projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: AMP: Factor out phylink_add
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
144ad330 409 kref_init(&chan->kref);
71ba0e56 410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
144ad330 419static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 420{
144ad330
SS		 421 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
422
4af66c69
JK		 423 BT_DBG("chan %p", chan);
424
333055f2 425 write_lock(&chan_list_lock);
23691d75 426 list_del(&chan->global_l);
333055f2 427 write_unlock(&chan_list_lock);
23691d75 428
4af66c69 429 kfree(chan);
6ff5abbf
GP		 430}
431
30648372
JK		 432void l2cap_chan_hold(struct l2cap_chan *c)
433{
144ad330 434 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 435
144ad330 436 kref_get(&c->kref);
30648372
JK		 437}
438
439void l2cap_chan_put(struct l2cap_chan *c)
440{
144ad330 441 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 442
144ad330 443 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 444}
445
bd4b1653
AE		 446void l2cap_chan_set_defaults(struct l2cap_chan *chan)
447{
448 chan->fcs = L2CAP_FCS_CRC16;
449 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 452 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 453 chan->sec_level = BT_SECURITY_LOW;
454
455 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
456}
457
93c3e8f5 458void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 459{
af05b30b 460 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 461 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 462
9f5a0d7b 463 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 464
8c1d787b 465 chan->conn = conn;
0139418c 466
5491120e
AE		 467 switch (chan->chan_type) {
468 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 469 if (conn->hcon->type == LE_LINK) {
470 /* LE connection */
6fcb06a2 471 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 472 chan->scid = L2CAP_CID_LE_DATA;
473 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 474 } else {
475 /* Alloc CID for connection-oriented socket */
fe4128e0 476 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 477 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 478 }
5491120e
AE		 479 break;
480
481 case L2CAP_CHAN_CONN_LESS:
0139418c 482 /* Connectionless socket */
fe4128e0
GP		 483 chan->scid = L2CAP_CID_CONN_LESS;
484 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 485 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 486 break;
487
416fa752
AE		 488 case L2CAP_CHAN_CONN_FIX_A2MP:
489 chan->scid = L2CAP_CID_A2MP;
490 chan->dcid = L2CAP_CID_A2MP;
491 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
492 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
493 break;
494
5491120e 495 default:
0139418c 496 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 497 chan->scid = L2CAP_CID_SIGNALING;
498 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 499 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 500 }
501
8f7975b1
AE		 502 chan->local_id = L2CAP_BESTEFFORT_ID;
503 chan->local_stype = L2CAP_SERV_BESTEFFORT;
504 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
505 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
506 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
507 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
508
371fd835 509 l2cap_chan_hold(chan);
baa7e1fa 510
3df91ea2 511 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 512}
513
466f8004 514void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 515{
516 mutex_lock(&conn->chan_lock);
517 __l2cap_chan_add(conn, chan);
3df91ea2 518 mutex_unlock(&conn->chan_lock);
0139418c
MH		 519}
520
466f8004 521void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 522{
8c1d787b 523 struct l2cap_conn *conn = chan->conn;
0139418c 524
c9b66675 525 __clear_chan_timer(chan);
0139418c 526
49208c9c 527 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 528
8e87d142 529 if (conn) {
baa7e1fa 530 /* Delete from channel list */
3df91ea2 531 list_del(&chan->list);
3d57dc68 532
371fd835 533 l2cap_chan_put(chan);
baa7e1fa 534
8c1d787b 535 chan->conn = NULL;
3cabbfda
AE		 536
537 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
538 hci_conn_put(conn->hcon);
0139418c
MH		 539 }
540
c0df7f6e
AE		 541 if (chan->ops->teardown)
542 chan->ops->teardown(chan, err);
6be36555 543
2827011f 544 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 545 return;
2ead70b8 546
ee556f66
GP		 547 switch(chan->mode) {
548 case L2CAP_MODE_BASIC:
549 break;
c13ffa62 550
ee556f66 551 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 552 __clear_retrans_timer(chan);
553 __clear_monitor_timer(chan);
554 __clear_ack_timer(chan);
c13ffa62 555
f1c6775b 556 skb_queue_purge(&chan->srej_q);
c13ffa62 557
3c588192
MM		 558 l2cap_seq_list_free(&chan->srej_list);
559 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 560
561 /* fall through */
562
563 case L2CAP_MODE_STREAMING:
564 skb_queue_purge(&chan->tx_q);
565 break;
c13ffa62 566 }
ee556f66
GP		 567
568 return;
0139418c
MH		 569}
570
0f852724 571void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 572{
573 struct l2cap_conn *conn = chan->conn;
574 struct sock *sk = chan->sk;
575
e05dcc32
AE		 576 BT_DBG("chan %p state %s sk %p", chan,
577 state_to_string(chan->state), sk);
4519de9a 578
89bc500e 579 switch (chan->state) {
4519de9a 580 case BT_LISTEN:
c0df7f6e
AE		 581 if (chan->ops->teardown)
582 chan->ops->teardown(chan, 0);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
ac73498c 610 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
c0df7f6e
AE		 624 if (chan->ops->teardown)
625 chan->ops->teardown(chan, 0);
4519de9a
GP		 626 break;
627 }
628}
629
4343478f 630static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 631{
715ec005 632 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 633 switch (chan->sec_level) {
8556edd3
JH		 634 case BT_SECURITY_HIGH:
635 return HCI_AT_DEDICATED_BONDING_MITM;
636 case BT_SECURITY_MEDIUM:
637 return HCI_AT_DEDICATED_BONDING;
638 default:
639 return HCI_AT_NO_BONDING;
640 }
2983fd68 641 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 642 if (chan->sec_level == BT_SECURITY_LOW)
643 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 644
4343478f 645 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 646 return HCI_AT_NO_BONDING_MITM;
00ae4af9 647 else
8556edd3 648 return HCI_AT_NO_BONDING;
00ae4af9 649 } else {
4343478f 650 switch (chan->sec_level) {
00ae4af9 651 case BT_SECURITY_HIGH:
8556edd3 652 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 653 case BT_SECURITY_MEDIUM:
8556edd3 654 return HCI_AT_GENERAL_BONDING;
00ae4af9 655 default:
8556edd3 656 return HCI_AT_NO_BONDING;
00ae4af9 657 }
0684e5f9 658 }
8556edd3
JH		 659}
660
661/* Service level security */
d45fc423 662int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 663{
8c1d787b 664 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 665 __u8 auth_type;
666
4343478f 667 auth_type = l2cap_get_auth_type(chan);
79d554a6 668
4343478f 669 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 670}
671
b5ad8b7f 672static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 673{
674 u8 id;
675
676 /* Get next available identificator.
677 * 1 - 128 are used by kernel.
678 * 129 - 199 are reserved.
679 * 200 - 254 are used by utilities like l2ping, etc.
680 */
681
333055f2 682 spin_lock(&conn->lock);
4e8402a3
MH		 683
684 if (++conn->tx_ident > 128)
685 conn->tx_ident = 1;
686
687 id = conn->tx_ident;
688
333055f2 689 spin_unlock(&conn->lock);
4e8402a3
MH		 690
691 return id;
692}
693
4519de9a 694static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 695{
696 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 697 u8 flags;
4e8402a3
MH		 698
699 BT_DBG("code 0x%2.2x", code);
700
701 if (!skb)
9a9c6a34 702 return;
4e8402a3 703
e702112f
AE		 704 if (lmp_no_flush_capable(conn->hcon->hdev))
705 flags = ACL_START_NO_FLUSH;
706 else
707 flags = ACL_START;
708
14b12d0b 709 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 710 skb->priority = HCI_PRIO_MAX;
14b12d0b 711
73d80deb
LAD		 712 hci_send_acl(conn->hchan, skb, flags);
713}
714
715static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
716{
717 struct hci_conn *hcon = chan->conn->hcon;
718 u16 flags;
719
720 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
721 skb->priority);
722
723 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
724 lmp_no_flush_capable(hcon->hdev))
725 flags = ACL_START_NO_FLUSH;
726 else
727 flags = ACL_START;
14b12d0b 728
73d80deb
LAD		 729 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
730 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 731}
732
b76bbd66
MM		 733static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
734{
735 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
736 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
737
738 if (enh & L2CAP_CTRL_FRAME_TYPE) {
739 /* S-Frame */
740 control->sframe = 1;
741 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
742 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
743
744 control->sar = 0;
745 control->txseq = 0;
746 } else {
747 /* I-Frame */
748 control->sframe = 0;
749 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
750 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
751
752 control->poll = 0;
753 control->super = 0;
754 }
755}
756
b76bbd66
MM		 757static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
758{
759 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
760 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
761
762 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
763 /* S-Frame */
764 control->sframe = 1;
765 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
766 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
767
768 control->sar = 0;
769 control->txseq = 0;
770 } else {
771 /* I-Frame */
772 control->sframe = 0;
773 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
774 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
775
776 control->poll = 0;
777 control->super = 0;
778 }
779}
780
781static inline void __unpack_control(struct l2cap_chan *chan,
782 struct sk_buff *skb)
783{
784 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
785 __unpack_extended_control(get_unaligned_le32(skb->data),
786 &bt_cb(skb)->control);
cec8ab6e 787 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 788 } else {
789 __unpack_enhanced_control(get_unaligned_le16(skb->data),
790 &bt_cb(skb)->control);
cec8ab6e 791 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 792 }
793}
794
b5c6aaed
MM		 795static u32 __pack_extended_control(struct l2cap_ctrl *control)
796{
797 u32 packed;
798
799 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
800 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
801
802 if (control->sframe) {
803 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
804 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
805 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
806 } else {
807 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
808 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
809 }
810
811 return packed;
812}
813
814static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
815{
816 u16 packed;
817
818 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
819 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
820
821 if (control->sframe) {
822 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
823 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
824 packed |= L2CAP_CTRL_FRAME_TYPE;
825 } else {
826 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
827 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
828 }
829
830 return packed;
831}
832
b76bbd66
MM		 833static inline void __pack_control(struct l2cap_chan *chan,
834 struct l2cap_ctrl *control,
835 struct sk_buff *skb)
836{
837 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
838 put_unaligned_le32(__pack_extended_control(control),
839 skb->data + L2CAP_HDR_SIZE);
840 } else {
841 put_unaligned_le16(__pack_enhanced_control(control),
842 skb->data + L2CAP_HDR_SIZE);
843 }
844}
845
ba7aa64f
GP		 846static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
847{
848 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
849 return L2CAP_EXT_HDR_SIZE;
850 else
851 return L2CAP_ENH_HDR_SIZE;
852}
853
a67d7f6f
MM		 854static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
855 u32 control)
b5c6aaed
MM		 856{
857 struct sk_buff *skb;
858 struct l2cap_hdr *lh;
ba7aa64f 859 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 860
861 if (chan->fcs == L2CAP_FCS_CRC16)
862 hlen += L2CAP_FCS_SIZE;
863
a67d7f6f 864 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 865
b5c6aaed 866 if (!skb)
a67d7f6f 867 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 868
869 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
870 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
871 lh->cid = cpu_to_le16(chan->dcid);
872
a67d7f6f
MM		 873 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
874 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
875 else
876 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 877
878 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 879 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 880 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
881 }
882
883 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 884 return skb;
885}
886
887static void l2cap_send_sframe(struct l2cap_chan *chan,
888 struct l2cap_ctrl *control)
889{
890 struct sk_buff *skb;
891 u32 control_field;
892
893 BT_DBG("chan %p, control %p", chan, control);
894
895 if (!control->sframe)
896 return;
897
898 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
899 !control->poll)
900 control->final = 1;
901
902 if (control->super == L2CAP_SUPER_RR)
903 clear_bit(CONN_RNR_SENT, &chan->conn_state);
904 else if (control->super == L2CAP_SUPER_RNR)
905 set_bit(CONN_RNR_SENT, &chan->conn_state);
906
907 if (control->super != L2CAP_SUPER_SREJ) {
908 chan->last_acked_seq = control->reqseq;
909 __clear_ack_timer(chan);
910 }
911
912 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
913 control->final, control->poll, control->super);
914
915 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
916 control_field = __pack_extended_control(control);
917 else
918 control_field = __pack_enhanced_control(control);
919
920 skb = l2cap_create_sframe_pdu(chan, control_field);
921 if (!IS_ERR(skb))
922 l2cap_do_send(chan, skb);
b5c6aaed
MM		 923}
924
c9e3d5e0 925static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 926{
c9e3d5e0
MM		 927 struct l2cap_ctrl control;
928
929 BT_DBG("chan %p, poll %d", chan, poll);
930
931 memset(&control, 0, sizeof(control));
932 control.sframe = 1;
933 control.poll = poll;
934
935 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
936 control.super = L2CAP_SUPER_RNR;
937 else
938 control.super = L2CAP_SUPER_RR;
b5c6aaed 939
c9e3d5e0
MM		 940 control.reqseq = chan->buffer_seq;
941 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 942}
943
b4450035 944static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 945{
c1360a1c 946 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 947}
948
93c3e8f5
AE		 949static bool __amp_capable(struct l2cap_chan *chan)
950{
951 struct l2cap_conn *conn = chan->conn;
952
953 if (enable_hs &&
954 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
955 conn->fixed_chan_mask & L2CAP_FC_A2MP)
956 return true;
957 else
958 return false;
959}
960
2766be48 961void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 962{
963 struct l2cap_conn *conn = chan->conn;
964 struct l2cap_conn_req req;
965
966 req.scid = cpu_to_le16(chan->scid);
967 req.psm = chan->psm;
968
969 chan->ident = l2cap_get_ident(conn);
970
971 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
972
973 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
974}
975
9f0caeb1
VCG		 976static void l2cap_chan_ready(struct l2cap_chan *chan)
977{
2827011f 978 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 979 chan->conf_state = 0;
980 __clear_chan_timer(chan);
981
54a59aa2 982 chan->state = BT_CONNECTED;
9f0caeb1 983
fd83e2c2 984 chan->ops->ready(chan);
9f0caeb1
VCG		 985}
986
93c3e8f5
AE		 987static void l2cap_start_connection(struct l2cap_chan *chan)
988{
989 if (__amp_capable(chan)) {
990 BT_DBG("chan %p AMP capable: discover AMPs", chan);
991 a2mp_discover_amp(chan);
992 } else {
993 l2cap_send_conn_req(chan);
994 }
995}
996
fc7f8a7e 997static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 998{
8c1d787b 999 struct l2cap_conn *conn = chan->conn;
79d554a6 1000
9f0caeb1
VCG		 1001 if (conn->hcon->type == LE_LINK) {
1002 l2cap_chan_ready(chan);
1003 return;
1004 }
1005
79d554a6 1006 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1007 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1008 return;
1009
d45fc423 1010 if (l2cap_chan_check_security(chan) &&
93c3e8f5
AE		 1011 __l2cap_no_conn_pending(chan)) {
1012 l2cap_start_connection(chan);
1013 }
79d554a6
MH		 1014 } else {
1015 struct l2cap_info_req req;
ac73498c 1016 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1017
1018 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1019 conn->info_ident = l2cap_get_ident(conn);
1020
ba13ccd9 1021 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1022
1023 l2cap_send_cmd(conn, conn->info_ident,
1024 L2CAP_INFO_REQ, sizeof(req), &req);
1025 }
1026}
1027
cf6c2c0b
GP		 1028static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1029{
1030 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1031 if (!disable_ertm)
cf6c2c0b
GP		 1032 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1033
1034 switch (mode) {
1035 case L2CAP_MODE_ERTM:
1036 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1037 case L2CAP_MODE_STREAMING:
1038 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1039 default:
1040 return 0x00;
1041 }
1042}
1043
4519de9a 1044static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1045{
6be36555 1046 struct sock *sk = chan->sk;
22121fc9
GP		 1047 struct l2cap_disconn_req req;
1048
c13ffa62
GP		 1049 if (!conn)
1050 return;
1051
0c1bc5c6 1052 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1053 __clear_retrans_timer(chan);
1054 __clear_monitor_timer(chan);
1055 __clear_ack_timer(chan);
c13ffa62
GP		 1056 }
1057
416fa752
AE		 1058 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1059 __l2cap_state_change(chan, BT_DISCONN);
1060 return;
1061 }
1062
fe4128e0
GP		 1063 req.dcid = cpu_to_le16(chan->dcid);
1064 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1065 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1066 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1067
6be36555 1068 lock_sock(sk);
0e587be7 1069 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1070 __l2cap_chan_set_err(chan, err);
6be36555 1071 release_sock(sk);
22121fc9
GP		 1072}
1073
1da177e4 1074/* ---- L2CAP connections ---- */
4e8402a3
MH		 1075static void l2cap_conn_start(struct l2cap_conn *conn)
1076{
3df91ea2 1077 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1078
1079 BT_DBG("conn %p", conn);
1080
3df91ea2 1081 mutex_lock(&conn->chan_lock);
4e8402a3 1082
3df91ea2 1083 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1084 struct sock *sk = chan->sk;
baa7e1fa 1085
6be36555 1086 l2cap_chan_lock(chan);
4e8402a3 1087
715ec005 1088 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1089 l2cap_chan_unlock(chan);
79d554a6
MH		 1090 continue;
1091 }
1092
89bc500e 1093 if (chan->state == BT_CONNECT) {
d45fc423 1094 if (!l2cap_chan_check_security(chan) ||
b4450035 1095 !__l2cap_no_conn_pending(chan)) {
6be36555 1096 l2cap_chan_unlock(chan);
47731de7
GP		 1097 continue;
1098 }
79d554a6 1099
c1360a1c
GP		 1100 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1101 && test_bit(CONF_STATE2_DEVICE,
1102 &chan->conf_state)) {
89bc500e 1103 l2cap_chan_close(chan, ECONNRESET);
6be36555 1104 l2cap_chan_unlock(chan);
47731de7 1105 continue;
b1235d79 1106 }
47731de7 1107
93c3e8f5 1108 l2cap_start_connection(chan);
47731de7 1109
89bc500e 1110 } else if (chan->state == BT_CONNECT2) {
79d554a6 1111 struct l2cap_conn_rsp rsp;
e9aeb2dd 1112 char buf[128];
fe4128e0
GP		 1113 rsp.scid = cpu_to_le16(chan->dcid);
1114 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1115
d45fc423 1116 if (l2cap_chan_check_security(chan)) {
6be36555 1117 lock_sock(sk);
c5daa683
GP		 1118 if (test_bit(BT_SK_DEFER_SETUP,
1119 &bt_sk(sk)->flags)) {
f66dc81f 1120 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1121 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1122 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1123 if (parent)
1124 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1125
1126 } else {
0e587be7 1127 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1128 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1129 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1130 }
6be36555 1131 release_sock(sk);
79d554a6 1132 } else {
ac73498c
AE		 1133 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1134 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1135 }
1136
fc7f8a7e
GP		 1137 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1138 sizeof(rsp), &rsp);
e9aeb2dd 1139
c1360a1c 1140 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1141 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1142 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1143 continue;
1144 }
1145
c1360a1c 1146 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1147 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1148 l2cap_build_conf_req(chan, buf), buf);
1149 chan->num_conf_req++;
4e8402a3
MH		 1150 }
1151
6be36555 1152 l2cap_chan_unlock(chan);
4e8402a3
MH		 1153 }
1154
3df91ea2 1155 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1156}
1157
c2287681 1158/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1159 * Returns closest match, locked.
