projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
arp: fix possible crash in arp_rcv()
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 509 } else {
510 /* Alloc CID for connection-oriented socket */
fe4128e0 511 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 512 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 513 }
5491120e
AE		 514 break;
515
516 case L2CAP_CHAN_CONN_LESS:
0139418c 517 /* Connectionless socket */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 521 break;
522
416fa752
AE		 523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
528 break;
529
5491120e 530 default:
0139418c 531 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 534 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 535 }
536
8f7975b1
AE		 537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 543
371fd835 544 l2cap_chan_hold(chan);
baa7e1fa 545
3df91ea2 546 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 547}
548
466f8004 549void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 550{
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
3df91ea2 553 mutex_unlock(&conn->chan_lock);
0139418c
MH		 554}
555
466f8004 556void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 557{
8c1d787b 558 struct l2cap_conn *conn = chan->conn;
0139418c 559
c9b66675 560 __clear_chan_timer(chan);
0139418c 561
49208c9c 562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 563
8e87d142 564 if (conn) {
56f60984 565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 566 /* Delete from channel list */
3df91ea2 567 list_del(&chan->list);
3d57dc68 568
371fd835 569 l2cap_chan_put(chan);
baa7e1fa 570
8c1d787b 571 chan->conn = NULL;
3cabbfda
AE		 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon);
56f60984
AE		 575
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
0139418c
MH		 578 }
579
419e08c1
AE		 580 if (chan->hs_hchan) {
581 struct hci_chan *hs_hchan = chan->hs_hchan;
582
583 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
584 amp_disconnect_logical_link(hs_hchan);
585 }
586
b699ec0d 587 chan->ops->teardown(chan, err);
6be36555 588
2827011f 589 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 590 return;
2ead70b8 591
ee556f66
GP		 592 switch(chan->mode) {
593 case L2CAP_MODE_BASIC:
594 break;
c13ffa62 595
ee556f66 596 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 597 __clear_retrans_timer(chan);
598 __clear_monitor_timer(chan);
599 __clear_ack_timer(chan);
c13ffa62 600
f1c6775b 601 skb_queue_purge(&chan->srej_q);
c13ffa62 602
3c588192
MM		 603 l2cap_seq_list_free(&chan->srej_list);
604 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 605
606 /* fall through */
607
608 case L2CAP_MODE_STREAMING:
609 skb_queue_purge(&chan->tx_q);
610 break;
c13ffa62 611 }
ee556f66
GP		 612
613 return;
0139418c
MH		 614}
615
0f852724 616void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 617{
618 struct l2cap_conn *conn = chan->conn;
619 struct sock *sk = chan->sk;
620
2d792818
GP		 621 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
622 sk);
4519de9a 623
89bc500e 624 switch (chan->state) {
4519de9a 625 case BT_LISTEN:
b699ec0d 626 chan->ops->teardown(chan, 0);
4519de9a
GP		 627 break;
628
629 case BT_CONNECTED:
630 case BT_CONFIG:
715ec005 631 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 632 conn->hcon->type == ACL_LINK) {
c9b66675 633 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 634 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 635 } else
636 l2cap_chan_del(chan, reason);
637 break;
638
639 case BT_CONNECT2:
715ec005 640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 641 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 642 struct l2cap_conn_rsp rsp;
643 __u16 result;
644
c5daa683 645 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 646 result = L2CAP_CR_SEC_BLOCK;
647 else
648 result = L2CAP_CR_BAD_PSM;
89bc500e 649 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 650
651 rsp.scid = cpu_to_le16(chan->dcid);
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.result = cpu_to_le16(result);
ac73498c 654 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 655 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 656 sizeof(rsp), &rsp);
4519de9a
GP		 657 }
658
659 l2cap_chan_del(chan, reason);
660 break;
661
662 case BT_CONNECT:
663 case BT_DISCONN:
664 l2cap_chan_del(chan, reason);
665 break;
666
667 default:
b699ec0d 668 chan->ops->teardown(chan, 0);
4519de9a
GP		 669 break;
670 }
671}
672
4343478f 673static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 674{
715ec005 675 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 676 switch (chan->sec_level) {
8556edd3
JH		 677 case BT_SECURITY_HIGH:
678 return HCI_AT_DEDICATED_BONDING_MITM;
679 case BT_SECURITY_MEDIUM:
680 return HCI_AT_DEDICATED_BONDING;
681 default:
682 return HCI_AT_NO_BONDING;
683 }
2983fd68 684 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 685 if (chan->sec_level == BT_SECURITY_LOW)
686 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 687
4343478f 688 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 689 return HCI_AT_NO_BONDING_MITM;
00ae4af9 690 else
8556edd3 691 return HCI_AT_NO_BONDING;
00ae4af9 692 } else {
4343478f 693 switch (chan->sec_level) {
00ae4af9 694 case BT_SECURITY_HIGH:
8556edd3 695 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 696 case BT_SECURITY_MEDIUM:
8556edd3 697 return HCI_AT_GENERAL_BONDING;
00ae4af9 698 default:
8556edd3 699 return HCI_AT_NO_BONDING;
00ae4af9 700 }
0684e5f9 701 }
8556edd3
JH		 702}
703
704/* Service level security */
d45fc423 705int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 706{
8c1d787b 707 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 708 __u8 auth_type;
709
4343478f 710 auth_type = l2cap_get_auth_type(chan);
79d554a6 711
4343478f 712 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 713}
714
b5ad8b7f 715static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 716{
717 u8 id;
718
719 /* Get next available identificator.
720 * 1 - 128 are used by kernel.
721 * 129 - 199 are reserved.
722 * 200 - 254 are used by utilities like l2ping, etc.
723 */
724
333055f2 725 spin_lock(&conn->lock);
4e8402a3
MH		 726
727 if (++conn->tx_ident > 128)
728 conn->tx_ident = 1;
729
730 id = conn->tx_ident;
731
333055f2 732 spin_unlock(&conn->lock);
4e8402a3
MH		 733
734 return id;
735}
736
2d792818
GP		 737static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
738 void *data)
4e8402a3
MH		 739{
740 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 741 u8 flags;
4e8402a3
MH		 742
743 BT_DBG("code 0x%2.2x", code);
744
745 if (!skb)
9a9c6a34 746 return;
4e8402a3 747
e702112f
AE		 748 if (lmp_no_flush_capable(conn->hcon->hdev))
749 flags = ACL_START_NO_FLUSH;
750 else
751 flags = ACL_START;
752
14b12d0b 753 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 754 skb->priority = HCI_PRIO_MAX;
14b12d0b 755
73d80deb
LAD		 756 hci_send_acl(conn->hchan, skb, flags);
757}
758
02b0fbb9
MM		 759static bool __chan_is_moving(struct l2cap_chan *chan)
760{
761 return chan->move_state != L2CAP_MOVE_STABLE &&
762 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
763}
764
73d80deb
LAD		 765static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
766{
767 struct hci_conn *hcon = chan->conn->hcon;
768 u16 flags;
769
770 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 771 skb->priority);
73d80deb 772
d5f8a75d
MM		 773 if (chan->hs_hcon && !__chan_is_moving(chan)) {
774 if (chan->hs_hchan)
775 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
776 else
777 kfree_skb(skb);
778
779 return;
780 }
781
73d80deb 782 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 783 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 784 flags = ACL_START_NO_FLUSH;
785 else
786 flags = ACL_START;
14b12d0b 787
73d80deb
LAD		 788 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
789 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 790}
791
b76bbd66
MM		 792static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
793{
794 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
795 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
796
797 if (enh & L2CAP_CTRL_FRAME_TYPE) {
798 /* S-Frame */
799 control->sframe = 1;
800 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
801 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
802
803 control->sar = 0;
804 control->txseq = 0;
805 } else {
806 /* I-Frame */
807 control->sframe = 0;
808 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
809 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
810
811 control->poll = 0;
812 control->super = 0;
813 }
814}
815
b76bbd66
MM		 816static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
817{
818 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
819 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
820
821 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
822 /* S-Frame */
823 control->sframe = 1;
824 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
825 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
826
827 control->sar = 0;
828 control->txseq = 0;
829 } else {
830 /* I-Frame */
831 control->sframe = 0;
832 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
833 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
834
835 control->poll = 0;
836 control->super = 0;
837 }
838}
839
840static inline void __unpack_control(struct l2cap_chan *chan,
841 struct sk_buff *skb)
842{
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
844 __unpack_extended_control(get_unaligned_le32(skb->data),
845 &bt_cb(skb)->control);
cec8ab6e 846 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 847 } else {
848 __unpack_enhanced_control(get_unaligned_le16(skb->data),
849 &bt_cb(skb)->control);
cec8ab6e 850 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 851 }
852}
853
b5c6aaed
MM		 854static u32 __pack_extended_control(struct l2cap_ctrl *control)
855{
856 u32 packed;
857
858 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
859 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
860
861 if (control->sframe) {
862 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
863 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
864 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
865 } else {
866 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
867 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
868 }
869
870 return packed;
871}
872
873static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
874{
875 u16 packed;
876
877 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
879
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_CTRL_FRAME_TYPE;
884 } else {
885 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
887 }
888
889 return packed;
890}
891
b76bbd66
MM		 892static inline void __pack_control(struct l2cap_chan *chan,
893 struct l2cap_ctrl *control,
894 struct sk_buff *skb)
895{
896 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
897 put_unaligned_le32(__pack_extended_control(control),
898 skb->data + L2CAP_HDR_SIZE);
899 } else {
900 put_unaligned_le16(__pack_enhanced_control(control),
901 skb->data + L2CAP_HDR_SIZE);
902 }
903}
904
ba7aa64f
GP		 905static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
906{
907 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
908 return L2CAP_EXT_HDR_SIZE;
909 else
910 return L2CAP_ENH_HDR_SIZE;
911}
912
a67d7f6f
MM		 913static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
914 u32 control)
b5c6aaed
MM		 915{
916 struct sk_buff *skb;
917 struct l2cap_hdr *lh;
ba7aa64f 918 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 919
920 if (chan->fcs == L2CAP_FCS_CRC16)
921 hlen += L2CAP_FCS_SIZE;
922
a67d7f6f 923 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 924
b5c6aaed 925 if (!skb)
a67d7f6f 926 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 927
928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
929 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
930 lh->cid = cpu_to_le16(chan->dcid);
931
a67d7f6f
MM		 932 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
933 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
934 else
935 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 936
937 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 938 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 939 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
940 }
941
942 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 943 return skb;
944}
945
946static void l2cap_send_sframe(struct l2cap_chan *chan,
947 struct l2cap_ctrl *control)
948{
949 struct sk_buff *skb;
950 u32 control_field;
951
952 BT_DBG("chan %p, control %p", chan, control);
953
954 if (!control->sframe)
955 return;
956
b99e13ad
MM		 957 if (__chan_is_moving(chan))
958 return;
959
a67d7f6f
MM		 960 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
961 !control->poll)
962 control->final = 1;
963
964 if (control->super == L2CAP_SUPER_RR)
965 clear_bit(CONN_RNR_SENT, &chan->conn_state);
966 else if (control->super == L2CAP_SUPER_RNR)
967 set_bit(CONN_RNR_SENT, &chan->conn_state);
968
969 if (control->super != L2CAP_SUPER_SREJ) {
970 chan->last_acked_seq = control->reqseq;
971 __clear_ack_timer(chan);
972 }
973
974 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
975 control->final, control->poll, control->super);
976
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
978 control_field = __pack_extended_control(control);
979 else
980 control_field = __pack_enhanced_control(control);
981
982 skb = l2cap_create_sframe_pdu(chan, control_field);
983 if (!IS_ERR(skb))
984 l2cap_do_send(chan, skb);
b5c6aaed
MM		 985}
986
c9e3d5e0 987static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 988{
c9e3d5e0
MM		 989 struct l2cap_ctrl control;
990
991 BT_DBG("chan %p, poll %d", chan, poll);
992
993 memset(&control, 0, sizeof(control));
994 control.sframe = 1;
995 control.poll = poll;
996
997 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
998 control.super = L2CAP_SUPER_RNR;
999 else
1000 control.super = L2CAP_SUPER_RR;
b5c6aaed 1001
c9e3d5e0
MM		 1002 control.reqseq = chan->buffer_seq;
1003 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1004}
1005
b4450035 1006static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1007{
c1360a1c 1008 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1009}
1010
93c3e8f5
AE		 1011static bool __amp_capable(struct l2cap_chan *chan)
1012{
1013 struct l2cap_conn *conn = chan->conn;
1014
1015 if (enable_hs &&
5d05416e 1016 hci_amp_capable() &&
93c3e8f5
AE		 1017 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1018 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1019 return true;
1020 else
1021 return false;
1022}
1023
5ce66b59
AE		 1024static bool l2cap_check_efs(struct l2cap_chan *chan)
1025{
1026 /* Check EFS parameters */
1027 return true;
1028}
1029
2766be48 1030void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1031{
1032 struct l2cap_conn *conn = chan->conn;
1033 struct l2cap_conn_req req;
1034
1035 req.scid = cpu_to_le16(chan->scid);
1036 req.psm = chan->psm;
1037
1038 chan->ident = l2cap_get_ident(conn);
1039
1040 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1041
1042 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1043}
1044
8eb200bd
MM		 1045static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1046{
1047 struct l2cap_create_chan_req req;
1048 req.scid = cpu_to_le16(chan->scid);
1049 req.psm = chan->psm;
1050 req.amp_id = amp_id;
1051
1052 chan->ident = l2cap_get_ident(chan->conn);
1053
1054 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1055 sizeof(req), &req);
1056}
1057
02b0fbb9
MM		 1058static void l2cap_move_setup(struct l2cap_chan *chan)
1059{
1060 struct sk_buff *skb;
1061
1062 BT_DBG("chan %p", chan);
1063
1064 if (chan->mode != L2CAP_MODE_ERTM)
1065 return;
1066
1067 __clear_retrans_timer(chan);
1068 __clear_monitor_timer(chan);
1069 __clear_ack_timer(chan);
1070
1071 chan->retry_count = 0;
1072 skb_queue_walk(&chan->tx_q, skb) {
1073 if (bt_cb(skb)->control.retries)
1074 bt_cb(skb)->control.retries = 1;
1075 else
1076 break;
1077 }
1078
1079 chan->expected_tx_seq = chan->buffer_seq;
1080
1081 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1082 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1083 l2cap_seq_list_clear(&chan->retrans_list);
1084 l2cap_seq_list_clear(&chan->srej_list);
1085 skb_queue_purge(&chan->srej_q);
1086
1087 chan->tx_state = L2CAP_TX_STATE_XMIT;
1088 chan->rx_state = L2CAP_RX_STATE_MOVE;
1089
1090 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1091}
1092
5f3847a4
MM		 1093static void l2cap_move_done(struct l2cap_chan *chan)
1094{
1095 u8 move_role = chan->move_role;
1096 BT_DBG("chan %p", chan);
1097
1098 chan->move_state = L2CAP_MOVE_STABLE;
1099 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1100
1101 if (chan->mode != L2CAP_MODE_ERTM)
1102 return;
1103
1104 switch (move_role) {
1105 case L2CAP_MOVE_ROLE_INITIATOR:
1106 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1107 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1108 break;
1109 case L2CAP_MOVE_ROLE_RESPONDER:
1110 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1111 break;
1112 }
1113}
1114
9f0caeb1
VCG		 1115static void l2cap_chan_ready(struct l2cap_chan *chan)
1116{
2827011f 1117 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1118 chan->conf_state = 0;
1119 __clear_chan_timer(chan);
1120
54a59aa2 1121 chan->state = BT_CONNECTED;
9f0caeb1 1122
fd83e2c2 1123 chan->ops->ready(chan);
9f0caeb1
VCG		 1124}
1125
93c3e8f5
AE		 1126static void l2cap_start_connection(struct l2cap_chan *chan)
1127{
1128 if (__amp_capable(chan)) {
1129 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1130 a2mp_discover_amp(chan);
1131 } else {
1132 l2cap_send_conn_req(chan);
1133 }
1134}
1135
fc7f8a7e 1136static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1137{
8c1d787b 1138 struct l2cap_conn *conn = chan->conn;
79d554a6 1139
9f0caeb1
VCG		 1140 if (conn->hcon->type == LE_LINK) {
1141 l2cap_chan_ready(chan);
1142 return;
1143 }
1144
79d554a6 1145 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1146 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1147 return;
1148
d45fc423 1149 if (l2cap_chan_check_security(chan) &&
2d792818 1150 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1151 l2cap_start_connection(chan);
1152 }
79d554a6
MH		 1153 } else {
1154 struct l2cap_info_req req;
ac73498c 1155 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1156
1157 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1158 conn->info_ident = l2cap_get_ident(conn);
1159
ba13ccd9 1160 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1161
2d792818
GP		 1162 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1163 sizeof(req), &req);
79d554a6
MH		 1164 }
1165}
1166
cf6c2c0b
GP		 1167static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1168{
1169 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1170 if (!disable_ertm)
cf6c2c0b
GP		 1171 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1172
1173 switch (mode) {
1174 case L2CAP_MODE_ERTM:
1175 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1176 case L2CAP_MODE_STREAMING:
1177 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1178 default:
1179 return 0x00;
1180 }
1181}
1182
5e4e3972 1183static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1184{
6be36555 1185 struct sock *sk = chan->sk;
5e4e3972 1186 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1187 struct l2cap_disconn_req req;
1188
c13ffa62
GP		 1189 if (!conn)
1190 return;
1191
aad3d0e3 1192 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1193 __clear_retrans_timer(chan);
1194 __clear_monitor_timer(chan);
1195 __clear_ack_timer(chan);
c13ffa62
GP		 1196 }
1197
416fa752 1198 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1199 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1200 return;
1201 }
1202
fe4128e0
GP		 1203 req.dcid = cpu_to_le16(chan->dcid);
1204 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1205 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1206 sizeof(req), &req);
c13ffa62 1207
6be36555 1208 lock_sock(sk);
0e587be7 1209 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1210 __l2cap_chan_set_err(chan, err);
6be36555 1211 release_sock(sk);
22121fc9
GP		 1212}
1213
1da177e4 1214/* ---- L2CAP connections ---- */
4e8402a3
MH		 1215static void l2cap_conn_start(struct l2cap_conn *conn)
1216{
3df91ea2 1217 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1218
1219 BT_DBG("conn %p", conn);
1220
3df91ea2 1221 mutex_lock(&conn->chan_lock);
4e8402a3 1222
3df91ea2 1223 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1224 struct sock *sk = chan->sk;
baa7e1fa 1225
6be36555 1226 l2cap_chan_lock(chan);
4e8402a3 1227
715ec005 1228 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1229 l2cap_chan_unlock(chan);
79d554a6
MH		 1230 continue;
1231 }
1232
89bc500e 1233 if (chan->state == BT_CONNECT) {
d45fc423 1234 if (!l2cap_chan_check_security(chan) ||
2d792818 1235 !__l2cap_no_conn_pending(chan)) {
6be36555 1236 l2cap_chan_unlock(chan);
47731de7
GP		 1237 continue;
1238 }
79d554a6 1239
c1360a1c 1240 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1241 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1242 &chan->conf_state)) {
89bc500e 1243 l2cap_chan_close(chan, ECONNRESET);
6be36555 1244 l2cap_chan_unlock(chan);
47731de7 1245 continue;
b1235d79 1246 }
47731de7 1247
93c3e8f5 1248 l2cap_start_connection(chan);
47731de7 1249
89bc500e 1250 } else if (chan->state == BT_CONNECT2) {
79d554a6 1251 struct l2cap_conn_rsp rsp;
e9aeb2dd 1252 char buf[128];
fe4128e0
GP		 1253 rsp.scid = cpu_to_le16(chan->dcid);
1254 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1255
d45fc423 1256 if (l2cap_chan_check_security(chan)) {
6be36555 1257 lock_sock(sk);
c5daa683
GP		 1258 if (test_bit(BT_SK_DEFER_SETUP,
1259 &bt_sk(sk)->flags)) {
ac73498c
AE		 1260 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1261 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1262 chan->ops->defer(chan);
f66dc81f
MH		 1263
1264 } else {
0e587be7 1265 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1266 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1267 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1268 }
6be36555 1269 release_sock(sk);
79d554a6 1270 } else {
ac73498c
AE		 1271 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1272 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1273 }
1274
fc7f8a7e 1275 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1276 sizeof(rsp), &rsp);
e9aeb2dd 1277
c1360a1c 1278 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1279 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1280 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1281 continue;
1282 }
1283
c1360a1c 1284 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1285 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1286 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1287 chan->num_conf_req++;
4e8402a3
MH		 1288 }
1289
6be36555 1290 l2cap_chan_unlock(chan);
4e8402a3
MH		 1291 }
1292
3df91ea2 1293 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1294}
1295
c2287681 1296/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1297 * Returns closest match, locked.
