projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Use lmp_no_flush_capable where applicable
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4
LT		 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
608bcc6d
MM		 59 struct sk_buff_head *skbs, u8 event);
60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
baa7e1fa 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 64{
3df91ea2 65 struct l2cap_chan *c;
3d57dc68 66
3df91ea2
AE		 67 list_for_each_entry(c, &conn->chan_l, list) {
68 if (c->dcid == cid)
69 return c;
0139418c 70 }
3df91ea2 71 return NULL;
0139418c
MH		 72}
73
baa7e1fa 74static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 75{
3df91ea2 76 struct l2cap_chan *c;
3d57dc68 77
3df91ea2
AE		 78 list_for_each_entry(c, &conn->chan_l, list) {
79 if (c->scid == cid)
80 return c;
0139418c 81 }
3df91ea2 82 return NULL;
0139418c
MH		 83}
84
85/* Find channel with given SCID.
ef191ade 86 * Returns locked channel. */
baa7e1fa 87static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 88{
48454079 89 struct l2cap_chan *c;
baa7e1fa 90
3df91ea2 91 mutex_lock(&conn->chan_lock);
baa7e1fa 92 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 93 if (c)
94 l2cap_chan_lock(c);
3df91ea2
AE		 95 mutex_unlock(&conn->chan_lock);
96
48454079 97 return c;
0139418c
MH		 98}
99
baa7e1fa 100static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 101{
3df91ea2 102 struct l2cap_chan *c;
3d57dc68 103
3df91ea2
AE		 104 list_for_each_entry(c, &conn->chan_l, list) {
105 if (c->ident == ident)
106 return c;
0139418c 107 }
3df91ea2 108 return NULL;
0139418c
MH		 109}
110
23691d75 111static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 112{
23691d75 113 struct l2cap_chan *c;
9e4425ff 114
23691d75
GP		 115 list_for_each_entry(c, &chan_list, global_l) {
116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 117 return c;
9e4425ff 118 }
250938cb 119 return NULL;
9e4425ff
GP		 120}
121
122int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
123{
73b2ec18
GP		 124 int err;
125
333055f2 126 write_lock(&chan_list_lock);
9e4425ff 127
23691d75 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 129 err = -EADDRINUSE;
130 goto done;
9e4425ff
GP		 131 }
132
73b2ec18
GP		 133 if (psm) {
134 chan->psm = psm;
135 chan->sport = psm;
136 err = 0;
137 } else {
138 u16 p;
139
140 err = -EINVAL;
141 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 143 chan->psm = cpu_to_le16(p);
144 chan->sport = cpu_to_le16(p);
145 err = 0;
146 break;
147 }
148 }
9e4425ff 149
73b2ec18 150done:
333055f2 151 write_unlock(&chan_list_lock);
73b2ec18 152 return err;
9e4425ff
GP		 153}
154
155int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
156{
333055f2 157 write_lock(&chan_list_lock);
9e4425ff
GP		 158
159 chan->scid = scid;
160
333055f2 161 write_unlock(&chan_list_lock);
9e4425ff
GP		 162
163 return 0;
164}
165
baa7e1fa 166static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 167{
8db4dc46 168 u16 cid = L2CAP_CID_DYN_START;
0139418c 169
8db4dc46 170 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 171 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 172 return cid;
173 }
174
175 return 0;
176}
177
0e587be7 178static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 179{
42d2d87c 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 181 state_to_string(state));
182
89bc500e 183 chan->state = state;
80b98027 184 chan->ops->state_change(chan, state);
89bc500e
GP		 185}
186
0e587be7
AE		 187static void l2cap_state_change(struct l2cap_chan *chan, int state)
188{
189 struct sock *sk = chan->sk;
190
191 lock_sock(sk);
192 __l2cap_state_change(chan, state);
193 release_sock(sk);
194}
195
2e0052e4
AE		 196static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
197{
198 struct sock *sk = chan->sk;
199
200 sk->sk_err = err;
201}
202
203static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
204{
205 struct sock *sk = chan->sk;
206
207 lock_sock(sk);
208 __l2cap_chan_set_err(chan, err);
209 release_sock(sk);
210}
211
4239d16f
MM		 212static void __set_retrans_timer(struct l2cap_chan *chan)
213{
214 if (!delayed_work_pending(&chan->monitor_timer) &&
215 chan->retrans_timeout) {
216 l2cap_set_timer(chan, &chan->retrans_timer,
217 msecs_to_jiffies(chan->retrans_timeout));
218 }
219}
220
221static void __set_monitor_timer(struct l2cap_chan *chan)
222{
223 __clear_retrans_timer(chan);
224 if (chan->monitor_timeout) {
225 l2cap_set_timer(chan, &chan->monitor_timer,
226 msecs_to_jiffies(chan->monitor_timeout));
227 }
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
80b98027 385 chan->ops->close(chan);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 434 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 435 chan->sec_level = BT_SECURITY_LOW;
436
437 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
438}
439
14a28491 440static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 441{
af05b30b 442 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 443 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 444
9f5a0d7b 445 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 446
8c1d787b 447 chan->conn = conn;
0139418c 448
5491120e
AE		 449 switch (chan->chan_type) {
450 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 451 if (conn->hcon->type == LE_LINK) {
452 /* LE connection */
6fcb06a2 453 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 454 chan->scid = L2CAP_CID_LE_DATA;
455 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 456 } else {
457 /* Alloc CID for connection-oriented socket */
fe4128e0 458 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 459 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 460 }
5491120e
AE		 461 break;
462
463 case L2CAP_CHAN_CONN_LESS:
0139418c 464 /* Connectionless socket */
fe4128e0
GP		 465 chan->scid = L2CAP_CID_CONN_LESS;
466 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 467 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 468 break;
469
416fa752
AE		 470 case L2CAP_CHAN_CONN_FIX_A2MP:
471 chan->scid = L2CAP_CID_A2MP;
472 chan->dcid = L2CAP_CID_A2MP;
473 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
474 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
475 break;
476
5491120e 477 default:
0139418c 478 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 479 chan->scid = L2CAP_CID_SIGNALING;
480 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 481 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 482 }
483
8f7975b1
AE		 484 chan->local_id = L2CAP_BESTEFFORT_ID;
485 chan->local_stype = L2CAP_SERV_BESTEFFORT;
486 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
487 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
488 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
489 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
490
371fd835 491 l2cap_chan_hold(chan);
baa7e1fa 492
3df91ea2 493 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 494}
495
466f8004 496void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 497{
498 mutex_lock(&conn->chan_lock);
499 __l2cap_chan_add(conn, chan);
3df91ea2 500 mutex_unlock(&conn->chan_lock);
0139418c
MH		 501}
502
466f8004 503void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 504{
8c1d787b 505 struct l2cap_conn *conn = chan->conn;
0139418c 506
c9b66675 507 __clear_chan_timer(chan);
0139418c 508
49208c9c 509 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 510
8e87d142 511 if (conn) {
baa7e1fa 512 /* Delete from channel list */
3df91ea2 513 list_del(&chan->list);
3d57dc68 514
371fd835 515 l2cap_chan_put(chan);
baa7e1fa 516
8c1d787b 517 chan->conn = NULL;
3cabbfda
AE		 518
519 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
520 hci_conn_put(conn->hcon);
0139418c
MH		 521 }
522
c0df7f6e
AE		 523 if (chan->ops->teardown)
524 chan->ops->teardown(chan, err);
6be36555 525
2827011f 526 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 527 return;
2ead70b8 528
ee556f66
GP		 529 switch(chan->mode) {
530 case L2CAP_MODE_BASIC:
531 break;
c13ffa62 532
ee556f66 533 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 534 __clear_retrans_timer(chan);
535 __clear_monitor_timer(chan);
536 __clear_ack_timer(chan);
c13ffa62 537
f1c6775b 538 skb_queue_purge(&chan->srej_q);
c13ffa62 539
3c588192
MM		 540 l2cap_seq_list_free(&chan->srej_list);
541 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 542
543 /* fall through */
544
545 case L2CAP_MODE_STREAMING:
546 skb_queue_purge(&chan->tx_q);
547 break;
c13ffa62 548 }
ee556f66
GP		 549
550 return;
0139418c
MH		 551}
552
0f852724 553void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 554{
555 struct l2cap_conn *conn = chan->conn;
556 struct sock *sk = chan->sk;
557
e05dcc32
AE		 558 BT_DBG("chan %p state %s sk %p", chan,
559 state_to_string(chan->state), sk);
4519de9a 560
89bc500e 561 switch (chan->state) {
4519de9a 562 case BT_LISTEN:
c0df7f6e
AE		 563 if (chan->ops->teardown)
564 chan->ops->teardown(chan, 0);
4519de9a
GP		 565 break;
566
567 case BT_CONNECTED:
568 case BT_CONFIG:
715ec005 569 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 570 conn->hcon->type == ACL_LINK) {
c9b66675 571 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 572 l2cap_send_disconn_req(conn, chan, reason);
573 } else
574 l2cap_chan_del(chan, reason);
575 break;
576
577 case BT_CONNECT2:
715ec005 578 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 579 conn->hcon->type == ACL_LINK) {
580 struct l2cap_conn_rsp rsp;
581 __u16 result;
582
c5daa683 583 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 584 result = L2CAP_CR_SEC_BLOCK;
585 else
586 result = L2CAP_CR_BAD_PSM;
89bc500e 587 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 588
589 rsp.scid = cpu_to_le16(chan->dcid);
590 rsp.dcid = cpu_to_le16(chan->scid);
591 rsp.result = cpu_to_le16(result);
ac73498c 592 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a
GP		 593 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
594 sizeof(rsp), &rsp);
595 }
596
597 l2cap_chan_del(chan, reason);
598 break;
599
600 case BT_CONNECT:
601 case BT_DISCONN:
602 l2cap_chan_del(chan, reason);
603 break;
604
605 default:
c0df7f6e
AE		 606 if (chan->ops->teardown)
607 chan->ops->teardown(chan, 0);
4519de9a
GP		 608 break;
609 }
610}
611
4343478f 612static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 613{
715ec005 614 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 615 switch (chan->sec_level) {
8556edd3
JH		 616 case BT_SECURITY_HIGH:
617 return HCI_AT_DEDICATED_BONDING_MITM;
618 case BT_SECURITY_MEDIUM:
619 return HCI_AT_DEDICATED_BONDING;
620 default:
621 return HCI_AT_NO_BONDING;
622 }
2983fd68 623 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 624 if (chan->sec_level == BT_SECURITY_LOW)
625 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 626
4343478f 627 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 628 return HCI_AT_NO_BONDING_MITM;
00ae4af9 629 else
8556edd3 630 return HCI_AT_NO_BONDING;
00ae4af9 631 } else {
4343478f 632 switch (chan->sec_level) {
00ae4af9 633 case BT_SECURITY_HIGH:
8556edd3 634 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 635 case BT_SECURITY_MEDIUM:
8556edd3 636 return HCI_AT_GENERAL_BONDING;
00ae4af9 637 default:
8556edd3 638 return HCI_AT_NO_BONDING;
00ae4af9 639 }
0684e5f9 640 }
8556edd3
JH		 641}
642
643/* Service level security */
d45fc423 644int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 645{
8c1d787b 646 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 647 __u8 auth_type;
648
4343478f 649 auth_type = l2cap_get_auth_type(chan);
79d554a6 650
4343478f 651 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 652}
653
b5ad8b7f 654static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 655{
656 u8 id;
657
658 /* Get next available identificator.
659 * 1 - 128 are used by kernel.
660 * 129 - 199 are reserved.
661 * 200 - 254 are used by utilities like l2ping, etc.
662 */
663
333055f2 664 spin_lock(&conn->lock);
4e8402a3
MH		 665
666 if (++conn->tx_ident > 128)
667 conn->tx_ident = 1;
668
669 id = conn->tx_ident;
670
333055f2 671 spin_unlock(&conn->lock);
4e8402a3
MH		 672
673 return id;
674}
675
4519de9a 676static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 677{
678 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 679 u8 flags;
4e8402a3
MH		 680
681 BT_DBG("code 0x%2.2x", code);
682
683 if (!skb)
9a9c6a34 684 return;
4e8402a3 685
e702112f
AE		 686 if (lmp_no_flush_capable(conn->hcon->hdev))
687 flags = ACL_START_NO_FLUSH;
688 else
689 flags = ACL_START;
690
14b12d0b 691 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 692 skb->priority = HCI_PRIO_MAX;
14b12d0b 693
73d80deb
LAD		 694 hci_send_acl(conn->hchan, skb, flags);
695}
696
697static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
698{
699 struct hci_conn *hcon = chan->conn->hcon;
700 u16 flags;
701
702 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
703 skb->priority);
704
705 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
706 lmp_no_flush_capable(hcon->hdev))
707 flags = ACL_START_NO_FLUSH;
708 else
709 flags = ACL_START;
14b12d0b 710
73d80deb
LAD		 711 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
712 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 713}
714
b76bbd66
MM		 715static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
716{
717 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
718 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
719
720 if (enh & L2CAP_CTRL_FRAME_TYPE) {
721 /* S-Frame */
722 control->sframe = 1;
723 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
724 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
725
726 control->sar = 0;
727 control->txseq = 0;
728 } else {
729 /* I-Frame */
730 control->sframe = 0;
731 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
732 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
733
734 control->poll = 0;
735 control->super = 0;
736 }
737}
738
b76bbd66
MM		 739static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
740{
741 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
742 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
743
744 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
745 /* S-Frame */
746 control->sframe = 1;
747 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
748 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
749
750 control->sar = 0;
751 control->txseq = 0;
752 } else {
753 /* I-Frame */
754 control->sframe = 0;
755 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
756 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
757
758 control->poll = 0;
759 control->super = 0;
760 }
761}
762
763static inline void __unpack_control(struct l2cap_chan *chan,
764 struct sk_buff *skb)
765{
766 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
767 __unpack_extended_control(get_unaligned_le32(skb->data),
768 &bt_cb(skb)->control);
cec8ab6e 769 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 770 } else {
771 __unpack_enhanced_control(get_unaligned_le16(skb->data),
772 &bt_cb(skb)->control);
cec8ab6e 773 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 774 }
775}
776
b5c6aaed
MM		 777static u32 __pack_extended_control(struct l2cap_ctrl *control)
778{
779 u32 packed;
780
781 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
782 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
783
784 if (control->sframe) {
785 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
786 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
787 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
788 } else {
789 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
790 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
791 }
792
793 return packed;
794}
795
796static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
797{
798 u16 packed;
799
800 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
801 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
802
803 if (control->sframe) {
804 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
805 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
806 packed |= L2CAP_CTRL_FRAME_TYPE;
807 } else {
808 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
809 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
810 }
811
812 return packed;
813}
814
b76bbd66
MM		 815static inline void __pack_control(struct l2cap_chan *chan,
816 struct l2cap_ctrl *control,
817 struct sk_buff *skb)
818{
819 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
820 put_unaligned_le32(__pack_extended_control(control),
821 skb->data + L2CAP_HDR_SIZE);
822 } else {
823 put_unaligned_le16(__pack_enhanced_control(control),
824 skb->data + L2CAP_HDR_SIZE);
825 }
826}
827
ba7aa64f
GP		 828static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
829{
830 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
831 return L2CAP_EXT_HDR_SIZE;
832 else
833 return L2CAP_ENH_HDR_SIZE;
834}
835
a67d7f6f
MM		 836static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
837 u32 control)
b5c6aaed
MM		 838{
839 struct sk_buff *skb;
840 struct l2cap_hdr *lh;
ba7aa64f 841 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 842
843 if (chan->fcs == L2CAP_FCS_CRC16)
844 hlen += L2CAP_FCS_SIZE;
845
a67d7f6f 846 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 847
b5c6aaed 848 if (!skb)
a67d7f6f 849 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 850
851 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
852 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
853 lh->cid = cpu_to_le16(chan->dcid);
854
a67d7f6f
MM		 855 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
856 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
857 else
858 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 859
860 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 861 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 862 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
863 }
864
865 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 866 return skb;
867}
868
869static void l2cap_send_sframe(struct l2cap_chan *chan,
870 struct l2cap_ctrl *control)
871{
872 struct sk_buff *skb;
873 u32 control_field;
874
875 BT_DBG("chan %p, control %p", chan, control);
876
877 if (!control->sframe)
878 return;
879
880 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
881 !control->poll)
882 control->final = 1;
883
884 if (control->super == L2CAP_SUPER_RR)
885 clear_bit(CONN_RNR_SENT, &chan->conn_state);
886 else if (control->super == L2CAP_SUPER_RNR)
887 set_bit(CONN_RNR_SENT, &chan->conn_state);
888
889 if (control->super != L2CAP_SUPER_SREJ) {
890 chan->last_acked_seq = control->reqseq;
891 __clear_ack_timer(chan);
892 }
893
894 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
895 control->final, control->poll, control->super);
896
897 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
898 control_field = __pack_extended_control(control);
899 else
900 control_field = __pack_enhanced_control(control);
901
902 skb = l2cap_create_sframe_pdu(chan, control_field);
903 if (!IS_ERR(skb))
904 l2cap_do_send(chan, skb);
b5c6aaed
MM		 905}
906
c9e3d5e0 907static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 908{
c9e3d5e0
MM		 909 struct l2cap_ctrl control;
910
911 BT_DBG("chan %p, poll %d", chan, poll);
912
913 memset(&control, 0, sizeof(control));
914 control.sframe = 1;
915 control.poll = poll;
916
917 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
918 control.super = L2CAP_SUPER_RNR;
919 else
920 control.super = L2CAP_SUPER_RR;
b5c6aaed 921
c9e3d5e0
MM		 922 control.reqseq = chan->buffer_seq;
923 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 924}
925
b4450035 926static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 927{
c1360a1c 928 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 929}
930
9b27f350
AE		 931static void l2cap_send_conn_req(struct l2cap_chan *chan)
932{
933 struct l2cap_conn *conn = chan->conn;
934 struct l2cap_conn_req req;
935
936 req.scid = cpu_to_le16(chan->scid);
937 req.psm = chan->psm;
938
939 chan->ident = l2cap_get_ident(conn);
940
941 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
942
943 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
944}
945
9f0caeb1
VCG		 946static void l2cap_chan_ready(struct l2cap_chan *chan)
947{
2827011f 948 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 949 chan->conf_state = 0;
950 __clear_chan_timer(chan);
951
54a59aa2 952 chan->state = BT_CONNECTED;
9f0caeb1 953
fd83e2c2 954 chan->ops->ready(chan);
9f0caeb1
VCG		 955}
956
fc7f8a7e 957static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 958{
8c1d787b 959 struct l2cap_conn *conn = chan->conn;
79d554a6 960
9f0caeb1
VCG		 961 if (conn->hcon->type == LE_LINK) {
962 l2cap_chan_ready(chan);
963 return;
964 }
965
79d554a6 966 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 967 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
968 return;
969
d45fc423 970 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 971 __l2cap_no_conn_pending(chan))
972 l2cap_send_conn_req(chan);
79d554a6
MH		 973 } else {
974 struct l2cap_info_req req;
ac73498c 975 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 976
977 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
978 conn->info_ident = l2cap_get_ident(conn);
979
ba13ccd9 980 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 981
982 l2cap_send_cmd(conn, conn->info_ident,
983 L2CAP_INFO_REQ, sizeof(req), &req);
984 }
985}
986
cf6c2c0b
GP		 987static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
988{
989 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 990 if (!disable_ertm)
cf6c2c0b
GP		 991 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
992
993 switch (mode) {
994 case L2CAP_MODE_ERTM:
995 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
996 case L2CAP_MODE_STREAMING:
997 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
998 default:
999 return 0x00;
1000 }
1001}
1002
4519de9a 1003static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1004{
6be36555 1005 struct sock *sk = chan->sk;
22121fc9
GP		 1006 struct l2cap_disconn_req req;
1007
c13ffa62
GP		 1008 if (!conn)
1009 return;
1010
0c1bc5c6 1011 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1012 __clear_retrans_timer(chan);
1013 __clear_monitor_timer(chan);
1014 __clear_ack_timer(chan);
c13ffa62
GP		 1015 }
1016
416fa752
AE		 1017 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1018 __l2cap_state_change(chan, BT_DISCONN);
1019 return;
1020 }
1021
fe4128e0
GP		 1022 req.dcid = cpu_to_le16(chan->dcid);
1023 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1024 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1025 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1026
6be36555 1027 lock_sock(sk);
0e587be7 1028 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1029 __l2cap_chan_set_err(chan, err);
6be36555 1030 release_sock(sk);
22121fc9
GP		 1031}
1032
1da177e4 1033/* ---- L2CAP connections ---- */
4e8402a3
MH		 1034static void l2cap_conn_start(struct l2cap_conn *conn)
1035{
3df91ea2 1036 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1037
1038 BT_DBG("conn %p", conn);
1039
3df91ea2 1040 mutex_lock(&conn->chan_lock);
4e8402a3 1041
3df91ea2 1042 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1043 struct sock *sk = chan->sk;
baa7e1fa 1044
6be36555 1045 l2cap_chan_lock(chan);
4e8402a3 1046
715ec005 1047 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1048 l2cap_chan_unlock(chan);
79d554a6
MH		 1049 continue;
1050 }
1051
89bc500e 1052 if (chan->state == BT_CONNECT) {
d45fc423 1053 if (!l2cap_chan_check_security(chan) ||
b4450035 1054 !__l2cap_no_conn_pending(chan)) {
6be36555 1055 l2cap_chan_unlock(chan);
47731de7
GP		 1056 continue;
1057 }
79d554a6 1058
c1360a1c
GP		 1059 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1060 && test_bit(CONF_STATE2_DEVICE,
1061 &chan->conf_state)) {
89bc500e 1062 l2cap_chan_close(chan, ECONNRESET);
6be36555 1063 l2cap_chan_unlock(chan);
47731de7 1064 continue;
b1235d79 1065 }
47731de7 1066
9b27f350 1067 l2cap_send_conn_req(chan);
47731de7 1068
89bc500e 1069 } else if (chan->state == BT_CONNECT2) {
79d554a6 1070 struct l2cap_conn_rsp rsp;
e9aeb2dd 1071 char buf[128];
fe4128e0
GP		 1072 rsp.scid = cpu_to_le16(chan->dcid);
1073 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1074
d45fc423 1075 if (l2cap_chan_check_security(chan)) {
6be36555 1076 lock_sock(sk);
c5daa683
GP		 1077 if (test_bit(BT_SK_DEFER_SETUP,
1078 &bt_sk(sk)->flags)) {
f66dc81f 1079 struct sock *parent = bt_sk(sk)->parent;
ac73498c
AE		 1080 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1081 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1082 if (parent)
1083 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1084
1085 } else {
0e587be7 1086 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1087 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1088 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1089 }
6be36555 1090 release_sock(sk);
79d554a6 1091 } else {
ac73498c
AE		 1092 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1093 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1094 }
1095
fc7f8a7e
GP		 1096 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1097 sizeof(rsp), &rsp);
e9aeb2dd 1098
c1360a1c 1099 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1100 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1101 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1102 continue;
1103 }
1104
c1360a1c 1105 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1106 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1107 l2cap_build_conf_req(chan, buf), buf);
1108 chan->num_conf_req++;
4e8402a3
MH		 1109 }
1110
6be36555 1111 l2cap_chan_unlock(chan);
4e8402a3
MH		 1112 }
1113
3df91ea2 1114 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1115}
1116
c2287681 1117/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1118 * Returns closest match, locked.