1160 */
d9b88702 1161static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1162 bdaddr_t *src,
1163 bdaddr_t *dst)
b62f328b 1164{
23691d75 1165 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1166
23691d75 1167 read_lock(&chan_list_lock);
b62f328b 1168
23691d75
GP		 1169 list_for_each_entry(c, &chan_list, global_l) {
1170 struct sock *sk = c->sk;
fe4128e0 1171
89bc500e 1172 if (state && c->state != state)
b62f328b
VT		 1173 continue;
1174
23691d75 1175 if (c->scid == cid) {
c2287681
IY		 1176 int src_match, dst_match;
1177 int src_any, dst_any;
1178
b62f328b 1179 /* Exact match. */
c2287681
IY		 1180 src_match = !bacmp(&bt_sk(sk)->src, src);
1181 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1182 if (src_match && dst_match) {
23691d75
GP		 1183 read_unlock(&chan_list_lock);
1184 return c;
1185 }
b62f328b
VT		 1186
1187 /* Closest match */
c2287681
IY		 1188 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1189 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1190 if ((src_match && dst_any) || (src_any && dst_match) ||
1191 (src_any && dst_any))
23691d75 1192 c1 = c;
b62f328b
VT		 1193 }
1194 }
280f294f 1195
23691d75 1196 read_unlock(&chan_list_lock);
b62f328b 1197
23691d75 1198 return c1;
b62f328b
VT		 1199}
1200
1201static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1202{
c916fbe4 1203 struct sock *parent, *sk;
23691d75 1204 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1205
1206 BT_DBG("");
1207
1208 /* Check if we have socket listening on cid */
23691d75 1209 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1210 conn->src, conn->dst);
23691d75 1211 if (!pchan)
b62f328b
VT		 1212 return;
1213
23691d75
GP		 1214 parent = pchan->sk;
1215
aa2ac881 1216 lock_sock(parent);
62f3a2cf 1217
80b98027 1218 chan = pchan->ops->new_connection(pchan);
80808e43 1219 if (!chan)
b62f328b
VT		 1220 goto clean;
1221
80808e43 1222 sk = chan->sk;
5d41ce1d 1223
b62f328b 1224 hci_conn_hold(conn->hcon);
a9ea3ed9 1225 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1226
b62f328b
VT		 1227 bacpy(&bt_sk(sk)->src, conn->src);
1228 bacpy(&bt_sk(sk)->dst, conn->dst);
1229
d1010240
GP		 1230 bt_accept_enqueue(parent, sk);
1231
3d57dc68 1232 l2cap_chan_add(conn, chan);
48454079 1233
6754e0df 1234 l2cap_chan_ready(chan);
b62f328b 1235
b62f328b 1236clean:
aa2ac881 1237 release_sock(parent);
b62f328b
VT		 1238}
1239
4e8402a3
MH		 1240static void l2cap_conn_ready(struct l2cap_conn *conn)
1241{
48454079 1242 struct l2cap_chan *chan;
cc110922 1243 struct hci_conn *hcon = conn->hcon;
4e8402a3 1244
79d554a6 1245 BT_DBG("conn %p", conn);
4e8402a3 1246
cc110922 1247 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1248 l2cap_le_conn_ready(conn);
1249
cc110922
VCG		 1250 if (hcon->out && hcon->type == LE_LINK)
1251 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1252
3df91ea2 1253 mutex_lock(&conn->chan_lock);
4e8402a3 1254
3df91ea2 1255 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1256
6be36555 1257 l2cap_chan_lock(chan);
4e8402a3 1258
416fa752
AE		 1259 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1260 l2cap_chan_unlock(chan);
1261 continue;
1262 }
1263
cc110922
VCG		 1264 if (hcon->type == LE_LINK) {
1265 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1266 l2cap_chan_ready(chan);
acd7d370 1267
63128451 1268 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1269 struct sock *sk = chan->sk;
c9b66675 1270 __clear_chan_timer(chan);
6be36555 1271 lock_sock(sk);
0e587be7 1272 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1273 sk->sk_state_change(sk);
6be36555 1274 release_sock(sk);
b501d6a1 1275
89bc500e 1276 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1277 l2cap_do_start(chan);
4e8402a3 1278
6be36555 1279 l2cap_chan_unlock(chan);
4e8402a3 1280 }
79d554a6 1281
3df91ea2 1282 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1283}
1284
1285/* Notify sockets that we cannot guaranty reliability anymore */
1286static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1287{
48454079 1288 struct l2cap_chan *chan;
4e8402a3
MH		 1289
1290 BT_DBG("conn %p", conn);
1291
3df91ea2 1292 mutex_lock(&conn->chan_lock);
4e8402a3 1293
3df91ea2 1294 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1295 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1296 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1297 }
1298
3df91ea2 1299 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1300}
1301
f878fcad 1302static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1303{
f878fcad 1304 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1305 info_timer.work);
4e8402a3 1306
984947dc 1307 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1308 conn->info_ident = 0;
984947dc 1309
4e8402a3
MH		 1310 l2cap_conn_start(conn);
1311}
1312
5d3de7df
VCG		 1313static void l2cap_conn_del(struct hci_conn *hcon, int err)
1314{
1315 struct l2cap_conn *conn = hcon->l2cap_data;
1316 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1317
1318 if (!conn)
1319 return;
1320
1321 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1322
1323 kfree_skb(conn->rx_skb);
1324
3df91ea2
AE		 1325 mutex_lock(&conn->chan_lock);
1326
5d3de7df
VCG		 1327 /* Kill channels */
1328 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1329 l2cap_chan_hold(chan);
6be36555
AE		 1330 l2cap_chan_lock(chan);
1331
5d3de7df 1332 l2cap_chan_del(chan, err);
6be36555
AE		 1333
1334 l2cap_chan_unlock(chan);
1335
80b98027 1336 chan->ops->close(chan);
61d6ef3e 1337 l2cap_chan_put(chan);
5d3de7df
VCG		 1338 }
1339
3df91ea2
AE		 1340 mutex_unlock(&conn->chan_lock);
1341
73d80deb
LAD		 1342 hci_chan_del(conn->hchan);
1343
5d3de7df 1344 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1345 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1346
51a8efd7 1347 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1348 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1349 smp_chan_destroy(conn);
d26a2345 1350 }
5d3de7df
VCG		 1351
1352 hcon->l2cap_data = NULL;
1353 kfree(conn);
1354}
1355
6c9d42a1 1356static void security_timeout(struct work_struct *work)
5d3de7df 1357{
6c9d42a1
GP		 1358 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1359 security_timer.work);
5d3de7df 1360
d06cc416
JH		 1361 BT_DBG("conn %p", conn);
1362
1363 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1364 smp_chan_destroy(conn);
1365 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1366 }
5d3de7df
VCG		 1367}
1368
1da177e4
LT		 1369static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1370{
0139418c 1371 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1372 struct hci_chan *hchan;
1da177e4 1373
0139418c 1374 if (conn || status)
1da177e4
LT		 1375 return conn;
1376
73d80deb
LAD		 1377 hchan = hci_chan_create(hcon);
1378 if (!hchan)
1379 return NULL;
1380
0139418c 1381 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1382 if (!conn) {
1383 hci_chan_del(hchan);
1da177e4 1384 return NULL;
73d80deb 1385 }
1da177e4
LT		 1386
1387 hcon->l2cap_data = conn;
1388 conn->hcon = hcon;
73d80deb 1389 conn->hchan = hchan;
1da177e4 1390
73d80deb 1391 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1392
acd7d370
VT		 1393 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1394 conn->mtu = hcon->hdev->le_mtu;
1395 else
1396 conn->mtu = hcon->hdev->acl_mtu;
1397
1da177e4
LT		 1398 conn->src = &hcon->hdev->bdaddr;
1399 conn->dst = &hcon->dst;
1400
4e8402a3
MH		 1401 conn->feat_mask = 0;
1402
1da177e4 1403 spin_lock_init(&conn->lock);
3df91ea2 1404 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1405
1406 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1407
5d3de7df 1408 if (hcon->type == LE_LINK)
6c9d42a1 1409 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1410 else
030013d8 1411 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1412
9f5a0d7b 1413 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1414
1da177e4
LT		 1415 return conn;
1416}
1417
1da177e4 1418/* ---- Socket interface ---- */
1da177e4 1419
c2287681 1420/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1421 * Returns closest match.
1422 */
c2287681
IY		 1423static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1424 bdaddr_t *src,
1425 bdaddr_t *dst)
1da177e4 1426{
23691d75 1427 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1428
23691d75 1429 read_lock(&chan_list_lock);
e0f0cb56 1430
23691d75
GP		 1431 list_for_each_entry(c, &chan_list, global_l) {
1432 struct sock *sk = c->sk;
fe4128e0 1433
89bc500e 1434 if (state && c->state != state)
1da177e4
LT		 1435 continue;
1436
23691d75 1437 if (c->psm == psm) {
c2287681
IY		 1438 int src_match, dst_match;
1439 int src_any, dst_any;
1440
1da177e4 1441 /* Exact match. */
c2287681
IY		 1442 src_match = !bacmp(&bt_sk(sk)->src, src);
1443 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1444 if (src_match && dst_match) {
a7567b20 1445 read_unlock(&chan_list_lock);
23691d75
GP		 1446 return c;
1447 }
1da177e4
LT		 1448
1449 /* Closest match */
c2287681
IY		 1450 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1451 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1452 if ((src_match && dst_any) || (src_any && dst_match) ||
1453 (src_any && dst_any))
23691d75 1454 c1 = c;
1da177e4
LT		 1455 }
1456 }
1da177e4 1457
23691d75 1458 read_unlock(&chan_list_lock);
e0f0cb56 1459
23691d75 1460 return c1;
1da177e4
LT		 1461}
1462
8e9f9892
AG		 1463int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1464 bdaddr_t *dst, u8 dst_type)
1da177e4 1465{
5d41ce1d 1466 struct sock *sk = chan->sk;
1da177e4 1467 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1468 struct l2cap_conn *conn;
1469 struct hci_conn *hcon;
1470 struct hci_dev *hdev;
09ab6f4c 1471 __u8 auth_type;
44d0e48e 1472 int err;
1da177e4 1473
6ed93dc6 1474 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1475 dst_type, __le16_to_cpu(psm));
1da177e4 1476
af05b30b
GP		 1477 hdev = hci_get_route(dst, src);
1478 if (!hdev)
1da177e4
LT		 1479 return -EHOSTUNREACH;
1480
09fd0de5 1481 hci_dev_lock(hdev);
1da177e4 1482
6be36555 1483 l2cap_chan_lock(chan);
03a00194
GP		 1484
1485 /* PSM must be odd and lsb of upper byte must be 0 */
1486 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1487 chan->chan_type != L2CAP_CHAN_RAW) {
1488 err = -EINVAL;
1489 goto done;
1490 }
1491
1492 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1493 err = -EINVAL;
1494 goto done;
1495 }
1496
1497 switch (chan->mode) {
1498 case L2CAP_MODE_BASIC:
1499 break;
1500 case L2CAP_MODE_ERTM:
1501 case L2CAP_MODE_STREAMING:
1502 if (!disable_ertm)
1503 break;
1504 /* fall through */
1505 default:
1506 err = -ENOTSUPP;
1507 goto done;
1508 }
1509
0797e01d 1510 switch (chan->state) {
03a00194
GP		 1511 case BT_CONNECT:
1512 case BT_CONNECT2:
1513 case BT_CONFIG:
1514 /* Already connecting */
1515 err = 0;
1516 goto done;
1517
1518 case BT_CONNECTED:
1519 /* Already connected */
1520 err = -EISCONN;
1521 goto done;
1522
1523 case BT_OPEN:
1524 case BT_BOUND:
1525 /* Can connect */
1526 break;
1527
1528 default:
1529 err = -EBADFD;
1530 goto done;
1531 }
1532
1533 /* Set destination address and psm */
0797e01d 1534 lock_sock(sk);
9219b2a0 1535 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1536 release_sock(sk);
1537
03a00194
GP		 1538 chan->psm = psm;
1539 chan->dcid = cid;
1da177e4 1540
4343478f 1541 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1542
fe4128e0 1543 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1544 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1545 chan->sec_level, auth_type);
acd7d370 1546 else
8e9f9892 1547 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1548 chan->sec_level, auth_type);
acd7d370 1549
30e76272
VT		 1550 if (IS_ERR(hcon)) {
1551 err = PTR_ERR(hcon);
1da177e4 1552 goto done;
30e76272 1553 }
1da177e4
LT		 1554
1555 conn = l2cap_conn_add(hcon, 0);
1556 if (!conn) {
1557 hci_conn_put(hcon);
30e76272 1558 err = -ENOMEM;
1da177e4
LT		 1559 goto done;
1560 }
1561
9f0caeb1
VCG		 1562 if (hcon->type == LE_LINK) {
1563 err = 0;
1564
1565 if (!list_empty(&conn->chan_l)) {
1566 err = -EBUSY;
1567 hci_conn_put(hcon);
1568 }
1569
1570 if (err)
1571 goto done;
1572 }
1573
1da177e4
LT		 1574 /* Update source addr of the socket */
1575 bacpy(src, conn->src);
1576
6be36555 1577 l2cap_chan_unlock(chan);
48454079 1578 l2cap_chan_add(conn, chan);
6be36555 1579 l2cap_chan_lock(chan);
48454079 1580
6be36555 1581 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1582 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1583
1584 if (hcon->state == BT_CONNECTED) {
715ec005 1585 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1586 __clear_chan_timer(chan);
d45fc423 1587 if (l2cap_chan_check_security(chan))
6be36555 1588 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1589 } else
fc7f8a7e 1590 l2cap_do_start(chan);
1da177e4
LT		 1591 }
1592
30e76272
VT		 1593 err = 0;
1594
1da177e4 1595done:
6be36555 1596 l2cap_chan_unlock(chan);
09fd0de5 1597 hci_dev_unlock(hdev);
1da177e4
LT		 1598 hci_dev_put(hdev);
1599 return err;
1600}
1601
dcba0dba 1602int __l2cap_wait_ack(struct sock *sk)
6161c038 1603{
8c1d787b 1604 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1605 DECLARE_WAITQUEUE(wait, current);
1606 int err = 0;
1607 int timeo = HZ/5;
1608
2b0b05dd 1609 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1610 set_current_state(TASK_INTERRUPTIBLE);
1611 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1612 if (!timeo)
1613 timeo = HZ/5;
1614
1615 if (signal_pending(current)) {
1616 err = sock_intr_errno(timeo);
1617 break;
1618 }
1619
1620 release_sock(sk);
1621 timeo = schedule_timeout(timeo);
1622 lock_sock(sk);
a71a0cf4 1623 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1624
1625 err = sock_error(sk);
1626 if (err)
1627 break;
1628 }
1629 set_current_state(TASK_RUNNING);
2b0b05dd 1630 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1631 return err;
1632}
1633
721c4181 1634static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1635{
721c4181 1636 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1637 monitor_timer.work);
e90bac06 1638
525cd185 1639 BT_DBG("chan %p", chan);
0e98958d 1640
6be36555
AE		 1641 l2cap_chan_lock(chan);
1642
80909e04 1643 if (!chan->conn) {
6be36555 1644 l2cap_chan_unlock(chan);
8d7e1c7f 1645 l2cap_chan_put(chan);
e90bac06
GP		 1646 return;
1647 }
1648
401bb1f7 1649 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1650
6be36555 1651 l2cap_chan_unlock(chan);
8d7e1c7f 1652 l2cap_chan_put(chan);
e90bac06
GP		 1653}
1654
721c4181 1655static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1656{
721c4181 1657 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1658 retrans_timer.work);
e90bac06 1659
49208c9c 1660 BT_DBG("chan %p", chan);
0e98958d 1661
6be36555
AE		 1662 l2cap_chan_lock(chan);
1663
80909e04
MM		 1664 if (!chan->conn) {
1665 l2cap_chan_unlock(chan);
1666 l2cap_chan_put(chan);
1667 return;
1668 }
6be36555 1669
401bb1f7 1670 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1671 l2cap_chan_unlock(chan);
8d7e1c7f 1672 l2cap_chan_put(chan);
e90bac06
GP		 1673}
1674
d660366d
GP		 1675static void l2cap_streaming_send(struct l2cap_chan *chan,
1676 struct sk_buff_head *skbs)
6840ed07 1677{
ccbb84af 1678 struct sk_buff *skb;
3733937d 1679 struct l2cap_ctrl *control;
6840ed07 1680
3733937d
MM		 1681 BT_DBG("chan %p, skbs %p", chan, skbs);
1682
3733937d
MM		 1683 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1684
1685 while (!skb_queue_empty(&chan->tx_q)) {
1686
1687 skb = skb_dequeue(&chan->tx_q);
1688
1689 bt_cb(skb)->control.retries = 1;
1690 control = &bt_cb(skb)->control;
1691
1692 control->reqseq = 0;
1693 control->txseq = chan->next_tx_seq;
1694
1695 __pack_control(chan, control, skb);
6840ed07 1696
47d1ec61 1697 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1698 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1699 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1700 }
1701
4343478f 1702 l2cap_do_send(chan, skb);
6840ed07 1703
b4400672 1704 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1705
836be934 1706 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1707 chan->frames_sent++;
6840ed07 1708 }
6840ed07
GP		 1709}
1710
67c9e840 1711static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1712{
1713 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1714 struct l2cap_ctrl *control;
1715 int sent = 0;
1716
1717 BT_DBG("chan %p", chan);
1c2acffb 1718
89bc500e 1719 if (chan->state != BT_CONNECTED)
c13ffa62 1720 return -ENOTCONN;
e90bac06 1721
94122bbe
MM		 1722 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1723 return 0;
1724
18a48e76
MM		 1725 while (chan->tx_send_head &&
1726 chan->unacked_frames < chan->remote_tx_win &&
1727 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1728
18a48e76 1729 skb = chan->tx_send_head;
e90bac06 1730
18a48e76
MM		 1731 bt_cb(skb)->control.retries = 1;
1732 control = &bt_cb(skb)->control;
95ffa978 1733
e2ab4353 1734 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1735 control->final = 1;
e2ab4353 1736
18a48e76
MM		 1737 control->reqseq = chan->buffer_seq;
1738 chan->last_acked_seq = chan->buffer_seq;
1739 control->txseq = chan->next_tx_seq;
1c2acffb 1740
18a48e76 1741 __pack_control(chan, control, skb);
e90bac06 1742
47d1ec61 1743 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1744 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1745 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1746 }
1747
18a48e76
MM		 1748 /* Clone after data has been modified. Data is assumed to be
1749 read-only (for locking purposes) on cloned sk_buffs.
