projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move channel response
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 509 } else {
510 /* Alloc CID for connection-oriented socket */
fe4128e0 511 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 512 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 513 }
5491120e
AE		 514 break;
515
516 case L2CAP_CHAN_CONN_LESS:
0139418c 517 /* Connectionless socket */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 521 break;
522
416fa752
AE		 523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
528 break;
529
5491120e 530 default:
0139418c 531 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 534 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 535 }
536
8f7975b1
AE		 537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 543
371fd835 544 l2cap_chan_hold(chan);
baa7e1fa 545
3df91ea2 546 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 547}
548
466f8004 549void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 550{
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
3df91ea2 553 mutex_unlock(&conn->chan_lock);
0139418c
MH		 554}
555
466f8004 556void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 557{
8c1d787b 558 struct l2cap_conn *conn = chan->conn;
0139418c 559
c9b66675 560 __clear_chan_timer(chan);
0139418c 561
49208c9c 562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 563
8e87d142 564 if (conn) {
56f60984 565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 566 /* Delete from channel list */
3df91ea2 567 list_del(&chan->list);
3d57dc68 568
371fd835 569 l2cap_chan_put(chan);
baa7e1fa 570
8c1d787b 571 chan->conn = NULL;
3cabbfda
AE		 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon);
56f60984
AE		 575
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
0139418c
MH		 578 }
579
b699ec0d 580 chan->ops->teardown(chan, err);
6be36555 581
2827011f 582 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 583 return;
2ead70b8 584
ee556f66
GP		 585 switch(chan->mode) {
586 case L2CAP_MODE_BASIC:
587 break;
c13ffa62 588
ee556f66 589 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 590 __clear_retrans_timer(chan);
591 __clear_monitor_timer(chan);
592 __clear_ack_timer(chan);
c13ffa62 593
f1c6775b 594 skb_queue_purge(&chan->srej_q);
c13ffa62 595
3c588192
MM		 596 l2cap_seq_list_free(&chan->srej_list);
597 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 598
599 /* fall through */
600
601 case L2CAP_MODE_STREAMING:
602 skb_queue_purge(&chan->tx_q);
603 break;
c13ffa62 604 }
ee556f66
GP		 605
606 return;
0139418c
MH		 607}
608
0f852724 609void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 610{
611 struct l2cap_conn *conn = chan->conn;
612 struct sock *sk = chan->sk;
613
2d792818
GP		 614 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
615 sk);
4519de9a 616
89bc500e 617 switch (chan->state) {
4519de9a 618 case BT_LISTEN:
b699ec0d 619 chan->ops->teardown(chan, 0);
4519de9a
GP		 620 break;
621
622 case BT_CONNECTED:
623 case BT_CONFIG:
715ec005 624 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 625 conn->hcon->type == ACL_LINK) {
c9b66675 626 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 627 l2cap_send_disconn_req(conn, chan, reason);
628 } else
629 l2cap_chan_del(chan, reason);
630 break;
631
632 case BT_CONNECT2:
715ec005 633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 634 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 635 struct l2cap_conn_rsp rsp;
636 __u16 result;
637
c5daa683 638 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 639 result = L2CAP_CR_SEC_BLOCK;
640 else
641 result = L2CAP_CR_BAD_PSM;
89bc500e 642 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 643
644 rsp.scid = cpu_to_le16(chan->dcid);
645 rsp.dcid = cpu_to_le16(chan->scid);
646 rsp.result = cpu_to_le16(result);
ac73498c 647 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 648 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 649 sizeof(rsp), &rsp);
4519de9a
GP		 650 }
651
652 l2cap_chan_del(chan, reason);
653 break;
654
655 case BT_CONNECT:
656 case BT_DISCONN:
657 l2cap_chan_del(chan, reason);
658 break;
659
660 default:
b699ec0d 661 chan->ops->teardown(chan, 0);
4519de9a
GP		 662 break;
663 }
664}
665
4343478f 666static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 667{
715ec005 668 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 669 switch (chan->sec_level) {
8556edd3
JH		 670 case BT_SECURITY_HIGH:
671 return HCI_AT_DEDICATED_BONDING_MITM;
672 case BT_SECURITY_MEDIUM:
673 return HCI_AT_DEDICATED_BONDING;
674 default:
675 return HCI_AT_NO_BONDING;
676 }
2983fd68 677 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 678 if (chan->sec_level == BT_SECURITY_LOW)
679 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 680
4343478f 681 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 682 return HCI_AT_NO_BONDING_MITM;
00ae4af9 683 else
8556edd3 684 return HCI_AT_NO_BONDING;
00ae4af9 685 } else {
4343478f 686 switch (chan->sec_level) {
00ae4af9 687 case BT_SECURITY_HIGH:
8556edd3 688 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 689 case BT_SECURITY_MEDIUM:
8556edd3 690 return HCI_AT_GENERAL_BONDING;
00ae4af9 691 default:
8556edd3 692 return HCI_AT_NO_BONDING;
00ae4af9 693 }
0684e5f9 694 }
8556edd3
JH		 695}
696
697/* Service level security */
d45fc423 698int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 699{
8c1d787b 700 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 701 __u8 auth_type;
702
4343478f 703 auth_type = l2cap_get_auth_type(chan);
79d554a6 704
4343478f 705 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 706}
707
b5ad8b7f 708static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 709{
710 u8 id;
711
712 /* Get next available identificator.
713 * 1 - 128 are used by kernel.
714 * 129 - 199 are reserved.
715 * 200 - 254 are used by utilities like l2ping, etc.
716 */
717
333055f2 718 spin_lock(&conn->lock);
4e8402a3
MH		 719
720 if (++conn->tx_ident > 128)
721 conn->tx_ident = 1;
722
723 id = conn->tx_ident;
724
333055f2 725 spin_unlock(&conn->lock);
4e8402a3
MH		 726
727 return id;
728}
729
2d792818
GP		 730static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
731 void *data)
4e8402a3
MH		 732{
733 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 734 u8 flags;
4e8402a3
MH		 735
736 BT_DBG("code 0x%2.2x", code);
737
738 if (!skb)
9a9c6a34 739 return;
4e8402a3 740
e702112f
AE		 741 if (lmp_no_flush_capable(conn->hcon->hdev))
742 flags = ACL_START_NO_FLUSH;
743 else
744 flags = ACL_START;
745
14b12d0b 746 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 747 skb->priority = HCI_PRIO_MAX;
14b12d0b 748
73d80deb
LAD		 749 hci_send_acl(conn->hchan, skb, flags);
750}
751
02b0fbb9
MM		 752static bool __chan_is_moving(struct l2cap_chan *chan)
753{
754 return chan->move_state != L2CAP_MOVE_STABLE &&
755 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
756}
757
73d80deb
LAD		 758static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
759{
760 struct hci_conn *hcon = chan->conn->hcon;
761 u16 flags;
762
763 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 764 skb->priority);
73d80deb
LAD		 765
766 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 767 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 768 flags = ACL_START_NO_FLUSH;
769 else
770 flags = ACL_START;
14b12d0b 771
73d80deb
LAD		 772 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
773 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 774}
775
b76bbd66
MM		 776static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
777{
778 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
779 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
780
781 if (enh & L2CAP_CTRL_FRAME_TYPE) {
782 /* S-Frame */
783 control->sframe = 1;
784 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
785 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
786
787 control->sar = 0;
788 control->txseq = 0;
789 } else {
790 /* I-Frame */
791 control->sframe = 0;
792 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
793 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
794
795 control->poll = 0;
796 control->super = 0;
797 }
798}
799
b76bbd66
MM		 800static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
801{
802 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
803 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
804
805 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
806 /* S-Frame */
807 control->sframe = 1;
808 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
809 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
810
811 control->sar = 0;
812 control->txseq = 0;
813 } else {
814 /* I-Frame */
815 control->sframe = 0;
816 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
817 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
818
819 control->poll = 0;
820 control->super = 0;
821 }
822}
823
824static inline void __unpack_control(struct l2cap_chan *chan,
825 struct sk_buff *skb)
826{
827 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
828 __unpack_extended_control(get_unaligned_le32(skb->data),
829 &bt_cb(skb)->control);
cec8ab6e 830 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 831 } else {
832 __unpack_enhanced_control(get_unaligned_le16(skb->data),
833 &bt_cb(skb)->control);
cec8ab6e 834 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 835 }
836}
837
b5c6aaed
MM		 838static u32 __pack_extended_control(struct l2cap_ctrl *control)
839{
840 u32 packed;
841
842 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
843 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
844
845 if (control->sframe) {
846 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
847 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
848 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
849 } else {
850 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
851 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
852 }
853
854 return packed;
855}
856
857static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
858{
859 u16 packed;
860
861 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
862 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
863
864 if (control->sframe) {
865 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
866 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
867 packed |= L2CAP_CTRL_FRAME_TYPE;
868 } else {
869 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
870 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
871 }
872
873 return packed;
874}
875
b76bbd66
MM		 876static inline void __pack_control(struct l2cap_chan *chan,
877 struct l2cap_ctrl *control,
878 struct sk_buff *skb)
879{
880 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
881 put_unaligned_le32(__pack_extended_control(control),
882 skb->data + L2CAP_HDR_SIZE);
883 } else {
884 put_unaligned_le16(__pack_enhanced_control(control),
885 skb->data + L2CAP_HDR_SIZE);
886 }
887}
888
ba7aa64f
GP		 889static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
890{
891 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
892 return L2CAP_EXT_HDR_SIZE;
893 else
894 return L2CAP_ENH_HDR_SIZE;
895}
896
a67d7f6f
MM		 897static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
898 u32 control)
b5c6aaed
MM		 899{
900 struct sk_buff *skb;
901 struct l2cap_hdr *lh;
ba7aa64f 902 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 903
904 if (chan->fcs == L2CAP_FCS_CRC16)
905 hlen += L2CAP_FCS_SIZE;
906
a67d7f6f 907 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 908
b5c6aaed 909 if (!skb)
a67d7f6f 910 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 911
912 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
913 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
914 lh->cid = cpu_to_le16(chan->dcid);
915
a67d7f6f
MM		 916 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
917 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
918 else
919 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 920
921 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 922 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 923 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
924 }
925
926 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 927 return skb;
928}
929
930static void l2cap_send_sframe(struct l2cap_chan *chan,
931 struct l2cap_ctrl *control)
932{
933 struct sk_buff *skb;
934 u32 control_field;
935
936 BT_DBG("chan %p, control %p", chan, control);
937
938 if (!control->sframe)
939 return;
940
941 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
942 !control->poll)
943 control->final = 1;
944
945 if (control->super == L2CAP_SUPER_RR)
946 clear_bit(CONN_RNR_SENT, &chan->conn_state);
947 else if (control->super == L2CAP_SUPER_RNR)
948 set_bit(CONN_RNR_SENT, &chan->conn_state);
949
950 if (control->super != L2CAP_SUPER_SREJ) {
951 chan->last_acked_seq = control->reqseq;
952 __clear_ack_timer(chan);
953 }
954
955 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
956 control->final, control->poll, control->super);
957
958 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
959 control_field = __pack_extended_control(control);
960 else
961 control_field = __pack_enhanced_control(control);
962
963 skb = l2cap_create_sframe_pdu(chan, control_field);
964 if (!IS_ERR(skb))
965 l2cap_do_send(chan, skb);
b5c6aaed
MM		 966}
967
c9e3d5e0 968static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 969{
c9e3d5e0
MM		 970 struct l2cap_ctrl control;
971
972 BT_DBG("chan %p, poll %d", chan, poll);
973
974 memset(&control, 0, sizeof(control));
975 control.sframe = 1;
976 control.poll = poll;
977
978 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
979 control.super = L2CAP_SUPER_RNR;
980 else
981 control.super = L2CAP_SUPER_RR;
b5c6aaed 982
c9e3d5e0
MM		 983 control.reqseq = chan->buffer_seq;
984 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 985}
986
b4450035 987static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 988{
c1360a1c 989 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 990}
991
93c3e8f5
AE		 992static bool __amp_capable(struct l2cap_chan *chan)
993{
994 struct l2cap_conn *conn = chan->conn;
995
996 if (enable_hs &&
997 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
998 conn->fixed_chan_mask & L2CAP_FC_A2MP)
999 return true;
1000 else
1001 return false;
1002}
1003
2766be48 1004void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1005{
1006 struct l2cap_conn *conn = chan->conn;
1007 struct l2cap_conn_req req;
1008
1009 req.scid = cpu_to_le16(chan->scid);
1010 req.psm = chan->psm;
1011
1012 chan->ident = l2cap_get_ident(conn);
1013
1014 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1015
1016 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1017}
1018
02b0fbb9
MM		 1019static void l2cap_move_setup(struct l2cap_chan *chan)
1020{
1021 struct sk_buff *skb;
1022
1023 BT_DBG("chan %p", chan);
1024
1025 if (chan->mode != L2CAP_MODE_ERTM)
1026 return;
1027
1028 __clear_retrans_timer(chan);
1029 __clear_monitor_timer(chan);
1030 __clear_ack_timer(chan);
1031
1032 chan->retry_count = 0;
1033 skb_queue_walk(&chan->tx_q, skb) {
1034 if (bt_cb(skb)->control.retries)
1035 bt_cb(skb)->control.retries = 1;
1036 else
1037 break;
1038 }
1039
1040 chan->expected_tx_seq = chan->buffer_seq;
1041
1042 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1043 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1044 l2cap_seq_list_clear(&chan->retrans_list);
1045 l2cap_seq_list_clear(&chan->srej_list);
1046 skb_queue_purge(&chan->srej_q);
1047
1048 chan->tx_state = L2CAP_TX_STATE_XMIT;
1049 chan->rx_state = L2CAP_RX_STATE_MOVE;
1050
1051 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1052}
1053
5f3847a4
MM		 1054static void l2cap_move_done(struct l2cap_chan *chan)
1055{
1056 u8 move_role = chan->move_role;
1057 BT_DBG("chan %p", chan);
1058
1059 chan->move_state = L2CAP_MOVE_STABLE;
1060 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1061
1062 if (chan->mode != L2CAP_MODE_ERTM)
1063 return;
1064
1065 switch (move_role) {
1066 case L2CAP_MOVE_ROLE_INITIATOR:
1067 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1068 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1069 break;
1070 case L2CAP_MOVE_ROLE_RESPONDER:
1071 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1072 break;
1073 }
1074}
1075
9f0caeb1
VCG		 1076static void l2cap_chan_ready(struct l2cap_chan *chan)
1077{
2827011f 1078 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1079 chan->conf_state = 0;
1080 __clear_chan_timer(chan);
1081
54a59aa2 1082 chan->state = BT_CONNECTED;
9f0caeb1 1083
fd83e2c2 1084 chan->ops->ready(chan);
9f0caeb1
VCG		 1085}
1086
93c3e8f5
AE		 1087static void l2cap_start_connection(struct l2cap_chan *chan)
1088{
1089 if (__amp_capable(chan)) {
1090 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1091 a2mp_discover_amp(chan);
1092 } else {
1093 l2cap_send_conn_req(chan);
1094 }
1095}
1096
fc7f8a7e 1097static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1098{
8c1d787b 1099 struct l2cap_conn *conn = chan->conn;
79d554a6 1100
9f0caeb1
VCG		 1101 if (conn->hcon->type == LE_LINK) {
1102 l2cap_chan_ready(chan);
1103 return;
1104 }
1105
79d554a6 1106 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1107 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1108 return;
1109
d45fc423 1110 if (l2cap_chan_check_security(chan) &&
2d792818 1111 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1112 l2cap_start_connection(chan);
1113 }
79d554a6
MH		 1114 } else {
1115 struct l2cap_info_req req;
ac73498c 1116 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1117
1118 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1119 conn->info_ident = l2cap_get_ident(conn);
1120
ba13ccd9 1121 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1122
2d792818
GP		 1123 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1124 sizeof(req), &req);
79d554a6
MH		 1125 }
1126}
1127
cf6c2c0b
GP		 1128static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1129{
1130 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1131 if (!disable_ertm)
cf6c2c0b
GP		 1132 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1133
1134 switch (mode) {
1135 case L2CAP_MODE_ERTM:
1136 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1137 case L2CAP_MODE_STREAMING:
1138 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1139 default:
1140 return 0x00;
1141 }
1142}
1143
2d792818
GP		 1144static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1145 struct l2cap_chan *chan, int err)
22121fc9 1146{
6be36555 1147 struct sock *sk = chan->sk;
22121fc9
GP		 1148 struct l2cap_disconn_req req;
1149
c13ffa62
GP		 1150 if (!conn)
1151 return;
1152
aad3d0e3 1153 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1154 __clear_retrans_timer(chan);
1155 __clear_monitor_timer(chan);
1156 __clear_ack_timer(chan);
c13ffa62
GP		 1157 }
1158
416fa752 1159 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1160 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1161 return;
1162 }
1163
fe4128e0
GP		 1164 req.dcid = cpu_to_le16(chan->dcid);
1165 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1166 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1167 sizeof(req), &req);
c13ffa62 1168
6be36555 1169 lock_sock(sk);
0e587be7 1170 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1171 __l2cap_chan_set_err(chan, err);
6be36555 1172 release_sock(sk);
22121fc9
GP		 1173}
1174
1da177e4 1175/* ---- L2CAP connections ---- */
4e8402a3
MH		 1176static void l2cap_conn_start(struct l2cap_conn *conn)
1177{
3df91ea2 1178 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1179
1180 BT_DBG("conn %p", conn);
1181
3df91ea2 1182 mutex_lock(&conn->chan_lock);
4e8402a3 1183
3df91ea2 1184 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1185 struct sock *sk = chan->sk;
baa7e1fa 1186
6be36555 1187 l2cap_chan_lock(chan);
4e8402a3 1188
715ec005 1189 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1190 l2cap_chan_unlock(chan);
79d554a6
MH		 1191 continue;
1192 }
1193
89bc500e 1194 if (chan->state == BT_CONNECT) {
d45fc423 1195 if (!l2cap_chan_check_security(chan) ||
2d792818 1196 !__l2cap_no_conn_pending(chan)) {
6be36555 1197 l2cap_chan_unlock(chan);
47731de7
GP		 1198 continue;
1199 }
79d554a6 1200
c1360a1c 1201 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1202 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1203 &chan->conf_state)) {
89bc500e 1204 l2cap_chan_close(chan, ECONNRESET);
6be36555 1205 l2cap_chan_unlock(chan);
47731de7 1206 continue;
b1235d79 1207 }
47731de7 1208
93c3e8f5 1209 l2cap_start_connection(chan);
47731de7 1210
89bc500e 1211 } else if (chan->state == BT_CONNECT2) {
79d554a6 1212 struct l2cap_conn_rsp rsp;
e9aeb2dd 1213 char buf[128];
fe4128e0
GP		 1214 rsp.scid = cpu_to_le16(chan->dcid);
1215 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1216
d45fc423 1217 if (l2cap_chan_check_security(chan)) {
6be36555 1218 lock_sock(sk);
c5daa683
GP		 1219 if (test_bit(BT_SK_DEFER_SETUP,
1220 &bt_sk(sk)->flags)) {
ac73498c
AE		 1221 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1222 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1223 chan->ops->defer(chan);
f66dc81f
MH		 1224
1225 } else {
0e587be7 1226 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1227 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1228 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1229 }
6be36555 1230 release_sock(sk);
79d554a6 1231 } else {
ac73498c
AE		 1232 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1233 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1234 }
1235
fc7f8a7e 1236 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1237 sizeof(rsp), &rsp);
e9aeb2dd 1238
c1360a1c 1239 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1240 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1241 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1242 continue;
1243 }
1244
c1360a1c 1245 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1246 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1247 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1248 chan->num_conf_req++;
4e8402a3
MH		 1249 }
1250
6be36555 1251 l2cap_chan_unlock(chan);
4e8402a3
MH		 1252 }
1253
3df91ea2 1254 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1255}
1256
c2287681 1257/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1258 * Returns closest match, locked.
