projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move bt_accept_enqueue() to l2cap_sock.c
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
2d792818
GP		 103static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
104 u8 ident)
0139418c 105{
3df91ea2 106 struct l2cap_chan *c;
3d57dc68 107
3df91ea2
AE		 108 list_for_each_entry(c, &conn->chan_l, list) {
109 if (c->ident == ident)
110 return c;
0139418c 111 }
3df91ea2 112 return NULL;
0139418c
MH		 113}
114
23691d75 115static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 116{
23691d75 117 struct l2cap_chan *c;
9e4425ff 118
23691d75
GP		 119 list_for_each_entry(c, &chan_list, global_l) {
120 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 121 return c;
9e4425ff 122 }
250938cb 123 return NULL;
9e4425ff
GP		 124}
125
126int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
127{
73b2ec18
GP		 128 int err;
129
333055f2 130 write_lock(&chan_list_lock);
9e4425ff 131
23691d75 132 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 133 err = -EADDRINUSE;
134 goto done;
9e4425ff
GP		 135 }
136
73b2ec18
GP		 137 if (psm) {
138 chan->psm = psm;
139 chan->sport = psm;
140 err = 0;
141 } else {
142 u16 p;
143
144 err = -EINVAL;
145 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 146 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 147 chan->psm = cpu_to_le16(p);
148 chan->sport = cpu_to_le16(p);
149 err = 0;
150 break;
151 }
152 }
9e4425ff 153
73b2ec18 154done:
333055f2 155 write_unlock(&chan_list_lock);
73b2ec18 156 return err;
9e4425ff
GP		 157}
158
159int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
160{
333055f2 161 write_lock(&chan_list_lock);
9e4425ff
GP		 162
163 chan->scid = scid;
164
333055f2 165 write_unlock(&chan_list_lock);
9e4425ff
GP		 166
167 return 0;
168}
169
baa7e1fa 170static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 171{
8db4dc46 172 u16 cid = L2CAP_CID_DYN_START;
0139418c 173
8db4dc46 174 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 175 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 176 return cid;
177 }
178
179 return 0;
180}
181
0e587be7 182static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 183{
42d2d87c 184 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 185 state_to_string(state));
badaaa00 186
89bc500e 187 chan->state = state;
80b98027 188 chan->ops->state_change(chan, state);
89bc500e
GP		 189}
190
0e587be7
AE		 191static void l2cap_state_change(struct l2cap_chan *chan, int state)
192{
193 struct sock *sk = chan->sk;
194
195 lock_sock(sk);
196 __l2cap_state_change(chan, state);
197 release_sock(sk);
198}
199
2e0052e4
AE		 200static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
201{
202 struct sock *sk = chan->sk;
203
204 sk->sk_err = err;
205}
206
207static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
208{
209 struct sock *sk = chan->sk;
210
211 lock_sock(sk);
212 __l2cap_chan_set_err(chan, err);
213 release_sock(sk);
214}
215
4239d16f
MM		 216static void __set_retrans_timer(struct l2cap_chan *chan)
217{
218 if (!delayed_work_pending(&chan->monitor_timer) &&
219 chan->retrans_timeout) {
220 l2cap_set_timer(chan, &chan->retrans_timer,
221 msecs_to_jiffies(chan->retrans_timeout));
222 }
223}
224
225static void __set_monitor_timer(struct l2cap_chan *chan)
226{
227 __clear_retrans_timer(chan);
228 if (chan->monitor_timeout) {
229 l2cap_set_timer(chan, &chan->monitor_timer,
230 msecs_to_jiffies(chan->monitor_timeout));
231 }
232}
233
608bcc6d
MM		 234static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
235 u16 seq)
236{
237 struct sk_buff *skb;
238
239 skb_queue_walk(head, skb) {
240 if (bt_cb(skb)->control.txseq == seq)
241 return skb;
242 }
243
244 return NULL;
245}
246
3c588192
MM		 247/* ---- L2CAP sequence number lists ---- */
248
249/* For ERTM, ordered lists of sequence numbers must be tracked for
250 * SREJ requests that are received and for frames that are to be
251 * retransmitted. These seq_list functions implement a singly-linked
252 * list in an array, where membership in the list can also be checked
253 * in constant time. Items can also be added to the tail of the list
254 * and removed from the head in constant time, without further memory
255 * allocs or frees.
256 */
257
258static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
259{
260 size_t alloc_size, i;
261
262 /* Allocated size is a power of 2 to map sequence numbers
263 * (which may be up to 14 bits) in to a smaller array that is
264 * sized for the negotiated ERTM transmit windows.
265 */
266 alloc_size = roundup_pow_of_two(size);
267
268 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
269 if (!seq_list->list)
270 return -ENOMEM;
271
272 seq_list->mask = alloc_size - 1;
273 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
274 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
275 for (i = 0; i < alloc_size; i++)
276 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
277
278 return 0;
279}
280
281static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
282{
283 kfree(seq_list->list);
284}
285
286static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
287 u16 seq)
288{
289 /* Constant-time check for list membership */
290 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
291}
292
293static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
294{
295 u16 mask = seq_list->mask;
296
297 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
298 /* In case someone tries to pop the head of an empty list */
299 return L2CAP_SEQ_LIST_CLEAR;
300 } else if (seq_list->head == seq) {
301 /* Head can be removed in constant time */
302 seq_list->head = seq_list->list[seq & mask];
303 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
304
305 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
306 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
307 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
308 }
309 } else {
310 /* Walk the list to find the sequence number */
311 u16 prev = seq_list->head;
312 while (seq_list->list[prev & mask] != seq) {
313 prev = seq_list->list[prev & mask];
314 if (prev == L2CAP_SEQ_LIST_TAIL)
315 return L2CAP_SEQ_LIST_CLEAR;
316 }
317
318 /* Unlink the number from the list and clear it */
319 seq_list->list[prev & mask] = seq_list->list[seq & mask];
320 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
321 if (seq_list->tail == seq)
322 seq_list->tail = prev;
323 }
324 return seq;
325}
326
327static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
328{
329 /* Remove the head in constant time */
330 return l2cap_seq_list_remove(seq_list, seq_list->head);
331}
332
333static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
334{
f522ae36 335 u16 i;
3c588192 336
f522ae36
GP		 337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
338 return;
339
340 for (i = 0; i <= seq_list->mask; i++)
341 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
342
343 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
344 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 345}
346
347static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
348{
349 u16 mask = seq_list->mask;
350
351 /* All appends happen in constant time */
352
f522ae36
GP		 353 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
354 return;
3c588192 355
f522ae36
GP		 356 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
357 seq_list->head = seq;
358 else
359 seq_list->list[seq_list->tail & mask] = seq;
360
361 seq_list->tail = seq;
362 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 363}
364
721c4181 365static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 366{
721c4181 367 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 368 chan_timer.work);
3df91ea2 369 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 370 int reason;
371
e05dcc32 372 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 373
3df91ea2 374 mutex_lock(&conn->chan_lock);
6be36555 375 l2cap_chan_lock(chan);
ab07801d 376
89bc500e 377 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 378 reason = ECONNREFUSED;
89bc500e 379 else if (chan->state == BT_CONNECT &&
2d792818 380 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 381 reason = ECONNREFUSED;
382 else
383 reason = ETIMEDOUT;
384
0f852724 385 l2cap_chan_close(chan, reason);
ab07801d 386
6be36555 387 l2cap_chan_unlock(chan);
ab07801d 388
80b98027 389 chan->ops->close(chan);
3df91ea2
AE		 390 mutex_unlock(&conn->chan_lock);
391
371fd835 392 l2cap_chan_put(chan);
ab07801d
GP		 393}
394
eef1d9b6 395struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 396{
397 struct l2cap_chan *chan;
398
399 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
400 if (!chan)
401 return NULL;
402
c03b355e
AE		 403 mutex_init(&chan->lock);
404
333055f2 405 write_lock(&chan_list_lock);
23691d75 406 list_add(&chan->global_l, &chan_list);
333055f2 407 write_unlock(&chan_list_lock);
23691d75 408
721c4181 409 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 410
89bc500e
GP		 411 chan->state = BT_OPEN;
412
144ad330 413 kref_init(&chan->kref);
71ba0e56 414
2827011f
MM		 415 /* This flag is cleared in l2cap_chan_ready() */
416 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
417
eef1d9b6 418 BT_DBG("chan %p", chan);
abc545b8 419
48454079
GP		 420 return chan;
421}
422
144ad330 423static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 424{
144ad330
SS		 425 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
426
4af66c69
JK		 427 BT_DBG("chan %p", chan);
428
333055f2 429 write_lock(&chan_list_lock);
23691d75 430 list_del(&chan->global_l);
333055f2 431 write_unlock(&chan_list_lock);
23691d75 432
4af66c69 433 kfree(chan);
6ff5abbf
GP		 434}
435
30648372
JK		 436void l2cap_chan_hold(struct l2cap_chan *c)
437{
144ad330 438 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 439
144ad330 440 kref_get(&c->kref);
30648372
JK		 441}
442
443void l2cap_chan_put(struct l2cap_chan *c)
444{
144ad330 445 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 446
144ad330 447 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 448}
449
bd4b1653
AE		 450void l2cap_chan_set_defaults(struct l2cap_chan *chan)
451{
452 chan->fcs = L2CAP_FCS_CRC16;
453 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
454 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
455 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 456 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 457 chan->sec_level = BT_SECURITY_LOW;
458
459 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
460}
461
93c3e8f5 462void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 463{
af05b30b 464 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 465 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 466
9f5a0d7b 467 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 468
8c1d787b 469 chan->conn = conn;
0139418c 470
5491120e
AE		 471 switch (chan->chan_type) {
472 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 473 if (conn->hcon->type == LE_LINK) {
474 /* LE connection */
6fcb06a2 475 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 476 chan->scid = L2CAP_CID_LE_DATA;
477 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 478 } else {
479 /* Alloc CID for connection-oriented socket */
fe4128e0 480 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 481 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 482 }
5491120e
AE		 483 break;
484
485 case L2CAP_CHAN_CONN_LESS:
0139418c 486 /* Connectionless socket */
fe4128e0
GP		 487 chan->scid = L2CAP_CID_CONN_LESS;
488 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 489 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 490 break;
491
416fa752
AE		 492 case L2CAP_CHAN_CONN_FIX_A2MP:
493 chan->scid = L2CAP_CID_A2MP;
494 chan->dcid = L2CAP_CID_A2MP;
495 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
496 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
497 break;
498
5491120e 499 default:
0139418c 500 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 501 chan->scid = L2CAP_CID_SIGNALING;
502 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 503 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 504 }
505
8f7975b1
AE		 506 chan->local_id = L2CAP_BESTEFFORT_ID;
507 chan->local_stype = L2CAP_SERV_BESTEFFORT;
508 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
509 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
510 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 511 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 512
371fd835 513 l2cap_chan_hold(chan);
baa7e1fa 514
3df91ea2 515 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 516}
517
466f8004 518void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 519{
520 mutex_lock(&conn->chan_lock);
521 __l2cap_chan_add(conn, chan);
3df91ea2 522 mutex_unlock(&conn->chan_lock);
0139418c
MH		 523}
524
466f8004 525void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 526{
8c1d787b 527 struct l2cap_conn *conn = chan->conn;
0139418c 528
c9b66675 529 __clear_chan_timer(chan);
0139418c 530
49208c9c 531 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 532
8e87d142 533 if (conn) {
baa7e1fa 534 /* Delete from channel list */
3df91ea2 535 list_del(&chan->list);
3d57dc68 536
371fd835 537 l2cap_chan_put(chan);
baa7e1fa 538
8c1d787b 539 chan->conn = NULL;
3cabbfda
AE		 540
541 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
542 hci_conn_put(conn->hcon);
0139418c
MH		 543 }
544
b699ec0d 545 chan->ops->teardown(chan, err);
6be36555 546
2827011f 547 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 548 return;
2ead70b8 549
ee556f66
GP		 550 switch(chan->mode) {
551 case L2CAP_MODE_BASIC:
552 break;
c13ffa62 553
ee556f66 554 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 555 __clear_retrans_timer(chan);
556 __clear_monitor_timer(chan);
557 __clear_ack_timer(chan);
c13ffa62 558
f1c6775b 559 skb_queue_purge(&chan->srej_q);
c13ffa62 560
3c588192
MM		 561 l2cap_seq_list_free(&chan->srej_list);
562 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 563
564 /* fall through */
565
566 case L2CAP_MODE_STREAMING:
567 skb_queue_purge(&chan->tx_q);
568 break;
c13ffa62 569 }
ee556f66
GP		 570
571 return;
0139418c
MH		 572}
573
0f852724 574void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 575{
576 struct l2cap_conn *conn = chan->conn;
577 struct sock *sk = chan->sk;
578
2d792818
GP		 579 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
580 sk);
4519de9a 581
89bc500e 582 switch (chan->state) {
4519de9a 583 case BT_LISTEN:
b699ec0d 584 chan->ops->teardown(chan, 0);
4519de9a
GP		 585 break;
586
587 case BT_CONNECTED:
588 case BT_CONFIG:
715ec005 589 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 590 conn->hcon->type == ACL_LINK) {
c9b66675 591 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 592 l2cap_send_disconn_req(conn, chan, reason);
593 } else
594 l2cap_chan_del(chan, reason);
595 break;
596
597 case BT_CONNECT2:
715ec005 598 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 599 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 600 struct l2cap_conn_rsp rsp;
601 __u16 result;
602
c5daa683 603 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 604 result = L2CAP_CR_SEC_BLOCK;
605 else
606 result = L2CAP_CR_BAD_PSM;
89bc500e 607 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 608
609 rsp.scid = cpu_to_le16(chan->dcid);
610 rsp.dcid = cpu_to_le16(chan->scid);
611 rsp.result = cpu_to_le16(result);
ac73498c 612 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 613 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 614 sizeof(rsp), &rsp);
4519de9a
GP		 615 }
616
617 l2cap_chan_del(chan, reason);
618 break;
619
620 case BT_CONNECT:
621 case BT_DISCONN:
622 l2cap_chan_del(chan, reason);
623 break;
624
625 default:
b699ec0d 626 chan->ops->teardown(chan, 0);
4519de9a
GP		 627 break;
628 }
629}
630
4343478f 631static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 632{
715ec005 633 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 634 switch (chan->sec_level) {
8556edd3
JH		 635 case BT_SECURITY_HIGH:
636 return HCI_AT_DEDICATED_BONDING_MITM;
637 case BT_SECURITY_MEDIUM:
638 return HCI_AT_DEDICATED_BONDING;
639 default:
640 return HCI_AT_NO_BONDING;
641 }
2983fd68 642 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 643 if (chan->sec_level == BT_SECURITY_LOW)
644 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 645
4343478f 646 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 647 return HCI_AT_NO_BONDING_MITM;
00ae4af9 648 else
8556edd3 649 return HCI_AT_NO_BONDING;
00ae4af9 650 } else {
4343478f 651 switch (chan->sec_level) {
00ae4af9 652 case BT_SECURITY_HIGH:
8556edd3 653 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 654 case BT_SECURITY_MEDIUM:
8556edd3 655 return HCI_AT_GENERAL_BONDING;
00ae4af9 656 default:
8556edd3 657 return HCI_AT_NO_BONDING;
00ae4af9 658 }
0684e5f9 659 }
8556edd3
JH		 660}
661
662/* Service level security */
d45fc423 663int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 664{
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 666 __u8 auth_type;
667
4343478f 668 auth_type = l2cap_get_auth_type(chan);
79d554a6 669
4343478f 670 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 671}
672
b5ad8b7f 673static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 674{
675 u8 id;
676
677 /* Get next available identificator.
678 * 1 - 128 are used by kernel.
679 * 129 - 199 are reserved.
680 * 200 - 254 are used by utilities like l2ping, etc.
