projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add the ERTM receive state machine
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
33#include <linux/types.h>
4fc268d2 34#include <linux/capability.h>
1da177e4
LT		 35#include <linux/errno.h>
36#include <linux/kernel.h>
1da177e4
LT		 37#include <linux/sched.h>
38#include <linux/slab.h>
39#include <linux/poll.h>
40#include <linux/fcntl.h>
41#include <linux/init.h>
42#include <linux/interrupt.h>
43#include <linux/socket.h>
44#include <linux/skbuff.h>
1da177e4 45#include <linux/list.h>
be9d1227 46#include <linux/device.h>
aef7d97c
MH		 47#include <linux/debugfs.h>
48#include <linux/seq_file.h>
af05b30b 49#include <linux/uaccess.h>
fcc203c3 50#include <linux/crc16.h>
1da177e4
LT		 51#include <net/sock.h>
52
1da177e4
LT		 53#include <asm/unaligned.h>
54
55#include <net/bluetooth/bluetooth.h>
56#include <net/bluetooth/hci_core.h>
57#include <net/bluetooth/l2cap.h>
b501d6a1 58#include <net/bluetooth/smp.h>
1da177e4 59
b191e031 60bool disable_ertm = 1;
f0709e03 61
47ec1dcd 62static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 63static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 64
b5ad8b7f
JB		 65static LIST_HEAD(chan_list);
66static DEFINE_RWLOCK(chan_list_lock);
1da177e4 67
1da177e4
LT		 68static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
4519de9a
GP		 70static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
710f9b0a 72static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 73static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 74 struct l2cap_chan *chan, int err);
1da177e4 75
608bcc6d
MM		 76static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
77 struct sk_buff_head *skbs, u8 event);
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
baa7e1fa 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
baa7e1fa 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->scid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
103/* Find channel with given SCID.
ef191ade 104 * Returns locked channel. */
baa7e1fa 105static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
0139418c 106{
48454079 107 struct l2cap_chan *c;
baa7e1fa 108
3df91ea2 109 mutex_lock(&conn->chan_lock);
baa7e1fa 110 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 111 if (c)
112 l2cap_chan_lock(c);
3df91ea2
AE		 113 mutex_unlock(&conn->chan_lock);
114
48454079 115 return c;
0139418c
MH		 116}
117
baa7e1fa 118static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
0139418c 119{
3df91ea2 120 struct l2cap_chan *c;
3d57dc68 121
3df91ea2
AE		 122 list_for_each_entry(c, &conn->chan_l, list) {
123 if (c->ident == ident)
124 return c;
0139418c 125 }
3df91ea2 126 return NULL;
0139418c
MH		 127}
128
23691d75 129static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 130{
23691d75 131 struct l2cap_chan *c;
9e4425ff 132
23691d75
GP		 133 list_for_each_entry(c, &chan_list, global_l) {
134 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 135 return c;
9e4425ff 136 }
250938cb 137 return NULL;
9e4425ff
GP		 138}
139
140int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
141{
73b2ec18
GP		 142 int err;
143
333055f2 144 write_lock(&chan_list_lock);
9e4425ff 145
23691d75 146 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 147 err = -EADDRINUSE;
148 goto done;
9e4425ff
GP		 149 }
150
73b2ec18
GP		 151 if (psm) {
152 chan->psm = psm;
153 chan->sport = psm;
154 err = 0;
155 } else {
156 u16 p;
157
158 err = -EINVAL;
159 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 160 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 161 chan->psm = cpu_to_le16(p);
162 chan->sport = cpu_to_le16(p);
163 err = 0;
164 break;
165 }
166 }
9e4425ff 167
73b2ec18 168done:
333055f2 169 write_unlock(&chan_list_lock);
73b2ec18 170 return err;
9e4425ff
GP		 171}
172
173int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
174{
333055f2 175 write_lock(&chan_list_lock);
9e4425ff
GP		 176
177 chan->scid = scid;
178
333055f2 179 write_unlock(&chan_list_lock);
9e4425ff
GP		 180
181 return 0;
182}
183
baa7e1fa 184static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 185{
8db4dc46 186 u16 cid = L2CAP_CID_DYN_START;
0139418c 187
8db4dc46 188 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 189 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 190 return cid;
191 }
192
193 return 0;
194}
195
0e587be7 196static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 197{
42d2d87c 198 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
badaaa00
GP		 199 state_to_string(state));
200
89bc500e
GP		 201 chan->state = state;
202 chan->ops->state_change(chan->data, state);
203}
204
0e587be7
AE		 205static void l2cap_state_change(struct l2cap_chan *chan, int state)
206{
207 struct sock *sk = chan->sk;
208
209 lock_sock(sk);
210 __l2cap_state_change(chan, state);
211 release_sock(sk);
212}
213
2e0052e4
AE		 214static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
215{
216 struct sock *sk = chan->sk;
217
218 sk->sk_err = err;
219}
220
221static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
222{
223 struct sock *sk = chan->sk;
224
225 lock_sock(sk);
226 __l2cap_chan_set_err(chan, err);
227 release_sock(sk);
228}
229
608bcc6d
MM		 230static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
231 u16 seq)
232{
233 struct sk_buff *skb;
234
235 skb_queue_walk(head, skb) {
236 if (bt_cb(skb)->control.txseq == seq)
237 return skb;
238 }
239
240 return NULL;
241}
242
3c588192
MM		 243/* ---- L2CAP sequence number lists ---- */
244
245/* For ERTM, ordered lists of sequence numbers must be tracked for
246 * SREJ requests that are received and for frames that are to be
247 * retransmitted. These seq_list functions implement a singly-linked
248 * list in an array, where membership in the list can also be checked
249 * in constant time. Items can also be added to the tail of the list
250 * and removed from the head in constant time, without further memory
251 * allocs or frees.
252 */
253
254static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
255{
256 size_t alloc_size, i;
257
258 /* Allocated size is a power of 2 to map sequence numbers
259 * (which may be up to 14 bits) in to a smaller array that is
260 * sized for the negotiated ERTM transmit windows.
261 */
262 alloc_size = roundup_pow_of_two(size);
263
264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
265 if (!seq_list->list)
266 return -ENOMEM;
267
268 seq_list->mask = alloc_size - 1;
269 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
271 for (i = 0; i < alloc_size; i++)
272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
273
274 return 0;
275}
276
277static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
278{
279 kfree(seq_list->list);
280}
281
282static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
283 u16 seq)
284{
285 /* Constant-time check for list membership */
286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
287}
288
289static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
290{
291 u16 mask = seq_list->mask;
292
293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
294 /* In case someone tries to pop the head of an empty list */
295 return L2CAP_SEQ_LIST_CLEAR;
296 } else if (seq_list->head == seq) {
297 /* Head can be removed in constant time */
298 seq_list->head = seq_list->list[seq & mask];
299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
300
301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
302 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
304 }
305 } else {
306 /* Walk the list to find the sequence number */
307 u16 prev = seq_list->head;
308 while (seq_list->list[prev & mask] != seq) {
309 prev = seq_list->list[prev & mask];
310 if (prev == L2CAP_SEQ_LIST_TAIL)
311 return L2CAP_SEQ_LIST_CLEAR;
312 }
313
314 /* Unlink the number from the list and clear it */
315 seq_list->list[prev & mask] = seq_list->list[seq & mask];
316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
317 if (seq_list->tail == seq)
318 seq_list->tail = prev;
319 }
320 return seq;
321}
322
323static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
324{
325 /* Remove the head in constant time */
326 return l2cap_seq_list_remove(seq_list, seq_list->head);
327}
328
329static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
330{
f522ae36 331 u16 i;
3c588192 332
f522ae36
GP		 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 for (i = 0; i <= seq_list->mask; i++)
337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
338
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 341}
342
343static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
344{
345 u16 mask = seq_list->mask;
346
347 /* All appends happen in constant time */
348
f522ae36
GP		 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
350 return;
3c588192 351
f522ae36
GP		 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
353 seq_list->head = seq;
354 else
355 seq_list->list[seq_list->tail & mask] = seq;
356
357 seq_list->tail = seq;
358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 359}
360
721c4181 361static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 362{
721c4181
GP		 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
364 chan_timer.work);
3df91ea2 365 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 366 int reason;
367
e05dcc32 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 369
3df91ea2 370 mutex_lock(&conn->chan_lock);
6be36555 371 l2cap_chan_lock(chan);
ab07801d 372
89bc500e 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 374 reason = ECONNREFUSED;
89bc500e 375 else if (chan->state == BT_CONNECT &&
ab07801d
GP		 376 chan->sec_level != BT_SECURITY_SDP)
377 reason = ECONNREFUSED;
378 else
379 reason = ETIMEDOUT;
380
0f852724 381 l2cap_chan_close(chan, reason);
ab07801d 382
6be36555 383 l2cap_chan_unlock(chan);
ab07801d 384
ba3bd0ee 385 chan->ops->close(chan->data);
3df91ea2
AE		 386 mutex_unlock(&conn->chan_lock);
387
371fd835 388 l2cap_chan_put(chan);
ab07801d
GP		 389}
390
eef1d9b6 391struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 392{
393 struct l2cap_chan *chan;
394
395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
396 if (!chan)
397 return NULL;
398
c03b355e
AE		 399 mutex_init(&chan->lock);
400
333055f2 401 write_lock(&chan_list_lock);
23691d75 402 list_add(&chan->global_l, &chan_list);
333055f2 403 write_unlock(&chan_list_lock);
23691d75 404
721c4181 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 406
89bc500e
GP		 407 chan->state = BT_OPEN;
408
71ba0e56
GP		 409 atomic_set(&chan->refcnt, 1);
410
2827011f
MM		 411 /* This flag is cleared in l2cap_chan_ready() */
412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
413
eef1d9b6 414 BT_DBG("chan %p", chan);
abc545b8 415
48454079
GP		 416 return chan;
417}
418
23691d75 419void l2cap_chan_destroy(struct l2cap_chan *chan)
6ff5abbf 420{
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_del(&chan->global_l);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
371fd835 425 l2cap_chan_put(chan);
6ff5abbf
GP		 426}
427
bd4b1653
AE		 428void l2cap_chan_set_defaults(struct l2cap_chan *chan)
429{
430 chan->fcs = L2CAP_FCS_CRC16;
431 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
432 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
433 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
434 chan->sec_level = BT_SECURITY_LOW;
435
436 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
437}
438
14a28491 439static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 440{
af05b30b 441 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 442 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 443
9f5a0d7b 444 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 445
8c1d787b 446 chan->conn = conn;
0139418c 447
5491120e
AE		 448 switch (chan->chan_type) {
449 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 450 if (conn->hcon->type == LE_LINK) {
451 /* LE connection */
0c1bc5c6 452 chan->omtu = L2CAP_LE_DEFAULT_MTU;
fe4128e0
GP		 453 chan->scid = L2CAP_CID_LE_DATA;
454 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 455 } else {
456 /* Alloc CID for connection-oriented socket */
fe4128e0 457 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 458 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 459 }
5491120e
AE		 460 break;
461
462 case L2CAP_CHAN_CONN_LESS:
0139418c 463 /* Connectionless socket */
fe4128e0
GP		 464 chan->scid = L2CAP_CID_CONN_LESS;
465 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 466 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 467 break;
468
469 default:
0139418c 470 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 471 chan->scid = L2CAP_CID_SIGNALING;
472 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 473 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 474 }
475
8f7975b1
AE		 476 chan->local_id = L2CAP_BESTEFFORT_ID;
477 chan->local_stype = L2CAP_SERV_BESTEFFORT;
478 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
479 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
480 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
481 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
482
371fd835 483 l2cap_chan_hold(chan);
baa7e1fa 484
3df91ea2 485 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 486}
487
14a28491 488static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 489{
490 mutex_lock(&conn->chan_lock);
491 __l2cap_chan_add(conn, chan);
3df91ea2 492 mutex_unlock(&conn->chan_lock);
0139418c
MH		 493}
494
4519de9a 495static void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 496{
48454079 497 struct sock *sk = chan->sk;
8c1d787b 498 struct l2cap_conn *conn = chan->conn;
0139418c
MH		 499 struct sock *parent = bt_sk(sk)->parent;
500
c9b66675 501 __clear_chan_timer(chan);
0139418c 502
49208c9c 503 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 504
8e87d142 505 if (conn) {
baa7e1fa 506 /* Delete from channel list */
3df91ea2 507 list_del(&chan->list);
3d57dc68 508
371fd835 509 l2cap_chan_put(chan);
baa7e1fa 510
8c1d787b 511 chan->conn = NULL;
0139418c
MH		 512 hci_conn_put(conn->hcon);
513 }
514
6be36555
AE		 515 lock_sock(sk);
516
0e587be7 517 __l2cap_state_change(chan, BT_CLOSED);
0139418c
MH		 518 sock_set_flag(sk, SOCK_ZAPPED);
519
520 if (err)
2e0052e4 521 __l2cap_chan_set_err(chan, err);
0139418c
MH		 522
523 if (parent) {
524 bt_accept_unlink(sk);
525 parent->sk_data_ready(parent, 0);
526 } else
527 sk->sk_state_change(sk);
c13ffa62 528
6be36555
AE		 529 release_sock(sk);
530
2827011f 531 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 532 return;
2ead70b8 533
58d35f87 534 skb_queue_purge(&chan->tx_q);
c13ffa62 535
0c1bc5c6 536 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 537 __clear_retrans_timer(chan);
538 __clear_monitor_timer(chan);
539 __clear_ack_timer(chan);
c13ffa62 540
f1c6775b 541 skb_queue_purge(&chan->srej_q);
c13ffa62 542
3c588192
MM		 543 l2cap_seq_list_free(&chan->srej_list);
544 l2cap_seq_list_free(&chan->retrans_list);
c13ffa62 545 }
0139418c
MH		 546}
547
4519de9a
GP		 548static void l2cap_chan_cleanup_listen(struct sock *parent)
549{
550 struct sock *sk;
551
552 BT_DBG("parent %p", parent);
553
554 /* Close not yet accepted channels */
0f852724 555 while ((sk = bt_accept_dequeue(parent, NULL))) {
ba3bd0ee 556 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3df91ea2 557
6be36555 558 l2cap_chan_lock(chan);
c9b66675 559 __clear_chan_timer(chan);
ba3bd0ee 560 l2cap_chan_close(chan, ECONNRESET);
6be36555 561 l2cap_chan_unlock(chan);
3df91ea2 562
ba3bd0ee 563 chan->ops->close(chan->data);
0f852724 564 }
4519de9a
GP		 565}
566
0f852724 567void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 568{
569 struct l2cap_conn *conn = chan->conn;
570 struct sock *sk = chan->sk;
571
e05dcc32
AE		 572 BT_DBG("chan %p state %s sk %p", chan,
573 state_to_string(chan->state), sk);
4519de9a 574
89bc500e 575 switch (chan->state) {
4519de9a 576 case BT_LISTEN:
6be36555 577 lock_sock(sk);
4519de9a 578 l2cap_chan_cleanup_listen(sk);
89bc500e 579
0e587be7 580 __l2cap_state_change(chan, BT_CLOSED);
89bc500e 581 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 582 release_sock(sk);
4519de9a
GP		 583 break;
584
585 case BT_CONNECTED:
586 case BT_CONFIG:
715ec005 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a 588 conn->hcon->type == ACL_LINK) {
c9b66675 589 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 590 l2cap_send_disconn_req(conn, chan, reason);
591 } else
592 l2cap_chan_del(chan, reason);
593 break;
594
595 case BT_CONNECT2:
715ec005 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
4519de9a
GP		 597 conn->hcon->type == ACL_LINK) {
598 struct l2cap_conn_rsp rsp;
599 __u16 result;
600
c5daa683 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 602 result = L2CAP_CR_SEC_BLOCK;
603 else
604 result = L2CAP_CR_BAD_PSM;
89bc500e 605 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 606
607 rsp.scid = cpu_to_le16(chan->dcid);
608 rsp.dcid = cpu_to_le16(chan->scid);
609 rsp.result = cpu_to_le16(result);
610 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
612 sizeof(rsp), &rsp);
613 }
614
615 l2cap_chan_del(chan, reason);
616 break;
617
618 case BT_CONNECT:
619 case BT_DISCONN:
620 l2cap_chan_del(chan, reason);
621 break;
622
623 default:
6be36555 624 lock_sock(sk);
4519de9a 625 sock_set_flag(sk, SOCK_ZAPPED);
6be36555 626 release_sock(sk);
4519de9a
GP		 627 break;
628 }
629}
630
4343478f 631static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 632{
715ec005 633 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 634 switch (chan->sec_level) {
8556edd3
JH		 635 case BT_SECURITY_HIGH:
636 return HCI_AT_DEDICATED_BONDING_MITM;
637 case BT_SECURITY_MEDIUM:
638 return HCI_AT_DEDICATED_BONDING;
639 default:
640 return HCI_AT_NO_BONDING;
641 }
fe4128e0 642 } else if (chan->psm == cpu_to_le16(0x0001)) {
4343478f
GP		 643 if (chan->sec_level == BT_SECURITY_LOW)
644 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 645
4343478f 646 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 647 return HCI_AT_NO_BONDING_MITM;
00ae4af9 648 else
8556edd3 649 return HCI_AT_NO_BONDING;
00ae4af9 650 } else {
4343478f 651 switch (chan->sec_level) {
00ae4af9 652 case BT_SECURITY_HIGH:
8556edd3 653 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 654 case BT_SECURITY_MEDIUM:
8556edd3 655 return HCI_AT_GENERAL_BONDING;
00ae4af9 656 default:
8556edd3 657 return HCI_AT_NO_BONDING;
00ae4af9 658 }
0684e5f9 659 }
8556edd3
JH		 660}
661
662/* Service level security */
d45fc423 663int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 664{
8c1d787b 665 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 666 __u8 auth_type;
667
4343478f 668 auth_type = l2cap_get_auth_type(chan);
79d554a6 669
4343478f 670 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 671}
672
b5ad8b7f 673static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 674{
675 u8 id;
676
677 /* Get next available identificator.
678 * 1 - 128 are used by kernel.
679 * 129 - 199 are reserved.
680 * 200 - 254 are used by utilities like l2ping, etc.