1750 */
1751 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1752
18a48e76
MM		 1753 if (!tx_skb)
1754 break;
1c2acffb 1755
18a48e76 1756 __set_retrans_timer(chan);
836be934
AE		 1757
1758 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1759 chan->unacked_frames++;
6a026610 1760 chan->frames_sent++;
18a48e76 1761 sent++;
1c2acffb 1762
58d35f87
GP		 1763 if (skb_queue_is_last(&chan->tx_q, skb))
1764 chan->tx_send_head = NULL;
1c2acffb 1765 else
58d35f87 1766 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1767
1768 l2cap_do_send(chan, tx_skb);
b4400672 1769 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1770 }
1771
b4400672
AE		 1772 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1773 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1774
1775 return sent;
9e917af1
GP		 1776}
1777
e1fbd4c1
MM		 1778static void l2cap_ertm_resend(struct l2cap_chan *chan)
1779{
1780 struct l2cap_ctrl control;
1781 struct sk_buff *skb;
1782 struct sk_buff *tx_skb;
1783 u16 seq;
1784
1785 BT_DBG("chan %p", chan);
1786
1787 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1788 return;
1789
1790 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1791 seq = l2cap_seq_list_pop(&chan->retrans_list);
1792
1793 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1794 if (!skb) {
1795 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1796 seq);
1797 continue;
1798 }
1799
1800 bt_cb(skb)->control.retries++;
1801 control = bt_cb(skb)->control;
1802
1803 if (chan->max_tx != 0 &&
1804 bt_cb(skb)->control.retries > chan->max_tx) {
1805 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1806 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1807 l2cap_seq_list_clear(&chan->retrans_list);
1808 break;
1809 }
1810
1811 control.reqseq = chan->buffer_seq;
1812 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1813 control.final = 1;
1814 else
1815 control.final = 0;
1816
1817 if (skb_cloned(skb)) {
1818 /* Cloned sk_buffs are read-only, so we need a
1819 * writeable copy
1820 */
1821 tx_skb = skb_copy(skb, GFP_ATOMIC);
1822 } else {
1823 tx_skb = skb_clone(skb, GFP_ATOMIC);
1824 }
1825
1826 if (!tx_skb) {
1827 l2cap_seq_list_clear(&chan->retrans_list);
1828 break;
1829 }
1830
1831 /* Update skb contents */
1832 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1833 put_unaligned_le32(__pack_extended_control(&control),
1834 tx_skb->data + L2CAP_HDR_SIZE);
1835 } else {
1836 put_unaligned_le16(__pack_enhanced_control(&control),
1837 tx_skb->data + L2CAP_HDR_SIZE);
1838 }
1839
1840 if (chan->fcs == L2CAP_FCS_CRC16) {
1841 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1842 put_unaligned_le16(fcs, skb_put(tx_skb,
1843 L2CAP_FCS_SIZE));
1844 }
1845
1846 l2cap_do_send(chan, tx_skb);
1847
1848 BT_DBG("Resent txseq %d", control.txseq);
1849
1850 chan->last_acked_seq = chan->buffer_seq;
1851 }
1852}
1853
f80842a8
MM		 1854static void l2cap_retransmit(struct l2cap_chan *chan,
1855 struct l2cap_ctrl *control)
1856{
1857 BT_DBG("chan %p, control %p", chan, control);
1858
1859 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1860 l2cap_ertm_resend(chan);
1861}
1862
d2a7ac5d
MM		 1863static void l2cap_retransmit_all(struct l2cap_chan *chan,
1864 struct l2cap_ctrl *control)
1865{
e1fbd4c1
MM		 1866 struct sk_buff *skb;
1867
1868 BT_DBG("chan %p, control %p", chan, control);
1869
1870 if (control->poll)
1871 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1872
1873 l2cap_seq_list_clear(&chan->retrans_list);
1874
1875 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1876 return;
1877
1878 if (chan->unacked_frames) {
1879 skb_queue_walk(&chan->tx_q, skb) {
1880 if (bt_cb(skb)->control.txseq == control->reqseq ||
1881 skb == chan->tx_send_head)
1882 break;
1883 }
1884
1885 skb_queue_walk_from(&chan->tx_q, skb) {
1886 if (skb == chan->tx_send_head)
1887 break;
1888
1889 l2cap_seq_list_append(&chan->retrans_list,
1890 bt_cb(skb)->control.txseq);
1891 }
1892
1893 l2cap_ertm_resend(chan);
1894 }
d2a7ac5d
MM		 1895}
1896
0a0aba42 1897static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1898{
0a0aba42
MM		 1899 struct l2cap_ctrl control;
1900 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1901 chan->last_acked_seq);
1902 int threshold;
9e917af1 1903
0a0aba42
MM		 1904 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1905 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1906
0a0aba42
MM		 1907 memset(&control, 0, sizeof(control));
1908 control.sframe = 1;
dfc909be 1909
0a0aba42
MM		 1910 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1911 chan->rx_state == L2CAP_RX_STATE_RECV) {
1912 __clear_ack_timer(chan);
1913 control.super = L2CAP_SUPER_RNR;
1914 control.reqseq = chan->buffer_seq;
1915 l2cap_send_sframe(chan, &control);
1916 } else {
1917 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1918 l2cap_ertm_send(chan);
1919 /* If any i-frames were sent, they included an ack */
1920 if (chan->buffer_seq == chan->last_acked_seq)
1921 frames_to_ack = 0;
1922 }
dfc909be 1923
c20f8e35 1924 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1925 * Calculate without mul or div
1926 */
c20f8e35 1927 threshold = chan->ack_win;
0a0aba42
MM		 1928 threshold += threshold << 1;
1929 threshold >>= 2;
1930
b4400672 1931 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1932 threshold);
1933
1934 if (frames_to_ack >= threshold) {
1935 __clear_ack_timer(chan);
1936 control.super = L2CAP_SUPER_RR;
1937 control.reqseq = chan->buffer_seq;
1938 l2cap_send_sframe(chan, &control);
1939 frames_to_ack = 0;
1940 }
1c2acffb 1941
0a0aba42
MM		 1942 if (frames_to_ack)
1943 __set_ack_timer(chan);
1944 }
b17e73bb
SJ		 1945}
1946
04124681
GP		 1947static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1948 struct msghdr *msg, int len,
1949 int count, struct sk_buff *skb)
1c2acffb 1950{
0952a57a 1951 struct l2cap_conn *conn = chan->conn;
1c2acffb 1952 struct sk_buff **frag;
90338947 1953 int sent = 0;
1da177e4 1954
59203a21 1955 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1956 return -EFAULT;
1da177e4
LT		 1957
1958 sent += count;
1959 len -= count;
1960
1961 /* Continuation fragments (no L2CAP header) */
1962 frag = &skb_shinfo(skb)->frag_list;
1963 while (len) {
fbe00700
GP		 1964 struct sk_buff *tmp;
1965
1da177e4
LT		 1966 count = min_t(unsigned int, conn->mtu, len);
1967
fbe00700
GP		 1968 tmp = chan->ops->alloc_skb(chan, count,
1969 msg->msg_flags & MSG_DONTWAIT);
1970 if (IS_ERR(tmp))
1971 return PTR_ERR(tmp);
1972
1973 *frag = tmp;
2f7719ce 1974
1c2acffb
GP		 1975 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1976 return -EFAULT;
1da177e4 1977
5e59b791
LAD		 1978 (*frag)->priority = skb->priority;
1979
1da177e4
LT		 1980 sent += count;
1981 len -= count;
1982
2d0ed3d5
GP		 1983 skb->len += (*frag)->len;
1984 skb->data_len += (*frag)->len;
1985
1da177e4
LT		 1986 frag = &(*frag)->next;
1987 }
1da177e4
LT		 1988
1989 return sent;
1c2acffb 1990}
1da177e4 1991
5e59b791 1992static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 1993 struct msghdr *msg, size_t len,
1994 u32 priority)
1c2acffb 1995{
8c1d787b 1996 struct l2cap_conn *conn = chan->conn;
1c2acffb 1997 struct sk_buff *skb;
03a51213 1998 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1999 struct l2cap_hdr *lh;
2000
b4400672 2001 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2002
2003 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2004
2005 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2006 msg->msg_flags & MSG_DONTWAIT);
2007 if (IS_ERR(skb))
2008 return skb;
1c2acffb 2009
5e59b791
LAD		 2010 skb->priority = priority;
2011
1c2acffb
GP		 2012 /* Create L2CAP header */
2013 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2014 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2015 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2016 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2017
0952a57a 2018 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2019 if (unlikely(err < 0)) {
2020 kfree_skb(skb);
2021 return ERR_PTR(err);
2022 }
2023 return skb;
2024}
2025
5e59b791 2026static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2027 struct msghdr *msg, size_t len,
2028 u32 priority)
1c2acffb 2029{
8c1d787b 2030 struct l2cap_conn *conn = chan->conn;
1c2acffb 2031 struct sk_buff *skb;
f2ba7fae 2032 int err, count;
1c2acffb
GP		 2033 struct l2cap_hdr *lh;
2034
b4400672 2035 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2036
f2ba7fae 2037 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2038
f2ba7fae 2039 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2040 msg->msg_flags & MSG_DONTWAIT);
2041 if (IS_ERR(skb))
2042 return skb;
1c2acffb 2043
5e59b791
LAD		 2044 skb->priority = priority;
2045
1c2acffb
GP		 2046 /* Create L2CAP header */
2047 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2048 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2049 lh->len = cpu_to_le16(len);
1c2acffb 2050
0952a57a 2051 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2052 if (unlikely(err < 0)) {
2053 kfree_skb(skb);
2054 return ERR_PTR(err);
2055 }
2056 return skb;
2057}
2058
ab0ff76d 2059static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2060 struct msghdr *msg, size_t len,
2061 u16 sdulen)
1c2acffb 2062{
8c1d787b 2063 struct l2cap_conn *conn = chan->conn;
1c2acffb 2064 struct sk_buff *skb;
e4ca6d98 2065 int err, count, hlen;
1c2acffb
GP		 2066 struct l2cap_hdr *lh;
2067
b4400672 2068 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2069
0ee0d208
GP		 2070 if (!conn)
2071 return ERR_PTR(-ENOTCONN);
2072
ba7aa64f 2073 hlen = __ertm_hdr_size(chan);
e4ca6d98 2074
c74e560c 2075 if (sdulen)
03a51213 2076 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2077
47d1ec61 2078 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2079 hlen += L2CAP_FCS_SIZE;
fcc203c3 2080
1c2acffb 2081 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2082
2083 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2084 msg->msg_flags & MSG_DONTWAIT);
2085 if (IS_ERR(skb))
2086 return skb;
1c2acffb
GP		 2087
2088 /* Create L2CAP header */
2089 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2090 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2091 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2092
18a48e76
MM		 2093 /* Control header is populated later */
2094 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2095 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2096 else
2097 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2098
c74e560c 2099 if (sdulen)
03a51213 2100 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2101
0952a57a 2102 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2103 if (unlikely(err < 0)) {
2104 kfree_skb(skb);
2105 return ERR_PTR(err);
2106 }
e90bac06 2107
18a48e76 2108 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2109 bt_cb(skb)->control.retries = 0;
1c2acffb 2110 return skb;
1da177e4
LT		 2111}
2112
94122bbe
MM		 2113static int l2cap_segment_sdu(struct l2cap_chan *chan,
2114 struct sk_buff_head *seg_queue,
2115 struct msghdr *msg, size_t len)
c74e560c 2116{
c74e560c 2117 struct sk_buff *skb;
94122bbe
MM		 2118 u16 sdu_len;
2119 size_t pdu_len;
94122bbe 2120 u8 sar;
c74e560c 2121
b4400672 2122 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2123
94122bbe
MM		 2124 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2125 * so fragmented skbs are not used. The HCI layer's handling
2126 * of fragmented skbs is not compatible with ERTM's queueing.
2127 */
c74e560c 2128
94122bbe
MM		 2129 /* PDU size is derived from the HCI MTU */
2130 pdu_len = chan->conn->mtu;
c74e560c 2131
94122bbe
MM		 2132 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2133
2134 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2135 if (chan->fcs)
2136 pdu_len -= L2CAP_FCS_SIZE;
2137
ba7aa64f 2138 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2139
2140 /* Remote device may have requested smaller PDUs */
2141 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2142
2143 if (len <= pdu_len) {
2144 sar = L2CAP_SAR_UNSEGMENTED;
2145 sdu_len = 0;
2146 pdu_len = len;
2147 } else {
2148 sar = L2CAP_SAR_START;
2149 sdu_len = len;
2150 pdu_len -= L2CAP_SDULEN_SIZE;
2151 }
2152
2153 while (len > 0) {
2154 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2155
c74e560c 2156 if (IS_ERR(skb)) {
94122bbe 2157 __skb_queue_purge(seg_queue);
c74e560c
GP		 2158 return PTR_ERR(skb);
2159 }
2160
94122bbe
MM		 2161 bt_cb(skb)->control.sar = sar;
2162 __skb_queue_tail(seg_queue, skb);
2163
2164 len -= pdu_len;
2165 if (sdu_len) {
2166 sdu_len = 0;
2167 pdu_len += L2CAP_SDULEN_SIZE;
2168 }
2169
2170 if (len <= pdu_len) {
2171 sar = L2CAP_SAR_END;
2172 pdu_len = len;
2173 } else {
2174 sar = L2CAP_SAR_CONTINUE;
2175 }
c74e560c 2176 }
c74e560c 2177
f0f62799 2178 return 0;
c74e560c
GP		 2179}
2180
5e59b791
LAD		 2181int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2182 u32 priority)
9a91a04a 2183{
9a91a04a 2184 struct sk_buff *skb;
9a91a04a 2185 int err;
94122bbe 2186 struct sk_buff_head seg_queue;
9a91a04a
GP		 2187
2188 /* Connectionless channel */
715ec005 2189 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2190 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2191 if (IS_ERR(skb))
2192 return PTR_ERR(skb);
2193
2194 l2cap_do_send(chan, skb);
2195 return len;
2196 }
2197
2198 switch (chan->mode) {
2199 case L2CAP_MODE_BASIC:
2200 /* Check outgoing MTU */
2201 if (len > chan->omtu)
2202 return -EMSGSIZE;
2203
2204 /* Create a basic PDU */
5e59b791 2205 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2206 if (IS_ERR(skb))
2207 return PTR_ERR(skb);
2208
2209 l2cap_do_send(chan, skb);
2210 err = len;
2211 break;
2212
2213 case L2CAP_MODE_ERTM:
2214 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2215 /* Check outgoing MTU */
2216 if (len > chan->omtu) {
2217 err = -EMSGSIZE;
2218 break;
2219 }
9a91a04a 2220
94122bbe 2221 __skb_queue_head_init(&seg_queue);
9a91a04a 2222
94122bbe
MM		 2223 /* Do segmentation before calling in to the state machine,
2224 * since it's possible to block while waiting for memory
2225 * allocation.
2226 */
2227 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2228
94122bbe
MM		 2229 /* The channel could have been closed while segmenting,
2230 * check that it is still connected.
2231 */
2232 if (chan->state != BT_CONNECTED) {
2233 __skb_queue_purge(&seg_queue);
2234 err = -ENOTCONN;
9a91a04a
GP		 2235 }
2236
94122bbe 2237 if (err)
9a91a04a 2238 break;
9a91a04a 2239
3733937d 2240 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2241 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2242 else
d660366d 2243 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2244
d660366d 2245 err = len;
9a91a04a 2246
94122bbe
MM		 2247 /* If the skbs were not queued for sending, they'll still be in
2248 * seg_queue and need to be purged.
2249 */
2250 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2251 break;
2252
2253 default:
2254 BT_DBG("bad state %1.1x", chan->mode);
2255 err = -EBADFD;
2256 }
2257
2258 return err;
2259}
2260
d2a7ac5d
MM		 2261static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2262{
bed68bde
MM		 2263 struct l2cap_ctrl control;
2264 u16 seq;
2265
b4400672 2266 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2267
2268 memset(&control, 0, sizeof(control));
2269 control.sframe = 1;
2270 control.super = L2CAP_SUPER_SREJ;
2271
2272 for (seq = chan->expected_tx_seq; seq != txseq;
2273 seq = __next_seq(chan, seq)) {
2274 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2275 control.reqseq = seq;
2276 l2cap_send_sframe(chan, &control);
2277 l2cap_seq_list_append(&chan->srej_list, seq);
2278 }
2279 }
2280
2281 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2282}
2283
2284static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2285{
bed68bde
MM		 2286 struct l2cap_ctrl control;
2287
2288 BT_DBG("chan %p", chan);
2289
2290 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2291 return;
2292
2293 memset(&control, 0, sizeof(control));
2294 control.sframe = 1;
2295 control.super = L2CAP_SUPER_SREJ;
2296 control.reqseq = chan->srej_list.tail;
2297 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2298}
2299
2300static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2301{
bed68bde
MM		 2302 struct l2cap_ctrl control;
2303 u16 initial_head;
2304 u16 seq;
2305
b4400672 2306 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2307
2308 memset(&control, 0, sizeof(control));
2309 control.sframe = 1;
2310 control.super = L2CAP_SUPER_SREJ;
2311
2312 /* Capture initial list head to allow only one pass through the list. */
2313 initial_head = chan->srej_list.head;
2314
2315 do {
2316 seq = l2cap_seq_list_pop(&chan->srej_list);
2317 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2318 break;
2319
2320 control.reqseq = seq;
2321 l2cap_send_sframe(chan, &control);
2322 l2cap_seq_list_append(&chan->srej_list, seq);
2323 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2324}
2325
608bcc6d
MM		 2326static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2327{
2328 struct sk_buff *acked_skb;
2329 u16 ackseq;
2330
b4400672 2331 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2332
2333 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2334 return;
2335
b4400672 2336 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2337 chan->expected_ack_seq, chan->unacked_frames);
2338
2339 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2340 ackseq = __next_seq(chan, ackseq)) {
2341
2342 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2343 if (acked_skb) {
2344 skb_unlink(acked_skb, &chan->tx_q);
2345 kfree_skb(acked_skb);
2346 chan->unacked_frames--;
2347 }
2348 }
2349
2350 chan->expected_ack_seq = reqseq;
2351
2352 if (chan->unacked_frames == 0)
2353 __clear_retrans_timer(chan);
2354
b4400672 2355 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2356}
2357
2358static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2359{
2360 BT_DBG("chan %p", chan);
2361
2362 chan->expected_tx_seq = chan->buffer_seq;
2363 l2cap_seq_list_clear(&chan->srej_list);
2364 skb_queue_purge(&chan->srej_q);
2365 chan->rx_state = L2CAP_RX_STATE_RECV;
2366}
2367
d660366d
GP		 2368static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2369 struct l2cap_ctrl *control,
2370 struct sk_buff_head *skbs, u8 event)
608bcc6d 2371{
608bcc6d
MM		 2372 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2373 event);
2374
2375 switch (event) {
2376 case L2CAP_EV_DATA_REQUEST:
2377 if (chan->tx_send_head == NULL)
2378 chan->tx_send_head = skb_peek(skbs);
2379
2380 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2381 l2cap_ertm_send(chan);
2382 break;
2383 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2384 BT_DBG("Enter LOCAL_BUSY");
2385 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2386
2387 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2388 /* The SREJ_SENT state must be aborted if we are to
2389 * enter the LOCAL_BUSY state.