681 */
682
333055f2 683 spin_lock(&conn->lock);
4e8402a3
MH		 684
685 if (++conn->tx_ident > 128)
686 conn->tx_ident = 1;
687
688 id = conn->tx_ident;
689
333055f2 690 spin_unlock(&conn->lock);
4e8402a3
MH		 691
692 return id;
693}
694
2d792818
GP		 695static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
696 void *data)
4e8402a3
MH		 697{
698 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 699 u8 flags;
4e8402a3
MH		 700
701 BT_DBG("code 0x%2.2x", code);
702
703 if (!skb)
9a9c6a34 704 return;
4e8402a3 705
e702112f
AE		 706 if (lmp_no_flush_capable(conn->hcon->hdev))
707 flags = ACL_START_NO_FLUSH;
708 else
709 flags = ACL_START;
710
14b12d0b 711 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 712 skb->priority = HCI_PRIO_MAX;
14b12d0b 713
73d80deb
LAD		 714 hci_send_acl(conn->hchan, skb, flags);
715}
716
717static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
718{
719 struct hci_conn *hcon = chan->conn->hcon;
720 u16 flags;
721
722 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 723 skb->priority);
73d80deb
LAD		 724
725 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 726 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 727 flags = ACL_START_NO_FLUSH;
728 else
729 flags = ACL_START;
14b12d0b 730
73d80deb
LAD		 731 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
732 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 733}
734
b76bbd66
MM		 735static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
736{
737 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
738 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
739
740 if (enh & L2CAP_CTRL_FRAME_TYPE) {
741 /* S-Frame */
742 control->sframe = 1;
743 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
744 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
745
746 control->sar = 0;
747 control->txseq = 0;
748 } else {
749 /* I-Frame */
750 control->sframe = 0;
751 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
752 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
753
754 control->poll = 0;
755 control->super = 0;
756 }
757}
758
b76bbd66
MM		 759static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
760{
761 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
762 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
763
764 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
765 /* S-Frame */
766 control->sframe = 1;
767 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
768 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
769
770 control->sar = 0;
771 control->txseq = 0;
772 } else {
773 /* I-Frame */
774 control->sframe = 0;
775 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
776 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
777
778 control->poll = 0;
779 control->super = 0;
780 }
781}
782
783static inline void __unpack_control(struct l2cap_chan *chan,
784 struct sk_buff *skb)
785{
786 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
787 __unpack_extended_control(get_unaligned_le32(skb->data),
788 &bt_cb(skb)->control);
cec8ab6e 789 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 790 } else {
791 __unpack_enhanced_control(get_unaligned_le16(skb->data),
792 &bt_cb(skb)->control);
cec8ab6e 793 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 794 }
795}
796
b5c6aaed
MM		 797static u32 __pack_extended_control(struct l2cap_ctrl *control)
798{
799 u32 packed;
800
801 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
802 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
803
804 if (control->sframe) {
805 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
806 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
807 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
808 } else {
809 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
810 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
811 }
812
813 return packed;
814}
815
816static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
817{
818 u16 packed;
819
820 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
821 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
822
823 if (control->sframe) {
824 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
825 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
826 packed |= L2CAP_CTRL_FRAME_TYPE;
827 } else {
828 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
829 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
830 }
831
832 return packed;
833}
834
b76bbd66
MM		 835static inline void __pack_control(struct l2cap_chan *chan,
836 struct l2cap_ctrl *control,
837 struct sk_buff *skb)
838{
839 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
840 put_unaligned_le32(__pack_extended_control(control),
841 skb->data + L2CAP_HDR_SIZE);
842 } else {
843 put_unaligned_le16(__pack_enhanced_control(control),
844 skb->data + L2CAP_HDR_SIZE);
845 }
846}
847
ba7aa64f
GP		 848static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
849{
850 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
851 return L2CAP_EXT_HDR_SIZE;
852 else
853 return L2CAP_ENH_HDR_SIZE;
854}
855
a67d7f6f
MM		 856static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
857 u32 control)
b5c6aaed
MM		 858{
859 struct sk_buff *skb;
860 struct l2cap_hdr *lh;
ba7aa64f 861 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 862
863 if (chan->fcs == L2CAP_FCS_CRC16)
864 hlen += L2CAP_FCS_SIZE;
865
a67d7f6f 866 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 867
b5c6aaed 868 if (!skb)
a67d7f6f 869 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 870
871 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
872 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
873 lh->cid = cpu_to_le16(chan->dcid);
874
a67d7f6f
MM		 875 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
876 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
877 else
878 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 879
880 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 881 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 882 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
883 }
884
885 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 886 return skb;
887}
888
889static void l2cap_send_sframe(struct l2cap_chan *chan,
890 struct l2cap_ctrl *control)
891{
892 struct sk_buff *skb;
893 u32 control_field;
894
895 BT_DBG("chan %p, control %p", chan, control);
896
897 if (!control->sframe)
898 return;
899
900 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
901 !control->poll)
902 control->final = 1;
903
904 if (control->super == L2CAP_SUPER_RR)
905 clear_bit(CONN_RNR_SENT, &chan->conn_state);
906 else if (control->super == L2CAP_SUPER_RNR)
907 set_bit(CONN_RNR_SENT, &chan->conn_state);
908
909 if (control->super != L2CAP_SUPER_SREJ) {
910 chan->last_acked_seq = control->reqseq;
911 __clear_ack_timer(chan);
912 }
913
914 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
915 control->final, control->poll, control->super);
916
917 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
918 control_field = __pack_extended_control(control);
919 else
920 control_field = __pack_enhanced_control(control);
921
922 skb = l2cap_create_sframe_pdu(chan, control_field);
923 if (!IS_ERR(skb))
924 l2cap_do_send(chan, skb);
b5c6aaed
MM		 925}
926
c9e3d5e0 927static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 928{
c9e3d5e0
MM		 929 struct l2cap_ctrl control;
930
931 BT_DBG("chan %p, poll %d", chan, poll);
932
933 memset(&control, 0, sizeof(control));
934 control.sframe = 1;
935 control.poll = poll;
936
937 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
938 control.super = L2CAP_SUPER_RNR;
939 else
940 control.super = L2CAP_SUPER_RR;
b5c6aaed 941
c9e3d5e0
MM		 942 control.reqseq = chan->buffer_seq;
943 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 944}
945
b4450035 946static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 947{
c1360a1c 948 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 949}
950
93c3e8f5
AE		 951static bool __amp_capable(struct l2cap_chan *chan)
952{
953 struct l2cap_conn *conn = chan->conn;
954
955 if (enable_hs &&
956 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
957 conn->fixed_chan_mask & L2CAP_FC_A2MP)
958 return true;
959 else
960 return false;
961}
962
2766be48 963void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 964{
965 struct l2cap_conn *conn = chan->conn;
966 struct l2cap_conn_req req;
967
968 req.scid = cpu_to_le16(chan->scid);
969 req.psm = chan->psm;
970
971 chan->ident = l2cap_get_ident(conn);
972
973 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
974
975 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
976}
977
9f0caeb1
VCG		 978static void l2cap_chan_ready(struct l2cap_chan *chan)
979{
2827011f 980 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 981 chan->conf_state = 0;
982 __clear_chan_timer(chan);
983
54a59aa2 984 chan->state = BT_CONNECTED;
9f0caeb1 985
fd83e2c2 986 chan->ops->ready(chan);
9f0caeb1
VCG		 987}
988
93c3e8f5
AE		 989static void l2cap_start_connection(struct l2cap_chan *chan)
990{
991 if (__amp_capable(chan)) {
992 BT_DBG("chan %p AMP capable: discover AMPs", chan);
993 a2mp_discover_amp(chan);
994 } else {
995 l2cap_send_conn_req(chan);
996 }
997}
998
fc7f8a7e 999static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1000{
8c1d787b 1001 struct l2cap_conn *conn = chan->conn;
79d554a6 1002
9f0caeb1
VCG		 1003 if (conn->hcon->type == LE_LINK) {
1004 l2cap_chan_ready(chan);
1005 return;
1006 }
1007
79d554a6 1008 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1009 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1010 return;
1011
d45fc423 1012 if (l2cap_chan_check_security(chan) &&
2d792818 1013 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1014 l2cap_start_connection(chan);
1015 }
79d554a6
MH		 1016 } else {
1017 struct l2cap_info_req req;
ac73498c 1018 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1019
1020 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1021 conn->info_ident = l2cap_get_ident(conn);
1022
ba13ccd9 1023 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1024
2d792818
GP		 1025 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1026 sizeof(req), &req);
79d554a6
MH		 1027 }
1028}
1029
cf6c2c0b
GP		 1030static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1031{
1032 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1033 if (!disable_ertm)
cf6c2c0b
GP		 1034 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1035
1036 switch (mode) {
1037 case L2CAP_MODE_ERTM:
1038 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1039 case L2CAP_MODE_STREAMING:
1040 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1041 default:
1042 return 0x00;
1043 }
1044}
1045
2d792818
GP		 1046static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1047 struct l2cap_chan *chan, int err)
22121fc9 1048{
6be36555 1049 struct sock *sk = chan->sk;
22121fc9
GP		 1050 struct l2cap_disconn_req req;
1051
c13ffa62
GP		 1052 if (!conn)
1053 return;
1054
0c1bc5c6 1055 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1056 __clear_retrans_timer(chan);
1057 __clear_monitor_timer(chan);
1058 __clear_ack_timer(chan);
c13ffa62
GP		 1059 }
1060
416fa752 1061 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1062 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1063 return;
1064 }
1065
fe4128e0
GP		 1066 req.dcid = cpu_to_le16(chan->dcid);
1067 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1068 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1069 sizeof(req), &req);
c13ffa62 1070
6be36555 1071 lock_sock(sk);
0e587be7 1072 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1073 __l2cap_chan_set_err(chan, err);
6be36555 1074 release_sock(sk);
22121fc9
GP		 1075}
1076
1da177e4 1077/* ---- L2CAP connections ---- */
4e8402a3
MH		 1078static void l2cap_conn_start(struct l2cap_conn *conn)
1079{
3df91ea2 1080 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1081
1082 BT_DBG("conn %p", conn);
1083
3df91ea2 1084 mutex_lock(&conn->chan_lock);
4e8402a3 1085
3df91ea2 1086 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1087 struct sock *sk = chan->sk;
baa7e1fa 1088
6be36555 1089 l2cap_chan_lock(chan);
4e8402a3 1090
715ec005 1091 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1092 l2cap_chan_unlock(chan);
79d554a6
MH		 1093 continue;
1094 }
1095
89bc500e 1096 if (chan->state == BT_CONNECT) {
d45fc423 1097 if (!l2cap_chan_check_security(chan) ||
2d792818 1098 !__l2cap_no_conn_pending(chan)) {
6be36555 1099 l2cap_chan_unlock(chan);
47731de7
GP		 1100 continue;
1101 }
79d554a6 1102
c1360a1c 1103 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1104 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1105 &chan->conf_state)) {
89bc500e 1106 l2cap_chan_close(chan, ECONNRESET);
6be36555 1107 l2cap_chan_unlock(chan);
47731de7 1108 continue;
b1235d79 1109 }
47731de7 1110
93c3e8f5 1111 l2cap_start_connection(chan);
47731de7 1112
89bc500e 1113 } else if (chan->state == BT_CONNECT2) {
79d554a6 1114 struct l2cap_conn_rsp rsp;
e9aeb2dd 1115 char buf[128];
fe4128e0
GP		 1116 rsp.scid = cpu_to_le16(chan->dcid);
1117 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1118
d45fc423 1119 if (l2cap_chan_check_security(chan)) {
6be36555 1120 lock_sock(sk);
c5daa683
GP		 1121 if (test_bit(BT_SK_DEFER_SETUP,
1122 &bt_sk(sk)->flags)) {
f66dc81f 1123 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1124 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1125 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1126 if (parent)
1127 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1128
1129 } else {
0e587be7 1130 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1131 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1132 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1133 }
6be36555 1134 release_sock(sk);
79d554a6 1135 } else {
ac73498c
AE		 1136 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1137 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1138 }
1139
fc7f8a7e 1140 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1141 sizeof(rsp), &rsp);
e9aeb2dd 1142
c1360a1c 1143 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1144 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1145 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1146 continue;
1147 }
1148
c1360a1c 1149 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1150 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1151 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1152 chan->num_conf_req++;
4e8402a3
MH		 1153 }
1154
6be36555 1155 l2cap_chan_unlock(chan);
4e8402a3
MH		 1156 }
1157
3df91ea2 1158 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1159}
1160
c2287681 1161/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1162 * Returns closest match, locked.
1163 */
d9b88702 1164static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1165 bdaddr_t *src,
1166 bdaddr_t *dst)
b62f328b 1167{
23691d75 1168 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1169
23691d75 1170 read_lock(&chan_list_lock);
b62f328b 1171
23691d75
GP		 1172 list_for_each_entry(c, &chan_list, global_l) {
1173 struct sock *sk = c->sk;
fe4128e0 1174
89bc500e 1175 if (state && c->state != state)
b62f328b
VT		 1176 continue;
1177
23691d75 1178 if (c->scid == cid) {
c2287681
IY		 1179 int src_match, dst_match;
1180 int src_any, dst_any;
1181
b62f328b 1182 /* Exact match. */
c2287681
IY		 1183 src_match = !bacmp(&bt_sk(sk)->src, src);
1184 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1185 if (src_match && dst_match) {
23691d75
GP		 1186 read_unlock(&chan_list_lock);
1187 return c;
1188 }
b62f328b
VT		 1189
1190 /* Closest match */
c2287681
IY		 1191 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1192 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1193 if ((src_match && dst_any) || (src_any && dst_match) ||
1194 (src_any && dst_any))
23691d75 1195 c1 = c;
b62f328b
VT		 1196 }
1197 }
280f294f 1198
23691d75 1199 read_unlock(&chan_list_lock);
b62f328b 1200
23691d75 1201 return c1;
b62f328b
VT		 1202}
1203
1204static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1205{
c916fbe4 1206 struct sock *parent, *sk;
23691d75 1207 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1208
1209 BT_DBG("");
1210
1211 /* Check if we have socket listening on cid */
23691d75 1212 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1213 conn->src, conn->dst);
23691d75 1214 if (!pchan)
b62f328b
VT		 1215 return;
1216
23691d75
GP		 1217 parent = pchan->sk;
1218
aa2ac881 1219 lock_sock(parent);
62f3a2cf 1220
80b98027 1221 chan = pchan->ops->new_connection(pchan);
80808e43 1222 if (!chan)
b62f328b
VT		 1223 goto clean;
1224
80808e43 1225 sk = chan->sk;
5d41ce1d 1226
b62f328b 1227 hci_conn_hold(conn->hcon);
a9ea3ed9 1228 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1229
b62f328b
VT		 1230 bacpy(&bt_sk(sk)->src, conn->src);
1231 bacpy(&bt_sk(sk)->dst, conn->dst);
1232
3d57dc68 1233 l2cap_chan_add(conn, chan);
48454079 1234
6754e0df 1235 l2cap_chan_ready(chan);
b62f328b 1236
b62f328b 1237clean:
aa2ac881 1238 release_sock(parent);
b62f328b
VT		 1239}
1240
4e8402a3
MH		 1241static void l2cap_conn_ready(struct l2cap_conn *conn)
1242{
48454079 1243 struct l2cap_chan *chan;
cc110922 1244 struct hci_conn *hcon = conn->hcon;
4e8402a3 1245
79d554a6 1246 BT_DBG("conn %p", conn);
4e8402a3 1247
cc110922 1248 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1249 l2cap_le_conn_ready(conn);
1250
cc110922
VCG		 1251 if (hcon->out && hcon->type == LE_LINK)
1252 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1253
3df91ea2 1254 mutex_lock(&conn->chan_lock);
4e8402a3 1255
3df91ea2 1256 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1257
6be36555 1258 l2cap_chan_lock(chan);
4e8402a3 1259
416fa752
AE		 1260 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1261 l2cap_chan_unlock(chan);
1262 continue;
1263 }
1264
cc110922
VCG		 1265 if (hcon->type == LE_LINK) {
1266 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1267 l2cap_chan_ready(chan);
acd7d370 1268
63128451 1269 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1270 struct sock *sk = chan->sk;
c9b66675 1271 __clear_chan_timer(chan);
6be36555 1272 lock_sock(sk);
0e587be7 1273 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1274 sk->sk_state_change(sk);
6be36555 1275 release_sock(sk);
b501d6a1 1276
89bc500e 1277 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1278 l2cap_do_start(chan);
4e8402a3 1279
6be36555 1280 l2cap_chan_unlock(chan);
4e8402a3 1281 }
79d554a6 1282
3df91ea2 1283 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1284}
1285
1286/* Notify sockets that we cannot guaranty reliability anymore */
1287static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1288{
48454079 1289 struct l2cap_chan *chan;
4e8402a3
MH		 1290
1291 BT_DBG("conn %p", conn);
1292
3df91ea2 1293 mutex_lock(&conn->chan_lock);
4e8402a3 1294
3df91ea2 1295 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1296 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1297 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1298 }
1299
3df91ea2 1300 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1301}
1302
f878fcad 1303static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1304{
f878fcad 1305 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1306 info_timer.work);
4e8402a3 1307
984947dc 1308 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1309 conn->info_ident = 0;
984947dc 1310
4e8402a3
MH		 1311 l2cap_conn_start(conn);
1312}
1313
5d3de7df
VCG		 1314static void l2cap_conn_del(struct hci_conn *hcon, int err)
1315{
1316 struct l2cap_conn *conn = hcon->l2cap_data;
1317 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1318
1319 if (!conn)
1320 return;
1321
1322 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1323
1324 kfree_skb(conn->rx_skb);
1325
3df91ea2
AE		 1326 mutex_lock(&conn->chan_lock);
1327
5d3de7df
VCG		 1328 /* Kill channels */
1329 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1330 l2cap_chan_hold(chan);
6be36555
AE		 1331 l2cap_chan_lock(chan);
1332
5d3de7df 1333 l2cap_chan_del(chan, err);
6be36555
AE		 1334
1335 l2cap_chan_unlock(chan);
1336
80b98027 1337 chan->ops->close(chan);
61d6ef3e 1338 l2cap_chan_put(chan);
5d3de7df
VCG		 1339 }
1340
3df91ea2
AE		 1341 mutex_unlock(&conn->chan_lock);
1342
73d80deb
LAD		 1343 hci_chan_del(conn->hchan);
1344
5d3de7df 1345 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1346 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1347
51a8efd7 1348 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1349 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1350 smp_chan_destroy(conn);
d26a2345 1351 }
5d3de7df
VCG		 1352
1353 hcon->l2cap_data = NULL;
1354 kfree(conn);
1355}
1356
6c9d42a1 1357static void security_timeout(struct work_struct *work)
5d3de7df 1358{
6c9d42a1 1359 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1360 security_timer.work);
5d3de7df 1361
d06cc416
JH		 1362 BT_DBG("conn %p", conn);
1363
1364 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1365 smp_chan_destroy(conn);
1366 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1367 }
5d3de7df
VCG		 1368}
1369
1da177e4
LT		 1370static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1371{
0139418c 1372 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1373 struct hci_chan *hchan;
1da177e4 1374
0139418c 1375 if (conn || status)
1da177e4
LT		 1376 return conn;
1377
73d80deb
LAD		 1378 hchan = hci_chan_create(hcon);
1379 if (!hchan)
1380 return NULL;
1381
8bcde1f2 1382 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1383 if (!conn) {
1384 hci_chan_del(hchan);
1da177e4 1385 return NULL;
73d80deb 1386 }
1da177e4
LT		 1387
1388 hcon->l2cap_data = conn;
1389 conn->hcon = hcon;
73d80deb 1390 conn->hchan = hchan;
1da177e4 1391
73d80deb 1392 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1393
dcc042d5
AE		 1394 switch (hcon->type) {
1395 case AMP_LINK:
1396 conn->mtu = hcon->hdev->block_mtu;
1397 break;
1398
1399 case LE_LINK:
1400 if (hcon->hdev->le_mtu) {
1401 conn->mtu = hcon->hdev->le_mtu;
1402 break;
1403 }
1404 /* fall through */
1405
1406 default:
acd7d370 1407 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1408 break;
1409 }
acd7d370 1410
1da177e4
LT		 1411 conn->src = &hcon->hdev->bdaddr;
1412 conn->dst = &hcon->dst;
1413
4e8402a3
MH		 1414 conn->feat_mask = 0;
1415
1da177e4 1416 spin_lock_init(&conn->lock);
3df91ea2 1417 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1418
1419 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1420
5d3de7df 1421 if (hcon->type == LE_LINK)
6c9d42a1 1422 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1423 else
030013d8 1424 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1425
9f5a0d7b 1426 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1427
1da177e4
LT		 1428 return conn;
1429}
1430
1da177e4 1431/* ---- Socket interface ---- */
1da177e4 1432
c2287681 1433/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1434 * Returns closest match.
