projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove special ATT data channel handling
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff
GP		 212
213 chan->scid = scid;
214
333055f2 215 write_unlock(&chan_list_lock);
9e4425ff
GP		 216
217 return 0;
218}
219
baa7e1fa 220static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 221{
e77af755 222 u16 cid, dyn_end;
0139418c 223
e77af755
JH		 224 if (conn->hcon->type == LE_LINK)
225 dyn_end = L2CAP_CID_LE_DYN_END;
226 else
227 dyn_end = L2CAP_CID_DYN_END;
228
229 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 230 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 231 return cid;
232 }
233
234 return 0;
235}
236
f93fa273 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 238{
42d2d87c 239 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 240 state_to_string(state));
badaaa00 241
89bc500e 242 chan->state = state;
53f52121 243 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 244}
245
f8e73017
GP		 246static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
247 int state, int err)
2e0052e4 248{
f8e73017 249 chan->state = state;
53f52121 250 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 251}
252
253static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
254{
f8e73017 255 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 256}
257
4239d16f
MM		 258static void __set_retrans_timer(struct l2cap_chan *chan)
259{
260 if (!delayed_work_pending(&chan->monitor_timer) &&
261 chan->retrans_timeout) {
262 l2cap_set_timer(chan, &chan->retrans_timer,
263 msecs_to_jiffies(chan->retrans_timeout));
264 }
265}
266
267static void __set_monitor_timer(struct l2cap_chan *chan)
268{
269 __clear_retrans_timer(chan);
270 if (chan->monitor_timeout) {
271 l2cap_set_timer(chan, &chan->monitor_timer,
272 msecs_to_jiffies(chan->monitor_timeout));
273 }
274}
275
608bcc6d
MM		 276static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
277 u16 seq)
278{
279 struct sk_buff *skb;
280
281 skb_queue_walk(head, skb) {
282 if (bt_cb(skb)->control.txseq == seq)
283 return skb;
284 }
285
286 return NULL;
287}
288
3c588192
MM		 289/* ---- L2CAP sequence number lists ---- */
290
291/* For ERTM, ordered lists of sequence numbers must be tracked for
292 * SREJ requests that are received and for frames that are to be
293 * retransmitted. These seq_list functions implement a singly-linked
294 * list in an array, where membership in the list can also be checked
295 * in constant time. Items can also be added to the tail of the list
296 * and removed from the head in constant time, without further memory
297 * allocs or frees.
298 */
299
300static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
301{
302 size_t alloc_size, i;
303
304 /* Allocated size is a power of 2 to map sequence numbers
305 * (which may be up to 14 bits) in to a smaller array that is
306 * sized for the negotiated ERTM transmit windows.
307 */
308 alloc_size = roundup_pow_of_two(size);
309
310 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
311 if (!seq_list->list)
312 return -ENOMEM;
313
314 seq_list->mask = alloc_size - 1;
315 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
316 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
317 for (i = 0; i < alloc_size; i++)
318 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
319
320 return 0;
321}
322
323static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
324{
325 kfree(seq_list->list);
326}
327
328static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
329 u16 seq)
330{
331 /* Constant-time check for list membership */
332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
333}
334
03a0c5d6 335static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 336{
03a0c5d6 337 u16 seq = seq_list->head;
3c588192
MM		 338 u16 mask = seq_list->mask;
339
03a0c5d6
JH		 340 seq_list->head = seq_list->list[seq & mask];
341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
342
343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 346 }
3c588192 347
03a0c5d6 348 return seq;
3c588192
MM		 349}
350
351static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
352{
f522ae36 353 u16 i;
3c588192 354
f522ae36
GP		 355 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
356 return;
357
358 for (i = 0; i <= seq_list->mask; i++)
359 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
360
361 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
362 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 363}
364
365static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
366{
367 u16 mask = seq_list->mask;
368
369 /* All appends happen in constant time */
370
f522ae36
GP		 371 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
372 return;
3c588192 373
f522ae36
GP		 374 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
375 seq_list->head = seq;
376 else
377 seq_list->list[seq_list->tail & mask] = seq;
378
379 seq_list->tail = seq;
380 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 381}
382
721c4181 383static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 384{
721c4181 385 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 386 chan_timer.work);
3df91ea2 387 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 388 int reason;
389
e05dcc32 390 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 391
3df91ea2 392 mutex_lock(&conn->chan_lock);
6be36555 393 l2cap_chan_lock(chan);
ab07801d 394
89bc500e 395 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 396 reason = ECONNREFUSED;
89bc500e 397 else if (chan->state == BT_CONNECT &&
2d792818 398 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 399 reason = ECONNREFUSED;
400 else
401 reason = ETIMEDOUT;
402
0f852724 403 l2cap_chan_close(chan, reason);
ab07801d 404
6be36555 405 l2cap_chan_unlock(chan);
ab07801d 406
80b98027 407 chan->ops->close(chan);
3df91ea2
AE		 408 mutex_unlock(&conn->chan_lock);
409
371fd835 410 l2cap_chan_put(chan);
ab07801d
GP		 411}
412
eef1d9b6 413struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 414{
415 struct l2cap_chan *chan;
416
417 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
418 if (!chan)
419 return NULL;
420
c03b355e
AE		 421 mutex_init(&chan->lock);
422
333055f2 423 write_lock(&chan_list_lock);
23691d75 424 list_add(&chan->global_l, &chan_list);
333055f2 425 write_unlock(&chan_list_lock);
23691d75 426
721c4181 427 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 428
89bc500e
GP		 429 chan->state = BT_OPEN;
430
144ad330 431 kref_init(&chan->kref);
71ba0e56 432
2827011f
MM		 433 /* This flag is cleared in l2cap_chan_ready() */
434 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
435
eef1d9b6 436 BT_DBG("chan %p", chan);
abc545b8 437
48454079
GP		 438 return chan;
439}
6b8d4a6a 440EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 441
144ad330 442static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 443{
144ad330
SS		 444 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
445
4af66c69
JK		 446 BT_DBG("chan %p", chan);
447
333055f2 448 write_lock(&chan_list_lock);
23691d75 449 list_del(&chan->global_l);
333055f2 450 write_unlock(&chan_list_lock);
23691d75 451
4af66c69 452 kfree(chan);
6ff5abbf
GP		 453}
454
30648372
JK		 455void l2cap_chan_hold(struct l2cap_chan *c)
456{
144ad330 457 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 458
144ad330 459 kref_get(&c->kref);
30648372
JK		 460}
461
462void l2cap_chan_put(struct l2cap_chan *c)
463{
144ad330 464 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 465
144ad330 466 kref_put(&c->kref, l2cap_chan_destroy);
30648372 467}
6b8d4a6a 468EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 469
bd4b1653
AE		 470void l2cap_chan_set_defaults(struct l2cap_chan *chan)
471{
472 chan->fcs = L2CAP_FCS_CRC16;
473 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
474 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
475 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 476 chan->remote_max_tx = chan->max_tx;
477 chan->remote_tx_win = chan->tx_win;
c20f8e35 478 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 479 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 480 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
481 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
482 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
483 chan->conf_state = 0;
bd4b1653
AE		 484
485 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
486}
6b8d4a6a 487EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 488
0ce43ce6 489static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 490{
0ce43ce6
JH		 491 chan->sdu = NULL;
492 chan->sdu_last_frag = NULL;
493 chan->sdu_len = 0;
0cd75f7e 494 chan->tx_credits = 0;
f15b8ecf 495 chan->rx_credits = le_max_credits;
d1d79413 496 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 497
498 skb_queue_head_init(&chan->tx_q);
38319713
JH		 499}
500
93c3e8f5 501void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 502{
af05b30b 503 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 504 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 505
9f5a0d7b 506 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 507
8c1d787b 508 chan->conn = conn;
0139418c 509
5491120e
AE		 510 switch (chan->chan_type) {
511 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 512 /* Alloc CID for connection-oriented socket */
513 chan->scid = l2cap_alloc_cid(conn);
514 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 515 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
2338a7e0
JH		 525 case L2CAP_CHAN_FIXED:
526 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 527 break;
528
5491120e 529 default:
0139418c 530 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 531 chan->scid = L2CAP_CID_SIGNALING;
532 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 533 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 534 }
535
8f7975b1
AE		 536 chan->local_id = L2CAP_BESTEFFORT_ID;
537 chan->local_stype = L2CAP_SERV_BESTEFFORT;
538 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
539 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
540 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 541 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 542
371fd835 543 l2cap_chan_hold(chan);
baa7e1fa 544
5ee9891d
JH		 545 hci_conn_hold(conn->hcon);
546
3df91ea2 547 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 548}
549
466f8004 550void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 551{
552 mutex_lock(&conn->chan_lock);
553 __l2cap_chan_add(conn, chan);
3df91ea2 554 mutex_unlock(&conn->chan_lock);
0139418c
MH		 555}
556
466f8004 557void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 558{
8c1d787b 559 struct l2cap_conn *conn = chan->conn;
0139418c 560
c9b66675 561 __clear_chan_timer(chan);
0139418c 562
49208c9c 563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 564
8e87d142 565 if (conn) {
56f60984 566 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 567 /* Delete from channel list */
3df91ea2 568 list_del(&chan->list);
3d57dc68 569
371fd835 570 l2cap_chan_put(chan);
baa7e1fa 571
8c1d787b 572 chan->conn = NULL;
3cabbfda 573
2338a7e0 574 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 575 hci_conn_drop(conn->hcon);
56f60984
AE		 576
577 if (mgr && mgr->bredr_chan == chan)
578 mgr->bredr_chan = NULL;
0139418c
MH		 579 }
580
419e08c1
AE		 581 if (chan->hs_hchan) {
582 struct hci_chan *hs_hchan = chan->hs_hchan;
583
584 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
585 amp_disconnect_logical_link(hs_hchan);
586 }
587
b699ec0d 588 chan->ops->teardown(chan, err);
6be36555 589
2827011f 590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 591 return;
2ead70b8 592
ee556f66
GP		 593 switch(chan->mode) {
594 case L2CAP_MODE_BASIC:
595 break;
c13ffa62 596
38319713 597 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 598 skb_queue_purge(&chan->tx_q);
38319713
JH		 599 break;
600
ee556f66 601 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 602 __clear_retrans_timer(chan);
603 __clear_monitor_timer(chan);
604 __clear_ack_timer(chan);
c13ffa62 605
f1c6775b 606 skb_queue_purge(&chan->srej_q);
c13ffa62 607
3c588192
MM		 608 l2cap_seq_list_free(&chan->srej_list);
609 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 610
611 /* fall through */
612
613 case L2CAP_MODE_STREAMING:
614 skb_queue_purge(&chan->tx_q);
615 break;
c13ffa62 616 }
ee556f66
GP		 617
618 return;
0139418c 619}
6b8d4a6a 620EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 621
387a33e3
JH		 622void l2cap_conn_update_id_addr(struct hci_conn *hcon)
623{
624 struct l2cap_conn *conn = hcon->l2cap_data;
625 struct l2cap_chan *chan;
626
627 mutex_lock(&conn->chan_lock);
628
629 list_for_each_entry(chan, &conn->chan_l, list) {
630 l2cap_chan_lock(chan);
631 bacpy(&chan->dst, &hcon->dst);
632 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
633 l2cap_chan_unlock(chan);
634 }
635
636 mutex_unlock(&conn->chan_lock);
637}
638
27e2d4c8
JH		 639static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
640{
641 struct l2cap_conn *conn = chan->conn;
642 struct l2cap_le_conn_rsp rsp;
643 u16 result;
644
645 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
646 result = L2CAP_CR_AUTHORIZATION;
647 else
648 result = L2CAP_CR_BAD_PSM;
649
650 l2cap_state_change(chan, BT_DISCONN);
651
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 654 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 655 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 656 rsp.result = cpu_to_le16(result);
657
658 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
659 &rsp);
660}
661
791d60f7
JH		 662static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
663{
664 struct l2cap_conn *conn = chan->conn;
665 struct l2cap_conn_rsp rsp;
666 u16 result;
667
668 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
669 result = L2CAP_CR_SEC_BLOCK;
670 else
671 result = L2CAP_CR_BAD_PSM;
672
673 l2cap_state_change(chan, BT_DISCONN);
674
675 rsp.scid = cpu_to_le16(chan->dcid);
676 rsp.dcid = cpu_to_le16(chan->scid);
677 rsp.result = cpu_to_le16(result);
dcf4adbf 678 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 679
680 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
681}
682
0f852724 683void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 684{
685 struct l2cap_conn *conn = chan->conn;
4519de9a 686
7eafc59e 687 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 688
89bc500e 689 switch (chan->state) {
4519de9a 690 case BT_LISTEN:
b699ec0d 691 chan->ops->teardown(chan, 0);
4519de9a
GP		 692 break;
693
694 case BT_CONNECTED:
695 case BT_CONFIG:
7b25c9b3 696 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 697 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 698 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 699 } else
700 l2cap_chan_del(chan, reason);
701 break;
702
703 case BT_CONNECT2:
791d60f7
JH		 704 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
705 if (conn->hcon->type == ACL_LINK)
706 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 707 else if (conn->hcon->type == LE_LINK)
708 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 709 }
710
711 l2cap_chan_del(chan, reason);
712 break;
713
714 case BT_CONNECT:
715 case BT_DISCONN:
716 l2cap_chan_del(chan, reason);
717 break;
718
719 default:
b699ec0d 720 chan->ops->teardown(chan, 0);
4519de9a
GP		 721 break;
722 }
723}
6b8d4a6a 724EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 725
4343478f 726static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 727{
6a974b50
MH		 728 switch (chan->chan_type) {
729 case L2CAP_CHAN_RAW:
4343478f 730 switch (chan->sec_level) {
8556edd3 731 case BT_SECURITY_HIGH:
7d513e92 732 case BT_SECURITY_FIPS:
8556edd3
JH		 733 return HCI_AT_DEDICATED_BONDING_MITM;
734 case BT_SECURITY_MEDIUM:
735 return HCI_AT_DEDICATED_BONDING;
736 default:
737 return HCI_AT_NO_BONDING;
738 }
6a974b50 739 break;
3124b843 740 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 741 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 742 if (chan->sec_level == BT_SECURITY_LOW)
743 chan->sec_level = BT_SECURITY_SDP;
744 }
7d513e92
MH		 745 if (chan->sec_level == BT_SECURITY_HIGH ||
746 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 747 return HCI_AT_NO_BONDING_MITM;
748 else
749 return HCI_AT_NO_BONDING;
750 break;
6a974b50 751 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 752 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 753 if (chan->sec_level == BT_SECURITY_LOW)
754 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 755
7d513e92
MH		 756 if (chan->sec_level == BT_SECURITY_HIGH ||
757 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 758 return HCI_AT_NO_BONDING_MITM;
759 else
760 return HCI_AT_NO_BONDING;
761 }
762 /* fall through */
763 default:
4343478f 764 switch (chan->sec_level) {
00ae4af9 765 case BT_SECURITY_HIGH:
7d513e92 766 case BT_SECURITY_FIPS:
8556edd3 767 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 768 case BT_SECURITY_MEDIUM:
8556edd3 769 return HCI_AT_GENERAL_BONDING;
00ae4af9 770 default:
8556edd3 771 return HCI_AT_NO_BONDING;
00ae4af9 772 }
6a974b50 773 break;
0684e5f9 774 }
8556edd3
JH		 775}
776
777/* Service level security */
e7cafc45 778int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 779{
8c1d787b 780 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 781 __u8 auth_type;
782
a17de2fe
JH		 783 if (conn->hcon->type == LE_LINK)
784 return smp_conn_security(conn->hcon, chan->sec_level);
785
4343478f 786 auth_type = l2cap_get_auth_type(chan);
79d554a6 787
e7cafc45
JH		 788 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
789 initiator);
79d554a6
MH		 790}
791
b5ad8b7f 792static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 793{
794 u8 id;
795
796 /* Get next available identificator.