2390 */
2391 l2cap_abort_rx_srej_sent(chan);
2392 }
2393
2394 l2cap_send_ack(chan);
2395
2396 break;
2397 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2398 BT_DBG("Exit LOCAL_BUSY");
2399 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2400
2401 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2402 struct l2cap_ctrl local_control;
2403
2404 memset(&local_control, 0, sizeof(local_control));
2405 local_control.sframe = 1;
2406 local_control.super = L2CAP_SUPER_RR;
2407 local_control.poll = 1;
2408 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2409 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2410
2411 chan->retry_count = 1;
2412 __set_monitor_timer(chan);
2413 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2414 }
2415 break;
2416 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2417 l2cap_process_reqseq(chan, control->reqseq);
2418 break;
2419 case L2CAP_EV_EXPLICIT_POLL:
2420 l2cap_send_rr_or_rnr(chan, 1);
2421 chan->retry_count = 1;
2422 __set_monitor_timer(chan);
2423 __clear_ack_timer(chan);
2424 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2425 break;
2426 case L2CAP_EV_RETRANS_TO:
2427 l2cap_send_rr_or_rnr(chan, 1);
2428 chan->retry_count = 1;
2429 __set_monitor_timer(chan);
2430 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2431 break;
2432 case L2CAP_EV_RECV_FBIT:
2433 /* Nothing to process */
2434 break;
2435 default:
2436 break;
2437 }
608bcc6d
MM		 2438}
2439
d660366d
GP		 2440static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2441 struct l2cap_ctrl *control,
2442 struct sk_buff_head *skbs, u8 event)
608bcc6d 2443{
608bcc6d
MM		 2444 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2445 event);
2446
2447 switch (event) {
2448 case L2CAP_EV_DATA_REQUEST:
2449 if (chan->tx_send_head == NULL)
2450 chan->tx_send_head = skb_peek(skbs);
2451 /* Queue data, but don't send. */
2452 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2453 break;
2454 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2455 BT_DBG("Enter LOCAL_BUSY");
2456 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2457
2458 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2459 /* The SREJ_SENT state must be aborted if we are to
2460 * enter the LOCAL_BUSY state.
2461 */
2462 l2cap_abort_rx_srej_sent(chan);
2463 }
2464
2465 l2cap_send_ack(chan);
2466
2467 break;
2468 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2469 BT_DBG("Exit LOCAL_BUSY");
2470 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2471
2472 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2473 struct l2cap_ctrl local_control;
2474 memset(&local_control, 0, sizeof(local_control));
2475 local_control.sframe = 1;
2476 local_control.super = L2CAP_SUPER_RR;
2477 local_control.poll = 1;
2478 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2479 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2480
2481 chan->retry_count = 1;
2482 __set_monitor_timer(chan);
2483 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2484 }
2485 break;
2486 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2487 l2cap_process_reqseq(chan, control->reqseq);
2488
2489 /* Fall through */
2490
2491 case L2CAP_EV_RECV_FBIT:
2492 if (control && control->final) {
2493 __clear_monitor_timer(chan);
2494 if (chan->unacked_frames > 0)
2495 __set_retrans_timer(chan);
2496 chan->retry_count = 0;
2497 chan->tx_state = L2CAP_TX_STATE_XMIT;
2498 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2499 }
2500 break;
2501 case L2CAP_EV_EXPLICIT_POLL:
2502 /* Ignore */
2503 break;
2504 case L2CAP_EV_MONITOR_TO:
2505 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2506 l2cap_send_rr_or_rnr(chan, 1);
2507 __set_monitor_timer(chan);
2508 chan->retry_count++;
2509 } else {
2510 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2511 }
2512 break;
2513 default:
2514 break;
2515 }
608bcc6d
MM		 2516}
2517
d660366d
GP		 2518static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2519 struct sk_buff_head *skbs, u8 event)
608bcc6d 2520{
608bcc6d
MM		 2521 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2522 chan, control, skbs, event, chan->tx_state);
2523
2524 switch (chan->tx_state) {
2525 case L2CAP_TX_STATE_XMIT:
d660366d 2526 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2527 break;
2528 case L2CAP_TX_STATE_WAIT_F:
d660366d 2529 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2530 break;
2531 default:
2532 /* Ignore event */
2533 break;
2534 }
608bcc6d
MM		 2535}
2536
4b51dae9
MM		 2537static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2538 struct l2cap_ctrl *control)
2539{
2540 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2541 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2542}
2543
f80842a8
MM		 2544static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2545 struct l2cap_ctrl *control)
2546{
2547 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2548 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2549}
2550
1da177e4
LT		 2551/* Copy frame to all raw sockets on that connection */
2552static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2553{
1da177e4 2554 struct sk_buff *nskb;
48454079 2555 struct l2cap_chan *chan;
1da177e4
LT		 2556
2557 BT_DBG("conn %p", conn);
2558
3df91ea2 2559 mutex_lock(&conn->chan_lock);
3d57dc68 2560
3df91ea2 2561 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2562 struct sock *sk = chan->sk;
715ec005 2563 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2564 continue;
2565
2566 /* Don't send frame to the socket it came from */
2567 if (skb->sk == sk)
2568 continue;
af05b30b
GP		 2569 nskb = skb_clone(skb, GFP_ATOMIC);
2570 if (!nskb)
1da177e4
LT		 2571 continue;
2572
80b98027 2573 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2574 kfree_skb(nskb);
2575 }
3d57dc68 2576
3df91ea2 2577 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2578}
2579
2580/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2581static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2582 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2583{
2584 struct sk_buff *skb, **frag;
2585 struct l2cap_cmd_hdr *cmd;
2586 struct l2cap_hdr *lh;
2587 int len, count;
2588
b4400672
AE		 2589 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2590 conn, code, ident, dlen);
1da177e4
LT		 2591
2592 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2593 count = min_t(unsigned int, conn->mtu, len);
2594
2595 skb = bt_skb_alloc(count, GFP_ATOMIC);
2596 if (!skb)
2597 return NULL;
2598
2599 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2600 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2601
2602 if (conn->hcon->type == LE_LINK)
ac73498c 2603 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2604 else
ac73498c 2605 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2606
2607 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2608 cmd->code = code;
2609 cmd->ident = ident;
aca3192c 2610 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2611
2612 if (dlen) {
2613 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2614 memcpy(skb_put(skb, count), data, count);
2615 data += count;
2616 }
2617
2618 len -= skb->len;
2619
2620 /* Continuation fragments (no L2CAP header) */
2621 frag = &skb_shinfo(skb)->frag_list;
2622 while (len) {
2623 count = min_t(unsigned int, conn->mtu, len);
2624
2625 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2626 if (!*frag)
2627 goto fail;
2628
2629 memcpy(skb_put(*frag, count), data, count);
2630
2631 len -= count;
2632 data += count;
2633
2634 frag = &(*frag)->next;
2635 }
2636
2637 return skb;
2638
2639fail:
2640 kfree_skb(skb);
2641 return NULL;
2642}
2643
2644static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2645{
2646 struct l2cap_conf_opt *opt = *ptr;
2647 int len;
2648
2649 len = L2CAP_CONF_OPT_SIZE + opt->len;
2650 *ptr += len;
2651
2652 *type = opt->type;
2653 *olen = opt->len;
2654
2655 switch (opt->len) {
2656 case 1:
2657 *val = *((u8 *) opt->val);
2658 break;
2659
2660 case 2:
bfaaeb3e 2661 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2662 break;
2663
2664 case 4:
bfaaeb3e 2665 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2666 break;
2667
2668 default:
2669 *val = (unsigned long) opt->val;
2670 break;
2671 }
2672
b4400672 2673 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2674 return len;
2675}
2676
1da177e4
LT		 2677static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2678{
2679 struct l2cap_conf_opt *opt = *ptr;
2680
b4400672 2681 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2682
2683 opt->type = type;
2684 opt->len = len;
2685
2686 switch (len) {
2687 case 1:
2688 *((u8 *) opt->val) = val;
2689 break;
2690
2691 case 2:
4f8b691c 2692 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2693 break;
2694
2695 case 4:
4f8b691c 2696 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2697 break;
2698
2699 default:
2700 memcpy(opt->val, (void *) val, len);
2701 break;
2702 }
2703
2704 *ptr += L2CAP_CONF_OPT_SIZE + len;
2705}
2706
f89cef09
AE		 2707static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2708{
2709 struct l2cap_conf_efs efs;
2710
1ec918ce 2711 switch (chan->mode) {
f89cef09
AE		 2712 case L2CAP_MODE_ERTM:
2713 efs.id = chan->local_id;
2714 efs.stype = chan->local_stype;
2715 efs.msdu = cpu_to_le16(chan->local_msdu);
2716 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2717 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2718 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2719 break;
2720
2721 case L2CAP_MODE_STREAMING:
2722 efs.id = 1;
2723 efs.stype = L2CAP_SERV_BESTEFFORT;
2724 efs.msdu = cpu_to_le16(chan->local_msdu);
2725 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2726 efs.acc_lat = 0;
2727 efs.flush_to = 0;
2728 break;
2729
2730 default:
2731 return;
2732 }
2733
2734 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2735 (unsigned long) &efs);
2736}
2737
721c4181 2738static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2739{
721c4181 2740 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2741 ack_timer.work);
2742 u16 frames_to_ack;
c1b4f43b 2743
2fb9b3d4
GP		 2744 BT_DBG("chan %p", chan);
2745
6be36555
AE		 2746 l2cap_chan_lock(chan);
2747
0362520b
MM		 2748 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2749 chan->last_acked_seq);
6be36555 2750
0362520b
MM		 2751 if (frames_to_ack)
2752 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2753
0362520b 2754 l2cap_chan_unlock(chan);
09bfb2ee 2755 l2cap_chan_put(chan);
c1b4f43b
GP		 2756}
2757
466f8004 2758int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2759{
3c588192
MM		 2760 int err;
2761
105bdf9e
MM		 2762 chan->next_tx_seq = 0;
2763 chan->expected_tx_seq = 0;
42e5c802 2764 chan->expected_ack_seq = 0;
6a026610 2765 chan->unacked_frames = 0;
42e5c802 2766 chan->buffer_seq = 0;
6a026610 2767 chan->frames_sent = 0;
105bdf9e
MM		 2768 chan->last_acked_seq = 0;
2769 chan->sdu = NULL;
2770 chan->sdu_last_frag = NULL;
2771 chan->sdu_len = 0;
2772
d34c34fb
MM		 2773 skb_queue_head_init(&chan->tx_q);
2774
105bdf9e
MM		 2775 if (chan->mode != L2CAP_MODE_ERTM)
2776 return 0;
2777
2778 chan->rx_state = L2CAP_RX_STATE_RECV;
2779 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2780
721c4181
GP		 2781 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2782 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2783 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2784
f1c6775b 2785 skb_queue_head_init(&chan->srej_q);
1890d36b 2786
3c588192
MM		 2787 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2788 if (err < 0)
2789 return err;
2790
9dc9affc
MM		 2791 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2792 if (err < 0)
2793 l2cap_seq_list_free(&chan->srej_list);
2794
2795 return err;
0565c1c2
GP		 2796}
2797
f2fcfcd6
GP		 2798static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2799{
2800 switch (mode) {
2801 case L2CAP_MODE_STREAMING:
2802 case L2CAP_MODE_ERTM:
2803 if (l2cap_mode_supported(mode, remote_feat_mask))
2804 return mode;
2805 /* fall through */
2806 default:
2807 return L2CAP_MODE_BASIC;
2808 }
2809}
2810
6327eb98
AE		 2811static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2812{
2813 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2814}
2815
f89cef09
AE		 2816static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2817{
2818 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2819}
2820
6327eb98
AE		 2821static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2822{
2823 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2824 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2825 /* use extended control field */
2826 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2827 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2828 } else {
6327eb98
AE		 2829 chan->tx_win = min_t(u16, chan->tx_win,
2830 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2831 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2832 }
c20f8e35 2833 chan->ack_win = chan->tx_win;
6327eb98
AE		 2834}
2835
710f9b0a 2836static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2837{
1da177e4 2838 struct l2cap_conf_req *req = data;
0c1bc5c6 2839 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2840 void *ptr = req->data;
c8f79162 2841 u16 size;
1da177e4 2842
49208c9c 2843 BT_DBG("chan %p", chan);
1da177e4 2844
73ffa904 2845 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2846 goto done;
2847
0c1bc5c6 2848 switch (chan->mode) {
f2fcfcd6
GP		 2849 case L2CAP_MODE_STREAMING:
2850 case L2CAP_MODE_ERTM:
c1360a1c 2851 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2852 break;
85eb53c6 2853
f89cef09
AE		 2854 if (__l2cap_efs_supported(chan))
2855 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2856
2ba13ed6 2857 /* fall through */
f2fcfcd6 2858 default:
8c1d787b 2859 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2860 break;
2861 }
2862
2863done:
0c1bc5c6
GP		 2864 if (chan->imtu != L2CAP_DEFAULT_MTU)
2865 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2866
0c1bc5c6 2867 switch (chan->mode) {
65c7c491 2868 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2869 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2870 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2871 break;
2872
62547752
GP		 2873 rfc.mode = L2CAP_MODE_BASIC;
2874 rfc.txwin_size = 0;
2875 rfc.max_transmit = 0;
2876 rfc.retrans_timeout = 0;
2877 rfc.monitor_timeout = 0;
2878 rfc.max_pdu_size = 0;
2879
63406504
GP		 2880 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2881 (unsigned long) &rfc);
65c7c491
MH		 2882 break;
2883
2884 case L2CAP_MODE_ERTM:
2885 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2886 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2887 rfc.retrans_timeout = 0;
2888 rfc.monitor_timeout = 0;
c8f79162
AE		 2889
2890 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2891 L2CAP_EXT_HDR_SIZE -
2892 L2CAP_SDULEN_SIZE -
2893 L2CAP_FCS_SIZE);
2894 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2895
6327eb98
AE		 2896 l2cap_txwin_setup(chan);
2897
2898 rfc.txwin_size = min_t(u16, chan->tx_win,
2899 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2900
63406504
GP		 2901 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2902 (unsigned long) &rfc);
2903
f89cef09
AE		 2904 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2905 l2cap_add_opt_efs(&ptr, chan);
2906
8c1d787b 2907 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2908 break;
2909
47d1ec61 2910 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2911 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2912 chan->fcs = L2CAP_FCS_NONE;
2913 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2914 }
6327eb98
AE		 2915
2916 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2917 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2918 chan->tx_win);
f2fcfcd6
GP		 2919 break;
2920
2921 case L2CAP_MODE_STREAMING:
273759e2 2922 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2923 rfc.mode = L2CAP_MODE_STREAMING;
2924 rfc.txwin_size = 0;
2925 rfc.max_transmit = 0;
2926 rfc.retrans_timeout = 0;
2927 rfc.monitor_timeout = 0;
c8f79162
AE		 2928
2929 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2930 L2CAP_EXT_HDR_SIZE -
2931 L2CAP_SDULEN_SIZE -
2932 L2CAP_FCS_SIZE);
2933 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2934
63406504
GP		 2935 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2936 (unsigned long) &rfc);
2937
f89cef09
AE		 2938 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2939 l2cap_add_opt_efs(&ptr, chan);
2940
8c1d787b 2941 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2942 break;
2943
47d1ec61 2944 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2945 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2946 chan->fcs = L2CAP_FCS_NONE;
2947 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2948 }
65c7c491
MH		 2949 break;
2950 }
1da177e4 2951
fe4128e0 2952 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2953 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2954
2955 return ptr - data;
2956}
2957
73ffa904 2958static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2959{
5dee9e7c
MH		 2960 struct l2cap_conf_rsp *rsp = data;
2961 void *ptr = rsp->data;
73ffa904
GP		 2962 void *req = chan->conf_req;
2963 int len = chan->conf_len;
5dee9e7c
MH		 2964 int type, hint, olen;
2965 unsigned long val;
6464f35f 2966 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2967 struct l2cap_conf_efs efs;
2968 u8 remote_efs = 0;
861d6882 2969 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2970 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2971 u16 size;
1da177e4 2972
73ffa904 2973 BT_DBG("chan %p", chan);
820ae1b8 2974
5dee9e7c
MH		 2975 while (len >= L2CAP_CONF_OPT_SIZE) {
2976 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2977
589d2746 2978 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2979 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2980
2981 switch (type) {
2982 case L2CAP_CONF_MTU:
861d6882 2983 mtu = val;
5dee9e7c
MH		 2984 break;
2985
2986 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2987 chan->flush_to = val;
5dee9e7c
MH		 2988 break;
2989
2990 case L2CAP_CONF_QOS:
2991 break;
2992
6464f35f
MH		 2993 case L2CAP_CONF_RFC:
2994 if (olen == sizeof(rfc))
2995 memcpy(&rfc, (void *) val, olen);
2996 break;
2997
fcc203c3
GP		 2998 case L2CAP_CONF_FCS:
2999 if (val == L2CAP_FCS_NONE)
c1360a1c 3000 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3001 break;
fcc203c3 3002
42dceae2
