projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Factor out common L2CAP connection code
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
144ad330 409 kref_init(&chan->kref);
71ba0e56 410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
144ad330 419static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 420{
144ad330
SS		 421 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
422
4af66c69
JK		 423 BT_DBG("chan %p", chan);
424
333055f2 425 write_lock(&chan_list_lock);
23691d75 426 list_del(&chan->global_l);
333055f2 427 write_unlock(&chan_list_lock);
23691d75 428
4af66c69 429 kfree(chan);
6ff5abbf
GP		 430}
431
30648372
JK		 432void l2cap_chan_hold(struct l2cap_chan *c)
433{
144ad330 434 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 435
144ad330 436 kref_get(&c->kref);
30648372
JK		 437}
438
439void l2cap_chan_put(struct l2cap_chan *c)
440{
144ad330 441 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 442
144ad330 443 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 444}
445
bd4b1653
AE		 446void l2cap_chan_set_defaults(struct l2cap_chan *chan)
447{
448 chan->fcs = L2CAP_FCS_CRC16;
449 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 452 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 453 chan->sec_level = BT_SECURITY_LOW;
454
455 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
456}
457
93c3e8f5 458void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 459{
af05b30b 460 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 461 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 462
9f5a0d7b 463 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 464
8c1d787b 465 chan->conn = conn;
0139418c 466
5491120e
AE		 467 switch (chan->chan_type) {
468 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 469 if (conn->hcon->type == LE_LINK) {
470 /* LE connection */
6fcb06a2 471 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 472 chan->scid = L2CAP_CID_LE_DATA;
473 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 474 } else {
475 /* Alloc CID for connection-oriented socket */
fe4128e0 476 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 477 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 478 }
5491120e
AE		 479 break;
480
481 case L2CAP_CHAN_CONN_LESS:
0139418c 482 /* Connectionless socket */
fe4128e0
GP		 483 chan->scid = L2CAP_CID_CONN_LESS;
484 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 485 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 486 break;
487
416fa752
AE		 488 case L2CAP_CHAN_CONN_FIX_A2MP:
489 chan->scid = L2CAP_CID_A2MP;
490 chan->dcid = L2CAP_CID_A2MP;
491 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
492 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
493 break;
494
5491120e 495 default:
0139418c 496 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 497 chan->scid = L2CAP_CID_SIGNALING;
498 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 499 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 500 }
501
8f7975b1
AE		 502 chan->local_id = L2CAP_BESTEFFORT_ID;
503 chan->local_stype = L2CAP_SERV_BESTEFFORT;
504 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
505 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
506 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 507 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 508
371fd835 509 l2cap_chan_hold(chan);
baa7e1fa 510
3df91ea2 511 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 512}
513
466f8004 514void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 515{
516 mutex_lock(&conn->chan_lock);
517 __l2cap_chan_add(conn, chan);
3df91ea2 518 mutex_unlock(&conn->chan_lock);
0139418c
MH		 519}
520
466f8004 521void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 522{
8c1d787b 523 struct l2cap_conn *conn = chan->conn;
0139418c 524
c9b66675 525 __clear_chan_timer(chan);
0139418c 526
49208c9c 527 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 528
8e87d142 529 if (conn) {
baa7e1fa 530 /* Delete from channel list */
3df91ea2 531 list_del(&chan->list);
3d57dc68 532
371fd835 533 l2cap_chan_put(chan);
baa7e1fa 534
8c1d787b 535 chan->conn = NULL;
3cabbfda
AE		 536
537 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
538 hci_conn_put(conn->hcon);
0139418c
MH		 539 }
540
c0df7f6e
AE		 541 if (chan->ops->teardown)
542 chan->ops->teardown(chan, err);
6be36555 543
2827011f 544 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 545 return;
2ead70b8 546
ee556f66
GP		 547 switch(chan->mode) {
548 case L2CAP_MODE_BASIC:
549 break;
c13ffa62 550
ee556f66 551 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 552 __clear_retrans_timer(chan);
553 __clear_monitor_timer(chan);
554 __clear_ack_timer(chan);
c13ffa62 555
f1c6775b 556 skb_queue_purge(&chan->srej_q);
c13ffa62 557
3c588192
MM		 558 l2cap_seq_list_free(&chan->srej_list);
559 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 560
561 /* fall through */
562
563 case L2CAP_MODE_STREAMING:
564 skb_queue_purge(&chan->tx_q);
565 break;
c13ffa62 566 }
ee556f66
GP		 567
568 return;
0139418c
MH		 569}
570
0f852724 571void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 572{
573 struct l2cap_conn *conn = chan->conn;
574 struct sock *sk = chan->sk;
575
e05dcc32
AE		 576 BT_DBG("chan %p state %s sk %p", chan,
577 state_to_string(chan->state), sk);
4519de9a 578
89bc500e 579 switch (chan->state) {
4519de9a 580 case BT_LISTEN:
c0df7f6e
AE		 581 if (chan->ops->teardown)
582 chan->ops->teardown(chan, 0);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
ac73498c 610 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
c0df7f6e
AE		 624 if (chan->ops->teardown)
625 chan->ops->teardown(chan, 0);
4519de9a
GP		 626 break;
627 }
628}
629
4343478f 630static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 631{
715ec005 632 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 633 switch (chan->sec_level) {
8556edd3
JH		 634 case BT_SECURITY_HIGH:
635 return HCI_AT_DEDICATED_BONDING_MITM;
636 case BT_SECURITY_MEDIUM:
637 return HCI_AT_DEDICATED_BONDING;
638 default:
639 return HCI_AT_NO_BONDING;
640 }
2983fd68 641 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 642 if (chan->sec_level == BT_SECURITY_LOW)
643 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 644
4343478f 645 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 646 return HCI_AT_NO_BONDING_MITM;
00ae4af9 647 else
8556edd3 648 return HCI_AT_NO_BONDING;
00ae4af9 649 } else {
4343478f 650 switch (chan->sec_level) {
00ae4af9 651 case BT_SECURITY_HIGH:
8556edd3 652 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 653 case BT_SECURITY_MEDIUM:
8556edd3 654 return HCI_AT_GENERAL_BONDING;
00ae4af9 655 default:
8556edd3 656 return HCI_AT_NO_BONDING;
00ae4af9 657 }
0684e5f9 658 }
8556edd3
JH		 659}
660
661/* Service level security */
d45fc423 662int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 663{
8c1d787b 664 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 665 __u8 auth_type;
666
4343478f 667 auth_type = l2cap_get_auth_type(chan);
79d554a6 668
4343478f 669 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 670}
671
b5ad8b7f 672static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 673{
674 u8 id;
675
676 /* Get next available identificator.
677 * 1 - 128 are used by kernel.
678 * 129 - 199 are reserved.
679 * 200 - 254 are used by utilities like l2ping, etc.
680 */
681
333055f2 682 spin_lock(&conn->lock);
4e8402a3
MH		 683
684 if (++conn->tx_ident > 128)
685 conn->tx_ident = 1;
686
687 id = conn->tx_ident;
688
333055f2 689 spin_unlock(&conn->lock);
4e8402a3
MH		 690
691 return id;
692}
693
4519de9a 694static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 695{
696 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 697 u8 flags;
4e8402a3
MH		 698
699 BT_DBG("code 0x%2.2x", code);
700
701 if (!skb)
9a9c6a34 702 return;
4e8402a3 703
e702112f
AE		 704 if (lmp_no_flush_capable(conn->hcon->hdev))
705 flags = ACL_START_NO_FLUSH;
706 else
707 flags = ACL_START;
708
14b12d0b 709 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 710 skb->priority = HCI_PRIO_MAX;
14b12d0b 711
73d80deb
LAD		 712 hci_send_acl(conn->hchan, skb, flags);
713}
714
715static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
716{
717 struct hci_conn *hcon = chan->conn->hcon;
718 u16 flags;
719
720 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
721 skb->priority);
722
723 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
724 lmp_no_flush_capable(hcon->hdev))
725 flags = ACL_START_NO_FLUSH;
726 else
727 flags = ACL_START;
14b12d0b 728
73d80deb
LAD		 729 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
730 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 731}
732
b76bbd66
MM		 733static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
734{
735 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
736 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
737
738 if (enh & L2CAP_CTRL_FRAME_TYPE) {
739 /* S-Frame */
740 control->sframe = 1;
741 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
742 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
743
744 control->sar = 0;
745 control->txseq = 0;
746 } else {
747 /* I-Frame */
748 control->sframe = 0;
749 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
750 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
751
752 control->poll = 0;
753 control->super = 0;
754 }
755}
756
b76bbd66
MM		 757static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
758{
759 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
760 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
761
762 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
763 /* S-Frame */
764 control->sframe = 1;
765 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
766 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
767
768 control->sar = 0;
769 control->txseq = 0;
770 } else {
771 /* I-Frame */
772 control->sframe = 0;
773 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
774 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
775
776 control->poll = 0;
777 control->super = 0;
778 }
779}
780
781static inline void __unpack_control(struct l2cap_chan *chan,
782 struct sk_buff *skb)
783{
784 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
785 __unpack_extended_control(get_unaligned_le32(skb->data),
786 &bt_cb(skb)->control);
cec8ab6e 787 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 788 } else {
789 __unpack_enhanced_control(get_unaligned_le16(skb->data),
790 &bt_cb(skb)->control);
cec8ab6e 791 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 792 }
793}
794
b5c6aaed
MM		 795static u32 __pack_extended_control(struct l2cap_ctrl *control)
796{
797 u32 packed;
798
799 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
800 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
801
802 if (control->sframe) {
803 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
804 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
805 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
806 } else {
807 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
808 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
809 }
810
811 return packed;
812}
813
814static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
815{
816 u16 packed;
817
818 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
819 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
820
821 if (control->sframe) {
822 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
823 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
824 packed |= L2CAP_CTRL_FRAME_TYPE;
825 } else {
826 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
827 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
828 }
829
830 return packed;
831}
832
b76bbd66
MM		 833static inline void __pack_control(struct l2cap_chan *chan,
834 struct l2cap_ctrl *control,
835 struct sk_buff *skb)
836{
837 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
838 put_unaligned_le32(__pack_extended_control(control),
839 skb->data + L2CAP_HDR_SIZE);
840 } else {
841 put_unaligned_le16(__pack_enhanced_control(control),
842 skb->data + L2CAP_HDR_SIZE);
843 }
844}
845
ba7aa64f
GP		 846static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
847{
848 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
849 return L2CAP_EXT_HDR_SIZE;
850 else
851 return L2CAP_ENH_HDR_SIZE;
852}
853
a67d7f6f
MM		 854static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
855 u32 control)
b5c6aaed
MM		 856{
857 struct sk_buff *skb;
858 struct l2cap_hdr *lh;
ba7aa64f 859 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 860
861 if (chan->fcs == L2CAP_FCS_CRC16)
862 hlen += L2CAP_FCS_SIZE;
863
a67d7f6f 864 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 865
b5c6aaed 866 if (!skb)
a67d7f6f 867 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 868
869 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
870 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
871 lh->cid = cpu_to_le16(chan->dcid);
872
a67d7f6f
MM		 873 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
874 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
875 else
876 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 877
878 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 879 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 880 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
881 }
882
883 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 884 return skb;
885}
886
887static void l2cap_send_sframe(struct l2cap_chan *chan,
888 struct l2cap_ctrl *control)
889{
890 struct sk_buff *skb;
891 u32 control_field;
892
893 BT_DBG("chan %p, control %p", chan, control);
894
895 if (!control->sframe)
896 return;
897
898 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
899 !control->poll)
900 control->final = 1;
901
902 if (control->super == L2CAP_SUPER_RR)
903 clear_bit(CONN_RNR_SENT, &chan->conn_state);
904 else if (control->super == L2CAP_SUPER_RNR)
905 set_bit(CONN_RNR_SENT, &chan->conn_state);
906
907 if (control->super != L2CAP_SUPER_SREJ) {
908 chan->last_acked_seq = control->reqseq;
909 __clear_ack_timer(chan);
910 }
911
912 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
913 control->final, control->poll, control->super);
914
915 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
916 control_field = __pack_extended_control(control);
917 else
918 control_field = __pack_enhanced_control(control);
919
920 skb = l2cap_create_sframe_pdu(chan, control_field);
921 if (!IS_ERR(skb))
922 l2cap_do_send(chan, skb);
b5c6aaed
MM		 923}
924
c9e3d5e0 925static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 926{
c9e3d5e0
MM		 927 struct l2cap_ctrl control;
928
929 BT_DBG("chan %p, poll %d", chan, poll);
930
931 memset(&control, 0, sizeof(control));
932 control.sframe = 1;
933 control.poll = poll;
934
935 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
936 control.super = L2CAP_SUPER_RNR;
937 else
938 control.super = L2CAP_SUPER_RR;
b5c6aaed 939
c9e3d5e0
MM		 940 control.reqseq = chan->buffer_seq;
941 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 942}
943
b4450035 944static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 945{
c1360a1c 946 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 947}
948
93c3e8f5
AE		 949static bool __amp_capable(struct l2cap_chan *chan)
950{
951 struct l2cap_conn *conn = chan->conn;
952
953 if (enable_hs &&
954 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
955 conn->fixed_chan_mask & L2CAP_FC_A2MP)
956 return true;
957 else
958 return false;
959}
960
2766be48 961void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 962{
963 struct l2cap_conn *conn = chan->conn;
964 struct l2cap_conn_req req;
965
966 req.scid = cpu_to_le16(chan->scid);
967 req.psm = chan->psm;
968
969 chan->ident = l2cap_get_ident(conn);
970
971 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
972
973 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
974}
975
9f0caeb1
VCG		 976static void l2cap_chan_ready(struct l2cap_chan *chan)
977{
2827011f 978 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 979 chan->conf_state = 0;
980 __clear_chan_timer(chan);
981
54a59aa2 982 chan->state = BT_CONNECTED;
9f0caeb1 983
fd83e2c2 984 chan->ops->ready(chan);
9f0caeb1
VCG		 985}
986
93c3e8f5
AE		 987static void l2cap_start_connection(struct l2cap_chan *chan)
988{
989 if (__amp_capable(chan)) {
990 BT_DBG("chan %p AMP capable: discover AMPs", chan);
991 a2mp_discover_amp(chan);
992 } else {
993 l2cap_send_conn_req(chan);
994 }
995}
996
fc7f8a7e 997static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 998{
8c1d787b 999 struct l2cap_conn *conn = chan->conn;
79d554a6 1000
9f0caeb1
VCG		 1001 if (conn->hcon->type == LE_LINK) {
1002 l2cap_chan_ready(chan);
1003 return;
1004 }
1005
79d554a6 1006 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1007 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1008 return;
1009
d45fc423 1010 if (l2cap_chan_check_security(chan) &&
93c3e8f5
AE		 1011 __l2cap_no_conn_pending(chan)) {
1012 l2cap_start_connection(chan);
1013 }
79d554a6
MH		 1014 } else {
1015 struct l2cap_info_req req;
ac73498c 1016 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1017
1018 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1019 conn->info_ident = l2cap_get_ident(conn);
1020
ba13ccd9 1021 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1022
1023 l2cap_send_cmd(conn, conn->info_ident,
1024 L2CAP_INFO_REQ, sizeof(req), &req);
1025 }
1026}
1027
cf6c2c0b
GP		 1028static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1029{
1030 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1031 if (!disable_ertm)
cf6c2c0b
GP		 1032 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1033
1034 switch (mode) {
1035 case L2CAP_MODE_ERTM:
1036 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1037 case L2CAP_MODE_STREAMING:
1038 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1039 default:
1040 return 0x00;
1041 }
1042}
1043
4519de9a 1044static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1045{
6be36555 1046 struct sock *sk = chan->sk;
22121fc9
GP		 1047 struct l2cap_disconn_req req;
1048
c13ffa62
GP		 1049 if (!conn)
1050 return;
1051
0c1bc5c6 1052 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1053 __clear_retrans_timer(chan);
1054 __clear_monitor_timer(chan);
1055 __clear_ack_timer(chan);
c13ffa62
GP		 1056 }
1057
416fa752
AE		 1058 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1059 __l2cap_state_change(chan, BT_DISCONN);
1060 return;
1061 }
1062
fe4128e0
GP		 1063 req.dcid = cpu_to_le16(chan->dcid);
1064 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1065 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1066 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1067
6be36555 1068 lock_sock(sk);
0e587be7 1069 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1070 __l2cap_chan_set_err(chan, err);
6be36555 1071 release_sock(sk);
22121fc9
GP		 1072}
1073
1da177e4 1074/* ---- L2CAP connections ---- */
4e8402a3
MH		 1075static void l2cap_conn_start(struct l2cap_conn *conn)
1076{
3df91ea2 1077 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1078
1079 BT_DBG("conn %p", conn);
1080
3df91ea2 1081 mutex_lock(&conn->chan_lock);
4e8402a3 1082
3df91ea2 1083 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1084 struct sock *sk = chan->sk;
baa7e1fa 1085
6be36555 1086 l2cap_chan_lock(chan);
4e8402a3 1087
715ec005 1088 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1089 l2cap_chan_unlock(chan);
79d554a6
MH		 1090 continue;
1091 }
1092
89bc500e 1093 if (chan->state == BT_CONNECT) {
d45fc423 1094 if (!l2cap_chan_check_security(chan) ||
b4450035 1095 !__l2cap_no_conn_pending(chan)) {
6be36555 1096 l2cap_chan_unlock(chan);
47731de7
GP		 1097 continue;
1098 }
79d554a6 1099
c1360a1c
GP		 1100 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1101 && test_bit(CONF_STATE2_DEVICE,
1102 &chan->conf_state)) {
89bc500e 1103 l2cap_chan_close(chan, ECONNRESET);
6be36555 1104 l2cap_chan_unlock(chan);
47731de7 1105 continue;
b1235d79 1106 }
47731de7 1107
93c3e8f5 1108 l2cap_start_connection(chan);
47731de7 1109
89bc500e 1110 } else if (chan->state == BT_CONNECT2) {
79d554a6 1111 struct l2cap_conn_rsp rsp;
e9aeb2dd 1112 char buf[128];
fe4128e0
GP		 1113 rsp.scid = cpu_to_le16(chan->dcid);
1114 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1115
d45fc423 1116 if (l2cap_chan_check_security(chan)) {
6be36555 1117 lock_sock(sk);
c5daa683
GP		 1118 if (test_bit(BT_SK_DEFER_SETUP,
1119 &bt_sk(sk)->flags)) {
f66dc81f 1120 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1121 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1122 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1123 if (parent)
1124 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1125
1126 } else {
0e587be7 1127 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1128 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1129 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1130 }
6be36555 1131 release_sock(sk);
79d554a6 1132 } else {
ac73498c
AE		 1133 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1134 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1135 }
1136
fc7f8a7e
GP		 1137 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1138 sizeof(rsp), &rsp);
e9aeb2dd 1139
c1360a1c 1140 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1141 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1142 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1143 continue;
1144 }
1145
c1360a1c 1146 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1147 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1148 l2cap_build_conf_req(chan, buf), buf);
1149 chan->num_conf_req++;
4e8402a3
MH		 1150 }
1151
6be36555 1152 l2cap_chan_unlock(chan);
4e8402a3
MH		 1153 }
1154
3df91ea2 1155 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1156}
1157
c2287681 1158/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1159 * Returns closest match, locked.