797 * 1 - 128 are used by kernel.
798 * 129 - 199 are reserved.
799 * 200 - 254 are used by utilities like l2ping, etc.
800 */
801
5a54e7c8 802 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 803
804 if (++conn->tx_ident > 128)
805 conn->tx_ident = 1;
806
807 id = conn->tx_ident;
808
5a54e7c8 809 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 810
811 return id;
812}
813
2d792818
GP		 814static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
815 void *data)
4e8402a3
MH		 816{
817 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 818 u8 flags;
4e8402a3
MH		 819
820 BT_DBG("code 0x%2.2x", code);
821
822 if (!skb)
9a9c6a34 823 return;
4e8402a3 824
e702112f
AE		 825 if (lmp_no_flush_capable(conn->hcon->hdev))
826 flags = ACL_START_NO_FLUSH;
827 else
828 flags = ACL_START;
829
14b12d0b 830 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 831 skb->priority = HCI_PRIO_MAX;
14b12d0b 832
73d80deb
LAD		 833 hci_send_acl(conn->hchan, skb, flags);
834}
835
02b0fbb9
MM		 836static bool __chan_is_moving(struct l2cap_chan *chan)
837{
838 return chan->move_state != L2CAP_MOVE_STABLE &&
839 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
840}
841
73d80deb
LAD		 842static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
843{
844 struct hci_conn *hcon = chan->conn->hcon;
845 u16 flags;
846
847 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 848 skb->priority);
73d80deb 849
d5f8a75d
MM		 850 if (chan->hs_hcon && !__chan_is_moving(chan)) {
851 if (chan->hs_hchan)
852 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
853 else
854 kfree_skb(skb);
855
856 return;
857 }
858
73d80deb 859 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 860 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 861 flags = ACL_START_NO_FLUSH;
862 else
863 flags = ACL_START;
14b12d0b 864
73d80deb
LAD		 865 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
866 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 867}
868
b76bbd66
MM		 869static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
870{
871 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
872 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
873
874 if (enh & L2CAP_CTRL_FRAME_TYPE) {
875 /* S-Frame */
876 control->sframe = 1;
877 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
878 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
879
880 control->sar = 0;
881 control->txseq = 0;
882 } else {
883 /* I-Frame */
884 control->sframe = 0;
885 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
886 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
887
888 control->poll = 0;
889 control->super = 0;
890 }
891}
892
b76bbd66
MM		 893static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
894{
895 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
896 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
897
898 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
899 /* S-Frame */
900 control->sframe = 1;
901 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
902 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
903
904 control->sar = 0;
905 control->txseq = 0;
906 } else {
907 /* I-Frame */
908 control->sframe = 0;
909 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
910 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
911
912 control->poll = 0;
913 control->super = 0;
914 }
915}
916
917static inline void __unpack_control(struct l2cap_chan *chan,
918 struct sk_buff *skb)
919{
920 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
921 __unpack_extended_control(get_unaligned_le32(skb->data),
922 &bt_cb(skb)->control);
cec8ab6e 923 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 924 } else {
925 __unpack_enhanced_control(get_unaligned_le16(skb->data),
926 &bt_cb(skb)->control);
cec8ab6e 927 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 928 }
929}
930
b5c6aaed
MM		 931static u32 __pack_extended_control(struct l2cap_ctrl *control)
932{
933 u32 packed;
934
935 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
936 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
937
938 if (control->sframe) {
939 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
940 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
941 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
942 } else {
943 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
944 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
945 }
946
947 return packed;
948}
949
950static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
951{
952 u16 packed;
953
954 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
955 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
956
957 if (control->sframe) {
958 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
959 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
960 packed |= L2CAP_CTRL_FRAME_TYPE;
961 } else {
962 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
963 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
964 }
965
966 return packed;
967}
968
b76bbd66
MM		 969static inline void __pack_control(struct l2cap_chan *chan,
970 struct l2cap_ctrl *control,
971 struct sk_buff *skb)
972{
973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
974 put_unaligned_le32(__pack_extended_control(control),
975 skb->data + L2CAP_HDR_SIZE);
976 } else {
977 put_unaligned_le16(__pack_enhanced_control(control),
978 skb->data + L2CAP_HDR_SIZE);
979 }
980}
981
ba7aa64f
GP		 982static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
983{
984 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
985 return L2CAP_EXT_HDR_SIZE;
986 else
987 return L2CAP_ENH_HDR_SIZE;
988}
989
a67d7f6f
MM		 990static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
991 u32 control)
b5c6aaed
MM		 992{
993 struct sk_buff *skb;
994 struct l2cap_hdr *lh;
ba7aa64f 995 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 996
997 if (chan->fcs == L2CAP_FCS_CRC16)
998 hlen += L2CAP_FCS_SIZE;
999
a67d7f6f 1000 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1001
b5c6aaed 1002 if (!skb)
a67d7f6f 1003 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1004
1005 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1006 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1007 lh->cid = cpu_to_le16(chan->dcid);
1008
a67d7f6f
MM		 1009 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1010 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1011 else
1012 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1013
1014 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1015 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1016 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1017 }
1018
1019 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1020 return skb;
1021}
1022
1023static void l2cap_send_sframe(struct l2cap_chan *chan,
1024 struct l2cap_ctrl *control)
1025{
1026 struct sk_buff *skb;
1027 u32 control_field;
1028
1029 BT_DBG("chan %p, control %p", chan, control);
1030
1031 if (!control->sframe)
1032 return;
1033
b99e13ad
MM		 1034 if (__chan_is_moving(chan))
1035 return;
1036
a67d7f6f
MM		 1037 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1038 !control->poll)
1039 control->final = 1;
1040
1041 if (control->super == L2CAP_SUPER_RR)
1042 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1043 else if (control->super == L2CAP_SUPER_RNR)
1044 set_bit(CONN_RNR_SENT, &chan->conn_state);
1045
1046 if (control->super != L2CAP_SUPER_SREJ) {
1047 chan->last_acked_seq = control->reqseq;
1048 __clear_ack_timer(chan);
1049 }
1050
1051 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1052 control->final, control->poll, control->super);
1053
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 control_field = __pack_extended_control(control);
1056 else
1057 control_field = __pack_enhanced_control(control);
1058
1059 skb = l2cap_create_sframe_pdu(chan, control_field);
1060 if (!IS_ERR(skb))
1061 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1062}
1063
c9e3d5e0 1064static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1065{
c9e3d5e0
MM		 1066 struct l2cap_ctrl control;
1067
1068 BT_DBG("chan %p, poll %d", chan, poll);
1069
1070 memset(&control, 0, sizeof(control));
1071 control.sframe = 1;
1072 control.poll = poll;
1073
1074 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1075 control.super = L2CAP_SUPER_RNR;
1076 else
1077 control.super = L2CAP_SUPER_RR;
b5c6aaed 1078
c9e3d5e0
MM		 1079 control.reqseq = chan->buffer_seq;
1080 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1081}
1082
b4450035 1083static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1084{
5ff6f34d
JH		 1085 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1086 return true;
1087
c1360a1c 1088 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1089}
1090
1df7b17a 1091static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1092{
1df7b17a 1093 struct l2cap_conn *conn = chan->conn;
80d58d0b 1094 struct hci_dev *hdev;
1df7b17a
MH		 1095 bool amp_available = false;
1096
1097 if (!conn->hs_enabled)
1098 return false;
1099
1100 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1101 return false;
80d58d0b
MH		 1102
1103 read_lock(&hci_dev_list_lock);
1df7b17a 1104 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1105 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1106 test_bit(HCI_UP, &hdev->flags)) {
1107 amp_available = true;
1108 break;
1109 }
1110 }
80d58d0b
MH		 1111 read_unlock(&hci_dev_list_lock);
1112
1df7b17a
MH		 1113 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1114 return amp_available;
848566b3
MH		 1115
1116 return false;
93c3e8f5
AE		 1117}
1118
5ce66b59
AE		 1119static bool l2cap_check_efs(struct l2cap_chan *chan)
1120{
1121 /* Check EFS parameters */
1122 return true;
1123}
1124
2766be48 1125void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1126{
1127 struct l2cap_conn *conn = chan->conn;
1128 struct l2cap_conn_req req;
1129
1130 req.scid = cpu_to_le16(chan->scid);
1131 req.psm = chan->psm;
1132
1133 chan->ident = l2cap_get_ident(conn);
1134
1135 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136
1137 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1138}
1139
8eb200bd
MM		 1140static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1141{
1142 struct l2cap_create_chan_req req;
1143 req.scid = cpu_to_le16(chan->scid);
1144 req.psm = chan->psm;
1145 req.amp_id = amp_id;
1146
1147 chan->ident = l2cap_get_ident(chan->conn);
1148
1149 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1150 sizeof(req), &req);
1151}
1152
02b0fbb9
MM		 1153static void l2cap_move_setup(struct l2cap_chan *chan)
1154{
1155 struct sk_buff *skb;
1156
1157 BT_DBG("chan %p", chan);
1158
1159 if (chan->mode != L2CAP_MODE_ERTM)
1160 return;
1161
1162 __clear_retrans_timer(chan);
1163 __clear_monitor_timer(chan);
1164 __clear_ack_timer(chan);
1165
1166 chan->retry_count = 0;
1167 skb_queue_walk(&chan->tx_q, skb) {
1168 if (bt_cb(skb)->control.retries)
1169 bt_cb(skb)->control.retries = 1;
1170 else
1171 break;
1172 }
1173
1174 chan->expected_tx_seq = chan->buffer_seq;
1175
1176 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1177 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1178 l2cap_seq_list_clear(&chan->retrans_list);
1179 l2cap_seq_list_clear(&chan->srej_list);
1180 skb_queue_purge(&chan->srej_q);
1181
1182 chan->tx_state = L2CAP_TX_STATE_XMIT;
1183 chan->rx_state = L2CAP_RX_STATE_MOVE;
1184
1185 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1186}
1187
5f3847a4
MM		 1188static void l2cap_move_done(struct l2cap_chan *chan)
1189{
1190 u8 move_role = chan->move_role;
1191 BT_DBG("chan %p", chan);
1192
1193 chan->move_state = L2CAP_MOVE_STABLE;
1194 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1195
1196 if (chan->mode != L2CAP_MODE_ERTM)
1197 return;
1198
1199 switch (move_role) {
1200 case L2CAP_MOVE_ROLE_INITIATOR:
1201 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1202 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1203 break;
1204 case L2CAP_MOVE_ROLE_RESPONDER:
1205 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1206 break;
1207 }
1208}
1209
9f0caeb1
VCG		 1210static void l2cap_chan_ready(struct l2cap_chan *chan)
1211{
2827011f 1212 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1213 chan->conf_state = 0;
1214 __clear_chan_timer(chan);
1215
0ce43ce6
JH		 1216 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1217 chan->ops->suspend(chan);
177f8f2b 1218
54a59aa2 1219 chan->state = BT_CONNECTED;
9f0caeb1 1220
fd83e2c2 1221 chan->ops->ready(chan);
9f0caeb1
VCG		 1222}
1223
f1496dee
JH		 1224static void l2cap_le_connect(struct l2cap_chan *chan)
1225{
1226 struct l2cap_conn *conn = chan->conn;
1227 struct l2cap_le_conn_req req;
1228
595177f3
JH		 1229 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1230 return;
1231
f1496dee
JH		 1232 req.psm = chan->psm;
1233 req.scid = cpu_to_le16(chan->scid);
1234 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1235 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1236 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1237
1238 chan->ident = l2cap_get_ident(conn);
1239
1240 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1241 sizeof(req), &req);
1242}
1243
1244static void l2cap_le_start(struct l2cap_chan *chan)
1245{
1246 struct l2cap_conn *conn = chan->conn;
1247
1248 if (!smp_conn_security(conn->hcon, chan->sec_level))
1249 return;
1250
1251 if (!chan->psm) {
1252 l2cap_chan_ready(chan);
1253 return;
1254 }
1255
1256 if (chan->state == BT_CONNECT)
1257 l2cap_le_connect(chan);
1258}
1259
93c3e8f5
AE		 1260static void l2cap_start_connection(struct l2cap_chan *chan)
1261{
1262 if (__amp_capable(chan)) {
1263 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1264 a2mp_discover_amp(chan);
f1496dee
JH		 1265 } else if (chan->conn->hcon->type == LE_LINK) {