1435 */
c2287681
IY		 1436static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1437 bdaddr_t *src,
1438 bdaddr_t *dst)
1da177e4 1439{
23691d75 1440 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1441
23691d75 1442 read_lock(&chan_list_lock);
e0f0cb56 1443
23691d75
GP		 1444 list_for_each_entry(c, &chan_list, global_l) {
1445 struct sock *sk = c->sk;
fe4128e0 1446
89bc500e 1447 if (state && c->state != state)
1da177e4
LT		 1448 continue;
1449
23691d75 1450 if (c->psm == psm) {
c2287681
IY		 1451 int src_match, dst_match;
1452 int src_any, dst_any;
1453
1da177e4 1454 /* Exact match. */
c2287681
IY		 1455 src_match = !bacmp(&bt_sk(sk)->src, src);
1456 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1457 if (src_match && dst_match) {
a7567b20 1458 read_unlock(&chan_list_lock);
23691d75
GP		 1459 return c;
1460 }
1da177e4
LT		 1461
1462 /* Closest match */
c2287681
IY		 1463 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1464 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1465 if ((src_match && dst_any) || (src_any && dst_match) ||
1466 (src_any && dst_any))
23691d75 1467 c1 = c;
1da177e4
LT		 1468 }
1469 }
1da177e4 1470
23691d75 1471 read_unlock(&chan_list_lock);
e0f0cb56 1472
23691d75 1473 return c1;
1da177e4
LT		 1474}
1475
8e9f9892
AG		 1476int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1477 bdaddr_t *dst, u8 dst_type)
1da177e4 1478{
5d41ce1d 1479 struct sock *sk = chan->sk;
1da177e4 1480 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1481 struct l2cap_conn *conn;
1482 struct hci_conn *hcon;
1483 struct hci_dev *hdev;
09ab6f4c 1484 __u8 auth_type;
44d0e48e 1485 int err;
1da177e4 1486
6ed93dc6 1487 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1488 dst_type, __le16_to_cpu(psm));
1da177e4 1489
af05b30b
GP		 1490 hdev = hci_get_route(dst, src);
1491 if (!hdev)
1da177e4
LT		 1492 return -EHOSTUNREACH;
1493
09fd0de5 1494 hci_dev_lock(hdev);
1da177e4 1495
6be36555 1496 l2cap_chan_lock(chan);
03a00194
GP		 1497
1498 /* PSM must be odd and lsb of upper byte must be 0 */
1499 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1500 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1501 err = -EINVAL;
1502 goto done;
1503 }
1504
1505 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1506 err = -EINVAL;
1507 goto done;
1508 }
1509
1510 switch (chan->mode) {
1511 case L2CAP_MODE_BASIC:
1512 break;
1513 case L2CAP_MODE_ERTM:
1514 case L2CAP_MODE_STREAMING:
1515 if (!disable_ertm)
1516 break;
1517 /* fall through */
1518 default:
1519 err = -ENOTSUPP;
1520 goto done;
1521 }
1522
0797e01d 1523 switch (chan->state) {
03a00194
GP		 1524 case BT_CONNECT:
1525 case BT_CONNECT2:
1526 case BT_CONFIG:
1527 /* Already connecting */
1528 err = 0;
1529 goto done;
1530
1531 case BT_CONNECTED:
1532 /* Already connected */
1533 err = -EISCONN;
1534 goto done;
1535
1536 case BT_OPEN:
1537 case BT_BOUND:
1538 /* Can connect */
1539 break;
1540
1541 default:
1542 err = -EBADFD;
1543 goto done;
1544 }
1545
1546 /* Set destination address and psm */
0797e01d 1547 lock_sock(sk);
9219b2a0 1548 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1549 release_sock(sk);
1550
03a00194
GP		 1551 chan->psm = psm;
1552 chan->dcid = cid;
1da177e4 1553
4343478f 1554 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1555
fe4128e0 1556 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1557 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1558 chan->sec_level, auth_type);
acd7d370 1559 else
8e9f9892 1560 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1561 chan->sec_level, auth_type);
acd7d370 1562
30e76272
VT		 1563 if (IS_ERR(hcon)) {
1564 err = PTR_ERR(hcon);
1da177e4 1565 goto done;
30e76272 1566 }
1da177e4
LT		 1567
1568 conn = l2cap_conn_add(hcon, 0);
1569 if (!conn) {
1570 hci_conn_put(hcon);
30e76272 1571 err = -ENOMEM;
1da177e4
LT		 1572 goto done;
1573 }
1574
9f0caeb1
VCG		 1575 if (hcon->type == LE_LINK) {
1576 err = 0;
1577
1578 if (!list_empty(&conn->chan_l)) {
1579 err = -EBUSY;
1580 hci_conn_put(hcon);
1581 }
1582
1583 if (err)
1584 goto done;
1585 }
1586
1da177e4
LT		 1587 /* Update source addr of the socket */
1588 bacpy(src, conn->src);
1589
6be36555 1590 l2cap_chan_unlock(chan);
48454079 1591 l2cap_chan_add(conn, chan);
6be36555 1592 l2cap_chan_lock(chan);
48454079 1593
6be36555 1594 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1595 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1596
1597 if (hcon->state == BT_CONNECTED) {
715ec005 1598 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1599 __clear_chan_timer(chan);
d45fc423 1600 if (l2cap_chan_check_security(chan))
6be36555 1601 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1602 } else
fc7f8a7e 1603 l2cap_do_start(chan);
1da177e4
LT		 1604 }
1605
30e76272
VT		 1606 err = 0;
1607
1da177e4 1608done:
6be36555 1609 l2cap_chan_unlock(chan);
09fd0de5 1610 hci_dev_unlock(hdev);
1da177e4
LT		 1611 hci_dev_put(hdev);
1612 return err;
1613}
1614
dcba0dba 1615int __l2cap_wait_ack(struct sock *sk)
6161c038 1616{
8c1d787b 1617 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1618 DECLARE_WAITQUEUE(wait, current);
1619 int err = 0;
1620 int timeo = HZ/5;
1621
2b0b05dd 1622 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1623 set_current_state(TASK_INTERRUPTIBLE);
1624 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1625 if (!timeo)
1626 timeo = HZ/5;
1627
1628 if (signal_pending(current)) {
1629 err = sock_intr_errno(timeo);
1630 break;
1631 }
1632
1633 release_sock(sk);
1634 timeo = schedule_timeout(timeo);
1635 lock_sock(sk);
a71a0cf4 1636 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1637
1638 err = sock_error(sk);
1639 if (err)
1640 break;
1641 }
1642 set_current_state(TASK_RUNNING);
2b0b05dd 1643 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1644 return err;
1645}
1646
721c4181 1647static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1648{
721c4181 1649 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1650 monitor_timer.work);
e90bac06 1651
525cd185 1652 BT_DBG("chan %p", chan);
0e98958d 1653
6be36555
AE		 1654 l2cap_chan_lock(chan);
1655
80909e04 1656 if (!chan->conn) {
6be36555 1657 l2cap_chan_unlock(chan);
8d7e1c7f 1658 l2cap_chan_put(chan);
e90bac06
GP		 1659 return;
1660 }
1661
401bb1f7 1662 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1663
6be36555 1664 l2cap_chan_unlock(chan);
8d7e1c7f 1665 l2cap_chan_put(chan);
e90bac06
GP		 1666}
1667
721c4181 1668static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1669{
721c4181 1670 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1671 retrans_timer.work);
e90bac06 1672
49208c9c 1673 BT_DBG("chan %p", chan);
0e98958d 1674
6be36555
AE		 1675 l2cap_chan_lock(chan);
1676
80909e04
MM		 1677 if (!chan->conn) {
1678 l2cap_chan_unlock(chan);
1679 l2cap_chan_put(chan);
1680 return;
1681 }
6be36555 1682
401bb1f7 1683 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1684 l2cap_chan_unlock(chan);
8d7e1c7f 1685 l2cap_chan_put(chan);
e90bac06
GP		 1686}
1687
d660366d
GP		 1688static void l2cap_streaming_send(struct l2cap_chan *chan,
1689 struct sk_buff_head *skbs)
6840ed07 1690{
ccbb84af 1691 struct sk_buff *skb;
3733937d 1692 struct l2cap_ctrl *control;
6840ed07 1693
3733937d
MM		 1694 BT_DBG("chan %p, skbs %p", chan, skbs);
1695
3733937d
MM		 1696 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1697
1698 while (!skb_queue_empty(&chan->tx_q)) {
1699
1700 skb = skb_dequeue(&chan->tx_q);
1701
1702 bt_cb(skb)->control.retries = 1;
1703 control = &bt_cb(skb)->control;
1704
1705 control->reqseq = 0;
1706 control->txseq = chan->next_tx_seq;
1707
1708 __pack_control(chan, control, skb);
6840ed07 1709
47d1ec61 1710 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1711 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1712 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1713 }
1714
4343478f 1715 l2cap_do_send(chan, skb);
6840ed07 1716
b4400672 1717 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1718
836be934 1719 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1720 chan->frames_sent++;
6840ed07 1721 }
6840ed07
GP		 1722}
1723
67c9e840 1724static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1725{
1726 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1727 struct l2cap_ctrl *control;
1728 int sent = 0;
1729
1730 BT_DBG("chan %p", chan);
1c2acffb 1731
89bc500e 1732 if (chan->state != BT_CONNECTED)
c13ffa62 1733 return -ENOTCONN;
e90bac06 1734
94122bbe
MM		 1735 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1736 return 0;
1737
18a48e76
MM		 1738 while (chan->tx_send_head &&
1739 chan->unacked_frames < chan->remote_tx_win &&
1740 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1741
18a48e76 1742 skb = chan->tx_send_head;
e90bac06 1743
18a48e76
MM		 1744 bt_cb(skb)->control.retries = 1;
1745 control = &bt_cb(skb)->control;
95ffa978 1746
e2ab4353 1747 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1748 control->final = 1;
e2ab4353 1749
18a48e76
MM		 1750 control->reqseq = chan->buffer_seq;
1751 chan->last_acked_seq = chan->buffer_seq;
1752 control->txseq = chan->next_tx_seq;
1c2acffb 1753
18a48e76 1754 __pack_control(chan, control, skb);
e90bac06 1755
47d1ec61 1756 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1757 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1758 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1759 }
1760
18a48e76
MM		 1761 /* Clone after data has been modified. Data is assumed to be
1762 read-only (for locking purposes) on cloned sk_buffs.
1763 */
1764 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1765
18a48e76
MM		 1766 if (!tx_skb)
1767 break;
1c2acffb 1768
18a48e76 1769 __set_retrans_timer(chan);
836be934
AE		 1770
1771 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1772 chan->unacked_frames++;
6a026610 1773 chan->frames_sent++;
18a48e76 1774 sent++;
1c2acffb 1775
58d35f87
GP		 1776 if (skb_queue_is_last(&chan->tx_q, skb))
1777 chan->tx_send_head = NULL;
1c2acffb 1778 else
58d35f87 1779 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1780
1781 l2cap_do_send(chan, tx_skb);
b4400672 1782 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1783 }
1784
b4400672
AE		 1785 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1786 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1787
1788 return sent;
9e917af1
GP		 1789}
1790
e1fbd4c1
MM		 1791static void l2cap_ertm_resend(struct l2cap_chan *chan)
1792{
1793 struct l2cap_ctrl control;
1794 struct sk_buff *skb;
1795 struct sk_buff *tx_skb;
1796 u16 seq;
1797
1798 BT_DBG("chan %p", chan);
1799
1800 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1801 return;
1802
1803 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1804 seq = l2cap_seq_list_pop(&chan->retrans_list);
1805
1806 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1807 if (!skb) {
1808 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1809 seq);
e1fbd4c1
MM		 1810 continue;
1811 }
1812
1813 bt_cb(skb)->control.retries++;
1814 control = bt_cb(skb)->control;
1815
1816 if (chan->max_tx != 0 &&
1817 bt_cb(skb)->control.retries > chan->max_tx) {
1818 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1819 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1820 l2cap_seq_list_clear(&chan->retrans_list);
1821 break;
1822 }
1823
1824 control.reqseq = chan->buffer_seq;
1825 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1826 control.final = 1;
1827 else
1828 control.final = 0;
1829
1830 if (skb_cloned(skb)) {
1831 /* Cloned sk_buffs are read-only, so we need a
1832 * writeable copy
1833 */
8bcde1f2 1834 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1835 } else {
8bcde1f2 1836 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1837 }
1838
1839 if (!tx_skb) {
1840 l2cap_seq_list_clear(&chan->retrans_list);
1841 break;
1842 }
1843
1844 /* Update skb contents */
1845 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1846 put_unaligned_le32(__pack_extended_control(&control),
1847 tx_skb->data + L2CAP_HDR_SIZE);
1848 } else {
1849 put_unaligned_le16(__pack_enhanced_control(&control),
1850 tx_skb->data + L2CAP_HDR_SIZE);
1851 }
1852
1853 if (chan->fcs == L2CAP_FCS_CRC16) {
1854 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1855 put_unaligned_le16(fcs, skb_put(tx_skb,
1856 L2CAP_FCS_SIZE));
1857 }
1858
1859 l2cap_do_send(chan, tx_skb);
1860
1861 BT_DBG("Resent txseq %d", control.txseq);
1862
1863 chan->last_acked_seq = chan->buffer_seq;
1864 }
1865}
1866
f80842a8
MM		 1867static void l2cap_retransmit(struct l2cap_chan *chan,
1868 struct l2cap_ctrl *control)
1869{
1870 BT_DBG("chan %p, control %p", chan, control);
1871
1872 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1873 l2cap_ertm_resend(chan);
1874}
1875
d2a7ac5d
MM		 1876static void l2cap_retransmit_all(struct l2cap_chan *chan,
1877 struct l2cap_ctrl *control)
1878{
e1fbd4c1
MM		 1879 struct sk_buff *skb;
1880
1881 BT_DBG("chan %p, control %p", chan, control);
1882
1883 if (control->poll)
1884 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1885
1886 l2cap_seq_list_clear(&chan->retrans_list);
1887
1888 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1889 return;
1890
1891 if (chan->unacked_frames) {
1892 skb_queue_walk(&chan->tx_q, skb) {
1893 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 1894 skb == chan->tx_send_head)
e1fbd4c1
MM		 1895 break;
1896 }
1897
1898 skb_queue_walk_from(&chan->tx_q, skb) {
1899 if (skb == chan->tx_send_head)
1900 break;
1901
1902 l2cap_seq_list_append(&chan->retrans_list,
1903 bt_cb(skb)->control.txseq);
1904 }
1905
1906 l2cap_ertm_resend(chan);
1907 }
d2a7ac5d
MM		 1908}
1909
0a0aba42 1910static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1911{
0a0aba42
MM		 1912 struct l2cap_ctrl control;
1913 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1914 chan->last_acked_seq);
1915 int threshold;
9e917af1 1916
0a0aba42
MM		 1917 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1918 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1919
0a0aba42
MM		 1920 memset(&control, 0, sizeof(control));
1921 control.sframe = 1;
dfc909be 1922
0a0aba42
MM		 1923 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1924 chan->rx_state == L2CAP_RX_STATE_RECV) {
1925 __clear_ack_timer(chan);
1926 control.super = L2CAP_SUPER_RNR;
1927 control.reqseq = chan->buffer_seq;
1928 l2cap_send_sframe(chan, &control);
1929 } else {
1930 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1931 l2cap_ertm_send(chan);
1932 /* If any i-frames were sent, they included an ack */
1933 if (chan->buffer_seq == chan->last_acked_seq)
1934 frames_to_ack = 0;
1935 }
dfc909be 1936
c20f8e35 1937 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1938 * Calculate without mul or div
1939 */
c20f8e35 1940 threshold = chan->ack_win;
0a0aba42
MM		 1941 threshold += threshold << 1;
1942 threshold >>= 2;
1943
b4400672 1944 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1945 threshold);
1946
1947 if (frames_to_ack >= threshold) {
1948 __clear_ack_timer(chan);
1949 control.super = L2CAP_SUPER_RR;
1950 control.reqseq = chan->buffer_seq;
1951 l2cap_send_sframe(chan, &control);
1952 frames_to_ack = 0;
1953 }
1c2acffb 1954
0a0aba42
MM		 1955 if (frames_to_ack)
1956 __set_ack_timer(chan);
1957 }
b17e73bb
SJ		 1958}
1959
04124681
GP		 1960static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1961 struct msghdr *msg, int len,
1962 int count, struct sk_buff *skb)
1c2acffb 1963{
0952a57a 1964 struct l2cap_conn *conn = chan->conn;
1c2acffb 1965 struct sk_buff **frag;
90338947 1966 int sent = 0;
1da177e4 1967
59203a21 1968 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1969 return -EFAULT;
1da177e4
LT		 1970
1971 sent += count;
1972 len -= count;
1973
1974 /* Continuation fragments (no L2CAP header) */
1975 frag = &skb_shinfo(skb)->frag_list;
1976 while (len) {
fbe00700
GP		 1977 struct sk_buff *tmp;
1978
1da177e4
LT		 1979 count = min_t(unsigned int, conn->mtu, len);
1980
fbe00700
GP		 1981 tmp = chan->ops->alloc_skb(chan, count,
1982 msg->msg_flags & MSG_DONTWAIT);
1983 if (IS_ERR(tmp))
1984 return PTR_ERR(tmp);
1985
1986 *frag = tmp;
2f7719ce 1987
1c2acffb
GP		 1988 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1989 return -EFAULT;
1da177e4 1990
5e59b791
LAD		 1991 (*frag)->priority = skb->priority;
1992
1da177e4
LT		 1993 sent += count;
1994 len -= count;
1995
2d0ed3d5
GP		 1996 skb->len += (*frag)->len;
1997 skb->data_len += (*frag)->len;
1998
1da177e4
LT		 1999 frag = &(*frag)->next;
2000 }
1da177e4
LT		 2001
2002 return sent;
1c2acffb 2003}
1da177e4 2004
5e59b791 2005static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2006 struct msghdr *msg, size_t len,
2007 u32 priority)
1c2acffb 2008{
8c1d787b 2009 struct l2cap_conn *conn = chan->conn;
1c2acffb 2010 struct sk_buff *skb;
03a51213 2011 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2012 struct l2cap_hdr *lh;
2013
b4400672 2014 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2015
2016 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2017
2018 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2019 msg->msg_flags & MSG_DONTWAIT);
2020 if (IS_ERR(skb))
2021 return skb;
1c2acffb 2022
5e59b791
LAD		 2023 skb->priority = priority;
2024
1c2acffb
GP		 2025 /* Create L2CAP header */
2026 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2027 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2028 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2029 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2030
0952a57a 2031 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2032 if (unlikely(err < 0)) {
2033 kfree_skb(skb);
2034 return ERR_PTR(err);
2035 }
2036 return skb;
2037}
2038
5e59b791 2039static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2040 struct msghdr *msg, size_t len,
2041 u32 priority)
1c2acffb 2042{
8c1d787b 2043 struct l2cap_conn *conn = chan->conn;
1c2acffb 2044 struct sk_buff *skb;
f2ba7fae 2045 int err, count;
1c2acffb
GP		 2046 struct l2cap_hdr *lh;
2047
b4400672 2048 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2049
f2ba7fae 2050 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2051
f2ba7fae 2052 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2053 msg->msg_flags & MSG_DONTWAIT);
2054 if (IS_ERR(skb))
2055 return skb;
1c2acffb 2056
5e59b791
LAD		 2057 skb->priority = priority;
2058
1c2acffb
GP		 2059 /* Create L2CAP header */
2060 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2061 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2062 lh->len = cpu_to_le16(len);
1c2acffb 2063
0952a57a 2064 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2065 if (unlikely(err < 0)) {
2066 kfree_skb(skb);
2067 return ERR_PTR(err);
2068 }
2069 return skb;
2070}
2071
ab0ff76d 2072static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2073 struct msghdr *msg, size_t len,
2074 u16 sdulen)
1c2acffb 2075{
8c1d787b 2076 struct l2cap_conn *conn = chan->conn;
1c2acffb 2077 struct sk_buff *skb;
e4ca6d98 2078 int err, count, hlen;
1c2acffb
GP		 2079 struct l2cap_hdr *lh;
2080
b4400672 2081 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2082
0ee0d208
GP		 2083 if (!conn)
2084 return ERR_PTR(-ENOTCONN);
2085
ba7aa64f 2086 hlen = __ertm_hdr_size(chan);
e4ca6d98 2087
c74e560c 2088 if (sdulen)
03a51213 2089 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2090
47d1ec61 2091 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2092 hlen += L2CAP_FCS_SIZE;
fcc203c3 2093
1c2acffb 2094 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2095
2096 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2097 msg->msg_flags & MSG_DONTWAIT);
2098 if (IS_ERR(skb))
2099 return skb;
1c2acffb
GP		 2100
2101 /* Create L2CAP header */
2102 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2103 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2104 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2105
18a48e76
MM		 2106 /* Control header is populated later */
2107 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2108 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2109 else
2110 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2111
c74e560c 2112 if (sdulen)
03a51213 2113 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2114
0952a57a 2115 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2116 if (unlikely(err < 0)) {
2117 kfree_skb(skb);
2118 return ERR_PTR(err);
2119 }
e90bac06 2120
18a48e76 2121 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2122 bt_cb(skb)->control.retries = 0;
1c2acffb 2123 return skb;
1da177e4
LT		 2124}
2125
94122bbe
MM		 2126static int l2cap_segment_sdu(struct l2cap_chan *chan,
2127 struct sk_buff_head *seg_queue,
2128 struct msghdr *msg, size_t len)
c74e560c 2129{
c74e560c 2130 struct sk_buff *skb;
94122bbe
MM		 2131 u16 sdu_len;
2132 size_t pdu_len;
94122bbe 2133 u8 sar;
c74e560c 2134
b4400672 2135 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2136
94122bbe
MM		 2137 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2138 * so fragmented skbs are not used. The HCI layer's handling
2139 * of fragmented skbs is not compatible with ERTM's queueing.
2140 */
c74e560c 2141
94122bbe
MM		 2142 /* PDU size is derived from the HCI MTU */
2143 pdu_len = chan->conn->mtu;
c74e560c 2144
94122bbe
MM		 2145 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2146
2147 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2148 if (chan->fcs)
2149 pdu_len -= L2CAP_FCS_SIZE;
2150
ba7aa64f 2151 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2152
2153 /* Remote device may have requested smaller PDUs */
2154 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2155
2156 if (len <= pdu_len) {
2157 sar = L2CAP_SAR_UNSEGMENTED;
2158 sdu_len = 0;
2159 pdu_len = len;
2160 } else {
2161 sar = L2CAP_SAR_START;
2162 sdu_len = len;
2163 pdu_len -= L2CAP_SDULEN_SIZE;
2164 }
2165
2166 while (len > 0) {
2167 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2168
c74e560c 2169 if (IS_ERR(skb)) {
94122bbe 2170 __skb_queue_purge(seg_queue);
c74e560c
GP		 2171 return PTR_ERR(skb);
2172 }
2173
94122bbe
MM		 2174 bt_cb(skb)->control.sar = sar;
2175 __skb_queue_tail(seg_queue, skb);
2176
2177 len -= pdu_len;
2178 if (sdu_len) {
2179 sdu_len = 0;
2180 pdu_len += L2CAP_SDULEN_SIZE;
2181 }
2182
2183 if (len <= pdu_len) {
2184 sar = L2CAP_SAR_END;
2185 pdu_len = len;
2186 } else {
2187 sar = L2CAP_SAR_CONTINUE;
2188 }
c74e560c 2189 }
c74e560c 2190
f0f62799 2191 return 0;
c74e560c
GP		 2192}
2193
5e59b791 2194int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2195 u32 priority)
9a91a04a 2196{
9a91a04a 2197 struct sk_buff *skb;
9a91a04a 2198 int err;
94122bbe 2199 struct sk_buff_head seg_queue;
9a91a04a
GP		 2200
2201 /* Connectionless channel */
715ec005 2202 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2203 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2204 if (IS_ERR(skb))
2205 return PTR_ERR(skb);
2206
2207 l2cap_do_send(chan, skb);
2208 return len;
2209 }
2210
2211 switch (chan->mode) {
2212 case L2CAP_MODE_BASIC:
2213 /* Check outgoing MTU */
2214 if (len > chan->omtu)
2215 return -EMSGSIZE;
2216
2217 /* Create a basic PDU */
5e59b791 2218 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2219 if (IS_ERR(skb))
2220 return PTR_ERR(skb);
2221
2222 l2cap_do_send(chan, skb);
2223 err = len;
2224 break;
2225
2226 case L2CAP_MODE_ERTM:
2227 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2228 /* Check outgoing MTU */
2229 if (len > chan->omtu) {
2230 err = -EMSGSIZE;
2231 break;
2232 }
9a91a04a 2233
94122bbe 2234 __skb_queue_head_init(&seg_queue);
9a91a04a 2235
94122bbe
MM		 2236 /* Do segmentation before calling in to the state machine,
2237 * since it's possible to block while waiting for memory
2238 * allocation.