1160 */
d9b88702 1161static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1162 bdaddr_t *src,
1163 bdaddr_t *dst)
b62f328b 1164{
23691d75 1165 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1166
23691d75 1167 read_lock(&chan_list_lock);
b62f328b 1168
23691d75
GP		 1169 list_for_each_entry(c, &chan_list, global_l) {
1170 struct sock *sk = c->sk;
fe4128e0 1171
89bc500e 1172 if (state && c->state != state)
b62f328b
VT		 1173 continue;
1174
23691d75 1175 if (c->scid == cid) {
c2287681
IY		 1176 int src_match, dst_match;
1177 int src_any, dst_any;
1178
b62f328b 1179 /* Exact match. */
c2287681
IY		 1180 src_match = !bacmp(&bt_sk(sk)->src, src);
1181 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1182 if (src_match && dst_match) {
23691d75
GP		 1183 read_unlock(&chan_list_lock);
1184 return c;
1185 }
b62f328b
VT		 1186
1187 /* Closest match */
c2287681
IY		 1188 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1189 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1190 if ((src_match && dst_any) || (src_any && dst_match) ||
1191 (src_any && dst_any))
23691d75 1192 c1 = c;
b62f328b
VT		 1193 }
1194 }
280f294f 1195
23691d75 1196 read_unlock(&chan_list_lock);
b62f328b 1197
23691d75 1198 return c1;
b62f328b
VT		 1199}
1200
1201static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1202{
c916fbe4 1203 struct sock *parent, *sk;
23691d75 1204 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1205
1206 BT_DBG("");
1207
1208 /* Check if we have socket listening on cid */
23691d75 1209 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1210 conn->src, conn->dst);
23691d75 1211 if (!pchan)
b62f328b
VT		 1212 return;
1213
23691d75
GP		 1214 parent = pchan->sk;
1215
aa2ac881 1216 lock_sock(parent);
62f3a2cf 1217
80b98027 1218 chan = pchan->ops->new_connection(pchan);
80808e43 1219 if (!chan)
b62f328b
VT		 1220 goto clean;
1221
80808e43 1222 sk = chan->sk;
5d41ce1d 1223
b62f328b 1224 hci_conn_hold(conn->hcon);
a9ea3ed9 1225 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1226
b62f328b
VT		 1227 bacpy(&bt_sk(sk)->src, conn->src);
1228 bacpy(&bt_sk(sk)->dst, conn->dst);
1229
d1010240
GP		 1230 bt_accept_enqueue(parent, sk);
1231
3d57dc68 1232 l2cap_chan_add(conn, chan);
48454079 1233
6754e0df 1234 l2cap_chan_ready(chan);
b62f328b 1235
b62f328b 1236clean:
aa2ac881 1237 release_sock(parent);
b62f328b
VT		 1238}
1239
4e8402a3
MH		 1240static void l2cap_conn_ready(struct l2cap_conn *conn)
1241{
48454079 1242 struct l2cap_chan *chan;
cc110922 1243 struct hci_conn *hcon = conn->hcon;
4e8402a3 1244
79d554a6 1245 BT_DBG("conn %p", conn);
4e8402a3 1246
cc110922 1247 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1248 l2cap_le_conn_ready(conn);
1249
cc110922
VCG		 1250 if (hcon->out && hcon->type == LE_LINK)
1251 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1252
3df91ea2 1253 mutex_lock(&conn->chan_lock);
4e8402a3 1254
3df91ea2 1255 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1256
6be36555 1257 l2cap_chan_lock(chan);
4e8402a3 1258
416fa752
AE		 1259 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1260 l2cap_chan_unlock(chan);
1261 continue;
1262 }
1263
cc110922
VCG		 1264 if (hcon->type == LE_LINK) {
1265 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1266 l2cap_chan_ready(chan);
acd7d370 1267
63128451 1268 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1269 struct sock *sk = chan->sk;
c9b66675 1270 __clear_chan_timer(chan);
6be36555 1271 lock_sock(sk);
0e587be7 1272 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1273 sk->sk_state_change(sk);
6be36555 1274 release_sock(sk);
b501d6a1 1275
89bc500e 1276 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1277 l2cap_do_start(chan);
4e8402a3 1278
6be36555 1279 l2cap_chan_unlock(chan);
4e8402a3 1280 }
79d554a6 1281
3df91ea2 1282 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1283}
1284
1285/* Notify sockets that we cannot guaranty reliability anymore */
1286static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1287{
48454079 1288 struct l2cap_chan *chan;
4e8402a3
MH		 1289
1290 BT_DBG("conn %p", conn);
1291
3df91ea2 1292 mutex_lock(&conn->chan_lock);
4e8402a3 1293
3df91ea2 1294 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1295 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1296 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1297 }
1298
3df91ea2 1299 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1300}
1301
f878fcad 1302static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1303{
f878fcad 1304 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1305 info_timer.work);
4e8402a3 1306
984947dc 1307 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1308 conn->info_ident = 0;
984947dc 1309
4e8402a3
MH		 1310 l2cap_conn_start(conn);
1311}
1312
5d3de7df
VCG		 1313static void l2cap_conn_del(struct hci_conn *hcon, int err)
1314{
1315 struct l2cap_conn *conn = hcon->l2cap_data;
1316 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1317
1318 if (!conn)
1319 return;
1320
1321 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1322
1323 kfree_skb(conn->rx_skb);
1324
3df91ea2
AE		 1325 mutex_lock(&conn->chan_lock);
1326
5d3de7df
VCG		 1327 /* Kill channels */
1328 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1329 l2cap_chan_hold(chan);
6be36555
AE		 1330 l2cap_chan_lock(chan);
1331
5d3de7df 1332 l2cap_chan_del(chan, err);
6be36555
AE		 1333
1334 l2cap_chan_unlock(chan);
1335
80b98027 1336 chan->ops->close(chan);
61d6ef3e 1337 l2cap_chan_put(chan);
5d3de7df
VCG		 1338 }
1339
3df91ea2
AE		 1340 mutex_unlock(&conn->chan_lock);
1341
73d80deb
LAD		 1342 hci_chan_del(conn->hchan);
1343
5d3de7df 1344 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1345 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1346
51a8efd7 1347 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1348 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1349 smp_chan_destroy(conn);
d26a2345 1350 }
5d3de7df
VCG		 1351
1352 hcon->l2cap_data = NULL;
1353 kfree(conn);
1354}
1355
6c9d42a1 1356static void security_timeout(struct work_struct *work)
5d3de7df 1357{
6c9d42a1
GP		 1358 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1359 security_timer.work);
5d3de7df 1360
d06cc416
JH		 1361 BT_DBG("conn %p", conn);
1362
1363 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1364 smp_chan_destroy(conn);
1365 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1366 }
5d3de7df
VCG		 1367}
1368
1da177e4
LT		 1369static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1370{
0139418c 1371 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1372 struct hci_chan *hchan;
1da177e4 1373
0139418c 1374 if (conn || status)
1da177e4
LT		 1375 return conn;
1376
73d80deb
LAD		 1377 hchan = hci_chan_create(hcon);
1378 if (!hchan)
1379 return NULL;
1380
0139418c 1381 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1382 if (!conn) {
1383 hci_chan_del(hchan);
1da177e4 1384 return NULL;
73d80deb 1385 }
1da177e4
LT		 1386
1387 hcon->l2cap_data = conn;
1388 conn->hcon = hcon;
73d80deb 1389 conn->hchan = hchan;
1da177e4 1390
73d80deb 1391 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1392
dcc042d5
AE		 1393 switch (hcon->type) {
1394 case AMP_LINK:
1395 conn->mtu = hcon->hdev->block_mtu;
1396 break;
1397
1398 case LE_LINK:
1399 if (hcon->hdev->le_mtu) {
1400 conn->mtu = hcon->hdev->le_mtu;
1401 break;
1402 }
1403 /* fall through */
1404
1405 default:
acd7d370 1406 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1407 break;
1408 }
acd7d370 1409
1da177e4
LT		 1410 conn->src = &hcon->hdev->bdaddr;
1411 conn->dst = &hcon->dst;
1412
4e8402a3
MH		 1413 conn->feat_mask = 0;
1414
1da177e4 1415 spin_lock_init(&conn->lock);
3df91ea2 1416 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1417
1418 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1419
5d3de7df 1420 if (hcon->type == LE_LINK)
6c9d42a1 1421 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1422 else
030013d8 1423 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1424
9f5a0d7b 1425 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1426
1da177e4
LT		 1427 return conn;
1428}
1429
1da177e4 1430/* ---- Socket interface ---- */
1da177e4 1431
c2287681 1432/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1433 * Returns closest match.
1434 */
c2287681
IY		 1435static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1436 bdaddr_t *src,
1437 bdaddr_t *dst)
1da177e4 1438{
23691d75 1439 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1440
23691d75 1441 read_lock(&chan_list_lock);
e0f0cb56 1442
23691d75
GP		 1443 list_for_each_entry(c, &chan_list, global_l) {
1444 struct sock *sk = c->sk;
fe4128e0 1445
89bc500e 1446 if (state && c->state != state)
1da177e4
LT		 1447 continue;
1448
23691d75 1449 if (c->psm == psm) {
c2287681
IY		 1450 int src_match, dst_match;
1451 int src_any, dst_any;
1452
1da177e4 1453 /* Exact match. */
c2287681
IY		 1454 src_match = !bacmp(&bt_sk(sk)->src, src);
1455 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1456 if (src_match && dst_match) {
a7567b20 1457 read_unlock(&chan_list_lock);
23691d75
GP		 1458 return c;
1459 }
1da177e4
LT		 1460
1461 /* Closest match */
c2287681
IY		 1462 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1463 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1464 if ((src_match && dst_any) || (src_any && dst_match) ||
1465 (src_any && dst_any))
23691d75 1466 c1 = c;
1da177e4
LT		 1467 }
1468 }
1da177e4 1469
23691d75 1470 read_unlock(&chan_list_lock);
e0f0cb56 1471
23691d75 1472 return c1;
1da177e4
LT		 1473}
1474
8e9f9892
AG		 1475int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1476 bdaddr_t *dst, u8 dst_type)
1da177e4 1477{
5d41ce1d 1478 struct sock *sk = chan->sk;
1da177e4 1479 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1480 struct l2cap_conn *conn;
1481 struct hci_conn *hcon;
1482 struct hci_dev *hdev;
09ab6f4c 1483 __u8 auth_type;
44d0e48e 1484 int err;
1da177e4 1485
6ed93dc6 1486 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1487 dst_type, __le16_to_cpu(psm));
1da177e4 1488
af05b30b
GP		 1489 hdev = hci_get_route(dst, src);
1490 if (!hdev)
1da177e4
LT		 1491 return -EHOSTUNREACH;
1492
09fd0de5 1493 hci_dev_lock(hdev);
1da177e4 1494
6be36555 1495 l2cap_chan_lock(chan);
03a00194
GP		 1496
1497 /* PSM must be odd and lsb of upper byte must be 0 */
1498 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1499 chan->chan_type != L2CAP_CHAN_RAW) {
1500 err = -EINVAL;
1501 goto done;
1502 }
1503
1504 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1505 err = -EINVAL;
1506 goto done;
1507 }
1508
1509 switch (chan->mode) {
1510 case L2CAP_MODE_BASIC:
1511 break;
1512 case L2CAP_MODE_ERTM:
1513 case L2CAP_MODE_STREAMING:
1514 if (!disable_ertm)
1515 break;
1516 /* fall through */
1517 default:
1518 err = -ENOTSUPP;
1519 goto done;
1520 }
1521
0797e01d 1522 switch (chan->state) {
03a00194
GP		 1523 case BT_CONNECT:
1524 case BT_CONNECT2:
1525 case BT_CONFIG:
1526 /* Already connecting */
1527 err = 0;
1528 goto done;
1529
1530 case BT_CONNECTED:
1531 /* Already connected */
1532 err = -EISCONN;
1533 goto done;
1534
1535 case BT_OPEN:
1536 case BT_BOUND:
1537 /* Can connect */
1538 break;
1539
1540 default:
1541 err = -EBADFD;
1542 goto done;
1543 }
1544
1545 /* Set destination address and psm */
0797e01d 1546 lock_sock(sk);
9219b2a0 1547 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1548 release_sock(sk);
1549
03a00194
GP		 1550 chan->psm = psm;
1551 chan->dcid = cid;
1da177e4 1552
4343478f 1553 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1554
fe4128e0 1555 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1556 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1557 chan->sec_level, auth_type);
acd7d370 1558 else
8e9f9892 1559 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1560 chan->sec_level, auth_type);
acd7d370 1561
30e76272
VT		 1562 if (IS_ERR(hcon)) {
1563 err = PTR_ERR(hcon);
1da177e4 1564 goto done;
30e76272 1565 }
1da177e4
LT		 1566
1567 conn = l2cap_conn_add(hcon, 0);
1568 if (!conn) {
1569 hci_conn_put(hcon);
30e76272 1570 err = -ENOMEM;
1da177e4
LT		 1571 goto done;
1572 }
1573
9f0caeb1
VCG		 1574 if (hcon->type == LE_LINK) {
1575 err = 0;
1576
1577 if (!list_empty(&conn->chan_l)) {
1578 err = -EBUSY;
1579 hci_conn_put(hcon);
1580 }
1581
1582 if (err)
1583 goto done;
1584 }
1585
1da177e4
LT		 1586 /* Update source addr of the socket */
1587 bacpy(src, conn->src);
1588
6be36555 1589 l2cap_chan_unlock(chan);
48454079 1590 l2cap_chan_add(conn, chan);
6be36555 1591 l2cap_chan_lock(chan);
48454079 1592
6be36555 1593 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1594 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1595
1596 if (hcon->state == BT_CONNECTED) {
715ec005 1597 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1598 __clear_chan_timer(chan);
d45fc423 1599 if (l2cap_chan_check_security(chan))
6be36555 1600 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1601 } else
fc7f8a7e 1602 l2cap_do_start(chan);
1da177e4
LT		 1603 }
1604
30e76272
VT		 1605 err = 0;
1606
1da177e4 1607done:
6be36555 1608 l2cap_chan_unlock(chan);
09fd0de5 1609 hci_dev_unlock(hdev);
1da177e4
LT		 1610 hci_dev_put(hdev);
1611 return err;
1612}
1613
dcba0dba 1614int __l2cap_wait_ack(struct sock *sk)
6161c038 1615{
8c1d787b 1616 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1617 DECLARE_WAITQUEUE(wait, current);
1618 int err = 0;
1619 int timeo = HZ/5;
1620
2b0b05dd 1621 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1622 set_current_state(TASK_INTERRUPTIBLE);
1623 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1624 if (!timeo)
1625 timeo = HZ/5;
1626
1627 if (signal_pending(current)) {
1628 err = sock_intr_errno(timeo);
1629 break;
1630 }
1631
1632 release_sock(sk);
1633 timeo = schedule_timeout(timeo);
1634 lock_sock(sk);
a71a0cf4 1635 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1636
1637 err = sock_error(sk);
1638 if (err)
1639 break;
1640 }
1641 set_current_state(TASK_RUNNING);
2b0b05dd 1642 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1643 return err;
1644}
1645
721c4181 1646static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1647{
721c4181 1648 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1649 monitor_timer.work);
e90bac06 1650
525cd185 1651 BT_DBG("chan %p", chan);
0e98958d 1652
6be36555
AE		 1653 l2cap_chan_lock(chan);
1654
80909e04 1655 if (!chan->conn) {
6be36555 1656 l2cap_chan_unlock(chan);
8d7e1c7f 1657 l2cap_chan_put(chan);
e90bac06
GP		 1658 return;
1659 }
1660
401bb1f7 1661 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1662
6be36555 1663 l2cap_chan_unlock(chan);
8d7e1c7f 1664 l2cap_chan_put(chan);
e90bac06
GP		 1665}
1666
721c4181 1667static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1668{
721c4181 1669 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1670 retrans_timer.work);
e90bac06 1671
49208c9c 1672 BT_DBG("chan %p", chan);
0e98958d 1673
6be36555
AE		 1674 l2cap_chan_lock(chan);
1675
80909e04
MM		 1676 if (!chan->conn) {
1677 l2cap_chan_unlock(chan);
1678 l2cap_chan_put(chan);
1679 return;
1680 }
6be36555 1681
401bb1f7 1682 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1683 l2cap_chan_unlock(chan);
8d7e1c7f 1684 l2cap_chan_put(chan);
e90bac06
GP		 1685}
1686
d660366d
GP		 1687static void l2cap_streaming_send(struct l2cap_chan *chan,
1688 struct sk_buff_head *skbs)
6840ed07 1689{
ccbb84af 1690 struct sk_buff *skb;
3733937d 1691 struct l2cap_ctrl *control;
6840ed07 1692
3733937d
MM		 1693 BT_DBG("chan %p, skbs %p", chan, skbs);
1694
3733937d
MM		 1695 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1696
1697 while (!skb_queue_empty(&chan->tx_q)) {
1698
1699 skb = skb_dequeue(&chan->tx_q);
1700
1701 bt_cb(skb)->control.retries = 1;
1702 control = &bt_cb(skb)->control;
1703
1704 control->reqseq = 0;
1705 control->txseq = chan->next_tx_seq;
1706
1707 __pack_control(chan, control, skb);
6840ed07 1708
47d1ec61 1709 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1710 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1711 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1712 }
1713
4343478f 1714 l2cap_do_send(chan, skb);
6840ed07 1715
b4400672 1716 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1717
836be934 1718 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1719 chan->frames_sent++;
6840ed07 1720 }
6840ed07
GP		 1721}
1722
67c9e840 1723static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1724{
1725 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1726 struct l2cap_ctrl *control;
1727 int sent = 0;
1728
1729 BT_DBG("chan %p", chan);
1c2acffb 1730
89bc500e 1731 if (chan->state != BT_CONNECTED)
c13ffa62 1732 return -ENOTCONN;
e90bac06 1733
94122bbe
MM		 1734 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1735 return 0;
1736
18a48e76
MM		 1737 while (chan->tx_send_head &&
1738 chan->unacked_frames < chan->remote_tx_win &&
1739 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1740
18a48e76 1741 skb = chan->tx_send_head;
e90bac06 1742
18a48e76
MM		 1743 bt_cb(skb)->control.retries = 1;
1744 control = &bt_cb(skb)->control;
95ffa978 1745
e2ab4353 1746 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1747 control->final = 1;
e2ab4353 1748
18a48e76
MM		 1749 control->reqseq = chan->buffer_seq;
1750 chan->last_acked_seq = chan->buffer_seq;
1751 control->txseq = chan->next_tx_seq;
1c2acffb 1752
18a48e76 1753 __pack_control(chan, control, skb);
e90bac06 1754
47d1ec61 1755 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1756 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1757 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1758 }
1759
18a48e76
MM		 1760 /* Clone after data has been modified. Data is assumed to be
1761 read-only (for locking purposes) on cloned sk_buffs.
