projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge remote-tracking branch 'asoc/fix/wm8978' into asoc-linus
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
509 else
510 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 511 } else {
512 /* Alloc CID for connection-oriented socket */
fe4128e0 513 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 514 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 515 }
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
416fa752
AE		 525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
530 break;
531
5491120e 532 default:
0139418c 533 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 536 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 537 }
538
8f7975b1
AE		 539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 545
371fd835 546 l2cap_chan_hold(chan);
baa7e1fa 547
5ee9891d
JH		 548 hci_conn_hold(conn->hcon);
549
3df91ea2 550 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 551}
552
466f8004 553void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 554{
555 mutex_lock(&conn->chan_lock);
556 __l2cap_chan_add(conn, chan);
3df91ea2 557 mutex_unlock(&conn->chan_lock);
0139418c
MH		 558}
559
466f8004 560void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 561{
8c1d787b 562 struct l2cap_conn *conn = chan->conn;
0139418c 563
c9b66675 564 __clear_chan_timer(chan);
0139418c 565
49208c9c 566 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 567
8e87d142 568 if (conn) {
56f60984 569 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 570 /* Delete from channel list */
3df91ea2 571 list_del(&chan->list);
3d57dc68 572
371fd835 573 l2cap_chan_put(chan);
baa7e1fa 574
8c1d787b 575 chan->conn = NULL;
3cabbfda
AE		 576
577 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 578 hci_conn_drop(conn->hcon);
56f60984
AE		 579
580 if (mgr && mgr->bredr_chan == chan)
581 mgr->bredr_chan = NULL;
0139418c
MH		 582 }
583
419e08c1
AE		 584 if (chan->hs_hchan) {
585 struct hci_chan *hs_hchan = chan->hs_hchan;
586
587 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
588 amp_disconnect_logical_link(hs_hchan);
589 }
590
b699ec0d 591 chan->ops->teardown(chan, err);
6be36555 592
2827011f 593 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 594 return;
2ead70b8 595
ee556f66
GP		 596 switch(chan->mode) {
597 case L2CAP_MODE_BASIC:
598 break;
c13ffa62 599
ee556f66 600 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 601 __clear_retrans_timer(chan);
602 __clear_monitor_timer(chan);
603 __clear_ack_timer(chan);
c13ffa62 604
f1c6775b 605 skb_queue_purge(&chan->srej_q);
c13ffa62 606
3c588192
MM		 607 l2cap_seq_list_free(&chan->srej_list);
608 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 609
610 /* fall through */
611
612 case L2CAP_MODE_STREAMING:
613 skb_queue_purge(&chan->tx_q);
614 break;
c13ffa62 615 }
ee556f66
GP		 616
617 return;
0139418c
MH		 618}
619
0f852724 620void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 621{
622 struct l2cap_conn *conn = chan->conn;
623 struct sock *sk = chan->sk;
624
2d792818
GP		 625 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
626 sk);
4519de9a 627
89bc500e 628 switch (chan->state) {
4519de9a 629 case BT_LISTEN:
b699ec0d 630 chan->ops->teardown(chan, 0);
4519de9a
GP		 631 break;
632
633 case BT_CONNECTED:
634 case BT_CONFIG:
715ec005 635 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 636 conn->hcon->type == ACL_LINK) {
c9b66675 637 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 638 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 639 } else
640 l2cap_chan_del(chan, reason);
641 break;
642
643 case BT_CONNECT2:
715ec005 644 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 645 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 646 struct l2cap_conn_rsp rsp;
647 __u16 result;
648
c5daa683 649 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 650 result = L2CAP_CR_SEC_BLOCK;
651 else
652 result = L2CAP_CR_BAD_PSM;
89bc500e 653 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 654
655 rsp.scid = cpu_to_le16(chan->dcid);
656 rsp.dcid = cpu_to_le16(chan->scid);
657 rsp.result = cpu_to_le16(result);
ac73498c 658 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 659 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 660 sizeof(rsp), &rsp);
4519de9a
GP		 661 }
662
663 l2cap_chan_del(chan, reason);
664 break;
665
666 case BT_CONNECT:
667 case BT_DISCONN:
668 l2cap_chan_del(chan, reason);
669 break;
670
671 default:
b699ec0d 672 chan->ops->teardown(chan, 0);
4519de9a
GP		 673 break;
674 }
675}
676
4343478f 677static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 678{
715ec005 679 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 680 switch (chan->sec_level) {
8556edd3
JH		 681 case BT_SECURITY_HIGH:
682 return HCI_AT_DEDICATED_BONDING_MITM;
683 case BT_SECURITY_MEDIUM:
684 return HCI_AT_DEDICATED_BONDING;
685 default:
686 return HCI_AT_NO_BONDING;
687 }
2983fd68 688 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 689 if (chan->sec_level == BT_SECURITY_LOW)
690 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 691
4343478f 692 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 693 return HCI_AT_NO_BONDING_MITM;
00ae4af9 694 else
8556edd3 695 return HCI_AT_NO_BONDING;
00ae4af9 696 } else {
4343478f 697 switch (chan->sec_level) {
00ae4af9 698 case BT_SECURITY_HIGH:
8556edd3 699 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 700 case BT_SECURITY_MEDIUM:
8556edd3 701 return HCI_AT_GENERAL_BONDING;
00ae4af9 702 default:
8556edd3 703 return HCI_AT_NO_BONDING;
00ae4af9 704 }
0684e5f9 705 }
8556edd3
JH		 706}
707
708/* Service level security */
d45fc423 709int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 710{
8c1d787b 711 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 712 __u8 auth_type;
713
4343478f 714 auth_type = l2cap_get_auth_type(chan);
79d554a6 715
4343478f 716 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 717}
718
b5ad8b7f 719static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 720{
721 u8 id;
722
723 /* Get next available identificator.
724 * 1 - 128 are used by kernel.
725 * 129 - 199 are reserved.
726 * 200 - 254 are used by utilities like l2ping, etc.
727 */
728
333055f2 729 spin_lock(&conn->lock);
4e8402a3
MH		 730
731 if (++conn->tx_ident > 128)
732 conn->tx_ident = 1;
733
734 id = conn->tx_ident;
735
333055f2 736 spin_unlock(&conn->lock);
4e8402a3
MH		 737
738 return id;
739}
740
2d792818
GP		 741static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
742 void *data)
4e8402a3
MH		 743{
744 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 745 u8 flags;
4e8402a3
MH		 746
747 BT_DBG("code 0x%2.2x", code);
748
749 if (!skb)
9a9c6a34 750 return;
4e8402a3 751
e702112f
AE		 752 if (lmp_no_flush_capable(conn->hcon->hdev))
753 flags = ACL_START_NO_FLUSH;
754 else
755 flags = ACL_START;
756
14b12d0b 757 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 758 skb->priority = HCI_PRIO_MAX;
14b12d0b 759
73d80deb
LAD		 760 hci_send_acl(conn->hchan, skb, flags);
761}
762
02b0fbb9
MM		 763static bool __chan_is_moving(struct l2cap_chan *chan)
764{
765 return chan->move_state != L2CAP_MOVE_STABLE &&
766 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
767}
768
73d80deb
LAD		 769static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
770{
771 struct hci_conn *hcon = chan->conn->hcon;
772 u16 flags;
773
774 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 775 skb->priority);
73d80deb 776
d5f8a75d
MM		 777 if (chan->hs_hcon && !__chan_is_moving(chan)) {
778 if (chan->hs_hchan)
779 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
780 else
781 kfree_skb(skb);
782
783 return;
784 }
785
73d80deb 786 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 787 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 788 flags = ACL_START_NO_FLUSH;
789 else
790 flags = ACL_START;
14b12d0b 791
73d80deb
LAD		 792 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
793 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 794}
795
b76bbd66
MM		 796static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
797{
798 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
799 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
800
801 if (enh & L2CAP_CTRL_FRAME_TYPE) {
802 /* S-Frame */
803 control->sframe = 1;
804 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
805 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
806
807 control->sar = 0;
808 control->txseq = 0;
809 } else {
810 /* I-Frame */
811 control->sframe = 0;
812 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
813 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
814
815 control->poll = 0;
816 control->super = 0;
817 }
818}
819
b76bbd66
MM		 820static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
821{
822 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
823 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
824
825 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
826 /* S-Frame */
827 control->sframe = 1;
828 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
829 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
830
831 control->sar = 0;
832 control->txseq = 0;
833 } else {
834 /* I-Frame */
835 control->sframe = 0;
836 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
837 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
838
839 control->poll = 0;
840 control->super = 0;
841 }
842}
843
844static inline void __unpack_control(struct l2cap_chan *chan,
845 struct sk_buff *skb)
846{
847 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
848 __unpack_extended_control(get_unaligned_le32(skb->data),
849 &bt_cb(skb)->control);
cec8ab6e 850 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 851 } else {
852 __unpack_enhanced_control(get_unaligned_le16(skb->data),
853 &bt_cb(skb)->control);
cec8ab6e 854 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 855 }
856}
857
b5c6aaed
MM		 858static u32 __pack_extended_control(struct l2cap_ctrl *control)
859{
860 u32 packed;
861
862 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
863 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
864
865 if (control->sframe) {
866 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
867 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
868 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
869 } else {
870 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
871 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
872 }
873
874 return packed;
875}
876
877static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
878{
879 u16 packed;
880
881 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
882 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
883
884 if (control->sframe) {
885 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
886 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
887 packed |= L2CAP_CTRL_FRAME_TYPE;
888 } else {
889 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
890 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
891 }
892
893 return packed;
894}
895
b76bbd66
MM		 896static inline void __pack_control(struct l2cap_chan *chan,
897 struct l2cap_ctrl *control,
898 struct sk_buff *skb)
899{
900 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
901 put_unaligned_le32(__pack_extended_control(control),
902 skb->data + L2CAP_HDR_SIZE);
903 } else {
904 put_unaligned_le16(__pack_enhanced_control(control),
905 skb->data + L2CAP_HDR_SIZE);
906 }
907}
908
ba7aa64f
GP		 909static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
910{
911 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
912 return L2CAP_EXT_HDR_SIZE;
913 else
914 return L2CAP_ENH_HDR_SIZE;
915}
916
a67d7f6f
MM		 917static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
918 u32 control)
b5c6aaed
MM		 919{
920 struct sk_buff *skb;
921 struct l2cap_hdr *lh;
ba7aa64f 922 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 923
924 if (chan->fcs == L2CAP_FCS_CRC16)
925 hlen += L2CAP_FCS_SIZE;
926
a67d7f6f 927 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 928
b5c6aaed 929 if (!skb)
a67d7f6f 930 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 931
932 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
933 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
934 lh->cid = cpu_to_le16(chan->dcid);
935
a67d7f6f
MM		 936 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
937 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
938 else
939 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 940
941 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 942 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 943 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
944 }
945
946 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 947 return skb;
948}
949
950static void l2cap_send_sframe(struct l2cap_chan *chan,
951 struct l2cap_ctrl *control)
952{
953 struct sk_buff *skb;
954 u32 control_field;
955
956 BT_DBG("chan %p, control %p", chan, control);
957
958 if (!control->sframe)
959 return;
960
b99e13ad
MM		 961 if (__chan_is_moving(chan))
962 return;
963
a67d7f6f
MM		 964 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
965 !control->poll)
966 control->final = 1;
967
968 if (control->super == L2CAP_SUPER_RR)
969 clear_bit(CONN_RNR_SENT, &chan->conn_state);
970 else if (control->super == L2CAP_SUPER_RNR)
971 set_bit(CONN_RNR_SENT, &chan->conn_state);
972
973 if (control->super != L2CAP_SUPER_SREJ) {
974 chan->last_acked_seq = control->reqseq;
975 __clear_ack_timer(chan);
976 }
977
978 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
979 control->final, control->poll, control->super);
980
981 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
982 control_field = __pack_extended_control(control);
983 else
984 control_field = __pack_enhanced_control(control);
985
986 skb = l2cap_create_sframe_pdu(chan, control_field);
987 if (!IS_ERR(skb))
988 l2cap_do_send(chan, skb);
b5c6aaed
MM		 989}
990
c9e3d5e0 991static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 992{
c9e3d5e0
MM		 993 struct l2cap_ctrl control;
994
995 BT_DBG("chan %p, poll %d", chan, poll);
996
997 memset(&control, 0, sizeof(control));
998 control.sframe = 1;
999 control.poll = poll;
1000
1001 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1002 control.super = L2CAP_SUPER_RNR;
1003 else
1004 control.super = L2CAP_SUPER_RR;
b5c6aaed 1005
c9e3d5e0
MM		 1006 control.reqseq = chan->buffer_seq;
1007 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1008}
1009
b4450035 1010static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1011{
c1360a1c 1012 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1013}
1014
93c3e8f5
AE		 1015static bool __amp_capable(struct l2cap_chan *chan)
1016{
1017 struct l2cap_conn *conn = chan->conn;
1018
1019 if (enable_hs &&
5d05416e 1020 hci_amp_capable() &&
93c3e8f5
AE		 1021 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1022 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1023 return true;
1024 else
1025 return false;
1026}
1027
5ce66b59
AE		 1028static bool l2cap_check_efs(struct l2cap_chan *chan)
1029{
1030 /* Check EFS parameters */
1031 return true;
1032}
1033
2766be48 1034void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1035{
1036 struct l2cap_conn *conn = chan->conn;
1037 struct l2cap_conn_req req;
1038
1039 req.scid = cpu_to_le16(chan->scid);
1040 req.psm = chan->psm;
1041
1042 chan->ident = l2cap_get_ident(conn);
1043
1044 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1045
1046 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1047}
1048
8eb200bd
MM		 1049static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1050{
1051 struct l2cap_create_chan_req req;
1052 req.scid = cpu_to_le16(chan->scid);
1053 req.psm = chan->psm;
1054 req.amp_id = amp_id;
1055
1056 chan->ident = l2cap_get_ident(chan->conn);
1057
1058 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1059 sizeof(req), &req);
1060}
1061
02b0fbb9
MM		 1062static void l2cap_move_setup(struct l2cap_chan *chan)
1063{
1064 struct sk_buff *skb;
1065
1066 BT_DBG("chan %p", chan);
1067
1068 if (chan->mode != L2CAP_MODE_ERTM)
1069 return;
1070
1071 __clear_retrans_timer(chan);
1072 __clear_monitor_timer(chan);
1073 __clear_ack_timer(chan);
1074
1075 chan->retry_count = 0;
1076 skb_queue_walk(&chan->tx_q, skb) {
1077 if (bt_cb(skb)->control.retries)
1078 bt_cb(skb)->control.retries = 1;
1079 else
1080 break;
1081 }
1082
1083 chan->expected_tx_seq = chan->buffer_seq;
1084
1085 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1086 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1087 l2cap_seq_list_clear(&chan->retrans_list);
1088 l2cap_seq_list_clear(&chan->srej_list);
1089 skb_queue_purge(&chan->srej_q);
1090
1091 chan->tx_state = L2CAP_TX_STATE_XMIT;
1092 chan->rx_state = L2CAP_RX_STATE_MOVE;
1093
1094 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1095}
1096
5f3847a4
MM		 1097static void l2cap_move_done(struct l2cap_chan *chan)
1098{
1099 u8 move_role = chan->move_role;
1100 BT_DBG("chan %p", chan);
1101
1102 chan->move_state = L2CAP_MOVE_STABLE;
1103 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1104
1105 if (chan->mode != L2CAP_MODE_ERTM)
1106 return;
1107
1108 switch (move_role) {
1109 case L2CAP_MOVE_ROLE_INITIATOR:
1110 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1111 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1112 break;
1113 case L2CAP_MOVE_ROLE_RESPONDER:
1114 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1115 break;
1116 }
1117}
1118
9f0caeb1
VCG		 1119static void l2cap_chan_ready(struct l2cap_chan *chan)
1120{
2827011f 1121 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1122 chan->conf_state = 0;
1123 __clear_chan_timer(chan);
1124
54a59aa2 1125 chan->state = BT_CONNECTED;
9f0caeb1 1126
fd83e2c2 1127 chan->ops->ready(chan);
9f0caeb1
VCG		 1128}
1129
93c3e8f5
AE		 1130static void l2cap_start_connection(struct l2cap_chan *chan)
1131{
1132 if (__amp_capable(chan)) {
1133 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1134 a2mp_discover_amp(chan);
1135 } else {
1136 l2cap_send_conn_req(chan);
1137 }
1138}
1139
fc7f8a7e 1140static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1141{
8c1d787b 1142 struct l2cap_conn *conn = chan->conn;
79d554a6 1143
9f0caeb1
VCG		 1144 if (conn->hcon->type == LE_LINK) {
1145 l2cap_chan_ready(chan);
1146 return;
1147 }
1148
79d554a6 1149 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1150 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1151 return;
1152
d45fc423 1153 if (l2cap_chan_check_security(chan) &&
2d792818 1154 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1155 l2cap_start_connection(chan);
1156 }
79d554a6
MH		 1157 } else {
1158 struct l2cap_info_req req;
ac73498c 1159 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1160
1161 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1162 conn->info_ident = l2cap_get_ident(conn);
1163
ba13ccd9 1164 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1165
2d792818
GP		 1166 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1167 sizeof(req), &req);
79d554a6
MH		 1168 }
1169}
1170
cf6c2c0b
GP		 1171static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1172{
1173 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1174 if (!disable_ertm)
cf6c2c0b
GP		 1175 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1176
1177 switch (mode) {
1178 case L2CAP_MODE_ERTM:
1179 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1180 case L2CAP_MODE_STREAMING:
1181 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1182 default:
1183 return 0x00;
1184 }
1185}
1186
5e4e3972 1187static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1188{
6be36555 1189 struct sock *sk = chan->sk;
5e4e3972 1190 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1191 struct l2cap_disconn_req req;
1192
c13ffa62
GP		 1193 if (!conn)
1194 return;
1195
aad3d0e3 1196 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1197 __clear_retrans_timer(chan);
1198 __clear_monitor_timer(chan);
1199 __clear_ack_timer(chan);
c13ffa62
GP		 1200 }
1201
416fa752 1202 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1203 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1204 return;
1205 }
1206
fe4128e0
GP		 1207 req.dcid = cpu_to_le16(chan->dcid);
1208 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1209 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1210 sizeof(req), &req);
c13ffa62 1211
6be36555 1212 lock_sock(sk);
0e587be7 1213 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1214 __l2cap_chan_set_err(chan, err);
6be36555 1215 release_sock(sk);
22121fc9
GP		 1216}
1217
1da177e4 1218/* ---- L2CAP connections ---- */
4e8402a3
MH		 1219static void l2cap_conn_start(struct l2cap_conn *conn)
1220{
3df91ea2 1221 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1222
1223 BT_DBG("conn %p", conn);
1224
3df91ea2 1225 mutex_lock(&conn->chan_lock);
4e8402a3 1226
3df91ea2 1227 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1228 struct sock *sk = chan->sk;
baa7e1fa 1229
6be36555 1230 l2cap_chan_lock(chan);
4e8402a3 1231
715ec005 1232 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1233 l2cap_chan_unlock(chan);
79d554a6
MH		 1234 continue;
1235 }
1236
89bc500e 1237 if (chan->state == BT_CONNECT) {
d45fc423 1238 if (!l2cap_chan_check_security(chan) ||
2d792818 1239 !__l2cap_no_conn_pending(chan)) {
6be36555 1240 l2cap_chan_unlock(chan);
47731de7
GP		 1241 continue;
1242 }
79d554a6 1243
c1360a1c 1244 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1245 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1246 &chan->conf_state)) {
89bc500e 1247 l2cap_chan_close(chan, ECONNRESET);
6be36555 1248 l2cap_chan_unlock(chan);
47731de7 1249 continue;
b1235d79 1250 }
47731de7 1251
93c3e8f5 1252 l2cap_start_connection(chan);
47731de7 1253
89bc500e 1254 } else if (chan->state == BT_CONNECT2) {
79d554a6 1255 struct l2cap_conn_rsp rsp;
e9aeb2dd 1256 char buf[128];
fe4128e0
GP		 1257 rsp.scid = cpu_to_le16(chan->dcid);
1258 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1259
d45fc423 1260 if (l2cap_chan_check_security(chan)) {
6be36555 1261 lock_sock(sk);
c5daa683
GP		 1262 if (test_bit(BT_SK_DEFER_SETUP,
1263 &bt_sk(sk)->flags)) {
ac73498c
AE		 1264 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1265 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1266 chan->ops->defer(chan);
f66dc81f
MH		 1267
1268 } else {
0e587be7 1269 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1270 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1271 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1272 }
6be36555 1273 release_sock(sk);
79d554a6 1274 } else {
ac73498c
AE		 1275 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1276 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1277 }
1278
fc7f8a7e 1279 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1280 sizeof(rsp), &rsp);
e9aeb2dd 1281
c1360a1c 1282 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1283 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1284 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1285 continue;
1286 }
1287
c1360a1c 1288 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1289 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1290 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1291 chan->num_conf_req++;
4e8402a3
MH		 1292 }
1293
6be36555 1294 l2cap_chan_unlock(chan);
4e8402a3
MH		 1295 }
1296
3df91ea2 1297 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1298}
1299
c2287681 1300/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1301 * Returns closest match, locked.
1302 */
d9b88702 1303static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1304 bdaddr_t *src,
1305 bdaddr_t *dst)
b62f328b 1306{
23691d75 1307 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1308
23691d75 1309 read_lock(&chan_list_lock);
b62f328b 1310
23691d75
GP		 1311 list_for_each_entry(c, &chan_list, global_l) {
1312 struct sock *sk = c->sk;
fe4128e0 1313
89bc500e 1314 if (state && c->state != state)
b62f328b
VT		 1315 continue;
1316
23691d75 1317 if (c->scid == cid) {
c2287681
IY		 1318 int src_match, dst_match;
1319 int src_any, dst_any;
1320
b62f328b 1321 /* Exact match. */
c2287681
IY		 1322 src_match = !bacmp(&bt_sk(sk)->src, src);
1323 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1324 if (src_match && dst_match) {
23691d75
GP		 1325 read_unlock(&chan_list_lock);
1326 return c;
1327 }
b62f328b
VT		 1328
1329 /* Closest match */
c2287681
IY		 1330 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1331 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1332 if ((src_match && dst_any) || (src_any && dst_match) ||
1333 (src_any && dst_any))
23691d75 1334 c1 = c;
b62f328b
VT		 1335 }
1336 }
280f294f 1337
23691d75 1338 read_unlock(&chan_list_lock);
b62f328b 1339
23691d75 1340 return c1;
b62f328b
VT		 1341}
1342
1343static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1344{
60bac184 1345 struct sock *parent;
23691d75 1346 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1347
1348 BT_DBG("");
1349
1350 /* Check if we have socket listening on cid */
073d1cf3 1351 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
c2287681 1352 conn->src, conn->dst);
23691d75 1353 if (!pchan)
b62f328b
VT		 1354 return;
1355
44f3b0fb
JH		 1356 /* Client ATT sockets should override the server one */
1357 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1358 return;
1359
23691d75
GP		 1360 parent = pchan->sk;
1361
aa2ac881 1362 lock_sock(parent);
62f3a2cf 1363
80b98027 1364 chan = pchan->ops->new_connection(pchan);
80808e43 1365 if (!chan)
b62f328b
VT		 1366 goto clean;
1367
9f22398c
JH		 1368 chan->dcid = L2CAP_CID_ATT;
1369
60bac184
JH		 1370 bacpy(&bt_sk(chan->sk)->src, conn->src);
1371 bacpy(&bt_sk(chan->sk)->dst, conn->dst);
b62f328b 1372
44f3b0fb 1373 __l2cap_chan_add(conn, chan);
48454079 1374
b62f328b 1375clean:
aa2ac881 1376 release_sock(parent);
b62f328b
VT		 1377}
1378
4e8402a3
MH		 1379static void l2cap_conn_ready(struct l2cap_conn *conn)
1380{
48454079 1381 struct l2cap_chan *chan;
cc110922 1382 struct hci_conn *hcon = conn->hcon;
4e8402a3 1383
79d554a6 1384 BT_DBG("conn %p", conn);
4e8402a3 1385
d8729922
JH		 1386 /* For outgoing pairing which doesn't necessarily have an
1387 * associated socket (e.g. mgmt_pair_device).