681 */
682
333055f2 683 spin_lock(&conn->lock);
4e8402a3
MH		 684
685 if (++conn->tx_ident > 128)
686 conn->tx_ident = 1;
687
688 id = conn->tx_ident;
689
333055f2 690 spin_unlock(&conn->lock);
4e8402a3
MH		 691
692 return id;
693}
694
4519de9a 695static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 696{
697 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 698 u8 flags;
4e8402a3
MH		 699
700 BT_DBG("code 0x%2.2x", code);
701
702 if (!skb)
9a9c6a34 703 return;
4e8402a3 704
e702112f
AE		 705 if (lmp_no_flush_capable(conn->hcon->hdev))
706 flags = ACL_START_NO_FLUSH;
707 else
708 flags = ACL_START;
709
14b12d0b 710 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 711 skb->priority = HCI_PRIO_MAX;
14b12d0b 712
73d80deb
LAD		 713 hci_send_acl(conn->hchan, skb, flags);
714}
715
716static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
717{
718 struct hci_conn *hcon = chan->conn->hcon;
719 u16 flags;
720
721 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
722 skb->priority);
723
724 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
725 lmp_no_flush_capable(hcon->hdev))
726 flags = ACL_START_NO_FLUSH;
727 else
728 flags = ACL_START;
14b12d0b 729
73d80deb
LAD		 730 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
731 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 732}
733
b76bbd66
MM		 734static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
735{
736 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
737 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
738
739 if (enh & L2CAP_CTRL_FRAME_TYPE) {
740 /* S-Frame */
741 control->sframe = 1;
742 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
743 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
744
745 control->sar = 0;
746 control->txseq = 0;
747 } else {
748 /* I-Frame */
749 control->sframe = 0;
750 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
751 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
752
753 control->poll = 0;
754 control->super = 0;
755 }
756}
757
b76bbd66
MM		 758static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
759{
760 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
761 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
762
763 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
764 /* S-Frame */
765 control->sframe = 1;
766 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
767 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
768
769 control->sar = 0;
770 control->txseq = 0;
771 } else {
772 /* I-Frame */
773 control->sframe = 0;
774 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
775 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
776
777 control->poll = 0;
778 control->super = 0;
779 }
780}
781
782static inline void __unpack_control(struct l2cap_chan *chan,
783 struct sk_buff *skb)
784{
785 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
786 __unpack_extended_control(get_unaligned_le32(skb->data),
787 &bt_cb(skb)->control);
cec8ab6e 788 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 789 } else {
790 __unpack_enhanced_control(get_unaligned_le16(skb->data),
791 &bt_cb(skb)->control);
cec8ab6e 792 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 793 }
794}
795
b5c6aaed
MM		 796static u32 __pack_extended_control(struct l2cap_ctrl *control)
797{
798 u32 packed;
799
800 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
801 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
802
803 if (control->sframe) {
804 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
805 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
806 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
807 } else {
808 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
809 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
810 }
811
812 return packed;
813}
814
815static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
816{
817 u16 packed;
818
819 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
820 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
821
822 if (control->sframe) {
823 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
824 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
825 packed |= L2CAP_CTRL_FRAME_TYPE;
826 } else {
827 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
828 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
829 }
830
831 return packed;
832}
833
b76bbd66
MM		 834static inline void __pack_control(struct l2cap_chan *chan,
835 struct l2cap_ctrl *control,
836 struct sk_buff *skb)
837{
838 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
839 put_unaligned_le32(__pack_extended_control(control),
840 skb->data + L2CAP_HDR_SIZE);
841 } else {
842 put_unaligned_le16(__pack_enhanced_control(control),
843 skb->data + L2CAP_HDR_SIZE);
844 }
845}
846
a67d7f6f
MM		 847static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
848 u32 control)
b5c6aaed
MM		 849{
850 struct sk_buff *skb;
851 struct l2cap_hdr *lh;
a67d7f6f 852 int hlen;
b5c6aaed
MM		 853
854 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
855 hlen = L2CAP_EXT_HDR_SIZE;
856 else
857 hlen = L2CAP_ENH_HDR_SIZE;
858
859 if (chan->fcs == L2CAP_FCS_CRC16)
860 hlen += L2CAP_FCS_SIZE;
861
a67d7f6f 862 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 863
b5c6aaed 864 if (!skb)
a67d7f6f 865 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
a67d7f6f
MM		 871 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
872 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
873 else
874 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 875
876 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 877 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 878 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
879 }
880
881 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 882 return skb;
883}
884
885static void l2cap_send_sframe(struct l2cap_chan *chan,
886 struct l2cap_ctrl *control)
887{
888 struct sk_buff *skb;
889 u32 control_field;
890
891 BT_DBG("chan %p, control %p", chan, control);
892
893 if (!control->sframe)
894 return;
895
896 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
897 !control->poll)
898 control->final = 1;
899
900 if (control->super == L2CAP_SUPER_RR)
901 clear_bit(CONN_RNR_SENT, &chan->conn_state);
902 else if (control->super == L2CAP_SUPER_RNR)
903 set_bit(CONN_RNR_SENT, &chan->conn_state);
904
905 if (control->super != L2CAP_SUPER_SREJ) {
906 chan->last_acked_seq = control->reqseq;
907 __clear_ack_timer(chan);
908 }
909
910 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
911 control->final, control->poll, control->super);
912
913 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
914 control_field = __pack_extended_control(control);
915 else
916 control_field = __pack_enhanced_control(control);
917
918 skb = l2cap_create_sframe_pdu(chan, control_field);
919 if (!IS_ERR(skb))
920 l2cap_do_send(chan, skb);
b5c6aaed
MM		 921}
922
923static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
924{
925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
926 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
927 set_bit(CONN_RNR_SENT, &chan->conn_state);
928 } else
929 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
930
931 control |= __set_reqseq(chan, chan->buffer_seq);
b5c6aaed
MM		 932}
933
b4450035 934static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 935{
c1360a1c 936 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 937}
938
9b27f350
AE		 939static void l2cap_send_conn_req(struct l2cap_chan *chan)
940{
941 struct l2cap_conn *conn = chan->conn;
942 struct l2cap_conn_req req;
943
944 req.scid = cpu_to_le16(chan->scid);
945 req.psm = chan->psm;
946
947 chan->ident = l2cap_get_ident(conn);
948
949 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
950
951 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
952}
953
9f0caeb1
VCG		 954static void l2cap_chan_ready(struct l2cap_chan *chan)
955{
956 struct sock *sk = chan->sk;
957 struct sock *parent;
958
959 lock_sock(sk);
960
961 parent = bt_sk(sk)->parent;
962
963 BT_DBG("sk %p, parent %p", sk, parent);
964
2827011f 965 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 966 chan->conf_state = 0;
967 __clear_chan_timer(chan);
968
969 __l2cap_state_change(chan, BT_CONNECTED);
970 sk->sk_state_change(sk);
971
972 if (parent)
973 parent->sk_data_ready(parent, 0);
974
975 release_sock(sk);
976}
977
fc7f8a7e 978static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 979{
8c1d787b 980 struct l2cap_conn *conn = chan->conn;
79d554a6 981
9f0caeb1
VCG		 982 if (conn->hcon->type == LE_LINK) {
983 l2cap_chan_ready(chan);
984 return;
985 }
986
79d554a6 987 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 988 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
989 return;
990
d45fc423 991 if (l2cap_chan_check_security(chan) &&
9b27f350
AE		 992 __l2cap_no_conn_pending(chan))
993 l2cap_send_conn_req(chan);
79d554a6
MH		 994 } else {
995 struct l2cap_info_req req;
996 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
997
998 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
999 conn->info_ident = l2cap_get_ident(conn);
1000
ba13ccd9 1001 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 1002
1003 l2cap_send_cmd(conn, conn->info_ident,
1004 L2CAP_INFO_REQ, sizeof(req), &req);
1005 }
1006}
1007
cf6c2c0b
GP		 1008static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1009{
1010 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1011 if (!disable_ertm)
cf6c2c0b
GP		 1012 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1013
1014 switch (mode) {
1015 case L2CAP_MODE_ERTM:
1016 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1017 case L2CAP_MODE_STREAMING:
1018 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1019 default:
1020 return 0x00;
1021 }
1022}
1023
4519de9a 1024static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
22121fc9 1025{
6be36555 1026 struct sock *sk = chan->sk;
22121fc9
GP		 1027 struct l2cap_disconn_req req;
1028
c13ffa62
GP		 1029 if (!conn)
1030 return;
1031
0c1bc5c6 1032 if (chan->mode == L2CAP_MODE_ERTM) {
1a09bcb9
GP		 1033 __clear_retrans_timer(chan);
1034 __clear_monitor_timer(chan);
1035 __clear_ack_timer(chan);
c13ffa62
GP		 1036 }
1037
fe4128e0
GP		 1038 req.dcid = cpu_to_le16(chan->dcid);
1039 req.scid = cpu_to_le16(chan->scid);
22121fc9
GP		 1040 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1041 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62 1042
6be36555 1043 lock_sock(sk);
0e587be7 1044 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1045 __l2cap_chan_set_err(chan, err);
6be36555 1046 release_sock(sk);
22121fc9
GP		 1047}
1048
1da177e4 1049/* ---- L2CAP connections ---- */
4e8402a3
MH		 1050static void l2cap_conn_start(struct l2cap_conn *conn)
1051{
3df91ea2 1052 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1053
1054 BT_DBG("conn %p", conn);
1055
3df91ea2 1056 mutex_lock(&conn->chan_lock);
4e8402a3 1057
3df91ea2 1058 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1059 struct sock *sk = chan->sk;
baa7e1fa 1060
6be36555 1061 l2cap_chan_lock(chan);
4e8402a3 1062
715ec005 1063 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1064 l2cap_chan_unlock(chan);
79d554a6
MH		 1065 continue;
1066 }
1067
89bc500e 1068 if (chan->state == BT_CONNECT) {
d45fc423 1069 if (!l2cap_chan_check_security(chan) ||
b4450035 1070 !__l2cap_no_conn_pending(chan)) {
6be36555 1071 l2cap_chan_unlock(chan);
47731de7
GP		 1072 continue;
1073 }
79d554a6 1074
c1360a1c
GP		 1075 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1076 && test_bit(CONF_STATE2_DEVICE,
1077 &chan->conf_state)) {
89bc500e 1078 l2cap_chan_close(chan, ECONNRESET);
6be36555 1079 l2cap_chan_unlock(chan);
47731de7 1080 continue;
b1235d79 1081 }
47731de7 1082
9b27f350 1083 l2cap_send_conn_req(chan);
47731de7 1084
89bc500e 1085 } else if (chan->state == BT_CONNECT2) {
79d554a6 1086 struct l2cap_conn_rsp rsp;
e9aeb2dd 1087 char buf[128];
fe4128e0
GP		 1088 rsp.scid = cpu_to_le16(chan->dcid);
1089 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1090
d45fc423 1091 if (l2cap_chan_check_security(chan)) {
6be36555 1092 lock_sock(sk);
c5daa683
GP		 1093 if (test_bit(BT_SK_DEFER_SETUP,
1094 &bt_sk(sk)->flags)) {
f66dc81f
MH		 1095 struct sock *parent = bt_sk(sk)->parent;
1096 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1097 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
05e9a2f6
IK		 1098 if (parent)
1099 parent->sk_data_ready(parent, 0);
f66dc81f
MH		 1100
1101 } else {
0e587be7 1102 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 1103 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1104 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1105 }
6be36555 1106 release_sock(sk);
79d554a6
MH		 1107 } else {
1108 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1109 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1110 }
1111
fc7f8a7e
GP		 1112 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1113 sizeof(rsp), &rsp);
e9aeb2dd 1114
c1360a1c 1115 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
e9aeb2dd 1116 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1117 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1118 continue;
1119 }
1120
c1360a1c 1121 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1122 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 1123 l2cap_build_conf_req(chan, buf), buf);
1124 chan->num_conf_req++;
4e8402a3
MH		 1125 }
1126
6be36555 1127 l2cap_chan_unlock(chan);
4e8402a3
MH		 1128 }
1129
3df91ea2 1130 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1131}
1132
c2287681 1133/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1134 * Returns closest match, locked.
1135 */
d9b88702 1136static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1137 bdaddr_t *src,
1138 bdaddr_t *dst)
b62f328b 1139{
23691d75 1140 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1141
23691d75 1142 read_lock(&chan_list_lock);
b62f328b 1143
23691d75
GP		 1144 list_for_each_entry(c, &chan_list, global_l) {
1145 struct sock *sk = c->sk;
fe4128e0 1146
89bc500e 1147 if (state && c->state != state)
b62f328b
VT		 1148 continue;
1149
23691d75 1150 if (c->scid == cid) {
c2287681
IY		 1151 int src_match, dst_match;
1152 int src_any, dst_any;
1153
b62f328b 1154 /* Exact match. */
c2287681
IY		 1155 src_match = !bacmp(&bt_sk(sk)->src, src);
1156 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1157 if (src_match && dst_match) {
23691d75
GP		 1158 read_unlock(&chan_list_lock);
1159 return c;
1160 }
b62f328b
VT		 1161
1162 /* Closest match */
c2287681
IY		 1163 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1164 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1165 if ((src_match && dst_any) || (src_any && dst_match) ||
1166 (src_any && dst_any))
23691d75 1167 c1 = c;
b62f328b
VT		 1168 }
1169 }
280f294f 1170
23691d75 1171 read_unlock(&chan_list_lock);
b62f328b 1172
23691d75 1173 return c1;
b62f328b
VT		 1174}
1175
1176static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1177{
c916fbe4 1178 struct sock *parent, *sk;
23691d75 1179 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1180
1181 BT_DBG("");
1182
1183 /* Check if we have socket listening on cid */
23691d75 1184 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1185 conn->src, conn->dst);
23691d75 1186 if (!pchan)
b62f328b
VT		 1187 return;
1188
23691d75
GP		 1189 parent = pchan->sk;
1190
aa2ac881 1191 lock_sock(parent);
62f3a2cf 1192
b62f328b
VT		 1193 /* Check for backlog size */
1194 if (sk_acceptq_is_full(parent)) {
1195 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1196 goto clean;
1197 }
1198
80808e43
GP		 1199 chan = pchan->ops->new_connection(pchan->data);
1200 if (!chan)
b62f328b
VT		 1201 goto clean;
1202
80808e43 1203 sk = chan->sk;
5d41ce1d 1204
b62f328b
VT		 1205 hci_conn_hold(conn->hcon);
1206
b62f328b
VT		 1207 bacpy(&bt_sk(sk)->src, conn->src);
1208 bacpy(&bt_sk(sk)->dst, conn->dst);
1209
d1010240
GP		 1210 bt_accept_enqueue(parent, sk);
1211
3d57dc68 1212 l2cap_chan_add(conn, chan);
48454079 1213
c9b66675 1214 __set_chan_timer(chan, sk->sk_sndtimeo);
b62f328b 1215
0e587be7 1216 __l2cap_state_change(chan, BT_CONNECTED);
b62f328b
VT		 1217 parent->sk_data_ready(parent, 0);
1218
b62f328b 1219clean:
aa2ac881 1220 release_sock(parent);
b62f328b
VT		 1221}
1222
4e8402a3
MH		 1223static void l2cap_conn_ready(struct l2cap_conn *conn)
1224{
48454079 1225 struct l2cap_chan *chan;
4e8402a3 1226
79d554a6 1227 BT_DBG("conn %p", conn);
4e8402a3 1228
b62f328b
VT		 1229 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1230 l2cap_le_conn_ready(conn);
1231
160dc6ac
VCG		 1232 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1233 smp_conn_security(conn, conn->hcon->pending_sec_level);
1234
3df91ea2 1235 mutex_lock(&conn->chan_lock);
4e8402a3 1236
3df91ea2 1237 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1238
6be36555 1239 l2cap_chan_lock(chan);
4e8402a3 1240
63128451 1241 if (conn->hcon->type == LE_LINK) {
b501d6a1 1242 if (smp_conn_security(conn, chan->sec_level))
cf4cd009 1243 l2cap_chan_ready(chan);
acd7d370 1244
63128451 1245 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1246 struct sock *sk = chan->sk;
c9b66675 1247 __clear_chan_timer(chan);
6be36555 1248 lock_sock(sk);
0e587be7 1249 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1250 sk->sk_state_change(sk);
6be36555 1251 release_sock(sk);
b501d6a1 1252
89bc500e 1253 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1254 l2cap_do_start(chan);
4e8402a3 1255
6be36555 1256 l2cap_chan_unlock(chan);
4e8402a3 1257 }
79d554a6 1258
3df91ea2 1259 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1260}
1261
1262/* Notify sockets that we cannot guaranty reliability anymore */
1263static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1264{
48454079 1265 struct l2cap_chan *chan;
4e8402a3
MH		 1266
1267 BT_DBG("conn %p", conn);
1268
3df91ea2 1269 mutex_lock(&conn->chan_lock);
4e8402a3 1270
3df91ea2 1271 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1272 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
2e0052e4 1273 __l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1274 }
1275
3df91ea2 1276 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1277}
1278
f878fcad 1279static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1280{
f878fcad 1281 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
030013d8 1282 info_timer.work);
4e8402a3 1283
984947dc 1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1285 conn->info_ident = 0;
984947dc 1286
4e8402a3
MH		 1287 l2cap_conn_start(conn);
1288}
1289
5d3de7df
VCG		 1290static void l2cap_conn_del(struct hci_conn *hcon, int err)
1291{
1292 struct l2cap_conn *conn = hcon->l2cap_data;
1293 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1294
1295 if (!conn)
1296 return;
1297
1298 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1299
1300 kfree_skb(conn->rx_skb);
1301
3df91ea2
AE		 1302 mutex_lock(&conn->chan_lock);
1303
5d3de7df
VCG		 1304 /* Kill channels */
1305 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1306 l2cap_chan_hold(chan);
6be36555
AE		 1307 l2cap_chan_lock(chan);
1308
5d3de7df 1309 l2cap_chan_del(chan, err);
6be36555
AE		 1310
1311 l2cap_chan_unlock(chan);
1312
5d3de7df 1313 chan->ops->close(chan->data);
61d6ef3e 1314 l2cap_chan_put(chan);
5d3de7df
VCG		 1315 }
1316
3df91ea2
AE		 1317 mutex_unlock(&conn->chan_lock);
1318
73d80deb
LAD		 1319 hci_chan_del(conn->hchan);
1320
5d3de7df 1321 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1322 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1323
51a8efd7 1324 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1325 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1326 smp_chan_destroy(conn);
d26a2345 1327 }
5d3de7df
VCG		 1328
1329 hcon->l2cap_data = NULL;
1330 kfree(conn);
1331}
1332
6c9d42a1 1333static void security_timeout(struct work_struct *work)
5d3de7df 1334{
6c9d42a1
GP		 1335 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1336 security_timer.work);
5d3de7df
VCG		 1337
1338 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1339}
1340
1da177e4
LT		 1341static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1342{
0139418c 1343 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1344 struct hci_chan *hchan;
1da177e4 1345
0139418c 1346 if (conn || status)
1da177e4
LT		 1347 return conn;
1348
73d80deb
LAD		 1349 hchan = hci_chan_create(hcon);
1350 if (!hchan)
1351 return NULL;
1352
0139418c 1353 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
73d80deb
LAD		 1354 if (!conn) {
1355 hci_chan_del(hchan);
1da177e4 1356 return NULL;
73d80deb 1357 }
1da177e4
LT		 1358
1359 hcon->l2cap_data = conn;
1360 conn->hcon = hcon;
73d80deb 1361 conn->hchan = hchan;
1da177e4 1362
73d80deb 1363 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1364
acd7d370
VT		 1365 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1366 conn->mtu = hcon->hdev->le_mtu;
1367 else
1368 conn->mtu = hcon->hdev->acl_mtu;
1369
1da177e4
LT		 1370 conn->src = &hcon->hdev->bdaddr;
1371 conn->dst = &hcon->dst;
1372
4e8402a3
MH		 1373 conn->feat_mask = 0;
1374
1da177e4 1375 spin_lock_init(&conn->lock);
3df91ea2 1376 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1377
1378 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1379
5d3de7df 1380 if (hcon->type == LE_LINK)
6c9d42a1 1381 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1382 else
030013d8 1383 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1384
9f5a0d7b 1385 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1386
1da177e4
LT		 1387 return conn;
1388}
1389
1da177e4 1390/* ---- Socket interface ---- */
1da177e4 1391
c2287681 1392/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1393 * Returns closest match.