1762 */
1763 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1764
18a48e76
MM		 1765 if (!tx_skb)
1766 break;
1c2acffb 1767
18a48e76 1768 __set_retrans_timer(chan);
836be934
AE		 1769
1770 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1771 chan->unacked_frames++;
6a026610 1772 chan->frames_sent++;
18a48e76 1773 sent++;
1c2acffb 1774
58d35f87
GP		 1775 if (skb_queue_is_last(&chan->tx_q, skb))
1776 chan->tx_send_head = NULL;
1c2acffb 1777 else
58d35f87 1778 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1779
1780 l2cap_do_send(chan, tx_skb);
b4400672 1781 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1782 }
1783
b4400672
AE		 1784 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1785 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1786
1787 return sent;
9e917af1
GP		 1788}
1789
e1fbd4c1
MM		 1790static void l2cap_ertm_resend(struct l2cap_chan *chan)
1791{
1792 struct l2cap_ctrl control;
1793 struct sk_buff *skb;
1794 struct sk_buff *tx_skb;
1795 u16 seq;
1796
1797 BT_DBG("chan %p", chan);
1798
1799 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1800 return;
1801
1802 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1803 seq = l2cap_seq_list_pop(&chan->retrans_list);
1804
1805 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1806 if (!skb) {
1807 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1808 seq);
1809 continue;
1810 }
1811
1812 bt_cb(skb)->control.retries++;
1813 control = bt_cb(skb)->control;
1814
1815 if (chan->max_tx != 0 &&
1816 bt_cb(skb)->control.retries > chan->max_tx) {
1817 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1818 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1819 l2cap_seq_list_clear(&chan->retrans_list);
1820 break;
1821 }
1822
1823 control.reqseq = chan->buffer_seq;
1824 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1825 control.final = 1;
1826 else
1827 control.final = 0;
1828
1829 if (skb_cloned(skb)) {
1830 /* Cloned sk_buffs are read-only, so we need a
1831 * writeable copy
1832 */
1833 tx_skb = skb_copy(skb, GFP_ATOMIC);
1834 } else {
1835 tx_skb = skb_clone(skb, GFP_ATOMIC);
1836 }
1837
1838 if (!tx_skb) {
1839 l2cap_seq_list_clear(&chan->retrans_list);
1840 break;
1841 }
1842
1843 /* Update skb contents */
1844 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1845 put_unaligned_le32(__pack_extended_control(&control),
1846 tx_skb->data + L2CAP_HDR_SIZE);
1847 } else {
1848 put_unaligned_le16(__pack_enhanced_control(&control),
1849 tx_skb->data + L2CAP_HDR_SIZE);
1850 }
1851
1852 if (chan->fcs == L2CAP_FCS_CRC16) {
1853 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1854 put_unaligned_le16(fcs, skb_put(tx_skb,
1855 L2CAP_FCS_SIZE));
1856 }
1857
1858 l2cap_do_send(chan, tx_skb);
1859
1860 BT_DBG("Resent txseq %d", control.txseq);
1861
1862 chan->last_acked_seq = chan->buffer_seq;
1863 }
1864}
1865
f80842a8
MM		 1866static void l2cap_retransmit(struct l2cap_chan *chan,
1867 struct l2cap_ctrl *control)
1868{
1869 BT_DBG("chan %p, control %p", chan, control);
1870
1871 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1872 l2cap_ertm_resend(chan);
1873}
1874
d2a7ac5d
MM		 1875static void l2cap_retransmit_all(struct l2cap_chan *chan,
1876 struct l2cap_ctrl *control)
1877{
e1fbd4c1
MM		 1878 struct sk_buff *skb;
1879
1880 BT_DBG("chan %p, control %p", chan, control);
1881
1882 if (control->poll)
1883 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1884
1885 l2cap_seq_list_clear(&chan->retrans_list);
1886
1887 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1888 return;
1889
1890 if (chan->unacked_frames) {
1891 skb_queue_walk(&chan->tx_q, skb) {
1892 if (bt_cb(skb)->control.txseq == control->reqseq ||
1893 skb == chan->tx_send_head)
1894 break;
1895 }
1896
1897 skb_queue_walk_from(&chan->tx_q, skb) {
1898 if (skb == chan->tx_send_head)
1899 break;
1900
1901 l2cap_seq_list_append(&chan->retrans_list,
1902 bt_cb(skb)->control.txseq);
1903 }
1904
1905 l2cap_ertm_resend(chan);
1906 }
d2a7ac5d
MM		 1907}
1908
0a0aba42 1909static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1910{
0a0aba42
MM		 1911 struct l2cap_ctrl control;
1912 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1913 chan->last_acked_seq);
1914 int threshold;
9e917af1 1915
0a0aba42
MM		 1916 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1917 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1918
0a0aba42
MM		 1919 memset(&control, 0, sizeof(control));
1920 control.sframe = 1;
dfc909be 1921
0a0aba42
MM		 1922 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1923 chan->rx_state == L2CAP_RX_STATE_RECV) {
1924 __clear_ack_timer(chan);
1925 control.super = L2CAP_SUPER_RNR;
1926 control.reqseq = chan->buffer_seq;
1927 l2cap_send_sframe(chan, &control);
1928 } else {
1929 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1930 l2cap_ertm_send(chan);
1931 /* If any i-frames were sent, they included an ack */
1932 if (chan->buffer_seq == chan->last_acked_seq)
1933 frames_to_ack = 0;
1934 }
dfc909be 1935
c20f8e35 1936 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1937 * Calculate without mul or div
1938 */
c20f8e35 1939 threshold = chan->ack_win;
0a0aba42
MM		 1940 threshold += threshold << 1;
1941 threshold >>= 2;
1942
b4400672 1943 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1944 threshold);
1945
1946 if (frames_to_ack >= threshold) {
1947 __clear_ack_timer(chan);
1948 control.super = L2CAP_SUPER_RR;
1949 control.reqseq = chan->buffer_seq;
1950 l2cap_send_sframe(chan, &control);
1951 frames_to_ack = 0;
1952 }
1c2acffb 1953
0a0aba42
MM		 1954 if (frames_to_ack)
1955 __set_ack_timer(chan);
1956 }
b17e73bb
SJ		 1957}
1958
04124681
GP		 1959static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1960 struct msghdr *msg, int len,
1961 int count, struct sk_buff *skb)
1c2acffb 1962{
0952a57a 1963 struct l2cap_conn *conn = chan->conn;
1c2acffb 1964 struct sk_buff **frag;
90338947 1965 int sent = 0;
1da177e4 1966
59203a21 1967 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1968 return -EFAULT;
1da177e4
LT		 1969
1970 sent += count;
1971 len -= count;
1972
1973 /* Continuation fragments (no L2CAP header) */
1974 frag = &skb_shinfo(skb)->frag_list;
1975 while (len) {
fbe00700
GP		 1976 struct sk_buff *tmp;
1977
1da177e4
LT		 1978 count = min_t(unsigned int, conn->mtu, len);
1979
fbe00700
GP		 1980 tmp = chan->ops->alloc_skb(chan, count,
1981 msg->msg_flags & MSG_DONTWAIT);
1982 if (IS_ERR(tmp))
1983 return PTR_ERR(tmp);
1984
1985 *frag = tmp;
2f7719ce 1986
1c2acffb
GP		 1987 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1988 return -EFAULT;
1da177e4 1989
5e59b791
LAD		 1990 (*frag)->priority = skb->priority;
1991
1da177e4
LT		 1992 sent += count;
1993 len -= count;
1994
2d0ed3d5
GP		 1995 skb->len += (*frag)->len;
1996 skb->data_len += (*frag)->len;
1997
1da177e4
LT		 1998 frag = &(*frag)->next;
1999 }
1da177e4
LT		 2000
2001 return sent;
1c2acffb 2002}
1da177e4 2003
5e59b791 2004static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2005 struct msghdr *msg, size_t len,
2006 u32 priority)
1c2acffb 2007{
8c1d787b 2008 struct l2cap_conn *conn = chan->conn;
1c2acffb 2009 struct sk_buff *skb;
03a51213 2010 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2011 struct l2cap_hdr *lh;
2012
b4400672 2013 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2014
2015 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2016
2017 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2018 msg->msg_flags & MSG_DONTWAIT);
2019 if (IS_ERR(skb))
2020 return skb;
1c2acffb 2021
5e59b791
LAD		 2022 skb->priority = priority;
2023
1c2acffb
GP		 2024 /* Create L2CAP header */
2025 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2026 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2027 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2028 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2029
0952a57a 2030 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2031 if (unlikely(err < 0)) {
2032 kfree_skb(skb);
2033 return ERR_PTR(err);
2034 }
2035 return skb;
2036}
2037
5e59b791 2038static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2039 struct msghdr *msg, size_t len,
2040 u32 priority)
1c2acffb 2041{
8c1d787b 2042 struct l2cap_conn *conn = chan->conn;
1c2acffb 2043 struct sk_buff *skb;
f2ba7fae 2044 int err, count;
1c2acffb
GP		 2045 struct l2cap_hdr *lh;
2046
b4400672 2047 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2048
f2ba7fae 2049 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2050
f2ba7fae 2051 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2052 msg->msg_flags & MSG_DONTWAIT);
2053 if (IS_ERR(skb))
2054 return skb;
1c2acffb 2055
5e59b791
LAD		 2056 skb->priority = priority;
2057
1c2acffb
GP		 2058 /* Create L2CAP header */
2059 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2060 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2061 lh->len = cpu_to_le16(len);
1c2acffb 2062
0952a57a 2063 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2064 if (unlikely(err < 0)) {
2065 kfree_skb(skb);
2066 return ERR_PTR(err);
2067 }
2068 return skb;
2069}
2070
ab0ff76d 2071static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2072 struct msghdr *msg, size_t len,
2073 u16 sdulen)
1c2acffb 2074{
8c1d787b 2075 struct l2cap_conn *conn = chan->conn;
1c2acffb 2076 struct sk_buff *skb;
e4ca6d98 2077 int err, count, hlen;
1c2acffb
GP		 2078 struct l2cap_hdr *lh;
2079
b4400672 2080 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2081
0ee0d208
GP		 2082 if (!conn)
2083 return ERR_PTR(-ENOTCONN);
2084
ba7aa64f 2085 hlen = __ertm_hdr_size(chan);
e4ca6d98 2086
c74e560c 2087 if (sdulen)
03a51213 2088 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2089
47d1ec61 2090 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2091 hlen += L2CAP_FCS_SIZE;
fcc203c3 2092
1c2acffb 2093 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2094
2095 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2096 msg->msg_flags & MSG_DONTWAIT);
2097 if (IS_ERR(skb))
2098 return skb;
1c2acffb
GP		 2099
2100 /* Create L2CAP header */
2101 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2102 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2103 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2104
18a48e76
MM		 2105 /* Control header is populated later */
2106 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2107 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2108 else
2109 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2110
c74e560c 2111 if (sdulen)
03a51213 2112 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2113
0952a57a 2114 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2115 if (unlikely(err < 0)) {
2116 kfree_skb(skb);
2117 return ERR_PTR(err);
2118 }
e90bac06 2119
18a48e76 2120 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2121 bt_cb(skb)->control.retries = 0;
1c2acffb 2122 return skb;
1da177e4
LT		 2123}
2124
94122bbe
MM		 2125static int l2cap_segment_sdu(struct l2cap_chan *chan,
2126 struct sk_buff_head *seg_queue,
2127 struct msghdr *msg, size_t len)
c74e560c 2128{
c74e560c 2129 struct sk_buff *skb;
94122bbe
MM		 2130 u16 sdu_len;
2131 size_t pdu_len;
94122bbe 2132 u8 sar;
c74e560c 2133
b4400672 2134 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2135
94122bbe
MM		 2136 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2137 * so fragmented skbs are not used. The HCI layer's handling
2138 * of fragmented skbs is not compatible with ERTM's queueing.
2139 */
c74e560c 2140
94122bbe
MM		 2141 /* PDU size is derived from the HCI MTU */
2142 pdu_len = chan->conn->mtu;
c74e560c 2143
94122bbe
MM		 2144 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2145
2146 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2147 if (chan->fcs)
2148 pdu_len -= L2CAP_FCS_SIZE;
2149
ba7aa64f 2150 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2151
2152 /* Remote device may have requested smaller PDUs */
2153 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2154
2155 if (len <= pdu_len) {
2156 sar = L2CAP_SAR_UNSEGMENTED;
2157 sdu_len = 0;
2158 pdu_len = len;
2159 } else {
2160 sar = L2CAP_SAR_START;
2161 sdu_len = len;
2162 pdu_len -= L2CAP_SDULEN_SIZE;
2163 }
2164
2165 while (len > 0) {
2166 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2167
c74e560c 2168 if (IS_ERR(skb)) {
94122bbe 2169 __skb_queue_purge(seg_queue);
c74e560c
GP		 2170 return PTR_ERR(skb);
2171 }
2172
94122bbe
MM		 2173 bt_cb(skb)->control.sar = sar;
2174 __skb_queue_tail(seg_queue, skb);
2175
2176 len -= pdu_len;
2177 if (sdu_len) {
2178 sdu_len = 0;
2179 pdu_len += L2CAP_SDULEN_SIZE;
2180 }
2181
2182 if (len <= pdu_len) {
2183 sar = L2CAP_SAR_END;
2184 pdu_len = len;
2185 } else {
2186 sar = L2CAP_SAR_CONTINUE;
2187 }
c74e560c 2188 }
c74e560c 2189
f0f62799 2190 return 0;
c74e560c
GP		 2191}
2192
5e59b791
LAD		 2193int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2194 u32 priority)
9a91a04a 2195{
9a91a04a 2196 struct sk_buff *skb;
9a91a04a 2197 int err;
94122bbe 2198 struct sk_buff_head seg_queue;
9a91a04a
GP		 2199
2200 /* Connectionless channel */
715ec005 2201 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2202 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2203 if (IS_ERR(skb))
2204 return PTR_ERR(skb);
2205
2206 l2cap_do_send(chan, skb);
2207 return len;
2208 }
2209
2210 switch (chan->mode) {
2211 case L2CAP_MODE_BASIC:
2212 /* Check outgoing MTU */
2213 if (len > chan->omtu)
2214 return -EMSGSIZE;
2215
2216 /* Create a basic PDU */
5e59b791 2217 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2218 if (IS_ERR(skb))
2219 return PTR_ERR(skb);
2220
2221 l2cap_do_send(chan, skb);
2222 err = len;
2223 break;
2224
2225 case L2CAP_MODE_ERTM:
2226 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2227 /* Check outgoing MTU */
2228 if (len > chan->omtu) {
2229 err = -EMSGSIZE;
2230 break;
2231 }
9a91a04a 2232
94122bbe 2233 __skb_queue_head_init(&seg_queue);
9a91a04a 2234
94122bbe
MM		 2235 /* Do segmentation before calling in to the state machine,
2236 * since it's possible to block while waiting for memory
2237 * allocation.
2238 */
2239 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2240
94122bbe
MM		 2241 /* The channel could have been closed while segmenting,
2242 * check that it is still connected.
2243 */
2244 if (chan->state != BT_CONNECTED) {
2245 __skb_queue_purge(&seg_queue);
2246 err = -ENOTCONN;
9a91a04a
GP		 2247 }
2248
94122bbe 2249 if (err)
9a91a04a 2250 break;
9a91a04a 2251
3733937d 2252 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2253 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2254 else
d660366d 2255 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2256
d660366d 2257 err = len;
9a91a04a 2258
94122bbe
MM		 2259 /* If the skbs were not queued for sending, they'll still be in
2260 * seg_queue and need to be purged.
2261 */
2262 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2263 break;
2264
2265 default:
2266 BT_DBG("bad state %1.1x", chan->mode);
2267 err = -EBADFD;
2268 }
2269
2270 return err;
2271}
2272
d2a7ac5d
MM		 2273static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2274{
bed68bde
MM		 2275 struct l2cap_ctrl control;
2276 u16 seq;
2277
b4400672 2278 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2279
2280 memset(&control, 0, sizeof(control));
2281 control.sframe = 1;
2282 control.super = L2CAP_SUPER_SREJ;
2283
2284 for (seq = chan->expected_tx_seq; seq != txseq;
2285 seq = __next_seq(chan, seq)) {
2286 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2287 control.reqseq = seq;
2288 l2cap_send_sframe(chan, &control);
2289 l2cap_seq_list_append(&chan->srej_list, seq);
2290 }
2291 }
2292
2293 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2294}
2295
2296static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2297{
bed68bde
MM		 2298 struct l2cap_ctrl control;
2299
2300 BT_DBG("chan %p", chan);
2301
2302 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2303 return;
2304
2305 memset(&control, 0, sizeof(control));
2306 control.sframe = 1;
2307 control.super = L2CAP_SUPER_SREJ;
2308 control.reqseq = chan->srej_list.tail;
2309 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2310}
2311
2312static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2313{
bed68bde
MM		 2314 struct l2cap_ctrl control;
2315 u16 initial_head;
2316 u16 seq;
2317
b4400672 2318 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2319
2320 memset(&control, 0, sizeof(control));
2321 control.sframe = 1;
2322 control.super = L2CAP_SUPER_SREJ;
2323
2324 /* Capture initial list head to allow only one pass through the list. */
2325 initial_head = chan->srej_list.head;
2326
2327 do {
2328 seq = l2cap_seq_list_pop(&chan->srej_list);
2329 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2330 break;
2331
2332 control.reqseq = seq;
2333 l2cap_send_sframe(chan, &control);
2334 l2cap_seq_list_append(&chan->srej_list, seq);
2335 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2336}
2337
608bcc6d
MM		 2338static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2339{
2340 struct sk_buff *acked_skb;
2341 u16 ackseq;
2342
b4400672 2343 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2344
2345 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2346 return;
2347
b4400672 2348 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2349 chan->expected_ack_seq, chan->unacked_frames);
2350
2351 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2352 ackseq = __next_seq(chan, ackseq)) {
2353
2354 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2355 if (acked_skb) {
2356 skb_unlink(acked_skb, &chan->tx_q);
2357 kfree_skb(acked_skb);
2358 chan->unacked_frames--;
2359 }
2360 }
2361
2362 chan->expected_ack_seq = reqseq;
2363
2364 if (chan->unacked_frames == 0)
2365 __clear_retrans_timer(chan);
2366
b4400672 2367 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2368}
2369
2370static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2371{
2372 BT_DBG("chan %p", chan);
2373
2374 chan->expected_tx_seq = chan->buffer_seq;
2375 l2cap_seq_list_clear(&chan->srej_list);
2376 skb_queue_purge(&chan->srej_q);
2377 chan->rx_state = L2CAP_RX_STATE_RECV;
2378}
2379
d660366d
GP		 2380static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2381 struct l2cap_ctrl *control,
2382 struct sk_buff_head *skbs, u8 event)
608bcc6d 2383{
608bcc6d
MM		 2384 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2385 event);
2386
2387 switch (event) {
2388 case L2CAP_EV_DATA_REQUEST:
2389 if (chan->tx_send_head == NULL)
2390 chan->tx_send_head = skb_peek(skbs);
2391
2392 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2393 l2cap_ertm_send(chan);
2394 break;
2395 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2396 BT_DBG("Enter LOCAL_BUSY");
2397 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2398
2399 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2400 /* The SREJ_SENT state must be aborted if we are to
2401 * enter the LOCAL_BUSY state.