2239 */
2240 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2241
94122bbe
MM		 2242 /* The channel could have been closed while segmenting,
2243 * check that it is still connected.
2244 */
2245 if (chan->state != BT_CONNECTED) {
2246 __skb_queue_purge(&seg_queue);
2247 err = -ENOTCONN;
9a91a04a
GP		 2248 }
2249
94122bbe 2250 if (err)
9a91a04a 2251 break;
9a91a04a 2252
3733937d 2253 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2254 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2255 else
d660366d 2256 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2257
d660366d 2258 err = len;
9a91a04a 2259
94122bbe
MM		 2260 /* If the skbs were not queued for sending, they'll still be in
2261 * seg_queue and need to be purged.
2262 */
2263 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2264 break;
2265
2266 default:
2267 BT_DBG("bad state %1.1x", chan->mode);
2268 err = -EBADFD;
2269 }
2270
2271 return err;
2272}
2273
d2a7ac5d
MM		 2274static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2275{
bed68bde
MM		 2276 struct l2cap_ctrl control;
2277 u16 seq;
2278
b4400672 2279 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2280
2281 memset(&control, 0, sizeof(control));
2282 control.sframe = 1;
2283 control.super = L2CAP_SUPER_SREJ;
2284
2285 for (seq = chan->expected_tx_seq; seq != txseq;
2286 seq = __next_seq(chan, seq)) {
2287 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2288 control.reqseq = seq;
2289 l2cap_send_sframe(chan, &control);
2290 l2cap_seq_list_append(&chan->srej_list, seq);
2291 }
2292 }
2293
2294 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2295}
2296
2297static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2298{
bed68bde
MM		 2299 struct l2cap_ctrl control;
2300
2301 BT_DBG("chan %p", chan);
2302
2303 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2304 return;
2305
2306 memset(&control, 0, sizeof(control));
2307 control.sframe = 1;
2308 control.super = L2CAP_SUPER_SREJ;
2309 control.reqseq = chan->srej_list.tail;
2310 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2311}
2312
2313static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2314{
bed68bde
MM		 2315 struct l2cap_ctrl control;
2316 u16 initial_head;
2317 u16 seq;
2318
b4400672 2319 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2320
2321 memset(&control, 0, sizeof(control));
2322 control.sframe = 1;
2323 control.super = L2CAP_SUPER_SREJ;
2324
2325 /* Capture initial list head to allow only one pass through the list. */
2326 initial_head = chan->srej_list.head;
2327
2328 do {
2329 seq = l2cap_seq_list_pop(&chan->srej_list);
2330 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2331 break;
2332
2333 control.reqseq = seq;
2334 l2cap_send_sframe(chan, &control);
2335 l2cap_seq_list_append(&chan->srej_list, seq);
2336 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2337}
2338
608bcc6d
MM		 2339static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2340{
2341 struct sk_buff *acked_skb;
2342 u16 ackseq;
2343
b4400672 2344 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2345
2346 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2347 return;
2348
b4400672 2349 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2350 chan->expected_ack_seq, chan->unacked_frames);
2351
2352 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2353 ackseq = __next_seq(chan, ackseq)) {
2354
2355 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2356 if (acked_skb) {
2357 skb_unlink(acked_skb, &chan->tx_q);
2358 kfree_skb(acked_skb);
2359 chan->unacked_frames--;
2360 }
2361 }
2362
2363 chan->expected_ack_seq = reqseq;
2364
2365 if (chan->unacked_frames == 0)
2366 __clear_retrans_timer(chan);
2367
b4400672 2368 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2369}
2370
2371static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2372{
2373 BT_DBG("chan %p", chan);
2374
2375 chan->expected_tx_seq = chan->buffer_seq;
2376 l2cap_seq_list_clear(&chan->srej_list);
2377 skb_queue_purge(&chan->srej_q);
2378 chan->rx_state = L2CAP_RX_STATE_RECV;
2379}
2380
d660366d
GP		 2381static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2382 struct l2cap_ctrl *control,
2383 struct sk_buff_head *skbs, u8 event)
608bcc6d 2384{
608bcc6d
MM		 2385 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2386 event);
2387
2388 switch (event) {
2389 case L2CAP_EV_DATA_REQUEST:
2390 if (chan->tx_send_head == NULL)
2391 chan->tx_send_head = skb_peek(skbs);
2392
2393 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2394 l2cap_ertm_send(chan);
2395 break;
2396 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2397 BT_DBG("Enter LOCAL_BUSY");
2398 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2399
2400 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2401 /* The SREJ_SENT state must be aborted if we are to
2402 * enter the LOCAL_BUSY state.
2403 */
2404 l2cap_abort_rx_srej_sent(chan);
2405 }
2406
2407 l2cap_send_ack(chan);
2408
2409 break;
2410 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2411 BT_DBG("Exit LOCAL_BUSY");
2412 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2413
2414 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2415 struct l2cap_ctrl local_control;
2416
2417 memset(&local_control, 0, sizeof(local_control));
2418 local_control.sframe = 1;
2419 local_control.super = L2CAP_SUPER_RR;
2420 local_control.poll = 1;
2421 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2422 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2423
2424 chan->retry_count = 1;
2425 __set_monitor_timer(chan);
2426 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2427 }
2428 break;
2429 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2430 l2cap_process_reqseq(chan, control->reqseq);
2431 break;
2432 case L2CAP_EV_EXPLICIT_POLL:
2433 l2cap_send_rr_or_rnr(chan, 1);
2434 chan->retry_count = 1;
2435 __set_monitor_timer(chan);
2436 __clear_ack_timer(chan);
2437 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2438 break;
2439 case L2CAP_EV_RETRANS_TO:
2440 l2cap_send_rr_or_rnr(chan, 1);
2441 chan->retry_count = 1;
2442 __set_monitor_timer(chan);
2443 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2444 break;
2445 case L2CAP_EV_RECV_FBIT:
2446 /* Nothing to process */
2447 break;
2448 default:
2449 break;
2450 }
608bcc6d
MM		 2451}
2452
d660366d
GP		 2453static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2454 struct l2cap_ctrl *control,
2455 struct sk_buff_head *skbs, u8 event)
608bcc6d 2456{
608bcc6d
MM		 2457 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2458 event);
2459
2460 switch (event) {
2461 case L2CAP_EV_DATA_REQUEST:
2462 if (chan->tx_send_head == NULL)
2463 chan->tx_send_head = skb_peek(skbs);
2464 /* Queue data, but don't send. */
2465 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2466 break;
2467 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2468 BT_DBG("Enter LOCAL_BUSY");
2469 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2470
2471 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2472 /* The SREJ_SENT state must be aborted if we are to
2473 * enter the LOCAL_BUSY state.
2474 */
2475 l2cap_abort_rx_srej_sent(chan);
2476 }
2477
2478 l2cap_send_ack(chan);
2479
2480 break;
2481 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2482 BT_DBG("Exit LOCAL_BUSY");
2483 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2484
2485 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2486 struct l2cap_ctrl local_control;
2487 memset(&local_control, 0, sizeof(local_control));
2488 local_control.sframe = 1;
2489 local_control.super = L2CAP_SUPER_RR;
2490 local_control.poll = 1;
2491 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2492 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2493
2494 chan->retry_count = 1;
2495 __set_monitor_timer(chan);
2496 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2497 }
2498 break;
2499 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2500 l2cap_process_reqseq(chan, control->reqseq);
2501
2502 /* Fall through */
2503
2504 case L2CAP_EV_RECV_FBIT:
2505 if (control && control->final) {
2506 __clear_monitor_timer(chan);
2507 if (chan->unacked_frames > 0)
2508 __set_retrans_timer(chan);
2509 chan->retry_count = 0;
2510 chan->tx_state = L2CAP_TX_STATE_XMIT;
2511 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2512 }
2513 break;
2514 case L2CAP_EV_EXPLICIT_POLL:
2515 /* Ignore */
2516 break;
2517 case L2CAP_EV_MONITOR_TO:
2518 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2519 l2cap_send_rr_or_rnr(chan, 1);
2520 __set_monitor_timer(chan);
2521 chan->retry_count++;
2522 } else {
2523 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2524 }
2525 break;
2526 default:
2527 break;
2528 }
608bcc6d
MM		 2529}
2530
d660366d
GP		 2531static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2532 struct sk_buff_head *skbs, u8 event)
608bcc6d 2533{
608bcc6d
MM		 2534 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2535 chan, control, skbs, event, chan->tx_state);
2536
2537 switch (chan->tx_state) {
2538 case L2CAP_TX_STATE_XMIT:
d660366d 2539 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2540 break;
2541 case L2CAP_TX_STATE_WAIT_F:
d660366d 2542 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2543 break;
2544 default:
2545 /* Ignore event */
2546 break;
2547 }
608bcc6d
MM		 2548}
2549
4b51dae9
MM		 2550static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2551 struct l2cap_ctrl *control)
2552{
2553 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2554 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2555}
2556
f80842a8
MM		 2557static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2558 struct l2cap_ctrl *control)
2559{
2560 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2561 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2562}
2563
1da177e4
LT		 2564/* Copy frame to all raw sockets on that connection */
2565static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2566{
1da177e4 2567 struct sk_buff *nskb;
48454079 2568 struct l2cap_chan *chan;
1da177e4
LT		 2569
2570 BT_DBG("conn %p", conn);
2571
3df91ea2 2572 mutex_lock(&conn->chan_lock);
3d57dc68 2573
3df91ea2 2574 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2575 struct sock *sk = chan->sk;
715ec005 2576 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2577 continue;
2578
2579 /* Don't send frame to the socket it came from */
2580 if (skb->sk == sk)
2581 continue;
8bcde1f2 2582 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2583 if (!nskb)
1da177e4
LT		 2584 continue;
2585
80b98027 2586 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2587 kfree_skb(nskb);
2588 }
3d57dc68 2589
3df91ea2 2590 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2591}
2592
2593/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2594static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2595 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2596{
2597 struct sk_buff *skb, **frag;
2598 struct l2cap_cmd_hdr *cmd;
2599 struct l2cap_hdr *lh;
2600 int len, count;
2601
b4400672
AE		 2602 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2603 conn, code, ident, dlen);
1da177e4
LT		 2604
2605 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2606 count = min_t(unsigned int, conn->mtu, len);
2607
8bcde1f2 2608 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2609 if (!skb)
2610 return NULL;
2611
2612 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2613 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2614
2615 if (conn->hcon->type == LE_LINK)
ac73498c 2616 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2617 else
ac73498c 2618 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2619
2620 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2621 cmd->code = code;
2622 cmd->ident = ident;
aca3192c 2623 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2624
2625 if (dlen) {
2626 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2627 memcpy(skb_put(skb, count), data, count);
2628 data += count;
2629 }
2630
2631 len -= skb->len;
2632
2633 /* Continuation fragments (no L2CAP header) */
2634 frag = &skb_shinfo(skb)->frag_list;
2635 while (len) {
2636 count = min_t(unsigned int, conn->mtu, len);
2637
8bcde1f2 2638 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2639 if (!*frag)
2640 goto fail;
2641
2642 memcpy(skb_put(*frag, count), data, count);
2643
2644 len -= count;
2645 data += count;
2646
2647 frag = &(*frag)->next;
2648 }
2649
2650 return skb;
2651
2652fail:
2653 kfree_skb(skb);
2654 return NULL;
2655}
2656
2d792818
GP		 2657static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2658 unsigned long *val)
1da177e4
LT		 2659{
2660 struct l2cap_conf_opt *opt = *ptr;
2661 int len;
2662
2663 len = L2CAP_CONF_OPT_SIZE + opt->len;
2664 *ptr += len;
2665
2666 *type = opt->type;
2667 *olen = opt->len;
2668
2669 switch (opt->len) {
2670 case 1:
2671 *val = *((u8 *) opt->val);
2672 break;
2673
2674 case 2:
bfaaeb3e 2675 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2676 break;
2677
2678 case 4:
bfaaeb3e 2679 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2680 break;
2681
2682 default:
2683 *val = (unsigned long) opt->val;
2684 break;
2685 }
2686
b4400672 2687 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2688 return len;
2689}
2690
1da177e4
LT		 2691static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2692{
2693 struct l2cap_conf_opt *opt = *ptr;
2694
b4400672 2695 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2696
2697 opt->type = type;
2698 opt->len = len;
2699
2700 switch (len) {
2701 case 1:
2702 *((u8 *) opt->val) = val;
2703 break;
2704
2705 case 2:
4f8b691c 2706 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2707 break;
2708
2709 case 4:
4f8b691c 2710 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2711 break;
2712
2713 default:
2714 memcpy(opt->val, (void *) val, len);
2715 break;
2716 }
2717
2718 *ptr += L2CAP_CONF_OPT_SIZE + len;
2719}
2720
f89cef09
AE		 2721static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2722{
2723 struct l2cap_conf_efs efs;
2724
1ec918ce 2725 switch (chan->mode) {
f89cef09
AE		 2726 case L2CAP_MODE_ERTM:
2727 efs.id = chan->local_id;
2728 efs.stype = chan->local_stype;
2729 efs.msdu = cpu_to_le16(chan->local_msdu);
2730 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2731 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2732 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2733 break;
2734
2735 case L2CAP_MODE_STREAMING:
2736 efs.id = 1;
2737 efs.stype = L2CAP_SERV_BESTEFFORT;
2738 efs.msdu = cpu_to_le16(chan->local_msdu);
2739 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2740 efs.acc_lat = 0;
2741 efs.flush_to = 0;
2742 break;
2743
2744 default:
2745 return;
2746 }
2747
2748 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2749 (unsigned long) &efs);
f89cef09
AE		 2750}
2751
721c4181 2752static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2753{
721c4181 2754 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2755 ack_timer.work);
2756 u16 frames_to_ack;
c1b4f43b 2757
2fb9b3d4
GP		 2758 BT_DBG("chan %p", chan);
2759
6be36555
AE		 2760 l2cap_chan_lock(chan);
2761
0362520b
MM		 2762 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2763 chan->last_acked_seq);
6be36555 2764
0362520b
MM		 2765 if (frames_to_ack)
2766 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2767
0362520b 2768 l2cap_chan_unlock(chan);
09bfb2ee 2769 l2cap_chan_put(chan);
c1b4f43b
GP		 2770}
2771
466f8004 2772int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2773{
3c588192
MM		 2774 int err;
2775
105bdf9e
MM		 2776 chan->next_tx_seq = 0;
2777 chan->expected_tx_seq = 0;
42e5c802 2778 chan->expected_ack_seq = 0;
6a026610 2779 chan->unacked_frames = 0;
42e5c802 2780 chan->buffer_seq = 0;
6a026610 2781 chan->frames_sent = 0;
105bdf9e
MM		 2782 chan->last_acked_seq = 0;
2783 chan->sdu = NULL;
2784 chan->sdu_last_frag = NULL;
2785 chan->sdu_len = 0;
2786
d34c34fb
MM		 2787 skb_queue_head_init(&chan->tx_q);
2788
105bdf9e
MM		 2789 if (chan->mode != L2CAP_MODE_ERTM)
2790 return 0;
2791
2792 chan->rx_state = L2CAP_RX_STATE_RECV;
2793 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2794
721c4181
GP		 2795 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2796 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2797 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2798
f1c6775b 2799 skb_queue_head_init(&chan->srej_q);
1890d36b 2800
3c588192
MM		 2801 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2802 if (err < 0)
2803 return err;
2804
9dc9affc
MM		 2805 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2806 if (err < 0)
2807 l2cap_seq_list_free(&chan->srej_list);
2808
2809 return err;
0565c1c2
GP		 2810}
2811
f2fcfcd6
GP		 2812static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2813{
2814 switch (mode) {
2815 case L2CAP_MODE_STREAMING:
2816 case L2CAP_MODE_ERTM:
2817 if (l2cap_mode_supported(mode, remote_feat_mask))
2818 return mode;
2819 /* fall through */
2820 default:
2821 return L2CAP_MODE_BASIC;
2822 }
2823}
2824
6327eb98
AE		 2825static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2826{
2827 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2828}
2829
f89cef09
AE		 2830static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2831{
2832 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2833}
2834
6327eb98
AE		 2835static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2836{
2837 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 2838 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2839 /* use extended control field */
2840 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2841 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2842 } else {
6327eb98 2843 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 2844 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2845 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2846 }
c20f8e35 2847 chan->ack_win = chan->tx_win;
6327eb98
AE		 2848}
2849
710f9b0a 2850static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2851{
1da177e4 2852 struct l2cap_conf_req *req = data;
0c1bc5c6 2853 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2854 void *ptr = req->data;
c8f79162 2855 u16 size;
1da177e4 2856
49208c9c 2857 BT_DBG("chan %p", chan);
1da177e4 2858
73ffa904 2859 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2860 goto done;
2861
0c1bc5c6 2862 switch (chan->mode) {
f2fcfcd6
GP		 2863 case L2CAP_MODE_STREAMING:
2864 case L2CAP_MODE_ERTM:
c1360a1c 2865 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2866 break;
85eb53c6 2867
f89cef09
AE		 2868 if (__l2cap_efs_supported(chan))
2869 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2870
2ba13ed6 2871 /* fall through */
f2fcfcd6 2872 default:
8c1d787b 2873 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2874 break;
2875 }
2876
2877done:
0c1bc5c6
GP		 2878 if (chan->imtu != L2CAP_DEFAULT_MTU)
2879 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2880
0c1bc5c6 2881 switch (chan->mode) {
65c7c491 2882 case L2CAP_MODE_BASIC:
8c1d787b 2883 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 2884 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2885 break;
2886
62547752
GP		 2887 rfc.mode = L2CAP_MODE_BASIC;
2888 rfc.txwin_size = 0;
2889 rfc.max_transmit = 0;
2890 rfc.retrans_timeout = 0;
2891 rfc.monitor_timeout = 0;
2892 rfc.max_pdu_size = 0;
2893
63406504 2894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2895 (unsigned long) &rfc);
65c7c491
MH		 2896 break;
2897
2898 case L2CAP_MODE_ERTM:
2899 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2900 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2901 rfc.retrans_timeout = 0;
2902 rfc.monitor_timeout = 0;
c8f79162
AE		 2903
2904 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2905 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2906 L2CAP_FCS_SIZE);
c8f79162 2907 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2908
6327eb98
AE		 2909 l2cap_txwin_setup(chan);
2910
2911 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 2912 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2913
63406504 2914 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2915 (unsigned long) &rfc);
63406504 2916
f89cef09
AE		 2917 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2918 l2cap_add_opt_efs(&ptr, chan);
2919
8c1d787b 2920 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2921 break;
2922
47d1ec61 2923 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2924 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2925 chan->fcs = L2CAP_FCS_NONE;
2926 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2927 }
6327eb98
AE		 2928
2929 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2930 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 2931 chan->tx_win);
f2fcfcd6
GP		 2932 break;
2933
2934 case L2CAP_MODE_STREAMING:
273759e2 2935 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2936 rfc.mode = L2CAP_MODE_STREAMING;
2937 rfc.txwin_size = 0;
2938 rfc.max_transmit = 0;
2939 rfc.retrans_timeout = 0;
2940 rfc.monitor_timeout = 0;
c8f79162
AE		 2941
2942 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2943 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2944 L2CAP_FCS_SIZE);
c8f79162 2945 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2946