1119 */
d9b88702 1120static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1121 bdaddr_t *src,
1122 bdaddr_t *dst)
b62f328b 1123{
23691d75 1124 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1125
23691d75 1126 read_lock(&chan_list_lock);
b62f328b 1127
23691d75
GP		 1128 list_for_each_entry(c, &chan_list, global_l) {
1129 struct sock *sk = c->sk;
fe4128e0 1130
89bc500e 1131 if (state && c->state != state)
b62f328b
VT		 1132 continue;
1133
23691d75 1134 if (c->scid == cid) {
c2287681
IY		 1135 int src_match, dst_match;
1136 int src_any, dst_any;
1137
b62f328b 1138 /* Exact match. */
c2287681
IY		 1139 src_match = !bacmp(&bt_sk(sk)->src, src);
1140 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1141 if (src_match && dst_match) {
23691d75
GP		 1142 read_unlock(&chan_list_lock);
1143 return c;
1144 }
b62f328b
VT		 1145
1146 /* Closest match */
c2287681
IY		 1147 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1148 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1149 if ((src_match && dst_any) || (src_any && dst_match) ||
1150 (src_any && dst_any))
23691d75 1151 c1 = c;
b62f328b
VT		 1152 }
1153 }
280f294f 1154
23691d75 1155 read_unlock(&chan_list_lock);
b62f328b 1156
23691d75 1157 return c1;
b62f328b
VT		 1158}
1159
1160static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1161{
c916fbe4 1162 struct sock *parent, *sk;
23691d75 1163 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1164
1165 BT_DBG("");
1166
1167 /* Check if we have socket listening on cid */
23691d75 1168 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1169 conn->src, conn->dst);
23691d75 1170 if (!pchan)
b62f328b
VT		 1171 return;
1172
23691d75
GP		 1173 parent = pchan->sk;
1174
aa2ac881 1175 lock_sock(parent);
62f3a2cf 1176
80b98027 1177 chan = pchan->ops->new_connection(pchan);
80808e43 1178 if (!chan)
b62f328b
VT		 1179 goto clean;
1180
80808e43 1181 sk = chan->sk;
5d41ce1d 1182
b62f328b
VT		 1183 hci_conn_hold(conn->hcon);
1184
b62f328b
VT		 1185 bacpy(&bt_sk(sk)->src, conn->src);
1186 bacpy(&bt_sk(sk)->dst, conn->dst);
1187
d1010240
GP		 1188 bt_accept_enqueue(parent, sk);
1189
3d57dc68 1190 l2cap_chan_add(conn, chan);
48454079 1191
6754e0df 1192 l2cap_chan_ready(chan);
b62f328b 1193
b62f328b 1194clean:
aa2ac881 1195 release_sock(parent);
b62f328b
VT		 1196}
1197
4e8402a3
MH		 1198static void l2cap_conn_ready(struct l2cap_conn *conn)
1199{
48454079 1200 struct l2cap_chan *chan;
4e8402a3 1201
79d554a6 1202 BT_DBG("conn %p", conn);
4e8402a3 1203
b62f328b
VT		 1204 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1205 l2cap_le_conn_ready(conn);
1206
160dc6ac
VCG		 1207 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1208 smp_conn_security(conn, conn->hcon->pending_sec_level);
1209
3df91ea2 1210 mutex_lock(&conn->chan_lock);
4e8402a3 1211
3df91ea2 1212 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1213
6be36555 1214 l2cap_chan_lock(chan);
4e8402a3 1215
416fa752
AE		 1216 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1217 l2cap_chan_unlock(chan);
1218 continue;
1219 }
1220
63128451 1221 if (conn->hcon->type == LE_LINK) {
b501d6a1 1222 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1223 l2cap_chan_ready(chan);
acd7d370 1224
63128451 1225 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1226 struct sock *sk = chan->sk;
c9b66675 1227 __clear_chan_timer(chan);
6be36555 1228 lock_sock(sk);
0e587be7 1229 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1230 sk->sk_state_change(sk);
6be36555 1231 release_sock(sk);
b501d6a1 1232
89bc500e 1233 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1234 l2cap_do_start(chan);
4e8402a3 1235
6be36555 1236 l2cap_chan_unlock(chan);
4e8402a3 1237 }
79d554a6 1238
3df91ea2 1239 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1240}
1241
1242/* Notify sockets that we cannot guaranty reliability anymore */
1243static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1244{
48454079 1245 struct l2cap_chan *chan;
4e8402a3
MH		 1246
1247 BT_DBG("conn %p", conn);
1248
3df91ea2 1249 mutex_lock(&conn->chan_lock);
4e8402a3 1250
3df91ea2 1251 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1252 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1253 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1254 }
1255
3df91ea2 1256 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1257}
1258
f878fcad 1259static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1260{
f878fcad 1261 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1262 info_timer.work);
4e8402a3 1263
984947dc 1264 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1265 conn->info_ident = 0;
984947dc 1266
4e8402a3
MH		 1267 l2cap_conn_start(conn);
1268}
1269
5d3de7df
VCG		 1270static void l2cap_conn_del(struct hci_conn *hcon, int err)
1271{
1272 struct l2cap_conn *conn = hcon->l2cap_data;
1273 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1274
1275 if (!conn)
1276 return;
1277
1278 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1279
1280 kfree_skb(conn->rx_skb);
1281
3df91ea2
AE		 1282 mutex_lock(&conn->chan_lock);
1283
5d3de7df
VCG		 1284 /* Kill channels */
1285 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1286 l2cap_chan_hold(chan);
6be36555
AE		 1287 l2cap_chan_lock(chan);
1288
5d3de7df 1289 l2cap_chan_del(chan, err);
6be36555
AE		 1290
1291 l2cap_chan_unlock(chan);
1292
80b98027 1293 chan->ops->close(chan);
61d6ef3e 1294 l2cap_chan_put(chan);
5d3de7df
VCG		 1295 }
1296
3df91ea2
AE		 1297 mutex_unlock(&conn->chan_lock);
1298
73d80deb
LAD		 1299 hci_chan_del(conn->hchan);
1300
5d3de7df 1301 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1302 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1303
51a8efd7 1304 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1305 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1306 smp_chan_destroy(conn);
d26a2345 1307 }
5d3de7df
VCG		 1308
1309 hcon->l2cap_data = NULL;
1310 kfree(conn);
1311}
1312
6c9d42a1 1313static void security_timeout(struct work_struct *work)
5d3de7df 1314{
6c9d42a1
GP		 1315 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1316 security_timer.work);
5d3de7df 1317
d06cc416
JH		 1318 BT_DBG("conn %p", conn);
1319
1320 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1321 smp_chan_destroy(conn);
1322 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1323 }
5d3de7df
VCG		 1324}
1325
1da177e4
LT		 1326static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1327{
0139418c 1328 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1329 struct hci_chan *hchan;
1da177e4 1330
0139418c 1331 if (conn || status)
1da177e4
LT		 1332 return conn;
1333
73d80deb
LAD		 1334 hchan = hci_chan_create(hcon);
1335 if (!hchan)
1336 return NULL;
1337
0139418c 1338 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1339 if (!conn) {
1340 hci_chan_del(hchan);
1da177e4 1341 return NULL;
73d80deb 1342 }
1da177e4
LT		 1343
1344 hcon->l2cap_data = conn;
1345 conn->hcon = hcon;
73d80deb 1346 conn->hchan = hchan;
1da177e4 1347
73d80deb 1348 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1349
acd7d370
VT		 1350 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1351 conn->mtu = hcon->hdev->le_mtu;
1352 else
1353 conn->mtu = hcon->hdev->acl_mtu;
1354
1da177e4
LT		 1355 conn->src = &hcon->hdev->bdaddr;
1356 conn->dst = &hcon->dst;
1357
4e8402a3
MH		 1358 conn->feat_mask = 0;
1359
1da177e4 1360 spin_lock_init(&conn->lock);
3df91ea2 1361 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1362
1363 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1364
5d3de7df 1365 if (hcon->type == LE_LINK)
6c9d42a1 1366 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1367 else
030013d8 1368 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1369
9f5a0d7b 1370 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1371
1da177e4
LT		 1372 return conn;
1373}
1374
1da177e4 1375/* ---- Socket interface ---- */
1da177e4 1376
c2287681 1377/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1378 * Returns closest match.
1379 */
c2287681
IY		 1380static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1381 bdaddr_t *src,
1382 bdaddr_t *dst)
1da177e4 1383{
23691d75 1384 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1385
23691d75 1386 read_lock(&chan_list_lock);
e0f0cb56 1387
23691d75
GP		 1388 list_for_each_entry(c, &chan_list, global_l) {
1389 struct sock *sk = c->sk;
fe4128e0 1390
89bc500e 1391 if (state && c->state != state)
1da177e4
LT		 1392 continue;
1393
23691d75 1394 if (c->psm == psm) {
c2287681
IY		 1395 int src_match, dst_match;
1396 int src_any, dst_any;
1397
1da177e4 1398 /* Exact match. */
c2287681
IY		 1399 src_match = !bacmp(&bt_sk(sk)->src, src);
1400 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1401 if (src_match && dst_match) {
a7567b20 1402 read_unlock(&chan_list_lock);
23691d75
GP		 1403 return c;
1404 }
1da177e4
LT		 1405
1406 /* Closest match */
c2287681
IY		 1407 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1408 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1409 if ((src_match && dst_any) || (src_any && dst_match) ||
1410 (src_any && dst_any))
23691d75 1411 c1 = c;
1da177e4
LT		 1412 }
1413 }
1da177e4 1414
23691d75 1415 read_unlock(&chan_list_lock);
e0f0cb56 1416
23691d75 1417 return c1;
1da177e4
LT		 1418}
1419
8e9f9892
AG		 1420int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1421 bdaddr_t *dst, u8 dst_type)
1da177e4 1422{
5d41ce1d 1423 struct sock *sk = chan->sk;
1da177e4 1424 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1425 struct l2cap_conn *conn;
1426 struct hci_conn *hcon;
1427 struct hci_dev *hdev;
09ab6f4c 1428 __u8 auth_type;
44d0e48e 1429 int err;
1da177e4 1430
8e9f9892
AG		 1431 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1432 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1433
af05b30b
GP		 1434 hdev = hci_get_route(dst, src);
1435 if (!hdev)
1da177e4
LT		 1436 return -EHOSTUNREACH;
1437
09fd0de5 1438 hci_dev_lock(hdev);
1da177e4 1439
6be36555 1440 l2cap_chan_lock(chan);
03a00194
GP		 1441
1442 /* PSM must be odd and lsb of upper byte must be 0 */
1443 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1444 chan->chan_type != L2CAP_CHAN_RAW) {
1445 err = -EINVAL;
1446 goto done;
1447 }
1448
1449 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1450 err = -EINVAL;
1451 goto done;
1452 }
1453
1454 switch (chan->mode) {
1455 case L2CAP_MODE_BASIC:
1456 break;
1457 case L2CAP_MODE_ERTM:
1458 case L2CAP_MODE_STREAMING:
1459 if (!disable_ertm)
1460 break;
1461 /* fall through */
1462 default:
1463 err = -ENOTSUPP;
1464 goto done;
1465 }
1466
0797e01d 1467 switch (chan->state) {
03a00194
GP		 1468 case BT_CONNECT:
1469 case BT_CONNECT2:
1470 case BT_CONFIG:
1471 /* Already connecting */
1472 err = 0;
1473 goto done;
1474
1475 case BT_CONNECTED:
1476 /* Already connected */
1477 err = -EISCONN;
1478 goto done;
1479
1480 case BT_OPEN:
1481 case BT_BOUND:
1482 /* Can connect */
1483 break;
1484
1485 default:
1486 err = -EBADFD;
1487 goto done;
1488 }
1489
1490 /* Set destination address and psm */
0797e01d 1491 lock_sock(sk);
9219b2a0 1492 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1493 release_sock(sk);
1494
03a00194
GP		 1495 chan->psm = psm;
1496 chan->dcid = cid;
1da177e4 1497
4343478f 1498 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1499
fe4128e0 1500 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1501 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1502 chan->sec_level, auth_type);
acd7d370 1503 else
8e9f9892 1504 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1505 chan->sec_level, auth_type);
acd7d370 1506
30e76272
VT		 1507 if (IS_ERR(hcon)) {
1508 err = PTR_ERR(hcon);
1da177e4 1509 goto done;
30e76272 1510 }
1da177e4
LT		 1511
1512 conn = l2cap_conn_add(hcon, 0);
1513 if (!conn) {
1514 hci_conn_put(hcon);
30e76272 1515 err = -ENOMEM;
1da177e4
LT		 1516 goto done;
1517 }
1518
9f0caeb1
VCG		 1519 if (hcon->type == LE_LINK) {
1520 err = 0;
1521
1522 if (!list_empty(&conn->chan_l)) {
1523 err = -EBUSY;
1524 hci_conn_put(hcon);
1525 }
1526
1527 if (err)
1528 goto done;
1529 }
1530
1da177e4
LT		 1531 /* Update source addr of the socket */
1532 bacpy(src, conn->src);
1533
6be36555 1534 l2cap_chan_unlock(chan);
48454079 1535 l2cap_chan_add(conn, chan);
6be36555 1536 l2cap_chan_lock(chan);
48454079 1537
6be36555 1538 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1539 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1540
1541 if (hcon->state == BT_CONNECTED) {
715ec005 1542 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1543 __clear_chan_timer(chan);
d45fc423 1544 if (l2cap_chan_check_security(chan))
6be36555 1545 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1546 } else
fc7f8a7e 1547 l2cap_do_start(chan);
1da177e4
LT		 1548 }
1549
30e76272
VT		 1550 err = 0;
1551
1da177e4 1552done:
6be36555 1553 l2cap_chan_unlock(chan);
09fd0de5 1554 hci_dev_unlock(hdev);
1da177e4
LT		 1555 hci_dev_put(hdev);
1556 return err;
1557}
1558
dcba0dba 1559int __l2cap_wait_ack(struct sock *sk)
6161c038 1560{
8c1d787b 1561 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1562 DECLARE_WAITQUEUE(wait, current);
1563 int err = 0;
1564 int timeo = HZ/5;
1565
2b0b05dd 1566 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1567 set_current_state(TASK_INTERRUPTIBLE);
1568 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1569 if (!timeo)
1570 timeo = HZ/5;
1571
1572 if (signal_pending(current)) {
1573 err = sock_intr_errno(timeo);
1574 break;
1575 }
1576
1577 release_sock(sk);
1578 timeo = schedule_timeout(timeo);
1579 lock_sock(sk);
a71a0cf4 1580 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1581
1582 err = sock_error(sk);
1583 if (err)
1584 break;
1585 }
1586 set_current_state(TASK_RUNNING);
2b0b05dd 1587 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1588 return err;
1589}
1590
721c4181 1591static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1592{
721c4181 1593 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1594 monitor_timer.work);
e90bac06 1595
525cd185 1596 BT_DBG("chan %p", chan);
0e98958d 1597
6be36555
AE		 1598 l2cap_chan_lock(chan);
1599
80909e04 1600 if (!chan->conn) {
6be36555 1601 l2cap_chan_unlock(chan);
8d7e1c7f 1602 l2cap_chan_put(chan);
e90bac06
GP		 1603 return;
1604 }
1605
401bb1f7 1606 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1607
6be36555 1608 l2cap_chan_unlock(chan);
8d7e1c7f 1609 l2cap_chan_put(chan);
e90bac06
GP		 1610}
1611
721c4181 1612static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1613{
721c4181 1614 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1615 retrans_timer.work);
e90bac06 1616
49208c9c 1617 BT_DBG("chan %p", chan);
0e98958d 1618
6be36555
AE		 1619 l2cap_chan_lock(chan);
1620
80909e04
MM		 1621 if (!chan->conn) {
1622 l2cap_chan_unlock(chan);
1623 l2cap_chan_put(chan);
1624 return;
1625 }
6be36555 1626
401bb1f7 1627 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1628 l2cap_chan_unlock(chan);
8d7e1c7f 1629 l2cap_chan_put(chan);
e90bac06
GP		 1630}
1631
d660366d
GP		 1632static void l2cap_streaming_send(struct l2cap_chan *chan,
1633 struct sk_buff_head *skbs)
6840ed07 1634{
ccbb84af 1635 struct sk_buff *skb;
3733937d 1636 struct l2cap_ctrl *control;
6840ed07 1637
3733937d
MM		 1638 BT_DBG("chan %p, skbs %p", chan, skbs);
1639
3733937d
MM		 1640 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1641
1642 while (!skb_queue_empty(&chan->tx_q)) {
1643
1644 skb = skb_dequeue(&chan->tx_q);
1645
1646 bt_cb(skb)->control.retries = 1;
1647 control = &bt_cb(skb)->control;
1648
1649 control->reqseq = 0;
1650 control->txseq = chan->next_tx_seq;
1651
1652 __pack_control(chan, control, skb);
6840ed07 1653
47d1ec61 1654 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1655 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1656 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1657 }
1658
4343478f 1659 l2cap_do_send(chan, skb);
6840ed07 1660
b4400672 1661 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1662
836be934 1663 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1664 chan->frames_sent++;
6840ed07 1665 }
6840ed07
GP		 1666}
1667
67c9e840 1668static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1669{
1670 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1671 struct l2cap_ctrl *control;
1672 int sent = 0;
1673
1674 BT_DBG("chan %p", chan);
1c2acffb 1675
89bc500e 1676 if (chan->state != BT_CONNECTED)
c13ffa62 1677 return -ENOTCONN;
e90bac06 1678
94122bbe
MM		 1679 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1680 return 0;
1681
18a48e76
MM		 1682 while (chan->tx_send_head &&
1683 chan->unacked_frames < chan->remote_tx_win &&
1684 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1685
18a48e76 1686 skb = chan->tx_send_head;
e90bac06 1687
18a48e76
MM		 1688 bt_cb(skb)->control.retries = 1;
1689 control = &bt_cb(skb)->control;
95ffa978 1690
e2ab4353 1691 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1692 control->final = 1;
e2ab4353 1693
18a48e76
MM		 1694 control->reqseq = chan->buffer_seq;
1695 chan->last_acked_seq = chan->buffer_seq;
1696 control->txseq = chan->next_tx_seq;
1c2acffb 1697
18a48e76 1698 __pack_control(chan, control, skb);
e90bac06 1699
47d1ec61 1700 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1701 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1702 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1703 }
1704
18a48e76
MM		 1705 /* Clone after data has been modified. Data is assumed to be
1706 read-only (for locking purposes) on cloned sk_buffs.