2402 */
2403 l2cap_abort_rx_srej_sent(chan);
2404 }
2405
2406 l2cap_send_ack(chan);
2407
2408 break;
2409 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2410 BT_DBG("Exit LOCAL_BUSY");
2411 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2412
2413 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2414 struct l2cap_ctrl local_control;
2415
2416 memset(&local_control, 0, sizeof(local_control));
2417 local_control.sframe = 1;
2418 local_control.super = L2CAP_SUPER_RR;
2419 local_control.poll = 1;
2420 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2421 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2422
2423 chan->retry_count = 1;
2424 __set_monitor_timer(chan);
2425 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2426 }
2427 break;
2428 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2429 l2cap_process_reqseq(chan, control->reqseq);
2430 break;
2431 case L2CAP_EV_EXPLICIT_POLL:
2432 l2cap_send_rr_or_rnr(chan, 1);
2433 chan->retry_count = 1;
2434 __set_monitor_timer(chan);
2435 __clear_ack_timer(chan);
2436 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2437 break;
2438 case L2CAP_EV_RETRANS_TO:
2439 l2cap_send_rr_or_rnr(chan, 1);
2440 chan->retry_count = 1;
2441 __set_monitor_timer(chan);
2442 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2443 break;
2444 case L2CAP_EV_RECV_FBIT:
2445 /* Nothing to process */
2446 break;
2447 default:
2448 break;
2449 }
608bcc6d
MM		 2450}
2451
d660366d
GP		 2452static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2453 struct l2cap_ctrl *control,
2454 struct sk_buff_head *skbs, u8 event)
608bcc6d 2455{
608bcc6d
MM		 2456 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2457 event);
2458
2459 switch (event) {
2460 case L2CAP_EV_DATA_REQUEST:
2461 if (chan->tx_send_head == NULL)
2462 chan->tx_send_head = skb_peek(skbs);
2463 /* Queue data, but don't send. */
2464 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2465 break;
2466 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2467 BT_DBG("Enter LOCAL_BUSY");
2468 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2469
2470 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2471 /* The SREJ_SENT state must be aborted if we are to
2472 * enter the LOCAL_BUSY state.
2473 */
2474 l2cap_abort_rx_srej_sent(chan);
2475 }
2476
2477 l2cap_send_ack(chan);
2478
2479 break;
2480 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2481 BT_DBG("Exit LOCAL_BUSY");
2482 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2483
2484 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2485 struct l2cap_ctrl local_control;
2486 memset(&local_control, 0, sizeof(local_control));
2487 local_control.sframe = 1;
2488 local_control.super = L2CAP_SUPER_RR;
2489 local_control.poll = 1;
2490 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2491 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2492
2493 chan->retry_count = 1;
2494 __set_monitor_timer(chan);
2495 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2496 }
2497 break;
2498 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2499 l2cap_process_reqseq(chan, control->reqseq);
2500
2501 /* Fall through */
2502
2503 case L2CAP_EV_RECV_FBIT:
2504 if (control && control->final) {
2505 __clear_monitor_timer(chan);
2506 if (chan->unacked_frames > 0)
2507 __set_retrans_timer(chan);
2508 chan->retry_count = 0;
2509 chan->tx_state = L2CAP_TX_STATE_XMIT;
2510 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2511 }
2512 break;
2513 case L2CAP_EV_EXPLICIT_POLL:
2514 /* Ignore */
2515 break;
2516 case L2CAP_EV_MONITOR_TO:
2517 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2518 l2cap_send_rr_or_rnr(chan, 1);
2519 __set_monitor_timer(chan);
2520 chan->retry_count++;
2521 } else {
2522 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2523 }
2524 break;
2525 default:
2526 break;
2527 }
608bcc6d
MM		 2528}
2529
d660366d
GP		 2530static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2531 struct sk_buff_head *skbs, u8 event)
608bcc6d 2532{
608bcc6d
MM		 2533 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2534 chan, control, skbs, event, chan->tx_state);
2535
2536 switch (chan->tx_state) {
2537 case L2CAP_TX_STATE_XMIT:
d660366d 2538 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2539 break;
2540 case L2CAP_TX_STATE_WAIT_F:
d660366d 2541 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2542 break;
2543 default:
2544 /* Ignore event */
2545 break;
2546 }
608bcc6d
MM		 2547}
2548
4b51dae9
MM		 2549static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2550 struct l2cap_ctrl *control)
2551{
2552 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2553 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2554}
2555
f80842a8
MM		 2556static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2557 struct l2cap_ctrl *control)
2558{
2559 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2560 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2561}
2562
1da177e4
LT		 2563/* Copy frame to all raw sockets on that connection */
2564static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2565{
1da177e4 2566 struct sk_buff *nskb;
48454079 2567 struct l2cap_chan *chan;
1da177e4
LT		 2568
2569 BT_DBG("conn %p", conn);
2570
3df91ea2 2571 mutex_lock(&conn->chan_lock);
3d57dc68 2572
3df91ea2 2573 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2574 struct sock *sk = chan->sk;
715ec005 2575 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2576 continue;
2577
2578 /* Don't send frame to the socket it came from */
2579 if (skb->sk == sk)
2580 continue;
af05b30b
GP		 2581 nskb = skb_clone(skb, GFP_ATOMIC);
2582 if (!nskb)
1da177e4
LT		 2583 continue;
2584
80b98027 2585 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2586 kfree_skb(nskb);
2587 }
3d57dc68 2588
3df91ea2 2589 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2590}
2591
2592/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2593static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2594 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2595{
2596 struct sk_buff *skb, **frag;
2597 struct l2cap_cmd_hdr *cmd;
2598 struct l2cap_hdr *lh;
2599 int len, count;
2600
b4400672
AE		 2601 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2602 conn, code, ident, dlen);
1da177e4
LT		 2603
2604 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2605 count = min_t(unsigned int, conn->mtu, len);
2606
2607 skb = bt_skb_alloc(count, GFP_ATOMIC);
2608 if (!skb)
2609 return NULL;
2610
2611 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2612 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2613
2614 if (conn->hcon->type == LE_LINK)
ac73498c 2615 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2616 else
ac73498c 2617 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2618
2619 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2620 cmd->code = code;
2621 cmd->ident = ident;
aca3192c 2622 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2623
2624 if (dlen) {
2625 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2626 memcpy(skb_put(skb, count), data, count);
2627 data += count;
2628 }
2629
2630 len -= skb->len;
2631
2632 /* Continuation fragments (no L2CAP header) */
2633 frag = &skb_shinfo(skb)->frag_list;
2634 while (len) {
2635 count = min_t(unsigned int, conn->mtu, len);
2636
2637 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2638 if (!*frag)
2639 goto fail;
2640
2641 memcpy(skb_put(*frag, count), data, count);
2642
2643 len -= count;
2644 data += count;
2645
2646 frag = &(*frag)->next;
2647 }
2648
2649 return skb;
2650
2651fail:
2652 kfree_skb(skb);
2653 return NULL;
2654}
2655
2656static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2657{
2658 struct l2cap_conf_opt *opt = *ptr;
2659 int len;
2660
2661 len = L2CAP_CONF_OPT_SIZE + opt->len;
2662 *ptr += len;
2663
2664 *type = opt->type;
2665 *olen = opt->len;
2666
2667 switch (opt->len) {
2668 case 1:
2669 *val = *((u8 *) opt->val);
2670 break;
2671
2672 case 2:
bfaaeb3e 2673 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2674 break;
2675
2676 case 4:
bfaaeb3e 2677 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2678 break;
2679
2680 default:
2681 *val = (unsigned long) opt->val;
2682 break;
2683 }
2684
b4400672 2685 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2686 return len;
2687}
2688
1da177e4
LT		 2689static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2690{
2691 struct l2cap_conf_opt *opt = *ptr;
2692
b4400672 2693 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2694
2695 opt->type = type;
2696 opt->len = len;
2697
2698 switch (len) {
2699 case 1:
2700 *((u8 *) opt->val) = val;
2701 break;
2702
2703 case 2:
4f8b691c 2704 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2705 break;
2706
2707 case 4:
4f8b691c 2708 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2709 break;
2710
2711 default:
2712 memcpy(opt->val, (void *) val, len);
2713 break;
2714 }
2715
2716 *ptr += L2CAP_CONF_OPT_SIZE + len;
2717}
2718
f89cef09
AE		 2719static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2720{
2721 struct l2cap_conf_efs efs;
2722
1ec918ce 2723 switch (chan->mode) {
f89cef09
AE		 2724 case L2CAP_MODE_ERTM:
2725 efs.id = chan->local_id;
2726 efs.stype = chan->local_stype;
2727 efs.msdu = cpu_to_le16(chan->local_msdu);
2728 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2729 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2730 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2731 break;
2732
2733 case L2CAP_MODE_STREAMING:
2734 efs.id = 1;
2735 efs.stype = L2CAP_SERV_BESTEFFORT;
2736 efs.msdu = cpu_to_le16(chan->local_msdu);
2737 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2738 efs.acc_lat = 0;
2739 efs.flush_to = 0;
2740 break;
2741
2742 default:
2743 return;
2744 }
2745
2746 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2747 (unsigned long) &efs);
f89cef09
AE		 2748}
2749
721c4181 2750static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2751{
721c4181 2752 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2753 ack_timer.work);
2754 u16 frames_to_ack;
c1b4f43b 2755
2fb9b3d4
GP		 2756 BT_DBG("chan %p", chan);
2757
6be36555
AE		 2758 l2cap_chan_lock(chan);
2759
0362520b
MM		 2760 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2761 chan->last_acked_seq);
6be36555 2762
0362520b
MM		 2763 if (frames_to_ack)
2764 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2765
0362520b 2766 l2cap_chan_unlock(chan);
09bfb2ee 2767 l2cap_chan_put(chan);
c1b4f43b
GP		 2768}
2769
466f8004 2770int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2771{
3c588192
MM		 2772 int err;
2773
105bdf9e
MM		 2774 chan->next_tx_seq = 0;
2775 chan->expected_tx_seq = 0;
42e5c802 2776 chan->expected_ack_seq = 0;
6a026610 2777 chan->unacked_frames = 0;
42e5c802 2778 chan->buffer_seq = 0;
6a026610 2779 chan->frames_sent = 0;
105bdf9e
MM		 2780 chan->last_acked_seq = 0;
2781 chan->sdu = NULL;
2782 chan->sdu_last_frag = NULL;
2783 chan->sdu_len = 0;
2784
d34c34fb
MM		 2785 skb_queue_head_init(&chan->tx_q);
2786
105bdf9e
MM		 2787 if (chan->mode != L2CAP_MODE_ERTM)
2788 return 0;
2789
2790 chan->rx_state = L2CAP_RX_STATE_RECV;
2791 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2792
721c4181
GP		 2793 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2794 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2795 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2796
f1c6775b 2797 skb_queue_head_init(&chan->srej_q);
1890d36b 2798
3c588192
MM		 2799 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2800 if (err < 0)
2801 return err;
2802
9dc9affc
MM		 2803 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2804 if (err < 0)
2805 l2cap_seq_list_free(&chan->srej_list);
2806
2807 return err;
0565c1c2
GP		 2808}
2809
f2fcfcd6
GP		 2810static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2811{
2812 switch (mode) {
2813 case L2CAP_MODE_STREAMING:
2814 case L2CAP_MODE_ERTM:
2815 if (l2cap_mode_supported(mode, remote_feat_mask))
2816 return mode;
2817 /* fall through */
2818 default:
2819 return L2CAP_MODE_BASIC;
2820 }
2821}
2822
6327eb98
AE		 2823static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2824{
2825 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2826}
2827
f89cef09
AE		 2828static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2829{
2830 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2831}
2832
6327eb98
AE		 2833static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2834{
2835 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2836 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2837 /* use extended control field */
2838 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2839 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2840 } else {
6327eb98
AE		 2841 chan->tx_win = min_t(u16, chan->tx_win,
2842 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2843 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2844 }
c20f8e35 2845 chan->ack_win = chan->tx_win;
6327eb98
AE		 2846}
2847
710f9b0a 2848static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2849{
1da177e4 2850 struct l2cap_conf_req *req = data;
0c1bc5c6 2851 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2852 void *ptr = req->data;
c8f79162 2853 u16 size;
1da177e4 2854
49208c9c 2855 BT_DBG("chan %p", chan);
1da177e4 2856
73ffa904 2857 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2858 goto done;
2859
0c1bc5c6 2860 switch (chan->mode) {
f2fcfcd6
GP		 2861 case L2CAP_MODE_STREAMING:
2862 case L2CAP_MODE_ERTM:
c1360a1c 2863 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2864 break;
85eb53c6 2865
f89cef09
AE		 2866 if (__l2cap_efs_supported(chan))
2867 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2868
2ba13ed6 2869 /* fall through */
f2fcfcd6 2870 default:
8c1d787b 2871 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2872 break;
2873 }
2874
2875done:
0c1bc5c6
GP		 2876 if (chan->imtu != L2CAP_DEFAULT_MTU)
2877 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2878
0c1bc5c6 2879 switch (chan->mode) {
65c7c491 2880 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2881 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2882 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2883 break;
2884
62547752
GP		 2885 rfc.mode = L2CAP_MODE_BASIC;
2886 rfc.txwin_size = 0;
2887 rfc.max_transmit = 0;
2888 rfc.retrans_timeout = 0;
2889 rfc.monitor_timeout = 0;
2890 rfc.max_pdu_size = 0;
2891
63406504
GP		 2892 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2893 (unsigned long) &rfc);
65c7c491
MH		 2894 break;
2895
2896 case L2CAP_MODE_ERTM:
2897 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2898 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2899 rfc.retrans_timeout = 0;
2900 rfc.monitor_timeout = 0;
c8f79162
AE		 2901
2902 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2903 L2CAP_EXT_HDR_SIZE -
2904 L2CAP_SDULEN_SIZE -
2905 L2CAP_FCS_SIZE);
2906 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2907
6327eb98
AE		 2908 l2cap_txwin_setup(chan);
2909
2910 rfc.txwin_size = min_t(u16, chan->tx_win,
2911 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2912
63406504
GP		 2913 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2914 (unsigned long) &rfc);
2915
f89cef09
AE		 2916 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2917 l2cap_add_opt_efs(&ptr, chan);
2918
8c1d787b 2919 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2920 break;
2921
47d1ec61 2922 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2923 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2924 chan->fcs = L2CAP_FCS_NONE;
2925 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2926 }
6327eb98
AE		 2927
2928 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2929 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2930 chan->tx_win);
f2fcfcd6
GP		 2931 break;
2932
2933 case L2CAP_MODE_STREAMING:
273759e2 2934 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2935 rfc.mode = L2CAP_MODE_STREAMING;
2936 rfc.txwin_size = 0;
2937 rfc.max_transmit = 0;
2938 rfc.retrans_timeout = 0;
2939 rfc.monitor_timeout = 0;
c8f79162
AE		 2940
2941 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2942 L2CAP_EXT_HDR_SIZE -
2943 L2CAP_SDULEN_SIZE -
2944 L2CAP_FCS_SIZE);
2945 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2946
63406504
GP		 2947 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2948 (unsigned long) &rfc);
2949
f89cef09
AE		 2950 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2951 l2cap_add_opt_efs(&ptr, chan);
2952
8c1d787b 2953 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2954 break;
2955
47d1ec61 2956 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2957 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2958 chan->fcs = L2CAP_FCS_NONE;
2959 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2960 }
65c7c491
MH		 2961 break;
2962 }
1da177e4 2963
fe4128e0 2964 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2965 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2966
2967 return ptr - data;
2968}
2969
73ffa904 2970static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2971{
5dee9e7c
MH		 2972 struct l2cap_conf_rsp *rsp = data;
2973 void *ptr = rsp->data;
73ffa904
GP		 2974 void *req = chan->conf_req;
2975 int len = chan->conf_len;
5dee9e7c
MH		 2976 int type, hint, olen;
2977 unsigned long val;
6464f35f 2978 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2979 struct l2cap_conf_efs efs;
2980 u8 remote_efs = 0;
861d6882 2981 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2982 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2983 u16 size;
1da177e4 2984
73ffa904 2985 BT_DBG("chan %p", chan);
820ae1b8 2986
5dee9e7c
MH		 2987 while (len >= L2CAP_CONF_OPT_SIZE) {
2988 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2989
589d2746 2990 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2991 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2992
2993 switch (type) {
2994 case L2CAP_CONF_MTU:
861d6882 2995 mtu = val;
5dee9e7c
MH		 2996 break;
2997
2998 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2999 chan->flush_to = val;
5dee9e7c
MH		 3000 break;
3001
3002 case L2CAP_CONF_QOS:
3003 break;
3004
6464f35f
MH		 3005 case L2CAP_CONF_RFC:
3006 if (olen == sizeof(rfc))
3007 memcpy(&rfc, (void *) val, olen);
3008 break;
3009
fcc203c3
GP		 3010 case L2CAP_CONF_FCS:
3011 if (val == L2CAP_FCS_NONE)
c1360a1c 3012 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3013 break;
fcc203c3 3014
42dceae2
AE		 3015 case L2CAP_CONF_EFS:
3016 remote_efs = 1;
3017 if (olen == sizeof(efs))
3018 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3019 break;