1388 */
cc110922
VCG		 1389 if (hcon->out && hcon->type == LE_LINK)
1390 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1391
3df91ea2 1392 mutex_lock(&conn->chan_lock);
4e8402a3 1393
44f3b0fb
JH		 1394 if (hcon->type == LE_LINK)
1395 l2cap_le_conn_ready(conn);
1396
3df91ea2 1397 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1398
6be36555 1399 l2cap_chan_lock(chan);
4e8402a3 1400
416fa752
AE		 1401 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1402 l2cap_chan_unlock(chan);
1403 continue;
1404 }
1405
cc110922
VCG		 1406 if (hcon->type == LE_LINK) {
1407 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1408 l2cap_chan_ready(chan);
acd7d370 1409
63128451 1410 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1411 struct sock *sk = chan->sk;
c9b66675 1412 __clear_chan_timer(chan);
6be36555 1413 lock_sock(sk);
0e587be7 1414 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1415 sk->sk_state_change(sk);
6be36555 1416 release_sock(sk);
b501d6a1 1417
89bc500e 1418 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1419 l2cap_do_start(chan);
4e8402a3 1420
6be36555 1421 l2cap_chan_unlock(chan);
4e8402a3 1422 }
79d554a6 1423
3df91ea2 1424 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1425}
1426
1427/* Notify sockets that we cannot guaranty reliability anymore */
1428static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1429{
48454079 1430 struct l2cap_chan *chan;
4e8402a3
MH		 1431
1432 BT_DBG("conn %p", conn);
1433
3df91ea2 1434 mutex_lock(&conn->chan_lock);
4e8402a3 1435
3df91ea2 1436 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1437 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1438 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1439 }
1440
3df91ea2 1441 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1442}
1443
f878fcad 1444static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1445{
f878fcad 1446 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1447 info_timer.work);
4e8402a3 1448
984947dc 1449 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1450 conn->info_ident = 0;
984947dc 1451
4e8402a3
MH		 1452 l2cap_conn_start(conn);
1453}
1454
2c8e1411
DH		 1455/*
1456 * l2cap_user
1457 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1458 * callback is called during registration. The ->remove callback is called
1459 * during unregistration.
1460 * An l2cap_user object can either be explicitly unregistered or when the
1461 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1462 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1463 * External modules must own a reference to the l2cap_conn object if they intend
1464 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1465 * any time if they don't.
1466 */
1467
1468int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1469{
1470 struct hci_dev *hdev = conn->hcon->hdev;
1471 int ret;
1472
1473 /* We need to check whether l2cap_conn is registered. If it is not, we
1474 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1475 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1476 * relies on the parent hci_conn object to be locked. This itself relies
1477 * on the hci_dev object to be locked. So we must lock the hci device
1478 * here, too. */
1479
1480 hci_dev_lock(hdev);
1481
1482 if (user->list.next || user->list.prev) {
1483 ret = -EINVAL;
1484 goto out_unlock;
1485 }
1486
1487 /* conn->hchan is NULL after l2cap_conn_del() was called */
1488 if (!conn->hchan) {
1489 ret = -ENODEV;
1490 goto out_unlock;
1491 }
1492
1493 ret = user->probe(conn, user);
1494 if (ret)
1495 goto out_unlock;
1496
1497 list_add(&user->list, &conn->users);
1498 ret = 0;
1499
1500out_unlock:
1501 hci_dev_unlock(hdev);
1502 return ret;
1503}
1504EXPORT_SYMBOL(l2cap_register_user);
1505
1506void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1507{
1508 struct hci_dev *hdev = conn->hcon->hdev;
1509
1510 hci_dev_lock(hdev);
1511
1512 if (!user->list.next || !user->list.prev)
1513 goto out_unlock;
1514
1515 list_del(&user->list);
1516 user->list.next = NULL;
1517 user->list.prev = NULL;
1518 user->remove(conn, user);
1519
1520out_unlock:
1521 hci_dev_unlock(hdev);
1522}
1523EXPORT_SYMBOL(l2cap_unregister_user);
1524
1525static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1526{
1527 struct l2cap_user *user;
1528
1529 while (!list_empty(&conn->users)) {
1530 user = list_first_entry(&conn->users, struct l2cap_user, list);
1531 list_del(&user->list);
1532 user->list.next = NULL;
1533 user->list.prev = NULL;
1534 user->remove(conn, user);
1535 }
1536}
1537
5d3de7df
VCG		 1538static void l2cap_conn_del(struct hci_conn *hcon, int err)
1539{
1540 struct l2cap_conn *conn = hcon->l2cap_data;
1541 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1542
1543 if (!conn)
1544 return;
1545
1546 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1547
1548 kfree_skb(conn->rx_skb);
1549
2c8e1411
DH		 1550 l2cap_unregister_all_users(conn);
1551
3df91ea2
AE		 1552 mutex_lock(&conn->chan_lock);
1553
5d3de7df
VCG		 1554 /* Kill channels */
1555 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1556 l2cap_chan_hold(chan);
6be36555
AE		 1557 l2cap_chan_lock(chan);
1558
5d3de7df 1559 l2cap_chan_del(chan, err);
6be36555
AE		 1560
1561 l2cap_chan_unlock(chan);
1562
80b98027 1563 chan->ops->close(chan);
61d6ef3e 1564 l2cap_chan_put(chan);
5d3de7df
VCG		 1565 }
1566
3df91ea2
AE		 1567 mutex_unlock(&conn->chan_lock);
1568
73d80deb
LAD		 1569 hci_chan_del(conn->hchan);
1570
5d3de7df 1571 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1572 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1573
51a8efd7 1574 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1575 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1576 smp_chan_destroy(conn);
d26a2345 1577 }
5d3de7df
VCG		 1578
1579 hcon->l2cap_data = NULL;
9c903e37
DH		 1580 conn->hchan = NULL;
1581 l2cap_conn_put(conn);
5d3de7df
VCG		 1582}
1583
6c9d42a1 1584static void security_timeout(struct work_struct *work)
5d3de7df 1585{
6c9d42a1 1586 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1587 security_timer.work);
5d3de7df 1588
d06cc416
JH		 1589 BT_DBG("conn %p", conn);
1590
1591 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1592 smp_chan_destroy(conn);
1593 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1594 }
5d3de7df
VCG		 1595}
1596
baf43251 1597static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1598{
0139418c 1599 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1600 struct hci_chan *hchan;
1da177e4 1601
baf43251 1602 if (conn)
1da177e4
LT		 1603 return conn;
1604
73d80deb
LAD		 1605 hchan = hci_chan_create(hcon);
1606 if (!hchan)
1607 return NULL;
1608
8bcde1f2 1609 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1610 if (!conn) {
1611 hci_chan_del(hchan);
1da177e4 1612 return NULL;
73d80deb 1613 }
1da177e4 1614
9c903e37 1615 kref_init(&conn->ref);
1da177e4
LT		 1616 hcon->l2cap_data = conn;
1617 conn->hcon = hcon;
9c903e37 1618 hci_conn_get(conn->hcon);
73d80deb 1619 conn->hchan = hchan;
1da177e4 1620
73d80deb 1621 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1622
dcc042d5 1623 switch (hcon->type) {
dcc042d5
AE		 1624 case LE_LINK:
1625 if (hcon->hdev->le_mtu) {
1626 conn->mtu = hcon->hdev->le_mtu;
1627 break;
1628 }
1629 /* fall through */
dcc042d5 1630 default:
acd7d370 1631 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1632 break;
1633 }
acd7d370 1634
1da177e4
LT		 1635 conn->src = &hcon->hdev->bdaddr;
1636 conn->dst = &hcon->dst;
1637
4e8402a3
MH		 1638 conn->feat_mask = 0;
1639
1da177e4 1640 spin_lock_init(&conn->lock);
3df91ea2 1641 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1642
1643 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1644 INIT_LIST_HEAD(&conn->users);
1da177e4 1645
5d3de7df 1646 if (hcon->type == LE_LINK)
6c9d42a1 1647 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1648 else
030013d8 1649 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1650
9f5a0d7b 1651 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1652
1da177e4
LT		 1653 return conn;
1654}
1655
9c903e37
DH		 1656static void l2cap_conn_free(struct kref *ref)
1657{
1658 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1659
1660 hci_conn_put(conn->hcon);
1661 kfree(conn);
1662}
1663
1664void l2cap_conn_get(struct l2cap_conn *conn)
1665{
1666 kref_get(&conn->ref);
1667}
1668EXPORT_SYMBOL(l2cap_conn_get);
1669
1670void l2cap_conn_put(struct l2cap_conn *conn)
1671{
1672 kref_put(&conn->ref, l2cap_conn_free);
1673}
1674EXPORT_SYMBOL(l2cap_conn_put);
1675
1da177e4 1676/* ---- Socket interface ---- */
1da177e4 1677
c2287681 1678/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1679 * Returns closest match.
1680 */
c2287681
IY		 1681static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1682 bdaddr_t *src,
1683 bdaddr_t *dst)
1da177e4 1684{
23691d75 1685 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1686
23691d75 1687 read_lock(&chan_list_lock);
e0f0cb56 1688
23691d75
GP		 1689 list_for_each_entry(c, &chan_list, global_l) {
1690 struct sock *sk = c->sk;
fe4128e0 1691
89bc500e 1692 if (state && c->state != state)
1da177e4
LT		 1693 continue;
1694
23691d75 1695 if (c->psm == psm) {
c2287681
IY		 1696 int src_match, dst_match;
1697 int src_any, dst_any;
1698
1da177e4 1699 /* Exact match. */
c2287681
IY		 1700 src_match = !bacmp(&bt_sk(sk)->src, src);
1701 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1702 if (src_match && dst_match) {
a7567b20 1703 read_unlock(&chan_list_lock);
23691d75
GP		 1704 return c;
1705 }
1da177e4
LT		 1706
1707 /* Closest match */
c2287681
IY		 1708 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1709 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1710 if ((src_match && dst_any) || (src_any && dst_match) ||
1711 (src_any && dst_any))
23691d75 1712 c1 = c;
1da177e4
LT		 1713 }
1714 }
1da177e4 1715
23691d75 1716 read_unlock(&chan_list_lock);
e0f0cb56 1717
23691d75 1718 return c1;
1da177e4
LT		 1719}
1720
8e9f9892
AG		 1721int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1722 bdaddr_t *dst, u8 dst_type)
1da177e4 1723{
5d41ce1d 1724 struct sock *sk = chan->sk;
1da177e4 1725 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1726 struct l2cap_conn *conn;
1727 struct hci_conn *hcon;
1728 struct hci_dev *hdev;
09ab6f4c 1729 __u8 auth_type;
44d0e48e 1730 int err;
1da177e4 1731
6ed93dc6 1732 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1733 dst_type, __le16_to_cpu(psm));
1da177e4 1734
af05b30b
GP		 1735 hdev = hci_get_route(dst, src);
1736 if (!hdev)
1da177e4
LT		 1737 return -EHOSTUNREACH;
1738
09fd0de5 1739 hci_dev_lock(hdev);
1da177e4 1740
6be36555 1741 l2cap_chan_lock(chan);
03a00194
GP		 1742
1743 /* PSM must be odd and lsb of upper byte must be 0 */
1744 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1745 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1746 err = -EINVAL;
1747 goto done;
1748 }
1749
1750 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1751 err = -EINVAL;
1752 goto done;
1753 }
1754
1755 switch (chan->mode) {
1756 case L2CAP_MODE_BASIC:
1757 break;
1758 case L2CAP_MODE_ERTM:
1759 case L2CAP_MODE_STREAMING:
1760 if (!disable_ertm)
1761 break;
1762 /* fall through */
1763 default:
1764 err = -ENOTSUPP;
1765 goto done;
1766 }
1767
0797e01d 1768 switch (chan->state) {
03a00194
GP		 1769 case BT_CONNECT:
1770 case BT_CONNECT2:
1771 case BT_CONFIG:
1772 /* Already connecting */
1773 err = 0;
1774 goto done;
1775
1776 case BT_CONNECTED:
1777 /* Already connected */
1778 err = -EISCONN;
1779 goto done;
1780
1781 case BT_OPEN:
1782 case BT_BOUND:
1783 /* Can connect */
1784 break;
1785
1786 default:
1787 err = -EBADFD;
1788 goto done;
1789 }
1790
1791 /* Set destination address and psm */
0797e01d 1792 lock_sock(sk);
9219b2a0 1793 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1794 release_sock(sk);
1795
03a00194
GP		 1796 chan->psm = psm;
1797 chan->dcid = cid;
1da177e4 1798
4343478f 1799 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1800
f224ca5f 1801 if (bdaddr_type_is_le(dst_type))
8e9f9892 1802 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1803 chan->sec_level, auth_type);
acd7d370 1804 else
8e9f9892 1805 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1806 chan->sec_level, auth_type);
acd7d370 1807
30e76272
VT		 1808 if (IS_ERR(hcon)) {
1809 err = PTR_ERR(hcon);
1da177e4 1810 goto done;
30e76272 1811 }
1da177e4 1812
baf43251 1813 conn = l2cap_conn_add(hcon);
1da177e4 1814 if (!conn) {
76a68ba0 1815 hci_conn_drop(hcon);
30e76272 1816 err = -ENOMEM;
1da177e4
LT		 1817 goto done;
1818 }
1819
141d5706
JH		 1820 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1821 hci_conn_drop(hcon);
1822 err = -EBUSY;
1823 goto done;
9f0caeb1
VCG		 1824 }
1825
1da177e4
LT		 1826 /* Update source addr of the socket */
1827 bacpy(src, conn->src);
1828
6be36555 1829 l2cap_chan_unlock(chan);
48454079 1830 l2cap_chan_add(conn, chan);
6be36555 1831 l2cap_chan_lock(chan);
48454079 1832
5ee9891d
JH		 1833 /* l2cap_chan_add takes its own ref so we can drop this one */
1834 hci_conn_drop(hcon);
1835
6be36555 1836 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1837 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1838
1839 if (hcon->state == BT_CONNECTED) {
715ec005 1840 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1841 __clear_chan_timer(chan);
d45fc423 1842 if (l2cap_chan_check_security(chan))
6be36555 1843 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1844 } else
fc7f8a7e 1845 l2cap_do_start(chan);
1da177e4
LT		 1846 }
1847
30e76272
VT		 1848 err = 0;
1849
1da177e4 1850done:
6be36555 1851 l2cap_chan_unlock(chan);
09fd0de5 1852 hci_dev_unlock(hdev);
1da177e4
LT		 1853 hci_dev_put(hdev);
1854 return err;
1855}
1856
dcba0dba 1857int __l2cap_wait_ack(struct sock *sk)
6161c038 1858{
8c1d787b 1859 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1860 DECLARE_WAITQUEUE(wait, current);
1861 int err = 0;
1862 int timeo = HZ/5;
1863
2b0b05dd 1864 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1865 set_current_state(TASK_INTERRUPTIBLE);
1866 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1867 if (!timeo)
1868 timeo = HZ/5;
1869
1870 if (signal_pending(current)) {
1871 err = sock_intr_errno(timeo);
1872 break;
1873 }
1874
1875 release_sock(sk);
1876 timeo = schedule_timeout(timeo);
1877 lock_sock(sk);
a71a0cf4 1878 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1879
1880 err = sock_error(sk);
1881 if (err)
1882 break;
1883 }
1884 set_current_state(TASK_RUNNING);
2b0b05dd 1885 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1886 return err;
1887}
1888
721c4181 1889static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1890{
721c4181 1891 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1892 monitor_timer.work);
e90bac06 1893
525cd185 1894 BT_DBG("chan %p", chan);
0e98958d 1895
6be36555
AE		 1896 l2cap_chan_lock(chan);
1897
80909e04 1898 if (!chan->conn) {
6be36555 1899 l2cap_chan_unlock(chan);
8d7e1c7f 1900 l2cap_chan_put(chan);
e90bac06
GP		 1901 return;
1902 }
1903
401bb1f7 1904 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1905
6be36555 1906 l2cap_chan_unlock(chan);
8d7e1c7f 1907 l2cap_chan_put(chan);
e90bac06
GP		 1908}
1909
721c4181 1910static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1911{
721c4181 1912 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1913 retrans_timer.work);
e90bac06 1914
49208c9c 1915 BT_DBG("chan %p", chan);
0e98958d 1916
6be36555
AE		 1917 l2cap_chan_lock(chan);
1918
80909e04
MM		 1919 if (!chan->conn) {
1920 l2cap_chan_unlock(chan);
1921 l2cap_chan_put(chan);
1922 return;
1923 }
6be36555 1924
401bb1f7 1925 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1926 l2cap_chan_unlock(chan);
8d7e1c7f 1927 l2cap_chan_put(chan);
e90bac06
GP		 1928}
1929
d660366d
GP		 1930static void l2cap_streaming_send(struct l2cap_chan *chan,
1931 struct sk_buff_head *skbs)
6840ed07 1932{
ccbb84af 1933 struct sk_buff *skb;
3733937d 1934 struct l2cap_ctrl *control;
6840ed07 1935
3733937d
MM		 1936 BT_DBG("chan %p, skbs %p", chan, skbs);
1937
b99e13ad
MM		 1938 if (__chan_is_moving(chan))
1939 return;
1940
3733937d
MM		 1941 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1942
1943 while (!skb_queue_empty(&chan->tx_q)) {
1944
1945 skb = skb_dequeue(&chan->tx_q);
1946
1947 bt_cb(skb)->control.retries = 1;
1948 control = &bt_cb(skb)->control;
1949
1950 control->reqseq = 0;
1951 control->txseq = chan->next_tx_seq;
1952
1953 __pack_control(chan, control, skb);
6840ed07 1954
47d1ec61 1955 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1956 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1957 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1958 }
1959
4343478f 1960 l2cap_do_send(chan, skb);
6840ed07 1961
b4400672 1962 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1963
836be934 1964 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1965 chan->frames_sent++;
6840ed07 1966 }
6840ed07
GP		 1967}
1968
67c9e840 1969static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1970{
1971 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1972 struct l2cap_ctrl *control;
1973 int sent = 0;
1974
1975 BT_DBG("chan %p", chan);
1c2acffb 1976
89bc500e 1977 if (chan->state != BT_CONNECTED)
c13ffa62 1978 return -ENOTCONN;
e90bac06 1979
94122bbe
MM		 1980 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1981 return 0;
1982
b99e13ad
MM		 1983 if (__chan_is_moving(chan))
1984 return 0;
1985
18a48e76
MM		 1986 while (chan->tx_send_head &&
1987 chan->unacked_frames < chan->remote_tx_win &&
1988 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1989
18a48e76 1990 skb = chan->tx_send_head;
e90bac06 1991
18a48e76
MM		 1992 bt_cb(skb)->control.retries = 1;
1993 control = &bt_cb(skb)->control;
95ffa978 1994
e2ab4353 1995 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1996 control->final = 1;
e2ab4353 1997
18a48e76
MM		 1998 control->reqseq = chan->buffer_seq;
1999 chan->last_acked_seq = chan->buffer_seq;
2000 control->txseq = chan->next_tx_seq;
1c2acffb 2001
18a48e76 2002 __pack_control(chan, control, skb);
e90bac06 2003
47d1ec61 2004 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2005 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2006 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2007 }
2008
18a48e76
MM		 2009 /* Clone after data has been modified. Data is assumed to be
2010 read-only (for locking purposes) on cloned sk_buffs.
