projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Lookup channel structure based on DCID
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
23691d75 132static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 133{
23691d75 134 struct l2cap_chan *c;
9e4425ff 135
23691d75
GP		 136 list_for_each_entry(c, &chan_list, global_l) {
137 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 138 return c;
9e4425ff 139 }
250938cb 140 return NULL;
9e4425ff
GP		 141}
142
143int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
144{
73b2ec18
GP		 145 int err;
146
333055f2 147 write_lock(&chan_list_lock);
9e4425ff 148
23691d75 149 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 150 err = -EADDRINUSE;
151 goto done;
9e4425ff
GP		 152 }
153
73b2ec18
GP		 154 if (psm) {
155 chan->psm = psm;
156 chan->sport = psm;
157 err = 0;
158 } else {
159 u16 p;
160
161 err = -EINVAL;
162 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 163 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 164 chan->psm = cpu_to_le16(p);
165 chan->sport = cpu_to_le16(p);
166 err = 0;
167 break;
168 }
169 }
9e4425ff 170
73b2ec18 171done:
333055f2 172 write_unlock(&chan_list_lock);
73b2ec18 173 return err;
9e4425ff
GP		 174}
175
176int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
177{
333055f2 178 write_lock(&chan_list_lock);
9e4425ff
GP		 179
180 chan->scid = scid;
181
333055f2 182 write_unlock(&chan_list_lock);
9e4425ff
GP		 183
184 return 0;
185}
186
baa7e1fa 187static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 188{
8db4dc46 189 u16 cid = L2CAP_CID_DYN_START;
0139418c 190
8db4dc46 191 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 192 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 193 return cid;
194 }
195
196 return 0;
197}
198
0e587be7 199static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 200{
42d2d87c 201 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 202 state_to_string(state));
badaaa00 203
89bc500e 204 chan->state = state;
80b98027 205 chan->ops->state_change(chan, state);
89bc500e
GP		 206}
207
0e587be7
AE		 208static void l2cap_state_change(struct l2cap_chan *chan, int state)
209{
210 struct sock *sk = chan->sk;
211
212 lock_sock(sk);
213 __l2cap_state_change(chan, state);
214 release_sock(sk);
215}
216
2e0052e4
AE		 217static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
218{
219 struct sock *sk = chan->sk;
220
221 sk->sk_err = err;
222}
223
224static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
225{
226 struct sock *sk = chan->sk;
227
228 lock_sock(sk);
229 __l2cap_chan_set_err(chan, err);
230 release_sock(sk);
231}
232
4239d16f
MM		 233static void __set_retrans_timer(struct l2cap_chan *chan)
234{
235 if (!delayed_work_pending(&chan->monitor_timer) &&
236 chan->retrans_timeout) {
237 l2cap_set_timer(chan, &chan->retrans_timer,
238 msecs_to_jiffies(chan->retrans_timeout));
239 }
240}
241
242static void __set_monitor_timer(struct l2cap_chan *chan)
243{
244 __clear_retrans_timer(chan);
245 if (chan->monitor_timeout) {
246 l2cap_set_timer(chan, &chan->monitor_timer,
247 msecs_to_jiffies(chan->monitor_timeout));
248 }
249}
250
608bcc6d
MM		 251static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
252 u16 seq)
253{
254 struct sk_buff *skb;
255
256 skb_queue_walk(head, skb) {
257 if (bt_cb(skb)->control.txseq == seq)
258 return skb;
259 }
260
261 return NULL;
262}
263
3c588192
MM		 264/* ---- L2CAP sequence number lists ---- */
265
266/* For ERTM, ordered lists of sequence numbers must be tracked for
267 * SREJ requests that are received and for frames that are to be
268 * retransmitted. These seq_list functions implement a singly-linked
269 * list in an array, where membership in the list can also be checked
270 * in constant time. Items can also be added to the tail of the list
271 * and removed from the head in constant time, without further memory
272 * allocs or frees.
273 */
274
275static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
276{
277 size_t alloc_size, i;
278
279 /* Allocated size is a power of 2 to map sequence numbers
280 * (which may be up to 14 bits) in to a smaller array that is
281 * sized for the negotiated ERTM transmit windows.
282 */
283 alloc_size = roundup_pow_of_two(size);
284
285 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
286 if (!seq_list->list)
287 return -ENOMEM;
288
289 seq_list->mask = alloc_size - 1;
290 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
291 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
292 for (i = 0; i < alloc_size; i++)
293 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
294
295 return 0;
296}
297
298static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
299{
300 kfree(seq_list->list);
301}
302
303static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
304 u16 seq)
305{
306 /* Constant-time check for list membership */
307 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
308}
309
310static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
311{
312 u16 mask = seq_list->mask;
313
314 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
315 /* In case someone tries to pop the head of an empty list */
316 return L2CAP_SEQ_LIST_CLEAR;
317 } else if (seq_list->head == seq) {
318 /* Head can be removed in constant time */
319 seq_list->head = seq_list->list[seq & mask];
320 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
321
322 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
323 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
325 }
326 } else {
327 /* Walk the list to find the sequence number */
328 u16 prev = seq_list->head;
329 while (seq_list->list[prev & mask] != seq) {
330 prev = seq_list->list[prev & mask];
331 if (prev == L2CAP_SEQ_LIST_TAIL)
332 return L2CAP_SEQ_LIST_CLEAR;
333 }
334
335 /* Unlink the number from the list and clear it */
336 seq_list->list[prev & mask] = seq_list->list[seq & mask];
337 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
338 if (seq_list->tail == seq)
339 seq_list->tail = prev;
340 }
341 return seq;
342}
343
344static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
345{
346 /* Remove the head in constant time */
347 return l2cap_seq_list_remove(seq_list, seq_list->head);
348}
349
350static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
351{
f522ae36 352 u16 i;
3c588192 353
f522ae36
GP		 354 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
355 return;
356
357 for (i = 0; i <= seq_list->mask; i++)
358 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
359
360 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
361 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 362}
363
364static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
365{
366 u16 mask = seq_list->mask;
367
368 /* All appends happen in constant time */
369
f522ae36
GP		 370 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
371 return;
3c588192 372
f522ae36
GP		 373 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
374 seq_list->head = seq;
375 else
376 seq_list->list[seq_list->tail & mask] = seq;
377
378 seq_list->tail = seq;
379 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 380}
381
721c4181 382static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 383{
721c4181 384 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 385 chan_timer.work);
3df91ea2 386 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 387 int reason;
388
e05dcc32 389 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 390
3df91ea2 391 mutex_lock(&conn->chan_lock);
6be36555 392 l2cap_chan_lock(chan);
ab07801d 393
89bc500e 394 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 395 reason = ECONNREFUSED;
89bc500e 396 else if (chan->state == BT_CONNECT &&
2d792818 397 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 398 reason = ECONNREFUSED;
399 else
400 reason = ETIMEDOUT;
401
0f852724 402 l2cap_chan_close(chan, reason);
ab07801d 403
6be36555 404 l2cap_chan_unlock(chan);
ab07801d 405
80b98027 406 chan->ops->close(chan);
3df91ea2
AE		 407 mutex_unlock(&conn->chan_lock);
408
371fd835 409 l2cap_chan_put(chan);
ab07801d
GP		 410}
411
eef1d9b6 412struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 413{
414 struct l2cap_chan *chan;
415
416 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
417 if (!chan)
418 return NULL;
419
c03b355e
AE		 420 mutex_init(&chan->lock);
421
333055f2 422 write_lock(&chan_list_lock);
23691d75 423 list_add(&chan->global_l, &chan_list);
333055f2 424 write_unlock(&chan_list_lock);
23691d75 425
721c4181 426 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 427
89bc500e
GP		 428 chan->state = BT_OPEN;
429
144ad330 430 kref_init(&chan->kref);
71ba0e56 431
2827011f
MM		 432 /* This flag is cleared in l2cap_chan_ready() */
433 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
434
eef1d9b6 435 BT_DBG("chan %p", chan);
abc545b8 436
48454079
GP		 437 return chan;
438}
439
144ad330 440static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 441{
144ad330
SS		 442 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
443
4af66c69
JK		 444 BT_DBG("chan %p", chan);
445
333055f2 446 write_lock(&chan_list_lock);
23691d75 447 list_del(&chan->global_l);
333055f2 448 write_unlock(&chan_list_lock);
23691d75 449
4af66c69 450 kfree(chan);
6ff5abbf
GP		 451}
452
30648372
JK		 453void l2cap_chan_hold(struct l2cap_chan *c)
454{
144ad330 455 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 456
144ad330 457 kref_get(&c->kref);
30648372
JK		 458}
459
460void l2cap_chan_put(struct l2cap_chan *c)
461{
144ad330 462 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 463
144ad330 464 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 465}
466
bd4b1653
AE		 467void l2cap_chan_set_defaults(struct l2cap_chan *chan)
468{
469 chan->fcs = L2CAP_FCS_CRC16;
470 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
471 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
472 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 473 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 474 chan->sec_level = BT_SECURITY_LOW;
475
476 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
477}
478
93c3e8f5 479void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 480{
af05b30b 481 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 482 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 483
9f5a0d7b 484 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 485
8c1d787b 486 chan->conn = conn;
0139418c 487
5491120e
AE		 488 switch (chan->chan_type) {
489 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 490 if (conn->hcon->type == LE_LINK) {
491 /* LE connection */
6fcb06a2 492 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 493 chan->scid = L2CAP_CID_LE_DATA;
494 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 495 } else {
496 /* Alloc CID for connection-oriented socket */
fe4128e0 497 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 498 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 499 }
5491120e
AE		 500 break;
501
502 case L2CAP_CHAN_CONN_LESS:
0139418c 503 /* Connectionless socket */
fe4128e0
GP		 504 chan->scid = L2CAP_CID_CONN_LESS;
505 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 506 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 507 break;
508
416fa752
AE		 509 case L2CAP_CHAN_CONN_FIX_A2MP:
510 chan->scid = L2CAP_CID_A2MP;
511 chan->dcid = L2CAP_CID_A2MP;
512 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
513 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
514 break;
515
5491120e 516 default:
0139418c 517 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_SIGNALING;
519 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 521 }
522
8f7975b1
AE		 523 chan->local_id = L2CAP_BESTEFFORT_ID;
524 chan->local_stype = L2CAP_SERV_BESTEFFORT;
525 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
526 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
527 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 528 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 529
371fd835 530 l2cap_chan_hold(chan);
baa7e1fa 531
3df91ea2 532 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 533}
534
466f8004 535void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 536{
537 mutex_lock(&conn->chan_lock);
538 __l2cap_chan_add(conn, chan);
3df91ea2 539 mutex_unlock(&conn->chan_lock);
0139418c
MH		 540}
541
466f8004 542void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 543{
8c1d787b 544 struct l2cap_conn *conn = chan->conn;
0139418c 545
c9b66675 546 __clear_chan_timer(chan);
0139418c 547
49208c9c 548 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 549
8e87d142 550 if (conn) {
56f60984 551 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 552 /* Delete from channel list */
3df91ea2 553 list_del(&chan->list);
3d57dc68 554
371fd835 555 l2cap_chan_put(chan);
baa7e1fa 556
8c1d787b 557 chan->conn = NULL;
3cabbfda
AE		 558
559 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
560 hci_conn_put(conn->hcon);
56f60984
AE		 561
562 if (mgr && mgr->bredr_chan == chan)
563 mgr->bredr_chan = NULL;
0139418c
MH		 564 }
565
b699ec0d 566 chan->ops->teardown(chan, err);
6be36555 567
2827011f 568 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 569 return;
2ead70b8 570
ee556f66
GP		 571 switch(chan->mode) {
572 case L2CAP_MODE_BASIC:
573 break;
c13ffa62 574
ee556f66 575 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 576 __clear_retrans_timer(chan);
577 __clear_monitor_timer(chan);
578 __clear_ack_timer(chan);
c13ffa62 579
f1c6775b 580 skb_queue_purge(&chan->srej_q);
c13ffa62 581
3c588192
MM		 582 l2cap_seq_list_free(&chan->srej_list);
583 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 584
585 /* fall through */
586
587 case L2CAP_MODE_STREAMING:
588 skb_queue_purge(&chan->tx_q);
589 break;
c13ffa62 590 }
ee556f66
GP		 591
592 return;
0139418c
MH		 593}
594
0f852724 595void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 596{
597 struct l2cap_conn *conn = chan->conn;
598 struct sock *sk = chan->sk;
599
2d792818
GP		 600 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
601 sk);
4519de9a 602
89bc500e 603 switch (chan->state) {
4519de9a 604 case BT_LISTEN:
b699ec0d 605 chan->ops->teardown(chan, 0);
4519de9a
GP		 606 break;
607
608 case BT_CONNECTED:
609 case BT_CONFIG:
715ec005 610 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 611 conn->hcon->type == ACL_LINK) {
c9b66675 612 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 613 l2cap_send_disconn_req(conn, chan, reason);
614 } else
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT2:
715ec005 619 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 620 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 621 struct l2cap_conn_rsp rsp;
622 __u16 result;
623
c5daa683 624 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 625 result = L2CAP_CR_SEC_BLOCK;
626 else
627 result = L2CAP_CR_BAD_PSM;
89bc500e 628 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 629
630 rsp.scid = cpu_to_le16(chan->dcid);
631 rsp.dcid = cpu_to_le16(chan->scid);
632 rsp.result = cpu_to_le16(result);
ac73498c 633 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 634 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 635 sizeof(rsp), &rsp);
4519de9a
GP		 636 }
637
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT:
642 case BT_DISCONN:
643 l2cap_chan_del(chan, reason);
644 break;
645
646 default:
b699ec0d 647 chan->ops->teardown(chan, 0);
4519de9a
GP		 648 break;
649 }
650}
651
4343478f 652static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 653{
715ec005 654 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 655 switch (chan->sec_level) {
8556edd3
JH		 656 case BT_SECURITY_HIGH:
657 return HCI_AT_DEDICATED_BONDING_MITM;
658 case BT_SECURITY_MEDIUM:
659 return HCI_AT_DEDICATED_BONDING;
660 default:
661 return HCI_AT_NO_BONDING;
662 }
2983fd68 663 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 664 if (chan->sec_level == BT_SECURITY_LOW)
665 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 666
4343478f 667 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 668 return HCI_AT_NO_BONDING_MITM;
00ae4af9 669 else
8556edd3 670 return HCI_AT_NO_BONDING;
00ae4af9 671 } else {
4343478f 672 switch (chan->sec_level) {
00ae4af9 673 case BT_SECURITY_HIGH:
8556edd3 674 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 675 case BT_SECURITY_MEDIUM:
8556edd3 676 return HCI_AT_GENERAL_BONDING;
00ae4af9 677 default:
8556edd3 678 return HCI_AT_NO_BONDING;
00ae4af9 679 }
0684e5f9 680 }
8556edd3
JH		 681}
682
683/* Service level security */
d45fc423 684int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 685{
8c1d787b 686 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 687 __u8 auth_type;
688
4343478f 689 auth_type = l2cap_get_auth_type(chan);
79d554a6 690
4343478f 691 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 692}
693
b5ad8b7f 694static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 695{
696 u8 id;
697
698 /* Get next available identificator.
699 * 1 - 128 are used by kernel.
700 * 129 - 199 are reserved.
701 * 200 - 254 are used by utilities like l2ping, etc.
