projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: mgmt: Fix enabling LE while powered off
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 434 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 435 chan->sec_level = BT_SECURITY_LOW;
436
437 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
438}
439
14a28491 440static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 441{
af05b30b 442 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 443 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 444
9f5a0d7b 445 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 446
8c1d787b 447 chan->conn = conn;
0139418c 448
5491120e
AE		 449 switch (chan->chan_type) {
450 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 451 if (conn->hcon->type == LE_LINK) {
452 /* LE connection */
6fcb06a2 453 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 454 chan->scid = L2CAP_CID_LE_DATA;
455 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 456 } else {
457 /* Alloc CID for connection-oriented socket */
fe4128e0 458 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 459 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 460 }
5491120e
AE		 461 break;
462
463 case L2CAP_CHAN_CONN_LESS:
0139418c 464 /* Connectionless socket */
fe4128e0
GP		 465 chan->scid = L2CAP_CID_CONN_LESS;
466 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 467 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 468 break;
469
416fa752
AE		 470 case L2CAP_CHAN_CONN_FIX_A2MP:
471 chan->scid = L2CAP_CID_A2MP;
472 chan->dcid = L2CAP_CID_A2MP;
473 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
474 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
475 break;
476
5491120e 477 default:
0139418c 478 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 479 chan->scid = L2CAP_CID_SIGNALING;
480 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 481 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 482 }
483
8f7975b1
AE		 484 chan->local_id = L2CAP_BESTEFFORT_ID;
485 chan->local_stype = L2CAP_SERV_BESTEFFORT;
486 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
487 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
488 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
489 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
490
371fd835 491 l2cap_chan_hold(chan);
baa7e1fa 492
3df91ea2 493 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 494}
495
466f8004 496void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 497{
498 mutex_lock(&conn->chan_lock);
499 __l2cap_chan_add(conn, chan);
3df91ea2 500 mutex_unlock(&conn->chan_lock);
0139418c
MH		 501}
502
466f8004 503void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 504{
8c1d787b 505 struct l2cap_conn *conn = chan->conn;
0139418c 506
c9b66675 507 __clear_chan_timer(chan);
0139418c 508
49208c9c 509 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 510
8e87d142 511 if (conn) {
baa7e1fa 512 /* Delete from channel list */
3df91ea2 513 list_del(&chan->list);
3d57dc68 514
371fd835 515 l2cap_chan_put(chan);
baa7e1fa 516
8c1d787b 517 chan->conn = NULL;
3cabbfda
AE		 518
519 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
520 hci_conn_put(conn->hcon);
0139418c
MH		 521 }
522
c0df7f6e
AE		 523 if (chan->ops->teardown)
524 chan->ops->teardown(chan, err);
6be36555 525
2827011f 526 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 527 return;
2ead70b8 528
ee556f66
GP		 529 switch(chan->mode) {
530 case L2CAP_MODE_BASIC:
531 break;
c13ffa62 532
ee556f66 533 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 534 __clear_retrans_timer(chan);
535 __clear_monitor_timer(chan);
536 __clear_ack_timer(chan);
c13ffa62 537
f1c6775b 538 skb_queue_purge(&chan->srej_q);
c13ffa62 539
3c588192
MM		 540 l2cap_seq_list_free(&chan->srej_list);
541 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 542
543 /* fall through */
544
545 case L2CAP_MODE_STREAMING:
546 skb_queue_purge(&chan->tx_q);
547 break;
c13ffa62 548 }
ee556f66
GP		 549
550 return;
0139418c
MH		 551}
552
0f852724 553void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 554{
555 struct l2cap_conn *conn = chan->conn;
556 struct sock *sk = chan->sk;
557
e05dcc32
AE		 558 BT_DBG("chan %p state %s sk %p", chan,
559 state_to_string(chan->state), sk);
4519de9a 560
89bc500e 561 switch (chan->state) {
4519de9a 562 case BT_LISTEN:
c0df7f6e
AE		 563 if (chan->ops->teardown)
564 chan->ops->teardown(chan, 0);
4519de9a
GP		 565 break;
566
567 case BT_CONNECTED:
568 case BT_CONFIG:
715ec005 569 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 570 conn->hcon->type == ACL_LINK) {
c9b66675 571 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 572 l2cap_send_disconn_req(conn, chan, reason);
573 } else
574 l2cap_chan_del(chan, reason);
575 break;
576
577 case BT_CONNECT2:
715ec005 578 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 579 conn->hcon->type == ACL_LINK) {
580 struct l2cap_conn_rsp rsp;
581 __u16 result;
582
c5daa683 583 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 584 result = L2CAP_CR_SEC_BLOCK;
585 else
586 result = L2CAP_CR_BAD_PSM;
89bc500e 587 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 588
589 rsp.scid = cpu_to_le16(chan->dcid);
590 rsp.dcid = cpu_to_le16(chan->scid);
591 rsp.result = cpu_to_le16(result);
ac73498c 592 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 593 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
594 sizeof(rsp), &rsp);
595 }
596
597 l2cap_chan_del(chan, reason);
598 break;
599
600 case BT_CONNECT:
601 case BT_DISCONN:
602 l2cap_chan_del(chan, reason);
603 break;
604
605 default:
c0df7f6e
AE		 606 if (chan->ops->teardown)
607 chan->ops->teardown(chan, 0);
4519de9a
GP		 608 break;
609 }
610}
611
4343478f 612static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 613{
715ec005 614 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 615 switch (chan->sec_level) {
8556edd3
JH		 616 case BT_SECURITY_HIGH:
617 return HCI_AT_DEDICATED_BONDING_MITM;
618 case BT_SECURITY_MEDIUM:
619 return HCI_AT_DEDICATED_BONDING;
620 default:
621 return HCI_AT_NO_BONDING;
622 }
2983fd68 623 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 624 if (chan->sec_level == BT_SECURITY_LOW)
625 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 626
4343478f 627 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 628 return HCI_AT_NO_BONDING_MITM;
00ae4af9 629 else
8556edd3 630 return HCI_AT_NO_BONDING;
00ae4af9 631 } else {
4343478f 632 switch (chan->sec_level) {
00ae4af9 633 case BT_SECURITY_HIGH:
8556edd3 634 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 635 case BT_SECURITY_MEDIUM:
8556edd3 636 return HCI_AT_GENERAL_BONDING;
00ae4af9 637 default:
8556edd3 638 return HCI_AT_NO_BONDING;
00ae4af9 639 }
0684e5f9 640 }
8556edd3
JH		 641}
642
643/* Service level security */
d45fc423 644int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 645{
8c1d787b 646 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 647 __u8 auth_type;
648
4343478f 649 auth_type = l2cap_get_auth_type(chan);
79d554a6 650
4343478f 651 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 652}
653
b5ad8b7f 654static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 655{
656 u8 id;
657
658 /* Get next available identificator.
659 * 1 - 128 are used by kernel.
660 * 129 - 199 are reserved.
661 * 200 - 254 are used by utilities like l2ping, etc.
662 */
663
333055f2 664 spin_lock(&conn->lock);
4e8402a3
MH		 665
666 if (++conn->tx_ident > 128)
667 conn->tx_ident = 1;
668
669 id = conn->tx_ident;
670
333055f2 671 spin_unlock(&conn->lock);
4e8402a3
MH		 672
673 return id;
674}
675
4519de9a 676static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 677{
678 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 679 u8 flags;
4e8402a3
MH		 680
681 BT_DBG("code 0x%2.2x", code);
682
683 if (!skb)
9a9c6a34 684 return;
4e8402a3 685
e702112f
AE		 686 if (lmp_no_flush_capable(conn->hcon->hdev))
687 flags = ACL_START_NO_FLUSH;
688 else
689 flags = ACL_START;
690
14b12d0b 691 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 692 skb->priority = HCI_PRIO_MAX;
14b12d0b 693
73d80deb
LAD		 694 hci_send_acl(conn->hchan, skb, flags);
695}
696
697static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
698{
699 struct hci_conn *hcon = chan->conn->hcon;
700 u16 flags;
701
702 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
703 skb->priority);
704
705 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
706 lmp_no_flush_capable(hcon->hdev))
707 flags = ACL_START_NO_FLUSH;
708 else
709 flags = ACL_START;
14b12d0b 710
73d80deb
LAD		 711 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
712 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 713}
714
b76bbd66
MM		 715static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
716{
717 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
718 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
719
720 if (enh & L2CAP_CTRL_FRAME_TYPE) {
721 /* S-Frame */
722 control->sframe = 1;
723 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
724 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
725
726 control->sar = 0;
727 control->txseq = 0;
728 } else {
729 /* I-Frame */
730 control->sframe = 0;
731 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
732 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
733
734 control->poll = 0;
735 control->super = 0;
736 }
737}
738
b76bbd66
MM		 739static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
740{
741 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
742 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
743
744 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
745 /* S-Frame */
746 control->sframe = 1;
747 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
748 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
749
750 control->sar = 0;
751 control->txseq = 0;
752 } else {
753 /* I-Frame */
754 control->sframe = 0;
755 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
756 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
757
758 control->poll = 0;
759 control->super = 0;
760 }
761}
762
763static inline void __unpack_control(struct l2cap_chan *chan,
764 struct sk_buff *skb)
765{
766 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
767 __unpack_extended_control(get_unaligned_le32(skb->data),
768 &bt_cb(skb)->control);
cec8ab6e 769 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 770 } else {
771 __unpack_enhanced_control(get_unaligned_le16(skb->data),
772 &bt_cb(skb)->control);
cec8ab6e 773 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 774 }
775}
776
b5c6aaed
MM		 777static u32 __pack_extended_control(struct l2cap_ctrl *control)
778{
779 u32 packed;
780
781 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
782 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
783
784 if (control->sframe) {
785 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
786 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
787 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
788 } else {
789 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
790 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
791 }
792
793 return packed;
794}
795
796static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
797{
798 u16 packed;
799
800 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
801 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
802
803 if (control->sframe) {
804 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
805 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
806 packed |= L2CAP_CTRL_FRAME_TYPE;
807 } else {
808 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
809 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
810 }
811
812 return packed;
813}
814
b76bbd66
MM		 815static inline void __pack_control(struct l2cap_chan *chan,
816 struct l2cap_ctrl *control,
817 struct sk_buff *skb)
818{
819 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
820 put_unaligned_le32(__pack_extended_control(control),
821 skb->data + L2CAP_HDR_SIZE);
822 } else {
823 put_unaligned_le16(__pack_enhanced_control(control),
824 skb->data + L2CAP_HDR_SIZE);
825 }
826}
827
ba7aa64f
GP		 828static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
829{
830 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
831 return L2CAP_EXT_HDR_SIZE;
832 else
833 return L2CAP_ENH_HDR_SIZE;
834}
835
a67d7f6f
MM		 836static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
837 u32 control)
b5c6aaed
MM		 838{
839 struct sk_buff *skb;
840 struct l2cap_hdr *lh;
ba7aa64f 841 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 842
843 if (chan->fcs == L2CAP_FCS_CRC16)
844 hlen += L2CAP_FCS_SIZE;
845
a67d7f6f 846 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 847
b5c6aaed 848 if (!skb)
a67d7f6f 849 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 850
851 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
852 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
853 lh->cid = cpu_to_le16(chan->dcid);
854
a67d7f6f
MM		 855 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
856 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
857 else
858 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 859
860 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 861 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 862 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
863 }
864
865 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 866 return skb;
867}
868
869static void l2cap_send_sframe(struct l2cap_chan *chan,
870 struct l2cap_ctrl *control)
871{
872 struct sk_buff *skb;
873 u32 control_field;
874
875 BT_DBG("chan %p, control %p", chan, control);
876
877 if (!control->sframe)
878 return;
879
880 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
881 !control->poll)
882 control->final = 1;
883
884 if (control->super == L2CAP_SUPER_RR)
885 clear_bit(CONN_RNR_SENT, &chan->conn_state);
886 else if (control->super == L2CAP_SUPER_RNR)
887 set_bit(CONN_RNR_SENT, &chan->conn_state);
888
889 if (control->super != L2CAP_SUPER_SREJ) {
890 chan->last_acked_seq = control->reqseq;
891 __clear_ack_timer(chan);
892 }
893
894 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
895 control->final, control->poll, control->super);
896
897 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
898 control_field = __pack_extended_control(control);
899 else
900 control_field = __pack_enhanced_control(control);
901
902 skb = l2cap_create_sframe_pdu(chan, control_field);
903 if (!IS_ERR(skb))
904 l2cap_do_send(chan, skb);
b5c6aaed
MM		 905}
906
c9e3d5e0 907static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 908{
c9e3d5e0
MM		 909 struct l2cap_ctrl control;
910
911 BT_DBG("chan %p, poll %d", chan, poll);
912
913 memset(&control, 0, sizeof(control));
914 control.sframe = 1;
915 control.poll = poll;
916
917 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
918 control.super = L2CAP_SUPER_RNR;
919 else
920 control.super = L2CAP_SUPER_RR;
b5c6aaed 921
c9e3d5e0
MM		 922 control.reqseq = chan->buffer_seq;
923 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 924}
925
b4450035 926static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 927{
c1360a1c 928 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 929}
930
9b27f350
AE		 931static void l2cap_send_conn_req(struct l2cap_chan *chan)
932{
933 struct l2cap_conn *conn = chan->conn;
934 struct l2cap_conn_req req;
935
936 req.scid = cpu_to_le16(chan->scid);
937 req.psm = chan->psm;
938
939 chan->ident = l2cap_get_ident(conn);
940
941 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
942
943 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
944}
945
9f0caeb1
VCG		 946static void l2cap_chan_ready(struct l2cap_chan *chan)
947{
2827011f 948 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 949 chan->conf_state = 0;
950 __clear_chan_timer(chan);
951
54a59aa2 952 chan->state = BT_CONNECTED;
9f0caeb1 953
fd83e2c2 954 chan->ops->ready(chan);
9f0caeb1
VCG		 955}
956
fc7f8a7e 957static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 958{
8c1d787b 959 struct l2cap_conn *conn = chan->conn;
79d554a6 960
9f0caeb1
VCG		 961 if (conn->hcon->type == LE_LINK) {
962 l2cap_chan_ready(chan);
963 return;
964 }
965
79d554a6 966 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 967 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
968 return;
969
d45fc423 970 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 971 __l2cap_no_conn_pending(chan))
972 l2cap_send_conn_req(chan);
79d554a6
MH		 973 } else {
974 struct l2cap_info_req req;
ac73498c 975 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 976
977 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
978 conn->info_ident = l2cap_get_ident(conn);
979
ba13ccd9 980 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 981
982 l2cap_send_cmd(conn, conn->info_ident,
983 L2CAP_INFO_REQ, sizeof(req), &req);
984 }
985}
986
cf6c2c0b
GP		 987static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
988{
989 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 990 if (!disable_ertm)
cf6c2c0b
GP		 991 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
992
993 switch (mode) {
994 case L2CAP_MODE_ERTM:
995 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
996 case L2CAP_MODE_STREAMING:
997 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
998 default:
999 return 0x00;
1000 }
1001}
1002
4519de9a 1003static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1004{
6be36555 1005 struct sock *sk = chan->sk;
22121fc9
GP		 1006 struct l2cap_disconn_req req;
1007
c13ffa62
GP		 1008 if (!conn)
1009 return;
1010
0c1bc5c6 1011 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1012 __clear_retrans_timer(chan);
1013 __clear_monitor_timer(chan);
1014 __clear_ack_timer(chan);
c13ffa62
GP		 1015 }
1016
416fa752
AE		 1017 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1018 __l2cap_state_change(chan, BT_DISCONN);
1019 return;
1020 }
1021
fe4128e0
GP		 1022 req.dcid = cpu_to_le16(chan->dcid);
1023 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1024 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1025 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1026
6be36555 1027 lock_sock(sk);
0e587be7 1028 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1029 __l2cap_chan_set_err(chan, err);
6be36555 1030 release_sock(sk);
22121fc9
GP		 1031}
1032
1da177e4 1033/* ---- L2CAP connections ---- */
4e8402a3
MH		 1034static void l2cap_conn_start(struct l2cap_conn *conn)
1035{
3df91ea2 1036 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1037
1038 BT_DBG("conn %p", conn);
1039
3df91ea2 1040 mutex_lock(&conn->chan_lock);
4e8402a3 1041
3df91ea2 1042 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1043 struct sock *sk = chan->sk;
baa7e1fa 1044
6be36555 1045 l2cap_chan_lock(chan);
4e8402a3 1046
715ec005 1047 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1048 l2cap_chan_unlock(chan);
79d554a6
MH		 1049 continue;
1050 }
1051
89bc500e 1052 if (chan->state == BT_CONNECT) {
d45fc423 1053 if (!l2cap_chan_check_security(chan) ||
b4450035 1054 !__l2cap_no_conn_pending(chan)) {
6be36555 1055 l2cap_chan_unlock(chan);
47731de7
GP		 1056 continue;
1057 }
79d554a6 1058
c1360a1c
GP		 1059 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1060 && test_bit(CONF_STATE2_DEVICE,
1061 &chan->conf_state)) {
89bc500e 1062 l2cap_chan_close(chan, ECONNRESET);
6be36555 1063 l2cap_chan_unlock(chan);
47731de7 1064 continue;
b1235d79 1065 }
47731de7 1066
9b27f350 1067 l2cap_send_conn_req(chan);
47731de7 1068
89bc500e 1069 } else if (chan->state == BT_CONNECT2) {
79d554a6 1070 struct l2cap_conn_rsp rsp;
e9aeb2dd 1071 char buf[128];
fe4128e0
GP		 1072 rsp.scid = cpu_to_le16(chan->dcid);
1073 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1074
d45fc423 1075 if (l2cap_chan_check_security(chan)) {
6be36555 1076 lock_sock(sk);
c5daa683
GP		 1077 if (test_bit(BT_SK_DEFER_SETUP,
1078 &bt_sk(sk)->flags)) {
f66dc81f 1079 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1080 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1081 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1082 if (parent)
1083 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1084
1085 } else {
0e587be7 1086 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1087 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1088 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1089 }
6be36555 1090 release_sock(sk);
79d554a6 1091 } else {
ac73498c
AE		 1092 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1093 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1094 }
1095
fc7f8a7e
GP		 1096 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1097 sizeof(rsp), &rsp);
e9aeb2dd 1098
c1360a1c 1099 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1100 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1101 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1102 continue;
1103 }
1104
c1360a1c 1105 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1106 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1107 l2cap_build_conf_req(chan, buf), buf);
1108 chan->num_conf_req++;
4e8402a3
MH		 1109 }
1110
6be36555 1111 l2cap_chan_unlock(chan);
4e8402a3
MH		 1112 }
1113
3df91ea2 1114 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1115}
1116
c2287681 1117/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1118 * Returns closest match, locked.