1394 */
c2287681
IY		 1395static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1396 bdaddr_t *src,
1397 bdaddr_t *dst)
1da177e4 1398{
23691d75 1399 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1400
23691d75 1401 read_lock(&chan_list_lock);
e0f0cb56 1402
23691d75
GP		 1403 list_for_each_entry(c, &chan_list, global_l) {
1404 struct sock *sk = c->sk;
fe4128e0 1405
89bc500e 1406 if (state && c->state != state)
1da177e4
LT		 1407 continue;
1408
23691d75 1409 if (c->psm == psm) {
c2287681
IY		 1410 int src_match, dst_match;
1411 int src_any, dst_any;
1412
1da177e4 1413 /* Exact match. */
c2287681
IY		 1414 src_match = !bacmp(&bt_sk(sk)->src, src);
1415 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1416 if (src_match && dst_match) {
a7567b20 1417 read_unlock(&chan_list_lock);
23691d75
GP		 1418 return c;
1419 }
1da177e4
LT		 1420
1421 /* Closest match */
c2287681
IY		 1422 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1423 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1424 if ((src_match && dst_any) || (src_any && dst_match) ||
1425 (src_any && dst_any))
23691d75 1426 c1 = c;
1da177e4
LT		 1427 }
1428 }
1da177e4 1429
23691d75 1430 read_unlock(&chan_list_lock);
e0f0cb56 1431
23691d75 1432 return c1;
1da177e4
LT		 1433}
1434
8e9f9892
AG		 1435int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1436 bdaddr_t *dst, u8 dst_type)
1da177e4 1437{
5d41ce1d 1438 struct sock *sk = chan->sk;
1da177e4 1439 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1440 struct l2cap_conn *conn;
1441 struct hci_conn *hcon;
1442 struct hci_dev *hdev;
09ab6f4c 1443 __u8 auth_type;
44d0e48e 1444 int err;
1da177e4 1445
8e9f9892
AG		 1446 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1447 dst_type, __le16_to_cpu(chan->psm));
1da177e4 1448
af05b30b
GP		 1449 hdev = hci_get_route(dst, src);
1450 if (!hdev)
1da177e4
LT		 1451 return -EHOSTUNREACH;
1452
09fd0de5 1453 hci_dev_lock(hdev);
1da177e4 1454
6be36555 1455 l2cap_chan_lock(chan);
03a00194
GP		 1456
1457 /* PSM must be odd and lsb of upper byte must be 0 */
1458 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1459 chan->chan_type != L2CAP_CHAN_RAW) {
1460 err = -EINVAL;
1461 goto done;
1462 }
1463
1464 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1465 err = -EINVAL;
1466 goto done;
1467 }
1468
1469 switch (chan->mode) {
1470 case L2CAP_MODE_BASIC:
1471 break;
1472 case L2CAP_MODE_ERTM:
1473 case L2CAP_MODE_STREAMING:
1474 if (!disable_ertm)
1475 break;
1476 /* fall through */
1477 default:
1478 err = -ENOTSUPP;
1479 goto done;
1480 }
1481
6be36555
AE		 1482 lock_sock(sk);
1483
03a00194
GP		 1484 switch (sk->sk_state) {
1485 case BT_CONNECT:
1486 case BT_CONNECT2:
1487 case BT_CONFIG:
1488 /* Already connecting */
1489 err = 0;
6be36555 1490 release_sock(sk);
03a00194
GP		 1491 goto done;
1492
1493 case BT_CONNECTED:
1494 /* Already connected */
1495 err = -EISCONN;
6be36555 1496 release_sock(sk);
03a00194
GP		 1497 goto done;
1498
1499 case BT_OPEN:
1500 case BT_BOUND:
1501 /* Can connect */
1502 break;
1503
1504 default:
1505 err = -EBADFD;
6be36555 1506 release_sock(sk);
03a00194
GP		 1507 goto done;
1508 }
1509
1510 /* Set destination address and psm */
9219b2a0 1511 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1512
1513 release_sock(sk);
1514
03a00194
GP		 1515 chan->psm = psm;
1516 chan->dcid = cid;
1da177e4 1517
4343478f 1518 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1519
fe4128e0 1520 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1521 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1522 chan->sec_level, auth_type);
acd7d370 1523 else
8e9f9892 1524 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1525 chan->sec_level, auth_type);
acd7d370 1526
30e76272
VT		 1527 if (IS_ERR(hcon)) {
1528 err = PTR_ERR(hcon);
1da177e4 1529 goto done;
30e76272 1530 }
1da177e4
LT		 1531
1532 conn = l2cap_conn_add(hcon, 0);
1533 if (!conn) {
1534 hci_conn_put(hcon);
30e76272 1535 err = -ENOMEM;
1da177e4
LT		 1536 goto done;
1537 }
1538
9f0caeb1
VCG		 1539 if (hcon->type == LE_LINK) {
1540 err = 0;
1541
1542 if (!list_empty(&conn->chan_l)) {
1543 err = -EBUSY;
1544 hci_conn_put(hcon);
1545 }
1546
1547 if (err)
1548 goto done;
1549 }
1550
1da177e4
LT		 1551 /* Update source addr of the socket */
1552 bacpy(src, conn->src);
1553
6be36555 1554 l2cap_chan_unlock(chan);
48454079 1555 l2cap_chan_add(conn, chan);
6be36555 1556 l2cap_chan_lock(chan);
48454079 1557
6be36555 1558 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1559 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1560
1561 if (hcon->state == BT_CONNECTED) {
715ec005 1562 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1563 __clear_chan_timer(chan);
d45fc423 1564 if (l2cap_chan_check_security(chan))
6be36555 1565 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1566 } else
fc7f8a7e 1567 l2cap_do_start(chan);
1da177e4
LT		 1568 }
1569
30e76272
VT		 1570 err = 0;
1571
1da177e4 1572done:
6be36555 1573 l2cap_chan_unlock(chan);
09fd0de5 1574 hci_dev_unlock(hdev);
1da177e4
LT		 1575 hci_dev_put(hdev);
1576 return err;
1577}
1578
dcba0dba 1579int __l2cap_wait_ack(struct sock *sk)
6161c038 1580{
8c1d787b 1581 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1582 DECLARE_WAITQUEUE(wait, current);
1583 int err = 0;
1584 int timeo = HZ/5;
1585
2b0b05dd 1586 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1587 set_current_state(TASK_INTERRUPTIBLE);
1588 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1589 if (!timeo)
1590 timeo = HZ/5;
1591
1592 if (signal_pending(current)) {
1593 err = sock_intr_errno(timeo);
1594 break;
1595 }
1596
1597 release_sock(sk);
1598 timeo = schedule_timeout(timeo);
1599 lock_sock(sk);
a71a0cf4 1600 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1601
1602 err = sock_error(sk);
1603 if (err)
1604 break;
1605 }
1606 set_current_state(TASK_RUNNING);
2b0b05dd 1607 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1608 return err;
1609}
1610
721c4181 1611static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1612{
721c4181
GP		 1613 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1614 monitor_timer.work);
e90bac06 1615
525cd185 1616 BT_DBG("chan %p", chan);
0e98958d 1617
6be36555
AE		 1618 l2cap_chan_lock(chan);
1619
2c03a7a4 1620 if (chan->retry_count >= chan->remote_max_tx) {
8c1d787b 1621 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
6be36555 1622 l2cap_chan_unlock(chan);
8d7e1c7f 1623 l2cap_chan_put(chan);
e90bac06
GP		 1624 return;
1625 }
1626
6a026610 1627 chan->retry_count++;
1a09bcb9 1628 __set_monitor_timer(chan);
e90bac06 1629
525cd185 1630 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555 1631 l2cap_chan_unlock(chan);
8d7e1c7f 1632 l2cap_chan_put(chan);
e90bac06
GP		 1633}
1634
721c4181 1635static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1636{
721c4181
GP		 1637 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1638 retrans_timer.work);
e90bac06 1639
49208c9c 1640 BT_DBG("chan %p", chan);
0e98958d 1641
6be36555
AE		 1642 l2cap_chan_lock(chan);
1643
6a026610 1644 chan->retry_count = 1;
1a09bcb9 1645 __set_monitor_timer(chan);
e90bac06 1646
e2ab4353 1647 set_bit(CONN_WAIT_F, &chan->conn_state);
e90bac06 1648
525cd185 1649 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
6be36555
AE		 1650
1651 l2cap_chan_unlock(chan);
8d7e1c7f 1652 l2cap_chan_put(chan);
e90bac06
GP		 1653}
1654
3733937d
MM		 1655static int l2cap_streaming_send(struct l2cap_chan *chan,
1656 struct sk_buff_head *skbs)
6840ed07 1657{
ccbb84af 1658 struct sk_buff *skb;
3733937d 1659 struct l2cap_ctrl *control;
6840ed07 1660
3733937d
MM		 1661 BT_DBG("chan %p, skbs %p", chan, skbs);
1662
1663 if (chan->state != BT_CONNECTED)
1664 return -ENOTCONN;
1665
1666 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1667
1668 while (!skb_queue_empty(&chan->tx_q)) {
1669
1670 skb = skb_dequeue(&chan->tx_q);
1671
1672 bt_cb(skb)->control.retries = 1;
1673 control = &bt_cb(skb)->control;
1674
1675 control->reqseq = 0;
1676 control->txseq = chan->next_tx_seq;
1677
1678 __pack_control(chan, control, skb);
6840ed07 1679
47d1ec61 1680 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1681 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1682 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1683 }
1684
4343478f 1685 l2cap_do_send(chan, skb);
6840ed07 1686
3733937d
MM		 1687 BT_DBG("Sent txseq %d", (int)control->txseq);
1688
836be934 1689 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1690 chan->frames_sent++;
6840ed07 1691 }
3733937d
MM		 1692
1693 return 0;
6840ed07
GP		 1694}
1695
67c9e840 1696static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1697{
1698 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1699 struct l2cap_ctrl *control;
1700 int sent = 0;
1701
1702 BT_DBG("chan %p", chan);
1c2acffb 1703
89bc500e 1704 if (chan->state != BT_CONNECTED)
c13ffa62 1705 return -ENOTCONN;
e90bac06 1706
94122bbe
MM		 1707 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1708 return 0;
1709
18a48e76
MM		 1710 while (chan->tx_send_head &&
1711 chan->unacked_frames < chan->remote_tx_win &&
1712 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1713
18a48e76 1714 skb = chan->tx_send_head;
e90bac06 1715
18a48e76
MM		 1716 bt_cb(skb)->control.retries = 1;
1717 control = &bt_cb(skb)->control;
95ffa978 1718
e2ab4353 1719 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1720 control->final = 1;
e2ab4353 1721
18a48e76
MM		 1722 control->reqseq = chan->buffer_seq;
1723 chan->last_acked_seq = chan->buffer_seq;
1724 control->txseq = chan->next_tx_seq;
1c2acffb 1725
18a48e76 1726 __pack_control(chan, control, skb);
e90bac06 1727
47d1ec61 1728 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1729 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1730 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1731 }
1732
18a48e76
MM		 1733 /* Clone after data has been modified. Data is assumed to be
1734 read-only (for locking purposes) on cloned sk_buffs.
1735 */
1736 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1737
18a48e76
MM		 1738 if (!tx_skb)
1739 break;
1c2acffb 1740
18a48e76 1741 __set_retrans_timer(chan);
836be934
AE		 1742
1743 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1744 chan->unacked_frames++;
6a026610 1745 chan->frames_sent++;
18a48e76 1746 sent++;
1c2acffb 1747
58d35f87
GP		 1748 if (skb_queue_is_last(&chan->tx_q, skb))
1749 chan->tx_send_head = NULL;
1c2acffb 1750 else
58d35f87 1751 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1752
1753 l2cap_do_send(chan, tx_skb);
1754 BT_DBG("Sent txseq %d", (int)control->txseq);
1c2acffb
GP		 1755 }
1756
18a48e76
MM		 1757 BT_DBG("Sent %d, %d unacked, %d in ERTM queue", sent,
1758 (int) chan->unacked_frames, skb_queue_len(&chan->tx_q));
1759
1760 return sent;
9e917af1
GP		 1761}
1762
d2a7ac5d
MM		 1763static void l2cap_retransmit_all(struct l2cap_chan *chan,
1764 struct l2cap_ctrl *control)
1765{
1766 /* Placeholder */
1767}
1768
0a0aba42 1769static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 1770{
0a0aba42
MM		 1771 struct l2cap_ctrl control;
1772 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
1773 chan->last_acked_seq);
1774 int threshold;
9e917af1 1775
0a0aba42
MM		 1776 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
1777 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 1778
0a0aba42
MM		 1779 memset(&control, 0, sizeof(control));
1780 control.sframe = 1;
dfc909be 1781
0a0aba42
MM		 1782 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
1783 chan->rx_state == L2CAP_RX_STATE_RECV) {
1784 __clear_ack_timer(chan);
1785 control.super = L2CAP_SUPER_RNR;
1786 control.reqseq = chan->buffer_seq;
1787 l2cap_send_sframe(chan, &control);
1788 } else {
1789 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
1790 l2cap_ertm_send(chan);
1791 /* If any i-frames were sent, they included an ack */
1792 if (chan->buffer_seq == chan->last_acked_seq)
1793 frames_to_ack = 0;
1794 }
dfc909be 1795
0a0aba42
MM		 1796 /* Ack now if the tx window is 3/4ths full.
1797 * Calculate without mul or div
1798 */
1799 threshold = chan->tx_win;
1800 threshold += threshold << 1;
1801 threshold >>= 2;
1802
1803 BT_DBG("frames_to_ack %d, threshold %d", (int)frames_to_ack,
1804 threshold);
1805
1806 if (frames_to_ack >= threshold) {
1807 __clear_ack_timer(chan);
1808 control.super = L2CAP_SUPER_RR;
1809 control.reqseq = chan->buffer_seq;
1810 l2cap_send_sframe(chan, &control);
1811 frames_to_ack = 0;
1812 }
1c2acffb 1813
0a0aba42
MM		 1814 if (frames_to_ack)
1815 __set_ack_timer(chan);
1816 }
b17e73bb
SJ		 1817}
1818
04124681
GP		 1819static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1820 struct msghdr *msg, int len,
1821 int count, struct sk_buff *skb)
1c2acffb 1822{
0952a57a 1823 struct l2cap_conn *conn = chan->conn;
1c2acffb 1824 struct sk_buff **frag;
90338947 1825 int sent = 0;
1da177e4 1826
59203a21 1827 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1828 return -EFAULT;
1da177e4
LT		 1829
1830 sent += count;
1831 len -= count;
1832
1833 /* Continuation fragments (no L2CAP header) */
1834 frag = &skb_shinfo(skb)->frag_list;
1835 while (len) {
fbe00700
GP		 1836 struct sk_buff *tmp;
1837
1da177e4
LT		 1838 count = min_t(unsigned int, conn->mtu, len);
1839
fbe00700
GP		 1840 tmp = chan->ops->alloc_skb(chan, count,
1841 msg->msg_flags & MSG_DONTWAIT);
1842 if (IS_ERR(tmp))
1843 return PTR_ERR(tmp);
1844
1845 *frag = tmp;
2f7719ce 1846
1c2acffb
GP		 1847 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1848 return -EFAULT;
1da177e4 1849
5e59b791
LAD		 1850 (*frag)->priority = skb->priority;
1851
1da177e4
LT		 1852 sent += count;
1853 len -= count;
1854
2d0ed3d5
GP		 1855 skb->len += (*frag)->len;
1856 skb->data_len += (*frag)->len;
1857
1da177e4
LT		 1858 frag = &(*frag)->next;
1859 }
1da177e4
LT		 1860
1861 return sent;
1c2acffb 1862}
1da177e4 1863
5e59b791
LAD		 1864static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1865 struct msghdr *msg, size_t len,
1866 u32 priority)
1c2acffb 1867{
8c1d787b 1868 struct l2cap_conn *conn = chan->conn;
1c2acffb 1869 struct sk_buff *skb;
03a51213 1870 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 1871 struct l2cap_hdr *lh;
1872
6d5922b0 1873 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1c2acffb
GP		 1874
1875 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1876
1877 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1878 msg->msg_flags & MSG_DONTWAIT);
1879 if (IS_ERR(skb))
1880 return skb;
1c2acffb 1881
5e59b791
LAD		 1882 skb->priority = priority;
1883
1c2acffb
GP		 1884 /* Create L2CAP header */
1885 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1886 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 1887 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1888 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 1889
0952a57a 1890 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1891 if (unlikely(err < 0)) {
1892 kfree_skb(skb);
1893 return ERR_PTR(err);
1894 }
1895 return skb;
1896}
1897
5e59b791
LAD		 1898static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1899 struct msghdr *msg, size_t len,
1900 u32 priority)
1c2acffb 1901{
8c1d787b 1902 struct l2cap_conn *conn = chan->conn;
1c2acffb 1903 struct sk_buff *skb;
f2ba7fae 1904 int err, count;
1c2acffb
GP		 1905 struct l2cap_hdr *lh;
1906
6d5922b0 1907 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1908
f2ba7fae 1909 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 1910
f2ba7fae 1911 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 1912 msg->msg_flags & MSG_DONTWAIT);
1913 if (IS_ERR(skb))
1914 return skb;
1c2acffb 1915
5e59b791
LAD		 1916 skb->priority = priority;
1917
1c2acffb
GP		 1918 /* Create L2CAP header */
1919 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1920 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 1921 lh->len = cpu_to_le16(len);
1c2acffb 1922
0952a57a 1923 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1924 if (unlikely(err < 0)) {
1925 kfree_skb(skb);
1926 return ERR_PTR(err);
1927 }
1928 return skb;
1929}
1930
ab0ff76d
LAD		 1931static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1932 struct msghdr *msg, size_t len,
94122bbe 1933 u16 sdulen)
1c2acffb 1934{
8c1d787b 1935 struct l2cap_conn *conn = chan->conn;
1c2acffb 1936 struct sk_buff *skb;
e4ca6d98 1937 int err, count, hlen;
1c2acffb
GP		 1938 struct l2cap_hdr *lh;
1939
6d5922b0 1940 BT_DBG("chan %p len %d", chan, (int)len);
1c2acffb 1941
0ee0d208
GP		 1942 if (!conn)
1943 return ERR_PTR(-ENOTCONN);
1944
e4ca6d98
AE		 1945 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1946 hlen = L2CAP_EXT_HDR_SIZE;
1947 else
1948 hlen = L2CAP_ENH_HDR_SIZE;
1949
c74e560c 1950 if (sdulen)
03a51213 1951 hlen += L2CAP_SDULEN_SIZE;
c74e560c 1952
47d1ec61 1953 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 1954 hlen += L2CAP_FCS_SIZE;
fcc203c3 1955
1c2acffb 1956 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 1957
1958 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 1959 msg->msg_flags & MSG_DONTWAIT);
1960 if (IS_ERR(skb))
1961 return skb;
1c2acffb
GP		 1962
1963 /* Create L2CAP header */
1964 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 1965 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 1966 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 1967
18a48e76
MM		 1968 /* Control header is populated later */
1969 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1970 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1971 else
1972 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 1973
c74e560c 1974 if (sdulen)
03a51213 1975 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 1976
0952a57a 1977 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 1978 if (unlikely(err < 0)) {
1979 kfree_skb(skb);
1980 return ERR_PTR(err);
1981 }
e90bac06 1982
18a48e76 1983 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 1984 bt_cb(skb)->control.retries = 0;
1c2acffb 1985 return skb;
1da177e4
LT		 1986}
1987
94122bbe
MM		 1988static int l2cap_segment_sdu(struct l2cap_chan *chan,
1989 struct sk_buff_head *seg_queue,
1990 struct msghdr *msg, size_t len)
c74e560c 1991{
c74e560c 1992 struct sk_buff *skb;
94122bbe
MM		 1993 u16 sdu_len;
1994 size_t pdu_len;
1995 int err = 0;
1996 u8 sar;
c74e560c 1997
94122bbe 1998 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
c74e560c 1999
94122bbe
MM		 2000 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2001 * so fragmented skbs are not used. The HCI layer's handling
2002 * of fragmented skbs is not compatible with ERTM's queueing.
2003 */
c74e560c 2004
94122bbe
MM		 2005 /* PDU size is derived from the HCI MTU */
2006 pdu_len = chan->conn->mtu;
c74e560c 2007
94122bbe
MM		 2008 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2009
2010 /* Adjust for largest possible L2CAP overhead. */
2011 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2012
2013 /* Remote device may have requested smaller PDUs */
2014 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2015
2016 if (len <= pdu_len) {
2017 sar = L2CAP_SAR_UNSEGMENTED;
2018 sdu_len = 0;
2019 pdu_len = len;
2020 } else {
2021 sar = L2CAP_SAR_START;
2022 sdu_len = len;
2023 pdu_len -= L2CAP_SDULEN_SIZE;
2024 }
2025
2026 while (len > 0) {
2027 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2028
c74e560c 2029 if (IS_ERR(skb)) {
94122bbe 2030 __skb_queue_purge(seg_queue);
c74e560c
GP		 2031 return PTR_ERR(skb);
2032 }
2033
94122bbe
MM		 2034 bt_cb(skb)->control.sar = sar;
2035 __skb_queue_tail(seg_queue, skb);
2036
2037 len -= pdu_len;
2038 if (sdu_len) {
2039 sdu_len = 0;
2040 pdu_len += L2CAP_SDULEN_SIZE;
2041 }
2042
2043 if (len <= pdu_len) {
2044 sar = L2CAP_SAR_END;
2045 pdu_len = len;
2046 } else {
2047 sar = L2CAP_SAR_CONTINUE;
2048 }
c74e560c 2049 }
c74e560c 2050
94122bbe 2051 return err;
c74e560c
GP		 2052}
2053
5e59b791
LAD		 2054int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2055 u32 priority)
9a91a04a 2056{
9a91a04a 2057 struct sk_buff *skb;
9a91a04a 2058 int err;
94122bbe 2059 struct sk_buff_head seg_queue;
9a91a04a
GP		 2060
2061 /* Connectionless channel */
715ec005 2062 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2063 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2064 if (IS_ERR(skb))
2065 return PTR_ERR(skb);
2066
2067 l2cap_do_send(chan, skb);
2068 return len;
2069 }
2070
2071 switch (chan->mode) {
2072 case L2CAP_MODE_BASIC:
2073 /* Check outgoing MTU */
2074 if (len > chan->omtu)
2075 return -EMSGSIZE;
2076
2077 /* Create a basic PDU */
5e59b791 2078 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2079 if (IS_ERR(skb))
2080 return PTR_ERR(skb);
2081
2082 l2cap_do_send(chan, skb);
2083 err = len;
2084 break;
2085
2086 case L2CAP_MODE_ERTM:
2087 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2088 /* Check outgoing MTU */
2089 if (len > chan->omtu) {
2090 err = -EMSGSIZE;
2091 break;
2092 }
9a91a04a 2093
94122bbe 2094 __skb_queue_head_init(&seg_queue);
9a91a04a 2095
94122bbe
MM		 2096 /* Do segmentation before calling in to the state machine,
2097 * since it's possible to block while waiting for memory
2098 * allocation.