1298 */
d9b88702 1299static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1300 bdaddr_t *src,
1301 bdaddr_t *dst)
b62f328b 1302{
23691d75 1303 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1304
23691d75 1305 read_lock(&chan_list_lock);
b62f328b 1306
23691d75
GP		 1307 list_for_each_entry(c, &chan_list, global_l) {
1308 struct sock *sk = c->sk;
fe4128e0 1309
89bc500e 1310 if (state && c->state != state)
b62f328b
VT		 1311 continue;
1312
23691d75 1313 if (c->scid == cid) {
c2287681
IY		 1314 int src_match, dst_match;
1315 int src_any, dst_any;
1316
b62f328b 1317 /* Exact match. */
c2287681
IY		 1318 src_match = !bacmp(&bt_sk(sk)->src, src);
1319 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1320 if (src_match && dst_match) {
23691d75
GP		 1321 read_unlock(&chan_list_lock);
1322 return c;
1323 }
b62f328b
VT		 1324
1325 /* Closest match */
c2287681
IY		 1326 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1327 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1328 if ((src_match && dst_any) || (src_any && dst_match) ||
1329 (src_any && dst_any))
23691d75 1330 c1 = c;
b62f328b
VT		 1331 }
1332 }
280f294f 1333
23691d75 1334 read_unlock(&chan_list_lock);
b62f328b 1335
23691d75 1336 return c1;
b62f328b
VT		 1337}
1338
1339static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1340{
c916fbe4 1341 struct sock *parent, *sk;
23691d75 1342 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1343
1344 BT_DBG("");
1345
1346 /* Check if we have socket listening on cid */
23691d75 1347 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1348 conn->src, conn->dst);
23691d75 1349 if (!pchan)
b62f328b
VT		 1350 return;
1351
23691d75
GP		 1352 parent = pchan->sk;
1353
aa2ac881 1354 lock_sock(parent);
62f3a2cf 1355
80b98027 1356 chan = pchan->ops->new_connection(pchan);
80808e43 1357 if (!chan)
b62f328b
VT		 1358 goto clean;
1359
80808e43 1360 sk = chan->sk;
5d41ce1d 1361
b62f328b 1362 hci_conn_hold(conn->hcon);
a9ea3ed9 1363 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1364
b62f328b
VT		 1365 bacpy(&bt_sk(sk)->src, conn->src);
1366 bacpy(&bt_sk(sk)->dst, conn->dst);
1367
3d57dc68 1368 l2cap_chan_add(conn, chan);
48454079 1369
6754e0df 1370 l2cap_chan_ready(chan);
b62f328b 1371
b62f328b 1372clean:
aa2ac881 1373 release_sock(parent);
b62f328b
VT		 1374}
1375
4e8402a3
MH		 1376static void l2cap_conn_ready(struct l2cap_conn *conn)
1377{
48454079 1378 struct l2cap_chan *chan;
cc110922 1379 struct hci_conn *hcon = conn->hcon;
4e8402a3 1380
79d554a6 1381 BT_DBG("conn %p", conn);
4e8402a3 1382
cc110922 1383 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1384 l2cap_le_conn_ready(conn);
1385
cc110922
VCG		 1386 if (hcon->out && hcon->type == LE_LINK)
1387 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1388
3df91ea2 1389 mutex_lock(&conn->chan_lock);
4e8402a3 1390
3df91ea2 1391 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1392
6be36555 1393 l2cap_chan_lock(chan);
4e8402a3 1394
416fa752
AE		 1395 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1396 l2cap_chan_unlock(chan);
1397 continue;
1398 }
1399
cc110922
VCG		 1400 if (hcon->type == LE_LINK) {
1401 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1402 l2cap_chan_ready(chan);
acd7d370 1403
63128451 1404 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1405 struct sock *sk = chan->sk;
c9b66675 1406 __clear_chan_timer(chan);
6be36555 1407 lock_sock(sk);
0e587be7 1408 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1409 sk->sk_state_change(sk);
6be36555 1410 release_sock(sk);
b501d6a1 1411
89bc500e 1412 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1413 l2cap_do_start(chan);
4e8402a3 1414
6be36555 1415 l2cap_chan_unlock(chan);
4e8402a3 1416 }
79d554a6 1417
3df91ea2 1418 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1419}
1420
1421/* Notify sockets that we cannot guaranty reliability anymore */
1422static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1423{
48454079 1424 struct l2cap_chan *chan;
4e8402a3
MH		 1425
1426 BT_DBG("conn %p", conn);
1427
3df91ea2 1428 mutex_lock(&conn->chan_lock);
4e8402a3 1429
3df91ea2 1430 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1431 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1432 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1433 }
1434
3df91ea2 1435 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1436}
1437
f878fcad 1438static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1439{
f878fcad 1440 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1441 info_timer.work);
4e8402a3 1442
984947dc 1443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1444 conn->info_ident = 0;
984947dc 1445
4e8402a3
MH		 1446 l2cap_conn_start(conn);
1447}
1448
5d3de7df
VCG		 1449static void l2cap_conn_del(struct hci_conn *hcon, int err)
1450{
1451 struct l2cap_conn *conn = hcon->l2cap_data;
1452 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1453
1454 if (!conn)
1455 return;
1456
1457 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1458
1459 kfree_skb(conn->rx_skb);
1460
3df91ea2
AE		 1461 mutex_lock(&conn->chan_lock);
1462
5d3de7df
VCG		 1463 /* Kill channels */
1464 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1465 l2cap_chan_hold(chan);
6be36555
AE		 1466 l2cap_chan_lock(chan);
1467
5d3de7df 1468 l2cap_chan_del(chan, err);
6be36555
AE		 1469
1470 l2cap_chan_unlock(chan);
1471
80b98027 1472 chan->ops->close(chan);
61d6ef3e 1473 l2cap_chan_put(chan);
5d3de7df
VCG		 1474 }
1475
3df91ea2
AE		 1476 mutex_unlock(&conn->chan_lock);
1477
73d80deb
LAD		 1478 hci_chan_del(conn->hchan);
1479
5d3de7df 1480 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1481 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1482
51a8efd7 1483 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1484 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1485 smp_chan_destroy(conn);
d26a2345 1486 }
5d3de7df
VCG		 1487
1488 hcon->l2cap_data = NULL;
1489 kfree(conn);
1490}
1491
6c9d42a1 1492static void security_timeout(struct work_struct *work)
5d3de7df 1493{
6c9d42a1 1494 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1495 security_timer.work);
5d3de7df 1496
d06cc416
JH		 1497 BT_DBG("conn %p", conn);
1498
1499 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1500 smp_chan_destroy(conn);
1501 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1502 }
5d3de7df
VCG		 1503}
1504
1da177e4
LT		 1505static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1506{
0139418c 1507 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1508 struct hci_chan *hchan;
1da177e4 1509
0139418c 1510 if (conn || status)
1da177e4
LT		 1511 return conn;
1512
73d80deb
LAD		 1513 hchan = hci_chan_create(hcon);
1514 if (!hchan)
1515 return NULL;
1516
8bcde1f2 1517 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1518 if (!conn) {
1519 hci_chan_del(hchan);
1da177e4 1520 return NULL;
73d80deb 1521 }
1da177e4
LT		 1522
1523 hcon->l2cap_data = conn;
1524 conn->hcon = hcon;
73d80deb 1525 conn->hchan = hchan;
1da177e4 1526
73d80deb 1527 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1528
dcc042d5
AE		 1529 switch (hcon->type) {
1530 case AMP_LINK:
1531 conn->mtu = hcon->hdev->block_mtu;
1532 break;
1533
1534 case LE_LINK:
1535 if (hcon->hdev->le_mtu) {
1536 conn->mtu = hcon->hdev->le_mtu;
1537 break;
1538 }
1539 /* fall through */
1540
1541 default:
acd7d370 1542 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1543 break;
1544 }
acd7d370 1545
1da177e4
LT		 1546 conn->src = &hcon->hdev->bdaddr;
1547 conn->dst = &hcon->dst;
1548
4e8402a3
MH		 1549 conn->feat_mask = 0;
1550
1da177e4 1551 spin_lock_init(&conn->lock);
3df91ea2 1552 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1553
1554 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1555
5d3de7df 1556 if (hcon->type == LE_LINK)
6c9d42a1 1557 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1558 else
030013d8 1559 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1560
9f5a0d7b 1561 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1562
1da177e4
LT		 1563 return conn;
1564}
1565
1da177e4 1566/* ---- Socket interface ---- */
1da177e4 1567
c2287681 1568/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1569 * Returns closest match.
1570 */
c2287681
IY		 1571static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1572 bdaddr_t *src,
1573 bdaddr_t *dst)
1da177e4 1574{
23691d75 1575 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1576
23691d75 1577 read_lock(&chan_list_lock);
e0f0cb56 1578
23691d75
GP		 1579 list_for_each_entry(c, &chan_list, global_l) {
1580 struct sock *sk = c->sk;
fe4128e0 1581
89bc500e 1582 if (state && c->state != state)
1da177e4
LT		 1583 continue;
1584
23691d75 1585 if (c->psm == psm) {
c2287681
IY		 1586 int src_match, dst_match;
1587 int src_any, dst_any;
1588
1da177e4 1589 /* Exact match. */
c2287681
IY		 1590 src_match = !bacmp(&bt_sk(sk)->src, src);
1591 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1592 if (src_match && dst_match) {
a7567b20 1593 read_unlock(&chan_list_lock);
23691d75
GP		 1594 return c;
1595 }
1da177e4
LT		 1596
1597 /* Closest match */
c2287681
IY		 1598 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1599 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1600 if ((src_match && dst_any) || (src_any && dst_match) ||
1601 (src_any && dst_any))
23691d75 1602 c1 = c;
1da177e4
LT		 1603 }
1604 }
1da177e4 1605
23691d75 1606 read_unlock(&chan_list_lock);
e0f0cb56 1607
23691d75 1608 return c1;
1da177e4
LT		 1609}
1610
8e9f9892
AG		 1611int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1612 bdaddr_t *dst, u8 dst_type)
1da177e4 1613{
5d41ce1d 1614 struct sock *sk = chan->sk;
1da177e4 1615 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1616 struct l2cap_conn *conn;
1617 struct hci_conn *hcon;
1618 struct hci_dev *hdev;
09ab6f4c 1619 __u8 auth_type;
44d0e48e 1620 int err;
1da177e4 1621
6ed93dc6 1622 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1623 dst_type, __le16_to_cpu(psm));
1da177e4 1624
af05b30b
GP		 1625 hdev = hci_get_route(dst, src);
1626 if (!hdev)
1da177e4
LT		 1627 return -EHOSTUNREACH;
1628
09fd0de5 1629 hci_dev_lock(hdev);
1da177e4 1630
6be36555 1631 l2cap_chan_lock(chan);
03a00194
GP		 1632
1633 /* PSM must be odd and lsb of upper byte must be 0 */
1634 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1635 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1636 err = -EINVAL;
1637 goto done;
1638 }
1639
1640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1641 err = -EINVAL;
1642 goto done;
1643 }
1644
1645 switch (chan->mode) {
1646 case L2CAP_MODE_BASIC:
1647 break;
1648 case L2CAP_MODE_ERTM:
1649 case L2CAP_MODE_STREAMING:
1650 if (!disable_ertm)
1651 break;
1652 /* fall through */
1653 default:
1654 err = -ENOTSUPP;
1655 goto done;
1656 }
1657
0797e01d 1658 switch (chan->state) {
03a00194
GP		 1659 case BT_CONNECT:
1660 case BT_CONNECT2:
1661 case BT_CONFIG:
1662 /* Already connecting */
1663 err = 0;
1664 goto done;
1665
1666 case BT_CONNECTED:
1667 /* Already connected */
1668 err = -EISCONN;
1669 goto done;
1670
1671 case BT_OPEN:
1672 case BT_BOUND:
1673 /* Can connect */
1674 break;
1675
1676 default:
1677 err = -EBADFD;
1678 goto done;
1679 }
1680
1681 /* Set destination address and psm */
0797e01d 1682 lock_sock(sk);
9219b2a0 1683 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1684 release_sock(sk);
1685
03a00194
GP		 1686 chan->psm = psm;
1687 chan->dcid = cid;
1da177e4 1688
4343478f 1689 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1690
fe4128e0 1691 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1692 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1693 chan->sec_level, auth_type);
acd7d370 1694 else
8e9f9892 1695 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1696 chan->sec_level, auth_type);
acd7d370 1697
30e76272
VT		 1698 if (IS_ERR(hcon)) {
1699 err = PTR_ERR(hcon);
1da177e4 1700 goto done;
30e76272 1701 }
1da177e4
LT		 1702
1703 conn = l2cap_conn_add(hcon, 0);
1704 if (!conn) {
1705 hci_conn_put(hcon);
30e76272 1706 err = -ENOMEM;
1da177e4
LT		 1707 goto done;
1708 }
1709
9f0caeb1
VCG		 1710 if (hcon->type == LE_LINK) {
1711 err = 0;
1712
1713 if (!list_empty(&conn->chan_l)) {
1714 err = -EBUSY;
1715 hci_conn_put(hcon);
1716 }
1717
1718 if (err)
1719 goto done;
1720 }
1721
1da177e4
LT		 1722 /* Update source addr of the socket */
1723 bacpy(src, conn->src);
1724
6be36555 1725 l2cap_chan_unlock(chan);
48454079 1726 l2cap_chan_add(conn, chan);
6be36555 1727 l2cap_chan_lock(chan);
48454079 1728
6be36555 1729 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1730 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1731
1732 if (hcon->state == BT_CONNECTED) {
715ec005 1733 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1734 __clear_chan_timer(chan);
d45fc423 1735 if (l2cap_chan_check_security(chan))
6be36555 1736 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1737 } else
fc7f8a7e 1738 l2cap_do_start(chan);
1da177e4
LT		 1739 }
1740
30e76272
VT		 1741 err = 0;
1742
1da177e4 1743done:
6be36555 1744 l2cap_chan_unlock(chan);
09fd0de5 1745 hci_dev_unlock(hdev);
1da177e4
LT		 1746 hci_dev_put(hdev);
1747 return err;
1748}
1749
dcba0dba 1750int __l2cap_wait_ack(struct sock *sk)
6161c038 1751{
8c1d787b 1752 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1753 DECLARE_WAITQUEUE(wait, current);
1754 int err = 0;
1755 int timeo = HZ/5;
1756
2b0b05dd 1757 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1758 set_current_state(TASK_INTERRUPTIBLE);
1759 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1760 if (!timeo)
1761 timeo = HZ/5;
1762
1763 if (signal_pending(current)) {
1764 err = sock_intr_errno(timeo);
1765 break;
1766 }
1767
1768 release_sock(sk);
1769 timeo = schedule_timeout(timeo);
1770 lock_sock(sk);
a71a0cf4 1771 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1772
1773 err = sock_error(sk);
1774 if (err)
1775 break;
1776 }
1777 set_current_state(TASK_RUNNING);
2b0b05dd 1778 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1779 return err;
1780}
1781
721c4181 1782static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1783{
721c4181 1784 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1785 monitor_timer.work);
e90bac06 1786
525cd185 1787 BT_DBG("chan %p", chan);
0e98958d 1788
6be36555
AE		 1789 l2cap_chan_lock(chan);
1790
80909e04 1791 if (!chan->conn) {
6be36555 1792 l2cap_chan_unlock(chan);
8d7e1c7f 1793 l2cap_chan_put(chan);
e90bac06
GP		 1794 return;
1795 }
1796
401bb1f7 1797 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1798
6be36555 1799 l2cap_chan_unlock(chan);
8d7e1c7f 1800 l2cap_chan_put(chan);
e90bac06
GP		 1801}
1802
721c4181 1803static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1804{
721c4181 1805 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1806 retrans_timer.work);
e90bac06 1807
49208c9c 1808 BT_DBG("chan %p", chan);
0e98958d 1809
6be36555
AE		 1810 l2cap_chan_lock(chan);
1811
80909e04
MM		 1812 if (!chan->conn) {
1813 l2cap_chan_unlock(chan);
1814 l2cap_chan_put(chan);
1815 return;
1816 }
6be36555 1817
401bb1f7 1818 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1819 l2cap_chan_unlock(chan);
8d7e1c7f 1820 l2cap_chan_put(chan);
e90bac06
GP		 1821}
1822
d660366d
GP		 1823static void l2cap_streaming_send(struct l2cap_chan *chan,
1824 struct sk_buff_head *skbs)
6840ed07 1825{
ccbb84af 1826 struct sk_buff *skb;
3733937d 1827 struct l2cap_ctrl *control;
6840ed07 1828
3733937d
MM		 1829 BT_DBG("chan %p, skbs %p", chan, skbs);
1830
b99e13ad
MM		 1831 if (__chan_is_moving(chan))
1832 return;
1833
3733937d
MM		 1834 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1835
1836 while (!skb_queue_empty(&chan->tx_q)) {
1837
1838 skb = skb_dequeue(&chan->tx_q);
1839
1840 bt_cb(skb)->control.retries = 1;
1841 control = &bt_cb(skb)->control;
1842
1843 control->reqseq = 0;
1844 control->txseq = chan->next_tx_seq;
1845
1846 __pack_control(chan, control, skb);
6840ed07 1847
47d1ec61 1848 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1849 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1850 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1851 }
1852
4343478f 1853 l2cap_do_send(chan, skb);
6840ed07 1854
b4400672 1855 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1856
836be934 1857 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1858 chan->frames_sent++;
6840ed07 1859 }
6840ed07
GP		 1860}
1861
67c9e840 1862static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1863{
1864 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1865 struct l2cap_ctrl *control;
1866 int sent = 0;
1867
1868 BT_DBG("chan %p", chan);
1c2acffb 1869
89bc500e 1870 if (chan->state != BT_CONNECTED)
c13ffa62 1871 return -ENOTCONN;
e90bac06 1872
94122bbe
MM		 1873 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1874 return 0;
1875
b99e13ad
MM		 1876 if (__chan_is_moving(chan))
1877 return 0;
1878
18a48e76
MM		 1879 while (chan->tx_send_head &&
1880 chan->unacked_frames < chan->remote_tx_win &&
1881 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1882
18a48e76 1883 skb = chan->tx_send_head;
e90bac06 1884
18a48e76
MM		 1885 bt_cb(skb)->control.retries = 1;
1886 control = &bt_cb(skb)->control;
95ffa978 1887
e2ab4353 1888 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1889 control->final = 1;
e2ab4353 1890
18a48e76
MM		 1891 control->reqseq = chan->buffer_seq;
1892 chan->last_acked_seq = chan->buffer_seq;
1893 control->txseq = chan->next_tx_seq;
1c2acffb 1894
18a48e76 1895 __pack_control(chan, control, skb);
e90bac06 1896
47d1ec61 1897 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1898 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1899 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1900 }
1901
18a48e76
MM		 1902 /* Clone after data has been modified. Data is assumed to be
1903 read-only (for locking purposes) on cloned sk_buffs.