1707 */
1708 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1709
18a48e76
MM		 1710 if (!tx_skb)
1711 break;
1c2acffb 1712
18a48e76 1713 __set_retrans_timer(chan);
836be934
AE		 1714
1715 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1716 chan->unacked_frames++;
6a026610 1717 chan->frames_sent++;
18a48e76 1718 sent++;
1c2acffb 1719
58d35f87
GP		 1720 if (skb_queue_is_last(&chan->tx_q, skb))
1721 chan->tx_send_head = NULL;
1c2acffb 1722 else
58d35f87 1723 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1724
1725 l2cap_do_send(chan, tx_skb);
b4400672 1726 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1727 }
1728
b4400672
AE		 1729 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1730 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1731
1732 return sent;
9e917af1
GP		 1733}
1734
e1fbd4c1
MM		 1735static void l2cap_ertm_resend(struct l2cap_chan *chan)
1736{
1737 struct l2cap_ctrl control;
1738 struct sk_buff *skb;
1739 struct sk_buff *tx_skb;
1740 u16 seq;
1741
1742 BT_DBG("chan %p", chan);
1743
1744 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1745 return;
1746
1747 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1748 seq = l2cap_seq_list_pop(&chan->retrans_list);
1749
1750 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1751 if (!skb) {
1752 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1753 seq);
1754 continue;
1755 }
1756
1757 bt_cb(skb)->control.retries++;
1758 control = bt_cb(skb)->control;
1759
1760 if (chan->max_tx != 0 &&
1761 bt_cb(skb)->control.retries > chan->max_tx) {
1762 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1763 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1764 l2cap_seq_list_clear(&chan->retrans_list);
1765 break;
1766 }
1767
1768 control.reqseq = chan->buffer_seq;
1769 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1770 control.final = 1;
1771 else
1772 control.final = 0;
1773
1774 if (skb_cloned(skb)) {
1775 /* Cloned sk_buffs are read-only, so we need a
1776 * writeable copy
1777 */
1778 tx_skb = skb_copy(skb, GFP_ATOMIC);
1779 } else {
1780 tx_skb = skb_clone(skb, GFP_ATOMIC);
1781 }
1782
1783 if (!tx_skb) {
1784 l2cap_seq_list_clear(&chan->retrans_list);
1785 break;
1786 }
1787
1788 /* Update skb contents */
1789 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1790 put_unaligned_le32(__pack_extended_control(&control),
1791 tx_skb->data + L2CAP_HDR_SIZE);
1792 } else {
1793 put_unaligned_le16(__pack_enhanced_control(&control),
1794 tx_skb->data + L2CAP_HDR_SIZE);
1795 }
1796
1797 if (chan->fcs == L2CAP_FCS_CRC16) {
1798 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1799 put_unaligned_le16(fcs, skb_put(tx_skb,
1800 L2CAP_FCS_SIZE));
1801 }
1802
1803 l2cap_do_send(chan, tx_skb);
1804
1805 BT_DBG("Resent txseq %d", control.txseq);
1806
1807 chan->last_acked_seq = chan->buffer_seq;
1808 }
1809}
1810
f80842a8
MM		 1811static void l2cap_retransmit(struct l2cap_chan *chan,
1812 struct l2cap_ctrl *control)
1813{
1814 BT_DBG("chan %p, control %p", chan, control);
1815
1816 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1817 l2cap_ertm_resend(chan);
1818}
1819
d2a7ac5d
MM		 1820static void l2cap_retransmit_all(struct l2cap_chan *chan,
1821 struct l2cap_ctrl *control)
1822{
e1fbd4c1
MM		 1823 struct sk_buff *skb;
1824
1825 BT_DBG("chan %p, control %p", chan, control);
1826
1827 if (control->poll)
1828 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1829
1830 l2cap_seq_list_clear(&chan->retrans_list);
1831
1832 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1833 return;
1834
1835 if (chan->unacked_frames) {
1836 skb_queue_walk(&chan->tx_q, skb) {
1837 if (bt_cb(skb)->control.txseq == control->reqseq ||
1838 skb == chan->tx_send_head)
1839 break;
1840 }
1841
1842 skb_queue_walk_from(&chan->tx_q, skb) {
1843 if (skb == chan->tx_send_head)
1844 break;
1845
1846 l2cap_seq_list_append(&chan->retrans_list,
1847 bt_cb(skb)->control.txseq);
1848 }
1849
1850 l2cap_ertm_resend(chan);
1851 }
d2a7ac5d
MM		 1852}
1853
0a0aba42 1854static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1855{
0a0aba42
MM		 1856 struct l2cap_ctrl control;
1857 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1858 chan->last_acked_seq);
1859 int threshold;
9e917af1 1860
0a0aba42
MM		 1861 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1862 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1863
0a0aba42
MM		 1864 memset(&control, 0, sizeof(control));
1865 control.sframe = 1;
dfc909be 1866
0a0aba42
MM		 1867 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1868 chan->rx_state == L2CAP_RX_STATE_RECV) {
1869 __clear_ack_timer(chan);
1870 control.super = L2CAP_SUPER_RNR;
1871 control.reqseq = chan->buffer_seq;
1872 l2cap_send_sframe(chan, &control);
1873 } else {
1874 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1875 l2cap_ertm_send(chan);
1876 /* If any i-frames were sent, they included an ack */
1877 if (chan->buffer_seq == chan->last_acked_seq)
1878 frames_to_ack = 0;
1879 }
dfc909be 1880
c20f8e35 1881 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 1882 * Calculate without mul or div
1883 */
c20f8e35 1884 threshold = chan->ack_win;
0a0aba42
MM		 1885 threshold += threshold << 1;
1886 threshold >>= 2;
1887
b4400672 1888 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 1889 threshold);
1890
1891 if (frames_to_ack >= threshold) {
1892 __clear_ack_timer(chan);
1893 control.super = L2CAP_SUPER_RR;
1894 control.reqseq = chan->buffer_seq;
1895 l2cap_send_sframe(chan, &control);
1896 frames_to_ack = 0;
1897 }
1c2acffb 1898
0a0aba42
MM		 1899 if (frames_to_ack)
1900 __set_ack_timer(chan);
1901 }
b17e73bb
SJ		 1902}
1903
04124681
GP		 1904static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1905 struct msghdr *msg, int len,
1906 int count, struct sk_buff *skb)
1c2acffb 1907{
0952a57a 1908 struct l2cap_conn *conn = chan->conn;
1c2acffb 1909 struct sk_buff **frag;
90338947 1910 int sent = 0;
1da177e4 1911
59203a21 1912 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1913 return -EFAULT;
1da177e4
LT		 1914
1915 sent += count;
1916 len -= count;
1917
1918 /* Continuation fragments (no L2CAP header) */
1919 frag = &skb_shinfo(skb)->frag_list;
1920 while (len) {
fbe00700
GP		 1921 struct sk_buff *tmp;
1922
1da177e4
LT		 1923 count = min_t(unsigned int, conn->mtu, len);
1924
fbe00700
GP		 1925 tmp = chan->ops->alloc_skb(chan, count,
1926 msg->msg_flags & MSG_DONTWAIT);
1927 if (IS_ERR(tmp))
1928 return PTR_ERR(tmp);
1929
1930 *frag = tmp;
2f7719ce 1931
1c2acffb
GP		 1932 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1933 return -EFAULT;
1da177e4 1934
5e59b791
LAD		 1935 (*frag)->priority = skb->priority;
1936
1da177e4
LT		 1937 sent += count;
1938 len -= count;
1939
2d0ed3d5
GP		 1940 skb->len += (*frag)->len;
1941 skb->data_len += (*frag)->len;
1942
1da177e4
LT		 1943 frag = &(*frag)->next;
1944 }
1da177e4
LT		 1945
1946 return sent;
1c2acffb 1947}
1da177e4 1948
5e59b791 1949static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 1950 struct msghdr *msg, size_t len,
1951 u32 priority)
1c2acffb 1952{
8c1d787b 1953 struct l2cap_conn *conn = chan->conn;
1c2acffb 1954 struct sk_buff *skb;
03a51213 1955 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1956 struct l2cap_hdr *lh;
1957
b4400672 1958 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 1959
1960 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1961
1962 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1963 msg->msg_flags & MSG_DONTWAIT);
1964 if (IS_ERR(skb))
1965 return skb;
1c2acffb 1966
5e59b791
LAD		 1967 skb->priority = priority;
1968
1c2acffb
GP		 1969 /* Create L2CAP header */
1970 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1971 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1972 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1973 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1974
0952a57a 1975 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1976 if (unlikely(err < 0)) {
1977 kfree_skb(skb);
1978 return ERR_PTR(err);
1979 }
1980 return skb;
1981}
1982
5e59b791 1983static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 1984 struct msghdr *msg, size_t len,
1985 u32 priority)
1c2acffb 1986{
8c1d787b 1987 struct l2cap_conn *conn = chan->conn;
1c2acffb 1988 struct sk_buff *skb;
f2ba7fae 1989 int err, count;
1c2acffb
GP		 1990 struct l2cap_hdr *lh;
1991
b4400672 1992 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 1993
f2ba7fae 1994 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1995
f2ba7fae 1996 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1997 msg->msg_flags & MSG_DONTWAIT);
1998 if (IS_ERR(skb))
1999 return skb;
1c2acffb 2000
5e59b791
LAD		 2001 skb->priority = priority;
2002
1c2acffb
GP		 2003 /* Create L2CAP header */
2004 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2005 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2006 lh->len = cpu_to_le16(len);
1c2acffb 2007
0952a57a 2008 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2009 if (unlikely(err < 0)) {
2010 kfree_skb(skb);
2011 return ERR_PTR(err);
2012 }
2013 return skb;
2014}
2015
ab0ff76d 2016static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2017 struct msghdr *msg, size_t len,
2018 u16 sdulen)
1c2acffb 2019{
8c1d787b 2020 struct l2cap_conn *conn = chan->conn;
1c2acffb 2021 struct sk_buff *skb;
e4ca6d98 2022 int err, count, hlen;
1c2acffb
GP		 2023 struct l2cap_hdr *lh;
2024
b4400672 2025 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2026
0ee0d208
GP		 2027 if (!conn)
2028 return ERR_PTR(-ENOTCONN);
2029
ba7aa64f 2030 hlen = __ertm_hdr_size(chan);
e4ca6d98 2031
c74e560c 2032 if (sdulen)
03a51213 2033 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2034
47d1ec61 2035 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2036 hlen += L2CAP_FCS_SIZE;
fcc203c3 2037
1c2acffb 2038 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2039
2040 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2041 msg->msg_flags & MSG_DONTWAIT);
2042 if (IS_ERR(skb))
2043 return skb;
1c2acffb
GP		 2044
2045 /* Create L2CAP header */
2046 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2047 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2048 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2049
18a48e76
MM		 2050 /* Control header is populated later */
2051 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2052 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2053 else
2054 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2055
c74e560c 2056 if (sdulen)
03a51213 2057 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2058
0952a57a 2059 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2060 if (unlikely(err < 0)) {
2061 kfree_skb(skb);
2062 return ERR_PTR(err);
2063 }
e90bac06 2064
18a48e76 2065 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2066 bt_cb(skb)->control.retries = 0;
1c2acffb 2067 return skb;
1da177e4
LT		 2068}
2069
94122bbe
MM		 2070static int l2cap_segment_sdu(struct l2cap_chan *chan,
2071 struct sk_buff_head *seg_queue,
2072 struct msghdr *msg, size_t len)
c74e560c 2073{
c74e560c 2074 struct sk_buff *skb;
94122bbe
MM		 2075 u16 sdu_len;
2076 size_t pdu_len;
94122bbe 2077 u8 sar;
c74e560c 2078
b4400672 2079 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2080
94122bbe
MM		 2081 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2082 * so fragmented skbs are not used. The HCI layer's handling
2083 * of fragmented skbs is not compatible with ERTM's queueing.
2084 */
c74e560c 2085
94122bbe
MM		 2086 /* PDU size is derived from the HCI MTU */
2087 pdu_len = chan->conn->mtu;
c74e560c 2088
94122bbe
MM		 2089 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2090
2091 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2092 if (chan->fcs)
2093 pdu_len -= L2CAP_FCS_SIZE;
2094
ba7aa64f 2095 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2096
2097 /* Remote device may have requested smaller PDUs */
2098 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2099
2100 if (len <= pdu_len) {
2101 sar = L2CAP_SAR_UNSEGMENTED;
2102 sdu_len = 0;
2103 pdu_len = len;
2104 } else {
2105 sar = L2CAP_SAR_START;
2106 sdu_len = len;
2107 pdu_len -= L2CAP_SDULEN_SIZE;
2108 }
2109
2110 while (len > 0) {
2111 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2112
c74e560c 2113 if (IS_ERR(skb)) {
94122bbe 2114 __skb_queue_purge(seg_queue);
c74e560c
GP		 2115 return PTR_ERR(skb);
2116 }
2117
94122bbe
MM		 2118 bt_cb(skb)->control.sar = sar;
2119 __skb_queue_tail(seg_queue, skb);
2120
2121 len -= pdu_len;
2122 if (sdu_len) {
2123 sdu_len = 0;
2124 pdu_len += L2CAP_SDULEN_SIZE;
2125 }
2126
2127 if (len <= pdu_len) {
2128 sar = L2CAP_SAR_END;
2129 pdu_len = len;
2130 } else {
2131 sar = L2CAP_SAR_CONTINUE;
2132 }
c74e560c 2133 }
c74e560c 2134
f0f62799 2135 return 0;
c74e560c
GP		 2136}
2137
5e59b791
LAD		 2138int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2139 u32 priority)
9a91a04a 2140{
9a91a04a 2141 struct sk_buff *skb;
9a91a04a 2142 int err;
94122bbe 2143 struct sk_buff_head seg_queue;
9a91a04a
GP		 2144
2145 /* Connectionless channel */
715ec005 2146 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2147 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2148 if (IS_ERR(skb))
2149 return PTR_ERR(skb);
2150
2151 l2cap_do_send(chan, skb);
2152 return len;
2153 }
2154
2155 switch (chan->mode) {
2156 case L2CAP_MODE_BASIC:
2157 /* Check outgoing MTU */
2158 if (len > chan->omtu)
2159 return -EMSGSIZE;
2160
2161 /* Create a basic PDU */
5e59b791 2162 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2163 if (IS_ERR(skb))
2164 return PTR_ERR(skb);
2165
2166 l2cap_do_send(chan, skb);
2167 err = len;
2168 break;
2169
2170 case L2CAP_MODE_ERTM:
2171 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2172 /* Check outgoing MTU */
2173 if (len > chan->omtu) {
2174 err = -EMSGSIZE;
2175 break;
2176 }
9a91a04a 2177
94122bbe 2178 __skb_queue_head_init(&seg_queue);
9a91a04a 2179
94122bbe
MM		 2180 /* Do segmentation before calling in to the state machine,
2181 * since it's possible to block while waiting for memory
2182 * allocation.
2183 */
2184 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2185
94122bbe
MM		 2186 /* The channel could have been closed while segmenting,
2187 * check that it is still connected.
2188 */
2189 if (chan->state != BT_CONNECTED) {
2190 __skb_queue_purge(&seg_queue);
2191 err = -ENOTCONN;
9a91a04a
GP		 2192 }
2193
94122bbe 2194 if (err)
9a91a04a 2195 break;
9a91a04a 2196
3733937d 2197 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2198 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2199 else
d660366d 2200 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2201
d660366d 2202 err = len;
9a91a04a 2203
94122bbe
MM		 2204 /* If the skbs were not queued for sending, they'll still be in
2205 * seg_queue and need to be purged.
2206 */
2207 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2208 break;
2209
2210 default:
2211 BT_DBG("bad state %1.1x", chan->mode);
2212 err = -EBADFD;
2213 }
2214
2215 return err;
2216}
2217
d2a7ac5d
MM		 2218static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2219{
bed68bde
MM		 2220 struct l2cap_ctrl control;
2221 u16 seq;
2222
b4400672 2223 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2224
2225 memset(&control, 0, sizeof(control));
2226 control.sframe = 1;
2227 control.super = L2CAP_SUPER_SREJ;
2228
2229 for (seq = chan->expected_tx_seq; seq != txseq;
2230 seq = __next_seq(chan, seq)) {
2231 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2232 control.reqseq = seq;
2233 l2cap_send_sframe(chan, &control);
2234 l2cap_seq_list_append(&chan->srej_list, seq);
2235 }
2236 }
2237
2238 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2239}
2240
2241static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2242{
bed68bde
MM		 2243 struct l2cap_ctrl control;
2244
2245 BT_DBG("chan %p", chan);
2246
2247 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2248 return;
2249
2250 memset(&control, 0, sizeof(control));
2251 control.sframe = 1;
2252 control.super = L2CAP_SUPER_SREJ;
2253 control.reqseq = chan->srej_list.tail;
2254 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2255}
2256
2257static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2258{
bed68bde
MM		 2259 struct l2cap_ctrl control;
2260 u16 initial_head;
2261 u16 seq;
2262
b4400672 2263 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2264
2265 memset(&control, 0, sizeof(control));
2266 control.sframe = 1;
2267 control.super = L2CAP_SUPER_SREJ;
2268
2269 /* Capture initial list head to allow only one pass through the list. */
2270 initial_head = chan->srej_list.head;
2271
2272 do {
2273 seq = l2cap_seq_list_pop(&chan->srej_list);
2274 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2275 break;
2276
2277 control.reqseq = seq;
2278 l2cap_send_sframe(chan, &control);
2279 l2cap_seq_list_append(&chan->srej_list, seq);
2280 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2281}
2282
608bcc6d
MM		 2283static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2284{
2285 struct sk_buff *acked_skb;
2286 u16 ackseq;
2287
b4400672 2288 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2289
2290 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2291 return;
2292
b4400672 2293 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2294 chan->expected_ack_seq, chan->unacked_frames);
2295
2296 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2297 ackseq = __next_seq(chan, ackseq)) {
2298
2299 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2300 if (acked_skb) {
2301 skb_unlink(acked_skb, &chan->tx_q);
2302 kfree_skb(acked_skb);
2303 chan->unacked_frames--;
2304 }
2305 }
2306
2307 chan->expected_ack_seq = reqseq;
2308
2309 if (chan->unacked_frames == 0)
2310 __clear_retrans_timer(chan);
2311
b4400672 2312 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2313}
2314
2315static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2316{
2317 BT_DBG("chan %p", chan);
2318
2319 chan->expected_tx_seq = chan->buffer_seq;
2320 l2cap_seq_list_clear(&chan->srej_list);
2321 skb_queue_purge(&chan->srej_q);
2322 chan->rx_state = L2CAP_RX_STATE_RECV;
2323}
2324
d660366d
GP		 2325static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2326 struct l2cap_ctrl *control,
2327 struct sk_buff_head *skbs, u8 event)
608bcc6d 2328{
608bcc6d
MM		 2329 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2330 event);
2331
2332 switch (event) {
2333 case L2CAP_EV_DATA_REQUEST:
2334 if (chan->tx_send_head == NULL)
2335 chan->tx_send_head = skb_peek(skbs);
2336
2337 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2338 l2cap_ertm_send(chan);
2339 break;
2340 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2341 BT_DBG("Enter LOCAL_BUSY");
2342 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2343
2344 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2345 /* The SREJ_SENT state must be aborted if we are to
2346 * enter the LOCAL_BUSY state.