702 */
703
333055f2 704 spin_lock(&conn->lock);
4e8402a3
MH		 705
706 if (++conn->tx_ident > 128)
707 conn->tx_ident = 1;
708
709 id = conn->tx_ident;
710
333055f2 711 spin_unlock(&conn->lock);
4e8402a3
MH		 712
713 return id;
714}
715
2d792818
GP		 716static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
717 void *data)
4e8402a3
MH		 718{
719 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 720 u8 flags;
4e8402a3
MH		 721
722 BT_DBG("code 0x%2.2x", code);
723
724 if (!skb)
9a9c6a34 725 return;
4e8402a3 726
e702112f
AE		 727 if (lmp_no_flush_capable(conn->hcon->hdev))
728 flags = ACL_START_NO_FLUSH;
729 else
730 flags = ACL_START;
731
14b12d0b 732 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 733 skb->priority = HCI_PRIO_MAX;
14b12d0b 734
73d80deb
LAD		 735 hci_send_acl(conn->hchan, skb, flags);
736}
737
738static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
739{
740 struct hci_conn *hcon = chan->conn->hcon;
741 u16 flags;
742
743 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 744 skb->priority);
73d80deb
LAD		 745
746 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 747 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 748 flags = ACL_START_NO_FLUSH;
749 else
750 flags = ACL_START;
14b12d0b 751
73d80deb
LAD		 752 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
753 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 754}
755
b76bbd66
MM		 756static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
757{
758 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
759 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
760
761 if (enh & L2CAP_CTRL_FRAME_TYPE) {
762 /* S-Frame */
763 control->sframe = 1;
764 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
765 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
766
767 control->sar = 0;
768 control->txseq = 0;
769 } else {
770 /* I-Frame */
771 control->sframe = 0;
772 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
773 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
774
775 control->poll = 0;
776 control->super = 0;
777 }
778}
779
b76bbd66
MM		 780static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
781{
782 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
783 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
784
785 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
786 /* S-Frame */
787 control->sframe = 1;
788 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
789 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
790
791 control->sar = 0;
792 control->txseq = 0;
793 } else {
794 /* I-Frame */
795 control->sframe = 0;
796 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
797 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
798
799 control->poll = 0;
800 control->super = 0;
801 }
802}
803
804static inline void __unpack_control(struct l2cap_chan *chan,
805 struct sk_buff *skb)
806{
807 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
808 __unpack_extended_control(get_unaligned_le32(skb->data),
809 &bt_cb(skb)->control);
cec8ab6e 810 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 811 } else {
812 __unpack_enhanced_control(get_unaligned_le16(skb->data),
813 &bt_cb(skb)->control);
cec8ab6e 814 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 815 }
816}
817
b5c6aaed
MM		 818static u32 __pack_extended_control(struct l2cap_ctrl *control)
819{
820 u32 packed;
821
822 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
823 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
824
825 if (control->sframe) {
826 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
827 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
828 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
829 } else {
830 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
831 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
832 }
833
834 return packed;
835}
836
837static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
838{
839 u16 packed;
840
841 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
842 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
843
844 if (control->sframe) {
845 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
846 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
847 packed |= L2CAP_CTRL_FRAME_TYPE;
848 } else {
849 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
850 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
851 }
852
853 return packed;
854}
855
b76bbd66
MM		 856static inline void __pack_control(struct l2cap_chan *chan,
857 struct l2cap_ctrl *control,
858 struct sk_buff *skb)
859{
860 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
861 put_unaligned_le32(__pack_extended_control(control),
862 skb->data + L2CAP_HDR_SIZE);
863 } else {
864 put_unaligned_le16(__pack_enhanced_control(control),
865 skb->data + L2CAP_HDR_SIZE);
866 }
867}
868
ba7aa64f
GP		 869static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
870{
871 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
872 return L2CAP_EXT_HDR_SIZE;
873 else
874 return L2CAP_ENH_HDR_SIZE;
875}
876
a67d7f6f
MM		 877static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
878 u32 control)
b5c6aaed
MM		 879{
880 struct sk_buff *skb;
881 struct l2cap_hdr *lh;
ba7aa64f 882 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 883
884 if (chan->fcs == L2CAP_FCS_CRC16)
885 hlen += L2CAP_FCS_SIZE;
886
a67d7f6f 887 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 888
b5c6aaed 889 if (!skb)
a67d7f6f 890 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 891
892 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
893 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
894 lh->cid = cpu_to_le16(chan->dcid);
895
a67d7f6f
MM		 896 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
897 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
898 else
899 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 900
901 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 902 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 903 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
904 }
905
906 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 907 return skb;
908}
909
910static void l2cap_send_sframe(struct l2cap_chan *chan,
911 struct l2cap_ctrl *control)
912{
913 struct sk_buff *skb;
914 u32 control_field;
915
916 BT_DBG("chan %p, control %p", chan, control);
917
918 if (!control->sframe)
919 return;
920
921 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
922 !control->poll)
923 control->final = 1;
924
925 if (control->super == L2CAP_SUPER_RR)
926 clear_bit(CONN_RNR_SENT, &chan->conn_state);
927 else if (control->super == L2CAP_SUPER_RNR)
928 set_bit(CONN_RNR_SENT, &chan->conn_state);
929
930 if (control->super != L2CAP_SUPER_SREJ) {
931 chan->last_acked_seq = control->reqseq;
932 __clear_ack_timer(chan);
933 }
934
935 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
936 control->final, control->poll, control->super);
937
938 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
939 control_field = __pack_extended_control(control);
940 else
941 control_field = __pack_enhanced_control(control);
942
943 skb = l2cap_create_sframe_pdu(chan, control_field);
944 if (!IS_ERR(skb))
945 l2cap_do_send(chan, skb);
b5c6aaed
MM		 946}
947
c9e3d5e0 948static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 949{
c9e3d5e0
MM		 950 struct l2cap_ctrl control;
951
952 BT_DBG("chan %p, poll %d", chan, poll);
953
954 memset(&control, 0, sizeof(control));
955 control.sframe = 1;
956 control.poll = poll;
957
958 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
959 control.super = L2CAP_SUPER_RNR;
960 else
961 control.super = L2CAP_SUPER_RR;
b5c6aaed 962
c9e3d5e0
MM		 963 control.reqseq = chan->buffer_seq;
964 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 965}
966
b4450035 967static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 968{
c1360a1c 969 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 970}
971
93c3e8f5
AE		 972static bool __amp_capable(struct l2cap_chan *chan)
973{
974 struct l2cap_conn *conn = chan->conn;
975
976 if (enable_hs &&
977 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
978 conn->fixed_chan_mask & L2CAP_FC_A2MP)
979 return true;
980 else
981 return false;
982}
983
2766be48 984void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 985{
986 struct l2cap_conn *conn = chan->conn;
987 struct l2cap_conn_req req;
988
989 req.scid = cpu_to_le16(chan->scid);
990 req.psm = chan->psm;
991
992 chan->ident = l2cap_get_ident(conn);
993
994 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
995
996 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
997}
998
9f0caeb1
VCG		 999static void l2cap_chan_ready(struct l2cap_chan *chan)
1000{
2827011f 1001 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1002 chan->conf_state = 0;
1003 __clear_chan_timer(chan);
1004
54a59aa2 1005 chan->state = BT_CONNECTED;
9f0caeb1 1006
fd83e2c2 1007 chan->ops->ready(chan);
9f0caeb1
VCG		 1008}
1009
93c3e8f5
AE		 1010static void l2cap_start_connection(struct l2cap_chan *chan)
1011{
1012 if (__amp_capable(chan)) {
1013 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1014 a2mp_discover_amp(chan);
1015 } else {
1016 l2cap_send_conn_req(chan);
1017 }
1018}
1019
fc7f8a7e 1020static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1021{
8c1d787b 1022 struct l2cap_conn *conn = chan->conn;
79d554a6 1023
9f0caeb1
VCG		 1024 if (conn->hcon->type == LE_LINK) {
1025 l2cap_chan_ready(chan);
1026 return;
1027 }
1028
79d554a6 1029 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1030 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1031 return;
1032
d45fc423 1033 if (l2cap_chan_check_security(chan) &&
2d792818 1034 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1035 l2cap_start_connection(chan);
1036 }
79d554a6
MH		 1037 } else {
1038 struct l2cap_info_req req;
ac73498c 1039 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1040
1041 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1042 conn->info_ident = l2cap_get_ident(conn);
1043
ba13ccd9 1044 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1045
2d792818
GP		 1046 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1047 sizeof(req), &req);
79d554a6
MH		 1048 }
1049}
1050
cf6c2c0b
GP		 1051static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1052{
1053 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1054 if (!disable_ertm)
cf6c2c0b
GP		 1055 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1056
1057 switch (mode) {
1058 case L2CAP_MODE_ERTM:
1059 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1060 case L2CAP_MODE_STREAMING:
1061 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1062 default:
1063 return 0x00;
1064 }
1065}
1066
2d792818
GP		 1067static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1068 struct l2cap_chan *chan, int err)
22121fc9 1069{
6be36555 1070 struct sock *sk = chan->sk;
22121fc9
GP		 1071 struct l2cap_disconn_req req;
1072
c13ffa62
GP		 1073 if (!conn)
1074 return;
1075
aad3d0e3 1076 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1077 __clear_retrans_timer(chan);
1078 __clear_monitor_timer(chan);
1079 __clear_ack_timer(chan);
c13ffa62
GP		 1080 }
1081
416fa752 1082 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1083 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1084 return;
1085 }
1086
fe4128e0
GP		 1087 req.dcid = cpu_to_le16(chan->dcid);
1088 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1089 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1090 sizeof(req), &req);
c13ffa62 1091
6be36555 1092 lock_sock(sk);
0e587be7 1093 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1094 __l2cap_chan_set_err(chan, err);
6be36555 1095 release_sock(sk);
22121fc9
GP		 1096}
1097
1da177e4 1098/* ---- L2CAP connections ---- */
4e8402a3
MH		 1099static void l2cap_conn_start(struct l2cap_conn *conn)
1100{
3df91ea2 1101 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1102
1103 BT_DBG("conn %p", conn);
1104
3df91ea2 1105 mutex_lock(&conn->chan_lock);
4e8402a3 1106
3df91ea2 1107 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1108 struct sock *sk = chan->sk;
baa7e1fa 1109
6be36555 1110 l2cap_chan_lock(chan);
4e8402a3 1111
715ec005 1112 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1113 l2cap_chan_unlock(chan);
79d554a6
MH		 1114 continue;
1115 }
1116
89bc500e 1117 if (chan->state == BT_CONNECT) {
d45fc423 1118 if (!l2cap_chan_check_security(chan) ||
2d792818 1119 !__l2cap_no_conn_pending(chan)) {
6be36555 1120 l2cap_chan_unlock(chan);
47731de7
GP		 1121 continue;
1122 }
79d554a6 1123
c1360a1c 1124 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1125 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1126 &chan->conf_state)) {
89bc500e 1127 l2cap_chan_close(chan, ECONNRESET);
6be36555 1128 l2cap_chan_unlock(chan);
47731de7 1129 continue;
b1235d79 1130 }
47731de7 1131
93c3e8f5 1132 l2cap_start_connection(chan);
47731de7 1133
89bc500e 1134 } else if (chan->state == BT_CONNECT2) {
79d554a6 1135 struct l2cap_conn_rsp rsp;
e9aeb2dd 1136 char buf[128];
fe4128e0
GP		 1137 rsp.scid = cpu_to_le16(chan->dcid);
1138 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1139
d45fc423 1140 if (l2cap_chan_check_security(chan)) {
6be36555 1141 lock_sock(sk);
c5daa683
GP		 1142 if (test_bit(BT_SK_DEFER_SETUP,
1143 &bt_sk(sk)->flags)) {
ac73498c
AE		 1144 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1145 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1146 chan->ops->defer(chan);
f66dc81f
MH		 1147
1148 } else {
0e587be7 1149 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1150 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1151 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1152 }
6be36555 1153 release_sock(sk);
79d554a6 1154 } else {
ac73498c
AE		 1155 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1156 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1157 }
1158
fc7f8a7e 1159 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1160 sizeof(rsp), &rsp);
e9aeb2dd 1161
c1360a1c 1162 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1163 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1164 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1165 continue;
1166 }
1167
c1360a1c 1168 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1169 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1170 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1171 chan->num_conf_req++;
4e8402a3
MH		 1172 }
1173
6be36555 1174 l2cap_chan_unlock(chan);
4e8402a3
MH		 1175 }
1176
3df91ea2 1177 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1178}
1179
c2287681 1180/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1181 * Returns closest match, locked.
1182 */
d9b88702 1183static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1184 bdaddr_t *src,
1185 bdaddr_t *dst)
b62f328b 1186{
23691d75 1187 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1188
23691d75 1189 read_lock(&chan_list_lock);
b62f328b 1190
23691d75
GP		 1191 list_for_each_entry(c, &chan_list, global_l) {
1192 struct sock *sk = c->sk;
fe4128e0 1193
89bc500e 1194 if (state && c->state != state)
b62f328b
VT		 1195 continue;
1196
23691d75 1197 if (c->scid == cid) {
c2287681
IY		 1198 int src_match, dst_match;
1199 int src_any, dst_any;
1200
b62f328b 1201 /* Exact match. */
c2287681
IY		 1202 src_match = !bacmp(&bt_sk(sk)->src, src);
1203 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1204 if (src_match && dst_match) {
23691d75
GP		 1205 read_unlock(&chan_list_lock);
1206 return c;
1207 }
b62f328b
VT		 1208
1209 /* Closest match */
c2287681
IY		 1210 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1211 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1212 if ((src_match && dst_any) || (src_any && dst_match) ||
1213 (src_any && dst_any))
23691d75 1214 c1 = c;
b62f328b
VT		 1215 }
1216 }
280f294f 1217
23691d75 1218 read_unlock(&chan_list_lock);
b62f328b 1219
23691d75 1220 return c1;
b62f328b
VT		 1221}
1222
1223static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1224{
c916fbe4 1225 struct sock *parent, *sk;
23691d75 1226 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1227
1228 BT_DBG("");
1229
1230 /* Check if we have socket listening on cid */
23691d75 1231 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1232 conn->src, conn->dst);
23691d75 1233 if (!pchan)
b62f328b
VT		 1234 return;
1235
23691d75
GP		 1236 parent = pchan->sk;
1237
aa2ac881 1238 lock_sock(parent);
62f3a2cf 1239
80b98027 1240 chan = pchan->ops->new_connection(pchan);
80808e43 1241 if (!chan)
b62f328b
VT		 1242 goto clean;
1243
80808e43 1244 sk = chan->sk;
5d41ce1d 1245
b62f328b 1246 hci_conn_hold(conn->hcon);
a9ea3ed9 1247 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1248
b62f328b
VT		 1249 bacpy(&bt_sk(sk)->src, conn->src);
1250 bacpy(&bt_sk(sk)->dst, conn->dst);
1251
3d57dc68 1252 l2cap_chan_add(conn, chan);
48454079 1253
6754e0df 1254 l2cap_chan_ready(chan);
b62f328b 1255
b62f328b 1256clean:
aa2ac881 1257 release_sock(parent);
b62f328b
VT		 1258}
1259
4e8402a3
MH		 1260static void l2cap_conn_ready(struct l2cap_conn *conn)
1261{
48454079 1262 struct l2cap_chan *chan;
cc110922 1263 struct hci_conn *hcon = conn->hcon;
4e8402a3 1264
79d554a6 1265 BT_DBG("conn %p", conn);
4e8402a3 1266
cc110922 1267 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1268 l2cap_le_conn_ready(conn);
1269
cc110922
VCG		 1270 if (hcon->out && hcon->type == LE_LINK)
1271 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1272
3df91ea2 1273 mutex_lock(&conn->chan_lock);
4e8402a3 1274
3df91ea2 1275 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1276
6be36555 1277 l2cap_chan_lock(chan);
4e8402a3 1278
416fa752
AE		 1279 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1280 l2cap_chan_unlock(chan);
1281 continue;
1282 }
1283
cc110922
VCG		 1284 if (hcon->type == LE_LINK) {
1285 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1286 l2cap_chan_ready(chan);
acd7d370 1287
63128451 1288 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1289 struct sock *sk = chan->sk;
c9b66675 1290 __clear_chan_timer(chan);
6be36555 1291 lock_sock(sk);
0e587be7 1292 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1293 sk->sk_state_change(sk);
6be36555 1294 release_sock(sk);
b501d6a1 1295
89bc500e 1296 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1297 l2cap_do_start(chan);
4e8402a3 1298
6be36555 1299 l2cap_chan_unlock(chan);
4e8402a3 1300 }
79d554a6 1301
3df91ea2 1302 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1303}
1304
1305/* Notify sockets that we cannot guaranty reliability anymore */
1306static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1307{
48454079 1308 struct l2cap_chan *chan;
4e8402a3
MH		 1309
1310 BT_DBG("conn %p", conn);
1311
3df91ea2 1312 mutex_lock(&conn->chan_lock);
4e8402a3 1313
3df91ea2 1314 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1315 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1316 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1317 }
1318
3df91ea2 1319 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1320}
1321
f878fcad 1322static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1323{
f878fcad 1324 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1325 info_timer.work);
4e8402a3 1326
984947dc 1327 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1328 conn->info_ident = 0;
984947dc 1329
4e8402a3
MH		 1330 l2cap_conn_start(conn);
1331}
1332
5d3de7df
VCG		 1333static void l2cap_conn_del(struct hci_conn *hcon, int err)
1334{
1335 struct l2cap_conn *conn = hcon->l2cap_data;
1336 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1337
1338 if (!conn)
1339 return;
1340
1341 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1342
1343 kfree_skb(conn->rx_skb);
1344
3df91ea2
AE		 1345 mutex_lock(&conn->chan_lock);
1346
5d3de7df
VCG		 1347 /* Kill channels */
1348 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1349 l2cap_chan_hold(chan);
6be36555
AE		 1350 l2cap_chan_lock(chan);
1351
5d3de7df 1352 l2cap_chan_del(chan, err);
6be36555
AE		 1353
1354 l2cap_chan_unlock(chan);
1355
80b98027 1356 chan->ops->close(chan);
61d6ef3e 1357 l2cap_chan_put(chan);
5d3de7df
VCG		 1358 }
1359
3df91ea2
AE		 1360 mutex_unlock(&conn->chan_lock);
1361
73d80deb
LAD		 1362 hci_chan_del(conn->hchan);
1363
5d3de7df 1364 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1365 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1366
51a8efd7 1367 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1368 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1369 smp_chan_destroy(conn);
d26a2345 1370 }
5d3de7df
VCG		 1371
1372 hcon->l2cap_data = NULL;
1373 kfree(conn);
1374}
1375
6c9d42a1 1376static void security_timeout(struct work_struct *work)
5d3de7df 1377{
6c9d42a1 1378 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1379 security_timer.work);
5d3de7df 1380
d06cc416
JH		 1381 BT_DBG("conn %p", conn);
1382
1383 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1384 smp_chan_destroy(conn);
1385 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1386 }
5d3de7df
VCG		 1387}
1388
1da177e4
LT		 1389static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1390{
0139418c 1391 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1392 struct hci_chan *hchan;
1da177e4 1393
0139418c 1394 if (conn || status)
1da177e4
LT		 1395 return conn;
1396
73d80deb
LAD		 1397 hchan = hci_chan_create(hcon);
1398 if (!hchan)
1399 return NULL;
1400
8bcde1f2 1401 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1402 if (!conn) {
1403 hci_chan_del(hchan);
1da177e4 1404 return NULL;
73d80deb 1405 }
1da177e4
LT		 1406
1407 hcon->l2cap_data = conn;
1408 conn->hcon = hcon;
73d80deb 1409 conn->hchan = hchan;
1da177e4 1410
73d80deb 1411 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1412
dcc042d5
AE		 1413 switch (hcon->type) {
1414 case AMP_LINK:
1415 conn->mtu = hcon->hdev->block_mtu;
1416 break;
1417
1418 case LE_LINK:
1419 if (hcon->hdev->le_mtu) {
1420 conn->mtu = hcon->hdev->le_mtu;
1421 break;
1422 }
1423 /* fall through */
1424
1425 default:
acd7d370 1426 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1427 break;
1428 }
acd7d370 1429
1da177e4
LT		 1430 conn->src = &hcon->hdev->bdaddr;
1431 conn->dst = &hcon->dst;
1432
4e8402a3
MH		 1433 conn->feat_mask = 0;
1434
1da177e4 1435 spin_lock_init(&conn->lock);
3df91ea2 1436 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1437
1438 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1439
5d3de7df 1440 if (hcon->type == LE_LINK)
6c9d42a1 1441 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1442 else
030013d8 1443 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1444
9f5a0d7b 1445 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1446
1da177e4
LT		 1447 return conn;
1448}
1449
1da177e4 1450/* ---- Socket interface ---- */
1da177e4 1451
c2287681 1452/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1453 * Returns closest match.