1266 l2cap_le_start(chan);
93c3e8f5
AE		 1267 } else {
1268 l2cap_send_conn_req(chan);
1269 }
1270}
1271
fc7f8a7e 1272static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1273{
8c1d787b 1274 struct l2cap_conn *conn = chan->conn;
79d554a6 1275
9f0caeb1 1276 if (conn->hcon->type == LE_LINK) {
96ac34fb 1277 l2cap_le_start(chan);
9f0caeb1
VCG		 1278 return;
1279 }
1280
79d554a6 1281 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1282 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1283 return;
1284
e7cafc45 1285 if (l2cap_chan_check_security(chan, true) &&
2d792818 1286 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1287 l2cap_start_connection(chan);
1288 }
79d554a6
MH		 1289 } else {
1290 struct l2cap_info_req req;
dcf4adbf 1291 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1292
1293 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1294 conn->info_ident = l2cap_get_ident(conn);
1295
ba13ccd9 1296 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1297
2d792818
GP		 1298 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1299 sizeof(req), &req);
79d554a6
MH		 1300 }
1301}
1302
cf6c2c0b
GP		 1303static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1304{
1305 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1306 if (!disable_ertm)
cf6c2c0b
GP		 1307 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1308
1309 switch (mode) {
1310 case L2CAP_MODE_ERTM:
1311 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1312 case L2CAP_MODE_STREAMING:
1313 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1314 default:
1315 return 0x00;
1316 }
1317}
1318
5e4e3972 1319static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1320{
5e4e3972 1321 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1322 struct l2cap_disconn_req req;
1323
c13ffa62
GP		 1324 if (!conn)
1325 return;
1326
aad3d0e3 1327 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1328 __clear_retrans_timer(chan);
1329 __clear_monitor_timer(chan);
1330 __clear_ack_timer(chan);
c13ffa62
GP		 1331 }
1332
2338a7e0 1333 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1334 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1335 return;
1336 }
1337
fe4128e0
GP		 1338 req.dcid = cpu_to_le16(chan->dcid);
1339 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1340 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1341 sizeof(req), &req);
c13ffa62 1342
f8e73017 1343 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1344}
1345
1da177e4 1346/* ---- L2CAP connections ---- */
4e8402a3
MH		 1347static void l2cap_conn_start(struct l2cap_conn *conn)
1348{
3df91ea2 1349 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1350
1351 BT_DBG("conn %p", conn);
1352
3df91ea2 1353 mutex_lock(&conn->chan_lock);
4e8402a3 1354
3df91ea2 1355 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1356 l2cap_chan_lock(chan);
4e8402a3 1357
715ec005 1358 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1359 l2cap_chan_unlock(chan);
79d554a6
MH		 1360 continue;
1361 }
1362
89bc500e 1363 if (chan->state == BT_CONNECT) {
e7cafc45 1364 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1365 !__l2cap_no_conn_pending(chan)) {
6be36555 1366 l2cap_chan_unlock(chan);
47731de7
GP		 1367 continue;
1368 }
79d554a6 1369
c1360a1c 1370 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1371 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1372 &chan->conf_state)) {
89bc500e 1373 l2cap_chan_close(chan, ECONNRESET);
6be36555 1374 l2cap_chan_unlock(chan);
47731de7 1375 continue;
b1235d79 1376 }
47731de7 1377
93c3e8f5 1378 l2cap_start_connection(chan);
47731de7 1379
89bc500e 1380 } else if (chan->state == BT_CONNECT2) {
79d554a6 1381 struct l2cap_conn_rsp rsp;
e9aeb2dd 1382 char buf[128];
fe4128e0
GP		 1383 rsp.scid = cpu_to_le16(chan->dcid);
1384 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1385
e7cafc45 1386 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1387 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1388 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1389 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1390 chan->ops->defer(chan);
f66dc81f
MH		 1391
1392 } else {
acdcabf5 1393 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1394 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1395 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1396 }
79d554a6 1397 } else {
dcf4adbf
JP		 1398 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1399 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1400 }
1401
fc7f8a7e 1402 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1403 sizeof(rsp), &rsp);
e9aeb2dd 1404
c1360a1c 1405 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1406 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1407 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1408 continue;
1409 }
1410
c1360a1c 1411 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1412 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1413 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1414 chan->num_conf_req++;
4e8402a3
MH		 1415 }
1416
6be36555 1417 l2cap_chan_unlock(chan);
4e8402a3
MH		 1418 }
1419
3df91ea2 1420 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1421}
1422
b62f328b
VT		 1423static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1424{
cc8dba2b 1425 struct hci_conn *hcon = conn->hcon;
dcc36c16 1426 struct hci_dev *hdev = hcon->hdev;
b62f328b 1427
e760ec12 1428 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1429
e760ec12
JH		 1430 /* For outgoing pairing which doesn't necessarily have an
1431 * associated socket (e.g. mgmt_pair_device).
1432 */
1433 if (hcon->out)
1434 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1435
80afeb6c
MH		 1436 /* For LE slave connections, make sure the connection interval
1437 * is in the range of the minium and maximum interval that has
1438 * been configured for this connection. If not, then trigger
1439 * the connection update procedure.
1440 */
40bef302 1441 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1442 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1443 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1444 struct l2cap_conn_param_update_req req;
1445
1446 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1447 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1448 req.latency = cpu_to_le16(hcon->le_conn_latency);
1449 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1450
1451 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1452 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1453 }
b62f328b
VT		 1454}
1455
4e8402a3
MH		 1456static void l2cap_conn_ready(struct l2cap_conn *conn)
1457{
48454079 1458 struct l2cap_chan *chan;
cc110922 1459 struct hci_conn *hcon = conn->hcon;
4e8402a3 1460
79d554a6 1461 BT_DBG("conn %p", conn);
4e8402a3 1462
44f3b0fb
JH		 1463 if (hcon->type == LE_LINK)
1464 l2cap_le_conn_ready(conn);
1465
e760ec12
JH		 1466 mutex_lock(&conn->chan_lock);
1467
3df91ea2 1468 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1469
6be36555 1470 l2cap_chan_lock(chan);
4e8402a3 1471
2338a7e0 1472 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1473 l2cap_chan_unlock(chan);
1474 continue;
1475 }
1476
cc110922 1477 if (hcon->type == LE_LINK) {
f1496dee 1478 l2cap_le_start(chan);
63128451 1479 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1480 l2cap_chan_ready(chan);
b501d6a1 1481
1c244f79 1482 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1483 l2cap_do_start(chan);
1c244f79 1484 }
4e8402a3 1485
6be36555 1486 l2cap_chan_unlock(chan);
4e8402a3 1487 }
79d554a6 1488
3df91ea2 1489 mutex_unlock(&conn->chan_lock);
61a939c6
JH		 1490
1491 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1492}
1493
1494/* Notify sockets that we cannot guaranty reliability anymore */
1495static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1496{
48454079 1497 struct l2cap_chan *chan;
4e8402a3
MH		 1498
1499 BT_DBG("conn %p", conn);
1500
3df91ea2 1501 mutex_lock(&conn->chan_lock);
4e8402a3 1502
3df91ea2 1503 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1504 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1505 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1506 }
1507
3df91ea2 1508 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1509}
1510
f878fcad 1511static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1512{
f878fcad 1513 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1514 info_timer.work);
4e8402a3 1515
984947dc 1516 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1517 conn->info_ident = 0;
984947dc 1518
4e8402a3
MH		 1519 l2cap_conn_start(conn);
1520}
1521
2c8e1411
DH		 1522/*
1523 * l2cap_user
1524 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1525 * callback is called during registration. The ->remove callback is called
1526 * during unregistration.
1527 * An l2cap_user object can either be explicitly unregistered or when the
1528 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1529 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1530 * External modules must own a reference to the l2cap_conn object if they intend
1531 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1532 * any time if they don't.
1533 */
1534
1535int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1536{
1537 struct hci_dev *hdev = conn->hcon->hdev;
1538 int ret;
1539
1540 /* We need to check whether l2cap_conn is registered. If it is not, we
1541 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1542 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1543 * relies on the parent hci_conn object to be locked. This itself relies
1544 * on the hci_dev object to be locked. So we must lock the hci device
1545 * here, too. */
1546
1547 hci_dev_lock(hdev);
1548
1549 if (user->list.next || user->list.prev) {
1550 ret = -EINVAL;
1551 goto out_unlock;
1552 }
1553
1554 /* conn->hchan is NULL after l2cap_conn_del() was called */
1555 if (!conn->hchan) {
1556 ret = -ENODEV;
1557 goto out_unlock;
1558 }
1559
1560 ret = user->probe(conn, user);
1561 if (ret)
1562 goto out_unlock;
1563
1564 list_add(&user->list, &conn->users);
1565 ret = 0;
1566
1567out_unlock:
1568 hci_dev_unlock(hdev);
1569 return ret;
1570}
1571EXPORT_SYMBOL(l2cap_register_user);
1572
1573void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1574{
1575 struct hci_dev *hdev = conn->hcon->hdev;
1576
1577 hci_dev_lock(hdev);
1578
1579 if (!user->list.next || !user->list.prev)
1580 goto out_unlock;
1581
1582 list_del(&user->list);
1583 user->list.next = NULL;
1584 user->list.prev = NULL;
1585 user->remove(conn, user);
1586
1587out_unlock:
1588 hci_dev_unlock(hdev);
1589}
1590EXPORT_SYMBOL(l2cap_unregister_user);
1591
1592static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1593{
1594 struct l2cap_user *user;
1595
1596 while (!list_empty(&conn->users)) {
1597 user = list_first_entry(&conn->users, struct l2cap_user, list);
1598 list_del(&user->list);
1599 user->list.next = NULL;
1600 user->list.prev = NULL;
1601 user->remove(conn, user);
1602 }
1603}
1604
5d3de7df
VCG		 1605static void l2cap_conn_del(struct hci_conn *hcon, int err)
1606{
1607 struct l2cap_conn *conn = hcon->l2cap_data;
1608 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1609
1610 if (!conn)
1611 return;
1612
1613 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1614
1615 kfree_skb(conn->rx_skb);
1616
61a939c6 1617 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1618
1619 /* We can not call flush_work(&conn->pending_rx_work) here since we
1620 * might block if we are running on a worker from the same workqueue
1621 * pending_rx_work is waiting on.
1622 */
1623 if (work_pending(&conn->pending_rx_work))
1624 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1625
2c8e1411
DH		 1626 l2cap_unregister_all_users(conn);
1627
3df91ea2
AE		 1628 mutex_lock(&conn->chan_lock);
1629
5d3de7df
VCG		 1630 /* Kill channels */
1631 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1632 l2cap_chan_hold(chan);
6be36555
AE		 1633 l2cap_chan_lock(chan);
1634
5d3de7df 1635 l2cap_chan_del(chan, err);
6be36555
AE		 1636
1637 l2cap_chan_unlock(chan);
1638
80b98027 1639 chan->ops->close(chan);
61d6ef3e 1640 l2cap_chan_put(chan);
5d3de7df
VCG		 1641 }
1642
3df91ea2
AE		 1643 mutex_unlock(&conn->chan_lock);
1644
73d80deb
LAD		 1645 hci_chan_del(conn->hchan);
1646
5d3de7df 1647 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1648 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1649
51a8efd7 1650 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1651 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1652 smp_chan_destroy(conn);
d26a2345 1653 }
5d3de7df
VCG		 1654
1655 hcon->l2cap_data = NULL;
9c903e37
DH		 1656 conn->hchan = NULL;
1657 l2cap_conn_put(conn);
5d3de7df
VCG		 1658}
1659
6c9d42a1 1660static void security_timeout(struct work_struct *work)
5d3de7df 1661{
6c9d42a1 1662 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1663 security_timer.work);
5d3de7df 1664
d06cc416
JH		 1665 BT_DBG("conn %p", conn);
1666
1667 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1668 smp_chan_destroy(conn);
1669 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1670 }
5d3de7df
VCG		 1671}
1672
9c903e37
DH		 1673static void l2cap_conn_free(struct kref *ref)
1674{
1675 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1676
1677 hci_conn_put(conn->hcon);
1678 kfree(conn);
1679}
1680
1681void l2cap_conn_get(struct l2cap_conn *conn)
1682{
1683 kref_get(&conn->ref);
1684}
1685EXPORT_SYMBOL(l2cap_conn_get);
1686
1687void l2cap_conn_put(struct l2cap_conn *conn)
1688{
1689 kref_put(&conn->ref, l2cap_conn_free);
1690}
1691EXPORT_SYMBOL(l2cap_conn_put);
1692
1da177e4 1693/* ---- Socket interface ---- */
1da177e4 1694
c2287681 1695/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1696 * Returns closest match.