2011 */
2012 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2013
18a48e76
MM		 2014 if (!tx_skb)
2015 break;
1c2acffb 2016
18a48e76 2017 __set_retrans_timer(chan);
836be934
AE		 2018
2019 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2020 chan->unacked_frames++;
6a026610 2021 chan->frames_sent++;
18a48e76 2022 sent++;
1c2acffb 2023
58d35f87
GP		 2024 if (skb_queue_is_last(&chan->tx_q, skb))
2025 chan->tx_send_head = NULL;
1c2acffb 2026 else
58d35f87 2027 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2028
2029 l2cap_do_send(chan, tx_skb);
b4400672 2030 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2031 }
2032
b4400672
AE		 2033 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2034 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2035
2036 return sent;
9e917af1
GP		 2037}
2038
e1fbd4c1
MM		 2039static void l2cap_ertm_resend(struct l2cap_chan *chan)
2040{
2041 struct l2cap_ctrl control;
2042 struct sk_buff *skb;
2043 struct sk_buff *tx_skb;
2044 u16 seq;
2045
2046 BT_DBG("chan %p", chan);
2047
2048 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2049 return;
2050
b99e13ad
MM		 2051 if (__chan_is_moving(chan))
2052 return;
2053
e1fbd4c1
MM		 2054 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2055 seq = l2cap_seq_list_pop(&chan->retrans_list);
2056
2057 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2058 if (!skb) {
2059 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2060 seq);
e1fbd4c1
MM		 2061 continue;
2062 }
2063
2064 bt_cb(skb)->control.retries++;
2065 control = bt_cb(skb)->control;
2066
2067 if (chan->max_tx != 0 &&
2068 bt_cb(skb)->control.retries > chan->max_tx) {
2069 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2070 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2071 l2cap_seq_list_clear(&chan->retrans_list);
2072 break;
2073 }
2074
2075 control.reqseq = chan->buffer_seq;
2076 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2077 control.final = 1;
2078 else
2079 control.final = 0;
2080
2081 if (skb_cloned(skb)) {
2082 /* Cloned sk_buffs are read-only, so we need a
2083 * writeable copy
2084 */
8bcde1f2 2085 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2086 } else {
8bcde1f2 2087 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2088 }
2089
2090 if (!tx_skb) {
2091 l2cap_seq_list_clear(&chan->retrans_list);
2092 break;
2093 }
2094
2095 /* Update skb contents */
2096 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2097 put_unaligned_le32(__pack_extended_control(&control),
2098 tx_skb->data + L2CAP_HDR_SIZE);
2099 } else {
2100 put_unaligned_le16(__pack_enhanced_control(&control),
2101 tx_skb->data + L2CAP_HDR_SIZE);
2102 }
2103
2104 if (chan->fcs == L2CAP_FCS_CRC16) {
2105 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2106 put_unaligned_le16(fcs, skb_put(tx_skb,
2107 L2CAP_FCS_SIZE));
2108 }
2109
2110 l2cap_do_send(chan, tx_skb);
2111
2112 BT_DBG("Resent txseq %d", control.txseq);
2113
2114 chan->last_acked_seq = chan->buffer_seq;
2115 }
2116}
2117
f80842a8
MM		 2118static void l2cap_retransmit(struct l2cap_chan *chan,
2119 struct l2cap_ctrl *control)
2120{
2121 BT_DBG("chan %p, control %p", chan, control);
2122
2123 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2124 l2cap_ertm_resend(chan);
2125}
2126
d2a7ac5d
MM		 2127static void l2cap_retransmit_all(struct l2cap_chan *chan,
2128 struct l2cap_ctrl *control)
2129{
e1fbd4c1
MM		 2130 struct sk_buff *skb;
2131
2132 BT_DBG("chan %p, control %p", chan, control);
2133
2134 if (control->poll)
2135 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2136
2137 l2cap_seq_list_clear(&chan->retrans_list);
2138
2139 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2140 return;
2141
2142 if (chan->unacked_frames) {
2143 skb_queue_walk(&chan->tx_q, skb) {
2144 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2145 skb == chan->tx_send_head)
e1fbd4c1
MM		 2146 break;
2147 }
2148
2149 skb_queue_walk_from(&chan->tx_q, skb) {
2150 if (skb == chan->tx_send_head)
2151 break;
2152
2153 l2cap_seq_list_append(&chan->retrans_list,
2154 bt_cb(skb)->control.txseq);
2155 }
2156
2157 l2cap_ertm_resend(chan);
2158 }
d2a7ac5d
MM		 2159}
2160
0a0aba42 2161static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2162{
0a0aba42
MM		 2163 struct l2cap_ctrl control;
2164 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2165 chan->last_acked_seq);
2166 int threshold;
9e917af1 2167
0a0aba42
MM		 2168 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2169 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2170
0a0aba42
MM		 2171 memset(&control, 0, sizeof(control));
2172 control.sframe = 1;
dfc909be 2173
0a0aba42
MM		 2174 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2175 chan->rx_state == L2CAP_RX_STATE_RECV) {
2176 __clear_ack_timer(chan);
2177 control.super = L2CAP_SUPER_RNR;
2178 control.reqseq = chan->buffer_seq;
2179 l2cap_send_sframe(chan, &control);
2180 } else {
2181 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2182 l2cap_ertm_send(chan);
2183 /* If any i-frames were sent, they included an ack */
2184 if (chan->buffer_seq == chan->last_acked_seq)
2185 frames_to_ack = 0;
2186 }
dfc909be 2187
c20f8e35 2188 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2189 * Calculate without mul or div
2190 */
c20f8e35 2191 threshold = chan->ack_win;
0a0aba42
MM		 2192 threshold += threshold << 1;
2193 threshold >>= 2;
2194
b4400672 2195 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2196 threshold);
2197
2198 if (frames_to_ack >= threshold) {
2199 __clear_ack_timer(chan);
2200 control.super = L2CAP_SUPER_RR;
2201 control.reqseq = chan->buffer_seq;
2202 l2cap_send_sframe(chan, &control);
2203 frames_to_ack = 0;
2204 }
1c2acffb 2205
0a0aba42
MM		 2206 if (frames_to_ack)
2207 __set_ack_timer(chan);
2208 }
b17e73bb
SJ		 2209}
2210
04124681
GP		 2211static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2212 struct msghdr *msg, int len,
2213 int count, struct sk_buff *skb)
1c2acffb 2214{
0952a57a 2215 struct l2cap_conn *conn = chan->conn;
1c2acffb 2216 struct sk_buff **frag;
90338947 2217 int sent = 0;
1da177e4 2218
59203a21 2219 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2220 return -EFAULT;
1da177e4
LT		 2221
2222 sent += count;
2223 len -= count;
2224
2225 /* Continuation fragments (no L2CAP header) */
2226 frag = &skb_shinfo(skb)->frag_list;
2227 while (len) {
fbe00700
GP		 2228 struct sk_buff *tmp;
2229
1da177e4
LT		 2230 count = min_t(unsigned int, conn->mtu, len);
2231
fbe00700
GP		 2232 tmp = chan->ops->alloc_skb(chan, count,
2233 msg->msg_flags & MSG_DONTWAIT);
2234 if (IS_ERR(tmp))
2235 return PTR_ERR(tmp);
2236
2237 *frag = tmp;
2f7719ce 2238
1c2acffb
GP		 2239 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2240 return -EFAULT;
1da177e4 2241
5e59b791
LAD		 2242 (*frag)->priority = skb->priority;
2243
1da177e4
LT		 2244 sent += count;
2245 len -= count;
2246
2d0ed3d5
GP		 2247 skb->len += (*frag)->len;
2248 skb->data_len += (*frag)->len;
2249
1da177e4
LT		 2250 frag = &(*frag)->next;
2251 }
1da177e4
LT		 2252
2253 return sent;
1c2acffb 2254}
1da177e4 2255
5e59b791 2256static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2257 struct msghdr *msg, size_t len,
2258 u32 priority)
1c2acffb 2259{
8c1d787b 2260 struct l2cap_conn *conn = chan->conn;
1c2acffb 2261 struct sk_buff *skb;
03a51213 2262 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2263 struct l2cap_hdr *lh;
2264
b4400672 2265 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2266
2267 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2268
2269 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2270 msg->msg_flags & MSG_DONTWAIT);
2271 if (IS_ERR(skb))
2272 return skb;
1c2acffb 2273
5e59b791
LAD		 2274 skb->priority = priority;
2275
1c2acffb
GP		 2276 /* Create L2CAP header */
2277 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2278 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2279 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2280 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2281
0952a57a 2282 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2283 if (unlikely(err < 0)) {
2284 kfree_skb(skb);
2285 return ERR_PTR(err);
2286 }
2287 return skb;
2288}
2289
5e59b791 2290static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2291 struct msghdr *msg, size_t len,
2292 u32 priority)
1c2acffb 2293{
8c1d787b 2294 struct l2cap_conn *conn = chan->conn;
1c2acffb 2295 struct sk_buff *skb;
f2ba7fae 2296 int err, count;
1c2acffb
GP		 2297 struct l2cap_hdr *lh;
2298
b4400672 2299 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2300
f2ba7fae 2301 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2302
f2ba7fae 2303 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2304 msg->msg_flags & MSG_DONTWAIT);
2305 if (IS_ERR(skb))
2306 return skb;
1c2acffb 2307
5e59b791
LAD		 2308 skb->priority = priority;
2309
1c2acffb
GP		 2310 /* Create L2CAP header */
2311 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2312 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2313 lh->len = cpu_to_le16(len);
1c2acffb 2314
0952a57a 2315 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2316 if (unlikely(err < 0)) {
2317 kfree_skb(skb);
2318 return ERR_PTR(err);
2319 }
2320 return skb;
2321}
2322
ab0ff76d 2323static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2324 struct msghdr *msg, size_t len,
2325 u16 sdulen)
1c2acffb 2326{
8c1d787b 2327 struct l2cap_conn *conn = chan->conn;
1c2acffb 2328 struct sk_buff *skb;
e4ca6d98 2329 int err, count, hlen;
1c2acffb
GP		 2330 struct l2cap_hdr *lh;
2331
b4400672 2332 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2333
0ee0d208
GP		 2334 if (!conn)
2335 return ERR_PTR(-ENOTCONN);
2336
ba7aa64f 2337 hlen = __ertm_hdr_size(chan);
e4ca6d98 2338
c74e560c 2339 if (sdulen)
03a51213 2340 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2341
47d1ec61 2342 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2343 hlen += L2CAP_FCS_SIZE;
fcc203c3 2344
1c2acffb 2345 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2346
2347 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2348 msg->msg_flags & MSG_DONTWAIT);
2349 if (IS_ERR(skb))
2350 return skb;
1c2acffb
GP		 2351
2352 /* Create L2CAP header */
2353 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2354 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2355 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2356
18a48e76
MM		 2357 /* Control header is populated later */
2358 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2359 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2360 else
2361 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2362
c74e560c 2363 if (sdulen)
03a51213 2364 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2365
0952a57a 2366 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2367 if (unlikely(err < 0)) {
2368 kfree_skb(skb);
2369 return ERR_PTR(err);
2370 }
e90bac06 2371
18a48e76 2372 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2373 bt_cb(skb)->control.retries = 0;
1c2acffb 2374 return skb;
1da177e4
LT		 2375}
2376
94122bbe
MM		 2377static int l2cap_segment_sdu(struct l2cap_chan *chan,
2378 struct sk_buff_head *seg_queue,
2379 struct msghdr *msg, size_t len)
c74e560c 2380{
c74e560c 2381 struct sk_buff *skb;
94122bbe
MM		 2382 u16 sdu_len;
2383 size_t pdu_len;
94122bbe 2384 u8 sar;
c74e560c 2385
b4400672 2386 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2387
94122bbe
MM		 2388 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2389 * so fragmented skbs are not used. The HCI layer's handling
2390 * of fragmented skbs is not compatible with ERTM's queueing.
2391 */
c74e560c 2392
94122bbe
MM		 2393 /* PDU size is derived from the HCI MTU */
2394 pdu_len = chan->conn->mtu;
c74e560c 2395
a549574d
MM		 2396 /* Constrain PDU size for BR/EDR connections */
2397 if (!chan->hs_hcon)
2398 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2399
2400 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2401 if (chan->fcs)
2402 pdu_len -= L2CAP_FCS_SIZE;
2403
ba7aa64f 2404 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2405
2406 /* Remote device may have requested smaller PDUs */
2407 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2408
2409 if (len <= pdu_len) {
2410 sar = L2CAP_SAR_UNSEGMENTED;
2411 sdu_len = 0;
2412 pdu_len = len;
2413 } else {
2414 sar = L2CAP_SAR_START;
2415 sdu_len = len;
2416 pdu_len -= L2CAP_SDULEN_SIZE;
2417 }
2418
2419 while (len > 0) {
2420 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2421
c74e560c 2422 if (IS_ERR(skb)) {
94122bbe 2423 __skb_queue_purge(seg_queue);
c74e560c
GP		 2424 return PTR_ERR(skb);
2425 }
2426
94122bbe
MM		 2427 bt_cb(skb)->control.sar = sar;
2428 __skb_queue_tail(seg_queue, skb);
2429
2430 len -= pdu_len;
2431 if (sdu_len) {
2432 sdu_len = 0;
2433 pdu_len += L2CAP_SDULEN_SIZE;
2434 }
2435
2436 if (len <= pdu_len) {
2437 sar = L2CAP_SAR_END;
2438 pdu_len = len;
2439 } else {
2440 sar = L2CAP_SAR_CONTINUE;
2441 }
c74e560c 2442 }
c74e560c 2443
f0f62799 2444 return 0;
c74e560c
GP		 2445}
2446
5e59b791 2447int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2448 u32 priority)
9a91a04a 2449{
9a91a04a 2450 struct sk_buff *skb;
9a91a04a 2451 int err;
94122bbe 2452 struct sk_buff_head seg_queue;
9a91a04a
GP		 2453
2454 /* Connectionless channel */
715ec005 2455 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2456 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2457 if (IS_ERR(skb))
2458 return PTR_ERR(skb);
2459
2460 l2cap_do_send(chan, skb);
2461 return len;
2462 }
2463
2464 switch (chan->mode) {
2465 case L2CAP_MODE_BASIC:
2466 /* Check outgoing MTU */
2467 if (len > chan->omtu)
2468 return -EMSGSIZE;
2469
2470 /* Create a basic PDU */
5e59b791 2471 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2472 if (IS_ERR(skb))
2473 return PTR_ERR(skb);
2474
2475 l2cap_do_send(chan, skb);
2476 err = len;
2477 break;
2478
2479 case L2CAP_MODE_ERTM:
2480 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2481 /* Check outgoing MTU */
2482 if (len > chan->omtu) {
2483 err = -EMSGSIZE;
2484 break;
2485 }
9a91a04a 2486
94122bbe 2487 __skb_queue_head_init(&seg_queue);
9a91a04a 2488
94122bbe
MM		 2489 /* Do segmentation before calling in to the state machine,
2490 * since it's possible to block while waiting for memory
2491 * allocation.
2492 */
2493 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2494
94122bbe
MM		 2495 /* The channel could have been closed while segmenting,
2496 * check that it is still connected.
2497 */
2498 if (chan->state != BT_CONNECTED) {
2499 __skb_queue_purge(&seg_queue);
2500 err = -ENOTCONN;
9a91a04a
GP		 2501 }
2502
94122bbe 2503 if (err)
9a91a04a 2504 break;
9a91a04a 2505
3733937d 2506 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2507 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2508 else
d660366d 2509 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2510
d660366d 2511 err = len;
9a91a04a 2512
94122bbe
MM		 2513 /* If the skbs were not queued for sending, they'll still be in
2514 * seg_queue and need to be purged.
2515 */
2516 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2517 break;
2518
2519 default:
2520 BT_DBG("bad state %1.1x", chan->mode);
2521 err = -EBADFD;
2522 }
2523
2524 return err;
2525}
2526
d2a7ac5d
MM		 2527static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2528{
bed68bde
MM		 2529 struct l2cap_ctrl control;
2530 u16 seq;
2531
b4400672 2532 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2533
2534 memset(&control, 0, sizeof(control));
2535 control.sframe = 1;
2536 control.super = L2CAP_SUPER_SREJ;
2537
2538 for (seq = chan->expected_tx_seq; seq != txseq;
2539 seq = __next_seq(chan, seq)) {
2540 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2541 control.reqseq = seq;
2542 l2cap_send_sframe(chan, &control);
2543 l2cap_seq_list_append(&chan->srej_list, seq);
2544 }
2545 }
2546
2547 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2548}
2549
2550static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2551{
bed68bde
MM		 2552 struct l2cap_ctrl control;
2553
2554 BT_DBG("chan %p", chan);
2555
2556 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2557 return;
2558
2559 memset(&control, 0, sizeof(control));
2560 control.sframe = 1;
2561 control.super = L2CAP_SUPER_SREJ;
2562 control.reqseq = chan->srej_list.tail;
2563 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2564}
2565
2566static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2567{
bed68bde
MM		 2568 struct l2cap_ctrl control;
2569 u16 initial_head;
2570 u16 seq;
2571
b4400672 2572 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2573
2574 memset(&control, 0, sizeof(control));
2575 control.sframe = 1;
2576 control.super = L2CAP_SUPER_SREJ;
2577
2578 /* Capture initial list head to allow only one pass through the list. */
2579 initial_head = chan->srej_list.head;
2580
2581 do {
2582 seq = l2cap_seq_list_pop(&chan->srej_list);
2583 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2584 break;
2585
2586 control.reqseq = seq;
2587 l2cap_send_sframe(chan, &control);
2588 l2cap_seq_list_append(&chan->srej_list, seq);
2589 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2590}
2591
608bcc6d
MM		 2592static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2593{
2594 struct sk_buff *acked_skb;
2595 u16 ackseq;
2596
b4400672 2597 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2598
2599 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2600 return;
2601
b4400672 2602 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2603 chan->expected_ack_seq, chan->unacked_frames);
2604
2605 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2606 ackseq = __next_seq(chan, ackseq)) {
2607
2608 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2609 if (acked_skb) {
2610 skb_unlink(acked_skb, &chan->tx_q);
2611 kfree_skb(acked_skb);
2612 chan->unacked_frames--;
2613 }
2614 }
2615
2616 chan->expected_ack_seq = reqseq;
2617
2618 if (chan->unacked_frames == 0)
2619 __clear_retrans_timer(chan);
2620
b4400672 2621 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2622}
2623
2624static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2625{
2626 BT_DBG("chan %p", chan);
2627
2628 chan->expected_tx_seq = chan->buffer_seq;
2629 l2cap_seq_list_clear(&chan->srej_list);
2630 skb_queue_purge(&chan->srej_q);
2631 chan->rx_state = L2CAP_RX_STATE_RECV;
2632}
2633
d660366d
GP		 2634static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2635 struct l2cap_ctrl *control,
2636 struct sk_buff_head *skbs, u8 event)
608bcc6d 2637{
608bcc6d
MM		 2638 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2639 event);
2640
2641 switch (event) {
2642 case L2CAP_EV_DATA_REQUEST:
2643 if (chan->tx_send_head == NULL)
2644 chan->tx_send_head = skb_peek(skbs);
2645
2646 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2647 l2cap_ertm_send(chan);
2648 break;
2649 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2650 BT_DBG("Enter LOCAL_BUSY");
2651 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2652
2653 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2654 /* The SREJ_SENT state must be aborted if we are to
2655 * enter the LOCAL_BUSY state.
2656 */
2657 l2cap_abort_rx_srej_sent(chan);
2658 }
2659
2660 l2cap_send_ack(chan);
2661
2662 break;
2663 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2664 BT_DBG("Exit LOCAL_BUSY");
2665 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2666
2667 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2668 struct l2cap_ctrl local_control;
2669
2670 memset(&local_control, 0, sizeof(local_control));
2671 local_control.sframe = 1;
2672 local_control.super = L2CAP_SUPER_RR;
2673 local_control.poll = 1;
2674 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2675 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2676
2677 chan->retry_count = 1;
2678 __set_monitor_timer(chan);
2679 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2680 }
2681 break;
2682 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2683 l2cap_process_reqseq(chan, control->reqseq);
2684 break;
2685 case L2CAP_EV_EXPLICIT_POLL:
2686 l2cap_send_rr_or_rnr(chan, 1);
2687 chan->retry_count = 1;
2688 __set_monitor_timer(chan);
2689 __clear_ack_timer(chan);
2690 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2691 break;
2692 case L2CAP_EV_RETRANS_TO:
2693 l2cap_send_rr_or_rnr(chan, 1);
2694 chan->retry_count = 1;
2695 __set_monitor_timer(chan);
2696 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2697 break;
2698 case L2CAP_EV_RECV_FBIT:
2699 /* Nothing to process */
2700 break;
2701 default:
2702 break;
2703 }
608bcc6d
MM		 2704}
2705
d660366d
GP		 2706static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2707 struct l2cap_ctrl *control,
2708 struct sk_buff_head *skbs, u8 event)
608bcc6d 2709{
608bcc6d
MM		 2710 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2711 event);
2712
2713 switch (event) {
2714 case L2CAP_EV_DATA_REQUEST:
2715 if (chan->tx_send_head == NULL)
2716 chan->tx_send_head = skb_peek(skbs);
2717 /* Queue data, but don't send. */
2718 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2719 break;
2720 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2721 BT_DBG("Enter LOCAL_BUSY");
2722 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2723
2724 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2725 /* The SREJ_SENT state must be aborted if we are to
2726 * enter the LOCAL_BUSY state.