3020
6327eb98
AE		 3021 case L2CAP_CONF_EWS:
3022 if (!enable_hs)
3023 return -ECONNREFUSED;
fcc203c3 3024
6327eb98
AE		 3025 set_bit(FLAG_EXT_CTRL, &chan->flags);
3026 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3027 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3028 chan->remote_tx_win = val;
fcc203c3
GP		 3029 break;
3030
5dee9e7c
MH		 3031 default:
3032 if (hint)
3033 break;
3034
3035 result = L2CAP_CONF_UNKNOWN;
3036 *((u8 *) ptr++) = type;
3037 break;
3038 }
3039 }
3040
73ffa904 3041 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3042 goto done;
3043
0c1bc5c6 3044 switch (chan->mode) {
f2fcfcd6
GP		 3045 case L2CAP_MODE_STREAMING:
3046 case L2CAP_MODE_ERTM:
c1360a1c 3047 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3048 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3049 chan->conn->feat_mask);
85eb53c6
GP		 3050 break;
3051 }
3052
42dceae2
AE		 3053 if (remote_efs) {
3054 if (__l2cap_efs_supported(chan))
3055 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3056 else
3057 return -ECONNREFUSED;
3058 }
3059
0c1bc5c6 3060 if (chan->mode != rfc.mode)
f2fcfcd6 3061 return -ECONNREFUSED;
742e519b 3062
f2fcfcd6 3063 break;
f2fcfcd6
GP		 3064 }
3065
3066done:
0c1bc5c6 3067 if (chan->mode != rfc.mode) {
f2fcfcd6 3068 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3069 rfc.mode = chan->mode;
f2fcfcd6 3070
73ffa904 3071 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3072 return -ECONNREFUSED;
3073
3074 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3075 sizeof(rfc), (unsigned long) &rfc);
3076 }
3077
5dee9e7c
MH		 3078 if (result == L2CAP_CONF_SUCCESS) {
3079 /* Configure output options and let the other side know
3080 * which ones we don't like. */
3081
f2fcfcd6
GP		 3082 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3083 result = L2CAP_CONF_UNACCEPT;
3084 else {
0c1bc5c6 3085 chan->omtu = mtu;
c1360a1c 3086 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3087 }
0c1bc5c6 3088 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3089
42dceae2
AE		 3090 if (remote_efs) {
3091 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3092 efs.stype != L2CAP_SERV_NOTRAFIC &&
3093 efs.stype != chan->local_stype) {
3094
3095 result = L2CAP_CONF_UNACCEPT;
3096
3097 if (chan->num_conf_req >= 1)
3098 return -ECONNREFUSED;
3099
3100 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3101 sizeof(efs),
42dceae2 3102 (unsigned long) &efs);
0e8b207e 3103 } else {
3e6b3b95 3104 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3105 result = L2CAP_CONF_PENDING;
3106 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3107 }
3108 }
3109
f2fcfcd6
GP		 3110 switch (rfc.mode) {
3111 case L2CAP_MODE_BASIC:
47d1ec61 3112 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3113 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3114 break;
3115
3116 case L2CAP_MODE_ERTM:
6327eb98
AE		 3117 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3118 chan->remote_tx_win = rfc.txwin_size;
3119 else
3120 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3121
2c03a7a4 3122 chan->remote_max_tx = rfc.max_transmit;
1c762159 3123
c8f79162
AE		 3124 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3125 chan->conn->mtu -
3126 L2CAP_EXT_HDR_SIZE -
3127 L2CAP_SDULEN_SIZE -
3128 L2CAP_FCS_SIZE);
3129 rfc.max_pdu_size = cpu_to_le16(size);
3130 chan->remote_mps = size;
f2fcfcd6 3131
10467e9e 3132 rfc.retrans_timeout =
4fd21a88 3133 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3134 rfc.monitor_timeout =
4fd21a88 3135 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3136
c1360a1c 3137 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3138
3139 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3140 sizeof(rfc), (unsigned long) &rfc);
3141
42dceae2
AE		 3142 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3143 chan->remote_id = efs.id;
3144 chan->remote_stype = efs.stype;
3145 chan->remote_msdu = le16_to_cpu(efs.msdu);
3146 chan->remote_flush_to =
3147 le32_to_cpu(efs.flush_to);
3148 chan->remote_acc_lat =
3149 le32_to_cpu(efs.acc_lat);
3150 chan->remote_sdu_itime =
3151 le32_to_cpu(efs.sdu_itime);
3152 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3153 sizeof(efs), (unsigned long) &efs);
3154 }
f2fcfcd6
GP		 3155 break;
3156
3157 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3158 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3159 chan->conn->mtu -
3160 L2CAP_EXT_HDR_SIZE -
3161 L2CAP_SDULEN_SIZE -
3162 L2CAP_FCS_SIZE);
3163 rfc.max_pdu_size = cpu_to_le16(size);
3164 chan->remote_mps = size;
f2fcfcd6 3165
c1360a1c 3166 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3167
3168 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3169 sizeof(rfc), (unsigned long) &rfc);
3170
f2fcfcd6
GP		 3171 break;
3172
3173 default:
5dee9e7c 3174 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3175
6464f35f 3176 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3177 rfc.mode = chan->mode;
f2fcfcd6 3178 }
6464f35f 3179
f2fcfcd6 3180 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3181 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3182 }
fe4128e0 3183 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3184 rsp->result = cpu_to_le16(result);
59e54bd1 3185 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3186
3187 return ptr - data;
1da177e4
LT		 3188}
3189
b4450035 3190static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3191{
f2fcfcd6
GP		 3192 struct l2cap_conf_req *req = data;
3193 void *ptr = req->data;
3194 int type, olen;
3195 unsigned long val;
36e999a8 3196 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3197 struct l2cap_conf_efs efs;
f2fcfcd6 3198
fe4128e0 3199 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3200
3201 while (len >= L2CAP_CONF_OPT_SIZE) {
3202 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3203
3204 switch (type) {
3205 case L2CAP_CONF_MTU:
3206 if (val < L2CAP_DEFAULT_MIN_MTU) {
3207 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3208 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3209 } else
0c1bc5c6
GP		 3210 chan->imtu = val;
3211 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3212 break;
3213
3214 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3215 chan->flush_to = val;
f2fcfcd6 3216 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3217 2, chan->flush_to);
f2fcfcd6
GP		 3218 break;
3219
3220 case L2CAP_CONF_RFC:
3221 if (olen == sizeof(rfc))
3222 memcpy(&rfc, (void *)val, olen);
3223
c1360a1c 3224 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3225 rfc.mode != chan->mode)
f2fcfcd6
GP		 3226 return -ECONNREFUSED;
3227
47d1ec61 3228 chan->fcs = 0;
f2fcfcd6
GP		 3229
3230 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3231 sizeof(rfc), (unsigned long) &rfc);
3232 break;
6327eb98
AE		 3233
3234 case L2CAP_CONF_EWS:
c20f8e35 3235 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3236 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3237 chan->tx_win);
6327eb98 3238 break;
66af7aaf
AE		 3239
3240 case L2CAP_CONF_EFS:
3241 if (olen == sizeof(efs))
3242 memcpy(&efs, (void *)val, olen);
3243
3244 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3245 efs.stype != L2CAP_SERV_NOTRAFIC &&
3246 efs.stype != chan->local_stype)
3247 return -ECONNREFUSED;
3248
3249 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3250 sizeof(efs), (unsigned long) &efs);
3251 break;
f2fcfcd6
GP		 3252 }
3253 }
3254
0c1bc5c6 3255 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3256 return -ECONNREFUSED;
3257
0c1bc5c6 3258 chan->mode = rfc.mode;
6c2ea7a8 3259
0e8b207e 3260 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3261 switch (rfc.mode) {
3262 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3263 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3264 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3265 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3266 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3267 chan->ack_win = min_t(u16, chan->ack_win,
3268 rfc.txwin_size);
66af7aaf
AE		 3269
3270 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3271 chan->local_msdu = le16_to_cpu(efs.msdu);
3272 chan->local_sdu_itime =
3273 le32_to_cpu(efs.sdu_itime);
3274 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3275 chan->local_flush_to =
3276 le32_to_cpu(efs.flush_to);
3277 }
f2fcfcd6 3278 break;
66af7aaf 3279
f2fcfcd6 3280 case L2CAP_MODE_STREAMING:
47d1ec61 3281 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3282 }
3283 }
3284
fe4128e0 3285 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3286 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3287
3288 return ptr - data;
3289}
3290
fe4128e0 3291static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3292{
3293 struct l2cap_conf_rsp *rsp = data;
3294 void *ptr = rsp->data;
1da177e4 3295
fe4128e0 3296 BT_DBG("chan %p", chan);
1da177e4 3297
fe4128e0 3298 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3299 rsp->result = cpu_to_le16(result);
aca3192c 3300 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3301
3302 return ptr - data;
3303}
3304
8c1d787b 3305void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3306{
3307 struct l2cap_conn_rsp rsp;
8c1d787b 3308 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3309 u8 buf[128];
3310
fe4128e0
GP		 3311 rsp.scid = cpu_to_le16(chan->dcid);
3312 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3313 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3314 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3315 l2cap_send_cmd(conn, chan->ident,
3316 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3317
c1360a1c 3318 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3319 return;
3320
710f9b0a
GP		 3321 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3322 l2cap_build_conf_req(chan, buf), buf);
3323 chan->num_conf_req++;
3324}
3325
47d1ec61 3326static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3327{
7b1c0049
GP		 3328 int type, olen;
3329 unsigned long val;
c20f8e35
MM		 3330 /* Use sane default values in case a misbehaving remote device
3331 * did not send an RFC or extended window size option.
3332 */
3333 u16 txwin_ext = chan->ack_win;
3334 struct l2cap_conf_rfc rfc = {
3335 .mode = chan->mode,
3336 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3337 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3338 .max_pdu_size = cpu_to_le16(chan->imtu),
3339 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3340 };
7b1c0049 3341
47d1ec61 3342 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3343
0c1bc5c6 3344 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3345 return;
3346
3347 while (len >= L2CAP_CONF_OPT_SIZE) {
3348 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3349
c20f8e35
MM		 3350 switch (type) {
3351 case L2CAP_CONF_RFC:
3352 if (olen == sizeof(rfc))
3353 memcpy(&rfc, (void *)val, olen);
8f321f85 3354 break;
c20f8e35
MM		 3355 case L2CAP_CONF_EWS:
3356 txwin_ext = val;
3357 break;
3358 }
7b1c0049
GP		 3359 }
3360
7b1c0049
GP		 3361 switch (rfc.mode) {
3362 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3363 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3364 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3365 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3366 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3367 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3368 else
3369 chan->ack_win = min_t(u16, chan->ack_win,
3370 rfc.txwin_size);
7b1c0049
GP		 3371 break;
3372 case L2CAP_MODE_STREAMING:
47d1ec61 3373 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3374 }
3375}
3376
4e8402a3
MH		 3377static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3378{
e2fd318e 3379 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3380
e2fd318e 3381 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3382 return 0;
3383
3384 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3385 cmd->ident == conn->info_ident) {
17cd3f37 3386 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3387
3388 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3389 conn->info_ident = 0;
984947dc 3390
4e8402a3
MH		 3391 l2cap_conn_start(conn);
3392 }
3393
3394 return 0;
3395}
3396
4c89b6aa
MM		 3397static void __l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
3398 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3399{
1da177e4
LT		 3400 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3401 struct l2cap_conn_rsp rsp;
23691d75 3402 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3403 struct sock *parent, *sk = NULL;
e7c29cb1 3404 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3405
3406 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3407 __le16 psm = req->psm;
1da177e4 3408
097db76c 3409 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3410
3411 /* Check if we have socket listening on psm */
c2287681 3412 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3413 if (!pchan) {
1da177e4
LT		 3414 result = L2CAP_CR_BAD_PSM;
3415 goto sendresp;
3416 }
3417
23691d75
GP		 3418 parent = pchan->sk;
3419
3df91ea2 3420 mutex_lock(&conn->chan_lock);
aa2ac881 3421 lock_sock(parent);
e0f0cb56 3422
e7c29cb1 3423 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3424 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3425 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3426 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3427 result = L2CAP_CR_SEC_BLOCK;
3428 goto response;
3429 }
3430
1da177e4
LT		 3431 result = L2CAP_CR_NO_MEM;
3432
2dfa1003
GP		 3433 /* Check if we already have channel with that dcid */
3434 if (__l2cap_get_chan_by_dcid(conn, scid))
3435 goto response;
3436
80b98027 3437 chan = pchan->ops->new_connection(pchan);
80808e43 3438 if (!chan)
1da177e4
LT		 3439 goto response;
3440
80808e43
GP		 3441 sk = chan->sk;
3442
1da177e4
LT		 3443 hci_conn_hold(conn->hcon);
3444
1da177e4
LT		 3445 bacpy(&bt_sk(sk)->src, conn->src);
3446 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3447 chan->psm = psm;
3448 chan->dcid = scid;
1da177e4 3449
d1010240
GP		 3450 bt_accept_enqueue(parent, sk);
3451
6be36555 3452 __l2cap_chan_add(conn, chan);
48454079 3453
fe4128e0 3454 dcid = chan->scid;
1da177e4 3455
c9b66675 3456 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3457
fc7f8a7e 3458 chan->ident = cmd->ident;
1da177e4 3459
984947dc 3460 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3461 if (l2cap_chan_check_security(chan)) {
c5daa683 3462 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3463 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3464 result = L2CAP_CR_PEND;
3465 status = L2CAP_CS_AUTHOR_PEND;
3466 parent->sk_data_ready(parent, 0);
3467 } else {
0e587be7 3468 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3469 result = L2CAP_CR_SUCCESS;
3470 status = L2CAP_CS_NO_INFO;
3471 }
79d554a6 3472 } else {
0e587be7 3473 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3474 result = L2CAP_CR_PEND;
3475 status = L2CAP_CS_AUTHEN_PEND;
3476 }
3477 } else {
0e587be7 3478 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3479 result = L2CAP_CR_PEND;
3480 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3481 }
3482
1da177e4 3483response:
aa2ac881 3484 release_sock(parent);
3df91ea2 3485 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3486
3487sendresp:
aca3192c
YH		 3488 rsp.scid = cpu_to_le16(scid);
3489 rsp.dcid = cpu_to_le16(dcid);
3490 rsp.result = cpu_to_le16(result);
3491 rsp.status = cpu_to_le16(status);
4c89b6aa 3492 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3493
3494 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3495 struct l2cap_info_req info;
ac73498c 3496 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3497
3498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3499 conn->info_ident = l2cap_get_ident(conn);
3500
ba13ccd9 3501 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3502
3503 l2cap_send_cmd(conn, conn->info_ident,
3504 L2CAP_INFO_REQ, sizeof(info), &info);
3505 }
3506
c1360a1c 3507 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3508 result == L2CAP_CR_SUCCESS) {
3509 u8 buf[128];
c1360a1c 3510 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3511 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3512 l2cap_build_conf_req(chan, buf), buf);
3513 chan->num_conf_req++;
e9aeb2dd 3514 }
4c89b6aa 3515}
e9aeb2dd 3516
4c89b6aa
MM		 3517static int l2cap_connect_req(struct l2cap_conn *conn,
3518 struct l2cap_cmd_hdr *cmd, u8 *data)
3519{
3520 __l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3521 return 0;
3522}
3523
3524static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3525{
3526 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3527 u16 scid, dcid, result, status;
48454079 3528 struct l2cap_chan *chan;
1da177e4 3529 u8 req[128];
3df91ea2 3530 int err;
1da177e4
LT		 3531
3532 scid = __le16_to_cpu(rsp->scid);
3533 dcid = __le16_to_cpu(rsp->dcid);
3534 result = __le16_to_cpu(rsp->result);
3535 status = __le16_to_cpu(rsp->status);
3536
1b009c98
AE		 3537 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3538 dcid, scid, result, status);
1da177e4 3539
3df91ea2
AE		 3540 mutex_lock(&conn->chan_lock);
3541
1da177e4 3542 if (scid) {
3df91ea2
AE		 3543 chan = __l2cap_get_chan_by_scid(conn, scid);
3544 if (!chan) {
3545 err = -EFAULT;
3546 goto unlock;
3547 }
1da177e4 3548 } else {
3df91ea2
AE		 3549 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3550 if (!chan) {
3551 err = -EFAULT;
3552 goto unlock;
3553 }
1da177e4
LT		 3554 }
3555
3df91ea2
AE		 3556 err = 0;
3557
6be36555 3558 l2cap_chan_lock(chan);
48454079 3559
1da177e4
LT		 3560 switch (result) {
3561 case L2CAP_CR_SUCCESS:
89bc500e 3562 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3563 chan->ident = 0;
fe4128e0 3564 chan->dcid = dcid;
c1360a1c 3565 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3566
c1360a1c 3567 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3568 break;
3569
1da177e4 3570 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3571 l2cap_build_conf_req(chan, req), req);
3572 chan->num_conf_req++;
1da177e4
LT		 3573 break;
3574
3575 case L2CAP_CR_PEND:
c1360a1c 3576 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3577 break;
3578
3579 default:
48454079 3580 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3581 break;
3582 }
3583
6be36555 3584 l2cap_chan_unlock(chan);
3df91ea2
AE		 3585
3586unlock:
3587 mutex_unlock(&conn->chan_lock);
3588
3589 return err;
1da177e4
LT		 3590}
3591
47d1ec61 3592static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3593{
3594 /* FCS is enabled only in ERTM or streaming mode, if one or both
3595 * sides request it.