1259 */
d9b88702 1260static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1261 bdaddr_t *src,
1262 bdaddr_t *dst)
b62f328b 1263{
23691d75 1264 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1265
23691d75 1266 read_lock(&chan_list_lock);
b62f328b 1267
23691d75
GP		 1268 list_for_each_entry(c, &chan_list, global_l) {
1269 struct sock *sk = c->sk;
fe4128e0 1270
89bc500e 1271 if (state && c->state != state)
b62f328b
VT		 1272 continue;
1273
23691d75 1274 if (c->scid == cid) {
c2287681
IY		 1275 int src_match, dst_match;
1276 int src_any, dst_any;
1277
b62f328b 1278 /* Exact match. */
c2287681
IY		 1279 src_match = !bacmp(&bt_sk(sk)->src, src);
1280 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1281 if (src_match && dst_match) {
23691d75
GP		 1282 read_unlock(&chan_list_lock);
1283 return c;
1284 }
b62f328b
VT		 1285
1286 /* Closest match */
c2287681
IY		 1287 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1288 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1289 if ((src_match && dst_any) || (src_any && dst_match) ||
1290 (src_any && dst_any))
23691d75 1291 c1 = c;
b62f328b
VT		 1292 }
1293 }
280f294f 1294
23691d75 1295 read_unlock(&chan_list_lock);
b62f328b 1296
23691d75 1297 return c1;
b62f328b
VT		 1298}
1299
1300static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1301{
c916fbe4 1302 struct sock *parent, *sk;
23691d75 1303 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1304
1305 BT_DBG("");
1306
1307 /* Check if we have socket listening on cid */
23691d75 1308 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1309 conn->src, conn->dst);
23691d75 1310 if (!pchan)
b62f328b
VT		 1311 return;
1312
23691d75
GP		 1313 parent = pchan->sk;
1314
aa2ac881 1315 lock_sock(parent);
62f3a2cf 1316
80b98027 1317 chan = pchan->ops->new_connection(pchan);
80808e43 1318 if (!chan)
b62f328b
VT		 1319 goto clean;
1320
80808e43 1321 sk = chan->sk;
5d41ce1d 1322
b62f328b 1323 hci_conn_hold(conn->hcon);
a9ea3ed9 1324 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1325
b62f328b
VT		 1326 bacpy(&bt_sk(sk)->src, conn->src);
1327 bacpy(&bt_sk(sk)->dst, conn->dst);
1328
3d57dc68 1329 l2cap_chan_add(conn, chan);
48454079 1330
6754e0df 1331 l2cap_chan_ready(chan);
b62f328b 1332
b62f328b 1333clean:
aa2ac881 1334 release_sock(parent);
b62f328b
VT		 1335}
1336
4e8402a3
MH		 1337static void l2cap_conn_ready(struct l2cap_conn *conn)
1338{
48454079 1339 struct l2cap_chan *chan;
cc110922 1340 struct hci_conn *hcon = conn->hcon;
4e8402a3 1341
79d554a6 1342 BT_DBG("conn %p", conn);
4e8402a3 1343
cc110922 1344 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1345 l2cap_le_conn_ready(conn);
1346
cc110922
VCG		 1347 if (hcon->out && hcon->type == LE_LINK)
1348 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1349
3df91ea2 1350 mutex_lock(&conn->chan_lock);
4e8402a3 1351
3df91ea2 1352 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1353
6be36555 1354 l2cap_chan_lock(chan);
4e8402a3 1355
416fa752
AE		 1356 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1357 l2cap_chan_unlock(chan);
1358 continue;
1359 }
1360
cc110922
VCG		 1361 if (hcon->type == LE_LINK) {
1362 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1363 l2cap_chan_ready(chan);
acd7d370 1364
63128451 1365 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1366 struct sock *sk = chan->sk;
c9b66675 1367 __clear_chan_timer(chan);
6be36555 1368 lock_sock(sk);
0e587be7 1369 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1370 sk->sk_state_change(sk);
6be36555 1371 release_sock(sk);
b501d6a1 1372
89bc500e 1373 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1374 l2cap_do_start(chan);
4e8402a3 1375
6be36555 1376 l2cap_chan_unlock(chan);
4e8402a3 1377 }
79d554a6 1378
3df91ea2 1379 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1380}
1381
1382/* Notify sockets that we cannot guaranty reliability anymore */
1383static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1384{
48454079 1385 struct l2cap_chan *chan;
4e8402a3
MH		 1386
1387 BT_DBG("conn %p", conn);
1388
3df91ea2 1389 mutex_lock(&conn->chan_lock);
4e8402a3 1390
3df91ea2 1391 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1392 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1393 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1394 }
1395
3df91ea2 1396 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1397}
1398
f878fcad 1399static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1400{
f878fcad 1401 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1402 info_timer.work);
4e8402a3 1403
984947dc 1404 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1405 conn->info_ident = 0;
984947dc 1406
4e8402a3
MH		 1407 l2cap_conn_start(conn);
1408}
1409
5d3de7df
VCG		 1410static void l2cap_conn_del(struct hci_conn *hcon, int err)
1411{
1412 struct l2cap_conn *conn = hcon->l2cap_data;
1413 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1414
1415 if (!conn)
1416 return;
1417
1418 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1419
1420 kfree_skb(conn->rx_skb);
1421
3df91ea2
AE		 1422 mutex_lock(&conn->chan_lock);
1423
5d3de7df
VCG		 1424 /* Kill channels */
1425 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1426 l2cap_chan_hold(chan);
6be36555
AE		 1427 l2cap_chan_lock(chan);
1428
5d3de7df 1429 l2cap_chan_del(chan, err);
6be36555
AE		 1430
1431 l2cap_chan_unlock(chan);
1432
80b98027 1433 chan->ops->close(chan);
61d6ef3e 1434 l2cap_chan_put(chan);
5d3de7df
VCG		 1435 }
1436
3df91ea2
AE		 1437 mutex_unlock(&conn->chan_lock);
1438
73d80deb
LAD		 1439 hci_chan_del(conn->hchan);
1440
5d3de7df 1441 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1442 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1443
51a8efd7 1444 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1445 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1446 smp_chan_destroy(conn);
d26a2345 1447 }
5d3de7df
VCG		 1448
1449 hcon->l2cap_data = NULL;
1450 kfree(conn);
1451}
1452
6c9d42a1 1453static void security_timeout(struct work_struct *work)
5d3de7df 1454{
6c9d42a1 1455 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1456 security_timer.work);
5d3de7df 1457
d06cc416
JH		 1458 BT_DBG("conn %p", conn);
1459
1460 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1461 smp_chan_destroy(conn);
1462 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1463 }
5d3de7df
VCG		 1464}
1465
1da177e4
LT		 1466static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1467{
0139418c 1468 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1469 struct hci_chan *hchan;
1da177e4 1470
0139418c 1471 if (conn || status)
1da177e4
LT		 1472 return conn;
1473
73d80deb
LAD		 1474 hchan = hci_chan_create(hcon);
1475 if (!hchan)
1476 return NULL;
1477
8bcde1f2 1478 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1479 if (!conn) {
1480 hci_chan_del(hchan);
1da177e4 1481 return NULL;
73d80deb 1482 }
1da177e4
LT		 1483
1484 hcon->l2cap_data = conn;
1485 conn->hcon = hcon;
73d80deb 1486 conn->hchan = hchan;
1da177e4 1487
73d80deb 1488 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1489
dcc042d5
AE		 1490 switch (hcon->type) {
1491 case AMP_LINK:
1492 conn->mtu = hcon->hdev->block_mtu;
1493 break;
1494
1495 case LE_LINK:
1496 if (hcon->hdev->le_mtu) {
1497 conn->mtu = hcon->hdev->le_mtu;
1498 break;
1499 }
1500 /* fall through */
1501
1502 default:
acd7d370 1503 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1504 break;
1505 }
acd7d370 1506
1da177e4
LT		 1507 conn->src = &hcon->hdev->bdaddr;
1508 conn->dst = &hcon->dst;
1509
4e8402a3
MH		 1510 conn->feat_mask = 0;
1511
1da177e4 1512 spin_lock_init(&conn->lock);
3df91ea2 1513 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1514
1515 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1516
5d3de7df 1517 if (hcon->type == LE_LINK)
6c9d42a1 1518 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1519 else
030013d8 1520 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1521
9f5a0d7b 1522 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1523
1da177e4
LT		 1524 return conn;
1525}
1526
1da177e4 1527/* ---- Socket interface ---- */
1da177e4 1528
c2287681 1529/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1530 * Returns closest match.
1531 */
c2287681
IY		 1532static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1533 bdaddr_t *src,
1534 bdaddr_t *dst)
1da177e4 1535{
23691d75 1536 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1537
23691d75 1538 read_lock(&chan_list_lock);
e0f0cb56 1539
23691d75
GP		 1540 list_for_each_entry(c, &chan_list, global_l) {
1541 struct sock *sk = c->sk;
fe4128e0 1542
89bc500e 1543 if (state && c->state != state)
1da177e4
LT		 1544 continue;
1545
23691d75 1546 if (c->psm == psm) {
c2287681
IY		 1547 int src_match, dst_match;
1548 int src_any, dst_any;
1549
1da177e4 1550 /* Exact match. */
c2287681
IY		 1551 src_match = !bacmp(&bt_sk(sk)->src, src);
1552 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1553 if (src_match && dst_match) {
a7567b20 1554 read_unlock(&chan_list_lock);
23691d75
GP		 1555 return c;
1556 }
1da177e4
LT		 1557
1558 /* Closest match */
c2287681
IY		 1559 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1560 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1561 if ((src_match && dst_any) || (src_any && dst_match) ||
1562 (src_any && dst_any))
23691d75 1563 c1 = c;
1da177e4
LT		 1564 }
1565 }
1da177e4 1566
23691d75 1567 read_unlock(&chan_list_lock);
e0f0cb56 1568
23691d75 1569 return c1;
1da177e4
LT		 1570}
1571
8e9f9892
AG		 1572int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1573 bdaddr_t *dst, u8 dst_type)
1da177e4 1574{
5d41ce1d 1575 struct sock *sk = chan->sk;
1da177e4 1576 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1577 struct l2cap_conn *conn;
1578 struct hci_conn *hcon;
1579 struct hci_dev *hdev;
09ab6f4c 1580 __u8 auth_type;
44d0e48e 1581 int err;
1da177e4 1582
6ed93dc6 1583 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1584 dst_type, __le16_to_cpu(psm));
1da177e4 1585
af05b30b
GP		 1586 hdev = hci_get_route(dst, src);
1587 if (!hdev)
1da177e4
LT		 1588 return -EHOSTUNREACH;
1589
09fd0de5 1590 hci_dev_lock(hdev);
1da177e4 1591
6be36555 1592 l2cap_chan_lock(chan);
03a00194
GP		 1593
1594 /* PSM must be odd and lsb of upper byte must be 0 */
1595 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1596 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1597 err = -EINVAL;
1598 goto done;
1599 }
1600
1601 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1602 err = -EINVAL;
1603 goto done;
1604 }
1605
1606 switch (chan->mode) {
1607 case L2CAP_MODE_BASIC:
1608 break;
1609 case L2CAP_MODE_ERTM:
1610 case L2CAP_MODE_STREAMING:
1611 if (!disable_ertm)
1612 break;
1613 /* fall through */
1614 default:
1615 err = -ENOTSUPP;
1616 goto done;
1617 }
1618
0797e01d 1619 switch (chan->state) {
03a00194
GP		 1620 case BT_CONNECT:
1621 case BT_CONNECT2:
1622 case BT_CONFIG:
1623 /* Already connecting */
1624 err = 0;
1625 goto done;
1626
1627 case BT_CONNECTED:
1628 /* Already connected */
1629 err = -EISCONN;
1630 goto done;
1631
1632 case BT_OPEN:
1633 case BT_BOUND:
1634 /* Can connect */
1635 break;
1636
1637 default:
1638 err = -EBADFD;
1639 goto done;
1640 }
1641
1642 /* Set destination address and psm */
0797e01d 1643 lock_sock(sk);
9219b2a0 1644 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1645 release_sock(sk);
1646
03a00194
GP		 1647 chan->psm = psm;
1648 chan->dcid = cid;
1da177e4 1649
4343478f 1650 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1651
fe4128e0 1652 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1653 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1654 chan->sec_level, auth_type);
acd7d370 1655 else
8e9f9892 1656 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1657 chan->sec_level, auth_type);
acd7d370 1658
30e76272
VT		 1659 if (IS_ERR(hcon)) {
1660 err = PTR_ERR(hcon);
1da177e4 1661 goto done;
30e76272 1662 }
1da177e4
LT		 1663
1664 conn = l2cap_conn_add(hcon, 0);
1665 if (!conn) {
1666 hci_conn_put(hcon);
30e76272 1667 err = -ENOMEM;
1da177e4
LT		 1668 goto done;
1669 }
1670
9f0caeb1
VCG		 1671 if (hcon->type == LE_LINK) {
1672 err = 0;
1673
1674 if (!list_empty(&conn->chan_l)) {
1675 err = -EBUSY;
1676 hci_conn_put(hcon);
1677 }
1678
1679 if (err)
1680 goto done;
1681 }
1682
1da177e4
LT		 1683 /* Update source addr of the socket */
1684 bacpy(src, conn->src);
1685
6be36555 1686 l2cap_chan_unlock(chan);
48454079 1687 l2cap_chan_add(conn, chan);
6be36555 1688 l2cap_chan_lock(chan);
48454079 1689
6be36555 1690 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1691 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1692
1693 if (hcon->state == BT_CONNECTED) {
715ec005 1694 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1695 __clear_chan_timer(chan);
d45fc423 1696 if (l2cap_chan_check_security(chan))
6be36555 1697 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1698 } else
fc7f8a7e 1699 l2cap_do_start(chan);
1da177e4
LT		 1700 }
1701
30e76272
VT		 1702 err = 0;
1703
1da177e4 1704done:
6be36555 1705 l2cap_chan_unlock(chan);
09fd0de5 1706 hci_dev_unlock(hdev);
1da177e4
LT		 1707 hci_dev_put(hdev);
1708 return err;
1709}
1710
dcba0dba 1711int __l2cap_wait_ack(struct sock *sk)
6161c038 1712{
8c1d787b 1713 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1714 DECLARE_WAITQUEUE(wait, current);
1715 int err = 0;
1716 int timeo = HZ/5;
1717
2b0b05dd 1718 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1719 set_current_state(TASK_INTERRUPTIBLE);
1720 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1721 if (!timeo)
1722 timeo = HZ/5;
1723
1724 if (signal_pending(current)) {
1725 err = sock_intr_errno(timeo);
1726 break;
1727 }
1728
1729 release_sock(sk);
1730 timeo = schedule_timeout(timeo);
1731 lock_sock(sk);
a71a0cf4 1732 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1733
1734 err = sock_error(sk);
1735 if (err)
1736 break;
1737 }
1738 set_current_state(TASK_RUNNING);
2b0b05dd 1739 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1740 return err;
1741}
1742
721c4181 1743static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1744{
721c4181 1745 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1746 monitor_timer.work);
e90bac06 1747
525cd185 1748 BT_DBG("chan %p", chan);
0e98958d 1749
6be36555
AE		 1750 l2cap_chan_lock(chan);
1751
80909e04 1752 if (!chan->conn) {
6be36555 1753 l2cap_chan_unlock(chan);
8d7e1c7f 1754 l2cap_chan_put(chan);
e90bac06
GP		 1755 return;
1756 }
1757
401bb1f7 1758 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1759
6be36555 1760 l2cap_chan_unlock(chan);
8d7e1c7f 1761 l2cap_chan_put(chan);
e90bac06
GP		 1762}
1763
721c4181 1764static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1765{
721c4181 1766 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1767 retrans_timer.work);
e90bac06 1768
49208c9c 1769 BT_DBG("chan %p", chan);
0e98958d 1770
6be36555
AE		 1771 l2cap_chan_lock(chan);
1772
80909e04
MM		 1773 if (!chan->conn) {
1774 l2cap_chan_unlock(chan);
1775 l2cap_chan_put(chan);
1776 return;
1777 }
6be36555 1778
401bb1f7 1779 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1780 l2cap_chan_unlock(chan);
8d7e1c7f 1781 l2cap_chan_put(chan);
e90bac06
GP		 1782}
1783
d660366d
GP		 1784static void l2cap_streaming_send(struct l2cap_chan *chan,
1785 struct sk_buff_head *skbs)
6840ed07 1786{
ccbb84af 1787 struct sk_buff *skb;
3733937d 1788 struct l2cap_ctrl *control;
6840ed07 1789
3733937d
MM		 1790 BT_DBG("chan %p, skbs %p", chan, skbs);
1791
3733937d
MM		 1792 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1793
1794 while (!skb_queue_empty(&chan->tx_q)) {
1795
1796 skb = skb_dequeue(&chan->tx_q);
1797
1798 bt_cb(skb)->control.retries = 1;
1799 control = &bt_cb(skb)->control;
1800
1801 control->reqseq = 0;
1802 control->txseq = chan->next_tx_seq;
1803
1804 __pack_control(chan, control, skb);
6840ed07 1805
47d1ec61 1806 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1807 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1808 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1809 }
1810
4343478f 1811 l2cap_do_send(chan, skb);
6840ed07 1812
b4400672 1813 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1814
836be934 1815 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1816 chan->frames_sent++;
6840ed07 1817 }
6840ed07
GP		 1818}
1819
67c9e840 1820static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1821{
1822 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1823 struct l2cap_ctrl *control;
1824 int sent = 0;
1825
1826 BT_DBG("chan %p", chan);
1c2acffb 1827
89bc500e 1828 if (chan->state != BT_CONNECTED)
c13ffa62 1829 return -ENOTCONN;
e90bac06 1830
94122bbe
MM		 1831 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1832 return 0;
1833
18a48e76
MM		 1834 while (chan->tx_send_head &&
1835 chan->unacked_frames < chan->remote_tx_win &&
1836 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1837
18a48e76 1838 skb = chan->tx_send_head;
e90bac06 1839
18a48e76
MM		 1840 bt_cb(skb)->control.retries = 1;
1841 control = &bt_cb(skb)->control;
95ffa978 1842
e2ab4353 1843 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1844 control->final = 1;
e2ab4353 1845
18a48e76
MM		 1846 control->reqseq = chan->buffer_seq;
1847 chan->last_acked_seq = chan->buffer_seq;
1848 control->txseq = chan->next_tx_seq;
1c2acffb 1849
18a48e76 1850 __pack_control(chan, control, skb);
e90bac06 1851
47d1ec61 1852 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1853 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1854 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1855 }
1856
18a48e76
MM		 1857 /* Clone after data has been modified. Data is assumed to be
1858 read-only (for locking purposes) on cloned sk_buffs.