1454 */
c2287681
IY		 1455static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1456 bdaddr_t *src,
1457 bdaddr_t *dst)
1da177e4 1458{
23691d75 1459 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1460
23691d75 1461 read_lock(&chan_list_lock);
e0f0cb56 1462
23691d75
GP		 1463 list_for_each_entry(c, &chan_list, global_l) {
1464 struct sock *sk = c->sk;
fe4128e0 1465
89bc500e 1466 if (state && c->state != state)
1da177e4
LT		 1467 continue;
1468
23691d75 1469 if (c->psm == psm) {
c2287681
IY		 1470 int src_match, dst_match;
1471 int src_any, dst_any;
1472
1da177e4 1473 /* Exact match. */
c2287681
IY		 1474 src_match = !bacmp(&bt_sk(sk)->src, src);
1475 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1476 if (src_match && dst_match) {
a7567b20 1477 read_unlock(&chan_list_lock);
23691d75
GP		 1478 return c;
1479 }
1da177e4
LT		 1480
1481 /* Closest match */
c2287681
IY		 1482 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1483 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1484 if ((src_match && dst_any) || (src_any && dst_match) ||
1485 (src_any && dst_any))
23691d75 1486 c1 = c;
1da177e4
LT		 1487 }
1488 }
1da177e4 1489
23691d75 1490 read_unlock(&chan_list_lock);
e0f0cb56 1491
23691d75 1492 return c1;
1da177e4
LT		 1493}
1494
8e9f9892
AG		 1495int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1496 bdaddr_t *dst, u8 dst_type)
1da177e4 1497{
5d41ce1d 1498 struct sock *sk = chan->sk;
1da177e4 1499 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1500 struct l2cap_conn *conn;
1501 struct hci_conn *hcon;
1502 struct hci_dev *hdev;
09ab6f4c 1503 __u8 auth_type;
44d0e48e 1504 int err;
1da177e4 1505
6ed93dc6 1506 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1507 dst_type, __le16_to_cpu(psm));
1da177e4 1508
af05b30b
GP		 1509 hdev = hci_get_route(dst, src);
1510 if (!hdev)
1da177e4
LT		 1511 return -EHOSTUNREACH;
1512
09fd0de5 1513 hci_dev_lock(hdev);
1da177e4 1514
6be36555 1515 l2cap_chan_lock(chan);
03a00194
GP		 1516
1517 /* PSM must be odd and lsb of upper byte must be 0 */
1518 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1519 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1520 err = -EINVAL;
1521 goto done;
1522 }
1523
1524 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1525 err = -EINVAL;
1526 goto done;
1527 }
1528
1529 switch (chan->mode) {
1530 case L2CAP_MODE_BASIC:
1531 break;
1532 case L2CAP_MODE_ERTM:
1533 case L2CAP_MODE_STREAMING:
1534 if (!disable_ertm)
1535 break;
1536 /* fall through */
1537 default:
1538 err = -ENOTSUPP;
1539 goto done;
1540 }
1541
0797e01d 1542 switch (chan->state) {
03a00194
GP		 1543 case BT_CONNECT:
1544 case BT_CONNECT2:
1545 case BT_CONFIG:
1546 /* Already connecting */
1547 err = 0;
1548 goto done;
1549
1550 case BT_CONNECTED:
1551 /* Already connected */
1552 err = -EISCONN;
1553 goto done;
1554
1555 case BT_OPEN:
1556 case BT_BOUND:
1557 /* Can connect */
1558 break;
1559
1560 default:
1561 err = -EBADFD;
1562 goto done;
1563 }
1564
1565 /* Set destination address and psm */
0797e01d 1566 lock_sock(sk);
9219b2a0 1567 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1568 release_sock(sk);
1569
03a00194
GP		 1570 chan->psm = psm;
1571 chan->dcid = cid;
1da177e4 1572
4343478f 1573 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1574
fe4128e0 1575 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1576 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1577 chan->sec_level, auth_type);
acd7d370 1578 else
8e9f9892 1579 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1580 chan->sec_level, auth_type);
acd7d370 1581
30e76272
VT		 1582 if (IS_ERR(hcon)) {
1583 err = PTR_ERR(hcon);
1da177e4 1584 goto done;
30e76272 1585 }
1da177e4
LT		 1586
1587 conn = l2cap_conn_add(hcon, 0);
1588 if (!conn) {
1589 hci_conn_put(hcon);
30e76272 1590 err = -ENOMEM;
1da177e4
LT		 1591 goto done;
1592 }
1593
9f0caeb1
VCG		 1594 if (hcon->type == LE_LINK) {
1595 err = 0;
1596
1597 if (!list_empty(&conn->chan_l)) {
1598 err = -EBUSY;
1599 hci_conn_put(hcon);
1600 }
1601
1602 if (err)
1603 goto done;
1604 }
1605
1da177e4
LT		 1606 /* Update source addr of the socket */
1607 bacpy(src, conn->src);
1608
6be36555 1609 l2cap_chan_unlock(chan);
48454079 1610 l2cap_chan_add(conn, chan);
6be36555 1611 l2cap_chan_lock(chan);
48454079 1612
6be36555 1613 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1614 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1615
1616 if (hcon->state == BT_CONNECTED) {
715ec005 1617 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1618 __clear_chan_timer(chan);
d45fc423 1619 if (l2cap_chan_check_security(chan))
6be36555 1620 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1621 } else
fc7f8a7e 1622 l2cap_do_start(chan);
1da177e4
LT		 1623 }
1624
30e76272
VT		 1625 err = 0;
1626
1da177e4 1627done:
6be36555 1628 l2cap_chan_unlock(chan);
09fd0de5 1629 hci_dev_unlock(hdev);
1da177e4
LT		 1630 hci_dev_put(hdev);
1631 return err;
1632}
1633
dcba0dba 1634int __l2cap_wait_ack(struct sock *sk)
6161c038 1635{
8c1d787b 1636 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1637 DECLARE_WAITQUEUE(wait, current);
1638 int err = 0;
1639 int timeo = HZ/5;
1640
2b0b05dd 1641 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1642 set_current_state(TASK_INTERRUPTIBLE);
1643 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1644 if (!timeo)
1645 timeo = HZ/5;
1646
1647 if (signal_pending(current)) {
1648 err = sock_intr_errno(timeo);
1649 break;
1650 }
1651
1652 release_sock(sk);
1653 timeo = schedule_timeout(timeo);
1654 lock_sock(sk);
a71a0cf4 1655 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1656
1657 err = sock_error(sk);
1658 if (err)
1659 break;
1660 }
1661 set_current_state(TASK_RUNNING);
2b0b05dd 1662 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1663 return err;
1664}
1665
721c4181 1666static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1667{
721c4181 1668 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1669 monitor_timer.work);
e90bac06 1670
525cd185 1671 BT_DBG("chan %p", chan);
0e98958d 1672
6be36555
AE		 1673 l2cap_chan_lock(chan);
1674
80909e04 1675 if (!chan->conn) {
6be36555 1676 l2cap_chan_unlock(chan);
8d7e1c7f 1677 l2cap_chan_put(chan);
e90bac06
GP		 1678 return;
1679 }
1680
401bb1f7 1681 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1682
6be36555 1683 l2cap_chan_unlock(chan);
8d7e1c7f 1684 l2cap_chan_put(chan);
e90bac06
GP		 1685}
1686
721c4181 1687static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1688{
721c4181 1689 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1690 retrans_timer.work);
e90bac06 1691
49208c9c 1692 BT_DBG("chan %p", chan);
0e98958d 1693
6be36555
AE		 1694 l2cap_chan_lock(chan);
1695
80909e04
MM		 1696 if (!chan->conn) {
1697 l2cap_chan_unlock(chan);
1698 l2cap_chan_put(chan);
1699 return;
1700 }
6be36555 1701
401bb1f7 1702 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1703 l2cap_chan_unlock(chan);
8d7e1c7f 1704 l2cap_chan_put(chan);
e90bac06
GP		 1705}
1706
d660366d
GP		 1707static void l2cap_streaming_send(struct l2cap_chan *chan,
1708 struct sk_buff_head *skbs)
6840ed07 1709{
ccbb84af 1710 struct sk_buff *skb;
3733937d 1711 struct l2cap_ctrl *control;
6840ed07 1712
3733937d
MM		 1713 BT_DBG("chan %p, skbs %p", chan, skbs);
1714
3733937d
MM		 1715 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1716
1717 while (!skb_queue_empty(&chan->tx_q)) {
1718
1719 skb = skb_dequeue(&chan->tx_q);
1720
1721 bt_cb(skb)->control.retries = 1;
1722 control = &bt_cb(skb)->control;
1723
1724 control->reqseq = 0;
1725 control->txseq = chan->next_tx_seq;
1726
1727 __pack_control(chan, control, skb);
6840ed07 1728
47d1ec61 1729 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1730 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1731 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1732 }
1733
4343478f 1734 l2cap_do_send(chan, skb);
6840ed07 1735
b4400672 1736 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1737
836be934 1738 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1739 chan->frames_sent++;
6840ed07 1740 }
6840ed07
GP		 1741}
1742
67c9e840 1743static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1744{
1745 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1746 struct l2cap_ctrl *control;
1747 int sent = 0;
1748
1749 BT_DBG("chan %p", chan);
1c2acffb 1750
89bc500e 1751 if (chan->state != BT_CONNECTED)
c13ffa62 1752 return -ENOTCONN;
e90bac06 1753
94122bbe
MM		 1754 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1755 return 0;
1756
18a48e76
MM		 1757 while (chan->tx_send_head &&
1758 chan->unacked_frames < chan->remote_tx_win &&
1759 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1760
18a48e76 1761 skb = chan->tx_send_head;
e90bac06 1762
18a48e76
MM		 1763 bt_cb(skb)->control.retries = 1;
1764 control = &bt_cb(skb)->control;
95ffa978 1765
e2ab4353 1766 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1767 control->final = 1;
e2ab4353 1768
18a48e76
MM		 1769 control->reqseq = chan->buffer_seq;
1770 chan->last_acked_seq = chan->buffer_seq;
1771 control->txseq = chan->next_tx_seq;
1c2acffb 1772
18a48e76 1773 __pack_control(chan, control, skb);
e90bac06 1774
47d1ec61 1775 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1776 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1777 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1778 }
1779
18a48e76
MM		 1780 /* Clone after data has been modified. Data is assumed to be
1781 read-only (for locking purposes) on cloned sk_buffs.
1782 */
1783 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1784
18a48e76
MM		 1785 if (!tx_skb)
1786 break;
1c2acffb 1787
18a48e76 1788 __set_retrans_timer(chan);
836be934
AE		 1789
1790 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1791 chan->unacked_frames++;
6a026610 1792 chan->frames_sent++;
18a48e76 1793 sent++;
1c2acffb 1794
58d35f87
GP		 1795 if (skb_queue_is_last(&chan->tx_q, skb))
1796 chan->tx_send_head = NULL;
1c2acffb 1797 else
58d35f87 1798 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1799
1800 l2cap_do_send(chan, tx_skb);
b4400672 1801 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1802 }
1803
b4400672
AE		 1804 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1805 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1806
1807 return sent;
9e917af1
GP		 1808}
1809
e1fbd4c1
MM		 1810static void l2cap_ertm_resend(struct l2cap_chan *chan)
1811{
1812 struct l2cap_ctrl control;
1813 struct sk_buff *skb;
1814 struct sk_buff *tx_skb;
1815 u16 seq;
1816
1817 BT_DBG("chan %p", chan);
1818
1819 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1820 return;
1821
1822 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1823 seq = l2cap_seq_list_pop(&chan->retrans_list);
1824
1825 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1826 if (!skb) {
1827 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1828 seq);
e1fbd4c1
MM		 1829 continue;
1830 }
1831
1832 bt_cb(skb)->control.retries++;
1833 control = bt_cb(skb)->control;
1834
1835 if (chan->max_tx != 0 &&
1836 bt_cb(skb)->control.retries > chan->max_tx) {
1837 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1838 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1839 l2cap_seq_list_clear(&chan->retrans_list);
1840 break;
1841 }
1842
1843 control.reqseq = chan->buffer_seq;
1844 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1845 control.final = 1;
1846 else
1847 control.final = 0;
1848
1849 if (skb_cloned(skb)) {
1850 /* Cloned sk_buffs are read-only, so we need a
1851 * writeable copy
1852 */
8bcde1f2 1853 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1854 } else {
8bcde1f2 1855 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1856 }
1857
1858 if (!tx_skb) {
1859 l2cap_seq_list_clear(&chan->retrans_list);
1860 break;
1861 }
1862
1863 /* Update skb contents */
1864 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1865 put_unaligned_le32(__pack_extended_control(&control),
1866 tx_skb->data + L2CAP_HDR_SIZE);
1867 } else {
1868 put_unaligned_le16(__pack_enhanced_control(&control),
1869 tx_skb->data + L2CAP_HDR_SIZE);
1870 }
1871
1872 if (chan->fcs == L2CAP_FCS_CRC16) {
1873 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1874 put_unaligned_le16(fcs, skb_put(tx_skb,
1875 L2CAP_FCS_SIZE));
1876 }
1877
1878 l2cap_do_send(chan, tx_skb);
1879
1880 BT_DBG("Resent txseq %d", control.txseq);
1881
1882 chan->last_acked_seq = chan->buffer_seq;
1883 }
1884}
1885
f80842a8
MM		 1886static void l2cap_retransmit(struct l2cap_chan *chan,
1887 struct l2cap_ctrl *control)
1888{
1889 BT_DBG("chan %p, control %p", chan, control);
1890
1891 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1892 l2cap_ertm_resend(chan);
1893}
1894
d2a7ac5d
MM		 1895static void l2cap_retransmit_all(struct l2cap_chan *chan,
1896 struct l2cap_ctrl *control)
1897{
e1fbd4c1
MM		 1898 struct sk_buff *skb;
1899
1900 BT_DBG("chan %p, control %p", chan, control);
1901
1902 if (control->poll)
1903 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1904
1905 l2cap_seq_list_clear(&chan->retrans_list);
1906
1907 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1908 return;
1909
1910 if (chan->unacked_frames) {
1911 skb_queue_walk(&chan->tx_q, skb) {
1912 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 1913 skb == chan->tx_send_head)
e1fbd4c1
MM		 1914 break;
1915 }
1916
1917 skb_queue_walk_from(&chan->tx_q, skb) {
1918 if (skb == chan->tx_send_head)
1919 break;
1920
1921 l2cap_seq_list_append(&chan->retrans_list,
1922 bt_cb(skb)->control.txseq);
1923 }
1924
1925 l2cap_ertm_resend(chan);
1926 }
d2a7ac5d
MM		 1927}
1928
0a0aba42 1929static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1930{
0a0aba42
MM		 1931 struct l2cap_ctrl control;
1932 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1933 chan->last_acked_seq);
1934 int threshold;
9e917af1 1935
0a0aba42
MM		 1936 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1937 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1938
0a0aba42
MM		 1939 memset(&control, 0, sizeof(control));
1940 control.sframe = 1;
dfc909be 1941
0a0aba42
MM		 1942 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1943 chan->rx_state == L2CAP_RX_STATE_RECV) {
1944 __clear_ack_timer(chan);
1945 control.super = L2CAP_SUPER_RNR;
1946 control.reqseq = chan->buffer_seq;
1947 l2cap_send_sframe(chan, &control);
1948 } else {
1949 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1950 l2cap_ertm_send(chan);
1951 /* If any i-frames were sent, they included an ack */
1952 if (chan->buffer_seq == chan->last_acked_seq)
1953 frames_to_ack = 0;
1954 }
dfc909be 1955
c20f8e35 1956 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1957 * Calculate without mul or div
1958 */
c20f8e35 1959 threshold = chan->ack_win;
0a0aba42
MM		 1960 threshold += threshold << 1;
1961 threshold >>= 2;
1962
b4400672 1963 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1964 threshold);
1965
1966 if (frames_to_ack >= threshold) {
1967 __clear_ack_timer(chan);
1968 control.super = L2CAP_SUPER_RR;
1969 control.reqseq = chan->buffer_seq;
1970 l2cap_send_sframe(chan, &control);
1971 frames_to_ack = 0;
1972 }
1c2acffb 1973
0a0aba42
MM		 1974 if (frames_to_ack)
1975 __set_ack_timer(chan);
1976 }
b17e73bb
SJ		 1977}
1978
04124681
GP		 1979static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1980 struct msghdr *msg, int len,
1981 int count, struct sk_buff *skb)
1c2acffb 1982{
0952a57a 1983 struct l2cap_conn *conn = chan->conn;
1c2acffb 1984 struct sk_buff **frag;
90338947 1985 int sent = 0;
1da177e4 1986
59203a21 1987 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1988 return -EFAULT;
1da177e4
LT		 1989
1990 sent += count;
1991 len -= count;
1992
1993 /* Continuation fragments (no L2CAP header) */
1994 frag = &skb_shinfo(skb)->frag_list;
1995 while (len) {
fbe00700
GP		 1996 struct sk_buff *tmp;
1997
1da177e4
LT		 1998 count = min_t(unsigned int, conn->mtu, len);
1999
fbe00700
GP		 2000 tmp = chan->ops->alloc_skb(chan, count,
2001 msg->msg_flags & MSG_DONTWAIT);
2002 if (IS_ERR(tmp))
2003 return PTR_ERR(tmp);
2004
2005 *frag = tmp;
2f7719ce 2006
1c2acffb
GP		 2007 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2008 return -EFAULT;
1da177e4 2009
5e59b791
LAD		 2010 (*frag)->priority = skb->priority;
2011
1da177e4
LT		 2012 sent += count;
2013 len -= count;
2014
2d0ed3d5
GP		 2015 skb->len += (*frag)->len;
2016 skb->data_len += (*frag)->len;
2017
1da177e4
LT		 2018 frag = &(*frag)->next;
2019 }
1da177e4
LT		 2020
2021 return sent;
1c2acffb 2022}
1da177e4 2023
5e59b791 2024static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2025 struct msghdr *msg, size_t len,
2026 u32 priority)
1c2acffb 2027{
8c1d787b 2028 struct l2cap_conn *conn = chan->conn;
1c2acffb 2029 struct sk_buff *skb;
03a51213 2030 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2031 struct l2cap_hdr *lh;
2032
b4400672 2033 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2034
2035 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2036
2037 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2038 msg->msg_flags & MSG_DONTWAIT);
2039 if (IS_ERR(skb))
2040 return skb;
1c2acffb 2041
5e59b791
LAD		 2042 skb->priority = priority;
2043
1c2acffb
GP		 2044 /* Create L2CAP header */
2045 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2046 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2047 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2048 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2049
0952a57a 2050 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2051 if (unlikely(err < 0)) {
2052 kfree_skb(skb);
2053 return ERR_PTR(err);
2054 }
2055 return skb;
2056}
2057
5e59b791 2058static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2059 struct msghdr *msg, size_t len,
2060 u32 priority)
1c2acffb 2061{
8c1d787b 2062 struct l2cap_conn *conn = chan->conn;
1c2acffb 2063 struct sk_buff *skb;
f2ba7fae 2064 int err, count;
1c2acffb
GP		 2065 struct l2cap_hdr *lh;
2066
b4400672 2067 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2068
f2ba7fae 2069 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2070
f2ba7fae 2071 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2072 msg->msg_flags & MSG_DONTWAIT);
2073 if (IS_ERR(skb))
2074 return skb;
1c2acffb 2075
5e59b791
LAD		 2076 skb->priority = priority;
2077
1c2acffb
GP		 2078 /* Create L2CAP header */
2079 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2080 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2081 lh->len = cpu_to_le16(len);
1c2acffb 2082
0952a57a 2083 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2084 if (unlikely(err < 0)) {
2085 kfree_skb(skb);
2086 return ERR_PTR(err);
2087 }
2088 return skb;
2089}
2090
ab0ff76d 2091static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2092 struct msghdr *msg, size_t len,
2093 u16 sdulen)
1c2acffb 2094{
8c1d787b 2095 struct l2cap_conn *conn = chan->conn;
1c2acffb 2096 struct sk_buff *skb;
e4ca6d98 2097 int err, count, hlen;
1c2acffb
GP		 2098 struct l2cap_hdr *lh;
2099
b4400672 2100 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2101
0ee0d208
GP		 2102 if (!conn)
2103 return ERR_PTR(-ENOTCONN);
2104
ba7aa64f 2105 hlen = __ertm_hdr_size(chan);
e4ca6d98 2106
c74e560c 2107 if (sdulen)
03a51213 2108 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2109
47d1ec61 2110 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2111 hlen += L2CAP_FCS_SIZE;
fcc203c3 2112
1c2acffb 2113 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2114
2115 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2116 msg->msg_flags & MSG_DONTWAIT);
2117 if (IS_ERR(skb))
2118 return skb;
1c2acffb
GP		 2119
2120 /* Create L2CAP header */
2121 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2122 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2123 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2124
18a48e76
MM		 2125 /* Control header is populated later */
2126 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2127 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2128 else
2129 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2130
c74e560c 2131 if (sdulen)
03a51213 2132 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2133
0952a57a 2134 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2135 if (unlikely(err < 0)) {
2136 kfree_skb(skb);
2137 return ERR_PTR(err);
2138 }
e90bac06 2139
18a48e76 2140 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2141 bt_cb(skb)->control.retries = 0;
1c2acffb 2142 return skb;
1da177e4
LT		 2143}
2144
94122bbe
MM		 2145static int l2cap_segment_sdu(struct l2cap_chan *chan,
2146 struct sk_buff_head *seg_queue,
2147 struct msghdr *msg, size_t len)
c74e560c 2148{
c74e560c 2149 struct sk_buff *skb;
94122bbe
MM		 2150 u16 sdu_len;
2151 size_t pdu_len;
94122bbe 2152 u8 sar;
c74e560c 2153
b4400672 2154 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2155
94122bbe
MM		 2156 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2157 * so fragmented skbs are not used. The HCI layer's handling
2158 * of fragmented skbs is not compatible with ERTM's queueing.
2159 */
c74e560c 2160
94122bbe
MM		 2161 /* PDU size is derived from the HCI MTU */
2162 pdu_len = chan->conn->mtu;
c74e560c 2163
94122bbe
MM		 2164 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2165
2166 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2167 if (chan->fcs)
2168 pdu_len -= L2CAP_FCS_SIZE;
2169
ba7aa64f 2170 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2171
2172 /* Remote device may have requested smaller PDUs */
2173 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2174
2175 if (len <= pdu_len) {
2176 sar = L2CAP_SAR_UNSEGMENTED;
2177 sdu_len = 0;
2178 pdu_len = len;
2179 } else {
2180 sar = L2CAP_SAR_START;
2181 sdu_len = len;
2182 pdu_len -= L2CAP_SDULEN_SIZE;
2183 }
2184
2185 while (len > 0) {
2186 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2187
c74e560c 2188 if (IS_ERR(skb)) {
94122bbe 2189 __skb_queue_purge(seg_queue);
c74e560c
GP		 2190 return PTR_ERR(skb);
2191 }
2192
94122bbe
MM		 2193 bt_cb(skb)->control.sar = sar;
2194 __skb_queue_tail(seg_queue, skb);
2195
2196 len -= pdu_len;
2197 if (sdu_len) {
2198 sdu_len = 0;
2199 pdu_len += L2CAP_SDULEN_SIZE;
2200 }
2201
2202 if (len <= pdu_len) {
2203 sar = L2CAP_SAR_END;
2204 pdu_len = len;
2205 } else {
2206 sar = L2CAP_SAR_CONTINUE;
2207 }
c74e560c 2208 }
c74e560c 2209
f0f62799 2210 return 0;
c74e560c
GP		 2211}
2212
5e59b791 2213int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2214 u32 priority)
9a91a04a 2215{
9a91a04a 2216 struct sk_buff *skb;
9a91a04a 2217 int err;
94122bbe 2218 struct sk_buff_head seg_queue;
9a91a04a
GP		 2219
2220 /* Connectionless channel */
715ec005 2221 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2222 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2223 if (IS_ERR(skb))
2224 return PTR_ERR(skb);
2225
2226 l2cap_do_send(chan, skb);
2227 return len;
2228 }
2229
2230 switch (chan->mode) {
2231 case L2CAP_MODE_BASIC:
2232 /* Check outgoing MTU */
2233 if (len > chan->omtu)
2234 return -EMSGSIZE;
2235
2236 /* Create a basic PDU */
5e59b791 2237 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2238 if (IS_ERR(skb))
2239 return PTR_ERR(skb);
2240
2241 l2cap_do_send(chan, skb);
2242 err = len;
2243 break;
2244
2245 case L2CAP_MODE_ERTM:
2246 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2247 /* Check outgoing MTU */
2248 if (len > chan->omtu) {
2249 err = -EMSGSIZE;
2250 break;
2251 }
9a91a04a 2252
94122bbe 2253 __skb_queue_head_init(&seg_queue);
9a91a04a 2254
94122bbe
MM		 2255 /* Do segmentation before calling in to the state machine,
2256 * since it's possible to block while waiting for memory
2257 * allocation.
2258 */
2259 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2260
94122bbe
MM		 2261 /* The channel could have been closed while segmenting,
2262 * check that it is still connected.