1119 */
d9b88702 1120static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1121 bdaddr_t *src,
1122 bdaddr_t *dst)
b62f328b 1123{
23691d75 1124 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1125
23691d75 1126 read_lock(&chan_list_lock);
b62f328b 1127
23691d75
GP		 1128 list_for_each_entry(c, &chan_list, global_l) {
1129 struct sock *sk = c->sk;
fe4128e0 1130
89bc500e 1131 if (state && c->state != state)
b62f328b
VT		 1132 continue;
1133
23691d75 1134 if (c->scid == cid) {
c2287681
IY		 1135 int src_match, dst_match;
1136 int src_any, dst_any;
1137
b62f328b 1138 /* Exact match. */
c2287681
IY		 1139 src_match = !bacmp(&bt_sk(sk)->src, src);
1140 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1141 if (src_match && dst_match) {
23691d75
GP		 1142 read_unlock(&chan_list_lock);
1143 return c;
1144 }
b62f328b
VT		 1145
1146 /* Closest match */
c2287681
IY		 1147 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1148 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1149 if ((src_match && dst_any) || (src_any && dst_match) ||
1150 (src_any && dst_any))
23691d75 1151 c1 = c;
b62f328b
VT		 1152 }
1153 }
280f294f 1154
23691d75 1155 read_unlock(&chan_list_lock);
b62f328b 1156
23691d75 1157 return c1;
b62f328b
VT		 1158}
1159
1160static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1161{
c916fbe4 1162 struct sock *parent, *sk;
23691d75 1163 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1164
1165 BT_DBG("");
1166
1167 /* Check if we have socket listening on cid */
23691d75 1168 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1169 conn->src, conn->dst);
23691d75 1170 if (!pchan)
b62f328b
VT		 1171 return;
1172
23691d75
GP		 1173 parent = pchan->sk;
1174
aa2ac881 1175 lock_sock(parent);
62f3a2cf 1176
80b98027 1177 chan = pchan->ops->new_connection(pchan);
80808e43 1178 if (!chan)
b62f328b
VT		 1179 goto clean;
1180
80808e43 1181 sk = chan->sk;
5d41ce1d 1182
b62f328b 1183 hci_conn_hold(conn->hcon);
a9ea3ed9 1184 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1185
b62f328b
VT		 1186 bacpy(&bt_sk(sk)->src, conn->src);
1187 bacpy(&bt_sk(sk)->dst, conn->dst);
1188
d1010240
GP		 1189 bt_accept_enqueue(parent, sk);
1190
3d57dc68 1191 l2cap_chan_add(conn, chan);
48454079 1192
6754e0df 1193 l2cap_chan_ready(chan);
b62f328b 1194
b62f328b 1195clean:
aa2ac881 1196 release_sock(parent);
b62f328b
VT		 1197}
1198
4e8402a3
MH		 1199static void l2cap_conn_ready(struct l2cap_conn *conn)
1200{
48454079 1201 struct l2cap_chan *chan;
cc110922 1202 struct hci_conn *hcon = conn->hcon;
4e8402a3 1203
79d554a6 1204 BT_DBG("conn %p", conn);
4e8402a3 1205
cc110922 1206 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1207 l2cap_le_conn_ready(conn);
1208
cc110922
VCG		 1209 if (hcon->out && hcon->type == LE_LINK)
1210 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1211
3df91ea2 1212 mutex_lock(&conn->chan_lock);
4e8402a3 1213
3df91ea2 1214 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1215
6be36555 1216 l2cap_chan_lock(chan);
4e8402a3 1217
416fa752
AE		 1218 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1219 l2cap_chan_unlock(chan);
1220 continue;
1221 }
1222
cc110922
VCG		 1223 if (hcon->type == LE_LINK) {
1224 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1225 l2cap_chan_ready(chan);
acd7d370 1226
63128451 1227 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1228 struct sock *sk = chan->sk;
c9b66675 1229 __clear_chan_timer(chan);
6be36555 1230 lock_sock(sk);
0e587be7 1231 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1232 sk->sk_state_change(sk);
6be36555 1233 release_sock(sk);
b501d6a1 1234
89bc500e 1235 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1236 l2cap_do_start(chan);
4e8402a3 1237
6be36555 1238 l2cap_chan_unlock(chan);
4e8402a3 1239 }
79d554a6 1240
3df91ea2 1241 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1242}
1243
1244/* Notify sockets that we cannot guaranty reliability anymore */
1245static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1246{
48454079 1247 struct l2cap_chan *chan;
4e8402a3
MH		 1248
1249 BT_DBG("conn %p", conn);
1250
3df91ea2 1251 mutex_lock(&conn->chan_lock);
4e8402a3 1252
3df91ea2 1253 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1254 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1255 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1256 }
1257
3df91ea2 1258 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1259}
1260
f878fcad 1261static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1262{
f878fcad 1263 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1264 info_timer.work);
4e8402a3 1265
984947dc 1266 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1267 conn->info_ident = 0;
984947dc 1268
4e8402a3
MH		 1269 l2cap_conn_start(conn);
1270}
1271
5d3de7df
VCG		 1272static void l2cap_conn_del(struct hci_conn *hcon, int err)
1273{
1274 struct l2cap_conn *conn = hcon->l2cap_data;
1275 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1276
1277 if (!conn)
1278 return;
1279
1280 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1281
1282 kfree_skb(conn->rx_skb);
1283
3df91ea2
AE		 1284 mutex_lock(&conn->chan_lock);
1285
5d3de7df
VCG		 1286 /* Kill channels */
1287 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1288 l2cap_chan_hold(chan);
6be36555
AE		 1289 l2cap_chan_lock(chan);
1290
5d3de7df 1291 l2cap_chan_del(chan, err);
6be36555
AE		 1292
1293 l2cap_chan_unlock(chan);
1294
80b98027 1295 chan->ops->close(chan);
61d6ef3e 1296 l2cap_chan_put(chan);
5d3de7df
VCG		 1297 }
1298
3df91ea2
AE		 1299 mutex_unlock(&conn->chan_lock);
1300
73d80deb
LAD		 1301 hci_chan_del(conn->hchan);
1302
5d3de7df 1303 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1304 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1305
51a8efd7 1306 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1307 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1308 smp_chan_destroy(conn);
d26a2345 1309 }
5d3de7df
VCG		 1310
1311 hcon->l2cap_data = NULL;
1312 kfree(conn);
1313}
1314
6c9d42a1 1315static void security_timeout(struct work_struct *work)
5d3de7df 1316{
6c9d42a1
GP		 1317 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1318 security_timer.work);
5d3de7df 1319
d06cc416
JH		 1320 BT_DBG("conn %p", conn);
1321
1322 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1323 smp_chan_destroy(conn);
1324 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1325 }
5d3de7df
VCG		 1326}
1327
1da177e4
LT		 1328static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1329{
0139418c 1330 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1331 struct hci_chan *hchan;
1da177e4 1332
0139418c 1333 if (conn || status)
1da177e4
LT		 1334 return conn;
1335
73d80deb
LAD		 1336 hchan = hci_chan_create(hcon);
1337 if (!hchan)
1338 return NULL;
1339
0139418c 1340 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1341 if (!conn) {
1342 hci_chan_del(hchan);
1da177e4 1343 return NULL;
73d80deb 1344 }
1da177e4
LT		 1345
1346 hcon->l2cap_data = conn;
1347 conn->hcon = hcon;
73d80deb 1348 conn->hchan = hchan;
1da177e4 1349
73d80deb 1350 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1351
acd7d370
VT		 1352 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1353 conn->mtu = hcon->hdev->le_mtu;
1354 else
1355 conn->mtu = hcon->hdev->acl_mtu;
1356
1da177e4
LT		 1357 conn->src = &hcon->hdev->bdaddr;
1358 conn->dst = &hcon->dst;
1359
4e8402a3
MH		 1360 conn->feat_mask = 0;
1361
1da177e4 1362 spin_lock_init(&conn->lock);
3df91ea2 1363 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1364
1365 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1366
5d3de7df 1367 if (hcon->type == LE_LINK)
6c9d42a1 1368 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1369 else
030013d8 1370 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1371
9f5a0d7b 1372 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1373
1da177e4
LT		 1374 return conn;
1375}
1376
1da177e4 1377/* ---- Socket interface ---- */
1da177e4 1378
c2287681 1379/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1380 * Returns closest match.
1381 */
c2287681
IY		 1382static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1383 bdaddr_t *src,
1384 bdaddr_t *dst)
1da177e4 1385{
23691d75 1386 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1387
23691d75 1388 read_lock(&chan_list_lock);
e0f0cb56 1389
23691d75
GP		 1390 list_for_each_entry(c, &chan_list, global_l) {
1391 struct sock *sk = c->sk;
fe4128e0 1392
89bc500e 1393 if (state && c->state != state)
1da177e4
LT		 1394 continue;
1395
23691d75 1396 if (c->psm == psm) {
c2287681
IY		 1397 int src_match, dst_match;
1398 int src_any, dst_any;
1399
1da177e4 1400 /* Exact match. */
c2287681
IY		 1401 src_match = !bacmp(&bt_sk(sk)->src, src);
1402 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1403 if (src_match && dst_match) {
a7567b20 1404 read_unlock(&chan_list_lock);
23691d75
GP		 1405 return c;
1406 }
1da177e4
LT		 1407
1408 /* Closest match */
c2287681
IY		 1409 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1410 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1411 if ((src_match && dst_any) || (src_any && dst_match) ||
1412 (src_any && dst_any))
23691d75 1413 c1 = c;
1da177e4
LT		 1414 }
1415 }
1da177e4 1416
23691d75 1417 read_unlock(&chan_list_lock);
e0f0cb56 1418
23691d75 1419 return c1;
1da177e4
LT		 1420}
1421
8e9f9892
AG		 1422int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1423 bdaddr_t *dst, u8 dst_type)
1da177e4 1424{
5d41ce1d 1425 struct sock *sk = chan->sk;
1da177e4 1426 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1427 struct l2cap_conn *conn;
1428 struct hci_conn *hcon;
1429 struct hci_dev *hdev;
09ab6f4c 1430 __u8 auth_type;
44d0e48e 1431 int err;
1da177e4 1432
8e9f9892
AG		 1433 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1434 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1435
af05b30b
GP		 1436 hdev = hci_get_route(dst, src);
1437 if (!hdev)
1da177e4
LT		 1438 return -EHOSTUNREACH;
1439
09fd0de5 1440 hci_dev_lock(hdev);
1da177e4 1441
6be36555 1442 l2cap_chan_lock(chan);
03a00194
GP		 1443
1444 /* PSM must be odd and lsb of upper byte must be 0 */
1445 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1446 chan->chan_type != L2CAP_CHAN_RAW) {
1447 err = -EINVAL;
1448 goto done;
1449 }
1450
1451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1452 err = -EINVAL;
1453 goto done;
1454 }
1455
1456 switch (chan->mode) {
1457 case L2CAP_MODE_BASIC:
1458 break;
1459 case L2CAP_MODE_ERTM:
1460 case L2CAP_MODE_STREAMING:
1461 if (!disable_ertm)
1462 break;
1463 /* fall through */
1464 default:
1465 err = -ENOTSUPP;
1466 goto done;
1467 }
1468
0797e01d 1469 switch (chan->state) {
03a00194
GP		 1470 case BT_CONNECT:
1471 case BT_CONNECT2:
1472 case BT_CONFIG:
1473 /* Already connecting */
1474 err = 0;
1475 goto done;
1476
1477 case BT_CONNECTED:
1478 /* Already connected */
1479 err = -EISCONN;
1480 goto done;
1481
1482 case BT_OPEN:
1483 case BT_BOUND:
1484 /* Can connect */
1485 break;
1486
1487 default:
1488 err = -EBADFD;
1489 goto done;
1490 }
1491
1492 /* Set destination address and psm */
0797e01d 1493 lock_sock(sk);
9219b2a0 1494 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1495 release_sock(sk);
1496
03a00194
GP		 1497 chan->psm = psm;
1498 chan->dcid = cid;
1da177e4 1499
4343478f 1500 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1501
fe4128e0 1502 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1503 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1504 chan->sec_level, auth_type);
acd7d370 1505 else
8e9f9892 1506 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1507 chan->sec_level, auth_type);
acd7d370 1508
30e76272
VT		 1509 if (IS_ERR(hcon)) {
1510 err = PTR_ERR(hcon);
1da177e4 1511 goto done;
30e76272 1512 }
1da177e4
LT		 1513
1514 conn = l2cap_conn_add(hcon, 0);
1515 if (!conn) {
1516 hci_conn_put(hcon);
30e76272 1517 err = -ENOMEM;
1da177e4
LT		 1518 goto done;
1519 }
1520
9f0caeb1
VCG		 1521 if (hcon->type == LE_LINK) {
1522 err = 0;
1523
1524 if (!list_empty(&conn->chan_l)) {
1525 err = -EBUSY;
1526 hci_conn_put(hcon);
1527 }
1528
1529 if (err)
1530 goto done;
1531 }
1532
1da177e4
LT		 1533 /* Update source addr of the socket */
1534 bacpy(src, conn->src);
1535
6be36555 1536 l2cap_chan_unlock(chan);
48454079 1537 l2cap_chan_add(conn, chan);
6be36555 1538 l2cap_chan_lock(chan);
48454079 1539
6be36555 1540 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1541 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1542
1543 if (hcon->state == BT_CONNECTED) {
715ec005 1544 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1545 __clear_chan_timer(chan);
d45fc423 1546 if (l2cap_chan_check_security(chan))
6be36555 1547 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1548 } else
fc7f8a7e 1549 l2cap_do_start(chan);
1da177e4
LT		 1550 }
1551
30e76272
VT		 1552 err = 0;
1553
1da177e4 1554done:
6be36555 1555 l2cap_chan_unlock(chan);
09fd0de5 1556 hci_dev_unlock(hdev);
1da177e4
LT		 1557 hci_dev_put(hdev);
1558 return err;
1559}
1560
dcba0dba 1561int __l2cap_wait_ack(struct sock *sk)
6161c038 1562{
8c1d787b 1563 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1564 DECLARE_WAITQUEUE(wait, current);
1565 int err = 0;
1566 int timeo = HZ/5;
1567
2b0b05dd 1568 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1569 set_current_state(TASK_INTERRUPTIBLE);
1570 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1571 if (!timeo)
1572 timeo = HZ/5;
1573
1574 if (signal_pending(current)) {
1575 err = sock_intr_errno(timeo);
1576 break;
1577 }
1578
1579 release_sock(sk);
1580 timeo = schedule_timeout(timeo);
1581 lock_sock(sk);
a71a0cf4 1582 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1583
1584 err = sock_error(sk);
1585 if (err)
1586 break;
1587 }
1588 set_current_state(TASK_RUNNING);
2b0b05dd 1589 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1590 return err;
1591}
1592
721c4181 1593static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1594{
721c4181 1595 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1596 monitor_timer.work);
e90bac06 1597
525cd185 1598 BT_DBG("chan %p", chan);
0e98958d 1599
6be36555
AE		 1600 l2cap_chan_lock(chan);
1601
80909e04 1602 if (!chan->conn) {
6be36555 1603 l2cap_chan_unlock(chan);
8d7e1c7f 1604 l2cap_chan_put(chan);
e90bac06
GP		 1605 return;
1606 }
1607
401bb1f7 1608 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1609
6be36555 1610 l2cap_chan_unlock(chan);
8d7e1c7f 1611 l2cap_chan_put(chan);
e90bac06
GP		 1612}
1613
721c4181 1614static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1615{
721c4181 1616 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1617 retrans_timer.work);
e90bac06 1618
49208c9c 1619 BT_DBG("chan %p", chan);
0e98958d 1620
6be36555
AE		 1621 l2cap_chan_lock(chan);
1622
80909e04
MM		 1623 if (!chan->conn) {
1624 l2cap_chan_unlock(chan);
1625 l2cap_chan_put(chan);
1626 return;
1627 }
6be36555 1628
401bb1f7 1629 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1630 l2cap_chan_unlock(chan);
8d7e1c7f 1631 l2cap_chan_put(chan);
e90bac06
GP		 1632}
1633
d660366d
GP		 1634static void l2cap_streaming_send(struct l2cap_chan *chan,
1635 struct sk_buff_head *skbs)
6840ed07 1636{
ccbb84af 1637 struct sk_buff *skb;
3733937d 1638 struct l2cap_ctrl *control;
6840ed07 1639
3733937d
MM		 1640 BT_DBG("chan %p, skbs %p", chan, skbs);
1641
3733937d
MM		 1642 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1643
1644 while (!skb_queue_empty(&chan->tx_q)) {
1645
1646 skb = skb_dequeue(&chan->tx_q);
1647
1648 bt_cb(skb)->control.retries = 1;
1649 control = &bt_cb(skb)->control;
1650
1651 control->reqseq = 0;
1652 control->txseq = chan->next_tx_seq;
1653
1654 __pack_control(chan, control, skb);
6840ed07 1655
47d1ec61 1656 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1657 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1658 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1659 }
1660
4343478f 1661 l2cap_do_send(chan, skb);
6840ed07 1662
b4400672 1663 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1664
836be934 1665 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1666 chan->frames_sent++;
6840ed07 1667 }
6840ed07
GP		 1668}
1669
67c9e840 1670static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1671{
1672 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1673 struct l2cap_ctrl *control;
1674 int sent = 0;
1675
1676 BT_DBG("chan %p", chan);
1c2acffb 1677
89bc500e 1678 if (chan->state != BT_CONNECTED)
c13ffa62 1679 return -ENOTCONN;
e90bac06 1680
94122bbe
MM		 1681 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1682 return 0;
1683
18a48e76
MM		 1684 while (chan->tx_send_head &&
1685 chan->unacked_frames < chan->remote_tx_win &&
1686 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1687
18a48e76 1688 skb = chan->tx_send_head;
e90bac06 1689
18a48e76
MM		 1690 bt_cb(skb)->control.retries = 1;
1691 control = &bt_cb(skb)->control;
95ffa978 1692
e2ab4353 1693 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1694 control->final = 1;
e2ab4353 1695
18a48e76
MM		 1696 control->reqseq = chan->buffer_seq;
1697 chan->last_acked_seq = chan->buffer_seq;
1698 control->txseq = chan->next_tx_seq;
1c2acffb 1699
18a48e76 1700 __pack_control(chan, control, skb);
e90bac06 1701
47d1ec61 1702 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1703 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1704 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1705 }
1706
18a48e76
MM		 1707 /* Clone after data has been modified. Data is assumed to be
1708 read-only (for locking purposes) on cloned sk_buffs.