1697 */
c2287681
IY		 1698static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1699 bdaddr_t *src,
bf20fd4e
JH		 1700 bdaddr_t *dst,
1701 u8 link_type)
1da177e4 1702{
23691d75 1703 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1704
23691d75 1705 read_lock(&chan_list_lock);
e0f0cb56 1706
23691d75 1707 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1708 if (state && c->state != state)
1da177e4
LT		 1709 continue;
1710
bf20fd4e
JH		 1711 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1712 continue;
1713
1714 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1715 continue;
1716
23691d75 1717 if (c->psm == psm) {
c2287681
IY		 1718 int src_match, dst_match;
1719 int src_any, dst_any;
1720
1da177e4 1721 /* Exact match. */
7eafc59e
MH		 1722 src_match = !bacmp(&c->src, src);
1723 dst_match = !bacmp(&c->dst, dst);
c2287681 1724 if (src_match && dst_match) {
a24cce14 1725 l2cap_chan_hold(c);
a7567b20 1726 read_unlock(&chan_list_lock);
23691d75
GP		 1727 return c;
1728 }
1da177e4
LT		 1729
1730 /* Closest match */
7eafc59e
MH		 1731 src_any = !bacmp(&c->src, BDADDR_ANY);
1732 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1733 if ((src_match && dst_any) || (src_any && dst_match) ||
1734 (src_any && dst_any))
23691d75 1735 c1 = c;
1da177e4
LT		 1736 }
1737 }
1da177e4 1738
a24cce14
JH		 1739 if (c1)
1740 l2cap_chan_hold(c1);
1741
23691d75 1742 read_unlock(&chan_list_lock);
e0f0cb56 1743
23691d75 1744 return c1;
1da177e4
LT		 1745}
1746
721c4181 1747static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1748{
721c4181 1749 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1750 monitor_timer.work);
e90bac06 1751
525cd185 1752 BT_DBG("chan %p", chan);
0e98958d 1753
6be36555
AE		 1754 l2cap_chan_lock(chan);
1755
80909e04 1756 if (!chan->conn) {
6be36555 1757 l2cap_chan_unlock(chan);
8d7e1c7f 1758 l2cap_chan_put(chan);
e90bac06
GP		 1759 return;
1760 }
1761
401bb1f7 1762 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1763
6be36555 1764 l2cap_chan_unlock(chan);
8d7e1c7f 1765 l2cap_chan_put(chan);
e90bac06
GP		 1766}
1767
721c4181 1768static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1769{
721c4181 1770 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1771 retrans_timer.work);
e90bac06 1772
49208c9c 1773 BT_DBG("chan %p", chan);
0e98958d 1774
6be36555
AE		 1775 l2cap_chan_lock(chan);
1776
80909e04
MM		 1777 if (!chan->conn) {
1778 l2cap_chan_unlock(chan);
1779 l2cap_chan_put(chan);
1780 return;
1781 }
6be36555 1782
401bb1f7 1783 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1784 l2cap_chan_unlock(chan);
8d7e1c7f 1785 l2cap_chan_put(chan);
e90bac06
GP		 1786}
1787
d660366d
GP		 1788static void l2cap_streaming_send(struct l2cap_chan *chan,
1789 struct sk_buff_head *skbs)
6840ed07 1790{
ccbb84af 1791 struct sk_buff *skb;
3733937d 1792 struct l2cap_ctrl *control;
6840ed07 1793
3733937d
MM		 1794 BT_DBG("chan %p, skbs %p", chan, skbs);
1795
b99e13ad
MM		 1796 if (__chan_is_moving(chan))
1797 return;
1798
3733937d
MM		 1799 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1800
1801 while (!skb_queue_empty(&chan->tx_q)) {
1802
1803 skb = skb_dequeue(&chan->tx_q);
1804
1805 bt_cb(skb)->control.retries = 1;
1806 control = &bt_cb(skb)->control;
1807
1808 control->reqseq = 0;
1809 control->txseq = chan->next_tx_seq;
1810
1811 __pack_control(chan, control, skb);
6840ed07 1812
47d1ec61 1813 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1814 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1815 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1816 }
1817
4343478f 1818 l2cap_do_send(chan, skb);
6840ed07 1819
b4400672 1820 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1821
836be934 1822 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1823 chan->frames_sent++;
6840ed07 1824 }
6840ed07
GP		 1825}
1826
67c9e840 1827static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1828{
1829 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1830 struct l2cap_ctrl *control;
1831 int sent = 0;
1832
1833 BT_DBG("chan %p", chan);
1c2acffb 1834
89bc500e 1835 if (chan->state != BT_CONNECTED)
c13ffa62 1836 return -ENOTCONN;
e90bac06 1837
94122bbe
MM		 1838 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1839 return 0;
1840
b99e13ad
MM		 1841 if (__chan_is_moving(chan))
1842 return 0;
1843
18a48e76
MM		 1844 while (chan->tx_send_head &&
1845 chan->unacked_frames < chan->remote_tx_win &&
1846 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1847
18a48e76 1848 skb = chan->tx_send_head;
e90bac06 1849
18a48e76
MM		 1850 bt_cb(skb)->control.retries = 1;
1851 control = &bt_cb(skb)->control;
95ffa978 1852
e2ab4353 1853 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1854 control->final = 1;
e2ab4353 1855
18a48e76
MM		 1856 control->reqseq = chan->buffer_seq;
1857 chan->last_acked_seq = chan->buffer_seq;
1858 control->txseq = chan->next_tx_seq;
1c2acffb 1859
18a48e76 1860 __pack_control(chan, control, skb);
e90bac06 1861
47d1ec61 1862 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1863 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1864 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1865 }
1866
18a48e76
MM		 1867 /* Clone after data has been modified. Data is assumed to be
1868 read-only (for locking purposes) on cloned sk_buffs.
1869 */
1870 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1871
18a48e76
MM		 1872 if (!tx_skb)
1873 break;
1c2acffb 1874
18a48e76 1875 __set_retrans_timer(chan);
836be934
AE		 1876
1877 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1878 chan->unacked_frames++;
6a026610 1879 chan->frames_sent++;
18a48e76 1880 sent++;
1c2acffb 1881
58d35f87
GP		 1882 if (skb_queue_is_last(&chan->tx_q, skb))
1883 chan->tx_send_head = NULL;
1c2acffb 1884 else
58d35f87 1885 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1886
1887 l2cap_do_send(chan, tx_skb);
b4400672 1888 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1889 }
1890
b4400672
AE		 1891 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1892 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1893
1894 return sent;
9e917af1
GP		 1895}
1896
e1fbd4c1
MM		 1897static void l2cap_ertm_resend(struct l2cap_chan *chan)
1898{
1899 struct l2cap_ctrl control;
1900 struct sk_buff *skb;
1901 struct sk_buff *tx_skb;
1902 u16 seq;
1903
1904 BT_DBG("chan %p", chan);
1905
1906 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1907 return;
1908
b99e13ad
MM		 1909 if (__chan_is_moving(chan))
1910 return;
1911
e1fbd4c1
MM		 1912 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1913 seq = l2cap_seq_list_pop(&chan->retrans_list);
1914
1915 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1916 if (!skb) {
1917 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1918 seq);
e1fbd4c1
MM		 1919 continue;
1920 }
1921
1922 bt_cb(skb)->control.retries++;
1923 control = bt_cb(skb)->control;
1924
1925 if (chan->max_tx != 0 &&
1926 bt_cb(skb)->control.retries > chan->max_tx) {
1927 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1928 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1929 l2cap_seq_list_clear(&chan->retrans_list);
1930 break;
1931 }
1932
1933 control.reqseq = chan->buffer_seq;
1934 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1935 control.final = 1;
1936 else
1937 control.final = 0;
1938
1939 if (skb_cloned(skb)) {
1940 /* Cloned sk_buffs are read-only, so we need a
1941 * writeable copy
1942 */
8bcde1f2 1943 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1944 } else {
8bcde1f2 1945 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1946 }
1947
1948 if (!tx_skb) {
1949 l2cap_seq_list_clear(&chan->retrans_list);
1950 break;
1951 }
1952
1953 /* Update skb contents */
1954 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1955 put_unaligned_le32(__pack_extended_control(&control),
1956 tx_skb->data + L2CAP_HDR_SIZE);
1957 } else {
1958 put_unaligned_le16(__pack_enhanced_control(&control),
1959 tx_skb->data + L2CAP_HDR_SIZE);
1960 }
1961
1962 if (chan->fcs == L2CAP_FCS_CRC16) {
1963 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1964 put_unaligned_le16(fcs, skb_put(tx_skb,
1965 L2CAP_FCS_SIZE));
1966 }
1967
1968 l2cap_do_send(chan, tx_skb);
1969
1970 BT_DBG("Resent txseq %d", control.txseq);
1971
1972 chan->last_acked_seq = chan->buffer_seq;
1973 }
1974}
1975
f80842a8
MM		 1976static void l2cap_retransmit(struct l2cap_chan *chan,
1977 struct l2cap_ctrl *control)
1978{
1979 BT_DBG("chan %p, control %p", chan, control);
1980
1981 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1982 l2cap_ertm_resend(chan);
1983}
1984
d2a7ac5d
MM		 1985static void l2cap_retransmit_all(struct l2cap_chan *chan,
1986 struct l2cap_ctrl *control)
1987{
e1fbd4c1
MM		 1988 struct sk_buff *skb;
1989
1990 BT_DBG("chan %p, control %p", chan, control);
1991
1992 if (control->poll)
1993 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1994
1995 l2cap_seq_list_clear(&chan->retrans_list);
1996
1997 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1998 return;
1999
2000 if (chan->unacked_frames) {
2001 skb_queue_walk(&chan->tx_q, skb) {
2002 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2003 skb == chan->tx_send_head)
e1fbd4c1
MM		 2004 break;
2005 }
2006
2007 skb_queue_walk_from(&chan->tx_q, skb) {
2008 if (skb == chan->tx_send_head)
2009 break;
2010
2011 l2cap_seq_list_append(&chan->retrans_list,
2012 bt_cb(skb)->control.txseq);
2013 }
2014
2015 l2cap_ertm_resend(chan);
2016 }
d2a7ac5d
MM		 2017}
2018
0a0aba42 2019static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2020{
0a0aba42
MM		 2021 struct l2cap_ctrl control;
2022 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2023 chan->last_acked_seq);
2024 int threshold;
9e917af1 2025
0a0aba42
MM		 2026 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2027 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2028
0a0aba42
MM		 2029 memset(&control, 0, sizeof(control));
2030 control.sframe = 1;
dfc909be 2031
0a0aba42
MM		 2032 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2033 chan->rx_state == L2CAP_RX_STATE_RECV) {
2034 __clear_ack_timer(chan);
2035 control.super = L2CAP_SUPER_RNR;
2036 control.reqseq = chan->buffer_seq;
2037 l2cap_send_sframe(chan, &control);
2038 } else {
2039 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2040 l2cap_ertm_send(chan);
2041 /* If any i-frames were sent, they included an ack */
2042 if (chan->buffer_seq == chan->last_acked_seq)
2043 frames_to_ack = 0;
2044 }
dfc909be 2045
c20f8e35 2046 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2047 * Calculate without mul or div
2048 */
c20f8e35 2049 threshold = chan->ack_win;
0a0aba42
MM		 2050 threshold += threshold << 1;
2051 threshold >>= 2;
2052
b4400672 2053 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2054 threshold);
2055
2056 if (frames_to_ack >= threshold) {
2057 __clear_ack_timer(chan);
2058 control.super = L2CAP_SUPER_RR;
2059 control.reqseq = chan->buffer_seq;
2060 l2cap_send_sframe(chan, &control);
2061 frames_to_ack = 0;
2062 }
1c2acffb 2063
0a0aba42
MM		 2064 if (frames_to_ack)
2065 __set_ack_timer(chan);
2066 }
b17e73bb
SJ		 2067}
2068
04124681
GP		 2069static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2070 struct msghdr *msg, int len,
2071 int count, struct sk_buff *skb)
1c2acffb 2072{
0952a57a 2073 struct l2cap_conn *conn = chan->conn;
1c2acffb 2074 struct sk_buff **frag;
90338947 2075 int sent = 0;
1da177e4 2076
0498878b
JR		 2077 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2078 msg->msg_iov, count))
1c2acffb 2079 return -EFAULT;
1da177e4
LT		 2080
2081 sent += count;
2082 len -= count;
2083
2084 /* Continuation fragments (no L2CAP header) */
2085 frag = &skb_shinfo(skb)->frag_list;
2086 while (len) {
fbe00700
GP		 2087 struct sk_buff *tmp;
2088
1da177e4
LT		 2089 count = min_t(unsigned int, conn->mtu, len);
2090