1859 */
1860 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1861
18a48e76
MM		 1862 if (!tx_skb)
1863 break;
1c2acffb 1864
18a48e76 1865 __set_retrans_timer(chan);
836be934
AE		 1866
1867 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1868 chan->unacked_frames++;
6a026610 1869 chan->frames_sent++;
18a48e76 1870 sent++;
1c2acffb 1871
58d35f87
GP		 1872 if (skb_queue_is_last(&chan->tx_q, skb))
1873 chan->tx_send_head = NULL;
1c2acffb 1874 else
58d35f87 1875 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1876
1877 l2cap_do_send(chan, tx_skb);
b4400672 1878 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1879 }
1880
b4400672
AE		 1881 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1882 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1883
1884 return sent;
9e917af1
GP		 1885}
1886
e1fbd4c1
MM		 1887static void l2cap_ertm_resend(struct l2cap_chan *chan)
1888{
1889 struct l2cap_ctrl control;
1890 struct sk_buff *skb;
1891 struct sk_buff *tx_skb;
1892 u16 seq;
1893
1894 BT_DBG("chan %p", chan);
1895
1896 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1897 return;
1898
1899 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1900 seq = l2cap_seq_list_pop(&chan->retrans_list);
1901
1902 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1903 if (!skb) {
1904 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1905 seq);
e1fbd4c1
MM		 1906 continue;
1907 }
1908
1909 bt_cb(skb)->control.retries++;
1910 control = bt_cb(skb)->control;
1911
1912 if (chan->max_tx != 0 &&
1913 bt_cb(skb)->control.retries > chan->max_tx) {
1914 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1915 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1916 l2cap_seq_list_clear(&chan->retrans_list);
1917 break;
1918 }
1919
1920 control.reqseq = chan->buffer_seq;
1921 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1922 control.final = 1;
1923 else
1924 control.final = 0;
1925
1926 if (skb_cloned(skb)) {
1927 /* Cloned sk_buffs are read-only, so we need a
1928 * writeable copy
1929 */
8bcde1f2 1930 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1931 } else {
8bcde1f2 1932 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1933 }
1934
1935 if (!tx_skb) {
1936 l2cap_seq_list_clear(&chan->retrans_list);
1937 break;
1938 }
1939
1940 /* Update skb contents */
1941 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1942 put_unaligned_le32(__pack_extended_control(&control),
1943 tx_skb->data + L2CAP_HDR_SIZE);
1944 } else {
1945 put_unaligned_le16(__pack_enhanced_control(&control),
1946 tx_skb->data + L2CAP_HDR_SIZE);
1947 }
1948
1949 if (chan->fcs == L2CAP_FCS_CRC16) {
1950 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1951 put_unaligned_le16(fcs, skb_put(tx_skb,
1952 L2CAP_FCS_SIZE));
1953 }
1954
1955 l2cap_do_send(chan, tx_skb);
1956
1957 BT_DBG("Resent txseq %d", control.txseq);
1958
1959 chan->last_acked_seq = chan->buffer_seq;
1960 }
1961}
1962
f80842a8
MM		 1963static void l2cap_retransmit(struct l2cap_chan *chan,
1964 struct l2cap_ctrl *control)
1965{
1966 BT_DBG("chan %p, control %p", chan, control);
1967
1968 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1969 l2cap_ertm_resend(chan);
1970}
1971
d2a7ac5d
MM		 1972static void l2cap_retransmit_all(struct l2cap_chan *chan,
1973 struct l2cap_ctrl *control)
1974{
e1fbd4c1
MM		 1975 struct sk_buff *skb;
1976
1977 BT_DBG("chan %p, control %p", chan, control);
1978
1979 if (control->poll)
1980 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1981
1982 l2cap_seq_list_clear(&chan->retrans_list);
1983
1984 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1985 return;
1986
1987 if (chan->unacked_frames) {
1988 skb_queue_walk(&chan->tx_q, skb) {
1989 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 1990 skb == chan->tx_send_head)
e1fbd4c1
MM		 1991 break;
1992 }
1993
1994 skb_queue_walk_from(&chan->tx_q, skb) {
1995 if (skb == chan->tx_send_head)
1996 break;
1997
1998 l2cap_seq_list_append(&chan->retrans_list,
1999 bt_cb(skb)->control.txseq);
2000 }
2001
2002 l2cap_ertm_resend(chan);
2003 }
d2a7ac5d
MM		 2004}
2005
0a0aba42 2006static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2007{
0a0aba42
MM		 2008 struct l2cap_ctrl control;
2009 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2010 chan->last_acked_seq);
2011 int threshold;
9e917af1 2012
0a0aba42
MM		 2013 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2014 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2015
0a0aba42
MM		 2016 memset(&control, 0, sizeof(control));
2017 control.sframe = 1;
dfc909be 2018
0a0aba42
MM		 2019 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2020 chan->rx_state == L2CAP_RX_STATE_RECV) {
2021 __clear_ack_timer(chan);
2022 control.super = L2CAP_SUPER_RNR;
2023 control.reqseq = chan->buffer_seq;
2024 l2cap_send_sframe(chan, &control);
2025 } else {
2026 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2027 l2cap_ertm_send(chan);
2028 /* If any i-frames were sent, they included an ack */
2029 if (chan->buffer_seq == chan->last_acked_seq)
2030 frames_to_ack = 0;
2031 }
dfc909be 2032
c20f8e35 2033 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2034 * Calculate without mul or div
2035 */
c20f8e35 2036 threshold = chan->ack_win;
0a0aba42
MM		 2037 threshold += threshold << 1;
2038 threshold >>= 2;
2039
b4400672 2040 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2041 threshold);
2042
2043 if (frames_to_ack >= threshold) {
2044 __clear_ack_timer(chan);
2045 control.super = L2CAP_SUPER_RR;
2046 control.reqseq = chan->buffer_seq;
2047 l2cap_send_sframe(chan, &control);
2048 frames_to_ack = 0;
2049 }
1c2acffb 2050
0a0aba42
MM		 2051 if (frames_to_ack)
2052 __set_ack_timer(chan);
2053 }
b17e73bb
SJ		 2054}
2055
04124681
GP		 2056static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2057 struct msghdr *msg, int len,
2058 int count, struct sk_buff *skb)
1c2acffb 2059{
0952a57a 2060 struct l2cap_conn *conn = chan->conn;
1c2acffb 2061 struct sk_buff **frag;
90338947 2062 int sent = 0;
1da177e4 2063
59203a21 2064 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2065 return -EFAULT;
1da177e4
LT		 2066
2067 sent += count;
2068 len -= count;
2069
2070 /* Continuation fragments (no L2CAP header) */
2071 frag = &skb_shinfo(skb)->frag_list;
2072 while (len) {
fbe00700
GP		 2073 struct sk_buff *tmp;
2074
1da177e4
LT		 2075 count = min_t(unsigned int, conn->mtu, len);
2076
fbe00700
GP		 2077 tmp = chan->ops->alloc_skb(chan, count,
2078 msg->msg_flags & MSG_DONTWAIT);
2079 if (IS_ERR(tmp))
2080 return PTR_ERR(tmp);
2081
2082 *frag = tmp;
2f7719ce 2083
1c2acffb
GP		 2084 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2085 return -EFAULT;
1da177e4 2086
5e59b791
LAD		 2087 (*frag)->priority = skb->priority;
2088
1da177e4
LT		 2089 sent += count;
2090 len -= count;
2091
2d0ed3d5
GP		 2092 skb->len += (*frag)->len;
2093 skb->data_len += (*frag)->len;
2094
1da177e4
LT		 2095 frag = &(*frag)->next;
2096 }
1da177e4
LT		 2097
2098 return sent;
1c2acffb 2099}
1da177e4 2100
5e59b791 2101static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2102 struct msghdr *msg, size_t len,
2103 u32 priority)
1c2acffb 2104{
8c1d787b 2105 struct l2cap_conn *conn = chan->conn;
1c2acffb 2106 struct sk_buff *skb;
03a51213 2107 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2108 struct l2cap_hdr *lh;
2109
b4400672 2110 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2111
2112 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2113
2114 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2115 msg->msg_flags & MSG_DONTWAIT);
2116 if (IS_ERR(skb))
2117 return skb;
1c2acffb 2118
5e59b791
LAD		 2119 skb->priority = priority;
2120
1c2acffb
GP		 2121 /* Create L2CAP header */
2122 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2123 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2124 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2125 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2126
0952a57a 2127 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2128 if (unlikely(err < 0)) {
2129 kfree_skb(skb);
2130 return ERR_PTR(err);
2131 }
2132 return skb;
2133}
2134
5e59b791 2135static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2136 struct msghdr *msg, size_t len,
2137 u32 priority)
1c2acffb 2138{
8c1d787b 2139 struct l2cap_conn *conn = chan->conn;
1c2acffb 2140 struct sk_buff *skb;
f2ba7fae 2141 int err, count;
1c2acffb
GP		 2142 struct l2cap_hdr *lh;
2143
b4400672 2144 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2145
f2ba7fae 2146 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2147
f2ba7fae 2148 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2149 msg->msg_flags & MSG_DONTWAIT);
2150 if (IS_ERR(skb))
2151 return skb;
1c2acffb 2152
5e59b791
LAD		 2153 skb->priority = priority;
2154
1c2acffb
GP		 2155 /* Create L2CAP header */
2156 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2157 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2158 lh->len = cpu_to_le16(len);
1c2acffb 2159
0952a57a 2160 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2161 if (unlikely(err < 0)) {
2162 kfree_skb(skb);
2163 return ERR_PTR(err);
2164 }
2165 return skb;
2166}
2167
ab0ff76d 2168static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2169 struct msghdr *msg, size_t len,
2170 u16 sdulen)
1c2acffb 2171{
8c1d787b 2172 struct l2cap_conn *conn = chan->conn;
1c2acffb 2173 struct sk_buff *skb;
e4ca6d98 2174 int err, count, hlen;
1c2acffb
GP		 2175 struct l2cap_hdr *lh;
2176
b4400672 2177 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2178
0ee0d208
GP		 2179 if (!conn)
2180 return ERR_PTR(-ENOTCONN);
2181
ba7aa64f 2182 hlen = __ertm_hdr_size(chan);
e4ca6d98 2183
c74e560c 2184 if (sdulen)
03a51213 2185 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2186
47d1ec61 2187 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2188 hlen += L2CAP_FCS_SIZE;
fcc203c3 2189
1c2acffb 2190 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2191
2192 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2193 msg->msg_flags & MSG_DONTWAIT);
2194 if (IS_ERR(skb))
2195 return skb;
1c2acffb
GP		 2196
2197 /* Create L2CAP header */
2198 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2199 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2200 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2201
18a48e76
MM		 2202 /* Control header is populated later */
2203 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2204 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2205 else
2206 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2207
c74e560c 2208 if (sdulen)
03a51213 2209 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2210
0952a57a 2211 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2212 if (unlikely(err < 0)) {
2213 kfree_skb(skb);
2214 return ERR_PTR(err);
2215 }
e90bac06 2216
18a48e76 2217 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2218 bt_cb(skb)->control.retries = 0;
1c2acffb 2219 return skb;
1da177e4
LT		 2220}
2221
94122bbe
MM		 2222static int l2cap_segment_sdu(struct l2cap_chan *chan,
2223 struct sk_buff_head *seg_queue,
2224 struct msghdr *msg, size_t len)
c74e560c 2225{
c74e560c 2226 struct sk_buff *skb;
94122bbe
MM		 2227 u16 sdu_len;
2228 size_t pdu_len;
94122bbe 2229 u8 sar;
c74e560c 2230
b4400672 2231 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2232
94122bbe
MM		 2233 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2234 * so fragmented skbs are not used. The HCI layer's handling
2235 * of fragmented skbs is not compatible with ERTM's queueing.
2236 */
c74e560c 2237
94122bbe
MM		 2238 /* PDU size is derived from the HCI MTU */
2239 pdu_len = chan->conn->mtu;
c74e560c 2240
94122bbe
MM		 2241 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2242
2243 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2244 if (chan->fcs)
2245 pdu_len -= L2CAP_FCS_SIZE;
2246
ba7aa64f 2247 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2248
2249 /* Remote device may have requested smaller PDUs */
2250 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2251
2252 if (len <= pdu_len) {
2253 sar = L2CAP_SAR_UNSEGMENTED;
2254 sdu_len = 0;
2255 pdu_len = len;
2256 } else {
2257 sar = L2CAP_SAR_START;
2258 sdu_len = len;
2259 pdu_len -= L2CAP_SDULEN_SIZE;
2260 }
2261
2262 while (len > 0) {
2263 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2264
c74e560c 2265 if (IS_ERR(skb)) {
94122bbe 2266 __skb_queue_purge(seg_queue);
c74e560c
GP		 2267 return PTR_ERR(skb);
2268 }
2269
94122bbe
MM		 2270 bt_cb(skb)->control.sar = sar;
2271 __skb_queue_tail(seg_queue, skb);
2272
2273 len -= pdu_len;
2274 if (sdu_len) {
2275 sdu_len = 0;
2276 pdu_len += L2CAP_SDULEN_SIZE;
2277 }
2278
2279 if (len <= pdu_len) {
2280 sar = L2CAP_SAR_END;
2281 pdu_len = len;
2282 } else {
2283 sar = L2CAP_SAR_CONTINUE;
2284 }
c74e560c 2285 }
c74e560c 2286
f0f62799 2287 return 0;
c74e560c
GP		 2288}
2289
5e59b791 2290int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2291 u32 priority)
9a91a04a 2292{
9a91a04a 2293 struct sk_buff *skb;
9a91a04a 2294 int err;
94122bbe 2295 struct sk_buff_head seg_queue;
9a91a04a
GP		 2296
2297 /* Connectionless channel */
715ec005 2298 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2299 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2300 if (IS_ERR(skb))
2301 return PTR_ERR(skb);
2302
2303 l2cap_do_send(chan, skb);
2304 return len;
2305 }
2306
2307 switch (chan->mode) {
2308 case L2CAP_MODE_BASIC:
2309 /* Check outgoing MTU */
2310 if (len > chan->omtu)
2311 return -EMSGSIZE;
2312
2313 /* Create a basic PDU */
5e59b791 2314 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2315 if (IS_ERR(skb))
2316 return PTR_ERR(skb);
2317
2318 l2cap_do_send(chan, skb);
2319 err = len;
2320 break;
2321
2322 case L2CAP_MODE_ERTM:
2323 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2324 /* Check outgoing MTU */
2325 if (len > chan->omtu) {
2326 err = -EMSGSIZE;
2327 break;
2328 }
9a91a04a 2329
94122bbe 2330 __skb_queue_head_init(&seg_queue);
9a91a04a 2331
94122bbe
MM		 2332 /* Do segmentation before calling in to the state machine,
2333 * since it's possible to block while waiting for memory
2334 * allocation.
2335 */
2336 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2337
94122bbe
MM		 2338 /* The channel could have been closed while segmenting,
2339 * check that it is still connected.
2340 */
2341 if (chan->state != BT_CONNECTED) {
2342 __skb_queue_purge(&seg_queue);
2343 err = -ENOTCONN;
9a91a04a
GP		 2344 }
2345
94122bbe 2346 if (err)
9a91a04a 2347 break;
9a91a04a 2348
3733937d 2349 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2350 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2351 else
d660366d 2352 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2353
d660366d 2354 err = len;
9a91a04a 2355
94122bbe
MM		 2356 /* If the skbs were not queued for sending, they'll still be in
2357 * seg_queue and need to be purged.
2358 */
2359 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2360 break;
2361
2362 default:
2363 BT_DBG("bad state %1.1x", chan->mode);
2364 err = -EBADFD;
2365 }
2366
2367 return err;
2368}
2369
d2a7ac5d
MM		 2370static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2371{
bed68bde
MM		 2372 struct l2cap_ctrl control;
2373 u16 seq;
2374
b4400672 2375 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2376
2377 memset(&control, 0, sizeof(control));
2378 control.sframe = 1;
2379 control.super = L2CAP_SUPER_SREJ;
2380
2381 for (seq = chan->expected_tx_seq; seq != txseq;
2382 seq = __next_seq(chan, seq)) {
2383 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2384 control.reqseq = seq;
2385 l2cap_send_sframe(chan, &control);
2386 l2cap_seq_list_append(&chan->srej_list, seq);
2387 }
2388 }
2389
2390 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2391}
2392
2393static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2394{
bed68bde
MM		 2395 struct l2cap_ctrl control;
2396
2397 BT_DBG("chan %p", chan);
2398
2399 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2400 return;
2401
2402 memset(&control, 0, sizeof(control));
2403 control.sframe = 1;
2404 control.super = L2CAP_SUPER_SREJ;
2405 control.reqseq = chan->srej_list.tail;
2406 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2407}
2408
2409static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2410{
bed68bde
MM		 2411 struct l2cap_ctrl control;
2412 u16 initial_head;
2413 u16 seq;
2414
b4400672 2415 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2416
2417 memset(&control, 0, sizeof(control));
2418 control.sframe = 1;
2419 control.super = L2CAP_SUPER_SREJ;
2420
2421 /* Capture initial list head to allow only one pass through the list. */
2422 initial_head = chan->srej_list.head;
2423
2424 do {
2425 seq = l2cap_seq_list_pop(&chan->srej_list);
2426 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2427 break;
2428
2429 control.reqseq = seq;
2430 l2cap_send_sframe(chan, &control);
2431 l2cap_seq_list_append(&chan->srej_list, seq);
2432 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2433}
2434
608bcc6d
MM		 2435static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2436{
2437 struct sk_buff *acked_skb;
2438 u16 ackseq;
2439
b4400672 2440 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2441
2442 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2443 return;
2444
b4400672 2445 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2446 chan->expected_ack_seq, chan->unacked_frames);
2447
2448 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2449 ackseq = __next_seq(chan, ackseq)) {
2450
2451 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2452 if (acked_skb) {
2453 skb_unlink(acked_skb, &chan->tx_q);
2454 kfree_skb(acked_skb);
2455 chan->unacked_frames--;
2456 }
2457 }
2458
2459 chan->expected_ack_seq = reqseq;
2460
2461 if (chan->unacked_frames == 0)
2462 __clear_retrans_timer(chan);
2463
b4400672 2464 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2465}
2466
2467static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2468{
2469 BT_DBG("chan %p", chan);
2470
2471 chan->expected_tx_seq = chan->buffer_seq;
2472 l2cap_seq_list_clear(&chan->srej_list);
2473 skb_queue_purge(&chan->srej_q);
2474 chan->rx_state = L2CAP_RX_STATE_RECV;
2475}
2476
d660366d
GP		 2477static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2478 struct l2cap_ctrl *control,
2479 struct sk_buff_head *skbs, u8 event)
608bcc6d 2480{
608bcc6d
MM		 2481 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2482 event);
2483
2484 switch (event) {
2485 case L2CAP_EV_DATA_REQUEST:
2486 if (chan->tx_send_head == NULL)
2487 chan->tx_send_head = skb_peek(skbs);
2488
2489 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2490 l2cap_ertm_send(chan);
2491 break;
2492 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2493 BT_DBG("Enter LOCAL_BUSY");
2494 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2495
2496 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2497 /* The SREJ_SENT state must be aborted if we are to
2498 * enter the LOCAL_BUSY state.
2499 */
2500 l2cap_abort_rx_srej_sent(chan);
2501 }
2502
2503 l2cap_send_ack(chan);
2504
2505 break;
2506 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2507 BT_DBG("Exit LOCAL_BUSY");
2508 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2509
2510 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2511 struct l2cap_ctrl local_control;
2512
2513 memset(&local_control, 0, sizeof(local_control));
2514 local_control.sframe = 1;
2515 local_control.super = L2CAP_SUPER_RR;
2516 local_control.poll = 1;
2517 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2518 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2519
2520 chan->retry_count = 1;
2521 __set_monitor_timer(chan);
2522 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2523 }
2524 break;
2525 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2526 l2cap_process_reqseq(chan, control->reqseq);
2527 break;
2528 case L2CAP_EV_EXPLICIT_POLL:
2529 l2cap_send_rr_or_rnr(chan, 1);
2530 chan->retry_count = 1;
2531 __set_monitor_timer(chan);
2532 __clear_ack_timer(chan);
2533 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2534 break;
2535 case L2CAP_EV_RETRANS_TO:
2536 l2cap_send_rr_or_rnr(chan, 1);
2537 chan->retry_count = 1;
2538 __set_monitor_timer(chan);
2539 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2540 break;
2541 case L2CAP_EV_RECV_FBIT:
2542 /* Nothing to process */
2543 break;
2544 default:
2545 break;
2546 }
608bcc6d
MM		 2547}
2548
d660366d
GP		 2549static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2550 struct l2cap_ctrl *control,
2551 struct sk_buff_head *skbs, u8 event)
608bcc6d 2552{
608bcc6d
MM		 2553 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2554 event);
2555
2556 switch (event) {
2557 case L2CAP_EV_DATA_REQUEST:
2558 if (chan->tx_send_head == NULL)
2559 chan->tx_send_head = skb_peek(skbs);
2560 /* Queue data, but don't send. */
2561 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2562 break;
2563 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2564 BT_DBG("Enter LOCAL_BUSY");
2565 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2566
2567 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2568 /* The SREJ_SENT state must be aborted if we are to
2569 * enter the LOCAL_BUSY state.