AE		 3003 case L2CAP_CONF_EFS:
3004 remote_efs = 1;
3005 if (olen == sizeof(efs))
3006 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3007 break;
3008
6327eb98
AE		 3009 case L2CAP_CONF_EWS:
3010 if (!enable_hs)
3011 return -ECONNREFUSED;
fcc203c3 3012
6327eb98
AE		 3013 set_bit(FLAG_EXT_CTRL, &chan->flags);
3014 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3015 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3016 chan->remote_tx_win = val;
fcc203c3
GP		 3017 break;
3018
5dee9e7c
MH		 3019 default:
3020 if (hint)
3021 break;
3022
3023 result = L2CAP_CONF_UNKNOWN;
3024 *((u8 *) ptr++) = type;
3025 break;
3026 }
3027 }
3028
73ffa904 3029 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3030 goto done;
3031
0c1bc5c6 3032 switch (chan->mode) {
f2fcfcd6
GP		 3033 case L2CAP_MODE_STREAMING:
3034 case L2CAP_MODE_ERTM:
c1360a1c 3035 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3036 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 3037 chan->conn->feat_mask);
85eb53c6
GP		 3038 break;
3039 }
3040
42dceae2
AE		 3041 if (remote_efs) {
3042 if (__l2cap_efs_supported(chan))
3043 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3044 else
3045 return -ECONNREFUSED;
3046 }
3047
0c1bc5c6 3048 if (chan->mode != rfc.mode)
f2fcfcd6 3049 return -ECONNREFUSED;
742e519b 3050
f2fcfcd6 3051 break;
f2fcfcd6
GP		 3052 }
3053
3054done:
0c1bc5c6 3055 if (chan->mode != rfc.mode) {
f2fcfcd6 3056 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3057 rfc.mode = chan->mode;
f2fcfcd6 3058
73ffa904 3059 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3060 return -ECONNREFUSED;
3061
3062 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3063 sizeof(rfc), (unsigned long) &rfc);
3064 }
3065
5dee9e7c
MH		 3066 if (result == L2CAP_CONF_SUCCESS) {
3067 /* Configure output options and let the other side know
3068 * which ones we don't like. */
3069
f2fcfcd6
GP		 3070 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3071 result = L2CAP_CONF_UNACCEPT;
3072 else {
0c1bc5c6 3073 chan->omtu = mtu;
c1360a1c 3074 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3075 }
0c1bc5c6 3076 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3077
42dceae2
AE		 3078 if (remote_efs) {
3079 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3080 efs.stype != L2CAP_SERV_NOTRAFIC &&
3081 efs.stype != chan->local_stype) {
3082
3083 result = L2CAP_CONF_UNACCEPT;
3084
3085 if (chan->num_conf_req >= 1)
3086 return -ECONNREFUSED;
3087
3088 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3089 sizeof(efs),
42dceae2 3090 (unsigned long) &efs);
0e8b207e 3091 } else {
3e6b3b95 3092 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3093 result = L2CAP_CONF_PENDING;
3094 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3095 }
3096 }
3097
f2fcfcd6
GP		 3098 switch (rfc.mode) {
3099 case L2CAP_MODE_BASIC:
47d1ec61 3100 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3101 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3102 break;
3103
3104 case L2CAP_MODE_ERTM:
6327eb98
AE		 3105 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3106 chan->remote_tx_win = rfc.txwin_size;
3107 else
3108 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3109
2c03a7a4 3110 chan->remote_max_tx = rfc.max_transmit;
1c762159 3111
c8f79162
AE		 3112 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3113 chan->conn->mtu -
3114 L2CAP_EXT_HDR_SIZE -
3115 L2CAP_SDULEN_SIZE -
3116 L2CAP_FCS_SIZE);
3117 rfc.max_pdu_size = cpu_to_le16(size);
3118 chan->remote_mps = size;
f2fcfcd6 3119
10467e9e 3120 rfc.retrans_timeout =
4fd21a88 3121 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3122 rfc.monitor_timeout =
4fd21a88 3123 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3124
c1360a1c 3125 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3126
3127 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3128 sizeof(rfc), (unsigned long) &rfc);
3129
42dceae2
AE		 3130 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3131 chan->remote_id = efs.id;
3132 chan->remote_stype = efs.stype;
3133 chan->remote_msdu = le16_to_cpu(efs.msdu);
3134 chan->remote_flush_to =
3135 le32_to_cpu(efs.flush_to);
3136 chan->remote_acc_lat =
3137 le32_to_cpu(efs.acc_lat);
3138 chan->remote_sdu_itime =
3139 le32_to_cpu(efs.sdu_itime);
3140 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3141 sizeof(efs), (unsigned long) &efs);
3142 }
f2fcfcd6
GP		 3143 break;
3144
3145 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3146 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3147 chan->conn->mtu -
3148 L2CAP_EXT_HDR_SIZE -
3149 L2CAP_SDULEN_SIZE -
3150 L2CAP_FCS_SIZE);
3151 rfc.max_pdu_size = cpu_to_le16(size);
3152 chan->remote_mps = size;
f2fcfcd6 3153
c1360a1c 3154 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3155
3156 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3157 sizeof(rfc), (unsigned long) &rfc);
3158
f2fcfcd6
GP		 3159 break;
3160
3161 default:
5dee9e7c 3162 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3163
6464f35f 3164 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3165 rfc.mode = chan->mode;
f2fcfcd6 3166 }
6464f35f 3167
f2fcfcd6 3168 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3169 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3170 }
fe4128e0 3171 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3172 rsp->result = cpu_to_le16(result);
59e54bd1 3173 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3174
3175 return ptr - data;
1da177e4
LT		 3176}
3177
b4450035 3178static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3179{
f2fcfcd6
GP		 3180 struct l2cap_conf_req *req = data;
3181 void *ptr = req->data;
3182 int type, olen;
3183 unsigned long val;
36e999a8 3184 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3185 struct l2cap_conf_efs efs;
f2fcfcd6 3186
fe4128e0 3187 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3188
3189 while (len >= L2CAP_CONF_OPT_SIZE) {
3190 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3191
3192 switch (type) {
3193 case L2CAP_CONF_MTU:
3194 if (val < L2CAP_DEFAULT_MIN_MTU) {
3195 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3196 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3197 } else
0c1bc5c6
GP		 3198 chan->imtu = val;
3199 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3200 break;
3201
3202 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3203 chan->flush_to = val;
f2fcfcd6 3204 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3205 2, chan->flush_to);
f2fcfcd6
GP		 3206 break;
3207
3208 case L2CAP_CONF_RFC:
3209 if (olen == sizeof(rfc))
3210 memcpy(&rfc, (void *)val, olen);
3211
c1360a1c 3212 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3213 rfc.mode != chan->mode)
f2fcfcd6
GP		 3214 return -ECONNREFUSED;
3215
47d1ec61 3216 chan->fcs = 0;
f2fcfcd6
GP		 3217
3218 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3219 sizeof(rfc), (unsigned long) &rfc);
3220 break;
6327eb98
AE		 3221
3222 case L2CAP_CONF_EWS:
c20f8e35 3223 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3225 chan->tx_win);
6327eb98 3226 break;
66af7aaf
AE		 3227
3228 case L2CAP_CONF_EFS:
3229 if (olen == sizeof(efs))
3230 memcpy(&efs, (void *)val, olen);
3231
3232 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3233 efs.stype != L2CAP_SERV_NOTRAFIC &&
3234 efs.stype != chan->local_stype)
3235 return -ECONNREFUSED;
3236
3237 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3238 sizeof(efs), (unsigned long) &efs);
3239 break;
f2fcfcd6
GP		 3240 }
3241 }
3242
0c1bc5c6 3243 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3244 return -ECONNREFUSED;
3245
0c1bc5c6 3246 chan->mode = rfc.mode;
6c2ea7a8 3247
0e8b207e 3248 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3249 switch (rfc.mode) {
3250 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3251 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3252 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3253 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3254 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3255 chan->ack_win = min_t(u16, chan->ack_win,
3256 rfc.txwin_size);
66af7aaf
AE		 3257
3258 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3259 chan->local_msdu = le16_to_cpu(efs.msdu);
3260 chan->local_sdu_itime =
3261 le32_to_cpu(efs.sdu_itime);
3262 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3263 chan->local_flush_to =
3264 le32_to_cpu(efs.flush_to);
3265 }
f2fcfcd6 3266 break;
66af7aaf 3267
f2fcfcd6 3268 case L2CAP_MODE_STREAMING:
47d1ec61 3269 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3270 }
3271 }
3272
fe4128e0 3273 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3274 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3275
3276 return ptr - data;
3277}
3278
fe4128e0 3279static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3280{
3281 struct l2cap_conf_rsp *rsp = data;
3282 void *ptr = rsp->data;
1da177e4 3283
fe4128e0 3284 BT_DBG("chan %p", chan);
1da177e4 3285
fe4128e0 3286 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3287 rsp->result = cpu_to_le16(result);
aca3192c 3288 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3289
3290 return ptr - data;
3291}
3292
8c1d787b 3293void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3294{
3295 struct l2cap_conn_rsp rsp;
8c1d787b 3296 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3297 u8 buf[128];
3298
fe4128e0
GP		 3299 rsp.scid = cpu_to_le16(chan->dcid);
3300 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3301 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3302 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3303 l2cap_send_cmd(conn, chan->ident,
3304 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3305
c1360a1c 3306 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3307 return;
3308
710f9b0a
GP		 3309 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3310 l2cap_build_conf_req(chan, buf), buf);
3311 chan->num_conf_req++;
3312}
3313
47d1ec61 3314static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3315{
7b1c0049
GP		 3316 int type, olen;
3317 unsigned long val;
c20f8e35
MM		 3318 /* Use sane default values in case a misbehaving remote device
3319 * did not send an RFC or extended window size option.
3320 */
3321 u16 txwin_ext = chan->ack_win;
3322 struct l2cap_conf_rfc rfc = {
3323 .mode = chan->mode,
3324 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3325 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3326 .max_pdu_size = cpu_to_le16(chan->imtu),
3327 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3328 };
7b1c0049 3329
47d1ec61 3330 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3331
0c1bc5c6 3332 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3333 return;
3334
3335 while (len >= L2CAP_CONF_OPT_SIZE) {
3336 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3337
c20f8e35
MM		 3338 switch (type) {
3339 case L2CAP_CONF_RFC:
3340 if (olen == sizeof(rfc))
3341 memcpy(&rfc, (void *)val, olen);
8f321f85 3342 break;
c20f8e35
MM		 3343 case L2CAP_CONF_EWS:
3344 txwin_ext = val;
3345 break;
3346 }
7b1c0049
GP		 3347 }
3348
7b1c0049
GP		 3349 switch (rfc.mode) {
3350 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3351 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3352 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3353 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3354 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3355 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3356 else
3357 chan->ack_win = min_t(u16, chan->ack_win,
3358 rfc.txwin_size);
7b1c0049
GP		 3359 break;
3360 case L2CAP_MODE_STREAMING:
47d1ec61 3361 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3362 }
3363}
3364
4e8402a3
MH		 3365static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3366{
e2fd318e 3367 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3368
e2fd318e 3369 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3370 return 0;
3371
3372 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3373 cmd->ident == conn->info_ident) {
17cd3f37 3374 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3375
3376 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3377 conn->info_ident = 0;
984947dc 3378
4e8402a3
MH		 3379 l2cap_conn_start(conn);
3380 }
3381
3382 return 0;
3383}
3384
1da177e4
LT		 3385static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3386{
1da177e4
LT		 3387 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3388 struct l2cap_conn_rsp rsp;
23691d75 3389 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3390 struct sock *parent, *sk = NULL;
e7c29cb1 3391 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3392
3393 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3394 __le16 psm = req->psm;
1da177e4 3395
097db76c 3396 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3397
3398 /* Check if we have socket listening on psm */
c2287681 3399 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3400 if (!pchan) {
1da177e4
LT		 3401 result = L2CAP_CR_BAD_PSM;
3402 goto sendresp;
3403 }
3404
23691d75
GP		 3405 parent = pchan->sk;
3406
3df91ea2 3407 mutex_lock(&conn->chan_lock);
aa2ac881 3408 lock_sock(parent);
e0f0cb56 3409
e7c29cb1 3410 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3411 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3412 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3413 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3414 result = L2CAP_CR_SEC_BLOCK;
3415 goto response;
3416 }
3417
1da177e4
LT		 3418 result = L2CAP_CR_NO_MEM;
3419
2dfa1003
GP		 3420 /* Check if we already have channel with that dcid */
3421 if (__l2cap_get_chan_by_dcid(conn, scid))
3422 goto response;
3423
80b98027 3424 chan = pchan->ops->new_connection(pchan);
80808e43 3425 if (!chan)
1da177e4
LT		 3426 goto response;
3427
80808e43
GP		 3428 sk = chan->sk;
3429
1da177e4
LT		 3430 hci_conn_hold(conn->hcon);
3431
1da177e4
LT		 3432 bacpy(&bt_sk(sk)->src, conn->src);
3433 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3434 chan->psm = psm;
3435 chan->dcid = scid;
1da177e4 3436
d1010240
GP		 3437 bt_accept_enqueue(parent, sk);
3438
6be36555 3439 __l2cap_chan_add(conn, chan);
48454079 3440
fe4128e0 3441 dcid = chan->scid;
1da177e4 3442
c9b66675 3443 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3444
fc7f8a7e 3445 chan->ident = cmd->ident;
1da177e4 3446
984947dc 3447 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3448 if (l2cap_chan_check_security(chan)) {
c5daa683 3449 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3450 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3451 result = L2CAP_CR_PEND;
3452 status = L2CAP_CS_AUTHOR_PEND;
3453 parent->sk_data_ready(parent, 0);
3454 } else {
0e587be7 3455 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3456 result = L2CAP_CR_SUCCESS;
3457 status = L2CAP_CS_NO_INFO;
3458 }
79d554a6 3459 } else {
0e587be7 3460 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3461 result = L2CAP_CR_PEND;
3462 status = L2CAP_CS_AUTHEN_PEND;
3463 }
3464 } else {
0e587be7 3465 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3466 result = L2CAP_CR_PEND;
3467 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3468 }
3469
1da177e4 3470response:
aa2ac881 3471 release_sock(parent);
3df91ea2 3472 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3473
3474sendresp:
aca3192c
YH		 3475 rsp.scid = cpu_to_le16(scid);
3476 rsp.dcid = cpu_to_le16(dcid);
3477 rsp.result = cpu_to_le16(result);
3478 rsp.status = cpu_to_le16(status);
1da177e4 3479 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3480
3481 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3482 struct l2cap_info_req info;
ac73498c 3483 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3484
3485 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3486 conn->info_ident = l2cap_get_ident(conn);
3487
ba13ccd9 3488 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3489
3490 l2cap_send_cmd(conn, conn->info_ident,
3491 L2CAP_INFO_REQ, sizeof(info), &info);
3492 }
3493
c1360a1c 3494 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3495 result == L2CAP_CR_SUCCESS) {
3496 u8 buf[128];
c1360a1c 3497 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3498 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3499 l2cap_build_conf_req(chan, buf), buf);
3500 chan->num_conf_req++;
e9aeb2dd
GP		 3501 }
3502
1da177e4
LT		 3503 return 0;
3504}
3505
3506static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3507{
3508 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3509 u16 scid, dcid, result, status;
48454079 3510 struct l2cap_chan *chan;
1da177e4 3511 u8 req[128];
3df91ea2 3512 int err;
1da177e4
LT		 3513
3514 scid = __le16_to_cpu(rsp->scid);
3515 dcid = __le16_to_cpu(rsp->dcid);
3516 result = __le16_to_cpu(rsp->result);
3517 status = __le16_to_cpu(rsp->status);
3518
1b009c98
AE		 3519 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3520 dcid, scid, result, status);
1da177e4 3521
3df91ea2
AE		 3522 mutex_lock(&conn->chan_lock);
3523
1da177e4 3524 if (scid) {
3df91ea2
AE		 3525 chan = __l2cap_get_chan_by_scid(conn, scid);
3526 if (!chan) {
3527 err = -EFAULT;
3528 goto unlock;
3529 }
1da177e4 3530 } else {
3df91ea2
AE		 3531 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3532 if (!chan) {
3533 err = -EFAULT;
3534 goto unlock;
3535 }
1da177e4
LT		 3536 }
3537
3df91ea2
AE		 3538 err = 0;
3539
6be36555 3540 l2cap_chan_lock(chan);
48454079 3541
1da177e4
LT		 3542 switch (result) {
3543 case L2CAP_CR_SUCCESS:
89bc500e 3544 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3545 chan->ident = 0;
fe4128e0 3546 chan->dcid = dcid;
c1360a1c 3547 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3548
c1360a1c 3549 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3550 break;
3551
1da177e4 3552 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3553 l2cap_build_conf_req(chan, req), req);
3554 chan->num_conf_req++;
1da177e4
LT		 3555 break;
3556
3557 case L2CAP_CR_PEND:
c1360a1c 3558 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3559 break;
3560
3561 default:
48454079 3562 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3563 break;
3564 }
3565
6be36555 3566 l2cap_chan_unlock(chan);
3df91ea2
AE		 3567
3568unlock:
3569 mutex_unlock(&conn->chan_lock);
3570
3571 return err;
1da177e4
LT		 3572}
3573
47d1ec61 3574static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3575{
3576 /* FCS is enabled only in ERTM or streaming mode, if one or both
3577 * sides request it.