1709 */
1710 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1711
18a48e76
MM		 1712 if (!tx_skb)
1713 break;
1c2acffb 1714
18a48e76 1715 __set_retrans_timer(chan);
836be934
AE		 1716
1717 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1718 chan->unacked_frames++;
6a026610 1719 chan->frames_sent++;
18a48e76 1720 sent++;
1c2acffb 1721
58d35f87
GP		 1722 if (skb_queue_is_last(&chan->tx_q, skb))
1723 chan->tx_send_head = NULL;
1c2acffb 1724 else
58d35f87 1725 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1726
1727 l2cap_do_send(chan, tx_skb);
b4400672 1728 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1729 }
1730
b4400672
AE		 1731 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1732 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1733
1734 return sent;
9e917af1
GP		 1735}
1736
e1fbd4c1
MM		 1737static void l2cap_ertm_resend(struct l2cap_chan *chan)
1738{
1739 struct l2cap_ctrl control;
1740 struct sk_buff *skb;
1741 struct sk_buff *tx_skb;
1742 u16 seq;
1743
1744 BT_DBG("chan %p", chan);
1745
1746 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1747 return;
1748
1749 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1750 seq = l2cap_seq_list_pop(&chan->retrans_list);
1751
1752 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1753 if (!skb) {
1754 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1755 seq);
1756 continue;
1757 }
1758
1759 bt_cb(skb)->control.retries++;
1760 control = bt_cb(skb)->control;
1761
1762 if (chan->max_tx != 0 &&
1763 bt_cb(skb)->control.retries > chan->max_tx) {
1764 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1765 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1766 l2cap_seq_list_clear(&chan->retrans_list);
1767 break;
1768 }
1769
1770 control.reqseq = chan->buffer_seq;
1771 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1772 control.final = 1;
1773 else
1774 control.final = 0;
1775
1776 if (skb_cloned(skb)) {
1777 /* Cloned sk_buffs are read-only, so we need a
1778 * writeable copy
1779 */
1780 tx_skb = skb_copy(skb, GFP_ATOMIC);
1781 } else {
1782 tx_skb = skb_clone(skb, GFP_ATOMIC);
1783 }
1784
1785 if (!tx_skb) {
1786 l2cap_seq_list_clear(&chan->retrans_list);
1787 break;
1788 }
1789
1790 /* Update skb contents */
1791 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1792 put_unaligned_le32(__pack_extended_control(&control),
1793 tx_skb->data + L2CAP_HDR_SIZE);
1794 } else {
1795 put_unaligned_le16(__pack_enhanced_control(&control),
1796 tx_skb->data + L2CAP_HDR_SIZE);
1797 }
1798
1799 if (chan->fcs == L2CAP_FCS_CRC16) {
1800 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1801 put_unaligned_le16(fcs, skb_put(tx_skb,
1802 L2CAP_FCS_SIZE));
1803 }
1804
1805 l2cap_do_send(chan, tx_skb);
1806
1807 BT_DBG("Resent txseq %d", control.txseq);
1808
1809 chan->last_acked_seq = chan->buffer_seq;
1810 }
1811}
1812
f80842a8
MM		 1813static void l2cap_retransmit(struct l2cap_chan *chan,
1814 struct l2cap_ctrl *control)
1815{
1816 BT_DBG("chan %p, control %p", chan, control);
1817
1818 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1819 l2cap_ertm_resend(chan);
1820}
1821
d2a7ac5d
MM		 1822static void l2cap_retransmit_all(struct l2cap_chan *chan,
1823 struct l2cap_ctrl *control)
1824{
e1fbd4c1
MM		 1825 struct sk_buff *skb;
1826
1827 BT_DBG("chan %p, control %p", chan, control);
1828
1829 if (control->poll)
1830 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1831
1832 l2cap_seq_list_clear(&chan->retrans_list);
1833
1834 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1835 return;
1836
1837 if (chan->unacked_frames) {
1838 skb_queue_walk(&chan->tx_q, skb) {
1839 if (bt_cb(skb)->control.txseq == control->reqseq ||
1840 skb == chan->tx_send_head)
1841 break;
1842 }
1843
1844 skb_queue_walk_from(&chan->tx_q, skb) {
1845 if (skb == chan->tx_send_head)
1846 break;
1847
1848 l2cap_seq_list_append(&chan->retrans_list,
1849 bt_cb(skb)->control.txseq);
1850 }
1851
1852 l2cap_ertm_resend(chan);
1853 }
d2a7ac5d
MM		 1854}
1855
0a0aba42 1856static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1857{
0a0aba42
MM		 1858 struct l2cap_ctrl control;
1859 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1860 chan->last_acked_seq);
1861 int threshold;
9e917af1 1862
0a0aba42
MM		 1863 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1864 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1865
0a0aba42
MM		 1866 memset(&control, 0, sizeof(control));
1867 control.sframe = 1;
dfc909be 1868
0a0aba42
MM		 1869 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1870 chan->rx_state == L2CAP_RX_STATE_RECV) {
1871 __clear_ack_timer(chan);
1872 control.super = L2CAP_SUPER_RNR;
1873 control.reqseq = chan->buffer_seq;
1874 l2cap_send_sframe(chan, &control);
1875 } else {
1876 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1877 l2cap_ertm_send(chan);
1878 /* If any i-frames were sent, they included an ack */
1879 if (chan->buffer_seq == chan->last_acked_seq)
1880 frames_to_ack = 0;
1881 }
dfc909be 1882
c20f8e35 1883 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1884 * Calculate without mul or div
1885 */
c20f8e35 1886 threshold = chan->ack_win;
0a0aba42
MM		 1887 threshold += threshold << 1;
1888 threshold >>= 2;
1889
b4400672 1890 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1891 threshold);
1892
1893 if (frames_to_ack >= threshold) {
1894 __clear_ack_timer(chan);
1895 control.super = L2CAP_SUPER_RR;
1896 control.reqseq = chan->buffer_seq;
1897 l2cap_send_sframe(chan, &control);
1898 frames_to_ack = 0;
1899 }
1c2acffb 1900
0a0aba42
MM		 1901 if (frames_to_ack)
1902 __set_ack_timer(chan);
1903 }
b17e73bb
SJ		 1904}
1905
04124681
GP		 1906static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1907 struct msghdr *msg, int len,
1908 int count, struct sk_buff *skb)
1c2acffb 1909{
0952a57a 1910 struct l2cap_conn *conn = chan->conn;
1c2acffb 1911 struct sk_buff **frag;
90338947 1912 int sent = 0;
1da177e4 1913
59203a21 1914 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1915 return -EFAULT;
1da177e4
LT		 1916
1917 sent += count;
1918 len -= count;
1919
1920 /* Continuation fragments (no L2CAP header) */
1921 frag = &skb_shinfo(skb)->frag_list;
1922 while (len) {
fbe00700
GP		 1923 struct sk_buff *tmp;
1924
1da177e4
LT		 1925 count = min_t(unsigned int, conn->mtu, len);
1926
fbe00700
GP		 1927 tmp = chan->ops->alloc_skb(chan, count,
1928 msg->msg_flags & MSG_DONTWAIT);
1929 if (IS_ERR(tmp))
1930 return PTR_ERR(tmp);
1931
1932 *frag = tmp;
2f7719ce 1933
1c2acffb
GP		 1934 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1935 return -EFAULT;
1da177e4 1936
5e59b791
LAD		 1937 (*frag)->priority = skb->priority;
1938
1da177e4
LT		 1939 sent += count;
1940 len -= count;
1941
2d0ed3d5
GP		 1942 skb->len += (*frag)->len;
1943 skb->data_len += (*frag)->len;
1944
1da177e4
LT		 1945 frag = &(*frag)->next;
1946 }
1da177e4
LT		 1947
1948 return sent;
1c2acffb 1949}
1da177e4 1950
5e59b791 1951static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 1952 struct msghdr *msg, size_t len,
1953 u32 priority)
1c2acffb 1954{
8c1d787b 1955 struct l2cap_conn *conn = chan->conn;
1c2acffb 1956 struct sk_buff *skb;
03a51213 1957 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1958 struct l2cap_hdr *lh;
1959
b4400672 1960 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 1961
1962 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1963
1964 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1965 msg->msg_flags & MSG_DONTWAIT);
1966 if (IS_ERR(skb))
1967 return skb;
1c2acffb 1968
5e59b791
LAD		 1969 skb->priority = priority;
1970
1c2acffb
GP		 1971 /* Create L2CAP header */
1972 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1973 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1974 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1975 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1976
0952a57a 1977 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1978 if (unlikely(err < 0)) {
1979 kfree_skb(skb);
1980 return ERR_PTR(err);
1981 }
1982 return skb;
1983}
1984
5e59b791 1985static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 1986 struct msghdr *msg, size_t len,
1987 u32 priority)
1c2acffb 1988{
8c1d787b 1989 struct l2cap_conn *conn = chan->conn;
1c2acffb 1990 struct sk_buff *skb;
f2ba7fae 1991 int err, count;
1c2acffb
GP		 1992 struct l2cap_hdr *lh;
1993
b4400672 1994 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 1995
f2ba7fae 1996 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1997
f2ba7fae 1998 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1999 msg->msg_flags & MSG_DONTWAIT);
2000 if (IS_ERR(skb))
2001 return skb;
1c2acffb 2002
5e59b791
LAD		 2003 skb->priority = priority;
2004
1c2acffb
GP		 2005 /* Create L2CAP header */
2006 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2007 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2008 lh->len = cpu_to_le16(len);
1c2acffb 2009
0952a57a 2010 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2011 if (unlikely(err < 0)) {
2012 kfree_skb(skb);
2013 return ERR_PTR(err);
2014 }
2015 return skb;
2016}
2017
ab0ff76d 2018static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2019 struct msghdr *msg, size_t len,
2020 u16 sdulen)
1c2acffb 2021{
8c1d787b 2022 struct l2cap_conn *conn = chan->conn;
1c2acffb 2023 struct sk_buff *skb;
e4ca6d98 2024 int err, count, hlen;
1c2acffb
GP		 2025 struct l2cap_hdr *lh;
2026
b4400672 2027 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2028
0ee0d208
GP		 2029 if (!conn)
2030 return ERR_PTR(-ENOTCONN);
2031
ba7aa64f 2032 hlen = __ertm_hdr_size(chan);
e4ca6d98 2033
c74e560c 2034 if (sdulen)
03a51213 2035 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2036
47d1ec61 2037 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2038 hlen += L2CAP_FCS_SIZE;
fcc203c3 2039
1c2acffb 2040 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2041
2042 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2043 msg->msg_flags & MSG_DONTWAIT);
2044 if (IS_ERR(skb))
2045 return skb;
1c2acffb
GP		 2046
2047 /* Create L2CAP header */
2048 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2049 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2050 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2051
18a48e76
MM		 2052 /* Control header is populated later */
2053 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2054 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2055 else
2056 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2057
c74e560c 2058 if (sdulen)
03a51213 2059 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2060
0952a57a 2061 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2062 if (unlikely(err < 0)) {
2063 kfree_skb(skb);
2064 return ERR_PTR(err);
2065 }
e90bac06 2066
18a48e76 2067 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2068 bt_cb(skb)->control.retries = 0;
1c2acffb 2069 return skb;
1da177e4
LT		 2070}
2071
94122bbe
MM		 2072static int l2cap_segment_sdu(struct l2cap_chan *chan,
2073 struct sk_buff_head *seg_queue,
2074 struct msghdr *msg, size_t len)
c74e560c 2075{
c74e560c 2076 struct sk_buff *skb;
94122bbe
MM		 2077 u16 sdu_len;
2078 size_t pdu_len;
94122bbe 2079 u8 sar;
c74e560c 2080
b4400672 2081 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2082
94122bbe
MM		 2083 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2084 * so fragmented skbs are not used. The HCI layer's handling
2085 * of fragmented skbs is not compatible with ERTM's queueing.
2086 */
c74e560c 2087
94122bbe
MM		 2088 /* PDU size is derived from the HCI MTU */
2089 pdu_len = chan->conn->mtu;
c74e560c 2090
94122bbe
MM		 2091 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2092
2093 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2094 if (chan->fcs)
2095 pdu_len -= L2CAP_FCS_SIZE;
2096
ba7aa64f 2097 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2098
2099 /* Remote device may have requested smaller PDUs */
2100 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2101
2102 if (len <= pdu_len) {
2103 sar = L2CAP_SAR_UNSEGMENTED;
2104 sdu_len = 0;
2105 pdu_len = len;
2106 } else {
2107 sar = L2CAP_SAR_START;
2108 sdu_len = len;
2109 pdu_len -= L2CAP_SDULEN_SIZE;
2110 }
2111
2112 while (len > 0) {
2113 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2114
c74e560c 2115 if (IS_ERR(skb)) {
94122bbe 2116 __skb_queue_purge(seg_queue);
c74e560c
GP		 2117 return PTR_ERR(skb);
2118 }
2119
94122bbe
MM		 2120 bt_cb(skb)->control.sar = sar;
2121 __skb_queue_tail(seg_queue, skb);
2122
2123 len -= pdu_len;
2124 if (sdu_len) {
2125 sdu_len = 0;
2126 pdu_len += L2CAP_SDULEN_SIZE;
2127 }
2128
2129 if (len <= pdu_len) {
2130 sar = L2CAP_SAR_END;
2131 pdu_len = len;
2132 } else {
2133 sar = L2CAP_SAR_CONTINUE;
2134 }
c74e560c 2135 }
c74e560c 2136
f0f62799 2137 return 0;
c74e560c
GP		 2138}
2139
5e59b791
LAD		 2140int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2141 u32 priority)
9a91a04a 2142{
9a91a04a 2143 struct sk_buff *skb;
9a91a04a 2144 int err;
94122bbe 2145 struct sk_buff_head seg_queue;
9a91a04a
GP		 2146
2147 /* Connectionless channel */
715ec005 2148 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2149 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2150 if (IS_ERR(skb))
2151 return PTR_ERR(skb);
2152
2153 l2cap_do_send(chan, skb);
2154 return len;
2155 }
2156
2157 switch (chan->mode) {
2158 case L2CAP_MODE_BASIC:
2159 /* Check outgoing MTU */
2160 if (len > chan->omtu)
2161 return -EMSGSIZE;
2162
2163 /* Create a basic PDU */
5e59b791 2164 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2165 if (IS_ERR(skb))
2166 return PTR_ERR(skb);
2167
2168 l2cap_do_send(chan, skb);
2169 err = len;
2170 break;
2171
2172 case L2CAP_MODE_ERTM:
2173 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2174 /* Check outgoing MTU */
2175 if (len > chan->omtu) {
2176 err = -EMSGSIZE;
2177 break;
2178 }
9a91a04a 2179
94122bbe 2180 __skb_queue_head_init(&seg_queue);
9a91a04a 2181
94122bbe
MM		 2182 /* Do segmentation before calling in to the state machine,
2183 * since it's possible to block while waiting for memory
2184 * allocation.
2185 */
2186 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2187
94122bbe
MM		 2188 /* The channel could have been closed while segmenting,
2189 * check that it is still connected.
2190 */
2191 if (chan->state != BT_CONNECTED) {
2192 __skb_queue_purge(&seg_queue);
2193 err = -ENOTCONN;
9a91a04a
GP		 2194 }
2195
94122bbe 2196 if (err)
9a91a04a 2197 break;
9a91a04a 2198
3733937d 2199 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2200 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2201 else
d660366d 2202 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2203
d660366d 2204 err = len;
9a91a04a 2205
94122bbe
MM		 2206 /* If the skbs were not queued for sending, they'll still be in
2207 * seg_queue and need to be purged.
2208 */
2209 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2210 break;
2211
2212 default:
2213 BT_DBG("bad state %1.1x", chan->mode);
2214 err = -EBADFD;
2215 }
2216
2217 return err;
2218}
2219
d2a7ac5d
MM		 2220static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2221{
bed68bde
MM		 2222 struct l2cap_ctrl control;
2223 u16 seq;
2224
b4400672 2225 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2226
2227 memset(&control, 0, sizeof(control));
2228 control.sframe = 1;
2229 control.super = L2CAP_SUPER_SREJ;
2230
2231 for (seq = chan->expected_tx_seq; seq != txseq;
2232 seq = __next_seq(chan, seq)) {
2233 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2234 control.reqseq = seq;
2235 l2cap_send_sframe(chan, &control);
2236 l2cap_seq_list_append(&chan->srej_list, seq);
2237 }
2238 }
2239
2240 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2241}
2242
2243static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2244{
bed68bde
MM		 2245 struct l2cap_ctrl control;
2246
2247 BT_DBG("chan %p", chan);
2248
2249 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2250 return;
2251
2252 memset(&control, 0, sizeof(control));
2253 control.sframe = 1;
2254 control.super = L2CAP_SUPER_SREJ;
2255 control.reqseq = chan->srej_list.tail;
2256 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2257}
2258
2259static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2260{
bed68bde
MM		 2261 struct l2cap_ctrl control;
2262 u16 initial_head;
2263 u16 seq;
2264
b4400672 2265 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2266
2267 memset(&control, 0, sizeof(control));
2268 control.sframe = 1;
2269 control.super = L2CAP_SUPER_SREJ;
2270
2271 /* Capture initial list head to allow only one pass through the list. */
2272 initial_head = chan->srej_list.head;
2273
2274 do {
2275 seq = l2cap_seq_list_pop(&chan->srej_list);
2276 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2277 break;
2278
2279 control.reqseq = seq;
2280 l2cap_send_sframe(chan, &control);
2281 l2cap_seq_list_append(&chan->srej_list, seq);
2282 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2283}
2284
608bcc6d
MM		 2285static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2286{
2287 struct sk_buff *acked_skb;
2288 u16 ackseq;
2289
b4400672 2290 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2291
2292 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2293 return;
2294
b4400672 2295 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2296 chan->expected_ack_seq, chan->unacked_frames);
2297
2298 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2299 ackseq = __next_seq(chan, ackseq)) {
2300
2301 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2302 if (acked_skb) {
2303 skb_unlink(acked_skb, &chan->tx_q);
2304 kfree_skb(acked_skb);
2305 chan->unacked_frames--;
2306 }
2307 }
2308
2309 chan->expected_ack_seq = reqseq;
2310
2311 if (chan->unacked_frames == 0)
2312 __clear_retrans_timer(chan);
2313
b4400672 2314 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2315}
2316
2317static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2318{
2319 BT_DBG("chan %p", chan);
2320
2321 chan->expected_tx_seq = chan->buffer_seq;
2322 l2cap_seq_list_clear(&chan->srej_list);
2323 skb_queue_purge(&chan->srej_q);
2324 chan->rx_state = L2CAP_RX_STATE_RECV;
2325}
2326
d660366d
GP		 2327static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2328 struct l2cap_ctrl *control,
2329 struct sk_buff_head *skbs, u8 event)
608bcc6d 2330{
608bcc6d
MM		 2331 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2332 event);
2333
2334 switch (event) {
2335 case L2CAP_EV_DATA_REQUEST:
2336 if (chan->tx_send_head == NULL)
2337 chan->tx_send_head = skb_peek(skbs);
2338
2339 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2340 l2cap_ertm_send(chan);
2341 break;
2342 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2343 BT_DBG("Enter LOCAL_BUSY");
2344 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2345
2346 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2347 /* The SREJ_SENT state must be aborted if we are to
2348 * enter the LOCAL_BUSY state.