2570 */
2571 l2cap_abort_rx_srej_sent(chan);
2572 }
2573
2574 l2cap_send_ack(chan);
2575
2576 break;
2577 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2578 BT_DBG("Exit LOCAL_BUSY");
2579 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2580
2581 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2582 struct l2cap_ctrl local_control;
2583 memset(&local_control, 0, sizeof(local_control));
2584 local_control.sframe = 1;
2585 local_control.super = L2CAP_SUPER_RR;
2586 local_control.poll = 1;
2587 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2588 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2589
2590 chan->retry_count = 1;
2591 __set_monitor_timer(chan);
2592 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2593 }
2594 break;
2595 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2596 l2cap_process_reqseq(chan, control->reqseq);
2597
2598 /* Fall through */
2599
2600 case L2CAP_EV_RECV_FBIT:
2601 if (control && control->final) {
2602 __clear_monitor_timer(chan);
2603 if (chan->unacked_frames > 0)
2604 __set_retrans_timer(chan);
2605 chan->retry_count = 0;
2606 chan->tx_state = L2CAP_TX_STATE_XMIT;
2607 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2608 }
2609 break;
2610 case L2CAP_EV_EXPLICIT_POLL:
2611 /* Ignore */
2612 break;
2613 case L2CAP_EV_MONITOR_TO:
2614 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2615 l2cap_send_rr_or_rnr(chan, 1);
2616 __set_monitor_timer(chan);
2617 chan->retry_count++;
2618 } else {
2619 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2620 }
2621 break;
2622 default:
2623 break;
2624 }
608bcc6d
MM		 2625}
2626
d660366d
GP		 2627static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2628 struct sk_buff_head *skbs, u8 event)
608bcc6d 2629{
608bcc6d
MM		 2630 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2631 chan, control, skbs, event, chan->tx_state);
2632
2633 switch (chan->tx_state) {
2634 case L2CAP_TX_STATE_XMIT:
d660366d 2635 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2636 break;
2637 case L2CAP_TX_STATE_WAIT_F:
d660366d 2638 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2639 break;
2640 default:
2641 /* Ignore event */
2642 break;
2643 }
608bcc6d
MM		 2644}
2645
4b51dae9
MM		 2646static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2647 struct l2cap_ctrl *control)
2648{
2649 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2650 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2651}
2652
f80842a8
MM		 2653static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2654 struct l2cap_ctrl *control)
2655{
2656 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2657 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2658}
2659
1da177e4
LT		 2660/* Copy frame to all raw sockets on that connection */
2661static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2662{
1da177e4 2663 struct sk_buff *nskb;
48454079 2664 struct l2cap_chan *chan;
1da177e4
LT		 2665
2666 BT_DBG("conn %p", conn);
2667
3df91ea2 2668 mutex_lock(&conn->chan_lock);
3d57dc68 2669
3df91ea2 2670 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2671 struct sock *sk = chan->sk;
715ec005 2672 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2673 continue;
2674
2675 /* Don't send frame to the socket it came from */
2676 if (skb->sk == sk)
2677 continue;
8bcde1f2 2678 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2679 if (!nskb)
1da177e4
LT		 2680 continue;
2681
80b98027 2682 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2683 kfree_skb(nskb);
2684 }
3d57dc68 2685
3df91ea2 2686 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2687}
2688
2689/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2690static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2691 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2692{
2693 struct sk_buff *skb, **frag;
2694 struct l2cap_cmd_hdr *cmd;
2695 struct l2cap_hdr *lh;
2696 int len, count;
2697
b4400672
AE		 2698 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2699 conn, code, ident, dlen);
1da177e4
LT		 2700
2701 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2702 count = min_t(unsigned int, conn->mtu, len);
2703
8bcde1f2 2704 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2705 if (!skb)
2706 return NULL;
2707
2708 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2709 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2710
2711 if (conn->hcon->type == LE_LINK)
ac73498c 2712 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2713 else
ac73498c 2714 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2715
2716 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2717 cmd->code = code;
2718 cmd->ident = ident;
aca3192c 2719 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2720
2721 if (dlen) {
2722 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2723 memcpy(skb_put(skb, count), data, count);
2724 data += count;
2725 }
2726
2727 len -= skb->len;
2728
2729 /* Continuation fragments (no L2CAP header) */
2730 frag = &skb_shinfo(skb)->frag_list;
2731 while (len) {
2732 count = min_t(unsigned int, conn->mtu, len);
2733
8bcde1f2 2734 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2735 if (!*frag)
2736 goto fail;
2737
2738 memcpy(skb_put(*frag, count), data, count);
2739
2740 len -= count;
2741 data += count;
2742
2743 frag = &(*frag)->next;
2744 }
2745
2746 return skb;
2747
2748fail:
2749 kfree_skb(skb);
2750 return NULL;
2751}
2752
2d792818
GP		 2753static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2754 unsigned long *val)
1da177e4
LT		 2755{
2756 struct l2cap_conf_opt *opt = *ptr;
2757 int len;
2758
2759 len = L2CAP_CONF_OPT_SIZE + opt->len;
2760 *ptr += len;
2761
2762 *type = opt->type;
2763 *olen = opt->len;
2764
2765 switch (opt->len) {
2766 case 1:
2767 *val = *((u8 *) opt->val);
2768 break;
2769
2770 case 2:
bfaaeb3e 2771 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2772 break;
2773
2774 case 4:
bfaaeb3e 2775 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2776 break;
2777
2778 default:
2779 *val = (unsigned long) opt->val;
2780 break;
2781 }
2782
b4400672 2783 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2784 return len;
2785}
2786
1da177e4
LT		 2787static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2788{
2789 struct l2cap_conf_opt *opt = *ptr;
2790
b4400672 2791 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2792
2793 opt->type = type;
2794 opt->len = len;
2795
2796 switch (len) {
2797 case 1:
2798 *((u8 *) opt->val) = val;
2799 break;
2800
2801 case 2:
4f8b691c 2802 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2803 break;
2804
2805 case 4:
4f8b691c 2806 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2807 break;
2808
2809 default:
2810 memcpy(opt->val, (void *) val, len);
2811 break;
2812 }
2813
2814 *ptr += L2CAP_CONF_OPT_SIZE + len;
2815}
2816
f89cef09
AE		 2817static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2818{
2819 struct l2cap_conf_efs efs;
2820
1ec918ce 2821 switch (chan->mode) {
f89cef09
AE		 2822 case L2CAP_MODE_ERTM:
2823 efs.id = chan->local_id;
2824 efs.stype = chan->local_stype;
2825 efs.msdu = cpu_to_le16(chan->local_msdu);
2826 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2827 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2828 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2829 break;
2830
2831 case L2CAP_MODE_STREAMING:
2832 efs.id = 1;
2833 efs.stype = L2CAP_SERV_BESTEFFORT;
2834 efs.msdu = cpu_to_le16(chan->local_msdu);
2835 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2836 efs.acc_lat = 0;
2837 efs.flush_to = 0;
2838 break;
2839
2840 default:
2841 return;
2842 }
2843
2844 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2845 (unsigned long) &efs);
f89cef09
AE		 2846}
2847
721c4181 2848static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2849{
721c4181 2850 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2851 ack_timer.work);
2852 u16 frames_to_ack;
c1b4f43b 2853
2fb9b3d4
GP		 2854 BT_DBG("chan %p", chan);
2855
6be36555
AE		 2856 l2cap_chan_lock(chan);
2857
0362520b
MM		 2858 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2859 chan->last_acked_seq);
6be36555 2860
0362520b
MM		 2861 if (frames_to_ack)
2862 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2863
0362520b 2864 l2cap_chan_unlock(chan);
09bfb2ee 2865 l2cap_chan_put(chan);
c1b4f43b
GP		 2866}
2867
466f8004 2868int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2869{
3c588192
MM		 2870 int err;
2871
105bdf9e
MM		 2872 chan->next_tx_seq = 0;
2873 chan->expected_tx_seq = 0;
42e5c802 2874 chan->expected_ack_seq = 0;
6a026610 2875 chan->unacked_frames = 0;
42e5c802 2876 chan->buffer_seq = 0;
6a026610 2877 chan->frames_sent = 0;
105bdf9e
MM		 2878 chan->last_acked_seq = 0;
2879 chan->sdu = NULL;
2880 chan->sdu_last_frag = NULL;
2881 chan->sdu_len = 0;
2882
d34c34fb
MM		 2883 skb_queue_head_init(&chan->tx_q);
2884
08333283
MM		 2885 chan->local_amp_id = 0;
2886 chan->move_id = 0;
2887 chan->move_state = L2CAP_MOVE_STABLE;
2888 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2889
105bdf9e
MM		 2890 if (chan->mode != L2CAP_MODE_ERTM)
2891 return 0;
2892
2893 chan->rx_state = L2CAP_RX_STATE_RECV;
2894 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2895
721c4181
GP		 2896 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2897 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2898 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2899
f1c6775b 2900 skb_queue_head_init(&chan->srej_q);
1890d36b 2901
3c588192
MM		 2902 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2903 if (err < 0)
2904 return err;
2905
9dc9affc
MM		 2906 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2907 if (err < 0)
2908 l2cap_seq_list_free(&chan->srej_list);
2909
2910 return err;
0565c1c2
GP		 2911}
2912
f2fcfcd6
GP		 2913static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2914{
2915 switch (mode) {
2916 case L2CAP_MODE_STREAMING:
2917 case L2CAP_MODE_ERTM:
2918 if (l2cap_mode_supported(mode, remote_feat_mask))
2919 return mode;
2920 /* fall through */
2921 default:
2922 return L2CAP_MODE_BASIC;
2923 }
2924}
2925
6327eb98
AE		 2926static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2927{
2928 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2929}
2930
f89cef09
AE		 2931static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2932{
2933 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2934}
2935
6327eb98
AE		 2936static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2937{
2938 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 2939 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2940 /* use extended control field */
2941 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2942 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2943 } else {
6327eb98 2944 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 2945 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2946 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2947 }
c20f8e35 2948 chan->ack_win = chan->tx_win;
6327eb98
AE		 2949}
2950
710f9b0a 2951static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2952{
1da177e4 2953 struct l2cap_conf_req *req = data;
0c1bc5c6 2954 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2955 void *ptr = req->data;
c8f79162 2956 u16 size;
1da177e4 2957
49208c9c 2958 BT_DBG("chan %p", chan);
1da177e4 2959
73ffa904 2960 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2961 goto done;
2962
0c1bc5c6 2963 switch (chan->mode) {
f2fcfcd6
GP		 2964 case L2CAP_MODE_STREAMING:
2965 case L2CAP_MODE_ERTM:
c1360a1c 2966 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2967 break;
85eb53c6 2968
f89cef09
AE		 2969 if (__l2cap_efs_supported(chan))
2970 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2971
2ba13ed6 2972 /* fall through */
f2fcfcd6 2973 default:
8c1d787b 2974 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2975 break;
2976 }
2977
2978done:
0c1bc5c6
GP		 2979 if (chan->imtu != L2CAP_DEFAULT_MTU)
2980 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2981
0c1bc5c6 2982 switch (chan->mode) {
65c7c491 2983 case L2CAP_MODE_BASIC:
8c1d787b 2984 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 2985 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2986 break;
2987
62547752
GP		 2988 rfc.mode = L2CAP_MODE_BASIC;
2989 rfc.txwin_size = 0;
2990 rfc.max_transmit = 0;
2991 rfc.retrans_timeout = 0;
2992 rfc.monitor_timeout = 0;
2993 rfc.max_pdu_size = 0;
2994
63406504 2995 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2996 (unsigned long) &rfc);
65c7c491
MH		 2997 break;
2998
2999 case L2CAP_MODE_ERTM:
3000 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3001 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 3002 rfc.retrans_timeout = 0;
3003 rfc.monitor_timeout = 0;
c8f79162
AE		 3004
3005 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3006 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3007 L2CAP_FCS_SIZE);
c8f79162 3008 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3009
6327eb98
AE		 3010 l2cap_txwin_setup(chan);
3011
3012 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3013 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3014
63406504 3015 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3016 (unsigned long) &rfc);
63406504 3017
f89cef09
AE		 3018 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3019 l2cap_add_opt_efs(&ptr, chan);
3020
8c1d787b 3021 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3022 break;
3023
47d1ec61 3024 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3025 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3026 chan->fcs = L2CAP_FCS_NONE;
3027 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3028 }
6327eb98
AE		 3029
3030 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3031 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3032 chan->tx_win);
f2fcfcd6
GP		 3033 break;
3034
3035 case L2CAP_MODE_STREAMING:
273759e2 3036 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3037 rfc.mode = L2CAP_MODE_STREAMING;
3038 rfc.txwin_size = 0;
3039 rfc.max_transmit = 0;
3040 rfc.retrans_timeout = 0;
3041 rfc.monitor_timeout = 0;
c8f79162
AE		 3042
3043 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3044 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3045 L2CAP_FCS_SIZE);
c8f79162 3046 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3047
63406504 3048 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3049 (unsigned long) &rfc);
63406504 3050
f89cef09
AE		 3051 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3052 l2cap_add_opt_efs(&ptr, chan);
3053
8c1d787b 3054 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3055 break;
3056
47d1ec61 3057 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3058 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3059 chan->fcs = L2CAP_FCS_NONE;
3060 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3061 }
65c7c491
MH		 3062 break;
3063 }
1da177e4 3064
fe4128e0 3065 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3066 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3067
3068 return ptr - data;
3069}
3070
73ffa904 3071static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3072{
5dee9e7c
MH		 3073 struct l2cap_conf_rsp *rsp = data;
3074 void *ptr = rsp->data;
73ffa904
GP		 3075 void *req = chan->conf_req;
3076 int len = chan->conf_len;
5dee9e7c
MH		 3077 int type, hint, olen;
3078 unsigned long val;
6464f35f 3079 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3080 struct l2cap_conf_efs efs;
3081 u8 remote_efs = 0;
861d6882 3082 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3083 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3084 u16 size;
1da177e4 3085
73ffa904 3086 BT_DBG("chan %p", chan);
820ae1b8 3087
5dee9e7c
MH		 3088 while (len >= L2CAP_CONF_OPT_SIZE) {
3089 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3090
589d2746 3091 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3092 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3093
3094 switch (type) {
3095 case L2CAP_CONF_MTU:
861d6882 3096 mtu = val;
5dee9e7c
MH		 3097 break;
3098
3099 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3100 chan->flush_to = val;
5dee9e7c
MH		 3101 break;
3102
3103 case L2CAP_CONF_QOS:
3104 break;
3105
6464f35f
MH		 3106 case L2CAP_CONF_RFC:
3107 if (olen == sizeof(rfc))
3108 memcpy(&rfc, (void *) val, olen);
3109 break;
3110
fcc203c3
GP		 3111 case L2CAP_CONF_FCS:
3112 if (val == L2CAP_FCS_NONE)
c1360a1c 3113 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3114 break;
fcc203c3 3115
42dceae2
AE		 3116 case L2CAP_CONF_EFS:
3117 remote_efs = 1;
3118 if (olen == sizeof(efs))
3119 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3120 break;
3121
6327eb98
AE		 3122 case L2CAP_CONF_EWS:
3123 if (!enable_hs)
3124 return -ECONNREFUSED;
fcc203c3 3125
6327eb98
AE		 3126 set_bit(FLAG_EXT_CTRL, &chan->flags);
3127 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3128 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3129 chan->remote_tx_win = val;
fcc203c3
GP		 3130 break;
3131
5dee9e7c
MH		 3132 default:
3133 if (hint)
3134 break;
3135
3136 result = L2CAP_CONF_UNKNOWN;
3137 *((u8 *) ptr++) = type;
3138 break;
3139 }
3140 }
3141
73ffa904 3142 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3143 goto done;
3144
0c1bc5c6 3145 switch (chan->mode) {
f2fcfcd6
GP		 3146 case L2CAP_MODE_STREAMING:
3147 case L2CAP_MODE_ERTM:
c1360a1c 3148 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3149 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3150 chan->conn->feat_mask);
85eb53c6
GP		 3151 break;
3152 }
3153
42dceae2
AE		 3154 if (remote_efs) {
3155 if (__l2cap_efs_supported(chan))
3156 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3157 else
3158 return -ECONNREFUSED;
3159 }
3160
0c1bc5c6 3161 if (chan->mode != rfc.mode)
f2fcfcd6 3162 return -ECONNREFUSED;
742e519b 3163
f2fcfcd6 3164 break;
f2fcfcd6
GP		 3165 }
3166
3167done:
0c1bc5c6 3168 if (chan->mode != rfc.mode) {
f2fcfcd6 3169 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3170 rfc.mode = chan->mode;
f2fcfcd6 3171
73ffa904 3172 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3173 return -ECONNREFUSED;
3174
2d792818
GP		 3175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3176 (unsigned long) &rfc);
f2fcfcd6
GP		 3177 }
3178
5dee9e7c
MH		 3179 if (result == L2CAP_CONF_SUCCESS) {
3180 /* Configure output options and let the other side know
3181 * which ones we don't like. */
3182
f2fcfcd6
GP		 3183 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3184 result = L2CAP_CONF_UNACCEPT;
3185 else {
0c1bc5c6 3186 chan->omtu = mtu;
c1360a1c 3187 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3188 }
0c1bc5c6 3189 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3190
42dceae2
AE		 3191 if (remote_efs) {
3192 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3193 efs.stype != L2CAP_SERV_NOTRAFIC &&
3194 efs.stype != chan->local_stype) {
42dceae2
AE		 3195
3196 result = L2CAP_CONF_UNACCEPT;
3197
3198 if (chan->num_conf_req >= 1)
3199 return -ECONNREFUSED;
3200
3201 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3202 sizeof(efs),
3203 (unsigned long) &efs);
0e8b207e 3204 } else {
3e6b3b95 3205 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3206 result = L2CAP_CONF_PENDING;
3207 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3208 }
3209 }
3210
f2fcfcd6
GP		 3211 switch (rfc.mode) {
3212 case L2CAP_MODE_BASIC:
47d1ec61 3213 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3214 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3215 break;
3216
3217 case L2CAP_MODE_ERTM:
6327eb98
AE		 3218 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3219 chan->remote_tx_win = rfc.txwin_size;
3220 else
3221 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3222
2c03a7a4 3223 chan->remote_max_tx = rfc.max_transmit;
1c762159 3224
c8f79162 3225 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3226 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3227 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3228 rfc.max_pdu_size = cpu_to_le16(size);
3229 chan->remote_mps = size;
f2fcfcd6 3230
10467e9e 3231 rfc.retrans_timeout =
4fd21a88 3232 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3233 rfc.monitor_timeout =
4fd21a88 3234 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3235
c1360a1c 3236 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3237
3238 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3239 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3240
42dceae2
AE		 3241 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3242 chan->remote_id = efs.id;
3243 chan->remote_stype = efs.stype;
3244 chan->remote_msdu = le16_to_cpu(efs.msdu);
3245 chan->remote_flush_to =
2d792818 3246 le32_to_cpu(efs.flush_to);
42dceae2 3247 chan->remote_acc_lat =
2d792818 3248 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3249 chan->remote_sdu_itime =
3250 le32_to_cpu(efs.sdu_itime);
3251 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3252 sizeof(efs),
3253 (unsigned long) &efs);
42dceae2 3254 }
f2fcfcd6
GP		 3255 break;
3256
3257 case L2CAP_MODE_STREAMING:
c8f79162 3258 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3259 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3260 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3261 rfc.max_pdu_size = cpu_to_le16(size);
3262 chan->remote_mps = size;
f2fcfcd6 3263
c1360a1c 3264 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3265
2d792818
GP		 3266 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3267 (unsigned long) &rfc);
68ae6639 3268
f2fcfcd6
GP		 3269 break;
3270
3271 default:
5dee9e7c 3272 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3273
6464f35f 3274 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3275 rfc.mode = chan->mode;
f2fcfcd6 3276 }
6464f35f 3277
f2fcfcd6 3278 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3279 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3280 }
fe4128e0 3281 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3282 rsp->result = cpu_to_le16(result);
59e54bd1 3283 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3284
3285 return ptr - data;
1da177e4
LT		 3286}
3287
2d792818
GP		 3288static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3289 void *data, u16 *result)
f2fcfcd6 3290{
f2fcfcd6
GP		 3291 struct l2cap_conf_req *req = data;
3292 void *ptr = req->data;
3293 int type, olen;
3294 unsigned long val;
36e999a8 3295 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3296 struct l2cap_conf_efs efs;
f2fcfcd6 3297
fe4128e0 3298 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3299
3300 while (len >= L2CAP_CONF_OPT_SIZE) {
3301 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3302
3303 switch (type) {
3304 case L2CAP_CONF_MTU:
3305 if (val < L2CAP_DEFAULT_MIN_MTU) {
3306 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3307 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3308 } else
0c1bc5c6
GP		 3309 chan->imtu = val;
3310 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3311 break;
3312
3313 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3314 chan->flush_to = val;
f2fcfcd6 3315 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3316 2, chan->flush_to);
f2fcfcd6
GP		 3317 break;
3318
3319 case L2CAP_CONF_RFC:
3320 if (olen == sizeof(rfc))
3321 memcpy(&rfc, (void *)val, olen);
3322
c1360a1c 3323 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3324 rfc.mode != chan->mode)
f2fcfcd6
GP		 3325 return -ECONNREFUSED;
3326
47d1ec61 3327 chan->fcs = 0;
f2fcfcd6
GP		 3328
3329 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3330 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3331 break;
6327eb98
AE		 3332
3333 case L2CAP_CONF_EWS:
c20f8e35 3334 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3335 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3336 chan->tx_win);
6327eb98 3337 break;
66af7aaf
AE		 3338
3339 case L2CAP_CONF_EFS:
3340 if (olen == sizeof(efs))
3341 memcpy(&efs, (void *)val, olen);
3342
3343 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3344 efs.stype != L2CAP_SERV_NOTRAFIC &&
3345 efs.stype != chan->local_stype)
66af7aaf
AE		 3346 return -ECONNREFUSED;
3347
2d792818
GP		 3348 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3349 (unsigned long) &efs);
66af7aaf 3350 break;
f2fcfcd6
GP		 3351 }
3352 }
3353
0c1bc5c6 3354 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3355 return -ECONNREFUSED;
3356
0c1bc5c6 3357 chan->mode = rfc.mode;
6c2ea7a8 3358
0e8b207e 3359 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3360 switch (rfc.mode) {
3361 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3362 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3363 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3364 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3365 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3366 chan->ack_win = min_t(u16, chan->ack_win,
3367 rfc.txwin_size);
66af7aaf
AE		 3368
3369 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3370 chan->local_msdu = le16_to_cpu(efs.msdu);
3371 chan->local_sdu_itime =
2d792818 3372 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3373 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3374 chan->local_flush_to =
2d792818 3375 le32_to_cpu(efs.flush_to);
66af7aaf 3376 }
f2fcfcd6 3377 break;
66af7aaf 3378
f2fcfcd6 3379 case L2CAP_MODE_STREAMING:
47d1ec61 3380 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3381 }
3382 }
3383
fe4128e0 3384 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3385 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3386
3387 return ptr - data;
3388}
3389
2d792818
GP		 3390static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3391 u16 result, u16 flags)
1da177e4
LT		 3392{
3393 struct l2cap_conf_rsp *rsp = data;
3394 void *ptr = rsp->data;
1da177e4 3395
fe4128e0 3396 BT_DBG("chan %p", chan);
1da177e4 3397
fe4128e0 3398 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3399 rsp->result = cpu_to_le16(result);
aca3192c 3400 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3401
3402 return ptr - data;
3403}
3404
8c1d787b 3405void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3406{
3407 struct l2cap_conn_rsp rsp;
8c1d787b 3408 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3409 u8 buf[128];
3410
fe4128e0
GP		 3411 rsp.scid = cpu_to_le16(chan->dcid);
3412 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3413 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3414 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3415 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3416
c1360a1c 3417 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3418 return;
3419
710f9b0a 3420 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3421 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3422 chan->num_conf_req++;
3423}
3424
47d1ec61 3425static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3426{
7b1c0049
GP		 3427 int type, olen;
3428 unsigned long val;
c20f8e35
MM		 3429 /* Use sane default values in case a misbehaving remote device
3430 * did not send an RFC or extended window size option.