63406504 2947 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2948 (unsigned long) &rfc);
63406504 2949
f89cef09
AE		 2950 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2951 l2cap_add_opt_efs(&ptr, chan);
2952
8c1d787b 2953 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2954 break;
2955
47d1ec61 2956 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2957 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2958 chan->fcs = L2CAP_FCS_NONE;
2959 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2960 }
65c7c491
MH		 2961 break;
2962 }
1da177e4 2963
fe4128e0 2964 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2965 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2966
2967 return ptr - data;
2968}
2969
73ffa904 2970static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2971{
5dee9e7c
MH		 2972 struct l2cap_conf_rsp *rsp = data;
2973 void *ptr = rsp->data;
73ffa904
GP		 2974 void *req = chan->conf_req;
2975 int len = chan->conf_len;
5dee9e7c
MH		 2976 int type, hint, olen;
2977 unsigned long val;
6464f35f 2978 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2979 struct l2cap_conf_efs efs;
2980 u8 remote_efs = 0;
861d6882 2981 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2982 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2983 u16 size;
1da177e4 2984
73ffa904 2985 BT_DBG("chan %p", chan);
820ae1b8 2986
5dee9e7c
MH		 2987 while (len >= L2CAP_CONF_OPT_SIZE) {
2988 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2989
589d2746 2990 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2991 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2992
2993 switch (type) {
2994 case L2CAP_CONF_MTU:
861d6882 2995 mtu = val;
5dee9e7c
MH		 2996 break;
2997
2998 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2999 chan->flush_to = val;
5dee9e7c
MH		 3000 break;
3001
3002 case L2CAP_CONF_QOS:
3003 break;
3004
6464f35f
MH		 3005 case L2CAP_CONF_RFC:
3006 if (olen == sizeof(rfc))
3007 memcpy(&rfc, (void *) val, olen);
3008 break;
3009
fcc203c3
GP		 3010 case L2CAP_CONF_FCS:
3011 if (val == L2CAP_FCS_NONE)
c1360a1c 3012 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3013 break;
fcc203c3 3014
42dceae2
AE		 3015 case L2CAP_CONF_EFS:
3016 remote_efs = 1;
3017 if (olen == sizeof(efs))
3018 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3019 break;
3020
6327eb98
AE		 3021 case L2CAP_CONF_EWS:
3022 if (!enable_hs)
3023 return -ECONNREFUSED;
fcc203c3 3024
6327eb98
AE		 3025 set_bit(FLAG_EXT_CTRL, &chan->flags);
3026 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3027 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3028 chan->remote_tx_win = val;
fcc203c3
GP		 3029 break;
3030
5dee9e7c
MH		 3031 default:
3032 if (hint)
3033 break;
3034
3035 result = L2CAP_CONF_UNKNOWN;
3036 *((u8 *) ptr++) = type;
3037 break;
3038 }
3039 }
3040
73ffa904 3041 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3042 goto done;
3043
0c1bc5c6 3044 switch (chan->mode) {
f2fcfcd6
GP		 3045 case L2CAP_MODE_STREAMING:
3046 case L2CAP_MODE_ERTM:
c1360a1c 3047 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3048 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3049 chan->conn->feat_mask);
85eb53c6
GP		 3050 break;
3051 }
3052
42dceae2
AE		 3053 if (remote_efs) {
3054 if (__l2cap_efs_supported(chan))
3055 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3056 else
3057 return -ECONNREFUSED;
3058 }
3059
0c1bc5c6 3060 if (chan->mode != rfc.mode)
f2fcfcd6 3061 return -ECONNREFUSED;
742e519b 3062
f2fcfcd6 3063 break;
f2fcfcd6
GP		 3064 }
3065
3066done:
0c1bc5c6 3067 if (chan->mode != rfc.mode) {
f2fcfcd6 3068 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3069 rfc.mode = chan->mode;
f2fcfcd6 3070
73ffa904 3071 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3072 return -ECONNREFUSED;
3073
2d792818
GP		 3074 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3075 (unsigned long) &rfc);
f2fcfcd6
GP		 3076 }
3077
5dee9e7c
MH		 3078 if (result == L2CAP_CONF_SUCCESS) {
3079 /* Configure output options and let the other side know
3080 * which ones we don't like. */
3081
f2fcfcd6
GP		 3082 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3083 result = L2CAP_CONF_UNACCEPT;
3084 else {
0c1bc5c6 3085 chan->omtu = mtu;
c1360a1c 3086 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3087 }
0c1bc5c6 3088 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3089
42dceae2
AE		 3090 if (remote_efs) {
3091 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3092 efs.stype != L2CAP_SERV_NOTRAFIC &&
3093 efs.stype != chan->local_stype) {
42dceae2
AE		 3094
3095 result = L2CAP_CONF_UNACCEPT;
3096
3097 if (chan->num_conf_req >= 1)
3098 return -ECONNREFUSED;
3099
3100 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3101 sizeof(efs),
3102 (unsigned long) &efs);
0e8b207e 3103 } else {
3e6b3b95 3104 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3105 result = L2CAP_CONF_PENDING;
3106 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3107 }
3108 }
3109
f2fcfcd6
GP		 3110 switch (rfc.mode) {
3111 case L2CAP_MODE_BASIC:
47d1ec61 3112 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3113 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3114 break;
3115
3116 case L2CAP_MODE_ERTM:
6327eb98
AE		 3117 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3118 chan->remote_tx_win = rfc.txwin_size;
3119 else
3120 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3121
2c03a7a4 3122 chan->remote_max_tx = rfc.max_transmit;
1c762159 3123
c8f79162 3124 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3125 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3126 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3127 rfc.max_pdu_size = cpu_to_le16(size);
3128 chan->remote_mps = size;
f2fcfcd6 3129
10467e9e 3130 rfc.retrans_timeout =
4fd21a88 3131 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3132 rfc.monitor_timeout =
4fd21a88 3133 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3134
c1360a1c 3135 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3136
3137 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3138 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3139
42dceae2
AE		 3140 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3141 chan->remote_id = efs.id;
3142 chan->remote_stype = efs.stype;
3143 chan->remote_msdu = le16_to_cpu(efs.msdu);
3144 chan->remote_flush_to =
2d792818 3145 le32_to_cpu(efs.flush_to);
42dceae2 3146 chan->remote_acc_lat =
2d792818 3147 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3148 chan->remote_sdu_itime =
3149 le32_to_cpu(efs.sdu_itime);
3150 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3151 sizeof(efs),
3152 (unsigned long) &efs);
42dceae2 3153 }
f2fcfcd6
GP		 3154 break;
3155
3156 case L2CAP_MODE_STREAMING:
c8f79162 3157 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3158 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3159 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3160 rfc.max_pdu_size = cpu_to_le16(size);
3161 chan->remote_mps = size;
f2fcfcd6 3162
c1360a1c 3163 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3164
2d792818
GP		 3165 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3166 (unsigned long) &rfc);
68ae6639 3167
f2fcfcd6
GP		 3168 break;
3169
3170 default:
5dee9e7c 3171 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3172
6464f35f 3173 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3174 rfc.mode = chan->mode;
f2fcfcd6 3175 }
6464f35f 3176
f2fcfcd6 3177 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3178 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3179 }
fe4128e0 3180 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3181 rsp->result = cpu_to_le16(result);
59e54bd1 3182 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3183
3184 return ptr - data;
1da177e4
LT		 3185}
3186
2d792818
GP		 3187static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3188 void *data, u16 *result)
f2fcfcd6 3189{
f2fcfcd6
GP		 3190 struct l2cap_conf_req *req = data;
3191 void *ptr = req->data;
3192 int type, olen;
3193 unsigned long val;
36e999a8 3194 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3195 struct l2cap_conf_efs efs;
f2fcfcd6 3196
fe4128e0 3197 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3198
3199 while (len >= L2CAP_CONF_OPT_SIZE) {
3200 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3201
3202 switch (type) {
3203 case L2CAP_CONF_MTU:
3204 if (val < L2CAP_DEFAULT_MIN_MTU) {
3205 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3206 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3207 } else
0c1bc5c6
GP		 3208 chan->imtu = val;
3209 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3210 break;
3211
3212 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3213 chan->flush_to = val;
f2fcfcd6 3214 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3215 2, chan->flush_to);
f2fcfcd6
GP		 3216 break;
3217
3218 case L2CAP_CONF_RFC:
3219 if (olen == sizeof(rfc))
3220 memcpy(&rfc, (void *)val, olen);
3221
c1360a1c 3222 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3223 rfc.mode != chan->mode)
f2fcfcd6
GP		 3224 return -ECONNREFUSED;
3225
47d1ec61 3226 chan->fcs = 0;
f2fcfcd6
GP		 3227
3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3229 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3230 break;
6327eb98
AE		 3231
3232 case L2CAP_CONF_EWS:
c20f8e35 3233 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3234 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3235 chan->tx_win);
6327eb98 3236 break;
66af7aaf
AE		 3237
3238 case L2CAP_CONF_EFS:
3239 if (olen == sizeof(efs))
3240 memcpy(&efs, (void *)val, olen);
3241
3242 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3243 efs.stype != L2CAP_SERV_NOTRAFIC &&
3244 efs.stype != chan->local_stype)
66af7aaf
AE		 3245 return -ECONNREFUSED;
3246
2d792818
GP		 3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3248 (unsigned long) &efs);
66af7aaf 3249 break;
f2fcfcd6
GP		 3250 }
3251 }
3252
0c1bc5c6 3253 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3254 return -ECONNREFUSED;
3255
0c1bc5c6 3256 chan->mode = rfc.mode;
6c2ea7a8 3257
0e8b207e 3258 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3259 switch (rfc.mode) {
3260 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3261 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3262 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3263 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3264 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3265 chan->ack_win = min_t(u16, chan->ack_win,
3266 rfc.txwin_size);
66af7aaf
AE		 3267
3268 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3269 chan->local_msdu = le16_to_cpu(efs.msdu);
3270 chan->local_sdu_itime =
2d792818 3271 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3272 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3273 chan->local_flush_to =
2d792818 3274 le32_to_cpu(efs.flush_to);
66af7aaf 3275 }
f2fcfcd6 3276 break;
66af7aaf 3277
f2fcfcd6 3278 case L2CAP_MODE_STREAMING:
47d1ec61 3279 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3280 }
3281 }
3282
fe4128e0 3283 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3284 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3285
3286 return ptr - data;
3287}
3288
2d792818
GP		 3289static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3290 u16 result, u16 flags)
1da177e4
LT		 3291{
3292 struct l2cap_conf_rsp *rsp = data;
3293 void *ptr = rsp->data;
1da177e4 3294
fe4128e0 3295 BT_DBG("chan %p", chan);
1da177e4 3296
fe4128e0 3297 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3298 rsp->result = cpu_to_le16(result);
aca3192c 3299 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3300
3301 return ptr - data;
3302}
3303
8c1d787b 3304void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3305{
3306 struct l2cap_conn_rsp rsp;
8c1d787b 3307 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3308 u8 buf[128];
3309
fe4128e0
GP		 3310 rsp.scid = cpu_to_le16(chan->dcid);
3311 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3312 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3313 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3314 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3315
c1360a1c 3316 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3317 return;
3318
710f9b0a 3319 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3320 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3321 chan->num_conf_req++;
3322}
3323
47d1ec61 3324static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3325{
7b1c0049
GP		 3326 int type, olen;
3327 unsigned long val;
c20f8e35
MM		 3328 /* Use sane default values in case a misbehaving remote device
3329 * did not send an RFC or extended window size option.
3330 */
3331 u16 txwin_ext = chan->ack_win;
3332 struct l2cap_conf_rfc rfc = {
3333 .mode = chan->mode,
3334 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3335 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3336 .max_pdu_size = cpu_to_le16(chan->imtu),
3337 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3338 };
7b1c0049 3339
47d1ec61 3340 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3341
0c1bc5c6 3342 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3343 return;
3344
3345 while (len >= L2CAP_CONF_OPT_SIZE) {
3346 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3347
c20f8e35
MM		 3348 switch (type) {
3349 case L2CAP_CONF_RFC:
3350 if (olen == sizeof(rfc))
3351 memcpy(&rfc, (void *)val, olen);
8f321f85 3352 break;
c20f8e35
MM		 3353 case L2CAP_CONF_EWS:
3354 txwin_ext = val;
3355 break;
3356 }
7b1c0049
GP		 3357 }
3358
7b1c0049
GP		 3359 switch (rfc.mode) {
3360 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3361 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3362 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3363 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3364 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3365 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3366 else
3367 chan->ack_win = min_t(u16, chan->ack_win,
3368 rfc.txwin_size);
7b1c0049
GP		 3369 break;
3370 case L2CAP_MODE_STREAMING:
47d1ec61 3371 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3372 }
3373}
3374
2d792818
GP		 3375static inline int l2cap_command_rej(struct l2cap_conn *conn,
3376 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3377{
e2fd318e 3378 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3379
e2fd318e 3380 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3381 return 0;
3382
3383 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3384 cmd->ident == conn->info_ident) {
17cd3f37 3385 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3386
3387 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3388 conn->info_ident = 0;
984947dc 3389
4e8402a3
MH		 3390 l2cap_conn_start(conn);
3391 }
3392
3393 return 0;
3394}
3395
4c89b6aa
MM		 3396static void __l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
3397 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3398{
1da177e4
LT		 3399 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3400 struct l2cap_conn_rsp rsp;
23691d75 3401 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3402 struct sock *parent, *sk = NULL;
e7c29cb1 3403 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3404
3405 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3406 __le16 psm = req->psm;
1da177e4 3407
097db76c 3408 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3409
3410 /* Check if we have socket listening on psm */
c2287681 3411 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3412 if (!pchan) {
1da177e4
LT		 3413 result = L2CAP_CR_BAD_PSM;
3414 goto sendresp;
3415 }
3416
23691d75
GP		 3417 parent = pchan->sk;
3418
3df91ea2 3419 mutex_lock(&conn->chan_lock);
aa2ac881 3420 lock_sock(parent);
e0f0cb56 3421
e7c29cb1 3422 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3423 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3424 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3425 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3426 result = L2CAP_CR_SEC_BLOCK;
3427 goto response;
3428 }
3429
1da177e4
LT		 3430 result = L2CAP_CR_NO_MEM;
3431
2dfa1003
GP		 3432 /* Check if we already have channel with that dcid */
3433 if (__l2cap_get_chan_by_dcid(conn, scid))
3434 goto response;
3435
80b98027 3436 chan = pchan->ops->new_connection(pchan);
80808e43 3437 if (!chan)
1da177e4
LT		 3438 goto response;
3439
80808e43
GP		 3440 sk = chan->sk;
3441
1da177e4
LT		 3442 hci_conn_hold(conn->hcon);
3443
1da177e4
LT		 3444 bacpy(&bt_sk(sk)->src, conn->src);
3445 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3446 chan->psm = psm;
3447 chan->dcid = scid;
1da177e4 3448
6be36555 3449 __l2cap_chan_add(conn, chan);
48454079 3450
fe4128e0 3451 dcid = chan->scid;
1da177e4 3452
c9b66675 3453 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3454
fc7f8a7e 3455 chan->ident = cmd->ident;
1da177e4 3456
984947dc 3457 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3458 if (l2cap_chan_check_security(chan)) {
c5daa683 3459 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3460 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3461 result = L2CAP_CR_PEND;
3462 status = L2CAP_CS_AUTHOR_PEND;
3463 parent->sk_data_ready(parent, 0);
3464 } else {
0e587be7 3465 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3466 result = L2CAP_CR_SUCCESS;
3467 status = L2CAP_CS_NO_INFO;
3468 }
79d554a6 3469 } else {
0e587be7 3470 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3471 result = L2CAP_CR_PEND;
3472 status = L2CAP_CS_AUTHEN_PEND;
3473 }
3474 } else {
0e587be7 3475 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3476 result = L2CAP_CR_PEND;
3477 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3478 }
3479
1da177e4 3480response:
aa2ac881 3481 release_sock(parent);
3df91ea2 3482 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3483
3484sendresp:
aca3192c
YH		 3485 rsp.scid = cpu_to_le16(scid);
3486 rsp.dcid = cpu_to_le16(dcid);
3487 rsp.result = cpu_to_le16(result);
3488 rsp.status = cpu_to_le16(status);
4c89b6aa 3489 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3490
3491 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3492 struct l2cap_info_req info;
ac73498c 3493 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3494
3495 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3496 conn->info_ident = l2cap_get_ident(conn);
3497
ba13ccd9 3498 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3499
2d792818
GP		 3500 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3501 sizeof(info), &info);
79d554a6
MH		 3502 }
3503
c1360a1c 3504 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3505 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3506 u8 buf[128];
c1360a1c 3507 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3508 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3509 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3510 chan->num_conf_req++;
e9aeb2dd 3511 }
4c89b6aa 3512}
e9aeb2dd 3513
4c89b6aa
MM		 3514static int l2cap_connect_req(struct l2cap_conn *conn,
3515 struct l2cap_cmd_hdr *cmd, u8 *data)
3516{
3517 __l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3518 return 0;
3519}
3520
2d792818
GP		 3521static inline int l2cap_connect_rsp(struct l2cap_conn *conn,
3522 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3523{
3524 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3525 u16 scid, dcid, result, status;
48454079 3526 struct l2cap_chan *chan;
1da177e4 3527 u8 req[128];
3df91ea2 3528 int err;
1da177e4
LT		 3529
3530 scid = __le16_to_cpu(rsp->scid);
3531 dcid = __le16_to_cpu(rsp->dcid);
3532 result = __le16_to_cpu(rsp->result);
3533 status = __le16_to_cpu(rsp->status);
3534
1b009c98 3535 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3536 dcid, scid, result, status);
1da177e4 3537
3df91ea2
AE		 3538 mutex_lock(&conn->chan_lock);
3539
1da177e4 3540 if (scid) {
3df91ea2
AE		 3541 chan = __l2cap_get_chan_by_scid(conn, scid);
3542 if (!chan) {
3543 err = -EFAULT;
3544 goto unlock;
3545 }
1da177e4 3546 } else {
3df91ea2
AE		 3547 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3548 if (!chan) {
3549 err = -EFAULT;
3550 goto unlock;
3551 }
1da177e4
LT		 3552 }
3553
3df91ea2
AE		 3554 err = 0;
3555
6be36555 3556 l2cap_chan_lock(chan);
48454079 3557
1da177e4
LT		 3558 switch (result) {
3559 case L2CAP_CR_SUCCESS:
89bc500e 3560 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3561 chan->ident = 0;
fe4128e0 3562 chan->dcid = dcid;
c1360a1c 3563 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3564
c1360a1c 3565 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3566 break;
3567
1da177e4 3568 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3569 l2cap_build_conf_req(chan, req), req);
73ffa904 3570 chan->num_conf_req++;
1da177e4
LT		 3571 break;
3572
3573 case L2CAP_CR_PEND:
c1360a1c 3574 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3575 break;
3576
3577 default:
48454079 3578 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3579 break;
3580 }
3581
6be36555 3582 l2cap_chan_unlock(chan);
3df91ea2
AE		 3583
3584unlock:
3585 mutex_unlock(&conn->chan_lock);
3586
3587 return err;
1da177e4
LT		 3588}
3589
47d1ec61 3590static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3591{
3592 /* FCS is enabled only in ERTM or streaming mode, if one or both
3593 * sides request it.