1904 */
1905 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1906
18a48e76
MM		 1907 if (!tx_skb)
1908 break;
1c2acffb 1909
18a48e76 1910 __set_retrans_timer(chan);
836be934
AE		 1911
1912 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1913 chan->unacked_frames++;
6a026610 1914 chan->frames_sent++;
18a48e76 1915 sent++;
1c2acffb 1916
58d35f87
GP		 1917 if (skb_queue_is_last(&chan->tx_q, skb))
1918 chan->tx_send_head = NULL;
1c2acffb 1919 else
58d35f87 1920 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1921
1922 l2cap_do_send(chan, tx_skb);
b4400672 1923 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1924 }
1925
b4400672
AE		 1926 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1927 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1928
1929 return sent;
9e917af1
GP		 1930}
1931
e1fbd4c1
MM		 1932static void l2cap_ertm_resend(struct l2cap_chan *chan)
1933{
1934 struct l2cap_ctrl control;
1935 struct sk_buff *skb;
1936 struct sk_buff *tx_skb;
1937 u16 seq;
1938
1939 BT_DBG("chan %p", chan);
1940
1941 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1942 return;
1943
b99e13ad
MM		 1944 if (__chan_is_moving(chan))
1945 return;
1946
e1fbd4c1
MM		 1947 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1948 seq = l2cap_seq_list_pop(&chan->retrans_list);
1949
1950 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1951 if (!skb) {
1952 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1953 seq);
e1fbd4c1
MM		 1954 continue;
1955 }
1956
1957 bt_cb(skb)->control.retries++;
1958 control = bt_cb(skb)->control;
1959
1960 if (chan->max_tx != 0 &&
1961 bt_cb(skb)->control.retries > chan->max_tx) {
1962 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1963 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1964 l2cap_seq_list_clear(&chan->retrans_list);
1965 break;
1966 }
1967
1968 control.reqseq = chan->buffer_seq;
1969 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1970 control.final = 1;
1971 else
1972 control.final = 0;
1973
1974 if (skb_cloned(skb)) {
1975 /* Cloned sk_buffs are read-only, so we need a
1976 * writeable copy
1977 */
8bcde1f2 1978 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1979 } else {
8bcde1f2 1980 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1981 }
1982
1983 if (!tx_skb) {
1984 l2cap_seq_list_clear(&chan->retrans_list);
1985 break;
1986 }
1987
1988 /* Update skb contents */
1989 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1990 put_unaligned_le32(__pack_extended_control(&control),
1991 tx_skb->data + L2CAP_HDR_SIZE);
1992 } else {
1993 put_unaligned_le16(__pack_enhanced_control(&control),
1994 tx_skb->data + L2CAP_HDR_SIZE);
1995 }
1996
1997 if (chan->fcs == L2CAP_FCS_CRC16) {
1998 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1999 put_unaligned_le16(fcs, skb_put(tx_skb,
2000 L2CAP_FCS_SIZE));
2001 }
2002
2003 l2cap_do_send(chan, tx_skb);
2004
2005 BT_DBG("Resent txseq %d", control.txseq);
2006
2007 chan->last_acked_seq = chan->buffer_seq;
2008 }
2009}
2010
f80842a8
MM		 2011static void l2cap_retransmit(struct l2cap_chan *chan,
2012 struct l2cap_ctrl *control)
2013{
2014 BT_DBG("chan %p, control %p", chan, control);
2015
2016 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2017 l2cap_ertm_resend(chan);
2018}
2019
d2a7ac5d
MM		 2020static void l2cap_retransmit_all(struct l2cap_chan *chan,
2021 struct l2cap_ctrl *control)
2022{
e1fbd4c1
MM		 2023 struct sk_buff *skb;
2024
2025 BT_DBG("chan %p, control %p", chan, control);
2026
2027 if (control->poll)
2028 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2029
2030 l2cap_seq_list_clear(&chan->retrans_list);
2031
2032 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2033 return;
2034
2035 if (chan->unacked_frames) {
2036 skb_queue_walk(&chan->tx_q, skb) {
2037 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2038 skb == chan->tx_send_head)
e1fbd4c1
MM		 2039 break;
2040 }
2041
2042 skb_queue_walk_from(&chan->tx_q, skb) {
2043 if (skb == chan->tx_send_head)
2044 break;
2045
2046 l2cap_seq_list_append(&chan->retrans_list,
2047 bt_cb(skb)->control.txseq);
2048 }
2049
2050 l2cap_ertm_resend(chan);
2051 }
d2a7ac5d
MM		 2052}
2053
0a0aba42 2054static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2055{
0a0aba42
MM		 2056 struct l2cap_ctrl control;
2057 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2058 chan->last_acked_seq);
2059 int threshold;
9e917af1 2060
0a0aba42
MM		 2061 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2062 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2063
0a0aba42
MM		 2064 memset(&control, 0, sizeof(control));
2065 control.sframe = 1;
dfc909be 2066
0a0aba42
MM		 2067 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2068 chan->rx_state == L2CAP_RX_STATE_RECV) {
2069 __clear_ack_timer(chan);
2070 control.super = L2CAP_SUPER_RNR;
2071 control.reqseq = chan->buffer_seq;
2072 l2cap_send_sframe(chan, &control);
2073 } else {
2074 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2075 l2cap_ertm_send(chan);
2076 /* If any i-frames were sent, they included an ack */
2077 if (chan->buffer_seq == chan->last_acked_seq)
2078 frames_to_ack = 0;
2079 }
dfc909be 2080
c20f8e35 2081 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2082 * Calculate without mul or div
2083 */
c20f8e35 2084 threshold = chan->ack_win;
0a0aba42
MM		 2085 threshold += threshold << 1;
2086 threshold >>= 2;
2087
b4400672 2088 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2089 threshold);
2090
2091 if (frames_to_ack >= threshold) {
2092 __clear_ack_timer(chan);
2093 control.super = L2CAP_SUPER_RR;
2094 control.reqseq = chan->buffer_seq;
2095 l2cap_send_sframe(chan, &control);
2096 frames_to_ack = 0;
2097 }
1c2acffb 2098
0a0aba42
MM		 2099 if (frames_to_ack)
2100 __set_ack_timer(chan);
2101 }
b17e73bb
SJ		 2102}
2103
04124681
GP		 2104static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2105 struct msghdr *msg, int len,
2106 int count, struct sk_buff *skb)
1c2acffb 2107{
0952a57a 2108 struct l2cap_conn *conn = chan->conn;
1c2acffb 2109 struct sk_buff **frag;
90338947 2110 int sent = 0;
1da177e4 2111
59203a21 2112 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2113 return -EFAULT;
1da177e4
LT		 2114
2115 sent += count;
2116 len -= count;
2117
2118 /* Continuation fragments (no L2CAP header) */
2119 frag = &skb_shinfo(skb)->frag_list;
2120 while (len) {
fbe00700
GP		 2121 struct sk_buff *tmp;
2122
1da177e4
LT		 2123 count = min_t(unsigned int, conn->mtu, len);
2124
fbe00700
GP		 2125 tmp = chan->ops->alloc_skb(chan, count,
2126 msg->msg_flags & MSG_DONTWAIT);
2127 if (IS_ERR(tmp))
2128 return PTR_ERR(tmp);
2129
2130 *frag = tmp;
2f7719ce 2131
1c2acffb
GP		 2132 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2133 return -EFAULT;
1da177e4 2134
5e59b791
LAD		 2135 (*frag)->priority = skb->priority;
2136
1da177e4
LT		 2137 sent += count;
2138 len -= count;
2139
2d0ed3d5
GP		 2140 skb->len += (*frag)->len;
2141 skb->data_len += (*frag)->len;
2142
1da177e4
LT		 2143 frag = &(*frag)->next;
2144 }
1da177e4
LT		 2145
2146 return sent;
1c2acffb 2147}
1da177e4 2148
5e59b791 2149static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2150 struct msghdr *msg, size_t len,
2151 u32 priority)
1c2acffb 2152{
8c1d787b 2153 struct l2cap_conn *conn = chan->conn;
1c2acffb 2154 struct sk_buff *skb;
03a51213 2155 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2156 struct l2cap_hdr *lh;
2157
b4400672 2158 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2159
2160 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2161
2162 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2163 msg->msg_flags & MSG_DONTWAIT);
2164 if (IS_ERR(skb))
2165 return skb;
1c2acffb 2166
5e59b791
LAD		 2167 skb->priority = priority;
2168
1c2acffb
GP		 2169 /* Create L2CAP header */
2170 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2171 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2172 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2173 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2174
0952a57a 2175 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2176 if (unlikely(err < 0)) {
2177 kfree_skb(skb);
2178 return ERR_PTR(err);
2179 }
2180 return skb;
2181}
2182
5e59b791 2183static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2184 struct msghdr *msg, size_t len,
2185 u32 priority)
1c2acffb 2186{
8c1d787b 2187 struct l2cap_conn *conn = chan->conn;
1c2acffb 2188 struct sk_buff *skb;
f2ba7fae 2189 int err, count;
1c2acffb
GP		 2190 struct l2cap_hdr *lh;
2191
b4400672 2192 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2193
f2ba7fae 2194 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2195
f2ba7fae 2196 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2197 msg->msg_flags & MSG_DONTWAIT);
2198 if (IS_ERR(skb))
2199 return skb;
1c2acffb 2200
5e59b791
LAD		 2201 skb->priority = priority;
2202
1c2acffb
GP		 2203 /* Create L2CAP header */
2204 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2205 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2206 lh->len = cpu_to_le16(len);
1c2acffb 2207
0952a57a 2208 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2209 if (unlikely(err < 0)) {
2210 kfree_skb(skb);
2211 return ERR_PTR(err);
2212 }
2213 return skb;
2214}
2215
ab0ff76d 2216static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2217 struct msghdr *msg, size_t len,
2218 u16 sdulen)
1c2acffb 2219{
8c1d787b 2220 struct l2cap_conn *conn = chan->conn;
1c2acffb 2221 struct sk_buff *skb;
e4ca6d98 2222 int err, count, hlen;
1c2acffb
GP		 2223 struct l2cap_hdr *lh;
2224
b4400672 2225 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2226
0ee0d208
GP		 2227 if (!conn)
2228 return ERR_PTR(-ENOTCONN);
2229
ba7aa64f 2230 hlen = __ertm_hdr_size(chan);
e4ca6d98 2231
c74e560c 2232 if (sdulen)
03a51213 2233 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2234
47d1ec61 2235 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2236 hlen += L2CAP_FCS_SIZE;
fcc203c3 2237
1c2acffb 2238 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2239
2240 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2241 msg->msg_flags & MSG_DONTWAIT);
2242 if (IS_ERR(skb))
2243 return skb;
1c2acffb
GP		 2244
2245 /* Create L2CAP header */
2246 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2247 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2248 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2249
18a48e76
MM		 2250 /* Control header is populated later */
2251 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2252 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2253 else
2254 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2255
c74e560c 2256 if (sdulen)
03a51213 2257 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2258
0952a57a 2259 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2260 if (unlikely(err < 0)) {
2261 kfree_skb(skb);
2262 return ERR_PTR(err);
2263 }
e90bac06 2264
18a48e76 2265 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2266 bt_cb(skb)->control.retries = 0;
1c2acffb 2267 return skb;
1da177e4
LT		 2268}
2269
94122bbe
MM		 2270static int l2cap_segment_sdu(struct l2cap_chan *chan,
2271 struct sk_buff_head *seg_queue,
2272 struct msghdr *msg, size_t len)
c74e560c 2273{
c74e560c 2274 struct sk_buff *skb;
94122bbe
MM		 2275 u16 sdu_len;
2276 size_t pdu_len;
94122bbe 2277 u8 sar;
c74e560c 2278
b4400672 2279 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2280
94122bbe
MM		 2281 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2282 * so fragmented skbs are not used. The HCI layer's handling
2283 * of fragmented skbs is not compatible with ERTM's queueing.
2284 */
c74e560c 2285
94122bbe
MM		 2286 /* PDU size is derived from the HCI MTU */
2287 pdu_len = chan->conn->mtu;
c74e560c 2288
a549574d
MM		 2289 /* Constrain PDU size for BR/EDR connections */
2290 if (!chan->hs_hcon)
2291 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2292
2293 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2294 if (chan->fcs)
2295 pdu_len -= L2CAP_FCS_SIZE;
2296
ba7aa64f 2297 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2298
2299 /* Remote device may have requested smaller PDUs */
2300 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2301
2302 if (len <= pdu_len) {
2303 sar = L2CAP_SAR_UNSEGMENTED;
2304 sdu_len = 0;
2305 pdu_len = len;
2306 } else {
2307 sar = L2CAP_SAR_START;
2308 sdu_len = len;
2309 pdu_len -= L2CAP_SDULEN_SIZE;
2310 }
2311
2312 while (len > 0) {
2313 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2314
c74e560c 2315 if (IS_ERR(skb)) {
94122bbe 2316 __skb_queue_purge(seg_queue);
c74e560c
GP		 2317 return PTR_ERR(skb);
2318 }
2319
94122bbe
MM		 2320 bt_cb(skb)->control.sar = sar;
2321 __skb_queue_tail(seg_queue, skb);
2322
2323 len -= pdu_len;
2324 if (sdu_len) {
2325 sdu_len = 0;
2326 pdu_len += L2CAP_SDULEN_SIZE;
2327 }
2328
2329 if (len <= pdu_len) {
2330 sar = L2CAP_SAR_END;
2331 pdu_len = len;
2332 } else {
2333 sar = L2CAP_SAR_CONTINUE;
2334 }
c74e560c 2335 }
c74e560c 2336
f0f62799 2337 return 0;
c74e560c
GP		 2338}
2339
5e59b791 2340int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2341 u32 priority)
9a91a04a 2342{
9a91a04a 2343 struct sk_buff *skb;
9a91a04a 2344 int err;
94122bbe 2345 struct sk_buff_head seg_queue;
9a91a04a
GP		 2346
2347 /* Connectionless channel */
715ec005 2348 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2349 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2350 if (IS_ERR(skb))
2351 return PTR_ERR(skb);
2352
2353 l2cap_do_send(chan, skb);
2354 return len;
2355 }
2356
2357 switch (chan->mode) {
2358 case L2CAP_MODE_BASIC:
2359 /* Check outgoing MTU */
2360 if (len > chan->omtu)
2361 return -EMSGSIZE;
2362
2363 /* Create a basic PDU */
5e59b791 2364 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2365 if (IS_ERR(skb))
2366 return PTR_ERR(skb);
2367
2368 l2cap_do_send(chan, skb);
2369 err = len;
2370 break;
2371
2372 case L2CAP_MODE_ERTM:
2373 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2374 /* Check outgoing MTU */
2375 if (len > chan->omtu) {
2376 err = -EMSGSIZE;
2377 break;
2378 }
9a91a04a 2379
94122bbe 2380 __skb_queue_head_init(&seg_queue);
9a91a04a 2381
94122bbe
MM		 2382 /* Do segmentation before calling in to the state machine,
2383 * since it's possible to block while waiting for memory
2384 * allocation.
2385 */
2386 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2387
94122bbe
MM		 2388 /* The channel could have been closed while segmenting,
2389 * check that it is still connected.
2390 */
2391 if (chan->state != BT_CONNECTED) {
2392 __skb_queue_purge(&seg_queue);
2393 err = -ENOTCONN;
9a91a04a
GP		 2394 }
2395
94122bbe 2396 if (err)
9a91a04a 2397 break;
9a91a04a 2398
3733937d 2399 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2400 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2401 else
d660366d 2402 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2403
d660366d 2404 err = len;
9a91a04a 2405
94122bbe
MM		 2406 /* If the skbs were not queued for sending, they'll still be in
2407 * seg_queue and need to be purged.
2408 */
2409 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2410 break;
2411
2412 default:
2413 BT_DBG("bad state %1.1x", chan->mode);
2414 err = -EBADFD;
2415 }
2416
2417 return err;
2418}
2419
d2a7ac5d
MM		 2420static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2421{
bed68bde
MM		 2422 struct l2cap_ctrl control;
2423 u16 seq;
2424
b4400672 2425 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2426
2427 memset(&control, 0, sizeof(control));
2428 control.sframe = 1;
2429 control.super = L2CAP_SUPER_SREJ;
2430
2431 for (seq = chan->expected_tx_seq; seq != txseq;
2432 seq = __next_seq(chan, seq)) {
2433 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2434 control.reqseq = seq;
2435 l2cap_send_sframe(chan, &control);
2436 l2cap_seq_list_append(&chan->srej_list, seq);
2437 }
2438 }
2439
2440 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2441}
2442
2443static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2444{
bed68bde
MM		 2445 struct l2cap_ctrl control;
2446
2447 BT_DBG("chan %p", chan);
2448
2449 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2450 return;
2451
2452 memset(&control, 0, sizeof(control));
2453 control.sframe = 1;
2454 control.super = L2CAP_SUPER_SREJ;
2455 control.reqseq = chan->srej_list.tail;
2456 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2457}
2458
2459static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2460{
bed68bde
MM		 2461 struct l2cap_ctrl control;
2462 u16 initial_head;
2463 u16 seq;
2464
b4400672 2465 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2466
2467 memset(&control, 0, sizeof(control));
2468 control.sframe = 1;
2469 control.super = L2CAP_SUPER_SREJ;
2470
2471 /* Capture initial list head to allow only one pass through the list. */
2472 initial_head = chan->srej_list.head;
2473
2474 do {
2475 seq = l2cap_seq_list_pop(&chan->srej_list);
2476 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2477 break;
2478
2479 control.reqseq = seq;
2480 l2cap_send_sframe(chan, &control);
2481 l2cap_seq_list_append(&chan->srej_list, seq);
2482 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2483}
2484
608bcc6d
MM		 2485static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2486{
2487 struct sk_buff *acked_skb;
2488 u16 ackseq;
2489
b4400672 2490 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2491
2492 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2493 return;
2494
b4400672 2495 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2496 chan->expected_ack_seq, chan->unacked_frames);
2497
2498 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2499 ackseq = __next_seq(chan, ackseq)) {
2500
2501 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2502 if (acked_skb) {
2503 skb_unlink(acked_skb, &chan->tx_q);
2504 kfree_skb(acked_skb);
2505 chan->unacked_frames--;
2506 }
2507 }
2508
2509 chan->expected_ack_seq = reqseq;
2510
2511 if (chan->unacked_frames == 0)
2512 __clear_retrans_timer(chan);
2513
b4400672 2514 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2515}
2516
2517static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2518{
2519 BT_DBG("chan %p", chan);
2520
2521 chan->expected_tx_seq = chan->buffer_seq;
2522 l2cap_seq_list_clear(&chan->srej_list);
2523 skb_queue_purge(&chan->srej_q);
2524 chan->rx_state = L2CAP_RX_STATE_RECV;
2525}
2526
d660366d
GP		 2527static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2528 struct l2cap_ctrl *control,
2529 struct sk_buff_head *skbs, u8 event)
608bcc6d 2530{
608bcc6d
MM		 2531 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2532 event);
2533
2534 switch (event) {
2535 case L2CAP_EV_DATA_REQUEST:
2536 if (chan->tx_send_head == NULL)
2537 chan->tx_send_head = skb_peek(skbs);
2538
2539 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2540 l2cap_ertm_send(chan);
2541 break;
2542 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2543 BT_DBG("Enter LOCAL_BUSY");
2544 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2545
2546 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2547 /* The SREJ_SENT state must be aborted if we are to
2548 * enter the LOCAL_BUSY state.
2549 */
2550 l2cap_abort_rx_srej_sent(chan);
2551 }
2552
2553 l2cap_send_ack(chan);
2554
2555 break;
2556 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2557 BT_DBG("Exit LOCAL_BUSY");
2558 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2559
2560 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2561 struct l2cap_ctrl local_control;
2562
2563 memset(&local_control, 0, sizeof(local_control));
2564 local_control.sframe = 1;
2565 local_control.super = L2CAP_SUPER_RR;
2566 local_control.poll = 1;
2567 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2568 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2569
2570 chan->retry_count = 1;
2571 __set_monitor_timer(chan);
2572 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2573 }
2574 break;
2575 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2576 l2cap_process_reqseq(chan, control->reqseq);
2577 break;
2578 case L2CAP_EV_EXPLICIT_POLL:
2579 l2cap_send_rr_or_rnr(chan, 1);
2580 chan->retry_count = 1;
2581 __set_monitor_timer(chan);
2582 __clear_ack_timer(chan);
2583 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2584 break;
2585 case L2CAP_EV_RETRANS_TO:
2586 l2cap_send_rr_or_rnr(chan, 1);
2587 chan->retry_count = 1;
2588 __set_monitor_timer(chan);
2589 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2590 break;
2591 case L2CAP_EV_RECV_FBIT:
2592 /* Nothing to process */
2593 break;
2594 default:
2595 break;
2596 }
608bcc6d
MM		 2597}
2598
d660366d
GP		 2599static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2600 struct l2cap_ctrl *control,
2601 struct sk_buff_head *skbs, u8 event)
608bcc6d 2602{
608bcc6d
MM		 2603 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2604 event);
2605
2606 switch (event) {
2607 case L2CAP_EV_DATA_REQUEST:
2608 if (chan->tx_send_head == NULL)
2609 chan->tx_send_head = skb_peek(skbs);
2610 /* Queue data, but don't send. */
2611 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2612 break;
2613 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2614 BT_DBG("Enter LOCAL_BUSY");
2615 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2616
2617 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2618 /* The SREJ_SENT state must be aborted if we are to
2619 * enter the LOCAL_BUSY state.
2620 */
2621 l2cap_abort_rx_srej_sent(chan);
2622 }
2623
2624 l2cap_send_ack(chan);
2625
2626 break;
2627 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2628 BT_DBG("Exit LOCAL_BUSY");
2629 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2630
2631 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2632 struct l2cap_ctrl local_control;
2633 memset(&local_control, 0, sizeof(local_control));
2634 local_control.sframe = 1;
2635 local_control.super = L2CAP_SUPER_RR;
2636 local_control.poll = 1;
2637 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2638 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2639
2640 chan->retry_count = 1;
2641 __set_monitor_timer(chan);
2642 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2643 }
2644 break;
2645 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2646 l2cap_process_reqseq(chan, control->reqseq);
2647
2648 /* Fall through */
2649
2650 case L2CAP_EV_RECV_FBIT:
2651 if (control && control->final) {
2652 __clear_monitor_timer(chan);
2653 if (chan->unacked_frames > 0)
2654 __set_retrans_timer(chan);
2655 chan->retry_count = 0;
2656 chan->tx_state = L2CAP_TX_STATE_XMIT;
2657 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2658 }
2659 break;
2660 case L2CAP_EV_EXPLICIT_POLL:
2661 /* Ignore */
2662 break;
2663 case L2CAP_EV_MONITOR_TO:
2664 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2665 l2cap_send_rr_or_rnr(chan, 1);
2666 __set_monitor_timer(chan);
2667 chan->retry_count++;
2668 } else {
5e4e3972 2669 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2670 }
2671 break;
2672 default:
2673 break;
2674 }
608bcc6d
MM		 2675}
2676
d660366d
GP		 2677static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2678 struct sk_buff_head *skbs, u8 event)
608bcc6d 2679{
608bcc6d
MM		 2680 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2681 chan, control, skbs, event, chan->tx_state);
2682
2683 switch (chan->tx_state) {
2684 case L2CAP_TX_STATE_XMIT:
d660366d 2685 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2686 break;
2687 case L2CAP_TX_STATE_WAIT_F:
d660366d 2688 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2689 break;
2690 default:
2691 /* Ignore event */
2692 break;
2693 }
608bcc6d
MM		 2694}
2695
4b51dae9
MM		 2696static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2697 struct l2cap_ctrl *control)
2698{
2699 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2700 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2701}
2702
f80842a8
MM		 2703static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2704 struct l2cap_ctrl *control)
2705{
2706 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2707 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2708}
2709
1da177e4
LT		 2710/* Copy frame to all raw sockets on that connection */
2711static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2712{
1da177e4 2713 struct sk_buff *nskb;
48454079 2714 struct l2cap_chan *chan;
1da177e4
LT		 2715
2716 BT_DBG("conn %p", conn);
2717
3df91ea2 2718 mutex_lock(&conn->chan_lock);
3d57dc68 2719
3df91ea2 2720 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2721 struct sock *sk = chan->sk;
715ec005 2722 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2723 continue;
2724
2725 /* Don't send frame to the socket it came from */
2726 if (skb->sk == sk)
2727 continue;
8bcde1f2 2728 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2729 if (!nskb)
1da177e4
LT		 2730 continue;
2731
80b98027 2732 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2733 kfree_skb(nskb);
2734 }
3d57dc68 2735
3df91ea2 2736 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2737}
2738
2739/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2740static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2741 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2742{
2743 struct sk_buff *skb, **frag;
2744 struct l2cap_cmd_hdr *cmd;
2745 struct l2cap_hdr *lh;
2746 int len, count;
2747
b4400672
AE		 2748 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2749 conn, code, ident, dlen);
1da177e4
LT		 2750
2751 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2752 count = min_t(unsigned int, conn->mtu, len);
2753
8bcde1f2 2754 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2755 if (!skb)
2756 return NULL;
2757
2758 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2759 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2760
2761 if (conn->hcon->type == LE_LINK)
ac73498c 2762 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2763 else
ac73498c 2764 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2765
2766 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2767 cmd->code = code;
2768 cmd->ident = ident;
aca3192c 2769 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2770
2771 if (dlen) {
2772 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2773 memcpy(skb_put(skb, count), data, count);
2774 data += count;
2775 }
2776
2777 len -= skb->len;
2778
2779 /* Continuation fragments (no L2CAP header) */
2780 frag = &skb_shinfo(skb)->frag_list;
2781 while (len) {
2782 count = min_t(unsigned int, conn->mtu, len);
2783
8bcde1f2 2784 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2785 if (!*frag)
2786 goto fail;
2787
2788 memcpy(skb_put(*frag, count), data, count);
2789
2790 len -= count;
2791 data += count;
2792
2793 frag = &(*frag)->next;
2794 }
2795
2796 return skb;
2797
2798fail:
2799 kfree_skb(skb);
2800 return NULL;
2801}
2802
2d792818
GP		 2803static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2804 unsigned long *val)
1da177e4
LT		 2805{
2806 struct l2cap_conf_opt *opt = *ptr;
2807 int len;
2808
2809 len = L2CAP_CONF_OPT_SIZE + opt->len;
2810 *ptr += len;
2811
2812 *type = opt->type;
2813 *olen = opt->len;
2814
2815 switch (opt->len) {
2816 case 1:
2817 *val = *((u8 *) opt->val);
2818 break;
2819
2820 case 2:
bfaaeb3e 2821 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2822 break;
2823
2824 case 4:
bfaaeb3e 2825 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2826 break;
2827
2828 default:
2829 *val = (unsigned long) opt->val;
2830 break;
2831 }
2832
b4400672 2833 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2834 return len;
2835}
2836
1da177e4
LT		 2837static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2838{
2839 struct l2cap_conf_opt *opt = *ptr;
2840
b4400672 2841 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2842
2843 opt->type = type;
2844 opt->len = len;
2845
2846 switch (len) {
2847 case 1:
2848 *((u8 *) opt->val) = val;
2849 break;
2850
2851 case 2:
4f8b691c 2852 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2853 break;
2854
2855 case 4:
4f8b691c 2856 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2857 break;
2858
2859 default:
2860 memcpy(opt->val, (void *) val, len);
2861 break;
2862 }
2863
2864 *ptr += L2CAP_CONF_OPT_SIZE + len;
2865}
2866
f89cef09
AE		 2867static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2868{
2869 struct l2cap_conf_efs efs;
2870
1ec918ce 2871 switch (chan->mode) {
f89cef09
AE		 2872 case L2CAP_MODE_ERTM:
2873 efs.id = chan->local_id;
2874 efs.stype = chan->local_stype;
2875 efs.msdu = cpu_to_le16(chan->local_msdu);
2876 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2877 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2878 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2879 break;
2880
2881 case L2CAP_MODE_STREAMING:
2882 efs.id = 1;
2883 efs.stype = L2CAP_SERV_BESTEFFORT;
2884 efs.msdu = cpu_to_le16(chan->local_msdu);
2885 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2886 efs.acc_lat = 0;
2887 efs.flush_to = 0;
2888 break;
2889
2890 default:
2891 return;
2892 }
2893
2894 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2895 (unsigned long) &efs);
f89cef09
AE		 2896}
2897
721c4181 2898static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2899{
721c4181 2900 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2901 ack_timer.work);
2902 u16 frames_to_ack;
c1b4f43b 2903
2fb9b3d4
GP		 2904 BT_DBG("chan %p", chan);
2905
6be36555
AE		 2906 l2cap_chan_lock(chan);
2907
0362520b
MM		 2908 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2909 chan->last_acked_seq);
6be36555 2910
0362520b
MM		 2911 if (frames_to_ack)
2912 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2913
0362520b 2914 l2cap_chan_unlock(chan);
09bfb2ee 2915 l2cap_chan_put(chan);
c1b4f43b
GP		 2916}
2917
466f8004 2918int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2919{
3c588192
MM		 2920 int err;
2921
105bdf9e
MM		 2922 chan->next_tx_seq = 0;
2923 chan->expected_tx_seq = 0;
42e5c802 2924 chan->expected_ack_seq = 0;
6a026610 2925 chan->unacked_frames = 0;
42e5c802 2926 chan->buffer_seq = 0;
6a026610 2927 chan->frames_sent = 0;
105bdf9e
MM		 2928 chan->last_acked_seq = 0;
2929 chan->sdu = NULL;
2930 chan->sdu_last_frag = NULL;
2931 chan->sdu_len = 0;
2932
d34c34fb
MM		 2933 skb_queue_head_init(&chan->tx_q);
2934
08333283
MM		 2935 chan->local_amp_id = 0;
2936 chan->move_id = 0;
2937 chan->move_state = L2CAP_MOVE_STABLE;
2938 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2939
105bdf9e
MM		 2940 if (chan->mode != L2CAP_MODE_ERTM)
2941 return 0;
2942
2943 chan->rx_state = L2CAP_RX_STATE_RECV;
2944 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2945
721c4181
GP		 2946 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2947 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2948 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2949
f1c6775b 2950 skb_queue_head_init(&chan->srej_q);
1890d36b 2951
3c588192
MM		 2952 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2953 if (err < 0)
2954 return err;
2955
9dc9affc
MM		 2956 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2957 if (err < 0)
2958 l2cap_seq_list_free(&chan->srej_list);
2959
2960 return err;
0565c1c2
GP		 2961}
2962
f2fcfcd6
GP		 2963static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2964{
2965 switch (mode) {
2966 case L2CAP_MODE_STREAMING:
2967 case L2CAP_MODE_ERTM:
2968 if (l2cap_mode_supported(mode, remote_feat_mask))
2969 return mode;
2970 /* fall through */
2971 default:
2972 return L2CAP_MODE_BASIC;
2973 }
2974}
2975
6327eb98
AE		 2976static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2977{
2978 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2979}
2980
f89cef09
AE		 2981static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2982{
2983 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2984}
2985
36c86c85
MM		 2986static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
2987 struct l2cap_conf_rfc *rfc)
2988{
2989 if (chan->local_amp_id && chan->hs_hcon) {
2990 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
2991
2992 /* Class 1 devices have must have ERTM timeouts
2993 * exceeding the Link Supervision Timeout. The
2994 * default Link Supervision Timeout for AMP
2995 * controllers is 10 seconds.