d9fbd02b 2091 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2092 msg->msg_flags & MSG_DONTWAIT);
2093 if (IS_ERR(tmp))
2094 return PTR_ERR(tmp);
2095
2096 *frag = tmp;
2f7719ce 2097
0498878b
JR		 2098 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2099 msg->msg_iov, count))
1c2acffb 2100 return -EFAULT;
1da177e4
LT		 2101
2102 sent += count;
2103 len -= count;
2104
2d0ed3d5
GP		 2105 skb->len += (*frag)->len;
2106 skb->data_len += (*frag)->len;
2107
1da177e4
LT		 2108 frag = &(*frag)->next;
2109 }
1da177e4
LT		 2110
2111 return sent;
1c2acffb 2112}
1da177e4 2113
5e59b791 2114static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2115 struct msghdr *msg, size_t len)
1c2acffb 2116{
8c1d787b 2117 struct l2cap_conn *conn = chan->conn;
1c2acffb 2118 struct sk_buff *skb;
03a51213 2119 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2120 struct l2cap_hdr *lh;
2121
8d46321c
MH		 2122 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2123 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2124
2125 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2126
d9fbd02b 2127 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2128 msg->msg_flags & MSG_DONTWAIT);
2129 if (IS_ERR(skb))
2130 return skb;
1c2acffb
GP		 2131
2132 /* Create L2CAP header */
2133 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2134 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2135 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2136 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2137
0952a57a 2138 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2139 if (unlikely(err < 0)) {
2140 kfree_skb(skb);
2141 return ERR_PTR(err);
2142 }
2143 return skb;
2144}
2145
5e59b791 2146static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2147 struct msghdr *msg, size_t len)
1c2acffb 2148{
8c1d787b 2149 struct l2cap_conn *conn = chan->conn;
1c2acffb 2150 struct sk_buff *skb;
f2ba7fae 2151 int err, count;
1c2acffb
GP		 2152 struct l2cap_hdr *lh;
2153
b4400672 2154 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2155
f2ba7fae 2156 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2157
d9fbd02b 2158 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2159 msg->msg_flags & MSG_DONTWAIT);
2160 if (IS_ERR(skb))
2161 return skb;
1c2acffb
GP		 2162
2163 /* Create L2CAP header */
2164 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2165 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2166 lh->len = cpu_to_le16(len);
1c2acffb 2167
0952a57a 2168 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2169 if (unlikely(err < 0)) {
2170 kfree_skb(skb);
2171 return ERR_PTR(err);
2172 }
2173 return skb;
2174}
2175
ab0ff76d 2176static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2177 struct msghdr *msg, size_t len,
2178 u16 sdulen)
1c2acffb 2179{
8c1d787b 2180 struct l2cap_conn *conn = chan->conn;
1c2acffb 2181 struct sk_buff *skb;
e4ca6d98 2182 int err, count, hlen;
1c2acffb
GP		 2183 struct l2cap_hdr *lh;
2184
b4400672 2185 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2186
0ee0d208
GP		 2187 if (!conn)
2188 return ERR_PTR(-ENOTCONN);
2189
ba7aa64f 2190 hlen = __ertm_hdr_size(chan);
e4ca6d98 2191
c74e560c 2192 if (sdulen)
03a51213 2193 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2194
47d1ec61 2195 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2196 hlen += L2CAP_FCS_SIZE;
fcc203c3 2197
1c2acffb 2198 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2199
d9fbd02b 2200 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2201 msg->msg_flags & MSG_DONTWAIT);
2202 if (IS_ERR(skb))
2203 return skb;
1c2acffb
GP		 2204
2205 /* Create L2CAP header */
2206 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2207 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2208 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2209
18a48e76
MM		 2210 /* Control header is populated later */
2211 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2212 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2213 else
2214 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2215
c74e560c 2216 if (sdulen)
03a51213 2217 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2218
0952a57a 2219 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2220 if (unlikely(err < 0)) {
2221 kfree_skb(skb);
2222 return ERR_PTR(err);
2223 }
e90bac06 2224
18a48e76 2225 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2226 bt_cb(skb)->control.retries = 0;
1c2acffb 2227 return skb;
1da177e4
LT		 2228}
2229
94122bbe
MM		 2230static int l2cap_segment_sdu(struct l2cap_chan *chan,
2231 struct sk_buff_head *seg_queue,
2232 struct msghdr *msg, size_t len)
c74e560c 2233{
c74e560c 2234 struct sk_buff *skb;
94122bbe
MM		 2235 u16 sdu_len;
2236 size_t pdu_len;
94122bbe 2237 u8 sar;
c74e560c 2238
b4400672 2239 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2240
94122bbe
MM		 2241 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2242 * so fragmented skbs are not used. The HCI layer's handling
2243 * of fragmented skbs is not compatible with ERTM's queueing.
2244 */
c74e560c 2245
94122bbe
MM		 2246 /* PDU size is derived from the HCI MTU */
2247 pdu_len = chan->conn->mtu;
c74e560c 2248
a549574d
MM		 2249 /* Constrain PDU size for BR/EDR connections */
2250 if (!chan->hs_hcon)
2251 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2252
2253 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2254 if (chan->fcs)
2255 pdu_len -= L2CAP_FCS_SIZE;
2256
ba7aa64f 2257 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2258
2259 /* Remote device may have requested smaller PDUs */
2260 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2261
2262 if (len <= pdu_len) {
2263 sar = L2CAP_SAR_UNSEGMENTED;
2264 sdu_len = 0;
2265 pdu_len = len;
2266 } else {
2267 sar = L2CAP_SAR_START;
2268 sdu_len = len;
2269 pdu_len -= L2CAP_SDULEN_SIZE;
2270 }
2271
2272 while (len > 0) {
2273 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2274
c74e560c 2275 if (IS_ERR(skb)) {
94122bbe 2276 __skb_queue_purge(seg_queue);
c74e560c
GP		 2277 return PTR_ERR(skb);
2278 }
2279
94122bbe
MM		 2280 bt_cb(skb)->control.sar = sar;
2281 __skb_queue_tail(seg_queue, skb);
2282
2283 len -= pdu_len;
2284 if (sdu_len) {
2285 sdu_len = 0;
2286 pdu_len += L2CAP_SDULEN_SIZE;
2287 }
2288
2289 if (len <= pdu_len) {
2290 sar = L2CAP_SAR_END;
2291 pdu_len = len;
2292 } else {
2293 sar = L2CAP_SAR_CONTINUE;
2294 }
c74e560c 2295 }
c74e560c 2296
f0f62799 2297 return 0;
c74e560c
GP		 2298}
2299
177f8f2b
JH		 2300static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2301 struct msghdr *msg,
2302 size_t len, u16 sdulen)
2303{
2304 struct l2cap_conn *conn = chan->conn;
2305 struct sk_buff *skb;
2306 int err, count, hlen;
2307 struct l2cap_hdr *lh;
2308
2309 BT_DBG("chan %p len %zu", chan, len);
2310
2311 if (!conn)
2312 return ERR_PTR(-ENOTCONN);
2313
2314 hlen = L2CAP_HDR_SIZE;
2315
2316 if (sdulen)
2317 hlen += L2CAP_SDULEN_SIZE;
2318
2319 count = min_t(unsigned int, (conn->mtu - hlen), len);
2320
d9fbd02b 2321 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2322 msg->msg_flags & MSG_DONTWAIT);
2323 if (IS_ERR(skb))
2324 return skb;
2325
2326 /* Create L2CAP header */
2327 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2328 lh->cid = cpu_to_le16(chan->dcid);
2329 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2330
2331 if (sdulen)
2332 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2333
2334 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2335 if (unlikely(err < 0)) {
2336 kfree_skb(skb);
2337 return ERR_PTR(err);
2338 }
2339
2340 return skb;
2341}
2342
2343static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2344 struct sk_buff_head *seg_queue,
2345 struct msghdr *msg, size_t len)
2346{
2347 struct sk_buff *skb;
2348 size_t pdu_len;
2349 u16 sdu_len;
2350
2351 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2352
2353 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2354
2355 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2356
2357 sdu_len = len;
2358 pdu_len -= L2CAP_SDULEN_SIZE;
2359
2360 while (len > 0) {
2361 if (len <= pdu_len)
2362 pdu_len = len;
2363
2364 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2365 if (IS_ERR(skb)) {
2366 __skb_queue_purge(seg_queue);
2367 return PTR_ERR(skb);
2368 }
2369
2370 __skb_queue_tail(seg_queue, skb);
2371
2372 len -= pdu_len;
2373
2374 if (sdu_len) {
2375 sdu_len = 0;
2376 pdu_len += L2CAP_SDULEN_SIZE;
2377 }
2378 }
2379
2380 return 0;
2381}
2382
8d46321c 2383int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2384{
9a91a04a 2385 struct sk_buff *skb;
9a91a04a 2386 int err;
94122bbe 2387 struct sk_buff_head seg_queue;
9a91a04a 2388
31e8ce80
SWK		 2389 if (!chan->conn)
2390 return -ENOTCONN;
2391
9a91a04a 2392 /* Connectionless channel */
715ec005 2393 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2394 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2395 if (IS_ERR(skb))
2396 return PTR_ERR(skb);
2397
ede81a2a
AK		 2398 /* Channel lock is released before requesting new skb and then
2399 * reacquired thus we need to recheck channel state.
2400 */
2401 if (chan->state != BT_CONNECTED) {
2402 kfree_skb(skb);
2403 return -ENOTCONN;
2404 }
2405
9a91a04a
GP		 2406 l2cap_do_send(chan, skb);
2407 return len;
2408 }
2409
2410 switch (chan->mode) {
38319713 2411 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2412 /* Check outgoing MTU */
2413 if (len > chan->omtu)
2414 return -EMSGSIZE;
2415
fad5fc89
JH		 2416 if (!chan->tx_credits)
2417 return -EAGAIN;
2418
177f8f2b
JH		 2419 __skb_queue_head_init(&seg_queue);
2420
2421 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2422
2423 if (chan->state != BT_CONNECTED) {
2424 __skb_queue_purge(&seg_queue);
2425 err = -ENOTCONN;
2426 }
2427
2428 if (err)
2429 return err;
2430
2431 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2432
2433 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2434 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2435 chan->tx_credits--;
2436 }
2437
2438 if (!chan->tx_credits)
2439 chan->ops->suspend(chan);
2440
2441 err = len;
2442
2443 break;
2444
fad5fc89 2445 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2446 /* Check outgoing MTU */
2447 if (len > chan->omtu)
2448 return -EMSGSIZE;
2449
2450 /* Create a basic PDU */
8d46321c 2451 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2452 if (IS_ERR(skb))
2453 return PTR_ERR(skb);
2454
ede81a2a
AK		 2455 /* Channel lock is released before requesting new skb and then
2456 * reacquired thus we need to recheck channel state.
2457 */
2458 if (chan->state != BT_CONNECTED) {
2459 kfree_skb(skb);
2460 return -ENOTCONN;
2461 }
2462
9a91a04a
GP		 2463 l2cap_do_send(chan, skb);
2464 err = len;
2465 break;
2466
2467 case L2CAP_MODE_ERTM:
2468 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2469 /* Check outgoing MTU */
2470 if (len > chan->omtu) {
2471 err = -EMSGSIZE;
2472 break;
2473 }
9a91a04a 2474
94122bbe 2475 __skb_queue_head_init(&seg_queue);
9a91a04a 2476
94122bbe
MM		 2477 /* Do segmentation before calling in to the state machine,
2478 * since it's possible to block while waiting for memory
2479 * allocation.
2480 */
2481 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2482
94122bbe
MM		 2483 /* The channel could have been closed while segmenting,
2484 * check that it is still connected.
2485 */
2486 if (chan->state != BT_CONNECTED) {
2487 __skb_queue_purge(&seg_queue);
2488 err = -ENOTCONN;
9a91a04a
GP		 2489 }
2490
94122bbe 2491 if (err)
9a91a04a 2492 break;
9a91a04a 2493
3733937d 2494 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2495 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2496 else
d660366d 2497 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2498
d660366d 2499 err = len;
9a91a04a 2500
94122bbe
MM		 2501 /* If the skbs were not queued for sending, they'll still be in
2502 * seg_queue and need to be purged.