3594 */
0c1bc5c6 3595 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3596 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3597 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3598 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3599}
3600
29d8a590
AE		 3601static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3602 u8 ident, u16 flags)
3603{
3604 struct l2cap_conn *conn = chan->conn;
3605
3606 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3607 flags);
3608
3609 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3610 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3611
3612 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3613 l2cap_build_conf_rsp(chan, data,
3614 L2CAP_CONF_SUCCESS, flags), data);
3615}
3616
2d792818
GP		 3617static inline int l2cap_config_req(struct l2cap_conn *conn,
3618 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3619 u8 *data)
1da177e4
LT		 3620{
3621 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3622 u16 dcid, flags;
3623 u8 rsp[64];
48454079 3624 struct l2cap_chan *chan;
3c588192 3625 int len, err = 0;
1da177e4
LT		 3626
3627 dcid = __le16_to_cpu(req->dcid);
3628 flags = __le16_to_cpu(req->flags);
3629
3630 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3631
baa7e1fa 3632 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3633 if (!chan)
1da177e4
LT		 3634 return -ENOENT;
3635
033b1142 3636 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3637 struct l2cap_cmd_rej_cid rej;
3638
ac73498c 3639 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3640 rej.scid = cpu_to_le16(chan->scid);
3641 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3642
df6bd743 3643 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3644 sizeof(rej), &rej);
354f60a9 3645 goto unlock;
df6bd743 3646 }
354f60a9 3647
5dee9e7c 3648 /* Reject if config buffer is too small. */
88219a0f 3649 len = cmd_len - sizeof(*req);
7ac28817 3650 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3651 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3652 l2cap_build_conf_rsp(chan, rsp,
3653 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3654 goto unlock;
3655 }
3656
3657 /* Store config. */
73ffa904
GP		 3658 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3659 chan->conf_len += len;
1da177e4 3660
59e54bd1 3661 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3662 /* Incomplete config. Send empty response. */
3663 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3664 l2cap_build_conf_rsp(chan, rsp,
3665 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3666 goto unlock;
3667 }
3668
3669 /* Complete config. */
73ffa904 3670 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3671 if (len < 0) {
e92c8e70 3672 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3673 goto unlock;
f2fcfcd6 3674 }
1da177e4 3675
5dee9e7c 3676 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3677 chan->num_conf_rsp++;
5dee9e7c 3678
5dee9e7c 3679 /* Reset config buffer. */
73ffa904 3680 chan->conf_len = 0;
5dee9e7c 3681
c1360a1c 3682 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3683 goto unlock;
3684
c1360a1c 3685 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3686 set_default_fcs(chan);
fcc203c3 3687
105bdf9e
MM		 3688 if (chan->mode == L2CAP_MODE_ERTM ||
3689 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3690 err = l2cap_ertm_init(chan);
3691
3692 if (err < 0)
3693 l2cap_send_disconn_req(chan->conn, chan, -err);
3694 else
3695 l2cap_chan_ready(chan);
0565c1c2 3696
876d9484
MH		 3697 goto unlock;
3698 }
3699
c1360a1c 3700 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3701 u8 buf[64];
1da177e4 3702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3703 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3704 chan->num_conf_req++;
1da177e4
LT		 3705 }
3706
0e8b207e
AE		 3707 /* Got Conf Rsp PENDING from remote side and asume we sent
3708 Conf Rsp PENDING in the code above */
3709 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3710 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3711
3712 /* check compatibility */
3713
29d8a590 3714 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
0e8b207e
AE		 3715 }
3716
1da177e4 3717unlock:
6be36555 3718 l2cap_chan_unlock(chan);
3c588192 3719 return err;
1da177e4
LT		 3720}
3721
2d792818
GP		 3722static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3723 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3724{
3725 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3726 u16 scid, flags, result;
48454079 3727 struct l2cap_chan *chan;
61386cba 3728 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3729 int err = 0;
1da177e4
LT		 3730
3731 scid = __le16_to_cpu(rsp->scid);
3732 flags = __le16_to_cpu(rsp->flags);
3733 result = __le16_to_cpu(rsp->result);
3734
61386cba
AE		 3735 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3736 result, len);
1da177e4 3737
baa7e1fa 3738 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3739 if (!chan)
1da177e4
LT		 3740 return 0;
3741
3742 switch (result) {
3743 case L2CAP_CONF_SUCCESS:
47d1ec61 3744 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3745 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3746 break;
3747
0e8b207e
AE		 3748 case L2CAP_CONF_PENDING:
3749 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3750
3751 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3752 char buf[64];
3753
3754 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3755 buf, &result);
0e8b207e
AE		 3756 if (len < 0) {
3757 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3758 goto done;
3759 }
3760
3761 /* check compatibility */
3762
29d8a590 3763 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
0e8b207e
AE		 3764 }
3765 goto done;
3766
1da177e4 3767 case L2CAP_CONF_UNACCEPT:
73ffa904 3768 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3769 char req[64];
3770
c2c77ec8 3771 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3772 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3773 goto done;
3774 }
3775
f2fcfcd6
GP		 3776 /* throw out any old stored conf requests */
3777 result = L2CAP_CONF_SUCCESS;
b4450035 3778 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3779 req, &result);
f2fcfcd6 3780 if (len < 0) {
e92c8e70 3781 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3782 goto done;
3783 }
3784
3785 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3786 L2CAP_CONF_REQ, len, req);
73ffa904 3787 chan->num_conf_req++;
f2fcfcd6
GP		 3788 if (result != L2CAP_CONF_SUCCESS)
3789 goto done;
3790 break;
1da177e4
LT		 3791 }
3792
8e87d142 3793 default:
6be36555 3794 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3795
ba13ccd9 3796 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3797 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3798 goto done;
3799 }
3800
59e54bd1 3801 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3802 goto done;
3803
c1360a1c 3804 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3805
c1360a1c 3806 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3807 set_default_fcs(chan);
fcc203c3 3808
105bdf9e
MM		 3809 if (chan->mode == L2CAP_MODE_ERTM ||
3810 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3811 err = l2cap_ertm_init(chan);
0565c1c2 3812
3c588192
MM		 3813 if (err < 0)
3814 l2cap_send_disconn_req(chan->conn, chan, -err);
3815 else
3816 l2cap_chan_ready(chan);
1da177e4
LT		 3817 }
3818
3819done:
6be36555 3820 l2cap_chan_unlock(chan);
3c588192 3821 return err;
1da177e4
LT		 3822}
3823
2d792818
GP		 3824static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3825 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3826{
3827 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3828 struct l2cap_disconn_rsp rsp;
3829 u16 dcid, scid;
48454079 3830 struct l2cap_chan *chan;
1da177e4
LT		 3831 struct sock *sk;
3832
3833 scid = __le16_to_cpu(req->scid);
3834 dcid = __le16_to_cpu(req->dcid);
3835
3836 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3837
3df91ea2
AE		 3838 mutex_lock(&conn->chan_lock);
3839
3840 chan = __l2cap_get_chan_by_scid(conn, dcid);
3841 if (!chan) {
3842 mutex_unlock(&conn->chan_lock);
1da177e4 3843 return 0;
3df91ea2 3844 }
1da177e4 3845
6be36555
AE		 3846 l2cap_chan_lock(chan);
3847
48454079
GP		 3848 sk = chan->sk;
3849
fe4128e0
GP		 3850 rsp.dcid = cpu_to_le16(chan->scid);
3851 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3852 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3853
6be36555 3854 lock_sock(sk);
1da177e4 3855 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3856 release_sock(sk);
1da177e4 3857
61d6ef3e 3858 l2cap_chan_hold(chan);
48454079 3859 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3860
3861 l2cap_chan_unlock(chan);
1da177e4 3862
80b98027 3863 chan->ops->close(chan);
61d6ef3e 3864 l2cap_chan_put(chan);
3df91ea2
AE		 3865
3866 mutex_unlock(&conn->chan_lock);
3867
1da177e4
LT		 3868 return 0;
3869}
3870
2d792818
GP		 3871static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3872 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3873{
3874 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3875 u16 dcid, scid;
48454079 3876 struct l2cap_chan *chan;
1da177e4
LT		 3877
3878 scid = __le16_to_cpu(rsp->scid);
3879 dcid = __le16_to_cpu(rsp->dcid);
3880
3881 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3882
3df91ea2
AE		 3883 mutex_lock(&conn->chan_lock);
3884
3885 chan = __l2cap_get_chan_by_scid(conn, scid);
3886 if (!chan) {
3887 mutex_unlock(&conn->chan_lock);
1da177e4 3888 return 0;
3df91ea2 3889 }
1da177e4 3890
6be36555 3891 l2cap_chan_lock(chan);
48454079 3892
61d6ef3e 3893 l2cap_chan_hold(chan);
48454079 3894 l2cap_chan_del(chan, 0);
6be36555
AE		 3895
3896 l2cap_chan_unlock(chan);
1da177e4 3897
80b98027 3898 chan->ops->close(chan);
61d6ef3e 3899 l2cap_chan_put(chan);
3df91ea2
AE		 3900
3901 mutex_unlock(&conn->chan_lock);
3902
1da177e4
LT		 3903 return 0;
3904}
3905
2d792818
GP		 3906static inline int l2cap_information_req(struct l2cap_conn *conn,
3907 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3908{
3909 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3910 u16 type;
3911
3912 type = __le16_to_cpu(req->type);
3913
3914 BT_DBG("type 0x%4.4x", type);
3915
f0709e03
MH		 3916 if (type == L2CAP_IT_FEAT_MASK) {
3917 u8 buf[8];
44dd46de 3918 u32 feat_mask = l2cap_feat_mask;
f0709e03 3919 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3920 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3921 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3922 if (!disable_ertm)
fcc203c3 3923 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 3924 | L2CAP_FEAT_FCS;
a5fd6f30 3925 if (enable_hs)
6327eb98 3926 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 3927 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3928
1b7bf4ed 3929 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 3930 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
3931 buf);
e1027a7c
MH		 3932 } else if (type == L2CAP_IT_FIXED_CHAN) {
3933 u8 buf[12];
3934 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3935
3936 if (enable_hs)
3937 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3938 else
3939 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3940
ac73498c
AE		 3941 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3942 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3943 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 3944 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
3945 buf);
f0709e03
MH		 3946 } else {
3947 struct l2cap_info_rsp rsp;
3948 rsp.type = cpu_to_le16(type);
ac73498c 3949 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 3950 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
3951 &rsp);
f0709e03 3952 }
1da177e4
LT		 3953
3954 return 0;
3955}
3956
2d792818
GP		 3957static inline int l2cap_information_rsp(struct l2cap_conn *conn,
3958 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3959{
3960 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3961 u16 type, result;
3962
3963 type = __le16_to_cpu(rsp->type);
3964 result = __le16_to_cpu(rsp->result);
3965
3966 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3967
e90165be
AE		 3968 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3969 if (cmd->ident != conn->info_ident ||
2d792818 3970 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 3971 return 0;
3972
17cd3f37 3973 cancel_delayed_work(&conn->info_timer);
4e8402a3 3974
adb08ede
VT		 3975 if (result != L2CAP_IR_SUCCESS) {
3976 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3977 conn->info_ident = 0;
3978
3979 l2cap_conn_start(conn);
3980
3981 return 0;
3982 }
3983
978c93b9
AE		 3984 switch (type) {
3985 case L2CAP_IT_FEAT_MASK:
83985319 3986 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3987
47ec1dcd 3988 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3989 struct l2cap_info_req req;
ac73498c 3990 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3991
3992 conn->info_ident = l2cap_get_ident(conn);
3993
3994 l2cap_send_cmd(conn, conn->info_ident,
2d792818 3995 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 3996 } else {
3997 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3998 conn->info_ident = 0;
3999
4000 l2cap_conn_start(conn);
4001 }
978c93b9
AE		 4002 break;
4003
4004 case L2CAP_IT_FIXED_CHAN:
4005 conn->fixed_chan_mask = rsp->data[0];
984947dc 4006 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4007 conn->info_ident = 0;
984947dc
MH		 4008
4009 l2cap_conn_start(conn);
978c93b9 4010 break;
984947dc 4011 }
4e8402a3 4012
1da177e4
LT		 4013 return 0;
4014}
4015
f94ff6ff 4016static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
2d792818
GP		 4017 struct l2cap_cmd_hdr *cmd,
4018 u16 cmd_len, void *data)
f94ff6ff
MM		 4019{
4020 struct l2cap_create_chan_req *req = data;
4021 struct l2cap_create_chan_rsp rsp;
4022 u16 psm, scid;
4023
4024 if (cmd_len != sizeof(*req))
4025 return -EPROTO;
4026
4027 if (!enable_hs)
4028 return -EINVAL;
4029
4030 psm = le16_to_cpu(req->psm);
4031 scid = le16_to_cpu(req->scid);
4032
ad0ac6ca 4033 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 4034
4035 /* Placeholder: Always reject */
4036 rsp.dcid = 0;
4037 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4038 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4039 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4040
4041 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4042 sizeof(rsp), &rsp);
4043
4044 return 0;
4045}
4046
2d792818
GP		 4047static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
4048 struct l2cap_cmd_hdr *cmd,
4049 void *data)
4050{
4051 BT_DBG("conn %p", conn);
4052
4053 return l2cap_connect_rsp(conn, cmd, data);
4054}
4055
8d5a04a1 4056static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4057 u16 icid, u16 result)
8d5a04a1
MM		 4058{
4059 struct l2cap_move_chan_rsp rsp;
4060
ad0ac6ca 4061 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4062
4063 rsp.icid = cpu_to_le16(icid);
4064 rsp.result = cpu_to_le16(result);
4065
4066 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4067}
4068
4069static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4070 struct l2cap_chan *chan,
4071 u16 icid, u16 result)
8d5a04a1
MM		 4072{
4073 struct l2cap_move_chan_cfm cfm;
4074 u8 ident;
4075
ad0ac6ca 4076 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4077
4078 ident = l2cap_get_ident(conn);
4079 if (chan)
4080 chan->ident = ident;
4081
4082 cfm.icid = cpu_to_le16(icid);
4083 cfm.result = cpu_to_le16(result);
4084
4085 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4086}
4087
4088static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4089 u16 icid)
8d5a04a1
MM		 4090{
4091 struct l2cap_move_chan_cfm_rsp rsp;
4092
ad0ac6ca 4093 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4094
4095 rsp.icid = cpu_to_le16(icid);
4096 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4097}
4098
4099static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4100 struct l2cap_cmd_hdr *cmd,
4101 u16 cmd_len, void *data)
8d5a04a1
MM		 4102{
4103 struct l2cap_move_chan_req *req = data;
4104 u16 icid = 0;
4105 u16 result = L2CAP_MR_NOT_ALLOWED;
4106
4107 if (cmd_len != sizeof(*req))
4108 return -EPROTO;
4109
4110 icid = le16_to_cpu(req->icid);
4111
ad0ac6ca 4112 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4113
4114 if (!enable_hs)
4115 return -EINVAL;
4116
4117 /* Placeholder: Always refuse */
4118 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4119
4120 return 0;
4121}
4122
4123static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4124 struct l2cap_cmd_hdr *cmd,
4125 u16 cmd_len, void *data)
8d5a04a1
MM		 4126{
4127 struct l2cap_move_chan_rsp *rsp = data;
4128 u16 icid, result;
4129
4130 if (cmd_len != sizeof(*rsp))
4131 return -EPROTO;
4132
4133 icid = le16_to_cpu(rsp->icid);
4134 result = le16_to_cpu(rsp->result);
4135
ad0ac6ca 4136 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4137
4138 /* Placeholder: Always unconfirmed */
4139 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4140
4141 return 0;
4142}
4143
4144static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4145 struct l2cap_cmd_hdr *cmd,
4146 u16 cmd_len, void *data)
8d5a04a1
MM		 4147{
4148 struct l2cap_move_chan_cfm *cfm = data;
4149 u16 icid, result;
4150
4151 if (cmd_len != sizeof(*cfm))
4152 return -EPROTO;
4153
4154 icid = le16_to_cpu(cfm->icid);
4155 result = le16_to_cpu(cfm->result);
4156
ad0ac6ca 4157 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4158
4159 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4160
4161 return 0;
4162}
4163
4164static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4165 struct l2cap_cmd_hdr *cmd,
4166 u16 cmd_len, void *data)
8d5a04a1
MM		 4167{
4168 struct l2cap_move_chan_cfm_rsp *rsp = data;
4169 u16 icid;
4170
4171 if (cmd_len != sizeof(*rsp))
4172 return -EPROTO;
4173
4174 icid = le16_to_cpu(rsp->icid);
4175
ad0ac6ca 4176 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4177
4178 return 0;
4179}
4180
e2174ca4 4181static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4182 u16 to_multiplier)
de73115a
CT		 4183{
4184 u16 max_latency;
4185
4186 if (min > max || min < 6 || max > 3200)
4187 return -EINVAL;
4188
4189 if (to_multiplier < 10 || to_multiplier > 3200)
4190 return -EINVAL;
4191
4192 if (max >= to_multiplier * 8)
4193 return -EINVAL;
4194
4195 max_latency = (to_multiplier * 8 / max) - 1;
4196 if (latency > 499 || latency > max_latency)
4197 return -EINVAL;
4198
4199 return 0;
4200}
4201
4202static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4203 struct l2cap_cmd_hdr *cmd,
4204 u8 *data)
de73115a
CT		 4205{
4206 struct hci_conn *hcon = conn->hcon;
4207 struct l2cap_conn_param_update_req *req;
4208 struct l2cap_conn_param_update_rsp rsp;
4209 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4210 int err;
de73115a
CT		 4211
4212 if (!(hcon->link_mode & HCI_LM_MASTER))
4213 return -EINVAL;
4214
4215 cmd_len = __le16_to_cpu(cmd->len);
4216 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4217 return -EPROTO;
4218
4219 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4220 min = __le16_to_cpu(req->min);
4221 max = __le16_to_cpu(req->max);
de73115a
CT		 4222 latency = __le16_to_cpu(req->latency);
4223 to_multiplier = __le16_to_cpu(req->to_multiplier);
4224
4225 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4226 min, max, latency, to_multiplier);
de73115a
CT		 4227
4228 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4229
4230 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4231 if (err)
ac73498c 4232 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4233 else
ac73498c 4234 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4235
4236 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4237 sizeof(rsp), &rsp);
de73115a 4238
2ce603eb
CT		 4239 if (!err)
4240 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4241
de73115a
CT		 4242 return 0;
4243}
4244
3300d9a9 4245static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4246 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4247 u8 *data)
3300d9a9
CT		 4248{
4249 int err = 0;
4250
4251 switch (cmd->code) {
4252 case L2CAP_COMMAND_REJ:
4253 l2cap_command_rej(conn, cmd, data);
4254 break;
4255
4256 case L2CAP_CONN_REQ:
4257 err = l2cap_connect_req(conn, cmd, data);
4258 break;
4259
4260 case L2CAP_CONN_RSP:
f5a2598d 4261 case L2CAP_CREATE_CHAN_RSP:
3300d9a9
CT		 4262 err = l2cap_connect_rsp(conn, cmd, data);
4263 break;
4264
4265 case L2CAP_CONF_REQ:
4266 err = l2cap_config_req(conn, cmd, cmd_len, data);
4267 break;
4268
4269 case L2CAP_CONF_RSP:
4270 err = l2cap_config_rsp(conn, cmd, data);
4271 break;
4272
4273 case L2CAP_DISCONN_REQ:
4274 err = l2cap_disconnect_req(conn, cmd, data);
4275 break;
4276
4277 case L2CAP_DISCONN_RSP:
4278 err = l2cap_disconnect_rsp(conn, cmd, data);
4279 break;
4280
4281 case L2CAP_ECHO_REQ:
4282 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4283 break;
4284
4285 case L2CAP_ECHO_RSP:
4286 break;
4287
4288 case L2CAP_INFO_REQ:
4289 err = l2cap_information_req(conn, cmd, data);
4290 break;
4291
4292 case L2CAP_INFO_RSP:
4293 err = l2cap_information_rsp(conn, cmd, data);
4294 break;
4295
f94ff6ff
MM		 4296 case L2CAP_CREATE_CHAN_REQ:
4297 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4298 break;
4299
8d5a04a1
MM		 4300 case L2CAP_MOVE_CHAN_REQ:
4301 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4302 break;
4303
4304 case L2CAP_MOVE_CHAN_RSP:
4305 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4306 break;
4307
4308 case L2CAP_MOVE_CHAN_CFM:
4309 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4310 break;
4311
4312 case L2CAP_MOVE_CHAN_CFM_RSP:
4313 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4314 break;
4315
3300d9a9
CT		 4316 default:
4317 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4318 err = -EINVAL;
4319 break;
4320 }
4321
4322 return err;
4323}
4324
4325static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 4326 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 4327{
4328 switch (cmd->code) {
4329 case L2CAP_COMMAND_REJ:
4330 return 0;
4331
4332 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4333 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4334
4335 case L2CAP_CONN_PARAM_UPDATE_RSP:
4336 return 0;
4337
4338 default:
4339 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4340 return -EINVAL;
4341 }
4342}
4343
4344static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 4345 struct sk_buff *skb)
1da177e4
LT		 4346{
4347 u8 *data = skb->data;
4348 int len = skb->len;
4349 struct l2cap_cmd_hdr cmd;
3300d9a9 4350 int err;
1da177e4
LT		 4351
4352 l2cap_raw_recv(conn, skb);
4353
4354 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4355 u16 cmd_len;
1da177e4
LT		 4356 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4357 data += L2CAP_CMD_HDR_SIZE;
4358 len -= L2CAP_CMD_HDR_SIZE;
4359
88219a0f 4360 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4361
2d792818
GP		 4362 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
4363 cmd.ident);
1da177e4 4364
88219a0f 4365 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4366 BT_DBG("corrupted command");
4367 break;
4368 }
4369
3300d9a9
CT		 4370 if (conn->hcon->type == LE_LINK)
4371 err = l2cap_le_sig_cmd(conn, &cmd, data);
4372 else
4373 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4374
4375 if (err) {
e2fd318e 4376 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4377
4378 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4379
4380 /* FIXME: Map err to a valid reason */
ac73498c 4381 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 4382 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
4383 sizeof(rej), &rej);
1da177e4
LT		 4384 }
4385
88219a0f
AV		 4386 data += cmd_len;
4387 len -= cmd_len;
1da177e4
LT		 4388 }
4389
4390 kfree_skb(skb);
4391}
4392
47d1ec61 4393static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4394{
4395 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4396 int hdr_size;
4397
4398 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4399 hdr_size = L2CAP_EXT_HDR_SIZE;
4400 else
4401 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4402
47d1ec61 4403 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4404 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4405 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4406 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4407
4408 if (our_fcs != rcv_fcs)
7a560e5c 4409 return -EBADMSG;
fcc203c3
GP		 4410 }
4411 return 0;
4412}
4413
6ea00485 4414static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4415{
e31f7633 4416 struct l2cap_ctrl control;
d5392c8f 4417
e31f7633 4418 BT_DBG("chan %p", chan);
d5392c8f 4419
e31f7633
MM		 4420 memset(&control, 0, sizeof(control));
4421 control.sframe = 1;
4422 control.final = 1;
4423 control.reqseq = chan->buffer_seq;
4424 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4425
e2ab4353 4426 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4427 control.super = L2CAP_SUPER_RNR;
4428 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4429 }
4430
e31f7633
MM		 4431 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4432 chan->unacked_frames > 0)
4433 __set_retrans_timer(chan);
d5392c8f 4434
e31f7633 4435 /* Send pending iframes */
525cd185 4436 l2cap_ertm_send(chan);
d5392c8f 4437
e2ab4353 4438 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4439 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4440 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4441 * send it now.