2996 *
2997 * Class 1 devices use 0xffffffff for their
2998 * best-effort flush timeout, so the clamping logic
2999 * will result in a timeout that meets the above
3000 * requirement. ERTM timeouts are 16-bit values, so
3001 * the maximum timeout is 65.535 seconds.
3002 */
3003
3004 /* Convert timeout to milliseconds and round */
3005 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3006
3007 /* This is the recommended formula for class 2 devices
3008 * that start ERTM timers when packets are sent to the
3009 * controller.
3010 */
3011 ertm_to = 3 * ertm_to + 500;
3012
3013 if (ertm_to > 0xffff)
3014 ertm_to = 0xffff;
3015
3016 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3017 rfc->monitor_timeout = rfc->retrans_timeout;
3018 } else {
3019 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3020 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3021 }
3022}
3023
6327eb98
AE		 3024static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3025{
3026 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3027 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3028 /* use extended control field */
3029 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3030 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3031 } else {
6327eb98 3032 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3033 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3034 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3035 }
c20f8e35 3036 chan->ack_win = chan->tx_win;
6327eb98
AE		 3037}
3038
710f9b0a 3039static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3040{
1da177e4 3041 struct l2cap_conf_req *req = data;
0c1bc5c6 3042 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3043 void *ptr = req->data;
c8f79162 3044 u16 size;
1da177e4 3045
49208c9c 3046 BT_DBG("chan %p", chan);
1da177e4 3047
73ffa904 3048 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3049 goto done;
3050
0c1bc5c6 3051 switch (chan->mode) {
f2fcfcd6
GP		 3052 case L2CAP_MODE_STREAMING:
3053 case L2CAP_MODE_ERTM:
c1360a1c 3054 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3055 break;
85eb53c6 3056
f89cef09
AE		 3057 if (__l2cap_efs_supported(chan))
3058 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3059
2ba13ed6 3060 /* fall through */
f2fcfcd6 3061 default:
8c1d787b 3062 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3063 break;
3064 }
3065
3066done:
0c1bc5c6
GP		 3067 if (chan->imtu != L2CAP_DEFAULT_MTU)
3068 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3069
0c1bc5c6 3070 switch (chan->mode) {
65c7c491 3071 case L2CAP_MODE_BASIC:
8c1d787b 3072 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3073 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3074 break;
3075
62547752
GP		 3076 rfc.mode = L2CAP_MODE_BASIC;
3077 rfc.txwin_size = 0;
3078 rfc.max_transmit = 0;
3079 rfc.retrans_timeout = 0;
3080 rfc.monitor_timeout = 0;
3081 rfc.max_pdu_size = 0;
3082
63406504 3083 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3084 (unsigned long) &rfc);
65c7c491
MH		 3085 break;
3086
3087 case L2CAP_MODE_ERTM:
3088 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3089 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3090
3091 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3092
3093 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3094 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3095 L2CAP_FCS_SIZE);
c8f79162 3096 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3097
6327eb98
AE		 3098 l2cap_txwin_setup(chan);
3099
3100 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3101 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3102
63406504 3103 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3104 (unsigned long) &rfc);
63406504 3105
f89cef09
AE		 3106 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3107 l2cap_add_opt_efs(&ptr, chan);
3108
6327eb98
AE		 3109 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3110 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3111 chan->tx_win);
60918918
AE		 3112
3113 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3114 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3115 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3116 chan->fcs = L2CAP_FCS_NONE;
3117 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3118 chan->fcs);
3119 }
f2fcfcd6
GP		 3120 break;
3121
3122 case L2CAP_MODE_STREAMING:
273759e2 3123 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3124 rfc.mode = L2CAP_MODE_STREAMING;
3125 rfc.txwin_size = 0;
3126 rfc.max_transmit = 0;
3127 rfc.retrans_timeout = 0;
3128 rfc.monitor_timeout = 0;
c8f79162
AE		 3129
3130 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3131 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3132 L2CAP_FCS_SIZE);
c8f79162 3133 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3134
63406504 3135 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3136 (unsigned long) &rfc);
63406504 3137
f89cef09
AE		 3138 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3139 l2cap_add_opt_efs(&ptr, chan);
3140
60918918
AE		 3141 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3142 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3143 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3144 chan->fcs = L2CAP_FCS_NONE;
3145 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3146 chan->fcs);
3147 }
65c7c491
MH		 3148 break;
3149 }
1da177e4 3150
fe4128e0 3151 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3152 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3153
3154 return ptr - data;
3155}
3156
73ffa904 3157static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3158{
5dee9e7c
MH		 3159 struct l2cap_conf_rsp *rsp = data;
3160 void *ptr = rsp->data;
73ffa904
GP		 3161 void *req = chan->conf_req;
3162 int len = chan->conf_len;
5dee9e7c
MH		 3163 int type, hint, olen;
3164 unsigned long val;
6464f35f 3165 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3166 struct l2cap_conf_efs efs;
3167 u8 remote_efs = 0;
861d6882 3168 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3169 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3170 u16 size;
1da177e4 3171
73ffa904 3172 BT_DBG("chan %p", chan);
820ae1b8 3173
5dee9e7c
MH		 3174 while (len >= L2CAP_CONF_OPT_SIZE) {
3175 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3176
589d2746 3177 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3178 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3179
3180 switch (type) {
3181 case L2CAP_CONF_MTU:
861d6882 3182 mtu = val;
5dee9e7c
MH		 3183 break;
3184
3185 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3186 chan->flush_to = val;
5dee9e7c
MH		 3187 break;
3188
3189 case L2CAP_CONF_QOS:
3190 break;
3191
6464f35f
MH		 3192 case L2CAP_CONF_RFC:
3193 if (olen == sizeof(rfc))
3194 memcpy(&rfc, (void *) val, olen);
3195 break;
3196
fcc203c3
GP		 3197 case L2CAP_CONF_FCS:
3198 if (val == L2CAP_FCS_NONE)
f2592d3e 3199 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3200 break;
fcc203c3 3201
42dceae2
AE		 3202 case L2CAP_CONF_EFS:
3203 remote_efs = 1;
3204 if (olen == sizeof(efs))
3205 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3206 break;
3207
6327eb98
AE		 3208 case L2CAP_CONF_EWS:
3209 if (!enable_hs)
3210 return -ECONNREFUSED;
fcc203c3 3211
6327eb98
AE		 3212 set_bit(FLAG_EXT_CTRL, &chan->flags);
3213 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3214 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3215 chan->remote_tx_win = val;
fcc203c3
GP		 3216 break;
3217
5dee9e7c
MH		 3218 default:
3219 if (hint)
3220 break;
3221
3222 result = L2CAP_CONF_UNKNOWN;
3223 *((u8 *) ptr++) = type;
3224 break;
3225 }
3226 }
3227
73ffa904 3228 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3229 goto done;
3230
0c1bc5c6 3231 switch (chan->mode) {
f2fcfcd6
GP		 3232 case L2CAP_MODE_STREAMING:
3233 case L2CAP_MODE_ERTM:
c1360a1c 3234 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3235 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3236 chan->conn->feat_mask);
85eb53c6
GP		 3237 break;
3238 }
3239
42dceae2
AE		 3240 if (remote_efs) {
3241 if (__l2cap_efs_supported(chan))
3242 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3243 else
3244 return -ECONNREFUSED;
3245 }
3246
0c1bc5c6 3247 if (chan->mode != rfc.mode)
f2fcfcd6 3248 return -ECONNREFUSED;
742e519b 3249
f2fcfcd6 3250 break;
f2fcfcd6
GP		 3251 }
3252
3253done:
0c1bc5c6 3254 if (chan->mode != rfc.mode) {
f2fcfcd6 3255 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3256 rfc.mode = chan->mode;
f2fcfcd6 3257
73ffa904 3258 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3259 return -ECONNREFUSED;
3260
2d792818
GP		 3261 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3262 (unsigned long) &rfc);
f2fcfcd6
GP		 3263 }
3264
5dee9e7c
MH		 3265 if (result == L2CAP_CONF_SUCCESS) {
3266 /* Configure output options and let the other side know
3267 * which ones we don't like. */
3268
f2fcfcd6
GP		 3269 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3270 result = L2CAP_CONF_UNACCEPT;
3271 else {
0c1bc5c6 3272 chan->omtu = mtu;
c1360a1c 3273 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3274 }
0c1bc5c6 3275 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3276
42dceae2
AE		 3277 if (remote_efs) {
3278 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3279 efs.stype != L2CAP_SERV_NOTRAFIC &&
3280 efs.stype != chan->local_stype) {
42dceae2
AE		 3281
3282 result = L2CAP_CONF_UNACCEPT;
3283
3284 if (chan->num_conf_req >= 1)
3285 return -ECONNREFUSED;
3286
3287 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3288 sizeof(efs),
3289 (unsigned long) &efs);
0e8b207e 3290 } else {
3e6b3b95 3291 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3292 result = L2CAP_CONF_PENDING;
3293 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3294 }
3295 }
3296
f2fcfcd6
GP		 3297 switch (rfc.mode) {
3298 case L2CAP_MODE_BASIC:
47d1ec61 3299 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3300 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3301 break;
3302
3303 case L2CAP_MODE_ERTM:
6327eb98
AE		 3304 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3305 chan->remote_tx_win = rfc.txwin_size;
3306 else
3307 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3308
2c03a7a4 3309 chan->remote_max_tx = rfc.max_transmit;
1c762159 3310
c8f79162 3311 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3312 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3313 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3314 rfc.max_pdu_size = cpu_to_le16(size);
3315 chan->remote_mps = size;
f2fcfcd6 3316
36c86c85 3317 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3318
c1360a1c 3319 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3320
3321 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3322 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3323
42dceae2
AE		 3324 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3325 chan->remote_id = efs.id;
3326 chan->remote_stype = efs.stype;
3327 chan->remote_msdu = le16_to_cpu(efs.msdu);
3328 chan->remote_flush_to =
2d792818 3329 le32_to_cpu(efs.flush_to);
42dceae2 3330 chan->remote_acc_lat =
2d792818 3331 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3332 chan->remote_sdu_itime =
3333 le32_to_cpu(efs.sdu_itime);
3334 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3335 sizeof(efs),
3336 (unsigned long) &efs);
42dceae2 3337 }
f2fcfcd6
GP		 3338 break;
3339
3340 case L2CAP_MODE_STREAMING:
c8f79162 3341 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3342 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3343 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3344 rfc.max_pdu_size = cpu_to_le16(size);
3345 chan->remote_mps = size;
f2fcfcd6 3346
c1360a1c 3347 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3348
2d792818
GP		 3349 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3350 (unsigned long) &rfc);
68ae6639 3351
f2fcfcd6
GP		 3352 break;
3353
3354 default:
5dee9e7c 3355 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3356
6464f35f 3357 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3358 rfc.mode = chan->mode;
f2fcfcd6 3359 }
6464f35f 3360
f2fcfcd6 3361 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3362 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3363 }
fe4128e0 3364 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3365 rsp->result = cpu_to_le16(result);
59e54bd1 3366 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3367
3368 return ptr - data;
1da177e4
LT		 3369}
3370
2d792818
GP		 3371static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3372 void *data, u16 *result)
f2fcfcd6 3373{
f2fcfcd6
GP		 3374 struct l2cap_conf_req *req = data;
3375 void *ptr = req->data;
3376 int type, olen;
3377 unsigned long val;
36e999a8 3378 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3379 struct l2cap_conf_efs efs;
f2fcfcd6 3380
fe4128e0 3381 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3382
3383 while (len >= L2CAP_CONF_OPT_SIZE) {
3384 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3385
3386 switch (type) {
3387 case L2CAP_CONF_MTU:
3388 if (val < L2CAP_DEFAULT_MIN_MTU) {
3389 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3390 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3391 } else
0c1bc5c6
GP		 3392 chan->imtu = val;
3393 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3394 break;
3395
3396 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3397 chan->flush_to = val;
f2fcfcd6 3398 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3399 2, chan->flush_to);
f2fcfcd6
GP		 3400 break;
3401
3402 case L2CAP_CONF_RFC:
3403 if (olen == sizeof(rfc))
3404 memcpy(&rfc, (void *)val, olen);
3405
c1360a1c 3406 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3407 rfc.mode != chan->mode)
f2fcfcd6
GP		 3408 return -ECONNREFUSED;
3409
47d1ec61 3410 chan->fcs = 0;
f2fcfcd6
GP		 3411
3412 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3413 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3414 break;
6327eb98
AE		 3415
3416 case L2CAP_CONF_EWS:
c20f8e35 3417 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3418 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3419 chan->tx_win);
6327eb98 3420 break;
66af7aaf
AE		 3421
3422 case L2CAP_CONF_EFS:
3423 if (olen == sizeof(efs))
3424 memcpy(&efs, (void *)val, olen);
3425
3426 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3427 efs.stype != L2CAP_SERV_NOTRAFIC &&
3428 efs.stype != chan->local_stype)
66af7aaf
AE		 3429 return -ECONNREFUSED;
3430
2d792818
GP		 3431 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3432 (unsigned long) &efs);
66af7aaf 3433 break;
cbabee78
AE		 3434
3435 case L2CAP_CONF_FCS:
3436 if (*result == L2CAP_CONF_PENDING)
3437 if (val == L2CAP_FCS_NONE)
f2592d3e 3438 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3439 &chan->conf_state);
3440 break;
f2fcfcd6
GP		 3441 }
3442 }
3443
0c1bc5c6 3444 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3445 return -ECONNREFUSED;
3446
0c1bc5c6 3447 chan->mode = rfc.mode;
6c2ea7a8 3448
0e8b207e 3449 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3450 switch (rfc.mode) {
3451 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3452 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3453 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3454 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3455 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3456 chan->ack_win = min_t(u16, chan->ack_win,
3457 rfc.txwin_size);
66af7aaf
AE		 3458
3459 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3460 chan->local_msdu = le16_to_cpu(efs.msdu);
3461 chan->local_sdu_itime =
2d792818 3462 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3463 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3464 chan->local_flush_to =
2d792818 3465 le32_to_cpu(efs.flush_to);
66af7aaf 3466 }
f2fcfcd6 3467 break;
66af7aaf 3468
f2fcfcd6 3469 case L2CAP_MODE_STREAMING:
47d1ec61 3470 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3471 }
3472 }
3473
fe4128e0 3474 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3475 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3476
3477 return ptr - data;
3478}
3479
2d792818
GP		 3480static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3481 u16 result, u16 flags)
1da177e4
LT		 3482{
3483 struct l2cap_conf_rsp *rsp = data;
3484 void *ptr = rsp->data;
1da177e4 3485
fe4128e0 3486 BT_DBG("chan %p", chan);
1da177e4 3487
fe4128e0 3488 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3489 rsp->result = cpu_to_le16(result);
aca3192c 3490 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3491
3492 return ptr - data;
3493}
3494
8c1d787b 3495void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3496{
3497 struct l2cap_conn_rsp rsp;
8c1d787b 3498 struct l2cap_conn *conn = chan->conn;
710f9b0a 3499 u8 buf[128];
439f34ac 3500 u8 rsp_code;
710f9b0a 3501
fe4128e0
GP		 3502 rsp.scid = cpu_to_le16(chan->dcid);
3503 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3504 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3505 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3506
3507 if (chan->hs_hcon)
3508 rsp_code = L2CAP_CREATE_CHAN_RSP;
3509 else
3510 rsp_code = L2CAP_CONN_RSP;
3511
3512 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3513
3514 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3515
c1360a1c 3516 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3517 return;
3518
710f9b0a 3519 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3520 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3521 chan->num_conf_req++;
3522}
3523
47d1ec61 3524static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3525{
7b1c0049
GP		 3526 int type, olen;
3527 unsigned long val;
c20f8e35
MM		 3528 /* Use sane default values in case a misbehaving remote device
3529 * did not send an RFC or extended window size option.