2347 */
2348 l2cap_abort_rx_srej_sent(chan);
2349 }
2350
2351 l2cap_send_ack(chan);
2352
2353 break;
2354 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2355 BT_DBG("Exit LOCAL_BUSY");
2356 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2357
2358 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2359 struct l2cap_ctrl local_control;
2360
2361 memset(&local_control, 0, sizeof(local_control));
2362 local_control.sframe = 1;
2363 local_control.super = L2CAP_SUPER_RR;
2364 local_control.poll = 1;
2365 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2366 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2367
2368 chan->retry_count = 1;
2369 __set_monitor_timer(chan);
2370 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2371 }
2372 break;
2373 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2374 l2cap_process_reqseq(chan, control->reqseq);
2375 break;
2376 case L2CAP_EV_EXPLICIT_POLL:
2377 l2cap_send_rr_or_rnr(chan, 1);
2378 chan->retry_count = 1;
2379 __set_monitor_timer(chan);
2380 __clear_ack_timer(chan);
2381 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2382 break;
2383 case L2CAP_EV_RETRANS_TO:
2384 l2cap_send_rr_or_rnr(chan, 1);
2385 chan->retry_count = 1;
2386 __set_monitor_timer(chan);
2387 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2388 break;
2389 case L2CAP_EV_RECV_FBIT:
2390 /* Nothing to process */
2391 break;
2392 default:
2393 break;
2394 }
608bcc6d
MM		 2395}
2396
d660366d
GP		 2397static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2398 struct l2cap_ctrl *control,
2399 struct sk_buff_head *skbs, u8 event)
608bcc6d 2400{
608bcc6d
MM		 2401 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2402 event);
2403
2404 switch (event) {
2405 case L2CAP_EV_DATA_REQUEST:
2406 if (chan->tx_send_head == NULL)
2407 chan->tx_send_head = skb_peek(skbs);
2408 /* Queue data, but don't send. */
2409 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2410 break;
2411 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2412 BT_DBG("Enter LOCAL_BUSY");
2413 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2414
2415 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2416 /* The SREJ_SENT state must be aborted if we are to
2417 * enter the LOCAL_BUSY state.
2418 */
2419 l2cap_abort_rx_srej_sent(chan);
2420 }
2421
2422 l2cap_send_ack(chan);
2423
2424 break;
2425 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2426 BT_DBG("Exit LOCAL_BUSY");
2427 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2428
2429 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2430 struct l2cap_ctrl local_control;
2431 memset(&local_control, 0, sizeof(local_control));
2432 local_control.sframe = 1;
2433 local_control.super = L2CAP_SUPER_RR;
2434 local_control.poll = 1;
2435 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2436 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2437
2438 chan->retry_count = 1;
2439 __set_monitor_timer(chan);
2440 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2441 }
2442 break;
2443 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2444 l2cap_process_reqseq(chan, control->reqseq);
2445
2446 /* Fall through */
2447
2448 case L2CAP_EV_RECV_FBIT:
2449 if (control && control->final) {
2450 __clear_monitor_timer(chan);
2451 if (chan->unacked_frames > 0)
2452 __set_retrans_timer(chan);
2453 chan->retry_count = 0;
2454 chan->tx_state = L2CAP_TX_STATE_XMIT;
2455 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2456 }
2457 break;
2458 case L2CAP_EV_EXPLICIT_POLL:
2459 /* Ignore */
2460 break;
2461 case L2CAP_EV_MONITOR_TO:
2462 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2463 l2cap_send_rr_or_rnr(chan, 1);
2464 __set_monitor_timer(chan);
2465 chan->retry_count++;
2466 } else {
2467 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2468 }
2469 break;
2470 default:
2471 break;
2472 }
608bcc6d
MM		 2473}
2474
d660366d
GP		 2475static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2476 struct sk_buff_head *skbs, u8 event)
608bcc6d 2477{
608bcc6d
MM		 2478 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2479 chan, control, skbs, event, chan->tx_state);
2480
2481 switch (chan->tx_state) {
2482 case L2CAP_TX_STATE_XMIT:
d660366d 2483 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2484 break;
2485 case L2CAP_TX_STATE_WAIT_F:
d660366d 2486 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2487 break;
2488 default:
2489 /* Ignore event */
2490 break;
2491 }
608bcc6d
MM		 2492}
2493
4b51dae9
MM		 2494static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2495 struct l2cap_ctrl *control)
2496{
2497 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2498 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2499}
2500
f80842a8
MM		 2501static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2502 struct l2cap_ctrl *control)
2503{
2504 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2505 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2506}
2507
1da177e4
LT		 2508/* Copy frame to all raw sockets on that connection */
2509static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2510{
1da177e4 2511 struct sk_buff *nskb;
48454079 2512 struct l2cap_chan *chan;
1da177e4
LT		 2513
2514 BT_DBG("conn %p", conn);
2515
3df91ea2 2516 mutex_lock(&conn->chan_lock);
3d57dc68 2517
3df91ea2 2518 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2519 struct sock *sk = chan->sk;
715ec005 2520 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2521 continue;
2522
2523 /* Don't send frame to the socket it came from */
2524 if (skb->sk == sk)
2525 continue;
af05b30b
GP		 2526 nskb = skb_clone(skb, GFP_ATOMIC);
2527 if (!nskb)
1da177e4
LT		 2528 continue;
2529
80b98027 2530 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2531 kfree_skb(nskb);
2532 }
3d57dc68 2533
3df91ea2 2534 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2535}
2536
2537/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2538static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2539 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2540{
2541 struct sk_buff *skb, **frag;
2542 struct l2cap_cmd_hdr *cmd;
2543 struct l2cap_hdr *lh;
2544 int len, count;
2545
b4400672
AE		 2546 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2547 conn, code, ident, dlen);
1da177e4
LT		 2548
2549 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2550 count = min_t(unsigned int, conn->mtu, len);
2551
2552 skb = bt_skb_alloc(count, GFP_ATOMIC);
2553 if (!skb)
2554 return NULL;
2555
2556 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2557 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2558
2559 if (conn->hcon->type == LE_LINK)
ac73498c 2560 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2561 else
ac73498c 2562 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2563
2564 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2565 cmd->code = code;
2566 cmd->ident = ident;
aca3192c 2567 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2568
2569 if (dlen) {
2570 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2571 memcpy(skb_put(skb, count), data, count);
2572 data += count;
2573 }
2574
2575 len -= skb->len;
2576
2577 /* Continuation fragments (no L2CAP header) */
2578 frag = &skb_shinfo(skb)->frag_list;
2579 while (len) {
2580 count = min_t(unsigned int, conn->mtu, len);
2581
2582 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2583 if (!*frag)
2584 goto fail;
2585
2586 memcpy(skb_put(*frag, count), data, count);
2587
2588 len -= count;
2589 data += count;
2590
2591 frag = &(*frag)->next;
2592 }
2593
2594 return skb;
2595
2596fail:
2597 kfree_skb(skb);
2598 return NULL;
2599}
2600
2601static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2602{
2603 struct l2cap_conf_opt *opt = *ptr;
2604 int len;
2605
2606 len = L2CAP_CONF_OPT_SIZE + opt->len;
2607 *ptr += len;
2608
2609 *type = opt->type;
2610 *olen = opt->len;
2611
2612 switch (opt->len) {
2613 case 1:
2614 *val = *((u8 *) opt->val);
2615 break;
2616
2617 case 2:
bfaaeb3e 2618 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2619 break;
2620
2621 case 4:
bfaaeb3e 2622 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2623 break;
2624
2625 default:
2626 *val = (unsigned long) opt->val;
2627 break;
2628 }
2629
b4400672 2630 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2631 return len;
2632}
2633
1da177e4
LT		 2634static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2635{
2636 struct l2cap_conf_opt *opt = *ptr;
2637
b4400672 2638 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2639
2640 opt->type = type;
2641 opt->len = len;
2642
2643 switch (len) {
2644 case 1:
2645 *((u8 *) opt->val) = val;
2646 break;
2647
2648 case 2:
4f8b691c 2649 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2650 break;
2651
2652 case 4:
4f8b691c 2653 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2654 break;
2655
2656 default:
2657 memcpy(opt->val, (void *) val, len);
2658 break;
2659 }
2660
2661 *ptr += L2CAP_CONF_OPT_SIZE + len;
2662}
2663
f89cef09
AE		 2664static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2665{
2666 struct l2cap_conf_efs efs;
2667
1ec918ce 2668 switch (chan->mode) {
f89cef09
AE		 2669 case L2CAP_MODE_ERTM:
2670 efs.id = chan->local_id;
2671 efs.stype = chan->local_stype;
2672 efs.msdu = cpu_to_le16(chan->local_msdu);
2673 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c
AE		 2674 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2675 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
f89cef09
AE		 2676 break;
2677
2678 case L2CAP_MODE_STREAMING:
2679 efs.id = 1;
2680 efs.stype = L2CAP_SERV_BESTEFFORT;
2681 efs.msdu = cpu_to_le16(chan->local_msdu);
2682 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2683 efs.acc_lat = 0;
2684 efs.flush_to = 0;
2685 break;
2686
2687 default:
2688 return;
2689 }
2690
2691 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2692 (unsigned long) &efs);
2693}
2694
721c4181 2695static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2696{
721c4181 2697 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2698 ack_timer.work);
2699 u16 frames_to_ack;
c1b4f43b 2700
2fb9b3d4
GP		 2701 BT_DBG("chan %p", chan);
2702
6be36555
AE		 2703 l2cap_chan_lock(chan);
2704
0362520b
MM		 2705 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2706 chan->last_acked_seq);
6be36555 2707
0362520b
MM		 2708 if (frames_to_ack)
2709 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2710
0362520b 2711 l2cap_chan_unlock(chan);
09bfb2ee 2712 l2cap_chan_put(chan);
c1b4f43b
GP		 2713}
2714
466f8004 2715int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2716{
3c588192
MM		 2717 int err;
2718
105bdf9e
MM		 2719 chan->next_tx_seq = 0;
2720 chan->expected_tx_seq = 0;
42e5c802 2721 chan->expected_ack_seq = 0;
6a026610 2722 chan->unacked_frames = 0;
42e5c802 2723 chan->buffer_seq = 0;
6a026610 2724 chan->frames_sent = 0;
105bdf9e
MM		 2725 chan->last_acked_seq = 0;
2726 chan->sdu = NULL;
2727 chan->sdu_last_frag = NULL;
2728 chan->sdu_len = 0;
2729
d34c34fb
MM		 2730 skb_queue_head_init(&chan->tx_q);
2731
105bdf9e
MM		 2732 if (chan->mode != L2CAP_MODE_ERTM)
2733 return 0;
2734
2735 chan->rx_state = L2CAP_RX_STATE_RECV;
2736 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2737
721c4181
GP		 2738 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2739 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2740 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2741
f1c6775b 2742 skb_queue_head_init(&chan->srej_q);
1890d36b 2743
3c588192
MM		 2744 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2745 if (err < 0)
2746 return err;
2747
9dc9affc
MM		 2748 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2749 if (err < 0)
2750 l2cap_seq_list_free(&chan->srej_list);
2751
2752 return err;
0565c1c2
GP		 2753}
2754
f2fcfcd6
GP		 2755static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2756{
2757 switch (mode) {
2758 case L2CAP_MODE_STREAMING:
2759 case L2CAP_MODE_ERTM:
2760 if (l2cap_mode_supported(mode, remote_feat_mask))
2761 return mode;
2762 /* fall through */
2763 default:
2764 return L2CAP_MODE_BASIC;
2765 }
2766}
2767
6327eb98
AE		 2768static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2769{
2770 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2771}
2772
f89cef09
AE		 2773static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2774{
2775 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2776}
2777
6327eb98
AE		 2778static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2779{
2780 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2781 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2782 /* use extended control field */
2783 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2784 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2785 } else {
6327eb98
AE		 2786 chan->tx_win = min_t(u16, chan->tx_win,
2787 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2788 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2789 }
c20f8e35 2790 chan->ack_win = chan->tx_win;
6327eb98
AE		 2791}
2792
710f9b0a 2793static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2794{
1da177e4 2795 struct l2cap_conf_req *req = data;
0c1bc5c6 2796 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2797 void *ptr = req->data;
c8f79162 2798 u16 size;
1da177e4 2799
49208c9c 2800 BT_DBG("chan %p", chan);
1da177e4 2801
73ffa904 2802 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2803 goto done;
2804
0c1bc5c6 2805 switch (chan->mode) {
f2fcfcd6
GP		 2806 case L2CAP_MODE_STREAMING:
2807 case L2CAP_MODE_ERTM:
c1360a1c 2808 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2809 break;
85eb53c6 2810
f89cef09
AE		 2811 if (__l2cap_efs_supported(chan))
2812 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2813
2ba13ed6 2814 /* fall through */
f2fcfcd6 2815 default:
8c1d787b 2816 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2817 break;
2818 }
2819
2820done:
0c1bc5c6
GP		 2821 if (chan->imtu != L2CAP_DEFAULT_MTU)
2822 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2823
0c1bc5c6 2824 switch (chan->mode) {
65c7c491 2825 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2826 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2827 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2828 break;
2829
62547752
GP		 2830 rfc.mode = L2CAP_MODE_BASIC;
2831 rfc.txwin_size = 0;
2832 rfc.max_transmit = 0;
2833 rfc.retrans_timeout = 0;
2834 rfc.monitor_timeout = 0;
2835 rfc.max_pdu_size = 0;
2836
63406504
GP		 2837 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2838 (unsigned long) &rfc);
65c7c491
MH		 2839 break;
2840
2841 case L2CAP_MODE_ERTM:
2842 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2843 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2844 rfc.retrans_timeout = 0;
2845 rfc.monitor_timeout = 0;
c8f79162
AE		 2846
2847 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2848 L2CAP_EXT_HDR_SIZE -
2849 L2CAP_SDULEN_SIZE -
2850 L2CAP_FCS_SIZE);
2851 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2852
6327eb98
AE		 2853 l2cap_txwin_setup(chan);
2854
2855 rfc.txwin_size = min_t(u16, chan->tx_win,
2856 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2857
63406504
GP		 2858 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2859 (unsigned long) &rfc);
2860
f89cef09
AE		 2861 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2862 l2cap_add_opt_efs(&ptr, chan);
2863
8c1d787b 2864 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2865 break;
2866
47d1ec61 2867 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2868 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2869 chan->fcs = L2CAP_FCS_NONE;
2870 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2871 }
6327eb98
AE		 2872
2873 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2874 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2875 chan->tx_win);
f2fcfcd6
GP		 2876 break;
2877
2878 case L2CAP_MODE_STREAMING:
273759e2 2879 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 2880 rfc.mode = L2CAP_MODE_STREAMING;
2881 rfc.txwin_size = 0;
2882 rfc.max_transmit = 0;
2883 rfc.retrans_timeout = 0;
2884 rfc.monitor_timeout = 0;
c8f79162
AE		 2885
2886 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2887 L2CAP_EXT_HDR_SIZE -
2888 L2CAP_SDULEN_SIZE -
2889 L2CAP_FCS_SIZE);
2890 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2891
63406504
GP		 2892 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2893 (unsigned long) &rfc);
2894
f89cef09
AE		 2895 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2896 l2cap_add_opt_efs(&ptr, chan);
2897
8c1d787b 2898 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2899 break;
2900
47d1ec61 2901 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2902 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2903 chan->fcs = L2CAP_FCS_NONE;
2904 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2905 }
65c7c491
MH		 2906 break;
2907 }
1da177e4 2908
fe4128e0 2909 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 2910 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 2911
2912 return ptr - data;
2913}
2914
73ffa904 2915static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2916{
5dee9e7c
MH		 2917 struct l2cap_conf_rsp *rsp = data;
2918 void *ptr = rsp->data;
73ffa904
GP		 2919 void *req = chan->conf_req;
2920 int len = chan->conf_len;
5dee9e7c
MH		 2921 int type, hint, olen;
2922 unsigned long val;
6464f35f 2923 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2924 struct l2cap_conf_efs efs;
2925 u8 remote_efs = 0;
861d6882 2926 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2927 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2928 u16 size;
1da177e4 2929
73ffa904 2930 BT_DBG("chan %p", chan);
820ae1b8 2931
5dee9e7c
MH		 2932 while (len >= L2CAP_CONF_OPT_SIZE) {
2933 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2934
589d2746 2935 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2936 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2937
2938 switch (type) {
2939 case L2CAP_CONF_MTU:
861d6882 2940 mtu = val;
5dee9e7c
MH		 2941 break;
2942
2943 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2944 chan->flush_to = val;
5dee9e7c
MH		 2945 break;
2946
2947 case L2CAP_CONF_QOS:
2948 break;
2949
6464f35f
MH		 2950 case L2CAP_CONF_RFC:
2951 if (olen == sizeof(rfc))
2952 memcpy(&rfc, (void *) val, olen);
2953 break;
2954
fcc203c3
GP		 2955 case L2CAP_CONF_FCS:
2956 if (val == L2CAP_FCS_NONE)
c1360a1c 2957 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2958 break;
fcc203c3 2959