3578 */
0c1bc5c6 3579 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3580 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3581 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3582 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3583}
3584
29d8a590
AE		 3585static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3586 u8 ident, u16 flags)
3587{
3588 struct l2cap_conn *conn = chan->conn;
3589
3590 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3591 flags);
3592
3593 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3594 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3595
3596 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3597 l2cap_build_conf_rsp(chan, data,
3598 L2CAP_CONF_SUCCESS, flags), data);
3599}
3600
88219a0f 3601static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3602{
3603 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3604 u16 dcid, flags;
3605 u8 rsp[64];
48454079 3606 struct l2cap_chan *chan;
3c588192 3607 int len, err = 0;
1da177e4
LT		 3608
3609 dcid = __le16_to_cpu(req->dcid);
3610 flags = __le16_to_cpu(req->flags);
3611
3612 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3613
baa7e1fa 3614 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3615 if (!chan)
1da177e4
LT		 3616 return -ENOENT;
3617
033b1142 3618 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3619 struct l2cap_cmd_rej_cid rej;
3620
ac73498c 3621 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3622 rej.scid = cpu_to_le16(chan->scid);
3623 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3624
df6bd743
GP		 3625 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3626 sizeof(rej), &rej);
354f60a9 3627 goto unlock;
df6bd743 3628 }
354f60a9 3629
5dee9e7c 3630 /* Reject if config buffer is too small. */
88219a0f 3631 len = cmd_len - sizeof(*req);
7ac28817 3632 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3633 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3634 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3635 L2CAP_CONF_REJECT, flags), rsp);
3636 goto unlock;
3637 }
3638
3639 /* Store config. */
73ffa904
GP		 3640 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3641 chan->conf_len += len;
1da177e4 3642
59e54bd1 3643 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3644 /* Incomplete config. Send empty response. */
3645 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3646 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3647 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3648 goto unlock;
3649 }
3650
3651 /* Complete config. */
73ffa904 3652 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3653 if (len < 0) {
e92c8e70 3654 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3655 goto unlock;
f2fcfcd6 3656 }
1da177e4 3657
5dee9e7c 3658 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3659 chan->num_conf_rsp++;
5dee9e7c 3660
5dee9e7c 3661 /* Reset config buffer. */
73ffa904 3662 chan->conf_len = 0;
5dee9e7c 3663
c1360a1c 3664 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3665 goto unlock;
3666
c1360a1c 3667 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3668 set_default_fcs(chan);
fcc203c3 3669
105bdf9e
MM		 3670 if (chan->mode == L2CAP_MODE_ERTM ||
3671 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3672 err = l2cap_ertm_init(chan);
3673
3674 if (err < 0)
3675 l2cap_send_disconn_req(chan->conn, chan, -err);
3676 else
3677 l2cap_chan_ready(chan);
0565c1c2 3678
876d9484
MH		 3679 goto unlock;
3680 }
3681
c1360a1c 3682 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3683 u8 buf[64];
1da177e4 3684 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3685 l2cap_build_conf_req(chan, buf), buf);
3686 chan->num_conf_req++;
1da177e4
LT		 3687 }
3688
0e8b207e
AE		 3689 /* Got Conf Rsp PENDING from remote side and asume we sent
3690 Conf Rsp PENDING in the code above */
3691 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3692 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3693
3694 /* check compatibility */
3695
29d8a590 3696 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
0e8b207e
AE		 3697 }
3698
1da177e4 3699unlock:
6be36555 3700 l2cap_chan_unlock(chan);
3c588192 3701 return err;
1da177e4
LT		 3702}
3703
3704static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3705{
3706 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3707 u16 scid, flags, result;
48454079 3708 struct l2cap_chan *chan;
61386cba 3709 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3710 int err = 0;
1da177e4
LT		 3711
3712 scid = __le16_to_cpu(rsp->scid);
3713 flags = __le16_to_cpu(rsp->flags);
3714 result = __le16_to_cpu(rsp->result);
3715
61386cba
AE		 3716 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3717 result, len);
1da177e4 3718
baa7e1fa 3719 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3720 if (!chan)
1da177e4
LT		 3721 return 0;
3722
3723 switch (result) {
3724 case L2CAP_CONF_SUCCESS:
47d1ec61 3725 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3726 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3727 break;
3728
0e8b207e
AE		 3729 case L2CAP_CONF_PENDING:
3730 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3731
3732 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3733 char buf[64];
3734
3735 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3736 buf, &result);
3737 if (len < 0) {
3738 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3739 goto done;
3740 }
3741
3742 /* check compatibility */
3743
29d8a590 3744 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
0e8b207e
AE		 3745 }
3746 goto done;
3747
1da177e4 3748 case L2CAP_CONF_UNACCEPT:
73ffa904 3749 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3750 char req[64];
3751
c2c77ec8 3752 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3753 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3754 goto done;
3755 }
3756
f2fcfcd6
GP		 3757 /* throw out any old stored conf requests */
3758 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3759 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3760 req, &result);
f2fcfcd6 3761 if (len < 0) {
e92c8e70 3762 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3763 goto done;
3764 }
3765
3766 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3767 L2CAP_CONF_REQ, len, req);
73ffa904 3768 chan->num_conf_req++;
f2fcfcd6
GP		 3769 if (result != L2CAP_CONF_SUCCESS)
3770 goto done;
3771 break;
1da177e4
LT		 3772 }
3773
8e87d142 3774 default:
6be36555 3775 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3776
ba13ccd9 3777 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3778 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3779 goto done;
3780 }
3781
59e54bd1 3782 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3783 goto done;
3784
c1360a1c 3785 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3786
c1360a1c 3787 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3788 set_default_fcs(chan);
fcc203c3 3789
105bdf9e
MM		 3790 if (chan->mode == L2CAP_MODE_ERTM ||
3791 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3792 err = l2cap_ertm_init(chan);
0565c1c2 3793
3c588192
MM		 3794 if (err < 0)
3795 l2cap_send_disconn_req(chan->conn, chan, -err);
3796 else
3797 l2cap_chan_ready(chan);
1da177e4
LT		 3798 }
3799
3800done:
6be36555 3801 l2cap_chan_unlock(chan);
3c588192 3802 return err;
1da177e4
LT		 3803}
3804
3805static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3806{
3807 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3808 struct l2cap_disconn_rsp rsp;
3809 u16 dcid, scid;
48454079 3810 struct l2cap_chan *chan;
1da177e4
LT		 3811 struct sock *sk;
3812
3813 scid = __le16_to_cpu(req->scid);
3814 dcid = __le16_to_cpu(req->dcid);
3815
3816 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3817
3df91ea2
AE		 3818 mutex_lock(&conn->chan_lock);
3819
3820 chan = __l2cap_get_chan_by_scid(conn, dcid);
3821 if (!chan) {
3822 mutex_unlock(&conn->chan_lock);
1da177e4 3823 return 0;
3df91ea2 3824 }
1da177e4 3825
6be36555
AE		 3826 l2cap_chan_lock(chan);
3827
48454079
GP		 3828 sk = chan->sk;
3829
fe4128e0
GP		 3830 rsp.dcid = cpu_to_le16(chan->scid);
3831 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3832 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3833
6be36555 3834 lock_sock(sk);
1da177e4 3835 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3836 release_sock(sk);
1da177e4 3837
61d6ef3e 3838 l2cap_chan_hold(chan);
48454079 3839 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3840
3841 l2cap_chan_unlock(chan);
1da177e4 3842
80b98027 3843 chan->ops->close(chan);
61d6ef3e 3844 l2cap_chan_put(chan);
3df91ea2
AE		 3845
3846 mutex_unlock(&conn->chan_lock);
3847
1da177e4
LT		 3848 return 0;
3849}
3850
3851static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3852{
3853 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3854 u16 dcid, scid;
48454079 3855 struct l2cap_chan *chan;
1da177e4
LT		 3856
3857 scid = __le16_to_cpu(rsp->scid);
3858 dcid = __le16_to_cpu(rsp->dcid);
3859
3860 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3861
3df91ea2
AE		 3862 mutex_lock(&conn->chan_lock);
3863
3864 chan = __l2cap_get_chan_by_scid(conn, scid);
3865 if (!chan) {
3866 mutex_unlock(&conn->chan_lock);
1da177e4 3867 return 0;
3df91ea2 3868 }
1da177e4 3869
6be36555 3870 l2cap_chan_lock(chan);
48454079 3871
61d6ef3e 3872 l2cap_chan_hold(chan);
48454079 3873 l2cap_chan_del(chan, 0);
6be36555
AE		 3874
3875 l2cap_chan_unlock(chan);
1da177e4 3876
80b98027 3877 chan->ops->close(chan);
61d6ef3e 3878 l2cap_chan_put(chan);
3df91ea2
AE		 3879
3880 mutex_unlock(&conn->chan_lock);
3881
1da177e4
LT		 3882 return 0;
3883}
3884
3885static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3886{
3887 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3888 u16 type;
3889
3890 type = __le16_to_cpu(req->type);
3891
3892 BT_DBG("type 0x%4.4x", type);
3893
f0709e03
MH		 3894 if (type == L2CAP_IT_FEAT_MASK) {
3895 u8 buf[8];
44dd46de 3896 u32 feat_mask = l2cap_feat_mask;
f0709e03 3897 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3898 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3899 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3900 if (!disable_ertm)
fcc203c3
GP		 3901 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3902 | L2CAP_FEAT_FCS;
a5fd6f30 3903 if (enable_hs)
6327eb98
AE		 3904 feat_mask |= L2CAP_FEAT_EXT_FLOW
3905 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3906
1b7bf4ed 3907 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3908 l2cap_send_cmd(conn, cmd->ident,
3909 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3910 } else if (type == L2CAP_IT_FIXED_CHAN) {
3911 u8 buf[12];
3912 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3913
3914 if (enable_hs)
3915 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3916 else
3917 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3918
ac73498c
AE		 3919 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3920 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3921 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3922 l2cap_send_cmd(conn, cmd->ident,
3923 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3924 } else {
3925 struct l2cap_info_rsp rsp;
3926 rsp.type = cpu_to_le16(type);
ac73498c 3927 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3928 l2cap_send_cmd(conn, cmd->ident,
3929 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3930 }
1da177e4
LT		 3931
3932 return 0;
3933}
3934
3935static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3936{
3937 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3938 u16 type, result;
3939
3940 type = __le16_to_cpu(rsp->type);
3941 result = __le16_to_cpu(rsp->result);
3942
3943 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3944
e90165be
AE		 3945 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3946 if (cmd->ident != conn->info_ident ||
3947 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3948 return 0;
3949
17cd3f37 3950 cancel_delayed_work(&conn->info_timer);
4e8402a3 3951
adb08ede
VT		 3952 if (result != L2CAP_IR_SUCCESS) {
3953 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3954 conn->info_ident = 0;
3955
3956 l2cap_conn_start(conn);
3957
3958 return 0;
3959 }
3960
978c93b9
AE		 3961 switch (type) {
3962 case L2CAP_IT_FEAT_MASK:
83985319 3963 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3964
47ec1dcd 3965 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3966 struct l2cap_info_req req;
ac73498c 3967 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3968
3969 conn->info_ident = l2cap_get_ident(conn);
3970
3971 l2cap_send_cmd(conn, conn->info_ident,
3972 L2CAP_INFO_REQ, sizeof(req), &req);
3973 } else {
3974 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3975 conn->info_ident = 0;
3976
3977 l2cap_conn_start(conn);
3978 }
978c93b9
AE		 3979 break;
3980
3981 case L2CAP_IT_FIXED_CHAN:
3982 conn->fixed_chan_mask = rsp->data[0];
984947dc 3983 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3984 conn->info_ident = 0;
984947dc
MH		 3985
3986 l2cap_conn_start(conn);
978c93b9 3987 break;
984947dc 3988 }
4e8402a3 3989
1da177e4
LT		 3990 return 0;
3991}
3992
f94ff6ff
MM		 3993static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3994 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3995 void *data)
3996{
3997 struct l2cap_create_chan_req *req = data;
3998 struct l2cap_create_chan_rsp rsp;
3999 u16 psm, scid;
4000
4001 if (cmd_len != sizeof(*req))
4002 return -EPROTO;
4003
4004 if (!enable_hs)
4005 return -EINVAL;
4006
4007 psm = le16_to_cpu(req->psm);
4008 scid = le16_to_cpu(req->scid);
4009
ad0ac6ca 4010 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 4011
4012 /* Placeholder: Always reject */
4013 rsp.dcid = 0;
4014 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 4015 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4016 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 4017
4018 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4019 sizeof(rsp), &rsp);
4020
4021 return 0;
4022}
4023
4024static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
4025 struct l2cap_cmd_hdr *cmd, void *data)
4026{
4027 BT_DBG("conn %p", conn);
4028
4029 return l2cap_connect_rsp(conn, cmd, data);
4030}
4031
8d5a04a1 4032static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4033 u16 icid, u16 result)
8d5a04a1
MM		 4034{
4035 struct l2cap_move_chan_rsp rsp;
4036
ad0ac6ca 4037 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4038
4039 rsp.icid = cpu_to_le16(icid);
4040 rsp.result = cpu_to_le16(result);
4041
4042 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4043}
4044
4045static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4046 struct l2cap_chan *chan,
4047 u16 icid, u16 result)
8d5a04a1
MM		 4048{
4049 struct l2cap_move_chan_cfm cfm;
4050 u8 ident;
4051
ad0ac6ca 4052 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4053
4054 ident = l2cap_get_ident(conn);
4055 if (chan)
4056 chan->ident = ident;
4057
4058 cfm.icid = cpu_to_le16(icid);
4059 cfm.result = cpu_to_le16(result);
4060
4061 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4062}
4063
4064static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4065 u16 icid)
8d5a04a1
MM		 4066{
4067 struct l2cap_move_chan_cfm_rsp rsp;
4068
ad0ac6ca 4069 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4070
4071 rsp.icid = cpu_to_le16(icid);
4072 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4073}
4074
4075static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4076 struct l2cap_cmd_hdr *cmd,
4077 u16 cmd_len, void *data)
8d5a04a1
MM		 4078{
4079 struct l2cap_move_chan_req *req = data;
4080 u16 icid = 0;
4081 u16 result = L2CAP_MR_NOT_ALLOWED;
4082
4083 if (cmd_len != sizeof(*req))
4084 return -EPROTO;
4085
4086 icid = le16_to_cpu(req->icid);
4087
ad0ac6ca 4088 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4089
4090 if (!enable_hs)
4091 return -EINVAL;
4092
4093 /* Placeholder: Always refuse */
4094 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4095
4096 return 0;
4097}
4098
4099static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4100 struct l2cap_cmd_hdr *cmd,
4101 u16 cmd_len, void *data)
8d5a04a1
MM		 4102{
4103 struct l2cap_move_chan_rsp *rsp = data;
4104 u16 icid, result;
4105
4106 if (cmd_len != sizeof(*rsp))
4107 return -EPROTO;
4108
4109 icid = le16_to_cpu(rsp->icid);
4110 result = le16_to_cpu(rsp->result);
4111
ad0ac6ca 4112 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4113
4114 /* Placeholder: Always unconfirmed */
4115 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4116
4117 return 0;
4118}
4119
4120static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4121 struct l2cap_cmd_hdr *cmd,
4122 u16 cmd_len, void *data)
8d5a04a1
MM		 4123{
4124 struct l2cap_move_chan_cfm *cfm = data;
4125 u16 icid, result;
4126
4127 if (cmd_len != sizeof(*cfm))
4128 return -EPROTO;
4129
4130 icid = le16_to_cpu(cfm->icid);
4131 result = le16_to_cpu(cfm->result);
4132
ad0ac6ca 4133 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4134
4135 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4136
4137 return 0;
4138}
4139
4140static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4141 struct l2cap_cmd_hdr *cmd,
4142 u16 cmd_len, void *data)
8d5a04a1
MM		 4143{
4144 struct l2cap_move_chan_cfm_rsp *rsp = data;
4145 u16 icid;
4146
4147 if (cmd_len != sizeof(*rsp))
4148 return -EPROTO;
4149
4150 icid = le16_to_cpu(rsp->icid);
4151
ad0ac6ca 4152 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4153
4154 return 0;
4155}
4156
e2174ca4 4157static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4158 u16 to_multiplier)
4159{
4160 u16 max_latency;
4161
4162 if (min > max || min < 6 || max > 3200)
4163 return -EINVAL;
4164
4165 if (to_multiplier < 10 || to_multiplier > 3200)
4166 return -EINVAL;
4167
4168 if (max >= to_multiplier * 8)
4169 return -EINVAL;
4170
4171 max_latency = (to_multiplier * 8 / max) - 1;
4172 if (latency > 499 || latency > max_latency)
4173 return -EINVAL;
4174
4175 return 0;
4176}
4177
4178static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4179 struct l2cap_cmd_hdr *cmd, u8 *data)
4180{
4181 struct hci_conn *hcon = conn->hcon;
4182 struct l2cap_conn_param_update_req *req;
4183 struct l2cap_conn_param_update_rsp rsp;
4184 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4185 int err;
de73115a
CT		 4186
4187 if (!(hcon->link_mode & HCI_LM_MASTER))
4188 return -EINVAL;
4189
4190 cmd_len = __le16_to_cpu(cmd->len);
4191 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4192 return -EPROTO;
4193
4194 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4195 min = __le16_to_cpu(req->min);
4196 max = __le16_to_cpu(req->max);
de73115a
CT		 4197 latency = __le16_to_cpu(req->latency);
4198 to_multiplier = __le16_to_cpu(req->to_multiplier);
4199
4200 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4201 min, max, latency, to_multiplier);
4202
4203 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4204
4205 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4206 if (err)
ac73498c 4207 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4208 else
ac73498c 4209 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4210
4211 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4212 sizeof(rsp), &rsp);
4213
2ce603eb
CT		 4214 if (!err)
4215 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4216
de73115a
CT		 4217 return 0;
4218}
4219
3300d9a9
CT		 4220static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4221 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4222{
4223 int err = 0;
4224
4225 switch (cmd->code) {
4226 case L2CAP_COMMAND_REJ:
4227 l2cap_command_rej(conn, cmd, data);
4228 break;
4229
4230 case L2CAP_CONN_REQ:
4231 err = l2cap_connect_req(conn, cmd, data);
4232 break;
4233
4234 case L2CAP_CONN_RSP:
4235 err = l2cap_connect_rsp(conn, cmd, data);
4236 break;
4237
4238 case L2CAP_CONF_REQ:
4239 err = l2cap_config_req(conn, cmd, cmd_len, data);
4240 break;
4241
4242 case L2CAP_CONF_RSP:
4243 err = l2cap_config_rsp(conn, cmd, data);
4244 break;
4245
4246 case L2CAP_DISCONN_REQ:
4247 err = l2cap_disconnect_req(conn, cmd, data);
4248 break;
4249
4250 case L2CAP_DISCONN_RSP:
4251 err = l2cap_disconnect_rsp(conn, cmd, data);
4252 break;
4253
4254 case L2CAP_ECHO_REQ:
4255 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4256 break;
4257
4258 case L2CAP_ECHO_RSP:
4259 break;
4260
4261 case L2CAP_INFO_REQ:
4262 err = l2cap_information_req(conn, cmd, data);
4263 break;
4264
4265 case L2CAP_INFO_RSP:
4266 err = l2cap_information_rsp(conn, cmd, data);
4267 break;
4268
f94ff6ff
MM		 4269 case L2CAP_CREATE_CHAN_REQ:
4270 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4271 break;
4272
4273 case L2CAP_CREATE_CHAN_RSP:
4274 err = l2cap_create_channel_rsp(conn, cmd, data);
4275 break;
4276
8d5a04a1
MM		 4277 case L2CAP_MOVE_CHAN_REQ:
4278 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4279 break;
4280
4281 case L2CAP_MOVE_CHAN_RSP:
4282 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4283 break;
4284
4285 case L2CAP_MOVE_CHAN_CFM:
4286 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4287 break;
4288
4289 case L2CAP_MOVE_CHAN_CFM_RSP:
4290 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4291 break;
4292
3300d9a9
CT		 4293 default:
4294 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4295 err = -EINVAL;
4296 break;
4297 }
4298
4299 return err;
4300}
4301
4302static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4303 struct l2cap_cmd_hdr *cmd, u8 *data)
4304{
4305 switch (cmd->code) {
4306 case L2CAP_COMMAND_REJ:
4307 return 0;
4308
4309 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4310 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4311
4312 case L2CAP_CONN_PARAM_UPDATE_RSP:
4313 return 0;
4314
4315 default:
4316 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4317 return -EINVAL;
4318 }
4319}
4320
4321static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4322 struct sk_buff *skb)
1da177e4
LT		 4323{
4324 u8 *data = skb->data;
4325 int len = skb->len;
4326 struct l2cap_cmd_hdr cmd;
3300d9a9 4327 int err;
1da177e4
LT		 4328
4329 l2cap_raw_recv(conn, skb);
4330
4331 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4332 u16 cmd_len;
1da177e4
LT		 4333 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4334 data += L2CAP_CMD_HDR_SIZE;
4335 len -= L2CAP_CMD_HDR_SIZE;
4336
88219a0f 4337 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4338
88219a0f 4339 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4340
88219a0f 4341 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4342 BT_DBG("corrupted command");
4343 break;
4344 }
4345
3300d9a9
CT		 4346 if (conn->hcon->type == LE_LINK)
4347 err = l2cap_le_sig_cmd(conn, &cmd, data);
4348 else
4349 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4350
4351 if (err) {
e2fd318e 4352 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4353
4354 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4355
4356 /* FIXME: Map err to a valid reason */
ac73498c 4357 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4358 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4359 }
4360
88219a0f
AV		 4361 data += cmd_len;
4362 len -= cmd_len;
1da177e4
LT		 4363 }
4364
4365 kfree_skb(skb);
4366}
4367
47d1ec61 4368static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4369{
4370 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4371 int hdr_size;
4372
4373 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4374 hdr_size = L2CAP_EXT_HDR_SIZE;
4375 else
4376 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4377
47d1ec61 4378 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4379 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4380 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4381 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4382
4383 if (our_fcs != rcv_fcs)
7a560e5c 4384 return -EBADMSG;
fcc203c3
GP		 4385 }
4386 return 0;
4387}
4388
6ea00485 4389static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4390{
e31f7633 4391 struct l2cap_ctrl control;
d5392c8f 4392
e31f7633 4393 BT_DBG("chan %p", chan);
d5392c8f 4394
e31f7633
MM		 4395 memset(&control, 0, sizeof(control));
4396 control.sframe = 1;
4397 control.final = 1;
4398 control.reqseq = chan->buffer_seq;
4399 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4400
e2ab4353 4401 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4402 control.super = L2CAP_SUPER_RNR;
4403 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4404 }
4405
e31f7633
MM		 4406 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4407 chan->unacked_frames > 0)
4408 __set_retrans_timer(chan);
d5392c8f 4409
e31f7633 4410 /* Send pending iframes */
525cd185 4411 l2cap_ertm_send(chan);
d5392c8f 4412
e2ab4353 4413 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4414 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4415 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4416 * send it now.
