DBG("Freeing %p", skb);
5391 kfree_skb(skb);
5392 }
5393 }
5394
5395 chan->last_acked_seq = control->txseq;
5396 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5397
5398 return err;
cec8ab6e
MM		 5399}
5400
5401static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5402{
5403 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5404 u16 len;
5405 u8 event;
218bb9df 5406
b76bbd66
MM		 5407 __unpack_control(chan, skb);
5408
218bb9df
GP		 5409 len = skb->len;
5410
5411 /*
5412 * We can just drop the corrupted I-frame here.
5413 * Receiver will miss it and start proper recovery
cec8ab6e 5414 * procedures and ask for retransmission.
218bb9df 5415 */
47d1ec61 5416 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5417 goto drop;
5418
cec8ab6e 5419 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5420 len -= L2CAP_SDULEN_SIZE;
218bb9df 5421
47d1ec61 5422 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5423 len -= L2CAP_FCS_SIZE;
218bb9df 5424
47d1ec61 5425 if (len > chan->mps) {
8c1d787b 5426 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5427 goto drop;
5428 }
5429
cec8ab6e
MM		 5430 if (!control->sframe) {
5431 int err;
218bb9df 5432
cec8ab6e
MM		 5433 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5434 control->sar, control->reqseq, control->final,
5435 control->txseq);
218bb9df 5436
cec8ab6e
MM		 5437 /* Validate F-bit - F=0 always valid, F=1 only
5438 * valid in TX WAIT_F
5439 */
5440 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5441 goto drop;
cec8ab6e
MM		 5442
5443 if (chan->mode != L2CAP_MODE_STREAMING) {
5444 event = L2CAP_EV_RECV_IFRAME;
5445 err = l2cap_rx(chan, control, skb, event);
5446 } else {
5447 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5448 }
5449
cec8ab6e
MM		 5450 if (err)
5451 l2cap_send_disconn_req(chan->conn, chan,
5452 ECONNRESET);
218bb9df 5453 } else {
cec8ab6e
MM		 5454 const u8 rx_func_to_event[4] = {
5455 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5456 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5457 };
5458
5459 /* Only I-frames are expected in streaming mode */
5460 if (chan->mode == L2CAP_MODE_STREAMING)
5461 goto drop;
5462
5463 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5464 control->reqseq, control->final, control->poll,
5465 control->super);
5466
218bb9df
GP		 5467 if (len != 0) {
5468 BT_ERR("%d", len);
8c1d787b 5469 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5470 goto drop;
5471 }
5472
cec8ab6e
MM		 5473 /* Validate F and P bits */
5474 if (control->final && (control->poll ||
5475 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5476 goto drop;
5477
5478 event = rx_func_to_event[control->super];
5479 if (l2cap_rx(chan, control, skb, event))
5480 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5481 }
5482
5483 return 0;
5484
5485drop:
5486 kfree_skb(skb);
5487 return 0;
5488}
5489
13ca56e0
AE		 5490static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5491 struct sk_buff *skb)
1da177e4 5492{
48454079 5493 struct l2cap_chan *chan;
1da177e4 5494
baa7e1fa 5495 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5496 if (!chan) {
97e8e89d
AE		 5497 if (cid == L2CAP_CID_A2MP) {
5498 chan = a2mp_channel_create(conn, skb);
5499 if (!chan) {
5500 kfree_skb(skb);
13ca56e0 5501 return;
97e8e89d
AE		 5502 }
5503
5504 l2cap_chan_lock(chan);
5505 } else {
5506 BT_DBG("unknown cid 0x%4.4x", cid);
5507 /* Drop packet and return */
5508 kfree_skb(skb);
13ca56e0 5509 return;
97e8e89d 5510 }
1da177e4
LT		 5511 }
5512
49208c9c 5513 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5514
89bc500e 5515 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5516 goto drop;
5517
0c1bc5c6 5518 switch (chan->mode) {
1c2acffb
GP		 5519 case L2CAP_MODE_BASIC:
5520 /* If socket recv buffers overflows we drop data here
5521 * which is *bad* because L2CAP has to be reliable.