2727 */
2728 l2cap_abort_rx_srej_sent(chan);
2729 }
2730
2731 l2cap_send_ack(chan);
2732
2733 break;
2734 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2735 BT_DBG("Exit LOCAL_BUSY");
2736 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2737
2738 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2739 struct l2cap_ctrl local_control;
2740 memset(&local_control, 0, sizeof(local_control));
2741 local_control.sframe = 1;
2742 local_control.super = L2CAP_SUPER_RR;
2743 local_control.poll = 1;
2744 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2745 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2746
2747 chan->retry_count = 1;
2748 __set_monitor_timer(chan);
2749 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2750 }
2751 break;
2752 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2753 l2cap_process_reqseq(chan, control->reqseq);
2754
2755 /* Fall through */
2756
2757 case L2CAP_EV_RECV_FBIT:
2758 if (control && control->final) {
2759 __clear_monitor_timer(chan);
2760 if (chan->unacked_frames > 0)
2761 __set_retrans_timer(chan);
2762 chan->retry_count = 0;
2763 chan->tx_state = L2CAP_TX_STATE_XMIT;
2764 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2765 }
2766 break;
2767 case L2CAP_EV_EXPLICIT_POLL:
2768 /* Ignore */
2769 break;
2770 case L2CAP_EV_MONITOR_TO:
2771 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2772 l2cap_send_rr_or_rnr(chan, 1);
2773 __set_monitor_timer(chan);
2774 chan->retry_count++;
2775 } else {
5e4e3972 2776 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2777 }
2778 break;
2779 default:
2780 break;
2781 }
608bcc6d
MM		 2782}
2783
d660366d
GP		 2784static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2785 struct sk_buff_head *skbs, u8 event)
608bcc6d 2786{
608bcc6d
MM		 2787 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2788 chan, control, skbs, event, chan->tx_state);
2789
2790 switch (chan->tx_state) {
2791 case L2CAP_TX_STATE_XMIT:
d660366d 2792 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2793 break;
2794 case L2CAP_TX_STATE_WAIT_F:
d660366d 2795 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2796 break;
2797 default:
2798 /* Ignore event */
2799 break;
2800 }
608bcc6d
MM		 2801}
2802
4b51dae9
MM		 2803static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2804 struct l2cap_ctrl *control)
2805{
2806 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2807 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2808}
2809
f80842a8
MM		 2810static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2811 struct l2cap_ctrl *control)
2812{
2813 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2814 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2815}
2816
1da177e4
LT		 2817/* Copy frame to all raw sockets on that connection */
2818static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2819{
1da177e4 2820 struct sk_buff *nskb;
48454079 2821 struct l2cap_chan *chan;
1da177e4
LT		 2822
2823 BT_DBG("conn %p", conn);
2824
3df91ea2 2825 mutex_lock(&conn->chan_lock);
3d57dc68 2826
3df91ea2 2827 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2828 struct sock *sk = chan->sk;
715ec005 2829 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2830 continue;
2831
2832 /* Don't send frame to the socket it came from */
2833 if (skb->sk == sk)
2834 continue;
8bcde1f2 2835 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2836 if (!nskb)
1da177e4
LT		 2837 continue;
2838
80b98027 2839 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2840 kfree_skb(nskb);
2841 }
3d57dc68 2842
3df91ea2 2843 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2844}
2845
2846/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2847static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2848 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2849{
2850 struct sk_buff *skb, **frag;
2851 struct l2cap_cmd_hdr *cmd;
2852 struct l2cap_hdr *lh;
2853 int len, count;
2854
b4400672
AE		 2855 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2856 conn, code, ident, dlen);
1da177e4 2857
300b962e
AL		 2858 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2859 return NULL;
2860
1da177e4
LT		 2861 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2862 count = min_t(unsigned int, conn->mtu, len);
2863
8bcde1f2 2864 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2865 if (!skb)
2866 return NULL;
2867
2868 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2869 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2870
2871 if (conn->hcon->type == LE_LINK)
ac73498c 2872 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2873 else
ac73498c 2874 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2875
2876 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2877 cmd->code = code;
2878 cmd->ident = ident;
aca3192c 2879 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2880
2881 if (dlen) {
2882 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2883 memcpy(skb_put(skb, count), data, count);
2884 data += count;
2885 }
2886
2887 len -= skb->len;
2888
2889 /* Continuation fragments (no L2CAP header) */
2890 frag = &skb_shinfo(skb)->frag_list;
2891 while (len) {
2892 count = min_t(unsigned int, conn->mtu, len);
2893
8bcde1f2 2894 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2895 if (!*frag)
2896 goto fail;
2897
2898 memcpy(skb_put(*frag, count), data, count);
2899
2900 len -= count;
2901 data += count;
2902
2903 frag = &(*frag)->next;
2904 }
2905
2906 return skb;
2907
2908fail:
2909 kfree_skb(skb);
2910 return NULL;
2911}
2912
2d792818
GP		 2913static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2914 unsigned long *val)
1da177e4
LT		 2915{
2916 struct l2cap_conf_opt *opt = *ptr;
2917 int len;
2918
2919 len = L2CAP_CONF_OPT_SIZE + opt->len;
2920 *ptr += len;
2921
2922 *type = opt->type;
2923 *olen = opt->len;
2924
2925 switch (opt->len) {
2926 case 1:
2927 *val = *((u8 *) opt->val);
2928 break;
2929
2930 case 2:
bfaaeb3e 2931 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2932 break;
2933
2934 case 4:
bfaaeb3e 2935 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2936 break;
2937
2938 default:
2939 *val = (unsigned long) opt->val;
2940 break;
2941 }
2942
b4400672 2943 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2944 return len;
2945}
2946
1da177e4
LT		 2947static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2948{
2949 struct l2cap_conf_opt *opt = *ptr;
2950
b4400672 2951 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2952
2953 opt->type = type;
2954 opt->len = len;
2955
2956 switch (len) {
2957 case 1:
2958 *((u8 *) opt->val) = val;
2959 break;
2960
2961 case 2:
4f8b691c 2962 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2963 break;
2964
2965 case 4:
4f8b691c 2966 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2967 break;
2968
2969 default:
2970 memcpy(opt->val, (void *) val, len);
2971 break;
2972 }
2973
2974 *ptr += L2CAP_CONF_OPT_SIZE + len;
2975}
2976
f89cef09
AE		 2977static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2978{
2979 struct l2cap_conf_efs efs;
2980
1ec918ce 2981 switch (chan->mode) {
f89cef09
AE		 2982 case L2CAP_MODE_ERTM:
2983 efs.id = chan->local_id;
2984 efs.stype = chan->local_stype;
2985 efs.msdu = cpu_to_le16(chan->local_msdu);
2986 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2987 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2988 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2989 break;
2990
2991 case L2CAP_MODE_STREAMING:
2992 efs.id = 1;
2993 efs.stype = L2CAP_SERV_BESTEFFORT;
2994 efs.msdu = cpu_to_le16(chan->local_msdu);
2995 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2996 efs.acc_lat = 0;
2997 efs.flush_to = 0;
2998 break;
2999
3000 default:
3001 return;
3002 }
3003
3004 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3005 (unsigned long) &efs);
f89cef09
AE		 3006}
3007
721c4181 3008static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3009{
721c4181 3010 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3011 ack_timer.work);
3012 u16 frames_to_ack;
c1b4f43b 3013
2fb9b3d4
GP		 3014 BT_DBG("chan %p", chan);
3015
6be36555
AE		 3016 l2cap_chan_lock(chan);
3017
0362520b
MM		 3018 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3019 chan->last_acked_seq);
6be36555 3020
0362520b
MM		 3021 if (frames_to_ack)
3022 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3023
0362520b 3024 l2cap_chan_unlock(chan);
09bfb2ee 3025 l2cap_chan_put(chan);
c1b4f43b
GP		 3026}
3027
466f8004 3028int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3029{
3c588192
MM		 3030 int err;
3031
105bdf9e
MM		 3032 chan->next_tx_seq = 0;
3033 chan->expected_tx_seq = 0;
42e5c802 3034 chan->expected_ack_seq = 0;
6a026610 3035 chan->unacked_frames = 0;
42e5c802 3036 chan->buffer_seq = 0;
6a026610 3037 chan->frames_sent = 0;
105bdf9e
MM		 3038 chan->last_acked_seq = 0;
3039 chan->sdu = NULL;
3040 chan->sdu_last_frag = NULL;
3041 chan->sdu_len = 0;
3042
d34c34fb
MM		 3043 skb_queue_head_init(&chan->tx_q);
3044
08333283
MM		 3045 chan->local_amp_id = 0;
3046 chan->move_id = 0;
3047 chan->move_state = L2CAP_MOVE_STABLE;
3048 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3049
105bdf9e
MM		 3050 if (chan->mode != L2CAP_MODE_ERTM)
3051 return 0;
3052
3053 chan->rx_state = L2CAP_RX_STATE_RECV;
3054 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3055
721c4181
GP		 3056 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3057 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3058 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3059
f1c6775b 3060 skb_queue_head_init(&chan->srej_q);
1890d36b 3061
3c588192
MM		 3062 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3063 if (err < 0)
3064 return err;
3065
9dc9affc
MM		 3066 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3067 if (err < 0)
3068 l2cap_seq_list_free(&chan->srej_list);
3069
3070 return err;
0565c1c2
GP		 3071}
3072
f2fcfcd6
GP		 3073static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3074{
3075 switch (mode) {
3076 case L2CAP_MODE_STREAMING:
3077 case L2CAP_MODE_ERTM:
3078 if (l2cap_mode_supported(mode, remote_feat_mask))
3079 return mode;
3080 /* fall through */
3081 default:
3082 return L2CAP_MODE_BASIC;
3083 }
3084}
3085
6327eb98
AE		 3086static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
3087{
3088 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3089}
3090
f89cef09
AE		 3091static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
3092{
3093 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3094}
3095
36c86c85
MM		 3096static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3097 struct l2cap_conf_rfc *rfc)
3098{
3099 if (chan->local_amp_id && chan->hs_hcon) {
3100 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3101
3102 /* Class 1 devices have must have ERTM timeouts
3103 * exceeding the Link Supervision Timeout. The
3104 * default Link Supervision Timeout for AMP
3105 * controllers is 10 seconds.
3106 *
3107 * Class 1 devices use 0xffffffff for their
3108 * best-effort flush timeout, so the clamping logic
3109 * will result in a timeout that meets the above
3110 * requirement. ERTM timeouts are 16-bit values, so
3111 * the maximum timeout is 65.535 seconds.
3112 */
3113
3114 /* Convert timeout to milliseconds and round */
3115 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3116
3117 /* This is the recommended formula for class 2 devices
3118 * that start ERTM timers when packets are sent to the
3119 * controller.
3120 */
3121 ertm_to = 3 * ertm_to + 500;
3122
3123 if (ertm_to > 0xffff)
3124 ertm_to = 0xffff;
3125
3126 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3127 rfc->monitor_timeout = rfc->retrans_timeout;
3128 } else {
3129 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3130 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3131 }
3132}
3133
6327eb98
AE		 3134static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3135{
3136 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3137 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3138 /* use extended control field */
3139 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3140 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3141 } else {
6327eb98 3142 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3143 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3144 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3145 }
c20f8e35 3146 chan->ack_win = chan->tx_win;
6327eb98
AE		 3147}
3148
710f9b0a 3149static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3150{
1da177e4 3151 struct l2cap_conf_req *req = data;
0c1bc5c6 3152 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3153 void *ptr = req->data;
c8f79162 3154 u16 size;
1da177e4 3155
49208c9c 3156 BT_DBG("chan %p", chan);
1da177e4 3157
73ffa904 3158 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3159 goto done;
3160
0c1bc5c6 3161 switch (chan->mode) {
f2fcfcd6
GP		 3162 case L2CAP_MODE_STREAMING:
3163 case L2CAP_MODE_ERTM:
c1360a1c 3164 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3165 break;
85eb53c6 3166
f89cef09
AE		 3167 if (__l2cap_efs_supported(chan))
3168 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3169
2ba13ed6 3170 /* fall through */
f2fcfcd6 3171 default:
8c1d787b 3172 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3173 break;
3174 }
3175
3176done:
0c1bc5c6
GP		 3177 if (chan->imtu != L2CAP_DEFAULT_MTU)
3178 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3179
0c1bc5c6 3180 switch (chan->mode) {
65c7c491 3181 case L2CAP_MODE_BASIC:
8c1d787b 3182 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3183 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3184 break;
3185
62547752
GP		 3186 rfc.mode = L2CAP_MODE_BASIC;
3187 rfc.txwin_size = 0;
3188 rfc.max_transmit = 0;
3189 rfc.retrans_timeout = 0;
3190 rfc.monitor_timeout = 0;
3191 rfc.max_pdu_size = 0;
3192
63406504 3193 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3194 (unsigned long) &rfc);
65c7c491
MH		 3195 break;
3196
3197 case L2CAP_MODE_ERTM:
3198 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3199 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3200
3201 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3202
3203 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3204 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3205 L2CAP_FCS_SIZE);
c8f79162 3206 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3207
6327eb98
AE		 3208 l2cap_txwin_setup(chan);
3209
3210 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3211 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3212
63406504 3213 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3214 (unsigned long) &rfc);
63406504 3215
f89cef09
AE		 3216 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3217 l2cap_add_opt_efs(&ptr, chan);
3218
6327eb98
AE		 3219 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3220 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3221 chan->tx_win);
60918918
AE		 3222
3223 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3224 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3225 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3226 chan->fcs = L2CAP_FCS_NONE;
3227 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3228 chan->fcs);
3229 }
f2fcfcd6
GP		 3230 break;
3231
3232 case L2CAP_MODE_STREAMING:
273759e2 3233 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3234 rfc.mode = L2CAP_MODE_STREAMING;
3235 rfc.txwin_size = 0;
3236 rfc.max_transmit = 0;
3237 rfc.retrans_timeout = 0;
3238 rfc.monitor_timeout = 0;
c8f79162
AE		 3239
3240 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3241 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3242 L2CAP_FCS_SIZE);
c8f79162 3243 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3244
63406504 3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3246 (unsigned long) &rfc);
63406504 3247
f89cef09
AE		 3248 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3249 l2cap_add_opt_efs(&ptr, chan);
3250
60918918
AE		 3251 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3252 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3253 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3254 chan->fcs = L2CAP_FCS_NONE;
3255 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3256 chan->fcs);
3257 }
65c7c491
MH		 3258 break;
3259 }
1da177e4 3260
fe4128e0 3261 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3262 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3263
3264 return ptr - data;
3265}
3266
73ffa904 3267static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3268{
5dee9e7c
MH		 3269 struct l2cap_conf_rsp *rsp = data;
3270 void *ptr = rsp->data;
73ffa904
GP		 3271 void *req = chan->conf_req;
3272 int len = chan->conf_len;
5dee9e7c
MH		 3273 int type, hint, olen;
3274 unsigned long val;
6464f35f 3275 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3276 struct l2cap_conf_efs efs;
3277 u8 remote_efs = 0;
861d6882 3278 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3279 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3280 u16 size;
1da177e4 3281
73ffa904 3282 BT_DBG("chan %p", chan);
820ae1b8 3283
5dee9e7c
MH		 3284 while (len >= L2CAP_CONF_OPT_SIZE) {
3285 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3286
589d2746 3287 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3288 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3289
3290 switch (type) {
3291 case L2CAP_CONF_MTU:
861d6882 3292 mtu = val;
5dee9e7c
MH		 3293 break;
3294
3295 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3296 chan->flush_to = val;
5dee9e7c
MH		 3297 break;
3298
3299 case L2CAP_CONF_QOS:
3300 break;
3301
6464f35f
MH		 3302 case L2CAP_CONF_RFC:
3303 if (olen == sizeof(rfc))
3304 memcpy(&rfc, (void *) val, olen);
3305 break;
3306
fcc203c3
GP		 3307 case L2CAP_CONF_FCS:
3308 if (val == L2CAP_FCS_NONE)
f2592d3e 3309 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3310 break;
fcc203c3 3311
42dceae2
AE		 3312 case L2CAP_CONF_EFS:
3313 remote_efs = 1;
3314 if (olen == sizeof(efs))
3315 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3316 break;
3317
6327eb98
AE		 3318 case L2CAP_CONF_EWS:
3319 if (!enable_hs)
3320 return -ECONNREFUSED;
fcc203c3 3321
6327eb98
AE		 3322 set_bit(FLAG_EXT_CTRL, &chan->flags);
3323 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3324 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3325 chan->remote_tx_win = val;
fcc203c3
GP		 3326 break;
3327
5dee9e7c
MH		 3328 default:
3329 if (hint)
3330 break;
3331
3332 result = L2CAP_CONF_UNKNOWN;
3333 *((u8 *) ptr++) = type;
3334 break;
3335 }
3336 }
3337
73ffa904 3338 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3339 goto done;
3340
0c1bc5c6 3341 switch (chan->mode) {
f2fcfcd6
GP		 3342 case L2CAP_MODE_STREAMING:
3343 case L2CAP_MODE_ERTM:
c1360a1c 3344 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3345 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3346 chan->conn->feat_mask);
85eb53c6
GP		 3347 break;
3348 }
3349
42dceae2
AE		 3350 if (remote_efs) {
3351 if (__l2cap_efs_supported(chan))
3352 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3353 else
3354 return -ECONNREFUSED;
3355 }
3356
0c1bc5c6 3357 if (chan->mode != rfc.mode)
f2fcfcd6 3358 return -ECONNREFUSED;
742e519b 3359
f2fcfcd6 3360 break;
f2fcfcd6
GP		 3361 }
3362
3363done:
0c1bc5c6 3364 if (chan->mode != rfc.mode) {
f2fcfcd6 3365 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3366 rfc.mode = chan->mode;
f2fcfcd6 3367
73ffa904 3368 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3369 return -ECONNREFUSED;
3370
2d792818
GP		 3371 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3372 (unsigned long) &rfc);
f2fcfcd6
GP		 3373 }
3374
5dee9e7c
MH		 3375 if (result == L2CAP_CONF_SUCCESS) {
3376 /* Configure output options and let the other side know
3377 * which ones we don't like. */
3378
f2fcfcd6
GP		 3379 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3380 result = L2CAP_CONF_UNACCEPT;
3381 else {
0c1bc5c6 3382 chan->omtu = mtu;
c1360a1c 3383 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3384 }
0c1bc5c6 3385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3386
42dceae2
AE		 3387 if (remote_efs) {
3388 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3389 efs.stype != L2CAP_SERV_NOTRAFIC &&
3390 efs.stype != chan->local_stype) {
42dceae2
AE		 3391
3392 result = L2CAP_CONF_UNACCEPT;
3393
3394 if (chan->num_conf_req >= 1)
3395 return -ECONNREFUSED;
3396
3397 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3398 sizeof(efs),
3399 (unsigned long) &efs);
0e8b207e 3400 } else {
3e6b3b95 3401 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3402 result = L2CAP_CONF_PENDING;
3403 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3404 }
3405 }
3406
f2fcfcd6
GP		 3407 switch (rfc.mode) {
3408 case L2CAP_MODE_BASIC:
47d1ec61 3409 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3410 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3411 break;
3412
3413 case L2CAP_MODE_ERTM:
6327eb98
AE		 3414 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3415 chan->remote_tx_win = rfc.txwin_size;
3416 else
3417 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3418
2c03a7a4 3419 chan->remote_max_tx = rfc.max_transmit;
1c762159 3420
c8f79162 3421 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3422 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3423 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3424 rfc.max_pdu_size = cpu_to_le16(size);
3425 chan->remote_mps = size;
f2fcfcd6 3426
36c86c85 3427 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3428
c1360a1c 3429 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3430
3431 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3432 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3433
42dceae2
AE		 3434 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3435 chan->remote_id = efs.id;
3436 chan->remote_stype = efs.stype;
3437 chan->remote_msdu = le16_to_cpu(efs.msdu);
3438 chan->remote_flush_to =
2d792818 3439 le32_to_cpu(efs.flush_to);
42dceae2 3440 chan->remote_acc_lat =
2d792818 3441 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3442 chan->remote_sdu_itime =
3443 le32_to_cpu(efs.sdu_itime);
3444 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3445 sizeof(efs),
3446 (unsigned long) &efs);
42dceae2 3447 }
f2fcfcd6
GP		 3448 break;
3449
3450 case L2CAP_MODE_STREAMING:
c8f79162 3451 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3452 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3453 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3454 rfc.max_pdu_size = cpu_to_le16(size);
3455 chan->remote_mps = size;
f2fcfcd6 3456
c1360a1c 3457 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3458
2d792818
GP		 3459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3460 (unsigned long) &rfc);
68ae6639 3461
f2fcfcd6
GP		 3462 break;
3463
3464 default:
5dee9e7c 3465 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3466
6464f35f 3467 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3468 rfc.mode = chan->mode;
f2fcfcd6 3469 }
6464f35f 3470
f2fcfcd6 3471 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3472 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3473 }
fe4128e0 3474 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3475 rsp->result = cpu_to_le16(result);
59e54bd1 3476 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3477
3478 return ptr - data;
1da177e4
LT		 3479}
3480
2d792818
GP		 3481static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3482 void *data, u16 *result)
f2fcfcd6 3483{
f2fcfcd6
GP		 3484 struct l2cap_conf_req *req = data;
3485 void *ptr = req->data;
3486 int type, olen;
3487 unsigned long val;
36e999a8 3488 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3489 struct l2cap_conf_efs efs;
f2fcfcd6 3490
fe4128e0 3491 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3492
3493 while (len >= L2CAP_CONF_OPT_SIZE) {
3494 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3495
3496 switch (type) {
3497 case L2CAP_CONF_MTU:
3498 if (val < L2CAP_DEFAULT_MIN_MTU) {
3499 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3500 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3501 } else
0c1bc5c6
GP		 3502 chan->imtu = val;
3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3504 break;
3505
3506 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3507 chan->flush_to = val;
f2fcfcd6 3508 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3509 2, chan->flush_to);
f2fcfcd6
GP		 3510 break;
3511
3512 case L2CAP_CONF_RFC:
3513 if (olen == sizeof(rfc))
3514 memcpy(&rfc, (void *)val, olen);
3515
c1360a1c 3516 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3517 rfc.mode != chan->mode)
f2fcfcd6
GP		 3518 return -ECONNREFUSED;
3519
47d1ec61 3520 chan->fcs = 0;
f2fcfcd6
GP		 3521
3522 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3523 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3524 break;
6327eb98
AE		 3525
3526 case L2CAP_CONF_EWS:
c20f8e35 3527 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3529 chan->tx_win);
6327eb98 3530 break;
66af7aaf
AE		 3531
3532 case L2CAP_CONF_EFS:
3533 if (olen == sizeof(efs))
3534 memcpy(&efs, (void *)val, olen);
3535
3536 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3537 efs.stype != L2CAP_SERV_NOTRAFIC &&
3538 efs.stype != chan->local_stype)
66af7aaf
AE		 3539 return -ECONNREFUSED;
3540
2d792818
GP		 3541 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3542 (unsigned long) &efs);
66af7aaf 3543 break;
cbabee78
AE		 3544
3545 case L2CAP_CONF_FCS:
3546 if (*result == L2CAP_CONF_PENDING)
3547 if (val == L2CAP_FCS_NONE)
f2592d3e 3548 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3549 &chan->conf_state);
3550 break;
f2fcfcd6
GP		 3551 }
3552 }
3553
0c1bc5c6 3554 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3555 return -ECONNREFUSED;
3556
0c1bc5c6 3557 chan->mode = rfc.mode;
6c2ea7a8 3558
0e8b207e 3559 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3560 switch (rfc.mode) {
3561 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3562 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3563 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3564 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3565 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3566 chan->ack_win = min_t(u16, chan->ack_win,
3567 rfc.txwin_size);
66af7aaf
AE		 3568
3569 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3570 chan->local_msdu = le16_to_cpu(efs.msdu);
3571 chan->local_sdu_itime =
2d792818 3572 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3573 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3574 chan->local_flush_to =
2d792818 3575 le32_to_cpu(efs.flush_to);
66af7aaf 3576 }
f2fcfcd6 3577 break;
66af7aaf 3578
f2fcfcd6 3579 case L2CAP_MODE_STREAMING:
47d1ec61 3580 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3581 }
3582 }
3583
fe4128e0 3584 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3585 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3586
3587 return ptr - data;
3588}
3589
2d792818
GP		 3590static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3591 u16 result, u16 flags)
1da177e4
LT		 3592{
3593 struct l2cap_conf_rsp *rsp = data;
3594 void *ptr = rsp->data;
1da177e4 3595
fe4128e0 3596 BT_DBG("chan %p", chan);
1da177e4 3597
fe4128e0 3598 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3599 rsp->result = cpu_to_le16(result);
aca3192c 3600 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3601
3602 return ptr - data;
3603}
3604
8c1d787b 3605void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3606{
3607 struct l2cap_conn_rsp rsp;
8c1d787b 3608 struct l2cap_conn *conn = chan->conn;
710f9b0a 3609 u8 buf[128];
439f34ac 3610 u8 rsp_code;
710f9b0a 3611
fe4128e0
GP		 3612 rsp.scid = cpu_to_le16(chan->dcid);
3613 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3614 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3615 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3616
3617 if (chan->hs_hcon)
3618 rsp_code = L2CAP_CREATE_CHAN_RSP;
3619 else
3620 rsp_code = L2CAP_CONN_RSP;
3621
3622 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3623
3624 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3625
c1360a1c 3626 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3627 return;
3628
710f9b0a 3629 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3630 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3631 chan->num_conf_req++;
3632}
3633
47d1ec61 3634static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3635{
7b1c0049
GP		 3636 int type, olen;
3637 unsigned long val;
c20f8e35
MM		 3638 /* Use sane default values in case a misbehaving remote device
3639 * did not send an RFC or extended window size option.