3530 */
3531 u16 txwin_ext = chan->ack_win;
3532 struct l2cap_conf_rfc rfc = {
3533 .mode = chan->mode,
3534 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3535 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3536 .max_pdu_size = cpu_to_le16(chan->imtu),
3537 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3538 };
7b1c0049 3539
47d1ec61 3540 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3541
0c1bc5c6 3542 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3543 return;
3544
3545 while (len >= L2CAP_CONF_OPT_SIZE) {
3546 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3547
c20f8e35
MM		 3548 switch (type) {
3549 case L2CAP_CONF_RFC:
3550 if (olen == sizeof(rfc))
3551 memcpy(&rfc, (void *)val, olen);
8f321f85 3552 break;
c20f8e35
MM		 3553 case L2CAP_CONF_EWS:
3554 txwin_ext = val;
3555 break;
3556 }
7b1c0049
GP		 3557 }
3558
7b1c0049
GP		 3559 switch (rfc.mode) {
3560 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3561 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3562 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3563 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3564 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3565 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3566 else
3567 chan->ack_win = min_t(u16, chan->ack_win,
3568 rfc.txwin_size);
7b1c0049
GP		 3569 break;
3570 case L2CAP_MODE_STREAMING:
47d1ec61 3571 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3572 }
3573}
3574
2d792818
GP		 3575static inline int l2cap_command_rej(struct l2cap_conn *conn,
3576 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3577{
e2fd318e 3578 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3579
e2fd318e 3580 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3581 return 0;
3582
3583 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3584 cmd->ident == conn->info_ident) {
17cd3f37 3585 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3586
3587 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3588 conn->info_ident = 0;
984947dc 3589
4e8402a3
MH		 3590 l2cap_conn_start(conn);
3591 }
3592
3593 return 0;
3594}
3595
1700915f
MM		 3596static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3597 struct l2cap_cmd_hdr *cmd,
3598 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3599{
1da177e4
LT		 3600 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3601 struct l2cap_conn_rsp rsp;
23691d75 3602 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3603 struct sock *parent, *sk = NULL;
e7c29cb1 3604 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3605
3606 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3607 __le16 psm = req->psm;
1da177e4 3608
097db76c 3609 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3610
3611 /* Check if we have socket listening on psm */
c2287681 3612 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3613 if (!pchan) {
1da177e4
LT		 3614 result = L2CAP_CR_BAD_PSM;
3615 goto sendresp;
3616 }
3617
23691d75
GP		 3618 parent = pchan->sk;
3619
3df91ea2 3620 mutex_lock(&conn->chan_lock);
aa2ac881 3621 lock_sock(parent);
e0f0cb56 3622
e7c29cb1 3623 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3624 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3625 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3626 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3627 result = L2CAP_CR_SEC_BLOCK;
3628 goto response;
3629 }
3630
1da177e4
LT		 3631 result = L2CAP_CR_NO_MEM;
3632
2dfa1003
GP		 3633 /* Check if we already have channel with that dcid */
3634 if (__l2cap_get_chan_by_dcid(conn, scid))
3635 goto response;
3636
80b98027 3637 chan = pchan->ops->new_connection(pchan);
80808e43 3638 if (!chan)
1da177e4
LT		 3639 goto response;
3640
80808e43
GP		 3641 sk = chan->sk;
3642
1da177e4
LT		 3643 hci_conn_hold(conn->hcon);
3644
1da177e4
LT		 3645 bacpy(&bt_sk(sk)->src, conn->src);
3646 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3647 chan->psm = psm;
3648 chan->dcid = scid;
1700915f 3649 chan->local_amp_id = amp_id;
1da177e4 3650
6be36555 3651 __l2cap_chan_add(conn, chan);
48454079 3652
fe4128e0 3653 dcid = chan->scid;
1da177e4 3654
c9b66675 3655 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3656
fc7f8a7e 3657 chan->ident = cmd->ident;
1da177e4 3658
984947dc 3659 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3660 if (l2cap_chan_check_security(chan)) {
c5daa683 3661 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3662 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3663 result = L2CAP_CR_PEND;
3664 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3665 chan->ops->defer(chan);
f66dc81f 3666 } else {
1700915f
MM		 3667 /* Force pending result for AMP controllers.
3668 * The connection will succeed after the
3669 * physical link is up.
3670 */
3671 if (amp_id) {
3672 __l2cap_state_change(chan, BT_CONNECT2);
3673 result = L2CAP_CR_PEND;
3674 } else {
3675 __l2cap_state_change(chan, BT_CONFIG);
3676 result = L2CAP_CR_SUCCESS;
3677 }
f66dc81f
MH		 3678 status = L2CAP_CS_NO_INFO;
3679 }
79d554a6 3680 } else {
0e587be7 3681 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3682 result = L2CAP_CR_PEND;
3683 status = L2CAP_CS_AUTHEN_PEND;
3684 }
3685 } else {
0e587be7 3686 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3687 result = L2CAP_CR_PEND;
3688 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3689 }
3690
1da177e4 3691response:
aa2ac881 3692 release_sock(parent);
3df91ea2 3693 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3694
3695sendresp:
aca3192c
YH		 3696 rsp.scid = cpu_to_le16(scid);
3697 rsp.dcid = cpu_to_le16(dcid);
3698 rsp.result = cpu_to_le16(result);
3699 rsp.status = cpu_to_le16(status);
4c89b6aa 3700 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3701
3702 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3703 struct l2cap_info_req info;
ac73498c 3704 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3705
3706 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3707 conn->info_ident = l2cap_get_ident(conn);
3708
ba13ccd9 3709 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3710
2d792818
GP		 3711 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3712 sizeof(info), &info);
79d554a6
MH		 3713 }
3714
c1360a1c 3715 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3716 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3717 u8 buf[128];
c1360a1c 3718 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3719 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3720 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3721 chan->num_conf_req++;
e9aeb2dd 3722 }
1700915f
MM		 3723
3724 return chan;
4c89b6aa 3725}
e9aeb2dd 3726
4c89b6aa
MM		 3727static int l2cap_connect_req(struct l2cap_conn *conn,
3728 struct l2cap_cmd_hdr *cmd, u8 *data)
3729{
7b064eda
JK		 3730 struct hci_dev *hdev = conn->hcon->hdev;
3731 struct hci_conn *hcon = conn->hcon;
3732
3733 hci_dev_lock(hdev);
3734 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3735 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3736 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3737 hcon->dst_type, 0, NULL, 0,
3738 hcon->dev_class);
3739 hci_dev_unlock(hdev);
3740
300229f9 3741 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3742 return 0;
3743}
3744
5909cf30 3745static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3746 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3747{
3748 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3749 u16 scid, dcid, result, status;
48454079 3750 struct l2cap_chan *chan;
1da177e4 3751 u8 req[128];
3df91ea2 3752 int err;
1da177e4
LT		 3753
3754 scid = __le16_to_cpu(rsp->scid);
3755 dcid = __le16_to_cpu(rsp->dcid);
3756 result = __le16_to_cpu(rsp->result);
3757 status = __le16_to_cpu(rsp->status);
3758
1b009c98 3759 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3760 dcid, scid, result, status);
1da177e4 3761
3df91ea2
AE		 3762 mutex_lock(&conn->chan_lock);
3763
1da177e4 3764 if (scid) {
3df91ea2
AE		 3765 chan = __l2cap_get_chan_by_scid(conn, scid);
3766 if (!chan) {
3767 err = -EFAULT;
3768 goto unlock;
3769 }
1da177e4 3770 } else {
3df91ea2
AE		 3771 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3772 if (!chan) {
3773 err = -EFAULT;
3774 goto unlock;
3775 }
1da177e4
LT		 3776 }
3777
3df91ea2
AE		 3778 err = 0;
3779
6be36555 3780 l2cap_chan_lock(chan);
48454079 3781
1da177e4
LT		 3782 switch (result) {
3783 case L2CAP_CR_SUCCESS:
89bc500e 3784 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3785 chan->ident = 0;
fe4128e0 3786 chan->dcid = dcid;
c1360a1c 3787 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3788
c1360a1c 3789 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3790 break;
3791
1da177e4 3792 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3793 l2cap_build_conf_req(chan, req), req);
73ffa904 3794 chan->num_conf_req++;
1da177e4
LT		 3795 break;
3796
3797 case L2CAP_CR_PEND:
c1360a1c 3798 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3799 break;
3800
3801 default:
48454079 3802 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3803 break;
3804 }
3805
6be36555 3806 l2cap_chan_unlock(chan);
3df91ea2
AE		 3807
3808unlock:
3809 mutex_unlock(&conn->chan_lock);
3810
3811 return err;
1da177e4
LT		 3812}
3813
47d1ec61 3814static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3815{
3816 /* FCS is enabled only in ERTM or streaming mode, if one or both
3817 * sides request it.
3818 */
0c1bc5c6 3819 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3820 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3821 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3822 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3823}
3824
29d8a590
AE		 3825static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3826 u8 ident, u16 flags)
3827{
3828 struct l2cap_conn *conn = chan->conn;
3829
3830 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3831 flags);
3832
3833 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3834 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3835
3836 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3837 l2cap_build_conf_rsp(chan, data,
3838 L2CAP_CONF_SUCCESS, flags), data);
3839}
3840
2d792818
GP		 3841static inline int l2cap_config_req(struct l2cap_conn *conn,
3842 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3843 u8 *data)
1da177e4
LT		 3844{
3845 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3846 u16 dcid, flags;
3847 u8 rsp[64];
48454079 3848 struct l2cap_chan *chan;
3c588192 3849 int len, err = 0;
1da177e4
LT		 3850
3851 dcid = __le16_to_cpu(req->dcid);
3852 flags = __le16_to_cpu(req->flags);
3853
3854 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3855
baa7e1fa 3856 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3857 if (!chan)
1da177e4
LT		 3858 return -ENOENT;
3859
033b1142 3860 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3861 struct l2cap_cmd_rej_cid rej;
3862
ac73498c 3863 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3864 rej.scid = cpu_to_le16(chan->scid);
3865 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3866
df6bd743 3867 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3868 sizeof(rej), &rej);
354f60a9 3869 goto unlock;
df6bd743 3870 }
354f60a9 3871
5dee9e7c 3872 /* Reject if config buffer is too small. */
88219a0f 3873 len = cmd_len - sizeof(*req);
7ac28817 3874 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3875 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3876 l2cap_build_conf_rsp(chan, rsp,
3877 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3878 goto unlock;
3879 }
3880
3881 /* Store config. */
73ffa904
GP		 3882 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3883 chan->conf_len += len;
1da177e4 3884
59e54bd1 3885 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3886 /* Incomplete config. Send empty response. */
3887 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3888 l2cap_build_conf_rsp(chan, rsp,
3889 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3890 goto unlock;
3891 }
3892
3893 /* Complete config. */
73ffa904 3894 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3895 if (len < 0) {
5e4e3972 3896 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 3897 goto unlock;
f2fcfcd6 3898 }
1da177e4 3899
1500109b 3900 chan->ident = cmd->ident;
5dee9e7c 3901 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3902 chan->num_conf_rsp++;
5dee9e7c 3903
5dee9e7c 3904 /* Reset config buffer. */
73ffa904 3905 chan->conf_len = 0;
5dee9e7c 3906
c1360a1c 3907 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3908 goto unlock;
3909
c1360a1c 3910 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3911 set_default_fcs(chan);
fcc203c3 3912
105bdf9e
MM		 3913 if (chan->mode == L2CAP_MODE_ERTM ||
3914 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3915 err = l2cap_ertm_init(chan);
3916
3917 if (err < 0)
5e4e3972 3918 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 3919 else
3920 l2cap_chan_ready(chan);
0565c1c2 3921
876d9484
MH		 3922 goto unlock;
3923 }
3924
c1360a1c 3925 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3926 u8 buf[64];
1da177e4 3927 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3928 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3929 chan->num_conf_req++;
1da177e4
LT		 3930 }
3931
0e8b207e
AE		 3932 /* Got Conf Rsp PENDING from remote side and asume we sent
3933 Conf Rsp PENDING in the code above */
3934 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3935 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3936
3937 /* check compatibility */
3938
79de886d 3939 /* Send rsp for BR/EDR channel */
f351bc72 3940 if (!chan->hs_hcon)
79de886d
AE		 3941 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3942 else
3943 chan->ident = cmd->ident;
0e8b207e
AE		 3944 }
3945
1da177e4 3946unlock:
6be36555 3947 l2cap_chan_unlock(chan);
3c588192 3948 return err;
1da177e4
LT		 3949}
3950
2d792818
GP		 3951static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3952 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3953{
3954 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3955 u16 scid, flags, result;
48454079 3956 struct l2cap_chan *chan;
61386cba 3957 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3958 int err = 0;
1da177e4
LT		 3959
3960 scid = __le16_to_cpu(rsp->scid);
3961 flags = __le16_to_cpu(rsp->flags);
3962 result = __le16_to_cpu(rsp->result);
3963
61386cba
AE		 3964 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3965 result, len);
1da177e4 3966
baa7e1fa 3967 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3968 if (!chan)
1da177e4
LT		 3969 return 0;
3970
3971 switch (result) {
3972 case L2CAP_CONF_SUCCESS:
47d1ec61 3973 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3974 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3975 break;
3976
0e8b207e
AE		 3977 case L2CAP_CONF_PENDING:
3978 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3979
3980 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3981 char buf[64];
3982
3983 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3984 buf, &result);
0e8b207e 3985 if (len < 0) {
5e4e3972 3986 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 3987 goto done;
3988 }
3989
f351bc72 3990 if (!chan->hs_hcon) {
79de886d
AE		 3991 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3992 0);
5ce66b59
AE		 3993 } else {
3994 if (l2cap_check_efs(chan)) {
3995 amp_create_logical_link(chan);
3996 chan->ident = cmd->ident;
3997 }
3998 }
0e8b207e
AE		 3999 }
4000 goto done;
4001
1da177e4 4002 case L2CAP_CONF_UNACCEPT:
73ffa904 4003 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4004 char req[64];
4005
c2c77ec8 4006 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4007 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4008 goto done;
4009 }
4010
f2fcfcd6
GP		 4011 /* throw out any old stored conf requests */
4012 result = L2CAP_CONF_SUCCESS;
b4450035 4013 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4014 req, &result);
f2fcfcd6 4015 if (len < 0) {
5e4e3972 4016 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4017 goto done;
4018 }
4019
4020 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4021 L2CAP_CONF_REQ, len, req);
73ffa904 4022 chan->num_conf_req++;
f2fcfcd6
GP		 4023 if (result != L2CAP_CONF_SUCCESS)
4024 goto done;
4025 break;
1da177e4
LT		 4026 }
4027
8e87d142 4028 default:
6be36555 4029 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4030
ba13ccd9 4031 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4032 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4033 goto done;
4034 }
4035
59e54bd1 4036 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4037 goto done;
4038
c1360a1c 4039 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4040
c1360a1c 4041 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4042 set_default_fcs(chan);
fcc203c3 4043
105bdf9e
MM		 4044 if (chan->mode == L2CAP_MODE_ERTM ||
4045 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4046 err = l2cap_ertm_init(chan);
0565c1c2 4047
3c588192 4048 if (err < 0)
5e4e3972 4049 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4050 else
4051 l2cap_chan_ready(chan);
1da177e4
LT		 4052 }
4053
4054done:
6be36555 4055 l2cap_chan_unlock(chan);
3c588192 4056 return err;
1da177e4
LT		 4057}
4058
2d792818
GP		 4059static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4060 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4061{
4062 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4063 struct l2cap_disconn_rsp rsp;
4064 u16 dcid, scid;
48454079 4065 struct l2cap_chan *chan;
1da177e4
LT		 4066 struct sock *sk;
4067
4068 scid = __le16_to_cpu(req->scid);
4069 dcid = __le16_to_cpu(req->dcid);
4070
4071 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4072
3df91ea2
AE		 4073 mutex_lock(&conn->chan_lock);
4074
4075 chan = __l2cap_get_chan_by_scid(conn, dcid);
4076 if (!chan) {
4077 mutex_unlock(&conn->chan_lock);
1da177e4 4078 return 0;
3df91ea2 4079 }
1da177e4 4080
6be36555
AE		 4081 l2cap_chan_lock(chan);
4082
48454079
GP		 4083 sk = chan->sk;
4084
fe4128e0
GP		 4085 rsp.dcid = cpu_to_le16(chan->scid);
4086 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4087 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4088
6be36555 4089 lock_sock(sk);
1da177e4 4090 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4091 release_sock(sk);
1da177e4 4092
61d6ef3e 4093 l2cap_chan_hold(chan);
48454079 4094 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4095
4096 l2cap_chan_unlock(chan);
1da177e4 4097
80b98027 4098 chan->ops->close(chan);
61d6ef3e 4099 l2cap_chan_put(chan);
3df91ea2
AE		 4100
4101 mutex_unlock(&conn->chan_lock);
4102
1da177e4
LT		 4103 return 0;
4104}
4105
2d792818
GP		 4106static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4107 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4108{
4109 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4110 u16 dcid, scid;
48454079 4111 struct l2cap_chan *chan;
1da177e4
LT		 4112
4113 scid = __le16_to_cpu(rsp->scid);
4114 dcid = __le16_to_cpu(rsp->dcid);
4115
4116 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4117
3df91ea2
AE		 4118 mutex_lock(&conn->chan_lock);
4119
4120 chan = __l2cap_get_chan_by_scid(conn, scid);
4121 if (!chan) {
4122 mutex_unlock(&conn->chan_lock);
1da177e4 4123 return 0;
3df91ea2 4124 }
1da177e4 4125
6be36555 4126 l2cap_chan_lock(chan);
48454079 4127
61d6ef3e 4128 l2cap_chan_hold(chan);
48454079 4129 l2cap_chan_del(chan, 0);
6be36555
AE		 4130
4131 l2cap_chan_unlock(chan);
1da177e4 4132
80b98027 4133 chan->ops->close(chan);
61d6ef3e 4134 l2cap_chan_put(chan);
3df91ea2
AE		 4135
4136 mutex_unlock(&conn->chan_lock);
4137
1da177e4
LT		 4138 return 0;
4139}
4140
2d792818
GP		 4141static inline int l2cap_information_req(struct l2cap_conn *conn,
4142 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4143{
4144 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4145 u16 type;
4146
4147 type = __le16_to_cpu(req->type);
4148
4149 BT_DBG("type 0x%4.4x", type);
4150
f0709e03
MH		 4151 if (type == L2CAP_IT_FEAT_MASK) {
4152 u8 buf[8];
44dd46de 4153 u32 feat_mask = l2cap_feat_mask;
f0709e03 4154 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4155 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4156 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4157 if (!disable_ertm)
fcc203c3 4158 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4159 | L2CAP_FEAT_FCS;
a5fd6f30 4160 if (enable_hs)
6327eb98 4161 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4162 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4163
1b7bf4ed 4164 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4165 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4166 buf);
e1027a7c
MH		 4167 } else if (type == L2CAP_IT_FIXED_CHAN) {
4168 u8 buf[12];
4169 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4170
4171 if (enable_hs)
4172 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4173 else
4174 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4175
ac73498c
AE		 4176 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4177 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4178 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4179 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4180 buf);
f0709e03
MH		 4181 } else {
4182 struct l2cap_info_rsp rsp;
4183 rsp.type = cpu_to_le16(type);
ac73498c 4184 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4185 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4186 &rsp);
f0709e03 4187 }
1da177e4
LT		 4188
4189 return 0;
4190}
4191
2d792818
GP		 4192static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4193 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4194{
4195 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4196 u16 type, result;
4197
4198 type = __le16_to_cpu(rsp->type);
4199 result = __le16_to_cpu(rsp->result);
4200
4201 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4202
e90165be
AE		 4203 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4204 if (cmd->ident != conn->info_ident ||
2d792818 4205 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4206 return 0;
4207
17cd3f37 4208 cancel_delayed_work(&conn->info_timer);
4e8402a3 4209
adb08ede
VT		 4210 if (result != L2CAP_IR_SUCCESS) {
4211 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4212 conn->info_ident = 0;
4213
4214 l2cap_conn_start(conn);
4215
4216 return 0;
4217 }
4218
978c93b9
AE		 4219 switch (type) {
4220 case L2CAP_IT_FEAT_MASK:
83985319 4221 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4222
47ec1dcd 4223 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4224 struct l2cap_info_req req;
ac73498c 4225 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4226
4227 conn->info_ident = l2cap_get_ident(conn);
4228
4229 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4230 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4231 } else {
4232 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4233 conn->info_ident = 0;
4234
4235 l2cap_conn_start(conn);
4236 }
978c93b9
AE		 4237 break;
4238
4239 case L2CAP_IT_FIXED_CHAN:
4240 conn->fixed_chan_mask = rsp->data[0];
984947dc 4241 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4242 conn->info_ident = 0;
984947dc
MH		 4243
4244 l2cap_conn_start(conn);
978c93b9 4245 break;
984947dc 4246 }
4e8402a3 4247
1da177e4
LT		 4248 return 0;
4249}
4250
1700915f
MM		 4251static int l2cap_create_channel_req(struct l2cap_conn *conn,
4252 struct l2cap_cmd_hdr *cmd,
4253 u16 cmd_len, void *data)
f94ff6ff
MM		 4254{
4255 struct l2cap_create_chan_req *req = data;
6e1df6a6 4256 struct l2cap_create_chan_rsp rsp;
1700915f 4257 struct l2cap_chan *chan;
6e1df6a6 4258 struct hci_dev *hdev;
f94ff6ff
MM		 4259 u16 psm, scid;
4260
4261 if (cmd_len != sizeof(*req))
4262 return -EPROTO;
4263
4264 if (!enable_hs)
4265 return -EINVAL;
4266
4267 psm = le16_to_cpu(req->psm);
4268 scid = le16_to_cpu(req->scid);
4269
ad0ac6ca 4270 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4271
6e1df6a6
AE		 4272 /* For controller id 0 make BR/EDR connection */
4273 if (req->amp_id == HCI_BREDR_ID) {
4274 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4275 req->amp_id);
4276 return 0;
4277 }
1700915f 4278
6e1df6a6
AE		 4279 /* Validate AMP controller id */
4280 hdev = hci_dev_get(req->amp_id);
4281 if (!hdev)
4282 goto error;
1700915f 4283
6e1df6a6
AE		 4284 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4285 hci_dev_put(hdev);
4286 goto error;
4287 }
1700915f 4288
6e1df6a6
AE		 4289 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4290 req->amp_id);
4291 if (chan) {
4292 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4293 struct hci_conn *hs_hcon;
1700915f 4294
6e1df6a6
AE		 4295 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4296 if (!hs_hcon) {
4297 hci_dev_put(hdev);
4298 return -EFAULT;
1700915f
MM		 4299 }
4300
6e1df6a6
AE		 4301 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4302
6e1df6a6
AE		 4303 mgr->bredr_chan = chan;
4304 chan->hs_hcon = hs_hcon;
fd45bf4c 4305 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4306 conn->mtu = hdev->block_mtu;
1700915f 4307 }
f94ff6ff 4308
6e1df6a6 4309 hci_dev_put(hdev);
f94ff6ff
MM		 4310
4311 return 0;
6e1df6a6
AE		 4312
4313error:
4314 rsp.dcid = 0;
4315 rsp.scid = cpu_to_le16(scid);
4316 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4317 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4318
4319 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4320 sizeof(rsp), &rsp);
4321
4322 return -EFAULT;
f94ff6ff
MM		 4323}
4324
8eb200bd
MM		 4325static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4326{
4327 struct l2cap_move_chan_req req;
4328 u8 ident;
4329
4330 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4331
4332 ident = l2cap_get_ident(chan->conn);
4333 chan->ident = ident;
4334
4335 req.icid = cpu_to_le16(chan->scid);
4336 req.dest_amp_id = dest_amp_id;
4337
4338 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4339 &req);
4340
4341 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4342}
4343
1500109b 4344static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4345{
4346 struct l2cap_move_chan_rsp rsp;
4347
1500109b 4348 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4349
1500109b 4350 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4351 rsp.result = cpu_to_le16(result);
4352
1500109b
MM		 4353 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4354 sizeof(rsp), &rsp);