5522 * But we don't have any other choice. L2CAP doesn't
5523 * provide flow control mechanism. */
1da177e4 5524
0c1bc5c6 5525 if (chan->imtu < skb->len)
1c2acffb 5526 goto drop;
1da177e4 5527
80b98027 5528 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5529 goto done;
5530 break;
5531
5532 case L2CAP_MODE_ERTM:
6840ed07 5533 case L2CAP_MODE_STREAMING:
cec8ab6e 5534 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5535 goto done;
5536
1c2acffb 5537 default:
0c1bc5c6 5538 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5539 break;
5540 }
1da177e4
LT		 5541
5542drop:
5543 kfree_skb(skb);
5544
5545done:
6be36555 5546 l2cap_chan_unlock(chan);
1da177e4
LT		 5547}
5548
84104b24
AE		 5549static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5550 struct sk_buff *skb)
1da177e4 5551{
23691d75 5552 struct l2cap_chan *chan;
1da177e4 5553
c2287681 5554 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5555 if (!chan)
1da177e4
LT		 5556 goto drop;
5557
5b4cedaa 5558 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5559
89bc500e 5560 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5561 goto drop;
5562
e13e21dc 5563 if (chan->imtu < skb->len)
1da177e4
LT		 5564 goto drop;
5565
80b98027 5566 if (!chan->ops->recv(chan, skb))
84104b24 5567 return;
1da177e4
LT		 5568
5569drop:
5570 kfree_skb(skb);
1da177e4
LT		 5571}
5572
6810fca7
AE		 5573static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5574 struct sk_buff *skb)
9f69bda6 5575{
23691d75 5576 struct l2cap_chan *chan;
9f69bda6 5577
c2287681 5578 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5579 if (!chan)
9f69bda6
GP		 5580 goto drop;
5581
5b4cedaa 5582 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5583
89bc500e 5584 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5585 goto drop;
5586
e13e21dc 5587 if (chan->imtu < skb->len)
9f69bda6
GP		 5588 goto drop;
5589
80b98027 5590 if (!chan->ops->recv(chan, skb))
6810fca7 5591 return;
9f69bda6
GP		 5592
5593drop:
5594 kfree_skb(skb);
9f69bda6
GP		 5595}
5596
1da177e4
LT		 5597static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5598{
5599 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5600 u16 cid, len;
5601 __le16 psm;
1da177e4
LT		 5602
5603 skb_pull(skb, L2CAP_HDR_SIZE);
5604 cid = __le16_to_cpu(lh->cid);
5605 len = __le16_to_cpu(lh->len);
5606
1c2acffb
GP		 5607 if (len != skb->len) {
5608 kfree_skb(skb);
5609 return;
5610 }
5611
1da177e4
LT		 5612 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5613
5614 switch (cid) {
3300d9a9 5615 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5616 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5617 l2cap_sig_channel(conn, skb);
5618 break;
5619
8db4dc46 5620 case L2CAP_CID_CONN_LESS:
097db76c 5621 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5622 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5623 l2cap_conless_channel(conn, psm, skb);
5624 break;
5625
9f69bda6
GP		 5626 case L2CAP_CID_LE_DATA:
5627 l2cap_att_channel(conn, cid, skb);
5628 break;
5629
b501d6a1
AB		 5630 case L2CAP_CID_SMP:
5631 if (smp_sig_channel(conn, skb))
5632 l2cap_conn_del(conn->hcon, EACCES);
5633 break;
5634
1da177e4
LT		 5635 default:
5636 l2cap_data_channel(conn, cid, skb);
5637 break;
5638 }
5639}
5640
5641/* ---- L2CAP interface with lower layer (HCI) ---- */
5642
686ebf28 5643int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5644{
5645 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5646 struct l2cap_chan *c;
1da177e4 5647
6ed93dc6 5648 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5649
5650 /* Find listening sockets and check their link_mode */
23691d75
GP		 5651 read_lock(&chan_list_lock);
5652 list_for_each_entry(c, &chan_list, global_l) {
5653 struct sock *sk = c->sk;
4343478f 5654
89bc500e 5655 if (c->state != BT_LISTEN)
1da177e4
LT		 5656 continue;
5657
5658 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5659 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5660 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5661 lm1 |= HCI_LM_MASTER;
1da177e4 5662 exact++;
2af6b9d5
MH		 5663 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5664 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5665 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5666 lm2 |= HCI_LM_MASTER;
5667 }
1da177e4 5668 }
23691d75 5669 read_unlock(&chan_list_lock);
1da177e4
LT		 5670
5671 return exact ? lm1 : lm2;
5672}
5673
9e664631 5674void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5675{
0139418c
MH		 5676 struct l2cap_conn *conn;
5677
6ed93dc6 5678 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5679
1da177e4 5680 if (!status) {
1da177e4
LT		 5681 conn = l2cap_conn_add(hcon, status);
5682 if (conn)
5683 l2cap_conn_ready(conn);
0139418c 5684 } else