3596 */
0c1bc5c6 3597 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3598 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3599 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3600 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3601}
3602
29d8a590
AE		 3603static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3604 u8 ident, u16 flags)
3605{
3606 struct l2cap_conn *conn = chan->conn;
3607
3608 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3609 flags);
3610
3611 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3612 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3613
3614 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3615 l2cap_build_conf_rsp(chan, data,
3616 L2CAP_CONF_SUCCESS, flags), data);
3617}
3618
88219a0f 3619static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3620{
3621 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3622 u16 dcid, flags;
3623 u8 rsp[64];
48454079 3624 struct l2cap_chan *chan;
3c588192 3625 int len, err = 0;
1da177e4
LT		 3626
3627 dcid = __le16_to_cpu(req->dcid);
3628 flags = __le16_to_cpu(req->flags);
3629
3630 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3631
baa7e1fa 3632 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3633 if (!chan)
1da177e4
LT		 3634 return -ENOENT;
3635
033b1142 3636 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3637 struct l2cap_cmd_rej_cid rej;
3638
ac73498c 3639 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3640 rej.scid = cpu_to_le16(chan->scid);
3641 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3642
df6bd743
GP		 3643 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3644 sizeof(rej), &rej);
354f60a9 3645 goto unlock;
df6bd743 3646 }
354f60a9 3647
5dee9e7c 3648 /* Reject if config buffer is too small. */
88219a0f 3649 len = cmd_len - sizeof(*req);
7ac28817 3650 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3651 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3652 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3653 L2CAP_CONF_REJECT, flags), rsp);
3654 goto unlock;
3655 }
3656
3657 /* Store config. */
73ffa904
GP		 3658 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3659 chan->conf_len += len;
1da177e4 3660
59e54bd1 3661 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3662 /* Incomplete config. Send empty response. */
3663 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3664 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3665 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3666 goto unlock;
3667 }
3668
3669 /* Complete config. */
73ffa904 3670 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3671 if (len < 0) {
e92c8e70 3672 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3673 goto unlock;
f2fcfcd6 3674 }
1da177e4 3675
5dee9e7c 3676 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3677 chan->num_conf_rsp++;
5dee9e7c 3678
5dee9e7c 3679 /* Reset config buffer. */
73ffa904 3680 chan->conf_len = 0;
5dee9e7c 3681
c1360a1c 3682 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3683 goto unlock;
3684
c1360a1c 3685 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3686 set_default_fcs(chan);
fcc203c3 3687
105bdf9e
MM		 3688 if (chan->mode == L2CAP_MODE_ERTM ||
3689 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3690 err = l2cap_ertm_init(chan);
3691
3692 if (err < 0)
3693 l2cap_send_disconn_req(chan->conn, chan, -err);
3694 else
3695 l2cap_chan_ready(chan);
0565c1c2 3696
876d9484
MH		 3697 goto unlock;
3698 }
3699
c1360a1c 3700 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3701 u8 buf[64];
1da177e4 3702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3703 l2cap_build_conf_req(chan, buf), buf);
3704 chan->num_conf_req++;
1da177e4
LT		 3705 }
3706
0e8b207e
AE		 3707 /* Got Conf Rsp PENDING from remote side and asume we sent
3708 Conf Rsp PENDING in the code above */
3709 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3710 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3711
3712 /* check compatibility */
3713
29d8a590 3714 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
0e8b207e
AE		 3715 }
3716
1da177e4 3717unlock:
6be36555 3718 l2cap_chan_unlock(chan);
3c588192 3719 return err;
1da177e4
LT		 3720}
3721
3722static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3723{
3724 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3725 u16 scid, flags, result;
48454079 3726 struct l2cap_chan *chan;
61386cba 3727 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3728 int err = 0;
1da177e4
LT		 3729
3730 scid = __le16_to_cpu(rsp->scid);
3731 flags = __le16_to_cpu(rsp->flags);
3732 result = __le16_to_cpu(rsp->result);
3733
61386cba
AE		 3734 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3735 result, len);
1da177e4 3736
baa7e1fa 3737 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3738 if (!chan)
1da177e4
LT		 3739 return 0;
3740
3741 switch (result) {
3742 case L2CAP_CONF_SUCCESS:
47d1ec61 3743 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3744 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3745 break;
3746
0e8b207e
AE		 3747 case L2CAP_CONF_PENDING:
3748 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3749
3750 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3751 char buf[64];
3752
3753 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3754 buf, &result);
3755 if (len < 0) {
3756 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3757 goto done;
3758 }
3759
3760 /* check compatibility */
3761
29d8a590 3762 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
0e8b207e
AE		 3763 }
3764 goto done;
3765
1da177e4 3766 case L2CAP_CONF_UNACCEPT:
73ffa904 3767 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3768 char req[64];
3769
c2c77ec8 3770 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3771 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3772 goto done;
3773 }
3774
f2fcfcd6
GP		 3775 /* throw out any old stored conf requests */
3776 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3777 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3778 req, &result);
f2fcfcd6 3779 if (len < 0) {
e92c8e70 3780 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3781 goto done;
3782 }
3783
3784 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3785 L2CAP_CONF_REQ, len, req);
73ffa904 3786 chan->num_conf_req++;
f2fcfcd6
GP		 3787 if (result != L2CAP_CONF_SUCCESS)
3788 goto done;
3789 break;
1da177e4
LT		 3790 }
3791
8e87d142 3792 default:
6be36555 3793 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3794
ba13ccd9 3795 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3796 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3797 goto done;
3798 }
3799
59e54bd1 3800 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3801 goto done;
3802
c1360a1c 3803 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3804
c1360a1c 3805 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3806 set_default_fcs(chan);
fcc203c3 3807
105bdf9e
MM		 3808 if (chan->mode == L2CAP_MODE_ERTM ||
3809 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3810 err = l2cap_ertm_init(chan);
0565c1c2 3811
3c588192
MM		 3812 if (err < 0)
3813 l2cap_send_disconn_req(chan->conn, chan, -err);
3814 else
3815 l2cap_chan_ready(chan);
1da177e4
LT		 3816 }
3817
3818done:
6be36555 3819 l2cap_chan_unlock(chan);
3c588192 3820 return err;
1da177e4
LT		 3821}
3822
3823static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3824{
3825 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3826 struct l2cap_disconn_rsp rsp;
3827 u16 dcid, scid;
48454079 3828 struct l2cap_chan *chan;
1da177e4
LT		 3829 struct sock *sk;
3830
3831 scid = __le16_to_cpu(req->scid);
3832 dcid = __le16_to_cpu(req->dcid);
3833
3834 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3835
3df91ea2
AE		 3836 mutex_lock(&conn->chan_lock);
3837
3838 chan = __l2cap_get_chan_by_scid(conn, dcid);
3839 if (!chan) {
3840 mutex_unlock(&conn->chan_lock);
1da177e4 3841 return 0;
3df91ea2 3842 }
1da177e4 3843
6be36555
AE		 3844 l2cap_chan_lock(chan);
3845
48454079
GP		 3846 sk = chan->sk;
3847
fe4128e0
GP		 3848 rsp.dcid = cpu_to_le16(chan->scid);
3849 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3850 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3851
6be36555 3852 lock_sock(sk);
1da177e4 3853 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3854 release_sock(sk);
1da177e4 3855
61d6ef3e 3856 l2cap_chan_hold(chan);
48454079 3857 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3858
3859 l2cap_chan_unlock(chan);
1da177e4 3860
80b98027 3861 chan->ops->close(chan);
61d6ef3e 3862 l2cap_chan_put(chan);
3df91ea2
AE		 3863
3864 mutex_unlock(&conn->chan_lock);
3865
1da177e4
LT		 3866 return 0;
3867}
3868
3869static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3870{
3871 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3872 u16 dcid, scid;
48454079 3873 struct l2cap_chan *chan;
1da177e4
LT		 3874
3875 scid = __le16_to_cpu(rsp->scid);
3876 dcid = __le16_to_cpu(rsp->dcid);
3877
3878 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3879
3df91ea2
AE		 3880 mutex_lock(&conn->chan_lock);
3881
3882 chan = __l2cap_get_chan_by_scid(conn, scid);
3883 if (!chan) {
3884 mutex_unlock(&conn->chan_lock);
1da177e4 3885 return 0;
3df91ea2 3886 }
1da177e4 3887
6be36555 3888 l2cap_chan_lock(chan);
48454079 3889
61d6ef3e 3890 l2cap_chan_hold(chan);
48454079 3891 l2cap_chan_del(chan, 0);
6be36555
AE		 3892
3893 l2cap_chan_unlock(chan);
1da177e4 3894
80b98027 3895 chan->ops->close(chan);
61d6ef3e 3896 l2cap_chan_put(chan);
3df91ea2
AE		 3897
3898 mutex_unlock(&conn->chan_lock);
3899
1da177e4
LT		 3900 return 0;
3901}
3902
3903static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3904{
3905 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3906 u16 type;
3907
3908 type = __le16_to_cpu(req->type);
3909
3910 BT_DBG("type 0x%4.4x", type);
3911
f0709e03
MH		 3912 if (type == L2CAP_IT_FEAT_MASK) {
3913 u8 buf[8];
44dd46de 3914 u32 feat_mask = l2cap_feat_mask;
f0709e03 3915 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3916 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3917 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3918 if (!disable_ertm)
fcc203c3
GP		 3919 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3920 | L2CAP_FEAT_FCS;
a5fd6f30 3921 if (enable_hs)
6327eb98
AE		 3922 feat_mask |= L2CAP_FEAT_EXT_FLOW
3923 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3924
1b7bf4ed 3925 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3926 l2cap_send_cmd(conn, cmd->ident,
3927 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3928 } else if (type == L2CAP_IT_FIXED_CHAN) {
3929 u8 buf[12];
3930 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3931
3932 if (enable_hs)
3933 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3934 else
3935 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3936
ac73498c
AE		 3937 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3938 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3939 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3940 l2cap_send_cmd(conn, cmd->ident,
3941 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3942 } else {
3943 struct l2cap_info_rsp rsp;
3944 rsp.type = cpu_to_le16(type);
ac73498c 3945 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3946 l2cap_send_cmd(conn, cmd->ident,
3947 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3948 }
1da177e4
LT		 3949
3950 return 0;
3951}
3952
3953static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3954{
3955 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3956 u16 type, result;
3957
3958 type = __le16_to_cpu(rsp->type);
3959 result = __le16_to_cpu(rsp->result);
3960
3961 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3962
e90165be
AE		 3963 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3964 if (cmd->ident != conn->info_ident ||
3965 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3966 return 0;
3967
17cd3f37 3968 cancel_delayed_work(&conn->info_timer);
4e8402a3 3969
adb08ede
VT		 3970 if (result != L2CAP_IR_SUCCESS) {
3971 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3972 conn->info_ident = 0;
3973
3974 l2cap_conn_start(conn);
3975
3976 return 0;
3977 }
3978
978c93b9
AE		 3979 switch (type) {
3980 case L2CAP_IT_FEAT_MASK:
83985319 3981 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3982
47ec1dcd 3983 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3984 struct l2cap_info_req req;
ac73498c 3985 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3986
3987 conn->info_ident = l2cap_get_ident(conn);
3988
3989 l2cap_send_cmd(conn, conn->info_ident,
3990 L2CAP_INFO_REQ, sizeof(req), &req);
3991 } else {
3992 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3993 conn->info_ident = 0;
3994
3995 l2cap_conn_start(conn);
3996 }
978c93b9
AE		 3997 break;
3998
3999 case L2CAP_IT_FIXED_CHAN:
4000 conn->fixed_chan_mask = rsp->data[0];
984947dc 4001 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4002 conn->info_ident = 0;
984947dc
MH		 4003
4004 l2cap_conn_start(conn);
978c93b9 4005 break;
984947dc 4006 }
4e8402a3 4007
1da177e4
LT		 4008 return 0;
4009}
4010
f94ff6ff
MM		 4011static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
4012 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4013 void *data)
4014{
4015 struct l2cap_create_chan_req *req = data;
4016 struct l2cap_create_chan_rsp rsp;
4017 u16 psm, scid;
4018
4019 if (cmd_len != sizeof(*req))
4020 return -EPROTO;
4021
4022 if (!enable_hs)
4023 return -EINVAL;
4024
4025 psm = le16_to_cpu(req->psm);
4026 scid = le16_to_cpu(req->scid);
4027
ad0ac6ca 4028 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 4029
4030 /* Placeholder: Always reject */
4031 rsp.dcid = 0;
4032 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4033 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4034 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4035
4036 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4037 sizeof(rsp), &rsp);
4038
4039 return 0;
4040}
4041
8d5a04a1 4042static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4043 u16 icid, u16 result)
8d5a04a1
MM		 4044{
4045 struct l2cap_move_chan_rsp rsp;
4046
ad0ac6ca 4047 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4048
4049 rsp.icid = cpu_to_le16(icid);
4050 rsp.result = cpu_to_le16(result);
4051
4052 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4053}
4054
4055static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4056 struct l2cap_chan *chan,
4057 u16 icid, u16 result)
8d5a04a1
MM		 4058{
4059 struct l2cap_move_chan_cfm cfm;
4060 u8 ident;
4061
ad0ac6ca 4062 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4063
4064 ident = l2cap_get_ident(conn);
4065 if (chan)
4066 chan->ident = ident;
4067
4068 cfm.icid = cpu_to_le16(icid);
4069 cfm.result = cpu_to_le16(result);
4070
4071 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4072}
4073
4074static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4075 u16 icid)
8d5a04a1
MM		 4076{
4077 struct l2cap_move_chan_cfm_rsp rsp;
4078
ad0ac6ca 4079 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4080
4081 rsp.icid = cpu_to_le16(icid);
4082 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4083}
4084
4085static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4086 struct l2cap_cmd_hdr *cmd,
4087 u16 cmd_len, void *data)
8d5a04a1
MM		 4088{
4089 struct l2cap_move_chan_req *req = data;
4090 u16 icid = 0;
4091 u16 result = L2CAP_MR_NOT_ALLOWED;
4092
4093 if (cmd_len != sizeof(*req))
4094 return -EPROTO;
4095
4096 icid = le16_to_cpu(req->icid);
4097
ad0ac6ca 4098 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4099
4100 if (!enable_hs)
4101 return -EINVAL;
4102
4103 /* Placeholder: Always refuse */
4104 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4105
4106 return 0;
4107}
4108
4109static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4110 struct l2cap_cmd_hdr *cmd,
4111 u16 cmd_len, void *data)
8d5a04a1
MM		 4112{
4113 struct l2cap_move_chan_rsp *rsp = data;
4114 u16 icid, result;
4115
4116 if (cmd_len != sizeof(*rsp))
4117 return -EPROTO;
4118
4119 icid = le16_to_cpu(rsp->icid);
4120 result = le16_to_cpu(rsp->result);
4121
ad0ac6ca 4122 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4123
4124 /* Placeholder: Always unconfirmed */
4125 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4126
4127 return 0;
4128}
4129
4130static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4131 struct l2cap_cmd_hdr *cmd,
4132 u16 cmd_len, void *data)
8d5a04a1
MM		 4133{
4134 struct l2cap_move_chan_cfm *cfm = data;
4135 u16 icid, result;
4136
4137 if (cmd_len != sizeof(*cfm))
4138 return -EPROTO;
4139
4140 icid = le16_to_cpu(cfm->icid);
4141 result = le16_to_cpu(cfm->result);
4142
ad0ac6ca 4143 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4144
4145 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4146
4147 return 0;
4148}
4149
4150static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4151 struct l2cap_cmd_hdr *cmd,
4152 u16 cmd_len, void *data)
8d5a04a1
MM		 4153{
4154 struct l2cap_move_chan_cfm_rsp *rsp = data;
4155 u16 icid;
4156
4157 if (cmd_len != sizeof(*rsp))
4158 return -EPROTO;
4159
4160 icid = le16_to_cpu(rsp->icid);
4161
ad0ac6ca 4162 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4163
4164 return 0;
4165}
4166
e2174ca4 4167static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4168 u16 to_multiplier)
4169{
4170 u16 max_latency;
4171
4172 if (min > max || min < 6 || max > 3200)
4173 return -EINVAL;
4174
4175 if (to_multiplier < 10 || to_multiplier > 3200)
4176 return -EINVAL;
4177
4178 if (max >= to_multiplier * 8)
4179 return -EINVAL;
4180
4181 max_latency = (to_multiplier * 8 / max) - 1;
4182 if (latency > 499 || latency > max_latency)
4183 return -EINVAL;
4184
4185 return 0;
4186}
4187
4188static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4189 struct l2cap_cmd_hdr *cmd, u8 *data)
4190{
4191 struct hci_conn *hcon = conn->hcon;
4192 struct l2cap_conn_param_update_req *req;
4193 struct l2cap_conn_param_update_rsp rsp;
4194 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4195 int err;
de73115a
CT		 4196
4197 if (!(hcon->link_mode & HCI_LM_MASTER))
4198 return -EINVAL;
4199
4200 cmd_len = __le16_to_cpu(cmd->len);
4201 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4202 return -EPROTO;
4203
4204 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4205 min = __le16_to_cpu(req->min);
4206 max = __le16_to_cpu(req->max);
de73115a
CT		 4207 latency = __le16_to_cpu(req->latency);
4208 to_multiplier = __le16_to_cpu(req->to_multiplier);
4209
4210 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4211 min, max, latency, to_multiplier);
4212
4213 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4214
4215 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4216 if (err)
ac73498c 4217 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4218 else
ac73498c 4219 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4220
4221 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4222 sizeof(rsp), &rsp);
4223
2ce603eb
CT		 4224 if (!err)
4225 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4226
de73115a
CT		 4227 return 0;
4228}
4229
3300d9a9
CT		 4230static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4231 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4232{
4233 int err = 0;
4234
4235 switch (cmd->code) {
4236 case L2CAP_COMMAND_REJ:
4237 l2cap_command_rej(conn, cmd, data);
4238 break;
4239
4240 case L2CAP_CONN_REQ:
4241 err = l2cap_connect_req(conn, cmd, data);
4242 break;
4243
4244 case L2CAP_CONN_RSP:
f5a2598d 4245 case L2CAP_CREATE_CHAN_RSP:
3300d9a9
CT		 4246 err = l2cap_connect_rsp(conn, cmd, data);
4247 break;
4248
4249 case L2CAP_CONF_REQ:
4250 err = l2cap_config_req(conn, cmd, cmd_len, data);
4251 break;
4252
4253 case L2CAP_CONF_RSP:
4254 err = l2cap_config_rsp(conn, cmd, data);
4255 break;
4256
4257 case L2CAP_DISCONN_REQ:
4258 err = l2cap_disconnect_req(conn, cmd, data);
4259 break;
4260
4261 case L2CAP_DISCONN_RSP:
4262 err = l2cap_disconnect_rsp(conn, cmd, data);
4263 break;
4264
4265 case L2CAP_ECHO_REQ:
4266 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4267 break;
4268
4269 case L2CAP_ECHO_RSP:
4270 break;
4271
4272 case L2CAP_INFO_REQ:
4273 err = l2cap_information_req(conn, cmd, data);
4274 break;
4275
4276 case L2CAP_INFO_RSP:
4277 err = l2cap_information_rsp(conn, cmd, data);
4278 break;
4279
f94ff6ff
MM		 4280 case L2CAP_CREATE_CHAN_REQ:
4281 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4282 break;
4283
8d5a04a1
MM		 4284 case L2CAP_MOVE_CHAN_REQ:
4285 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4286 break;
4287
4288 case L2CAP_MOVE_CHAN_RSP:
4289 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4290 break;
4291
4292 case L2CAP_MOVE_CHAN_CFM:
4293 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4294 break;
4295
4296 case L2CAP_MOVE_CHAN_CFM_RSP:
4297 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4298 break;
4299
3300d9a9
CT		 4300 default:
4301 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4302 err = -EINVAL;
4303 break;
4304 }
4305
4306 return err;
4307}
4308
4309static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4310 struct l2cap_cmd_hdr *cmd, u8 *data)
4311{
4312 switch (cmd->code) {
4313 case L2CAP_COMMAND_REJ:
4314 return 0;
4315
4316 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4317 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4318
4319 case L2CAP_CONN_PARAM_UPDATE_RSP:
4320 return 0;
4321
4322 default:
4323 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4324 return -EINVAL;
4325 }
4326}
4327
4328static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4329 struct sk_buff *skb)
1da177e4
LT		 4330{
4331 u8 *data = skb->data;
4332 int len = skb->len;
4333 struct l2cap_cmd_hdr cmd;
3300d9a9 4334 int err;
1da177e4
LT		 4335
4336 l2cap_raw_recv(conn, skb);
4337
4338 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4339 u16 cmd_len;
1da177e4
LT		 4340 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4341 data += L2CAP_CMD_HDR_SIZE;
4342 len -= L2CAP_CMD_HDR_SIZE;
4343
88219a0f 4344 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4345
88219a0f 4346 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4347
88219a0f 4348 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4349 BT_DBG("corrupted command");
4350 break;
4351 }
4352
3300d9a9
CT		 4353 if (conn->hcon->type == LE_LINK)
4354 err = l2cap_le_sig_cmd(conn, &cmd, data);
4355 else
4356 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4357
4358 if (err) {
e2fd318e 4359 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4360
4361 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4362
4363 /* FIXME: Map err to a valid reason */
ac73498c 4364 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4365 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4366 }
4367
88219a0f
AV		 4368 data += cmd_len;
4369 len -= cmd_len;
1da177e4
LT		 4370 }
4371
4372 kfree_skb(skb);
4373}
4374
47d1ec61 4375static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4376{
4377 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4378 int hdr_size;
4379
4380 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4381 hdr_size = L2CAP_EXT_HDR_SIZE;
4382 else
4383 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4384
47d1ec61 4385 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4386 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4387 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4388 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4389
4390 if (our_fcs != rcv_fcs)
7a560e5c 4391 return -EBADMSG;
fcc203c3
GP		 4392 }
4393 return 0;
4394}
4395
6ea00485 4396static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4397{
e31f7633 4398 struct l2cap_ctrl control;
d5392c8f 4399
e31f7633 4400 BT_DBG("chan %p", chan);
d5392c8f 4401
e31f7633
MM		 4402 memset(&control, 0, sizeof(control));
4403 control.sframe = 1;
4404 control.final = 1;
4405 control.reqseq = chan->buffer_seq;
4406 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4407
e2ab4353 4408 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4409 control.super = L2CAP_SUPER_RNR;
4410 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4411 }
4412
e31f7633
MM		 4413 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4414 chan->unacked_frames > 0)
4415 __set_retrans_timer(chan);
d5392c8f 4416
e31f7633 4417 /* Send pending iframes */
525cd185 4418 l2cap_ertm_send(chan);
d5392c8f 4419
e2ab4353 4420 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4421 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4422 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4423 * send it now.