42dceae2
AE		 2960 case L2CAP_CONF_EFS:
2961 remote_efs = 1;
2962 if (olen == sizeof(efs))
2963 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2964 break;
2965
6327eb98
AE		 2966 case L2CAP_CONF_EWS:
2967 if (!enable_hs)
2968 return -ECONNREFUSED;
fcc203c3 2969
6327eb98
AE		 2970 set_bit(FLAG_EXT_CTRL, &chan->flags);
2971 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2972 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2973 chan->remote_tx_win = val;
fcc203c3
GP		 2974 break;
2975
5dee9e7c
MH		 2976 default:
2977 if (hint)
2978 break;
2979
2980 result = L2CAP_CONF_UNKNOWN;
2981 *((u8 *) ptr++) = type;
2982 break;
2983 }
2984 }
2985
73ffa904 2986 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2987 goto done;
2988
0c1bc5c6 2989 switch (chan->mode) {
f2fcfcd6
GP		 2990 case L2CAP_MODE_STREAMING:
2991 case L2CAP_MODE_ERTM:
c1360a1c 2992 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2993 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2994 chan->conn->feat_mask);
85eb53c6
GP		 2995 break;
2996 }
2997
42dceae2
AE		 2998 if (remote_efs) {
2999 if (__l2cap_efs_supported(chan))
3000 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3001 else
3002 return -ECONNREFUSED;
3003 }
3004
0c1bc5c6 3005 if (chan->mode != rfc.mode)
f2fcfcd6 3006 return -ECONNREFUSED;
742e519b 3007
f2fcfcd6 3008 break;
f2fcfcd6
GP		 3009 }
3010
3011done:
0c1bc5c6 3012 if (chan->mode != rfc.mode) {
f2fcfcd6 3013 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3014 rfc.mode = chan->mode;
f2fcfcd6 3015
73ffa904 3016 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3017 return -ECONNREFUSED;
3018
3019 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3020 sizeof(rfc), (unsigned long) &rfc);
3021 }
3022
5dee9e7c
MH		 3023 if (result == L2CAP_CONF_SUCCESS) {
3024 /* Configure output options and let the other side know
3025 * which ones we don't like. */
3026
f2fcfcd6
GP		 3027 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3028 result = L2CAP_CONF_UNACCEPT;
3029 else {
0c1bc5c6 3030 chan->omtu = mtu;
c1360a1c 3031 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3032 }
0c1bc5c6 3033 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3034
42dceae2
AE		 3035 if (remote_efs) {
3036 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3037 efs.stype != L2CAP_SERV_NOTRAFIC &&
3038 efs.stype != chan->local_stype) {
3039
3040 result = L2CAP_CONF_UNACCEPT;
3041
3042 if (chan->num_conf_req >= 1)
3043 return -ECONNREFUSED;
3044
3045 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 3046 sizeof(efs),
42dceae2 3047 (unsigned long) &efs);
0e8b207e 3048 } else {
3e6b3b95 3049 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3050 result = L2CAP_CONF_PENDING;
3051 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3052 }
3053 }
3054
f2fcfcd6
GP		 3055 switch (rfc.mode) {
3056 case L2CAP_MODE_BASIC:
47d1ec61 3057 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3058 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3059 break;
3060
3061 case L2CAP_MODE_ERTM:
6327eb98
AE		 3062 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3063 chan->remote_tx_win = rfc.txwin_size;
3064 else
3065 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3066
2c03a7a4 3067 chan->remote_max_tx = rfc.max_transmit;
1c762159 3068
c8f79162
AE		 3069 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3070 chan->conn->mtu -
3071 L2CAP_EXT_HDR_SIZE -
3072 L2CAP_SDULEN_SIZE -
3073 L2CAP_FCS_SIZE);
3074 rfc.max_pdu_size = cpu_to_le16(size);
3075 chan->remote_mps = size;
f2fcfcd6 3076
10467e9e 3077 rfc.retrans_timeout =
4fd21a88 3078 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 3079 rfc.monitor_timeout =
4fd21a88 3080 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 3081
c1360a1c 3082 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3083
3084 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3085 sizeof(rfc), (unsigned long) &rfc);
3086
42dceae2
AE		 3087 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3088 chan->remote_id = efs.id;
3089 chan->remote_stype = efs.stype;
3090 chan->remote_msdu = le16_to_cpu(efs.msdu);
3091 chan->remote_flush_to =
3092 le32_to_cpu(efs.flush_to);
3093 chan->remote_acc_lat =
3094 le32_to_cpu(efs.acc_lat);
3095 chan->remote_sdu_itime =
3096 le32_to_cpu(efs.sdu_itime);
3097 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3098 sizeof(efs), (unsigned long) &efs);
3099 }
f2fcfcd6
GP		 3100 break;
3101
3102 case L2CAP_MODE_STREAMING:
c8f79162
AE		 3103 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3104 chan->conn->mtu -
3105 L2CAP_EXT_HDR_SIZE -
3106 L2CAP_SDULEN_SIZE -
3107 L2CAP_FCS_SIZE);
3108 rfc.max_pdu_size = cpu_to_le16(size);
3109 chan->remote_mps = size;
f2fcfcd6 3110
c1360a1c 3111 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3112
3113 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3114 sizeof(rfc), (unsigned long) &rfc);
3115
f2fcfcd6
GP		 3116 break;
3117
3118 default:
5dee9e7c 3119 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3120
6464f35f 3121 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3122 rfc.mode = chan->mode;
f2fcfcd6 3123 }
6464f35f 3124
f2fcfcd6 3125 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3126 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3127 }
fe4128e0 3128 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3129 rsp->result = cpu_to_le16(result);
59e54bd1 3130 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3131
3132 return ptr - data;
1da177e4
LT		 3133}
3134
b4450035 3135static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3136{
f2fcfcd6
GP		 3137 struct l2cap_conf_req *req = data;
3138 void *ptr = req->data;
3139 int type, olen;
3140 unsigned long val;
36e999a8 3141 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3142 struct l2cap_conf_efs efs;
f2fcfcd6 3143
fe4128e0 3144 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3145
3146 while (len >= L2CAP_CONF_OPT_SIZE) {
3147 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3148
3149 switch (type) {
3150 case L2CAP_CONF_MTU:
3151 if (val < L2CAP_DEFAULT_MIN_MTU) {
3152 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3153 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3154 } else
0c1bc5c6
GP		 3155 chan->imtu = val;
3156 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3157 break;
3158
3159 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3160 chan->flush_to = val;
f2fcfcd6 3161 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3162 2, chan->flush_to);
f2fcfcd6
GP		 3163 break;
3164
3165 case L2CAP_CONF_RFC:
3166 if (olen == sizeof(rfc))
3167 memcpy(&rfc, (void *)val, olen);
3168
c1360a1c 3169 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3170 rfc.mode != chan->mode)
f2fcfcd6
GP		 3171 return -ECONNREFUSED;
3172
47d1ec61 3173 chan->fcs = 0;
f2fcfcd6
GP		 3174
3175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3176 sizeof(rfc), (unsigned long) &rfc);
3177 break;
6327eb98
AE		 3178
3179 case L2CAP_CONF_EWS:
c20f8e35 3180 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3182 chan->tx_win);
6327eb98 3183 break;
66af7aaf
AE		 3184
3185 case L2CAP_CONF_EFS:
3186 if (olen == sizeof(efs))
3187 memcpy(&efs, (void *)val, olen);
3188
3189 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3190 efs.stype != L2CAP_SERV_NOTRAFIC &&
3191 efs.stype != chan->local_stype)
3192 return -ECONNREFUSED;
3193
3194 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3195 sizeof(efs), (unsigned long) &efs);
3196 break;
f2fcfcd6
GP		 3197 }
3198 }
3199
0c1bc5c6 3200 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3201 return -ECONNREFUSED;
3202
0c1bc5c6 3203 chan->mode = rfc.mode;
6c2ea7a8 3204
0e8b207e 3205 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3206 switch (rfc.mode) {
3207 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3208 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3209 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3210 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3211 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3212 chan->ack_win = min_t(u16, chan->ack_win,
3213 rfc.txwin_size);
66af7aaf
AE		 3214
3215 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3216 chan->local_msdu = le16_to_cpu(efs.msdu);
3217 chan->local_sdu_itime =
3218 le32_to_cpu(efs.sdu_itime);
3219 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3220 chan->local_flush_to =
3221 le32_to_cpu(efs.flush_to);
3222 }
f2fcfcd6 3223 break;
66af7aaf 3224
f2fcfcd6 3225 case L2CAP_MODE_STREAMING:
47d1ec61 3226 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3227 }
3228 }
3229
fe4128e0 3230 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3231 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3232
3233 return ptr - data;
3234}
3235
fe4128e0 3236static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3237{
3238 struct l2cap_conf_rsp *rsp = data;
3239 void *ptr = rsp->data;
1da177e4 3240
fe4128e0 3241 BT_DBG("chan %p", chan);
1da177e4 3242
fe4128e0 3243 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3244 rsp->result = cpu_to_le16(result);
aca3192c 3245 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3246
3247 return ptr - data;
3248}
3249
8c1d787b 3250void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3251{
3252 struct l2cap_conn_rsp rsp;
8c1d787b 3253 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3254 u8 buf[128];
3255
fe4128e0
GP		 3256 rsp.scid = cpu_to_le16(chan->dcid);
3257 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3258 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3259 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
710f9b0a
GP		 3260 l2cap_send_cmd(conn, chan->ident,
3261 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3262
c1360a1c 3263 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3264 return;
3265
710f9b0a
GP		 3266 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3267 l2cap_build_conf_req(chan, buf), buf);
3268 chan->num_conf_req++;
3269}
3270
47d1ec61 3271static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3272{
7b1c0049
GP		 3273 int type, olen;
3274 unsigned long val;
c20f8e35
MM		 3275 /* Use sane default values in case a misbehaving remote device
3276 * did not send an RFC or extended window size option.
3277 */
3278 u16 txwin_ext = chan->ack_win;
3279 struct l2cap_conf_rfc rfc = {
3280 .mode = chan->mode,
3281 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3282 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3283 .max_pdu_size = cpu_to_le16(chan->imtu),
3284 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3285 };
7b1c0049 3286
47d1ec61 3287 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3288
0c1bc5c6 3289 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3290 return;
3291
3292 while (len >= L2CAP_CONF_OPT_SIZE) {
3293 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3294
c20f8e35
MM		 3295 switch (type) {
3296 case L2CAP_CONF_RFC:
3297 if (olen == sizeof(rfc))
3298 memcpy(&rfc, (void *)val, olen);
8f321f85 3299 break;
c20f8e35
MM		 3300 case L2CAP_CONF_EWS:
3301 txwin_ext = val;
3302 break;
3303 }
7b1c0049
GP		 3304 }
3305
7b1c0049
GP		 3306 switch (rfc.mode) {
3307 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3308 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3309 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3310 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3311 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3312 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3313 else
3314 chan->ack_win = min_t(u16, chan->ack_win,
3315 rfc.txwin_size);
7b1c0049
GP		 3316 break;
3317 case L2CAP_MODE_STREAMING:
47d1ec61 3318 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3319 }
3320}
3321
4e8402a3
MH		 3322static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3323{
e2fd318e 3324 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3325
e2fd318e 3326 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3327 return 0;
3328
3329 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3330 cmd->ident == conn->info_ident) {
17cd3f37 3331 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3332
3333 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3334 conn->info_ident = 0;
984947dc 3335
4e8402a3
MH		 3336 l2cap_conn_start(conn);
3337 }
3338
3339 return 0;
3340}
3341
1da177e4
LT		 3342static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3343{
1da177e4
LT		 3344 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3345 struct l2cap_conn_rsp rsp;
23691d75 3346 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3347 struct sock *parent, *sk = NULL;
e7c29cb1 3348 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3349
3350 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3351 __le16 psm = req->psm;
1da177e4 3352
097db76c 3353 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3354
3355 /* Check if we have socket listening on psm */
c2287681 3356 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3357 if (!pchan) {
1da177e4
LT		 3358 result = L2CAP_CR_BAD_PSM;
3359 goto sendresp;
3360 }
3361
23691d75
GP		 3362 parent = pchan->sk;
3363
3df91ea2 3364 mutex_lock(&conn->chan_lock);
aa2ac881 3365 lock_sock(parent);
e0f0cb56 3366
e7c29cb1 3367 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3368 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
e7c29cb1 3369 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3370 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3371 result = L2CAP_CR_SEC_BLOCK;
3372 goto response;
3373 }
3374
1da177e4
LT		 3375 result = L2CAP_CR_NO_MEM;
3376
2dfa1003
GP		 3377 /* Check if we already have channel with that dcid */
3378 if (__l2cap_get_chan_by_dcid(conn, scid))
3379 goto response;
3380
80b98027 3381 chan = pchan->ops->new_connection(pchan);
80808e43 3382 if (!chan)
1da177e4
LT		 3383 goto response;
3384
80808e43
GP		 3385 sk = chan->sk;
3386
1da177e4
LT		 3387 hci_conn_hold(conn->hcon);
3388
1da177e4
LT		 3389 bacpy(&bt_sk(sk)->src, conn->src);
3390 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3391 chan->psm = psm;
3392 chan->dcid = scid;
1da177e4 3393
d1010240
GP		 3394 bt_accept_enqueue(parent, sk);
3395
6be36555 3396 __l2cap_chan_add(conn, chan);
48454079 3397
fe4128e0 3398 dcid = chan->scid;
1da177e4 3399
c9b66675 3400 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3401
fc7f8a7e 3402 chan->ident = cmd->ident;
1da177e4 3403
984947dc 3404 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3405 if (l2cap_chan_check_security(chan)) {
c5daa683 3406 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3407 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3408 result = L2CAP_CR_PEND;
3409 status = L2CAP_CS_AUTHOR_PEND;
3410 parent->sk_data_ready(parent, 0);
3411 } else {
0e587be7 3412 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3413 result = L2CAP_CR_SUCCESS;
3414 status = L2CAP_CS_NO_INFO;
3415 }
79d554a6 3416 } else {
0e587be7 3417 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3418 result = L2CAP_CR_PEND;
3419 status = L2CAP_CS_AUTHEN_PEND;
3420 }
3421 } else {
0e587be7 3422 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3423 result = L2CAP_CR_PEND;
3424 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3425 }
3426
1da177e4 3427response:
aa2ac881 3428 release_sock(parent);
3df91ea2 3429 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3430
3431sendresp:
aca3192c
YH		 3432 rsp.scid = cpu_to_le16(scid);
3433 rsp.dcid = cpu_to_le16(dcid);
3434 rsp.result = cpu_to_le16(result);
3435 rsp.status = cpu_to_le16(status);
1da177e4 3436 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3437
3438 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3439 struct l2cap_info_req info;
ac73498c 3440 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3441
3442 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3443 conn->info_ident = l2cap_get_ident(conn);
3444
ba13ccd9 3445 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3446
3447 l2cap_send_cmd(conn, conn->info_ident,
3448 L2CAP_INFO_REQ, sizeof(info), &info);
3449 }
3450
c1360a1c 3451 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3452 result == L2CAP_CR_SUCCESS) {
3453 u8 buf[128];
c1360a1c 3454 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3455 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3456 l2cap_build_conf_req(chan, buf), buf);
3457 chan->num_conf_req++;
e9aeb2dd
GP		 3458 }
3459
1da177e4
LT		 3460 return 0;
3461}
3462
3463static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3464{
3465 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3466 u16 scid, dcid, result, status;
48454079 3467 struct l2cap_chan *chan;
1da177e4 3468 u8 req[128];
3df91ea2 3469 int err;
1da177e4
LT		 3470
3471 scid = __le16_to_cpu(rsp->scid);
3472 dcid = __le16_to_cpu(rsp->dcid);
3473 result = __le16_to_cpu(rsp->result);
3474 status = __le16_to_cpu(rsp->status);
3475
1b009c98
AE		 3476 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3477 dcid, scid, result, status);
1da177e4 3478
3df91ea2
AE		 3479 mutex_lock(&conn->chan_lock);
3480
1da177e4 3481 if (scid) {
3df91ea2
AE		 3482 chan = __l2cap_get_chan_by_scid(conn, scid);
3483 if (!chan) {
3484 err = -EFAULT;
3485 goto unlock;
3486 }
1da177e4 3487 } else {
3df91ea2
AE		 3488 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3489 if (!chan) {
3490 err = -EFAULT;
3491 goto unlock;
3492 }
1da177e4
LT		 3493 }
3494
3df91ea2
AE		 3495 err = 0;
3496
6be36555 3497 l2cap_chan_lock(chan);
48454079 3498
1da177e4
LT		 3499 switch (result) {
3500 case L2CAP_CR_SUCCESS:
89bc500e 3501 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3502 chan->ident = 0;
fe4128e0 3503 chan->dcid = dcid;
c1360a1c 3504 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3505
c1360a1c 3506 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3507 break;
3508
1da177e4 3509 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3510 l2cap_build_conf_req(chan, req), req);
3511 chan->num_conf_req++;
1da177e4
LT		 3512 break;
3513
3514 case L2CAP_CR_PEND:
c1360a1c 3515 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3516 break;
3517
3518 default:
48454079 3519 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3520 break;
3521 }
3522
6be36555 3523 l2cap_chan_unlock(chan);
3df91ea2
AE		 3524
3525unlock:
3526 mutex_unlock(&conn->chan_lock);
3527
3528 return err;
1da177e4
LT		 3529}
3530
47d1ec61 3531static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3532{
3533 /* FCS is enabled only in ERTM or streaming mode, if one or both
3534 * sides request it.