2503 */
2504 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2505 break;
2506
2507 default:
2508 BT_DBG("bad state %1.1x", chan->mode);
2509 err = -EBADFD;
2510 }
2511
2512 return err;
2513}
6b8d4a6a 2514EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2515
d2a7ac5d
MM		 2516static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2517{
bed68bde
MM		 2518 struct l2cap_ctrl control;
2519 u16 seq;
2520
b4400672 2521 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2522
2523 memset(&control, 0, sizeof(control));
2524 control.sframe = 1;
2525 control.super = L2CAP_SUPER_SREJ;
2526
2527 for (seq = chan->expected_tx_seq; seq != txseq;
2528 seq = __next_seq(chan, seq)) {
2529 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2530 control.reqseq = seq;
2531 l2cap_send_sframe(chan, &control);
2532 l2cap_seq_list_append(&chan->srej_list, seq);
2533 }
2534 }
2535
2536 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2537}
2538
2539static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2540{
bed68bde
MM		 2541 struct l2cap_ctrl control;
2542
2543 BT_DBG("chan %p", chan);
2544
2545 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2546 return;
2547
2548 memset(&control, 0, sizeof(control));
2549 control.sframe = 1;
2550 control.super = L2CAP_SUPER_SREJ;
2551 control.reqseq = chan->srej_list.tail;
2552 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2553}
2554
2555static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2556{
bed68bde
MM		 2557 struct l2cap_ctrl control;
2558 u16 initial_head;
2559 u16 seq;
2560
b4400672 2561 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2562
2563 memset(&control, 0, sizeof(control));
2564 control.sframe = 1;
2565 control.super = L2CAP_SUPER_SREJ;
2566
2567 /* Capture initial list head to allow only one pass through the list. */
2568 initial_head = chan->srej_list.head;
2569
2570 do {
2571 seq = l2cap_seq_list_pop(&chan->srej_list);
2572 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2573 break;
2574
2575 control.reqseq = seq;
2576 l2cap_send_sframe(chan, &control);
2577 l2cap_seq_list_append(&chan->srej_list, seq);
2578 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2579}
2580
608bcc6d
MM		 2581static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2582{
2583 struct sk_buff *acked_skb;
2584 u16 ackseq;
2585
b4400672 2586 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2587
2588 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2589 return;
2590
b4400672 2591 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2592 chan->expected_ack_seq, chan->unacked_frames);
2593
2594 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2595 ackseq = __next_seq(chan, ackseq)) {
2596
2597 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2598 if (acked_skb) {
2599 skb_unlink(acked_skb, &chan->tx_q);
2600 kfree_skb(acked_skb);
2601 chan->unacked_frames--;
2602 }
2603 }
2604
2605 chan->expected_ack_seq = reqseq;
2606
2607 if (chan->unacked_frames == 0)
2608 __clear_retrans_timer(chan);
2609
b4400672 2610 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2611}
2612
2613static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2614{
2615 BT_DBG("chan %p", chan);
2616
2617 chan->expected_tx_seq = chan->buffer_seq;
2618 l2cap_seq_list_clear(&chan->srej_list);
2619 skb_queue_purge(&chan->srej_q);
2620 chan->rx_state = L2CAP_RX_STATE_RECV;
2621}
2622
d660366d
GP		 2623static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2624 struct l2cap_ctrl *control,
2625 struct sk_buff_head *skbs, u8 event)
608bcc6d 2626{
608bcc6d
MM		 2627 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2628 event);
2629
2630 switch (event) {
2631 case L2CAP_EV_DATA_REQUEST:
2632 if (chan->tx_send_head == NULL)
2633 chan->tx_send_head = skb_peek(skbs);
2634
2635 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2636 l2cap_ertm_send(chan);
2637 break;
2638 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2639 BT_DBG("Enter LOCAL_BUSY");
2640 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2641
2642 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2643 /* The SREJ_SENT state must be aborted if we are to
2644 * enter the LOCAL_BUSY state.
2645 */
2646 l2cap_abort_rx_srej_sent(chan);
2647 }
2648
2649 l2cap_send_ack(chan);
2650
2651 break;
2652 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2653 BT_DBG("Exit LOCAL_BUSY");
2654 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2655
2656 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2657 struct l2cap_ctrl local_control;
2658
2659 memset(&local_control, 0, sizeof(local_control));
2660 local_control.sframe = 1;
2661 local_control.super = L2CAP_SUPER_RR;
2662 local_control.poll = 1;
2663 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2664 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2665
2666 chan->retry_count = 1;
2667 __set_monitor_timer(chan);
2668 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2669 }
2670 break;
2671 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2672 l2cap_process_reqseq(chan, control->reqseq);
2673 break;
2674 case L2CAP_EV_EXPLICIT_POLL:
2675 l2cap_send_rr_or_rnr(chan, 1);
2676 chan->retry_count = 1;
2677 __set_monitor_timer(chan);
2678 __clear_ack_timer(chan);
2679 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2680 break;
2681 case L2CAP_EV_RETRANS_TO:
2682 l2cap_send_rr_or_rnr(chan, 1);
2683 chan->retry_count = 1;
2684 __set_monitor_timer(chan);
2685 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2686 break;
2687 case L2CAP_EV_RECV_FBIT:
2688 /* Nothing to process */
2689 break;
2690 default:
2691 break;
2692 }
608bcc6d
MM		 2693}
2694
d660366d
GP		 2695static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2696 struct l2cap_ctrl *control,
2697 struct sk_buff_head *skbs, u8 event)
608bcc6d 2698{
608bcc6d
MM		 2699 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2700 event);
2701
2702 switch (event) {
2703 case L2CAP_EV_DATA_REQUEST:
2704 if (chan->tx_send_head == NULL)
2705 chan->tx_send_head = skb_peek(skbs);
2706 /* Queue data, but don't send. */
2707 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2708 break;
2709 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2710 BT_DBG("Enter LOCAL_BUSY");
2711 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2712
2713 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2714 /* The SREJ_SENT state must be aborted if we are to
2715 * enter the LOCAL_BUSY state.
2716 */
2717 l2cap_abort_rx_srej_sent(chan);
2718 }
2719
2720 l2cap_send_ack(chan);
2721
2722 break;
2723 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2724 BT_DBG("Exit LOCAL_BUSY");
2725 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2726
2727 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2728 struct l2cap_ctrl local_control;
2729 memset(&local_control, 0, sizeof(local_control));
2730 local_control.sframe = 1;
2731 local_control.super = L2CAP_SUPER_RR;
2732 local_control.poll = 1;
2733 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2734 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2735
2736 chan->retry_count = 1;
2737 __set_monitor_timer(chan);
2738 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2739 }
2740 break;
2741 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2742 l2cap_process_reqseq(chan, control->reqseq);
2743
2744 /* Fall through */
2745
2746 case L2CAP_EV_RECV_FBIT:
2747 if (control && control->final) {
2748 __clear_monitor_timer(chan);
2749 if (chan->unacked_frames > 0)
2750 __set_retrans_timer(chan);
2751 chan->retry_count = 0;
2752 chan->tx_state = L2CAP_TX_STATE_XMIT;
2753 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2754 }
2755 break;
2756 case L2CAP_EV_EXPLICIT_POLL:
2757 /* Ignore */
2758 break;
2759 case L2CAP_EV_MONITOR_TO:
2760 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2761 l2cap_send_rr_or_rnr(chan, 1);
2762 __set_monitor_timer(chan);
2763 chan->retry_count++;
2764 } else {
5e4e3972 2765 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2766 }
2767 break;
2768 default:
2769 break;
2770 }
608bcc6d
MM		 2771}
2772
d660366d
GP		 2773static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2774 struct sk_buff_head *skbs, u8 event)
608bcc6d 2775{
608bcc6d
MM		 2776 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2777 chan, control, skbs, event, chan->tx_state);
2778
2779 switch (chan->tx_state) {
2780 case L2CAP_TX_STATE_XMIT:
d660366d 2781 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2782 break;
2783 case L2CAP_TX_STATE_WAIT_F:
d660366d 2784 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2785 break;
2786 default:
2787 /* Ignore event */
2788 break;
2789 }
608bcc6d
MM		 2790}
2791
4b51dae9
MM		 2792static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2793 struct l2cap_ctrl *control)
2794{
2795 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2796 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2797}
2798
f80842a8
MM		 2799static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2800 struct l2cap_ctrl *control)
2801{
2802 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2803 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2804}
2805
1da177e4
LT		 2806/* Copy frame to all raw sockets on that connection */
2807static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2808{
1da177e4 2809 struct sk_buff *nskb;
48454079 2810 struct l2cap_chan *chan;
1da177e4
LT		 2811
2812 BT_DBG("conn %p", conn);
2813
3df91ea2 2814 mutex_lock(&conn->chan_lock);
3d57dc68 2815
3df91ea2 2816 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2817 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2818 continue;
2819
7f5396a7
GP		 2820 /* Don't send frame to the channel it came from */
2821 if (bt_cb(skb)->chan == chan)
1da177e4 2822 continue;
7f5396a7 2823
8bcde1f2 2824 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2825 if (!nskb)
1da177e4 2826 continue;
80b98027 2827 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2828 kfree_skb(nskb);
2829 }
3d57dc68 2830
3df91ea2 2831 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2832}
2833
2834/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2835static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2836 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2837{
2838 struct sk_buff *skb, **frag;
2839 struct l2cap_cmd_hdr *cmd;
2840 struct l2cap_hdr *lh;
2841 int len, count;
2842
b4400672
AE		 2843 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2844 conn, code, ident, dlen);
1da177e4 2845
300b962e
AL		 2846 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2847 return NULL;
2848
1da177e4
LT		 2849 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2850 count = min_t(unsigned int, conn->mtu, len);
2851
8bcde1f2 2852 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2853 if (!skb)
2854 return NULL;
2855
2856 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2857 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2858
2859 if (conn->hcon->type == LE_LINK)
dcf4adbf 2860 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2861 else
dcf4adbf 2862 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2863
2864 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2865 cmd->code = code;
2866 cmd->ident = ident;
aca3192c 2867 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2868
2869 if (dlen) {
2870 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2871 memcpy(skb_put(skb, count), data, count);
2872 data += count;
2873 }
2874
2875 len -= skb->len;
2876
2877 /* Continuation fragments (no L2CAP header) */
2878 frag = &skb_shinfo(skb)->frag_list;
2879 while (len) {
2880 count = min_t(unsigned int, conn->mtu, len);
2881
8bcde1f2 2882 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2883 if (!*frag)
2884 goto fail;
2885
2886 memcpy(skb_put(*frag, count), data, count);
2887
2888 len -= count;
2889 data += count;
2890
2891 frag = &(*frag)->next;
2892 }
2893
2894 return skb;
2895
2896fail:
2897 kfree_skb(skb);
2898 return NULL;
2899}
2900
2d792818
GP		 2901static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2902 unsigned long *val)
1da177e4
LT		 2903{
2904 struct l2cap_conf_opt *opt = *ptr;
2905 int len;
2906
2907 len = L2CAP_CONF_OPT_SIZE + opt->len;
2908 *ptr += len;
2909
2910 *type = opt->type;
2911 *olen = opt->len;
2912
2913 switch (opt->len) {
2914 case 1:
2915 *val = *((u8 *) opt->val);
2916 break;
2917
2918 case 2:
bfaaeb3e 2919 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2920 break;
2921
2922 case 4:
bfaaeb3e 2923 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2924 break;
2925
2926 default:
2927 *val = (unsigned long) opt->val;
2928 break;
2929 }
2930
b4400672 2931 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2932 return len;
2933}
2934
1da177e4
LT		 2935static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2936{
2937 struct l2cap_conf_opt *opt = *ptr;
2938
b4400672 2939 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2940
2941 opt->type = type;
2942 opt->len = len;
2943
2944 switch (len) {
2945 case 1:
2946 *((u8 *) opt->val) = val;
2947 break;
2948
2949 case 2:
4f8b691c 2950 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2951 break;
2952
2953 case 4:
4f8b691c 2954 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2955 break;
2956
2957 default:
2958 memcpy(opt->val, (void *) val, len);
2959 break;
2960 }
2961
2962 *ptr += L2CAP_CONF_OPT_SIZE + len;
2963}
2964
f89cef09
AE		 2965static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2966{
2967 struct l2cap_conf_efs efs;
2968
1ec918ce 2969 switch (chan->mode) {
f89cef09
AE		 2970 case L2CAP_MODE_ERTM:
2971 efs.id = chan->local_id;
2972 efs.stype = chan->local_stype;
2973 efs.msdu = cpu_to_le16(chan->local_msdu);
2974 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2975 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2976 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2977 break;
2978
2979 case L2CAP_MODE_STREAMING:
2980 efs.id = 1;
2981 efs.stype = L2CAP_SERV_BESTEFFORT;
2982 efs.msdu = cpu_to_le16(chan->local_msdu);
2983 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2984 efs.acc_lat = 0;
2985 efs.flush_to = 0;
2986 break;
2987
2988 default:
2989 return;
2990 }
2991
2992 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2993 (unsigned long) &efs);
f89cef09
AE		 2994}
2995
721c4181 2996static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2997{
721c4181 2998 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2999 ack_timer.work);
3000 u16 frames_to_ack;
c1b4f43b 3001
2fb9b3d4
GP		 3002 BT_DBG("chan %p", chan);
3003
6be36555
AE		 3004 l2cap_chan_lock(chan);
3005
0362520b
MM		 3006 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3007 chan->last_acked_seq);
6be36555 3008
0362520b
MM		 3009 if (frames_to_ack)
3010 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3011
0362520b 3012 l2cap_chan_unlock(chan);
09bfb2ee 3013 l2cap_chan_put(chan);
c1b4f43b
GP		 3014}
3015
466f8004 3016int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3017{
3c588192
MM		 3018 int err;
3019
105bdf9e
MM		 3020 chan->next_tx_seq = 0;
3021 chan->expected_tx_seq = 0;
42e5c802 3022 chan->expected_ack_seq = 0;
6a026610 3023 chan->unacked_frames = 0;
42e5c802 3024 chan->buffer_seq = 0;
6a026610 3025 chan->frames_sent = 0;
105bdf9e
MM		 3026 chan->last_acked_seq = 0;
3027 chan->sdu = NULL;
3028 chan->sdu_last_frag = NULL;
3029 chan->sdu_len = 0;
3030
d34c34fb
MM		 3031 skb_queue_head_init(&chan->tx_q);
3032
6ed971ca
MH		 3033 chan->local_amp_id = AMP_ID_BREDR;
3034 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3035 chan->move_state = L2CAP_MOVE_STABLE;
3036 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3037
105bdf9e
MM		 3038 if (chan->mode != L2CAP_MODE_ERTM)
3039 return 0;
3040
3041 chan->rx_state = L2CAP_RX_STATE_RECV;
3042 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3043
721c4181
GP		 3044 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3045 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3046 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3047
f1c6775b 3048 skb_queue_head_init(&chan->srej_q);
1890d36b 3049
3c588192
MM		 3050 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3051 if (err < 0)
3052 return err;
3053
9dc9affc
MM		 3054 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3055 if (err < 0)
3056 l2cap_seq_list_free(&chan->srej_list);
3057
3058 return err;
0565c1c2
GP		 3059}
3060
f2fcfcd6
GP		 3061static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3062{
3063 switch (mode) {
3064 case L2CAP_MODE_STREAMING:
3065 case L2CAP_MODE_ERTM:
3066 if (l2cap_mode_supported(mode, remote_feat_mask))
3067 return mode;
3068 /* fall through */
3069 default:
3070 return L2CAP_MODE_BASIC;
3071 }
3072}
3073
848566b3 3074static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3075{
848566b3 3076 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3077}
3078
848566b3 3079static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3080{
848566b3 3081 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3082}
3083
36c86c85
MM		 3084static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3085 struct l2cap_conf_rfc *rfc)
3086{
6ed971ca 3087 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3088 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3089
3090 /* Class 1 devices have must have ERTM timeouts
3091 * exceeding the Link Supervision Timeout. The
3092 * default Link Supervision Timeout for AMP
3093 * controllers is 10 seconds.