4417 */
4418 control.super = L2CAP_SUPER_RR;
4419 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4420 }
4421}
4422
84084a31
MM		 4423static void append_skb_frag(struct sk_buff *skb,
4424 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4425{
84084a31
MM		 4426 /* skb->len reflects data in skb as well as all fragments
4427 * skb->data_len reflects only data in fragments
4428 */
4429 if (!skb_has_frag_list(skb))
4430 skb_shinfo(skb)->frag_list = new_frag;
4431
4432 new_frag->next = NULL;
4433
4434 (*last_frag)->next = new_frag;
4435 *last_frag = new_frag;
4436
4437 skb->len += new_frag->len;
4438 skb->data_len += new_frag->len;
4439 skb->truesize += new_frag->truesize;
4440}
4441
4b51dae9
MM		 4442static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4443 struct l2cap_ctrl *control)
84084a31
MM		 4444{
4445 int err = -EINVAL;
18778a63 4446
4b51dae9 4447 switch (control->sar) {
7e0ef6ee 4448 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4449 if (chan->sdu)
4450 break;
18778a63 4451
80b98027 4452 err = chan->ops->recv(chan, skb);
84084a31 4453 break;
18778a63 4454
7e0ef6ee 4455 case L2CAP_SAR_START:
84084a31
MM		 4456 if (chan->sdu)
4457 break;
18778a63 4458
6f61fd47 4459 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4460 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4461
84084a31
MM		 4462 if (chan->sdu_len > chan->imtu) {
4463 err = -EMSGSIZE;
4464 break;
4465 }
1890d36b 4466
84084a31
MM		 4467 if (skb->len >= chan->sdu_len)
4468 break;
18778a63 4469
84084a31
MM		 4470 chan->sdu = skb;
4471 chan->sdu_last_frag = skb;
18778a63 4472
84084a31
MM		 4473 skb = NULL;
4474 err = 0;
18778a63
GP		 4475 break;
4476
7e0ef6ee 4477 case L2CAP_SAR_CONTINUE:
6f61fd47 4478 if (!chan->sdu)
84084a31 4479 break;
18778a63 4480
84084a31
MM		 4481 append_skb_frag(chan->sdu, skb,
4482 &chan->sdu_last_frag);
4483 skb = NULL;
18778a63 4484
84084a31
MM		 4485 if (chan->sdu->len >= chan->sdu_len)
4486 break;
4178ba46 4487
84084a31 4488 err = 0;
18778a63
GP		 4489 break;
4490
7e0ef6ee 4491 case L2CAP_SAR_END:
6f61fd47 4492 if (!chan->sdu)
84084a31 4493 break;
18778a63 4494
84084a31
MM		 4495 append_skb_frag(chan->sdu, skb,
4496 &chan->sdu_last_frag);
4497 skb = NULL;
4178ba46 4498
84084a31
MM		 4499 if (chan->sdu->len != chan->sdu_len)
4500 break;
18778a63 4501
80b98027 4502 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4503
84084a31
MM		 4504 if (!err) {
4505 /* Reassembly complete */
4506 chan->sdu = NULL;
4507 chan->sdu_last_frag = NULL;
4508 chan->sdu_len = 0;
1890d36b 4509 }
18778a63
GP		 4510 break;
4511 }
4512
84084a31
MM		 4513 if (err) {
4514 kfree_skb(skb);
4515 kfree_skb(chan->sdu);
4516 chan->sdu = NULL;
4517 chan->sdu_last_frag = NULL;
4518 chan->sdu_len = 0;
4519 }
18778a63 4520
84084a31 4521 return err;
18778a63
GP		 4522}
4523
61aa4f5b 4524void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4525{
61aa4f5b 4526 u8 event;
712132eb 4527
61aa4f5b
MM		 4528 if (chan->mode != L2CAP_MODE_ERTM)
4529 return;
712132eb 4530
61aa4f5b 4531 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4532 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4533}
4534
d2a7ac5d
MM		 4535static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4536{
63838725
MM		 4537 int err = 0;
4538 /* Pass sequential frames to l2cap_reassemble_sdu()
4539 * until a gap is encountered.
4540 */
4541
4542 BT_DBG("chan %p", chan);
4543
4544 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4545 struct sk_buff *skb;
4546 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4547 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4548
4549 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4550
4551 if (!skb)
4552 break;
4553
4554 skb_unlink(skb, &chan->srej_q);
4555 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4556 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4557 if (err)
4558 break;
4559 }
4560
4561 if (skb_queue_empty(&chan->srej_q)) {
4562 chan->rx_state = L2CAP_RX_STATE_RECV;
4563 l2cap_send_ack(chan);
4564 }
4565
4566 return err;
d2a7ac5d
MM		 4567}
4568
4569static void l2cap_handle_srej(struct l2cap_chan *chan,
4570 struct l2cap_ctrl *control)
4571{
f80842a8
MM		 4572 struct sk_buff *skb;
4573
4574 BT_DBG("chan %p, control %p", chan, control);
4575
4576 if (control->reqseq == chan->next_tx_seq) {
4577 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4578 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4579 return;
4580 }
4581
4582 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4583
4584 if (skb == NULL) {
4585 BT_DBG("Seq %d not available for retransmission",
4586 control->reqseq);
4587 return;
4588 }
4589
4590 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4591 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4592 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4593 return;
4594 }
4595
4596 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4597
4598 if (control->poll) {
4599 l2cap_pass_to_tx(chan, control);
4600
4601 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4602 l2cap_retransmit(chan, control);
4603 l2cap_ertm_send(chan);
4604
4605 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4606 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4607 chan->srej_save_reqseq = control->reqseq;
4608 }
4609 } else {
4610 l2cap_pass_to_tx_fbit(chan, control);
4611
4612 if (control->final) {
4613 if (chan->srej_save_reqseq != control->reqseq ||
4614 !test_and_clear_bit(CONN_SREJ_ACT,
4615 &chan->conn_state))
4616 l2cap_retransmit(chan, control);
4617 } else {
4618 l2cap_retransmit(chan, control);
4619 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4620 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4621 chan->srej_save_reqseq = control->reqseq;
4622 }
4623 }
4624 }
d2a7ac5d
MM		 4625}
4626
4627static void l2cap_handle_rej(struct l2cap_chan *chan,
4628 struct l2cap_ctrl *control)
4629{
fcd289df
MM		 4630 struct sk_buff *skb;
4631
4632 BT_DBG("chan %p, control %p", chan, control);
4633
4634 if (control->reqseq == chan->next_tx_seq) {
4635 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4636 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4637 return;
4638 }
4639
4640 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4641
4642 if (chan->max_tx && skb &&
4643 bt_cb(skb)->control.retries >= chan->max_tx) {
4644 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4645 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4646 return;
4647 }
4648
4649 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4650
4651 l2cap_pass_to_tx(chan, control);
4652
4653 if (control->final) {
4654 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4655 l2cap_retransmit_all(chan, control);
4656 } else {
4657 l2cap_retransmit_all(chan, control);
4658 l2cap_ertm_send(chan);
4659 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4660 set_bit(CONN_REJ_ACT, &chan->conn_state);
4661 }
d2a7ac5d
MM		 4662}
4663
4b51dae9
MM		 4664static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4665{
4666 BT_DBG("chan %p, txseq %d", chan, txseq);
4667
4668 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4669 chan->expected_tx_seq);
4670
4671 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4672 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4673 chan->tx_win) {
4674 /* See notes below regarding "double poll" and
4675 * invalid packets.
4676 */
4677 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4678 BT_DBG("Invalid/Ignore - after SREJ");
4679 return L2CAP_TXSEQ_INVALID_IGNORE;
4680 } else {
4681 BT_DBG("Invalid - in window after SREJ sent");
4682 return L2CAP_TXSEQ_INVALID;
4683 }
4684 }
4685
4686 if (chan->srej_list.head == txseq) {
4687 BT_DBG("Expected SREJ");
4688 return L2CAP_TXSEQ_EXPECTED_SREJ;
4689 }
4690
4691 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4692 BT_DBG("Duplicate SREJ - txseq already stored");
4693 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4694 }
4695
4696 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4697 BT_DBG("Unexpected SREJ - not requested");
4698 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4699 }
4700 }
4701
4702 if (chan->expected_tx_seq == txseq) {
4703 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4704 chan->tx_win) {
4705 BT_DBG("Invalid - txseq outside tx window");
4706 return L2CAP_TXSEQ_INVALID;
4707 } else {
4708 BT_DBG("Expected");
4709 return L2CAP_TXSEQ_EXPECTED;
4710 }
4711 }
4712
4713 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4714 __seq_offset(chan, chan->expected_tx_seq,
4715 chan->last_acked_seq)){
4716 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4717 return L2CAP_TXSEQ_DUPLICATE;
4718 }
4719
4720 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4721 /* A source of invalid packets is a "double poll" condition,
4722 * where delays cause us to send multiple poll packets. If
4723 * the remote stack receives and processes both polls,
4724 * sequence numbers can wrap around in such a way that a
4725 * resent frame has a sequence number that looks like new data
4726 * with a sequence gap. This would trigger an erroneous SREJ
4727 * request.
4728 *
4729 * Fortunately, this is impossible with a tx window that's
4730 * less than half of the maximum sequence number, which allows
4731 * invalid frames to be safely ignored.
4732 *
4733 * With tx window sizes greater than half of the tx window
4734 * maximum, the frame is invalid and cannot be ignored. This
4735 * causes a disconnect.
4736 */
4737
4738 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4739 BT_DBG("Invalid/Ignore - txseq outside tx window");
4740 return L2CAP_TXSEQ_INVALID_IGNORE;
4741 } else {
4742 BT_DBG("Invalid - txseq outside tx window");
4743 return L2CAP_TXSEQ_INVALID;
4744 }
4745 } else {
4746 BT_DBG("Unexpected - txseq indicates missing frames");
4747 return L2CAP_TXSEQ_UNEXPECTED;
4748 }
4749}
4750
d2a7ac5d
MM		 4751static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4752 struct l2cap_ctrl *control,
4753 struct sk_buff *skb, u8 event)
4754{
4755 int err = 0;
4756 bool skb_in_use = 0;
4757
4758 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4759 event);
4760
4761 switch (event) {
4762 case L2CAP_EV_RECV_IFRAME:
4763 switch (l2cap_classify_txseq(chan, control->txseq)) {
4764 case L2CAP_TXSEQ_EXPECTED:
4765 l2cap_pass_to_tx(chan, control);
4766
4767 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4768 BT_DBG("Busy, discarding expected seq %d",
4769 control->txseq);
4770 break;
4771 }
4772
4773 chan->expected_tx_seq = __next_seq(chan,
4774 control->txseq);
4775
4776 chan->buffer_seq = chan->expected_tx_seq;
4777 skb_in_use = 1;
4778
4779 err = l2cap_reassemble_sdu(chan, skb, control);
4780 if (err)
4781 break;
4782
4783 if (control->final) {
4784 if (!test_and_clear_bit(CONN_REJ_ACT,
4785 &chan->conn_state)) {
4786 control->final = 0;
4787 l2cap_retransmit_all(chan, control);
4788 l2cap_ertm_send(chan);
4789 }
4790 }
4791
4792 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4793 l2cap_send_ack(chan);
4794 break;
4795 case L2CAP_TXSEQ_UNEXPECTED:
4796 l2cap_pass_to_tx(chan, control);
4797
4798 /* Can't issue SREJ frames in the local busy state.
4799 * Drop this frame, it will be seen as missing
4800 * when local busy is exited.
4801 */
4802 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4803 BT_DBG("Busy, discarding unexpected seq %d",
4804 control->txseq);
4805 break;
4806 }
4807
4808 /* There was a gap in the sequence, so an SREJ
4809 * must be sent for each missing frame. The
4810 * current frame is stored for later use.
4811 */
4812 skb_queue_tail(&chan->srej_q, skb);
4813 skb_in_use = 1;
4814 BT_DBG("Queued %p (queue len %d)", skb,
4815 skb_queue_len(&chan->srej_q));
4816
4817 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4818 l2cap_seq_list_clear(&chan->srej_list);
4819 l2cap_send_srej(chan, control->txseq);
4820
4821 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4822 break;
4823 case L2CAP_TXSEQ_DUPLICATE:
4824 l2cap_pass_to_tx(chan, control);
4825 break;
4826 case L2CAP_TXSEQ_INVALID_IGNORE:
4827 break;
4828 case L2CAP_TXSEQ_INVALID:
4829 default:
4830 l2cap_send_disconn_req(chan->conn, chan,
4831 ECONNRESET);
4832 break;
4833 }
4834 break;
4835 case L2CAP_EV_RECV_RR:
4836 l2cap_pass_to_tx(chan, control);
4837 if (control->final) {
4838 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4839
4840 if (!test_and_clear_bit(CONN_REJ_ACT,
4841 &chan->conn_state)) {
4842 control->final = 0;
4843 l2cap_retransmit_all(chan, control);
4844 }
4845
4846 l2cap_ertm_send(chan);
4847 } else if (control->poll) {
4848 l2cap_send_i_or_rr_or_rnr(chan);
4849 } else {
4850 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4851 &chan->conn_state) &&
4852 chan->unacked_frames)
4853 __set_retrans_timer(chan);
4854
4855 l2cap_ertm_send(chan);
4856 }
4857 break;
4858 case L2CAP_EV_RECV_RNR:
4859 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4860 l2cap_pass_to_tx(chan, control);
4861 if (control && control->poll) {
4862 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4863 l2cap_send_rr_or_rnr(chan, 0);
4864 }
4865 __clear_retrans_timer(chan);
4866 l2cap_seq_list_clear(&chan->retrans_list);
4867 break;
4868 case L2CAP_EV_RECV_REJ:
4869 l2cap_handle_rej(chan, control);
4870 break;
4871 case L2CAP_EV_RECV_SREJ:
4872 l2cap_handle_srej(chan, control);
4873 break;
4874 default:
4875 break;
4876 }
4877
4878 if (skb && !skb_in_use) {
4879 BT_DBG("Freeing %p", skb);
4880 kfree_skb(skb);
4881 }
4882
4883 return err;
4884}
4885
4886static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4887 struct l2cap_ctrl *control,
4888 struct sk_buff *skb, u8 event)
4889{
4890 int err = 0;
4891 u16 txseq = control->txseq;
4892 bool skb_in_use = 0;
4893
4894 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4895 event);
4896
4897 switch (event) {
4898 case L2CAP_EV_RECV_IFRAME:
4899 switch (l2cap_classify_txseq(chan, txseq)) {
4900 case L2CAP_TXSEQ_EXPECTED:
4901 /* Keep frame for reassembly later */
4902 l2cap_pass_to_tx(chan, control);
4903 skb_queue_tail(&chan->srej_q, skb);
4904 skb_in_use = 1;
4905 BT_DBG("Queued %p (queue len %d)", skb,
4906 skb_queue_len(&chan->srej_q));
4907
4908 chan->expected_tx_seq = __next_seq(chan, txseq);
4909 break;
4910 case L2CAP_TXSEQ_EXPECTED_SREJ:
4911 l2cap_seq_list_pop(&chan->srej_list);
4912
4913 l2cap_pass_to_tx(chan, control);
4914 skb_queue_tail(&chan->srej_q, skb);
4915 skb_in_use = 1;
4916 BT_DBG("Queued %p (queue len %d)", skb,
4917 skb_queue_len(&chan->srej_q));
4918
4919 err = l2cap_rx_queued_iframes(chan);
4920 if (err)
4921 break;
4922
4923 break;
4924 case L2CAP_TXSEQ_UNEXPECTED:
4925 /* Got a frame that can't be reassembled yet.
4926 * Save it for later, and send SREJs to cover
4927 * the missing frames.
4928 */
4929 skb_queue_tail(&chan->srej_q, skb);
4930 skb_in_use = 1;
4931 BT_DBG("Queued %p (queue len %d)", skb,
4932 skb_queue_len(&chan->srej_q));
4933
4934 l2cap_pass_to_tx(chan, control);
4935 l2cap_send_srej(chan, control->txseq);
4936 break;
4937 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4938 /* This frame was requested with an SREJ, but
4939 * some expected retransmitted frames are
4940 * missing. Request retransmission of missing
4941 * SREJ'd frames.
4942 */
4943 skb_queue_tail(&chan->srej_q, skb);
4944 skb_in_use = 1;
4945 BT_DBG("Queued %p (queue len %d)", skb,
4946 skb_queue_len(&chan->srej_q));
4947
4948 l2cap_pass_to_tx(chan, control);
4949 l2cap_send_srej_list(chan, control->txseq);
4950 break;
4951 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4952 /* We've already queued this frame. Drop this copy. */
4953 l2cap_pass_to_tx(chan, control);
4954 break;
4955 case L2CAP_TXSEQ_DUPLICATE:
4956 /* Expecting a later sequence number, so this frame
4957 * was already received. Ignore it completely.
4958 */
4959 break;
4960 case L2CAP_TXSEQ_INVALID_IGNORE:
4961 break;
4962 case L2CAP_TXSEQ_INVALID:
4963 default:
4964 l2cap_send_disconn_req(chan->conn, chan,
4965 ECONNRESET);
4966 break;
4967 }
4968 break;
4969 case L2CAP_EV_RECV_RR:
4970 l2cap_pass_to_tx(chan, control);
4971 if (control->final) {
4972 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4973
4974 if (!test_and_clear_bit(CONN_REJ_ACT,
4975 &chan->conn_state)) {
4976 control->final = 0;
4977 l2cap_retransmit_all(chan, control);
4978 }
4979
4980 l2cap_ertm_send(chan);
4981 } else if (control->poll) {
4982 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4983 &chan->conn_state) &&
4984 chan->unacked_frames) {
4985 __set_retrans_timer(chan);
4986 }
4987
4988 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4989 l2cap_send_srej_tail(chan);
4990 } else {
4991 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4992 &chan->conn_state) &&
4993 chan->unacked_frames)
4994 __set_retrans_timer(chan);
4995
4996 l2cap_send_ack(chan);
4997 }
4998 break;
4999 case L2CAP_EV_RECV_RNR:
5000 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5001 l2cap_pass_to_tx(chan, control);
5002 if (control->poll) {
5003 l2cap_send_srej_tail(chan);
5004 } else {
5005 struct l2cap_ctrl rr_control;
5006 memset(&rr_control, 0, sizeof(rr_control));
5007 rr_control.sframe = 1;
5008 rr_control.super = L2CAP_SUPER_RR;
5009 rr_control.reqseq = chan->buffer_seq;
5010 l2cap_send_sframe(chan, &rr_control);
5011 }
5012
5013 break;
5014 case L2CAP_EV_RECV_REJ:
5015 l2cap_handle_rej(chan, control);
5016 break;
5017 case L2CAP_EV_RECV_SREJ:
5018 l2cap_handle_srej(chan, control);
5019 break;
5020 }
5021
5022 if (skb && !skb_in_use) {
5023 BT_DBG("Freeing %p", skb);
5024 kfree_skb(skb);
5025 }
5026
5027 return err;
5028}
5029
5030static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5031{
5032 /* Make sure reqseq is for a packet that has been sent but not acked */
5033 u16 unacked;
5034
5035 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5036 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5037}
5038
cec8ab6e
MM		 5039static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5040 struct sk_buff *skb, u8 event)
218bb9df 5041{
d2a7ac5d
MM		 5042 int err = 0;
5043
5044 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5045 control, skb, event, chan->rx_state);
5046
5047 if (__valid_reqseq(chan, control->reqseq)) {
5048 switch (chan->rx_state) {
5049 case L2CAP_RX_STATE_RECV:
5050 err = l2cap_rx_state_recv(chan, control, skb, event);
5051 break;
5052 case L2CAP_RX_STATE_SREJ_SENT:
5053 err = l2cap_rx_state_srej_sent(chan, control, skb,
5054 event);
5055 break;
5056 default:
5057 /* shut it down */
5058 break;
5059 }
5060 } else {
5061 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5062 control->reqseq, chan->next_tx_seq,
5063 chan->expected_ack_seq);
5064 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5065 }
5066
5067 return err;
cec8ab6e
MM		 5068}
5069
5070static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5071 struct sk_buff *skb)
5072{
4b51dae9
MM		 5073 int err = 0;
5074
5075 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5076 chan->rx_state);
5077
5078 if (l2cap_classify_txseq(chan, control->txseq) ==
5079 L2CAP_TXSEQ_EXPECTED) {
5080 l2cap_pass_to_tx(chan, control);
5081
5082 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5083 __next_seq(chan, chan->buffer_seq));
5084
5085 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5086
5087 l2cap_reassemble_sdu(chan, skb, control);
5088 } else {
5089 if (chan->sdu) {
5090 kfree_skb(chan->sdu);
5091 chan->sdu = NULL;
5092 }
5093 chan->sdu_last_frag = NULL;
5094 chan->sdu_len = 0;
5095
5096 if (skb) {
5097 BT_DBG("Freeing %p", skb);
5098 kfree_skb(skb);
5099 }
5100 }
5101
5102 chan->last_acked_seq = control->txseq;
5103 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5104
5105 return err;
cec8ab6e
MM		 5106}
5107
5108static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5109{
5110 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5111 u16 len;
5112 u8 event;
218bb9df 5113
b76bbd66
MM		 5114 __unpack_control(chan, skb);
5115
218bb9df
GP		 5116 len = skb->len;
5117
5118 /*
5119 * We can just drop the corrupted I-frame here.