8d5a04a1
MM		 4355}
4356
5b155ef9 4357static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4358{
4359 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4360
5b155ef9 4361 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4362
5b155ef9 4363 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4364
5b155ef9 4365 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4366 cfm.result = cpu_to_le16(result);
4367
5b155ef9
MM		 4368 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4369 sizeof(cfm), &cfm);
4370
4371 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4372}
4373
4374static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4375{
4376 struct l2cap_move_chan_cfm cfm;
4377
4378 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4379
4380 cfm.icid = cpu_to_le16(icid);
4381 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4382
4383 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4384 sizeof(cfm), &cfm);
8d5a04a1
MM		 4385}
4386
4387static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4388 u16 icid)
8d5a04a1
MM		 4389{
4390 struct l2cap_move_chan_cfm_rsp rsp;
4391
ad0ac6ca 4392 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4393
4394 rsp.icid = cpu_to_le16(icid);
4395 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4396}
4397
5f3847a4
MM		 4398static void __release_logical_link(struct l2cap_chan *chan)
4399{
4400 chan->hs_hchan = NULL;
4401 chan->hs_hcon = NULL;
4402
4403 /* Placeholder - release the logical link */
4404}
4405
1500109b
MM		 4406static void l2cap_logical_fail(struct l2cap_chan *chan)
4407{
4408 /* Logical link setup failed */
4409 if (chan->state != BT_CONNECTED) {
4410 /* Create channel failure, disconnect */
5e4e3972 4411 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4412 return;
4413 }
4414
4415 switch (chan->move_role) {
4416 case L2CAP_MOVE_ROLE_RESPONDER:
4417 l2cap_move_done(chan);
4418 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4419 break;
4420 case L2CAP_MOVE_ROLE_INITIATOR:
4421 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4422 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4423 /* Remote has only sent pending or
4424 * success responses, clean up
4425 */
4426 l2cap_move_done(chan);
4427 }
4428
4429 /* Other amp move states imply that the move
4430 * has already aborted
4431 */
4432 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4433 break;
4434 }
4435}
4436
4437static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4438 struct hci_chan *hchan)
4439{
4440 struct l2cap_conf_rsp rsp;
1500109b 4441
336178a3 4442 chan->hs_hchan = hchan;
1500109b
MM		 4443 chan->hs_hcon->l2cap_data = chan->conn;
4444
35ba9561 4445 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4446
4447 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4448 int err;
1500109b
MM		 4449
4450 set_default_fcs(chan);
4451
4452 err = l2cap_ertm_init(chan);
4453 if (err < 0)
5e4e3972 4454 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4455 else
4456 l2cap_chan_ready(chan);
4457 }
4458}
4459
4460static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4461 struct hci_chan *hchan)
4462{
4463 chan->hs_hcon = hchan->conn;
4464 chan->hs_hcon->l2cap_data = chan->conn;
4465
4466 BT_DBG("move_state %d", chan->move_state);
4467
4468 switch (chan->move_state) {
4469 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4470 /* Move confirm will be sent after a success
4471 * response is received
4472 */
4473 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4474 break;
4475 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4476 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4477 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4478 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4479 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4480 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4481 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4482 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4483 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4484 }
4485 break;
4486 default:
4487 /* Move was not in expected state, free the channel */
4488 __release_logical_link(chan);
4489
4490 chan->move_state = L2CAP_MOVE_STABLE;
4491 }
4492}
4493
4494/* Call with chan locked */
27695fb4
AE		 4495void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4496 u8 status)
5b155ef9 4497{
1500109b
MM		 4498 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4499
4500 if (status) {
4501 l2cap_logical_fail(chan);
4502 __release_logical_link(chan);
4503 return;
4504 }
4505
4506 if (chan->state != BT_CONNECTED) {
4507 /* Ignore logical link if channel is on BR/EDR */
4508 if (chan->local_amp_id)
4509 l2cap_logical_finish_create(chan, hchan);
4510 } else {
4511 l2cap_logical_finish_move(chan, hchan);
4512 }
5b155ef9
MM		 4513}
4514
3f7a56c4
MM		 4515void l2cap_move_start(struct l2cap_chan *chan)
4516{
4517 BT_DBG("chan %p", chan);
4518
4519 if (chan->local_amp_id == HCI_BREDR_ID) {
4520 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4521 return;
4522 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4523 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4524 /* Placeholder - start physical link setup */
4525 } else {
4526 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4527 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4528 chan->move_id = 0;
4529 l2cap_move_setup(chan);
4530 l2cap_send_move_chan_req(chan, 0);
4531 }
4532}
4533
8eb200bd
MM		 4534static void l2cap_do_create(struct l2cap_chan *chan, int result,
4535 u8 local_amp_id, u8 remote_amp_id)
4536{
62748ca1
AE		 4537 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4538 local_amp_id, remote_amp_id);
4539
12d6cc60
AE		 4540 chan->fcs = L2CAP_FCS_NONE;
4541
62748ca1
AE		 4542 /* Outgoing channel on AMP */
4543 if (chan->state == BT_CONNECT) {
4544 if (result == L2CAP_CR_SUCCESS) {
4545 chan->local_amp_id = local_amp_id;
4546 l2cap_send_create_chan_req(chan, remote_amp_id);
4547 } else {
4548 /* Revert to BR/EDR connect */
4549 l2cap_send_conn_req(chan);
4550 }
4551
4552 return;
4553 }
4554
4555 /* Incoming channel on AMP */
4556 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4557 struct l2cap_conn_rsp rsp;
4558 char buf[128];
4559 rsp.scid = cpu_to_le16(chan->dcid);
4560 rsp.dcid = cpu_to_le16(chan->scid);
4561
8eb200bd
MM		 4562 if (result == L2CAP_CR_SUCCESS) {
4563 /* Send successful response */
62cd50e2
AE		 4564 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4565 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4566 } else {
4567 /* Send negative response */
62cd50e2
AE		 4568 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4569 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4570 }
4571
4572 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4573 sizeof(rsp), &rsp);
4574
4575 if (result == L2CAP_CR_SUCCESS) {
4576 __l2cap_state_change(chan, BT_CONFIG);
4577 set_bit(CONF_REQ_SENT, &chan->conf_state);
4578 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4579 L2CAP_CONF_REQ,
4580 l2cap_build_conf_req(chan, buf), buf);
4581 chan->num_conf_req++;
4582 }
8eb200bd
MM		 4583 }
4584}
4585
4586static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4587 u8 remote_amp_id)
4588{
4589 l2cap_move_setup(chan);
4590 chan->move_id = local_amp_id;
4591 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4592
4593 l2cap_send_move_chan_req(chan, remote_amp_id);
4594}
4595
4596static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4597{
4598 struct hci_chan *hchan = NULL;
4599
4600 /* Placeholder - get hci_chan for logical link */
4601
4602 if (hchan) {
4603 if (hchan->state == BT_CONNECTED) {
4604 /* Logical link is ready to go */
4605 chan->hs_hcon = hchan->conn;
4606 chan->hs_hcon->l2cap_data = chan->conn;
4607 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4608 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4609
4610 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4611 } else {
4612 /* Wait for logical link to be ready */
4613 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4614 }
4615 } else {
4616 /* Logical link not available */
4617 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4618 }
4619}
4620
4621static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4622{
4623 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4624 u8 rsp_result;
4625 if (result == -EINVAL)
4626 rsp_result = L2CAP_MR_BAD_ID;
4627 else
4628 rsp_result = L2CAP_MR_NOT_ALLOWED;
4629
4630 l2cap_send_move_chan_rsp(chan, rsp_result);
4631 }
4632
4633 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4634 chan->move_state = L2CAP_MOVE_STABLE;
4635
4636 /* Restart data transmission */
4637 l2cap_ertm_send(chan);
4638}
4639
a514b17f
AE		 4640/* Invoke with locked chan */
4641void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4642{
770bfefa 4643 u8 local_amp_id = chan->local_amp_id;
fffadc08 4644 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4645
8eb200bd
MM		 4646 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4647 chan, result, local_amp_id, remote_amp_id);
4648
8eb200bd
MM		 4649 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4650 l2cap_chan_unlock(chan);
4651 return;
4652 }
4653
4654 if (chan->state != BT_CONNECTED) {
4655 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4656 } else if (result != L2CAP_MR_SUCCESS) {
4657 l2cap_do_move_cancel(chan, result);
4658 } else {
4659 switch (chan->move_role) {
4660 case L2CAP_MOVE_ROLE_INITIATOR:
4661 l2cap_do_move_initiate(chan, local_amp_id,
4662 remote_amp_id);
4663 break;
4664 case L2CAP_MOVE_ROLE_RESPONDER:
4665 l2cap_do_move_respond(chan, result);
4666 break;
4667 default:
4668 l2cap_do_move_cancel(chan, result);
4669 break;
4670 }
4671 }
8eb200bd
MM		 4672}
4673
8d5a04a1 4674static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4675 struct l2cap_cmd_hdr *cmd,
4676 u16 cmd_len, void *data)
8d5a04a1
MM		 4677{
4678 struct l2cap_move_chan_req *req = data;
1500109b 4679 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4680 struct l2cap_chan *chan;
8d5a04a1
MM		 4681 u16 icid = 0;
4682 u16 result = L2CAP_MR_NOT_ALLOWED;
4683
4684 if (cmd_len != sizeof(*req))
4685 return -EPROTO;
4686
4687 icid = le16_to_cpu(req->icid);
4688
ad0ac6ca 4689 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4690
4691 if (!enable_hs)
4692 return -EINVAL;
4693
02b0fbb9
MM		 4694 chan = l2cap_get_chan_by_dcid(conn, icid);
4695 if (!chan) {
1500109b
MM		 4696 rsp.icid = cpu_to_le16(icid);
4697 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4698 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4699 sizeof(rsp), &rsp);
02b0fbb9
MM		 4700 return 0;
4701 }
4702
1500109b
MM		 4703 chan->ident = cmd->ident;
4704
02b0fbb9
MM		 4705 if (chan->scid < L2CAP_CID_DYN_START ||
4706 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4707 (chan->mode != L2CAP_MODE_ERTM &&
4708 chan->mode != L2CAP_MODE_STREAMING)) {
4709 result = L2CAP_MR_NOT_ALLOWED;
4710 goto send_move_response;
4711 }
4712
4713 if (chan->local_amp_id == req->dest_amp_id) {
4714 result = L2CAP_MR_SAME_ID;
4715 goto send_move_response;
4716 }
4717
4718 if (req->dest_amp_id) {
4719 struct hci_dev *hdev;
4720 hdev = hci_dev_get(req->dest_amp_id);
4721 if (!hdev || hdev->dev_type != HCI_AMP ||
4722 !test_bit(HCI_UP, &hdev->flags)) {
4723 if (hdev)
4724 hci_dev_put(hdev);
4725
4726 result = L2CAP_MR_BAD_ID;
4727 goto send_move_response;
4728 }
4729 hci_dev_put(hdev);
4730 }
4731
4732 /* Detect a move collision. Only send a collision response
4733 * if this side has "lost", otherwise proceed with the move.
4734 * The winner has the larger bd_addr.
4735 */
4736 if ((__chan_is_moving(chan) ||
4737 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4738 bacmp(conn->src, conn->dst) > 0) {
4739 result = L2CAP_MR_COLLISION;
4740 goto send_move_response;
4741 }
4742
02b0fbb9
MM		 4743 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4744 l2cap_move_setup(chan);
4745 chan->move_id = req->dest_amp_id;
4746 icid = chan->dcid;
4747
4748 if (!req->dest_amp_id) {
4749 /* Moving to BR/EDR */
4750 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4751 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4752 result = L2CAP_MR_PEND;
4753 } else {
4754 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4755 result = L2CAP_MR_SUCCESS;
4756 }
4757 } else {
4758 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4759 /* Placeholder - uncomment when amp functions are available */
4760 /*amp_accept_physical(chan, req->dest_amp_id);*/
4761 result = L2CAP_MR_PEND;
4762 }
4763
4764send_move_response:
1500109b 4765 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4766
02b0fbb9
MM		 4767 l2cap_chan_unlock(chan);
4768
8d5a04a1
MM		 4769 return 0;
4770}
4771
5b155ef9
MM		 4772static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4773{
4774 struct l2cap_chan *chan;
4775 struct hci_chan *hchan = NULL;
4776
4777 chan = l2cap_get_chan_by_scid(conn, icid);
4778 if (!chan) {
4779 l2cap_send_move_chan_cfm_icid(conn, icid);
4780 return;
4781 }
4782
4783 __clear_chan_timer(chan);
4784 if (result == L2CAP_MR_PEND)
4785 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4786
4787 switch (chan->move_state) {
4788 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4789 /* Move confirm will be sent when logical link
4790 * is complete.
4791 */
4792 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4793 break;
4794 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4795 if (result == L2CAP_MR_PEND) {
4796 break;
4797 } else if (test_bit(CONN_LOCAL_BUSY,
4798 &chan->conn_state)) {
4799 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4800 } else {
4801 /* Logical link is up or moving to BR/EDR,
4802 * proceed with move
4803 */
4804 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4805 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4806 }
4807 break;
4808 case L2CAP_MOVE_WAIT_RSP:
4809 /* Moving to AMP */
4810 if (result == L2CAP_MR_SUCCESS) {
4811 /* Remote is ready, send confirm immediately
4812 * after logical link is ready
4813 */
4814 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4815 } else {
4816 /* Both logical link and move success
4817 * are required to confirm
4818 */
4819 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4820 }
4821
4822 /* Placeholder - get hci_chan for logical link */
4823 if (!hchan) {
4824 /* Logical link not available */
4825 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4826 break;
4827 }
4828
4829 /* If the logical link is not yet connected, do not
4830 * send confirmation.
4831 */
4832 if (hchan->state != BT_CONNECTED)
4833 break;
4834
4835 /* Logical link is already ready to go */
4836
4837 chan->hs_hcon = hchan->conn;
4838 chan->hs_hcon->l2cap_data = chan->conn;
4839
4840 if (result == L2CAP_MR_SUCCESS) {
4841 /* Can confirm now */
4842 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4843 } else {
4844 /* Now only need move success
4845 * to confirm
4846 */
4847 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4848 }
4849
4850 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4851 break;
4852 default:
4853 /* Any other amp move state means the move failed. */
4854 chan->move_id = chan->local_amp_id;
4855 l2cap_move_done(chan);
4856 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4857 }
4858
4859 l2cap_chan_unlock(chan);
4860}
4861
4862static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4863 u16 result)
4864{
4865 struct l2cap_chan *chan;
4866
4867 chan = l2cap_get_chan_by_ident(conn, ident);
4868 if (!chan) {
4869 /* Could not locate channel, icid is best guess */
4870 l2cap_send_move_chan_cfm_icid(conn, icid);
4871 return;
4872 }
4873
4874 __clear_chan_timer(chan);
4875
4876 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4877 if (result == L2CAP_MR_COLLISION) {
4878 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4879 } else {
4880 /* Cleanup - cancel move */
4881 chan->move_id = chan->local_amp_id;
4882 l2cap_move_done(chan);
4883 }
4884 }
4885
4886 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4887
4888 l2cap_chan_unlock(chan);
4889}
4890
4891static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4892 struct l2cap_cmd_hdr *cmd,
4893 u16 cmd_len, void *data)
8d5a04a1
MM		 4894{
4895 struct l2cap_move_chan_rsp *rsp = data;
4896 u16 icid, result;
4897
4898 if (cmd_len != sizeof(*rsp))
4899 return -EPROTO;
4900
4901 icid = le16_to_cpu(rsp->icid);
4902 result = le16_to_cpu(rsp->result);
4903
ad0ac6ca 4904 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4905
5b155ef9
MM		 4906 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4907 l2cap_move_continue(conn, icid, result);
4908 else
4909 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4910
4911 return 0;
4912}
4913
5f3847a4
MM		 4914static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4915 struct l2cap_cmd_hdr *cmd,
4916 u16 cmd_len, void *data)
8d5a04a1
MM		 4917{
4918 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4919 struct l2cap_chan *chan;
8d5a04a1
MM		 4920 u16 icid, result;
4921
4922 if (cmd_len != sizeof(*cfm))
4923 return -EPROTO;
4924
4925 icid = le16_to_cpu(cfm->icid);
4926 result = le16_to_cpu(cfm->result);
4927
ad0ac6ca 4928 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4929
5f3847a4
MM		 4930 chan = l2cap_get_chan_by_dcid(conn, icid);
4931 if (!chan) {
4932 /* Spec requires a response even if the icid was not found */
4933 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4934 return 0;
4935 }
4936
4937 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4938 if (result == L2CAP_MC_CONFIRMED) {
4939 chan->local_amp_id = chan->move_id;
4940 if (!chan->local_amp_id)
4941 __release_logical_link(chan);
4942 } else {
4943 chan->move_id = chan->local_amp_id;
4944 }
4945
4946 l2cap_move_done(chan);
4947 }
4948
8d5a04a1
MM		 4949 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4950
5f3847a4
MM		 4951 l2cap_chan_unlock(chan);
4952
8d5a04a1
MM		 4953 return 0;
4954}
4955
4956static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4957 struct l2cap_cmd_hdr *cmd,
4958 u16 cmd_len, void *data)
8d5a04a1
MM		 4959{
4960 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4961 struct l2cap_chan *chan;
8d5a04a1
MM		 4962 u16 icid;
4963
4964 if (cmd_len != sizeof(*rsp))
4965 return -EPROTO;
4966
4967 icid = le16_to_cpu(rsp->icid);
4968
ad0ac6ca 4969 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4970
3fd71a0a
MM		 4971 chan = l2cap_get_chan_by_scid(conn, icid);
4972 if (!chan)
4973 return 0;
4974
4975 __clear_chan_timer(chan);
4976
4977 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4978 chan->local_amp_id = chan->move_id;
4979
4980 if (!chan->local_amp_id && chan->hs_hchan)
4981 __release_logical_link(chan);
4982
4983 l2cap_move_done(chan);
4984 }
4985
4986 l2cap_chan_unlock(chan);
4987
8d5a04a1
MM		 4988 return 0;
4989}
4990
e2174ca4 4991static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4992 u16 to_multiplier)
de73115a
CT		 4993{
4994 u16 max_latency;
4995
4996 if (min > max || min < 6 || max > 3200)
4997 return -EINVAL;
4998
4999 if (to_multiplier < 10 || to_multiplier > 3200)
5000 return -EINVAL;
5001
5002 if (max >= to_multiplier * 8)
5003 return -EINVAL;
5004
5005 max_latency = (to_multiplier * 8 / max) - 1;
5006 if (latency > 499 || latency > max_latency)
5007 return -EINVAL;
5008
5009 return 0;
5010}
5011
5012static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5013 struct l2cap_cmd_hdr *cmd,
5014 u8 *data)
de73115a
CT		 5015{
5016 struct hci_conn *hcon = conn->hcon;
5017 struct l2cap_conn_param_update_req *req;
5018 struct l2cap_conn_param_update_rsp rsp;
5019 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5020 int err;
de73115a
CT		 5021
5022 if (!(hcon->link_mode & HCI_LM_MASTER))
5023 return -EINVAL;
5024
5025 cmd_len = __le16_to_cpu(cmd->len);
5026 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5027 return -EPROTO;
5028
5029 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5030 min = __le16_to_cpu(req->min);
5031 max = __le16_to_cpu(req->max);
de73115a
CT		 5032 latency = __le16_to_cpu(req->latency);
5033 to_multiplier = __le16_to_cpu(req->to_multiplier);
5034
5035 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5036 min, max, latency, to_multiplier);
de73115a
CT		 5037
5038 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5039
5040 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5041 if (err)
ac73498c 5042 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5043 else
ac73498c 5044 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5045
5046 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5047 sizeof(rsp), &rsp);
de73115a 5048
2ce603eb
CT		 5049 if (!err)
5050 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5051
de73115a
CT		 5052 return 0;
5053}
5054
3300d9a9 5055static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5056 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5057 u8 *data)
3300d9a9
CT		 5058{
5059 int err = 0;
5060
5061 switch (cmd->code) {
5062 case L2CAP_COMMAND_REJ:
5063 l2cap_command_rej(conn, cmd, data);
5064 break;
5065
5066 case L2CAP_CONN_REQ:
5067 err = l2cap_connect_req(conn, cmd, data);
5068 break;
5069
5070 case L2CAP_CONN_RSP:
f5a2598d 5071 case L2CAP_CREATE_CHAN_RSP:
5909cf30 5072 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 5073 break;
5074
5075 case L2CAP_CONF_REQ:
5076 err = l2cap_config_req(conn, cmd, cmd_len, data);
5077 break;
5078
5079 case L2CAP_CONF_RSP:
5080 err = l2cap_config_rsp(conn, cmd, data);
5081 break;
5082
5083 case L2CAP_DISCONN_REQ:
5084 err = l2cap_disconnect_req(conn, cmd, data);
5085 break;
5086
5087 case L2CAP_DISCONN_RSP:
5088 err = l2cap_disconnect_rsp(conn, cmd, data);
5089 break;
5090
5091 case L2CAP_ECHO_REQ:
5092 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5093 break;
5094
5095 case L2CAP_ECHO_RSP:
5096 break;
5097
5098 case L2CAP_INFO_REQ:
5099 err = l2cap_information_req(conn, cmd, data);
5100 break;
5101
5102 case L2CAP_INFO_RSP:
5103 err = l2cap_information_rsp(conn, cmd, data);
5104 break;
5105
f94ff6ff
MM		 5106 case L2CAP_CREATE_CHAN_REQ:
5107 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5108 break;
5109
8d5a04a1
MM		 5110 case L2CAP_MOVE_CHAN_REQ:
5111 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5112 break;
5113
5114 case L2CAP_MOVE_CHAN_RSP:
5115 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5116 break;
5117
5118 case L2CAP_MOVE_CHAN_CFM:
5119 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5120 break;
5121
5122 case L2CAP_MOVE_CHAN_CFM_RSP:
5123 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5124 break;
5125
3300d9a9
CT		 5126 default:
5127 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5128 err = -EINVAL;
5129 break;
5130 }
5131
5132 return err;
5133}
5134
5135static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5136 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5137{
5138 switch (cmd->code) {
5139 case L2CAP_COMMAND_REJ:
5140 return 0;
5141
5142 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5143 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5144
5145 case L2CAP_CONN_PARAM_UPDATE_RSP:
5146 return 0;
5147
5148 default:
5149 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5150 return -EINVAL;
5151 }
5152}
5153
5154static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5155 struct sk_buff *skb)
1da177e4
LT		 5156{
5157 u8 *data = skb->data;
5158 int len = skb->len;
5159 struct l2cap_cmd_hdr cmd;
3300d9a9 5160 int err;
1da177e4
LT		 5161
5162 l2cap_raw_recv(conn, skb);
5163
5164 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5165 u16 cmd_len;
1da177e4
LT		 5166 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5167 data += L2CAP_CMD_HDR_SIZE;
5168 len -= L2CAP_CMD_HDR_SIZE;
5169
88219a0f 5170 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5171
2d792818
GP		 5172 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5173 cmd.ident);
1da177e4 5174
88219a0f 5175 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5176 BT_DBG("corrupted command");
5177 break;
5178 }
5179
3300d9a9
CT		 5180 if (conn->hcon->type == LE_LINK)
5181 err = l2cap_le_sig_cmd(conn, &cmd, data);
5182 else
5183 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5184
5185 if (err) {
e2fd318e 5186 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5187
5188 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5189
5190 /* FIXME: Map err to a valid reason */
ac73498c 5191 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5192 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5193 sizeof(rej), &rej);
1da177e4
LT		 5194 }
5195
88219a0f
AV		 5196 data += cmd_len;
5197 len -= cmd_len;
1da177e4
LT		 5198 }
5199
5200 kfree_skb(skb);
5201}
5202
47d1ec61 5203static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5204{
5205 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5206 int hdr_size;
5207
5208 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5209 hdr_size = L2CAP_EXT_HDR_SIZE;
5210 else
5211 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5212
47d1ec61 5213 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5214 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5215 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5216 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5217
5218 if (our_fcs != rcv_fcs)
7a560e5c 5219 return -EBADMSG;
fcc203c3
GP		 5220 }
5221 return 0;
5222}
5223
6ea00485 5224static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5225{
e31f7633 5226 struct l2cap_ctrl control;
d5392c8f 5227
e31f7633 5228 BT_DBG("chan %p", chan);
d5392c8f 5229
e31f7633
MM		 5230 memset(&control, 0, sizeof(control));
5231 control.sframe = 1;
5232 control.final = 1;
5233 control.reqseq = chan->buffer_seq;
5234 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5235
e2ab4353 5236 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5237 control.super = L2CAP_SUPER_RNR;
5238 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5239 }
5240
e31f7633
MM		 5241 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5242 chan->unacked_frames > 0)
5243 __set_retrans_timer(chan);
d5392c8f 5244
e31f7633 5245 /* Send pending iframes */
525cd185 5246 l2cap_ertm_send(chan);
d5392c8f 5247
e2ab4353 5248 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5249 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5250 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5251 * send it now.