2349 */
2350 l2cap_abort_rx_srej_sent(chan);
2351 }
2352
2353 l2cap_send_ack(chan);
2354
2355 break;
2356 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2357 BT_DBG("Exit LOCAL_BUSY");
2358 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2359
2360 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2361 struct l2cap_ctrl local_control;
2362
2363 memset(&local_control, 0, sizeof(local_control));
2364 local_control.sframe = 1;
2365 local_control.super = L2CAP_SUPER_RR;
2366 local_control.poll = 1;
2367 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2368 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2369
2370 chan->retry_count = 1;
2371 __set_monitor_timer(chan);
2372 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2373 }
2374 break;
2375 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2376 l2cap_process_reqseq(chan, control->reqseq);
2377 break;
2378 case L2CAP_EV_EXPLICIT_POLL:
2379 l2cap_send_rr_or_rnr(chan, 1);
2380 chan->retry_count = 1;
2381 __set_monitor_timer(chan);
2382 __clear_ack_timer(chan);
2383 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2384 break;
2385 case L2CAP_EV_RETRANS_TO:
2386 l2cap_send_rr_or_rnr(chan, 1);
2387 chan->retry_count = 1;
2388 __set_monitor_timer(chan);
2389 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2390 break;
2391 case L2CAP_EV_RECV_FBIT:
2392 /* Nothing to process */
2393 break;
2394 default:
2395 break;
2396 }
608bcc6d
MM		 2397}
2398
d660366d
GP		 2399static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2400 struct l2cap_ctrl *control,
2401 struct sk_buff_head *skbs, u8 event)
608bcc6d 2402{
608bcc6d
MM		 2403 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2404 event);
2405
2406 switch (event) {
2407 case L2CAP_EV_DATA_REQUEST:
2408 if (chan->tx_send_head == NULL)
2409 chan->tx_send_head = skb_peek(skbs);
2410 /* Queue data, but don't send. */
2411 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2412 break;
2413 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2414 BT_DBG("Enter LOCAL_BUSY");
2415 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2416
2417 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2418 /* The SREJ_SENT state must be aborted if we are to
2419 * enter the LOCAL_BUSY state.
2420 */
2421 l2cap_abort_rx_srej_sent(chan);
2422 }
2423
2424 l2cap_send_ack(chan);
2425
2426 break;
2427 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2428 BT_DBG("Exit LOCAL_BUSY");
2429 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2430
2431 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2432 struct l2cap_ctrl local_control;
2433 memset(&local_control, 0, sizeof(local_control));
2434 local_control.sframe = 1;
2435 local_control.super = L2CAP_SUPER_RR;
2436 local_control.poll = 1;
2437 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2438 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2439
2440 chan->retry_count = 1;
2441 __set_monitor_timer(chan);
2442 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2443 }
2444 break;
2445 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2446 l2cap_process_reqseq(chan, control->reqseq);
2447
2448 /* Fall through */
2449
2450 case L2CAP_EV_RECV_FBIT:
2451 if (control && control->final) {
2452 __clear_monitor_timer(chan);
2453 if (chan->unacked_frames > 0)
2454 __set_retrans_timer(chan);
2455 chan->retry_count = 0;
2456 chan->tx_state = L2CAP_TX_STATE_XMIT;
2457 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2458 }
2459 break;
2460 case L2CAP_EV_EXPLICIT_POLL:
2461 /* Ignore */
2462 break;
2463 case L2CAP_EV_MONITOR_TO:
2464 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2465 l2cap_send_rr_or_rnr(chan, 1);
2466 __set_monitor_timer(chan);
2467 chan->retry_count++;
2468 } else {
2469 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2470 }
2471 break;
2472 default:
2473 break;
2474 }
608bcc6d
MM		 2475}
2476
d660366d
GP		 2477static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2478 struct sk_buff_head *skbs, u8 event)
608bcc6d 2479{
608bcc6d
MM		 2480 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2481 chan, control, skbs, event, chan->tx_state);
2482
2483 switch (chan->tx_state) {
2484 case L2CAP_TX_STATE_XMIT:
d660366d 2485 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2486 break;
2487 case L2CAP_TX_STATE_WAIT_F:
d660366d 2488 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2489 break;
2490 default:
2491 /* Ignore event */
2492 break;
2493 }
608bcc6d
MM		 2494}
2495
4b51dae9
MM		 2496static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2497 struct l2cap_ctrl *control)
2498{
2499 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2500 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2501}
2502
f80842a8
MM		 2503static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2504 struct l2cap_ctrl *control)
2505{
2506 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2507 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2508}
2509
1da177e4
LT		 2510/* Copy frame to all raw sockets on that connection */
2511static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2512{
1da177e4 2513 struct sk_buff *nskb;
48454079 2514 struct l2cap_chan *chan;
1da177e4
LT		 2515
2516 BT_DBG("conn %p", conn);
2517
3df91ea2 2518 mutex_lock(&conn->chan_lock);
3d57dc68 2519
3df91ea2 2520 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2521 struct sock *sk = chan->sk;
715ec005 2522 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2523 continue;
2524
2525 /* Don't send frame to the socket it came from */
2526 if (skb->sk == sk)
2527 continue;
af05b30b
GP		 2528 nskb = skb_clone(skb, GFP_ATOMIC);
2529 if (!nskb)
1da177e4
LT		 2530 continue;
2531
80b98027 2532 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2533 kfree_skb(nskb);
2534 }
3d57dc68 2535
3df91ea2 2536 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2537}
2538
2539/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2540static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2541 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2542{
2543 struct sk_buff *skb, **frag;
2544 struct l2cap_cmd_hdr *cmd;
2545 struct l2cap_hdr *lh;
2546 int len, count;
2547
b4400672
AE		 2548 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2549 conn, code, ident, dlen);
1da177e4
LT		 2550
2551 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2552 count = min_t(unsigned int, conn->mtu, len);
2553
2554 skb = bt_skb_alloc(count, GFP_ATOMIC);
2555 if (!skb)
2556 return NULL;
2557
2558 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2559 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2560
2561 if (conn->hcon->type == LE_LINK)
ac73498c 2562 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2563 else
ac73498c 2564 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2565
2566 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2567 cmd->code = code;
2568 cmd->ident = ident;
aca3192c 2569 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2570
2571 if (dlen) {
2572 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2573 memcpy(skb_put(skb, count), data, count);
2574 data += count;
2575 }
2576
2577 len -= skb->len;
2578
2579 /* Continuation fragments (no L2CAP header) */
2580 frag = &skb_shinfo(skb)->frag_list;
2581 while (len) {
2582 count = min_t(unsigned int, conn->mtu, len);
2583
2584 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2585 if (!*frag)
2586 goto fail;
2587
2588 memcpy(skb_put(*frag, count), data, count);
2589
2590 len -= count;
2591 data += count;
2592
2593 frag = &(*frag)->next;
2594 }
2595
2596 return skb;
2597
2598fail:
2599 kfree_skb(skb);
2600 return NULL;
2601}
2602
2603static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2604{
2605 struct l2cap_conf_opt *opt = *ptr;
2606 int len;
2607
2608 len = L2CAP_CONF_OPT_SIZE + opt->len;
2609 *ptr += len;
2610
2611 *type = opt->type;
2612 *olen = opt->len;
2613
2614 switch (opt->len) {
2615 case 1:
2616 *val = *((u8 *) opt->val);
2617 break;
2618
2619 case 2:
bfaaeb3e 2620 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2621 break;
2622
2623 case 4:
bfaaeb3e 2624 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2625 break;
2626
2627 default:
2628 *val = (unsigned long) opt->val;
2629 break;
2630 }
2631
b4400672 2632 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2633 return len;
2634}
2635
1da177e4
LT		 2636static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2637{
2638 struct l2cap_conf_opt *opt = *ptr;
2639
b4400672 2640 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2641
2642 opt->type = type;
2643 opt->len = len;
2644
2645 switch (len) {
2646 case 1:
2647 *((u8 *) opt->val) = val;
2648 break;
2649
2650 case 2:
4f8b691c 2651 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2652 break;
2653
2654 case 4:
4f8b691c 2655 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2656 break;
2657
2658 default:
2659 memcpy(opt->val, (void *) val, len);
2660 break;
2661 }
2662
2663 *ptr += L2CAP_CONF_OPT_SIZE + len;
2664}
2665
f89cef09
AE		 2666static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2667{
2668 struct l2cap_conf_efs efs;
2669
1ec918ce 2670 switch (chan->mode) {
f89cef09
AE		 2671 case L2CAP_MODE_ERTM:
2672 efs.id = chan->local_id;
2673 efs.stype = chan->local_stype;
2674 efs.msdu = cpu_to_le16(chan->local_msdu);
2675 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2676 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2677 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2678 break;
2679
2680 case L2CAP_MODE_STREAMING:
2681 efs.id = 1;
2682 efs.stype = L2CAP_SERV_BESTEFFORT;
2683 efs.msdu = cpu_to_le16(chan->local_msdu);
2684 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2685 efs.acc_lat = 0;
2686 efs.flush_to = 0;
2687 break;
2688
2689 default:
2690 return;
2691 }
2692
2693 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2694 (unsigned long) &efs);
2695}
2696
721c4181 2697static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2698{
721c4181 2699 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2700 ack_timer.work);
2701 u16 frames_to_ack;
c1b4f43b 2702
2fb9b3d4
GP		 2703 BT_DBG("chan %p", chan);
2704
6be36555
AE		 2705 l2cap_chan_lock(chan);
2706
0362520b
MM		 2707 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2708 chan->last_acked_seq);
6be36555 2709
0362520b
MM		 2710 if (frames_to_ack)
2711 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2712
0362520b 2713 l2cap_chan_unlock(chan);
09bfb2ee 2714 l2cap_chan_put(chan);
c1b4f43b
GP		 2715}
2716
466f8004 2717int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2718{
3c588192
MM		 2719 int err;
2720
105bdf9e
MM		 2721 chan->next_tx_seq = 0;
2722 chan->expected_tx_seq = 0;
42e5c802 2723 chan->expected_ack_seq = 0;
6a026610 2724 chan->unacked_frames = 0;
42e5c802 2725 chan->buffer_seq = 0;
6a026610 2726 chan->frames_sent = 0;
105bdf9e
MM		 2727 chan->last_acked_seq = 0;
2728 chan->sdu = NULL;
2729 chan->sdu_last_frag = NULL;
2730 chan->sdu_len = 0;
2731
d34c34fb
MM		 2732 skb_queue_head_init(&chan->tx_q);
2733
105bdf9e
MM		 2734 if (chan->mode != L2CAP_MODE_ERTM)
2735 return 0;
2736
2737 chan->rx_state = L2CAP_RX_STATE_RECV;
2738 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2739
721c4181
GP		 2740 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2741 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2742 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2743
f1c6775b 2744 skb_queue_head_init(&chan->srej_q);
1890d36b 2745
3c588192
MM		 2746 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2747 if (err < 0)
2748 return err;
2749
9dc9affc
MM		 2750 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2751 if (err < 0)
2752 l2cap_seq_list_free(&chan->srej_list);
2753
2754 return err;
0565c1c2
GP		 2755}
2756
f2fcfcd6
GP		 2757static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2758{
2759 switch (mode) {
2760 case L2CAP_MODE_STREAMING:
2761 case L2CAP_MODE_ERTM:
2762 if (l2cap_mode_supported(mode, remote_feat_mask))
2763 return mode;
2764 /* fall through */
2765 default:
2766 return L2CAP_MODE_BASIC;
2767 }
2768}
2769
6327eb98
AE		 2770static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2771{
2772 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2773}
2774
f89cef09
AE		 2775static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2776{
2777 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2778}
2779
6327eb98
AE		 2780static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2781{
2782 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2783 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2784 /* use extended control field */
2785 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2786 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2787 } else {
6327eb98
AE		 2788 chan->tx_win = min_t(u16, chan->tx_win,
2789 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2790 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2791 }
c20f8e35 2792 chan->ack_win = chan->tx_win;
6327eb98
AE		 2793}
2794
710f9b0a 2795static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2796{
1da177e4 2797 struct l2cap_conf_req *req = data;
0c1bc5c6 2798 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2799 void *ptr = req->data;
c8f79162 2800 u16 size;
1da177e4 2801
49208c9c 2802 BT_DBG("chan %p", chan);
1da177e4 2803
73ffa904 2804 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2805 goto done;
2806
0c1bc5c6 2807 switch (chan->mode) {
f2fcfcd6
GP		 2808 case L2CAP_MODE_STREAMING:
2809 case L2CAP_MODE_ERTM:
c1360a1c 2810 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2811 break;
85eb53c6 2812
f89cef09
AE		 2813 if (__l2cap_efs_supported(chan))
2814 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2815
2ba13ed6 2816 /* fall through */
f2fcfcd6 2817 default:
8c1d787b 2818 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2819 break;
2820 }
2821
2822done:
0c1bc5c6
GP		 2823 if (chan->imtu != L2CAP_DEFAULT_MTU)
2824 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2825
0c1bc5c6 2826 switch (chan->mode) {
65c7c491 2827 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2828 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2829 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2830 break;
2831
62547752
GP		 2832 rfc.mode = L2CAP_MODE_BASIC;
2833 rfc.txwin_size = 0;
2834 rfc.max_transmit = 0;
2835 rfc.retrans_timeout = 0;
2836 rfc.monitor_timeout = 0;
2837 rfc.max_pdu_size = 0;
2838
63406504
GP		 2839 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2840 (unsigned long) &rfc);
65c7c491
MH		 2841 break;
2842
2843 case L2CAP_MODE_ERTM:
2844 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2845 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2846 rfc.retrans_timeout = 0;
2847 rfc.monitor_timeout = 0;
c8f79162
AE		 2848
2849 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2850 L2CAP_EXT_HDR_SIZE -
2851 L2CAP_SDULEN_SIZE -
2852 L2CAP_FCS_SIZE);
2853 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2854
6327eb98
AE		 2855 l2cap_txwin_setup(chan);
2856
2857 rfc.txwin_size = min_t(u16, chan->tx_win,
2858 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2859
63406504
GP		 2860 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2861 (unsigned long) &rfc);
2862
f89cef09
AE		 2863 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2864 l2cap_add_opt_efs(&ptr, chan);
2865
8c1d787b 2866 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2867 break;
2868
47d1ec61 2869 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2870 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2871 chan->fcs = L2CAP_FCS_NONE;
2872 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2873 }
6327eb98
AE		 2874
2875 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2876 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2877 chan->tx_win);
f2fcfcd6
GP		 2878 break;
2879
2880 case L2CAP_MODE_STREAMING:
273759e2 2881 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2882 rfc.mode = L2CAP_MODE_STREAMING;
2883 rfc.txwin_size = 0;
2884 rfc.max_transmit = 0;
2885 rfc.retrans_timeout = 0;
2886 rfc.monitor_timeout = 0;
c8f79162
AE		 2887
2888 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2889 L2CAP_EXT_HDR_SIZE -
2890 L2CAP_SDULEN_SIZE -
2891 L2CAP_FCS_SIZE);
2892 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2893
63406504
GP		 2894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2895 (unsigned long) &rfc);
2896
f89cef09
AE		 2897 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2898 l2cap_add_opt_efs(&ptr, chan);
2899
8c1d787b 2900 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2901 break;
2902
47d1ec61 2903 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2904 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2905 chan->fcs = L2CAP_FCS_NONE;
2906 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2907 }
65c7c491
MH		 2908 break;
2909 }
1da177e4 2910
fe4128e0 2911 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2912 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2913
2914 return ptr - data;
2915}
2916
73ffa904 2917static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2918{
5dee9e7c
MH		 2919 struct l2cap_conf_rsp *rsp = data;
2920 void *ptr = rsp->data;
73ffa904
GP		 2921 void *req = chan->conf_req;
2922 int len = chan->conf_len;
5dee9e7c
MH		 2923 int type, hint, olen;
2924 unsigned long val;
6464f35f 2925 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2926 struct l2cap_conf_efs efs;
2927 u8 remote_efs = 0;
861d6882 2928 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2929 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2930 u16 size;
1da177e4 2931
73ffa904 2932 BT_DBG("chan %p", chan);
820ae1b8 2933
5dee9e7c
MH		 2934 while (len >= L2CAP_CONF_OPT_SIZE) {
2935 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2936
589d2746 2937 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2938 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2939
2940 switch (type) {
2941 case L2CAP_CONF_MTU:
861d6882 2942 mtu = val;
5dee9e7c
MH		 2943 break;
2944
2945 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2946 chan->flush_to = val;
5dee9e7c
MH		 2947 break;
2948
2949 case L2CAP_CONF_QOS:
2950 break;
2951
6464f35f
MH		 2952 case L2CAP_CONF_RFC:
2953 if (olen == sizeof(rfc))
2954 memcpy(&rfc, (void *) val, olen);
2955 break;
2956
fcc203c3
GP		 2957 case L2CAP_CONF_FCS:
2958 if (val == L2CAP_FCS_NONE)
c1360a1c 2959 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2960 break;
fcc203c3 2961
42dceae2
AE		 2962 case L2CAP_CONF_EFS:
2963 remote_efs = 1;
2964 if (olen == sizeof(efs))
2965 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2966 break;
2967
6327eb98
AE		 2968 case L2CAP_CONF_EWS:
2969 if (!enable_hs)
2970 return -ECONNREFUSED;
fcc203c3 2971
6327eb98
AE		 2972 set_bit(FLAG_EXT_CTRL, &chan->flags);
2973 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2974 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2975 chan->remote_tx_win = val;
fcc203c3
GP		 2976 break;
2977
5dee9e7c
MH		 2978 default:
2979 if (hint)
2980 break;
2981
2982 result = L2CAP_CONF_UNKNOWN;
2983 *((u8 *) ptr++) = type;
2984 break;
2985 }
2986 }
2987
73ffa904 2988 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2989 goto done;
2990
0c1bc5c6 2991 switch (chan->mode) {
f2fcfcd6
GP		 2992 case L2CAP_MODE_STREAMING:
2993 case L2CAP_MODE_ERTM:
c1360a1c 2994 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2995 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2996 chan->conn->feat_mask);
85eb53c6
GP		 2997 break;
2998 }
2999
42dceae2
AE		 3000 if (remote_efs) {
3001 if (__l2cap_efs_supported(chan))
3002 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3003 else
3004 return -ECONNREFUSED;
3005 }
3006
0c1bc5c6 3007 if (chan->mode != rfc.mode)
f2fcfcd6 3008 return -ECONNREFUSED;
742e519b 3009
f2fcfcd6 3010 break;
f2fcfcd6
GP		 3011 }
3012
3013done:
0c1bc5c6 3014 if (chan->mode != rfc.mode) {
f2fcfcd6 3015 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3016 rfc.mode = chan->mode;
f2fcfcd6 3017
73ffa904 3018 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3019 return -ECONNREFUSED;
3020
3021 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3022 sizeof(rfc), (unsigned long) &rfc);
3023 }
3024
5dee9e7c
MH		 3025 if (result == L2CAP_CONF_SUCCESS) {
3026 /* Configure output options and let the other side know
3027 * which ones we don't like. */
3028
f2fcfcd6
GP		 3029 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3030 result = L2CAP_CONF_UNACCEPT;
3031 else {
0c1bc5c6 3032 chan->omtu = mtu;
c1360a1c 3033 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3034 }
0c1bc5c6 3035 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3036
42dceae2
AE		 3037 if (remote_efs) {
3038 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3039 efs.stype != L2CAP_SERV_NOTRAFIC &&
3040 efs.stype != chan->local_stype) {
3041
3042 result = L2CAP_CONF_UNACCEPT;
3043
3044 if (chan->num_conf_req >= 1)
3045 return -ECONNREFUSED;
3046
3047 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3048 sizeof(efs),
42dceae2 3049 (unsigned long) &efs);
0e8b207e 3050 } else {
3e6b3b95 3051 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3052 result = L2CAP_CONF_PENDING;
3053 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3054 }
3055 }
3056
f2fcfcd6
GP		 3057 switch (rfc.mode) {
3058 case L2CAP_MODE_BASIC:
47d1ec61 3059 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3060 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3061 break;
3062
3063 case L2CAP_MODE_ERTM:
6327eb98
AE		 3064 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3065 chan->remote_tx_win = rfc.txwin_size;
3066 else
3067 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3068
2c03a7a4 3069 chan->remote_max_tx = rfc.max_transmit;
1c762159 3070
c8f79162
AE		 3071 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3072 chan->conn->mtu -
3073 L2CAP_EXT_HDR_SIZE -
3074 L2CAP_SDULEN_SIZE -
3075 L2CAP_FCS_SIZE);
3076 rfc.max_pdu_size = cpu_to_le16(size);
3077 chan->remote_mps = size;
f2fcfcd6 3078
10467e9e 3079 rfc.retrans_timeout =
4fd21a88 3080 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3081 rfc.monitor_timeout =
4fd21a88 3082 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3083
c1360a1c 3084 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3085
3086 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3087 sizeof(rfc), (unsigned long) &rfc);
3088
42dceae2
AE		 3089 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3090 chan->remote_id = efs.id;
3091 chan->remote_stype = efs.stype;
3092 chan->remote_msdu = le16_to_cpu(efs.msdu);
3093 chan->remote_flush_to =
3094 le32_to_cpu(efs.flush_to);
3095 chan->remote_acc_lat =
3096 le32_to_cpu(efs.acc_lat);
3097 chan->remote_sdu_itime =
3098 le32_to_cpu(efs.sdu_itime);
3099 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3100 sizeof(efs), (unsigned long) &efs);
3101 }
f2fcfcd6
GP		 3102 break;
3103
3104 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3105 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3106 chan->conn->mtu -
3107 L2CAP_EXT_HDR_SIZE -
3108 L2CAP_SDULEN_SIZE -
3109 L2CAP_FCS_SIZE);
3110 rfc.max_pdu_size = cpu_to_le16(size);
3111 chan->remote_mps = size;
f2fcfcd6 3112
c1360a1c 3113 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3114
3115 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3116 sizeof(rfc), (unsigned long) &rfc);
3117
f2fcfcd6
GP		 3118 break;
3119
3120 default:
5dee9e7c 3121 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3122
6464f35f 3123 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3124 rfc.mode = chan->mode;
f2fcfcd6 3125 }
6464f35f 3126
f2fcfcd6 3127 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3128 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3129 }
fe4128e0 3130 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3131 rsp->result = cpu_to_le16(result);
59e54bd1 3132 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3133
3134 return ptr - data;
1da177e4
LT		 3135}
3136
b4450035 3137static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3138{
f2fcfcd6
GP		 3139 struct l2cap_conf_req *req = data;
3140 void *ptr = req->data;
3141 int type, olen;
3142 unsigned long val;
36e999a8 3143 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3144 struct l2cap_conf_efs efs;
f2fcfcd6 3145
fe4128e0 3146 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3147
3148 while (len >= L2CAP_CONF_OPT_SIZE) {
3149 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3150
3151 switch (type) {
3152 case L2CAP_CONF_MTU:
3153 if (val < L2CAP_DEFAULT_MIN_MTU) {
3154 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3155 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3156 } else
0c1bc5c6
GP		 3157 chan->imtu = val;
3158 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3159 break;
3160
3161 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3162 chan->flush_to = val;
f2fcfcd6 3163 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3164 2, chan->flush_to);
f2fcfcd6
GP		 3165 break;
3166
3167 case L2CAP_CONF_RFC:
3168 if (olen == sizeof(rfc))
3169 memcpy(&rfc, (void *)val, olen);
3170
c1360a1c 3171 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3172 rfc.mode != chan->mode)
f2fcfcd6
GP		 3173 return -ECONNREFUSED;
3174
47d1ec61 3175 chan->fcs = 0;
f2fcfcd6
GP		 3176
3177 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3178 sizeof(rfc), (unsigned long) &rfc);
3179 break;
6327eb98
AE		 3180
3181 case L2CAP_CONF_EWS:
c20f8e35 3182 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3183 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3184 chan->tx_win);
6327eb98 3185 break;
66af7aaf
AE		 3186
3187 case L2CAP_CONF_EFS:
3188 if (olen == sizeof(efs))
3189 memcpy(&efs, (void *)val, olen);
3190
3191 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3192 efs.stype != L2CAP_SERV_NOTRAFIC &&
3193 efs.stype != chan->local_stype)
3194 return -ECONNREFUSED;
3195
3196 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3197 sizeof(efs), (unsigned long) &efs);
3198 break;
f2fcfcd6
GP		 3199 }
3200 }
3201
0c1bc5c6 3202 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3203 return -ECONNREFUSED;
3204
0c1bc5c6 3205 chan->mode = rfc.mode;
6c2ea7a8 3206
0e8b207e 3207 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3208 switch (rfc.mode) {
3209 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3210 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3211 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3212 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3213 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3214 chan->ack_win = min_t(u16, chan->ack_win,
3215 rfc.txwin_size);
66af7aaf
AE		 3216
3217 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3218 chan->local_msdu = le16_to_cpu(efs.msdu);
3219 chan->local_sdu_itime =
3220 le32_to_cpu(efs.sdu_itime);
3221 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3222 chan->local_flush_to =
3223 le32_to_cpu(efs.flush_to);
3224 }
f2fcfcd6 3225 break;
66af7aaf 3226
f2fcfcd6 3227 case L2CAP_MODE_STREAMING:
47d1ec61 3228 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3229 }
3230 }
3231
fe4128e0 3232 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3233 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3234
3235 return ptr - data;
3236}
3237
fe4128e0 3238static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3239{
3240 struct l2cap_conf_rsp *rsp = data;
3241 void *ptr = rsp->data;
1da177e4 3242
fe4128e0 3243 BT_DBG("chan %p", chan);
1da177e4 3244
fe4128e0 3245 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3246 rsp->result = cpu_to_le16(result);
aca3192c 3247 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3248
3249 return ptr - data;
3250}
3251
8c1d787b 3252void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3253{
3254 struct l2cap_conn_rsp rsp;
8c1d787b 3255 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3256 u8 buf[128];
3257
fe4128e0
GP		 3258 rsp.scid = cpu_to_le16(chan->dcid);
3259 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3260 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3261 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3262 l2cap_send_cmd(conn, chan->ident,
3263 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3264
c1360a1c 3265 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3266 return;
3267
710f9b0a
GP		 3268 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3269 l2cap_build_conf_req(chan, buf), buf);
3270 chan->num_conf_req++;
3271}
3272
47d1ec61 3273static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3274{
7b1c0049
GP		 3275 int type, olen;
3276 unsigned long val;
c20f8e35
MM		 3277 /* Use sane default values in case a misbehaving remote device
3278 * did not send an RFC or extended window size option.
3279 */
3280 u16 txwin_ext = chan->ack_win;
3281 struct l2cap_conf_rfc rfc = {
3282 .mode = chan->mode,
3283 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3284 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3285 .max_pdu_size = cpu_to_le16(chan->imtu),
3286 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3287 };
7b1c0049 3288
47d1ec61 3289 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3290
0c1bc5c6 3291 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3292 return;
3293
3294 while (len >= L2CAP_CONF_OPT_SIZE) {
3295 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3296
c20f8e35
MM		 3297 switch (type) {
3298 case L2CAP_CONF_RFC:
3299 if (olen == sizeof(rfc))
3300 memcpy(&rfc, (void *)val, olen);
8f321f85 3301 break;
c20f8e35
MM		 3302 case L2CAP_CONF_EWS:
3303 txwin_ext = val;
3304 break;
3305 }
7b1c0049
GP		 3306 }
3307
7b1c0049
GP		 3308 switch (rfc.mode) {
3309 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3310 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3311 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3312 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3313 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3314 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3315 else
3316 chan->ack_win = min_t(u16, chan->ack_win,
3317 rfc.txwin_size);
7b1c0049
GP		 3318 break;
3319 case L2CAP_MODE_STREAMING:
47d1ec61 3320 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3321 }
3322}
3323
4e8402a3
MH		 3324static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3325{
e2fd318e 3326 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3327
e2fd318e 3328 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3329 return 0;
3330
3331 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3332 cmd->ident == conn->info_ident) {
17cd3f37 3333 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3334
3335 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3336 conn->info_ident = 0;
984947dc 3337
4e8402a3
MH		 3338 l2cap_conn_start(conn);
3339 }
3340
3341 return 0;
3342}
3343
1da177e4
LT		 3344static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3345{
1da177e4
LT		 3346 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3347 struct l2cap_conn_rsp rsp;
23691d75 3348 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3349 struct sock *parent, *sk = NULL;
e7c29cb1 3350 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3351
3352 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3353 __le16 psm = req->psm;
1da177e4 3354
097db76c 3355 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3356
3357 /* Check if we have socket listening on psm */
c2287681 3358 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3359 if (!pchan) {
1da177e4
LT		 3360 result = L2CAP_CR_BAD_PSM;
3361 goto sendresp;
3362 }
3363
23691d75
GP		 3364 parent = pchan->sk;
3365
3df91ea2 3366 mutex_lock(&conn->chan_lock);
aa2ac881 3367 lock_sock(parent);
e0f0cb56 3368
e7c29cb1 3369 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3370 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3371 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3372 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3373 result = L2CAP_CR_SEC_BLOCK;
3374 goto response;
3375 }
3376
1da177e4
LT		 3377 result = L2CAP_CR_NO_MEM;
3378
2dfa1003
GP		 3379 /* Check if we already have channel with that dcid */
3380 if (__l2cap_get_chan_by_dcid(conn, scid))
3381 goto response;
3382
80b98027 3383 chan = pchan->ops->new_connection(pchan);
80808e43 3384 if (!chan)
1da177e4
LT		 3385 goto response;
3386
80808e43
GP		 3387 sk = chan->sk;
3388
1da177e4
LT		 3389 hci_conn_hold(conn->hcon);
3390
1da177e4
LT		 3391 bacpy(&bt_sk(sk)->src, conn->src);
3392 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3393 chan->psm = psm;
3394 chan->dcid = scid;
1da177e4 3395
d1010240
GP		 3396 bt_accept_enqueue(parent, sk);
3397
6be36555 3398 __l2cap_chan_add(conn, chan);
48454079 3399
fe4128e0 3400 dcid = chan->scid;
1da177e4 3401
c9b66675 3402 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3403
fc7f8a7e 3404 chan->ident = cmd->ident;
1da177e4 3405
984947dc 3406 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3407 if (l2cap_chan_check_security(chan)) {
c5daa683 3408 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3409 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3410 result = L2CAP_CR_PEND;
3411 status = L2CAP_CS_AUTHOR_PEND;
3412 parent->sk_data_ready(parent, 0);
3413 } else {
0e587be7 3414 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3415 result = L2CAP_CR_SUCCESS;
3416 status = L2CAP_CS_NO_INFO;
3417 }
79d554a6 3418 } else {
0e587be7 3419 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3420 result = L2CAP_CR_PEND;
3421 status = L2CAP_CS_AUTHEN_PEND;
3422 }
3423 } else {
0e587be7 3424 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3425 result = L2CAP_CR_PEND;
3426 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3427 }
3428
1da177e4 3429response:
aa2ac881 3430 release_sock(parent);
3df91ea2 3431 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3432
3433sendresp:
aca3192c
YH		 3434 rsp.scid = cpu_to_le16(scid);
3435 rsp.dcid = cpu_to_le16(dcid);
3436 rsp.result = cpu_to_le16(result);
3437 rsp.status = cpu_to_le16(status);
1da177e4 3438 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3439
3440 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3441 struct l2cap_info_req info;
ac73498c 3442 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3443
3444 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3445 conn->info_ident = l2cap_get_ident(conn);
3446
ba13ccd9 3447 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3448
3449 l2cap_send_cmd(conn, conn->info_ident,
3450 L2CAP_INFO_REQ, sizeof(info), &info);
3451 }
3452
c1360a1c 3453 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3454 result == L2CAP_CR_SUCCESS) {
3455 u8 buf[128];
c1360a1c 3456 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3457 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3458 l2cap_build_conf_req(chan, buf), buf);
3459 chan->num_conf_req++;
e9aeb2dd
GP		 3460 }
3461
1da177e4
LT		 3462 return 0;
3463}
3464
3465static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3466{
3467 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3468 u16 scid, dcid, result, status;
48454079 3469 struct l2cap_chan *chan;
1da177e4 3470 u8 req[128];
3df91ea2 3471 int err;
1da177e4
LT		 3472
3473 scid = __le16_to_cpu(rsp->scid);
3474 dcid = __le16_to_cpu(rsp->dcid);
3475 result = __le16_to_cpu(rsp->result);
3476 status = __le16_to_cpu(rsp->status);
3477
1b009c98
AE		 3478 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3479 dcid, scid, result, status);
1da177e4 3480
3df91ea2
AE		 3481 mutex_lock(&conn->chan_lock);
3482
1da177e4 3483 if (scid) {
3df91ea2
AE		 3484 chan = __l2cap_get_chan_by_scid(conn, scid);
3485 if (!chan) {
3486 err = -EFAULT;
3487 goto unlock;
3488 }
1da177e4 3489 } else {
3df91ea2
AE		 3490 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3491 if (!chan) {
3492 err = -EFAULT;
3493 goto unlock;
3494 }
1da177e4
LT		 3495 }
3496
3df91ea2
AE		 3497 err = 0;
3498
6be36555 3499 l2cap_chan_lock(chan);
48454079 3500
1da177e4
LT		 3501 switch (result) {
3502 case L2CAP_CR_SUCCESS:
89bc500e 3503 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3504 chan->ident = 0;
fe4128e0 3505 chan->dcid = dcid;
c1360a1c 3506 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3507
c1360a1c 3508 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3509 break;
3510
1da177e4 3511 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3512 l2cap_build_conf_req(chan, req), req);
3513 chan->num_conf_req++;
1da177e4
LT		 3514 break;
3515
3516 case L2CAP_CR_PEND:
c1360a1c 3517 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3518 break;
3519
3520 default:
48454079 3521 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3522 break;
3523 }
3524
6be36555 3525 l2cap_chan_unlock(chan);
3df91ea2
AE		 3526
3527unlock:
3528 mutex_unlock(&conn->chan_lock);
3529
3530 return err;
1da177e4
LT		 3531}
3532
47d1ec61 3533static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3534{
3535 /* FCS is enabled only in ERTM or streaming mode, if one or both
3536 * sides request it.