3535 */
0c1bc5c6 3536 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3537 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3538 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3539 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3540}
3541
88219a0f 3542static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3543{
3544 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3545 u16 dcid, flags;
3546 u8 rsp[64];
48454079 3547 struct l2cap_chan *chan;
3c588192 3548 int len, err = 0;
1da177e4
LT		 3549
3550 dcid = __le16_to_cpu(req->dcid);
3551 flags = __le16_to_cpu(req->flags);
3552
3553 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3554
baa7e1fa 3555 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3556 if (!chan)
1da177e4
LT		 3557 return -ENOENT;
3558
033b1142 3559 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3560 struct l2cap_cmd_rej_cid rej;
3561
ac73498c 3562 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3563 rej.scid = cpu_to_le16(chan->scid);
3564 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3565
df6bd743
GP		 3566 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3567 sizeof(rej), &rej);
354f60a9 3568 goto unlock;
df6bd743 3569 }
354f60a9 3570
5dee9e7c 3571 /* Reject if config buffer is too small. */
88219a0f 3572 len = cmd_len - sizeof(*req);
7ac28817 3573 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3574 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3575 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3576 L2CAP_CONF_REJECT, flags), rsp);
3577 goto unlock;
3578 }
3579
3580 /* Store config. */
73ffa904
GP		 3581 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3582 chan->conf_len += len;
1da177e4 3583
59e54bd1 3584 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3585 /* Incomplete config. Send empty response. */
3586 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3587 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3588 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3589 goto unlock;
3590 }
3591
3592 /* Complete config. */
73ffa904 3593 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3594 if (len < 0) {
e92c8e70 3595 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3596 goto unlock;
f2fcfcd6 3597 }
1da177e4 3598
5dee9e7c 3599 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3600 chan->num_conf_rsp++;
5dee9e7c 3601
5dee9e7c 3602 /* Reset config buffer. */
73ffa904 3603 chan->conf_len = 0;
5dee9e7c 3604
c1360a1c 3605 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3606 goto unlock;
3607
c1360a1c 3608 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3609 set_default_fcs(chan);
fcc203c3 3610
105bdf9e
MM		 3611 if (chan->mode == L2CAP_MODE_ERTM ||
3612 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3613 err = l2cap_ertm_init(chan);
3614
3615 if (err < 0)
3616 l2cap_send_disconn_req(chan->conn, chan, -err);
3617 else
3618 l2cap_chan_ready(chan);
0565c1c2 3619
876d9484
MH		 3620 goto unlock;
3621 }
3622
c1360a1c 3623 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3624 u8 buf[64];
1da177e4 3625 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3626 l2cap_build_conf_req(chan, buf), buf);
3627 chan->num_conf_req++;
1da177e4
LT		 3628 }
3629
0e8b207e
AE		 3630 /* Got Conf Rsp PENDING from remote side and asume we sent
3631 Conf Rsp PENDING in the code above */
3632 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3633 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3634
3635 /* check compatibility */
3636
3637 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3638 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3639
3640 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3641 l2cap_build_conf_rsp(chan, rsp,
5325e5bb 3642 L2CAP_CONF_SUCCESS, flags), rsp);
0e8b207e
AE		 3643 }
3644
1da177e4 3645unlock:
6be36555 3646 l2cap_chan_unlock(chan);
3c588192 3647 return err;
1da177e4
LT		 3648}
3649
3650static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3651{
3652 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3653 u16 scid, flags, result;
48454079 3654 struct l2cap_chan *chan;
61386cba 3655 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3656 int err = 0;
1da177e4
LT		 3657
3658 scid = __le16_to_cpu(rsp->scid);
3659 flags = __le16_to_cpu(rsp->flags);
3660 result = __le16_to_cpu(rsp->result);
3661
61386cba
AE		 3662 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3663 result, len);
1da177e4 3664
baa7e1fa 3665 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3666 if (!chan)
1da177e4
LT		 3667 return 0;
3668
3669 switch (result) {
3670 case L2CAP_CONF_SUCCESS:
47d1ec61 3671 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3672 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3673 break;
3674
0e8b207e
AE		 3675 case L2CAP_CONF_PENDING:
3676 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3677
3678 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3679 char buf[64];
3680
3681 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3682 buf, &result);
3683 if (len < 0) {
3684 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3685 goto done;
3686 }
3687
3688 /* check compatibility */
3689
3690 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3691 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3692
3693 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3694 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3695 L2CAP_CONF_SUCCESS, 0x0000), buf);
3696 }
3697 goto done;
3698
1da177e4 3699 case L2CAP_CONF_UNACCEPT:
73ffa904 3700 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3701 char req[64];
3702
c2c77ec8 3703 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3704 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3705 goto done;
3706 }
3707
f2fcfcd6
GP		 3708 /* throw out any old stored conf requests */
3709 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3710 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3711 req, &result);
f2fcfcd6 3712 if (len < 0) {
e92c8e70 3713 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3714 goto done;
3715 }
3716
3717 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3718 L2CAP_CONF_REQ, len, req);
73ffa904 3719 chan->num_conf_req++;
f2fcfcd6
GP		 3720 if (result != L2CAP_CONF_SUCCESS)
3721 goto done;
3722 break;
1da177e4
LT		 3723 }
3724
8e87d142 3725 default:
6be36555 3726 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3727
ba13ccd9 3728 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3729 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3730 goto done;
3731 }
3732
59e54bd1 3733 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3734 goto done;
3735
c1360a1c 3736 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3737
c1360a1c 3738 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3739 set_default_fcs(chan);
fcc203c3 3740
105bdf9e
MM		 3741 if (chan->mode == L2CAP_MODE_ERTM ||
3742 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3743 err = l2cap_ertm_init(chan);
0565c1c2 3744
3c588192
MM		 3745 if (err < 0)
3746 l2cap_send_disconn_req(chan->conn, chan, -err);
3747 else
3748 l2cap_chan_ready(chan);
1da177e4
LT		 3749 }
3750
3751done:
6be36555 3752 l2cap_chan_unlock(chan);
3c588192 3753 return err;
1da177e4
LT		 3754}
3755
3756static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3757{
3758 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3759 struct l2cap_disconn_rsp rsp;
3760 u16 dcid, scid;
48454079 3761 struct l2cap_chan *chan;
1da177e4
LT		 3762 struct sock *sk;
3763
3764 scid = __le16_to_cpu(req->scid);
3765 dcid = __le16_to_cpu(req->dcid);
3766
3767 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3768
3df91ea2
AE		 3769 mutex_lock(&conn->chan_lock);
3770
3771 chan = __l2cap_get_chan_by_scid(conn, dcid);
3772 if (!chan) {
3773 mutex_unlock(&conn->chan_lock);
1da177e4 3774 return 0;
3df91ea2 3775 }
1da177e4 3776
6be36555
AE		 3777 l2cap_chan_lock(chan);
3778
48454079
GP		 3779 sk = chan->sk;
3780
fe4128e0
GP		 3781 rsp.dcid = cpu_to_le16(chan->scid);
3782 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3783 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3784
6be36555 3785 lock_sock(sk);
1da177e4 3786 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3787 release_sock(sk);
1da177e4 3788
61d6ef3e 3789 l2cap_chan_hold(chan);
48454079 3790 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3791
3792 l2cap_chan_unlock(chan);
1da177e4 3793
80b98027 3794 chan->ops->close(chan);
61d6ef3e 3795 l2cap_chan_put(chan);
3df91ea2
AE		 3796
3797 mutex_unlock(&conn->chan_lock);
3798
1da177e4
LT		 3799 return 0;
3800}
3801
3802static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3803{
3804 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3805 u16 dcid, scid;
48454079 3806 struct l2cap_chan *chan;
1da177e4
LT		 3807
3808 scid = __le16_to_cpu(rsp->scid);
3809 dcid = __le16_to_cpu(rsp->dcid);
3810
3811 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3812
3df91ea2
AE		 3813 mutex_lock(&conn->chan_lock);
3814
3815 chan = __l2cap_get_chan_by_scid(conn, scid);
3816 if (!chan) {
3817 mutex_unlock(&conn->chan_lock);
1da177e4 3818 return 0;
3df91ea2 3819 }
1da177e4 3820
6be36555 3821 l2cap_chan_lock(chan);
48454079 3822
61d6ef3e 3823 l2cap_chan_hold(chan);
48454079 3824 l2cap_chan_del(chan, 0);
6be36555
AE		 3825
3826 l2cap_chan_unlock(chan);
1da177e4 3827
80b98027 3828 chan->ops->close(chan);
61d6ef3e 3829 l2cap_chan_put(chan);
3df91ea2
AE		 3830
3831 mutex_unlock(&conn->chan_lock);
3832
1da177e4
LT		 3833 return 0;
3834}
3835
3836static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3837{
3838 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3839 u16 type;
3840
3841 type = __le16_to_cpu(req->type);
3842
3843 BT_DBG("type 0x%4.4x", type);
3844
f0709e03
MH		 3845 if (type == L2CAP_IT_FEAT_MASK) {
3846 u8 buf[8];
44dd46de 3847 u32 feat_mask = l2cap_feat_mask;
f0709e03 3848 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 3849 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3850 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3851 if (!disable_ertm)
fcc203c3
GP		 3852 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3853 | L2CAP_FEAT_FCS;
a5fd6f30 3854 if (enable_hs)
6327eb98
AE		 3855 feat_mask |= L2CAP_FEAT_EXT_FLOW
3856 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3857
1b7bf4ed 3858 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3859 l2cap_send_cmd(conn, cmd->ident,
3860 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3861 } else if (type == L2CAP_IT_FIXED_CHAN) {
3862 u8 buf[12];
3863 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3864
3865 if (enable_hs)
3866 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3867 else
3868 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3869
ac73498c
AE		 3870 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3871 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3872 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3873 l2cap_send_cmd(conn, cmd->ident,
3874 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3875 } else {
3876 struct l2cap_info_rsp rsp;
3877 rsp.type = cpu_to_le16(type);
ac73498c 3878 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
f0709e03
MH		 3879 l2cap_send_cmd(conn, cmd->ident,
3880 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3881 }
1da177e4
LT		 3882
3883 return 0;
3884}
3885
3886static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3887{
3888 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3889 u16 type, result;
3890
3891 type = __le16_to_cpu(rsp->type);
3892 result = __le16_to_cpu(rsp->result);
3893
3894 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3895
e90165be
AE		 3896 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3897 if (cmd->ident != conn->info_ident ||
3898 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3899 return 0;
3900
17cd3f37 3901 cancel_delayed_work(&conn->info_timer);
4e8402a3 3902
adb08ede
VT		 3903 if (result != L2CAP_IR_SUCCESS) {
3904 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3905 conn->info_ident = 0;
3906
3907 l2cap_conn_start(conn);
3908
3909 return 0;
3910 }
3911
978c93b9
AE		 3912 switch (type) {
3913 case L2CAP_IT_FEAT_MASK:
83985319 3914 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3915
47ec1dcd 3916 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 3917 struct l2cap_info_req req;
ac73498c 3918 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 3919
3920 conn->info_ident = l2cap_get_ident(conn);
3921
3922 l2cap_send_cmd(conn, conn->info_ident,
3923 L2CAP_INFO_REQ, sizeof(req), &req);
3924 } else {
3925 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3926 conn->info_ident = 0;
3927
3928 l2cap_conn_start(conn);
3929 }
978c93b9
AE		 3930 break;
3931
3932 case L2CAP_IT_FIXED_CHAN:
3933 conn->fixed_chan_mask = rsp->data[0];
984947dc 3934 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3935 conn->info_ident = 0;
984947dc
MH		 3936
3937 l2cap_conn_start(conn);
978c93b9 3938 break;
984947dc 3939 }
4e8402a3 3940
1da177e4
LT		 3941 return 0;
3942}
3943
f94ff6ff
MM		 3944static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3945 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3946 void *data)
3947{
3948 struct l2cap_create_chan_req *req = data;
3949 struct l2cap_create_chan_rsp rsp;
3950 u16 psm, scid;
3951
3952 if (cmd_len != sizeof(*req))
3953 return -EPROTO;
3954
3955 if (!enable_hs)
3956 return -EINVAL;
3957
3958 psm = le16_to_cpu(req->psm);
3959 scid = le16_to_cpu(req->scid);
3960
ad0ac6ca 3961 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff
MM		 3962
3963 /* Placeholder: Always reject */
3964 rsp.dcid = 0;
3965 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3966 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3967 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3968
3969 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3970 sizeof(rsp), &rsp);
3971
3972 return 0;
3973}
3974
3975static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3976 struct l2cap_cmd_hdr *cmd, void *data)
3977{
3978 BT_DBG("conn %p", conn);
3979
3980 return l2cap_connect_rsp(conn, cmd, data);
3981}
3982
8d5a04a1 3983static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 3984 u16 icid, u16 result)
8d5a04a1
MM		 3985{
3986 struct l2cap_move_chan_rsp rsp;
3987
ad0ac6ca 3988 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 3989
3990 rsp.icid = cpu_to_le16(icid);
3991 rsp.result = cpu_to_le16(result);
3992
3993 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3994}
3995
3996static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
ad0ac6ca
AE		 3997 struct l2cap_chan *chan,
3998 u16 icid, u16 result)
8d5a04a1
MM		 3999{
4000 struct l2cap_move_chan_cfm cfm;
4001 u8 ident;
4002
ad0ac6ca 4003 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4004
4005 ident = l2cap_get_ident(conn);
4006 if (chan)
4007 chan->ident = ident;
4008
4009 cfm.icid = cpu_to_le16(icid);
4010 cfm.result = cpu_to_le16(result);
4011
4012 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
4013}
4014
4015static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4016 u16 icid)
8d5a04a1
MM		 4017{
4018 struct l2cap_move_chan_cfm_rsp rsp;
4019
ad0ac6ca 4020 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4021
4022 rsp.icid = cpu_to_le16(icid);
4023 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4024}
4025
4026static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4027 struct l2cap_cmd_hdr *cmd,
4028 u16 cmd_len, void *data)
8d5a04a1
MM		 4029{
4030 struct l2cap_move_chan_req *req = data;
4031 u16 icid = 0;
4032 u16 result = L2CAP_MR_NOT_ALLOWED;
4033
4034 if (cmd_len != sizeof(*req))
4035 return -EPROTO;
4036
4037 icid = le16_to_cpu(req->icid);
4038
ad0ac6ca 4039 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4040
4041 if (!enable_hs)
4042 return -EINVAL;
4043
4044 /* Placeholder: Always refuse */
4045 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
4046
4047 return 0;
4048}
4049
4050static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4051 struct l2cap_cmd_hdr *cmd,
4052 u16 cmd_len, void *data)
8d5a04a1
MM		 4053{
4054 struct l2cap_move_chan_rsp *rsp = data;
4055 u16 icid, result;
4056
4057 if (cmd_len != sizeof(*rsp))
4058 return -EPROTO;
4059
4060 icid = le16_to_cpu(rsp->icid);
4061 result = le16_to_cpu(rsp->result);
4062
ad0ac6ca 4063 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4064
4065 /* Placeholder: Always unconfirmed */
4066 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
4067
4068 return 0;
4069}
4070
4071static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
ad0ac6ca
AE		 4072 struct l2cap_cmd_hdr *cmd,
4073 u16 cmd_len, void *data)
8d5a04a1
MM		 4074{
4075 struct l2cap_move_chan_cfm *cfm = data;
4076 u16 icid, result;
4077
4078 if (cmd_len != sizeof(*cfm))
4079 return -EPROTO;
4080
4081 icid = le16_to_cpu(cfm->icid);
4082 result = le16_to_cpu(cfm->result);
4083
ad0ac6ca 4084 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1
MM		 4085
4086 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4087
4088 return 0;
4089}
4090
4091static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4092 struct l2cap_cmd_hdr *cmd,
4093 u16 cmd_len, void *data)
8d5a04a1
MM		 4094{
4095 struct l2cap_move_chan_cfm_rsp *rsp = data;
4096 u16 icid;
4097
4098 if (cmd_len != sizeof(*rsp))
4099 return -EPROTO;
4100
4101 icid = le16_to_cpu(rsp->icid);
4102
ad0ac6ca 4103 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4104
4105 return 0;
4106}
4107
e2174ca4 4108static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 4109 u16 to_multiplier)
4110{
4111 u16 max_latency;
4112
4113 if (min > max || min < 6 || max > 3200)
4114 return -EINVAL;
4115
4116 if (to_multiplier < 10 || to_multiplier > 3200)
4117 return -EINVAL;
4118
4119 if (max >= to_multiplier * 8)
4120 return -EINVAL;
4121
4122 max_latency = (to_multiplier * 8 / max) - 1;
4123 if (latency > 499 || latency > max_latency)
4124 return -EINVAL;
4125
4126 return 0;
4127}
4128
4129static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4130 struct l2cap_cmd_hdr *cmd, u8 *data)
4131{
4132 struct hci_conn *hcon = conn->hcon;
4133 struct l2cap_conn_param_update_req *req;
4134 struct l2cap_conn_param_update_rsp rsp;
4135 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4136 int err;
de73115a
CT		 4137
4138 if (!(hcon->link_mode & HCI_LM_MASTER))
4139 return -EINVAL;
4140
4141 cmd_len = __le16_to_cpu(cmd->len);
4142 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4143 return -EPROTO;
4144
4145 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4146 min = __le16_to_cpu(req->min);
4147 max = __le16_to_cpu(req->max);
de73115a
CT		 4148 latency = __le16_to_cpu(req->latency);
4149 to_multiplier = __le16_to_cpu(req->to_multiplier);
4150
4151 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4152 min, max, latency, to_multiplier);
4153
4154 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4155
4156 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4157 if (err)
ac73498c 4158 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4159 else
ac73498c 4160 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4161
4162 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4163 sizeof(rsp), &rsp);
4164
2ce603eb
CT		 4165 if (!err)
4166 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4167
de73115a
CT		 4168 return 0;
4169}
4170
3300d9a9
CT		 4171static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4172 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4173{
4174 int err = 0;
4175
4176 switch (cmd->code) {
4177 case L2CAP_COMMAND_REJ:
4178 l2cap_command_rej(conn, cmd, data);
4179 break;
4180
4181 case L2CAP_CONN_REQ:
4182 err = l2cap_connect_req(conn, cmd, data);
4183 break;
4184
4185 case L2CAP_CONN_RSP:
4186 err = l2cap_connect_rsp(conn, cmd, data);
4187 break;
4188
4189 case L2CAP_CONF_REQ:
4190 err = l2cap_config_req(conn, cmd, cmd_len, data);
4191 break;
4192
4193 case L2CAP_CONF_RSP:
4194 err = l2cap_config_rsp(conn, cmd, data);
4195 break;
4196
4197 case L2CAP_DISCONN_REQ:
4198 err = l2cap_disconnect_req(conn, cmd, data);
4199 break;
4200
4201 case L2CAP_DISCONN_RSP:
4202 err = l2cap_disconnect_rsp(conn, cmd, data);
4203 break;
4204
4205 case L2CAP_ECHO_REQ:
4206 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4207 break;
4208
4209 case L2CAP_ECHO_RSP:
4210 break;
4211
4212 case L2CAP_INFO_REQ:
4213 err = l2cap_information_req(conn, cmd, data);
4214 break;
4215
4216 case L2CAP_INFO_RSP:
4217 err = l2cap_information_rsp(conn, cmd, data);
4218 break;
4219
f94ff6ff
MM		 4220 case L2CAP_CREATE_CHAN_REQ:
4221 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4222 break;
4223
4224 case L2CAP_CREATE_CHAN_RSP:
4225 err = l2cap_create_channel_rsp(conn, cmd, data);
4226 break;
4227
8d5a04a1
MM		 4228 case L2CAP_MOVE_CHAN_REQ:
4229 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4230 break;
4231
4232 case L2CAP_MOVE_CHAN_RSP:
4233 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4234 break;
4235
4236 case L2CAP_MOVE_CHAN_CFM:
4237 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4238 break;
4239
4240 case L2CAP_MOVE_CHAN_CFM_RSP:
4241 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4242 break;
4243
3300d9a9
CT		 4244 default:
4245 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4246 err = -EINVAL;
4247 break;
4248 }
4249
4250 return err;
4251}
4252
4253static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4254 struct l2cap_cmd_hdr *cmd, u8 *data)
4255{
4256 switch (cmd->code) {
4257 case L2CAP_COMMAND_REJ:
4258 return 0;
4259
4260 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4261 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4262
4263 case L2CAP_CONN_PARAM_UPDATE_RSP:
4264 return 0;
4265
4266 default:
4267 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4268 return -EINVAL;
4269 }
4270}
4271
4272static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4273 struct sk_buff *skb)
1da177e4
LT		 4274{
4275 u8 *data = skb->data;
4276 int len = skb->len;
4277 struct l2cap_cmd_hdr cmd;
3300d9a9 4278 int err;
1da177e4
LT		 4279
4280 l2cap_raw_recv(conn, skb);
4281
4282 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4283 u16 cmd_len;
1da177e4
LT		 4284 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4285 data += L2CAP_CMD_HDR_SIZE;
4286 len -= L2CAP_CMD_HDR_SIZE;
4287
88219a0f 4288 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4289
88219a0f 4290 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4291
88219a0f 4292 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4293 BT_DBG("corrupted command");
4294 break;
4295 }
4296
3300d9a9
CT		 4297 if (conn->hcon->type == LE_LINK)
4298 err = l2cap_le_sig_cmd(conn, &cmd, data);
4299 else
4300 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4301
4302 if (err) {
e2fd318e 4303 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4304
4305 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4306
4307 /* FIXME: Map err to a valid reason */
ac73498c 4308 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4309 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4310 }
4311
88219a0f
AV		 4312 data += cmd_len;
4313 len -= cmd_len;
1da177e4
LT		 4314 }
4315
4316 kfree_skb(skb);
4317}
4318
47d1ec61 4319static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4320{
4321 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4322 int hdr_size;
4323
4324 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4325 hdr_size = L2CAP_EXT_HDR_SIZE;
4326 else
4327 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4328
47d1ec61 4329 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4330 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4331 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4332 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4333
4334 if (our_fcs != rcv_fcs)
7a560e5c 4335 return -EBADMSG;
fcc203c3
GP		 4336 }
4337 return 0;
4338}
4339
6ea00485 4340static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4341{
e31f7633 4342 struct l2cap_ctrl control;
d5392c8f 4343
e31f7633 4344 BT_DBG("chan %p", chan);
d5392c8f 4345
e31f7633
MM		 4346 memset(&control, 0, sizeof(control));
4347 control.sframe = 1;
4348 control.final = 1;
4349 control.reqseq = chan->buffer_seq;
4350 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4351
e2ab4353 4352 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4353 control.super = L2CAP_SUPER_RNR;
4354 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4355 }
4356
e31f7633
MM		 4357 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4358 chan->unacked_frames > 0)
4359 __set_retrans_timer(chan);
d5392c8f 4360
e31f7633 4361 /* Send pending iframes */
525cd185 4362 l2cap_ertm_send(chan);
d5392c8f 4363
e2ab4353 4364 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4365 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4366 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4367 * send it now.