5120 * Receiver will miss it and start proper recovery
cec8ab6e 5121 * procedures and ask for retransmission.
218bb9df 5122 */
47d1ec61 5123 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5124 goto drop;
5125
cec8ab6e 5126 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5127 len -= L2CAP_SDULEN_SIZE;
218bb9df 5128
47d1ec61 5129 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5130 len -= L2CAP_FCS_SIZE;
218bb9df 5131
47d1ec61 5132 if (len > chan->mps) {
8c1d787b 5133 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5134 goto drop;
5135 }
5136
cec8ab6e
MM		 5137 if (!control->sframe) {
5138 int err;
218bb9df 5139
cec8ab6e
MM		 5140 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5141 control->sar, control->reqseq, control->final,
5142 control->txseq);
218bb9df 5143
cec8ab6e
MM		 5144 /* Validate F-bit - F=0 always valid, F=1 only
5145 * valid in TX WAIT_F
5146 */
5147 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5148 goto drop;
cec8ab6e
MM		 5149
5150 if (chan->mode != L2CAP_MODE_STREAMING) {
5151 event = L2CAP_EV_RECV_IFRAME;
5152 err = l2cap_rx(chan, control, skb, event);
5153 } else {
5154 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5155 }
5156
cec8ab6e
MM		 5157 if (err)
5158 l2cap_send_disconn_req(chan->conn, chan,
5159 ECONNRESET);
218bb9df 5160 } else {
cec8ab6e
MM		 5161 const u8 rx_func_to_event[4] = {
5162 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5163 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5164 };
5165
5166 /* Only I-frames are expected in streaming mode */
5167 if (chan->mode == L2CAP_MODE_STREAMING)
5168 goto drop;
5169
5170 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5171 control->reqseq, control->final, control->poll,
5172 control->super);
5173
218bb9df
GP		 5174 if (len != 0) {
5175 BT_ERR("%d", len);
8c1d787b 5176 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5177 goto drop;
5178 }
5179
cec8ab6e
MM		 5180 /* Validate F and P bits */
5181 if (control->final && (control->poll ||
5182 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5183 goto drop;
5184
5185 event = rx_func_to_event[control->super];
5186 if (l2cap_rx(chan, control, skb, event))
5187 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5188 }
5189
5190 return 0;
5191
5192drop:
5193 kfree_skb(skb);
5194 return 0;
5195}
5196
13ca56e0
AE		 5197static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5198 struct sk_buff *skb)
1da177e4 5199{
48454079 5200 struct l2cap_chan *chan;
1da177e4 5201
baa7e1fa 5202 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5203 if (!chan) {
97e8e89d
AE		 5204 if (cid == L2CAP_CID_A2MP) {
5205 chan = a2mp_channel_create(conn, skb);
5206 if (!chan) {
5207 kfree_skb(skb);
13ca56e0 5208 return;
97e8e89d
AE		 5209 }
5210
5211 l2cap_chan_lock(chan);
5212 } else {
5213 BT_DBG("unknown cid 0x%4.4x", cid);
5214 /* Drop packet and return */
5215 kfree_skb(skb);
13ca56e0 5216 return;
97e8e89d 5217 }
1da177e4
LT		 5218 }
5219
49208c9c 5220 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5221
89bc500e 5222 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5223 goto drop;
5224
0c1bc5c6 5225 switch (chan->mode) {
1c2acffb
GP		 5226 case L2CAP_MODE_BASIC:
5227 /* If socket recv buffers overflows we drop data here
5228 * which is *bad* because L2CAP has to be reliable.
5229 * But we don't have any other choice. L2CAP doesn't
5230 * provide flow control mechanism. */
1da177e4 5231
0c1bc5c6 5232 if (chan->imtu < skb->len)
1c2acffb 5233 goto drop;
1da177e4 5234
80b98027 5235 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5236 goto done;
5237 break;
5238
5239 case L2CAP_MODE_ERTM:
6840ed07 5240 case L2CAP_MODE_STREAMING:
cec8ab6e 5241 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5242 goto done;
5243
1c2acffb 5244 default:
0c1bc5c6 5245 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5246 break;
5247 }
1da177e4
LT		 5248
5249drop:
5250 kfree_skb(skb);
5251
5252done:
6be36555 5253 l2cap_chan_unlock(chan);
1da177e4
LT		 5254}
5255
84104b24
AE		 5256static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5257 struct sk_buff *skb)
1da177e4 5258{
23691d75 5259 struct l2cap_chan *chan;
1da177e4 5260
c2287681 5261 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5262 if (!chan)
1da177e4
LT		 5263 goto drop;
5264
5b4cedaa 5265 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5266
89bc500e 5267 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5268 goto drop;
5269
e13e21dc 5270 if (chan->imtu < skb->len)
1da177e4
LT		 5271 goto drop;
5272
80b98027 5273 if (!chan->ops->recv(chan, skb))
84104b24 5274 return;
1da177e4
LT		 5275
5276drop:
5277 kfree_skb(skb);
1da177e4
LT		 5278}
5279
6810fca7
AE		 5280static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5281 struct sk_buff *skb)
9f69bda6 5282{
23691d75 5283 struct l2cap_chan *chan;
9f69bda6 5284
c2287681 5285 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5286 if (!chan)
9f69bda6
GP		 5287 goto drop;
5288
5b4cedaa 5289 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5290
89bc500e 5291 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5292 goto drop;
5293
e13e21dc 5294 if (chan->imtu < skb->len)
9f69bda6
GP		 5295 goto drop;
5296
80b98027 5297 if (!chan->ops->recv(chan, skb))
6810fca7 5298 return;
9f69bda6
GP		 5299
5300drop:
5301 kfree_skb(skb);
9f69bda6
GP		 5302}
5303
1da177e4
LT		 5304static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5305{
5306 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5307 u16 cid, len;
5308 __le16 psm;
1da177e4
LT		 5309
5310 skb_pull(skb, L2CAP_HDR_SIZE);
5311 cid = __le16_to_cpu(lh->cid);
5312 len = __le16_to_cpu(lh->len);
5313
1c2acffb
GP		 5314 if (len != skb->len) {
5315 kfree_skb(skb);
5316 return;
5317 }
5318
1da177e4
LT		 5319 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5320
5321 switch (cid) {
3300d9a9 5322 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5323 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5324 l2cap_sig_channel(conn, skb);
5325 break;
5326
8db4dc46 5327 case L2CAP_CID_CONN_LESS:
097db76c 5328 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5329 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5330 l2cap_conless_channel(conn, psm, skb);
5331 break;
5332
9f69bda6
GP		 5333 case L2CAP_CID_LE_DATA:
5334 l2cap_att_channel(conn, cid, skb);
5335 break;
5336
b501d6a1
AB		 5337 case L2CAP_CID_SMP:
5338 if (smp_sig_channel(conn, skb))
5339 l2cap_conn_del(conn->hcon, EACCES);
5340 break;
5341
1da177e4
LT		 5342 default:
5343 l2cap_data_channel(conn, cid, skb);
5344 break;
5345 }
5346}
5347
5348/* ---- L2CAP interface with lower layer (HCI) ---- */
5349
686ebf28 5350int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5351{
5352 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5353 struct l2cap_chan *c;
1da177e4 5354
6ed93dc6 5355 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5356
5357 /* Find listening sockets and check their link_mode */
23691d75
GP		 5358 read_lock(&chan_list_lock);
5359 list_for_each_entry(c, &chan_list, global_l) {
5360 struct sock *sk = c->sk;
4343478f 5361
89bc500e 5362 if (c->state != BT_LISTEN)
1da177e4
LT		 5363 continue;
5364
5365 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5366 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5367 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5368 lm1 |= HCI_LM_MASTER;
1da177e4 5369 exact++;
2af6b9d5
MH		 5370 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5371 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5372 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5373 lm2 |= HCI_LM_MASTER;
5374 }
1da177e4 5375 }
23691d75 5376 read_unlock(&chan_list_lock);
1da177e4
LT		 5377
5378 return exact ? lm1 : lm2;
5379}
5380
9e664631 5381void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5382{
0139418c
MH		 5383 struct l2cap_conn *conn;
5384
6ed93dc6 5385 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5386
1da177e4 5387 if (!status) {
1da177e4
LT		 5388 conn = l2cap_conn_add(hcon, status);
5389 if (conn)
5390 l2cap_conn_ready(conn);
0139418c 5391 } else
e175072f 5392 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5393
1da177e4
LT		 5394}
5395
686ebf28 5396int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5397{
5398 struct l2cap_conn *conn = hcon->l2cap_data;
5399
5400 BT_DBG("hcon %p", hcon);
5401
686ebf28 5402 if (!conn)
9f5a0d7b 5403 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5404 return conn->disc_reason;
5405}
5406
9e664631 5407void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5408{
5409 BT_DBG("hcon %p reason %d", hcon, reason);
5410
e175072f 5411 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5412}
5413
4343478f 5414static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5415{
715ec005 5416 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5417 return;
5418
f62e4323 5419 if (encrypt == 0x00) {
4343478f 5420 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5421 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5422 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5423 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5424 } else {
4343478f 5425 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5426 __clear_chan_timer(chan);
f62e4323
MH		 5427 }
5428}
5429
686ebf28 5430int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5431{
0139418c 5432 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5433 struct l2cap_chan *chan;
1da177e4 5434
0139418c 5435 if (!conn)
1da177e4 5436 return 0;
0139418c 5437
89d8b407 5438 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5439
160dc6ac 5440 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5441 if (!status && encrypt)
5442 smp_distribute_keys(conn, 0);
17cd3f37 5443 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5444 }
5445
3df91ea2 5446 mutex_lock(&conn->chan_lock);
1da177e4 5447
3df91ea2 5448 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5449 l2cap_chan_lock(chan);
1da177e4 5450
89d8b407
AE		 5451 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5452 state_to_string(chan->state));
f1cb9af5 5453
78eb2f98
AE		 5454 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5455 l2cap_chan_unlock(chan);
5456 continue;
5457 }
5458
f1cb9af5
VCG		 5459 if (chan->scid == L2CAP_CID_LE_DATA) {
5460 if (!status && encrypt) {
5461 chan->sec_level = hcon->sec_level;
cf4cd009 5462 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5463 }
5464
6be36555 5465 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5466 continue;
5467 }
5468
c1360a1c 5469 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5470 l2cap_chan_unlock(chan);
6a8d3010
MH		 5471 continue;
5472 }
5473
89bc500e
GP		 5474 if (!status && (chan->state == BT_CONNECTED ||
5475 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5476 struct sock *sk = chan->sk;
5477
c5daa683 5478 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5479 sk->sk_state_change(sk);
5480
4343478f 5481 l2cap_check_encryption(chan, encrypt);
6be36555 5482 l2cap_chan_unlock(chan);
9719f8af
MH		 5483 continue;
5484 }
5485
89bc500e 5486 if (chan->state == BT_CONNECT) {
b1235d79 5487 if (!status) {
93c3e8f5 5488 l2cap_start_connection(chan);
b1235d79 5489 } else {
ba13ccd9 5490 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5491 }
89bc500e 5492 } else if (chan->state == BT_CONNECT2) {
6be36555 5493 struct sock *sk = chan->sk;
b1235d79 5494 struct l2cap_conn_rsp rsp;
df3c3931 5495 __u16 res, stat;
1da177e4 5496
6be36555
AE		 5497 lock_sock(sk);
5498
b1235d79 5499 if (!status) {
c5daa683
GP		 5500 if (test_bit(BT_SK_DEFER_SETUP,
5501 &bt_sk(sk)->flags)) {
df3c3931
JH		 5502 struct sock *parent = bt_sk(sk)->parent;
5503 res = L2CAP_CR_PEND;
5504 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5505 if (parent)
5506 parent->sk_data_ready(parent, 0);
df3c3931 5507 } else {
0e587be7 5508 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5509 res = L2CAP_CR_SUCCESS;
5510 stat = L2CAP_CS_NO_INFO;
5511 }
b1235d79 5512 } else {
0e587be7 5513 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5514 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5515 res = L2CAP_CR_SEC_BLOCK;
5516 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5517 }
5518
6be36555
AE		 5519 release_sock(sk);
5520
fe4128e0
GP		 5521 rsp.scid = cpu_to_le16(chan->dcid);
5522 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5523 rsp.result = cpu_to_le16(res);
5524 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5525 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5526 sizeof(rsp), &rsp);
2d369359
MM		 5527
5528 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5529 res == L2CAP_CR_SUCCESS) {
5530 char buf[128];
5531 set_bit(CONF_REQ_SENT, &chan->conf_state);
5532 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5533 L2CAP_CONF_REQ,
5534 l2cap_build_conf_req(chan, buf),
5535 buf);
5536 chan->num_conf_req++;
5537 }
b1235d79 5538 }
1da177e4 5539
6be36555 5540 l2cap_chan_unlock(chan);
1da177e4
LT		 5541 }
5542
3df91ea2 5543 mutex_unlock(&conn->chan_lock);
b1235d79 5544
1da177e4
LT		 5545 return 0;
5546}
5547
686ebf28 5548int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5549{
5550 struct l2cap_conn *conn = hcon->l2cap_data;
5551
5a08ecce
AE		 5552 if (!conn)
5553 conn = l2cap_conn_add(hcon, 0);
5554
5555 if (!conn)
1da177e4
LT		 5556 goto drop;
5557
5558 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5559
e702112f 5560 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5561 struct l2cap_hdr *hdr;
5562 int len;
5563
5564 if (conn->rx_len) {
5565 BT_ERR("Unexpected start frame (len %d)", skb->len);
5566 kfree_skb(conn->rx_skb);
5567 conn->rx_skb = NULL;
5568 conn->rx_len = 0;
5569 l2cap_conn_unreliable(conn, ECOMM);
5570 }
5571
aae7fe22
AE		 5572 /* Start fragment always begin with Basic L2CAP header */
5573 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5574 BT_ERR("Frame is too short (len %d)", skb->len);
5575 l2cap_conn_unreliable(conn, ECOMM);
5576 goto drop;
5577 }
5578
5579 hdr = (struct l2cap_hdr *) skb->data;
5580 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5581
5582 if (len == skb->len) {
5583 /* Complete frame received */
5584 l2cap_recv_frame(conn, skb);
5585 return 0;
5586 }
5587
5588 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5589
5590 if (skb->len > len) {
5591 BT_ERR("Frame is too long (len %d, expected len %d)",
5592 skb->len, len);
5593 l2cap_conn_unreliable(conn, ECOMM);
5594 goto drop;
5595 }
5596
5597 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5598 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5599 if (!conn->rx_skb)
1da177e4
LT		 5600 goto drop;
5601
d626f62b 5602 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5603 skb->len);
1da177e4
LT		 5604 conn->rx_len = len - skb->len;
5605 } else {
5606 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5607
5608 if (!conn->rx_len) {
5609 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5610 l2cap_conn_unreliable(conn, ECOMM);
5611 goto drop;
5612 }
5613
5614 if (skb->len > conn->rx_len) {
5615 BT_ERR("Fragment is too long (len %d, expected %d)",
5616 skb->len, conn->rx_len);
5617 kfree_skb(conn->rx_skb);
5618 conn->rx_skb = NULL;
5619 conn->rx_len = 0;
5620 l2cap_conn_unreliable(conn, ECOMM);
5621 goto drop;
5622 }
5623
d626f62b 5624 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5625 skb->len);
1da177e4
LT		 5626 conn->rx_len -= skb->len;
5627
5628 if (!conn->rx_len) {
5629 /* Complete frame received */
5630 l2cap_recv_frame(conn, conn->rx_skb);
5631 conn->rx_skb = NULL;
5632 }
5633 }
5634
5635drop:
5636 kfree_skb(skb);
5637 return 0;
5638}
5639
aef7d97c 5640static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5641{
23691d75 5642 struct l2cap_chan *c;
1da177e4 5643
333055f2 5644 read_lock(&chan_list_lock);
1da177e4 5645
23691d75
GP		 5646 list_for_each_entry(c, &chan_list, global_l) {
5647 struct sock *sk = c->sk;
101545f6 5648
fcb73338
AE		 5649 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5650 &bt_sk(sk)->src, &bt_sk(sk)->dst,
5651 c->state, __le16_to_cpu(c->psm),
5652 c->scid, c->dcid, c->imtu, c->omtu,
5653 c->sec_level, c->mode);
61e1b4b7 5654 }
1da177e4 5655
333055f2 5656 read_unlock(&chan_list_lock);
1da177e4 5657
aef7d97c 5658 return 0;
1da177e4
LT		 5659}
5660
aef7d97c
MH		 5661static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5662{
5663 return single_open(file, l2cap_debugfs_show, inode->i_private);
5664}
5665
5666static const struct file_operations l2cap_debugfs_fops = {
5667 .open = l2cap_debugfs_open,
5668 .read = seq_read,
5669 .llseek = seq_lseek,
5670 .release = single_release,
5671};
5672
5673static struct dentry *l2cap_debugfs;
1da177e4 5674
64274518 5675int __init l2cap_init(void)
1da177e4
LT		 5676{
5677 int err;
be9d1227 5678
bb58f747 5679 err = l2cap_init_sockets();
1da177e4
LT		 5680 if (err < 0)
5681 return err;
5682
aef7d97c
MH		 5683 if (bt_debugfs) {
5684 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5685 bt_debugfs, NULL, &l2cap_debugfs_fops);
5686 if (!l2cap_debugfs)
5687 BT_ERR("Failed to create L2CAP debug file");
5688 }
1da177e4 5689
1da177e4 5690 return 0;
1da177e4
LT		 5691}
5692
64274518 5693void l2cap_exit(void)
1da177e4 5694{
aef7d97c 5695 debugfs_remove(l2cap_debugfs);
bb58f747 5696 l2cap_cleanup_sockets();
1da177e4
LT		 5697}
5698
d1c4a17d
GP		 5699module_param(disable_ertm, bool, 0644);
5700MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)