3431 */
3432 u16 txwin_ext = chan->ack_win;
3433 struct l2cap_conf_rfc rfc = {
3434 .mode = chan->mode,
3435 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3436 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3437 .max_pdu_size = cpu_to_le16(chan->imtu),
3438 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3439 };
7b1c0049 3440
47d1ec61 3441 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3442
0c1bc5c6 3443 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3444 return;
3445
3446 while (len >= L2CAP_CONF_OPT_SIZE) {
3447 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3448
c20f8e35
MM		 3449 switch (type) {
3450 case L2CAP_CONF_RFC:
3451 if (olen == sizeof(rfc))
3452 memcpy(&rfc, (void *)val, olen);
8f321f85 3453 break;
c20f8e35
MM		 3454 case L2CAP_CONF_EWS:
3455 txwin_ext = val;
3456 break;
3457 }
7b1c0049
GP		 3458 }
3459
7b1c0049
GP		 3460 switch (rfc.mode) {
3461 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3462 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3463 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3464 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3465 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3466 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3467 else
3468 chan->ack_win = min_t(u16, chan->ack_win,
3469 rfc.txwin_size);
7b1c0049
GP		 3470 break;
3471 case L2CAP_MODE_STREAMING:
47d1ec61 3472 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3473 }
3474}
3475
2d792818
GP		 3476static inline int l2cap_command_rej(struct l2cap_conn *conn,
3477 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3478{
e2fd318e 3479 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3480
e2fd318e 3481 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3482 return 0;
3483
3484 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3485 cmd->ident == conn->info_ident) {
17cd3f37 3486 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3487
3488 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3489 conn->info_ident = 0;
984947dc 3490
4e8402a3
MH		 3491 l2cap_conn_start(conn);
3492 }
3493
3494 return 0;
3495}
3496
1700915f
MM		 3497static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3498 struct l2cap_cmd_hdr *cmd,
3499 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3500{
1da177e4
LT		 3501 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3502 struct l2cap_conn_rsp rsp;
23691d75 3503 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3504 struct sock *parent, *sk = NULL;
e7c29cb1 3505 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3506
3507 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3508 __le16 psm = req->psm;
1da177e4 3509
097db76c 3510 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3511
3512 /* Check if we have socket listening on psm */
c2287681 3513 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3514 if (!pchan) {
1da177e4
LT		 3515 result = L2CAP_CR_BAD_PSM;
3516 goto sendresp;
3517 }
3518
23691d75
GP		 3519 parent = pchan->sk;
3520
3df91ea2 3521 mutex_lock(&conn->chan_lock);
aa2ac881 3522 lock_sock(parent);
e0f0cb56 3523
e7c29cb1 3524 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3525 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3526 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3527 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3528 result = L2CAP_CR_SEC_BLOCK;
3529 goto response;
3530 }
3531
1da177e4
LT		 3532 result = L2CAP_CR_NO_MEM;
3533
2dfa1003
GP		 3534 /* Check if we already have channel with that dcid */
3535 if (__l2cap_get_chan_by_dcid(conn, scid))
3536 goto response;
3537
80b98027 3538 chan = pchan->ops->new_connection(pchan);
80808e43 3539 if (!chan)
1da177e4
LT		 3540 goto response;
3541
80808e43
GP		 3542 sk = chan->sk;
3543
1da177e4
LT		 3544 hci_conn_hold(conn->hcon);
3545
1da177e4
LT		 3546 bacpy(&bt_sk(sk)->src, conn->src);
3547 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3548 chan->psm = psm;
3549 chan->dcid = scid;
1700915f 3550 chan->local_amp_id = amp_id;
1da177e4 3551
6be36555 3552 __l2cap_chan_add(conn, chan);
48454079 3553
fe4128e0 3554 dcid = chan->scid;
1da177e4 3555
c9b66675 3556 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3557
fc7f8a7e 3558 chan->ident = cmd->ident;
1da177e4 3559
984947dc 3560 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3561 if (l2cap_chan_check_security(chan)) {
c5daa683 3562 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3563 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3564 result = L2CAP_CR_PEND;
3565 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3566 chan->ops->defer(chan);
f66dc81f 3567 } else {
1700915f
MM		 3568 /* Force pending result for AMP controllers.
3569 * The connection will succeed after the
3570 * physical link is up.
3571 */
3572 if (amp_id) {
3573 __l2cap_state_change(chan, BT_CONNECT2);
3574 result = L2CAP_CR_PEND;
3575 } else {
3576 __l2cap_state_change(chan, BT_CONFIG);
3577 result = L2CAP_CR_SUCCESS;
3578 }
f66dc81f
MH		 3579 status = L2CAP_CS_NO_INFO;
3580 }
79d554a6 3581 } else {
0e587be7 3582 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3583 result = L2CAP_CR_PEND;
3584 status = L2CAP_CS_AUTHEN_PEND;
3585 }
3586 } else {
0e587be7 3587 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3588 result = L2CAP_CR_PEND;
3589 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3590 }
3591
1da177e4 3592response:
aa2ac881 3593 release_sock(parent);
3df91ea2 3594 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3595
3596sendresp:
aca3192c
YH		 3597 rsp.scid = cpu_to_le16(scid);
3598 rsp.dcid = cpu_to_le16(dcid);
3599 rsp.result = cpu_to_le16(result);
3600 rsp.status = cpu_to_le16(status);
4c89b6aa 3601 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3602
3603 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3604 struct l2cap_info_req info;
ac73498c 3605 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3606
3607 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3608 conn->info_ident = l2cap_get_ident(conn);
3609
ba13ccd9 3610 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3611
2d792818
GP		 3612 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3613 sizeof(info), &info);
79d554a6
MH		 3614 }
3615
c1360a1c 3616 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3617 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3618 u8 buf[128];
c1360a1c 3619 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3620 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3621 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3622 chan->num_conf_req++;
e9aeb2dd 3623 }
1700915f
MM		 3624
3625 return chan;
4c89b6aa 3626}
e9aeb2dd 3627
4c89b6aa
MM		 3628static int l2cap_connect_req(struct l2cap_conn *conn,
3629 struct l2cap_cmd_hdr *cmd, u8 *data)
3630{
300229f9 3631 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3632 return 0;
3633}
3634
5909cf30 3635static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3636 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3637{
3638 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3639 u16 scid, dcid, result, status;
48454079 3640 struct l2cap_chan *chan;
1da177e4 3641 u8 req[128];
3df91ea2 3642 int err;
1da177e4
LT		 3643
3644 scid = __le16_to_cpu(rsp->scid);
3645 dcid = __le16_to_cpu(rsp->dcid);
3646 result = __le16_to_cpu(rsp->result);
3647 status = __le16_to_cpu(rsp->status);
3648
1b009c98 3649 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3650 dcid, scid, result, status);
1da177e4 3651
3df91ea2
AE		 3652 mutex_lock(&conn->chan_lock);
3653
1da177e4 3654 if (scid) {
3df91ea2
AE		 3655 chan = __l2cap_get_chan_by_scid(conn, scid);
3656 if (!chan) {
3657 err = -EFAULT;
3658 goto unlock;
3659 }
1da177e4 3660 } else {
3df91ea2
AE		 3661 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3662 if (!chan) {
3663 err = -EFAULT;
3664 goto unlock;
3665 }
1da177e4
LT		 3666 }
3667
3df91ea2
AE		 3668 err = 0;
3669
6be36555 3670 l2cap_chan_lock(chan);
48454079 3671
1da177e4
LT		 3672 switch (result) {
3673 case L2CAP_CR_SUCCESS:
89bc500e 3674 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3675 chan->ident = 0;
fe4128e0 3676 chan->dcid = dcid;
c1360a1c 3677 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3678
c1360a1c 3679 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3680 break;
3681
1da177e4 3682 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3683 l2cap_build_conf_req(chan, req), req);
73ffa904 3684 chan->num_conf_req++;
1da177e4
LT		 3685 break;
3686
3687 case L2CAP_CR_PEND:
c1360a1c 3688 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3689 break;
3690
3691 default:
48454079 3692 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3693 break;
3694 }
3695
6be36555 3696 l2cap_chan_unlock(chan);
3df91ea2
AE		 3697
3698unlock:
3699 mutex_unlock(&conn->chan_lock);
3700
3701 return err;
1da177e4
LT		 3702}
3703
47d1ec61 3704static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3705{
3706 /* FCS is enabled only in ERTM or streaming mode, if one or both
3707 * sides request it.
3708 */
0c1bc5c6 3709 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3710 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3711 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3712 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3713}
3714
29d8a590
AE		 3715static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3716 u8 ident, u16 flags)
3717{
3718 struct l2cap_conn *conn = chan->conn;
3719
3720 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3721 flags);
3722
3723 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3724 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3725
3726 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3727 l2cap_build_conf_rsp(chan, data,
3728 L2CAP_CONF_SUCCESS, flags), data);
3729}
3730
2d792818
GP		 3731static inline int l2cap_config_req(struct l2cap_conn *conn,
3732 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3733 u8 *data)
1da177e4
LT		 3734{
3735 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3736 u16 dcid, flags;
3737 u8 rsp[64];
48454079 3738 struct l2cap_chan *chan;
3c588192 3739 int len, err = 0;
1da177e4
LT		 3740
3741 dcid = __le16_to_cpu(req->dcid);
3742 flags = __le16_to_cpu(req->flags);
3743
3744 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3745
baa7e1fa 3746 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3747 if (!chan)
1da177e4
LT		 3748 return -ENOENT;
3749
033b1142 3750 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3751 struct l2cap_cmd_rej_cid rej;
3752
ac73498c 3753 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3754 rej.scid = cpu_to_le16(chan->scid);
3755 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3756
df6bd743 3757 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3758 sizeof(rej), &rej);
354f60a9 3759 goto unlock;
df6bd743 3760 }
354f60a9 3761
5dee9e7c 3762 /* Reject if config buffer is too small. */
88219a0f 3763 len = cmd_len - sizeof(*req);
7ac28817 3764 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3765 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3766 l2cap_build_conf_rsp(chan, rsp,
3767 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3768 goto unlock;
3769 }
3770
3771 /* Store config. */
73ffa904
GP		 3772 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3773 chan->conf_len += len;
1da177e4 3774
59e54bd1 3775 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3776 /* Incomplete config. Send empty response. */
3777 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3778 l2cap_build_conf_rsp(chan, rsp,
3779 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3780 goto unlock;
3781 }
3782
3783 /* Complete config. */
73ffa904 3784 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3785 if (len < 0) {
e92c8e70 3786 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3787 goto unlock;
f2fcfcd6 3788 }
1da177e4 3789
5dee9e7c 3790 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3791 chan->num_conf_rsp++;
5dee9e7c 3792
5dee9e7c 3793 /* Reset config buffer. */
73ffa904 3794 chan->conf_len = 0;
5dee9e7c 3795
c1360a1c 3796 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3797 goto unlock;
3798
c1360a1c 3799 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3800 set_default_fcs(chan);
fcc203c3 3801
105bdf9e
MM		 3802 if (chan->mode == L2CAP_MODE_ERTM ||
3803 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3804 err = l2cap_ertm_init(chan);
3805
3806 if (err < 0)
3807 l2cap_send_disconn_req(chan->conn, chan, -err);
3808 else
3809 l2cap_chan_ready(chan);
0565c1c2 3810
876d9484
MH		 3811 goto unlock;
3812 }
3813
c1360a1c 3814 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3815 u8 buf[64];
1da177e4 3816 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3817 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3818 chan->num_conf_req++;
1da177e4
LT		 3819 }
3820
0e8b207e
AE		 3821 /* Got Conf Rsp PENDING from remote side and asume we sent
3822 Conf Rsp PENDING in the code above */
3823 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3824 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3825
3826 /* check compatibility */
3827
79de886d
AE		 3828 /* Send rsp for BR/EDR channel */
3829 if (!chan->ctrl_id)
3830 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3831 else
3832 chan->ident = cmd->ident;
0e8b207e
AE		 3833 }
3834
1da177e4 3835unlock:
6be36555 3836 l2cap_chan_unlock(chan);
3c588192 3837 return err;
1da177e4
LT		 3838}
3839
2d792818
GP		 3840static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3841 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3842{
3843 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3844 u16 scid, flags, result;
48454079 3845 struct l2cap_chan *chan;
61386cba 3846 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3847 int err = 0;
1da177e4
LT		 3848
3849 scid = __le16_to_cpu(rsp->scid);
3850 flags = __le16_to_cpu(rsp->flags);
3851 result = __le16_to_cpu(rsp->result);
3852
61386cba
AE		 3853 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3854 result, len);
1da177e4 3855
baa7e1fa 3856 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3857 if (!chan)
1da177e4
LT		 3858 return 0;
3859
3860 switch (result) {
3861 case L2CAP_CONF_SUCCESS:
47d1ec61 3862 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3863 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3864 break;
3865
0e8b207e
AE		 3866 case L2CAP_CONF_PENDING:
3867 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3868
3869 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3870 char buf[64];
3871
3872 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3873 buf, &result);
0e8b207e
AE		 3874 if (len < 0) {
3875 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3876 goto done;
3877 }
3878
3879 /* check compatibility */
3880
79de886d
AE		 3881 if (!chan->ctrl_id)
3882 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3883 0);
3884 else
3885 chan->ident = cmd->ident;
0e8b207e
AE		 3886 }
3887 goto done;
3888
1da177e4 3889 case L2CAP_CONF_UNACCEPT:
73ffa904 3890 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3891 char req[64];
3892
c2c77ec8 3893 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3894 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3895 goto done;
3896 }
3897
f2fcfcd6
GP		 3898 /* throw out any old stored conf requests */
3899 result = L2CAP_CONF_SUCCESS;
b4450035 3900 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3901 req, &result);
f2fcfcd6 3902 if (len < 0) {
e92c8e70 3903 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3904 goto done;
3905 }
3906
3907 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3908 L2CAP_CONF_REQ, len, req);
73ffa904 3909 chan->num_conf_req++;
f2fcfcd6
GP		 3910 if (result != L2CAP_CONF_SUCCESS)
3911 goto done;
3912 break;
1da177e4
LT		 3913 }
3914
8e87d142 3915 default:
6be36555 3916 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3917
ba13ccd9 3918 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3919 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3920 goto done;
3921 }
3922
59e54bd1 3923 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3924 goto done;
3925
c1360a1c 3926 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3927
c1360a1c 3928 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3929 set_default_fcs(chan);
fcc203c3 3930
105bdf9e
MM		 3931 if (chan->mode == L2CAP_MODE_ERTM ||
3932 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3933 err = l2cap_ertm_init(chan);
0565c1c2 3934
3c588192
MM		 3935 if (err < 0)
3936 l2cap_send_disconn_req(chan->conn, chan, -err);
3937 else
3938 l2cap_chan_ready(chan);
1da177e4
LT		 3939 }
3940
3941done:
6be36555 3942 l2cap_chan_unlock(chan);
3c588192 3943 return err;
1da177e4
LT		 3944}
3945
2d792818
GP		 3946static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3947 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3948{
3949 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3950 struct l2cap_disconn_rsp rsp;
3951 u16 dcid, scid;
48454079 3952 struct l2cap_chan *chan;
1da177e4
LT		 3953 struct sock *sk;
3954
3955 scid = __le16_to_cpu(req->scid);
3956 dcid = __le16_to_cpu(req->dcid);
3957
3958 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3959
3df91ea2
AE		 3960 mutex_lock(&conn->chan_lock);
3961
3962 chan = __l2cap_get_chan_by_scid(conn, dcid);
3963 if (!chan) {
3964 mutex_unlock(&conn->chan_lock);
1da177e4 3965 return 0;
3df91ea2 3966 }
1da177e4 3967
6be36555
AE		 3968 l2cap_chan_lock(chan);
3969
48454079
GP		 3970 sk = chan->sk;
3971
fe4128e0
GP		 3972 rsp.dcid = cpu_to_le16(chan->scid);
3973 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3974 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3975
6be36555 3976 lock_sock(sk);
1da177e4 3977 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3978 release_sock(sk);
1da177e4 3979
61d6ef3e 3980 l2cap_chan_hold(chan);
48454079 3981 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3982
3983 l2cap_chan_unlock(chan);
1da177e4 3984
80b98027 3985 chan->ops->close(chan);
61d6ef3e 3986 l2cap_chan_put(chan);
3df91ea2
AE		 3987
3988 mutex_unlock(&conn->chan_lock);
3989
1da177e4
LT		 3990 return 0;
3991}
3992
2d792818
GP		 3993static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3994 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3995{
3996 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3997 u16 dcid, scid;
48454079 3998 struct l2cap_chan *chan;
1da177e4
LT		 3999
4000 scid = __le16_to_cpu(rsp->scid);
4001 dcid = __le16_to_cpu(rsp->dcid);
4002
4003 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4004
3df91ea2
AE		 4005 mutex_lock(&conn->chan_lock);
4006
4007 chan = __l2cap_get_chan_by_scid(conn, scid);
4008 if (!chan) {
4009 mutex_unlock(&conn->chan_lock);
1da177e4 4010 return 0;
3df91ea2 4011 }
1da177e4 4012
6be36555 4013 l2cap_chan_lock(chan);
48454079 4014
61d6ef3e 4015 l2cap_chan_hold(chan);
48454079 4016 l2cap_chan_del(chan, 0);
6be36555
AE		 4017
4018 l2cap_chan_unlock(chan);
1da177e4 4019
80b98027 4020 chan->ops->close(chan);
61d6ef3e 4021 l2cap_chan_put(chan);
3df91ea2
AE		 4022
4023 mutex_unlock(&conn->chan_lock);
4024
1da177e4
LT		 4025 return 0;
4026}
4027
2d792818
GP		 4028static inline int l2cap_information_req(struct l2cap_conn *conn,
4029 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4030{
4031 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4032 u16 type;
4033
4034 type = __le16_to_cpu(req->type);
4035
4036 BT_DBG("type 0x%4.4x", type);
4037
f0709e03
MH		 4038 if (type == L2CAP_IT_FEAT_MASK) {
4039 u8 buf[8];
44dd46de 4040 u32 feat_mask = l2cap_feat_mask;
f0709e03 4041 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4042 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4043 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4044 if (!disable_ertm)
fcc203c3 4045 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4046 | L2CAP_FEAT_FCS;
a5fd6f30 4047 if (enable_hs)
6327eb98 4048 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4049 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4050
1b7bf4ed 4051 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4052 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4053 buf);
e1027a7c
MH		 4054 } else if (type == L2CAP_IT_FIXED_CHAN) {
4055 u8 buf[12];
4056 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4057
4058 if (enable_hs)
4059 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4060 else
4061 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4062
ac73498c
AE		 4063 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4064 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4065 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4066 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4067 buf);
f0709e03
MH		 4068 } else {
4069 struct l2cap_info_rsp rsp;
4070 rsp.type = cpu_to_le16(type);
ac73498c 4071 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4072 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4073 &rsp);
f0709e03 4074 }
1da177e4
LT		 4075
4076 return 0;
4077}
4078
2d792818