3640 */
3641 u16 txwin_ext = chan->ack_win;
3642 struct l2cap_conf_rfc rfc = {
3643 .mode = chan->mode,
3644 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3645 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3646 .max_pdu_size = cpu_to_le16(chan->imtu),
3647 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3648 };
7b1c0049 3649
47d1ec61 3650 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3651
0c1bc5c6 3652 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3653 return;
3654
3655 while (len >= L2CAP_CONF_OPT_SIZE) {
3656 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3657
c20f8e35
MM		 3658 switch (type) {
3659 case L2CAP_CONF_RFC:
3660 if (olen == sizeof(rfc))
3661 memcpy(&rfc, (void *)val, olen);
8f321f85 3662 break;
c20f8e35
MM		 3663 case L2CAP_CONF_EWS:
3664 txwin_ext = val;
3665 break;
3666 }
7b1c0049
GP		 3667 }
3668
7b1c0049
GP		 3669 switch (rfc.mode) {
3670 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3671 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3672 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3673 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3674 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3675 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3676 else
3677 chan->ack_win = min_t(u16, chan->ack_win,
3678 rfc.txwin_size);
7b1c0049
GP		 3679 break;
3680 case L2CAP_MODE_STREAMING:
47d1ec61 3681 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3682 }
3683}
3684
2d792818 3685static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3686 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3687 u8 *data)
4e8402a3 3688{
e2fd318e 3689 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3690
cb3b3152
JH		 3691 if (cmd_len < sizeof(*rej))
3692 return -EPROTO;
3693
e2fd318e 3694 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3695 return 0;
3696
3697 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3698 cmd->ident == conn->info_ident) {
17cd3f37 3699 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3700
3701 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3702 conn->info_ident = 0;
984947dc 3703
4e8402a3
MH		 3704 l2cap_conn_start(conn);
3705 }
3706
3707 return 0;
3708}
3709
1700915f
MM		 3710static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3711 struct l2cap_cmd_hdr *cmd,
3712 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3713{
1da177e4
LT		 3714 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3715 struct l2cap_conn_rsp rsp;
23691d75 3716 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3717 struct sock *parent, *sk = NULL;
e7c29cb1 3718 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3719
3720 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3721 __le16 psm = req->psm;
1da177e4 3722
097db76c 3723 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3724
3725 /* Check if we have socket listening on psm */
c2287681 3726 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3727 if (!pchan) {
1da177e4
LT		 3728 result = L2CAP_CR_BAD_PSM;
3729 goto sendresp;
3730 }
3731
23691d75
GP		 3732 parent = pchan->sk;
3733
3df91ea2 3734 mutex_lock(&conn->chan_lock);
aa2ac881 3735 lock_sock(parent);
e0f0cb56 3736
e7c29cb1 3737 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3738 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3739 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3740 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3741 result = L2CAP_CR_SEC_BLOCK;
3742 goto response;
3743 }
3744
1da177e4
LT		 3745 result = L2CAP_CR_NO_MEM;
3746
2dfa1003
GP		 3747 /* Check if we already have channel with that dcid */
3748 if (__l2cap_get_chan_by_dcid(conn, scid))
3749 goto response;
3750
80b98027 3751 chan = pchan->ops->new_connection(pchan);
80808e43 3752 if (!chan)
1da177e4
LT		 3753 goto response;
3754
80808e43
GP		 3755 sk = chan->sk;
3756
1da177e4
LT		 3757 bacpy(&bt_sk(sk)->src, conn->src);
3758 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3759 chan->psm = psm;
3760 chan->dcid = scid;
1700915f 3761 chan->local_amp_id = amp_id;
1da177e4 3762
6be36555 3763 __l2cap_chan_add(conn, chan);
48454079 3764
fe4128e0 3765 dcid = chan->scid;
1da177e4 3766
c9b66675 3767 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3768
fc7f8a7e 3769 chan->ident = cmd->ident;
1da177e4 3770
984947dc 3771 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3772 if (l2cap_chan_check_security(chan)) {
c5daa683 3773 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3774 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3775 result = L2CAP_CR_PEND;
3776 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3777 chan->ops->defer(chan);
f66dc81f 3778 } else {
1700915f
MM		 3779 /* Force pending result for AMP controllers.
3780 * The connection will succeed after the
3781 * physical link is up.
3782 */
3783 if (amp_id) {
3784 __l2cap_state_change(chan, BT_CONNECT2);
3785 result = L2CAP_CR_PEND;
3786 } else {
3787 __l2cap_state_change(chan, BT_CONFIG);
3788 result = L2CAP_CR_SUCCESS;
3789 }
f66dc81f
MH		 3790 status = L2CAP_CS_NO_INFO;
3791 }
79d554a6 3792 } else {
0e587be7 3793 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3794 result = L2CAP_CR_PEND;
3795 status = L2CAP_CS_AUTHEN_PEND;
3796 }
3797 } else {
0e587be7 3798 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3799 result = L2CAP_CR_PEND;
3800 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3801 }
3802
1da177e4 3803response:
aa2ac881 3804 release_sock(parent);
3df91ea2 3805 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3806
3807sendresp:
aca3192c
YH		 3808 rsp.scid = cpu_to_le16(scid);
3809 rsp.dcid = cpu_to_le16(dcid);
3810 rsp.result = cpu_to_le16(result);
3811 rsp.status = cpu_to_le16(status);
4c89b6aa 3812 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3813
3814 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3815 struct l2cap_info_req info;
ac73498c 3816 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3817
3818 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3819 conn->info_ident = l2cap_get_ident(conn);
3820
ba13ccd9 3821 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3822
2d792818
GP		 3823 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3824 sizeof(info), &info);
79d554a6
MH		 3825 }
3826
c1360a1c 3827 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3828 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3829 u8 buf[128];
c1360a1c 3830 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3831 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3832 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3833 chan->num_conf_req++;
e9aeb2dd 3834 }
1700915f
MM		 3835
3836 return chan;
4c89b6aa 3837}
e9aeb2dd 3838
4c89b6aa 3839static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3840 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3841{
7b064eda
JK		 3842 struct hci_dev *hdev = conn->hcon->hdev;
3843 struct hci_conn *hcon = conn->hcon;
3844
cb3b3152
JH		 3845 if (cmd_len < sizeof(struct l2cap_conn_req))
3846 return -EPROTO;
3847
7b064eda
JK		 3848 hci_dev_lock(hdev);
3849 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3850 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3851 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3852 hcon->dst_type, 0, NULL, 0,
3853 hcon->dev_class);
3854 hci_dev_unlock(hdev);
3855
300229f9 3856 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3857 return 0;
3858}
3859
5909cf30 3860static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3861 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3862 u8 *data)
1da177e4
LT		 3863{
3864 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3865 u16 scid, dcid, result, status;
48454079 3866 struct l2cap_chan *chan;
1da177e4 3867 u8 req[128];
3df91ea2 3868 int err;
1da177e4 3869
cb3b3152
JH		 3870 if (cmd_len < sizeof(*rsp))
3871 return -EPROTO;
3872
1da177e4
LT		 3873 scid = __le16_to_cpu(rsp->scid);
3874 dcid = __le16_to_cpu(rsp->dcid);
3875 result = __le16_to_cpu(rsp->result);
3876 status = __le16_to_cpu(rsp->status);
3877
1b009c98 3878 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3879 dcid, scid, result, status);
1da177e4 3880
3df91ea2
AE		 3881 mutex_lock(&conn->chan_lock);
3882
1da177e4 3883 if (scid) {
3df91ea2
AE		 3884 chan = __l2cap_get_chan_by_scid(conn, scid);
3885 if (!chan) {
3886 err = -EFAULT;
3887 goto unlock;
3888 }
1da177e4 3889 } else {
3df91ea2
AE		 3890 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3891 if (!chan) {
3892 err = -EFAULT;
3893 goto unlock;
3894 }
1da177e4
LT		 3895 }
3896
3df91ea2
AE		 3897 err = 0;
3898
6be36555 3899 l2cap_chan_lock(chan);
48454079 3900
1da177e4
LT		 3901 switch (result) {
3902 case L2CAP_CR_SUCCESS:
89bc500e 3903 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3904 chan->ident = 0;
fe4128e0 3905 chan->dcid = dcid;
c1360a1c 3906 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3907
c1360a1c 3908 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3909 break;
3910
1da177e4 3911 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3912 l2cap_build_conf_req(chan, req), req);
73ffa904 3913 chan->num_conf_req++;
1da177e4
LT		 3914 break;
3915
3916 case L2CAP_CR_PEND:
c1360a1c 3917 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3918 break;
3919
3920 default:
48454079 3921 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3922 break;
3923 }
3924
6be36555 3925 l2cap_chan_unlock(chan);
3df91ea2
AE		 3926
3927unlock:
3928 mutex_unlock(&conn->chan_lock);
3929
3930 return err;
1da177e4
LT		 3931}
3932
47d1ec61 3933static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3934{
3935 /* FCS is enabled only in ERTM or streaming mode, if one or both
3936 * sides request it.
3937 */
0c1bc5c6 3938 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3939 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3940 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3941 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3942}
3943
29d8a590
AE		 3944static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3945 u8 ident, u16 flags)
3946{
3947 struct l2cap_conn *conn = chan->conn;
3948
3949 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3950 flags);
3951
3952 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3953 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3954
3955 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3956 l2cap_build_conf_rsp(chan, data,
3957 L2CAP_CONF_SUCCESS, flags), data);
3958}
3959
2d792818
GP		 3960static inline int l2cap_config_req(struct l2cap_conn *conn,
3961 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3962 u8 *data)
1da177e4
LT		 3963{
3964 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3965 u16 dcid, flags;
3966 u8 rsp[64];
48454079 3967 struct l2cap_chan *chan;
3c588192 3968 int len, err = 0;
1da177e4 3969
cb3b3152
JH		 3970 if (cmd_len < sizeof(*req))
3971 return -EPROTO;
3972
1da177e4
LT		 3973 dcid = __le16_to_cpu(req->dcid);
3974 flags = __le16_to_cpu(req->flags);
3975
3976 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3977
baa7e1fa 3978 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3979 if (!chan)
1da177e4
LT		 3980 return -ENOENT;
3981
033b1142 3982 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3983 struct l2cap_cmd_rej_cid rej;
3984
ac73498c 3985 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3986 rej.scid = cpu_to_le16(chan->scid);
3987 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3988
df6bd743 3989 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3990 sizeof(rej), &rej);
354f60a9 3991 goto unlock;
df6bd743 3992 }
354f60a9 3993
5dee9e7c 3994 /* Reject if config buffer is too small. */
88219a0f 3995 len = cmd_len - sizeof(*req);
cb3b3152 3996 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3997 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3998 l2cap_build_conf_rsp(chan, rsp,
3999 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4000 goto unlock;
4001 }
4002
4003 /* Store config. */
73ffa904
GP		 4004 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4005 chan->conf_len += len;
1da177e4 4006
59e54bd1 4007 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4008 /* Incomplete config. Send empty response. */
4009 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4010 l2cap_build_conf_rsp(chan, rsp,
4011 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4012 goto unlock;
4013 }
4014
4015 /* Complete config. */
73ffa904 4016 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4017 if (len < 0) {
5e4e3972 4018 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4019 goto unlock;
f2fcfcd6 4020 }
1da177e4 4021
1500109b 4022 chan->ident = cmd->ident;
5dee9e7c 4023 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4024 chan->num_conf_rsp++;
5dee9e7c 4025
5dee9e7c 4026 /* Reset config buffer. */
73ffa904 4027 chan->conf_len = 0;
5dee9e7c 4028
c1360a1c 4029 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4030 goto unlock;
4031
c1360a1c 4032 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4033 set_default_fcs(chan);
fcc203c3 4034
105bdf9e
MM		 4035 if (chan->mode == L2CAP_MODE_ERTM ||
4036 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4037 err = l2cap_ertm_init(chan);
4038
4039 if (err < 0)
5e4e3972 4040 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4041 else
4042 l2cap_chan_ready(chan);
0565c1c2 4043
876d9484
MH		 4044 goto unlock;
4045 }
4046
c1360a1c 4047 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4048 u8 buf[64];
1da177e4 4049 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4050 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4051 chan->num_conf_req++;
1da177e4
LT		 4052 }
4053
0e8b207e
AE		 4054 /* Got Conf Rsp PENDING from remote side and asume we sent
4055 Conf Rsp PENDING in the code above */
4056 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4057 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4058
4059 /* check compatibility */
4060
79de886d 4061 /* Send rsp for BR/EDR channel */
f351bc72 4062 if (!chan->hs_hcon)
79de886d
AE		 4063 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4064 else
4065 chan->ident = cmd->ident;
0e8b207e
AE		 4066 }
4067
1da177e4 4068unlock:
6be36555 4069 l2cap_chan_unlock(chan);
3c588192 4070 return err;
1da177e4
LT		 4071}
4072
2d792818 4073static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4074 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4075 u8 *data)
1da177e4
LT		 4076{
4077 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4078 u16 scid, flags, result;
48454079 4079 struct l2cap_chan *chan;
cb3b3152 4080 int len = cmd_len - sizeof(*rsp);
3c588192 4081 int err = 0;
1da177e4 4082
cb3b3152
JH		 4083 if (cmd_len < sizeof(*rsp))
4084 return -EPROTO;
4085
1da177e4
LT		 4086 scid = __le16_to_cpu(rsp->scid);
4087 flags = __le16_to_cpu(rsp->flags);
4088 result = __le16_to_cpu(rsp->result);
4089
61386cba
AE		 4090 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4091 result, len);
1da177e4 4092
baa7e1fa 4093 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4094 if (!chan)
1da177e4
LT		 4095 return 0;
4096
4097 switch (result) {
4098 case L2CAP_CONF_SUCCESS:
47d1ec61 4099 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4100 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4101 break;
4102
0e8b207e
AE		 4103 case L2CAP_CONF_PENDING:
4104 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4105
4106 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4107 char buf[64];
4108
4109 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4110 buf, &result);
0e8b207e 4111 if (len < 0) {
5e4e3972 4112 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4113 goto done;
4114 }
4115
f351bc72 4116 if (!chan->hs_hcon) {
79de886d
AE		 4117 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4118 0);
5ce66b59
AE		 4119 } else {
4120 if (l2cap_check_efs(chan)) {
4121 amp_create_logical_link(chan);
4122 chan->ident = cmd->ident;
4123 }
4124 }
0e8b207e
AE		 4125 }
4126 goto done;
4127
1da177e4 4128 case L2CAP_CONF_UNACCEPT:
73ffa904 4129 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4130 char req[64];
4131
c2c77ec8 4132 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4133 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4134 goto done;
4135 }
4136
f2fcfcd6
GP		 4137 /* throw out any old stored conf requests */
4138 result = L2CAP_CONF_SUCCESS;
b4450035 4139 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4140 req, &result);
f2fcfcd6 4141 if (len < 0) {
5e4e3972 4142 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4143 goto done;
4144 }
4145
4146 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4147 L2CAP_CONF_REQ, len, req);
73ffa904 4148 chan->num_conf_req++;
f2fcfcd6
GP		 4149 if (result != L2CAP_CONF_SUCCESS)
4150 goto done;
4151 break;
1da177e4
LT		 4152 }
4153
8e87d142 4154 default:
6be36555 4155 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4156
ba13ccd9 4157 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4158 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4159 goto done;
4160 }
4161
59e54bd1 4162 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4163 goto done;
4164
c1360a1c 4165 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4166
c1360a1c 4167 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4168 set_default_fcs(chan);
fcc203c3 4169
105bdf9e
MM		 4170 if (chan->mode == L2CAP_MODE_ERTM ||
4171 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4172 err = l2cap_ertm_init(chan);
0565c1c2 4173
3c588192 4174 if (err < 0)
5e4e3972 4175 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4176 else
4177 l2cap_chan_ready(chan);
1da177e4
LT		 4178 }
4179
4180done:
6be36555 4181 l2cap_chan_unlock(chan);
3c588192 4182 return err;
1da177e4
LT		 4183}
4184
2d792818 4185static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4186 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4187 u8 *data)
1da177e4
LT		 4188{
4189 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4190 struct l2cap_disconn_rsp rsp;
4191 u16 dcid, scid;
48454079 4192 struct l2cap_chan *chan;
1da177e4
LT		 4193 struct sock *sk;
4194
cb3b3152
JH		 4195 if (cmd_len != sizeof(*req))
4196 return -EPROTO;
4197
1da177e4
LT		 4198 scid = __le16_to_cpu(req->scid);
4199 dcid = __le16_to_cpu(req->dcid);
4200
4201 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4202
3df91ea2
AE		 4203 mutex_lock(&conn->chan_lock);
4204
4205 chan = __l2cap_get_chan_by_scid(conn, dcid);
4206 if (!chan) {
4207 mutex_unlock(&conn->chan_lock);
1da177e4 4208 return 0;
3df91ea2 4209 }
1da177e4 4210
6be36555
AE		 4211 l2cap_chan_lock(chan);
4212
48454079
GP		 4213 sk = chan->sk;
4214
fe4128e0
GP		 4215 rsp.dcid = cpu_to_le16(chan->scid);
4216 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4217 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4218
6be36555 4219 lock_sock(sk);
1da177e4 4220 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4221 release_sock(sk);
1da177e4 4222
61d6ef3e 4223 l2cap_chan_hold(chan);
48454079 4224 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4225
4226 l2cap_chan_unlock(chan);
1da177e4 4227
80b98027 4228 chan->ops->close(chan);
61d6ef3e 4229 l2cap_chan_put(chan);
3df91ea2
AE		 4230
4231 mutex_unlock(&conn->chan_lock);
4232
1da177e4
LT		 4233 return 0;
4234}
4235
2d792818 4236static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4237 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4238 u8 *data)
1da177e4
LT		 4239{
4240 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4241 u16 dcid, scid;
48454079 4242 struct l2cap_chan *chan;
1da177e4 4243
cb3b3152
JH		 4244 if (cmd_len != sizeof(*rsp))
4245 return -EPROTO;
4246
1da177e4
LT		 4247 scid = __le16_to_cpu(rsp->scid);
4248 dcid = __le16_to_cpu(rsp->dcid);
4249
4250 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4251
3df91ea2
AE		 4252 mutex_lock(&conn->chan_lock);
4253
4254 chan = __l2cap_get_chan_by_scid(conn, scid);
4255 if (!chan) {
4256 mutex_unlock(&conn->chan_lock);
1da177e4 4257 return 0;
3df91ea2 4258 }
1da177e4 4259
6be36555 4260 l2cap_chan_lock(chan);
48454079 4261
61d6ef3e 4262 l2cap_chan_hold(chan);
48454079 4263 l2cap_chan_del(chan, 0);
6be36555
AE		 4264
4265 l2cap_chan_unlock(chan);
1da177e4 4266
80b98027 4267 chan->ops->close(chan);
61d6ef3e 4268 l2cap_chan_put(chan);
3df91ea2
AE		 4269
4270 mutex_unlock(&conn->chan_lock);
4271
1da177e4
LT		 4272 return 0;
4273}
4274
2d792818 4275static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4276 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4277 u8 *data)
1da177e4
LT		 4278{
4279 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4280 u16 type;
4281
cb3b3152
JH		 4282 if (cmd_len != sizeof(*req))
4283 return -EPROTO;
4284
1da177e4
LT		 4285 type = __le16_to_cpu(req->type);
4286
4287 BT_DBG("type 0x%4.4x", type);
4288
f0709e03
MH		 4289 if (type == L2CAP_IT_FEAT_MASK) {
4290 u8 buf[8];
44dd46de 4291 u32 feat_mask = l2cap_feat_mask;
f0709e03 4292 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4293 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4294 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4295 if (!disable_ertm)
fcc203c3 4296 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4297 | L2CAP_FEAT_FCS;
a5fd6f30 4298 if (enable_hs)
6327eb98 4299 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4300 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4301
1b7bf4ed 4302 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4303 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4304 buf);
e1027a7c
MH		 4305 } else if (type == L2CAP_IT_FIXED_CHAN) {
4306 u8 buf[12];
4307 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4308
4309 if (enable_hs)
4310 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4311 else
4312 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4313
ac73498c
AE		 4314 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4315 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4316 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4317 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4318 buf);
f0709e03
MH		 4319 } else {
4320 struct l2cap_info_rsp rsp;
4321 rsp.type = cpu_to_le16(type);
ac73498c 4322 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4323 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4324 &rsp);
f0709e03 4325 }
1da177e4
LT		 4326
4327 return 0;
4328}
4329
2d792818 4330static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4331 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4332 u8 *data)
1da177e4
LT		 4333{
4334 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4335 u16 type, result;
4336
3f6fa3d4 4337 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4338 return -EPROTO;
4339
1da177e4
LT		 4340 type = __le16_to_cpu(rsp->type);
4341 result = __le16_to_cpu(rsp->result);
4342
4343 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4344
e90165be
AE		 4345 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4346 if (cmd->ident != conn->info_ident ||
2d792818 4347 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4348 return 0;
4349
17cd3f37 4350 cancel_delayed_work(&conn->info_timer);
4e8402a3 4351
adb08ede
VT		 4352 if (result != L2CAP_IR_SUCCESS) {
4353 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4354 conn->info_ident = 0;
4355
4356 l2cap_conn_start(conn);
4357
4358 return 0;
4359 }
4360
978c93b9
AE		 4361 switch (type) {
4362 case L2CAP_IT_FEAT_MASK:
83985319 4363 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4364
47ec1dcd 4365 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4366 struct l2cap_info_req req;
ac73498c 4367 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4368
4369 conn->info_ident = l2cap_get_ident(conn);
4370
4371 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4372 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4373 } else {
4374 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4375 conn->info_ident = 0;
4376
4377 l2cap_conn_start(conn);
4378 }
978c93b9
AE		 4379 break;
4380
4381 case L2CAP_IT_FIXED_CHAN:
4382 conn->fixed_chan_mask = rsp->data[0];
984947dc 4383 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4384 conn->info_ident = 0;
984947dc
MH		 4385
4386 l2cap_conn_start(conn);
978c93b9 4387 break;
984947dc 4388 }
4e8402a3 4389
1da177e4
LT		 4390 return 0;
4391}
4392
1700915f
MM		 4393static int l2cap_create_channel_req(struct l2cap_conn *conn,
4394 struct l2cap_cmd_hdr *cmd,
4395 u16 cmd_len, void *data)
f94ff6ff
MM		 4396{
4397 struct l2cap_create_chan_req *req = data;
6e1df6a6 4398 struct l2cap_create_chan_rsp rsp;
1700915f 4399 struct l2cap_chan *chan;
6e1df6a6 4400 struct hci_dev *hdev;
f94ff6ff
MM		 4401 u16 psm, scid;
4402
4403 if (cmd_len != sizeof(*req))
4404 return -EPROTO;
4405
4406 if (!enable_hs)
4407 return -EINVAL;
4408
4409 psm = le16_to_cpu(req->psm);
4410 scid = le16_to_cpu(req->scid);
4411
ad0ac6ca 4412 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4413
6e1df6a6
AE		 4414 /* For controller id 0 make BR/EDR connection */
4415 if (req->amp_id == HCI_BREDR_ID) {
4416 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4417 req->amp_id);
4418 return 0;
4419 }
1700915f 4420
6e1df6a6
AE		 4421 /* Validate AMP controller id */
4422 hdev = hci_dev_get(req->amp_id);
4423 if (!hdev)
4424 goto error;
1700915f 4425
6e1df6a6
AE		 4426 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4427 hci_dev_put(hdev);
4428 goto error;
4429 }
1700915f 4430
6e1df6a6
AE		 4431 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4432 req->amp_id);
4433 if (chan) {
4434 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4435 struct hci_conn *hs_hcon;
1700915f 4436
6e1df6a6
AE		 4437 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4438 if (!hs_hcon) {
4439 hci_dev_put(hdev);
4440 return -EFAULT;
1700915f
MM		 4441 }
4442
6e1df6a6
AE		 4443 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4444
6e1df6a6
AE		 4445 mgr->bredr_chan = chan;
4446 chan->hs_hcon = hs_hcon;
fd45bf4c 4447 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4448 conn->mtu = hdev->block_mtu;
1700915f 4449 }
f94ff6ff 4450
6e1df6a6 4451 hci_dev_put(hdev);
f94ff6ff
MM		 4452
4453 return 0;
6e1df6a6
AE		 4454
4455error:
4456 rsp.dcid = 0;
4457 rsp.scid = cpu_to_le16(scid);
4458 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4459 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4460
4461 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4462 sizeof(rsp), &rsp);
4463
4464 return -EFAULT;
f94ff6ff
MM		 4465}
4466
8eb200bd
MM		 4467static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4468{
4469 struct l2cap_move_chan_req req;
4470 u8 ident;
4471
4472 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4473
4474 ident = l2cap_get_ident(chan->conn);
4475 chan->ident = ident;
4476
4477 req.icid = cpu_to_le16(chan->scid);
4478 req.dest_amp_id = dest_amp_id;
4479
4480 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4481 &req);
4482
4483 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4484}
4485
1500109b 4486static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4487{
4488 struct l2cap_move_chan_rsp rsp;
4489
1500109b 4490 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4491
1500109b 4492 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4493 rsp.result = cpu_to_le16(result);
4494
1500109b
MM		 4495 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4496 sizeof(rsp), &rsp);
8d5a04a1
MM		 4497}
4498
5b155ef9 4499static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4500{