3537 */
0c1bc5c6 3538 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3539 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3540 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3541 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3542}
3543
88219a0f 3544static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3545{
3546 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3547 u16 dcid, flags;
3548 u8 rsp[64];
48454079 3549 struct l2cap_chan *chan;
3c588192 3550 int len, err = 0;
1da177e4
LT		 3551
3552 dcid = __le16_to_cpu(req->dcid);
3553 flags = __le16_to_cpu(req->flags);
3554
3555 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3556
baa7e1fa 3557 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3558 if (!chan)
1da177e4
LT		 3559 return -ENOENT;
3560
033b1142 3561 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3562 struct l2cap_cmd_rej_cid rej;
3563
ac73498c 3564 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3565 rej.scid = cpu_to_le16(chan->scid);
3566 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3567
df6bd743
GP		 3568 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3569 sizeof(rej), &rej);
354f60a9 3570 goto unlock;
df6bd743 3571 }
354f60a9 3572
5dee9e7c 3573 /* Reject if config buffer is too small. */
88219a0f 3574 len = cmd_len - sizeof(*req);
7ac28817 3575 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3576 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3577 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3578 L2CAP_CONF_REJECT, flags), rsp);
3579 goto unlock;
3580 }
3581
3582 /* Store config. */
73ffa904
GP		 3583 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3584 chan->conf_len += len;
1da177e4 3585
59e54bd1 3586 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3587 /* Incomplete config. Send empty response. */
3588 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3589 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3590 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3591 goto unlock;
3592 }
3593
3594 /* Complete config. */
73ffa904 3595 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3596 if (len < 0) {
e92c8e70 3597 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3598 goto unlock;
f2fcfcd6 3599 }
1da177e4 3600
5dee9e7c 3601 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3602 chan->num_conf_rsp++;
5dee9e7c 3603
5dee9e7c 3604 /* Reset config buffer. */
73ffa904 3605 chan->conf_len = 0;
5dee9e7c 3606
c1360a1c 3607 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3608 goto unlock;
3609
c1360a1c 3610 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3611 set_default_fcs(chan);
fcc203c3 3612
105bdf9e
MM		 3613 if (chan->mode == L2CAP_MODE_ERTM ||
3614 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3615 err = l2cap_ertm_init(chan);
3616
3617 if (err < 0)
3618 l2cap_send_disconn_req(chan->conn, chan, -err);
3619 else
3620 l2cap_chan_ready(chan);
0565c1c2 3621
876d9484
MH		 3622 goto unlock;
3623 }
3624
c1360a1c 3625 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3626 u8 buf[64];
1da177e4 3627 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3628 l2cap_build_conf_req(chan, buf), buf);
3629 chan->num_conf_req++;
1da177e4
LT		 3630 }
3631
0e8b207e
AE		 3632 /* Got Conf Rsp PENDING from remote side and asume we sent
3633 Conf Rsp PENDING in the code above */
3634 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3635 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3636
3637 /* check compatibility */
3638
3639 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3640 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3641
3642 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3643 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3644 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3645 }
3646
1da177e4 3647unlock:
6be36555 3648 l2cap_chan_unlock(chan);
3c588192 3649 return err;
1da177e4
LT		 3650}
3651
3652static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3653{
3654 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3655 u16 scid, flags, result;
48454079 3656 struct l2cap_chan *chan;
61386cba 3657 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3658 int err = 0;
1da177e4
LT		 3659
3660 scid = __le16_to_cpu(rsp->scid);
3661 flags = __le16_to_cpu(rsp->flags);
3662 result = __le16_to_cpu(rsp->result);
3663
61386cba
AE		 3664 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3665 result, len);
1da177e4 3666
baa7e1fa 3667 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3668 if (!chan)
1da177e4
LT		 3669 return 0;
3670
3671 switch (result) {
3672 case L2CAP_CONF_SUCCESS:
47d1ec61 3673 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3674 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3675 break;
3676
0e8b207e
AE		 3677 case L2CAP_CONF_PENDING:
3678 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3679
3680 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3681 char buf[64];
3682
3683 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3684 buf, &result);
3685 if (len < 0) {
3686 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3687 goto done;
3688 }
3689
3690 /* check compatibility */
3691
3692 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3693 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3694
3695 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3696 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3697 L2CAP_CONF_SUCCESS, 0x0000), buf);
3698 }
3699 goto done;
3700
1da177e4 3701 case L2CAP_CONF_UNACCEPT:
73ffa904 3702 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3703 char req[64];
3704
c2c77ec8 3705 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3706 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3707 goto done;
3708 }
3709
f2fcfcd6
GP		 3710 /* throw out any old stored conf requests */
3711 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3712 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3713 req, &result);
f2fcfcd6 3714 if (len < 0) {
e92c8e70 3715 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3716 goto done;
3717 }
3718
3719 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3720 L2CAP_CONF_REQ, len, req);
73ffa904 3721 chan->num_conf_req++;
f2fcfcd6
GP		 3722 if (result != L2CAP_CONF_SUCCESS)
3723 goto done;
3724 break;
1da177e4
LT		 3725 }
3726
8e87d142 3727 default:
6be36555 3728 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3729
ba13ccd9 3730 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3731 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3732 goto done;
3733 }
3734
59e54bd1 3735 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3736 goto done;
3737
c1360a1c 3738 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3739
c1360a1c 3740 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3741 set_default_fcs(chan);
fcc203c3 3742
105bdf9e
MM		 3743 if (chan->mode == L2CAP_MODE_ERTM ||
3744 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3745 err = l2cap_ertm_init(chan);
0565c1c2 3746
3c588192
MM		 3747 if (err < 0)
3748 l2cap_send_disconn_req(chan->conn, chan, -err);
3749 else
3750 l2cap_chan_ready(chan);
1da177e4
LT		 3751 }
3752
3753done:
6be36555 3754 l2cap_chan_unlock(chan);
3c588192 3755 return err;
1da177e4
LT		 3756}
3757
3758static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3759{
3760 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3761 struct l2cap_disconn_rsp rsp;
3762 u16 dcid, scid;
48454079 3763 struct l2cap_chan *chan;
1da177e4
LT		 3764 struct sock *sk;
3765
3766 scid = __le16_to_cpu(req->scid);
3767 dcid = __le16_to_cpu(req->dcid);
3768
3769 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3770
3df91ea2
AE		 3771 mutex_lock(&conn->chan_lock);
3772
3773 chan = __l2cap_get_chan_by_scid(conn, dcid);
3774 if (!chan) {
3775 mutex_unlock(&conn->chan_lock);
1da177e4 3776 return 0;
3df91ea2 3777 }
1da177e4 3778
6be36555
AE		 3779 l2cap_chan_lock(chan);
3780
48454079
GP		 3781 sk = chan->sk;
3782
fe4128e0
GP		 3783 rsp.dcid = cpu_to_le16(chan->scid);
3784 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3785 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3786
6be36555 3787 lock_sock(sk);
1da177e4 3788 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3789 release_sock(sk);
1da177e4 3790
61d6ef3e 3791 l2cap_chan_hold(chan);
48454079 3792 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3793
3794 l2cap_chan_unlock(chan);
1da177e4 3795
80b98027 3796 chan->ops->close(chan);
61d6ef3e 3797 l2cap_chan_put(chan);
3df91ea2
AE		 3798
3799 mutex_unlock(&conn->chan_lock);
3800
1da177e4
LT		 3801 return 0;
3802}
3803
3804static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3805{
3806 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3807 u16 dcid, scid;
48454079 3808 struct l2cap_chan *chan;
1da177e4
LT		 3809
3810 scid = __le16_to_cpu(rsp->scid);
3811 dcid = __le16_to_cpu(rsp->dcid);
3812
3813 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3814
3df91ea2
AE		 3815 mutex_lock(&conn->chan_lock);
3816
3817 chan = __l2cap_get_chan_by_scid(conn, scid);
3818 if (!chan) {
3819 mutex_unlock(&conn->chan_lock);
1da177e4 3820 return 0;
3df91ea2 3821 }
1da177e4 3822
6be36555 3823 l2cap_chan_lock(chan);
48454079 3824
61d6ef3e 3825 l2cap_chan_hold(chan);
48454079 3826 l2cap_chan_del(chan, 0);
6be36555
AE		 3827
3828 l2cap_chan_unlock(chan);
1da177e4 3829
80b98027 3830 chan->ops->close(chan);
61d6ef3e 3831 l2cap_chan_put(chan);
3df91ea2
AE		 3832
3833 mutex_unlock(&conn->chan_lock);
3834
1da177e4
LT		 3835 return 0;
3836}
3837
3838static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3839{
3840 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3841 u16 type;
3842
3843 type = __le16_to_cpu(req->type);
3844
3845 BT_DBG("type 0x%4.4x", type);
3846
f0709e03
MH		 3847 if (type == L2CAP_IT_FEAT_MASK) {
3848 u8 buf[8];
44dd46de 3849 u32 feat_mask = l2cap_feat_mask;
f0709e03 3850 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3851 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3852 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3853 if (!disable_ertm)
fcc203c3
GP		 3854 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3855 | L2CAP_FEAT_FCS;
a5fd6f30 3856 if (enable_hs)
6327eb98
AE		 3857 feat_mask |= L2CAP_FEAT_EXT_FLOW
3858 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3859
1b7bf4ed 3860 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3861 l2cap_send_cmd(conn, cmd->ident,
3862 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3863 } else if (type == L2CAP_IT_FIXED_CHAN) {
3864 u8 buf[12];
3865 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3866
3867 if (enable_hs)
3868 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3869 else
3870 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3871
ac73498c
AE		 3872 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3873 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3874 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3875 l2cap_send_cmd(conn, cmd->ident,
3876 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3877 } else {
3878 struct l2cap_info_rsp rsp;
3879 rsp.type = cpu_to_le16(type);
ac73498c 3880 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3881 l2cap_send_cmd(conn, cmd->ident,
3882 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3883 }
1da177e4
LT		 3884
3885 return 0;
3886}
3887
3888static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3889{
3890 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3891 u16 type, result;
3892
3893 type = __le16_to_cpu(rsp->type);
3894 result = __le16_to_cpu(rsp->result);
3895
3896 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3897
e90165be
AE		 3898 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3899 if (cmd->ident != conn->info_ident ||
3900 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3901 return 0;
3902
17cd3f37 3903 cancel_delayed_work(&conn->info_timer);
4e8402a3 3904
adb08ede
VT		 3905 if (result != L2CAP_IR_SUCCESS) {
3906 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3907 conn->info_ident = 0;
3908
3909 l2cap_conn_start(conn);
3910
3911 return 0;
3912 }
3913
978c93b9
AE		 3914 switch (type) {
3915 case L2CAP_IT_FEAT_MASK:
83985319 3916 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3917
47ec1dcd 3918 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3919 struct l2cap_info_req req;
ac73498c 3920 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3921
3922 conn->info_ident = l2cap_get_ident(conn);
3923
3924 l2cap_send_cmd(conn, conn->info_ident,
3925 L2CAP_INFO_REQ, sizeof(req), &req);
3926 } else {
3927 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3928 conn->info_ident = 0;
3929
3930 l2cap_conn_start(conn);
3931 }
978c93b9
AE		 3932 break;
3933
3934 case L2CAP_IT_FIXED_CHAN:
3935 conn->fixed_chan_mask = rsp->data[0];
984947dc 3936 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3937 conn->info_ident = 0;
984947dc
MH		 3938
3939 l2cap_conn_start(conn);
978c93b9 3940 break;
984947dc 3941 }
4e8402a3 3942
1da177e4
LT		 3943 return 0;
3944}
3945
f94ff6ff
MM		 3946static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3947 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3948 void *data)
3949{
3950 struct l2cap_create_chan_req *req = data;
3951 struct l2cap_create_chan_rsp rsp;
3952 u16 psm, scid;
3953
3954 if (cmd_len != sizeof(*req))
3955 return -EPROTO;
3956
3957 if (!enable_hs)
3958 return -EINVAL;
3959
3960 psm = le16_to_cpu(req->psm);
3961 scid = le16_to_cpu(req->scid);
3962
ad0ac6ca 3963 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 3964
3965 /* Placeholder: Always reject */
3966 rsp.dcid = 0;
3967 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3968 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3969 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3970
3971 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3972 sizeof(rsp), &rsp);
3973
3974 return 0;
3975}
3976
3977static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3978 struct l2cap_cmd_hdr *cmd, void *data)
3979{
3980 BT_DBG("conn %p", conn);
3981
3982 return l2cap_connect_rsp(conn, cmd, data);
3983}
3984
8d5a04a1 3985static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 3986 u16 icid, u16 result)
8d5a04a1
MM		 3987{
3988 struct l2cap_move_chan_rsp rsp;
3989
ad0ac6ca 3990 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 3991
3992 rsp.icid = cpu_to_le16(icid);
3993 rsp.result = cpu_to_le16(result);
3994
3995 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3996}
3997
3998static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 3999 struct l2cap_chan *chan,
4000 u16 icid, u16 result)
8d5a04a1
MM		 4001{
4002 struct l2cap_move_chan_cfm cfm;
4003 u8 ident;
4004
ad0ac6ca 4005 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4006
4007 ident = l2cap_get_ident(conn);
4008 if (chan)
4009 chan->ident = ident;
4010
4011 cfm.icid = cpu_to_le16(icid);
4012 cfm.result = cpu_to_le16(result);
4013
4014 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4015}
4016
4017static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4018 u16 icid)
8d5a04a1
MM		 4019{
4020 struct l2cap_move_chan_cfm_rsp rsp;
4021
ad0ac6ca 4022 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4023
4024 rsp.icid = cpu_to_le16(icid);
4025 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4026}
4027
4028static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4029 struct l2cap_cmd_hdr *cmd,
4030 u16 cmd_len, void *data)
8d5a04a1
MM		 4031{
4032 struct l2cap_move_chan_req *req = data;
4033 u16 icid = 0;
4034 u16 result = L2CAP_MR_NOT_ALLOWED;
4035
4036 if (cmd_len != sizeof(*req))
4037 return -EPROTO;
4038
4039 icid = le16_to_cpu(req->icid);
4040
ad0ac6ca 4041 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4042
4043 if (!enable_hs)
4044 return -EINVAL;
4045
4046 /* Placeholder: Always refuse */
4047 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4048
4049 return 0;
4050}
4051
4052static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4053 struct l2cap_cmd_hdr *cmd,
4054 u16 cmd_len, void *data)
8d5a04a1
MM		 4055{
4056 struct l2cap_move_chan_rsp *rsp = data;
4057 u16 icid, result;
4058
4059 if (cmd_len != sizeof(*rsp))
4060 return -EPROTO;
4061
4062 icid = le16_to_cpu(rsp->icid);
4063 result = le16_to_cpu(rsp->result);
4064
ad0ac6ca 4065 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4066
4067 /* Placeholder: Always unconfirmed */
4068 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4069
4070 return 0;
4071}
4072
4073static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4074 struct l2cap_cmd_hdr *cmd,
4075 u16 cmd_len, void *data)
8d5a04a1
MM		 4076{
4077 struct l2cap_move_chan_cfm *cfm = data;
4078 u16 icid, result;
4079
4080 if (cmd_len != sizeof(*cfm))
4081 return -EPROTO;
4082
4083 icid = le16_to_cpu(cfm->icid);
4084 result = le16_to_cpu(cfm->result);
4085
ad0ac6ca 4086 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4087
4088 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4089
4090 return 0;
4091}
4092
4093static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4094 struct l2cap_cmd_hdr *cmd,
4095 u16 cmd_len, void *data)
8d5a04a1
MM		 4096{
4097 struct l2cap_move_chan_cfm_rsp *rsp = data;
4098 u16 icid;
4099
4100 if (cmd_len != sizeof(*rsp))
4101 return -EPROTO;
4102
4103 icid = le16_to_cpu(rsp->icid);
4104
ad0ac6ca 4105 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4106
4107 return 0;
4108}
4109
e2174ca4 4110static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4111 u16 to_multiplier)
4112{
4113 u16 max_latency;
4114
4115 if (min > max || min < 6 || max > 3200)
4116 return -EINVAL;
4117
4118 if (to_multiplier < 10 || to_multiplier > 3200)
4119 return -EINVAL;
4120
4121 if (max >= to_multiplier * 8)
4122 return -EINVAL;
4123
4124 max_latency = (to_multiplier * 8 / max) - 1;
4125 if (latency > 499 || latency > max_latency)
4126 return -EINVAL;
4127
4128 return 0;
4129}
4130
4131static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4132 struct l2cap_cmd_hdr *cmd, u8 *data)
4133{
4134 struct hci_conn *hcon = conn->hcon;
4135 struct l2cap_conn_param_update_req *req;
4136 struct l2cap_conn_param_update_rsp rsp;
4137 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4138 int err;
de73115a
CT		 4139
4140 if (!(hcon->link_mode & HCI_LM_MASTER))
4141 return -EINVAL;
4142
4143 cmd_len = __le16_to_cpu(cmd->len);
4144 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4145 return -EPROTO;
4146
4147 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4148 min = __le16_to_cpu(req->min);
4149 max = __le16_to_cpu(req->max);
de73115a
CT		 4150 latency = __le16_to_cpu(req->latency);
4151 to_multiplier = __le16_to_cpu(req->to_multiplier);
4152
4153 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4154 min, max, latency, to_multiplier);
4155
4156 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4157
4158 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4159 if (err)
ac73498c 4160 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4161 else
ac73498c 4162 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4163
4164 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4165 sizeof(rsp), &rsp);
4166
2ce603eb
CT		 4167 if (!err)
4168 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4169
de73115a
CT		 4170 return 0;
4171}
4172
3300d9a9
CT		 4173static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4174 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4175{
4176 int err = 0;
4177
4178 switch (cmd->code) {
4179 case L2CAP_COMMAND_REJ:
4180 l2cap_command_rej(conn, cmd, data);
4181 break;
4182
4183 case L2CAP_CONN_REQ:
4184 err = l2cap_connect_req(conn, cmd, data);
4185 break;
4186
4187 case L2CAP_CONN_RSP:
4188 err = l2cap_connect_rsp(conn, cmd, data);
4189 break;
4190
4191 case L2CAP_CONF_REQ:
4192 err = l2cap_config_req(conn, cmd, cmd_len, data);
4193 break;
4194
4195 case L2CAP_CONF_RSP:
4196 err = l2cap_config_rsp(conn, cmd, data);
4197 break;
4198
4199 case L2CAP_DISCONN_REQ:
4200 err = l2cap_disconnect_req(conn, cmd, data);
4201 break;
4202
4203 case L2CAP_DISCONN_RSP:
4204 err = l2cap_disconnect_rsp(conn, cmd, data);
4205 break;
4206
4207 case L2CAP_ECHO_REQ:
4208 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4209 break;
4210
4211 case L2CAP_ECHO_RSP:
4212 break;
4213
4214 case L2CAP_INFO_REQ:
4215 err = l2cap_information_req(conn, cmd, data);
4216 break;
4217
4218 case L2CAP_INFO_RSP:
4219 err = l2cap_information_rsp(conn, cmd, data);
4220 break;
4221
f94ff6ff
MM		 4222 case L2CAP_CREATE_CHAN_REQ:
4223 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4224 break;
4225
4226 case L2CAP_CREATE_CHAN_RSP:
4227 err = l2cap_create_channel_rsp(conn, cmd, data);
4228 break;
4229
8d5a04a1
MM		 4230 case L2CAP_MOVE_CHAN_REQ:
4231 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4232 break;
4233
4234 case L2CAP_MOVE_CHAN_RSP:
4235 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4236 break;
4237
4238 case L2CAP_MOVE_CHAN_CFM:
4239 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4240 break;
4241
4242 case L2CAP_MOVE_CHAN_CFM_RSP:
4243 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4244 break;
4245
3300d9a9
CT		 4246 default:
4247 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4248 err = -EINVAL;
4249 break;
4250 }
4251
4252 return err;
4253}
4254
4255static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4256 struct l2cap_cmd_hdr *cmd, u8 *data)
4257{
4258 switch (cmd->code) {
4259 case L2CAP_COMMAND_REJ:
4260 return 0;
4261
4262 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4263 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4264
4265 case L2CAP_CONN_PARAM_UPDATE_RSP:
4266 return 0;
4267
4268 default:
4269 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4270 return -EINVAL;
4271 }
4272}
4273
4274static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4275 struct sk_buff *skb)
1da177e4
LT		 4276{
4277 u8 *data = skb->data;
4278 int len = skb->len;
4279 struct l2cap_cmd_hdr cmd;
3300d9a9 4280 int err;
1da177e4
LT		 4281
4282 l2cap_raw_recv(conn, skb);
4283
4284 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4285 u16 cmd_len;
1da177e4
LT		 4286 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4287 data += L2CAP_CMD_HDR_SIZE;
4288 len -= L2CAP_CMD_HDR_SIZE;
4289
88219a0f 4290 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4291
88219a0f 4292 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4293
88219a0f 4294 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4295 BT_DBG("corrupted command");
4296 break;
4297 }
4298
3300d9a9
CT		 4299 if (conn->hcon->type == LE_LINK)
4300 err = l2cap_le_sig_cmd(conn, &cmd, data);
4301 else
4302 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4303
4304 if (err) {
e2fd318e 4305 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4306
4307 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4308
4309 /* FIXME: Map err to a valid reason */
ac73498c 4310 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4311 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4312 }
4313
88219a0f
AV		 4314 data += cmd_len;
4315 len -= cmd_len;
1da177e4
LT		 4316 }
4317
4318 kfree_skb(skb);
4319}
4320
47d1ec61 4321static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4322{
4323 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4324 int hdr_size;
4325
4326 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4327 hdr_size = L2CAP_EXT_HDR_SIZE;
4328 else
4329 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4330
47d1ec61 4331 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4332 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4333 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4334 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4335
4336 if (our_fcs != rcv_fcs)
7a560e5c 4337 return -EBADMSG;
fcc203c3
GP		 4338 }
4339 return 0;
4340}
4341
6ea00485 4342static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4343{
e31f7633 4344 struct l2cap_ctrl control;
d5392c8f 4345
e31f7633 4346 BT_DBG("chan %p", chan);
d5392c8f 4347
e31f7633
MM		 4348 memset(&control, 0, sizeof(control));
4349 control.sframe = 1;
4350 control.final = 1;
4351 control.reqseq = chan->buffer_seq;
4352 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4353
e2ab4353 4354 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4355 control.super = L2CAP_SUPER_RNR;
4356 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4357 }
4358
e31f7633
MM		 4359 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4360 chan->unacked_frames > 0)
4361 __set_retrans_timer(chan);
d5392c8f 4362
e31f7633 4363 /* Send pending iframes */
525cd185 4364 l2cap_ertm_send(chan);
d5392c8f 4365
e2ab4353 4366 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4367 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4368 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4369 * send it now.