2099 */
2100 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2101
94122bbe
MM		 2102 /* The channel could have been closed while segmenting,
2103 * check that it is still connected.
2104 */
2105 if (chan->state != BT_CONNECTED) {
2106 __skb_queue_purge(&seg_queue);
2107 err = -ENOTCONN;
9a91a04a
GP		 2108 }
2109
94122bbe 2110 if (err)
9a91a04a 2111 break;
9a91a04a 2112
3733937d 2113 if (chan->mode == L2CAP_MODE_ERTM)
608bcc6d
MM		 2114 err = l2cap_tx(chan, 0, &seg_queue,
2115 L2CAP_EV_DATA_REQUEST);
3733937d
MM		 2116 else
2117 err = l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2118
608bcc6d 2119 if (!err)
9a91a04a
GP		 2120 err = len;
2121
94122bbe
MM		 2122 /* If the skbs were not queued for sending, they'll still be in
2123 * seg_queue and need to be purged.
2124 */
2125 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2126 break;
2127
2128 default:
2129 BT_DBG("bad state %1.1x", chan->mode);
2130 err = -EBADFD;
2131 }
2132
2133 return err;
2134}
2135
d2a7ac5d
MM		 2136static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2137{
2138 /* Placeholder */
2139}
2140
2141static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2142{
2143 /* Placeholder */
2144}
2145
2146static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2147{
2148 /* Placeholder */
2149}
2150
608bcc6d
MM		 2151static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2152{
2153 struct sk_buff *acked_skb;
2154 u16 ackseq;
2155
2156 BT_DBG("chan %p, reqseq %d", chan, reqseq);
2157
2158 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2159 return;
2160
2161 BT_DBG("expected_ack_seq %d, unacked_frames %d",
2162 chan->expected_ack_seq, chan->unacked_frames);
2163
2164 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2165 ackseq = __next_seq(chan, ackseq)) {
2166
2167 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2168 if (acked_skb) {
2169 skb_unlink(acked_skb, &chan->tx_q);
2170 kfree_skb(acked_skb);
2171 chan->unacked_frames--;
2172 }
2173 }
2174
2175 chan->expected_ack_seq = reqseq;
2176
2177 if (chan->unacked_frames == 0)
2178 __clear_retrans_timer(chan);
2179
2180 BT_DBG("unacked_frames %d", (int) chan->unacked_frames);
2181}
2182
2183static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2184{
2185 BT_DBG("chan %p", chan);
2186
2187 chan->expected_tx_seq = chan->buffer_seq;
2188 l2cap_seq_list_clear(&chan->srej_list);
2189 skb_queue_purge(&chan->srej_q);
2190 chan->rx_state = L2CAP_RX_STATE_RECV;
2191}
2192
2193static int l2cap_tx_state_xmit(struct l2cap_chan *chan,
2194 struct l2cap_ctrl *control,
2195 struct sk_buff_head *skbs, u8 event)
2196{
2197 int err = 0;
2198
2199 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2200 event);
2201
2202 switch (event) {
2203 case L2CAP_EV_DATA_REQUEST:
2204 if (chan->tx_send_head == NULL)
2205 chan->tx_send_head = skb_peek(skbs);
2206
2207 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2208 l2cap_ertm_send(chan);
2209 break;
2210 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2211 BT_DBG("Enter LOCAL_BUSY");
2212 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2213
2214 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2215 /* The SREJ_SENT state must be aborted if we are to
2216 * enter the LOCAL_BUSY state.
2217 */
2218 l2cap_abort_rx_srej_sent(chan);
2219 }
2220
2221 l2cap_send_ack(chan);
2222
2223 break;
2224 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2225 BT_DBG("Exit LOCAL_BUSY");
2226 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2227
2228 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2229 struct l2cap_ctrl local_control;
2230
2231 memset(&local_control, 0, sizeof(local_control));
2232 local_control.sframe = 1;
2233 local_control.super = L2CAP_SUPER_RR;
2234 local_control.poll = 1;
2235 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2236 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2237
2238 chan->retry_count = 1;
2239 __set_monitor_timer(chan);
2240 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2241 }
2242 break;
2243 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2244 l2cap_process_reqseq(chan, control->reqseq);
2245 break;
2246 case L2CAP_EV_EXPLICIT_POLL:
2247 l2cap_send_rr_or_rnr(chan, 1);
2248 chan->retry_count = 1;
2249 __set_monitor_timer(chan);
2250 __clear_ack_timer(chan);
2251 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2252 break;
2253 case L2CAP_EV_RETRANS_TO:
2254 l2cap_send_rr_or_rnr(chan, 1);
2255 chan->retry_count = 1;
2256 __set_monitor_timer(chan);
2257 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2258 break;
2259 case L2CAP_EV_RECV_FBIT:
2260 /* Nothing to process */
2261 break;
2262 default:
2263 break;
2264 }
2265
2266 return err;
2267}
2268
2269static int l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2270 struct l2cap_ctrl *control,
2271 struct sk_buff_head *skbs, u8 event)
2272{
2273 int err = 0;
2274
2275 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2276 event);
2277
2278 switch (event) {
2279 case L2CAP_EV_DATA_REQUEST:
2280 if (chan->tx_send_head == NULL)
2281 chan->tx_send_head = skb_peek(skbs);
2282 /* Queue data, but don't send. */
2283 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2284 break;
2285 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2286 BT_DBG("Enter LOCAL_BUSY");
2287 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2288
2289 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2290 /* The SREJ_SENT state must be aborted if we are to
2291 * enter the LOCAL_BUSY state.
2292 */
2293 l2cap_abort_rx_srej_sent(chan);
2294 }
2295
2296 l2cap_send_ack(chan);
2297
2298 break;
2299 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2300 BT_DBG("Exit LOCAL_BUSY");
2301 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2302
2303 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2304 struct l2cap_ctrl local_control;
2305 memset(&local_control, 0, sizeof(local_control));
2306 local_control.sframe = 1;
2307 local_control.super = L2CAP_SUPER_RR;
2308 local_control.poll = 1;
2309 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2310 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2311
2312 chan->retry_count = 1;
2313 __set_monitor_timer(chan);
2314 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2315 }
2316 break;
2317 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2318 l2cap_process_reqseq(chan, control->reqseq);
2319
2320 /* Fall through */
2321
2322 case L2CAP_EV_RECV_FBIT:
2323 if (control && control->final) {
2324 __clear_monitor_timer(chan);
2325 if (chan->unacked_frames > 0)
2326 __set_retrans_timer(chan);
2327 chan->retry_count = 0;
2328 chan->tx_state = L2CAP_TX_STATE_XMIT;
2329 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2330 }
2331 break;
2332 case L2CAP_EV_EXPLICIT_POLL:
2333 /* Ignore */
2334 break;
2335 case L2CAP_EV_MONITOR_TO:
2336 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2337 l2cap_send_rr_or_rnr(chan, 1);
2338 __set_monitor_timer(chan);
2339 chan->retry_count++;
2340 } else {
2341 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2342 }
2343 break;
2344 default:
2345 break;
2346 }
2347
2348 return err;
2349}
2350
2351static int l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2352 struct sk_buff_head *skbs, u8 event)
2353{
2354 int err = 0;
2355
2356 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2357 chan, control, skbs, event, chan->tx_state);
2358
2359 switch (chan->tx_state) {
2360 case L2CAP_TX_STATE_XMIT:
2361 err = l2cap_tx_state_xmit(chan, control, skbs, event);
2362 break;
2363 case L2CAP_TX_STATE_WAIT_F:
2364 err = l2cap_tx_state_wait_f(chan, control, skbs, event);
2365 break;
2366 default:
2367 /* Ignore event */
2368 break;
2369 }
2370
2371 return err;
2372}
2373
4b51dae9
MM		 2374static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2375 struct l2cap_ctrl *control)
2376{
2377 BT_DBG("chan %p, control %p", chan, control);
2378 l2cap_tx(chan, control, 0, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2379}
2380
1da177e4
LT		 2381/* Copy frame to all raw sockets on that connection */
2382static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2383{
1da177e4 2384 struct sk_buff *nskb;
48454079 2385 struct l2cap_chan *chan;
1da177e4
LT		 2386
2387 BT_DBG("conn %p", conn);
2388
3df91ea2 2389 mutex_lock(&conn->chan_lock);
3d57dc68 2390
3df91ea2 2391 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2392 struct sock *sk = chan->sk;
715ec005 2393 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2394 continue;
2395
2396 /* Don't send frame to the socket it came from */
2397 if (skb->sk == sk)
2398 continue;
af05b30b
GP		 2399 nskb = skb_clone(skb, GFP_ATOMIC);
2400 if (!nskb)
1da177e4
LT		 2401 continue;
2402
23070494 2403 if (chan->ops->recv(chan->data, nskb))
1da177e4
LT		 2404 kfree_skb(nskb);
2405 }
3d57dc68 2406
3df91ea2 2407 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2408}
2409
2410/* ---- L2CAP signalling commands ---- */
2411static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2412 u8 code, u8 ident, u16 dlen, void *data)
2413{
2414 struct sk_buff *skb, **frag;
2415 struct l2cap_cmd_hdr *cmd;
2416 struct l2cap_hdr *lh;
2417 int len, count;
2418
af05b30b
GP		 2419 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2420 conn, code, ident, dlen);
1da177e4
LT		 2421
2422 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2423 count = min_t(unsigned int, conn->mtu, len);
2424
2425 skb = bt_skb_alloc(count, GFP_ATOMIC);
2426 if (!skb)
2427 return NULL;
2428
2429 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2430 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2431
2432 if (conn->hcon->type == LE_LINK)
2433 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2434 else
2435 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2436
2437 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2438 cmd->code = code;
2439 cmd->ident = ident;
aca3192c 2440 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2441
2442 if (dlen) {
2443 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2444 memcpy(skb_put(skb, count), data, count);
2445 data += count;
2446 }
2447
2448 len -= skb->len;
2449
2450 /* Continuation fragments (no L2CAP header) */
2451 frag = &skb_shinfo(skb)->frag_list;
2452 while (len) {
2453 count = min_t(unsigned int, conn->mtu, len);
2454
2455 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2456 if (!*frag)
2457 goto fail;
2458
2459 memcpy(skb_put(*frag, count), data, count);
2460
2461 len -= count;
2462 data += count;
2463
2464 frag = &(*frag)->next;
2465 }
2466
2467 return skb;
2468
2469fail:
2470 kfree_skb(skb);
2471 return NULL;
2472}
2473
2474static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2475{
2476 struct l2cap_conf_opt *opt = *ptr;
2477 int len;
2478
2479 len = L2CAP_CONF_OPT_SIZE + opt->len;
2480 *ptr += len;
2481
2482 *type = opt->type;
2483 *olen = opt->len;
2484
2485 switch (opt->len) {
2486 case 1:
2487 *val = *((u8 *) opt->val);
2488 break;
2489
2490 case 2:
bfaaeb3e 2491 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2492 break;
2493
2494 case 4:
bfaaeb3e 2495 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2496 break;
2497
2498 default:
2499 *val = (unsigned long) opt->val;
2500 break;
2501 }
2502
2503 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2504 return len;
2505}
2506
1da177e4
LT		 2507static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2508{
2509 struct l2cap_conf_opt *opt = *ptr;
2510
2511 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2512
2513 opt->type = type;
2514 opt->len = len;
2515
2516 switch (len) {
2517 case 1:
2518 *((u8 *) opt->val) = val;
2519 break;
2520
2521 case 2:
4f8b691c 2522 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2523 break;
2524
2525 case 4:
4f8b691c 2526 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2527 break;
2528
2529 default:
2530 memcpy(opt->val, (void *) val, len);
2531 break;
2532 }
2533
2534 *ptr += L2CAP_CONF_OPT_SIZE + len;
2535}
2536
f89cef09
AE		 2537static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2538{
2539 struct l2cap_conf_efs efs;
2540
1ec918ce 2541 switch (chan->mode) {
f89cef09
AE		 2542 case L2CAP_MODE_ERTM:
2543 efs.id = chan->local_id;
2544 efs.stype = chan->local_stype;
2545 efs.msdu = cpu_to_le16(chan->local_msdu);
2546 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2547 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2548 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2549 break;
2550
2551 case L2CAP_MODE_STREAMING:
2552 efs.id = 1;
2553 efs.stype = L2CAP_SERV_BESTEFFORT;
2554 efs.msdu = cpu_to_le16(chan->local_msdu);
2555 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2556 efs.acc_lat = 0;
2557 efs.flush_to = 0;
2558 break;
2559
2560 default:
2561 return;
2562 }
2563
2564 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2565 (unsigned long) &efs);
2566}
2567
721c4181 2568static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2569{
721c4181
GP		 2570 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2571 ack_timer.work);
c1b4f43b 2572
2fb9b3d4
GP		 2573 BT_DBG("chan %p", chan);
2574
6be36555
AE		 2575 l2cap_chan_lock(chan);
2576
0a0aba42 2577 l2cap_send_ack(chan);
6be36555
AE		 2578
2579 l2cap_chan_unlock(chan);
09bfb2ee
SJ		 2580
2581 l2cap_chan_put(chan);
c1b4f43b
GP		 2582}
2583
3c588192 2584static inline int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2585{
3c588192
MM		 2586 int err;
2587
105bdf9e
MM		 2588 chan->next_tx_seq = 0;
2589 chan->expected_tx_seq = 0;
42e5c802 2590 chan->expected_ack_seq = 0;
6a026610 2591 chan->unacked_frames = 0;
42e5c802 2592 chan->buffer_seq = 0;
6a026610 2593 chan->frames_sent = 0;
105bdf9e
MM		 2594 chan->last_acked_seq = 0;
2595 chan->sdu = NULL;
2596 chan->sdu_last_frag = NULL;
2597 chan->sdu_len = 0;
2598
d34c34fb
MM		 2599 skb_queue_head_init(&chan->tx_q);
2600
105bdf9e
MM		 2601 if (chan->mode != L2CAP_MODE_ERTM)
2602 return 0;
2603
2604 chan->rx_state = L2CAP_RX_STATE_RECV;
2605 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2606
721c4181
GP		 2607 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2608 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2609 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2610
f1c6775b 2611 skb_queue_head_init(&chan->srej_q);
1890d36b 2612
3c588192
MM		 2613 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2614 if (err < 0)
2615 return err;
2616
9dc9affc
MM		 2617 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2618 if (err < 0)
2619 l2cap_seq_list_free(&chan->srej_list);
2620
2621 return err;
0565c1c2
GP		 2622}
2623
f2fcfcd6
GP		 2624static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2625{
2626 switch (mode) {
2627 case L2CAP_MODE_STREAMING:
2628 case L2CAP_MODE_ERTM:
2629 if (l2cap_mode_supported(mode, remote_feat_mask))
2630 return mode;
2631 /* fall through */
2632 default:
2633 return L2CAP_MODE_BASIC;
2634 }
2635}
2636
6327eb98
AE		 2637static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2638{
2639 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2640}
2641
f89cef09
AE		 2642static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2643{
2644 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2645}
2646
6327eb98
AE		 2647static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2648{
2649 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
836be934 2650 __l2cap_ews_supported(chan)) {
6327eb98
AE		 2651 /* use extended control field */
2652 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 2653 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2654 } else {
6327eb98
AE		 2655 chan->tx_win = min_t(u16, chan->tx_win,
2656 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 2657 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2658 }
6327eb98
AE		 2659}
2660
710f9b0a 2661static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2662{
1da177e4 2663 struct l2cap_conf_req *req = data;
0c1bc5c6 2664 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 2665 void *ptr = req->data;
c8f79162 2666 u16 size;
1da177e4 2667
49208c9c 2668 BT_DBG("chan %p", chan);
1da177e4 2669
73ffa904 2670 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 2671 goto done;
2672
0c1bc5c6 2673 switch (chan->mode) {
f2fcfcd6
GP		 2674 case L2CAP_MODE_STREAMING:
2675 case L2CAP_MODE_ERTM:
c1360a1c 2676 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 2677 break;
85eb53c6 2678
f89cef09
AE		 2679 if (__l2cap_efs_supported(chan))
2680 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2681
2ba13ed6 2682 /* fall through */
f2fcfcd6 2683 default:
8c1d787b 2684 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 2685 break;
2686 }
2687
2688done:
0c1bc5c6
GP		 2689 if (chan->imtu != L2CAP_DEFAULT_MTU)
2690 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 2691
0c1bc5c6 2692 switch (chan->mode) {
65c7c491 2693 case L2CAP_MODE_BASIC:
8c1d787b
GP		 2694 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2695 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 2696 break;
2697
62547752
GP		 2698 rfc.mode = L2CAP_MODE_BASIC;
2699 rfc.txwin_size = 0;
2700 rfc.max_transmit = 0;
2701 rfc.retrans_timeout = 0;
2702 rfc.monitor_timeout = 0;
2703 rfc.max_pdu_size = 0;
2704
63406504
GP		 2705 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2706 (unsigned long) &rfc);
65c7c491
MH		 2707 break;
2708
2709 case L2CAP_MODE_ERTM:
2710 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 2711 rfc.max_transmit = chan->max_tx;
f2fcfcd6
GP		 2712 rfc.retrans_timeout = 0;
2713 rfc.monitor_timeout = 0;
c8f79162
AE		 2714
2715 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2716 L2CAP_EXT_HDR_SIZE -
2717 L2CAP_SDULEN_SIZE -
2718 L2CAP_FCS_SIZE);
2719 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 2720
6327eb98
AE		 2721 l2cap_txwin_setup(chan);
2722
2723 rfc.txwin_size = min_t(u16, chan->tx_win,
2724 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 2725
63406504
GP		 2726 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2727 (unsigned long) &rfc);
2728
f89cef09
AE		 2729 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2730 l2cap_add_opt_efs(&ptr, chan);
2731
8c1d787b 2732 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2733 break;
2734
47d1ec61 2735 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2736 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2737 chan->fcs = L2CAP_FCS_NONE;
2738 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2739 }
6327eb98
AE		 2740
2741 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2743 chan->tx_win);
f2fcfcd6
GP		 2744 break;
2745
2746 case L2CAP_MODE_STREAMING:
2747 rfc.mode = L2CAP_MODE_STREAMING;
2748 rfc.txwin_size = 0;
2749 rfc.max_transmit = 0;
2750 rfc.retrans_timeout = 0;
2751 rfc.monitor_timeout = 0;
c8f79162
AE		 2752
2753 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2754 L2CAP_EXT_HDR_SIZE -
2755 L2CAP_SDULEN_SIZE -
2756 L2CAP_FCS_SIZE);
2757 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 2758
63406504
GP		 2759 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2760 (unsigned long) &rfc);
2761
f89cef09
AE		 2762 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2763 l2cap_add_opt_efs(&ptr, chan);
2764
8c1d787b 2765 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 2766 break;
2767
47d1ec61 2768 if (chan->fcs == L2CAP_FCS_NONE ||
c1360a1c 2769 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 2770 chan->fcs = L2CAP_FCS_NONE;
2771 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 2772 }
65c7c491
MH		 2773 break;
2774 }
1da177e4 2775
fe4128e0 2776 req->dcid = cpu_to_le16(chan->dcid);
aca3192c 2777 req->flags = cpu_to_le16(0);
1da177e4
LT		 2778
2779 return ptr - data;
2780}
2781
73ffa904 2782static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 2783{