e175072f 5685 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5686
1da177e4
LT		 5687}
5688
686ebf28 5689int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5690{
5691 struct l2cap_conn *conn = hcon->l2cap_data;
5692
5693 BT_DBG("hcon %p", hcon);
5694
686ebf28 5695 if (!conn)
9f5a0d7b 5696 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5697 return conn->disc_reason;
5698}
5699
9e664631 5700void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5701{
5702 BT_DBG("hcon %p reason %d", hcon, reason);
5703
e175072f 5704 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5705}
5706
4343478f 5707static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5708{
715ec005 5709 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5710 return;
5711
f62e4323 5712 if (encrypt == 0x00) {
4343478f 5713 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5714 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5715 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5716 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5717 } else {
4343478f 5718 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5719 __clear_chan_timer(chan);
f62e4323
MH		 5720 }
5721}
5722
686ebf28 5723int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5724{
0139418c 5725 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5726 struct l2cap_chan *chan;
1da177e4 5727
0139418c 5728 if (!conn)
1da177e4 5729 return 0;
0139418c 5730
89d8b407 5731 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5732
160dc6ac 5733 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5734 if (!status && encrypt)
5735 smp_distribute_keys(conn, 0);
17cd3f37 5736 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5737 }
5738
3df91ea2 5739 mutex_lock(&conn->chan_lock);
1da177e4 5740
3df91ea2 5741 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5742 l2cap_chan_lock(chan);
1da177e4 5743
89d8b407
AE		 5744 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5745 state_to_string(chan->state));
f1cb9af5 5746
78eb2f98
AE		 5747 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5748 l2cap_chan_unlock(chan);
5749 continue;
5750 }
5751
f1cb9af5
VCG		 5752 if (chan->scid == L2CAP_CID_LE_DATA) {
5753 if (!status && encrypt) {
5754 chan->sec_level = hcon->sec_level;
cf4cd009 5755 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5756 }
5757
6be36555 5758 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5759 continue;
5760 }
5761
c1360a1c 5762 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5763 l2cap_chan_unlock(chan);
6a8d3010
MH		 5764 continue;
5765 }
5766
89bc500e 5767 if (!status && (chan->state == BT_CONNECTED ||
2d792818 5768 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5769 struct sock *sk = chan->sk;
5770
c5daa683 5771 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5772 sk->sk_state_change(sk);
5773
4343478f 5774 l2cap_check_encryption(chan, encrypt);
6be36555 5775 l2cap_chan_unlock(chan);
9719f8af
MH		 5776 continue;
5777 }
5778
89bc500e 5779 if (chan->state == BT_CONNECT) {
b1235d79 5780 if (!status) {
93c3e8f5 5781 l2cap_start_connection(chan);
b1235d79 5782 } else {
ba13ccd9 5783 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5784 }
89bc500e 5785 } else if (chan->state == BT_CONNECT2) {
6be36555 5786 struct sock *sk = chan->sk;
b1235d79 5787 struct l2cap_conn_rsp rsp;
df3c3931 5788 __u16 res, stat;
1da177e4 5789
6be36555
AE		 5790 lock_sock(sk);
5791
b1235d79 5792 if (!status) {
c5daa683
GP		 5793 if (test_bit(BT_SK_DEFER_SETUP,
5794 &bt_sk(sk)->flags)) {
df3c3931
JH		 5795 res = L2CAP_CR_PEND;
5796 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 5797 chan->ops->defer(chan);
df3c3931 5798 } else {
0e587be7 5799 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5800 res = L2CAP_CR_SUCCESS;
5801 stat = L2CAP_CS_NO_INFO;
5802 }
b1235d79 5803 } else {
0e587be7 5804 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5805 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5806 res = L2CAP_CR_SEC_BLOCK;
5807 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5808 }
5809
6be36555
AE		 5810 release_sock(sk);
5811
fe4128e0
GP		 5812 rsp.scid = cpu_to_le16(chan->dcid);
5813 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5814 rsp.result = cpu_to_le16(res);
5815 rsp.status = cpu_to_le16(stat);
fc7f8a7e 5816 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 5817 sizeof(rsp), &rsp);
2d369359
MM		 5818
5819 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5820 res == L2CAP_CR_SUCCESS) {
5821 char buf[128];
5822 set_bit(CONF_REQ_SENT, &chan->conf_state);
5823 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5824 L2CAP_CONF_REQ,
5825 l2cap_build_conf_req(chan, buf),
5826 buf);
5827 chan->num_conf_req++;
5828 }
b1235d79 5829 }
1da177e4 5830
6be36555 5831 l2cap_chan_unlock(chan);
1da177e4
LT		 5832 }
5833