GP		 4079static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4080 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4081{
4082 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4083 u16 type, result;
4084
4085 type = __le16_to_cpu(rsp->type);
4086 result = __le16_to_cpu(rsp->result);
4087
4088 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4089
e90165be
AE		 4090 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4091 if (cmd->ident != conn->info_ident ||
2d792818 4092 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4093 return 0;
4094
17cd3f37 4095 cancel_delayed_work(&conn->info_timer);
4e8402a3 4096
adb08ede
VT		 4097 if (result != L2CAP_IR_SUCCESS) {
4098 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4099 conn->info_ident = 0;
4100
4101 l2cap_conn_start(conn);
4102
4103 return 0;
4104 }
4105
978c93b9
AE		 4106 switch (type) {
4107 case L2CAP_IT_FEAT_MASK:
83985319 4108 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4109
47ec1dcd 4110 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4111 struct l2cap_info_req req;
ac73498c 4112 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4113
4114 conn->info_ident = l2cap_get_ident(conn);
4115
4116 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4117 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4118 } else {
4119 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4120 conn->info_ident = 0;
4121
4122 l2cap_conn_start(conn);
4123 }
978c93b9
AE		 4124 break;
4125
4126 case L2CAP_IT_FIXED_CHAN:
4127 conn->fixed_chan_mask = rsp->data[0];
984947dc 4128 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4129 conn->info_ident = 0;
984947dc
MH		 4130
4131 l2cap_conn_start(conn);
978c93b9 4132 break;
984947dc 4133 }
4e8402a3 4134
1da177e4
LT		 4135 return 0;
4136}
4137
1700915f
MM		 4138static int l2cap_create_channel_req(struct l2cap_conn *conn,
4139 struct l2cap_cmd_hdr *cmd,
4140 u16 cmd_len, void *data)
f94ff6ff
MM		 4141{
4142 struct l2cap_create_chan_req *req = data;
1700915f 4143 struct l2cap_chan *chan;
f94ff6ff
MM		 4144 u16 psm, scid;
4145
4146 if (cmd_len != sizeof(*req))
4147 return -EPROTO;
4148
4149 if (!enable_hs)
4150 return -EINVAL;
4151
4152 psm = le16_to_cpu(req->psm);
4153 scid = le16_to_cpu(req->scid);
4154
ad0ac6ca 4155 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4156
1700915f
MM		 4157 if (req->amp_id) {
4158 struct hci_dev *hdev;
4159
4160 /* Validate AMP controller id */
4161 hdev = hci_dev_get(req->amp_id);
4162 if (!hdev || hdev->dev_type != HCI_AMP ||
4163 !test_bit(HCI_UP, &hdev->flags)) {
4164 struct l2cap_create_chan_rsp rsp;
4165
4166 rsp.dcid = 0;
4167 rsp.scid = cpu_to_le16(scid);
4168 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4169 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4170
4171 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4172 sizeof(rsp), &rsp);
4173
4174 if (hdev)
4175 hci_dev_put(hdev);
4176
4177 return 0;
4178 }
4179
4180 hci_dev_put(hdev);
4181 }
f94ff6ff 4182
1700915f
MM		 4183 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4184 req->amp_id);
f94ff6ff
MM		 4185
4186 return 0;
4187}
4188
8d5a04a1 4189static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4190 u16 icid, u16 result)
8d5a04a1
MM		 4191{
4192 struct l2cap_move_chan_rsp rsp;
4193
ad0ac6ca 4194 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4195
4196 rsp.icid = cpu_to_le16(icid);
4197 rsp.result = cpu_to_le16(result);
4198
4199 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4200}
4201
5b155ef9 4202static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4203{
4204 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4205
5b155ef9 4206 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4207
5b155ef9 4208 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4209
5b155ef9 4210 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4211 cfm.result = cpu_to_le16(result);
4212
5b155ef9
MM		 4213 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4214 sizeof(cfm), &cfm);
4215
4216 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4217}
4218
4219static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4220{
4221 struct l2cap_move_chan_cfm cfm;
4222
4223 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4224
4225 cfm.icid = cpu_to_le16(icid);
4226 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4227
4228 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4229 sizeof(cfm), &cfm);
8d5a04a1
MM		 4230}
4231
4232static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4233 u16 icid)
8d5a04a1
MM		 4234{
4235 struct l2cap_move_chan_cfm_rsp rsp;
4236
ad0ac6ca 4237 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4238
4239 rsp.icid = cpu_to_le16(icid);
4240 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4241}
4242
5f3847a4
MM		 4243static void __release_logical_link(struct l2cap_chan *chan)
4244{
4245 chan->hs_hchan = NULL;
4246 chan->hs_hcon = NULL;
4247
4248 /* Placeholder - release the logical link */
4249}
4250
5b155ef9
MM		 4251static void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4252 u8 status)
4253{
4254 /* Placeholder */
4255 return;
4256}
4257
8d5a04a1 4258static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4259 struct l2cap_cmd_hdr *cmd,
4260 u16 cmd_len, void *data)
8d5a04a1
MM		 4261{
4262 struct l2cap_move_chan_req *req = data;
02b0fbb9 4263 struct l2cap_chan *chan;
8d5a04a1
MM		 4264 u16 icid = 0;
4265 u16 result = L2CAP_MR_NOT_ALLOWED;
4266
4267 if (cmd_len != sizeof(*req))
4268 return -EPROTO;
4269
4270 icid = le16_to_cpu(req->icid);
4271
ad0ac6ca 4272 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4273
4274 if (!enable_hs)
4275 return -EINVAL;
4276
02b0fbb9
MM		 4277 chan = l2cap_get_chan_by_dcid(conn, icid);
4278 if (!chan) {
4279 l2cap_send_move_chan_rsp(conn, cmd->ident, icid,
4280 L2CAP_MR_NOT_ALLOWED);
4281 return 0;
4282 }
4283
4284 if (chan->scid < L2CAP_CID_DYN_START ||
4285 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4286 (chan->mode != L2CAP_MODE_ERTM &&
4287 chan->mode != L2CAP_MODE_STREAMING)) {
4288 result = L2CAP_MR_NOT_ALLOWED;
4289 goto send_move_response;
4290 }
4291
4292 if (chan->local_amp_id == req->dest_amp_id) {
4293 result = L2CAP_MR_SAME_ID;
4294 goto send_move_response;
4295 }
4296
4297 if (req->dest_amp_id) {
4298 struct hci_dev *hdev;
4299 hdev = hci_dev_get(req->dest_amp_id);
4300 if (!hdev || hdev->dev_type != HCI_AMP ||
4301 !test_bit(HCI_UP, &hdev->flags)) {
4302 if (hdev)
4303 hci_dev_put(hdev);
4304
4305 result = L2CAP_MR_BAD_ID;
4306 goto send_move_response;
4307 }
4308 hci_dev_put(hdev);
4309 }
4310
4311 /* Detect a move collision. Only send a collision response
4312 * if this side has "lost", otherwise proceed with the move.
4313 * The winner has the larger bd_addr.
4314 */
4315 if ((__chan_is_moving(chan) ||
4316 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4317 bacmp(conn->src, conn->dst) > 0) {
4318 result = L2CAP_MR_COLLISION;
4319 goto send_move_response;
4320 }
4321
4322 chan->ident = cmd->ident;
4323 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4324 l2cap_move_setup(chan);
4325 chan->move_id = req->dest_amp_id;
4326 icid = chan->dcid;
4327
4328 if (!req->dest_amp_id) {
4329 /* Moving to BR/EDR */
4330 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4331 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4332 result = L2CAP_MR_PEND;
4333 } else {
4334 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4335 result = L2CAP_MR_SUCCESS;
4336 }
4337 } else {
4338 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4339 /* Placeholder - uncomment when amp functions are available */
4340 /*amp_accept_physical(chan, req->dest_amp_id);*/
4341 result = L2CAP_MR_PEND;
4342 }
4343
4344send_move_response:
8d5a04a1
MM		 4345 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4346
02b0fbb9
MM		 4347 l2cap_chan_unlock(chan);
4348
8d5a04a1
MM		 4349 return 0;
4350}
4351
5b155ef9
MM		 4352static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4353{
4354 struct l2cap_chan *chan;
4355 struct hci_chan *hchan = NULL;
4356
4357 chan = l2cap_get_chan_by_scid(conn, icid);
4358 if (!chan) {
4359 l2cap_send_move_chan_cfm_icid(conn, icid);
4360 return;
4361 }
4362
4363 __clear_chan_timer(chan);
4364 if (result == L2CAP_MR_PEND)
4365 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4366
4367 switch (chan->move_state) {
4368 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4369 /* Move confirm will be sent when logical link
4370 * is complete.
4371 */
4372 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4373 break;
4374 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4375 if (result == L2CAP_MR_PEND) {
4376 break;
4377 } else if (test_bit(CONN_LOCAL_BUSY,
4378 &chan->conn_state)) {
4379 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4380 } else {
4381 /* Logical link is up or moving to BR/EDR,
4382 * proceed with move
4383 */
4384 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4385 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4386 }
4387 break;
4388 case L2CAP_MOVE_WAIT_RSP:
4389 /* Moving to AMP */
4390 if (result == L2CAP_MR_SUCCESS) {
4391 /* Remote is ready, send confirm immediately
4392 * after logical link is ready
4393 */
4394 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4395 } else {
4396 /* Both logical link and move success
4397 * are required to confirm
4398 */
4399 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4400 }
4401
4402 /* Placeholder - get hci_chan for logical link */
4403 if (!hchan) {
4404 /* Logical link not available */
4405 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4406 break;
4407 }
4408
4409 /* If the logical link is not yet connected, do not
4410 * send confirmation.
4411 */
4412 if (hchan->state != BT_CONNECTED)
4413 break;
4414
4415 /* Logical link is already ready to go */
4416
4417 chan->hs_hcon = hchan->conn;
4418 chan->hs_hcon->l2cap_data = chan->conn;
4419
4420 if (result == L2CAP_MR_SUCCESS) {
4421 /* Can confirm now */
4422 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4423 } else {
4424 /* Now only need move success
4425 * to confirm
4426 */
4427 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4428 }
4429
4430 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4431 break;
4432 default:
4433 /* Any other amp move state means the move failed. */
4434 chan->move_id = chan->local_amp_id;
4435 l2cap_move_done(chan);
4436 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4437 }
4438
4439 l2cap_chan_unlock(chan);
4440}
4441
4442static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4443 u16 result)
4444{
4445 struct l2cap_chan *chan;
4446
4447 chan = l2cap_get_chan_by_ident(conn, ident);
4448 if (!chan) {
4449 /* Could not locate channel, icid is best guess */
4450 l2cap_send_move_chan_cfm_icid(conn, icid);
4451 return;
4452 }
4453
4454 __clear_chan_timer(chan);
4455
4456 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4457 if (result == L2CAP_MR_COLLISION) {
4458 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4459 } else {
4460 /* Cleanup - cancel move */
4461 chan->move_id = chan->local_amp_id;
4462 l2cap_move_done(chan);
4463 }
4464 }
4465
4466 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4467
4468 l2cap_chan_unlock(chan);
4469}
4470
4471static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4472 struct l2cap_cmd_hdr *cmd,
4473 u16 cmd_len, void *data)
8d5a04a1
MM		 4474{
4475 struct l2cap_move_chan_rsp *rsp = data;
4476 u16 icid, result;
4477
4478 if (cmd_len != sizeof(*rsp))
4479 return -EPROTO;
4480
4481 icid = le16_to_cpu(rsp->icid);
4482 result = le16_to_cpu(rsp->result);
4483
ad0ac6ca 4484 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4485
5b155ef9
MM		 4486 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4487 l2cap_move_continue(conn, icid, result);
4488 else
4489 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4490
4491 return 0;
4492}
4493
5f3847a4
MM		 4494static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4495 struct l2cap_cmd_hdr *cmd,
4496 u16 cmd_len, void *data)
8d5a04a1
MM		 4497{
4498 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4499 struct l2cap_chan *chan;
8d5a04a1
MM		 4500 u16 icid, result;
4501
4502 if (cmd_len != sizeof(*cfm))
4503 return -EPROTO;
4504
4505 icid = le16_to_cpu(cfm->icid);
4506 result = le16_to_cpu(cfm->result);
4507
ad0ac6ca 4508 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4509
5f3847a4
MM		 4510 chan = l2cap_get_chan_by_dcid(conn, icid);
4511 if (!chan) {
4512 /* Spec requires a response even if the icid was not found */
4513 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4514 return 0;
4515 }
4516
4517 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4518 if (result == L2CAP_MC_CONFIRMED) {
4519 chan->local_amp_id = chan->move_id;
4520 if (!chan->local_amp_id)
4521 __release_logical_link(chan);
4522 } else {
4523 chan->move_id = chan->local_amp_id;
4524 }
4525
4526 l2cap_move_done(chan);
4527 }
4528
8d5a04a1
MM		 4529 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4530
5f3847a4
MM		 4531 l2cap_chan_unlock(chan);
4532
8d5a04a1
MM		 4533 return 0;
4534}
4535
4536static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4537 struct l2cap_cmd_hdr *cmd,
4538 u16 cmd_len, void *data)
8d5a04a1
MM		 4539{
4540 struct l2cap_move_chan_cfm_rsp *rsp = data;
4541 u16 icid;
4542
4543 if (cmd_len != sizeof(*rsp))
4544 return -EPROTO;
4545
4546 icid = le16_to_cpu(rsp->icid);
4547
ad0ac6ca 4548 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4549
4550 return 0;
4551}
4552
e2174ca4 4553static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4554 u16 to_multiplier)
de73115a
CT		 4555{
4556 u16 max_latency;
4557
4558 if (min > max || min < 6 || max > 3200)
4559 return -EINVAL;
4560
4561 if (to_multiplier < 10 || to_multiplier > 3200)
4562 return -EINVAL;
4563
4564 if (max >= to_multiplier * 8)
4565 return -EINVAL;
4566
4567 max_latency = (to_multiplier * 8 / max) - 1;
4568 if (latency > 499 || latency > max_latency)
4569 return -EINVAL;
4570
4571 return 0;
4572}
4573
4574static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4575 struct l2cap_cmd_hdr *cmd,
4576 u8 *data)
de73115a
CT		 4577{
4578 struct hci_conn *hcon = conn->hcon;
4579 struct l2cap_conn_param_update_req *req;
4580 struct l2cap_conn_param_update_rsp rsp;
4581 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4582 int err;
de73115a
CT		 4583
4584 if (!(hcon->link_mode & HCI_LM_MASTER))
4585 return -EINVAL;
4586
4587 cmd_len = __le16_to_cpu(cmd->len);
4588 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4589 return -EPROTO;
4590
4591 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4592 min = __le16_to_cpu(req->min);
4593 max = __le16_to_cpu(req->max);
de73115a
CT		 4594 latency = __le16_to_cpu(req->latency);
4595 to_multiplier = __le16_to_cpu(req->to_multiplier);
4596
4597 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4598 min, max, latency, to_multiplier);
de73115a
CT		 4599
4600 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4601
4602 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4603 if (err)
ac73498c 4604 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4605 else
ac73498c 4606 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4607
4608 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4609 sizeof(rsp), &rsp);
de73115a 4610
2ce603eb
CT		 4611 if (!err)
4612 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4613
de73115a
CT		 4614 return 0;
4615}
4616
3300d9a9 4617static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4618 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4619 u8 *data)
3300d9a9
CT		 4620{
4621 int err = 0;
4622
4623 switch (cmd->code) {
4624 case L2CAP_COMMAND_REJ:
4625 l2cap_command_rej(conn, cmd, data);
4626 break;
4627
4628 case L2CAP_CONN_REQ:
4629 err = l2cap_connect_req(conn, cmd, data);
4630 break;
4631
4632 case L2CAP_CONN_RSP:
f5a2598d 4633 case L2CAP_CREATE_CHAN_RSP:
5909cf30 4634 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 4635 break;
4636
4637 case L2CAP_CONF_REQ:
4638 err = l2cap_config_req(conn, cmd, cmd_len, data);
4639 break;
4640
4641 case L2CAP_CONF_RSP:
4642 err = l2cap_config_rsp(conn, cmd, data);
4643 break;
4644
4645 case L2CAP_DISCONN_REQ:
4646 err = l2cap_disconnect_req(conn, cmd, data);
4647 break;
4648
4649 case L2CAP_DISCONN_RSP:
4650 err = l2cap_disconnect_rsp(conn, cmd, data);
4651 break;
4652
4653 case L2CAP_ECHO_REQ:
4654 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4655 break;
4656
4657 case L2CAP_ECHO_RSP:
4658 break;
4659
4660 case L2CAP_INFO_REQ:
4661 err = l2cap_information_req(conn, cmd, data);
4662 break;
4663
4664 case L2CAP_INFO_RSP:
4665 err = l2cap_information_rsp(conn, cmd, data);
4666 break;
4667
f94ff6ff
MM		 4668 case L2CAP_CREATE_CHAN_REQ:
4669 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4670 break;
4671
8d5a04a1
MM		 4672 case L2CAP_MOVE_CHAN_REQ:
4673 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4674 break;
4675
4676 case L2CAP_MOVE_CHAN_RSP:
4677 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4678 break;
4679
4680 case L2CAP_MOVE_CHAN_CFM:
4681 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4682 break;
4683
4684 case L2CAP_MOVE_CHAN_CFM_RSP:
4685 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4686 break;
4687
3300d9a9
CT		 4688 default:
4689 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4690 err = -EINVAL;
4691 break;
4692 }
4693
4694 return err;
4695}
4696
4697static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 4698 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 4699{
4700 switch (cmd->code) {
4701 case L2CAP_COMMAND_REJ:
4702 return 0;
4703
4704 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4705 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4706
4707 case L2CAP_CONN_PARAM_UPDATE_RSP:
4708 return 0;
4709
4710 default:
4711 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4712 return -EINVAL;
4713 }
4714}
4715
4716static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 4717 struct sk_buff *skb)
1da177e4
LT		 4718{
4719 u8 *data = skb->data;
4720 int len = skb->len;
4721 struct l2cap_cmd_hdr cmd;
3300d9a9 4722 int err;
1da177e4
LT		 4723
4724 l2cap_raw_recv(conn, skb);
4725
4726 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4727 u16 cmd_len;
1da177e4
LT		 4728 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4729 data += L2CAP_CMD_HDR_SIZE;
4730 len -= L2CAP_CMD_HDR_SIZE;
4731
88219a0f 4732 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4733
2d792818
GP		 4734 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
4735 cmd.ident);
1da177e4 4736
88219a0f 4737 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4738 BT_DBG("corrupted command");
4739 break;
4740 }
4741
3300d9a9
CT		 4742 if (conn->hcon->type == LE_LINK)
4743 err = l2cap_le_sig_cmd(conn, &cmd, data);
4744 else
4745 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4746
4747 if (err) {
e2fd318e 4748 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4749
4750 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4751
4752 /* FIXME: Map err to a valid reason */
ac73498c 4753 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 4754 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
4755 sizeof(rej), &rej);
1da177e4
LT		 4756 }
4757
88219a0f
AV		 4758 data += cmd_len;
4759 len -= cmd_len;
1da177e4
LT		 4760 }
4761
4762 kfree_skb(skb);
4763}
4764
47d1ec61 4765static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4766{
4767 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4768 int hdr_size;
4769
4770 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4771 hdr_size = L2CAP_EXT_HDR_SIZE;
4772 else
4773 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4774
47d1ec61 4775 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4776 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4777 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4778 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4779
4780 if (our_fcs != rcv_fcs)
7a560e5c 4781 return -EBADMSG;
fcc203c3
GP		 4782 }
4783 return 0;
4784}
4785
6ea00485 4786static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4787{
e31f7633 4788 struct l2cap_ctrl control;
d5392c8f 4789
e31f7633 4790 BT_DBG("chan %p", chan);
d5392c8f 4791
e31f7633
MM		 4792 memset(&control, 0, sizeof(control));
4793 control.sframe = 1;
4794 control.final = 1;
4795 control.reqseq = chan->buffer_seq;
4796 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4797
e2ab4353 4798 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4799 control.super = L2CAP_SUPER_RNR;
4800 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4801 }
4802
e31f7633
MM		 4803 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4804 chan->unacked_frames > 0)
4805 __set_retrans_timer(chan);
d5392c8f 4806
e31f7633 4807 /* Send pending iframes */
525cd185 4808 l2cap_ertm_send(chan);
d5392c8f 4809
e2ab4353 4810 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4811 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4812 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4813 * send it now.