4424 */
4425 control.super = L2CAP_SUPER_RR;
4426 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4427 }
4428}
4429
84084a31
MM		 4430static void append_skb_frag(struct sk_buff *skb,
4431 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4432{
84084a31
MM		 4433 /* skb->len reflects data in skb as well as all fragments
4434 * skb->data_len reflects only data in fragments
4435 */
4436 if (!skb_has_frag_list(skb))
4437 skb_shinfo(skb)->frag_list = new_frag;
4438
4439 new_frag->next = NULL;
4440
4441 (*last_frag)->next = new_frag;
4442 *last_frag = new_frag;
4443
4444 skb->len += new_frag->len;
4445 skb->data_len += new_frag->len;
4446 skb->truesize += new_frag->truesize;
4447}
4448
4b51dae9
MM		 4449static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4450 struct l2cap_ctrl *control)
84084a31
MM		 4451{
4452 int err = -EINVAL;
18778a63 4453
4b51dae9 4454 switch (control->sar) {
7e0ef6ee 4455 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4456 if (chan->sdu)
4457 break;
18778a63 4458
80b98027 4459 err = chan->ops->recv(chan, skb);
84084a31 4460 break;
18778a63 4461
7e0ef6ee 4462 case L2CAP_SAR_START:
84084a31
MM		 4463 if (chan->sdu)
4464 break;
18778a63 4465
6f61fd47 4466 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4467 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4468
84084a31
MM		 4469 if (chan->sdu_len > chan->imtu) {
4470 err = -EMSGSIZE;
4471 break;
4472 }
1890d36b 4473
84084a31
MM		 4474 if (skb->len >= chan->sdu_len)
4475 break;
18778a63 4476
84084a31
MM		 4477 chan->sdu = skb;
4478 chan->sdu_last_frag = skb;
18778a63 4479
84084a31
MM		 4480 skb = NULL;
4481 err = 0;
18778a63
GP		 4482 break;
4483
7e0ef6ee 4484 case L2CAP_SAR_CONTINUE:
6f61fd47 4485 if (!chan->sdu)
84084a31 4486 break;
18778a63 4487
84084a31
MM		 4488 append_skb_frag(chan->sdu, skb,
4489 &chan->sdu_last_frag);
4490 skb = NULL;
18778a63 4491
84084a31
MM		 4492 if (chan->sdu->len >= chan->sdu_len)
4493 break;
4178ba46 4494
84084a31 4495 err = 0;
18778a63
GP		 4496 break;
4497
7e0ef6ee 4498 case L2CAP_SAR_END:
6f61fd47 4499 if (!chan->sdu)
84084a31 4500 break;
18778a63 4501
84084a31
MM		 4502 append_skb_frag(chan->sdu, skb,
4503 &chan->sdu_last_frag);
4504 skb = NULL;
4178ba46 4505
84084a31
MM		 4506 if (chan->sdu->len != chan->sdu_len)
4507 break;
18778a63 4508
80b98027 4509 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4510
84084a31
MM		 4511 if (!err) {
4512 /* Reassembly complete */
4513 chan->sdu = NULL;
4514 chan->sdu_last_frag = NULL;
4515 chan->sdu_len = 0;
1890d36b 4516 }
18778a63
GP		 4517 break;
4518 }
4519
84084a31
MM		 4520 if (err) {
4521 kfree_skb(skb);
4522 kfree_skb(chan->sdu);
4523 chan->sdu = NULL;
4524 chan->sdu_last_frag = NULL;
4525 chan->sdu_len = 0;
4526 }
18778a63 4527
84084a31 4528 return err;
18778a63
GP		 4529}
4530
61aa4f5b 4531void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4532{
61aa4f5b 4533 u8 event;
712132eb 4534
61aa4f5b
MM		 4535 if (chan->mode != L2CAP_MODE_ERTM)
4536 return;
712132eb 4537
61aa4f5b 4538 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4539 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4540}
4541
d2a7ac5d
MM		 4542static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4543{
63838725
MM		 4544 int err = 0;
4545 /* Pass sequential frames to l2cap_reassemble_sdu()
4546 * until a gap is encountered.
4547 */
4548
4549 BT_DBG("chan %p", chan);
4550
4551 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4552 struct sk_buff *skb;
4553 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4554 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4555
4556 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4557
4558 if (!skb)
4559 break;
4560
4561 skb_unlink(skb, &chan->srej_q);
4562 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4563 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4564 if (err)
4565 break;
4566 }
4567
4568 if (skb_queue_empty(&chan->srej_q)) {
4569 chan->rx_state = L2CAP_RX_STATE_RECV;
4570 l2cap_send_ack(chan);
4571 }
4572
4573 return err;
d2a7ac5d
MM		 4574}
4575
4576static void l2cap_handle_srej(struct l2cap_chan *chan,
4577 struct l2cap_ctrl *control)
4578{
f80842a8
MM		 4579 struct sk_buff *skb;
4580
4581 BT_DBG("chan %p, control %p", chan, control);
4582
4583 if (control->reqseq == chan->next_tx_seq) {
4584 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4585 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4586 return;
4587 }
4588
4589 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4590
4591 if (skb == NULL) {
4592 BT_DBG("Seq %d not available for retransmission",
4593 control->reqseq);
4594 return;
4595 }
4596
4597 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4598 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4599 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4600 return;
4601 }
4602
4603 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4604
4605 if (control->poll) {
4606 l2cap_pass_to_tx(chan, control);
4607
4608 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4609 l2cap_retransmit(chan, control);
4610 l2cap_ertm_send(chan);
4611
4612 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4613 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4614 chan->srej_save_reqseq = control->reqseq;
4615 }
4616 } else {
4617 l2cap_pass_to_tx_fbit(chan, control);
4618
4619 if (control->final) {
4620 if (chan->srej_save_reqseq != control->reqseq ||
4621 !test_and_clear_bit(CONN_SREJ_ACT,
4622 &chan->conn_state))
4623 l2cap_retransmit(chan, control);
4624 } else {
4625 l2cap_retransmit(chan, control);
4626 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4627 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4628 chan->srej_save_reqseq = control->reqseq;
4629 }
4630 }
4631 }
d2a7ac5d
MM		 4632}
4633
4634static void l2cap_handle_rej(struct l2cap_chan *chan,
4635 struct l2cap_ctrl *control)
4636{
fcd289df
MM		 4637 struct sk_buff *skb;
4638
4639 BT_DBG("chan %p, control %p", chan, control);
4640
4641 if (control->reqseq == chan->next_tx_seq) {
4642 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4643 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4644 return;
4645 }
4646
4647 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4648
4649 if (chan->max_tx && skb &&
4650 bt_cb(skb)->control.retries >= chan->max_tx) {
4651 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4652 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4653 return;
4654 }
4655
4656 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4657
4658 l2cap_pass_to_tx(chan, control);
4659
4660 if (control->final) {
4661 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4662 l2cap_retransmit_all(chan, control);
4663 } else {
4664 l2cap_retransmit_all(chan, control);
4665 l2cap_ertm_send(chan);
4666 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4667 set_bit(CONN_REJ_ACT, &chan->conn_state);
4668 }
d2a7ac5d
MM		 4669}
4670
4b51dae9
MM		 4671static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4672{
4673 BT_DBG("chan %p, txseq %d", chan, txseq);
4674
4675 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4676 chan->expected_tx_seq);
4677
4678 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4679 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4680 chan->tx_win) {
4681 /* See notes below regarding "double poll" and
4682 * invalid packets.
4683 */
4684 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4685 BT_DBG("Invalid/Ignore - after SREJ");
4686 return L2CAP_TXSEQ_INVALID_IGNORE;
4687 } else {
4688 BT_DBG("Invalid - in window after SREJ sent");
4689 return L2CAP_TXSEQ_INVALID;
4690 }
4691 }
4692
4693 if (chan->srej_list.head == txseq) {
4694 BT_DBG("Expected SREJ");
4695 return L2CAP_TXSEQ_EXPECTED_SREJ;
4696 }
4697
4698 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4699 BT_DBG("Duplicate SREJ - txseq already stored");
4700 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4701 }
4702
4703 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4704 BT_DBG("Unexpected SREJ - not requested");
4705 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4706 }
4707 }
4708
4709 if (chan->expected_tx_seq == txseq) {
4710 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4711 chan->tx_win) {
4712 BT_DBG("Invalid - txseq outside tx window");
4713 return L2CAP_TXSEQ_INVALID;
4714 } else {
4715 BT_DBG("Expected");
4716 return L2CAP_TXSEQ_EXPECTED;
4717 }
4718 }
4719
4720 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4721 __seq_offset(chan, chan->expected_tx_seq,
4722 chan->last_acked_seq)){
4723 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4724 return L2CAP_TXSEQ_DUPLICATE;
4725 }
4726
4727 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4728 /* A source of invalid packets is a "double poll" condition,
4729 * where delays cause us to send multiple poll packets. If
4730 * the remote stack receives and processes both polls,
4731 * sequence numbers can wrap around in such a way that a
4732 * resent frame has a sequence number that looks like new data
4733 * with a sequence gap. This would trigger an erroneous SREJ
4734 * request.
4735 *
4736 * Fortunately, this is impossible with a tx window that's
4737 * less than half of the maximum sequence number, which allows
4738 * invalid frames to be safely ignored.
4739 *
4740 * With tx window sizes greater than half of the tx window
4741 * maximum, the frame is invalid and cannot be ignored. This
4742 * causes a disconnect.
4743 */
4744
4745 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4746 BT_DBG("Invalid/Ignore - txseq outside tx window");
4747 return L2CAP_TXSEQ_INVALID_IGNORE;
4748 } else {
4749 BT_DBG("Invalid - txseq outside tx window");
4750 return L2CAP_TXSEQ_INVALID;
4751 }
4752 } else {
4753 BT_DBG("Unexpected - txseq indicates missing frames");
4754 return L2CAP_TXSEQ_UNEXPECTED;
4755 }
4756}
4757
d2a7ac5d
MM		 4758static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4759 struct l2cap_ctrl *control,
4760 struct sk_buff *skb, u8 event)
4761{
4762 int err = 0;
4763 bool skb_in_use = 0;
4764
4765 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4766 event);
4767
4768 switch (event) {
4769 case L2CAP_EV_RECV_IFRAME:
4770 switch (l2cap_classify_txseq(chan, control->txseq)) {
4771 case L2CAP_TXSEQ_EXPECTED:
4772 l2cap_pass_to_tx(chan, control);
4773
4774 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4775 BT_DBG("Busy, discarding expected seq %d",
4776 control->txseq);
4777 break;
4778 }
4779
4780 chan->expected_tx_seq = __next_seq(chan,
4781 control->txseq);
4782
4783 chan->buffer_seq = chan->expected_tx_seq;
4784 skb_in_use = 1;
4785
4786 err = l2cap_reassemble_sdu(chan, skb, control);
4787 if (err)
4788 break;
4789
4790 if (control->final) {
4791 if (!test_and_clear_bit(CONN_REJ_ACT,
4792 &chan->conn_state)) {
4793 control->final = 0;
4794 l2cap_retransmit_all(chan, control);
4795 l2cap_ertm_send(chan);
4796 }
4797 }
4798
4799 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4800 l2cap_send_ack(chan);
4801 break;
4802 case L2CAP_TXSEQ_UNEXPECTED:
4803 l2cap_pass_to_tx(chan, control);
4804
4805 /* Can't issue SREJ frames in the local busy state.
4806 * Drop this frame, it will be seen as missing
4807 * when local busy is exited.
4808 */
4809 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4810 BT_DBG("Busy, discarding unexpected seq %d",
4811 control->txseq);
4812 break;
4813 }
4814
4815 /* There was a gap in the sequence, so an SREJ
4816 * must be sent for each missing frame. The
4817 * current frame is stored for later use.
4818 */
4819 skb_queue_tail(&chan->srej_q, skb);
4820 skb_in_use = 1;
4821 BT_DBG("Queued %p (queue len %d)", skb,
4822 skb_queue_len(&chan->srej_q));
4823
4824 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4825 l2cap_seq_list_clear(&chan->srej_list);
4826 l2cap_send_srej(chan, control->txseq);
4827
4828 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4829 break;
4830 case L2CAP_TXSEQ_DUPLICATE:
4831 l2cap_pass_to_tx(chan, control);
4832 break;
4833 case L2CAP_TXSEQ_INVALID_IGNORE:
4834 break;
4835 case L2CAP_TXSEQ_INVALID:
4836 default:
4837 l2cap_send_disconn_req(chan->conn, chan,
4838 ECONNRESET);
4839 break;
4840 }
4841 break;
4842 case L2CAP_EV_RECV_RR:
4843 l2cap_pass_to_tx(chan, control);
4844 if (control->final) {
4845 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4846
4847 if (!test_and_clear_bit(CONN_REJ_ACT,
4848 &chan->conn_state)) {
4849 control->final = 0;
4850 l2cap_retransmit_all(chan, control);
4851 }
4852
4853 l2cap_ertm_send(chan);
4854 } else if (control->poll) {
4855 l2cap_send_i_or_rr_or_rnr(chan);
4856 } else {
4857 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4858 &chan->conn_state) &&
4859 chan->unacked_frames)
4860 __set_retrans_timer(chan);
4861
4862 l2cap_ertm_send(chan);
4863 }
4864 break;
4865 case L2CAP_EV_RECV_RNR:
4866 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4867 l2cap_pass_to_tx(chan, control);
4868 if (control && control->poll) {
4869 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4870 l2cap_send_rr_or_rnr(chan, 0);
4871 }
4872 __clear_retrans_timer(chan);
4873 l2cap_seq_list_clear(&chan->retrans_list);
4874 break;
4875 case L2CAP_EV_RECV_REJ:
4876 l2cap_handle_rej(chan, control);
4877 break;
4878 case L2CAP_EV_RECV_SREJ:
4879 l2cap_handle_srej(chan, control);
4880 break;
4881 default:
4882 break;
4883 }
4884
4885 if (skb && !skb_in_use) {
4886 BT_DBG("Freeing %p", skb);
4887 kfree_skb(skb);
4888 }
4889
4890 return err;
4891}
4892
4893static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4894 struct l2cap_ctrl *control,
4895 struct sk_buff *skb, u8 event)
4896{
4897 int err = 0;
4898 u16 txseq = control->txseq;
4899 bool skb_in_use = 0;
4900
4901 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4902 event);
4903
4904 switch (event) {
4905 case L2CAP_EV_RECV_IFRAME:
4906 switch (l2cap_classify_txseq(chan, txseq)) {
4907 case L2CAP_TXSEQ_EXPECTED:
4908 /* Keep frame for reassembly later */
4909 l2cap_pass_to_tx(chan, control);
4910 skb_queue_tail(&chan->srej_q, skb);
4911 skb_in_use = 1;
4912 BT_DBG("Queued %p (queue len %d)", skb,
4913 skb_queue_len(&chan->srej_q));
4914
4915 chan->expected_tx_seq = __next_seq(chan, txseq);
4916 break;
4917 case L2CAP_TXSEQ_EXPECTED_SREJ:
4918 l2cap_seq_list_pop(&chan->srej_list);
4919
4920 l2cap_pass_to_tx(chan, control);
4921 skb_queue_tail(&chan->srej_q, skb);
4922 skb_in_use = 1;
4923 BT_DBG("Queued %p (queue len %d)", skb,
4924 skb_queue_len(&chan->srej_q));
4925
4926 err = l2cap_rx_queued_iframes(chan);
4927 if (err)
4928 break;
4929
4930 break;
4931 case L2CAP_TXSEQ_UNEXPECTED:
4932 /* Got a frame that can't be reassembled yet.
4933 * Save it for later, and send SREJs to cover
4934 * the missing frames.
4935 */
4936 skb_queue_tail(&chan->srej_q, skb);
4937 skb_in_use = 1;
4938 BT_DBG("Queued %p (queue len %d)", skb,
4939 skb_queue_len(&chan->srej_q));
4940
4941 l2cap_pass_to_tx(chan, control);
4942 l2cap_send_srej(chan, control->txseq);
4943 break;
4944 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4945 /* This frame was requested with an SREJ, but
4946 * some expected retransmitted frames are
4947 * missing. Request retransmission of missing
4948 * SREJ'd frames.
4949 */
4950 skb_queue_tail(&chan->srej_q, skb);
4951 skb_in_use = 1;
4952 BT_DBG("Queued %p (queue len %d)", skb,
4953 skb_queue_len(&chan->srej_q));
4954
4955 l2cap_pass_to_tx(chan, control);
4956 l2cap_send_srej_list(chan, control->txseq);
4957 break;
4958 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4959 /* We've already queued this frame. Drop this copy. */
4960 l2cap_pass_to_tx(chan, control);
4961 break;
4962 case L2CAP_TXSEQ_DUPLICATE:
4963 /* Expecting a later sequence number, so this frame
4964 * was already received. Ignore it completely.
4965 */
4966 break;
4967 case L2CAP_TXSEQ_INVALID_IGNORE:
4968 break;
4969 case L2CAP_TXSEQ_INVALID:
4970 default:
4971 l2cap_send_disconn_req(chan->conn, chan,
4972 ECONNRESET);
4973 break;
4974 }
4975 break;
4976 case L2CAP_EV_RECV_RR:
4977 l2cap_pass_to_tx(chan, control);
4978 if (control->final) {
4979 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4980
4981 if (!test_and_clear_bit(CONN_REJ_ACT,
4982 &chan->conn_state)) {
4983 control->final = 0;
4984 l2cap_retransmit_all(chan, control);
4985 }
4986
4987 l2cap_ertm_send(chan);
4988 } else if (control->poll) {
4989 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4990 &chan->conn_state) &&
4991 chan->unacked_frames) {
4992 __set_retrans_timer(chan);
4993 }
4994
4995 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4996 l2cap_send_srej_tail(chan);
4997 } else {
4998 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4999 &chan->conn_state) &&
5000 chan->unacked_frames)
5001 __set_retrans_timer(chan);
5002
5003 l2cap_send_ack(chan);
5004 }
5005 break;
5006 case L2CAP_EV_RECV_RNR:
5007 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5008 l2cap_pass_to_tx(chan, control);
5009 if (control->poll) {
5010 l2cap_send_srej_tail(chan);
5011 } else {
5012 struct l2cap_ctrl rr_control;
5013 memset(&rr_control, 0, sizeof(rr_control));
5014 rr_control.sframe = 1;
5015 rr_control.super = L2CAP_SUPER_RR;
5016 rr_control.reqseq = chan->buffer_seq;
5017 l2cap_send_sframe(chan, &rr_control);
5018 }
5019
5020 break;
5021 case L2CAP_EV_RECV_REJ:
5022 l2cap_handle_rej(chan, control);
5023 break;
5024 case L2CAP_EV_RECV_SREJ:
5025 l2cap_handle_srej(chan, control);
5026 break;
5027 }
5028
5029 if (skb && !skb_in_use) {
5030 BT_DBG("Freeing %p", skb);
5031 kfree_skb(skb);
5032 }
5033
5034 return err;
5035}
5036
5037static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5038{
5039 /* Make sure reqseq is for a packet that has been sent but not acked */
5040 u16 unacked;
5041
5042 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5043 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5044}
5045
cec8ab6e
MM		 5046static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5047 struct sk_buff *skb, u8 event)
218bb9df 5048{
d2a7ac5d
MM		 5049 int err = 0;
5050
5051 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5052 control, skb, event, chan->rx_state);
5053
5054 if (__valid_reqseq(chan, control->reqseq)) {
5055 switch (chan->rx_state) {
5056 case L2CAP_RX_STATE_RECV:
5057 err = l2cap_rx_state_recv(chan, control, skb, event);
5058 break;
5059 case L2CAP_RX_STATE_SREJ_SENT:
5060 err = l2cap_rx_state_srej_sent(chan, control, skb,
5061 event);
5062 break;
5063 default:
5064 /* shut it down */
5065 break;
5066 }
5067 } else {
5068 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5069 control->reqseq, chan->next_tx_seq,
5070 chan->expected_ack_seq);
5071 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5072 }
5073
5074 return err;
cec8ab6e
MM		 5075}
5076
5077static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5078 struct sk_buff *skb)
5079{
4b51dae9
MM		 5080 int err = 0;
5081
5082 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5083 chan->rx_state);
5084
5085 if (l2cap_classify_txseq(chan, control->txseq) ==
5086 L2CAP_TXSEQ_EXPECTED) {
5087 l2cap_pass_to_tx(chan, control);
5088
5089 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5090 __next_seq(chan, chan->buffer_seq));
5091
5092 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5093
5094 l2cap_reassemble_sdu(chan, skb, control);
5095 } else {
5096 if (chan->sdu) {
5097 kfree_skb(chan->sdu);
5098 chan->sdu = NULL;
5099 }
5100 chan->sdu_last_frag = NULL;
5101 chan->sdu_len = 0;
5102
5103 if (skb) {
5104 BT_DBG("Freeing %p", skb);
5105 kfree_skb(skb);
5106 }
5107 }
5108
5109 chan->last_acked_seq = control->txseq;
5110 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5111
5112 return err;
cec8ab6e
MM		 5113}
5114
5115static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5116{
5117 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5118 u16 len;
5119 u8 event;
218bb9df 5120
b76bbd66
MM		 5121 __unpack_control(chan, skb);
5122
218bb9df
GP		 5123 len = skb->len;
5124
5125 /*
5126 * We can just drop the corrupted I-frame here.