4501 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4502
5b155ef9 4503 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4504
5b155ef9 4505 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4506
5b155ef9 4507 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4508 cfm.result = cpu_to_le16(result);
4509
5b155ef9
MM		 4510 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4511 sizeof(cfm), &cfm);
4512
4513 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4514}
4515
4516static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4517{
4518 struct l2cap_move_chan_cfm cfm;
4519
4520 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4521
4522 cfm.icid = cpu_to_le16(icid);
4523 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4524
4525 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4526 sizeof(cfm), &cfm);
8d5a04a1
MM		 4527}
4528
4529static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4530 u16 icid)
8d5a04a1
MM		 4531{
4532 struct l2cap_move_chan_cfm_rsp rsp;
4533
ad0ac6ca 4534 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4535
4536 rsp.icid = cpu_to_le16(icid);
4537 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4538}
4539
5f3847a4
MM		 4540static void __release_logical_link(struct l2cap_chan *chan)
4541{
4542 chan->hs_hchan = NULL;
4543 chan->hs_hcon = NULL;
4544
4545 /* Placeholder - release the logical link */
4546}
4547
1500109b
MM		 4548static void l2cap_logical_fail(struct l2cap_chan *chan)
4549{
4550 /* Logical link setup failed */
4551 if (chan->state != BT_CONNECTED) {
4552 /* Create channel failure, disconnect */
5e4e3972 4553 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4554 return;
4555 }
4556
4557 switch (chan->move_role) {
4558 case L2CAP_MOVE_ROLE_RESPONDER:
4559 l2cap_move_done(chan);
4560 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4561 break;
4562 case L2CAP_MOVE_ROLE_INITIATOR:
4563 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4564 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4565 /* Remote has only sent pending or
4566 * success responses, clean up
4567 */
4568 l2cap_move_done(chan);
4569 }
4570
4571 /* Other amp move states imply that the move
4572 * has already aborted
4573 */
4574 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4575 break;
4576 }
4577}
4578
4579static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4580 struct hci_chan *hchan)
4581{
4582 struct l2cap_conf_rsp rsp;
1500109b 4583
336178a3 4584 chan->hs_hchan = hchan;
1500109b
MM		 4585 chan->hs_hcon->l2cap_data = chan->conn;
4586
35ba9561 4587 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4588
4589 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4590 int err;
1500109b
MM		 4591
4592 set_default_fcs(chan);
4593
4594 err = l2cap_ertm_init(chan);
4595 if (err < 0)
5e4e3972 4596 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4597 else
4598 l2cap_chan_ready(chan);
4599 }
4600}
4601
4602static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4603 struct hci_chan *hchan)
4604{
4605 chan->hs_hcon = hchan->conn;
4606 chan->hs_hcon->l2cap_data = chan->conn;
4607
4608 BT_DBG("move_state %d", chan->move_state);
4609
4610 switch (chan->move_state) {
4611 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4612 /* Move confirm will be sent after a success
4613 * response is received
4614 */
4615 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4616 break;
4617 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4618 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4619 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4620 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4621 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4622 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4623 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4624 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4625 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4626 }
4627 break;
4628 default:
4629 /* Move was not in expected state, free the channel */
4630 __release_logical_link(chan);
4631
4632 chan->move_state = L2CAP_MOVE_STABLE;
4633 }
4634}
4635
4636/* Call with chan locked */
27695fb4
AE		 4637void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4638 u8 status)
5b155ef9 4639{
1500109b
MM		 4640 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4641
4642 if (status) {
4643 l2cap_logical_fail(chan);
4644 __release_logical_link(chan);
4645 return;
4646 }
4647
4648 if (chan->state != BT_CONNECTED) {
4649 /* Ignore logical link if channel is on BR/EDR */
4650 if (chan->local_amp_id)
4651 l2cap_logical_finish_create(chan, hchan);
4652 } else {
4653 l2cap_logical_finish_move(chan, hchan);
4654 }
5b155ef9
MM		 4655}
4656
3f7a56c4
MM		 4657void l2cap_move_start(struct l2cap_chan *chan)
4658{
4659 BT_DBG("chan %p", chan);
4660
4661 if (chan->local_amp_id == HCI_BREDR_ID) {
4662 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4663 return;
4664 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4665 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4666 /* Placeholder - start physical link setup */
4667 } else {
4668 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4669 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4670 chan->move_id = 0;
4671 l2cap_move_setup(chan);
4672 l2cap_send_move_chan_req(chan, 0);
4673 }
4674}
4675
8eb200bd
MM		 4676static void l2cap_do_create(struct l2cap_chan *chan, int result,
4677 u8 local_amp_id, u8 remote_amp_id)
4678{
62748ca1
AE		 4679 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4680 local_amp_id, remote_amp_id);
4681
12d6cc60
AE		 4682 chan->fcs = L2CAP_FCS_NONE;
4683
62748ca1
AE		 4684 /* Outgoing channel on AMP */
4685 if (chan->state == BT_CONNECT) {
4686 if (result == L2CAP_CR_SUCCESS) {
4687 chan->local_amp_id = local_amp_id;
4688 l2cap_send_create_chan_req(chan, remote_amp_id);
4689 } else {
4690 /* Revert to BR/EDR connect */
4691 l2cap_send_conn_req(chan);
4692 }
4693
4694 return;
4695 }
4696
4697 /* Incoming channel on AMP */
4698 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4699 struct l2cap_conn_rsp rsp;
4700 char buf[128];
4701 rsp.scid = cpu_to_le16(chan->dcid);
4702 rsp.dcid = cpu_to_le16(chan->scid);
4703
8eb200bd
MM		 4704 if (result == L2CAP_CR_SUCCESS) {
4705 /* Send successful response */
62cd50e2
AE		 4706 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4707 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4708 } else {
4709 /* Send negative response */
62cd50e2
AE		 4710 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4711 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4712 }
4713
4714 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4715 sizeof(rsp), &rsp);
4716
4717 if (result == L2CAP_CR_SUCCESS) {
4718 __l2cap_state_change(chan, BT_CONFIG);
4719 set_bit(CONF_REQ_SENT, &chan->conf_state);
4720 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4721 L2CAP_CONF_REQ,
4722 l2cap_build_conf_req(chan, buf), buf);
4723 chan->num_conf_req++;
4724 }
8eb200bd
MM		 4725 }
4726}
4727
4728static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4729 u8 remote_amp_id)
4730{
4731 l2cap_move_setup(chan);
4732 chan->move_id = local_amp_id;
4733 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4734
4735 l2cap_send_move_chan_req(chan, remote_amp_id);
4736}
4737
4738static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4739{
4740 struct hci_chan *hchan = NULL;
4741
4742 /* Placeholder - get hci_chan for logical link */
4743
4744 if (hchan) {
4745 if (hchan->state == BT_CONNECTED) {
4746 /* Logical link is ready to go */
4747 chan->hs_hcon = hchan->conn;
4748 chan->hs_hcon->l2cap_data = chan->conn;
4749 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4750 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4751
4752 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4753 } else {
4754 /* Wait for logical link to be ready */
4755 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4756 }
4757 } else {
4758 /* Logical link not available */
4759 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4760 }
4761}
4762
4763static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4764{
4765 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4766 u8 rsp_result;
4767 if (result == -EINVAL)
4768 rsp_result = L2CAP_MR_BAD_ID;
4769 else
4770 rsp_result = L2CAP_MR_NOT_ALLOWED;
4771
4772 l2cap_send_move_chan_rsp(chan, rsp_result);
4773 }
4774
4775 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4776 chan->move_state = L2CAP_MOVE_STABLE;
4777
4778 /* Restart data transmission */
4779 l2cap_ertm_send(chan);
4780}
4781
a514b17f
AE		 4782/* Invoke with locked chan */
4783void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4784{
770bfefa 4785 u8 local_amp_id = chan->local_amp_id;
fffadc08 4786 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4787
8eb200bd
MM		 4788 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4789 chan, result, local_amp_id, remote_amp_id);
4790
8eb200bd
MM		 4791 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4792 l2cap_chan_unlock(chan);
4793 return;
4794 }
4795
4796 if (chan->state != BT_CONNECTED) {
4797 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4798 } else if (result != L2CAP_MR_SUCCESS) {
4799 l2cap_do_move_cancel(chan, result);
4800 } else {
4801 switch (chan->move_role) {
4802 case L2CAP_MOVE_ROLE_INITIATOR:
4803 l2cap_do_move_initiate(chan, local_amp_id,
4804 remote_amp_id);
4805 break;
4806 case L2CAP_MOVE_ROLE_RESPONDER:
4807 l2cap_do_move_respond(chan, result);
4808 break;
4809 default:
4810 l2cap_do_move_cancel(chan, result);
4811 break;
4812 }
4813 }
8eb200bd
MM		 4814}
4815
8d5a04a1 4816static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4817 struct l2cap_cmd_hdr *cmd,
4818 u16 cmd_len, void *data)
8d5a04a1
MM		 4819{
4820 struct l2cap_move_chan_req *req = data;
1500109b 4821 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4822 struct l2cap_chan *chan;
8d5a04a1
MM		 4823 u16 icid = 0;
4824 u16 result = L2CAP_MR_NOT_ALLOWED;
4825
4826 if (cmd_len != sizeof(*req))
4827 return -EPROTO;
4828
4829 icid = le16_to_cpu(req->icid);
4830
ad0ac6ca 4831 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4832
4833 if (!enable_hs)
4834 return -EINVAL;
4835
02b0fbb9
MM		 4836 chan = l2cap_get_chan_by_dcid(conn, icid);
4837 if (!chan) {
1500109b
MM		 4838 rsp.icid = cpu_to_le16(icid);
4839 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4840 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4841 sizeof(rsp), &rsp);
02b0fbb9
MM		 4842 return 0;
4843 }
4844
1500109b
MM		 4845 chan->ident = cmd->ident;
4846
02b0fbb9
MM		 4847 if (chan->scid < L2CAP_CID_DYN_START ||
4848 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4849 (chan->mode != L2CAP_MODE_ERTM &&
4850 chan->mode != L2CAP_MODE_STREAMING)) {
4851 result = L2CAP_MR_NOT_ALLOWED;
4852 goto send_move_response;
4853 }
4854
4855 if (chan->local_amp_id == req->dest_amp_id) {
4856 result = L2CAP_MR_SAME_ID;
4857 goto send_move_response;
4858 }
4859
4860 if (req->dest_amp_id) {
4861 struct hci_dev *hdev;
4862 hdev = hci_dev_get(req->dest_amp_id);
4863 if (!hdev || hdev->dev_type != HCI_AMP ||
4864 !test_bit(HCI_UP, &hdev->flags)) {
4865 if (hdev)
4866 hci_dev_put(hdev);
4867
4868 result = L2CAP_MR_BAD_ID;
4869 goto send_move_response;
4870 }
4871 hci_dev_put(hdev);
4872 }
4873
4874 /* Detect a move collision. Only send a collision response
4875 * if this side has "lost", otherwise proceed with the move.
4876 * The winner has the larger bd_addr.
4877 */
4878 if ((__chan_is_moving(chan) ||
4879 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4880 bacmp(conn->src, conn->dst) > 0) {
4881 result = L2CAP_MR_COLLISION;
4882 goto send_move_response;
4883 }
4884
02b0fbb9
MM		 4885 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4886 l2cap_move_setup(chan);
4887 chan->move_id = req->dest_amp_id;
4888 icid = chan->dcid;
4889
4890 if (!req->dest_amp_id) {
4891 /* Moving to BR/EDR */
4892 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4893 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4894 result = L2CAP_MR_PEND;
4895 } else {
4896 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4897 result = L2CAP_MR_SUCCESS;
4898 }
4899 } else {
4900 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4901 /* Placeholder - uncomment when amp functions are available */
4902 /*amp_accept_physical(chan, req->dest_amp_id);*/
4903 result = L2CAP_MR_PEND;
4904 }
4905
4906send_move_response:
1500109b 4907 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4908
02b0fbb9
MM		 4909 l2cap_chan_unlock(chan);
4910
8d5a04a1
MM		 4911 return 0;
4912}
4913
5b155ef9
MM		 4914static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4915{
4916 struct l2cap_chan *chan;
4917 struct hci_chan *hchan = NULL;
4918
4919 chan = l2cap_get_chan_by_scid(conn, icid);
4920 if (!chan) {
4921 l2cap_send_move_chan_cfm_icid(conn, icid);
4922 return;
4923 }
4924
4925 __clear_chan_timer(chan);
4926 if (result == L2CAP_MR_PEND)
4927 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4928
4929 switch (chan->move_state) {
4930 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4931 /* Move confirm will be sent when logical link
4932 * is complete.
4933 */
4934 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4935 break;
4936 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4937 if (result == L2CAP_MR_PEND) {
4938 break;
4939 } else if (test_bit(CONN_LOCAL_BUSY,
4940 &chan->conn_state)) {
4941 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4942 } else {
4943 /* Logical link is up or moving to BR/EDR,
4944 * proceed with move
4945 */
4946 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4947 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4948 }
4949 break;
4950 case L2CAP_MOVE_WAIT_RSP:
4951 /* Moving to AMP */
4952 if (result == L2CAP_MR_SUCCESS) {
4953 /* Remote is ready, send confirm immediately
4954 * after logical link is ready
4955 */
4956 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4957 } else {
4958 /* Both logical link and move success
4959 * are required to confirm
4960 */
4961 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4962 }
4963
4964 /* Placeholder - get hci_chan for logical link */
4965 if (!hchan) {
4966 /* Logical link not available */
4967 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4968 break;
4969 }
4970
4971 /* If the logical link is not yet connected, do not
4972 * send confirmation.
4973 */
4974 if (hchan->state != BT_CONNECTED)
4975 break;
4976
4977 /* Logical link is already ready to go */
4978
4979 chan->hs_hcon = hchan->conn;
4980 chan->hs_hcon->l2cap_data = chan->conn;
4981
4982 if (result == L2CAP_MR_SUCCESS) {
4983 /* Can confirm now */
4984 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4985 } else {
4986 /* Now only need move success
4987 * to confirm
4988 */
4989 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4990 }
4991
4992 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4993 break;
4994 default:
4995 /* Any other amp move state means the move failed. */
4996 chan->move_id = chan->local_amp_id;
4997 l2cap_move_done(chan);
4998 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4999 }
5000
5001 l2cap_chan_unlock(chan);
5002}
5003
5004static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5005 u16 result)
5006{
5007 struct l2cap_chan *chan;
5008
5009 chan = l2cap_get_chan_by_ident(conn, ident);
5010 if (!chan) {
5011 /* Could not locate channel, icid is best guess */
5012 l2cap_send_move_chan_cfm_icid(conn, icid);
5013 return;
5014 }
5015
5016 __clear_chan_timer(chan);
5017
5018 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5019 if (result == L2CAP_MR_COLLISION) {
5020 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5021 } else {
5022 /* Cleanup - cancel move */
5023 chan->move_id = chan->local_amp_id;
5024 l2cap_move_done(chan);
5025 }
5026 }
5027
5028 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5029
5030 l2cap_chan_unlock(chan);
5031}
5032
5033static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5034 struct l2cap_cmd_hdr *cmd,
5035 u16 cmd_len, void *data)
8d5a04a1
MM		 5036{
5037 struct l2cap_move_chan_rsp *rsp = data;
5038 u16 icid, result;
5039
5040 if (cmd_len != sizeof(*rsp))
5041 return -EPROTO;
5042
5043 icid = le16_to_cpu(rsp->icid);
5044 result = le16_to_cpu(rsp->result);
5045
ad0ac6ca 5046 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5047
5b155ef9
MM		 5048 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5049 l2cap_move_continue(conn, icid, result);
5050 else
5051 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5052
5053 return 0;
5054}
5055
5f3847a4
MM		 5056static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5057 struct l2cap_cmd_hdr *cmd,
5058 u16 cmd_len, void *data)
8d5a04a1
MM		 5059{
5060 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5061 struct l2cap_chan *chan;
8d5a04a1
MM		 5062 u16 icid, result;
5063
5064 if (cmd_len != sizeof(*cfm))
5065 return -EPROTO;
5066
5067 icid = le16_to_cpu(cfm->icid);
5068 result = le16_to_cpu(cfm->result);
5069
ad0ac6ca 5070 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5071
5f3847a4
MM		 5072 chan = l2cap_get_chan_by_dcid(conn, icid);
5073 if (!chan) {
5074 /* Spec requires a response even if the icid was not found */
5075 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5076 return 0;
5077 }
5078
5079 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5080 if (result == L2CAP_MC_CONFIRMED) {
5081 chan->local_amp_id = chan->move_id;
5082 if (!chan->local_amp_id)
5083 __release_logical_link(chan);
5084 } else {
5085 chan->move_id = chan->local_amp_id;
5086 }
5087
5088 l2cap_move_done(chan);
5089 }
5090
8d5a04a1
MM		 5091 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5092
5f3847a4
MM		 5093 l2cap_chan_unlock(chan);
5094
8d5a04a1
MM		 5095 return 0;
5096}
5097
5098static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5099 struct l2cap_cmd_hdr *cmd,
5100 u16 cmd_len, void *data)
8d5a04a1
MM		 5101{
5102 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5103 struct l2cap_chan *chan;
8d5a04a1
MM		 5104 u16 icid;
5105
5106 if (cmd_len != sizeof(*rsp))
5107 return -EPROTO;
5108
5109 icid = le16_to_cpu(rsp->icid);
5110
ad0ac6ca 5111 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5112
3fd71a0a
MM		 5113 chan = l2cap_get_chan_by_scid(conn, icid);
5114 if (!chan)
5115 return 0;
5116
5117 __clear_chan_timer(chan);
5118
5119 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5120 chan->local_amp_id = chan->move_id;
5121
5122 if (!chan->local_amp_id && chan->hs_hchan)
5123 __release_logical_link(chan);
5124
5125 l2cap_move_done(chan);
5126 }
5127
5128 l2cap_chan_unlock(chan);
5129
8d5a04a1
MM		 5130 return 0;
5131}
5132
e2174ca4 5133static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5134 u16 to_multiplier)
de73115a
CT		 5135{
5136 u16 max_latency;
5137
5138 if (min > max || min < 6 || max > 3200)
5139 return -EINVAL;
5140
5141 if (to_multiplier < 10 || to_multiplier > 3200)
5142 return -EINVAL;
5143
5144 if (max >= to_multiplier * 8)
5145 return -EINVAL;
5146
5147 max_latency = (to_multiplier * 8 / max) - 1;
5148 if (latency > 499 || latency > max_latency)
5149 return -EINVAL;
5150
5151 return 0;
5152}
5153
5154static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5155 struct l2cap_cmd_hdr *cmd,
5156 u8 *data)
de73115a
CT		 5157{
5158 struct hci_conn *hcon = conn->hcon;
5159 struct l2cap_conn_param_update_req *req;
5160 struct l2cap_conn_param_update_rsp rsp;
5161 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5162 int err;
de73115a
CT		 5163
5164 if (!(hcon->link_mode & HCI_LM_MASTER))
5165 return -EINVAL;
5166
5167 cmd_len = __le16_to_cpu(cmd->len);
5168 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5169 return -EPROTO;
5170
5171 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5172 min = __le16_to_cpu(req->min);
5173 max = __le16_to_cpu(req->max);
de73115a
CT		 5174 latency = __le16_to_cpu(req->latency);
5175 to_multiplier = __le16_to_cpu(req->to_multiplier);
5176
5177 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5178 min, max, latency, to_multiplier);
de73115a
CT		 5179
5180 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5181
5182 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5183 if (err)
ac73498c 5184 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5185 else
ac73498c 5186 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5187
5188 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5189 sizeof(rsp), &rsp);
de73115a 5190
2ce603eb
CT		 5191 if (!err)
5192 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5193
de73115a
CT		 5194 return 0;
5195}
5196
3300d9a9 5197static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5198 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5199 u8 *data)
3300d9a9
CT		 5200{
5201 int err = 0;
5202
5203 switch (cmd->code) {
5204 case L2CAP_COMMAND_REJ:
cb3b3152 5205 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5206 break;
5207
5208 case L2CAP_CONN_REQ:
cb3b3152 5209 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5210 break;
5211
5212 case L2CAP_CONN_RSP:
f5a2598d 5213 case L2CAP_CREATE_CHAN_RSP:
cb3b3152 5214 err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5215 break;
5216
5217 case L2CAP_CONF_REQ:
5218 err = l2cap_config_req(conn, cmd, cmd_len, data);
5219 break;
5220
5221 case L2CAP_CONF_RSP:
cb3b3152 5222 err = l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5223 break;
5224
5225 case L2CAP_DISCONN_REQ:
cb3b3152 5226 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5227 break;
5228
5229 case L2CAP_DISCONN_RSP:
cb3b3152 5230 err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5231 break;
5232
5233 case L2CAP_ECHO_REQ:
5234 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5235 break;
5236
5237 case L2CAP_ECHO_RSP:
5238 break;
5239
5240 case L2CAP_INFO_REQ:
cb3b3152 5241 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5242 break;
5243
5244 case L2CAP_INFO_RSP:
cb3b3152 5245 err = l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5246 break;
5247
f94ff6ff
MM		 5248 case L2CAP_CREATE_CHAN_REQ:
5249 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5250 break;
5251
8d5a04a1
MM		 5252 case L2CAP_MOVE_CHAN_REQ:
5253 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5254 break;
5255
5256 case L2CAP_MOVE_CHAN_RSP:
5257 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5258 break;
5259
5260 case L2CAP_MOVE_CHAN_CFM:
5261 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5262 break;
5263
5264 case L2CAP_MOVE_CHAN_CFM_RSP:
5265 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5266 break;
5267
3300d9a9
CT		 5268 default:
5269 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5270 err = -EINVAL;
5271 break;
5272 }
5273
5274 return err;
5275}
5276
5277static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5278 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5279{
5280 switch (cmd->code) {
5281 case L2CAP_COMMAND_REJ:
5282 return 0;
5283
5284 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5285 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5286
5287 case L2CAP_CONN_PARAM_UPDATE_RSP:
5288 return 0;
5289
5290 default:
5291 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5292 return -EINVAL;
5293 }
5294}
5295
c5623556
JH		 5296static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5297 struct sk_buff *skb)
5298{
5299 u8 *data = skb->data;
5300 int len = skb->len;
5301 struct l2cap_cmd_hdr cmd;
5302 int err;
5303
5304 l2cap_raw_recv(conn, skb);
5305
5306 while (len >= L2CAP_CMD_HDR_SIZE) {
5307 u16 cmd_len;
5308 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5309 data += L2CAP_CMD_HDR_SIZE;
5310 len -= L2CAP_CMD_HDR_SIZE;
5311
5312 cmd_len = le16_to_cpu(cmd.len);
5313
5314 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5315 cmd.ident);
5316
5317 if (cmd_len > len || !cmd.ident) {
5318 BT_DBG("corrupted command");
5319 break;
5320 }
5321
5322 err = l2cap_le_sig_cmd(conn, &cmd, data);
5323 if (err) {
5324 struct l2cap_cmd_rej_unk rej;
5325
5326 BT_ERR("Wrong link type (%d)", err);
5327
5328 /* FIXME: Map err to a valid reason */
5329 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5330 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5331 sizeof(rej), &rej);
5332 }
5333
5334 data += cmd_len;
5335 len -= cmd_len;
5336 }
5337
5338 kfree_skb(skb);
5339}
5340
3300d9a9 5341static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5342 struct sk_buff *skb)
1da177e4
LT		 5343{
5344 u8 *data = skb->data;
5345 int len = skb->len;
5346 struct l2cap_cmd_hdr cmd;
3300d9a9 5347 int err;
1da177e4
LT		 5348
5349 l2cap_raw_recv(conn, skb);
5350
5351 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5352 u16 cmd_len;
1da177e4
LT		 5353 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5354 data += L2CAP_CMD_HDR_SIZE;
5355 len -= L2CAP_CMD_HDR_SIZE;
5356
88219a0f 5357 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5358
2d792818
GP		 5359 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5360 cmd.ident);
1da177e4 5361
88219a0f 5362 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5363 BT_DBG("corrupted command");
5364 break;
5365 }
5366
c5623556 5367 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5368 if (err) {
e2fd318e 5369 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5370
5371 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5372
5373 /* FIXME: Map err to a valid reason */
ac73498c 5374 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5375 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5376 sizeof(rej), &rej);
1da177e4
LT		 5377 }
5378
88219a0f
AV		 5379 data += cmd_len;
5380 len -= cmd_len;
1da177e4
LT		 5381 }
5382
5383 kfree_skb(skb);
5384}
5385
47d1ec61 5386static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5387{
5388 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5389 int hdr_size;
5390
5391 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5392 hdr_size = L2CAP_EXT_HDR_SIZE;
5393 else
5394 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5395
47d1ec61 5396 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5397 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5398 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5399 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5400
5401 if (our_fcs != rcv_fcs)
7a560e5c 5402 return -EBADMSG;
fcc203c3
GP		 5403 }
5404 return 0;
5405}
5406
6ea00485 5407static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5408{
e31f7633 5409 struct l2cap_ctrl control;
d5392c8f 5410
e31f7633 5411 BT_DBG("chan %p", chan);
d5392c8f 5412
e31f7633
MM		 5413 memset(&control, 0, sizeof(control));
5414 control.sframe = 1;
5415 control.final = 1;
5416 control.reqseq = chan->buffer_seq;
5417 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5418
e2ab4353 5419 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5420 control.super = L2CAP_SUPER_RNR;
5421 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5422 }
5423
e31f7633
MM		 5424 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5425 chan->unacked_frames > 0)
5426 __set_retrans_timer(chan);
d5392c8f 5427
e31f7633 5428 /* Send pending iframes */
525cd185 5429 l2cap_ertm_send(chan);
d5392c8f 5430
e2ab4353 5431 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5432 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5433 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5434 * send it now.