5dee9e7c
MH		 2784 struct l2cap_conf_rsp *rsp = data;
2785 void *ptr = rsp->data;
73ffa904
GP		 2786 void *req = chan->conf_req;
2787 int len = chan->conf_len;
5dee9e7c
MH		 2788 int type, hint, olen;
2789 unsigned long val;
6464f35f 2790 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 2791 struct l2cap_conf_efs efs;
2792 u8 remote_efs = 0;
861d6882 2793 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2794 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 2795 u16 size;
1da177e4 2796
73ffa904 2797 BT_DBG("chan %p", chan);
820ae1b8 2798
5dee9e7c
MH		 2799 while (len >= L2CAP_CONF_OPT_SIZE) {
2800 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2801
589d2746 2802 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2803 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2804
2805 switch (type) {
2806 case L2CAP_CONF_MTU:
861d6882 2807 mtu = val;
5dee9e7c
MH		 2808 break;
2809
2810 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 2811 chan->flush_to = val;
5dee9e7c
MH		 2812 break;
2813
2814 case L2CAP_CONF_QOS:
2815 break;
2816
6464f35f
MH		 2817 case L2CAP_CONF_RFC:
2818 if (olen == sizeof(rfc))
2819 memcpy(&rfc, (void *) val, olen);
2820 break;
2821
fcc203c3
GP		 2822 case L2CAP_CONF_FCS:
2823 if (val == L2CAP_FCS_NONE)
c1360a1c 2824 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 2825 break;
fcc203c3 2826
42dceae2
AE		 2827 case L2CAP_CONF_EFS:
2828 remote_efs = 1;
2829 if (olen == sizeof(efs))
2830 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 2831 break;
2832
6327eb98
AE		 2833 case L2CAP_CONF_EWS:
2834 if (!enable_hs)
2835 return -ECONNREFUSED;
fcc203c3 2836
6327eb98
AE		 2837 set_bit(FLAG_EXT_CTRL, &chan->flags);
2838 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 2839 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 2840 chan->remote_tx_win = val;
fcc203c3
GP		 2841 break;
2842
5dee9e7c
MH		 2843 default:
2844 if (hint)
2845 break;
2846
2847 result = L2CAP_CONF_UNKNOWN;
2848 *((u8 *) ptr++) = type;
2849 break;
2850 }
2851 }
2852
73ffa904 2853 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 2854 goto done;
2855
0c1bc5c6 2856 switch (chan->mode) {
f2fcfcd6
GP		 2857 case L2CAP_MODE_STREAMING:
2858 case L2CAP_MODE_ERTM:
c1360a1c 2859 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 2860 chan->mode = l2cap_select_mode(rfc.mode,
8c1d787b 2861 chan->conn->feat_mask);
85eb53c6
GP		 2862 break;
2863 }
2864
42dceae2
AE		 2865 if (remote_efs) {
2866 if (__l2cap_efs_supported(chan))
2867 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2868 else
2869 return -ECONNREFUSED;
2870 }
2871
0c1bc5c6 2872 if (chan->mode != rfc.mode)
f2fcfcd6 2873 return -ECONNREFUSED;
742e519b 2874
f2fcfcd6 2875 break;
f2fcfcd6
GP		 2876 }
2877
2878done:
0c1bc5c6 2879 if (chan->mode != rfc.mode) {
f2fcfcd6 2880 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 2881 rfc.mode = chan->mode;
f2fcfcd6 2882
73ffa904 2883 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 2884 return -ECONNREFUSED;
2885
2886 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2887 sizeof(rfc), (unsigned long) &rfc);
2888 }
2889
5dee9e7c
MH		 2890 if (result == L2CAP_CONF_SUCCESS) {
2891 /* Configure output options and let the other side know
2892 * which ones we don't like. */
2893
f2fcfcd6
GP		 2894 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2895 result = L2CAP_CONF_UNACCEPT;
2896 else {
0c1bc5c6 2897 chan->omtu = mtu;
c1360a1c 2898 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 2899 }
0c1bc5c6 2900 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 2901
42dceae2
AE		 2902 if (remote_efs) {
2903 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2904 efs.stype != L2CAP_SERV_NOTRAFIC &&
2905 efs.stype != chan->local_stype) {
2906
2907 result = L2CAP_CONF_UNACCEPT;
2908
2909 if (chan->num_conf_req >= 1)
2910 return -ECONNREFUSED;
2911
2912 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3e6b3b95 2913 sizeof(efs),
42dceae2 2914 (unsigned long) &efs);
0e8b207e 2915 } else {
3e6b3b95 2916 /* Send PENDING Conf Rsp */
0e8b207e
AE		 2917 result = L2CAP_CONF_PENDING;
2918 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 2919 }
2920 }
2921
f2fcfcd6
GP		 2922 switch (rfc.mode) {
2923 case L2CAP_MODE_BASIC:
47d1ec61 2924 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 2925 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 2926 break;
2927
2928 case L2CAP_MODE_ERTM:
6327eb98
AE		 2929 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2930 chan->remote_tx_win = rfc.txwin_size;
2931 else
2932 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 2933
2c03a7a4 2934 chan->remote_max_tx = rfc.max_transmit;
1c762159 2935
c8f79162
AE		 2936 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2937 chan->conn->mtu -
2938 L2CAP_EXT_HDR_SIZE -
2939 L2CAP_SDULEN_SIZE -
2940 L2CAP_FCS_SIZE);
2941 rfc.max_pdu_size = cpu_to_le16(size);
2942 chan->remote_mps = size;
f2fcfcd6 2943
10467e9e 2944 rfc.retrans_timeout =
4fd21a88 2945 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
10467e9e 2946 rfc.monitor_timeout =
4fd21a88 2947 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6 2948
c1360a1c 2949 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2950
2951 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2952 sizeof(rfc), (unsigned long) &rfc);
2953
42dceae2
AE		 2954 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2955 chan->remote_id = efs.id;
2956 chan->remote_stype = efs.stype;
2957 chan->remote_msdu = le16_to_cpu(efs.msdu);
2958 chan->remote_flush_to =
2959 le32_to_cpu(efs.flush_to);
2960 chan->remote_acc_lat =
2961 le32_to_cpu(efs.acc_lat);
2962 chan->remote_sdu_itime =
2963 le32_to_cpu(efs.sdu_itime);
2964 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2965 sizeof(efs), (unsigned long) &efs);
2966 }
f2fcfcd6
GP		 2967 break;
2968
2969 case L2CAP_MODE_STREAMING:
c8f79162
AE		 2970 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2971 chan->conn->mtu -
2972 L2CAP_EXT_HDR_SIZE -
2973 L2CAP_SDULEN_SIZE -
2974 L2CAP_FCS_SIZE);
2975 rfc.max_pdu_size = cpu_to_le16(size);
2976 chan->remote_mps = size;
f2fcfcd6 2977
c1360a1c 2978 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 2979
2980 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2981 sizeof(rfc), (unsigned long) &rfc);
2982
f2fcfcd6
GP		 2983 break;
2984
2985 default:
5dee9e7c 2986 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2987
6464f35f 2988 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 2989 rfc.mode = chan->mode;
f2fcfcd6 2990 }
6464f35f 2991
f2fcfcd6 2992 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 2993 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 2994 }
fe4128e0 2995 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c
MH		 2996 rsp->result = cpu_to_le16(result);
2997 rsp->flags = cpu_to_le16(0x0000);
2998
2999 return ptr - data;
1da177e4
LT		 3000}
3001
b4450035 3002static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
f2fcfcd6 3003{
f2fcfcd6
GP		 3004 struct l2cap_conf_req *req = data;
3005 void *ptr = req->data;
3006 int type, olen;
3007 unsigned long val;
36e999a8 3008 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3009 struct l2cap_conf_efs efs;
f2fcfcd6 3010
fe4128e0 3011 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3012
3013 while (len >= L2CAP_CONF_OPT_SIZE) {
3014 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3015
3016 switch (type) {
3017 case L2CAP_CONF_MTU:
3018 if (val < L2CAP_DEFAULT_MIN_MTU) {
3019 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3020 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3021 } else
0c1bc5c6
GP		 3022 chan->imtu = val;
3023 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3024 break;
3025
3026 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3027 chan->flush_to = val;
f2fcfcd6 3028 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
0c1bc5c6 3029 2, chan->flush_to);
f2fcfcd6
GP		 3030 break;
3031
3032 case L2CAP_CONF_RFC:
3033 if (olen == sizeof(rfc))
3034 memcpy(&rfc, (void *)val, olen);
3035
c1360a1c 3036 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
0c1bc5c6 3037 rfc.mode != chan->mode)
f2fcfcd6
GP		 3038 return -ECONNREFUSED;
3039
47d1ec61 3040 chan->fcs = 0;
f2fcfcd6
GP		 3041
3042 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3043 sizeof(rfc), (unsigned long) &rfc);
3044 break;
6327eb98
AE		 3045
3046 case L2CAP_CONF_EWS:
3047 chan->tx_win = min_t(u16, val,
3048 L2CAP_DEFAULT_EXT_WINDOW);
3e6b3b95
GP		 3049 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3050 chan->tx_win);
6327eb98 3051 break;
66af7aaf
AE		 3052
3053 case L2CAP_CONF_EFS:
3054 if (olen == sizeof(efs))
3055 memcpy(&efs, (void *)val, olen);
3056
3057 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3058 efs.stype != L2CAP_SERV_NOTRAFIC &&
3059 efs.stype != chan->local_stype)
3060 return -ECONNREFUSED;
3061
3062 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3063 sizeof(efs), (unsigned long) &efs);
3064 break;
f2fcfcd6
GP		 3065 }
3066 }
3067
0c1bc5c6 3068 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3069 return -ECONNREFUSED;
3070
0c1bc5c6 3071 chan->mode = rfc.mode;
6c2ea7a8 3072
0e8b207e 3073 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3074 switch (rfc.mode) {
3075 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3076 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3077 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3078 chan->mps = le16_to_cpu(rfc.max_pdu_size);
66af7aaf
AE		 3079
3080 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3081 chan->local_msdu = le16_to_cpu(efs.msdu);
3082 chan->local_sdu_itime =
3083 le32_to_cpu(efs.sdu_itime);
3084 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3085 chan->local_flush_to =
3086 le32_to_cpu(efs.flush_to);
3087 }
f2fcfcd6 3088 break;
66af7aaf 3089
f2fcfcd6 3090 case L2CAP_MODE_STREAMING:
47d1ec61 3091 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3092 }
3093 }
3094
fe4128e0 3095 req->dcid = cpu_to_le16(chan->dcid);
f2fcfcd6
GP		 3096 req->flags = cpu_to_le16(0x0000);
3097
3098 return ptr - data;
3099}
3100
fe4128e0 3101static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
1da177e4
LT		 3102{
3103 struct l2cap_conf_rsp *rsp = data;
3104 void *ptr = rsp->data;
1da177e4 3105
fe4128e0 3106 BT_DBG("chan %p", chan);
1da177e4 3107
fe4128e0 3108 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3109 rsp->result = cpu_to_le16(result);
aca3192c 3110 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3111
3112 return ptr - data;
3113}
3114
8c1d787b 3115void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3116{
3117 struct l2cap_conn_rsp rsp;
8c1d787b 3118 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3119 u8 buf[128];
3120
fe4128e0
GP		 3121 rsp.scid = cpu_to_le16(chan->dcid);
3122 rsp.dcid = cpu_to_le16(chan->scid);
710f9b0a
GP		 3123 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3124 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3125 l2cap_send_cmd(conn, chan->ident,
3126 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3127
c1360a1c 3128 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3129 return;
3130
710f9b0a
GP		 3131 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3132 l2cap_build_conf_req(chan, buf), buf);
3133 chan->num_conf_req++;
3134}
3135
47d1ec61 3136static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3137{
7b1c0049
GP		 3138 int type, olen;
3139 unsigned long val;
3140 struct l2cap_conf_rfc rfc;
3141
47d1ec61 3142 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3143
0c1bc5c6 3144 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3145 return;
3146
3147 while (len >= L2CAP_CONF_OPT_SIZE) {
3148 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3149
3150 switch (type) {
3151 case L2CAP_CONF_RFC:
3152 if (olen == sizeof(rfc))
3153 memcpy(&rfc, (void *)val, olen);
3154 goto done;
3155 }
3156 }
3157
36e999a8
MM		 3158 /* Use sane default values in case a misbehaving remote device
3159 * did not send an RFC option.
3160 */
3161 rfc.mode = chan->mode;
3162 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3163 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3164 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
3165
3166 BT_ERR("Expected RFC option was not found, using defaults");
3167
7b1c0049
GP		 3168done:
3169 switch (rfc.mode) {
3170 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3171 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3172 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3173 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3174 break;
3175 case L2CAP_MODE_STREAMING:
47d1ec61 3176 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3177 }
3178}
3179
4e8402a3
MH		 3180static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3181{
e2fd318e 3182 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3183
e2fd318e 3184 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3185 return 0;
3186
3187 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3188 cmd->ident == conn->info_ident) {
17cd3f37 3189 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3190
3191 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3192 conn->info_ident = 0;
984947dc 3193
4e8402a3
MH		 3194 l2cap_conn_start(conn);
3195 }
3196
3197 return 0;
3198}
3199
1da177e4
LT		 3200static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3201{
1da177e4
LT		 3202 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3203 struct l2cap_conn_rsp rsp;
23691d75 3204 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3205 struct sock *parent, *sk = NULL;
e7c29cb1 3206 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3207
3208 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3209 __le16 psm = req->psm;
1da177e4 3210
097db76c 3211 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3212
3213 /* Check if we have socket listening on psm */
c2287681 3214 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3215 if (!pchan) {
1da177e4
LT		 3216 result = L2CAP_CR_BAD_PSM;
3217 goto sendresp;
3218 }
3219
23691d75
GP		 3220 parent = pchan->sk;
3221
3df91ea2 3222 mutex_lock(&conn->chan_lock);
aa2ac881 3223 lock_sock(parent);
e0f0cb56 3224
e7c29cb1
MH		 3225 /* Check if the ACL is secure enough (if not SDP) */
3226 if (psm != cpu_to_le16(0x0001) &&
3227 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3228 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3229 result = L2CAP_CR_SEC_BLOCK;
3230 goto response;
3231 }
3232
1da177e4
LT		 3233 result = L2CAP_CR_NO_MEM;
3234
3235 /* Check for backlog size */
3236 if (sk_acceptq_is_full(parent)) {
8e87d142 3237 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 3238 goto response;
3239 }
3240
80808e43
GP		 3241 chan = pchan->ops->new_connection(pchan->data);
3242 if (!chan)
1da177e4
LT		 3243 goto response;
3244
80808e43
GP		 3245 sk = chan->sk;
3246
1da177e4 3247 /* Check if we already have channel with that dcid */
baa7e1fa 3248 if (__l2cap_get_chan_by_dcid(conn, scid)) {
1da177e4 3249 sock_set_flag(sk, SOCK_ZAPPED);
ba3bd0ee 3250 chan->ops->close(chan->data);
1da177e4
LT		 3251 goto response;
3252 }
3253
3254 hci_conn_hold(conn->hcon);
3255
1da177e4
LT		 3256 bacpy(&bt_sk(sk)->src, conn->src);
3257 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3258 chan->psm = psm;
3259 chan->dcid = scid;
1da177e4 3260
d1010240
GP		 3261 bt_accept_enqueue(parent, sk);
3262
6be36555 3263 __l2cap_chan_add(conn, chan);
48454079 3264
fe4128e0 3265 dcid = chan->scid;
1da177e4 3266
c9b66675 3267 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3268
fc7f8a7e 3269 chan->ident = cmd->ident;
1da177e4 3270
984947dc 3271 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3272 if (l2cap_chan_check_security(chan)) {
c5daa683 3273 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3274 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3275 result = L2CAP_CR_PEND;
3276 status = L2CAP_CS_AUTHOR_PEND;
3277 parent->sk_data_ready(parent, 0);
3278 } else {
0e587be7 3279 __l2cap_state_change(chan, BT_CONFIG);
f66dc81f
MH		 3280 result = L2CAP_CR_SUCCESS;
3281 status = L2CAP_CS_NO_INFO;
3282 }
79d554a6 3283 } else {
0e587be7 3284 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3285 result = L2CAP_CR_PEND;
3286 status = L2CAP_CS_AUTHEN_PEND;
3287 }
3288 } else {
0e587be7 3289 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3290 result = L2CAP_CR_PEND;
3291 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3292 }
3293
1da177e4 3294response:
aa2ac881 3295 release_sock(parent);
3df91ea2 3296 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3297
3298sendresp:
aca3192c
YH		 3299 rsp.scid = cpu_to_le16(scid);
3300 rsp.dcid = cpu_to_le16(dcid);
3301 rsp.result = cpu_to_le16(result);
3302 rsp.status = cpu_to_le16(status);
1da177e4 3303 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 3304
3305 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3306 struct l2cap_info_req info;
3307 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3308
3309 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3310 conn->info_ident = l2cap_get_ident(conn);
3311
ba13ccd9 3312 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6
MH		 3313
3314 l2cap_send_cmd(conn, conn->info_ident,
3315 L2CAP_INFO_REQ, sizeof(info), &info);
3316 }
3317
c1360a1c 3318 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
e9aeb2dd
GP		 3319 result == L2CAP_CR_SUCCESS) {
3320 u8 buf[128];
c1360a1c 3321 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3322 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3323 l2cap_build_conf_req(chan, buf), buf);
3324 chan->num_conf_req++;
e9aeb2dd
GP		 3325 }
3326
1da177e4
LT		 3327 return 0;
3328}
3329
3330static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3331{
3332 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3333 u16 scid, dcid, result, status;
48454079 3334 struct l2cap_chan *chan;
1da177e4 3335 u8 req[128];
3df91ea2 3336 int err;
1da177e4
LT		 3337
3338 scid = __le16_to_cpu(rsp->scid);
3339 dcid = __le16_to_cpu(rsp->dcid);
3340 result = __le16_to_cpu(rsp->result);
3341 status = __le16_to_cpu(rsp->status);
3342
1b009c98
AE		 3343 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3344 dcid, scid, result, status);
1da177e4 3345
3df91ea2
AE		 3346 mutex_lock(&conn->chan_lock);
3347
1da177e4 3348 if (scid) {
3df91ea2
AE		 3349 chan = __l2cap_get_chan_by_scid(conn, scid);
3350 if (!chan) {
3351 err = -EFAULT;
3352 goto unlock;
3353 }
1da177e4 3354 } else {
3df91ea2
AE		 3355 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3356 if (!chan) {
3357 err = -EFAULT;
3358 goto unlock;
3359 }
1da177e4
LT		 3360 }
3361
3df91ea2
AE		 3362 err = 0;
3363
6be36555 3364 l2cap_chan_lock(chan);
48454079 3365
1da177e4
LT		 3366 switch (result) {
3367 case L2CAP_CR_SUCCESS:
89bc500e 3368 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3369 chan->ident = 0;
fe4128e0 3370 chan->dcid = dcid;
c1360a1c 3371 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3372
c1360a1c 3373 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3374 break;
3375
1da177e4 3376 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3377 l2cap_build_conf_req(chan, req), req);
3378 chan->num_conf_req++;
1da177e4
LT		 3379 break;
3380
3381 case L2CAP_CR_PEND:
c1360a1c 3382 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3383 break;
3384
3385 default:
48454079 3386 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3387 break;
3388 }
3389
6be36555 3390 l2cap_chan_unlock(chan);
3df91ea2
AE		 3391
3392unlock:
3393 mutex_unlock(&conn->chan_lock);
3394
3395 return err;
1da177e4
LT		 3396}
3397
47d1ec61 3398static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3399{
3400 /* FCS is enabled only in ERTM or streaming mode, if one or both
3401 * sides request it.