2263 */
2264 if (chan->state != BT_CONNECTED) {
2265 __skb_queue_purge(&seg_queue);
2266 err = -ENOTCONN;
9a91a04a
GP		 2267 }
2268
94122bbe 2269 if (err)
9a91a04a 2270 break;
9a91a04a 2271
3733937d 2272 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2273 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2274 else
d660366d 2275 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2276
d660366d 2277 err = len;
9a91a04a 2278
94122bbe
MM		 2279 /* If the skbs were not queued for sending, they'll still be in
2280 * seg_queue and need to be purged.
2281 */
2282 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2283 break;
2284
2285 default:
2286 BT_DBG("bad state %1.1x", chan->mode);
2287 err = -EBADFD;
2288 }
2289
2290 return err;
2291}
2292
d2a7ac5d
MM		 2293static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2294{
bed68bde
MM		 2295 struct l2cap_ctrl control;
2296 u16 seq;
2297
b4400672 2298 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2299
2300 memset(&control, 0, sizeof(control));
2301 control.sframe = 1;
2302 control.super = L2CAP_SUPER_SREJ;
2303
2304 for (seq = chan->expected_tx_seq; seq != txseq;
2305 seq = __next_seq(chan, seq)) {
2306 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2307 control.reqseq = seq;
2308 l2cap_send_sframe(chan, &control);
2309 l2cap_seq_list_append(&chan->srej_list, seq);
2310 }
2311 }
2312
2313 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2314}
2315
2316static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2317{
bed68bde
MM		 2318 struct l2cap_ctrl control;
2319
2320 BT_DBG("chan %p", chan);
2321
2322 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2323 return;
2324
2325 memset(&control, 0, sizeof(control));
2326 control.sframe = 1;
2327 control.super = L2CAP_SUPER_SREJ;
2328 control.reqseq = chan->srej_list.tail;
2329 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2330}
2331
2332static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2333{
bed68bde
MM		 2334 struct l2cap_ctrl control;
2335 u16 initial_head;
2336 u16 seq;
2337
b4400672 2338 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2339
2340 memset(&control, 0, sizeof(control));
2341 control.sframe = 1;
2342 control.super = L2CAP_SUPER_SREJ;
2343
2344 /* Capture initial list head to allow only one pass through the list. */
2345 initial_head = chan->srej_list.head;
2346
2347 do {
2348 seq = l2cap_seq_list_pop(&chan->srej_list);
2349 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2350 break;
2351
2352 control.reqseq = seq;
2353 l2cap_send_sframe(chan, &control);
2354 l2cap_seq_list_append(&chan->srej_list, seq);
2355 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2356}
2357
608bcc6d
MM		 2358static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2359{
2360 struct sk_buff *acked_skb;
2361 u16 ackseq;
2362
b4400672 2363 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2364
2365 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2366 return;
2367
b4400672 2368 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2369 chan->expected_ack_seq, chan->unacked_frames);
2370
2371 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2372 ackseq = __next_seq(chan, ackseq)) {
2373
2374 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2375 if (acked_skb) {
2376 skb_unlink(acked_skb, &chan->tx_q);
2377 kfree_skb(acked_skb);
2378 chan->unacked_frames--;
2379 }
2380 }
2381
2382 chan->expected_ack_seq = reqseq;
2383
2384 if (chan->unacked_frames == 0)
2385 __clear_retrans_timer(chan);
2386
b4400672 2387 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2388}
2389
2390static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2391{
2392 BT_DBG("chan %p", chan);
2393
2394 chan->expected_tx_seq = chan->buffer_seq;
2395 l2cap_seq_list_clear(&chan->srej_list);
2396 skb_queue_purge(&chan->srej_q);
2397 chan->rx_state = L2CAP_RX_STATE_RECV;
2398}
2399
d660366d
GP		 2400static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2401 struct l2cap_ctrl *control,
2402 struct sk_buff_head *skbs, u8 event)
608bcc6d 2403{
608bcc6d
MM		 2404 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2405 event);
2406
2407 switch (event) {
2408 case L2CAP_EV_DATA_REQUEST:
2409 if (chan->tx_send_head == NULL)
2410 chan->tx_send_head = skb_peek(skbs);
2411
2412 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2413 l2cap_ertm_send(chan);
2414 break;
2415 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2416 BT_DBG("Enter LOCAL_BUSY");
2417 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2418
2419 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2420 /* The SREJ_SENT state must be aborted if we are to
2421 * enter the LOCAL_BUSY state.
2422 */
2423 l2cap_abort_rx_srej_sent(chan);
2424 }
2425
2426 l2cap_send_ack(chan);
2427
2428 break;
2429 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2430 BT_DBG("Exit LOCAL_BUSY");
2431 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2432
2433 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2434 struct l2cap_ctrl local_control;
2435
2436 memset(&local_control, 0, sizeof(local_control));
2437 local_control.sframe = 1;
2438 local_control.super = L2CAP_SUPER_RR;
2439 local_control.poll = 1;
2440 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2441 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2442
2443 chan->retry_count = 1;
2444 __set_monitor_timer(chan);
2445 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2446 }
2447 break;
2448 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2449 l2cap_process_reqseq(chan, control->reqseq);
2450 break;
2451 case L2CAP_EV_EXPLICIT_POLL:
2452 l2cap_send_rr_or_rnr(chan, 1);
2453 chan->retry_count = 1;
2454 __set_monitor_timer(chan);
2455 __clear_ack_timer(chan);
2456 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2457 break;
2458 case L2CAP_EV_RETRANS_TO:
2459 l2cap_send_rr_or_rnr(chan, 1);
2460 chan->retry_count = 1;
2461 __set_monitor_timer(chan);
2462 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2463 break;
2464 case L2CAP_EV_RECV_FBIT:
2465 /* Nothing to process */
2466 break;
2467 default:
2468 break;
2469 }
608bcc6d
MM		 2470}
2471
d660366d
GP		 2472static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2473 struct l2cap_ctrl *control,
2474 struct sk_buff_head *skbs, u8 event)
608bcc6d 2475{
608bcc6d
MM		 2476 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2477 event);
2478
2479 switch (event) {
2480 case L2CAP_EV_DATA_REQUEST:
2481 if (chan->tx_send_head == NULL)
2482 chan->tx_send_head = skb_peek(skbs);
2483 /* Queue data, but don't send. */
2484 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2485 break;
2486 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2487 BT_DBG("Enter LOCAL_BUSY");
2488 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2489
2490 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2491 /* The SREJ_SENT state must be aborted if we are to
2492 * enter the LOCAL_BUSY state.
2493 */
2494 l2cap_abort_rx_srej_sent(chan);
2495 }
2496
2497 l2cap_send_ack(chan);
2498
2499 break;
2500 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2501 BT_DBG("Exit LOCAL_BUSY");
2502 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2503
2504 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2505 struct l2cap_ctrl local_control;
2506 memset(&local_control, 0, sizeof(local_control));
2507 local_control.sframe = 1;
2508 local_control.super = L2CAP_SUPER_RR;
2509 local_control.poll = 1;
2510 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2511 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2512
2513 chan->retry_count = 1;
2514 __set_monitor_timer(chan);
2515 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2516 }
2517 break;
2518 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2519 l2cap_process_reqseq(chan, control->reqseq);
2520
2521 /* Fall through */
2522
2523 case L2CAP_EV_RECV_FBIT:
2524 if (control && control->final) {
2525 __clear_monitor_timer(chan);
2526 if (chan->unacked_frames > 0)
2527 __set_retrans_timer(chan);
2528 chan->retry_count = 0;
2529 chan->tx_state = L2CAP_TX_STATE_XMIT;
2530 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2531 }
2532 break;
2533 case L2CAP_EV_EXPLICIT_POLL:
2534 /* Ignore */
2535 break;
2536 case L2CAP_EV_MONITOR_TO:
2537 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2538 l2cap_send_rr_or_rnr(chan, 1);
2539 __set_monitor_timer(chan);
2540 chan->retry_count++;
2541 } else {
2542 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2543 }
2544 break;
2545 default:
2546 break;
2547 }
608bcc6d
MM		 2548}
2549
d660366d
GP		 2550static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2551 struct sk_buff_head *skbs, u8 event)
608bcc6d 2552{
608bcc6d
MM		 2553 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2554 chan, control, skbs, event, chan->tx_state);
2555
2556 switch (chan->tx_state) {
2557 case L2CAP_TX_STATE_XMIT:
d660366d 2558 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2559 break;
2560 case L2CAP_TX_STATE_WAIT_F:
d660366d 2561 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2562 break;
2563 default:
2564 /* Ignore event */
2565 break;
2566 }
608bcc6d
MM		 2567}
2568
4b51dae9
MM		 2569static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2570 struct l2cap_ctrl *control)
2571{
2572 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2573 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2574}
2575
f80842a8
MM		 2576static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2577 struct l2cap_ctrl *control)
2578{
2579 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2580 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2581}
2582
1da177e4
LT		 2583/* Copy frame to all raw sockets on that connection */
2584static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2585{
1da177e4 2586 struct sk_buff *nskb;
48454079 2587 struct l2cap_chan *chan;
1da177e4
LT		 2588
2589 BT_DBG("conn %p", conn);
2590
3df91ea2 2591 mutex_lock(&conn->chan_lock);
3d57dc68 2592
3df91ea2 2593 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2594 struct sock *sk = chan->sk;
715ec005 2595 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2596 continue;
2597
2598 /* Don't send frame to the socket it came from */
2599 if (skb->sk == sk)
2600 continue;
8bcde1f2 2601 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2602 if (!nskb)
1da177e4
LT		 2603 continue;
2604
80b98027 2605 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2606 kfree_skb(nskb);
2607 }
3d57dc68 2608
3df91ea2 2609 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2610}
2611
2612/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2613static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2614 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2615{
2616 struct sk_buff *skb, **frag;
2617 struct l2cap_cmd_hdr *cmd;
2618 struct l2cap_hdr *lh;
2619 int len, count;
2620
b4400672
AE		 2621 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2622 conn, code, ident, dlen);
1da177e4
LT		 2623
2624 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2625 count = min_t(unsigned int, conn->mtu, len);
2626
8bcde1f2 2627 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2628 if (!skb)
2629 return NULL;
2630
2631 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2632 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2633
2634 if (conn->hcon->type == LE_LINK)
ac73498c 2635 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2636 else
ac73498c 2637 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2638
2639 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2640 cmd->code = code;
2641 cmd->ident = ident;
aca3192c 2642 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2643
2644 if (dlen) {
2645 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2646 memcpy(skb_put(skb, count), data, count);
2647 data += count;
2648 }
2649
2650 len -= skb->len;
2651
2652 /* Continuation fragments (no L2CAP header) */
2653 frag = &skb_shinfo(skb)->frag_list;
2654 while (len) {
2655 count = min_t(unsigned int, conn->mtu, len);
2656
8bcde1f2 2657 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2658 if (!*frag)
2659 goto fail;
2660
2661 memcpy(skb_put(*frag, count), data, count);
2662
2663 len -= count;
2664 data += count;
2665
2666 frag = &(*frag)->next;
2667 }
2668
2669 return skb;
2670
2671fail:
2672 kfree_skb(skb);
2673 return NULL;
2674}
2675
2d792818
GP		 2676static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2677 unsigned long *val)
1da177e4
LT		 2678{
2679 struct l2cap_conf_opt *opt = *ptr;
2680 int len;
2681
2682 len = L2CAP_CONF_OPT_SIZE + opt->len;
2683 *ptr += len;
2684
2685 *type = opt->type;
2686 *olen = opt->len;
2687
2688 switch (opt->len) {
2689 case 1:
2690 *val = *((u8 *) opt->val);
2691 break;
2692
2693 case 2:
bfaaeb3e 2694 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2695 break;
2696
2697 case 4:
bfaaeb3e 2698 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2699 break;
2700
2701 default:
2702 *val = (unsigned long) opt->val;
2703 break;
2704 }
2705
b4400672 2706 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2707 return len;
2708}
2709
1da177e4
LT		 2710static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2711{
2712 struct l2cap_conf_opt *opt = *ptr;
2713
b4400672 2714 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2715
2716 opt->type = type;
2717 opt->len = len;
2718
2719 switch (len) {
2720 case 1:
2721 *((u8 *) opt->val) = val;
2722 break;
2723
2724 case 2:
4f8b691c 2725 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2726 break;
2727
2728 case 4:
4f8b691c 2729 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2730 break;
2731
2732 default:
2733 memcpy(opt->val, (void *) val, len);
2734 break;
2735 }
2736
2737 *ptr += L2CAP_CONF_OPT_SIZE + len;
2738}
2739
f89cef09
AE		 2740static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2741{
2742 struct l2cap_conf_efs efs;
2743
1ec918ce 2744 switch (chan->mode) {
f89cef09
AE		 2745 case L2CAP_MODE_ERTM:
2746 efs.id = chan->local_id;
2747 efs.stype = chan->local_stype;
2748 efs.msdu = cpu_to_le16(chan->local_msdu);
2749 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2750 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2751 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2752 break;
2753
2754 case L2CAP_MODE_STREAMING:
2755 efs.id = 1;
2756 efs.stype = L2CAP_SERV_BESTEFFORT;
2757 efs.msdu = cpu_to_le16(chan->local_msdu);
2758 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2759 efs.acc_lat = 0;
2760 efs.flush_to = 0;
2761 break;
2762
2763 default:
2764 return;
2765 }
2766
2767 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2768 (unsigned long) &efs);
f89cef09
AE		 2769}
2770
721c4181 2771static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2772{
721c4181 2773 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2774 ack_timer.work);
2775 u16 frames_to_ack;
c1b4f43b 2776
2fb9b3d4
GP		 2777 BT_DBG("chan %p", chan);
2778
6be36555
AE		 2779 l2cap_chan_lock(chan);
2780
0362520b
MM		 2781 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2782 chan->last_acked_seq);
6be36555 2783
0362520b
MM		 2784 if (frames_to_ack)
2785 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2786
0362520b 2787 l2cap_chan_unlock(chan);
09bfb2ee 2788 l2cap_chan_put(chan);
c1b4f43b
GP		 2789}
2790
466f8004 2791int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2792{
3c588192
MM		 2793 int err;
2794
105bdf9e
MM		 2795 chan->next_tx_seq = 0;
2796 chan->expected_tx_seq = 0;
42e5c802 2797 chan->expected_ack_seq = 0;
6a026610 2798 chan->unacked_frames = 0;
42e5c802 2799 chan->buffer_seq = 0;
6a026610 2800 chan->frames_sent = 0;
105bdf9e
MM		 2801 chan->last_acked_seq = 0;
2802 chan->sdu = NULL;
2803 chan->sdu_last_frag = NULL;
2804 chan->sdu_len = 0;
2805
d34c34fb
MM		 2806 skb_queue_head_init(&chan->tx_q);
2807
08333283
MM		 2808 chan->local_amp_id = 0;
2809 chan->move_id = 0;
2810 chan->move_state = L2CAP_MOVE_STABLE;
2811 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2812
105bdf9e
MM		 2813 if (chan->mode != L2CAP_MODE_ERTM)
2814 return 0;
2815
2816 chan->rx_state = L2CAP_RX_STATE_RECV;
2817 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2818
721c4181
GP		 2819 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2820 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2821 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2822
f1c6775b 2823 skb_queue_head_init(&chan->srej_q);
1890d36b 2824
3c588192
MM		 2825 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2826 if (err < 0)
2827 return err;
2828
9dc9affc
MM		 2829 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2830 if (err < 0)
2831 l2cap_seq_list_free(&chan->srej_list);
2832
2833 return err;
0565c1c2
GP		 2834}
2835
f2fcfcd6
GP		 2836static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2837{
2838 switch (mode) {
2839 case L2CAP_MODE_STREAMING:
2840 case L2CAP_MODE_ERTM:
2841 if (l2cap_mode_supported(mode, remote_feat_mask))
2842 return mode;
2843 /* fall through */
2844 default:
2845 return L2CAP_MODE_BASIC;
2846 }
2847}
2848
6327eb98
AE		 2849static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2850{
2851 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2852}
2853
f89cef09
AE		 2854static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2855{
2856 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2857}
2858
6327eb98
AE		 2859static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2860{
2861 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 2862 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2863 /* use extended control field */
2864 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2865 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2866 } else {
6327eb98 2867 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 2868 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2869 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2870 }
c20f8e35 2871 chan->ack_win = chan->tx_win;
6327eb98
AE		 2872}
2873
710f9b0a 2874static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2875{
1da177e4 2876 struct l2cap_conf_req *req = data;
0c1bc5c6 2877 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2878 void *ptr = req->data;
c8f79162 2879 u16 size;
1da177e4 2880
49208c9c 2881 BT_DBG("chan %p", chan);
1da177e4 2882
73ffa904 2883 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2884 goto done;
2885
0c1bc5c6 2886 switch (chan->mode) {
f2fcfcd6
GP		 2887 case L2CAP_MODE_STREAMING:
2888 case L2CAP_MODE_ERTM:
c1360a1c 2889 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2890 break;
85eb53c6 2891
f89cef09
AE		 2892 if (__l2cap_efs_supported(chan))
2893 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2894
2ba13ed6 2895 /* fall through */
f2fcfcd6 2896 default:
8c1d787b 2897 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2898 break;
2899 }
2900
2901done:
0c1bc5c6
GP		 2902 if (chan->imtu != L2CAP_DEFAULT_MTU)
2903 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2904
0c1bc5c6 2905 switch (chan->mode) {
65c7c491 2906 case L2CAP_MODE_BASIC:
8c1d787b 2907 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 2908 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2909 break;
2910
62547752
GP		 2911 rfc.mode = L2CAP_MODE_BASIC;
2912 rfc.txwin_size = 0;
2913 rfc.max_transmit = 0;
2914 rfc.retrans_timeout = 0;
2915 rfc.monitor_timeout = 0;
2916 rfc.max_pdu_size = 0;
2917
63406504 2918 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2919 (unsigned long) &rfc);
65c7c491
MH		 2920 break;
2921
2922 case L2CAP_MODE_ERTM:
2923 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2924 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2925 rfc.retrans_timeout = 0;
2926 rfc.monitor_timeout = 0;
c8f79162
AE		 2927
2928 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2929 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2930 L2CAP_FCS_SIZE);
c8f79162 2931 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2932
6327eb98
AE		 2933 l2cap_txwin_setup(chan);
2934
2935 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 2936 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2937
63406504 2938 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2939 (unsigned long) &rfc);
63406504 2940
f89cef09
AE		 2941 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2942 l2cap_add_opt_efs(&ptr, chan);
2943
8c1d787b 2944 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2945 break;
2946
47d1ec61 2947 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2948 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2949 chan->fcs = L2CAP_FCS_NONE;
2950 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2951 }
6327eb98
AE		 2952
2953 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2954 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 2955 chan->tx_win);
f2fcfcd6
GP		 2956 break;
2957
2958 case L2CAP_MODE_STREAMING:
273759e2 2959 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2960 rfc.mode = L2CAP_MODE_STREAMING;
2961 rfc.txwin_size = 0;
2962 rfc.max_transmit = 0;
2963 rfc.retrans_timeout = 0;
2964 rfc.monitor_timeout = 0;
c8f79162
AE		 2965
2966 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 2967 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
2968 L2CAP_FCS_SIZE);
c8f79162 2969 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2970
63406504 2971 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 2972 (unsigned long) &rfc);
63406504 2973
f89cef09
AE		 2974 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2975 l2cap_add_opt_efs(&ptr, chan);
2976