3094 *
3095 * Class 1 devices use 0xffffffff for their
3096 * best-effort flush timeout, so the clamping logic
3097 * will result in a timeout that meets the above
3098 * requirement. ERTM timeouts are 16-bit values, so
3099 * the maximum timeout is 65.535 seconds.
3100 */
3101
3102 /* Convert timeout to milliseconds and round */
3103 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3104
3105 /* This is the recommended formula for class 2 devices
3106 * that start ERTM timers when packets are sent to the
3107 * controller.
3108 */
3109 ertm_to = 3 * ertm_to + 500;
3110
3111 if (ertm_to > 0xffff)
3112 ertm_to = 0xffff;
3113
3114 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3115 rfc->monitor_timeout = rfc->retrans_timeout;
3116 } else {
dcf4adbf
JP		 3117 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3118 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3119 }
3120}
3121
6327eb98
AE		 3122static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3123{
3124 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3125 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3126 /* use extended control field */
3127 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3128 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3129 } else {
6327eb98 3130 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3131 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3132 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3133 }
c20f8e35 3134 chan->ack_win = chan->tx_win;
6327eb98
AE		 3135}
3136
710f9b0a 3137static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3138{
1da177e4 3139 struct l2cap_conf_req *req = data;
0c1bc5c6 3140 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3141 void *ptr = req->data;
c8f79162 3142 u16 size;
1da177e4 3143
49208c9c 3144 BT_DBG("chan %p", chan);
1da177e4 3145
73ffa904 3146 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3147 goto done;
3148
0c1bc5c6 3149 switch (chan->mode) {
f2fcfcd6
GP		 3150 case L2CAP_MODE_STREAMING:
3151 case L2CAP_MODE_ERTM:
c1360a1c 3152 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3153 break;
85eb53c6 3154
848566b3 3155 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3156 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3157
2ba13ed6 3158 /* fall through */
f2fcfcd6 3159 default:
8c1d787b 3160 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3161 break;
3162 }
3163
3164done:
0c1bc5c6
GP		 3165 if (chan->imtu != L2CAP_DEFAULT_MTU)
3166 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3167
0c1bc5c6 3168 switch (chan->mode) {
65c7c491 3169 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3170 if (disable_ertm)
3171 break;
3172
8c1d787b 3173 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3174 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3175 break;
3176
62547752
GP		 3177 rfc.mode = L2CAP_MODE_BASIC;
3178 rfc.txwin_size = 0;
3179 rfc.max_transmit = 0;
3180 rfc.retrans_timeout = 0;
3181 rfc.monitor_timeout = 0;
3182 rfc.max_pdu_size = 0;
3183
63406504 3184 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3185 (unsigned long) &rfc);
65c7c491
MH		 3186 break;
3187
3188 case L2CAP_MODE_ERTM:
3189 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3190 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3191
3192 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3193
3194 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3195 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3196 L2CAP_FCS_SIZE);
c8f79162 3197 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3198
6327eb98
AE		 3199 l2cap_txwin_setup(chan);
3200
3201 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3202 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3203
63406504 3204 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3205 (unsigned long) &rfc);
63406504 3206
f89cef09
AE		 3207 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3208 l2cap_add_opt_efs(&ptr, chan);
3209
6327eb98
AE		 3210 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3211 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3212 chan->tx_win);
60918918
AE		 3213
3214 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3215 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3216 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3217 chan->fcs = L2CAP_FCS_NONE;
3218 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3219 chan->fcs);
3220 }
f2fcfcd6
GP		 3221 break;
3222
3223 case L2CAP_MODE_STREAMING:
273759e2 3224 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3225 rfc.mode = L2CAP_MODE_STREAMING;
3226 rfc.txwin_size = 0;
3227 rfc.max_transmit = 0;
3228 rfc.retrans_timeout = 0;
3229 rfc.monitor_timeout = 0;
c8f79162
AE		 3230
3231 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3232 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3233 L2CAP_FCS_SIZE);
c8f79162 3234 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3235
63406504 3236 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3237 (unsigned long) &rfc);
63406504 3238
f89cef09
AE		 3239 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3240 l2cap_add_opt_efs(&ptr, chan);
3241
60918918
AE		 3242 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3243 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3244 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3245 chan->fcs = L2CAP_FCS_NONE;
3246 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3247 chan->fcs);
3248 }
65c7c491
MH		 3249 break;
3250 }
1da177e4 3251
fe4128e0 3252 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3253 req->flags = cpu_to_le16(0);
1da177e4
LT		 3254
3255 return ptr - data;
3256}
3257
73ffa904 3258static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3259{
5dee9e7c
MH		 3260 struct l2cap_conf_rsp *rsp = data;
3261 void *ptr = rsp->data;
73ffa904
GP		 3262 void *req = chan->conf_req;
3263 int len = chan->conf_len;
5dee9e7c
MH		 3264 int type, hint, olen;
3265 unsigned long val;
6464f35f 3266 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3267 struct l2cap_conf_efs efs;
3268 u8 remote_efs = 0;
861d6882 3269 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3270 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3271 u16 size;
1da177e4 3272
73ffa904 3273 BT_DBG("chan %p", chan);
820ae1b8 3274
5dee9e7c
MH		 3275 while (len >= L2CAP_CONF_OPT_SIZE) {
3276 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3277
589d2746 3278 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3279 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3280
3281 switch (type) {
3282 case L2CAP_CONF_MTU:
861d6882 3283 mtu = val;
5dee9e7c
MH		 3284 break;
3285
3286 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3287 chan->flush_to = val;
5dee9e7c
MH		 3288 break;
3289
3290 case L2CAP_CONF_QOS:
3291 break;
3292
6464f35f
MH		 3293 case L2CAP_CONF_RFC:
3294 if (olen == sizeof(rfc))
3295 memcpy(&rfc, (void *) val, olen);
3296 break;
3297
fcc203c3
GP		 3298 case L2CAP_CONF_FCS:
3299 if (val == L2CAP_FCS_NONE)
f2592d3e 3300 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3301 break;
fcc203c3 3302
42dceae2
AE		 3303 case L2CAP_CONF_EFS:
3304 remote_efs = 1;
3305 if (olen == sizeof(efs))
3306 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3307 break;
3308
6327eb98 3309 case L2CAP_CONF_EWS:
848566b3 3310 if (!chan->conn->hs_enabled)
6327eb98 3311 return -ECONNREFUSED;
fcc203c3 3312
6327eb98
AE		 3313 set_bit(FLAG_EXT_CTRL, &chan->flags);
3314 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3315 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3316 chan->remote_tx_win = val;
fcc203c3
GP		 3317 break;
3318
5dee9e7c
MH		 3319 default:
3320 if (hint)
3321 break;
3322
3323 result = L2CAP_CONF_UNKNOWN;
3324 *((u8 *) ptr++) = type;
3325 break;
3326 }
3327 }
3328
73ffa904 3329 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3330 goto done;
3331
0c1bc5c6 3332 switch (chan->mode) {
f2fcfcd6
GP		 3333 case L2CAP_MODE_STREAMING:
3334 case L2CAP_MODE_ERTM:
c1360a1c 3335 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3336 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3337 chan->conn->feat_mask);
85eb53c6
GP		 3338 break;
3339 }
3340
42dceae2 3341 if (remote_efs) {
848566b3 3342 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3343 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3344 else
3345 return -ECONNREFUSED;
3346 }
3347
0c1bc5c6 3348 if (chan->mode != rfc.mode)
f2fcfcd6 3349 return -ECONNREFUSED;
742e519b 3350
f2fcfcd6 3351 break;
f2fcfcd6
GP		 3352 }
3353
3354done:
0c1bc5c6 3355 if (chan->mode != rfc.mode) {
f2fcfcd6 3356 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3357 rfc.mode = chan->mode;
f2fcfcd6 3358
73ffa904 3359 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3360 return -ECONNREFUSED;
3361
2d792818
GP		 3362 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3363 (unsigned long) &rfc);
f2fcfcd6
GP		 3364 }
3365
5dee9e7c
MH		 3366 if (result == L2CAP_CONF_SUCCESS) {
3367 /* Configure output options and let the other side know
3368 * which ones we don't like. */
3369
f2fcfcd6
GP		 3370 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3371 result = L2CAP_CONF_UNACCEPT;
3372 else {
0c1bc5c6 3373 chan->omtu = mtu;
c1360a1c 3374 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3375 }
0c1bc5c6 3376 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3377
42dceae2
AE		 3378 if (remote_efs) {
3379 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3380 efs.stype != L2CAP_SERV_NOTRAFIC &&
3381 efs.stype != chan->local_stype) {
42dceae2
AE		 3382
3383 result = L2CAP_CONF_UNACCEPT;
3384
3385 if (chan->num_conf_req >= 1)
3386 return -ECONNREFUSED;
3387
3388 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3389 sizeof(efs),
3390 (unsigned long) &efs);
0e8b207e 3391 } else {
3e6b3b95 3392 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3393 result = L2CAP_CONF_PENDING;
3394 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3395 }
3396 }
3397
f2fcfcd6
GP		 3398 switch (rfc.mode) {
3399 case L2CAP_MODE_BASIC:
47d1ec61 3400 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3401 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3402 break;
3403
3404 case L2CAP_MODE_ERTM:
6327eb98
AE		 3405 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3406 chan->remote_tx_win = rfc.txwin_size;
3407 else
3408 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3409
2c03a7a4 3410 chan->remote_max_tx = rfc.max_transmit;
1c762159 3411
c8f79162 3412 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3413 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3414 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3415 rfc.max_pdu_size = cpu_to_le16(size);
3416 chan->remote_mps = size;
f2fcfcd6 3417
36c86c85 3418 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3419
c1360a1c 3420 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3421
3422 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3423 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3424
42dceae2
AE		 3425 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3426 chan->remote_id = efs.id;
3427 chan->remote_stype = efs.stype;
3428 chan->remote_msdu = le16_to_cpu(efs.msdu);
3429 chan->remote_flush_to =
2d792818 3430 le32_to_cpu(efs.flush_to);
42dceae2 3431 chan->remote_acc_lat =
2d792818 3432 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3433 chan->remote_sdu_itime =
3434 le32_to_cpu(efs.sdu_itime);
3435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3436 sizeof(efs),
3437 (unsigned long) &efs);
42dceae2 3438 }
f2fcfcd6
GP		 3439 break;
3440
3441 case L2CAP_MODE_STREAMING:
c8f79162 3442 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3443 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3444 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3445 rfc.max_pdu_size = cpu_to_le16(size);
3446 chan->remote_mps = size;
f2fcfcd6 3447
c1360a1c 3448 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3449
2d792818
GP		 3450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3451 (unsigned long) &rfc);
68ae6639 3452
f2fcfcd6
GP		 3453 break;
3454
3455 default:
5dee9e7c 3456 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3457
6464f35f 3458 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3459 rfc.mode = chan->mode;
f2fcfcd6 3460 }
6464f35f 3461
f2fcfcd6 3462 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3463 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3464 }
fe4128e0 3465 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3466 rsp->result = cpu_to_le16(result);
dcf4adbf 3467 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3468
3469 return ptr - data;
1da177e4
LT		 3470}
3471
2d792818
GP		 3472static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3473 void *data, u16 *result)
f2fcfcd6 3474{
f2fcfcd6
GP		 3475 struct l2cap_conf_req *req = data;
3476 void *ptr = req->data;
3477 int type, olen;
3478 unsigned long val;
36e999a8 3479 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3480 struct l2cap_conf_efs efs;
f2fcfcd6 3481
fe4128e0 3482 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3483
3484 while (len >= L2CAP_CONF_OPT_SIZE) {
3485 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3486
3487 switch (type) {
3488 case L2CAP_CONF_MTU:
3489 if (val < L2CAP_DEFAULT_MIN_MTU) {
3490 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3491 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3492 } else
0c1bc5c6
GP		 3493 chan->imtu = val;
3494 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3495 break;
3496
3497 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3498 chan->flush_to = val;
f2fcfcd6 3499 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3500 2, chan->flush_to);
f2fcfcd6
GP		 3501 break;
3502