4370 */
4371 control.super = L2CAP_SUPER_RR;
4372 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4373 }
4374}
4375
84084a31
MM		 4376static void append_skb_frag(struct sk_buff *skb,
4377 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4378{
84084a31
MM		 4379 /* skb->len reflects data in skb as well as all fragments
4380 * skb->data_len reflects only data in fragments
4381 */
4382 if (!skb_has_frag_list(skb))
4383 skb_shinfo(skb)->frag_list = new_frag;
4384
4385 new_frag->next = NULL;
4386
4387 (*last_frag)->next = new_frag;
4388 *last_frag = new_frag;
4389
4390 skb->len += new_frag->len;
4391 skb->data_len += new_frag->len;
4392 skb->truesize += new_frag->truesize;
4393}
4394
4b51dae9
MM		 4395static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4396 struct l2cap_ctrl *control)
84084a31
MM		 4397{
4398 int err = -EINVAL;
18778a63 4399
4b51dae9 4400 switch (control->sar) {
7e0ef6ee 4401 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4402 if (chan->sdu)
4403 break;
18778a63 4404
80b98027 4405 err = chan->ops->recv(chan, skb);
84084a31 4406 break;
18778a63 4407
7e0ef6ee 4408 case L2CAP_SAR_START:
84084a31
MM		 4409 if (chan->sdu)
4410 break;
18778a63 4411
6f61fd47 4412 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4413 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4414
84084a31
MM		 4415 if (chan->sdu_len > chan->imtu) {
4416 err = -EMSGSIZE;
4417 break;
4418 }
1890d36b 4419
84084a31
MM		 4420 if (skb->len >= chan->sdu_len)
4421 break;
18778a63 4422
84084a31
MM		 4423 chan->sdu = skb;
4424 chan->sdu_last_frag = skb;
18778a63 4425
84084a31
MM		 4426 skb = NULL;
4427 err = 0;
18778a63
GP		 4428 break;
4429
7e0ef6ee 4430 case L2CAP_SAR_CONTINUE:
6f61fd47 4431 if (!chan->sdu)
84084a31 4432 break;
18778a63 4433
84084a31
MM		 4434 append_skb_frag(chan->sdu, skb,
4435 &chan->sdu_last_frag);
4436 skb = NULL;
18778a63 4437
84084a31
MM		 4438 if (chan->sdu->len >= chan->sdu_len)
4439 break;
4178ba46 4440
84084a31 4441 err = 0;
18778a63
GP		 4442 break;
4443
7e0ef6ee 4444 case L2CAP_SAR_END:
6f61fd47 4445 if (!chan->sdu)
84084a31 4446 break;
18778a63 4447
84084a31
MM		 4448 append_skb_frag(chan->sdu, skb,
4449 &chan->sdu_last_frag);
4450 skb = NULL;
4178ba46 4451
84084a31
MM		 4452 if (chan->sdu->len != chan->sdu_len)
4453 break;
18778a63 4454
80b98027 4455 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4456
84084a31
MM		 4457 if (!err) {
4458 /* Reassembly complete */
4459 chan->sdu = NULL;
4460 chan->sdu_last_frag = NULL;
4461 chan->sdu_len = 0;
1890d36b 4462 }
18778a63
GP		 4463 break;
4464 }
4465
84084a31
MM		 4466 if (err) {
4467 kfree_skb(skb);
4468 kfree_skb(chan->sdu);
4469 chan->sdu = NULL;
4470 chan->sdu_last_frag = NULL;
4471 chan->sdu_len = 0;
4472 }
18778a63 4473
84084a31 4474 return err;
18778a63
GP		 4475}
4476
61aa4f5b 4477void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4478{
61aa4f5b 4479 u8 event;
712132eb 4480
61aa4f5b
MM		 4481 if (chan->mode != L2CAP_MODE_ERTM)
4482 return;
712132eb 4483
61aa4f5b 4484 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4485 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4486}
4487
d2a7ac5d
MM		 4488static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4489{
63838725
MM		 4490 int err = 0;
4491 /* Pass sequential frames to l2cap_reassemble_sdu()
4492 * until a gap is encountered.
4493 */
4494
4495 BT_DBG("chan %p", chan);
4496
4497 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4498 struct sk_buff *skb;
4499 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4500 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4501
4502 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4503
4504 if (!skb)
4505 break;
4506
4507 skb_unlink(skb, &chan->srej_q);
4508 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4509 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4510 if (err)
4511 break;
4512 }
4513
4514 if (skb_queue_empty(&chan->srej_q)) {
4515 chan->rx_state = L2CAP_RX_STATE_RECV;
4516 l2cap_send_ack(chan);
4517 }
4518
4519 return err;
d2a7ac5d
MM		 4520}
4521
4522static void l2cap_handle_srej(struct l2cap_chan *chan,
4523 struct l2cap_ctrl *control)
4524{
f80842a8
MM		 4525 struct sk_buff *skb;
4526
4527 BT_DBG("chan %p, control %p", chan, control);
4528
4529 if (control->reqseq == chan->next_tx_seq) {
4530 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4531 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4532 return;
4533 }
4534
4535 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4536
4537 if (skb == NULL) {
4538 BT_DBG("Seq %d not available for retransmission",
4539 control->reqseq);
4540 return;
4541 }
4542
4543 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4544 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4545 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4546 return;
4547 }
4548
4549 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4550
4551 if (control->poll) {
4552 l2cap_pass_to_tx(chan, control);
4553
4554 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4555 l2cap_retransmit(chan, control);
4556 l2cap_ertm_send(chan);
4557
4558 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4559 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4560 chan->srej_save_reqseq = control->reqseq;
4561 }
4562 } else {
4563 l2cap_pass_to_tx_fbit(chan, control);
4564
4565 if (control->final) {
4566 if (chan->srej_save_reqseq != control->reqseq ||
4567 !test_and_clear_bit(CONN_SREJ_ACT,
4568 &chan->conn_state))
4569 l2cap_retransmit(chan, control);
4570 } else {
4571 l2cap_retransmit(chan, control);
4572 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4573 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4574 chan->srej_save_reqseq = control->reqseq;
4575 }
4576 }
4577 }
d2a7ac5d
MM		 4578}
4579
4580static void l2cap_handle_rej(struct l2cap_chan *chan,
4581 struct l2cap_ctrl *control)
4582{
fcd289df
MM		 4583 struct sk_buff *skb;
4584
4585 BT_DBG("chan %p, control %p", chan, control);
4586
4587 if (control->reqseq == chan->next_tx_seq) {
4588 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4589 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4590 return;
4591 }
4592
4593 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4594
4595 if (chan->max_tx && skb &&
4596 bt_cb(skb)->control.retries >= chan->max_tx) {
4597 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4598 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4599 return;
4600 }
4601
4602 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4603
4604 l2cap_pass_to_tx(chan, control);
4605
4606 if (control->final) {
4607 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4608 l2cap_retransmit_all(chan, control);
4609 } else {
4610 l2cap_retransmit_all(chan, control);
4611 l2cap_ertm_send(chan);
4612 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4613 set_bit(CONN_REJ_ACT, &chan->conn_state);
4614 }
d2a7ac5d
MM		 4615}
4616
4b51dae9
MM		 4617static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4618{
4619 BT_DBG("chan %p, txseq %d", chan, txseq);
4620
4621 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4622 chan->expected_tx_seq);
4623
4624 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4625 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4626 chan->tx_win) {
4627 /* See notes below regarding "double poll" and
4628 * invalid packets.
4629 */
4630 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4631 BT_DBG("Invalid/Ignore - after SREJ");
4632 return L2CAP_TXSEQ_INVALID_IGNORE;
4633 } else {
4634 BT_DBG("Invalid - in window after SREJ sent");
4635 return L2CAP_TXSEQ_INVALID;
4636 }
4637 }
4638
4639 if (chan->srej_list.head == txseq) {
4640 BT_DBG("Expected SREJ");
4641 return L2CAP_TXSEQ_EXPECTED_SREJ;
4642 }
4643
4644 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4645 BT_DBG("Duplicate SREJ - txseq already stored");
4646 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4647 }
4648
4649 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4650 BT_DBG("Unexpected SREJ - not requested");
4651 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4652 }
4653 }
4654
4655 if (chan->expected_tx_seq == txseq) {
4656 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4657 chan->tx_win) {
4658 BT_DBG("Invalid - txseq outside tx window");
4659 return L2CAP_TXSEQ_INVALID;
4660 } else {
4661 BT_DBG("Expected");
4662 return L2CAP_TXSEQ_EXPECTED;
4663 }
4664 }
4665
4666 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4667 __seq_offset(chan, chan->expected_tx_seq,
4668 chan->last_acked_seq)){
4669 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4670 return L2CAP_TXSEQ_DUPLICATE;
4671 }
4672
4673 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4674 /* A source of invalid packets is a "double poll" condition,
4675 * where delays cause us to send multiple poll packets. If
4676 * the remote stack receives and processes both polls,
4677 * sequence numbers can wrap around in such a way that a
4678 * resent frame has a sequence number that looks like new data
4679 * with a sequence gap. This would trigger an erroneous SREJ
4680 * request.
4681 *
4682 * Fortunately, this is impossible with a tx window that's
4683 * less than half of the maximum sequence number, which allows
4684 * invalid frames to be safely ignored.
4685 *
4686 * With tx window sizes greater than half of the tx window
4687 * maximum, the frame is invalid and cannot be ignored. This
4688 * causes a disconnect.
4689 */
4690
4691 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4692 BT_DBG("Invalid/Ignore - txseq outside tx window");
4693 return L2CAP_TXSEQ_INVALID_IGNORE;
4694 } else {
4695 BT_DBG("Invalid - txseq outside tx window");
4696 return L2CAP_TXSEQ_INVALID;
4697 }
4698 } else {
4699 BT_DBG("Unexpected - txseq indicates missing frames");
4700 return L2CAP_TXSEQ_UNEXPECTED;
4701 }
4702}
4703
d2a7ac5d
MM		 4704static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4705 struct l2cap_ctrl *control,
4706 struct sk_buff *skb, u8 event)
4707{
4708 int err = 0;
4709 bool skb_in_use = 0;
4710
4711 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4712 event);
4713
4714 switch (event) {
4715 case L2CAP_EV_RECV_IFRAME:
4716 switch (l2cap_classify_txseq(chan, control->txseq)) {
4717 case L2CAP_TXSEQ_EXPECTED:
4718 l2cap_pass_to_tx(chan, control);
4719
4720 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4721 BT_DBG("Busy, discarding expected seq %d",
4722 control->txseq);
4723 break;
4724 }
4725
4726 chan->expected_tx_seq = __next_seq(chan,
4727 control->txseq);
4728
4729 chan->buffer_seq = chan->expected_tx_seq;
4730 skb_in_use = 1;
4731
4732 err = l2cap_reassemble_sdu(chan, skb, control);
4733 if (err)
4734 break;
4735
4736 if (control->final) {
4737 if (!test_and_clear_bit(CONN_REJ_ACT,
4738 &chan->conn_state)) {
4739 control->final = 0;
4740 l2cap_retransmit_all(chan, control);
4741 l2cap_ertm_send(chan);
4742 }
4743 }
4744
4745 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4746 l2cap_send_ack(chan);
4747 break;
4748 case L2CAP_TXSEQ_UNEXPECTED:
4749 l2cap_pass_to_tx(chan, control);
4750
4751 /* Can't issue SREJ frames in the local busy state.
4752 * Drop this frame, it will be seen as missing
4753 * when local busy is exited.
4754 */
4755 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4756 BT_DBG("Busy, discarding unexpected seq %d",
4757 control->txseq);
4758 break;
4759 }
4760
4761 /* There was a gap in the sequence, so an SREJ
4762 * must be sent for each missing frame. The
4763 * current frame is stored for later use.
4764 */
4765 skb_queue_tail(&chan->srej_q, skb);
4766 skb_in_use = 1;
4767 BT_DBG("Queued %p (queue len %d)", skb,
4768 skb_queue_len(&chan->srej_q));
4769
4770 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4771 l2cap_seq_list_clear(&chan->srej_list);
4772 l2cap_send_srej(chan, control->txseq);
4773
4774 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4775 break;
4776 case L2CAP_TXSEQ_DUPLICATE:
4777 l2cap_pass_to_tx(chan, control);
4778 break;
4779 case L2CAP_TXSEQ_INVALID_IGNORE:
4780 break;
4781 case L2CAP_TXSEQ_INVALID:
4782 default:
4783 l2cap_send_disconn_req(chan->conn, chan,
4784 ECONNRESET);
4785 break;
4786 }
4787 break;
4788 case L2CAP_EV_RECV_RR:
4789 l2cap_pass_to_tx(chan, control);
4790 if (control->final) {
4791 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4792
4793 if (!test_and_clear_bit(CONN_REJ_ACT,
4794 &chan->conn_state)) {
4795 control->final = 0;
4796 l2cap_retransmit_all(chan, control);
4797 }
4798
4799 l2cap_ertm_send(chan);
4800 } else if (control->poll) {
4801 l2cap_send_i_or_rr_or_rnr(chan);
4802 } else {
4803 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4804 &chan->conn_state) &&
4805 chan->unacked_frames)
4806 __set_retrans_timer(chan);
4807
4808 l2cap_ertm_send(chan);
4809 }
4810 break;
4811 case L2CAP_EV_RECV_RNR:
4812 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4813 l2cap_pass_to_tx(chan, control);
4814 if (control && control->poll) {
4815 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4816 l2cap_send_rr_or_rnr(chan, 0);
4817 }
4818 __clear_retrans_timer(chan);
4819 l2cap_seq_list_clear(&chan->retrans_list);
4820 break;
4821 case L2CAP_EV_RECV_REJ:
4822 l2cap_handle_rej(chan, control);
4823 break;
4824 case L2CAP_EV_RECV_SREJ:
4825 l2cap_handle_srej(chan, control);
4826 break;
4827 default:
4828 break;
4829 }
4830
4831 if (skb && !skb_in_use) {
4832 BT_DBG("Freeing %p", skb);
4833 kfree_skb(skb);
4834 }
4835
4836 return err;
4837}
4838
4839static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4840 struct l2cap_ctrl *control,
4841 struct sk_buff *skb, u8 event)
4842{
4843 int err = 0;
4844 u16 txseq = control->txseq;
4845 bool skb_in_use = 0;
4846
4847 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4848 event);
4849
4850 switch (event) {
4851 case L2CAP_EV_RECV_IFRAME:
4852 switch (l2cap_classify_txseq(chan, txseq)) {
4853 case L2CAP_TXSEQ_EXPECTED:
4854 /* Keep frame for reassembly later */
4855 l2cap_pass_to_tx(chan, control);
4856 skb_queue_tail(&chan->srej_q, skb);
4857 skb_in_use = 1;
4858 BT_DBG("Queued %p (queue len %d)", skb,
4859 skb_queue_len(&chan->srej_q));
4860
4861 chan->expected_tx_seq = __next_seq(chan, txseq);
4862 break;
4863 case L2CAP_TXSEQ_EXPECTED_SREJ:
4864 l2cap_seq_list_pop(&chan->srej_list);
4865
4866 l2cap_pass_to_tx(chan, control);
4867 skb_queue_tail(&chan->srej_q, skb);
4868 skb_in_use = 1;
4869 BT_DBG("Queued %p (queue len %d)", skb,
4870 skb_queue_len(&chan->srej_q));
4871
4872 err = l2cap_rx_queued_iframes(chan);
4873 if (err)
4874 break;
4875
4876 break;
4877 case L2CAP_TXSEQ_UNEXPECTED:
4878 /* Got a frame that can't be reassembled yet.
4879 * Save it for later, and send SREJs to cover
4880 * the missing frames.
4881 */
4882 skb_queue_tail(&chan->srej_q, skb);
4883 skb_in_use = 1;
4884 BT_DBG("Queued %p (queue len %d)", skb,
4885 skb_queue_len(&chan->srej_q));
4886
4887 l2cap_pass_to_tx(chan, control);
4888 l2cap_send_srej(chan, control->txseq);
4889 break;
4890 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4891 /* This frame was requested with an SREJ, but
4892 * some expected retransmitted frames are
4893 * missing. Request retransmission of missing
4894 * SREJ'd frames.
4895 */
4896 skb_queue_tail(&chan->srej_q, skb);
4897 skb_in_use = 1;
4898 BT_DBG("Queued %p (queue len %d)", skb,
4899 skb_queue_len(&chan->srej_q));
4900
4901 l2cap_pass_to_tx(chan, control);
4902 l2cap_send_srej_list(chan, control->txseq);
4903 break;
4904 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4905 /* We've already queued this frame. Drop this copy. */
4906 l2cap_pass_to_tx(chan, control);
4907 break;
4908 case L2CAP_TXSEQ_DUPLICATE:
4909 /* Expecting a later sequence number, so this frame
4910 * was already received. Ignore it completely.
4911 */
4912 break;
4913 case L2CAP_TXSEQ_INVALID_IGNORE:
4914 break;
4915 case L2CAP_TXSEQ_INVALID:
4916 default:
4917 l2cap_send_disconn_req(chan->conn, chan,
4918 ECONNRESET);
4919 break;
4920 }
4921 break;
4922 case L2CAP_EV_RECV_RR:
4923 l2cap_pass_to_tx(chan, control);
4924 if (control->final) {
4925 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4926
4927 if (!test_and_clear_bit(CONN_REJ_ACT,
4928 &chan->conn_state)) {
4929 control->final = 0;
4930 l2cap_retransmit_all(chan, control);
4931 }
4932
4933 l2cap_ertm_send(chan);
4934 } else if (control->poll) {
4935 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4936 &chan->conn_state) &&
4937 chan->unacked_frames) {
4938 __set_retrans_timer(chan);
4939 }
4940
4941 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4942 l2cap_send_srej_tail(chan);
4943 } else {
4944 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4945 &chan->conn_state) &&
4946 chan->unacked_frames)
4947 __set_retrans_timer(chan);
4948
4949 l2cap_send_ack(chan);
4950 }
4951 break;
4952 case L2CAP_EV_RECV_RNR:
4953 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4954 l2cap_pass_to_tx(chan, control);
4955 if (control->poll) {
4956 l2cap_send_srej_tail(chan);
4957 } else {
4958 struct l2cap_ctrl rr_control;
4959 memset(&rr_control, 0, sizeof(rr_control));
4960 rr_control.sframe = 1;
4961 rr_control.super = L2CAP_SUPER_RR;
4962 rr_control.reqseq = chan->buffer_seq;
4963 l2cap_send_sframe(chan, &rr_control);
4964 }
4965
4966 break;
4967 case L2CAP_EV_RECV_REJ:
4968 l2cap_handle_rej(chan, control);
4969 break;
4970 case L2CAP_EV_RECV_SREJ:
4971 l2cap_handle_srej(chan, control);
4972 break;
4973 }
4974
4975 if (skb && !skb_in_use) {
4976 BT_DBG("Freeing %p", skb);
4977 kfree_skb(skb);
4978 }
4979
4980 return err;
4981}
4982
4983static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4984{
4985 /* Make sure reqseq is for a packet that has been sent but not acked */
4986 u16 unacked;
4987
4988 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4989 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4990}
4991
cec8ab6e
MM		 4992static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4993 struct sk_buff *skb, u8 event)
218bb9df 4994{
d2a7ac5d
MM		 4995 int err = 0;
4996
4997 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4998 control, skb, event, chan->rx_state);
4999
5000 if (__valid_reqseq(chan, control->reqseq)) {
5001 switch (chan->rx_state) {
5002 case L2CAP_RX_STATE_RECV:
5003 err = l2cap_rx_state_recv(chan, control, skb, event);
5004 break;
5005 case L2CAP_RX_STATE_SREJ_SENT:
5006 err = l2cap_rx_state_srej_sent(chan, control, skb,
5007 event);
5008 break;
5009 default:
5010 /* shut it down */
5011 break;
5012 }
5013 } else {
5014 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5015 control->reqseq, chan->next_tx_seq,
5016 chan->expected_ack_seq);
5017 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5018 }
5019
5020 return err;
cec8ab6e
MM		 5021}
5022
5023static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5024 struct sk_buff *skb)
5025{
4b51dae9
MM		 5026 int err = 0;
5027
5028 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5029 chan->rx_state);
5030
5031 if (l2cap_classify_txseq(chan, control->txseq) ==
5032 L2CAP_TXSEQ_EXPECTED) {
5033 l2cap_pass_to_tx(chan, control);
5034
5035 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5036 __next_seq(chan, chan->buffer_seq));
5037
5038 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5039
5040 l2cap_reassemble_sdu(chan, skb, control);
5041 } else {
5042 if (chan->sdu) {
5043 kfree_skb(chan->sdu);
5044 chan->sdu = NULL;
5045 }
5046 chan->sdu_last_frag = NULL;
5047 chan->sdu_len = 0;
5048
5049 if (skb) {
5050 BT_DBG("Freeing %p", skb);
5051 kfree_skb(skb);
5052 }
5053 }
5054
5055 chan->last_acked_seq = control->txseq;
5056 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5057
5058 return err;
cec8ab6e
MM		 5059}
5060
5061static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5062{
5063 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5064 u16 len;
5065 u8 event;
218bb9df 5066
b76bbd66
MM		 5067 __unpack_control(chan, skb);
5068
218bb9df
GP		 5069 len = skb->len;
5070
5071 /*
5072 * We can just drop the corrupted I-frame here.