3402 */
0c1bc5c6 3403 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3404 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3405 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3406 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3407}
3408
88219a0f 3409static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3410{
3411 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3412 u16 dcid, flags;
3413 u8 rsp[64];
48454079 3414 struct l2cap_chan *chan;
3c588192 3415 int len, err = 0;
1da177e4
LT		 3416
3417 dcid = __le16_to_cpu(req->dcid);
3418 flags = __le16_to_cpu(req->flags);
3419
3420 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3421
baa7e1fa 3422 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3423 if (!chan)
1da177e4
LT		 3424 return -ENOENT;
3425
033b1142 3426 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3427 struct l2cap_cmd_rej_cid rej;
3428
3429 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3430 rej.scid = cpu_to_le16(chan->scid);
3431 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3432
df6bd743
GP		 3433 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3434 sizeof(rej), &rej);
354f60a9 3435 goto unlock;
df6bd743 3436 }
354f60a9 3437
5dee9e7c 3438 /* Reject if config buffer is too small. */
88219a0f 3439 len = cmd_len - sizeof(*req);
7ac28817 3440 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3441 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3442 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c
MH		 3443 L2CAP_CONF_REJECT, flags), rsp);
3444 goto unlock;
3445 }
3446
3447 /* Store config. */
73ffa904
GP		 3448 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3449 chan->conf_len += len;
1da177e4
LT		 3450
3451 if (flags & 0x0001) {
3452 /* Incomplete config. Send empty response. */
3453 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
fe4128e0 3454 l2cap_build_conf_rsp(chan, rsp,
5dee9e7c 3455 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3456 goto unlock;
3457 }
3458
3459 /* Complete config. */
73ffa904 3460 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3461 if (len < 0) {
e92c8e70 3462 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3463 goto unlock;
f2fcfcd6 3464 }
1da177e4 3465
5dee9e7c 3466 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3467 chan->num_conf_rsp++;
5dee9e7c 3468
5dee9e7c 3469 /* Reset config buffer. */
73ffa904 3470 chan->conf_len = 0;
5dee9e7c 3471
c1360a1c 3472 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3473 goto unlock;
3474
c1360a1c 3475 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3476 set_default_fcs(chan);
fcc203c3 3477
89bc500e 3478 l2cap_state_change(chan, BT_CONNECTED);
e90bac06 3479
105bdf9e
MM		 3480 if (chan->mode == L2CAP_MODE_ERTM ||
3481 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3482 err = l2cap_ertm_init(chan);
3483
3484 if (err < 0)
3485 l2cap_send_disconn_req(chan->conn, chan, -err);
3486 else
3487 l2cap_chan_ready(chan);
0565c1c2 3488
876d9484
MH		 3489 goto unlock;
3490 }
3491
c1360a1c 3492 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3493 u8 buf[64];
1da177e4 3494 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
73ffa904
GP		 3495 l2cap_build_conf_req(chan, buf), buf);
3496 chan->num_conf_req++;
1da177e4
LT		 3497 }
3498
0e8b207e
AE		 3499 /* Got Conf Rsp PENDING from remote side and asume we sent
3500 Conf Rsp PENDING in the code above */
3501 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3502 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3503
3504 /* check compatibility */
3505
3506 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3507 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3508
3509 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3510 l2cap_build_conf_rsp(chan, rsp,
0e8b207e
AE		 3511 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3512 }
3513
1da177e4 3514unlock:
6be36555 3515 l2cap_chan_unlock(chan);
3c588192 3516 return err;
1da177e4
LT		 3517}
3518
3519static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3520{
3521 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3522 u16 scid, flags, result;
48454079 3523 struct l2cap_chan *chan;
61386cba 3524 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3525 int err = 0;
1da177e4
LT		 3526
3527 scid = __le16_to_cpu(rsp->scid);
3528 flags = __le16_to_cpu(rsp->flags);
3529 result = __le16_to_cpu(rsp->result);
3530
61386cba
AE		 3531 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3532 result, len);
1da177e4 3533
baa7e1fa 3534 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3535 if (!chan)
1da177e4
LT		 3536 return 0;
3537
3538 switch (result) {
3539 case L2CAP_CONF_SUCCESS:
47d1ec61 3540 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3541 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3542 break;
3543
0e8b207e
AE		 3544 case L2CAP_CONF_PENDING:
3545 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3546
3547 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3548 char buf[64];
3549
3550 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3551 buf, &result);
3552 if (len < 0) {
3553 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3554 goto done;
3555 }
3556
3557 /* check compatibility */
3558
3559 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3560 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3561
3562 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3e6b3b95 3563 l2cap_build_conf_rsp(chan, buf,
0e8b207e
AE		 3564 L2CAP_CONF_SUCCESS, 0x0000), buf);
3565 }
3566 goto done;
3567
1da177e4 3568 case L2CAP_CONF_UNACCEPT:
73ffa904 3569 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3570 char req[64];
3571
c2c77ec8 3572 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3573 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3574 goto done;
3575 }
3576
f2fcfcd6
GP		 3577 /* throw out any old stored conf requests */
3578 result = L2CAP_CONF_SUCCESS;
b4450035
GP		 3579 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3580 req, &result);
f2fcfcd6 3581 if (len < 0) {
e92c8e70 3582 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3583 goto done;
3584 }
3585
3586 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3587 L2CAP_CONF_REQ, len, req);
73ffa904 3588 chan->num_conf_req++;
f2fcfcd6
GP		 3589 if (result != L2CAP_CONF_SUCCESS)
3590 goto done;
3591 break;
1da177e4
LT		 3592 }
3593
8e87d142 3594 default:
6be36555 3595 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3596
ba13ccd9 3597 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3598 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3599 goto done;
3600 }
3601
3602 if (flags & 0x01)
3603 goto done;
3604
c1360a1c 3605 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3606
c1360a1c 3607 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3608 set_default_fcs(chan);
fcc203c3 3609
89bc500e 3610 l2cap_state_change(chan, BT_CONNECTED);
105bdf9e
MM		 3611 if (chan->mode == L2CAP_MODE_ERTM ||
3612 chan->mode == L2CAP_MODE_STREAMING)
3c588192 3613 err = l2cap_ertm_init(chan);
0565c1c2 3614
3c588192
MM		 3615 if (err < 0)
3616 l2cap_send_disconn_req(chan->conn, chan, -err);
3617 else
3618 l2cap_chan_ready(chan);
1da177e4
LT		 3619 }
3620
3621done:
6be36555 3622 l2cap_chan_unlock(chan);
3c588192 3623 return err;
1da177e4
LT		 3624}
3625
3626static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3627{
3628 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3629 struct l2cap_disconn_rsp rsp;
3630 u16 dcid, scid;
48454079 3631 struct l2cap_chan *chan;
1da177e4
LT		 3632 struct sock *sk;
3633
3634 scid = __le16_to_cpu(req->scid);
3635 dcid = __le16_to_cpu(req->dcid);
3636
3637 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3638
3df91ea2
AE		 3639 mutex_lock(&conn->chan_lock);
3640
3641 chan = __l2cap_get_chan_by_scid(conn, dcid);
3642 if (!chan) {
3643 mutex_unlock(&conn->chan_lock);
1da177e4 3644 return 0;
3df91ea2 3645 }
1da177e4 3646
6be36555
AE		 3647 l2cap_chan_lock(chan);
3648
48454079
GP		 3649 sk = chan->sk;
3650
fe4128e0
GP		 3651 rsp.dcid = cpu_to_le16(chan->scid);
3652 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 3653 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3654
6be36555 3655 lock_sock(sk);
1da177e4 3656 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 3657 release_sock(sk);
1da177e4 3658
61d6ef3e 3659 l2cap_chan_hold(chan);
48454079 3660 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 3661
3662 l2cap_chan_unlock(chan);
1da177e4 3663
ba3bd0ee 3664 chan->ops->close(chan->data);
61d6ef3e 3665 l2cap_chan_put(chan);
3df91ea2
AE		 3666
3667 mutex_unlock(&conn->chan_lock);
3668
1da177e4
LT		 3669 return 0;
3670}
3671
3672static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3673{
3674 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3675 u16 dcid, scid;
48454079 3676 struct l2cap_chan *chan;
1da177e4
LT		 3677
3678 scid = __le16_to_cpu(rsp->scid);
3679 dcid = __le16_to_cpu(rsp->dcid);
3680
3681 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3682
3df91ea2
AE		 3683 mutex_lock(&conn->chan_lock);
3684
3685 chan = __l2cap_get_chan_by_scid(conn, scid);
3686 if (!chan) {
3687 mutex_unlock(&conn->chan_lock);
1da177e4 3688 return 0;
3df91ea2 3689 }
1da177e4 3690
6be36555 3691 l2cap_chan_lock(chan);
48454079 3692
61d6ef3e 3693 l2cap_chan_hold(chan);
48454079 3694 l2cap_chan_del(chan, 0);
6be36555
AE		 3695
3696 l2cap_chan_unlock(chan);
1da177e4 3697
ba3bd0ee 3698 chan->ops->close(chan->data);
61d6ef3e 3699 l2cap_chan_put(chan);
3df91ea2
AE		 3700
3701 mutex_unlock(&conn->chan_lock);
3702
1da177e4
LT		 3703 return 0;
3704}
3705
3706static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3707{
3708 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3709 u16 type;
3710
3711 type = __le16_to_cpu(req->type);
3712
3713 BT_DBG("type 0x%4.4x", type);
3714
f0709e03
MH		 3715 if (type == L2CAP_IT_FEAT_MASK) {
3716 u8 buf[8];
44dd46de 3717 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3718 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3719 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3720 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 3721 if (!disable_ertm)
fcc203c3
GP		 3722 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3723 | L2CAP_FEAT_FCS;
a5fd6f30 3724 if (enable_hs)
6327eb98
AE		 3725 feat_mask |= L2CAP_FEAT_EXT_FLOW
3726 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 3727
1b7bf4ed 3728 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3729 l2cap_send_cmd(conn, cmd->ident,
3730 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3731 } else if (type == L2CAP_IT_FIXED_CHAN) {
3732 u8 buf[12];
3733 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 3734
3735 if (enable_hs)
3736 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3737 else
3738 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3739
e1027a7c
MH		 3740 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3741 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 3742 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
e1027a7c
MH		 3743 l2cap_send_cmd(conn, cmd->ident,
3744 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3745 } else {
3746 struct l2cap_info_rsp rsp;
3747 rsp.type = cpu_to_le16(type);
3748 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3749 l2cap_send_cmd(conn, cmd->ident,
3750 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3751 }
1da177e4
LT		 3752
3753 return 0;
3754}
3755
3756static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3757{
3758 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3759 u16 type, result;
3760
3761 type = __le16_to_cpu(rsp->type);
3762 result = __le16_to_cpu(rsp->result);
3763
3764 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3765
e90165be
AE		 3766 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3767 if (cmd->ident != conn->info_ident ||
3768 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3769 return 0;
3770
17cd3f37 3771 cancel_delayed_work(&conn->info_timer);
4e8402a3 3772
adb08ede
VT		 3773 if (result != L2CAP_IR_SUCCESS) {
3774 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3775 conn->info_ident = 0;
3776
3777 l2cap_conn_start(conn);
3778
3779 return 0;
3780 }
3781
978c93b9
AE		 3782 switch (type) {
3783 case L2CAP_IT_FEAT_MASK:
83985319 3784 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3785
47ec1dcd 3786 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3787 struct l2cap_info_req req;
3788 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3789
3790 conn->info_ident = l2cap_get_ident(conn);
3791
3792 l2cap_send_cmd(conn, conn->info_ident,
3793 L2CAP_INFO_REQ, sizeof(req), &req);
3794 } else {
3795 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3796 conn->info_ident = 0;
3797
3798 l2cap_conn_start(conn);
3799 }
978c93b9
AE		 3800 break;
3801
3802 case L2CAP_IT_FIXED_CHAN:
3803 conn->fixed_chan_mask = rsp->data[0];
984947dc 3804 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3805 conn->info_ident = 0;
984947dc
MH		 3806
3807 l2cap_conn_start(conn);
978c93b9 3808 break;
984947dc 3809 }
4e8402a3 3810
1da177e4
LT		 3811 return 0;
3812}
3813
f94ff6ff
MM		 3814static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3815 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3816 void *data)
3817{
3818 struct l2cap_create_chan_req *req = data;
3819 struct l2cap_create_chan_rsp rsp;
3820 u16 psm, scid;
3821
3822 if (cmd_len != sizeof(*req))
3823 return -EPROTO;
3824
3825 if (!enable_hs)
3826 return -EINVAL;
3827
3828 psm = le16_to_cpu(req->psm);
3829 scid = le16_to_cpu(req->scid);
3830
3831 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3832
3833 /* Placeholder: Always reject */
3834 rsp.dcid = 0;
3835 rsp.scid = cpu_to_le16(scid);
8ce0c498
AE		 3836 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3837 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f94ff6ff
MM		 3838
3839 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3840 sizeof(rsp), &rsp);
3841
3842 return 0;
3843}
3844
3845static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3846 struct l2cap_cmd_hdr *cmd, void *data)
3847{
3848 BT_DBG("conn %p", conn);
3849
3850 return l2cap_connect_rsp(conn, cmd, data);
3851}
3852
8d5a04a1
MM		 3853static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3854 u16 icid, u16 result)
3855{
3856 struct l2cap_move_chan_rsp rsp;
3857
3858 BT_DBG("icid %d, result %d", icid, result);
3859
3860 rsp.icid = cpu_to_le16(icid);
3861 rsp.result = cpu_to_le16(result);
3862
3863 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3864}
3865
3866static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3867 struct l2cap_chan *chan, u16 icid, u16 result)
3868{
3869 struct l2cap_move_chan_cfm cfm;
3870 u8 ident;
3871
3872 BT_DBG("icid %d, result %d", icid, result);
3873
3874 ident = l2cap_get_ident(conn);
3875 if (chan)
3876 chan->ident = ident;
3877
3878 cfm.icid = cpu_to_le16(icid);
3879 cfm.result = cpu_to_le16(result);
3880
3881 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3882}
3883
3884static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3885 u16 icid)
3886{
3887 struct l2cap_move_chan_cfm_rsp rsp;
3888
3889 BT_DBG("icid %d", icid);
3890
3891 rsp.icid = cpu_to_le16(icid);
3892 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3893}
3894
3895static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3896 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3897{
3898 struct l2cap_move_chan_req *req = data;
3899 u16 icid = 0;
3900 u16 result = L2CAP_MR_NOT_ALLOWED;
3901
3902 if (cmd_len != sizeof(*req))
3903 return -EPROTO;
3904
3905 icid = le16_to_cpu(req->icid);
3906
3907 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3908
3909 if (!enable_hs)
3910 return -EINVAL;
3911
3912 /* Placeholder: Always refuse */
3913 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3914
3915 return 0;
3916}
3917
3918static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3919 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3920{
3921 struct l2cap_move_chan_rsp *rsp = data;
3922 u16 icid, result;
3923
3924 if (cmd_len != sizeof(*rsp))
3925 return -EPROTO;
3926
3927 icid = le16_to_cpu(rsp->icid);
3928 result = le16_to_cpu(rsp->result);
3929
3930 BT_DBG("icid %d, result %d", icid, result);
3931
3932 /* Placeholder: Always unconfirmed */
3933 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3934
3935 return 0;
3936}
3937
3938static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3939 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3940{
3941 struct l2cap_move_chan_cfm *cfm = data;
3942 u16 icid, result;
3943
3944 if (cmd_len != sizeof(*cfm))
3945 return -EPROTO;
3946
3947 icid = le16_to_cpu(cfm->icid);
3948 result = le16_to_cpu(cfm->result);
3949
3950 BT_DBG("icid %d, result %d", icid, result);
3951
3952 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3953
3954 return 0;
3955}
3956
3957static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3958 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3959{
3960 struct l2cap_move_chan_cfm_rsp *rsp = data;
3961 u16 icid;
3962
3963 if (cmd_len != sizeof(*rsp))
3964 return -EPROTO;
3965
3966 icid = le16_to_cpu(rsp->icid);
3967
3968 BT_DBG("icid %d", icid);
3969
3970 return 0;
3971}
3972
e2174ca4 3973static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
de73115a
CT		 3974 u16 to_multiplier)
3975{
3976 u16 max_latency;
3977
3978 if (min > max || min < 6 || max > 3200)
3979 return -EINVAL;
3980
3981 if (to_multiplier < 10 || to_multiplier > 3200)
3982 return -EINVAL;
3983
3984 if (max >= to_multiplier * 8)
3985 return -EINVAL;
3986
3987 max_latency = (to_multiplier * 8 / max) - 1;
3988 if (latency > 499 || latency > max_latency)
3989 return -EINVAL;
3990
3991 return 0;
3992}
3993
3994static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3995 struct l2cap_cmd_hdr *cmd, u8 *data)
3996{
3997 struct hci_conn *hcon = conn->hcon;
3998 struct l2cap_conn_param_update_req *req;
3999 struct l2cap_conn_param_update_rsp rsp;
4000 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4001 int err;
de73115a
CT		 4002
4003 if (!(hcon->link_mode & HCI_LM_MASTER))
4004 return -EINVAL;
4005
4006 cmd_len = __le16_to_cpu(cmd->len);
4007 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4008 return -EPROTO;
4009
4010 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4011 min = __le16_to_cpu(req->min);
4012 max = __le16_to_cpu(req->max);
de73115a
CT		 4013 latency = __le16_to_cpu(req->latency);
4014 to_multiplier = __le16_to_cpu(req->to_multiplier);
4015
4016 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4017 min, max, latency, to_multiplier);
4018
4019 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4020
4021 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4022 if (err)
de73115a
CT		 4023 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4024 else
4025 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4026
4027 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4028 sizeof(rsp), &rsp);
4029
2ce603eb
CT		 4030 if (!err)
4031 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4032
de73115a
CT		 4033 return 0;
4034}
4035
3300d9a9
CT		 4036static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4037 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4038{
4039 int err = 0;
4040
4041 switch (cmd->code) {
4042 case L2CAP_COMMAND_REJ:
4043 l2cap_command_rej(conn, cmd, data);
4044 break;
4045
4046 case L2CAP_CONN_REQ:
4047 err = l2cap_connect_req(conn, cmd, data);
4048 break;
4049
4050 case L2CAP_CONN_RSP:
4051 err = l2cap_connect_rsp(conn, cmd, data);
4052 break;
4053
4054 case L2CAP_CONF_REQ:
4055 err = l2cap_config_req(conn, cmd, cmd_len, data);
4056 break;
4057
4058 case L2CAP_CONF_RSP:
4059 err = l2cap_config_rsp(conn, cmd, data);
4060 break;
4061
4062 case L2CAP_DISCONN_REQ:
4063 err = l2cap_disconnect_req(conn, cmd, data);
4064 break;
4065
4066 case L2CAP_DISCONN_RSP:
4067 err = l2cap_disconnect_rsp(conn, cmd, data);
4068 break;
4069
4070 case L2CAP_ECHO_REQ:
4071 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4072 break;
4073
4074 case L2CAP_ECHO_RSP:
4075 break;
4076
4077 case L2CAP_INFO_REQ:
4078 err = l2cap_information_req(conn, cmd, data);
4079 break;
4080
4081 case L2CAP_INFO_RSP:
4082 err = l2cap_information_rsp(conn, cmd, data);
4083 break;
4084
f94ff6ff
MM		 4085 case L2CAP_CREATE_CHAN_REQ:
4086 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
4087 break;
4088
4089 case L2CAP_CREATE_CHAN_RSP:
4090 err = l2cap_create_channel_rsp(conn, cmd, data);
4091 break;
4092
8d5a04a1
MM		 4093 case L2CAP_MOVE_CHAN_REQ:
4094 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
4095 break;
4096
4097 case L2CAP_MOVE_CHAN_RSP:
4098 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
4099 break;
4100
4101 case L2CAP_MOVE_CHAN_CFM:
4102 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
4103 break;
4104
4105 case L2CAP_MOVE_CHAN_CFM_RSP:
4106 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
4107 break;
4108
3300d9a9
CT		 4109 default:
4110 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4111 err = -EINVAL;
4112 break;
4113 }
4114
4115 return err;
4116}
4117
4118static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
4119 struct l2cap_cmd_hdr *cmd, u8 *data)
4120{
4121 switch (cmd->code) {
4122 case L2CAP_COMMAND_REJ:
4123 return 0;
4124
4125 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 4126 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 4127
4128 case L2CAP_CONN_PARAM_UPDATE_RSP:
4129 return 0;
4130
4131 default:
4132 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
4133 return -EINVAL;
4134 }
4135}
4136
4137static inline void l2cap_sig_channel(struct l2cap_conn *conn,
4138 struct sk_buff *skb)
1da177e4
LT		 4139{
4140 u8 *data = skb->data;
4141 int len = skb->len;
4142 struct l2cap_cmd_hdr cmd;
3300d9a9 4143 int err;
1da177e4
LT		 4144
4145 l2cap_raw_recv(conn, skb);
4146
4147 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 4148 u16 cmd_len;
1da177e4
LT		 4149 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
4150 data += L2CAP_CMD_HDR_SIZE;
4151 len -= L2CAP_CMD_HDR_SIZE;
4152
88219a0f 4153 cmd_len = le16_to_cpu(cmd.len);
1da177e4 4154
88219a0f 4155 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 4156
88219a0f 4157 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 4158 BT_DBG("corrupted command");
4159 break;
4160 }
4161
3300d9a9
CT		 4162 if (conn->hcon->type == LE_LINK)
4163 err = l2cap_le_sig_cmd(conn, &cmd, data);
4164 else
4165 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 4166
4167 if (err) {
e2fd318e 4168 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 4169
4170 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 4171
4172 /* FIXME: Map err to a valid reason */
e2fd318e 4173 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
1da177e4
LT		 4174 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4175 }
4176
88219a0f
AV		 4177 data += cmd_len;
4178 len -= cmd_len;
1da177e4
LT		 4179 }
4180
4181 kfree_skb(skb);
4182}
4183
47d1ec61 4184static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 4185{
4186 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 4187 int hdr_size;
4188
4189 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4190 hdr_size = L2CAP_EXT_HDR_SIZE;
4191 else
4192 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 4193
47d1ec61 4194 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 4195 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 4196 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
4197 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
4198
4199 if (our_fcs != rcv_fcs)
7a560e5c 4200 return -EBADMSG;
fcc203c3
GP		 4201 }
4202 return 0;
4203}
4204
525cd185 4205static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 4206{
e31f7633 4207 struct l2cap_ctrl control;
d5392c8f 4208
e31f7633 4209 BT_DBG("chan %p", chan);
d5392c8f 4210
e31f7633
MM		 4211 memset(&control, 0, sizeof(control));
4212 control.sframe = 1;
4213 control.final = 1;
4214 control.reqseq = chan->buffer_seq;
4215 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 4216
e2ab4353 4217 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 4218 control.super = L2CAP_SUPER_RNR;
4219 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4220 }
4221
e31f7633
MM		 4222 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4223 chan->unacked_frames > 0)
4224 __set_retrans_timer(chan);
d5392c8f 4225
e31f7633 4226 /* Send pending iframes */
525cd185 4227 l2cap_ertm_send(chan);
d5392c8f 4228
e2ab4353 4229 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 4230 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
4231 /* F-bit wasn't sent in an s-frame or i-frame yet, so
4232 * send it now.