4368 */
4369 control.super = L2CAP_SUPER_RR;
4370 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4371 }
4372}
4373
84084a31
MM		 4374static void append_skb_frag(struct sk_buff *skb,
4375 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4376{
84084a31
MM		 4377 /* skb->len reflects data in skb as well as all fragments
4378 * skb->data_len reflects only data in fragments
4379 */
4380 if (!skb_has_frag_list(skb))
4381 skb_shinfo(skb)->frag_list = new_frag;
4382
4383 new_frag->next = NULL;
4384
4385 (*last_frag)->next = new_frag;
4386 *last_frag = new_frag;
4387
4388 skb->len += new_frag->len;
4389 skb->data_len += new_frag->len;
4390 skb->truesize += new_frag->truesize;
4391}
4392
4b51dae9
MM		 4393static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4394 struct l2cap_ctrl *control)
84084a31
MM		 4395{
4396 int err = -EINVAL;
18778a63 4397
4b51dae9 4398 switch (control->sar) {
7e0ef6ee 4399 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4400 if (chan->sdu)
4401 break;
18778a63 4402
80b98027 4403 err = chan->ops->recv(chan, skb);
84084a31 4404 break;
18778a63 4405
7e0ef6ee 4406 case L2CAP_SAR_START:
84084a31
MM		 4407 if (chan->sdu)
4408 break;
18778a63 4409
6f61fd47 4410 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4411 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4412
84084a31
MM		 4413 if (chan->sdu_len > chan->imtu) {
4414 err = -EMSGSIZE;
4415 break;
4416 }
1890d36b 4417
84084a31
MM		 4418 if (skb->len >= chan->sdu_len)
4419 break;
18778a63 4420
84084a31
MM		 4421 chan->sdu = skb;
4422 chan->sdu_last_frag = skb;
18778a63 4423
84084a31
MM		 4424 skb = NULL;
4425 err = 0;
18778a63
GP		 4426 break;
4427
7e0ef6ee 4428 case L2CAP_SAR_CONTINUE:
6f61fd47 4429 if (!chan->sdu)
84084a31 4430 break;
18778a63 4431
84084a31
MM		 4432 append_skb_frag(chan->sdu, skb,
4433 &chan->sdu_last_frag);
4434 skb = NULL;
18778a63 4435
84084a31
MM		 4436 if (chan->sdu->len >= chan->sdu_len)
4437 break;
4178ba46 4438
84084a31 4439 err = 0;
18778a63
GP		 4440 break;
4441
7e0ef6ee 4442 case L2CAP_SAR_END:
6f61fd47 4443 if (!chan->sdu)
84084a31 4444 break;
18778a63 4445
84084a31
MM		 4446 append_skb_frag(chan->sdu, skb,
4447 &chan->sdu_last_frag);
4448 skb = NULL;
4178ba46 4449
84084a31
MM		 4450 if (chan->sdu->len != chan->sdu_len)
4451 break;
18778a63 4452
80b98027 4453 err = chan->ops->recv(chan, chan->sdu);
1890d36b 4454
84084a31
MM		 4455 if (!err) {
4456 /* Reassembly complete */
4457 chan->sdu = NULL;
4458 chan->sdu_last_frag = NULL;
4459 chan->sdu_len = 0;
1890d36b 4460 }
18778a63
GP		 4461 break;
4462 }
4463
84084a31
MM		 4464 if (err) {
4465 kfree_skb(skb);
4466 kfree_skb(chan->sdu);
4467 chan->sdu = NULL;
4468 chan->sdu_last_frag = NULL;
4469 chan->sdu_len = 0;
4470 }
18778a63 4471
84084a31 4472 return err;
18778a63
GP		 4473}
4474
61aa4f5b 4475void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4476{
61aa4f5b 4477 u8 event;
712132eb 4478
61aa4f5b
MM		 4479 if (chan->mode != L2CAP_MODE_ERTM)
4480 return;
712132eb 4481
61aa4f5b 4482 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 4483 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 4484}
4485
d2a7ac5d
MM		 4486static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4487{
63838725
MM		 4488 int err = 0;
4489 /* Pass sequential frames to l2cap_reassemble_sdu()
4490 * until a gap is encountered.
4491 */
4492
4493 BT_DBG("chan %p", chan);
4494
4495 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4496 struct sk_buff *skb;
4497 BT_DBG("Searching for skb with txseq %d (queue len %d)",
4498 chan->buffer_seq, skb_queue_len(&chan->srej_q));
4499
4500 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
4501
4502 if (!skb)
4503 break;
4504
4505 skb_unlink(skb, &chan->srej_q);
4506 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4507 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
4508 if (err)
4509 break;
4510 }
4511
4512 if (skb_queue_empty(&chan->srej_q)) {
4513 chan->rx_state = L2CAP_RX_STATE_RECV;
4514 l2cap_send_ack(chan);
4515 }
4516
4517 return err;
d2a7ac5d
MM		 4518}
4519
4520static void l2cap_handle_srej(struct l2cap_chan *chan,
4521 struct l2cap_ctrl *control)
4522{
f80842a8
MM		 4523 struct sk_buff *skb;
4524
4525 BT_DBG("chan %p, control %p", chan, control);
4526
4527 if (control->reqseq == chan->next_tx_seq) {
4528 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4529 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4530 return;
4531 }
4532
4533 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4534
4535 if (skb == NULL) {
4536 BT_DBG("Seq %d not available for retransmission",
4537 control->reqseq);
4538 return;
4539 }
4540
4541 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
4542 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4543 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4544 return;
4545 }
4546
4547 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4548
4549 if (control->poll) {
4550 l2cap_pass_to_tx(chan, control);
4551
4552 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4553 l2cap_retransmit(chan, control);
4554 l2cap_ertm_send(chan);
4555
4556 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4557 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4558 chan->srej_save_reqseq = control->reqseq;
4559 }
4560 } else {
4561 l2cap_pass_to_tx_fbit(chan, control);
4562
4563 if (control->final) {
4564 if (chan->srej_save_reqseq != control->reqseq ||
4565 !test_and_clear_bit(CONN_SREJ_ACT,
4566 &chan->conn_state))
4567 l2cap_retransmit(chan, control);
4568 } else {
4569 l2cap_retransmit(chan, control);
4570 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
4571 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4572 chan->srej_save_reqseq = control->reqseq;
4573 }
4574 }
4575 }
d2a7ac5d
MM		 4576}
4577
4578static void l2cap_handle_rej(struct l2cap_chan *chan,
4579 struct l2cap_ctrl *control)
4580{
fcd289df
MM		 4581 struct sk_buff *skb;
4582
4583 BT_DBG("chan %p, control %p", chan, control);
4584
4585 if (control->reqseq == chan->next_tx_seq) {
4586 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
4587 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4588 return;
4589 }
4590
4591 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
4592
4593 if (chan->max_tx && skb &&
4594 bt_cb(skb)->control.retries >= chan->max_tx) {
4595 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
4596 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4597 return;
4598 }
4599
4600 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4601
4602 l2cap_pass_to_tx(chan, control);
4603
4604 if (control->final) {
4605 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4606 l2cap_retransmit_all(chan, control);
4607 } else {
4608 l2cap_retransmit_all(chan, control);
4609 l2cap_ertm_send(chan);
4610 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
4611 set_bit(CONN_REJ_ACT, &chan->conn_state);
4612 }
d2a7ac5d
MM		 4613}
4614
4b51dae9
MM		 4615static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4616{
4617 BT_DBG("chan %p, txseq %d", chan, txseq);
4618
4619 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4620 chan->expected_tx_seq);
4621
4622 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4623 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4624 chan->tx_win) {
4625 /* See notes below regarding "double poll" and
4626 * invalid packets.
4627 */
4628 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4629 BT_DBG("Invalid/Ignore - after SREJ");
4630 return L2CAP_TXSEQ_INVALID_IGNORE;
4631 } else {
4632 BT_DBG("Invalid - in window after SREJ sent");
4633 return L2CAP_TXSEQ_INVALID;
4634 }
4635 }
4636
4637 if (chan->srej_list.head == txseq) {
4638 BT_DBG("Expected SREJ");
4639 return L2CAP_TXSEQ_EXPECTED_SREJ;
4640 }
4641
4642 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4643 BT_DBG("Duplicate SREJ - txseq already stored");
4644 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4645 }
4646
4647 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4648 BT_DBG("Unexpected SREJ - not requested");
4649 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4650 }
4651 }
4652
4653 if (chan->expected_tx_seq == txseq) {
4654 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4655 chan->tx_win) {
4656 BT_DBG("Invalid - txseq outside tx window");
4657 return L2CAP_TXSEQ_INVALID;
4658 } else {
4659 BT_DBG("Expected");
4660 return L2CAP_TXSEQ_EXPECTED;
4661 }
4662 }
4663
4664 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4665 __seq_offset(chan, chan->expected_tx_seq,
4666 chan->last_acked_seq)){
4667 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4668 return L2CAP_TXSEQ_DUPLICATE;
4669 }
4670
4671 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4672 /* A source of invalid packets is a "double poll" condition,
4673 * where delays cause us to send multiple poll packets. If
4674 * the remote stack receives and processes both polls,
4675 * sequence numbers can wrap around in such a way that a
4676 * resent frame has a sequence number that looks like new data
4677 * with a sequence gap. This would trigger an erroneous SREJ
4678 * request.
4679 *
4680 * Fortunately, this is impossible with a tx window that's
4681 * less than half of the maximum sequence number, which allows
4682 * invalid frames to be safely ignored.
4683 *
4684 * With tx window sizes greater than half of the tx window
4685 * maximum, the frame is invalid and cannot be ignored. This
4686 * causes a disconnect.
4687 */
4688
4689 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4690 BT_DBG("Invalid/Ignore - txseq outside tx window");
4691 return L2CAP_TXSEQ_INVALID_IGNORE;
4692 } else {
4693 BT_DBG("Invalid - txseq outside tx window");
4694 return L2CAP_TXSEQ_INVALID;
4695 }
4696 } else {
4697 BT_DBG("Unexpected - txseq indicates missing frames");
4698 return L2CAP_TXSEQ_UNEXPECTED;
4699 }
4700}
4701
d2a7ac5d
MM		 4702static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4703 struct l2cap_ctrl *control,
4704 struct sk_buff *skb, u8 event)
4705{
4706 int err = 0;
4707 bool skb_in_use = 0;
4708
4709 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4710 event);
4711
4712 switch (event) {
4713 case L2CAP_EV_RECV_IFRAME:
4714 switch (l2cap_classify_txseq(chan, control->txseq)) {
4715 case L2CAP_TXSEQ_EXPECTED:
4716 l2cap_pass_to_tx(chan, control);
4717
4718 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4719 BT_DBG("Busy, discarding expected seq %d",
4720 control->txseq);
4721 break;
4722 }
4723
4724 chan->expected_tx_seq = __next_seq(chan,
4725 control->txseq);
4726
4727 chan->buffer_seq = chan->expected_tx_seq;
4728 skb_in_use = 1;
4729
4730 err = l2cap_reassemble_sdu(chan, skb, control);
4731 if (err)
4732 break;
4733
4734 if (control->final) {
4735 if (!test_and_clear_bit(CONN_REJ_ACT,
4736 &chan->conn_state)) {
4737 control->final = 0;
4738 l2cap_retransmit_all(chan, control);
4739 l2cap_ertm_send(chan);
4740 }
4741 }
4742
4743 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4744 l2cap_send_ack(chan);
4745 break;
4746 case L2CAP_TXSEQ_UNEXPECTED:
4747 l2cap_pass_to_tx(chan, control);
4748
4749 /* Can't issue SREJ frames in the local busy state.
4750 * Drop this frame, it will be seen as missing
4751 * when local busy is exited.
4752 */
4753 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4754 BT_DBG("Busy, discarding unexpected seq %d",
4755 control->txseq);
4756 break;
4757 }
4758
4759 /* There was a gap in the sequence, so an SREJ
4760 * must be sent for each missing frame. The
4761 * current frame is stored for later use.
4762 */
4763 skb_queue_tail(&chan->srej_q, skb);
4764 skb_in_use = 1;
4765 BT_DBG("Queued %p (queue len %d)", skb,
4766 skb_queue_len(&chan->srej_q));
4767
4768 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4769 l2cap_seq_list_clear(&chan->srej_list);
4770 l2cap_send_srej(chan, control->txseq);
4771
4772 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4773 break;
4774 case L2CAP_TXSEQ_DUPLICATE:
4775 l2cap_pass_to_tx(chan, control);
4776 break;
4777 case L2CAP_TXSEQ_INVALID_IGNORE:
4778 break;
4779 case L2CAP_TXSEQ_INVALID:
4780 default:
4781 l2cap_send_disconn_req(chan->conn, chan,
4782 ECONNRESET);
4783 break;
4784 }
4785 break;
4786 case L2CAP_EV_RECV_RR:
4787 l2cap_pass_to_tx(chan, control);
4788 if (control->final) {
4789 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4790
4791 if (!test_and_clear_bit(CONN_REJ_ACT,
4792 &chan->conn_state)) {
4793 control->final = 0;
4794 l2cap_retransmit_all(chan, control);
4795 }
4796
4797 l2cap_ertm_send(chan);
4798 } else if (control->poll) {
4799 l2cap_send_i_or_rr_or_rnr(chan);
4800 } else {
4801 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4802 &chan->conn_state) &&
4803 chan->unacked_frames)
4804 __set_retrans_timer(chan);
4805
4806 l2cap_ertm_send(chan);
4807 }
4808 break;
4809 case L2CAP_EV_RECV_RNR:
4810 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4811 l2cap_pass_to_tx(chan, control);
4812 if (control && control->poll) {
4813 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4814 l2cap_send_rr_or_rnr(chan, 0);
4815 }
4816 __clear_retrans_timer(chan);
4817 l2cap_seq_list_clear(&chan->retrans_list);
4818 break;
4819 case L2CAP_EV_RECV_REJ:
4820 l2cap_handle_rej(chan, control);
4821 break;
4822 case L2CAP_EV_RECV_SREJ:
4823 l2cap_handle_srej(chan, control);
4824 break;
4825 default:
4826 break;
4827 }
4828
4829 if (skb && !skb_in_use) {
4830 BT_DBG("Freeing %p", skb);
4831 kfree_skb(skb);
4832 }
4833
4834 return err;
4835}
4836
4837static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4838 struct l2cap_ctrl *control,
4839 struct sk_buff *skb, u8 event)
4840{
4841 int err = 0;
4842 u16 txseq = control->txseq;
4843 bool skb_in_use = 0;
4844
4845 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4846 event);
4847
4848 switch (event) {
4849 case L2CAP_EV_RECV_IFRAME:
4850 switch (l2cap_classify_txseq(chan, txseq)) {
4851 case L2CAP_TXSEQ_EXPECTED:
4852 /* Keep frame for reassembly later */
4853 l2cap_pass_to_tx(chan, control);
4854 skb_queue_tail(&chan->srej_q, skb);
4855 skb_in_use = 1;
4856 BT_DBG("Queued %p (queue len %d)", skb,
4857 skb_queue_len(&chan->srej_q));
4858
4859 chan->expected_tx_seq = __next_seq(chan, txseq);
4860 break;
4861 case L2CAP_TXSEQ_EXPECTED_SREJ:
4862 l2cap_seq_list_pop(&chan->srej_list);
4863
4864 l2cap_pass_to_tx(chan, control);
4865 skb_queue_tail(&chan->srej_q, skb);
4866 skb_in_use = 1;
4867 BT_DBG("Queued %p (queue len %d)", skb,
4868 skb_queue_len(&chan->srej_q));
4869
4870 err = l2cap_rx_queued_iframes(chan);
4871 if (err)
4872 break;
4873
4874 break;
4875 case L2CAP_TXSEQ_UNEXPECTED:
4876 /* Got a frame that can't be reassembled yet.
4877 * Save it for later, and send SREJs to cover
4878 * the missing frames.
4879 */
4880 skb_queue_tail(&chan->srej_q, skb);
4881 skb_in_use = 1;
4882 BT_DBG("Queued %p (queue len %d)", skb,
4883 skb_queue_len(&chan->srej_q));
4884
4885 l2cap_pass_to_tx(chan, control);
4886 l2cap_send_srej(chan, control->txseq);
4887 break;
4888 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4889 /* This frame was requested with an SREJ, but
4890 * some expected retransmitted frames are
4891 * missing. Request retransmission of missing
4892 * SREJ'd frames.
4893 */
4894 skb_queue_tail(&chan->srej_q, skb);
4895 skb_in_use = 1;
4896 BT_DBG("Queued %p (queue len %d)", skb,
4897 skb_queue_len(&chan->srej_q));
4898
4899 l2cap_pass_to_tx(chan, control);
4900 l2cap_send_srej_list(chan, control->txseq);
4901 break;
4902 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4903 /* We've already queued this frame. Drop this copy. */
4904 l2cap_pass_to_tx(chan, control);
4905 break;
4906 case L2CAP_TXSEQ_DUPLICATE:
4907 /* Expecting a later sequence number, so this frame
4908 * was already received. Ignore it completely.
4909 */
4910 break;
4911 case L2CAP_TXSEQ_INVALID_IGNORE:
4912 break;
4913 case L2CAP_TXSEQ_INVALID:
4914 default:
4915 l2cap_send_disconn_req(chan->conn, chan,
4916 ECONNRESET);
4917 break;
4918 }
4919 break;
4920 case L2CAP_EV_RECV_RR:
4921 l2cap_pass_to_tx(chan, control);
4922 if (control->final) {
4923 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4924
4925 if (!test_and_clear_bit(CONN_REJ_ACT,
4926 &chan->conn_state)) {
4927 control->final = 0;
4928 l2cap_retransmit_all(chan, control);
4929 }
4930
4931 l2cap_ertm_send(chan);
4932 } else if (control->poll) {
4933 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4934 &chan->conn_state) &&
4935 chan->unacked_frames) {
4936 __set_retrans_timer(chan);
4937 }
4938
4939 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4940 l2cap_send_srej_tail(chan);
4941 } else {
4942 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4943 &chan->conn_state) &&
4944 chan->unacked_frames)
4945 __set_retrans_timer(chan);
4946
4947 l2cap_send_ack(chan);
4948 }
4949 break;
4950 case L2CAP_EV_RECV_RNR:
4951 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4952 l2cap_pass_to_tx(chan, control);
4953 if (control->poll) {
4954 l2cap_send_srej_tail(chan);
4955 } else {
4956 struct l2cap_ctrl rr_control;
4957 memset(&rr_control, 0, sizeof(rr_control));
4958 rr_control.sframe = 1;
4959 rr_control.super = L2CAP_SUPER_RR;
4960 rr_control.reqseq = chan->buffer_seq;
4961 l2cap_send_sframe(chan, &rr_control);
4962 }
4963
4964 break;
4965 case L2CAP_EV_RECV_REJ:
4966 l2cap_handle_rej(chan, control);
4967 break;
4968 case L2CAP_EV_RECV_SREJ:
4969 l2cap_handle_srej(chan, control);
4970 break;
4971 }
4972
4973 if (skb && !skb_in_use) {
4974 BT_DBG("Freeing %p", skb);
4975 kfree_skb(skb);
4976 }
4977
4978 return err;
4979}
4980
4981static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4982{
4983 /* Make sure reqseq is for a packet that has been sent but not acked */
4984 u16 unacked;
4985
4986 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4987 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4988}
4989
cec8ab6e
MM		 4990static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4991 struct sk_buff *skb, u8 event)
218bb9df 4992{
d2a7ac5d
MM		 4993 int err = 0;
4994
4995 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4996 control, skb, event, chan->rx_state);
4997
4998 if (__valid_reqseq(chan, control->reqseq)) {
4999 switch (chan->rx_state) {
5000 case L2CAP_RX_STATE_RECV:
5001 err = l2cap_rx_state_recv(chan, control, skb, event);
5002 break;
5003 case L2CAP_RX_STATE_SREJ_SENT:
5004 err = l2cap_rx_state_srej_sent(chan, control, skb,
5005 event);
5006 break;
5007 default:
5008 /* shut it down */
5009 break;
5010 }
5011 } else {
5012 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5013 control->reqseq, chan->next_tx_seq,
5014 chan->expected_ack_seq);
5015 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5016 }
5017
5018 return err;
cec8ab6e
MM		 5019}
5020
5021static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5022 struct sk_buff *skb)
5023{
4b51dae9
MM		 5024 int err = 0;
5025
5026 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5027 chan->rx_state);
5028
5029 if (l2cap_classify_txseq(chan, control->txseq) ==
5030 L2CAP_TXSEQ_EXPECTED) {
5031 l2cap_pass_to_tx(chan, control);
5032
5033 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5034 __next_seq(chan, chan->buffer_seq));
5035
5036 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5037
5038 l2cap_reassemble_sdu(chan, skb, control);
5039 } else {
5040 if (chan->sdu) {
5041 kfree_skb(chan->sdu);
5042 chan->sdu = NULL;
5043 }
5044 chan->sdu_last_frag = NULL;
5045 chan->sdu_len = 0;
5046
5047 if (skb) {
5048 BT_DBG("Freeing %p", skb);
5049 kfree_skb(skb);
5050 }
5051 }
5052
5053 chan->last_acked_seq = control->txseq;
5054 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5055
5056 return err;
cec8ab6e
MM		 5057}
5058
5059static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5060{
5061 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5062 u16 len;
5063 u8 event;
218bb9df 5064
b76bbd66
MM		 5065 __unpack_control(chan, skb);
5066
218bb9df
GP		 5067 len = skb->len;
5068
5069 /*
5070 * We can just drop the corrupted I-frame here.