5252 */
5253 control.super = L2CAP_SUPER_RR;
5254 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5255 }
5256}
5257
2d792818
GP		 5258static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5259 struct sk_buff **last_frag)
18778a63 5260{
84084a31
MM		 5261 /* skb->len reflects data in skb as well as all fragments
5262 * skb->data_len reflects only data in fragments
5263 */
5264 if (!skb_has_frag_list(skb))
5265 skb_shinfo(skb)->frag_list = new_frag;
5266
5267 new_frag->next = NULL;
5268
5269 (*last_frag)->next = new_frag;
5270 *last_frag = new_frag;
5271
5272 skb->len += new_frag->len;
5273 skb->data_len += new_frag->len;
5274 skb->truesize += new_frag->truesize;
5275}
5276
4b51dae9
MM		 5277static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5278 struct l2cap_ctrl *control)
84084a31
MM		 5279{
5280 int err = -EINVAL;
18778a63 5281
4b51dae9 5282 switch (control->sar) {
7e0ef6ee 5283 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5284 if (chan->sdu)
5285 break;
18778a63 5286
80b98027 5287 err = chan->ops->recv(chan, skb);
84084a31 5288 break;
18778a63 5289
7e0ef6ee 5290 case L2CAP_SAR_START:
84084a31
MM		 5291 if (chan->sdu)
5292 break;
18778a63 5293
6f61fd47 5294 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5295 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5296
84084a31
MM		 5297 if (chan->sdu_len > chan->imtu) {
5298 err = -EMSGSIZE;
5299 break;
5300 }
1890d36b 5301
84084a31
MM		 5302 if (skb->len >= chan->sdu_len)
5303 break;
18778a63 5304
84084a31
MM		 5305 chan->sdu = skb;
5306 chan->sdu_last_frag = skb;
18778a63 5307
84084a31
MM		 5308 skb = NULL;
5309 err = 0;
18778a63
GP		 5310 break;
5311
7e0ef6ee 5312 case L2CAP_SAR_CONTINUE:
6f61fd47 5313 if (!chan->sdu)
84084a31 5314 break;
18778a63 5315
84084a31
MM		 5316 append_skb_frag(chan->sdu, skb,
5317 &chan->sdu_last_frag);
5318 skb = NULL;
18778a63 5319
84084a31
MM		 5320 if (chan->sdu->len >= chan->sdu_len)
5321 break;
4178ba46 5322
84084a31 5323 err = 0;
18778a63
GP		 5324 break;
5325
7e0ef6ee 5326 case L2CAP_SAR_END:
6f61fd47 5327 if (!chan->sdu)
84084a31 5328 break;
18778a63 5329
84084a31
MM		 5330 append_skb_frag(chan->sdu, skb,
5331 &chan->sdu_last_frag);
5332 skb = NULL;
4178ba46 5333
84084a31
MM		 5334 if (chan->sdu->len != chan->sdu_len)
5335 break;
18778a63 5336
80b98027 5337 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5338
84084a31
MM		 5339 if (!err) {
5340 /* Reassembly complete */
5341 chan->sdu = NULL;
5342 chan->sdu_last_frag = NULL;
5343 chan->sdu_len = 0;
1890d36b 5344 }
18778a63
GP		 5345 break;
5346 }
5347
84084a31
MM		 5348 if (err) {
5349 kfree_skb(skb);
5350 kfree_skb(chan->sdu);
5351 chan->sdu = NULL;
5352 chan->sdu_last_frag = NULL;
5353 chan->sdu_len = 0;
5354 }
18778a63 5355
84084a31 5356 return err;
18778a63
GP		 5357}
5358
32b32735
MM		 5359static int l2cap_resegment(struct l2cap_chan *chan)
5360{
5361 /* Placeholder */
5362 return 0;
5363}
5364
61aa4f5b 5365void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5366{
61aa4f5b 5367 u8 event;
712132eb 5368
61aa4f5b
MM		 5369 if (chan->mode != L2CAP_MODE_ERTM)
5370 return;
712132eb 5371
61aa4f5b 5372 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5373 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5374}
5375
d2a7ac5d
MM		 5376static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5377{
63838725
MM		 5378 int err = 0;
5379 /* Pass sequential frames to l2cap_reassemble_sdu()
5380 * until a gap is encountered.
5381 */
5382
5383 BT_DBG("chan %p", chan);
5384
5385 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5386 struct sk_buff *skb;
5387 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5388 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5389
5390 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5391
5392 if (!skb)
5393 break;
5394
5395 skb_unlink(skb, &chan->srej_q);
5396 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5397 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5398 if (err)
5399 break;
5400 }
5401
5402 if (skb_queue_empty(&chan->srej_q)) {
5403 chan->rx_state = L2CAP_RX_STATE_RECV;
5404 l2cap_send_ack(chan);
5405 }
5406
5407 return err;
d2a7ac5d
MM		 5408}
5409
5410static void l2cap_handle_srej(struct l2cap_chan *chan,
5411 struct l2cap_ctrl *control)
5412{
f80842a8
MM		 5413 struct sk_buff *skb;
5414
5415 BT_DBG("chan %p, control %p", chan, control);
5416
5417 if (control->reqseq == chan->next_tx_seq) {
5418 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5419 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5420 return;
5421 }
5422
5423 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5424
5425 if (skb == NULL) {
5426 BT_DBG("Seq %d not available for retransmission",
5427 control->reqseq);
5428 return;
5429 }
5430
5431 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5432 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5433 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5434 return;
5435 }
5436
5437 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5438
5439 if (control->poll) {
5440 l2cap_pass_to_tx(chan, control);
5441
5442 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5443 l2cap_retransmit(chan, control);
5444 l2cap_ertm_send(chan);
5445
5446 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5447 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5448 chan->srej_save_reqseq = control->reqseq;
5449 }
5450 } else {
5451 l2cap_pass_to_tx_fbit(chan, control);
5452
5453 if (control->final) {
5454 if (chan->srej_save_reqseq != control->reqseq ||
5455 !test_and_clear_bit(CONN_SREJ_ACT,
5456 &chan->conn_state))
5457 l2cap_retransmit(chan, control);
5458 } else {
5459 l2cap_retransmit(chan, control);
5460 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5461 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5462 chan->srej_save_reqseq = control->reqseq;
5463 }
5464 }
5465 }
d2a7ac5d
MM		 5466}
5467
5468static void l2cap_handle_rej(struct l2cap_chan *chan,
5469 struct l2cap_ctrl *control)
5470{
fcd289df
MM		 5471 struct sk_buff *skb;
5472
5473 BT_DBG("chan %p, control %p", chan, control);
5474
5475 if (control->reqseq == chan->next_tx_seq) {
5476 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5477 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5478 return;
5479 }
5480
5481 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5482
5483 if (chan->max_tx && skb &&
5484 bt_cb(skb)->control.retries >= chan->max_tx) {
5485 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5486 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5487 return;
5488 }
5489
5490 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5491
5492 l2cap_pass_to_tx(chan, control);
5493
5494 if (control->final) {
5495 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5496 l2cap_retransmit_all(chan, control);
5497 } else {
5498 l2cap_retransmit_all(chan, control);
5499 l2cap_ertm_send(chan);
5500 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5501 set_bit(CONN_REJ_ACT, &chan->conn_state);
5502 }
d2a7ac5d
MM		 5503}
5504
4b51dae9
MM		 5505static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5506{
5507 BT_DBG("chan %p, txseq %d", chan, txseq);
5508
5509 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5510 chan->expected_tx_seq);
5511
5512 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5513 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5514 chan->tx_win) {
4b51dae9
MM		 5515 /* See notes below regarding "double poll" and
5516 * invalid packets.
5517 */
5518 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5519 BT_DBG("Invalid/Ignore - after SREJ");
5520 return L2CAP_TXSEQ_INVALID_IGNORE;
5521 } else {
5522 BT_DBG("Invalid - in window after SREJ sent");
5523 return L2CAP_TXSEQ_INVALID;
5524 }
5525 }
5526
5527 if (chan->srej_list.head == txseq) {
5528 BT_DBG("Expected SREJ");
5529 return L2CAP_TXSEQ_EXPECTED_SREJ;
5530 }
5531
5532 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5533 BT_DBG("Duplicate SREJ - txseq already stored");
5534 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5535 }
5536
5537 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5538 BT_DBG("Unexpected SREJ - not requested");
5539 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5540 }
5541 }
5542
5543 if (chan->expected_tx_seq == txseq) {
5544 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5545 chan->tx_win) {
5546 BT_DBG("Invalid - txseq outside tx window");
5547 return L2CAP_TXSEQ_INVALID;
5548 } else {
5549 BT_DBG("Expected");
5550 return L2CAP_TXSEQ_EXPECTED;
5551 }
5552 }
5553
5554 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5555 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5556 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5557 return L2CAP_TXSEQ_DUPLICATE;
5558 }
5559
5560 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5561 /* A source of invalid packets is a "double poll" condition,
5562 * where delays cause us to send multiple poll packets. If
5563 * the remote stack receives and processes both polls,
5564 * sequence numbers can wrap around in such a way that a
5565 * resent frame has a sequence number that looks like new data
5566 * with a sequence gap. This would trigger an erroneous SREJ
5567 * request.
5568 *
5569 * Fortunately, this is impossible with a tx window that's
5570 * less than half of the maximum sequence number, which allows
5571 * invalid frames to be safely ignored.
5572 *
5573 * With tx window sizes greater than half of the tx window
5574 * maximum, the frame is invalid and cannot be ignored. This
5575 * causes a disconnect.
5576 */
5577
5578 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5579 BT_DBG("Invalid/Ignore - txseq outside tx window");
5580 return L2CAP_TXSEQ_INVALID_IGNORE;
5581 } else {
5582 BT_DBG("Invalid - txseq outside tx window");
5583 return L2CAP_TXSEQ_INVALID;
5584 }
5585 } else {
5586 BT_DBG("Unexpected - txseq indicates missing frames");
5587 return L2CAP_TXSEQ_UNEXPECTED;
5588 }
5589}
5590
d2a7ac5d
MM		 5591static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5592 struct l2cap_ctrl *control,
5593 struct sk_buff *skb, u8 event)
5594{
5595 int err = 0;
5596 bool skb_in_use = 0;
5597
5598 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5599 event);
5600
5601 switch (event) {
5602 case L2CAP_EV_RECV_IFRAME:
5603 switch (l2cap_classify_txseq(chan, control->txseq)) {
5604 case L2CAP_TXSEQ_EXPECTED:
5605 l2cap_pass_to_tx(chan, control);
5606
5607 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5608 BT_DBG("Busy, discarding expected seq %d",
5609 control->txseq);
5610 break;
5611 }
5612
5613 chan->expected_tx_seq = __next_seq(chan,
5614 control->txseq);
5615
5616 chan->buffer_seq = chan->expected_tx_seq;
5617 skb_in_use = 1;
5618
5619 err = l2cap_reassemble_sdu(chan, skb, control);
5620 if (err)
5621 break;
5622
5623 if (control->final) {
5624 if (!test_and_clear_bit(CONN_REJ_ACT,
5625 &chan->conn_state)) {
5626 control->final = 0;
5627 l2cap_retransmit_all(chan, control);
5628 l2cap_ertm_send(chan);
5629 }
5630 }
5631
5632 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5633 l2cap_send_ack(chan);
5634 break;
5635 case L2CAP_TXSEQ_UNEXPECTED:
5636 l2cap_pass_to_tx(chan, control);
5637
5638 /* Can't issue SREJ frames in the local busy state.
5639 * Drop this frame, it will be seen as missing
5640 * when local busy is exited.
5641 */
5642 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5643 BT_DBG("Busy, discarding unexpected seq %d",
5644 control->txseq);
5645 break;
5646 }
5647
5648 /* There was a gap in the sequence, so an SREJ
5649 * must be sent for each missing frame. The
5650 * current frame is stored for later use.
5651 */
5652 skb_queue_tail(&chan->srej_q, skb);
5653 skb_in_use = 1;
5654 BT_DBG("Queued %p (queue len %d)", skb,
5655 skb_queue_len(&chan->srej_q));
5656
5657 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5658 l2cap_seq_list_clear(&chan->srej_list);
5659 l2cap_send_srej(chan, control->txseq);
5660
5661 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5662 break;
5663 case L2CAP_TXSEQ_DUPLICATE:
5664 l2cap_pass_to_tx(chan, control);
5665 break;
5666 case L2CAP_TXSEQ_INVALID_IGNORE:
5667 break;
5668 case L2CAP_TXSEQ_INVALID:
5669 default:
5e4e3972 5670 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5671 break;
5672 }
5673 break;
5674 case L2CAP_EV_RECV_RR:
5675 l2cap_pass_to_tx(chan, control);
5676 if (control->final) {
5677 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5678
e6a3ee6e
MM		 5679 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5680 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5681 control->final = 0;
5682 l2cap_retransmit_all(chan, control);
5683 }
5684
5685 l2cap_ertm_send(chan);
5686 } else if (control->poll) {
5687 l2cap_send_i_or_rr_or_rnr(chan);
5688 } else {
5689 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5690 &chan->conn_state) &&
5691 chan->unacked_frames)
5692 __set_retrans_timer(chan);
5693
5694 l2cap_ertm_send(chan);
5695 }
5696 break;
5697 case L2CAP_EV_RECV_RNR:
5698 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5699 l2cap_pass_to_tx(chan, control);
5700 if (control && control->poll) {
5701 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5702 l2cap_send_rr_or_rnr(chan, 0);
5703 }
5704 __clear_retrans_timer(chan);
5705 l2cap_seq_list_clear(&chan->retrans_list);
5706 break;
5707 case L2CAP_EV_RECV_REJ:
5708 l2cap_handle_rej(chan, control);
5709 break;
5710 case L2CAP_EV_RECV_SREJ:
5711 l2cap_handle_srej(chan, control);
5712 break;
5713 default:
5714 break;
5715 }
5716
5717 if (skb && !skb_in_use) {
5718 BT_DBG("Freeing %p", skb);
5719 kfree_skb(skb);
5720 }
5721
5722 return err;
5723}
5724
5725static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5726 struct l2cap_ctrl *control,
5727 struct sk_buff *skb, u8 event)
5728{
5729 int err = 0;
5730 u16 txseq = control->txseq;
5731 bool skb_in_use = 0;
5732
5733 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5734 event);
5735
5736 switch (event) {
5737 case L2CAP_EV_RECV_IFRAME:
5738 switch (l2cap_classify_txseq(chan, txseq)) {
5739 case L2CAP_TXSEQ_EXPECTED:
5740 /* Keep frame for reassembly later */
5741 l2cap_pass_to_tx(chan, control);
5742 skb_queue_tail(&chan->srej_q, skb);
5743 skb_in_use = 1;
5744 BT_DBG("Queued %p (queue len %d)", skb,
5745 skb_queue_len(&chan->srej_q));
5746
5747 chan->expected_tx_seq = __next_seq(chan, txseq);
5748 break;
5749 case L2CAP_TXSEQ_EXPECTED_SREJ:
5750 l2cap_seq_list_pop(&chan->srej_list);
5751
5752 l2cap_pass_to_tx(chan, control);
5753 skb_queue_tail(&chan->srej_q, skb);
5754 skb_in_use = 1;
5755 BT_DBG("Queued %p (queue len %d)", skb,
5756 skb_queue_len(&chan->srej_q));
5757
5758 err = l2cap_rx_queued_iframes(chan);
5759 if (err)
5760 break;
5761
5762 break;
5763 case L2CAP_TXSEQ_UNEXPECTED:
5764 /* Got a frame that can't be reassembled yet.
5765 * Save it for later, and send SREJs to cover
5766 * the missing frames.
5767 */
5768 skb_queue_tail(&chan->srej_q, skb);
5769 skb_in_use = 1;
5770 BT_DBG("Queued %p (queue len %d)", skb,
5771 skb_queue_len(&chan->srej_q));
5772
5773 l2cap_pass_to_tx(chan, control);
5774 l2cap_send_srej(chan, control->txseq);
5775 break;
5776 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5777 /* This frame was requested with an SREJ, but
5778 * some expected retransmitted frames are
5779 * missing. Request retransmission of missing
5780 * SREJ'd frames.
5781 */
5782 skb_queue_tail(&chan->srej_q, skb);
5783 skb_in_use = 1;
5784 BT_DBG("Queued %p (queue len %d)", skb,
5785 skb_queue_len(&chan->srej_q));
5786
5787 l2cap_pass_to_tx(chan, control);
5788 l2cap_send_srej_list(chan, control->txseq);
5789 break;
5790 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5791 /* We've already queued this frame. Drop this copy. */
5792 l2cap_pass_to_tx(chan, control);
5793 break;
5794 case L2CAP_TXSEQ_DUPLICATE:
5795 /* Expecting a later sequence number, so this frame
5796 * was already received. Ignore it completely.
5797 */
5798 break;
5799 case L2CAP_TXSEQ_INVALID_IGNORE:
5800 break;
5801 case L2CAP_TXSEQ_INVALID:
5802 default:
5e4e3972 5803 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5804 break;
5805 }
5806 break;
5807 case L2CAP_EV_RECV_RR:
5808 l2cap_pass_to_tx(chan, control);
5809 if (control->final) {
5810 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5811
5812 if (!test_and_clear_bit(CONN_REJ_ACT,
5813 &chan->conn_state)) {
5814 control->final = 0;
5815 l2cap_retransmit_all(chan, control);
5816 }
5817
5818 l2cap_ertm_send(chan);
5819 } else if (control->poll) {
5820 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5821 &chan->conn_state) &&
5822 chan->unacked_frames) {
5823 __set_retrans_timer(chan);
5824 }
5825
5826 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5827 l2cap_send_srej_tail(chan);
5828 } else {
5829 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5830 &chan->conn_state) &&
5831 chan->unacked_frames)
5832 __set_retrans_timer(chan);
5833
5834 l2cap_send_ack(chan);
5835 }
5836 break;
5837 case L2CAP_EV_RECV_RNR:
5838 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5839 l2cap_pass_to_tx(chan, control);
5840 if (control->poll) {
5841 l2cap_send_srej_tail(chan);
5842 } else {
5843 struct l2cap_ctrl rr_control;
5844 memset(&rr_control, 0, sizeof(rr_control));
5845 rr_control.sframe = 1;
5846 rr_control.super = L2CAP_SUPER_RR;
5847 rr_control.reqseq = chan->buffer_seq;
5848 l2cap_send_sframe(chan, &rr_control);
5849 }
5850
5851 break;
5852 case L2CAP_EV_RECV_REJ:
5853 l2cap_handle_rej(chan, control);
5854 break;
5855 case L2CAP_EV_RECV_SREJ:
5856 l2cap_handle_srej(chan, control);
5857 break;
5858 }
5859
5860 if (skb && !skb_in_use) {
5861 BT_DBG("Freeing %p", skb);
5862 kfree_skb(skb);
5863 }
5864
5865 return err;
5866}
5867
32b32735
MM		 5868static int l2cap_finish_move(struct l2cap_chan *chan)
5869{
5870 BT_DBG("chan %p", chan);
5871
5872 chan->rx_state = L2CAP_RX_STATE_RECV;
5873
5874 if (chan->hs_hcon)
5875 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5876 else
5877 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5878
5879 return l2cap_resegment(chan);
5880}
5881
5882static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5883 struct l2cap_ctrl *control,
5884 struct sk_buff *skb, u8 event)
5885{
5886 int err;
5887
5888 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5889 event);
5890
5891 if (!control->poll)
5892 return -EPROTO;
5893
5894 l2cap_process_reqseq(chan, control->reqseq);
5895
5896 if (!skb_queue_empty(&chan->tx_q))
5897 chan->tx_send_head = skb_peek(&chan->tx_q);
5898 else
5899 chan->tx_send_head = NULL;
5900
5901 /* Rewind next_tx_seq to the point expected
5902 * by the receiver.