3df91ea2 5834 mutex_unlock(&conn->chan_lock);
b1235d79 5835
1da177e4
LT		 5836 return 0;
5837}
5838
686ebf28 5839int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5840{
5841 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 5842 struct l2cap_hdr *hdr;
5843 int len;
1da177e4 5844
1d13a254
AE		 5845 /* For AMP controller do not create l2cap conn */
5846 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
5847 goto drop;
1da177e4 5848
5a08ecce
AE		 5849 if (!conn)
5850 conn = l2cap_conn_add(hcon, 0);
5851
5852 if (!conn)
1da177e4
LT		 5853 goto drop;
5854
5855 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5856
d73a0988
AE		 5857 switch (flags) {
5858 case ACL_START:
5859 case ACL_START_NO_FLUSH:
5860 case ACL_COMPLETE:
1da177e4
LT		 5861 if (conn->rx_len) {
5862 BT_ERR("Unexpected start frame (len %d)", skb->len);
5863 kfree_skb(conn->rx_skb);
5864 conn->rx_skb = NULL;
5865 conn->rx_len = 0;
5866 l2cap_conn_unreliable(conn, ECOMM);
5867 }
5868
aae7fe22
AE		 5869 /* Start fragment always begin with Basic L2CAP header */
5870 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5871 BT_ERR("Frame is too short (len %d)", skb->len);
5872 l2cap_conn_unreliable(conn, ECOMM);
5873 goto drop;
5874 }
5875
5876 hdr = (struct l2cap_hdr *) skb->data;
5877 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5878
5879 if (len == skb->len) {
5880 /* Complete frame received */
5881 l2cap_recv_frame(conn, skb);
5882 return 0;
5883 }
5884
5885 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5886
5887 if (skb->len > len) {
5888 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 5889 skb->len, len);
1da177e4
LT		 5890 l2cap_conn_unreliable(conn, ECOMM);
5891 goto drop;
5892 }
5893
5894 /* Allocate skb for the complete frame (with header) */
8bcde1f2 5895 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 5896 if (!conn->rx_skb)
1da177e4
LT		 5897 goto drop;
5898
d626f62b 5899 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5900 skb->len);
1da177e4 5901 conn->rx_len = len - skb->len;
d73a0988
AE		 5902 break;
5903
5904 case ACL_CONT:
1da177e4
LT		 5905 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5906
5907 if (!conn->rx_len) {
5908 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5909 l2cap_conn_unreliable(conn, ECOMM);
5910 goto drop;
5911 }
5912
5913 if (skb->len > conn->rx_len) {
5914 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 5915 skb->len, conn->rx_len);
1da177e4
LT		 5916 kfree_skb(conn->rx_skb);
5917 conn->rx_skb = NULL;
5918 conn->rx_len = 0;
5919 l2cap_conn_unreliable(conn, ECOMM);
5920 goto drop;
5921 }
5922
d626f62b 5923 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5924 skb->len);
1da177e4
LT		 5925 conn->rx_len -= skb->len;
5926
5927 if (!conn->rx_len) {
5928 /* Complete frame received */
5929 l2cap_recv_frame(conn, conn->rx_skb);
5930 conn->rx_skb = NULL;
5931 }
d73a0988 5932 break;
1da177e4
LT		 5933 }
5934
5935drop:
5936 kfree_skb(skb);
5937 return 0;
5938}
5939
aef7d97c 5940static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5941{
23691d75 5942 struct l2cap_chan *c;
1da177e4 5943
333055f2 5944 read_lock(&chan_list_lock);
1da177e4 5945
23691d75
GP		 5946 list_for_each_entry(c, &chan_list, global_l) {
5947 struct sock *sk = c->sk;
101545f6 5948
fcb73338
AE		 5949 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5950 &bt_sk(sk)->src, &bt_sk(sk)->dst,
5951 c->state, __le16_to_cpu(c->psm),
5952 c->scid, c->dcid, c->imtu, c->omtu,
5953 c->sec_level, c->mode);
61e1b4b7 5954 }
1da177e4 5955
333055f2 5956 read_unlock(&chan_list_lock);
1da177e4 5957
aef7d97c 5958 return 0;
1da177e4
LT		 5959}
5960
aef7d97c
MH		 5961static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5962{
5963 return single_open(file, l2cap_debugfs_show, inode->i_private);
5964}
5965
5966static const struct file_operations l2cap_debugfs_fops = {
5967 .open = l2cap_debugfs_open,
5968 .read = seq_read,
5969 .llseek = seq_lseek,
5970 .release = single_release,
5971};
5972
5973static struct dentry *l2cap_debugfs;
1da177e4 5974
64274518 5975int __init l2cap_init(void)
1da177e4
LT		 5976{
5977 int err;
be9d1227 5978
bb58f747 5979 err = l2cap_init_sockets();
1da177e4
LT		 5980 if (err < 0)
5981 return err;
5982
aef7d97c 5983 if (bt_debugfs) {
2d792818
GP		 5984 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
5985 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 5986 if (!l2cap_debugfs)
5987 BT_ERR("Failed to create L2CAP debug file");
5988 }
1da177e4 5989
1da177e4 5990 return 0;
1da177e4
LT		 5991}
5992
64274518 5993void l2cap_exit(void)
1da177e4 5994{
aef7d97c 5995 debugfs_remove(l2cap_debugfs);
bb58f747 5996 l2cap_cleanup_sockets();
1da177e4
LT		 5997}
5998
d1c4a17d
GP		 5999module_param(disable_ertm, bool, 0644);
6000MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)