5073 * Receiver will miss it and start proper recovery
cec8ab6e 5074 * procedures and ask for retransmission.
218bb9df 5075 */
47d1ec61 5076 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5077 goto drop;
5078
cec8ab6e 5079 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5080 len -= L2CAP_SDULEN_SIZE;
218bb9df 5081
47d1ec61 5082 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5083 len -= L2CAP_FCS_SIZE;
218bb9df 5084
47d1ec61 5085 if (len > chan->mps) {
8c1d787b 5086 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5087 goto drop;
5088 }
5089
cec8ab6e
MM		 5090 if (!control->sframe) {
5091 int err;
218bb9df 5092
cec8ab6e
MM		 5093 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5094 control->sar, control->reqseq, control->final,
5095 control->txseq);
218bb9df 5096
cec8ab6e
MM		 5097 /* Validate F-bit - F=0 always valid, F=1 only
5098 * valid in TX WAIT_F
5099 */
5100 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5101 goto drop;
cec8ab6e
MM		 5102
5103 if (chan->mode != L2CAP_MODE_STREAMING) {
5104 event = L2CAP_EV_RECV_IFRAME;
5105 err = l2cap_rx(chan, control, skb, event);
5106 } else {
5107 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5108 }
5109
cec8ab6e
MM		 5110 if (err)
5111 l2cap_send_disconn_req(chan->conn, chan,
5112 ECONNRESET);
218bb9df 5113 } else {
cec8ab6e
MM		 5114 const u8 rx_func_to_event[4] = {
5115 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5116 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5117 };
5118
5119 /* Only I-frames are expected in streaming mode */
5120 if (chan->mode == L2CAP_MODE_STREAMING)
5121 goto drop;
5122
5123 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5124 control->reqseq, control->final, control->poll,
5125 control->super);
5126
218bb9df
GP		 5127 if (len != 0) {
5128 BT_ERR("%d", len);
8c1d787b 5129 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5130 goto drop;
5131 }
5132
cec8ab6e
MM		 5133 /* Validate F and P bits */
5134 if (control->final && (control->poll ||
5135 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5136 goto drop;
5137
5138 event = rx_func_to_event[control->super];
5139 if (l2cap_rx(chan, control, skb, event))
5140 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5141 }
5142
5143 return 0;
5144
5145drop:
5146 kfree_skb(skb);
5147 return 0;
5148}
5149
13ca56e0
AE		 5150static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5151 struct sk_buff *skb)
1da177e4 5152{
48454079 5153 struct l2cap_chan *chan;
1da177e4 5154
baa7e1fa 5155 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5156 if (!chan) {
97e8e89d
AE		 5157 if (cid == L2CAP_CID_A2MP) {
5158 chan = a2mp_channel_create(conn, skb);
5159 if (!chan) {
5160 kfree_skb(skb);
13ca56e0 5161 return;
97e8e89d
AE		 5162 }
5163
5164 l2cap_chan_lock(chan);
5165 } else {
5166 BT_DBG("unknown cid 0x%4.4x", cid);
5167 /* Drop packet and return */
5168 kfree_skb(skb);
13ca56e0 5169 return;
97e8e89d 5170 }
1da177e4
LT		 5171 }
5172
49208c9c 5173 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5174
89bc500e 5175 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5176 goto drop;
5177
0c1bc5c6 5178 switch (chan->mode) {
1c2acffb
GP		 5179 case L2CAP_MODE_BASIC:
5180 /* If socket recv buffers overflows we drop data here
5181 * which is *bad* because L2CAP has to be reliable.
5182 * But we don't have any other choice. L2CAP doesn't
5183 * provide flow control mechanism. */
1da177e4 5184
0c1bc5c6 5185 if (chan->imtu < skb->len)
1c2acffb 5186 goto drop;
1da177e4 5187
80b98027 5188 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5189 goto done;
5190 break;
5191
5192 case L2CAP_MODE_ERTM:
6840ed07 5193 case L2CAP_MODE_STREAMING:
cec8ab6e 5194 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5195 goto done;
5196
1c2acffb 5197 default:
0c1bc5c6 5198 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5199 break;
5200 }
1da177e4
LT		 5201
5202drop:
5203 kfree_skb(skb);
5204
5205done:
6be36555 5206 l2cap_chan_unlock(chan);
1da177e4
LT		 5207}
5208
84104b24
AE		 5209static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5210 struct sk_buff *skb)
1da177e4 5211{
23691d75 5212 struct l2cap_chan *chan;
1da177e4 5213
c2287681 5214 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5215 if (!chan)
1da177e4
LT		 5216 goto drop;
5217
5b4cedaa 5218 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5219
89bc500e 5220 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5221 goto drop;
5222
e13e21dc 5223 if (chan->imtu < skb->len)
1da177e4
LT		 5224 goto drop;
5225
80b98027 5226 if (!chan->ops->recv(chan, skb))
84104b24 5227 return;
1da177e4
LT		 5228
5229drop:
5230 kfree_skb(skb);
1da177e4
LT		 5231}
5232
6810fca7
AE		 5233static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5234 struct sk_buff *skb)
9f69bda6 5235{
23691d75 5236 struct l2cap_chan *chan;
9f69bda6 5237
c2287681 5238 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5239 if (!chan)
9f69bda6
GP		 5240 goto drop;
5241
5b4cedaa 5242 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5243
89bc500e 5244 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5245 goto drop;
5246
e13e21dc 5247 if (chan->imtu < skb->len)
9f69bda6
GP		 5248 goto drop;
5249
80b98027 5250 if (!chan->ops->recv(chan, skb))
6810fca7 5251 return;
9f69bda6
GP		 5252
5253drop:
5254 kfree_skb(skb);
9f69bda6
GP		 5255}
5256
1da177e4
LT		 5257static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5258{
5259 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5260 u16 cid, len;
5261 __le16 psm;
1da177e4
LT		 5262
5263 skb_pull(skb, L2CAP_HDR_SIZE);
5264 cid = __le16_to_cpu(lh->cid);
5265 len = __le16_to_cpu(lh->len);
5266
1c2acffb
GP		 5267 if (len != skb->len) {
5268 kfree_skb(skb);
5269 return;
5270 }
5271
1da177e4
LT		 5272 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5273
5274 switch (cid) {
3300d9a9 5275 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5276 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5277 l2cap_sig_channel(conn, skb);
5278 break;
5279
8db4dc46 5280 case L2CAP_CID_CONN_LESS:
097db76c 5281 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5282 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5283 l2cap_conless_channel(conn, psm, skb);
5284 break;
5285
9f69bda6
GP		 5286 case L2CAP_CID_LE_DATA:
5287 l2cap_att_channel(conn, cid, skb);
5288 break;
5289
b501d6a1
AB		 5290 case L2CAP_CID_SMP:
5291 if (smp_sig_channel(conn, skb))
5292 l2cap_conn_del(conn->hcon, EACCES);
5293 break;
5294
1da177e4
LT		 5295 default:
5296 l2cap_data_channel(conn, cid, skb);
5297 break;
5298 }
5299}
5300
5301/* ---- L2CAP interface with lower layer (HCI) ---- */
5302
686ebf28 5303int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5304{
5305 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5306 struct l2cap_chan *c;
1da177e4 5307
1da177e4
LT		 5308 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5309
5310 /* Find listening sockets and check their link_mode */
23691d75
GP		 5311 read_lock(&chan_list_lock);
5312 list_for_each_entry(c, &chan_list, global_l) {
5313 struct sock *sk = c->sk;
4343478f 5314
89bc500e 5315 if (c->state != BT_LISTEN)
1da177e4
LT		 5316 continue;
5317
5318 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5319 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5320 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5321 lm1 |= HCI_LM_MASTER;
1da177e4 5322 exact++;
2af6b9d5
MH		 5323 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5324 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5325 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5326 lm2 |= HCI_LM_MASTER;
5327 }
1da177e4 5328 }
23691d75 5329 read_unlock(&chan_list_lock);
1da177e4
LT		 5330
5331 return exact ? lm1 : lm2;
5332}
5333
686ebf28 5334int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5335{
0139418c
MH		 5336 struct l2cap_conn *conn;
5337
1da177e4
LT		 5338 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5339
1da177e4 5340 if (!status) {
1da177e4
LT		 5341 conn = l2cap_conn_add(hcon, status);
5342 if (conn)
5343 l2cap_conn_ready(conn);
0139418c 5344 } else
e175072f 5345 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5346
5347 return 0;
5348}
5349
686ebf28 5350int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5351{
5352 struct l2cap_conn *conn = hcon->l2cap_data;
5353
5354 BT_DBG("hcon %p", hcon);
5355
686ebf28 5356 if (!conn)
9f5a0d7b 5357 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5358 return conn->disc_reason;
5359}
5360
686ebf28 5361int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5362{
5363 BT_DBG("hcon %p reason %d", hcon, reason);
5364
e175072f 5365 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5366 return 0;
5367}
5368
4343478f 5369static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5370{
715ec005 5371 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5372 return;
5373
f62e4323 5374 if (encrypt == 0x00) {
4343478f 5375 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5376 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5377 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5378 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5379 } else {
4343478f 5380 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5381 __clear_chan_timer(chan);
f62e4323
MH		 5382 }
5383}
5384
686ebf28 5385int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5386{
0139418c 5387 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5388 struct l2cap_chan *chan;
1da177e4 5389
0139418c 5390 if (!conn)
1da177e4 5391 return 0;
0139418c 5392
89d8b407 5393 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5394
160dc6ac 5395 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5396 if (!status && encrypt)
5397 smp_distribute_keys(conn, 0);
17cd3f37 5398 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5399 }
5400
3df91ea2 5401 mutex_lock(&conn->chan_lock);
1da177e4 5402
3df91ea2 5403 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5404 l2cap_chan_lock(chan);
1da177e4 5405
89d8b407
AE		 5406 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5407 state_to_string(chan->state));
f1cb9af5
VCG		 5408
5409 if (chan->scid == L2CAP_CID_LE_DATA) {
5410 if (!status && encrypt) {
5411 chan->sec_level = hcon->sec_level;
cf4cd009 5412 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5413 }
5414
6be36555 5415 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5416 continue;
5417 }
5418
c1360a1c 5419 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5420 l2cap_chan_unlock(chan);
6a8d3010
MH		 5421 continue;
5422 }
5423
89bc500e
GP		 5424 if (!status && (chan->state == BT_CONNECTED ||
5425 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5426 struct sock *sk = chan->sk;
5427
c5daa683 5428 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5429 sk->sk_state_change(sk);
5430
4343478f 5431 l2cap_check_encryption(chan, encrypt);
6be36555 5432 l2cap_chan_unlock(chan);
9719f8af
MH		 5433 continue;
5434 }
5435
89bc500e 5436 if (chan->state == BT_CONNECT) {
b1235d79 5437 if (!status) {
9b27f350 5438 l2cap_send_conn_req(chan);
b1235d79 5439 } else {
ba13ccd9 5440 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5441 }
89bc500e 5442 } else if (chan->state == BT_CONNECT2) {
6be36555 5443 struct sock *sk = chan->sk;
b1235d79 5444 struct l2cap_conn_rsp rsp;
df3c3931 5445 __u16 res, stat;
1da177e4 5446
6be36555
AE		 5447 lock_sock(sk);
5448
b1235d79 5449 if (!status) {
c5daa683
GP		 5450 if (test_bit(BT_SK_DEFER_SETUP,
5451 &bt_sk(sk)->flags)) {
df3c3931
JH		 5452 struct sock *parent = bt_sk(sk)->parent;
5453 res = L2CAP_CR_PEND;
5454 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5455 if (parent)
5456 parent->sk_data_ready(parent, 0);
df3c3931 5457 } else {
0e587be7 5458 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5459 res = L2CAP_CR_SUCCESS;
5460 stat = L2CAP_CS_NO_INFO;
5461 }
b1235d79 5462 } else {
0e587be7 5463 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5464 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5465 res = L2CAP_CR_SEC_BLOCK;
5466 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5467 }
5468
6be36555
AE		 5469 release_sock(sk);
5470
fe4128e0
GP		 5471 rsp.scid = cpu_to_le16(chan->dcid);
5472 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5473 rsp.result = cpu_to_le16(res);
5474 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5475 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5476 sizeof(rsp), &rsp);
2d369359
MM		 5477
5478 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5479 res == L2CAP_CR_SUCCESS) {
5480 char buf[128];
5481 set_bit(CONF_REQ_SENT, &chan->conf_state);
5482 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5483 L2CAP_CONF_REQ,
5484 l2cap_build_conf_req(chan, buf),
5485 buf);
5486 chan->num_conf_req++;
5487 }
b1235d79 5488 }
1da177e4 5489
6be36555 5490 l2cap_chan_unlock(chan);
1da177e4
LT		 5491 }
5492
3df91ea2 5493 mutex_unlock(&conn->chan_lock);
b1235d79 5494
1da177e4
LT		 5495 return 0;
5496}
5497
686ebf28 5498int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5499{
5500 struct l2cap_conn *conn = hcon->l2cap_data;
5501
5a08ecce
AE		 5502 if (!conn)
5503 conn = l2cap_conn_add(hcon, 0);
5504
5505 if (!conn)
1da177e4
LT		 5506 goto drop;
5507
5508 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5509
e702112f 5510 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5511 struct l2cap_hdr *hdr;
5512 int len;
5513
5514 if (conn->rx_len) {
5515 BT_ERR("Unexpected start frame (len %d)", skb->len);
5516 kfree_skb(conn->rx_skb);
5517 conn->rx_skb = NULL;
5518 conn->rx_len = 0;
5519 l2cap_conn_unreliable(conn, ECOMM);
5520 }
5521
aae7fe22
AE		 5522 /* Start fragment always begin with Basic L2CAP header */
5523 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5524 BT_ERR("Frame is too short (len %d)", skb->len);
5525 l2cap_conn_unreliable(conn, ECOMM);
5526 goto drop;
5527 }
5528
5529 hdr = (struct l2cap_hdr *) skb->data;
5530 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5531
5532 if (len == skb->len) {
5533 /* Complete frame received */
5534 l2cap_recv_frame(conn, skb);
5535 return 0;
5536 }
5537
5538 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5539
5540 if (skb->len > len) {
5541 BT_ERR("Frame is too long (len %d, expected len %d)",
5542 skb->len, len);
5543 l2cap_conn_unreliable(conn, ECOMM);
5544 goto drop;
5545 }
5546
5547 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5548 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5549 if (!conn->rx_skb)
1da177e4
LT		 5550 goto drop;
5551
d626f62b 5552 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5553 skb->len);
1da177e4
LT		 5554 conn->rx_len = len - skb->len;
5555 } else {
5556 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5557
5558 if (!conn->rx_len) {
5559 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5560 l2cap_conn_unreliable(conn, ECOMM);
5561 goto drop;
5562 }
5563
5564 if (skb->len > conn->rx_len) {
5565 BT_ERR("Fragment is too long (len %d, expected %d)",
5566 skb->len, conn->rx_len);
5567 kfree_skb(conn->rx_skb);
5568 conn->rx_skb = NULL;
5569 conn->rx_len = 0;
5570 l2cap_conn_unreliable(conn, ECOMM);
5571 goto drop;
5572 }
5573
d626f62b 5574 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5575 skb->len);
1da177e4
LT		 5576 conn->rx_len -= skb->len;
5577
5578 if (!conn->rx_len) {
5579 /* Complete frame received */
5580 l2cap_recv_frame(conn, conn->rx_skb);
5581 conn->rx_skb = NULL;
5582 }
5583 }
5584
5585drop:
5586 kfree_skb(skb);
5587 return 0;
5588}
5589
aef7d97c 5590static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5591{
23691d75 5592 struct l2cap_chan *c;
1da177e4 5593
333055f2 5594 read_lock(&chan_list_lock);
1da177e4 5595
23691d75
GP		 5596 list_for_each_entry(c, &chan_list, global_l) {
5597 struct sock *sk = c->sk;
101545f6 5598
903d343e 5599 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5600 batostr(&bt_sk(sk)->src),
5601 batostr(&bt_sk(sk)->dst),
89bc500e 5602 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5603 c->scid, c->dcid, c->imtu, c->omtu,
5604 c->sec_level, c->mode);
61e1b4b7 5605 }
1da177e4 5606
333055f2 5607 read_unlock(&chan_list_lock);
1da177e4 5608
aef7d97c 5609 return 0;
1da177e4
LT		 5610}
5611
aef7d97c
MH		 5612static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5613{
5614 return single_open(file, l2cap_debugfs_show, inode->i_private);
5615}
5616
5617static const struct file_operations l2cap_debugfs_fops = {
5618 .open = l2cap_debugfs_open,
5619 .read = seq_read,
5620 .llseek = seq_lseek,
5621 .release = single_release,
5622};
5623
5624static struct dentry *l2cap_debugfs;
1da177e4 5625
64274518 5626int __init l2cap_init(void)
1da177e4
LT		 5627{
5628 int err;
be9d1227 5629
bb58f747 5630 err = l2cap_init_sockets();
1da177e4
LT		 5631 if (err < 0)
5632 return err;
5633
aef7d97c
MH		 5634 if (bt_debugfs) {
5635 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5636 bt_debugfs, NULL, &l2cap_debugfs_fops);
5637 if (!l2cap_debugfs)
5638 BT_ERR("Failed to create L2CAP debug file");
5639 }
1da177e4 5640
1da177e4 5641 return 0;
1da177e4
LT		 5642}
5643
64274518 5644void l2cap_exit(void)
1da177e4 5645{
aef7d97c 5646 debugfs_remove(l2cap_debugfs);
bb58f747 5647 l2cap_cleanup_sockets();
1da177e4
LT		 5648}
5649
d1c4a17d
GP		 5650module_param(disable_ertm, bool, 0644);
5651MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)