5127 * Receiver will miss it and start proper recovery
cec8ab6e 5128 * procedures and ask for retransmission.
218bb9df 5129 */
47d1ec61 5130 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5131 goto drop;
5132
cec8ab6e 5133 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5134 len -= L2CAP_SDULEN_SIZE;
218bb9df 5135
47d1ec61 5136 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5137 len -= L2CAP_FCS_SIZE;
218bb9df 5138
47d1ec61 5139 if (len > chan->mps) {
8c1d787b 5140 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5141 goto drop;
5142 }
5143
cec8ab6e
MM		 5144 if (!control->sframe) {
5145 int err;
218bb9df 5146
cec8ab6e
MM		 5147 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5148 control->sar, control->reqseq, control->final,
5149 control->txseq);
218bb9df 5150
cec8ab6e
MM		 5151 /* Validate F-bit - F=0 always valid, F=1 only
5152 * valid in TX WAIT_F
5153 */
5154 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5155 goto drop;
cec8ab6e
MM		 5156
5157 if (chan->mode != L2CAP_MODE_STREAMING) {
5158 event = L2CAP_EV_RECV_IFRAME;
5159 err = l2cap_rx(chan, control, skb, event);
5160 } else {
5161 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5162 }
5163
cec8ab6e
MM		 5164 if (err)
5165 l2cap_send_disconn_req(chan->conn, chan,
5166 ECONNRESET);
218bb9df 5167 } else {
cec8ab6e
MM		 5168 const u8 rx_func_to_event[4] = {
5169 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5170 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5171 };
5172
5173 /* Only I-frames are expected in streaming mode */
5174 if (chan->mode == L2CAP_MODE_STREAMING)
5175 goto drop;
5176
5177 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5178 control->reqseq, control->final, control->poll,
5179 control->super);
5180
218bb9df
GP		 5181 if (len != 0) {
5182 BT_ERR("%d", len);
8c1d787b 5183 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5184 goto drop;
5185 }
5186
cec8ab6e
MM		 5187 /* Validate F and P bits */
5188 if (control->final && (control->poll ||
5189 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5190 goto drop;
5191
5192 event = rx_func_to_event[control->super];
5193 if (l2cap_rx(chan, control, skb, event))
5194 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5195 }
5196
5197 return 0;
5198
5199drop:
5200 kfree_skb(skb);
5201 return 0;
5202}
5203
13ca56e0
AE		 5204static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5205 struct sk_buff *skb)
1da177e4 5206{
48454079 5207 struct l2cap_chan *chan;
1da177e4 5208
baa7e1fa 5209 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5210 if (!chan) {
97e8e89d
AE		 5211 if (cid == L2CAP_CID_A2MP) {
5212 chan = a2mp_channel_create(conn, skb);
5213 if (!chan) {
5214 kfree_skb(skb);
13ca56e0 5215 return;
97e8e89d
AE		 5216 }
5217
5218 l2cap_chan_lock(chan);
5219 } else {
5220 BT_DBG("unknown cid 0x%4.4x", cid);
5221 /* Drop packet and return */
5222 kfree_skb(skb);
13ca56e0 5223 return;
97e8e89d 5224 }
1da177e4
LT		 5225 }
5226
49208c9c 5227 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5228
89bc500e 5229 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5230 goto drop;
5231
0c1bc5c6 5232 switch (chan->mode) {
1c2acffb
GP		 5233 case L2CAP_MODE_BASIC:
5234 /* If socket recv buffers overflows we drop data here
5235 * which is *bad* because L2CAP has to be reliable.
5236 * But we don't have any other choice. L2CAP doesn't
5237 * provide flow control mechanism. */
1da177e4 5238
0c1bc5c6 5239 if (chan->imtu < skb->len)
1c2acffb 5240 goto drop;
1da177e4 5241
80b98027 5242 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5243 goto done;
5244 break;
5245
5246 case L2CAP_MODE_ERTM:
6840ed07 5247 case L2CAP_MODE_STREAMING:
cec8ab6e 5248 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5249 goto done;
5250
1c2acffb 5251 default:
0c1bc5c6 5252 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5253 break;
5254 }
1da177e4
LT		 5255
5256drop:
5257 kfree_skb(skb);
5258
5259done:
6be36555 5260 l2cap_chan_unlock(chan);
1da177e4
LT		 5261}
5262
84104b24
AE		 5263static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5264 struct sk_buff *skb)
1da177e4 5265{
23691d75 5266 struct l2cap_chan *chan;
1da177e4 5267
c2287681 5268 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5269 if (!chan)
1da177e4
LT		 5270 goto drop;
5271
5b4cedaa 5272 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5273
89bc500e 5274 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5275 goto drop;
5276
e13e21dc 5277 if (chan->imtu < skb->len)
1da177e4
LT		 5278 goto drop;
5279
80b98027 5280 if (!chan->ops->recv(chan, skb))
84104b24 5281 return;
1da177e4
LT		 5282
5283drop:
5284 kfree_skb(skb);
1da177e4
LT		 5285}
5286
6810fca7
AE		 5287static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5288 struct sk_buff *skb)
9f69bda6 5289{
23691d75 5290 struct l2cap_chan *chan;
9f69bda6 5291
c2287681 5292 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5293 if (!chan)
9f69bda6
GP		 5294 goto drop;
5295
5b4cedaa 5296 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5297
89bc500e 5298 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5299 goto drop;
5300
e13e21dc 5301 if (chan->imtu < skb->len)
9f69bda6
GP		 5302 goto drop;
5303
80b98027 5304 if (!chan->ops->recv(chan, skb))
6810fca7 5305 return;
9f69bda6
GP		 5306
5307drop:
5308 kfree_skb(skb);
9f69bda6
GP		 5309}
5310
1da177e4
LT		 5311static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5312{
5313 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5314 u16 cid, len;
5315 __le16 psm;
1da177e4
LT		 5316
5317 skb_pull(skb, L2CAP_HDR_SIZE);
5318 cid = __le16_to_cpu(lh->cid);
5319 len = __le16_to_cpu(lh->len);
5320
1c2acffb
GP		 5321 if (len != skb->len) {
5322 kfree_skb(skb);
5323 return;
5324 }
5325
1da177e4
LT		 5326 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5327
5328 switch (cid) {
3300d9a9 5329 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5330 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5331 l2cap_sig_channel(conn, skb);
5332 break;
5333
8db4dc46 5334 case L2CAP_CID_CONN_LESS:
097db76c 5335 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5336 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5337 l2cap_conless_channel(conn, psm, skb);
5338 break;
5339
9f69bda6
GP		 5340 case L2CAP_CID_LE_DATA:
5341 l2cap_att_channel(conn, cid, skb);
5342 break;
5343
b501d6a1
AB		 5344 case L2CAP_CID_SMP:
5345 if (smp_sig_channel(conn, skb))
5346 l2cap_conn_del(conn->hcon, EACCES);
5347 break;
5348
1da177e4
LT		 5349 default:
5350 l2cap_data_channel(conn, cid, skb);
5351 break;
5352 }
5353}
5354
5355/* ---- L2CAP interface with lower layer (HCI) ---- */
5356
686ebf28 5357int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5358{
5359 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5360 struct l2cap_chan *c;
1da177e4 5361
6ed93dc6 5362 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5363
5364 /* Find listening sockets and check their link_mode */
23691d75
GP		 5365 read_lock(&chan_list_lock);
5366 list_for_each_entry(c, &chan_list, global_l) {
5367 struct sock *sk = c->sk;
4343478f 5368
89bc500e 5369 if (c->state != BT_LISTEN)
1da177e4
LT		 5370 continue;
5371
5372 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5373 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5374 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5375 lm1 |= HCI_LM_MASTER;
1da177e4 5376 exact++;
2af6b9d5
MH		 5377 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5378 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5379 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5380 lm2 |= HCI_LM_MASTER;
5381 }
1da177e4 5382 }
23691d75 5383 read_unlock(&chan_list_lock);
1da177e4
LT		 5384
5385 return exact ? lm1 : lm2;
5386}
5387
9e664631 5388void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5389{
0139418c
MH		 5390 struct l2cap_conn *conn;
5391
6ed93dc6 5392 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5393
1da177e4 5394 if (!status) {
1da177e4
LT		 5395 conn = l2cap_conn_add(hcon, status);
5396 if (conn)
5397 l2cap_conn_ready(conn);
0139418c 5398 } else
e175072f 5399 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5400
1da177e4
LT		 5401}
5402
686ebf28 5403int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5404{
5405 struct l2cap_conn *conn = hcon->l2cap_data;
5406
5407 BT_DBG("hcon %p", hcon);
5408
686ebf28 5409 if (!conn)
9f5a0d7b 5410 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5411 return conn->disc_reason;
5412}
5413
9e664631 5414void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5415{
5416 BT_DBG("hcon %p reason %d", hcon, reason);
5417
e175072f 5418 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5419}
5420
4343478f 5421static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5422{
715ec005 5423 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5424 return;
5425
f62e4323 5426 if (encrypt == 0x00) {
4343478f 5427 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5428 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5429 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5430 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5431 } else {
4343478f 5432 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5433 __clear_chan_timer(chan);
f62e4323
MH		 5434 }
5435}
5436
686ebf28 5437int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5438{
0139418c 5439 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5440 struct l2cap_chan *chan;
1da177e4 5441
0139418c 5442 if (!conn)
1da177e4 5443 return 0;
0139418c 5444
89d8b407 5445 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5446
160dc6ac 5447 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5448 if (!status && encrypt)
5449 smp_distribute_keys(conn, 0);
17cd3f37 5450 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5451 }
5452
3df91ea2 5453 mutex_lock(&conn->chan_lock);
1da177e4 5454
3df91ea2 5455 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5456 l2cap_chan_lock(chan);
1da177e4 5457
89d8b407
AE		 5458 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5459 state_to_string(chan->state));
f1cb9af5 5460
78eb2f98
AE		 5461 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5462 l2cap_chan_unlock(chan);
5463 continue;
5464 }
5465
f1cb9af5
VCG		 5466 if (chan->scid == L2CAP_CID_LE_DATA) {
5467 if (!status && encrypt) {
5468 chan->sec_level = hcon->sec_level;
cf4cd009 5469 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5470 }
5471
6be36555 5472 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5473 continue;
5474 }
5475
c1360a1c 5476 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5477 l2cap_chan_unlock(chan);
6a8d3010
MH		 5478 continue;
5479 }
5480
89bc500e
GP		 5481 if (!status && (chan->state == BT_CONNECTED ||
5482 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5483 struct sock *sk = chan->sk;
5484
c5daa683 5485 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5486 sk->sk_state_change(sk);
5487
4343478f 5488 l2cap_check_encryption(chan, encrypt);
6be36555 5489 l2cap_chan_unlock(chan);
9719f8af
MH		 5490 continue;
5491 }
5492
89bc500e 5493 if (chan->state == BT_CONNECT) {
b1235d79 5494 if (!status) {
93c3e8f5 5495 l2cap_start_connection(chan);
b1235d79 5496 } else {
ba13ccd9 5497 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5498 }
89bc500e 5499 } else if (chan->state == BT_CONNECT2) {
6be36555 5500 struct sock *sk = chan->sk;
b1235d79 5501 struct l2cap_conn_rsp rsp;
df3c3931 5502 __u16 res, stat;
1da177e4 5503
6be36555
AE		 5504 lock_sock(sk);
5505
b1235d79 5506 if (!status) {
c5daa683
GP		 5507 if (test_bit(BT_SK_DEFER_SETUP,
5508 &bt_sk(sk)->flags)) {
df3c3931
JH		 5509 struct sock *parent = bt_sk(sk)->parent;
5510 res = L2CAP_CR_PEND;
5511 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5512 if (parent)
5513 parent->sk_data_ready(parent, 0);
df3c3931 5514 } else {
0e587be7 5515 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5516 res = L2CAP_CR_SUCCESS;
5517 stat = L2CAP_CS_NO_INFO;
5518 }
b1235d79 5519 } else {
0e587be7 5520 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5521 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5522 res = L2CAP_CR_SEC_BLOCK;
5523 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5524 }
5525
6be36555
AE		 5526 release_sock(sk);
5527
fe4128e0
GP		 5528 rsp.scid = cpu_to_le16(chan->dcid);
5529 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5530 rsp.result = cpu_to_le16(res);
5531 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5532 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5533 sizeof(rsp), &rsp);
2d369359
MM		 5534
5535 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5536 res == L2CAP_CR_SUCCESS) {
5537 char buf[128];
5538 set_bit(CONF_REQ_SENT, &chan->conf_state);
5539 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5540 L2CAP_CONF_REQ,
5541 l2cap_build_conf_req(chan, buf),
5542 buf);
5543 chan->num_conf_req++;
5544 }
b1235d79 5545 }
1da177e4 5546
6be36555 5547 l2cap_chan_unlock(chan);
1da177e4
LT		 5548 }
5549
3df91ea2 5550 mutex_unlock(&conn->chan_lock);
b1235d79 5551
1da177e4
LT		 5552 return 0;
5553}
5554
686ebf28 5555int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5556{
5557 struct l2cap_conn *conn = hcon->l2cap_data;
5558
5a08ecce
AE		 5559 if (!conn)
5560 conn = l2cap_conn_add(hcon, 0);
5561
5562 if (!conn)
1da177e4
LT		 5563 goto drop;
5564
5565 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5566
e702112f 5567 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5568 struct l2cap_hdr *hdr;
5569 int len;
5570
5571 if (conn->rx_len) {
5572 BT_ERR("Unexpected start frame (len %d)", skb->len);
5573 kfree_skb(conn->rx_skb);
5574 conn->rx_skb = NULL;
5575 conn->rx_len = 0;
5576 l2cap_conn_unreliable(conn, ECOMM);
5577 }
5578
aae7fe22
AE		 5579 /* Start fragment always begin with Basic L2CAP header */
5580 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5581 BT_ERR("Frame is too short (len %d)", skb->len);
5582 l2cap_conn_unreliable(conn, ECOMM);
5583 goto drop;
5584 }
5585
5586 hdr = (struct l2cap_hdr *) skb->data;
5587 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5588
5589 if (len == skb->len) {
5590 /* Complete frame received */
5591 l2cap_recv_frame(conn, skb);
5592 return 0;
5593 }
5594
5595 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5596
5597 if (skb->len > len) {
5598 BT_ERR("Frame is too long (len %d, expected len %d)",
5599 skb->len, len);
5600 l2cap_conn_unreliable(conn, ECOMM);
5601 goto drop;
5602 }
5603
5604 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5605 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5606 if (!conn->rx_skb)
1da177e4
LT		 5607 goto drop;
5608
d626f62b 5609 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5610 skb->len);
1da177e4
LT		 5611 conn->rx_len = len - skb->len;
5612 } else {
5613 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5614
5615 if (!conn->rx_len) {
5616 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5617 l2cap_conn_unreliable(conn, ECOMM);
5618 goto drop;
5619 }
5620
5621 if (skb->len > conn->rx_len) {
5622 BT_ERR("Fragment is too long (len %d, expected %d)",
5623 skb->len, conn->rx_len);
5624 kfree_skb(conn->rx_skb);
5625 conn->rx_skb = NULL;
5626 conn->rx_len = 0;
5627 l2cap_conn_unreliable(conn, ECOMM);
5628 goto drop;
5629 }
5630
d626f62b 5631 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5632 skb->len);
1da177e4
LT		 5633 conn->rx_len -= skb->len;
5634
5635 if (!conn->rx_len) {
5636 /* Complete frame received */
5637 l2cap_recv_frame(conn, conn->rx_skb);
5638 conn->rx_skb = NULL;
5639 }
5640 }
5641
5642drop:
5643 kfree_skb(skb);
5644 return 0;
5645}
5646
aef7d97c 5647static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5648{
23691d75 5649 struct l2cap_chan *c;
1da177e4 5650
333055f2 5651 read_lock(&chan_list_lock);
1da177e4 5652
23691d75
GP		 5653 list_for_each_entry(c, &chan_list, global_l) {
5654 struct sock *sk = c->sk;
101545f6 5655
fcb73338
AE		 5656 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5657 &bt_sk(sk)->src, &bt_sk(sk)->dst,
5658 c->state, __le16_to_cpu(c->psm),
5659 c->scid, c->dcid, c->imtu, c->omtu,
5660 c->sec_level, c->mode);
61e1b4b7 5661 }
1da177e4 5662
333055f2 5663 read_unlock(&chan_list_lock);
1da177e4 5664
aef7d97c 5665 return 0;
1da177e4
LT		 5666}
5667
aef7d97c
MH		 5668static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5669{
5670 return single_open(file, l2cap_debugfs_show, inode->i_private);
5671}
5672
5673static const struct file_operations l2cap_debugfs_fops = {
5674 .open = l2cap_debugfs_open,
5675 .read = seq_read,
5676 .llseek = seq_lseek,
5677 .release = single_release,
5678};
5679
5680static struct dentry *l2cap_debugfs;
1da177e4 5681
64274518 5682int __init l2cap_init(void)
1da177e4
LT		 5683{
5684 int err;
be9d1227 5685
bb58f747 5686 err = l2cap_init_sockets();
1da177e4
LT		 5687 if (err < 0)
5688 return err;
5689
aef7d97c
MH		 5690 if (bt_debugfs) {
5691 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5692 bt_debugfs, NULL, &l2cap_debugfs_fops);
5693 if (!l2cap_debugfs)
5694 BT_ERR("Failed to create L2CAP debug file");
5695 }
1da177e4 5696
1da177e4 5697 return 0;
1da177e4
LT		 5698}
5699
64274518 5700void l2cap_exit(void)
1da177e4 5701{
aef7d97c 5702 debugfs_remove(l2cap_debugfs);
bb58f747 5703 l2cap_cleanup_sockets();
1da177e4
LT		 5704}
5705
d1c4a17d
GP		 5706module_param(disable_ertm, bool, 0644);
5707MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)