8c1d787b 2977 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2978 break;
2979
47d1ec61 2980 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 2981 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2982 chan->fcs = L2CAP_FCS_NONE;
2983 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2984 }
65c7c491
MH		 2985 break;
2986 }
1da177e4 2987
fe4128e0 2988 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2989 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2990
2991 return ptr - data;
2992}
2993
73ffa904 2994static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2995{
5dee9e7c
MH		 2996 struct l2cap_conf_rsp *rsp = data;
2997 void *ptr = rsp->data;
73ffa904
GP		 2998 void *req = chan->conf_req;
2999 int len = chan->conf_len;
5dee9e7c
MH		 3000 int type, hint, olen;
3001 unsigned long val;
6464f35f 3002 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3003 struct l2cap_conf_efs efs;
3004 u8 remote_efs = 0;
861d6882 3005 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3006 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3007 u16 size;
1da177e4 3008
73ffa904 3009 BT_DBG("chan %p", chan);
820ae1b8 3010
5dee9e7c
MH		 3011 while (len >= L2CAP_CONF_OPT_SIZE) {
3012 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3013
589d2746 3014 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3015 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3016
3017 switch (type) {
3018 case L2CAP_CONF_MTU:
861d6882 3019 mtu = val;
5dee9e7c
MH		 3020 break;
3021
3022 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3023 chan->flush_to = val;
5dee9e7c
MH		 3024 break;
3025
3026 case L2CAP_CONF_QOS:
3027 break;
3028
6464f35f
MH		 3029 case L2CAP_CONF_RFC:
3030 if (olen == sizeof(rfc))
3031 memcpy(&rfc, (void *) val, olen);
3032 break;
3033
fcc203c3
GP		 3034 case L2CAP_CONF_FCS:
3035 if (val == L2CAP_FCS_NONE)
c1360a1c 3036 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3037 break;
fcc203c3 3038
42dceae2
AE		 3039 case L2CAP_CONF_EFS:
3040 remote_efs = 1;
3041 if (olen == sizeof(efs))
3042 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3043 break;
3044
6327eb98
AE		 3045 case L2CAP_CONF_EWS:
3046 if (!enable_hs)
3047 return -ECONNREFUSED;
fcc203c3 3048
6327eb98
AE		 3049 set_bit(FLAG_EXT_CTRL, &chan->flags);
3050 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3051 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3052 chan->remote_tx_win = val;
fcc203c3
GP		 3053 break;
3054
5dee9e7c
MH		 3055 default:
3056 if (hint)
3057 break;
3058
3059 result = L2CAP_CONF_UNKNOWN;
3060 *((u8 *) ptr++) = type;
3061 break;
3062 }
3063 }
3064
73ffa904 3065 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3066 goto done;
3067
0c1bc5c6 3068 switch (chan->mode) {
f2fcfcd6
GP		 3069 case L2CAP_MODE_STREAMING:
3070 case L2CAP_MODE_ERTM:
c1360a1c 3071 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3072 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3073 chan->conn->feat_mask);
85eb53c6
GP		 3074 break;
3075 }
3076
42dceae2
AE		 3077 if (remote_efs) {
3078 if (__l2cap_efs_supported(chan))
3079 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3080 else
3081 return -ECONNREFUSED;
3082 }
3083
0c1bc5c6 3084 if (chan->mode != rfc.mode)
f2fcfcd6 3085 return -ECONNREFUSED;
742e519b 3086
f2fcfcd6 3087 break;
f2fcfcd6
GP		 3088 }
3089
3090done:
0c1bc5c6 3091 if (chan->mode != rfc.mode) {
f2fcfcd6 3092 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3093 rfc.mode = chan->mode;
f2fcfcd6 3094
73ffa904 3095 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3096 return -ECONNREFUSED;
3097
2d792818
GP		 3098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3099 (unsigned long) &rfc);
f2fcfcd6
GP		 3100 }
3101
5dee9e7c
MH		 3102 if (result == L2CAP_CONF_SUCCESS) {
3103 /* Configure output options and let the other side know
3104 * which ones we don't like. */
3105
f2fcfcd6
GP		 3106 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3107 result = L2CAP_CONF_UNACCEPT;
3108 else {
0c1bc5c6 3109 chan->omtu = mtu;
c1360a1c 3110 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3111 }
0c1bc5c6 3112 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3113
42dceae2
AE		 3114 if (remote_efs) {
3115 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3116 efs.stype != L2CAP_SERV_NOTRAFIC &&
3117 efs.stype != chan->local_stype) {
42dceae2
AE		 3118
3119 result = L2CAP_CONF_UNACCEPT;
3120
3121 if (chan->num_conf_req >= 1)
3122 return -ECONNREFUSED;
3123
3124 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3125 sizeof(efs),
3126 (unsigned long) &efs);
0e8b207e 3127 } else {
3e6b3b95 3128 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3129 result = L2CAP_CONF_PENDING;
3130 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3131 }
3132 }
3133
f2fcfcd6
GP		 3134 switch (rfc.mode) {
3135 case L2CAP_MODE_BASIC:
47d1ec61 3136 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3137 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3138 break;
3139
3140 case L2CAP_MODE_ERTM:
6327eb98
AE		 3141 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3142 chan->remote_tx_win = rfc.txwin_size;
3143 else
3144 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3145
2c03a7a4 3146 chan->remote_max_tx = rfc.max_transmit;
1c762159 3147
c8f79162 3148 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3149 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3150 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3151 rfc.max_pdu_size = cpu_to_le16(size);
3152 chan->remote_mps = size;
f2fcfcd6 3153
10467e9e 3154 rfc.retrans_timeout =
4fd21a88 3155 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3156 rfc.monitor_timeout =
4fd21a88 3157 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3158
c1360a1c 3159 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3160
3161 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3162 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3163
42dceae2
AE		 3164 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3165 chan->remote_id = efs.id;
3166 chan->remote_stype = efs.stype;
3167 chan->remote_msdu = le16_to_cpu(efs.msdu);
3168 chan->remote_flush_to =
2d792818 3169 le32_to_cpu(efs.flush_to);
42dceae2 3170 chan->remote_acc_lat =
2d792818 3171 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3172 chan->remote_sdu_itime =
3173 le32_to_cpu(efs.sdu_itime);
3174 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3175 sizeof(efs),
3176 (unsigned long) &efs);
42dceae2 3177 }
f2fcfcd6
GP		 3178 break;
3179
3180 case L2CAP_MODE_STREAMING:
c8f79162 3181 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3182 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3183 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3184 rfc.max_pdu_size = cpu_to_le16(size);
3185 chan->remote_mps = size;
f2fcfcd6 3186
c1360a1c 3187 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3188
2d792818
GP		 3189 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3190 (unsigned long) &rfc);
68ae6639 3191
f2fcfcd6
GP		 3192 break;
3193
3194 default:
5dee9e7c 3195 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3196
6464f35f 3197 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3198 rfc.mode = chan->mode;
f2fcfcd6 3199 }
6464f35f 3200
f2fcfcd6 3201 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3202 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3203 }
fe4128e0 3204 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3205 rsp->result = cpu_to_le16(result);
59e54bd1 3206 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3207
3208 return ptr - data;
1da177e4
LT		 3209}
3210
2d792818
GP		 3211static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3212 void *data, u16 *result)
f2fcfcd6 3213{
f2fcfcd6
GP		 3214 struct l2cap_conf_req *req = data;
3215 void *ptr = req->data;
3216 int type, olen;
3217 unsigned long val;
36e999a8 3218 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3219 struct l2cap_conf_efs efs;
f2fcfcd6 3220
fe4128e0 3221 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3222
3223 while (len >= L2CAP_CONF_OPT_SIZE) {
3224 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3225
3226 switch (type) {
3227 case L2CAP_CONF_MTU:
3228 if (val < L2CAP_DEFAULT_MIN_MTU) {
3229 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3230 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3231 } else
0c1bc5c6
GP		 3232 chan->imtu = val;
3233 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3234 break;
3235
3236 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3237 chan->flush_to = val;
f2fcfcd6 3238 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3239 2, chan->flush_to);
f2fcfcd6
GP		 3240 break;
3241
3242 case L2CAP_CONF_RFC:
3243 if (olen == sizeof(rfc))
3244 memcpy(&rfc, (void *)val, olen);
3245
c1360a1c 3246 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3247 rfc.mode != chan->mode)
f2fcfcd6
GP		 3248 return -ECONNREFUSED;
3249
47d1ec61 3250 chan->fcs = 0;
f2fcfcd6
GP		 3251
3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3253 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3254 break;
6327eb98
AE		 3255
3256 case L2CAP_CONF_EWS:
c20f8e35 3257 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3258 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3259 chan->tx_win);
6327eb98 3260 break;
66af7aaf
AE		 3261
3262 case L2CAP_CONF_EFS:
3263 if (olen == sizeof(efs))
3264 memcpy(&efs, (void *)val, olen);
3265
3266 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3267 efs.stype != L2CAP_SERV_NOTRAFIC &&
3268 efs.stype != chan->local_stype)
66af7aaf
AE		 3269 return -ECONNREFUSED;
3270
2d792818
GP		 3271 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3272 (unsigned long) &efs);
66af7aaf 3273 break;
f2fcfcd6
GP		 3274 }
3275 }
3276
0c1bc5c6 3277 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3278 return -ECONNREFUSED;
3279
0c1bc5c6 3280 chan->mode = rfc.mode;
6c2ea7a8 3281
0e8b207e 3282 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3283 switch (rfc.mode) {
3284 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3285 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3286 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3287 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3288 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3289 chan->ack_win = min_t(u16, chan->ack_win,
3290 rfc.txwin_size);
66af7aaf
AE		 3291
3292 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3293 chan->local_msdu = le16_to_cpu(efs.msdu);
3294 chan->local_sdu_itime =
2d792818 3295 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3296 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3297 chan->local_flush_to =
2d792818 3298 le32_to_cpu(efs.flush_to);
66af7aaf 3299 }
f2fcfcd6 3300 break;
66af7aaf 3301
f2fcfcd6 3302 case L2CAP_MODE_STREAMING:
47d1ec61 3303 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3304 }
3305 }
3306
fe4128e0 3307 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3308 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3309
3310 return ptr - data;
3311}
3312
2d792818
GP		 3313static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3314 u16 result, u16 flags)
1da177e4
LT		 3315{
3316 struct l2cap_conf_rsp *rsp = data;
3317 void *ptr = rsp->data;
1da177e4 3318
fe4128e0 3319 BT_DBG("chan %p", chan);
1da177e4 3320
fe4128e0 3321 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3322 rsp->result = cpu_to_le16(result);
aca3192c 3323 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3324
3325 return ptr - data;
3326}
3327
8c1d787b 3328void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3329{
3330 struct l2cap_conn_rsp rsp;
8c1d787b 3331 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3332 u8 buf[128];
3333
fe4128e0
GP		 3334 rsp.scid = cpu_to_le16(chan->dcid);
3335 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3336 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3337 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3338 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3339
c1360a1c 3340 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3341 return;
3342
710f9b0a 3343 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3344 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3345 chan->num_conf_req++;
3346}
3347
47d1ec61 3348static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3349{
7b1c0049
GP		 3350 int type, olen;
3351 unsigned long val;
c20f8e35
MM		 3352 /* Use sane default values in case a misbehaving remote device
3353 * did not send an RFC or extended window size option.
3354 */
3355 u16 txwin_ext = chan->ack_win;
3356 struct l2cap_conf_rfc rfc = {
3357 .mode = chan->mode,
3358 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3359 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3360 .max_pdu_size = cpu_to_le16(chan->imtu),
3361 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3362 };
7b1c0049 3363
47d1ec61 3364 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3365
0c1bc5c6 3366 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3367 return;
3368
3369 while (len >= L2CAP_CONF_OPT_SIZE) {
3370 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3371
c20f8e35
MM		 3372 switch (type) {
3373 case L2CAP_CONF_RFC:
3374 if (olen == sizeof(rfc))
3375 memcpy(&rfc, (void *)val, olen);
8f321f85 3376 break;
c20f8e35
MM		 3377 case L2CAP_CONF_EWS:
3378 txwin_ext = val;
3379 break;
3380 }
7b1c0049
GP		 3381 }
3382
7b1c0049
GP		 3383 switch (rfc.mode) {
3384 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3385 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3386 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3387 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3388 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3389 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3390 else
3391 chan->ack_win = min_t(u16, chan->ack_win,
3392 rfc.txwin_size);
7b1c0049
GP		 3393 break;
3394 case L2CAP_MODE_STREAMING:
47d1ec61 3395 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3396 }
3397}
3398
2d792818
GP		 3399static inline int l2cap_command_rej(struct l2cap_conn *conn,
3400 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3401{
e2fd318e 3402 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3403
e2fd318e 3404 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3405 return 0;
3406
3407 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3408 cmd->ident == conn->info_ident) {
17cd3f37 3409 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3410
3411 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3412 conn->info_ident = 0;
984947dc 3413
4e8402a3
MH		 3414 l2cap_conn_start(conn);
3415 }
3416
3417 return 0;
3418}
3419
1700915f
MM		 3420static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3421 struct l2cap_cmd_hdr *cmd,
3422 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3423{
1da177e4
LT		 3424 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3425 struct l2cap_conn_rsp rsp;
23691d75 3426 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3427 struct sock *parent, *sk = NULL;
e7c29cb1 3428 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3429
3430 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3431 __le16 psm = req->psm;
1da177e4 3432
097db76c 3433 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3434
3435 /* Check if we have socket listening on psm */
c2287681 3436 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3437 if (!pchan) {
1da177e4
LT		 3438 result = L2CAP_CR_BAD_PSM;
3439 goto sendresp;
3440 }
3441
23691d75
GP		 3442 parent = pchan->sk;
3443
3df91ea2 3444 mutex_lock(&conn->chan_lock);
aa2ac881 3445 lock_sock(parent);
e0f0cb56 3446
e7c29cb1 3447 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3448 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3449 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3450 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3451 result = L2CAP_CR_SEC_BLOCK;
3452 goto response;
3453 }
3454
1da177e4
LT		 3455 result = L2CAP_CR_NO_MEM;
3456
2dfa1003
GP		 3457 /* Check if we already have channel with that dcid */
3458 if (__l2cap_get_chan_by_dcid(conn, scid))
3459 goto response;
3460
80b98027 3461 chan = pchan->ops->new_connection(pchan);
80808e43 3462 if (!chan)
1da177e4
LT		 3463 goto response;
3464
80808e43
GP		 3465 sk = chan->sk;
3466
1da177e4
LT		 3467 hci_conn_hold(conn->hcon);
3468
1da177e4
LT		 3469 bacpy(&bt_sk(sk)->src, conn->src);
3470 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3471 chan->psm = psm;
3472 chan->dcid = scid;
1700915f 3473 chan->local_amp_id = amp_id;
1da177e4 3474
6be36555 3475 __l2cap_chan_add(conn, chan);
48454079 3476
fe4128e0 3477 dcid = chan->scid;
1da177e4 3478
c9b66675 3479 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3480
fc7f8a7e 3481 chan->ident = cmd->ident;
1da177e4 3482
984947dc 3483 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3484 if (l2cap_chan_check_security(chan)) {
c5daa683 3485 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3486 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3487 result = L2CAP_CR_PEND;
3488 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3489 chan->ops->defer(chan);
f66dc81f 3490 } else {
1700915f
MM		 3491 /* Force pending result for AMP controllers.
3492 * The connection will succeed after the
3493 * physical link is up.
3494 */
3495 if (amp_id) {
3496 __l2cap_state_change(chan, BT_CONNECT2);
3497 result = L2CAP_CR_PEND;
3498 } else {
3499 __l2cap_state_change(chan, BT_CONFIG);
3500 result = L2CAP_CR_SUCCESS;
3501 }
f66dc81f
MH		 3502 status = L2CAP_CS_NO_INFO;
3503 }
79d554a6 3504 } else {
0e587be7 3505 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3506 result = L2CAP_CR_PEND;
3507 status = L2CAP_CS_AUTHEN_PEND;
3508 }
3509 } else {
0e587be7 3510 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3511 result = L2CAP_CR_PEND;
3512 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3513 }
3514
1da177e4 3515response:
aa2ac881 3516 release_sock(parent);
3df91ea2 3517 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3518
3519sendresp:
aca3192c
YH		 3520 rsp.scid = cpu_to_le16(scid);
3521 rsp.dcid = cpu_to_le16(dcid);
3522 rsp.result = cpu_to_le16(result);
3523 rsp.status = cpu_to_le16(status);
4c89b6aa 3524 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3525
3526 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3527 struct l2cap_info_req info;
ac73498c 3528 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3529
3530 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3531 conn->info_ident = l2cap_get_ident(conn);
3532
ba13ccd9 3533 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3534
2d792818
GP		 3535 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3536 sizeof(info), &info);
79d554a6
MH		 3537 }
3538
c1360a1c 3539 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3540 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3541 u8 buf[128];
c1360a1c 3542 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3543 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3544 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3545 chan->num_conf_req++;
e9aeb2dd 3546 }
1700915f
MM		 3547
3548 return chan;
4c89b6aa 3549}
e9aeb2dd 3550
4c89b6aa
MM		 3551static int l2cap_connect_req(struct l2cap_conn *conn,
3552 struct l2cap_cmd_hdr *cmd, u8 *data)
3553{
300229f9 3554 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3555 return 0;
3556}
3557
5909cf30 3558static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3559 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3560{
3561 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3562 u16 scid, dcid, result, status;
48454079 3563 struct l2cap_chan *chan;
1da177e4 3564 u8 req[128];
3df91ea2 3565 int err;
1da177e4
LT		 3566
3567 scid = __le16_to_cpu(rsp->scid);
3568 dcid = __le16_to_cpu(rsp->dcid);
3569 result = __le16_to_cpu(rsp->result);
3570 status = __le16_to_cpu(rsp->status);
3571
1b009c98 3572 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3573 dcid, scid, result, status);
1da177e4 3574
3df91ea2
AE		 3575 mutex_lock(&conn->chan_lock);
3576
1da177e4 3577 if (scid) {
3df91ea2
AE		 3578 chan = __l2cap_get_chan_by_scid(conn, scid);
3579 if (!chan) {
3580 err = -EFAULT;
3581 goto unlock;
3582 }
1da177e4 3583 } else {
3df91ea2
AE		 3584 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3585 if (!chan) {
3586 err = -EFAULT;
3587 goto unlock;
3588 }
1da177e4
LT		 3589 }
3590
3df91ea2
AE		 3591 err = 0;
3592
6be36555 3593 l2cap_chan_lock(chan);
48454079 3594
1da177e4
LT		 3595 switch (result) {
3596 case L2CAP_CR_SUCCESS:
89bc500e 3597 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3598 chan->ident = 0;
fe4128e0 3599 chan->dcid = dcid;
c1360a1c 3600 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3601
c1360a1c 3602 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3603 break;
3604
1da177e4 3605 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3606 l2cap_build_conf_req(chan, req), req);
73ffa904 3607 chan->num_conf_req++;
1da177e4
LT		 3608 break;
3609
3610 case L2CAP_CR_PEND:
c1360a1c 3611 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3612 break;
3613
3614 default:
48454079 3615 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3616 break;
3617 }
3618
6be36555 3619 l2cap_chan_unlock(chan);
3df91ea2
AE		 3620
3621unlock:
3622 mutex_unlock(&conn->chan_lock);
3623
3624 return err;
1da177e4
LT		 3625}
3626
47d1ec61 3627static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3628{
3629 /* FCS is enabled only in ERTM or streaming mode, if one or both
3630 * sides request it.