5071 * Receiver will miss it and start proper recovery
cec8ab6e 5072 * procedures and ask for retransmission.
218bb9df 5073 */
47d1ec61 5074 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5075 goto drop;
5076
cec8ab6e 5077 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5078 len -= L2CAP_SDULEN_SIZE;
218bb9df 5079
47d1ec61 5080 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5081 len -= L2CAP_FCS_SIZE;
218bb9df 5082
47d1ec61 5083 if (len > chan->mps) {
8c1d787b 5084 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5085 goto drop;
5086 }
5087
cec8ab6e
MM		 5088 if (!control->sframe) {
5089 int err;
218bb9df 5090
cec8ab6e
MM		 5091 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5092 control->sar, control->reqseq, control->final,
5093 control->txseq);
218bb9df 5094
cec8ab6e
MM		 5095 /* Validate F-bit - F=0 always valid, F=1 only
5096 * valid in TX WAIT_F
5097 */
5098 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5099 goto drop;
cec8ab6e
MM		 5100
5101 if (chan->mode != L2CAP_MODE_STREAMING) {
5102 event = L2CAP_EV_RECV_IFRAME;
5103 err = l2cap_rx(chan, control, skb, event);
5104 } else {
5105 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 5106 }
5107
cec8ab6e
MM		 5108 if (err)
5109 l2cap_send_disconn_req(chan->conn, chan,
5110 ECONNRESET);
218bb9df 5111 } else {
cec8ab6e
MM		 5112 const u8 rx_func_to_event[4] = {
5113 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
5114 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
5115 };
5116
5117 /* Only I-frames are expected in streaming mode */
5118 if (chan->mode == L2CAP_MODE_STREAMING)
5119 goto drop;
5120
5121 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
5122 control->reqseq, control->final, control->poll,
5123 control->super);
5124
218bb9df
GP		 5125 if (len != 0) {
5126 BT_ERR("%d", len);
8c1d787b 5127 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5128 goto drop;
5129 }
5130
cec8ab6e
MM		 5131 /* Validate F and P bits */
5132 if (control->final && (control->poll ||
5133 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
5134 goto drop;
5135
5136 event = rx_func_to_event[control->super];
5137 if (l2cap_rx(chan, control, skb, event))
5138 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5139 }
5140
5141 return 0;
5142
5143drop:
5144 kfree_skb(skb);
5145 return 0;
5146}
5147
13ca56e0
AE		 5148static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
5149 struct sk_buff *skb)
1da177e4 5150{
48454079 5151 struct l2cap_chan *chan;
1da177e4 5152
baa7e1fa 5153 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 5154 if (!chan) {
97e8e89d
AE		 5155 if (cid == L2CAP_CID_A2MP) {
5156 chan = a2mp_channel_create(conn, skb);
5157 if (!chan) {
5158 kfree_skb(skb);
13ca56e0 5159 return;
97e8e89d
AE		 5160 }
5161
5162 l2cap_chan_lock(chan);
5163 } else {
5164 BT_DBG("unknown cid 0x%4.4x", cid);
5165 /* Drop packet and return */
5166 kfree_skb(skb);
13ca56e0 5167 return;
97e8e89d 5168 }
1da177e4
LT		 5169 }
5170
49208c9c 5171 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5172
89bc500e 5173 if (chan->state != BT_CONNECTED)
1da177e4
LT		 5174 goto drop;
5175
0c1bc5c6 5176 switch (chan->mode) {
1c2acffb
GP		 5177 case L2CAP_MODE_BASIC:
5178 /* If socket recv buffers overflows we drop data here
5179 * which is *bad* because L2CAP has to be reliable.
5180 * But we don't have any other choice. L2CAP doesn't
5181 * provide flow control mechanism. */
1da177e4 5182
0c1bc5c6 5183 if (chan->imtu < skb->len)
1c2acffb 5184 goto drop;
1da177e4 5185
80b98027 5186 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 5187 goto done;
5188 break;
5189
5190 case L2CAP_MODE_ERTM:
6840ed07 5191 case L2CAP_MODE_STREAMING:
cec8ab6e 5192 l2cap_data_rcv(chan, skb);
6840ed07
GP		 5193 goto done;
5194
1c2acffb 5195 default:
0c1bc5c6 5196 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 5197 break;
5198 }
1da177e4
LT		 5199
5200drop:
5201 kfree_skb(skb);
5202
5203done:
6be36555 5204 l2cap_chan_unlock(chan);
1da177e4
LT		 5205}
5206
84104b24
AE		 5207static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
5208 struct sk_buff *skb)
1da177e4 5209{
23691d75 5210 struct l2cap_chan *chan;
1da177e4 5211
c2287681 5212 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 5213 if (!chan)
1da177e4
LT		 5214 goto drop;
5215
5b4cedaa 5216 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 5217
89bc500e 5218 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 5219 goto drop;
5220
e13e21dc 5221 if (chan->imtu < skb->len)
1da177e4
LT		 5222 goto drop;
5223
80b98027 5224 if (!chan->ops->recv(chan, skb))
84104b24 5225 return;
1da177e4
LT		 5226
5227drop:
5228 kfree_skb(skb);
1da177e4
LT		 5229}
5230
6810fca7
AE		 5231static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
5232 struct sk_buff *skb)
9f69bda6 5233{
23691d75 5234 struct l2cap_chan *chan;
9f69bda6 5235
c2287681 5236 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 5237 if (!chan)
9f69bda6
GP		 5238 goto drop;
5239
5b4cedaa 5240 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 5241
89bc500e 5242 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 5243 goto drop;
5244
e13e21dc 5245 if (chan->imtu < skb->len)
9f69bda6
GP		 5246 goto drop;
5247
80b98027 5248 if (!chan->ops->recv(chan, skb))
6810fca7 5249 return;
9f69bda6
GP		 5250
5251drop:
5252 kfree_skb(skb);
9f69bda6
GP		 5253}
5254
1da177e4
LT		 5255static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5256{
5257 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5258 u16 cid, len;
5259 __le16 psm;
1da177e4
LT		 5260
5261 skb_pull(skb, L2CAP_HDR_SIZE);
5262 cid = __le16_to_cpu(lh->cid);
5263 len = __le16_to_cpu(lh->len);
5264
1c2acffb
GP		 5265 if (len != skb->len) {
5266 kfree_skb(skb);
5267 return;
5268 }
5269
1da177e4
LT		 5270 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5271
5272 switch (cid) {
3300d9a9 5273 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5274 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5275 l2cap_sig_channel(conn, skb);
5276 break;
5277
8db4dc46 5278 case L2CAP_CID_CONN_LESS:
097db76c 5279 psm = get_unaligned((__le16 *) skb->data);
0181a70f 5280 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 5281 l2cap_conless_channel(conn, psm, skb);
5282 break;
5283
9f69bda6
GP		 5284 case L2CAP_CID_LE_DATA:
5285 l2cap_att_channel(conn, cid, skb);
5286 break;
5287
b501d6a1
AB		 5288 case L2CAP_CID_SMP:
5289 if (smp_sig_channel(conn, skb))
5290 l2cap_conn_del(conn->hcon, EACCES);
5291 break;
5292
1da177e4
LT		 5293 default:
5294 l2cap_data_channel(conn, cid, skb);
5295 break;
5296 }
5297}
5298
5299/* ---- L2CAP interface with lower layer (HCI) ---- */
5300
686ebf28 5301int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5302{
5303 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5304 struct l2cap_chan *c;
1da177e4 5305
1da177e4
LT		 5306 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5307
5308 /* Find listening sockets and check their link_mode */
23691d75
GP		 5309 read_lock(&chan_list_lock);
5310 list_for_each_entry(c, &chan_list, global_l) {
5311 struct sock *sk = c->sk;
4343478f 5312
89bc500e 5313 if (c->state != BT_LISTEN)
1da177e4
LT		 5314 continue;
5315
5316 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5317 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5318 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5319 lm1 |= HCI_LM_MASTER;
1da177e4 5320 exact++;
2af6b9d5
MH		 5321 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5322 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5323 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5324 lm2 |= HCI_LM_MASTER;
5325 }
1da177e4 5326 }
23691d75 5327 read_unlock(&chan_list_lock);
1da177e4
LT		 5328
5329 return exact ? lm1 : lm2;
5330}
5331
686ebf28 5332int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5333{
0139418c
MH		 5334 struct l2cap_conn *conn;
5335
1da177e4
LT		 5336 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5337
1da177e4 5338 if (!status) {
1da177e4
LT		 5339 conn = l2cap_conn_add(hcon, status);
5340 if (conn)
5341 l2cap_conn_ready(conn);
0139418c 5342 } else
e175072f 5343 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5344
5345 return 0;
5346}
5347
686ebf28 5348int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5349{
5350 struct l2cap_conn *conn = hcon->l2cap_data;
5351
5352 BT_DBG("hcon %p", hcon);
5353
686ebf28 5354 if (!conn)
9f5a0d7b 5355 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5356 return conn->disc_reason;
5357}
5358
686ebf28 5359int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5360{
5361 BT_DBG("hcon %p reason %d", hcon, reason);
5362
e175072f 5363 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5364 return 0;
5365}
5366
4343478f 5367static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5368{
715ec005 5369 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5370 return;
5371
f62e4323 5372 if (encrypt == 0x00) {
4343478f 5373 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5374 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5375 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5376 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5377 } else {
4343478f 5378 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5379 __clear_chan_timer(chan);
f62e4323
MH		 5380 }
5381}
5382
686ebf28 5383int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5384{
0139418c 5385 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5386 struct l2cap_chan *chan;
1da177e4 5387
0139418c 5388 if (!conn)
1da177e4 5389 return 0;
0139418c 5390
89d8b407 5391 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 5392
160dc6ac 5393 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5394 if (!status && encrypt)
5395 smp_distribute_keys(conn, 0);
17cd3f37 5396 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5397 }
5398
3df91ea2 5399 mutex_lock(&conn->chan_lock);
1da177e4 5400
3df91ea2 5401 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5402 l2cap_chan_lock(chan);
1da177e4 5403
89d8b407
AE		 5404 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
5405 state_to_string(chan->state));
f1cb9af5 5406
78eb2f98
AE		 5407 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
5408 l2cap_chan_unlock(chan);
5409 continue;
5410 }
5411
f1cb9af5
VCG		 5412 if (chan->scid == L2CAP_CID_LE_DATA) {
5413 if (!status && encrypt) {
5414 chan->sec_level = hcon->sec_level;
cf4cd009 5415 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5416 }
5417
6be36555 5418 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5419 continue;
5420 }
5421
c1360a1c 5422 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5423 l2cap_chan_unlock(chan);
6a8d3010
MH		 5424 continue;
5425 }
5426
89bc500e
GP		 5427 if (!status && (chan->state == BT_CONNECTED ||
5428 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5429 struct sock *sk = chan->sk;
5430
c5daa683 5431 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5432 sk->sk_state_change(sk);
5433
4343478f 5434 l2cap_check_encryption(chan, encrypt);
6be36555 5435 l2cap_chan_unlock(chan);
9719f8af
MH		 5436 continue;
5437 }
5438
89bc500e 5439 if (chan->state == BT_CONNECT) {
b1235d79 5440 if (!status) {
9b27f350 5441 l2cap_send_conn_req(chan);
b1235d79 5442 } else {
ba13ccd9 5443 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5444 }
89bc500e 5445 } else if (chan->state == BT_CONNECT2) {
6be36555 5446 struct sock *sk = chan->sk;
b1235d79 5447 struct l2cap_conn_rsp rsp;
df3c3931 5448 __u16 res, stat;
1da177e4 5449
6be36555
AE		 5450 lock_sock(sk);
5451
b1235d79 5452 if (!status) {
c5daa683
GP		 5453 if (test_bit(BT_SK_DEFER_SETUP,
5454 &bt_sk(sk)->flags)) {
df3c3931
JH		 5455 struct sock *parent = bt_sk(sk)->parent;
5456 res = L2CAP_CR_PEND;
5457 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5458 if (parent)
5459 parent->sk_data_ready(parent, 0);
df3c3931 5460 } else {
0e587be7 5461 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5462 res = L2CAP_CR_SUCCESS;
5463 stat = L2CAP_CS_NO_INFO;
5464 }
b1235d79 5465 } else {
0e587be7 5466 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5467 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5468 res = L2CAP_CR_SEC_BLOCK;
5469 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5470 }
5471
6be36555
AE		 5472 release_sock(sk);
5473
fe4128e0
GP		 5474 rsp.scid = cpu_to_le16(chan->dcid);
5475 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5476 rsp.result = cpu_to_le16(res);
5477 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5478 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5479 sizeof(rsp), &rsp);
2d369359
MM		 5480
5481 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
5482 res == L2CAP_CR_SUCCESS) {
5483 char buf[128];
5484 set_bit(CONF_REQ_SENT, &chan->conf_state);
5485 l2cap_send_cmd(conn, l2cap_get_ident(conn),
5486 L2CAP_CONF_REQ,
5487 l2cap_build_conf_req(chan, buf),
5488 buf);
5489 chan->num_conf_req++;
5490 }
b1235d79 5491 }
1da177e4 5492
6be36555 5493 l2cap_chan_unlock(chan);
1da177e4
LT		 5494 }
5495
3df91ea2 5496 mutex_unlock(&conn->chan_lock);
b1235d79 5497
1da177e4
LT		 5498 return 0;
5499}
5500
686ebf28 5501int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5502{
5503 struct l2cap_conn *conn = hcon->l2cap_data;
5504
5a08ecce
AE		 5505 if (!conn)
5506 conn = l2cap_conn_add(hcon, 0);
5507
5508 if (!conn)
1da177e4
LT		 5509 goto drop;
5510
5511 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5512
e702112f 5513 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5514 struct l2cap_hdr *hdr;
5515 int len;
5516
5517 if (conn->rx_len) {
5518 BT_ERR("Unexpected start frame (len %d)", skb->len);
5519 kfree_skb(conn->rx_skb);
5520 conn->rx_skb = NULL;
5521 conn->rx_len = 0;
5522 l2cap_conn_unreliable(conn, ECOMM);
5523 }
5524
aae7fe22
AE		 5525 /* Start fragment always begin with Basic L2CAP header */
5526 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5527 BT_ERR("Frame is too short (len %d)", skb->len);
5528 l2cap_conn_unreliable(conn, ECOMM);
5529 goto drop;
5530 }
5531
5532 hdr = (struct l2cap_hdr *) skb->data;
5533 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5534
5535 if (len == skb->len) {
5536 /* Complete frame received */
5537 l2cap_recv_frame(conn, skb);
5538 return 0;
5539 }
5540
5541 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5542
5543 if (skb->len > len) {
5544 BT_ERR("Frame is too long (len %d, expected len %d)",
5545 skb->len, len);
5546 l2cap_conn_unreliable(conn, ECOMM);
5547 goto drop;
5548 }
5549
5550 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5551 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5552 if (!conn->rx_skb)
1da177e4
LT		 5553 goto drop;
5554
d626f62b 5555 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5556 skb->len);
1da177e4
LT		 5557 conn->rx_len = len - skb->len;
5558 } else {
5559 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5560
5561 if (!conn->rx_len) {
5562 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5563 l2cap_conn_unreliable(conn, ECOMM);
5564 goto drop;
5565 }
5566
5567 if (skb->len > conn->rx_len) {
5568 BT_ERR("Fragment is too long (len %d, expected %d)",
5569 skb->len, conn->rx_len);
5570 kfree_skb(conn->rx_skb);
5571 conn->rx_skb = NULL;
5572 conn->rx_len = 0;
5573 l2cap_conn_unreliable(conn, ECOMM);
5574 goto drop;
5575 }
5576
d626f62b 5577 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5578 skb->len);
1da177e4
LT		 5579 conn->rx_len -= skb->len;
5580
5581 if (!conn->rx_len) {
5582 /* Complete frame received */
5583 l2cap_recv_frame(conn, conn->rx_skb);
5584 conn->rx_skb = NULL;
5585 }
5586 }
5587
5588drop:
5589 kfree_skb(skb);
5590 return 0;
5591}
5592
aef7d97c 5593static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5594{
23691d75 5595 struct l2cap_chan *c;
1da177e4 5596
333055f2 5597 read_lock(&chan_list_lock);
1da177e4 5598
23691d75
GP		 5599 list_for_each_entry(c, &chan_list, global_l) {
5600 struct sock *sk = c->sk;
101545f6 5601
903d343e 5602 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5603 batostr(&bt_sk(sk)->src),
5604 batostr(&bt_sk(sk)->dst),
89bc500e 5605 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5606 c->scid, c->dcid, c->imtu, c->omtu,
5607 c->sec_level, c->mode);
61e1b4b7 5608 }
1da177e4 5609
333055f2 5610 read_unlock(&chan_list_lock);
1da177e4 5611
aef7d97c 5612 return 0;
1da177e4
LT		 5613}
5614
aef7d97c
MH		 5615static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5616{
5617 return single_open(file, l2cap_debugfs_show, inode->i_private);
5618}
5619
5620static const struct file_operations l2cap_debugfs_fops = {
5621 .open = l2cap_debugfs_open,
5622 .read = seq_read,
5623 .llseek = seq_lseek,
5624 .release = single_release,
5625};
5626
5627static struct dentry *l2cap_debugfs;
1da177e4 5628
64274518 5629int __init l2cap_init(void)
1da177e4
LT		 5630{
5631 int err;
be9d1227 5632
bb58f747 5633 err = l2cap_init_sockets();
1da177e4
LT		 5634 if (err < 0)
5635 return err;
5636
aef7d97c
MH		 5637 if (bt_debugfs) {
5638 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5639 bt_debugfs, NULL, &l2cap_debugfs_fops);
5640 if (!l2cap_debugfs)
5641 BT_ERR("Failed to create L2CAP debug file");
5642 }
1da177e4 5643
1da177e4 5644 return 0;
1da177e4
LT		 5645}
5646
64274518 5647void l2cap_exit(void)
1da177e4 5648{
aef7d97c 5649 debugfs_remove(l2cap_debugfs);
bb58f747 5650 l2cap_cleanup_sockets();
1da177e4
LT		 5651}
5652
d1c4a17d
GP		 5653module_param(disable_ertm, bool, 0644);
5654MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)