4233 */
4234 control.super = L2CAP_SUPER_RR;
4235 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 4236 }
4237}
4238
84084a31
MM		 4239static void append_skb_frag(struct sk_buff *skb,
4240 struct sk_buff *new_frag, struct sk_buff **last_frag)
18778a63 4241{
84084a31
MM		 4242 /* skb->len reflects data in skb as well as all fragments
4243 * skb->data_len reflects only data in fragments
4244 */
4245 if (!skb_has_frag_list(skb))
4246 skb_shinfo(skb)->frag_list = new_frag;
4247
4248 new_frag->next = NULL;
4249
4250 (*last_frag)->next = new_frag;
4251 *last_frag = new_frag;
4252
4253 skb->len += new_frag->len;
4254 skb->data_len += new_frag->len;
4255 skb->truesize += new_frag->truesize;
4256}
4257
4b51dae9
MM		 4258static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
4259 struct l2cap_ctrl *control)
84084a31
MM		 4260{
4261 int err = -EINVAL;
18778a63 4262
4b51dae9 4263 switch (control->sar) {
7e0ef6ee 4264 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 4265 if (chan->sdu)
4266 break;
18778a63 4267
84084a31
MM		 4268 err = chan->ops->recv(chan->data, skb);
4269 break;
18778a63 4270
7e0ef6ee 4271 case L2CAP_SAR_START:
84084a31
MM		 4272 if (chan->sdu)
4273 break;
18778a63 4274
6f61fd47 4275 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 4276 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 4277
84084a31
MM		 4278 if (chan->sdu_len > chan->imtu) {
4279 err = -EMSGSIZE;
4280 break;
4281 }
1890d36b 4282
84084a31
MM		 4283 if (skb->len >= chan->sdu_len)
4284 break;
18778a63 4285
84084a31
MM		 4286 chan->sdu = skb;
4287 chan->sdu_last_frag = skb;
18778a63 4288
84084a31
MM		 4289 skb = NULL;
4290 err = 0;
18778a63
GP		 4291 break;
4292
7e0ef6ee 4293 case L2CAP_SAR_CONTINUE:
6f61fd47 4294 if (!chan->sdu)
84084a31 4295 break;
18778a63 4296
84084a31
MM		 4297 append_skb_frag(chan->sdu, skb,
4298 &chan->sdu_last_frag);
4299 skb = NULL;
18778a63 4300
84084a31
MM		 4301 if (chan->sdu->len >= chan->sdu_len)
4302 break;
4178ba46 4303
84084a31 4304 err = 0;
18778a63
GP		 4305 break;
4306
7e0ef6ee 4307 case L2CAP_SAR_END:
6f61fd47 4308 if (!chan->sdu)
84084a31 4309 break;
18778a63 4310
84084a31
MM		 4311 append_skb_frag(chan->sdu, skb,
4312 &chan->sdu_last_frag);
4313 skb = NULL;
4178ba46 4314
84084a31
MM		 4315 if (chan->sdu->len != chan->sdu_len)
4316 break;
18778a63 4317
84084a31 4318 err = chan->ops->recv(chan->data, chan->sdu);
1890d36b 4319
84084a31
MM		 4320 if (!err) {
4321 /* Reassembly complete */
4322 chan->sdu = NULL;
4323 chan->sdu_last_frag = NULL;
4324 chan->sdu_len = 0;
1890d36b 4325 }
18778a63
GP		 4326 break;
4327 }
4328
84084a31
MM		 4329 if (err) {
4330 kfree_skb(skb);
4331 kfree_skb(chan->sdu);
4332 chan->sdu = NULL;
4333 chan->sdu_last_frag = NULL;
4334 chan->sdu_len = 0;
4335 }
18778a63 4336
84084a31 4337 return err;
18778a63
GP		 4338}
4339
61aa4f5b 4340void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 4341{
61aa4f5b 4342 u8 event;
712132eb 4343
61aa4f5b
MM		 4344 if (chan->mode != L2CAP_MODE_ERTM)
4345 return;
712132eb 4346
61aa4f5b
MM		 4347 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
4348 l2cap_tx(chan, 0, 0, event);
1890d36b
GP		 4349}
4350
d2a7ac5d
MM		 4351static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
4352{
4353 /* Placeholder */
4354 return 0;
4355}
4356
4357static void l2cap_handle_srej(struct l2cap_chan *chan,
4358 struct l2cap_ctrl *control)
4359{
4360 /* Placeholder */
4361}
4362
4363static void l2cap_handle_rej(struct l2cap_chan *chan,
4364 struct l2cap_ctrl *control)
4365{
4366 /* Placeholder */
4367}
4368
4b51dae9
MM		 4369static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
4370{
4371 BT_DBG("chan %p, txseq %d", chan, txseq);
4372
4373 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
4374 chan->expected_tx_seq);
4375
4376 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
4377 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4378 chan->tx_win) {
4379 /* See notes below regarding "double poll" and
4380 * invalid packets.
4381 */
4382 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4383 BT_DBG("Invalid/Ignore - after SREJ");
4384 return L2CAP_TXSEQ_INVALID_IGNORE;
4385 } else {
4386 BT_DBG("Invalid - in window after SREJ sent");
4387 return L2CAP_TXSEQ_INVALID;
4388 }
4389 }
4390
4391 if (chan->srej_list.head == txseq) {
4392 BT_DBG("Expected SREJ");
4393 return L2CAP_TXSEQ_EXPECTED_SREJ;
4394 }
4395
4396 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
4397 BT_DBG("Duplicate SREJ - txseq already stored");
4398 return L2CAP_TXSEQ_DUPLICATE_SREJ;
4399 }
4400
4401 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
4402 BT_DBG("Unexpected SREJ - not requested");
4403 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
4404 }
4405 }
4406
4407 if (chan->expected_tx_seq == txseq) {
4408 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
4409 chan->tx_win) {
4410 BT_DBG("Invalid - txseq outside tx window");
4411 return L2CAP_TXSEQ_INVALID;
4412 } else {
4413 BT_DBG("Expected");
4414 return L2CAP_TXSEQ_EXPECTED;
4415 }
4416 }
4417
4418 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
4419 __seq_offset(chan, chan->expected_tx_seq,
4420 chan->last_acked_seq)){
4421 BT_DBG("Duplicate - expected_tx_seq later than txseq");
4422 return L2CAP_TXSEQ_DUPLICATE;
4423 }
4424
4425 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
4426 /* A source of invalid packets is a "double poll" condition,
4427 * where delays cause us to send multiple poll packets. If
4428 * the remote stack receives and processes both polls,
4429 * sequence numbers can wrap around in such a way that a
4430 * resent frame has a sequence number that looks like new data
4431 * with a sequence gap. This would trigger an erroneous SREJ
4432 * request.
4433 *
4434 * Fortunately, this is impossible with a tx window that's
4435 * less than half of the maximum sequence number, which allows
4436 * invalid frames to be safely ignored.
4437 *
4438 * With tx window sizes greater than half of the tx window
4439 * maximum, the frame is invalid and cannot be ignored. This
4440 * causes a disconnect.
4441 */
4442
4443 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
4444 BT_DBG("Invalid/Ignore - txseq outside tx window");
4445 return L2CAP_TXSEQ_INVALID_IGNORE;
4446 } else {
4447 BT_DBG("Invalid - txseq outside tx window");
4448 return L2CAP_TXSEQ_INVALID;
4449 }
4450 } else {
4451 BT_DBG("Unexpected - txseq indicates missing frames");
4452 return L2CAP_TXSEQ_UNEXPECTED;
4453 }
4454}
4455
d2a7ac5d
MM		 4456static int l2cap_rx_state_recv(struct l2cap_chan *chan,
4457 struct l2cap_ctrl *control,
4458 struct sk_buff *skb, u8 event)
4459{
4460 int err = 0;
4461 bool skb_in_use = 0;
4462
4463 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4464 event);
4465
4466 switch (event) {
4467 case L2CAP_EV_RECV_IFRAME:
4468 switch (l2cap_classify_txseq(chan, control->txseq)) {
4469 case L2CAP_TXSEQ_EXPECTED:
4470 l2cap_pass_to_tx(chan, control);
4471
4472 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4473 BT_DBG("Busy, discarding expected seq %d",
4474 control->txseq);
4475 break;
4476 }
4477
4478 chan->expected_tx_seq = __next_seq(chan,
4479 control->txseq);
4480
4481 chan->buffer_seq = chan->expected_tx_seq;
4482 skb_in_use = 1;
4483
4484 err = l2cap_reassemble_sdu(chan, skb, control);
4485 if (err)
4486 break;
4487
4488 if (control->final) {
4489 if (!test_and_clear_bit(CONN_REJ_ACT,
4490 &chan->conn_state)) {
4491 control->final = 0;
4492 l2cap_retransmit_all(chan, control);
4493 l2cap_ertm_send(chan);
4494 }
4495 }
4496
4497 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
4498 l2cap_send_ack(chan);
4499 break;
4500 case L2CAP_TXSEQ_UNEXPECTED:
4501 l2cap_pass_to_tx(chan, control);
4502
4503 /* Can't issue SREJ frames in the local busy state.
4504 * Drop this frame, it will be seen as missing
4505 * when local busy is exited.
4506 */
4507 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4508 BT_DBG("Busy, discarding unexpected seq %d",
4509 control->txseq);
4510 break;
4511 }
4512
4513 /* There was a gap in the sequence, so an SREJ
4514 * must be sent for each missing frame. The
4515 * current frame is stored for later use.
4516 */
4517 skb_queue_tail(&chan->srej_q, skb);
4518 skb_in_use = 1;
4519 BT_DBG("Queued %p (queue len %d)", skb,
4520 skb_queue_len(&chan->srej_q));
4521
4522 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4523 l2cap_seq_list_clear(&chan->srej_list);
4524 l2cap_send_srej(chan, control->txseq);
4525
4526 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
4527 break;
4528 case L2CAP_TXSEQ_DUPLICATE:
4529 l2cap_pass_to_tx(chan, control);
4530 break;
4531 case L2CAP_TXSEQ_INVALID_IGNORE:
4532 break;
4533 case L2CAP_TXSEQ_INVALID:
4534 default:
4535 l2cap_send_disconn_req(chan->conn, chan,
4536 ECONNRESET);
4537 break;
4538 }
4539 break;
4540 case L2CAP_EV_RECV_RR:
4541 l2cap_pass_to_tx(chan, control);
4542 if (control->final) {
4543 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4544
4545 if (!test_and_clear_bit(CONN_REJ_ACT,
4546 &chan->conn_state)) {
4547 control->final = 0;
4548 l2cap_retransmit_all(chan, control);
4549 }
4550
4551 l2cap_ertm_send(chan);
4552 } else if (control->poll) {
4553 l2cap_send_i_or_rr_or_rnr(chan);
4554 } else {
4555 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4556 &chan->conn_state) &&
4557 chan->unacked_frames)
4558 __set_retrans_timer(chan);
4559
4560 l2cap_ertm_send(chan);
4561 }
4562 break;
4563 case L2CAP_EV_RECV_RNR:
4564 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4565 l2cap_pass_to_tx(chan, control);
4566 if (control && control->poll) {
4567 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4568 l2cap_send_rr_or_rnr(chan, 0);
4569 }
4570 __clear_retrans_timer(chan);
4571 l2cap_seq_list_clear(&chan->retrans_list);
4572 break;
4573 case L2CAP_EV_RECV_REJ:
4574 l2cap_handle_rej(chan, control);
4575 break;
4576 case L2CAP_EV_RECV_SREJ:
4577 l2cap_handle_srej(chan, control);
4578 break;
4579 default:
4580 break;
4581 }
4582
4583 if (skb && !skb_in_use) {
4584 BT_DBG("Freeing %p", skb);
4585 kfree_skb(skb);
4586 }
4587
4588 return err;
4589}
4590
4591static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
4592 struct l2cap_ctrl *control,
4593 struct sk_buff *skb, u8 event)
4594{
4595 int err = 0;
4596 u16 txseq = control->txseq;
4597 bool skb_in_use = 0;
4598
4599 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
4600 event);
4601
4602 switch (event) {
4603 case L2CAP_EV_RECV_IFRAME:
4604 switch (l2cap_classify_txseq(chan, txseq)) {
4605 case L2CAP_TXSEQ_EXPECTED:
4606 /* Keep frame for reassembly later */
4607 l2cap_pass_to_tx(chan, control);
4608 skb_queue_tail(&chan->srej_q, skb);
4609 skb_in_use = 1;
4610 BT_DBG("Queued %p (queue len %d)", skb,
4611 skb_queue_len(&chan->srej_q));
4612
4613 chan->expected_tx_seq = __next_seq(chan, txseq);
4614 break;
4615 case L2CAP_TXSEQ_EXPECTED_SREJ:
4616 l2cap_seq_list_pop(&chan->srej_list);
4617
4618 l2cap_pass_to_tx(chan, control);
4619 skb_queue_tail(&chan->srej_q, skb);
4620 skb_in_use = 1;
4621 BT_DBG("Queued %p (queue len %d)", skb,
4622 skb_queue_len(&chan->srej_q));
4623
4624 err = l2cap_rx_queued_iframes(chan);
4625 if (err)
4626 break;
4627
4628 break;
4629 case L2CAP_TXSEQ_UNEXPECTED:
4630 /* Got a frame that can't be reassembled yet.
4631 * Save it for later, and send SREJs to cover
4632 * the missing frames.
4633 */
4634 skb_queue_tail(&chan->srej_q, skb);
4635 skb_in_use = 1;
4636 BT_DBG("Queued %p (queue len %d)", skb,
4637 skb_queue_len(&chan->srej_q));
4638
4639 l2cap_pass_to_tx(chan, control);
4640 l2cap_send_srej(chan, control->txseq);
4641 break;
4642 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
4643 /* This frame was requested with an SREJ, but
4644 * some expected retransmitted frames are
4645 * missing. Request retransmission of missing
4646 * SREJ'd frames.
4647 */
4648 skb_queue_tail(&chan->srej_q, skb);
4649 skb_in_use = 1;
4650 BT_DBG("Queued %p (queue len %d)", skb,
4651 skb_queue_len(&chan->srej_q));
4652
4653 l2cap_pass_to_tx(chan, control);
4654 l2cap_send_srej_list(chan, control->txseq);
4655 break;
4656 case L2CAP_TXSEQ_DUPLICATE_SREJ:
4657 /* We've already queued this frame. Drop this copy. */
4658 l2cap_pass_to_tx(chan, control);
4659 break;
4660 case L2CAP_TXSEQ_DUPLICATE:
4661 /* Expecting a later sequence number, so this frame
4662 * was already received. Ignore it completely.
4663 */
4664 break;
4665 case L2CAP_TXSEQ_INVALID_IGNORE:
4666 break;
4667 case L2CAP_TXSEQ_INVALID:
4668 default:
4669 l2cap_send_disconn_req(chan->conn, chan,
4670 ECONNRESET);
4671 break;
4672 }
4673 break;
4674 case L2CAP_EV_RECV_RR:
4675 l2cap_pass_to_tx(chan, control);
4676 if (control->final) {
4677 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4678
4679 if (!test_and_clear_bit(CONN_REJ_ACT,
4680 &chan->conn_state)) {
4681 control->final = 0;
4682 l2cap_retransmit_all(chan, control);
4683 }
4684
4685 l2cap_ertm_send(chan);
4686 } else if (control->poll) {
4687 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4688 &chan->conn_state) &&
4689 chan->unacked_frames) {
4690 __set_retrans_timer(chan);
4691 }
4692
4693 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4694 l2cap_send_srej_tail(chan);
4695 } else {
4696 if (test_and_clear_bit(CONN_REMOTE_BUSY,
4697 &chan->conn_state) &&
4698 chan->unacked_frames)
4699 __set_retrans_timer(chan);
4700
4701 l2cap_send_ack(chan);
4702 }
4703 break;
4704 case L2CAP_EV_RECV_RNR:
4705 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4706 l2cap_pass_to_tx(chan, control);
4707 if (control->poll) {
4708 l2cap_send_srej_tail(chan);
4709 } else {
4710 struct l2cap_ctrl rr_control;
4711 memset(&rr_control, 0, sizeof(rr_control));
4712 rr_control.sframe = 1;
4713 rr_control.super = L2CAP_SUPER_RR;
4714 rr_control.reqseq = chan->buffer_seq;
4715 l2cap_send_sframe(chan, &rr_control);
4716 }
4717
4718 break;
4719 case L2CAP_EV_RECV_REJ:
4720 l2cap_handle_rej(chan, control);
4721 break;
4722 case L2CAP_EV_RECV_SREJ:
4723 l2cap_handle_srej(chan, control);
4724 break;
4725 }
4726
4727 if (skb && !skb_in_use) {
4728 BT_DBG("Freeing %p", skb);
4729 kfree_skb(skb);
4730 }
4731
4732 return err;
4733}
4734
4735static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
4736{
4737 /* Make sure reqseq is for a packet that has been sent but not acked */
4738 u16 unacked;
4739
4740 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
4741 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
4742}
4743
cec8ab6e
MM		 4744static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4745 struct sk_buff *skb, u8 event)
218bb9df 4746{
d2a7ac5d
MM		 4747 int err = 0;
4748
4749 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
4750 control, skb, event, chan->rx_state);
4751
4752 if (__valid_reqseq(chan, control->reqseq)) {
4753 switch (chan->rx_state) {
4754 case L2CAP_RX_STATE_RECV:
4755 err = l2cap_rx_state_recv(chan, control, skb, event);
4756 break;
4757 case L2CAP_RX_STATE_SREJ_SENT:
4758 err = l2cap_rx_state_srej_sent(chan, control, skb,
4759 event);
4760 break;
4761 default:
4762 /* shut it down */
4763 break;
4764 }
4765 } else {
4766 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
4767 control->reqseq, chan->next_tx_seq,
4768 chan->expected_ack_seq);
4769 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4770 }
4771
4772 return err;
cec8ab6e
MM		 4773}
4774
4775static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
4776 struct sk_buff *skb)
4777{
4b51dae9
MM		 4778 int err = 0;
4779
4780 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
4781 chan->rx_state);
4782
4783 if (l2cap_classify_txseq(chan, control->txseq) ==
4784 L2CAP_TXSEQ_EXPECTED) {
4785 l2cap_pass_to_tx(chan, control);
4786
4787 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
4788 __next_seq(chan, chan->buffer_seq));
4789
4790 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4791
4792 l2cap_reassemble_sdu(chan, skb, control);
4793 } else {
4794 if (chan->sdu) {
4795 kfree_skb(chan->sdu);
4796 chan->sdu = NULL;
4797 }
4798 chan->sdu_last_frag = NULL;
4799 chan->sdu_len = 0;
4800
4801 if (skb) {
4802 BT_DBG("Freeing %p", skb);
4803 kfree_skb(skb);
4804 }
4805 }
4806
4807 chan->last_acked_seq = control->txseq;
4808 chan->expected_tx_seq = __next_seq(chan, control->txseq);
4809
4810 return err;
cec8ab6e
MM		 4811}
4812
4813static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4814{
4815 struct l2cap_ctrl *control = &bt_cb(skb)->control;
4816 u16 len;
4817 u8 event;
218bb9df 4818
b76bbd66
MM		 4819 __unpack_control(chan, skb);
4820
218bb9df
GP		 4821 len = skb->len;
4822
4823 /*
4824 * We can just drop the corrupted I-frame here.