5903 */
5904 chan->next_tx_seq = control->reqseq;
5905 chan->unacked_frames = 0;
5906
5907 err = l2cap_finish_move(chan);
5908 if (err)
5909 return err;
5910
5911 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5912 l2cap_send_i_or_rr_or_rnr(chan);
5913
5914 if (event == L2CAP_EV_RECV_IFRAME)
5915 return -EPROTO;
5916
5917 return l2cap_rx_state_recv(chan, control, NULL, event);
5918}
5919
5920static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5921 struct l2cap_ctrl *control,
5922 struct sk_buff *skb, u8 event)
5923{
5924 int err;
5925
5926 if (!control->final)
5927 return -EPROTO;
5928
5929 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5930
5931 chan->rx_state = L2CAP_RX_STATE_RECV;
5932 l2cap_process_reqseq(chan, control->reqseq);
5933
5934 if (!skb_queue_empty(&chan->tx_q))
5935 chan->tx_send_head = skb_peek(&chan->tx_q);
5936 else
5937 chan->tx_send_head = NULL;
5938
5939 /* Rewind next_tx_seq to the point expected
5940 * by the receiver.
5941 */
5942 chan->next_tx_seq = control->reqseq;
5943 chan->unacked_frames = 0;
5944
5945 if (chan->hs_hcon)
5946 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5947 else
5948 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5949
5950 err = l2cap_resegment(chan);
5951
5952 if (!err)
5953 err = l2cap_rx_state_recv(chan, control, skb, event);
5954
5955 return err;
5956}
5957
d2a7ac5d
MM		 5958static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5959{
5960 /* Make sure reqseq is for a packet that has been sent but not acked */
5961 u16 unacked;
5962
5963 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5964 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5965}
5966
cec8ab6e
MM		 5967static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5968 struct sk_buff *skb, u8 event)
218bb9df 5969{
d2a7ac5d
MM		 5970 int err = 0;
5971
5972 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5973 control, skb, event, chan->rx_state);
5974
5975 if (__valid_reqseq(chan, control->reqseq)) {
5976 switch (chan->rx_state) {
5977 case L2CAP_RX_STATE_RECV:
5978 err = l2cap_rx_state_recv(chan, control, skb, event);
5979 break;
5980 case L2CAP_RX_STATE_SREJ_SENT:
5981 err = l2cap_rx_state_srej_sent(chan, control, skb,
5982 event);
5983 break;
32b32735
MM		 5984 case L2CAP_RX_STATE_WAIT_P:
5985 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5986 break;
5987 case L2CAP_RX_STATE_WAIT_F:
5988 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5989 break;
d2a7ac5d
MM		 5990 default:
5991 /* shut it down */
5992 break;
5993 }
5994 } else {
5995 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5996 control->reqseq, chan->next_tx_seq,
5997 chan->expected_ack_seq);
5e4e3972 5998 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5999 }
6000
6001 return err;
cec8ab6e
MM		 6002}
6003
6004static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6005 struct sk_buff *skb)
6006{
4b51dae9
MM		 6007 int err = 0;
6008
6009 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6010 chan->rx_state);
6011
6012 if (l2cap_classify_txseq(chan, control->txseq) ==
6013 L2CAP_TXSEQ_EXPECTED) {
6014 l2cap_pass_to_tx(chan, control);
6015
6016 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6017 __next_seq(chan, chan->buffer_seq));
6018
6019 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6020
6021 l2cap_reassemble_sdu(chan, skb, control);
6022 } else {
6023 if (chan->sdu) {
6024 kfree_skb(chan->sdu);
6025 chan->sdu = NULL;
6026 }
6027 chan->sdu_last_frag = NULL;
6028 chan->sdu_len = 0;
6029
6030 if (skb) {
6031 BT_DBG("Freeing %p", skb);
6032 kfree_skb(skb);
6033 }
6034 }
6035
6036 chan->last_acked_seq = control->txseq;
6037 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6038
6039 return err;
cec8ab6e
MM		 6040}
6041
6042static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6043{
6044 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6045 u16 len;
6046 u8 event;
218bb9df 6047
b76bbd66
MM		 6048 __unpack_control(chan, skb);
6049
218bb9df
GP		 6050 len = skb->len;
6051
6052 /*
6053 * We can just drop the corrupted I-frame here.
6054 * Receiver will miss it and start proper recovery
cec8ab6e 6055 * procedures and ask for retransmission.
218bb9df 6056 */
47d1ec61 6057 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6058 goto drop;
6059
cec8ab6e 6060 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6061 len -= L2CAP_SDULEN_SIZE;
218bb9df 6062
47d1ec61 6063 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6064 len -= L2CAP_FCS_SIZE;
218bb9df 6065
47d1ec61 6066 if (len > chan->mps) {
5e4e3972 6067 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6068 goto drop;
6069 }
6070
cec8ab6e
MM		 6071 if (!control->sframe) {
6072 int err;
218bb9df 6073
cec8ab6e
MM		 6074 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6075 control->sar, control->reqseq, control->final,
6076 control->txseq);
218bb9df 6077
cec8ab6e
MM		 6078 /* Validate F-bit - F=0 always valid, F=1 only
6079 * valid in TX WAIT_F
6080 */
6081 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6082 goto drop;
cec8ab6e
MM		 6083
6084 if (chan->mode != L2CAP_MODE_STREAMING) {
6085 event = L2CAP_EV_RECV_IFRAME;
6086 err = l2cap_rx(chan, control, skb, event);
6087 } else {
6088 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6089 }
6090
cec8ab6e 6091 if (err)
5e4e3972 6092 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6093 } else {
cec8ab6e
MM		 6094 const u8 rx_func_to_event[4] = {
6095 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6096 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6097 };
6098
6099 /* Only I-frames are expected in streaming mode */
6100 if (chan->mode == L2CAP_MODE_STREAMING)
6101 goto drop;
6102
6103 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6104 control->reqseq, control->final, control->poll,
6105 control->super);
6106
218bb9df 6107 if (len != 0) {
1bb166e6 6108 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6109 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6110 goto drop;
6111 }
6112
cec8ab6e
MM		 6113 /* Validate F and P bits */
6114 if (control->final && (control->poll ||
6115 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6116 goto drop;
6117
6118 event = rx_func_to_event[control->super];
6119 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6120 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6121 }
6122
6123 return 0;
6124
6125drop:
6126 kfree_skb(skb);
6127 return 0;
6128}
6129
13ca56e0
AE		 6130static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6131 struct sk_buff *skb)
1da177e4 6132{
48454079 6133 struct l2cap_chan *chan;
1da177e4 6134
baa7e1fa 6135 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6136 if (!chan) {
97e8e89d
AE		 6137 if (cid == L2CAP_CID_A2MP) {
6138 chan = a2mp_channel_create(conn, skb);
6139 if (!chan) {
6140 kfree_skb(skb);
13ca56e0 6141 return;
97e8e89d
AE		 6142 }
6143
6144 l2cap_chan_lock(chan);
6145 } else {
6146 BT_DBG("unknown cid 0x%4.4x", cid);
6147 /* Drop packet and return */
6148 kfree_skb(skb);
13ca56e0 6149 return;
97e8e89d 6150 }
1da177e4
LT		 6151 }
6152
49208c9c 6153 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6154
89bc500e 6155 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6156 goto drop;
6157
0c1bc5c6 6158 switch (chan->mode) {
1c2acffb
GP		 6159 case L2CAP_MODE_BASIC:
6160 /* If socket recv buffers overflows we drop data here
6161 * which is *bad* because L2CAP has to be reliable.
6162 * But we don't have any other choice. L2CAP doesn't
6163 * provide flow control mechanism. */
1da177e4 6164
0c1bc5c6 6165 if (chan->imtu < skb->len)
1c2acffb 6166 goto drop;
1da177e4 6167
80b98027 6168 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6169 goto done;
6170 break;
6171
6172 case L2CAP_MODE_ERTM:
6840ed07 6173 case L2CAP_MODE_STREAMING:
cec8ab6e 6174 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6175 goto done;
6176
1c2acffb 6177 default:
0c1bc5c6 6178 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6179 break;
6180 }
1da177e4
LT		 6181
6182drop:
6183 kfree_skb(skb);
6184
6185done:
6be36555 6186 l2cap_chan_unlock(chan);
1da177e4
LT		 6187}
6188
84104b24
AE		 6189static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6190 struct sk_buff *skb)
1da177e4 6191{
23691d75 6192 struct l2cap_chan *chan;
1da177e4 6193
c2287681 6194 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6195 if (!chan)
1da177e4
LT		 6196 goto drop;
6197
5b4cedaa 6198 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6199
89bc500e 6200 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6201 goto drop;
6202
e13e21dc 6203 if (chan->imtu < skb->len)
1da177e4
LT		 6204 goto drop;
6205
80b98027 6206 if (!chan->ops->recv(chan, skb))
84104b24 6207 return;
1da177e4
LT		 6208
6209drop:
6210 kfree_skb(skb);
1da177e4
LT		 6211}
6212
6810fca7
AE		 6213static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6214 struct sk_buff *skb)
9f69bda6 6215{
23691d75 6216 struct l2cap_chan *chan;
9f69bda6 6217
c2287681 6218 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6219 if (!chan)
9f69bda6
GP		 6220 goto drop;
6221
5b4cedaa 6222 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6223
89bc500e 6224 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6225 goto drop;
6226
e13e21dc 6227 if (chan->imtu < skb->len)
9f69bda6
GP		 6228 goto drop;
6229
80b98027 6230 if (!chan->ops->recv(chan, skb))
6810fca7 6231 return;
9f69bda6
GP		 6232
6233drop:
6234 kfree_skb(skb);
9f69bda6
GP		 6235}
6236
1da177e4
LT		 6237static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6238{
6239 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6240 u16 cid, len;
6241 __le16 psm;
1da177e4
LT		 6242
6243 skb_pull(skb, L2CAP_HDR_SIZE);
6244 cid = __le16_to_cpu(lh->cid);
6245 len = __le16_to_cpu(lh->len);
6246
1c2acffb
GP		 6247 if (len != skb->len) {
6248 kfree_skb(skb);
6249 return;
6250 }
6251
1da177e4
LT		 6252 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6253
6254 switch (cid) {
3300d9a9 6255 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6256 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6257 l2cap_sig_channel(conn, skb);
6258 break;
6259
8db4dc46 6260 case L2CAP_CID_CONN_LESS:
097db76c 6261 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6262 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6263 l2cap_conless_channel(conn, psm, skb);
6264 break;
6265
9f69bda6
GP		 6266 case L2CAP_CID_LE_DATA:
6267 l2cap_att_channel(conn, cid, skb);
6268 break;
6269
b501d6a1
AB		 6270 case L2CAP_CID_SMP:
6271 if (smp_sig_channel(conn, skb))
6272 l2cap_conn_del(conn->hcon, EACCES);
6273 break;
6274
1da177e4
LT		 6275 default:
6276 l2cap_data_channel(conn, cid, skb);
6277 break;
6278 }
6279}
6280
6281/* ---- L2CAP interface with lower layer (HCI) ---- */
6282
686ebf28 6283int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6284{
6285 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6286 struct l2cap_chan *c;
1da177e4 6287
6ed93dc6 6288 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6289
6290 /* Find listening sockets and check their link_mode */
23691d75
GP		 6291 read_lock(&chan_list_lock);
6292 list_for_each_entry(c, &chan_list, global_l) {
6293 struct sock *sk = c->sk;
4343478f 6294
89bc500e 6295 if (c->state != BT_LISTEN)
1da177e4
LT		 6296 continue;
6297
6298 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6299 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6300 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6301 lm1 |= HCI_LM_MASTER;
1da177e4 6302 exact++;
2af6b9d5
MH		 6303 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6304 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6305 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6306 lm2 |= HCI_LM_MASTER;
6307 }
1da177e4 6308 }
23691d75 6309 read_unlock(&chan_list_lock);
1da177e4
LT		 6310
6311 return exact ? lm1 : lm2;
6312}
6313
9e664631 6314void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6315{
0139418c
MH		 6316 struct l2cap_conn *conn;
6317
6ed93dc6 6318 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6319
1da177e4 6320 if (!status) {
1da177e4
LT		 6321 conn = l2cap_conn_add(hcon, status);
6322 if (conn)
6323 l2cap_conn_ready(conn);
ba6fc317 6324 } else {
e175072f 6325 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6326 }
1da177e4
LT		 6327}
6328
686ebf28 6329int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6330{
6331 struct l2cap_conn *conn = hcon->l2cap_data;
6332
6333 BT_DBG("hcon %p", hcon);
6334
686ebf28 6335 if (!conn)
9f5a0d7b 6336 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6337 return conn->disc_reason;
6338}
6339
9e664631 6340void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6341{
6342 BT_DBG("hcon %p reason %d", hcon, reason);
6343
e175072f 6344 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6345}
6346
4343478f 6347static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6348{
715ec005 6349 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6350 return;
6351
f62e4323 6352 if (encrypt == 0x00) {
4343478f 6353 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6354 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6355 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6356 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6357 } else {
4343478f 6358 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6359 __clear_chan_timer(chan);
f62e4323
MH		 6360 }
6361}
6362
686ebf28 6363int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6364{
0139418c 6365 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6366 struct l2cap_chan *chan;
1da177e4 6367
0139418c 6368 if (!conn)
1da177e4 6369 return 0;
0139418c 6370
89d8b407 6371 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6372
160dc6ac 6373 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6374 if (!status && encrypt)
6375 smp_distribute_keys(conn, 0);
17cd3f37 6376 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6377 }
6378
3df91ea2 6379 mutex_lock(&conn->chan_lock);
1da177e4 6380
3df91ea2 6381 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6382 l2cap_chan_lock(chan);
1da177e4 6383
89d8b407
AE		 6384 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6385 state_to_string(chan->state));
f1cb9af5 6386
78eb2f98
AE		 6387 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6388 l2cap_chan_unlock(chan);
6389 continue;
6390 }
6391
f1cb9af5
VCG		 6392 if (chan->scid == L2CAP_CID_LE_DATA) {
6393 if (!status && encrypt) {
6394 chan->sec_level = hcon->sec_level;
cf4cd009 6395 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6396 }
6397
6be36555 6398 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6399 continue;
6400 }
6401
96eff46e 6402 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6403 l2cap_chan_unlock(chan);
6a8d3010
MH		 6404 continue;
6405 }
6406
89bc500e 6407 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6408 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6409 struct sock *sk = chan->sk;
6410
c5daa683 6411 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6412 sk->sk_state_change(sk);
6413
4343478f 6414 l2cap_check_encryption(chan, encrypt);
6be36555 6415 l2cap_chan_unlock(chan);
9719f8af
MH		 6416 continue;
6417 }
6418
89bc500e 6419 if (chan->state == BT_CONNECT) {
b1235d79 6420 if (!status) {
93c3e8f5 6421 l2cap_start_connection(chan);
b1235d79 6422 } else {
ba13ccd9 6423 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6424 }
89bc500e 6425 } else if (chan->state == BT_CONNECT2) {
6be36555 6426 struct sock *sk = chan->sk;
b1235d79 6427 struct l2cap_conn_rsp rsp;
df3c3931 6428 __u16 res, stat;
1da177e4 6429
6be36555
AE		 6430 lock_sock(sk);
6431
b1235d79 6432 if (!status) {
c5daa683
GP		 6433 if (test_bit(BT_SK_DEFER_SETUP,
6434 &bt_sk(sk)->flags)) {
df3c3931
JH		 6435 res = L2CAP_CR_PEND;
6436 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6437 chan->ops->defer(chan);
df3c3931 6438 } else {
0e587be7 6439 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6440 res = L2CAP_CR_SUCCESS;
6441 stat = L2CAP_CS_NO_INFO;
6442 }
b1235d79 6443 } else {
0e587be7 6444 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6445 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6446 res = L2CAP_CR_SEC_BLOCK;
6447 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6448 }
6449
6be36555
AE		 6450 release_sock(sk);
6451
fe4128e0
GP		 6452 rsp.scid = cpu_to_le16(chan->dcid);
6453 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6454 rsp.result = cpu_to_le16(res);
6455 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6456 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6457 sizeof(rsp), &rsp);
2d369359
MM		 6458
6459 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6460 res == L2CAP_CR_SUCCESS) {
6461 char buf[128];
6462 set_bit(CONF_REQ_SENT, &chan->conf_state);
6463 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6464 L2CAP_CONF_REQ,
6465 l2cap_build_conf_req(chan, buf),
6466 buf);
6467 chan->num_conf_req++;
6468 }
b1235d79 6469 }
1da177e4 6470
6be36555 6471 l2cap_chan_unlock(chan);
1da177e4
LT		 6472 }
6473
3df91ea2 6474 mutex_unlock(&conn->chan_lock);
b1235d79 6475
1da177e4
LT		 6476 return 0;
6477}
6478
686ebf28 6479int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6480{
6481 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6482 struct l2cap_hdr *hdr;
6483 int len;
1da177e4 6484
1d13a254
AE		 6485 /* For AMP controller do not create l2cap conn */
6486 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6487 goto drop;
1da177e4 6488
5a08ecce
AE		 6489 if (!conn)
6490 conn = l2cap_conn_add(hcon, 0);
6491
6492 if (!conn)
1da177e4
LT		 6493 goto drop;
6494
6495 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6496
d73a0988
AE		 6497 switch (flags) {
6498 case ACL_START:
6499 case ACL_START_NO_FLUSH:
6500 case ACL_COMPLETE:
1da177e4
LT		 6501 if (conn->rx_len) {
6502 BT_ERR("Unexpected start frame (len %d)", skb->len);
6503 kfree_skb(conn->rx_skb);
6504 conn->rx_skb = NULL;
6505 conn->rx_len = 0;
6506 l2cap_conn_unreliable(conn, ECOMM);
6507 }
6508
aae7fe22
AE		 6509 /* Start fragment always begin with Basic L2CAP header */
6510 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6511 BT_ERR("Frame is too short (len %d)", skb->len);
6512 l2cap_conn_unreliable(conn, ECOMM);
6513 goto drop;
6514 }
6515
6516 hdr = (struct l2cap_hdr *) skb->data;
6517 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6518
6519 if (len == skb->len) {
6520 /* Complete frame received */
6521 l2cap_recv_frame(conn, skb);
6522 return 0;
6523 }
6524
6525 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6526
6527 if (skb->len > len) {
6528 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6529 skb->len, len);
1da177e4
LT		 6530 l2cap_conn_unreliable(conn, ECOMM);
6531 goto drop;
6532 }
6533
6534 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6535 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6536 if (!conn->rx_skb)
1da177e4
LT		 6537 goto drop;
6538
d626f62b 6539 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6540 skb->len);
1da177e4 6541 conn->rx_len = len - skb->len;
d73a0988
AE		 6542 break;
6543
6544 case ACL_CONT:
1da177e4
LT		 6545 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6546
6547 if (!conn->rx_len) {
6548 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6549 l2cap_conn_unreliable(conn, ECOMM);
6550 goto drop;
6551 }
6552
6553 if (skb->len > conn->rx_len) {
6554 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6555 skb->len, conn->rx_len);
1da177e4
LT		 6556 kfree_skb(conn->rx_skb);
6557 conn->rx_skb = NULL;
6558 conn->rx_len = 0;
6559 l2cap_conn_unreliable(conn, ECOMM);
6560 goto drop;
6561 }
6562
d626f62b 6563 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6564 skb->len);
1da177e4
LT		 6565 conn->rx_len -= skb->len;
6566
6567 if (!conn->rx_len) {
6568 /* Complete frame received */
6569 l2cap_recv_frame(conn, conn->rx_skb);
6570 conn->rx_skb = NULL;
6571 }
d73a0988 6572 break;
1da177e4
LT		 6573 }
6574
6575drop:
6576 kfree_skb(skb);
6577 return 0;
6578}
6579
aef7d97c 6580static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6581{
23691d75 6582 struct l2cap_chan *c;
1da177e4 6583
333055f2 6584 read_lock(&chan_list_lock);
1da177e4 6585
23691d75
GP		 6586 list_for_each_entry(c, &chan_list, global_l) {
6587 struct sock *sk = c->sk;
101545f6 6588
fcb73338
AE		 6589 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6590 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6591 c->state, __le16_to_cpu(c->psm),
6592 c->scid, c->dcid, c->imtu, c->omtu,
6593 c->sec_level, c->mode);
61e1b4b7 6594 }
1da177e4 6595
333055f2 6596 read_unlock(&chan_list_lock);
1da177e4 6597
aef7d97c 6598 return 0;
1da177e4
LT		 6599}
6600
aef7d97c
MH		 6601static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6602{
6603 return single_open(file, l2cap_debugfs_show, inode->i_private);
6604}
6605
6606static const struct file_operations l2cap_debugfs_fops = {
6607 .open = l2cap_debugfs_open,
6608 .read = seq_read,
6609 .llseek = seq_lseek,
6610 .release = single_release,
6611};
6612
6613static struct dentry *l2cap_debugfs;
1da177e4 6614
64274518 6615int __init l2cap_init(void)
1da177e4
LT		 6616{
6617 int err;
be9d1227 6618
bb58f747 6619 err = l2cap_init_sockets();
1da177e4
LT		 6620 if (err < 0)
6621 return err;
6622
aef7d97c 6623 if (bt_debugfs) {
2d792818
GP		 6624 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6625 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6626 if (!l2cap_debugfs)
6627 BT_ERR("Failed to create L2CAP debug file");
6628 }
1da177e4 6629
1da177e4 6630 return 0;
1da177e4
LT		 6631}
6632
64274518 6633void l2cap_exit(void)
1da177e4 6634{
aef7d97c 6635 debugfs_remove(l2cap_debugfs);
bb58f747 6636 l2cap_cleanup_sockets();
1da177e4
LT		 6637}
6638
d1c4a17d
GP		 6639module_param(disable_ertm, bool, 0644);
6640MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.352794 seconds and 5 git commands to generate.