4814 */
4815 control.super = L2CAP_SUPER_RR;
4816 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4817 }
4818}
4819
2d792818
GP		 4820static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
4821 struct sk_buff **last_frag)
18778a63 4822{
84084a31
MM		 4823 /* skb->len reflects data in skb as well as all fragments
4824 * skb->data_len reflects only data in fragments
4825 */
4826 if (!skb_has_frag_list(skb))
4827 skb_shinfo(skb)->frag_list = new_frag;
4828
4829 new_frag->next = NULL;
4830
4831 (*last_frag)->next = new_frag;
4832 *last_frag = new_frag;
4833
4834 skb->len += new_frag->len;
4835 skb->data_len += new_frag->len;
4836 skb->truesize += new_frag->truesize;
4837}
4838
4b51dae9
MM		 4839static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4840 struct l2cap_ctrl *control)
84084a31
MM		 4841{
4842 int err = -EINVAL;
18778a63 4843
4b51dae9 4844 switch (control->sar) {
7e0ef6ee 4845 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4846 if (chan->sdu)
4847 break;
18778a63 4848
80b98027 4849 err = chan->ops->recv(chan, skb);
84084a31 4850 break;
18778a63 4851
7e0ef6ee 4852 case L2CAP_SAR_START:
84084a31
MM		 4853 if (chan->sdu)
4854 break;
18778a63 4855
6f61fd47 4856 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4857 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4858
84084a31
MM		 4859 if (chan->sdu_len > chan->imtu) {
4860 err = -EMSGSIZE;
4861 break;
4862 }
1890d36b 4863
84084a31
MM		 4864 if (skb->len >= chan->sdu_len)
4865 break;
18778a63 4866
84084a31
MM		 4867 chan->sdu = skb;
4868 chan->sdu_last_frag = skb;
18778a63 4869
84084a31
MM		 4870 skb = NULL;
4871 err = 0;
18778a63
GP		 4872 break;
4873
7e0ef6ee 4874 case L2CAP_SAR_CONTINUE:
6f61fd47 4875 if (!chan->sdu)
84084a31 4876 break;
18778a63 4877
84084a31
MM		 4878 append_skb_frag(chan->sdu, skb,
4879 &chan->sdu_last_frag);
4880 skb = NULL;
18778a63 4881
84084a31
MM		 4882 if (chan->sdu->len >= chan->sdu_len)
4883 break;
4178ba46 4884
84084a31 4885 err = 0;
18778a63
GP		 4886 break;
4887
7e0ef6ee 4888 case L2CAP_SAR_END:
6f61fd47 4889 if (!chan->sdu)
84084a31 4890 break;
18778a63 4891
84084a31
MM		 4892 append_skb_frag(chan->sdu, skb,
4893 &chan->sdu_last_frag);
4894 skb = NULL;
4178ba46 4895
84084a31
MM		 4896 if (chan->sdu->len != chan->sdu_len)
4897 break;
18778a63 4898
80b98027 4899 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4900
84084a31
MM		 4901 if (!err) {
4902 /* Reassembly complete */
4903 chan->sdu = NULL;
4904 chan->sdu_last_frag = NULL;
4905 chan->sdu_len = 0;
1890d36b 4906 }
18778a63
GP		 4907 break;
4908 }
4909
84084a31
MM		 4910 if (err) {
4911 kfree_skb(skb);
4912 kfree_skb(chan->sdu);
4913 chan->sdu = NULL;
4914 chan->sdu_last_frag = NULL;
4915 chan->sdu_len = 0;
4916 }
18778a63 4917
84084a31 4918 return err;
18778a63
GP		 4919}
4920
32b32735
MM		 4921static int l2cap_resegment(struct l2cap_chan *chan)
4922{
4923 /* Placeholder */
4924 return 0;
4925}
4926
61aa4f5b 4927void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4928{
61aa4f5b 4929 u8 event;
712132eb 4930
61aa4f5b
MM		 4931 if (chan->mode != L2CAP_MODE_ERTM)
4932 return;
712132eb 4933
61aa4f5b 4934 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4935 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4936}
4937
d2a7ac5d
MM		 4938static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4939{
63838725
MM		 4940 int err = 0;
4941 /* Pass sequential frames to l2cap_reassemble_sdu()
4942 * until a gap is encountered.
4943 */
4944
4945 BT_DBG("chan %p", chan);
4946
4947 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4948 struct sk_buff *skb;
4949 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4950 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4951
4952 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4953
4954 if (!skb)
4955 break;
4956
4957 skb_unlink(skb, &chan->srej_q);
4958 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4959 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4960 if (err)
4961 break;
4962 }
4963
4964 if (skb_queue_empty(&chan->srej_q)) {
4965 chan->rx_state = L2CAP_RX_STATE_RECV;
4966 l2cap_send_ack(chan);
4967 }
4968
4969 return err;
d2a7ac5d
MM		 4970}
4971
4972static void l2cap_handle_srej(struct l2cap_chan *chan,
4973 struct l2cap_ctrl *control)
4974{
f80842a8
MM		 4975 struct sk_buff *skb;
4976
4977 BT_DBG("chan %p, control %p", chan, control);
4978
4979 if (control->reqseq == chan->next_tx_seq) {
4980 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4981 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4982 return;
4983 }
4984
4985 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4986
4987 if (skb == NULL) {
4988 BT_DBG("Seq %d not available for retransmission",
4989 control->reqseq);
4990 return;
4991 }
4992
4993 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4994 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4995 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4996 return;
4997 }
4998
4999 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5000
5001 if (control->poll) {
5002 l2cap_pass_to_tx(chan, control);
5003
5004 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5005 l2cap_retransmit(chan, control);
5006 l2cap_ertm_send(chan);
5007
5008 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5009 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5010 chan->srej_save_reqseq = control->reqseq;
5011 }
5012 } else {
5013 l2cap_pass_to_tx_fbit(chan, control);
5014
5015 if (control->final) {
5016 if (chan->srej_save_reqseq != control->reqseq ||
5017 !test_and_clear_bit(CONN_SREJ_ACT,
5018 &chan->conn_state))
5019 l2cap_retransmit(chan, control);
5020 } else {
5021 l2cap_retransmit(chan, control);
5022 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5023 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5024 chan->srej_save_reqseq = control->reqseq;
5025 }
5026 }
5027 }
d2a7ac5d
MM		 5028}
5029
5030static void l2cap_handle_rej(struct l2cap_chan *chan,
5031 struct l2cap_ctrl *control)
5032{
fcd289df
MM		 5033 struct sk_buff *skb;
5034
5035 BT_DBG("chan %p, control %p", chan, control);
5036
5037 if (control->reqseq == chan->next_tx_seq) {
5038 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5039 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5040 return;
5041 }
5042
5043 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5044
5045 if (chan->max_tx && skb &&
5046 bt_cb(skb)->control.retries >= chan->max_tx) {
5047 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5048 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5049 return;
5050 }
5051
5052 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5053
5054 l2cap_pass_to_tx(chan, control);
5055
5056 if (control->final) {
5057 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5058 l2cap_retransmit_all(chan, control);
5059 } else {
5060 l2cap_retransmit_all(chan, control);
5061 l2cap_ertm_send(chan);
5062 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5063 set_bit(CONN_REJ_ACT, &chan->conn_state);
5064 }
d2a7ac5d
MM		 5065}
5066
4b51dae9
MM		 5067static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5068{
5069 BT_DBG("chan %p, txseq %d", chan, txseq);
5070
5071 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5072 chan->expected_tx_seq);
5073
5074 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5075 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5076 chan->tx_win) {
4b51dae9
MM		 5077 /* See notes below regarding "double poll" and
5078 * invalid packets.
5079 */
5080 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5081 BT_DBG("Invalid/Ignore - after SREJ");
5082 return L2CAP_TXSEQ_INVALID_IGNORE;
5083 } else {
5084 BT_DBG("Invalid - in window after SREJ sent");
5085 return L2CAP_TXSEQ_INVALID;
5086 }
5087 }
5088
5089 if (chan->srej_list.head == txseq) {
5090 BT_DBG("Expected SREJ");
5091 return L2CAP_TXSEQ_EXPECTED_SREJ;
5092 }
5093
5094 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5095 BT_DBG("Duplicate SREJ - txseq already stored");
5096 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5097 }
5098
5099 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5100 BT_DBG("Unexpected SREJ - not requested");
5101 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5102 }
5103 }
5104
5105 if (chan->expected_tx_seq == txseq) {
5106 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5107 chan->tx_win) {
5108 BT_DBG("Invalid - txseq outside tx window");
5109 return L2CAP_TXSEQ_INVALID;
5110 } else {
5111 BT_DBG("Expected");
5112 return L2CAP_TXSEQ_EXPECTED;
5113 }
5114 }
5115
5116 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5117 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5118 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5119 return L2CAP_TXSEQ_DUPLICATE;
5120 }
5121
5122 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5123 /* A source of invalid packets is a "double poll" condition,
5124 * where delays cause us to send multiple poll packets. If
5125 * the remote stack receives and processes both polls,
5126 * sequence numbers can wrap around in such a way that a
5127 * resent frame has a sequence number that looks like new data
5128 * with a sequence gap. This would trigger an erroneous SREJ
5129 * request.
5130 *
5131 * Fortunately, this is impossible with a tx window that's
5132 * less than half of the maximum sequence number, which allows
5133 * invalid frames to be safely ignored.
5134 *
5135 * With tx window sizes greater than half of the tx window
5136 * maximum, the frame is invalid and cannot be ignored. This
5137 * causes a disconnect.
5138 */
5139
5140 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5141 BT_DBG("Invalid/Ignore - txseq outside tx window");
5142 return L2CAP_TXSEQ_INVALID_IGNORE;
5143 } else {
5144 BT_DBG("Invalid - txseq outside tx window");
5145 return L2CAP_TXSEQ_INVALID;
5146 }
5147 } else {
5148 BT_DBG("Unexpected - txseq indicates missing frames");
5149 return L2CAP_TXSEQ_UNEXPECTED;
5150 }
5151}
5152
d2a7ac5d
MM		 5153static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5154 struct l2cap_ctrl *control,
5155 struct sk_buff *skb, u8 event)
5156{
5157 int err = 0;
5158 bool skb_in_use = 0;
5159
5160 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5161 event);
5162
5163 switch (event) {
5164 case L2CAP_EV_RECV_IFRAME:
5165 switch (l2cap_classify_txseq(chan, control->txseq)) {
5166 case L2CAP_TXSEQ_EXPECTED:
5167 l2cap_pass_to_tx(chan, control);
5168
5169 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5170 BT_DBG("Busy, discarding expected seq %d",
5171 control->txseq);
5172 break;
5173 }
5174
5175 chan->expected_tx_seq = __next_seq(chan,
5176 control->txseq);
5177
5178 chan->buffer_seq = chan->expected_tx_seq;
5179 skb_in_use = 1;
5180
5181 err = l2cap_reassemble_sdu(chan, skb, control);
5182 if (err)
5183 break;
5184
5185 if (control->final) {
5186 if (!test_and_clear_bit(CONN_REJ_ACT,
5187 &chan->conn_state)) {
5188 control->final = 0;
5189 l2cap_retransmit_all(chan, control);
5190 l2cap_ertm_send(chan);
5191 }
5192 }
5193
5194 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5195 l2cap_send_ack(chan);
5196 break;
5197 case L2CAP_TXSEQ_UNEXPECTED:
5198 l2cap_pass_to_tx(chan, control);
5199
5200 /* Can't issue SREJ frames in the local busy state.
5201 * Drop this frame, it will be seen as missing
5202 * when local busy is exited.
5203 */
5204 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5205 BT_DBG("Busy, discarding unexpected seq %d",
5206 control->txseq);
5207 break;
5208 }
5209
5210 /* There was a gap in the sequence, so an SREJ
5211 * must be sent for each missing frame. The
5212 * current frame is stored for later use.
5213 */
5214 skb_queue_tail(&chan->srej_q, skb);
5215 skb_in_use = 1;
5216 BT_DBG("Queued %p (queue len %d)", skb,
5217 skb_queue_len(&chan->srej_q));
5218
5219 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5220 l2cap_seq_list_clear(&chan->srej_list);
5221 l2cap_send_srej(chan, control->txseq);
5222
5223 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5224 break;
5225 case L2CAP_TXSEQ_DUPLICATE:
5226 l2cap_pass_to_tx(chan, control);
5227 break;
5228 case L2CAP_TXSEQ_INVALID_IGNORE:
5229 break;
5230 case L2CAP_TXSEQ_INVALID:
5231 default:
5232 l2cap_send_disconn_req(chan->conn, chan,
5233 ECONNRESET);
5234 break;
5235 }
5236 break;
5237 case L2CAP_EV_RECV_RR:
5238 l2cap_pass_to_tx(chan, control);
5239 if (control->final) {
5240 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5241
5242 if (!test_and_clear_bit(CONN_REJ_ACT,
5243 &chan->conn_state)) {
5244 control->final = 0;
5245 l2cap_retransmit_all(chan, control);
5246 }
5247
5248 l2cap_ertm_send(chan);
5249 } else if (control->poll) {
5250 l2cap_send_i_or_rr_or_rnr(chan);
5251 } else {
5252 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5253 &chan->conn_state) &&
5254 chan->unacked_frames)
5255 __set_retrans_timer(chan);
5256
5257 l2cap_ertm_send(chan);
5258 }
5259 break;
5260 case L2CAP_EV_RECV_RNR:
5261 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5262 l2cap_pass_to_tx(chan, control);
5263 if (control && control->poll) {
5264 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5265 l2cap_send_rr_or_rnr(chan, 0);
5266 }
5267 __clear_retrans_timer(chan);
5268 l2cap_seq_list_clear(&chan->retrans_list);
5269 break;
5270 case L2CAP_EV_RECV_REJ:
5271 l2cap_handle_rej(chan, control);
5272 break;
5273 case L2CAP_EV_RECV_SREJ:
5274 l2cap_handle_srej(chan, control);
5275 break;
5276 default:
5277 break;
5278 }
5279
5280 if (skb && !skb_in_use) {
5281 BT_DBG("Freeing %p", skb);
5282 kfree_skb(skb);
5283 }
5284
5285 return err;
5286}
5287
5288static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5289 struct l2cap_ctrl *control,
5290 struct sk_buff *skb, u8 event)
5291{
5292 int err = 0;
5293 u16 txseq = control->txseq;
5294 bool skb_in_use = 0;
5295
5296 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5297 event);
5298
5299 switch (event) {
5300 case L2CAP_EV_RECV_IFRAME:
5301 switch (l2cap_classify_txseq(chan, txseq)) {
5302 case L2CAP_TXSEQ_EXPECTED:
5303 /* Keep frame for reassembly later */
5304 l2cap_pass_to_tx(chan, control);
5305 skb_queue_tail(&chan->srej_q, skb);
5306 skb_in_use = 1;
5307 BT_DBG("Queued %p (queue len %d)", skb,
5308 skb_queue_len(&chan->srej_q));
5309
5310 chan->expected_tx_seq = __next_seq(chan, txseq);
5311 break;
5312 case L2CAP_TXSEQ_EXPECTED_SREJ:
5313 l2cap_seq_list_pop(&chan->srej_list);
5314
5315 l2cap_pass_to_tx(chan, control);
5316 skb_queue_tail(&chan->srej_q, skb);
5317 skb_in_use = 1;
5318 BT_DBG("Queued %p (queue len %d)", skb,
5319 skb_queue_len(&chan->srej_q));
5320
5321 err = l2cap_rx_queued_iframes(chan);
5322 if (err)
5323 break;
5324
5325 break;
5326 case L2CAP_TXSEQ_UNEXPECTED:
5327 /* Got a frame that can't be reassembled yet.
5328 * Save it for later, and send SREJs to cover
5329 * the missing frames.
5330 */
5331 skb_queue_tail(&chan->srej_q, skb);
5332 skb_in_use = 1;
5333 BT_DBG("Queued %p (queue len %d)", skb,
5334 skb_queue_len(&chan->srej_q));
5335
5336 l2cap_pass_to_tx(chan, control);
5337 l2cap_send_srej(chan, control->txseq);
5338 break;
5339 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5340 /* This frame was requested with an SREJ, but
5341 * some expected retransmitted frames are
5342 * missing. Request retransmission of missing
5343 * SREJ'd frames.
5344 */
5345 skb_queue_tail(&chan->srej_q, skb);
5346 skb_in_use = 1;
5347 BT_DBG("Queued %p (queue len %d)", skb,
5348 skb_queue_len(&chan->srej_q));
5349
5350 l2cap_pass_to_tx(chan, control);
5351 l2cap_send_srej_list(chan, control->txseq);
5352 break;
5353 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5354 /* We've already queued this frame. Drop this copy. */
5355 l2cap_pass_to_tx(chan, control);
5356 break;
5357 case L2CAP_TXSEQ_DUPLICATE:
5358 /* Expecting a later sequence number, so this frame
5359 * was already received. Ignore it completely.
5360 */
5361 break;
5362 case L2CAP_TXSEQ_INVALID_IGNORE:
5363 break;
5364 case L2CAP_TXSEQ_INVALID:
5365 default:
5366 l2cap_send_disconn_req(chan->conn, chan,
5367 ECONNRESET);
5368 break;
5369 }
5370 break;
5371 case L2CAP_EV_RECV_RR:
5372 l2cap_pass_to_tx(chan, control);
5373 if (control->final) {
5374 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5375
5376 if (!test_and_clear_bit(CONN_REJ_ACT,
5377 &chan->conn_state)) {
5378 control->final = 0;
5379 l2cap_retransmit_all(chan, control);
5380 }
5381
5382 l2cap_ertm_send(chan);
5383 } else if (control->poll) {
5384 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5385 &chan->conn_state) &&
5386 chan->unacked_frames) {
5387 __set_retrans_timer(chan);
5388 }
5389
5390 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5391 l2cap_send_srej_tail(chan);
5392 } else {
5393 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5394 &chan->conn_state) &&
5395 chan->unacked_frames)
5396 __set_retrans_timer(chan);
5397
5398 l2cap_send_ack(chan);
5399 }
5400 break;
5401 case L2CAP_EV_RECV_RNR:
5402 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5403 l2cap_pass_to_tx(chan, control);
5404 if (control->poll) {
5405 l2cap_send_srej_tail(chan);
5406 } else {
5407 struct l2cap_ctrl rr_control;
5408 memset(&rr_control, 0, sizeof(rr_control));
5409 rr_control.sframe = 1;
5410 rr_control.super = L2CAP_SUPER_RR;
5411 rr_control.reqseq = chan->buffer_seq;
5412 l2cap_send_sframe(chan, &rr_control);
5413 }
5414
5415 break;
5416 case L2CAP_EV_RECV_REJ:
5417 l2cap_handle_rej(chan, control);
5418 break;
5419 case L2CAP_EV_RECV_SREJ:
5420 l2cap_handle_srej(chan, control);
5421 break;
5422 }
5423
5424 if (skb && !skb_in_use) {
5425 BT_DBG("Freeing %p", skb);
5426 kfree_skb(skb);
5427 }
5428
5429 return err;
5430}
5431
32b32735
MM		 5432static int l2cap_finish_move(struct l2cap_chan *chan)
5433{
5434 BT_DBG("chan %p", chan);
5435
5436 chan->rx_state = L2CAP_RX_STATE_RECV;
5437
5438 if (chan->hs_hcon)
5439 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5440 else
5441 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5442
5443 return l2cap_resegment(chan);
5444}
5445
5446static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5447 struct l2cap_ctrl *control,
5448 struct sk_buff *skb, u8 event)
5449{
5450 int err;
5451
5452 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5453 event);
5454
5455 if (!control->poll)
5456 return -EPROTO;
5457
5458 l2cap_process_reqseq(chan, control->reqseq);
5459
5460 if (!skb_queue_empty(&chan->tx_q))
5461 chan->tx_send_head = skb_peek(&chan->tx_q);
5462 else
5463 chan->tx_send_head = NULL;
5464
5465 /* Rewind next_tx_seq to the point expected
5466 * by the receiver.
5467 */
5468 chan->next_tx_seq = control->reqseq;
5469 chan->unacked_frames = 0;
5470
5471 err = l2cap_finish_move(chan);
5472 if (err)
5473 return err;
5474
5475 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5476 l2cap_send_i_or_rr_or_rnr(chan);
5477
5478 if (event == L2CAP_EV_RECV_IFRAME)
5479 return -EPROTO;
5480
5481 return l2cap_rx_state_recv(chan, control, NULL, event);
5482}
5483
5484static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5485 struct l2cap_ctrl *control,
5486 struct sk_buff *skb, u8 event)
5487{
5488 int err;
5489
5490 if (!control->final)
5491 return -EPROTO;
5492
5493 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5494
5495 chan->rx_state = L2CAP_RX_STATE_RECV;
5496 l2cap_process_reqseq(chan, control->reqseq);
5497
5498 if (!skb_queue_empty(&chan->tx_q))
5499 chan->tx_send_head = skb_peek(&chan->tx_q);
5500 else
5501 chan->tx_send_head = NULL;
5502
5503 /* Rewind next_tx_seq to the point expected
5504 * by the receiver.