3631 */
0c1bc5c6 3632 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3633 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3634 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3635 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3636}
3637
29d8a590
AE		 3638static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3639 u8 ident, u16 flags)
3640{
3641 struct l2cap_conn *conn = chan->conn;
3642
3643 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3644 flags);
3645
3646 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3647 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3648
3649 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3650 l2cap_build_conf_rsp(chan, data,
3651 L2CAP_CONF_SUCCESS, flags), data);
3652}
3653
2d792818
GP		 3654static inline int l2cap_config_req(struct l2cap_conn *conn,
3655 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3656 u8 *data)
1da177e4
LT		 3657{
3658 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3659 u16 dcid, flags;
3660 u8 rsp[64];
48454079 3661 struct l2cap_chan *chan;
3c588192 3662 int len, err = 0;
1da177e4
LT		 3663
3664 dcid = __le16_to_cpu(req->dcid);
3665 flags = __le16_to_cpu(req->flags);
3666
3667 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3668
baa7e1fa 3669 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3670 if (!chan)
1da177e4
LT		 3671 return -ENOENT;
3672
033b1142 3673 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3674 struct l2cap_cmd_rej_cid rej;
3675
ac73498c 3676 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3677 rej.scid = cpu_to_le16(chan->scid);
3678 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3679
df6bd743 3680 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3681 sizeof(rej), &rej);
354f60a9 3682 goto unlock;
df6bd743 3683 }
354f60a9 3684
5dee9e7c 3685 /* Reject if config buffer is too small. */
88219a0f 3686 len = cmd_len - sizeof(*req);
7ac28817 3687 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3688 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3689 l2cap_build_conf_rsp(chan, rsp,
3690 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3691 goto unlock;
3692 }
3693
3694 /* Store config. */
73ffa904
GP		 3695 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3696 chan->conf_len += len;
1da177e4 3697
59e54bd1 3698 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3699 /* Incomplete config. Send empty response. */
3700 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3701 l2cap_build_conf_rsp(chan, rsp,
3702 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3703 goto unlock;
3704 }
3705
3706 /* Complete config. */
73ffa904 3707 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3708 if (len < 0) {
e92c8e70 3709 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3710 goto unlock;
f2fcfcd6 3711 }
1da177e4 3712
5dee9e7c 3713 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3714 chan->num_conf_rsp++;
5dee9e7c 3715
5dee9e7c 3716 /* Reset config buffer. */
73ffa904 3717 chan->conf_len = 0;
5dee9e7c 3718
c1360a1c 3719 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3720 goto unlock;
3721
c1360a1c 3722 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3723 set_default_fcs(chan);
fcc203c3 3724
105bdf9e
MM		 3725 if (chan->mode == L2CAP_MODE_ERTM ||
3726 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3727 err = l2cap_ertm_init(chan);
3728
3729 if (err < 0)
3730 l2cap_send_disconn_req(chan->conn, chan, -err);
3731 else
3732 l2cap_chan_ready(chan);
0565c1c2 3733
876d9484
MH		 3734 goto unlock;
3735 }
3736
c1360a1c 3737 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3738 u8 buf[64];
1da177e4 3739 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3740 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3741 chan->num_conf_req++;
1da177e4
LT		 3742 }
3743
0e8b207e
AE		 3744 /* Got Conf Rsp PENDING from remote side and asume we sent
3745 Conf Rsp PENDING in the code above */
3746 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3747 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3748
3749 /* check compatibility */
3750
79de886d
AE		 3751 /* Send rsp for BR/EDR channel */
3752 if (!chan->ctrl_id)
3753 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3754 else
3755 chan->ident = cmd->ident;
0e8b207e
AE		 3756 }
3757
1da177e4 3758unlock:
6be36555 3759 l2cap_chan_unlock(chan);
3c588192 3760 return err;
1da177e4
LT		 3761}
3762
2d792818
GP		 3763static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3764 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3765{
3766 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3767 u16 scid, flags, result;
48454079 3768 struct l2cap_chan *chan;
61386cba 3769 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3770 int err = 0;
1da177e4
LT		 3771
3772 scid = __le16_to_cpu(rsp->scid);
3773 flags = __le16_to_cpu(rsp->flags);
3774 result = __le16_to_cpu(rsp->result);
3775
61386cba
AE		 3776 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3777 result, len);
1da177e4 3778
baa7e1fa 3779 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3780 if (!chan)
1da177e4
LT		 3781 return 0;
3782
3783 switch (result) {
3784 case L2CAP_CONF_SUCCESS:
47d1ec61 3785 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3786 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3787 break;
3788
0e8b207e
AE		 3789 case L2CAP_CONF_PENDING:
3790 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3791
3792 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3793 char buf[64];
3794
3795 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3796 buf, &result);
0e8b207e
AE		 3797 if (len < 0) {
3798 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3799 goto done;
3800 }
3801
3802 /* check compatibility */
3803
79de886d
AE		 3804 if (!chan->ctrl_id)
3805 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3806 0);
3807 else
3808 chan->ident = cmd->ident;
0e8b207e
AE		 3809 }
3810 goto done;
3811
1da177e4 3812 case L2CAP_CONF_UNACCEPT:
73ffa904 3813 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3814 char req[64];
3815
c2c77ec8 3816 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3817 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3818 goto done;
3819 }
3820
f2fcfcd6
GP		 3821 /* throw out any old stored conf requests */
3822 result = L2CAP_CONF_SUCCESS;
b4450035 3823 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3824 req, &result);
f2fcfcd6 3825 if (len < 0) {
e92c8e70 3826 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3827 goto done;
3828 }
3829
3830 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3831 L2CAP_CONF_REQ, len, req);
73ffa904 3832 chan->num_conf_req++;
f2fcfcd6
GP		 3833 if (result != L2CAP_CONF_SUCCESS)
3834 goto done;
3835 break;
1da177e4
LT		 3836 }
3837
8e87d142 3838 default:
6be36555 3839 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3840
ba13ccd9 3841 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3842 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3843 goto done;
3844 }
3845
59e54bd1 3846 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3847 goto done;
3848
c1360a1c 3849 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3850
c1360a1c 3851 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3852 set_default_fcs(chan);
fcc203c3 3853
105bdf9e
MM		 3854 if (chan->mode == L2CAP_MODE_ERTM ||
3855 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3856 err = l2cap_ertm_init(chan);
0565c1c2 3857
3c588192
MM		 3858 if (err < 0)
3859 l2cap_send_disconn_req(chan->conn, chan, -err);
3860 else
3861 l2cap_chan_ready(chan);
1da177e4
LT		 3862 }
3863
3864done:
6be36555 3865 l2cap_chan_unlock(chan);
3c588192 3866 return err;
1da177e4
LT		 3867}
3868
2d792818
GP		 3869static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
3870 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3871{
3872 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3873 struct l2cap_disconn_rsp rsp;
3874 u16 dcid, scid;
48454079 3875 struct l2cap_chan *chan;
1da177e4
LT		 3876 struct sock *sk;
3877
3878 scid = __le16_to_cpu(req->scid);
3879 dcid = __le16_to_cpu(req->dcid);
3880
3881 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3882
3df91ea2
AE		 3883 mutex_lock(&conn->chan_lock);
3884
3885 chan = __l2cap_get_chan_by_scid(conn, dcid);
3886 if (!chan) {
3887 mutex_unlock(&conn->chan_lock);
1da177e4 3888 return 0;
3df91ea2 3889 }
1da177e4 3890
6be36555
AE		 3891 l2cap_chan_lock(chan);
3892
48454079
GP		 3893 sk = chan->sk;
3894
fe4128e0
GP		 3895 rsp.dcid = cpu_to_le16(chan->scid);
3896 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3897 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3898
6be36555 3899 lock_sock(sk);
1da177e4 3900 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3901 release_sock(sk);
1da177e4 3902
61d6ef3e 3903 l2cap_chan_hold(chan);
48454079 3904 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3905
3906 l2cap_chan_unlock(chan);
1da177e4 3907
80b98027 3908 chan->ops->close(chan);
61d6ef3e 3909 l2cap_chan_put(chan);
3df91ea2
AE		 3910
3911 mutex_unlock(&conn->chan_lock);
3912
1da177e4
LT		 3913 return 0;
3914}
3915
2d792818
GP		 3916static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
3917 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3918{
3919 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3920 u16 dcid, scid;
48454079 3921 struct l2cap_chan *chan;
1da177e4
LT		 3922
3923 scid = __le16_to_cpu(rsp->scid);
3924 dcid = __le16_to_cpu(rsp->dcid);
3925
3926 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3927
3df91ea2
AE		 3928 mutex_lock(&conn->chan_lock);
3929
3930 chan = __l2cap_get_chan_by_scid(conn, scid);
3931 if (!chan) {
3932 mutex_unlock(&conn->chan_lock);
1da177e4 3933 return 0;
3df91ea2 3934 }
1da177e4 3935
6be36555 3936 l2cap_chan_lock(chan);
48454079 3937
61d6ef3e 3938 l2cap_chan_hold(chan);
48454079 3939 l2cap_chan_del(chan, 0);
6be36555
AE		 3940
3941 l2cap_chan_unlock(chan);
1da177e4 3942
80b98027 3943 chan->ops->close(chan);
61d6ef3e 3944 l2cap_chan_put(chan);
3df91ea2
AE		 3945
3946 mutex_unlock(&conn->chan_lock);
3947
1da177e4
LT		 3948 return 0;
3949}
3950
2d792818
GP		 3951static inline int l2cap_information_req(struct l2cap_conn *conn,
3952 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3953{
3954 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3955 u16 type;
3956
3957 type = __le16_to_cpu(req->type);
3958
3959 BT_DBG("type 0x%4.4x", type);
3960
f0709e03
MH		 3961 if (type == L2CAP_IT_FEAT_MASK) {
3962 u8 buf[8];
44dd46de 3963 u32 feat_mask = l2cap_feat_mask;
f0709e03 3964 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3965 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3966 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3967 if (!disable_ertm)
fcc203c3 3968 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 3969 | L2CAP_FEAT_FCS;
a5fd6f30 3970 if (enable_hs)
6327eb98 3971 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 3972 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3973
1b7bf4ed 3974 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 3975 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
3976 buf);
e1027a7c
MH		 3977 } else if (type == L2CAP_IT_FIXED_CHAN) {
3978 u8 buf[12];
3979 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3980
3981 if (enable_hs)
3982 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3983 else
3984 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3985
ac73498c
AE		 3986 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3987 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3988 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 3989 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
3990 buf);
f0709e03
MH		 3991 } else {
3992 struct l2cap_info_rsp rsp;
3993 rsp.type = cpu_to_le16(type);
ac73498c 3994 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 3995 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
3996 &rsp);
f0709e03 3997 }
1da177e4
LT		 3998
3999 return 0;
4000}
4001
2d792818
GP		 4002static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4003 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4004{
4005 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4006 u16 type, result;
4007
4008 type = __le16_to_cpu(rsp->type);
4009 result = __le16_to_cpu(rsp->result);
4010
4011 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4012
e90165be
AE		 4013 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4014 if (cmd->ident != conn->info_ident ||
2d792818 4015 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4016 return 0;
4017
17cd3f37 4018 cancel_delayed_work(&conn->info_timer);
4e8402a3 4019
adb08ede
VT		 4020 if (result != L2CAP_IR_SUCCESS) {
4021 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4022 conn->info_ident = 0;
4023
4024 l2cap_conn_start(conn);
4025
4026 return 0;
4027 }
4028
978c93b9
AE		 4029 switch (type) {
4030 case L2CAP_IT_FEAT_MASK:
83985319 4031 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4032
47ec1dcd 4033 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4034 struct l2cap_info_req req;
ac73498c 4035 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4036
4037 conn->info_ident = l2cap_get_ident(conn);
4038
4039 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4040 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4041 } else {
4042 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4043 conn->info_ident = 0;
4044
4045 l2cap_conn_start(conn);
4046 }
978c93b9
AE		 4047 break;
4048
4049 case L2CAP_IT_FIXED_CHAN:
4050 conn->fixed_chan_mask = rsp->data[0];
984947dc 4051 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4052 conn->info_ident = 0;
984947dc
MH		 4053
4054 l2cap_conn_start(conn);
978c93b9 4055 break;
984947dc 4056 }
4e8402a3 4057
1da177e4
LT		 4058 return 0;
4059}
4060
1700915f
MM		 4061static int l2cap_create_channel_req(struct l2cap_conn *conn,
4062 struct l2cap_cmd_hdr *cmd,
4063 u16 cmd_len, void *data)
f94ff6ff
MM		 4064{
4065 struct l2cap_create_chan_req *req = data;
1700915f 4066 struct l2cap_chan *chan;
f94ff6ff
MM		 4067 u16 psm, scid;
4068
4069 if (cmd_len != sizeof(*req))
4070 return -EPROTO;
4071
4072 if (!enable_hs)
4073 return -EINVAL;
4074
4075 psm = le16_to_cpu(req->psm);
4076 scid = le16_to_cpu(req->scid);
4077
ad0ac6ca 4078 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4079
1700915f
MM		 4080 if (req->amp_id) {
4081 struct hci_dev *hdev;
4082
4083 /* Validate AMP controller id */
4084 hdev = hci_dev_get(req->amp_id);
4085 if (!hdev || hdev->dev_type != HCI_AMP ||
4086 !test_bit(HCI_UP, &hdev->flags)) {
4087 struct l2cap_create_chan_rsp rsp;
4088
4089 rsp.dcid = 0;
4090 rsp.scid = cpu_to_le16(scid);
4091 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4092 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4093
4094 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4095 sizeof(rsp), &rsp);
4096
4097 if (hdev)
4098 hci_dev_put(hdev);
4099
4100 return 0;
4101 }
4102
4103 hci_dev_put(hdev);
4104 }
f94ff6ff 4105
1700915f
MM		 4106 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4107 req->amp_id);
f94ff6ff
MM		 4108
4109 return 0;
4110}
4111
8d5a04a1 4112static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4113 u16 icid, u16 result)
8d5a04a1
MM		 4114{
4115 struct l2cap_move_chan_rsp rsp;
4116
ad0ac6ca 4117 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4118
4119 rsp.icid = cpu_to_le16(icid);
4120 rsp.result = cpu_to_le16(result);
4121
4122 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
4123}
4124
4125static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4126 struct l2cap_chan *chan,
4127 u16 icid, u16 result)
8d5a04a1
MM		 4128{
4129 struct l2cap_move_chan_cfm cfm;
4130 u8 ident;
4131
ad0ac6ca 4132 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4133
4134 ident = l2cap_get_ident(conn);
4135 if (chan)
4136 chan->ident = ident;
4137
4138 cfm.icid = cpu_to_le16(icid);
4139 cfm.result = cpu_to_le16(result);
4140
4141 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4142}
4143
4144static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4145 u16 icid)
8d5a04a1
MM		 4146{
4147 struct l2cap_move_chan_cfm_rsp rsp;
4148
ad0ac6ca 4149 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4150
4151 rsp.icid = cpu_to_le16(icid);
4152 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4153}
4154
4155static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4156 struct l2cap_cmd_hdr *cmd,
4157 u16 cmd_len, void *data)
8d5a04a1
MM		 4158{
4159 struct l2cap_move_chan_req *req = data;
4160 u16 icid = 0;
4161 u16 result = L2CAP_MR_NOT_ALLOWED;
4162
4163 if (cmd_len != sizeof(*req))
4164 return -EPROTO;
4165
4166 icid = le16_to_cpu(req->icid);
4167
ad0ac6ca 4168 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4169
4170 if (!enable_hs)
4171 return -EINVAL;
4172
4173 /* Placeholder: Always refuse */
4174 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4175
4176 return 0;
4177}
4178
4179static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4180 struct l2cap_cmd_hdr *cmd,
4181 u16 cmd_len, void *data)
8d5a04a1
MM		 4182{
4183 struct l2cap_move_chan_rsp *rsp = data;
4184 u16 icid, result;
4185
4186 if (cmd_len != sizeof(*rsp))
4187 return -EPROTO;
4188
4189 icid = le16_to_cpu(rsp->icid);
4190 result = le16_to_cpu(rsp->result);
4191
ad0ac6ca 4192 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4193
4194 /* Placeholder: Always unconfirmed */
4195 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4196
4197 return 0;
4198}
4199
4200static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4201 struct l2cap_cmd_hdr *cmd,
4202 u16 cmd_len, void *data)
8d5a04a1
MM		 4203{
4204 struct l2cap_move_chan_cfm *cfm = data;
4205 u16 icid, result;
4206
4207 if (cmd_len != sizeof(*cfm))
4208 return -EPROTO;
4209
4210 icid = le16_to_cpu(cfm->icid);
4211 result = le16_to_cpu(cfm->result);
4212
ad0ac6ca 4213 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4214
4215 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4216
4217 return 0;
4218}
4219
4220static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4221 struct l2cap_cmd_hdr *cmd,
4222 u16 cmd_len, void *data)
8d5a04a1
MM		 4223{
4224 struct l2cap_move_chan_cfm_rsp *rsp = data;
4225 u16 icid;
4226
4227 if (cmd_len != sizeof(*rsp))
4228 return -EPROTO;
4229
4230 icid = le16_to_cpu(rsp->icid);
4231
ad0ac6ca 4232 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4233
4234 return 0;
4235}
4236
e2174ca4 4237static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4238 u16 to_multiplier)
de73115a
CT		 4239{
4240 u16 max_latency;
4241
4242 if (min > max || min < 6 || max > 3200)
4243 return -EINVAL;
4244
4245 if (to_multiplier < 10 || to_multiplier > 3200)
4246 return -EINVAL;
4247
4248 if (max >= to_multiplier * 8)
4249 return -EINVAL;
4250
4251 max_latency = (to_multiplier * 8 / max) - 1;
4252 if (latency > 499 || latency > max_latency)
4253 return -EINVAL;
4254
4255 return 0;
4256}
4257
4258static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4259 struct l2cap_cmd_hdr *cmd,
4260 u8 *data)
de73115a
CT		 4261{
4262 struct hci_conn *hcon = conn->hcon;
4263 struct l2cap_conn_param_update_req *req;
4264 struct l2cap_conn_param_update_rsp rsp;
4265 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4266 int err;
de73115a
CT		 4267
4268 if (!(hcon->link_mode & HCI_LM_MASTER))
4269 return -EINVAL;
4270
4271 cmd_len = __le16_to_cpu(cmd->len);
4272 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4273 return -EPROTO;
4274
4275 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4276 min = __le16_to_cpu(req->min);
4277 max = __le16_to_cpu(req->max);
de73115a
CT		 4278 latency = __le16_to_cpu(req->latency);
4279 to_multiplier = __le16_to_cpu(req->to_multiplier);
4280
4281 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4282 min, max, latency, to_multiplier);
de73115a
CT		 4283
4284 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4285
4286 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4287 if (err)
ac73498c 4288 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4289 else
ac73498c 4290 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4291
4292 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4293 sizeof(rsp), &rsp);
de73115a 4294
2ce603eb
CT		 4295 if (!err)
4296 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4297
de73115a
CT		 4298 return 0;
4299}
4300
3300d9a9 4301static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4302 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4303 u8 *data)
3300d9a9
CT		 4304{
4305 int err = 0;
4306
4307 switch (cmd->code) {
4308 case L2CAP_COMMAND_REJ:
4309 l2cap_command_rej(conn, cmd, data);
4310 break;
4311
4312 case L2CAP_CONN_REQ:
4313 err = l2cap_connect_req(conn, cmd, data);
4314 break;
4315
4316 case L2CAP_CONN_RSP:
f5a2598d 4317 case L2CAP_CREATE_CHAN_RSP:
5909cf30 4318 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 4319 break;
4320
4321 case L2CAP_CONF_REQ:
4322 err = l2cap_config_req(conn, cmd, cmd_len, data);
4323 break;
4324
4325 case L2CAP_CONF_RSP:
4326 err = l2cap_config_rsp(conn, cmd, data);
4327 break;
4328
4329 case L2CAP_DISCONN_REQ:
4330 err = l2cap_disconnect_req(conn, cmd, data);
4331 break;
4332
4333 case L2CAP_DISCONN_RSP:
4334 err = l2cap_disconnect_rsp(conn, cmd, data);
4335 break;
4336
4337 case L2CAP_ECHO_REQ:
4338 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4339 break;
4340
4341 case L2CAP_ECHO_RSP:
4342 break;
4343
4344 case L2CAP_INFO_REQ:
4345 err = l2cap_information_req(conn, cmd, data);
4346 break;
4347
4348 case L2CAP_INFO_RSP:
4349 err = l2cap_information_rsp(conn, cmd, data);
4350 break;
4351
f94ff6ff
MM		 4352 case L2CAP_CREATE_CHAN_REQ:
4353 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4354 break;
4355
8d5a04a1
MM		 4356 case L2CAP_MOVE_CHAN_REQ:
4357 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4358 break;
4359
4360 case L2CAP_MOVE_CHAN_RSP:
4361 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4362 break;
4363
4364 case L2CAP_MOVE_CHAN_CFM:
4365 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4366 break;
4367
4368 case L2CAP_MOVE_CHAN_CFM_RSP:
4369 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4370 break;
4371
3300d9a9
CT		 4372 default:
4373 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4374 err = -EINVAL;
4375 break;
4376 }
4377
4378 return err;
4379}
4380
4381static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 4382 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 4383{
4384 switch (cmd->code) {
4385 case L2CAP_COMMAND_REJ:
4386 return 0;
4387
4388 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4389 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4390
4391 case L2CAP_CONN_PARAM_UPDATE_RSP:
4392 return 0;
4393
4394 default:
4395 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4396 return -EINVAL;
4397 }
4398}
4399
4400static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 4401 struct sk_buff *skb)
1da177e4
LT		 4402{
4403 u8 *data = skb->data;
4404 int len = skb->len;
4405 struct l2cap_cmd_hdr cmd;
3300d9a9 4406 int err;
1da177e4
LT		 4407
4408 l2cap_raw_recv(conn, skb);
4409
4410 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4411 u16 cmd_len;
1da177e4
LT		 4412 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4413 data += L2CAP_CMD_HDR_SIZE;
4414 len -= L2CAP_CMD_HDR_SIZE;
4415
88219a0f 4416 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4417
2d792818
GP		 4418 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
4419 cmd.ident);
1da177e4 4420
88219a0f 4421 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4422 BT_DBG("corrupted command");
4423 break;
4424 }
4425
3300d9a9
CT		 4426 if (conn->hcon->type == LE_LINK)
4427 err = l2cap_le_sig_cmd(conn, &cmd, data);
4428 else
4429 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4430
4431 if (err) {
e2fd318e 4432 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4433
4434 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4435
4436 /* FIXME: Map err to a valid reason */
ac73498c 4437 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 4438 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
4439 sizeof(rej), &rej);
1da177e4
LT		 4440 }
4441
88219a0f
AV		 4442 data += cmd_len;
4443 len -= cmd_len;
1da177e4
LT		 4444 }
4445
4446 kfree_skb(skb);
4447}
4448
47d1ec61 4449static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4450{
4451 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4452 int hdr_size;
4453
4454 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4455 hdr_size = L2CAP_EXT_HDR_SIZE;
4456 else
4457 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4458
47d1ec61 4459 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4460 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4461 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4462 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4463
4464 if (our_fcs != rcv_fcs)
7a560e5c 4465 return -EBADMSG;
fcc203c3
GP		 4466 }
4467 return 0;
4468}
4469
6ea00485 4470static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4471{
e31f7633 4472 struct l2cap_ctrl control;
d5392c8f 4473
e31f7633 4474 BT_DBG("chan %p", chan);
d5392c8f 4475
e31f7633
MM		 4476 memset(&control, 0, sizeof(control));
4477 control.sframe = 1;
4478 control.final = 1;
4479 control.reqseq = chan->buffer_seq;
4480 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4481
e2ab4353 4482 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4483 control.super = L2CAP_SUPER_RNR;
4484 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4485 }
4486
e31f7633
MM		 4487 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4488 chan->unacked_frames > 0)
4489 __set_retrans_timer(chan);
d5392c8f 4490
e31f7633 4491 /* Send pending iframes */
525cd185 4492 l2cap_ertm_send(chan);
d5392c8f 4493
e2ab4353 4494 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4495 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4496 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4497 * send it now.