4442 */
4443 control.super = L2CAP_SUPER_RR;
4444 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4445 }
4446}
4447
2d792818
GP		 4448static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
4449 struct sk_buff **last_frag)
18778a63 4450{
84084a31
MM		 4451 /* skb->len reflects data in skb as well as all fragments
4452 * skb->data_len reflects only data in fragments
4453 */
4454 if (!skb_has_frag_list(skb))
4455 skb_shinfo(skb)->frag_list = new_frag;
4456
4457 new_frag->next = NULL;
4458
4459 (*last_frag)->next = new_frag;
4460 *last_frag = new_frag;
4461
4462 skb->len += new_frag->len;
4463 skb->data_len += new_frag->len;
4464 skb->truesize += new_frag->truesize;
4465}
4466
4b51dae9
MM		 4467static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4468 struct l2cap_ctrl *control)
84084a31
MM		 4469{
4470 int err = -EINVAL;
18778a63 4471
4b51dae9 4472 switch (control->sar) {
7e0ef6ee 4473 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4474 if (chan->sdu)
4475 break;
18778a63 4476
80b98027 4477 err = chan->ops->recv(chan, skb);
84084a31 4478 break;
18778a63 4479
7e0ef6ee 4480 case L2CAP_SAR_START:
84084a31
MM		 4481 if (chan->sdu)
4482 break;
18778a63 4483
6f61fd47 4484 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4485 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4486
84084a31
MM		 4487 if (chan->sdu_len > chan->imtu) {
4488 err = -EMSGSIZE;
4489 break;
4490 }
1890d36b 4491
84084a31
MM		 4492 if (skb->len >= chan->sdu_len)
4493 break;
18778a63 4494
84084a31
MM		 4495 chan->sdu = skb;
4496 chan->sdu_last_frag = skb;
18778a63 4497
84084a31
MM		 4498 skb = NULL;
4499 err = 0;
18778a63
GP		 4500 break;
4501
7e0ef6ee 4502 case L2CAP_SAR_CONTINUE:
6f61fd47 4503 if (!chan->sdu)
84084a31 4504 break;
18778a63 4505
84084a31
MM		 4506 append_skb_frag(chan->sdu, skb,
4507 &chan->sdu_last_frag);
4508 skb = NULL;
18778a63 4509
84084a31
MM		 4510 if (chan->sdu->len >= chan->sdu_len)
4511 break;
4178ba46 4512
84084a31 4513 err = 0;
18778a63
GP		 4514 break;
4515
7e0ef6ee 4516 case L2CAP_SAR_END:
6f61fd47 4517 if (!chan->sdu)
84084a31 4518 break;
18778a63 4519
84084a31
MM		 4520 append_skb_frag(chan->sdu, skb,
4521 &chan->sdu_last_frag);
4522 skb = NULL;
4178ba46 4523
84084a31
MM		 4524 if (chan->sdu->len != chan->sdu_len)
4525 break;
18778a63 4526
80b98027 4527 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4528
84084a31
MM		 4529 if (!err) {
4530 /* Reassembly complete */
4531 chan->sdu = NULL;
4532 chan->sdu_last_frag = NULL;
4533 chan->sdu_len = 0;
1890d36b 4534 }
18778a63
GP		 4535 break;
4536 }
4537
84084a31
MM		 4538 if (err) {
4539 kfree_skb(skb);
4540 kfree_skb(chan->sdu);
4541 chan->sdu = NULL;
4542 chan->sdu_last_frag = NULL;
4543 chan->sdu_len = 0;
4544 }
18778a63 4545
84084a31 4546 return err;
18778a63
GP		 4547}
4548
61aa4f5b 4549void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4550{
61aa4f5b 4551 u8 event;
712132eb 4552
61aa4f5b
MM		 4553 if (chan->mode != L2CAP_MODE_ERTM)
4554 return;
712132eb 4555
61aa4f5b 4556 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4557 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4558}
4559
d2a7ac5d
MM		 4560static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4561{
63838725
MM		 4562 int err = 0;
4563 /* Pass sequential frames to l2cap_reassemble_sdu()
4564 * until a gap is encountered.
4565 */
4566
4567 BT_DBG("chan %p", chan);
4568
4569 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4570 struct sk_buff *skb;
4571 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4572 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4573
4574 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4575
4576 if (!skb)
4577 break;
4578
4579 skb_unlink(skb, &chan->srej_q);
4580 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4581 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4582 if (err)
4583 break;
4584 }
4585
4586 if (skb_queue_empty(&chan->srej_q)) {
4587 chan->rx_state = L2CAP_RX_STATE_RECV;
4588 l2cap_send_ack(chan);
4589 }
4590
4591 return err;
d2a7ac5d
MM		 4592}
4593
4594static void l2cap_handle_srej(struct l2cap_chan *chan,
4595 struct l2cap_ctrl *control)
4596{
f80842a8
MM		 4597 struct sk_buff *skb;
4598
4599 BT_DBG("chan %p, control %p", chan, control);
4600
4601 if (control->reqseq == chan->next_tx_seq) {
4602 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4603 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4604 return;
4605 }
4606
4607 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4608
4609 if (skb == NULL) {
4610 BT_DBG("Seq %d not available for retransmission",
4611 control->reqseq);
4612 return;
4613 }
4614
4615 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4616 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4617 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4618 return;
4619 }
4620
4621 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4622
4623 if (control->poll) {
4624 l2cap_pass_to_tx(chan, control);
4625
4626 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4627 l2cap_retransmit(chan, control);
4628 l2cap_ertm_send(chan);
4629
4630 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4631 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4632 chan->srej_save_reqseq = control->reqseq;
4633 }
4634 } else {
4635 l2cap_pass_to_tx_fbit(chan, control);
4636
4637 if (control->final) {
4638 if (chan->srej_save_reqseq != control->reqseq ||
4639 !test_and_clear_bit(CONN_SREJ_ACT,
4640 &chan->conn_state))
4641 l2cap_retransmit(chan, control);
4642 } else {
4643 l2cap_retransmit(chan, control);
4644 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4645 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4646 chan->srej_save_reqseq = control->reqseq;
4647 }
4648 }
4649 }
d2a7ac5d
MM		 4650}
4651
4652static void l2cap_handle_rej(struct l2cap_chan *chan,
4653 struct l2cap_ctrl *control)
4654{
fcd289df
MM		 4655 struct sk_buff *skb;
4656
4657 BT_DBG("chan %p, control %p", chan, control);
4658
4659 if (control->reqseq == chan->next_tx_seq) {
4660 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4661 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4662 return;
4663 }
4664
4665 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4666
4667 if (chan->max_tx && skb &&
4668 bt_cb(skb)->control.retries >= chan->max_tx) {
4669 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4670 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4671 return;
4672 }
4673
4674 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4675
4676 l2cap_pass_to_tx(chan, control);
4677
4678 if (control->final) {
4679 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4680 l2cap_retransmit_all(chan, control);
4681 } else {
4682 l2cap_retransmit_all(chan, control);
4683 l2cap_ertm_send(chan);
4684 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4685 set_bit(CONN_REJ_ACT, &chan->conn_state);
4686 }
d2a7ac5d
MM		 4687}
4688
4b51dae9
MM		 4689static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4690{
4691 BT_DBG("chan %p, txseq %d", chan, txseq);
4692
4693 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4694 chan->expected_tx_seq);
4695
4696 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4697 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 4698 chan->tx_win) {
4b51dae9
MM		 4699 /* See notes below regarding "double poll" and
4700 * invalid packets.
4701 */
4702 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4703 BT_DBG("Invalid/Ignore - after SREJ");
4704 return L2CAP_TXSEQ_INVALID_IGNORE;
4705 } else {
4706 BT_DBG("Invalid - in window after SREJ sent");
4707 return L2CAP_TXSEQ_INVALID;
4708 }
4709 }
4710
4711 if (chan->srej_list.head == txseq) {
4712 BT_DBG("Expected SREJ");
4713 return L2CAP_TXSEQ_EXPECTED_SREJ;
4714 }
4715
4716 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4717 BT_DBG("Duplicate SREJ - txseq already stored");
4718 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4719 }
4720
4721 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4722 BT_DBG("Unexpected SREJ - not requested");
4723 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4724 }
4725 }
4726
4727 if (chan->expected_tx_seq == txseq) {
4728 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4729 chan->tx_win) {
4730 BT_DBG("Invalid - txseq outside tx window");
4731 return L2CAP_TXSEQ_INVALID;
4732 } else {
4733 BT_DBG("Expected");
4734 return L2CAP_TXSEQ_EXPECTED;
4735 }
4736 }
4737
4738 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 4739 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 4740 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4741 return L2CAP_TXSEQ_DUPLICATE;
4742 }
4743
4744 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4745 /* A source of invalid packets is a "double poll" condition,
4746 * where delays cause us to send multiple poll packets. If
4747 * the remote stack receives and processes both polls,
4748 * sequence numbers can wrap around in such a way that a
4749 * resent frame has a sequence number that looks like new data
4750 * with a sequence gap. This would trigger an erroneous SREJ
4751 * request.
4752 *
4753 * Fortunately, this is impossible with a tx window that's
4754 * less than half of the maximum sequence number, which allows
4755 * invalid frames to be safely ignored.
4756 *
4757 * With tx window sizes greater than half of the tx window
4758 * maximum, the frame is invalid and cannot be ignored. This
4759 * causes a disconnect.
4760 */
4761
4762 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4763 BT_DBG("Invalid/Ignore - txseq outside tx window");
4764 return L2CAP_TXSEQ_INVALID_IGNORE;
4765 } else {
4766 BT_DBG("Invalid - txseq outside tx window");
4767 return L2CAP_TXSEQ_INVALID;
4768 }
4769 } else {
4770 BT_DBG("Unexpected - txseq indicates missing frames");
4771 return L2CAP_TXSEQ_UNEXPECTED;
4772 }
4773}
4774
d2a7ac5d
MM		 4775static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4776 struct l2cap_ctrl *control,
4777 struct sk_buff *skb, u8 event)
4778{
4779 int err = 0;
4780 bool skb_in_use = 0;
4781
4782 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4783 event);
4784
4785 switch (event) {
4786 case L2CAP_EV_RECV_IFRAME:
4787 switch (l2cap_classify_txseq(chan, control->txseq)) {
4788 case L2CAP_TXSEQ_EXPECTED:
4789 l2cap_pass_to_tx(chan, control);
4790
4791 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4792 BT_DBG("Busy, discarding expected seq %d",
4793 control->txseq);
4794 break;
4795 }
4796
4797 chan->expected_tx_seq = __next_seq(chan,
4798 control->txseq);
4799
4800 chan->buffer_seq = chan->expected_tx_seq;
4801 skb_in_use = 1;
4802
4803 err = l2cap_reassemble_sdu(chan, skb, control);
4804 if (err)
4805 break;
4806
4807 if (control->final) {
4808 if (!test_and_clear_bit(CONN_REJ_ACT,
4809 &chan->conn_state)) {
4810 control->final = 0;
4811 l2cap_retransmit_all(chan, control);
4812 l2cap_ertm_send(chan);
4813 }
4814 }
4815
4816 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4817 l2cap_send_ack(chan);
4818 break;
4819 case L2CAP_TXSEQ_UNEXPECTED:
4820 l2cap_pass_to_tx(chan, control);
4821
4822 /* Can't issue SREJ frames in the local busy state.
4823 * Drop this frame, it will be seen as missing
4824 * when local busy is exited.
4825 */
4826 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4827 BT_DBG("Busy, discarding unexpected seq %d",
4828 control->txseq);
4829 break;
4830 }
4831
4832 /* There was a gap in the sequence, so an SREJ
4833 * must be sent for each missing frame. The
4834 * current frame is stored for later use.
4835 */
4836 skb_queue_tail(&chan->srej_q, skb);
4837 skb_in_use = 1;
4838 BT_DBG("Queued %p (queue len %d)", skb,
4839 skb_queue_len(&chan->srej_q));
4840
4841 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4842 l2cap_seq_list_clear(&chan->srej_list);
4843 l2cap_send_srej(chan, control->txseq);
4844
4845 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4846 break;
4847 case L2CAP_TXSEQ_DUPLICATE:
4848 l2cap_pass_to_tx(chan, control);
4849 break;
4850 case L2CAP_TXSEQ_INVALID_IGNORE:
4851 break;
4852 case L2CAP_TXSEQ_INVALID:
4853 default:
4854 l2cap_send_disconn_req(chan->conn, chan,
4855 ECONNRESET);
4856 break;
4857 }
4858 break;
4859 case L2CAP_EV_RECV_RR:
4860 l2cap_pass_to_tx(chan, control);
4861 if (control->final) {
4862 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4863
4864 if (!test_and_clear_bit(CONN_REJ_ACT,
4865 &chan->conn_state)) {
4866 control->final = 0;
4867 l2cap_retransmit_all(chan, control);
4868 }
4869
4870 l2cap_ertm_send(chan);
4871 } else if (control->poll) {
4872 l2cap_send_i_or_rr_or_rnr(chan);
4873 } else {
4874 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4875 &chan->conn_state) &&
4876 chan->unacked_frames)
4877 __set_retrans_timer(chan);
4878
4879 l2cap_ertm_send(chan);
4880 }
4881 break;
4882 case L2CAP_EV_RECV_RNR:
4883 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4884 l2cap_pass_to_tx(chan, control);
4885 if (control && control->poll) {
4886 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4887 l2cap_send_rr_or_rnr(chan, 0);
4888 }
4889 __clear_retrans_timer(chan);
4890 l2cap_seq_list_clear(&chan->retrans_list);
4891 break;
4892 case L2CAP_EV_RECV_REJ:
4893 l2cap_handle_rej(chan, control);
4894 break;
4895 case L2CAP_EV_RECV_SREJ:
4896 l2cap_handle_srej(chan, control);
4897 break;
4898 default:
4899 break;
4900 }
4901
4902 if (skb && !skb_in_use) {
4903 BT_DBG("Freeing %p", skb);
4904 kfree_skb(skb);
4905 }
4906
4907 return err;
4908}
4909
4910static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4911 struct l2cap_ctrl *control,
4912 struct sk_buff *skb, u8 event)
4913{
4914 int err = 0;
4915 u16 txseq = control->txseq;
4916 bool skb_in_use = 0;
4917
4918 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4919 event);
4920
4921 switch (event) {
4922 case L2CAP_EV_RECV_IFRAME:
4923 switch (l2cap_classify_txseq(chan, txseq)) {
4924 case L2CAP_TXSEQ_EXPECTED:
4925 /* Keep frame for reassembly later */
4926 l2cap_pass_to_tx(chan, control);
4927 skb_queue_tail(&chan->srej_q, skb);
4928 skb_in_use = 1;
4929 BT_DBG("Queued %p (queue len %d)", skb,
4930 skb_queue_len(&chan->srej_q));
4931
4932 chan->expected_tx_seq = __next_seq(chan, txseq);
4933 break;
4934 case L2CAP_TXSEQ_EXPECTED_SREJ:
4935 l2cap_seq_list_pop(&chan->srej_list);
4936
4937 l2cap_pass_to_tx(chan, control);
4938 skb_queue_tail(&chan->srej_q, skb);
4939 skb_in_use = 1;
4940 BT_DBG("Queued %p (queue len %d)", skb,
4941 skb_queue_len(&chan->srej_q));
4942
4943 err = l2cap_rx_queued_iframes(chan);
4944 if (err)
4945 break;
4946
4947 break;
4948 case L2CAP_TXSEQ_UNEXPECTED:
4949 /* Got a frame that can't be reassembled yet.
4950 * Save it for later, and send SREJs to cover
4951 * the missing frames.
4952 */
4953 skb_queue_tail(&chan->srej_q, skb);
4954 skb_in_use = 1;
4955 BT_DBG("Queued %p (queue len %d)", skb,
4956 skb_queue_len(&chan->srej_q));
4957
4958 l2cap_pass_to_tx(chan, control);
4959 l2cap_send_srej(chan, control->txseq);
4960 break;
4961 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4962 /* This frame was requested with an SREJ, but
4963 * some expected retransmitted frames are
4964 * missing. Request retransmission of missing
4965 * SREJ'd frames.
4966 */
4967 skb_queue_tail(&chan->srej_q, skb);
4968 skb_in_use = 1;
4969 BT_DBG("Queued %p (queue len %d)", skb,
4970 skb_queue_len(&chan->srej_q));
4971
4972 l2cap_pass_to_tx(chan, control);
4973 l2cap_send_srej_list(chan, control->txseq);
4974 break;
4975 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4976 /* We've already queued this frame. Drop this copy. */
4977 l2cap_pass_to_tx(chan, control);
4978 break;
4979 case L2CAP_TXSEQ_DUPLICATE:
4980 /* Expecting a later sequence number, so this frame
4981 * was already received. Ignore it completely.