5505 */
5506 chan->next_tx_seq = control->reqseq;
5507 chan->unacked_frames = 0;
5508
5509 if (chan->hs_hcon)
5510 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5511 else
5512 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5513
5514 err = l2cap_resegment(chan);
5515
5516 if (!err)
5517 err = l2cap_rx_state_recv(chan, control, skb, event);
5518
5519 return err;
5520}
5521
d2a7ac5d
MM		 5522static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5523{
5524 /* Make sure reqseq is for a packet that has been sent but not acked */
5525 u16 unacked;
5526
5527 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5528 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5529}
5530
cec8ab6e
MM		 5531static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5532 struct sk_buff *skb, u8 event)
218bb9df 5533{
d2a7ac5d
MM		 5534 int err = 0;
5535
5536 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5537 control, skb, event, chan->rx_state);
5538
5539 if (__valid_reqseq(chan, control->reqseq)) {
5540 switch (chan->rx_state) {
5541 case L2CAP_RX_STATE_RECV:
5542 err = l2cap_rx_state_recv(chan, control, skb, event);
5543 break;
5544 case L2CAP_RX_STATE_SREJ_SENT:
5545 err = l2cap_rx_state_srej_sent(chan, control, skb,
5546 event);
5547 break;
32b32735
MM		 5548 case L2CAP_RX_STATE_WAIT_P:
5549 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5550 break;
5551 case L2CAP_RX_STATE_WAIT_F:
5552 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5553 break;
d2a7ac5d
MM		 5554 default:
5555 /* shut it down */
5556 break;
5557 }
5558 } else {
5559 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5560 control->reqseq, chan->next_tx_seq,
5561 chan->expected_ack_seq);
5562 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5563 }
5564
5565 return err;
cec8ab6e
MM		 5566}
5567
5568static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5569 struct sk_buff *skb)
5570{
4b51dae9
MM		 5571 int err = 0;
5572
5573 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5574 chan->rx_state);
5575
5576 if (l2cap_classify_txseq(chan, control->txseq) ==
5577 L2CAP_TXSEQ_EXPECTED) {
5578 l2cap_pass_to_tx(chan, control);
5579
5580 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5581 __next_seq(chan, chan->buffer_seq));
5582
5583 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5584
5585 l2cap_reassemble_sdu(chan, skb, control);
5586 } else {
5587 if (chan->sdu) {
5588 kfree_skb(chan->sdu);
5589 chan->sdu = NULL;
5590 }
5591 chan->sdu_last_frag = NULL;
5592 chan->sdu_len = 0;
5593
5594 if (skb) {
5595 BT_DBG("Freeing %p", skb);
5596 kfree_skb(skb);
5597 }
5598 }
5599
5600 chan->last_acked_seq = control->txseq;
5601 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5602
5603 return err;
cec8ab6e
MM		 5604}
5605
5606static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5607{
5608 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5609 u16 len;
5610 u8 event;
218bb9df 5611
b76bbd66
MM		 5612 __unpack_control(chan, skb);
5613
218bb9df
GP		 5614 len = skb->len;
5615
5616 /*
5617 * We can just drop the corrupted I-frame here.
5618 * Receiver will miss it and start proper recovery
cec8ab6e 5619 * procedures and ask for retransmission.
218bb9df 5620 */
47d1ec61 5621 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5622 goto drop;
5623
cec8ab6e 5624 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5625 len -= L2CAP_SDULEN_SIZE;
218bb9df 5626
47d1ec61 5627 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5628 len -= L2CAP_FCS_SIZE;
218bb9df 5629
47d1ec61 5630 if (len > chan->mps) {
8c1d787b 5631 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5632 goto drop;
5633 }
5634
cec8ab6e
MM		 5635 if (!control->sframe) {
5636 int err;
218bb9df 5637
cec8ab6e
MM		 5638 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5639 control->sar, control->reqseq, control->final,
5640 control->txseq);
218bb9df 5641
cec8ab6e
MM		 5642 /* Validate F-bit - F=0 always valid, F=1 only
5643 * valid in TX WAIT_F
5644 */
5645 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5646 goto drop;
cec8ab6e
MM		 5647
5648 if (chan->mode != L2CAP_MODE_STREAMING) {
5649 event = L2CAP_EV_RECV_IFRAME;
5650 err = l2cap_rx(chan, control, skb, event);
5651 } else {
5652 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5653 }
5654
cec8ab6e
MM		 5655 if (err)
5656 l2cap_send_disconn_req(chan->conn, chan,
5657 ECONNRESET);
218bb9df 5658 } else {
cec8ab6e
MM		 5659 const u8 rx_func_to_event[4] = {
5660 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5661 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5662 };
5663
5664 /* Only I-frames are expected in streaming mode */
5665 if (chan->mode == L2CAP_MODE_STREAMING)
5666 goto drop;
5667
5668 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5669 control->reqseq, control->final, control->poll,
5670 control->super);
5671
218bb9df
GP		 5672 if (len != 0) {
5673 BT_ERR("%d", len);
8c1d787b 5674 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5675 goto drop;
5676 }
5677
cec8ab6e
MM		 5678 /* Validate F and P bits */
5679 if (control->final && (control->poll ||
5680 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5681 goto drop;
5682
5683 event = rx_func_to_event[control->super];
5684 if (l2cap_rx(chan, control, skb, event))
5685 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5686 }
5687
5688 return 0;
5689
5690drop:
5691 kfree_skb(skb);
5692 return 0;
5693}
5694
13ca56e0
AE		 5695static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5696 struct sk_buff *skb)
1da177e4 5697{
48454079 5698 struct l2cap_chan *chan;
1da177e4 5699
baa7e1fa 5700 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5701 if (!chan) {
97e8e89d
AE		 5702 if (cid == L2CAP_CID_A2MP) {
5703 chan = a2mp_channel_create(conn, skb);
5704 if (!chan) {
5705 kfree_skb(skb);
13ca56e0 5706 return;
97e8e89d
AE		 5707 }
5708
5709 l2cap_chan_lock(chan);
5710 } else {
5711 BT_DBG("unknown cid 0x%4.4x", cid);
5712 /* Drop packet and return */
5713 kfree_skb(skb);
13ca56e0 5714 return;
97e8e89d 5715 }
1da177e4
LT		 5716 }
5717
49208c9c 5718 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5719
89bc500e 5720 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5721 goto drop;
5722
0c1bc5c6 5723 switch (chan->mode) {
1c2acffb
GP		 5724 case L2CAP_MODE_BASIC:
5725 /* If socket recv buffers overflows we drop data here
5726 * which is *bad* because L2CAP has to be reliable.
5727 * But we don't have any other choice. L2CAP doesn't
5728 * provide flow control mechanism. */
1da177e4 5729
0c1bc5c6 5730 if (chan->imtu < skb->len)
1c2acffb 5731 goto drop;
1da177e4 5732
80b98027 5733 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5734 goto done;
5735 break;
5736
5737 case L2CAP_MODE_ERTM:
6840ed07 5738 case L2CAP_MODE_STREAMING:
cec8ab6e 5739 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5740 goto done;
5741
1c2acffb 5742 default:
0c1bc5c6 5743 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5744 break;
5745 }
1da177e4
LT		 5746
5747drop:
5748 kfree_skb(skb);
5749
5750done:
6be36555 5751 l2cap_chan_unlock(chan);
1da177e4
LT		 5752}
5753
84104b24
AE		 5754static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5755 struct sk_buff *skb)
1da177e4 5756{
23691d75 5757 struct l2cap_chan *chan;
1da177e4 5758
c2287681 5759 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5760 if (!chan)
1da177e4
LT		 5761 goto drop;
5762
5b4cedaa 5763 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5764
89bc500e 5765 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5766 goto drop;
5767
e13e21dc 5768 if (chan->imtu < skb->len)
1da177e4
LT		 5769 goto drop;
5770
80b98027 5771 if (!chan->ops->recv(chan, skb))
84104b24 5772 return;
1da177e4
LT		 5773
5774drop:
5775 kfree_skb(skb);
1da177e4
LT		 5776}
5777
6810fca7
AE		 5778static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5779 struct sk_buff *skb)
9f69bda6 5780{
23691d75 5781 struct l2cap_chan *chan;
9f69bda6 5782
c2287681 5783 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5784 if (!chan)
9f69bda6
GP		 5785 goto drop;
5786
5b4cedaa 5787 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5788
89bc500e 5789 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5790 goto drop;
5791
e13e21dc 5792 if (chan->imtu < skb->len)
9f69bda6
GP		 5793 goto drop;
5794
80b98027 5795 if (!chan->ops->recv(chan, skb))
6810fca7 5796 return;
9f69bda6
GP		 5797
5798drop:
5799 kfree_skb(skb);
9f69bda6
GP		 5800}
5801
1da177e4
LT		 5802static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5803{
5804 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5805 u16 cid, len;
5806 __le16 psm;
1da177e4
LT		 5807
5808 skb_pull(skb, L2CAP_HDR_SIZE);
5809 cid = __le16_to_cpu(lh->cid);
5810 len = __le16_to_cpu(lh->len);
5811
1c2acffb
GP		 5812 if (len != skb->len) {
5813 kfree_skb(skb);
5814 return;
5815 }
5816
1da177e4
LT		 5817 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5818
5819 switch (cid) {
3300d9a9 5820 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5821 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5822 l2cap_sig_channel(conn, skb);
5823 break;
5824
8db4dc46 5825 case L2CAP_CID_CONN_LESS:
097db76c 5826 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5827 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5828 l2cap_conless_channel(conn, psm, skb);
5829 break;
5830
9f69bda6
GP		 5831 case L2CAP_CID_LE_DATA:
5832 l2cap_att_channel(conn, cid, skb);
5833 break;
5834
b501d6a1
AB		 5835 case L2CAP_CID_SMP:
5836 if (smp_sig_channel(conn, skb))
5837 l2cap_conn_del(conn->hcon, EACCES);
5838 break;
5839
1da177e4
LT		 5840 default:
5841 l2cap_data_channel(conn, cid, skb);
5842 break;
5843 }
5844}
5845
5846/* ---- L2CAP interface with lower layer (HCI) ---- */
5847
686ebf28 5848int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5849{
5850 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5851 struct l2cap_chan *c;
1da177e4 5852
6ed93dc6 5853 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5854
5855 /* Find listening sockets and check their link_mode */
23691d75
GP		 5856 read_lock(&chan_list_lock);
5857 list_for_each_entry(c, &chan_list, global_l) {
5858 struct sock *sk = c->sk;
4343478f 5859
89bc500e 5860 if (c->state != BT_LISTEN)
1da177e4
LT		 5861 continue;
5862
5863 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5864 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5865 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5866 lm1 |= HCI_LM_MASTER;
1da177e4 5867 exact++;
2af6b9d5
MH		 5868 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5869 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5870 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5871 lm2 |= HCI_LM_MASTER;
5872 }
1da177e4 5873 }
23691d75 5874 read_unlock(&chan_list_lock);
1da177e4
LT		 5875
5876 return exact ? lm1 : lm2;
5877}
5878
9e664631 5879void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5880{
0139418c
MH		 5881 struct l2cap_conn *conn;
5882
6ed93dc6 5883 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5884
1da177e4 5885 if (!status) {
1da177e4
LT		 5886 conn = l2cap_conn_add(hcon, status);
5887 if (conn)
5888 l2cap_conn_ready(conn);
0139418c 5889 } else
e175072f 5890 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5891
1da177e4
LT		 5892}
5893
686ebf28 5894int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5895{
5896 struct l2cap_conn *conn = hcon->l2cap_data;
5897
5898 BT_DBG("hcon %p", hcon);
5899
686ebf28 5900 if (!conn)
9f5a0d7b 5901 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5902 return conn->disc_reason;
5903}
5904
9e664631 5905void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5906{
5907 BT_DBG("hcon %p reason %d", hcon, reason);
5908
e175072f 5909 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5910}
5911
4343478f 5912static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5913{
715ec005 5914 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5915 return;
5916
f62e4323 5917 if (encrypt == 0x00) {
4343478f 5918 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5919 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5920 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5921 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5922 } else {
4343478f 5923 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5924 __clear_chan_timer(chan);
f62e4323
MH		 5925 }
5926}
5927
686ebf28 5928int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5929{
0139418c 5930 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5931 struct l2cap_chan *chan;
1da177e4 5932
0139418c 5933 if (!conn)
1da177e4 5934 return 0;
0139418c 5935
89d8b407 5936 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5937
160dc6ac 5938 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5939 if (!status && encrypt)
5940 smp_distribute_keys(conn, 0);
17cd3f37 5941 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5942 }
5943
3df91ea2 5944 mutex_lock(&conn->chan_lock);
1da177e4 5945
3df91ea2 5946 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5947 l2cap_chan_lock(chan);
1da177e4 5948
89d8b407
AE		 5949 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5950 state_to_string(chan->state));
f1cb9af5 5951
78eb2f98
AE		 5952 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5953 l2cap_chan_unlock(chan);
5954 continue;
5955 }
5956
f1cb9af5
VCG		 5957 if (chan->scid == L2CAP_CID_LE_DATA) {
5958 if (!status && encrypt) {
5959 chan->sec_level = hcon->sec_level;
cf4cd009 5960 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5961 }
5962
6be36555 5963 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5964 continue;
5965 }
5966
c1360a1c 5967 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5968 l2cap_chan_unlock(chan);
6a8d3010
MH		 5969 continue;
5970 }
5971
89bc500e 5972 if (!status && (chan->state == BT_CONNECTED ||
2d792818 5973 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5974 struct sock *sk = chan->sk;
5975
c5daa683 5976 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5977 sk->sk_state_change(sk);
5978
4343478f 5979 l2cap_check_encryption(chan, encrypt);
6be36555 5980 l2cap_chan_unlock(chan);
9719f8af
MH		 5981 continue;
5982 }
5983
89bc500e 5984 if (chan->state == BT_CONNECT) {
b1235d79 5985 if (!status) {
93c3e8f5 5986 l2cap_start_connection(chan);
b1235d79 5987 } else {
ba13ccd9 5988 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5989 }
89bc500e 5990 } else if (chan->state == BT_CONNECT2) {
6be36555 5991 struct sock *sk = chan->sk;
b1235d79 5992 struct l2cap_conn_rsp rsp;
df3c3931 5993 __u16 res, stat;
1da177e4 5994
6be36555
AE		 5995 lock_sock(sk);
5996
b1235d79 5997 if (!status) {
c5daa683
GP		 5998 if (test_bit(BT_SK_DEFER_SETUP,
5999 &bt_sk(sk)->flags)) {
df3c3931
JH		 6000 res = L2CAP_CR_PEND;
6001 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6002 chan->ops->defer(chan);
df3c3931 6003 } else {
0e587be7 6004 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6005 res = L2CAP_CR_SUCCESS;
6006 stat = L2CAP_CS_NO_INFO;
6007 }
b1235d79 6008 } else {
0e587be7 6009 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6010 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6011 res = L2CAP_CR_SEC_BLOCK;
6012 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6013 }
6014
6be36555
AE		 6015 release_sock(sk);
6016
fe4128e0
GP		 6017 rsp.scid = cpu_to_le16(chan->dcid);
6018 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6019 rsp.result = cpu_to_le16(res);
6020 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6021 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6022 sizeof(rsp), &rsp);
2d369359
MM		 6023
6024 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6025 res == L2CAP_CR_SUCCESS) {
6026 char buf[128];
6027 set_bit(CONF_REQ_SENT, &chan->conf_state);
6028 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6029 L2CAP_CONF_REQ,
6030 l2cap_build_conf_req(chan, buf),
6031 buf);
6032 chan->num_conf_req++;
6033 }
b1235d79 6034 }
1da177e4 6035
6be36555 6036 l2cap_chan_unlock(chan);
1da177e4
LT		 6037 }
6038
3df91ea2 6039 mutex_unlock(&conn->chan_lock);
b1235d79 6040
1da177e4
LT		 6041 return 0;
6042}
6043
686ebf28 6044int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6045{
6046 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6047 struct l2cap_hdr *hdr;
6048 int len;
1da177e4 6049
1d13a254
AE		 6050 /* For AMP controller do not create l2cap conn */
6051 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6052 goto drop;
1da177e4 6053
5a08ecce
AE		 6054 if (!conn)
6055 conn = l2cap_conn_add(hcon, 0);
6056
6057 if (!conn)
1da177e4
LT		 6058 goto drop;
6059
6060 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6061
d73a0988
AE		 6062 switch (flags) {
6063 case ACL_START:
6064 case ACL_START_NO_FLUSH:
6065 case ACL_COMPLETE:
1da177e4
LT		 6066 if (conn->rx_len) {
6067 BT_ERR("Unexpected start frame (len %d)", skb->len);
6068 kfree_skb(conn->rx_skb);
6069 conn->rx_skb = NULL;
6070 conn->rx_len = 0;
6071 l2cap_conn_unreliable(conn, ECOMM);
6072 }
6073
aae7fe22
AE		 6074 /* Start fragment always begin with Basic L2CAP header */
6075 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6076 BT_ERR("Frame is too short (len %d)", skb->len);
6077 l2cap_conn_unreliable(conn, ECOMM);
6078 goto drop;
6079 }
6080
6081 hdr = (struct l2cap_hdr *) skb->data;
6082 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6083
6084 if (len == skb->len) {
6085 /* Complete frame received */
6086 l2cap_recv_frame(conn, skb);
6087 return 0;
6088 }
6089
6090 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6091
6092 if (skb->len > len) {
6093 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6094 skb->len, len);
1da177e4
LT		 6095 l2cap_conn_unreliable(conn, ECOMM);
6096 goto drop;
6097 }
6098
6099 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6100 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6101 if (!conn->rx_skb)
1da177e4
LT		 6102 goto drop;
6103
d626f62b 6104 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6105 skb->len);
1da177e4 6106 conn->rx_len = len - skb->len;
d73a0988
AE		 6107 break;
6108
6109 case ACL_CONT:
1da177e4
LT		 6110 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6111
6112 if (!conn->rx_len) {
6113 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6114 l2cap_conn_unreliable(conn, ECOMM);
6115 goto drop;
6116 }
6117
6118 if (skb->len > conn->rx_len) {
6119 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6120 skb->len, conn->rx_len);
1da177e4
LT		 6121 kfree_skb(conn->rx_skb);
6122 conn->rx_skb = NULL;
6123 conn->rx_len = 0;
6124 l2cap_conn_unreliable(conn, ECOMM);
6125 goto drop;
6126 }
6127
d626f62b 6128 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6129 skb->len);
1da177e4
LT		 6130 conn->rx_len -= skb->len;
6131
6132 if (!conn->rx_len) {
6133 /* Complete frame received */
6134 l2cap_recv_frame(conn, conn->rx_skb);
6135 conn->rx_skb = NULL;
6136 }
d73a0988 6137 break;
1da177e4
LT		 6138 }
6139
6140drop:
6141 kfree_skb(skb);
6142 return 0;
6143}
6144
aef7d97c 6145static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6146{
23691d75 6147 struct l2cap_chan *c;
1da177e4 6148
333055f2 6149 read_lock(&chan_list_lock);
1da177e4 6150
23691d75
GP		 6151 list_for_each_entry(c, &chan_list, global_l) {
6152 struct sock *sk = c->sk;
101545f6 6153
fcb73338
AE		 6154 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6155 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6156 c->state, __le16_to_cpu(c->psm),
6157 c->scid, c->dcid, c->imtu, c->omtu,
6158 c->sec_level, c->mode);
61e1b4b7 6159 }
1da177e4 6160
333055f2 6161 read_unlock(&chan_list_lock);
1da177e4 6162
aef7d97c 6163 return 0;
1da177e4
LT		 6164}
6165
aef7d97c
MH		 6166static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6167{
6168 return single_open(file, l2cap_debugfs_show, inode->i_private);
6169}
6170
6171static const struct file_operations l2cap_debugfs_fops = {
6172 .open = l2cap_debugfs_open,
6173 .read = seq_read,
6174 .llseek = seq_lseek,
6175 .release = single_release,
6176};
6177
6178static struct dentry *l2cap_debugfs;
1da177e4 6179
64274518 6180int __init l2cap_init(void)
1da177e4
LT		 6181{
6182 int err;
be9d1227 6183
bb58f747 6184 err = l2cap_init_sockets();
1da177e4
LT		 6185 if (err < 0)
6186 return err;
6187
aef7d97c 6188 if (bt_debugfs) {
2d792818
GP		 6189 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6190 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6191 if (!l2cap_debugfs)
6192 BT_ERR("Failed to create L2CAP debug file");
6193 }
1da177e4 6194
1da177e4 6195 return 0;
1da177e4
LT		 6196}
6197
64274518 6198void l2cap_exit(void)
1da177e4 6199{
aef7d97c 6200 debugfs_remove(l2cap_debugfs);
bb58f747 6201 l2cap_cleanup_sockets();
1da177e4
LT		 6202}
6203
d1c4a17d
GP		 6204module_param(disable_ertm, bool, 0644);
6205MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)