4498 */
4499 control.super = L2CAP_SUPER_RR;
4500 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4501 }
4502}
4503
2d792818
GP		 4504static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
4505 struct sk_buff **last_frag)
18778a63 4506{
84084a31
MM		 4507 /* skb->len reflects data in skb as well as all fragments
4508 * skb->data_len reflects only data in fragments
4509 */
4510 if (!skb_has_frag_list(skb))
4511 skb_shinfo(skb)->frag_list = new_frag;
4512
4513 new_frag->next = NULL;
4514
4515 (*last_frag)->next = new_frag;
4516 *last_frag = new_frag;
4517
4518 skb->len += new_frag->len;
4519 skb->data_len += new_frag->len;
4520 skb->truesize += new_frag->truesize;
4521}
4522
4b51dae9
MM		 4523static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4524 struct l2cap_ctrl *control)
84084a31
MM		 4525{
4526 int err = -EINVAL;
18778a63 4527
4b51dae9 4528 switch (control->sar) {
7e0ef6ee 4529 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4530 if (chan->sdu)
4531 break;
18778a63 4532
80b98027 4533 err = chan->ops->recv(chan, skb);
84084a31 4534 break;
18778a63 4535
7e0ef6ee 4536 case L2CAP_SAR_START:
84084a31
MM		 4537 if (chan->sdu)
4538 break;
18778a63 4539
6f61fd47 4540 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4541 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4542
84084a31
MM		 4543 if (chan->sdu_len > chan->imtu) {
4544 err = -EMSGSIZE;
4545 break;
4546 }
1890d36b 4547
84084a31
MM		 4548 if (skb->len >= chan->sdu_len)
4549 break;
18778a63 4550
84084a31
MM		 4551 chan->sdu = skb;
4552 chan->sdu_last_frag = skb;
18778a63 4553
84084a31
MM		 4554 skb = NULL;
4555 err = 0;
18778a63
GP		 4556 break;
4557
7e0ef6ee 4558 case L2CAP_SAR_CONTINUE:
6f61fd47 4559 if (!chan->sdu)
84084a31 4560 break;
18778a63 4561
84084a31
MM		 4562 append_skb_frag(chan->sdu, skb,
4563 &chan->sdu_last_frag);
4564 skb = NULL;
18778a63 4565
84084a31
MM		 4566 if (chan->sdu->len >= chan->sdu_len)
4567 break;
4178ba46 4568
84084a31 4569 err = 0;
18778a63
GP		 4570 break;
4571
7e0ef6ee 4572 case L2CAP_SAR_END:
6f61fd47 4573 if (!chan->sdu)
84084a31 4574 break;
18778a63 4575
84084a31
MM		 4576 append_skb_frag(chan->sdu, skb,
4577 &chan->sdu_last_frag);
4578 skb = NULL;
4178ba46 4579
84084a31
MM		 4580 if (chan->sdu->len != chan->sdu_len)
4581 break;
18778a63 4582
80b98027 4583 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4584
84084a31
MM		 4585 if (!err) {
4586 /* Reassembly complete */
4587 chan->sdu = NULL;
4588 chan->sdu_last_frag = NULL;
4589 chan->sdu_len = 0;
1890d36b 4590 }
18778a63
GP		 4591 break;
4592 }
4593
84084a31
MM		 4594 if (err) {
4595 kfree_skb(skb);
4596 kfree_skb(chan->sdu);
4597 chan->sdu = NULL;
4598 chan->sdu_last_frag = NULL;
4599 chan->sdu_len = 0;
4600 }
18778a63 4601
84084a31 4602 return err;
18778a63
GP		 4603}
4604
61aa4f5b 4605void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4606{
61aa4f5b 4607 u8 event;
712132eb 4608
61aa4f5b
MM		 4609 if (chan->mode != L2CAP_MODE_ERTM)
4610 return;
712132eb 4611
61aa4f5b 4612 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4613 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4614}
4615
d2a7ac5d
MM		 4616static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4617{
63838725
MM		 4618 int err = 0;
4619 /* Pass sequential frames to l2cap_reassemble_sdu()
4620 * until a gap is encountered.
4621 */
4622
4623 BT_DBG("chan %p", chan);
4624
4625 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4626 struct sk_buff *skb;
4627 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4628 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4629
4630 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4631
4632 if (!skb)
4633 break;
4634
4635 skb_unlink(skb, &chan->srej_q);
4636 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4637 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4638 if (err)
4639 break;
4640 }
4641
4642 if (skb_queue_empty(&chan->srej_q)) {
4643 chan->rx_state = L2CAP_RX_STATE_RECV;
4644 l2cap_send_ack(chan);
4645 }
4646
4647 return err;
d2a7ac5d
MM		 4648}
4649
4650static void l2cap_handle_srej(struct l2cap_chan *chan,
4651 struct l2cap_ctrl *control)
4652{
f80842a8
MM		 4653 struct sk_buff *skb;
4654
4655 BT_DBG("chan %p, control %p", chan, control);
4656
4657 if (control->reqseq == chan->next_tx_seq) {
4658 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4659 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4660 return;
4661 }
4662
4663 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4664
4665 if (skb == NULL) {
4666 BT_DBG("Seq %d not available for retransmission",
4667 control->reqseq);
4668 return;
4669 }
4670
4671 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4672 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4673 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4674 return;
4675 }
4676
4677 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4678
4679 if (control->poll) {
4680 l2cap_pass_to_tx(chan, control);
4681
4682 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4683 l2cap_retransmit(chan, control);
4684 l2cap_ertm_send(chan);
4685
4686 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4687 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4688 chan->srej_save_reqseq = control->reqseq;
4689 }
4690 } else {
4691 l2cap_pass_to_tx_fbit(chan, control);
4692
4693 if (control->final) {
4694 if (chan->srej_save_reqseq != control->reqseq ||
4695 !test_and_clear_bit(CONN_SREJ_ACT,
4696 &chan->conn_state))
4697 l2cap_retransmit(chan, control);
4698 } else {
4699 l2cap_retransmit(chan, control);
4700 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4701 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4702 chan->srej_save_reqseq = control->reqseq;
4703 }
4704 }
4705 }
d2a7ac5d
MM		 4706}
4707
4708static void l2cap_handle_rej(struct l2cap_chan *chan,
4709 struct l2cap_ctrl *control)
4710{
fcd289df
MM		 4711 struct sk_buff *skb;
4712
4713 BT_DBG("chan %p, control %p", chan, control);
4714
4715 if (control->reqseq == chan->next_tx_seq) {
4716 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4717 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4718 return;
4719 }
4720
4721 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4722
4723 if (chan->max_tx && skb &&
4724 bt_cb(skb)->control.retries >= chan->max_tx) {
4725 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4726 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4727 return;
4728 }
4729
4730 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4731
4732 l2cap_pass_to_tx(chan, control);
4733
4734 if (control->final) {
4735 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4736 l2cap_retransmit_all(chan, control);
4737 } else {
4738 l2cap_retransmit_all(chan, control);
4739 l2cap_ertm_send(chan);
4740 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4741 set_bit(CONN_REJ_ACT, &chan->conn_state);
4742 }
d2a7ac5d
MM		 4743}
4744
4b51dae9
MM		 4745static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4746{
4747 BT_DBG("chan %p, txseq %d", chan, txseq);
4748
4749 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4750 chan->expected_tx_seq);
4751
4752 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4753 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 4754 chan->tx_win) {
4b51dae9
MM		 4755 /* See notes below regarding "double poll" and
4756 * invalid packets.
4757 */
4758 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4759 BT_DBG("Invalid/Ignore - after SREJ");
4760 return L2CAP_TXSEQ_INVALID_IGNORE;
4761 } else {
4762 BT_DBG("Invalid - in window after SREJ sent");
4763 return L2CAP_TXSEQ_INVALID;
4764 }
4765 }
4766
4767 if (chan->srej_list.head == txseq) {
4768 BT_DBG("Expected SREJ");
4769 return L2CAP_TXSEQ_EXPECTED_SREJ;
4770 }
4771
4772 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4773 BT_DBG("Duplicate SREJ - txseq already stored");
4774 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4775 }
4776
4777 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4778 BT_DBG("Unexpected SREJ - not requested");
4779 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4780 }
4781 }
4782
4783 if (chan->expected_tx_seq == txseq) {
4784 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4785 chan->tx_win) {
4786 BT_DBG("Invalid - txseq outside tx window");
4787 return L2CAP_TXSEQ_INVALID;
4788 } else {
4789 BT_DBG("Expected");
4790 return L2CAP_TXSEQ_EXPECTED;
4791 }
4792 }
4793
4794 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 4795 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 4796 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4797 return L2CAP_TXSEQ_DUPLICATE;
4798 }
4799
4800 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4801 /* A source of invalid packets is a "double poll" condition,
4802 * where delays cause us to send multiple poll packets. If
4803 * the remote stack receives and processes both polls,
4804 * sequence numbers can wrap around in such a way that a
4805 * resent frame has a sequence number that looks like new data
4806 * with a sequence gap. This would trigger an erroneous SREJ
4807 * request.
4808 *
4809 * Fortunately, this is impossible with a tx window that's
4810 * less than half of the maximum sequence number, which allows
4811 * invalid frames to be safely ignored.
4812 *
4813 * With tx window sizes greater than half of the tx window
4814 * maximum, the frame is invalid and cannot be ignored. This
4815 * causes a disconnect.
4816 */
4817
4818 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4819 BT_DBG("Invalid/Ignore - txseq outside tx window");
4820 return L2CAP_TXSEQ_INVALID_IGNORE;
4821 } else {
4822 BT_DBG("Invalid - txseq outside tx window");
4823 return L2CAP_TXSEQ_INVALID;
4824 }
4825 } else {
4826 BT_DBG("Unexpected - txseq indicates missing frames");
4827 return L2CAP_TXSEQ_UNEXPECTED;
4828 }
4829}
4830
d2a7ac5d
MM		 4831static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4832 struct l2cap_ctrl *control,
4833 struct sk_buff *skb, u8 event)
4834{
4835 int err = 0;
4836 bool skb_in_use = 0;
4837
4838 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4839 event);
4840
4841 switch (event) {
4842 case L2CAP_EV_RECV_IFRAME:
4843 switch (l2cap_classify_txseq(chan, control->txseq)) {
4844 case L2CAP_TXSEQ_EXPECTED:
4845 l2cap_pass_to_tx(chan, control);
4846
4847 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4848 BT_DBG("Busy, discarding expected seq %d",
4849 control->txseq);
4850 break;
4851 }
4852
4853 chan->expected_tx_seq = __next_seq(chan,
4854 control->txseq);
4855
4856 chan->buffer_seq = chan->expected_tx_seq;
4857 skb_in_use = 1;
4858
4859 err = l2cap_reassemble_sdu(chan, skb, control);
4860 if (err)
4861 break;
4862
4863 if (control->final) {
4864 if (!test_and_clear_bit(CONN_REJ_ACT,
4865 &chan->conn_state)) {
4866 control->final = 0;
4867 l2cap_retransmit_all(chan, control);
4868 l2cap_ertm_send(chan);
4869 }
4870 }
4871
4872 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4873 l2cap_send_ack(chan);
4874 break;
4875 case L2CAP_TXSEQ_UNEXPECTED:
4876 l2cap_pass_to_tx(chan, control);
4877
4878 /* Can't issue SREJ frames in the local busy state.
4879 * Drop this frame, it will be seen as missing
4880 * when local busy is exited.
4881 */
4882 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4883 BT_DBG("Busy, discarding unexpected seq %d",
4884 control->txseq);
4885 break;
4886 }
4887
4888 /* There was a gap in the sequence, so an SREJ
4889 * must be sent for each missing frame. The
4890 * current frame is stored for later use.
4891 */
4892 skb_queue_tail(&chan->srej_q, skb);
4893 skb_in_use = 1;
4894 BT_DBG("Queued %p (queue len %d)", skb,
4895 skb_queue_len(&chan->srej_q));
4896
4897 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4898 l2cap_seq_list_clear(&chan->srej_list);
4899 l2cap_send_srej(chan, control->txseq);
4900
4901 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4902 break;
4903 case L2CAP_TXSEQ_DUPLICATE:
4904 l2cap_pass_to_tx(chan, control);
4905 break;
4906 case L2CAP_TXSEQ_INVALID_IGNORE:
4907 break;
4908 case L2CAP_TXSEQ_INVALID:
4909 default:
4910 l2cap_send_disconn_req(chan->conn, chan,
4911 ECONNRESET);
4912 break;
4913 }
4914 break;
4915 case L2CAP_EV_RECV_RR:
4916 l2cap_pass_to_tx(chan, control);
4917 if (control->final) {
4918 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4919
4920 if (!test_and_clear_bit(CONN_REJ_ACT,
4921 &chan->conn_state)) {
4922 control->final = 0;
4923 l2cap_retransmit_all(chan, control);
4924 }
4925
4926 l2cap_ertm_send(chan);
4927 } else if (control->poll) {
4928 l2cap_send_i_or_rr_or_rnr(chan);
4929 } else {
4930 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4931 &chan->conn_state) &&
4932 chan->unacked_frames)
4933 __set_retrans_timer(chan);
4934
4935 l2cap_ertm_send(chan);
4936 }
4937 break;
4938 case L2CAP_EV_RECV_RNR:
4939 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4940 l2cap_pass_to_tx(chan, control);
4941 if (control && control->poll) {
4942 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4943 l2cap_send_rr_or_rnr(chan, 0);
4944 }
4945 __clear_retrans_timer(chan);
4946 l2cap_seq_list_clear(&chan->retrans_list);
4947 break;
4948 case L2CAP_EV_RECV_REJ:
4949 l2cap_handle_rej(chan, control);
4950 break;
4951 case L2CAP_EV_RECV_SREJ:
4952 l2cap_handle_srej(chan, control);
4953 break;
4954 default:
4955 break;
4956 }
4957
4958 if (skb && !skb_in_use) {
4959 BT_DBG("Freeing %p", skb);
4960 kfree_skb(skb);
4961 }
4962
4963 return err;
4964}
4965
4966static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4967 struct l2cap_ctrl *control,
4968 struct sk_buff *skb, u8 event)
4969{
4970 int err = 0;
4971 u16 txseq = control->txseq;
4972 bool skb_in_use = 0;
4973
4974 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4975 event);
4976
4977 switch (event) {
4978 case L2CAP_EV_RECV_IFRAME:
4979 switch (l2cap_classify_txseq(chan, txseq)) {
4980 case L2CAP_TXSEQ_EXPECTED:
4981 /* Keep frame for reassembly later */
4982 l2cap_pass_to_tx(chan, control);
4983 skb_queue_tail(&chan->srej_q, skb);
4984 skb_in_use = 1;
4985 BT_DBG("Queued %p (queue len %d)", skb,
4986 skb_queue_len(&chan->srej_q));
4987
4988 chan->expected_tx_seq = __next_seq(chan, txseq);
4989 break;
4990 case L2CAP_TXSEQ_EXPECTED_SREJ:
4991 l2cap_seq_list_pop(&chan->srej_list);
4992
4993 l2cap_pass_to_tx(chan, control);
4994 skb_queue_tail(&chan->srej_q, skb);
4995 skb_in_use = 1;
4996 BT_DBG("Queued %p (queue len %d)", skb,
4997 skb_queue_len(&chan->srej_q));
4998
4999 err = l2cap_rx_queued_iframes(chan);
5000 if (err)
5001 break;
5002
5003 break;
5004 case L2CAP_TXSEQ_UNEXPECTED:
5005 /* Got a frame that can't be reassembled yet.
5006 * Save it for later, and send SREJs to cover
5007 * the missing frames.
5008 */
5009 skb_queue_tail(&chan->srej_q, skb);
5010 skb_in_use = 1;
5011 BT_DBG("Queued %p (queue len %d)", skb,
5012 skb_queue_len(&chan->srej_q));
5013
5014 l2cap_pass_to_tx(chan, control);
5015 l2cap_send_srej(chan, control->txseq);
5016 break;
5017 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5018 /* This frame was requested with an SREJ, but
5019 * some expected retransmitted frames are
5020 * missing. Request retransmission of missing
5021 * SREJ'd frames.
5022 */
5023 skb_queue_tail(&chan->srej_q, skb);
5024 skb_in_use = 1;
5025 BT_DBG("Queued %p (queue len %d)", skb,
5026 skb_queue_len(&chan->srej_q));
5027
5028 l2cap_pass_to_tx(chan, control);
5029 l2cap_send_srej_list(chan, control->txseq);
5030 break;
5031 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5032 /* We've already queued this frame. Drop this copy. */
5033 l2cap_pass_to_tx(chan, control);
5034 break;
5035 case L2CAP_TXSEQ_DUPLICATE:
5036 /* Expecting a later sequence number, so this frame
5037 * was already received. Ignore it completely.