4982 */
4983 break;
4984 case L2CAP_TXSEQ_INVALID_IGNORE:
4985 break;
4986 case L2CAP_TXSEQ_INVALID:
4987 default:
4988 l2cap_send_disconn_req(chan->conn, chan,
4989 ECONNRESET);
4990 break;
4991 }
4992 break;
4993 case L2CAP_EV_RECV_RR:
4994 l2cap_pass_to_tx(chan, control);
4995 if (control->final) {
4996 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4997
4998 if (!test_and_clear_bit(CONN_REJ_ACT,
4999 &chan->conn_state)) {
5000 control->final = 0;
5001 l2cap_retransmit_all(chan, control);
5002 }
5003
5004 l2cap_ertm_send(chan);
5005 } else if (control->poll) {
5006 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5007 &chan->conn_state) &&
5008 chan->unacked_frames) {
5009 __set_retrans_timer(chan);
5010 }
5011
5012 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5013 l2cap_send_srej_tail(chan);
5014 } else {
5015 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5016 &chan->conn_state) &&
5017 chan->unacked_frames)
5018 __set_retrans_timer(chan);
5019
5020 l2cap_send_ack(chan);
5021 }
5022 break;
5023 case L2CAP_EV_RECV_RNR:
5024 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5025 l2cap_pass_to_tx(chan, control);
5026 if (control->poll) {
5027 l2cap_send_srej_tail(chan);
5028 } else {
5029 struct l2cap_ctrl rr_control;
5030 memset(&rr_control, 0, sizeof(rr_control));
5031 rr_control.sframe = 1;
5032 rr_control.super = L2CAP_SUPER_RR;
5033 rr_control.reqseq = chan->buffer_seq;
5034 l2cap_send_sframe(chan, &rr_control);
5035 }
5036
5037 break;
5038 case L2CAP_EV_RECV_REJ:
5039 l2cap_handle_rej(chan, control);
5040 break;
5041 case L2CAP_EV_RECV_SREJ:
5042 l2cap_handle_srej(chan, control);
5043 break;
5044 }
5045
5046 if (skb && !skb_in_use) {
5047 BT_DBG("Freeing %p", skb);
5048 kfree_skb(skb);
5049 }
5050
5051 return err;
5052}
5053
5054static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5055{
5056 /* Make sure reqseq is for a packet that has been sent but not acked */
5057 u16 unacked;
5058
5059 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5060 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5061}
5062
cec8ab6e
MM		 5063static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5064 struct sk_buff *skb, u8 event)
218bb9df 5065{
d2a7ac5d
MM		 5066 int err = 0;
5067
5068 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5069 control, skb, event, chan->rx_state);
5070
5071 if (__valid_reqseq(chan, control->reqseq)) {
5072 switch (chan->rx_state) {
5073 case L2CAP_RX_STATE_RECV:
5074 err = l2cap_rx_state_recv(chan, control, skb, event);
5075 break;
5076 case L2CAP_RX_STATE_SREJ_SENT:
5077 err = l2cap_rx_state_srej_sent(chan, control, skb,
5078 event);
5079 break;
5080 default:
5081 /* shut it down */
5082 break;
5083 }
5084 } else {
5085 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5086 control->reqseq, chan->next_tx_seq,
5087 chan->expected_ack_seq);
5088 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5089 }
5090
5091 return err;
cec8ab6e
MM		 5092}
5093
5094static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5095 struct sk_buff *skb)
5096{
4b51dae9
MM		 5097 int err = 0;
5098
5099 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5100 chan->rx_state);
5101
5102 if (l2cap_classify_txseq(chan, control->txseq) ==
5103 L2CAP_TXSEQ_EXPECTED) {
5104 l2cap_pass_to_tx(chan, control);
5105
5106 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5107 __next_seq(chan, chan->buffer_seq));
5108
5109 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5110
5111 l2cap_reassemble_sdu(chan, skb, control);
5112 } else {
5113 if (chan->sdu) {
5114 kfree_skb(chan->sdu);
5115 chan->sdu = NULL;
5116 }
5117 chan->sdu_last_frag = NULL;
5118 chan->sdu_len = 0;
5119
5120 if (skb) {
5121 BT_DBG("Freeing %p", skb);
5122 kfree_skb(skb);
5123 }
5124 }
5125
5126 chan->last_acked_seq = control->txseq;
5127 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5128
5129 return err;
cec8ab6e
MM		 5130}
5131
5132static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5133{
5134 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5135 u16 len;
5136 u8 event;
218bb9df 5137
b76bbd66
MM		 5138 __unpack_control(chan, skb);
5139
218bb9df
GP		 5140 len = skb->len;
5141
5142 /*
5143 * We can just drop the corrupted I-frame here.
5144 * Receiver will miss it and start proper recovery
cec8ab6e 5145 * procedures and ask for retransmission.
218bb9df 5146 */
47d1ec61 5147 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5148 goto drop;
5149
cec8ab6e 5150 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5151 len -= L2CAP_SDULEN_SIZE;
218bb9df 5152
47d1ec61 5153 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5154 len -= L2CAP_FCS_SIZE;
218bb9df 5155
47d1ec61 5156 if (len > chan->mps) {
8c1d787b 5157 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5158 goto drop;
5159 }
5160
cec8ab6e
MM		 5161 if (!control->sframe) {
5162 int err;
218bb9df 5163
cec8ab6e
MM		 5164 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5165 control->sar, control->reqseq, control->final,
5166 control->txseq);
218bb9df 5167
cec8ab6e
MM		 5168 /* Validate F-bit - F=0 always valid, F=1 only
5169 * valid in TX WAIT_F
5170 */
5171 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5172 goto drop;
cec8ab6e
MM		 5173
5174 if (chan->mode != L2CAP_MODE_STREAMING) {
5175 event = L2CAP_EV_RECV_IFRAME;
5176 err = l2cap_rx(chan, control, skb, event);
5177 } else {
5178 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5179 }
5180
cec8ab6e
MM		 5181 if (err)
5182 l2cap_send_disconn_req(chan->conn, chan,
5183 ECONNRESET);
218bb9df 5184 } else {
cec8ab6e
MM		 5185 const u8 rx_func_to_event[4] = {
5186 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5187 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5188 };
5189
5190 /* Only I-frames are expected in streaming mode */
5191 if (chan->mode == L2CAP_MODE_STREAMING)
5192 goto drop;
5193
5194 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5195 control->reqseq, control->final, control->poll,
5196 control->super);
5197
218bb9df
GP		 5198 if (len != 0) {
5199 BT_ERR("%d", len);
8c1d787b 5200 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5201 goto drop;
5202 }
5203
cec8ab6e
MM		 5204 /* Validate F and P bits */
5205 if (control->final && (control->poll ||
5206 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5207 goto drop;
5208
5209 event = rx_func_to_event[control->super];
5210 if (l2cap_rx(chan, control, skb, event))
5211 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5212 }
5213
5214 return 0;
5215
5216drop:
5217 kfree_skb(skb);
5218 return 0;
5219}
5220
13ca56e0
AE		 5221static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5222 struct sk_buff *skb)
1da177e4 5223{
48454079 5224 struct l2cap_chan *chan;
1da177e4 5225
baa7e1fa 5226 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5227 if (!chan) {
97e8e89d
AE		 5228 if (cid == L2CAP_CID_A2MP) {
5229 chan = a2mp_channel_create(conn, skb);
5230 if (!chan) {
5231 kfree_skb(skb);
13ca56e0 5232 return;
97e8e89d
AE		 5233 }
5234
5235 l2cap_chan_lock(chan);
5236 } else {
5237 BT_DBG("unknown cid 0x%4.4x", cid);
5238 /* Drop packet and return */
5239 kfree_skb(skb);
13ca56e0 5240 return;
97e8e89d 5241 }
1da177e4
LT		 5242 }
5243
49208c9c 5244 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5245
89bc500e 5246 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5247 goto drop;
5248
0c1bc5c6 5249 switch (chan->mode) {
1c2acffb
GP		 5250 case L2CAP_MODE_BASIC:
5251 /* If socket recv buffers overflows we drop data here
5252 * which is *bad* because L2CAP has to be reliable.
5253 * But we don't have any other choice. L2CAP doesn't
5254 * provide flow control mechanism. */
1da177e4 5255
0c1bc5c6 5256 if (chan->imtu < skb->len)
1c2acffb 5257 goto drop;
1da177e4 5258
80b98027 5259 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5260 goto done;
5261 break;
5262
5263 case L2CAP_MODE_ERTM:
6840ed07 5264 case L2CAP_MODE_STREAMING:
cec8ab6e 5265 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5266 goto done;
5267
1c2acffb 5268 default:
0c1bc5c6 5269 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5270 break;
5271 }
1da177e4
LT		 5272
5273drop:
5274 kfree_skb(skb);
5275
5276done:
6be36555 5277 l2cap_chan_unlock(chan);
1da177e4
LT		 5278}
5279
84104b24
AE		 5280static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5281 struct sk_buff *skb)
1da177e4 5282{
23691d75 5283 struct l2cap_chan *chan;
1da177e4 5284
c2287681 5285 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5286 if (!chan)
1da177e4
LT		 5287 goto drop;
5288
5b4cedaa 5289 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5290
89bc500e 5291 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5292 goto drop;
5293
e13e21dc 5294 if (chan->imtu < skb->len)
1da177e4
LT		 5295 goto drop;
5296
80b98027 5297 if (!chan->ops->recv(chan, skb))
84104b24 5298 return;
1da177e4
LT		 5299
5300drop:
5301 kfree_skb(skb);
1da177e4
LT		 5302}
5303
6810fca7
AE		 5304static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5305 struct sk_buff *skb)
9f69bda6 5306{
23691d75 5307 struct l2cap_chan *chan;
9f69bda6 5308
c2287681 5309 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5310 if (!chan)
9f69bda6
GP		 5311 goto drop;
5312
5b4cedaa 5313 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5314
89bc500e 5315 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5316 goto drop;
5317
e13e21dc 5318 if (chan->imtu < skb->len)
9f69bda6
GP		 5319 goto drop;
5320
80b98027 5321 if (!chan->ops->recv(chan, skb))
6810fca7 5322 return;
9f69bda6
GP		 5323
5324drop:
5325 kfree_skb(skb);
9f69bda6
GP		 5326}
5327
1da177e4
LT		 5328static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5329{
5330 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5331 u16 cid, len;
5332 __le16 psm;
1da177e4
LT		 5333
5334 skb_pull(skb, L2CAP_HDR_SIZE);
5335 cid = __le16_to_cpu(lh->cid);
5336 len = __le16_to_cpu(lh->len);
5337
1c2acffb
GP		 5338 if (len != skb->len) {
5339 kfree_skb(skb);
5340 return;
5341 }
5342
1da177e4
LT		 5343 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5344
5345 switch (cid) {
3300d9a9 5346 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5347 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5348 l2cap_sig_channel(conn, skb);
5349 break;
5350
8db4dc46 5351 case L2CAP_CID_CONN_LESS:
097db76c 5352 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5353 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5354 l2cap_conless_channel(conn, psm, skb);
5355 break;
5356
9f69bda6
GP		 5357 case L2CAP_CID_LE_DATA:
5358 l2cap_att_channel(conn, cid, skb);
5359 break;
5360
b501d6a1
AB		 5361 case L2CAP_CID_SMP:
5362 if (smp_sig_channel(conn, skb))
5363 l2cap_conn_del(conn->hcon, EACCES);
5364 break;
5365
1da177e4
LT		 5366 default:
5367 l2cap_data_channel(conn, cid, skb);
5368 break;
5369 }
5370}
5371
5372/* ---- L2CAP interface with lower layer (HCI) ---- */
5373
686ebf28 5374int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5375{
5376 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5377 struct l2cap_chan *c;
1da177e4 5378
6ed93dc6 5379 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5380
5381 /* Find listening sockets and check their link_mode */
23691d75
GP		 5382 read_lock(&chan_list_lock);
5383 list_for_each_entry(c, &chan_list, global_l) {
5384 struct sock *sk = c->sk;
4343478f 5385
89bc500e 5386 if (c->state != BT_LISTEN)
1da177e4
LT		 5387 continue;
5388
5389 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5390 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5391 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5392 lm1 |= HCI_LM_MASTER;
1da177e4 5393 exact++;
2af6b9d5
MH		 5394 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5395 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5396 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5397 lm2 |= HCI_LM_MASTER;
5398 }
1da177e4 5399 }
23691d75 5400 read_unlock(&chan_list_lock);
1da177e4
LT		 5401
5402 return exact ? lm1 : lm2;
5403}
5404
9e664631 5405void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5406{
0139418c
MH		 5407 struct l2cap_conn *conn;
5408
6ed93dc6 5409 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5410
1da177e4 5411 if (!status) {
1da177e4
LT		 5412 conn = l2cap_conn_add(hcon, status);
5413 if (conn)
5414 l2cap_conn_ready(conn);
0139418c 5415 } else
e175072f 5416 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5417
1da177e4
LT		 5418}
5419
686ebf28 5420int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5421{
5422 struct l2cap_conn *conn = hcon->l2cap_data;
5423
5424 BT_DBG("hcon %p", hcon);
5425
686ebf28 5426 if (!conn)
9f5a0d7b 5427 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5428 return conn->disc_reason;
5429}
5430
9e664631 5431void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5432{
5433 BT_DBG("hcon %p reason %d", hcon, reason);
5434
e175072f 5435 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5436}
5437
4343478f 5438static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5439{
715ec005 5440 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5441 return;
5442
f62e4323 5443 if (encrypt == 0x00) {
4343478f 5444 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5445 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5446 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5447 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5448 } else {
4343478f 5449 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5450 __clear_chan_timer(chan);
f62e4323
MH		 5451 }
5452}
5453
686ebf28 5454int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5455{
0139418c 5456 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5457 struct l2cap_chan *chan;
1da177e4 5458
0139418c 5459 if (!conn)
1da177e4 5460 return 0;
0139418c 5461
89d8b407 5462 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5463
160dc6ac 5464 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5465 if (!status && encrypt)
5466 smp_distribute_keys(conn, 0);
17cd3f37 5467 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5468 }
5469
3df91ea2 5470 mutex_lock(&conn->chan_lock);
1da177e4 5471
3df91ea2 5472 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5473 l2cap_chan_lock(chan);
1da177e4 5474
89d8b407
AE		 5475 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5476 state_to_string(chan->state));
f1cb9af5 5477
78eb2f98
AE		 5478 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5479 l2cap_chan_unlock(chan);
5480 continue;
5481 }
5482
f1cb9af5
VCG		 5483 if (chan->scid == L2CAP_CID_LE_DATA) {
5484 if (!status && encrypt) {
5485 chan->sec_level = hcon->sec_level;
cf4cd009 5486 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5487 }
5488
6be36555 5489 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5490 continue;
5491 }
5492
c1360a1c 5493 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5494 l2cap_chan_unlock(chan);
6a8d3010
MH		 5495 continue;
5496 }
5497
89bc500e 5498 if (!status && (chan->state == BT_CONNECTED ||
2d792818 5499 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5500 struct sock *sk = chan->sk;
5501
c5daa683 5502 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5503 sk->sk_state_change(sk);
5504
4343478f 5505 l2cap_check_encryption(chan, encrypt);
6be36555 5506 l2cap_chan_unlock(chan);
9719f8af
MH		 5507 continue;
5508 }
5509
89bc500e 5510 if (chan->state == BT_CONNECT) {
b1235d79 5511 if (!status) {
93c3e8f5 5512 l2cap_start_connection(chan);
b1235d79 5513 } else {
ba13ccd9 5514 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5515 }
89bc500e 5516 } else if (chan->state == BT_CONNECT2) {
6be36555 5517 struct sock *sk = chan->sk;
b1235d79 5518 struct l2cap_conn_rsp rsp;
df3c3931 5519 __u16 res, stat;
1da177e4 5520
6be36555
AE		 5521 lock_sock(sk);
5522
b1235d79 5523 if (!status) {
c5daa683
GP		 5524 if (test_bit(BT_SK_DEFER_SETUP,
5525 &bt_sk(sk)->flags)) {
df3c3931
JH		 5526 struct sock *parent = bt_sk(sk)->parent;
5527 res = L2CAP_CR_PEND;
5528 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5529 if (parent)
5530 parent->sk_data_ready(parent, 0);
df3c3931 5531 } else {
0e587be7 5532 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5533 res = L2CAP_CR_SUCCESS;
5534 stat = L2CAP_CS_NO_INFO;
5535 }
b1235d79 5536 } else {
0e587be7 5537 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5538 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5539 res = L2CAP_CR_SEC_BLOCK;
5540 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5541 }
5542
6be36555
AE		 5543 release_sock(sk);
5544
fe4128e0
GP		 5545 rsp.scid = cpu_to_le16(chan->dcid);
5546 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5547 rsp.result = cpu_to_le16(res);
5548 rsp.status = cpu_to_le16(stat);
fc7f8a7e 5549 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 5550 sizeof(rsp), &rsp);
2d369359
MM		 5551
5552 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5553 res == L2CAP_CR_SUCCESS) {
5554 char buf[128];
5555 set_bit(CONF_REQ_SENT, &chan->conf_state);
5556 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5557 L2CAP_CONF_REQ,
5558 l2cap_build_conf_req(chan, buf),
5559 buf);
5560 chan->num_conf_req++;
5561 }
b1235d79 5562 }
1da177e4 5563
6be36555 5564 l2cap_chan_unlock(chan);
1da177e4
LT		 5565 }
5566
3df91ea2 5567 mutex_unlock(&conn->chan_lock);
b1235d79 5568
1da177e4
LT		 5569 return 0;
5570}
5571
686ebf28 5572int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5573{
5574 struct l2cap_conn *conn = hcon->l2cap_data;
5575
5a08ecce
AE		 5576 if (!conn)
5577 conn = l2cap_conn_add(hcon, 0);
5578
5579 if (!conn)
1da177e4
LT		 5580 goto drop;
5581
5582 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5583
e702112f 5584 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5585 struct l2cap_hdr *hdr;
5586 int len;
5587
5588 if (conn->rx_len) {
5589 BT_ERR("Unexpected start frame (len %d)", skb->len);
5590 kfree_skb(conn->rx_skb);
5591 conn->rx_skb = NULL;
5592 conn->rx_len = 0;
5593 l2cap_conn_unreliable(conn, ECOMM);
5594 }
5595
aae7fe22
AE		 5596 /* Start fragment always begin with Basic L2CAP header */
5597 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5598 BT_ERR("Frame is too short (len %d)", skb->len);
5599 l2cap_conn_unreliable(conn, ECOMM);
5600 goto drop;
5601 }
5602
5603 hdr = (struct l2cap_hdr *) skb->data;
5604 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5605
5606 if (len == skb->len) {
5607 /* Complete frame received */
5608 l2cap_recv_frame(conn, skb);
5609 return 0;
5610 }
5611
5612 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5613
5614 if (skb->len > len) {
5615 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 5616 skb->len, len);
1da177e4
LT		 5617 l2cap_conn_unreliable(conn, ECOMM);
5618 goto drop;
5619 }
5620
5621 /* Allocate skb for the complete frame (with header) */
8bcde1f2 5622 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 5623 if (!conn->rx_skb)
1da177e4
LT		 5624 goto drop;
5625
d626f62b 5626 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5627 skb->len);
1da177e4
LT		 5628 conn->rx_len = len - skb->len;
5629 } else {
5630 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5631
5632 if (!conn->rx_len) {
5633 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5634 l2cap_conn_unreliable(conn, ECOMM);
5635 goto drop;
5636 }
5637
5638 if (skb->len > conn->rx_len) {
5639 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 5640 skb->len, conn->rx_len);
1da177e4
LT		 5641 kfree_skb(conn->rx_skb);
5642 conn->rx_skb = NULL;
5643 conn->rx_len = 0;
5644 l2cap_conn_unreliable(conn, ECOMM);
5645 goto drop;
5646 }
5647
d626f62b 5648 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5649 skb->len);
1da177e4
LT		 5650 conn->rx_len -= skb->len;
5651
5652 if (!conn->rx_len) {
5653 /* Complete frame received */
5654 l2cap_recv_frame(conn, conn->rx_skb);
5655 conn->rx_skb = NULL;
5656 }
5657 }
5658
5659drop:
5660 kfree_skb(skb);
5661 return 0;
5662}
5663
aef7d97c 5664static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5665{
23691d75 5666 struct l2cap_chan *c;
1da177e4 5667
333055f2 5668 read_lock(&chan_list_lock);
1da177e4 5669
23691d75
GP		 5670 list_for_each_entry(c, &chan_list, global_l) {
5671 struct sock *sk = c->sk;
101545f6 5672
fcb73338
AE		 5673 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5674 &bt_sk(sk)->src, &bt_sk(sk)->dst,
5675 c->state, __le16_to_cpu(c->psm),
5676 c->scid, c->dcid, c->imtu, c->omtu,
5677 c->sec_level, c->mode);
61e1b4b7 5678 }
1da177e4 5679
333055f2 5680 read_unlock(&chan_list_lock);
1da177e4 5681
aef7d97c 5682 return 0;
1da177e4
LT		 5683}
5684
aef7d97c
MH		 5685static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5686{
5687 return single_open(file, l2cap_debugfs_show, inode->i_private);
5688}
5689
5690static const struct file_operations l2cap_debugfs_fops = {
5691 .open = l2cap_debugfs_open,
5692 .read = seq_read,
5693 .llseek = seq_lseek,
5694 .release = single_release,
5695};
5696
5697static struct dentry *l2cap_debugfs;
1da177e4 5698
64274518 5699int __init l2cap_init(void)
1da177e4
LT		 5700{
5701 int err;
be9d1227 5702
bb58f747 5703 err = l2cap_init_sockets();
1da177e4
LT		 5704 if (err < 0)
5705 return err;
5706
aef7d97c 5707 if (bt_debugfs) {
2d792818
GP		 5708 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
5709 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 5710 if (!l2cap_debugfs)
5711 BT_ERR("Failed to create L2CAP debug file");
5712 }
1da177e4 5713
1da177e4 5714 return 0;
1da177e4
LT		 5715}
5716
64274518 5717void l2cap_exit(void)
1da177e4 5718{
aef7d97c 5719 debugfs_remove(l2cap_debugfs);
bb58f747 5720 l2cap_cleanup_sockets();
1da177e4
LT		 5721}
5722
d1c4a17d
GP		 5723module_param(disable_ertm, bool, 0644);
5724MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)