4825 * Receiver will miss it and start proper recovery
cec8ab6e 4826 * procedures and ask for retransmission.
218bb9df 4827 */
47d1ec61 4828 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 4829 goto drop;
4830
cec8ab6e 4831 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 4832 len -= L2CAP_SDULEN_SIZE;
218bb9df 4833
47d1ec61 4834 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 4835 len -= L2CAP_FCS_SIZE;
218bb9df 4836
47d1ec61 4837 if (len > chan->mps) {
8c1d787b 4838 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4839 goto drop;
4840 }
4841
cec8ab6e
MM		 4842 if (!control->sframe) {
4843 int err;
218bb9df 4844
cec8ab6e
MM		 4845 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
4846 control->sar, control->reqseq, control->final,
4847 control->txseq);
218bb9df 4848
cec8ab6e
MM		 4849 /* Validate F-bit - F=0 always valid, F=1 only
4850 * valid in TX WAIT_F
4851 */
4852 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 4853 goto drop;
cec8ab6e
MM		 4854
4855 if (chan->mode != L2CAP_MODE_STREAMING) {
4856 event = L2CAP_EV_RECV_IFRAME;
4857 err = l2cap_rx(chan, control, skb, event);
4858 } else {
4859 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 4860 }
4861
cec8ab6e
MM		 4862 if (err)
4863 l2cap_send_disconn_req(chan->conn, chan,
4864 ECONNRESET);
218bb9df 4865 } else {
cec8ab6e
MM		 4866 const u8 rx_func_to_event[4] = {
4867 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
4868 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
4869 };
4870
4871 /* Only I-frames are expected in streaming mode */
4872 if (chan->mode == L2CAP_MODE_STREAMING)
4873 goto drop;
4874
4875 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
4876 control->reqseq, control->final, control->poll,
4877 control->super);
4878
218bb9df
GP		 4879 if (len != 0) {
4880 BT_ERR("%d", len);
8c1d787b 4881 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4882 goto drop;
4883 }
4884
cec8ab6e
MM		 4885 /* Validate F and P bits */
4886 if (control->final && (control->poll ||
4887 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
4888 goto drop;
4889
4890 event = rx_func_to_event[control->super];
4891 if (l2cap_rx(chan, control, skb, event))
4892 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 4893 }
4894
4895 return 0;
4896
4897drop:
4898 kfree_skb(skb);
4899 return 0;
4900}
4901
1da177e4
LT		 4902static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4903{
48454079 4904 struct l2cap_chan *chan;
1da177e4 4905
baa7e1fa 4906 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 4907 if (!chan) {
1da177e4 4908 BT_DBG("unknown cid 0x%4.4x", cid);
6be36555 4909 /* Drop packet and return */
3379013b 4910 kfree_skb(skb);
6be36555 4911 return 0;
1da177e4
LT		 4912 }
4913
49208c9c 4914 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4915
89bc500e 4916 if (chan->state != BT_CONNECTED)
1da177e4
LT		 4917 goto drop;
4918
0c1bc5c6 4919 switch (chan->mode) {
1c2acffb
GP		 4920 case L2CAP_MODE_BASIC:
4921 /* If socket recv buffers overflows we drop data here
4922 * which is *bad* because L2CAP has to be reliable.
4923 * But we don't have any other choice. L2CAP doesn't
4924 * provide flow control mechanism. */
1da177e4 4925
0c1bc5c6 4926 if (chan->imtu < skb->len)
1c2acffb 4927 goto drop;
1da177e4 4928
23070494 4929 if (!chan->ops->recv(chan->data, skb))
1c2acffb
GP		 4930 goto done;
4931 break;
4932
4933 case L2CAP_MODE_ERTM:
6840ed07 4934 case L2CAP_MODE_STREAMING:
cec8ab6e 4935 l2cap_data_rcv(chan, skb);
6840ed07
GP		 4936 goto done;
4937
1c2acffb 4938 default:
0c1bc5c6 4939 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 4940 break;
4941 }
1da177e4
LT		 4942
4943drop:
4944 kfree_skb(skb);
4945
4946done:
6be36555 4947 l2cap_chan_unlock(chan);
0139418c 4948
1da177e4
LT		 4949 return 0;
4950}
4951
8e036fc3 4952static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4 4953{
23691d75 4954 struct l2cap_chan *chan;
1da177e4 4955
c2287681 4956 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 4957 if (!chan)
1da177e4
LT		 4958 goto drop;
4959
5b4cedaa 4960 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 4961
89bc500e 4962 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 4963 goto drop;
4964
e13e21dc 4965 if (chan->imtu < skb->len)
1da177e4
LT		 4966 goto drop;
4967
23070494 4968 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4969 return 0;
1da177e4
LT		 4970
4971drop:
4972 kfree_skb(skb);
4973
1da177e4
LT		 4974 return 0;
4975}
4976
d9b88702
AE		 4977static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4978 struct sk_buff *skb)
9f69bda6 4979{
23691d75 4980 struct l2cap_chan *chan;
9f69bda6 4981
c2287681 4982 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 4983 if (!chan)
9f69bda6
GP		 4984 goto drop;
4985
5b4cedaa 4986 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 4987
89bc500e 4988 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 4989 goto drop;
4990
e13e21dc 4991 if (chan->imtu < skb->len)
9f69bda6
GP		 4992 goto drop;
4993
23070494 4994 if (!chan->ops->recv(chan->data, skb))
5b4cedaa 4995 return 0;
9f69bda6
GP		 4996
4997drop:
4998 kfree_skb(skb);
4999
9f69bda6
GP		 5000 return 0;
5001}
5002
1da177e4
LT		 5003static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
5004{
5005 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 5006 u16 cid, len;
5007 __le16 psm;
1da177e4
LT		 5008
5009 skb_pull(skb, L2CAP_HDR_SIZE);
5010 cid = __le16_to_cpu(lh->cid);
5011 len = __le16_to_cpu(lh->len);
5012
1c2acffb
GP		 5013 if (len != skb->len) {
5014 kfree_skb(skb);
5015 return;
5016 }
5017
1da177e4
LT		 5018 BT_DBG("len %d, cid 0x%4.4x", len, cid);
5019
5020 switch (cid) {
3300d9a9 5021 case L2CAP_CID_LE_SIGNALING:
8db4dc46 5022 case L2CAP_CID_SIGNALING:
1da177e4
LT		 5023 l2cap_sig_channel(conn, skb);
5024 break;
5025
8db4dc46 5026 case L2CAP_CID_CONN_LESS:
097db76c 5027 psm = get_unaligned((__le16 *) skb->data);
1da177e4
LT		 5028 skb_pull(skb, 2);
5029 l2cap_conless_channel(conn, psm, skb);
5030 break;
5031
9f69bda6
GP		 5032 case L2CAP_CID_LE_DATA:
5033 l2cap_att_channel(conn, cid, skb);
5034 break;
5035
b501d6a1
AB		 5036 case L2CAP_CID_SMP:
5037 if (smp_sig_channel(conn, skb))
5038 l2cap_conn_del(conn->hcon, EACCES);
5039 break;
5040
1da177e4
LT		 5041 default:
5042 l2cap_data_channel(conn, cid, skb);
5043 break;
5044 }
5045}
5046
5047/* ---- L2CAP interface with lower layer (HCI) ---- */
5048
686ebf28 5049int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 5050{
5051 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 5052 struct l2cap_chan *c;
1da177e4 5053
1da177e4
LT		 5054 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
5055
5056 /* Find listening sockets and check their link_mode */
23691d75
GP		 5057 read_lock(&chan_list_lock);
5058 list_for_each_entry(c, &chan_list, global_l) {
5059 struct sock *sk = c->sk;
4343478f 5060
89bc500e 5061 if (c->state != BT_LISTEN)
1da177e4
LT		 5062 continue;
5063
5064 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 5065 lm1 |= HCI_LM_ACCEPT;
43bd0f32 5066 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 5067 lm1 |= HCI_LM_MASTER;
1da177e4 5068 exact++;
2af6b9d5
MH		 5069 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
5070 lm2 |= HCI_LM_ACCEPT;
43bd0f32 5071 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 5072 lm2 |= HCI_LM_MASTER;
5073 }
1da177e4 5074 }
23691d75 5075 read_unlock(&chan_list_lock);
1da177e4
LT		 5076
5077 return exact ? lm1 : lm2;
5078}
5079
686ebf28 5080int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 5081{
0139418c
MH		 5082 struct l2cap_conn *conn;
5083
1da177e4
LT		 5084 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
5085
1da177e4 5086 if (!status) {
1da177e4
LT		 5087 conn = l2cap_conn_add(hcon, status);
5088 if (conn)
5089 l2cap_conn_ready(conn);
0139418c 5090 } else
e175072f 5091 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4
LT		 5092
5093 return 0;
5094}
5095
686ebf28 5096int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 5097{
5098 struct l2cap_conn *conn = hcon->l2cap_data;
5099
5100 BT_DBG("hcon %p", hcon);
5101
686ebf28 5102 if (!conn)
9f5a0d7b 5103 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 5104 return conn->disc_reason;
5105}
5106
686ebf28 5107int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 5108{
5109 BT_DBG("hcon %p reason %d", hcon, reason);
5110
e175072f 5111 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 5112 return 0;
5113}
5114
4343478f 5115static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 5116{
715ec005 5117 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 5118 return;
5119
f62e4323 5120 if (encrypt == 0x00) {
4343478f 5121 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 5122 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 5123 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 5124 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 5125 } else {
4343478f 5126 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 5127 __clear_chan_timer(chan);
f62e4323
MH		 5128 }
5129}
5130
686ebf28 5131int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 5132{
0139418c 5133 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 5134 struct l2cap_chan *chan;
1da177e4 5135
0139418c 5136 if (!conn)
1da177e4 5137 return 0;
0139418c 5138
1da177e4
LT		 5139 BT_DBG("conn %p", conn);
5140
160dc6ac 5141 if (hcon->type == LE_LINK) {
35d4adcc
HG		 5142 if (!status && encrypt)
5143 smp_distribute_keys(conn, 0);
17cd3f37 5144 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 5145 }
5146
3df91ea2 5147 mutex_lock(&conn->chan_lock);
1da177e4 5148
3df91ea2 5149 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 5150 l2cap_chan_lock(chan);
1da177e4 5151
f1cb9af5
VCG		 5152 BT_DBG("chan->scid %d", chan->scid);
5153
5154 if (chan->scid == L2CAP_CID_LE_DATA) {
5155 if (!status && encrypt) {
5156 chan->sec_level = hcon->sec_level;
cf4cd009 5157 l2cap_chan_ready(chan);
f1cb9af5
VCG		 5158 }
5159
6be36555 5160 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 5161 continue;
5162 }
5163
c1360a1c 5164 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 5165 l2cap_chan_unlock(chan);
6a8d3010
MH		 5166 continue;
5167 }
5168
89bc500e
GP		 5169 if (!status && (chan->state == BT_CONNECTED ||
5170 chan->state == BT_CONFIG)) {
a7d7723a
GP		 5171 struct sock *sk = chan->sk;
5172
c5daa683 5173 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 5174 sk->sk_state_change(sk);
5175
4343478f 5176 l2cap_check_encryption(chan, encrypt);
6be36555 5177 l2cap_chan_unlock(chan);
9719f8af
MH		 5178 continue;
5179 }
5180
89bc500e 5181 if (chan->state == BT_CONNECT) {
b1235d79 5182 if (!status) {
9b27f350 5183 l2cap_send_conn_req(chan);
b1235d79 5184 } else {
ba13ccd9 5185 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 5186 }
89bc500e 5187 } else if (chan->state == BT_CONNECT2) {
6be36555 5188 struct sock *sk = chan->sk;
b1235d79 5189 struct l2cap_conn_rsp rsp;
df3c3931 5190 __u16 res, stat;
1da177e4 5191
6be36555
AE		 5192 lock_sock(sk);
5193
b1235d79 5194 if (!status) {
c5daa683
GP		 5195 if (test_bit(BT_SK_DEFER_SETUP,
5196 &bt_sk(sk)->flags)) {
df3c3931
JH		 5197 struct sock *parent = bt_sk(sk)->parent;
5198 res = L2CAP_CR_PEND;
5199 stat = L2CAP_CS_AUTHOR_PEND;
05e9a2f6
IK		 5200 if (parent)
5201 parent->sk_data_ready(parent, 0);
df3c3931 5202 } else {
0e587be7 5203 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 5204 res = L2CAP_CR_SUCCESS;
5205 stat = L2CAP_CS_NO_INFO;
5206 }
b1235d79 5207 } else {
0e587be7 5208 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 5209 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 5210 res = L2CAP_CR_SEC_BLOCK;
5211 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 5212 }
5213
6be36555
AE		 5214 release_sock(sk);
5215
fe4128e0
GP		 5216 rsp.scid = cpu_to_le16(chan->dcid);
5217 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 5218 rsp.result = cpu_to_le16(res);
5219 rsp.status = cpu_to_le16(stat);
fc7f8a7e
GP		 5220 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
5221 sizeof(rsp), &rsp);
b1235d79 5222 }
1da177e4 5223
6be36555 5224 l2cap_chan_unlock(chan);
1da177e4
LT		 5225 }
5226
3df91ea2 5227 mutex_unlock(&conn->chan_lock);
b1235d79 5228
1da177e4
LT		 5229 return 0;
5230}
5231
686ebf28 5232int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 5233{
5234 struct l2cap_conn *conn = hcon->l2cap_data;
5235
5a08ecce
AE		 5236 if (!conn)
5237 conn = l2cap_conn_add(hcon, 0);
5238
5239 if (!conn)
1da177e4
LT		 5240 goto drop;
5241
5242 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
5243
e702112f 5244 if (!(flags & ACL_CONT)) {
1da177e4
LT		 5245 struct l2cap_hdr *hdr;
5246 int len;
5247
5248 if (conn->rx_len) {
5249 BT_ERR("Unexpected start frame (len %d)", skb->len);
5250 kfree_skb(conn->rx_skb);
5251 conn->rx_skb = NULL;
5252 conn->rx_len = 0;
5253 l2cap_conn_unreliable(conn, ECOMM);
5254 }
5255
aae7fe22
AE		 5256 /* Start fragment always begin with Basic L2CAP header */
5257 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 5258 BT_ERR("Frame is too short (len %d)", skb->len);
5259 l2cap_conn_unreliable(conn, ECOMM);
5260 goto drop;
5261 }
5262
5263 hdr = (struct l2cap_hdr *) skb->data;
5264 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5265
5266 if (len == skb->len) {
5267 /* Complete frame received */
5268 l2cap_recv_frame(conn, skb);
5269 return 0;
5270 }
5271
5272 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5273
5274 if (skb->len > len) {
5275 BT_ERR("Frame is too long (len %d, expected len %d)",
5276 skb->len, len);
5277 l2cap_conn_unreliable(conn, ECOMM);
5278 goto drop;
5279 }
5280
5281 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 5282 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5283 if (!conn->rx_skb)
1da177e4
LT		 5284 goto drop;
5285
d626f62b 5286 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5287 skb->len);
1da177e4
LT		 5288 conn->rx_len = len - skb->len;
5289 } else {
5290 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5291
5292 if (!conn->rx_len) {
5293 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5294 l2cap_conn_unreliable(conn, ECOMM);
5295 goto drop;
5296 }
5297
5298 if (skb->len > conn->rx_len) {
5299 BT_ERR("Fragment is too long (len %d, expected %d)",
5300 skb->len, conn->rx_len);
5301 kfree_skb(conn->rx_skb);
5302 conn->rx_skb = NULL;
5303 conn->rx_len = 0;
5304 l2cap_conn_unreliable(conn, ECOMM);
5305 goto drop;
5306 }
5307
d626f62b 5308 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 5309 skb->len);
1da177e4
LT		 5310 conn->rx_len -= skb->len;
5311
5312 if (!conn->rx_len) {
5313 /* Complete frame received */
5314 l2cap_recv_frame(conn, conn->rx_skb);
5315 conn->rx_skb = NULL;
5316 }
5317 }
5318
5319drop:
5320 kfree_skb(skb);
5321 return 0;
5322}
5323
aef7d97c 5324static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 5325{
23691d75 5326 struct l2cap_chan *c;
1da177e4 5327
333055f2 5328 read_lock(&chan_list_lock);
1da177e4 5329
23691d75
GP		 5330 list_for_each_entry(c, &chan_list, global_l) {
5331 struct sock *sk = c->sk;
101545f6 5332
903d343e 5333 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
aef7d97c
MH		 5334 batostr(&bt_sk(sk)->src),
5335 batostr(&bt_sk(sk)->dst),
89bc500e 5336 c->state, __le16_to_cpu(c->psm),
23691d75
GP		 5337 c->scid, c->dcid, c->imtu, c->omtu,
5338 c->sec_level, c->mode);
61e1b4b7 5339 }
1da177e4 5340
333055f2 5341 read_unlock(&chan_list_lock);
1da177e4 5342
aef7d97c 5343 return 0;
1da177e4
LT		 5344}
5345
aef7d97c
MH		 5346static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5347{
5348 return single_open(file, l2cap_debugfs_show, inode->i_private);
5349}
5350
5351static const struct file_operations l2cap_debugfs_fops = {
5352 .open = l2cap_debugfs_open,
5353 .read = seq_read,
5354 .llseek = seq_lseek,
5355 .release = single_release,
5356};
5357
5358static struct dentry *l2cap_debugfs;
1da177e4 5359
64274518 5360int __init l2cap_init(void)
1da177e4
LT		 5361{
5362 int err;
be9d1227 5363
bb58f747 5364 err = l2cap_init_sockets();
1da177e4
LT		 5365 if (err < 0)
5366 return err;
5367
aef7d97c
MH		 5368 if (bt_debugfs) {
5369 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5370 bt_debugfs, NULL, &l2cap_debugfs_fops);
5371 if (!l2cap_debugfs)
5372 BT_ERR("Failed to create L2CAP debug file");
5373 }
1da177e4 5374
1da177e4 5375 return 0;
1da177e4
LT		 5376}
5377
64274518 5378void l2cap_exit(void)
1da177e4 5379{
aef7d97c 5380 debugfs_remove(l2cap_debugfs);
bb58f747 5381 l2cap_cleanup_sockets();
1da177e4
LT		 5382}
5383
d1c4a17d
GP		 5384module_param(disable_ertm, bool, 0644);
5385MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)