5038 */
5039 break;
5040 case L2CAP_TXSEQ_INVALID_IGNORE:
5041 break;
5042 case L2CAP_TXSEQ_INVALID:
5043 default:
5044 l2cap_send_disconn_req(chan->conn, chan,
5045 ECONNRESET);
5046 break;
5047 }
5048 break;
5049 case L2CAP_EV_RECV_RR:
5050 l2cap_pass_to_tx(chan, control);
5051 if (control->final) {
5052 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5053
5054 if (!test_and_clear_bit(CONN_REJ_ACT,
5055 &chan->conn_state)) {
5056 control->final = 0;
5057 l2cap_retransmit_all(chan, control);
5058 }
5059
5060 l2cap_ertm_send(chan);
5061 } else if (control->poll) {
5062 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5063 &chan->conn_state) &&
5064 chan->unacked_frames) {
5065 __set_retrans_timer(chan);
5066 }
5067
5068 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5069 l2cap_send_srej_tail(chan);
5070 } else {
5071 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5072 &chan->conn_state) &&
5073 chan->unacked_frames)
5074 __set_retrans_timer(chan);
5075
5076 l2cap_send_ack(chan);
5077 }
5078 break;
5079 case L2CAP_EV_RECV_RNR:
5080 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5081 l2cap_pass_to_tx(chan, control);
5082 if (control->poll) {
5083 l2cap_send_srej_tail(chan);
5084 } else {
5085 struct l2cap_ctrl rr_control;
5086 memset(&rr_control, 0, sizeof(rr_control));
5087 rr_control.sframe = 1;
5088 rr_control.super = L2CAP_SUPER_RR;
5089 rr_control.reqseq = chan->buffer_seq;
5090 l2cap_send_sframe(chan, &rr_control);
5091 }
5092
5093 break;
5094 case L2CAP_EV_RECV_REJ:
5095 l2cap_handle_rej(chan, control);
5096 break;
5097 case L2CAP_EV_RECV_SREJ:
5098 l2cap_handle_srej(chan, control);
5099 break;
5100 }
5101
5102 if (skb && !skb_in_use) {
5103 BT_DBG("Freeing %p", skb);
5104 kfree_skb(skb);
5105 }
5106
5107 return err;
5108}
5109
5110static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5111{
5112 /* Make sure reqseq is for a packet that has been sent but not acked */
5113 u16 unacked;
5114
5115 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5116 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5117}
5118
cec8ab6e
MM		 5119static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5120 struct sk_buff *skb, u8 event)
218bb9df 5121{
d2a7ac5d
MM		 5122 int err = 0;
5123
5124 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5125 control, skb, event, chan->rx_state);
5126
5127 if (__valid_reqseq(chan, control->reqseq)) {
5128 switch (chan->rx_state) {
5129 case L2CAP_RX_STATE_RECV:
5130 err = l2cap_rx_state_recv(chan, control, skb, event);
5131 break;
5132 case L2CAP_RX_STATE_SREJ_SENT:
5133 err = l2cap_rx_state_srej_sent(chan, control, skb,
5134 event);
5135 break;
5136 default:
5137 /* shut it down */
5138 break;
5139 }
5140 } else {
5141 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5142 control->reqseq, chan->next_tx_seq,
5143 chan->expected_ack_seq);
5144 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5145 }
5146
5147 return err;
cec8ab6e
MM		 5148}
5149
5150static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5151 struct sk_buff *skb)
5152{
4b51dae9
MM		 5153 int err = 0;
5154
5155 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5156 chan->rx_state);
5157
5158 if (l2cap_classify_txseq(chan, control->txseq) ==
5159 L2CAP_TXSEQ_EXPECTED) {
5160 l2cap_pass_to_tx(chan, control);
5161
5162 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5163 __next_seq(chan, chan->buffer_seq));
5164
5165 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5166
5167 l2cap_reassemble_sdu(chan, skb, control);
5168 } else {
5169 if (chan->sdu) {
5170 kfree_skb(chan->sdu);
5171 chan->sdu = NULL;
5172 }
5173 chan->sdu_last_frag = NULL;
5174 chan->sdu_len = 0;
5175
5176 if (skb) {
5177 BT_DBG("Freeing %p", skb);
5178 kfree_skb(skb);
5179 }
5180 }
5181
5182 chan->last_acked_seq = control->txseq;
5183 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5184
5185 return err;
cec8ab6e
MM		 5186}
5187
5188static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5189{
5190 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5191 u16 len;
5192 u8 event;
218bb9df 5193
b76bbd66
MM		 5194 __unpack_control(chan, skb);
5195
218bb9df
GP		 5196 len = skb->len;
5197
5198 /*
5199 * We can just drop the corrupted I-frame here.
5200 * Receiver will miss it and start proper recovery
cec8ab6e 5201 * procedures and ask for retransmission.
218bb9df 5202 */
47d1ec61 5203 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5204 goto drop;
5205
cec8ab6e 5206 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5207 len -= L2CAP_SDULEN_SIZE;
218bb9df 5208
47d1ec61 5209 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5210 len -= L2CAP_FCS_SIZE;
218bb9df 5211
47d1ec61 5212 if (len > chan->mps) {
8c1d787b 5213 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5214 goto drop;
5215 }
5216
cec8ab6e
MM		 5217 if (!control->sframe) {
5218 int err;
218bb9df 5219
cec8ab6e
MM		 5220 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5221 control->sar, control->reqseq, control->final,
5222 control->txseq);
218bb9df 5223
cec8ab6e
MM		 5224 /* Validate F-bit - F=0 always valid, F=1 only
5225 * valid in TX WAIT_F
5226 */
5227 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5228 goto drop;
cec8ab6e
MM		 5229
5230 if (chan->mode != L2CAP_MODE_STREAMING) {
5231 event = L2CAP_EV_RECV_IFRAME;
5232 err = l2cap_rx(chan, control, skb, event);
5233 } else {
5234 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5235 }
5236
cec8ab6e
MM		 5237 if (err)
5238 l2cap_send_disconn_req(chan->conn, chan,
5239 ECONNRESET);
218bb9df 5240 } else {
cec8ab6e
MM		 5241 const u8 rx_func_to_event[4] = {
5242 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5243 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5244 };
5245
5246 /* Only I-frames are expected in streaming mode */
5247 if (chan->mode == L2CAP_MODE_STREAMING)
5248 goto drop;
5249
5250 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5251 control->reqseq, control->final, control->poll,
5252 control->super);
5253
218bb9df
GP		 5254 if (len != 0) {
5255 BT_ERR("%d", len);
8c1d787b 5256 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5257 goto drop;
5258 }
5259
cec8ab6e
MM		 5260 /* Validate F and P bits */
5261 if (control->final && (control->poll ||
5262 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5263 goto drop;
5264
5265 event = rx_func_to_event[control->super];
5266 if (l2cap_rx(chan, control, skb, event))
5267 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5268 }
5269
5270 return 0;
5271
5272drop:
5273 kfree_skb(skb);
5274 return 0;
5275}
5276
13ca56e0
AE		 5277static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5278 struct sk_buff *skb)
1da177e4 5279{
48454079 5280 struct l2cap_chan *chan;
1da177e4 5281
baa7e1fa 5282 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5283 if (!chan) {
97e8e89d
AE		 5284 if (cid == L2CAP_CID_A2MP) {
5285 chan = a2mp_channel_create(conn, skb);
5286 if (!chan) {
5287 kfree_skb(skb);
13ca56e0 5288 return;
97e8e89d
AE		 5289 }
5290
5291 l2cap_chan_lock(chan);
5292 } else {
5293 BT_DBG("unknown cid 0x%4.4x", cid);
5294 /* Drop packet and return */
5295 kfree_skb(skb);
13ca56e0 5296 return;
97e8e89d 5297 }
1da177e4
LT		 5298 }
5299
49208c9c 5300 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5301
89bc500e 5302 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5303 goto drop;
5304
0c1bc5c6 5305 switch (chan->mode) {
1c2acffb
GP		 5306 case L2CAP_MODE_BASIC:
5307 /* If socket recv buffers overflows we drop data here
5308 * which is *bad* because L2CAP has to be reliable.
5309 * But we don't have any other choice. L2CAP doesn't
5310 * provide flow control mechanism. */
1da177e4 5311
0c1bc5c6 5312 if (chan->imtu < skb->len)
1c2acffb 5313 goto drop;
1da177e4 5314
80b98027 5315 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5316 goto done;
5317 break;
5318
5319 case L2CAP_MODE_ERTM:
6840ed07 5320 case L2CAP_MODE_STREAMING:
cec8ab6e 5321 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5322 goto done;
5323
1c2acffb 5324 default:
0c1bc5c6 5325 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5326 break;
5327 }
1da177e4
LT		 5328
5329drop:
5330 kfree_skb(skb);
5331
5332done:
6be36555 5333 l2cap_chan_unlock(chan);
1da177e4
LT		 5334}
5335
84104b24
AE		 5336static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5337 struct sk_buff *skb)
1da177e4 5338{
23691d75 5339 struct l2cap_chan *chan;
1da177e4 5340
c2287681 5341 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5342 if (!chan)
1da177e4
LT		 5343 goto drop;
5344
5b4cedaa 5345 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5346
89bc500e 5347 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5348 goto drop;
5349
e13e21dc 5350 if (chan->imtu < skb->len)
1da177e4
LT		 5351 goto drop;
5352
80b98027 5353 if (!chan->ops->recv(chan, skb))
84104b24 5354 return;
1da177e4
LT		 5355
5356drop:
5357 kfree_skb(skb);
1da177e4
LT		 5358}
5359
6810fca7
AE		 5360static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5361 struct sk_buff *skb)
9f69bda6 5362{
23691d75 5363 struct l2cap_chan *chan;
9f69bda6 5364
c2287681 5365 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5366 if (!chan)
9f69bda6
GP		 5367 goto drop;
5368
5b4cedaa 5369 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5370
89bc500e 5371 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5372 goto drop;
5373
e13e21dc 5374 if (chan->imtu < skb->len)
9f69bda6
GP		 5375 goto drop;
5376
80b98027 5377 if (!chan->ops->recv(chan, skb))
6810fca7 5378 return;
9f69bda6
GP		 5379
5380drop:
5381 kfree_skb(skb);
9f69bda6
GP		 5382}
5383
1da177e4
LT		 5384static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5385{
5386 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5387 u16 cid, len;
5388 __le16 psm;
1da177e4
LT		 5389
5390 skb_pull(skb, L2CAP_HDR_SIZE);
5391 cid = __le16_to_cpu(lh->cid);
5392 len = __le16_to_cpu(lh->len);
5393
1c2acffb
GP		 5394 if (len != skb->len) {
5395 kfree_skb(skb);
5396 return;
5397 }
5398
1da177e4
LT		 5399 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5400
5401 switch (cid) {
3300d9a9 5402 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5403 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5404 l2cap_sig_channel(conn, skb);
5405 break;
5406
8db4dc46 5407 case L2CAP_CID_CONN_LESS:
097db76c 5408 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5409 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5410 l2cap_conless_channel(conn, psm, skb);
5411 break;
5412
9f69bda6
GP		 5413 case L2CAP_CID_LE_DATA:
5414 l2cap_att_channel(conn, cid, skb);
5415 break;
5416
b501d6a1
AB		 5417 case L2CAP_CID_SMP:
5418 if (smp_sig_channel(conn, skb))
5419 l2cap_conn_del(conn->hcon, EACCES);
5420 break;
5421
1da177e4
LT		 5422 default:
5423 l2cap_data_channel(conn, cid, skb);
5424 break;
5425 }
5426}
5427
5428/* ---- L2CAP interface with lower layer (HCI) ---- */
5429
686ebf28 5430int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5431{
5432 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5433 struct l2cap_chan *c;
1da177e4 5434
6ed93dc6 5435 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 5436
5437 /* Find listening sockets and check their link_mode */
23691d75
GP		 5438 read_lock(&chan_list_lock);
5439 list_for_each_entry(c, &chan_list, global_l) {
5440 struct sock *sk = c->sk;
4343478f 5441
89bc500e 5442 if (c->state != BT_LISTEN)
1da177e4
LT		 5443 continue;
5444
5445 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5446 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5447 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5448 lm1 |= HCI_LM_MASTER;
1da177e4 5449 exact++;
2af6b9d5
MH		 5450 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5451 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5452 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5453 lm2 |= HCI_LM_MASTER;
5454 }
1da177e4 5455 }
23691d75 5456 read_unlock(&chan_list_lock);
1da177e4
LT		 5457
5458 return exact ? lm1 : lm2;
5459}
5460
9e664631 5461void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5462{
0139418c
MH		 5463 struct l2cap_conn *conn;
5464
6ed93dc6 5465 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 5466
1da177e4 5467 if (!status) {
1da177e4
LT		 5468 conn = l2cap_conn_add(hcon, status);
5469 if (conn)
5470 l2cap_conn_ready(conn);
0139418c 5471 } else
e175072f 5472 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 5473
1da177e4
LT		 5474}
5475
686ebf28 5476int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5477{
5478 struct l2cap_conn *conn = hcon->l2cap_data;
5479
5480 BT_DBG("hcon %p", hcon);
5481
686ebf28 5482 if (!conn)
9f5a0d7b 5483 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5484 return conn->disc_reason;
5485}
5486
9e664631 5487void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5488{
5489 BT_DBG("hcon %p reason %d", hcon, reason);
5490
e175072f 5491 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5492}
5493
4343478f 5494static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5495{
715ec005 5496 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5497 return;
5498
f62e4323 5499 if (encrypt == 0x00) {
4343478f 5500 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5501 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5502 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5503 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5504 } else {
4343478f 5505 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5506 __clear_chan_timer(chan);
f62e4323
MH		 5507 }
5508}
5509
686ebf28 5510int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5511{
0139418c 5512 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5513 struct l2cap_chan *chan;
1da177e4 5514
0139418c 5515 if (!conn)
1da177e4 5516 return 0;
0139418c 5517
89d8b407 5518 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5519
160dc6ac 5520 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5521 if (!status && encrypt)
5522 smp_distribute_keys(conn, 0);
17cd3f37 5523 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5524 }
5525
3df91ea2 5526 mutex_lock(&conn->chan_lock);
1da177e4 5527
3df91ea2 5528 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5529 l2cap_chan_lock(chan);
1da177e4 5530
89d8b407
AE		 5531 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5532 state_to_string(chan->state));
f1cb9af5 5533
78eb2f98
AE		 5534 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5535 l2cap_chan_unlock(chan);
5536 continue;
5537 }
5538
f1cb9af5
VCG		 5539 if (chan->scid == L2CAP_CID_LE_DATA) {
5540 if (!status && encrypt) {
5541 chan->sec_level = hcon->sec_level;
cf4cd009 5542 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5543 }
5544
6be36555 5545 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5546 continue;
5547 }
5548
c1360a1c 5549 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5550 l2cap_chan_unlock(chan);
6a8d3010
MH		 5551 continue;
5552 }
5553
89bc500e 5554 if (!status && (chan->state == BT_CONNECTED ||
2d792818 5555 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5556 struct sock *sk = chan->sk;
5557
c5daa683 5558 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5559 sk->sk_state_change(sk);
5560
4343478f 5561 l2cap_check_encryption(chan, encrypt);
6be36555 5562 l2cap_chan_unlock(chan);
9719f8af
MH		 5563 continue;
5564 }
5565
89bc500e 5566 if (chan->state == BT_CONNECT) {
b1235d79 5567 if (!status) {
93c3e8f5 5568 l2cap_start_connection(chan);
b1235d79 5569 } else {
ba13ccd9 5570 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5571 }
89bc500e 5572 } else if (chan->state == BT_CONNECT2) {
6be36555 5573 struct sock *sk = chan->sk;
b1235d79 5574 struct l2cap_conn_rsp rsp;
df3c3931 5575 __u16 res, stat;
1da177e4 5576
6be36555
AE		 5577 lock_sock(sk);
5578
b1235d79 5579 if (!status) {
c5daa683
GP		 5580 if (test_bit(BT_SK_DEFER_SETUP,
5581 &bt_sk(sk)->flags)) {
df3c3931
JH		 5582 res = L2CAP_CR_PEND;
5583 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 5584 chan->ops->defer(chan);
df3c3931 5585 } else {
0e587be7 5586 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5587 res = L2CAP_CR_SUCCESS;
5588 stat = L2CAP_CS_NO_INFO;
5589 }
b1235d79 5590 } else {
0e587be7 5591 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5592 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5593 res = L2CAP_CR_SEC_BLOCK;
5594 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5595 }
5596
6be36555
AE		 5597 release_sock(sk);
5598
fe4128e0
GP		 5599 rsp.scid = cpu_to_le16(chan->dcid);
5600 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5601 rsp.result = cpu_to_le16(res);
5602 rsp.status = cpu_to_le16(stat);
fc7f8a7e 5603 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 5604 sizeof(rsp), &rsp);
2d369359
MM		 5605
5606 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5607 res == L2CAP_CR_SUCCESS) {
5608 char buf[128];
5609 set_bit(CONF_REQ_SENT, &chan->conf_state);
5610 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5611 L2CAP_CONF_REQ,
5612 l2cap_build_conf_req(chan, buf),
5613 buf);
5614 chan->num_conf_req++;
5615 }
b1235d79 5616 }
1da177e4 5617
6be36555 5618 l2cap_chan_unlock(chan);
1da177e4
LT		 5619 }
5620
3df91ea2 5621 mutex_unlock(&conn->chan_lock);
b1235d79 5622
1da177e4
LT		 5623 return 0;
5624}
5625
686ebf28 5626int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5627{
5628 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 5629 struct l2cap_hdr *hdr;
5630 int len;
1da177e4 5631
1d13a254
AE		 5632 /* For AMP controller do not create l2cap conn */
5633 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
5634 goto drop;
1da177e4 5635
5a08ecce
AE		 5636 if (!conn)
5637 conn = l2cap_conn_add(hcon, 0);
5638
5639 if (!conn)
1da177e4
LT		 5640 goto drop;
5641
5642 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5643
d73a0988
AE		 5644 switch (flags) {
5645 case ACL_START:
5646 case ACL_START_NO_FLUSH:
5647 case ACL_COMPLETE:
1da177e4
LT		 5648 if (conn->rx_len) {
5649 BT_ERR("Unexpected start frame (len %d)", skb->len);
5650 kfree_skb(conn->rx_skb);
5651 conn->rx_skb = NULL;
5652 conn->rx_len = 0;
5653 l2cap_conn_unreliable(conn, ECOMM);
5654 }
5655
aae7fe22
AE		 5656 /* Start fragment always begin with Basic L2CAP header */
5657 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5658 BT_ERR("Frame is too short (len %d)", skb->len);
5659 l2cap_conn_unreliable(conn, ECOMM);
5660 goto drop;
5661 }
5662
5663 hdr = (struct l2cap_hdr *) skb->data;
5664 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5665
5666 if (len == skb->len) {
5667 /* Complete frame received */
5668 l2cap_recv_frame(conn, skb);
5669 return 0;
5670 }
5671
5672 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5673
5674 if (skb->len > len) {
5675 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 5676 skb->len, len);
1da177e4
LT		 5677 l2cap_conn_unreliable(conn, ECOMM);
5678 goto drop;
5679 }
5680
5681 /* Allocate skb for the complete frame (with header) */
8bcde1f2 5682 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 5683 if (!conn->rx_skb)
1da177e4
LT		 5684 goto drop;
5685
d626f62b 5686 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5687 skb->len);
1da177e4 5688 conn->rx_len = len - skb->len;
d73a0988
AE		 5689 break;
5690
5691 case ACL_CONT:
1da177e4
LT		 5692 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5693
5694 if (!conn->rx_len) {
5695 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5696 l2cap_conn_unreliable(conn, ECOMM);
5697 goto drop;
5698 }
5699
5700 if (skb->len > conn->rx_len) {
5701 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 5702 skb->len, conn->rx_len);
1da177e4
LT		 5703 kfree_skb(conn->rx_skb);
5704 conn->rx_skb = NULL;
5705 conn->rx_len = 0;
5706 l2cap_conn_unreliable(conn, ECOMM);
5707 goto drop;
5708 }
5709
d626f62b 5710 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 5711 skb->len);
1da177e4
LT		 5712 conn->rx_len -= skb->len;
5713
5714 if (!conn->rx_len) {
5715 /* Complete frame received */
5716 l2cap_recv_frame(conn, conn->rx_skb);
5717 conn->rx_skb = NULL;
5718 }
d73a0988 5719 break;
1da177e4
LT		 5720 }
5721
5722drop:
5723 kfree_skb(skb);
5724 return 0;
5725}
5726
aef7d97c 5727static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5728{
23691d75 5729 struct l2cap_chan *c;
1da177e4 5730
333055f2 5731 read_lock(&chan_list_lock);
1da177e4 5732
23691d75
GP		 5733 list_for_each_entry(c, &chan_list, global_l) {
5734 struct sock *sk = c->sk;
101545f6 5735
fcb73338
AE		 5736 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5737 &bt_sk(sk)->src, &bt_sk(sk)->dst,
5738 c->state, __le16_to_cpu(c->psm),
5739 c->scid, c->dcid, c->imtu, c->omtu,
5740 c->sec_level, c->mode);
61e1b4b7 5741 }
1da177e4 5742
333055f2 5743 read_unlock(&chan_list_lock);
1da177e4 5744
aef7d97c 5745 return 0;
1da177e4
LT		 5746}
5747
aef7d97c
MH		 5748static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5749{
5750 return single_open(file, l2cap_debugfs_show, inode->i_private);
5751}
5752
5753static const struct file_operations l2cap_debugfs_fops = {
5754 .open = l2cap_debugfs_open,
5755 .read = seq_read,
5756 .llseek = seq_lseek,
5757 .release = single_release,
5758};
5759
5760static struct dentry *l2cap_debugfs;
1da177e4 5761
64274518 5762int __init l2cap_init(void)
1da177e4
LT		 5763{
5764 int err;
be9d1227 5765
bb58f747 5766 err = l2cap_init_sockets();
1da177e4
LT		 5767 if (err < 0)
5768 return err;
5769
aef7d97c 5770 if (bt_debugfs) {
2d792818
GP		 5771 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
5772 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 5773 if (!l2cap_debugfs)
5774 BT_ERR("Failed to create L2CAP debug file");
5775 }
1da177e4 5776
1da177e4 5777 return 0;
1da177e4
LT		 5778}
5779
64274518 5780void l2cap_exit(void)
1da177e4 5781{
aef7d97c 5782 debugfs_remove(l2cap_debugfs);
bb58f747 5783 l2cap_cleanup_sockets();
1da177e4
LT		 5784}
5785
d1c4a17d
GP		 5786module_param(disable_ertm, bool, 0644);
5787MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)