5435 */
5436 control.super = L2CAP_SUPER_RR;
5437 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5438 }
5439}
5440
2d792818
GP		 5441static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5442 struct sk_buff **last_frag)
18778a63 5443{
84084a31
MM		 5444 /* skb->len reflects data in skb as well as all fragments
5445 * skb->data_len reflects only data in fragments
5446 */
5447 if (!skb_has_frag_list(skb))
5448 skb_shinfo(skb)->frag_list = new_frag;
5449
5450 new_frag->next = NULL;
5451
5452 (*last_frag)->next = new_frag;
5453 *last_frag = new_frag;
5454
5455 skb->len += new_frag->len;
5456 skb->data_len += new_frag->len;
5457 skb->truesize += new_frag->truesize;
5458}
5459
4b51dae9
MM		 5460static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5461 struct l2cap_ctrl *control)
84084a31
MM		 5462{
5463 int err = -EINVAL;
18778a63 5464
4b51dae9 5465 switch (control->sar) {
7e0ef6ee 5466 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5467 if (chan->sdu)
5468 break;
18778a63 5469
80b98027 5470 err = chan->ops->recv(chan, skb);
84084a31 5471 break;
18778a63 5472
7e0ef6ee 5473 case L2CAP_SAR_START:
84084a31
MM		 5474 if (chan->sdu)
5475 break;
18778a63 5476
6f61fd47 5477 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5478 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5479
84084a31
MM		 5480 if (chan->sdu_len > chan->imtu) {
5481 err = -EMSGSIZE;
5482 break;
5483 }
1890d36b 5484
84084a31
MM		 5485 if (skb->len >= chan->sdu_len)
5486 break;
18778a63 5487
84084a31
MM		 5488 chan->sdu = skb;
5489 chan->sdu_last_frag = skb;
18778a63 5490
84084a31
MM		 5491 skb = NULL;
5492 err = 0;
18778a63
GP		 5493 break;
5494
7e0ef6ee 5495 case L2CAP_SAR_CONTINUE:
6f61fd47 5496 if (!chan->sdu)
84084a31 5497 break;
18778a63 5498
84084a31
MM		 5499 append_skb_frag(chan->sdu, skb,
5500 &chan->sdu_last_frag);
5501 skb = NULL;
18778a63 5502
84084a31
MM		 5503 if (chan->sdu->len >= chan->sdu_len)
5504 break;
4178ba46 5505
84084a31 5506 err = 0;
18778a63
GP		 5507 break;
5508
7e0ef6ee 5509 case L2CAP_SAR_END:
6f61fd47 5510 if (!chan->sdu)
84084a31 5511 break;
18778a63 5512
84084a31
MM		 5513 append_skb_frag(chan->sdu, skb,
5514 &chan->sdu_last_frag);
5515 skb = NULL;
4178ba46 5516
84084a31
MM		 5517 if (chan->sdu->len != chan->sdu_len)
5518 break;
18778a63 5519
80b98027 5520 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5521
84084a31
MM		 5522 if (!err) {
5523 /* Reassembly complete */
5524 chan->sdu = NULL;
5525 chan->sdu_last_frag = NULL;
5526 chan->sdu_len = 0;
1890d36b 5527 }
18778a63
GP		 5528 break;
5529 }
5530
84084a31
MM		 5531 if (err) {
5532 kfree_skb(skb);
5533 kfree_skb(chan->sdu);
5534 chan->sdu = NULL;
5535 chan->sdu_last_frag = NULL;
5536 chan->sdu_len = 0;
5537 }
18778a63 5538
84084a31 5539 return err;
18778a63
GP		 5540}
5541
32b32735
MM		 5542static int l2cap_resegment(struct l2cap_chan *chan)
5543{
5544 /* Placeholder */
5545 return 0;
5546}
5547
61aa4f5b 5548void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5549{
61aa4f5b 5550 u8 event;
712132eb 5551
61aa4f5b
MM		 5552 if (chan->mode != L2CAP_MODE_ERTM)
5553 return;
712132eb 5554
61aa4f5b 5555 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5556 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5557}
5558
d2a7ac5d
MM		 5559static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5560{
63838725
MM		 5561 int err = 0;
5562 /* Pass sequential frames to l2cap_reassemble_sdu()
5563 * until a gap is encountered.
5564 */
5565
5566 BT_DBG("chan %p", chan);
5567
5568 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5569 struct sk_buff *skb;
5570 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5571 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5572
5573 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5574
5575 if (!skb)
5576 break;
5577
5578 skb_unlink(skb, &chan->srej_q);
5579 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5580 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5581 if (err)
5582 break;
5583 }
5584
5585 if (skb_queue_empty(&chan->srej_q)) {
5586 chan->rx_state = L2CAP_RX_STATE_RECV;
5587 l2cap_send_ack(chan);
5588 }
5589
5590 return err;
d2a7ac5d
MM		 5591}
5592
5593static void l2cap_handle_srej(struct l2cap_chan *chan,
5594 struct l2cap_ctrl *control)
5595{
f80842a8
MM		 5596 struct sk_buff *skb;
5597
5598 BT_DBG("chan %p, control %p", chan, control);
5599
5600 if (control->reqseq == chan->next_tx_seq) {
5601 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5602 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5603 return;
5604 }
5605
5606 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5607
5608 if (skb == NULL) {
5609 BT_DBG("Seq %d not available for retransmission",
5610 control->reqseq);
5611 return;
5612 }
5613
5614 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5615 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5616 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5617 return;
5618 }
5619
5620 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5621
5622 if (control->poll) {
5623 l2cap_pass_to_tx(chan, control);
5624
5625 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5626 l2cap_retransmit(chan, control);
5627 l2cap_ertm_send(chan);
5628
5629 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5630 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5631 chan->srej_save_reqseq = control->reqseq;
5632 }
5633 } else {
5634 l2cap_pass_to_tx_fbit(chan, control);
5635
5636 if (control->final) {
5637 if (chan->srej_save_reqseq != control->reqseq ||
5638 !test_and_clear_bit(CONN_SREJ_ACT,
5639 &chan->conn_state))
5640 l2cap_retransmit(chan, control);
5641 } else {
5642 l2cap_retransmit(chan, control);
5643 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5644 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5645 chan->srej_save_reqseq = control->reqseq;
5646 }
5647 }
5648 }
d2a7ac5d
MM		 5649}
5650
5651static void l2cap_handle_rej(struct l2cap_chan *chan,
5652 struct l2cap_ctrl *control)
5653{
fcd289df
MM		 5654 struct sk_buff *skb;
5655
5656 BT_DBG("chan %p, control %p", chan, control);
5657
5658 if (control->reqseq == chan->next_tx_seq) {
5659 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5660 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5661 return;
5662 }
5663
5664 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5665
5666 if (chan->max_tx && skb &&
5667 bt_cb(skb)->control.retries >= chan->max_tx) {
5668 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5669 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5670 return;
5671 }
5672
5673 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5674
5675 l2cap_pass_to_tx(chan, control);
5676
5677 if (control->final) {
5678 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5679 l2cap_retransmit_all(chan, control);
5680 } else {
5681 l2cap_retransmit_all(chan, control);
5682 l2cap_ertm_send(chan);
5683 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5684 set_bit(CONN_REJ_ACT, &chan->conn_state);
5685 }
d2a7ac5d
MM		 5686}
5687
4b51dae9
MM		 5688static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5689{
5690 BT_DBG("chan %p, txseq %d", chan, txseq);
5691
5692 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5693 chan->expected_tx_seq);
5694
5695 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5696 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5697 chan->tx_win) {
4b51dae9
MM		 5698 /* See notes below regarding "double poll" and
5699 * invalid packets.
5700 */
5701 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5702 BT_DBG("Invalid/Ignore - after SREJ");
5703 return L2CAP_TXSEQ_INVALID_IGNORE;
5704 } else {
5705 BT_DBG("Invalid - in window after SREJ sent");
5706 return L2CAP_TXSEQ_INVALID;
5707 }
5708 }
5709
5710 if (chan->srej_list.head == txseq) {
5711 BT_DBG("Expected SREJ");
5712 return L2CAP_TXSEQ_EXPECTED_SREJ;
5713 }
5714
5715 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5716 BT_DBG("Duplicate SREJ - txseq already stored");
5717 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5718 }
5719
5720 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5721 BT_DBG("Unexpected SREJ - not requested");
5722 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5723 }
5724 }
5725
5726 if (chan->expected_tx_seq == txseq) {
5727 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5728 chan->tx_win) {
5729 BT_DBG("Invalid - txseq outside tx window");
5730 return L2CAP_TXSEQ_INVALID;
5731 } else {
5732 BT_DBG("Expected");
5733 return L2CAP_TXSEQ_EXPECTED;
5734 }
5735 }
5736
5737 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5738 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5739 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5740 return L2CAP_TXSEQ_DUPLICATE;
5741 }
5742
5743 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5744 /* A source of invalid packets is a "double poll" condition,
5745 * where delays cause us to send multiple poll packets. If
5746 * the remote stack receives and processes both polls,
5747 * sequence numbers can wrap around in such a way that a
5748 * resent frame has a sequence number that looks like new data
5749 * with a sequence gap. This would trigger an erroneous SREJ
5750 * request.
5751 *
5752 * Fortunately, this is impossible with a tx window that's
5753 * less than half of the maximum sequence number, which allows
5754 * invalid frames to be safely ignored.
5755 *
5756 * With tx window sizes greater than half of the tx window
5757 * maximum, the frame is invalid and cannot be ignored. This
5758 * causes a disconnect.
5759 */
5760
5761 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5762 BT_DBG("Invalid/Ignore - txseq outside tx window");
5763 return L2CAP_TXSEQ_INVALID_IGNORE;
5764 } else {
5765 BT_DBG("Invalid - txseq outside tx window");
5766 return L2CAP_TXSEQ_INVALID;
5767 }
5768 } else {
5769 BT_DBG("Unexpected - txseq indicates missing frames");
5770 return L2CAP_TXSEQ_UNEXPECTED;
5771 }
5772}
5773
d2a7ac5d
MM		 5774static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5775 struct l2cap_ctrl *control,
5776 struct sk_buff *skb, u8 event)
5777{
5778 int err = 0;
5779 bool skb_in_use = 0;
5780
5781 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5782 event);
5783
5784 switch (event) {
5785 case L2CAP_EV_RECV_IFRAME:
5786 switch (l2cap_classify_txseq(chan, control->txseq)) {
5787 case L2CAP_TXSEQ_EXPECTED:
5788 l2cap_pass_to_tx(chan, control);
5789
5790 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5791 BT_DBG("Busy, discarding expected seq %d",
5792 control->txseq);
5793 break;
5794 }
5795
5796 chan->expected_tx_seq = __next_seq(chan,
5797 control->txseq);
5798
5799 chan->buffer_seq = chan->expected_tx_seq;
5800 skb_in_use = 1;
5801
5802 err = l2cap_reassemble_sdu(chan, skb, control);
5803 if (err)
5804 break;
5805
5806 if (control->final) {
5807 if (!test_and_clear_bit(CONN_REJ_ACT,
5808 &chan->conn_state)) {
5809 control->final = 0;
5810 l2cap_retransmit_all(chan, control);
5811 l2cap_ertm_send(chan);
5812 }
5813 }
5814
5815 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5816 l2cap_send_ack(chan);
5817 break;
5818 case L2CAP_TXSEQ_UNEXPECTED:
5819 l2cap_pass_to_tx(chan, control);
5820
5821 /* Can't issue SREJ frames in the local busy state.
5822 * Drop this frame, it will be seen as missing
5823 * when local busy is exited.
5824 */
5825 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5826 BT_DBG("Busy, discarding unexpected seq %d",
5827 control->txseq);
5828 break;
5829 }
5830
5831 /* There was a gap in the sequence, so an SREJ
5832 * must be sent for each missing frame. The
5833 * current frame is stored for later use.
5834 */
5835 skb_queue_tail(&chan->srej_q, skb);
5836 skb_in_use = 1;
5837 BT_DBG("Queued %p (queue len %d)", skb,
5838 skb_queue_len(&chan->srej_q));
5839
5840 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5841 l2cap_seq_list_clear(&chan->srej_list);
5842 l2cap_send_srej(chan, control->txseq);
5843
5844 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5845 break;
5846 case L2CAP_TXSEQ_DUPLICATE:
5847 l2cap_pass_to_tx(chan, control);
5848 break;
5849 case L2CAP_TXSEQ_INVALID_IGNORE:
5850 break;
5851 case L2CAP_TXSEQ_INVALID:
5852 default:
5e4e3972 5853 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5854 break;
5855 }
5856 break;
5857 case L2CAP_EV_RECV_RR:
5858 l2cap_pass_to_tx(chan, control);
5859 if (control->final) {
5860 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5861
e6a3ee6e
MM		 5862 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5863 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5864 control->final = 0;
5865 l2cap_retransmit_all(chan, control);
5866 }
5867
5868 l2cap_ertm_send(chan);
5869 } else if (control->poll) {
5870 l2cap_send_i_or_rr_or_rnr(chan);
5871 } else {
5872 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5873 &chan->conn_state) &&
5874 chan->unacked_frames)
5875 __set_retrans_timer(chan);
5876
5877 l2cap_ertm_send(chan);
5878 }
5879 break;
5880 case L2CAP_EV_RECV_RNR:
5881 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5882 l2cap_pass_to_tx(chan, control);
5883 if (control && control->poll) {
5884 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5885 l2cap_send_rr_or_rnr(chan, 0);
5886 }
5887 __clear_retrans_timer(chan);
5888 l2cap_seq_list_clear(&chan->retrans_list);
5889 break;
5890 case L2CAP_EV_RECV_REJ:
5891 l2cap_handle_rej(chan, control);
5892 break;
5893 case L2CAP_EV_RECV_SREJ:
5894 l2cap_handle_srej(chan, control);
5895 break;
5896 default:
5897 break;
5898 }
5899
5900 if (skb && !skb_in_use) {
5901 BT_DBG("Freeing %p", skb);
5902 kfree_skb(skb);
5903 }
5904
5905 return err;
5906}
5907
5908static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5909 struct l2cap_ctrl *control,
5910 struct sk_buff *skb, u8 event)
5911{
5912 int err = 0;
5913 u16 txseq = control->txseq;
5914 bool skb_in_use = 0;
5915
5916 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5917 event);
5918
5919 switch (event) {
5920 case L2CAP_EV_RECV_IFRAME:
5921 switch (l2cap_classify_txseq(chan, txseq)) {
5922 case L2CAP_TXSEQ_EXPECTED:
5923 /* Keep frame for reassembly later */
5924 l2cap_pass_to_tx(chan, control);
5925 skb_queue_tail(&chan->srej_q, skb);
5926 skb_in_use = 1;
5927 BT_DBG("Queued %p (queue len %d)", skb,
5928 skb_queue_len(&chan->srej_q));
5929
5930 chan->expected_tx_seq = __next_seq(chan, txseq);
5931 break;
5932 case L2CAP_TXSEQ_EXPECTED_SREJ:
5933 l2cap_seq_list_pop(&chan->srej_list);
5934
5935 l2cap_pass_to_tx(chan, control);
5936 skb_queue_tail(&chan->srej_q, skb);
5937 skb_in_use = 1;
5938 BT_DBG("Queued %p (queue len %d)", skb,
5939 skb_queue_len(&chan->srej_q));
5940
5941 err = l2cap_rx_queued_iframes(chan);
5942 if (err)
5943 break;
5944
5945 break;
5946 case L2CAP_TXSEQ_UNEXPECTED:
5947 /* Got a frame that can't be reassembled yet.
5948 * Save it for later, and send SREJs to cover
5949 * the missing frames.
5950 */
5951 skb_queue_tail(&chan->srej_q, skb);
5952 skb_in_use = 1;
5953 BT_DBG("Queued %p (queue len %d)", skb,
5954 skb_queue_len(&chan->srej_q));
5955
5956 l2cap_pass_to_tx(chan, control);
5957 l2cap_send_srej(chan, control->txseq);
5958 break;
5959 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5960 /* This frame was requested with an SREJ, but
5961 * some expected retransmitted frames are
5962 * missing. Request retransmission of missing
5963 * SREJ'd frames.
5964 */
5965 skb_queue_tail(&chan->srej_q, skb);
5966 skb_in_use = 1;
5967 BT_DBG("Queued %p (queue len %d)", skb,
5968 skb_queue_len(&chan->srej_q));
5969
5970 l2cap_pass_to_tx(chan, control);
5971 l2cap_send_srej_list(chan, control->txseq);
5972 break;
5973 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5974 /* We've already queued this frame. Drop this copy. */
5975 l2cap_pass_to_tx(chan, control);
5976 break;
5977 case L2CAP_TXSEQ_DUPLICATE:
5978 /* Expecting a later sequence number, so this frame
5979 * was already received. Ignore it completely.
5980 */
5981 break;
5982 case L2CAP_TXSEQ_INVALID_IGNORE:
5983 break;
5984 case L2CAP_TXSEQ_INVALID:
5985 default:
5e4e3972 5986 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5987 break;
5988 }
5989 break;
5990 case L2CAP_EV_RECV_RR:
5991 l2cap_pass_to_tx(chan, control);
5992 if (control->final) {
5993 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5994
5995 if (!test_and_clear_bit(CONN_REJ_ACT,
5996 &chan->conn_state)) {
5997 control->final = 0;
5998 l2cap_retransmit_all(chan, control);
5999 }
6000
6001 l2cap_ertm_send(chan);
6002 } else if (control->poll) {
6003 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6004 &chan->conn_state) &&
6005 chan->unacked_frames) {
6006 __set_retrans_timer(chan);
6007 }
6008
6009 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6010 l2cap_send_srej_tail(chan);
6011 } else {
6012 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6013 &chan->conn_state) &&
6014 chan->unacked_frames)
6015 __set_retrans_timer(chan);
6016
6017 l2cap_send_ack(chan);
6018 }
6019 break;
6020 case L2CAP_EV_RECV_RNR:
6021 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6022 l2cap_pass_to_tx(chan, control);
6023 if (control->poll) {
6024 l2cap_send_srej_tail(chan);
6025 } else {
6026 struct l2cap_ctrl rr_control;
6027 memset(&rr_control, 0, sizeof(rr_control));
6028 rr_control.sframe = 1;
6029 rr_control.super = L2CAP_SUPER_RR;
6030 rr_control.reqseq = chan->buffer_seq;
6031 l2cap_send_sframe(chan, &rr_control);
6032 }
6033
6034 break;
6035 case L2CAP_EV_RECV_REJ:
6036 l2cap_handle_rej(chan, control);
6037 break;
6038 case L2CAP_EV_RECV_SREJ:
6039 l2cap_handle_srej(chan, control);
6040 break;
6041 }
6042
6043 if (skb && !skb_in_use) {
6044 BT_DBG("Freeing %p", skb);
6045 kfree_skb(skb);
6046 }
6047
6048 return err;
6049}
6050
32b32735
MM		 6051static int l2cap_finish_move(struct l2cap_chan *chan)
6052{
6053 BT_DBG("chan %p", chan);
6054
6055 chan->rx_state = L2CAP_RX_STATE_RECV;
6056
6057 if (chan->hs_hcon)
6058 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6059 else
6060 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6061
6062 return l2cap_resegment(chan);
6063}
6064
6065static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6066 struct l2cap_ctrl *control,
6067 struct sk_buff *skb, u8 event)
6068{
6069 int err;
6070
6071 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6072 event);
6073
6074 if (!control->poll)
6075 return -EPROTO;
6076
6077 l2cap_process_reqseq(chan, control->reqseq);
6078
6079 if (!skb_queue_empty(&chan->tx_q))
6080 chan->tx_send_head = skb_peek(&chan->tx_q);
6081 else
6082 chan->tx_send_head = NULL;
6083
6084 /* Rewind next_tx_seq to the point expected
6085 * by the receiver.
6086 */
6087 chan->next_tx_seq = control->reqseq;
6088 chan->unacked_frames = 0;
6089
6090 err = l2cap_finish_move(chan);
6091 if (err)
6092 return err;
6093
6094 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6095 l2cap_send_i_or_rr_or_rnr(chan);
6096
6097 if (event == L2CAP_EV_RECV_IFRAME)
6098 return -EPROTO;
6099
6100 return l2cap_rx_state_recv(chan, control, NULL, event);
6101}
6102
6103static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6104 struct l2cap_ctrl *control,
6105 struct sk_buff *skb, u8 event)
6106{
6107 int err;
6108
6109 if (!control->final)
6110 return -EPROTO;
6111
6112 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6113
6114 chan->rx_state = L2CAP_RX_STATE_RECV;
6115 l2cap_process_reqseq(chan, control->reqseq);
6116
6117 if (!skb_queue_empty(&chan->tx_q))
6118 chan->tx_send_head = skb_peek(&chan->tx_q);
6119 else
6120 chan->tx_send_head = NULL;
6121
6122 /* Rewind next_tx_seq to the point expected
6123 * by the receiver.
6124 */
6125 chan->next_tx_seq = control->reqseq;
6126 chan->unacked_frames = 0;
6127
6128 if (chan->hs_hcon)
6129 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6130 else
6131 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6132
6133 err = l2cap_resegment(chan);
6134
6135 if (!err)
6136 err = l2cap_rx_state_recv(chan, control, skb, event);
6137
6138 return err;
6139}
6140
d2a7ac5d
MM		 6141static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6142{
6143 /* Make sure reqseq is for a packet that has been sent but not acked */
6144 u16 unacked;
6145
6146 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6147 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6148}
6149
cec8ab6e
MM		 6150static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6151 struct sk_buff *skb, u8 event)
218bb9df 6152{
d2a7ac5d
MM		 6153 int err = 0;
6154
6155 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6156 control, skb, event, chan->rx_state);
6157
6158 if (__valid_reqseq(chan, control->reqseq)) {
6159 switch (chan->rx_state) {
6160 case L2CAP_RX_STATE_RECV:
6161 err = l2cap_rx_state_recv(chan, control, skb, event);
6162 break;
6163 case L2CAP_RX_STATE_SREJ_SENT:
6164 err = l2cap_rx_state_srej_sent(chan, control, skb,
6165 event);
6166 break;
32b32735
MM		 6167 case L2CAP_RX_STATE_WAIT_P:
6168 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6169 break;
6170 case L2CAP_RX_STATE_WAIT_F:
6171 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6172 break;
d2a7ac5d
MM		 6173 default:
6174 /* shut it down */
6175 break;
6176 }
6177 } else {
6178 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6179 control->reqseq, chan->next_tx_seq,
6180 chan->expected_ack_seq);
5e4e3972 6181 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6182 }
6183
6184 return err;
cec8ab6e
MM		 6185}
6186
6187static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6188 struct sk_buff *skb)
6189{
4b51dae9
MM		 6190 int err = 0;
6191
6192 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6193 chan->rx_state);
6194
6195 if (l2cap_classify_txseq(chan, control->txseq) ==
6196 L2CAP_TXSEQ_EXPECTED) {
6197 l2cap_pass_to_tx(chan, control);
6198
6199 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6200 __next_seq(chan, chan->buffer_seq));
6201
6202 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6203
6204 l2cap_reassemble_sdu(chan, skb, control);
6205 } else {
6206 if (chan->sdu) {
6207 kfree_skb(chan->sdu);
6208 chan->sdu = NULL;
6209 }
6210 chan->sdu_last_frag = NULL;
6211 chan->sdu_len = 0;
6212
6213 if (skb) {
6214 BT_DBG("Freeing %p", skb);
6215 kfree_skb(skb);
6216 }
6217 }
6218
6219 chan->last_acked_seq = control->txseq;
6220 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6221
6222 return err;
cec8ab6e
MM		 6223}
6224
6225static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6226{
6227 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6228 u16 len;
6229 u8 event;
218bb9df 6230
b76bbd66
MM		 6231 __unpack_control(chan, skb);
6232
218bb9df
GP		 6233 len = skb->len;
6234
6235 /*
6236 * We can just drop the corrupted I-frame here.
6237 * Receiver will miss it and start proper recovery
cec8ab6e 6238 * procedures and ask for retransmission.
218bb9df 6239 */
47d1ec61 6240 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6241 goto drop;
6242
cec8ab6e 6243 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6244 len -= L2CAP_SDULEN_SIZE;
218bb9df 6245
47d1ec61 6246 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6247 len -= L2CAP_FCS_SIZE;
218bb9df 6248
47d1ec61 6249 if (len > chan->mps) {
5e4e3972 6250 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6251 goto drop;
6252 }
6253
cec8ab6e
MM		 6254 if (!control->sframe) {
6255 int err;
218bb9df 6256
cec8ab6e
MM		 6257 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6258 control->sar, control->reqseq, control->final,
6259 control->txseq);
218bb9df 6260
cec8ab6e
MM		 6261 /* Validate F-bit - F=0 always valid, F=1 only
6262 * valid in TX WAIT_F
6263 */
6264 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6265 goto drop;
cec8ab6e
MM		 6266
6267 if (chan->mode != L2CAP_MODE_STREAMING) {
6268 event = L2CAP_EV_RECV_IFRAME;
6269 err = l2cap_rx(chan, control, skb, event);
6270 } else {
6271 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6272 }
6273
cec8ab6e 6274 if (err)
5e4e3972 6275 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6276 } else {
cec8ab6e
MM		 6277 const u8 rx_func_to_event[4] = {
6278 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6279 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6280 };
6281
6282 /* Only I-frames are expected in streaming mode */
6283 if (chan->mode == L2CAP_MODE_STREAMING)
6284 goto drop;
6285
6286 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6287 control->reqseq, control->final, control->poll,
6288 control->super);
6289
218bb9df 6290 if (len != 0) {
1bb166e6 6291 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6292 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6293 goto drop;
6294 }
6295
cec8ab6e
MM		 6296 /* Validate F and P bits */
6297 if (control->final && (control->poll ||
6298 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6299 goto drop;
6300
6301 event = rx_func_to_event[control->super];
6302 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6303 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6304 }
6305
6306 return 0;
6307
6308drop:
6309 kfree_skb(skb);
6310 return 0;
6311}
6312
13ca56e0
AE		 6313static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6314 struct sk_buff *skb)
1da177e4 6315{
48454079 6316 struct l2cap_chan *chan;
1da177e4 6317
baa7e1fa 6318 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6319 if (!chan) {
97e8e89d
AE		 6320 if (cid == L2CAP_CID_A2MP) {
6321 chan = a2mp_channel_create(conn, skb);
6322 if (!chan) {
6323 kfree_skb(skb);
13ca56e0 6324 return;
97e8e89d
AE		 6325 }
6326
6327 l2cap_chan_lock(chan);
6328 } else {
6329 BT_DBG("unknown cid 0x%4.4x", cid);
6330 /* Drop packet and return */
6331 kfree_skb(skb);
13ca56e0 6332 return;
97e8e89d 6333 }
1da177e4
LT		 6334 }
6335
49208c9c 6336 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6337
89bc500e 6338 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6339 goto drop;
6340
0c1bc5c6 6341 switch (chan->mode) {
1c2acffb
GP		 6342 case L2CAP_MODE_BASIC:
6343 /* If socket recv buffers overflows we drop data here
6344 * which is *bad* because L2CAP has to be reliable.
6345 * But we don't have any other choice. L2CAP doesn't
6346 * provide flow control mechanism. */
1da177e4 6347
0c1bc5c6 6348 if (chan->imtu < skb->len)
1c2acffb 6349 goto drop;
1da177e4 6350
80b98027 6351 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6352 goto done;
6353 break;
6354
6355 case L2CAP_MODE_ERTM:
6840ed07 6356 case L2CAP_MODE_STREAMING:
cec8ab6e 6357 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6358 goto done;
6359
1c2acffb 6360 default:
0c1bc5c6 6361 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6362 break;
6363 }
1da177e4
LT		 6364
6365drop:
6366 kfree_skb(skb);
6367
6368done:
6be36555 6369 l2cap_chan_unlock(chan);
1da177e4
LT		 6370}
6371
84104b24
AE		 6372static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6373 struct sk_buff *skb)
1da177e4 6374{
23691d75 6375 struct l2cap_chan *chan;
1da177e4 6376
c2287681 6377 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6378 if (!chan)
1da177e4
LT		 6379 goto drop;
6380
5b4cedaa 6381 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6382
89bc500e 6383 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6384 goto drop;
6385
e13e21dc 6386 if (chan->imtu < skb->len)
1da177e4
LT		 6387 goto drop;
6388
80b98027 6389 if (!chan->ops->recv(chan, skb))
84104b24 6390 return;
1da177e4
LT		 6391
6392drop:
6393 kfree_skb(skb);
1da177e4
LT		 6394}
6395
72f78356 6396static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6397 struct sk_buff *skb)
9f69bda6 6398{
23691d75 6399 struct l2cap_chan *chan;
9f69bda6 6400
af1c0134 6401 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
72f78356 6402 conn->src, conn->dst);
23691d75 6403 if (!chan)
9f69bda6
GP		 6404 goto drop;
6405
5b4cedaa 6406 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6407
e13e21dc 6408 if (chan->imtu < skb->len)
9f69bda6
GP		 6409 goto drop;
6410
80b98027 6411 if (!chan->ops->recv(chan, skb))
6810fca7 6412 return;
9f69bda6
GP		 6413
6414drop:
6415 kfree_skb(skb);
9f69bda6
GP		 6416}
6417
1da177e4
LT		 6418static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6419{
6420 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6421 u16 cid, len;
6422 __le16 psm;
1da177e4
LT		 6423
6424 skb_pull(skb, L2CAP_HDR_SIZE);
6425 cid = __le16_to_cpu(lh->cid);
6426 len = __le16_to_cpu(lh->len);
6427
1c2acffb
GP		 6428 if (len != skb->len) {
6429 kfree_skb(skb);
6430 return;
6431 }
6432
1da177e4
LT		 6433 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6434
6435 switch (cid) {
3300d9a9 6436 case L2CAP_CID_LE_SIGNALING:
c5623556
JH		 6437 l2cap_le_sig_channel(conn, skb);
6438 break;
8db4dc46 6439 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6440 l2cap_sig_channel(conn, skb);
6441 break;
6442
8db4dc46 6443 case L2CAP_CID_CONN_LESS:
097db76c 6444 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6445 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6446 l2cap_conless_channel(conn, psm, skb);
6447 break;
6448
073d1cf3 6449 case L2CAP_CID_ATT:
72f78356 6450 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6451 break;
6452
b501d6a1
AB		 6453 case L2CAP_CID_SMP:
6454 if (smp_sig_channel(conn, skb))
6455 l2cap_conn_del(conn->hcon, EACCES);
6456 break;
6457
1da177e4
LT		 6458 default:
6459 l2cap_data_channel(conn, cid, skb);
6460 break;
6461 }
6462}
6463
6464/* ---- L2CAP interface with lower layer (HCI) ---- */
6465
686ebf28 6466int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6467{
6468 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6469 struct l2cap_chan *c;
1da177e4 6470
6ed93dc6 6471 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6472
6473 /* Find listening sockets and check their link_mode */
23691d75
GP		 6474 read_lock(&chan_list_lock);
6475 list_for_each_entry(c, &chan_list, global_l) {
6476 struct sock *sk = c->sk;
4343478f 6477
89bc500e 6478 if (c->state != BT_LISTEN)
1da177e4
LT		 6479 continue;
6480
6481 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6482 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6483 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6484 lm1 |= HCI_LM_MASTER;
1da177e4 6485 exact++;
2af6b9d5
MH		 6486 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6487 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6488 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6489 lm2 |= HCI_LM_MASTER;
6490 }
1da177e4 6491 }
23691d75 6492 read_unlock(&chan_list_lock);
1da177e4
LT		 6493
6494 return exact ? lm1 : lm2;
6495}
6496
9e664631 6497void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6498{
0139418c
MH		 6499 struct l2cap_conn *conn;
6500
6ed93dc6 6501 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6502
1da177e4 6503 if (!status) {
baf43251 6504 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6505 if (conn)
6506 l2cap_conn_ready(conn);
ba6fc317 6507 } else {
e175072f 6508 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6509 }
1da177e4
LT		 6510}
6511
686ebf28 6512int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6513{
6514 struct l2cap_conn *conn = hcon->l2cap_data;
6515
6516 BT_DBG("hcon %p", hcon);
6517
686ebf28 6518 if (!conn)
9f5a0d7b 6519 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6520 return conn->disc_reason;
6521}
6522
9e664631 6523void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6524{
6525 BT_DBG("hcon %p reason %d", hcon, reason);
6526
e175072f 6527 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6528}
6529
4343478f 6530static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6531{
715ec005 6532 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6533 return;
6534
f62e4323 6535 if (encrypt == 0x00) {
4343478f 6536 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6537 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6538 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6539 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6540 } else {
4343478f 6541 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6542 __clear_chan_timer(chan);
f62e4323
MH		 6543 }
6544}
6545
686ebf28 6546int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6547{
0139418c 6548 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6549 struct l2cap_chan *chan;
1da177e4 6550
0139418c 6551 if (!conn)
1da177e4 6552 return 0;
0139418c 6553
89d8b407 6554 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6555
160dc6ac 6556 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6557 if (!status && encrypt)
6558 smp_distribute_keys(conn, 0);
17cd3f37 6559 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6560 }
6561
3df91ea2 6562 mutex_lock(&conn->chan_lock);
1da177e4 6563
3df91ea2 6564 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6565 l2cap_chan_lock(chan);
1da177e4 6566
89d8b407
AE		 6567 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6568 state_to_string(chan->state));
f1cb9af5 6569
78eb2f98
AE		 6570 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6571 l2cap_chan_unlock(chan);
6572 continue;
6573 }
6574
073d1cf3 6575 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6576 if (!status && encrypt) {
6577 chan->sec_level = hcon->sec_level;
cf4cd009 6578 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6579 }
6580
6be36555 6581 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6582 continue;
6583 }
6584
96eff46e 6585 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6586 l2cap_chan_unlock(chan);
6a8d3010
MH		 6587 continue;
6588 }
6589
89bc500e 6590 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6591 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6592 struct sock *sk = chan->sk;
6593
c5daa683 6594 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6595 sk->sk_state_change(sk);
6596
4343478f 6597 l2cap_check_encryption(chan, encrypt);
6be36555 6598 l2cap_chan_unlock(chan);
9719f8af
MH		 6599 continue;
6600 }
6601
89bc500e 6602 if (chan->state == BT_CONNECT) {
b1235d79 6603 if (!status) {
93c3e8f5 6604 l2cap_start_connection(chan);
b1235d79 6605 } else {
ba13ccd9 6606 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6607 }
89bc500e 6608 } else if (chan->state == BT_CONNECT2) {
6be36555 6609 struct sock *sk = chan->sk;
b1235d79 6610 struct l2cap_conn_rsp rsp;
df3c3931 6611 __u16 res, stat;
1da177e4 6612
6be36555
AE		 6613 lock_sock(sk);
6614
b1235d79 6615 if (!status) {
c5daa683
GP		 6616 if (test_bit(BT_SK_DEFER_SETUP,
6617 &bt_sk(sk)->flags)) {
df3c3931
JH		 6618 res = L2CAP_CR_PEND;
6619 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6620 chan->ops->defer(chan);
df3c3931 6621 } else {
0e587be7 6622 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6623 res = L2CAP_CR_SUCCESS;
6624 stat = L2CAP_CS_NO_INFO;
6625 }
b1235d79 6626 } else {
0e587be7 6627 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6628 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6629 res = L2CAP_CR_SEC_BLOCK;
6630 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6631 }
6632
6be36555
AE		 6633 release_sock(sk);
6634
fe4128e0
GP		 6635 rsp.scid = cpu_to_le16(chan->dcid);
6636 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6637 rsp.result = cpu_to_le16(res);
6638 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6639 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6640 sizeof(rsp), &rsp);
2d369359
MM		 6641
6642 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6643 res == L2CAP_CR_SUCCESS) {
6644 char buf[128];
6645 set_bit(CONF_REQ_SENT, &chan->conf_state);
6646 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6647 L2CAP_CONF_REQ,
6648 l2cap_build_conf_req(chan, buf),
6649 buf);
6650 chan->num_conf_req++;
6651 }
b1235d79 6652 }
1da177e4 6653
6be36555 6654 l2cap_chan_unlock(chan);
1da177e4
LT		 6655 }
6656
3df91ea2 6657 mutex_unlock(&conn->chan_lock);
b1235d79 6658
1da177e4
LT		 6659 return 0;
6660}
6661
686ebf28 6662int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6663{
6664 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6665 struct l2cap_hdr *hdr;
6666 int len;
1da177e4 6667
1d13a254
AE		 6668 /* For AMP controller do not create l2cap conn */
6669 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6670 goto drop;
1da177e4 6671
5a08ecce 6672 if (!conn)
baf43251 6673 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6674
6675 if (!conn)
1da177e4
LT		 6676 goto drop;
6677
6678 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6679
d73a0988
AE		 6680 switch (flags) {
6681 case ACL_START:
6682 case ACL_START_NO_FLUSH:
6683 case ACL_COMPLETE:
1da177e4
LT		 6684 if (conn->rx_len) {
6685 BT_ERR("Unexpected start frame (len %d)", skb->len);
6686 kfree_skb(conn->rx_skb);
6687 conn->rx_skb = NULL;
6688 conn->rx_len = 0;
6689 l2cap_conn_unreliable(conn, ECOMM);
6690 }
6691
aae7fe22
AE		 6692 /* Start fragment always begin with Basic L2CAP header */
6693 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6694 BT_ERR("Frame is too short (len %d)", skb->len);
6695 l2cap_conn_unreliable(conn, ECOMM);
6696 goto drop;
6697 }
6698
6699 hdr = (struct l2cap_hdr *) skb->data;
6700 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6701
6702 if (len == skb->len) {
6703 /* Complete frame received */
6704 l2cap_recv_frame(conn, skb);
6705 return 0;
6706 }
6707
6708 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6709
6710 if (skb->len > len) {
6711 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6712 skb->len, len);
1da177e4
LT		 6713 l2cap_conn_unreliable(conn, ECOMM);
6714 goto drop;
6715 }
6716
6717 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6718 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6719 if (!conn->rx_skb)
1da177e4
LT		 6720 goto drop;
6721
d626f62b 6722 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6723 skb->len);
1da177e4 6724 conn->rx_len = len - skb->len;
d73a0988
AE		 6725 break;
6726
6727 case ACL_CONT:
1da177e4
LT		 6728 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6729
6730 if (!conn->rx_len) {
6731 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6732 l2cap_conn_unreliable(conn, ECOMM);
6733 goto drop;
6734 }
6735
6736 if (skb->len > conn->rx_len) {
6737 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6738 skb->len, conn->rx_len);
1da177e4
LT		 6739 kfree_skb(conn->rx_skb);
6740 conn->rx_skb = NULL;
6741 conn->rx_len = 0;
6742 l2cap_conn_unreliable(conn, ECOMM);
6743 goto drop;
6744 }
6745
d626f62b 6746 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6747 skb->len);
1da177e4
LT		 6748 conn->rx_len -= skb->len;
6749
6750 if (!conn->rx_len) {
6751 /* Complete frame received */
6752 l2cap_recv_frame(conn, conn->rx_skb);
6753 conn->rx_skb = NULL;
6754 }
d73a0988 6755 break;
1da177e4
LT		 6756 }
6757
6758drop:
6759 kfree_skb(skb);
6760 return 0;
6761}
6762
aef7d97c 6763static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6764{
23691d75 6765 struct l2cap_chan *c;
1da177e4 6766
333055f2 6767 read_lock(&chan_list_lock);
1da177e4 6768
23691d75
GP		 6769 list_for_each_entry(c, &chan_list, global_l) {
6770 struct sock *sk = c->sk;
101545f6 6771
fcb73338
AE		 6772 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6773 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6774 c->state, __le16_to_cpu(c->psm),
6775 c->scid, c->dcid, c->imtu, c->omtu,
6776 c->sec_level, c->mode);
61e1b4b7 6777 }
1da177e4 6778
333055f2 6779 read_unlock(&chan_list_lock);
1da177e4 6780
aef7d97c 6781 return 0;
1da177e4
LT		 6782}
6783
aef7d97c
MH		 6784static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6785{
6786 return single_open(file, l2cap_debugfs_show, inode->i_private);
6787}
6788
6789static const struct file_operations l2cap_debugfs_fops = {
6790 .open = l2cap_debugfs_open,
6791 .read = seq_read,
6792 .llseek = seq_lseek,
6793 .release = single_release,
6794};
6795
6796static struct dentry *l2cap_debugfs;
1da177e4 6797
64274518 6798int __init l2cap_init(void)
1da177e4
LT		 6799{
6800 int err;
be9d1227 6801
bb58f747 6802 err = l2cap_init_sockets();
1da177e4
LT		 6803 if (err < 0)
6804 return err;
6805
aef7d97c 6806 if (bt_debugfs) {
2d792818
GP		 6807 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6808 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6809 if (!l2cap_debugfs)
6810 BT_ERR("Failed to create L2CAP debug file");
6811 }
1da177e4 6812
1da177e4 6813 return 0;
1da177e4
LT		 6814}
6815
64274518 6816void l2cap_exit(void)
1da177e4 6817{
aef7d97c 6818 debugfs_remove(l2cap_debugfs);
bb58f747 6819 l2cap_cleanup_sockets();
1da177e4
LT		 6820}
6821
d1c4a17d
GP		 6822module_param(disable_ertm, bool, 0644);
6823MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.644934 seconds and 5 git commands to generate.