3503 case L2CAP_CONF_RFC:
3504 if (olen == sizeof(rfc))
3505 memcpy(&rfc, (void *)val, olen);
3506
c1360a1c 3507 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3508 rfc.mode != chan->mode)
f2fcfcd6
GP		 3509 return -ECONNREFUSED;
3510
47d1ec61 3511 chan->fcs = 0;
f2fcfcd6
GP		 3512
3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3514 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3515 break;
6327eb98
AE		 3516
3517 case L2CAP_CONF_EWS:
c20f8e35 3518 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3519 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3520 chan->tx_win);
6327eb98 3521 break;
66af7aaf
AE		 3522
3523 case L2CAP_CONF_EFS:
3524 if (olen == sizeof(efs))
3525 memcpy(&efs, (void *)val, olen);
3526
3527 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3528 efs.stype != L2CAP_SERV_NOTRAFIC &&
3529 efs.stype != chan->local_stype)
66af7aaf
AE		 3530 return -ECONNREFUSED;
3531
2d792818
GP		 3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3533 (unsigned long) &efs);
66af7aaf 3534 break;
cbabee78
AE		 3535
3536 case L2CAP_CONF_FCS:
3537 if (*result == L2CAP_CONF_PENDING)
3538 if (val == L2CAP_FCS_NONE)
f2592d3e 3539 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3540 &chan->conf_state);
3541 break;
f2fcfcd6
GP		 3542 }
3543 }
3544
0c1bc5c6 3545 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3546 return -ECONNREFUSED;
3547
0c1bc5c6 3548 chan->mode = rfc.mode;
6c2ea7a8 3549
0e8b207e 3550 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3551 switch (rfc.mode) {
3552 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3553 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3554 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3555 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3556 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3557 chan->ack_win = min_t(u16, chan->ack_win,
3558 rfc.txwin_size);
66af7aaf
AE		 3559
3560 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3561 chan->local_msdu = le16_to_cpu(efs.msdu);
3562 chan->local_sdu_itime =
2d792818 3563 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3564 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3565 chan->local_flush_to =
2d792818 3566 le32_to_cpu(efs.flush_to);
66af7aaf 3567 }
f2fcfcd6 3568 break;
66af7aaf 3569
f2fcfcd6 3570 case L2CAP_MODE_STREAMING:
47d1ec61 3571 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3572 }
3573 }
3574
fe4128e0 3575 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3576 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3577
3578 return ptr - data;
3579}
3580
2d792818
GP		 3581static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3582 u16 result, u16 flags)
1da177e4
LT		 3583{
3584 struct l2cap_conf_rsp *rsp = data;
3585 void *ptr = rsp->data;
1da177e4 3586
fe4128e0 3587 BT_DBG("chan %p", chan);
1da177e4 3588
fe4128e0 3589 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3590 rsp->result = cpu_to_le16(result);
aca3192c 3591 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3592
3593 return ptr - data;
3594}
3595
27e2d4c8
JH		 3596void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3597{
3598 struct l2cap_le_conn_rsp rsp;
3599 struct l2cap_conn *conn = chan->conn;
3600
3601 BT_DBG("chan %p", chan);
3602
3603 rsp.dcid = cpu_to_le16(chan->scid);
3604 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3605 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3606 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3607 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3608
3609 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3610 &rsp);
3611}
3612
8c1d787b 3613void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3614{
3615 struct l2cap_conn_rsp rsp;
8c1d787b 3616 struct l2cap_conn *conn = chan->conn;
710f9b0a 3617 u8 buf[128];
439f34ac 3618 u8 rsp_code;
710f9b0a 3619
fe4128e0
GP		 3620 rsp.scid = cpu_to_le16(chan->dcid);
3621 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3622 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3623 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3624
3625 if (chan->hs_hcon)
3626 rsp_code = L2CAP_CREATE_CHAN_RSP;
3627 else
3628 rsp_code = L2CAP_CONN_RSP;
3629
3630 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3631
3632 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3633
c1360a1c 3634 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3635 return;
3636
710f9b0a 3637 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3638 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3639 chan->num_conf_req++;
3640}
3641
47d1ec61 3642static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3643{
7b1c0049
GP		 3644 int type, olen;
3645 unsigned long val;
c20f8e35
MM		 3646 /* Use sane default values in case a misbehaving remote device
3647 * did not send an RFC or extended window size option.
3648 */
3649 u16 txwin_ext = chan->ack_win;
3650 struct l2cap_conf_rfc rfc = {
3651 .mode = chan->mode,
dcf4adbf
JP		 3652 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3653 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3654 .max_pdu_size = cpu_to_le16(chan->imtu),
3655 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3656 };
7b1c0049 3657
47d1ec61 3658 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3659
0c1bc5c6 3660 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3661 return;
3662
3663 while (len >= L2CAP_CONF_OPT_SIZE) {
3664 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3665
c20f8e35
MM		 3666 switch (type) {
3667 case L2CAP_CONF_RFC:
3668 if (olen == sizeof(rfc))
3669 memcpy(&rfc, (void *)val, olen);
8f321f85 3670 break;
c20f8e35
MM		 3671 case L2CAP_CONF_EWS:
3672 txwin_ext = val;
3673 break;
3674 }
7b1c0049
GP		 3675 }
3676
7b1c0049
GP		 3677 switch (rfc.mode) {
3678 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3679 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3680 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3681 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3682 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3683 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3684 else
3685 chan->ack_win = min_t(u16, chan->ack_win,
3686 rfc.txwin_size);
7b1c0049
GP		 3687 break;
3688 case L2CAP_MODE_STREAMING:
47d1ec61 3689 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3690 }
3691}
3692
2d792818 3693static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3694 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3695 u8 *data)
4e8402a3 3696{
e2fd318e 3697 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3698
cb3b3152
JH		 3699 if (cmd_len < sizeof(*rej))
3700 return -EPROTO;
3701
e2fd318e 3702 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3703 return 0;
3704
3705 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3706 cmd->ident == conn->info_ident) {
17cd3f37 3707 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3708
3709 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3710 conn->info_ident = 0;
984947dc 3711
4e8402a3
MH		 3712 l2cap_conn_start(conn);
3713 }
3714
3715 return 0;
3716}
3717
1700915f
MM		 3718static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3719 struct l2cap_cmd_hdr *cmd,
3720 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3721{
1da177e4
LT		 3722 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3723 struct l2cap_conn_rsp rsp;
23691d75 3724 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3725 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3726
3727 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3728 __le16 psm = req->psm;
1da177e4 3729
097db76c 3730 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3731
3732 /* Check if we have socket listening on psm */
6f59b904 3733 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3734 &conn->hcon->dst, ACL_LINK);
23691d75 3735 if (!pchan) {
1da177e4
LT		 3736 result = L2CAP_CR_BAD_PSM;
3737 goto sendresp;
3738 }
3739
3df91ea2 3740 mutex_lock(&conn->chan_lock);
8ffb9290 3741 l2cap_chan_lock(pchan);
e0f0cb56 3742
e7c29cb1 3743 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3744 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3745 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3746 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3747 result = L2CAP_CR_SEC_BLOCK;
3748 goto response;
3749 }
3750
1da177e4
LT		 3751 result = L2CAP_CR_NO_MEM;
3752
2dfa1003
GP		 3753 /* Check if we already have channel with that dcid */
3754 if (__l2cap_get_chan_by_dcid(conn, scid))
3755 goto response;
3756
80b98027 3757 chan = pchan->ops->new_connection(pchan);
80808e43 3758 if (!chan)
1da177e4
LT		 3759 goto response;
3760
330b6c15
SS		 3761 /* For certain devices (ex: HID mouse), support for authentication,
3762 * pairing and bonding is optional. For such devices, inorder to avoid
3763 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3764 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3765 */
3766 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3767
7eafc59e
MH		 3768 bacpy(&chan->src, &conn->hcon->src);
3769 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3770 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3771 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3772 chan->psm = psm;
3773 chan->dcid = scid;
1700915f 3774 chan->local_amp_id = amp_id;
1da177e4 3775
6be36555 3776 __l2cap_chan_add(conn, chan);
48454079 3777
fe4128e0 3778 dcid = chan->scid;
1da177e4 3779
8d836d71 3780 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3781
fc7f8a7e 3782 chan->ident = cmd->ident;
1da177e4 3783
984947dc 3784 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3785 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3786 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3787 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3788 result = L2CAP_CR_PEND;
3789 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3790 chan->ops->defer(chan);
f66dc81f 3791 } else {
1700915f
MM		 3792 /* Force pending result for AMP controllers.
3793 * The connection will succeed after the
3794 * physical link is up.
3795 */
6ed971ca 3796 if (amp_id == AMP_ID_BREDR) {
f93fa273 3797 l2cap_state_change(chan, BT_CONFIG);
1700915f 3798 result = L2CAP_CR_SUCCESS;
6ed971ca 3799 } else {
f93fa273 3800 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3801 result = L2CAP_CR_PEND;
1700915f 3802 }
f66dc81f
MH		 3803 status = L2CAP_CS_NO_INFO;
3804 }
79d554a6 3805 } else {
f93fa273 3806 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3807 result = L2CAP_CR_PEND;
3808 status = L2CAP_CS_AUTHEN_PEND;
3809 }
3810 } else {
f93fa273 3811 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3812 result = L2CAP_CR_PEND;
3813 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3814 }
3815
1da177e4 3816response:
8ffb9290 3817 l2cap_chan_unlock(pchan);
3df91ea2 3818 mutex_unlock(&conn->chan_lock);
a24cce14 3819 l2cap_chan_put(pchan);
1da177e4
LT		 3820
3821sendresp:
aca3192c
YH		 3822 rsp.scid = cpu_to_le16(scid);
3823 rsp.dcid = cpu_to_le16(dcid);
3824 rsp.result = cpu_to_le16(result);
3825 rsp.status = cpu_to_le16(status);
4c89b6aa 3826 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3827
3828 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3829 struct l2cap_info_req info;
dcf4adbf 3830 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3831
3832 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3833 conn->info_ident = l2cap_get_ident(conn);
3834
ba13ccd9 3835 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3836
2d792818
GP		 3837 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3838 sizeof(info), &info);
79d554a6
MH		 3839 }
3840
c1360a1c 3841 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3842 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3843 u8 buf[128];
c1360a1c 3844 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3845 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3846 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3847 chan->num_conf_req++;
e9aeb2dd 3848 }
1700915f
MM		 3849
3850 return chan;
4c89b6aa 3851}
e9aeb2dd 3852
4c89b6aa 3853static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3854 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3855{
7b064eda
JK		 3856 struct hci_dev *hdev = conn->hcon->hdev;
3857 struct hci_conn *hcon = conn->hcon;
3858
cb3b3152
JH		 3859 if (cmd_len < sizeof(struct l2cap_conn_req))
3860 return -EPROTO;
3861
7b064eda
JK		 3862 hci_dev_lock(hdev);
3863 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3864 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3865 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3866 hcon->dst_type, 0, NULL, 0,
3867 hcon->dev_class);
3868 hci_dev_unlock(hdev);
3869
300229f9 3870 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3871 return 0;
3872}
3873
5909cf30 3874static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3875 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3876 u8 *data)
1da177e4
LT		 3877{
3878 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3879 u16 scid, dcid, result, status;
48454079 3880 struct l2cap_chan *chan;
1da177e4 3881 u8 req[128];
3df91ea2 3882 int err;
1da177e4 3883
cb3b3152
JH		 3884 if (cmd_len < sizeof(*rsp))
3885 return -EPROTO;
3886
1da177e4
LT		 3887 scid = __le16_to_cpu(rsp->scid);
3888 dcid = __le16_to_cpu(rsp->dcid);
3889 result = __le16_to_cpu(rsp->result);
3890 status = __le16_to_cpu(rsp->status);
3891
1b009c98 3892 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3893 dcid, scid, result, status);
1da177e4 3894
3df91ea2
AE		 3895 mutex_lock(&conn->chan_lock);
3896
1da177e4 3897 if (scid) {
3df91ea2
AE		 3898 chan = __l2cap_get_chan_by_scid(conn, scid);
3899 if (!chan) {
21870b52 3900 err = -EBADSLT;
3df91ea2
AE		 3901 goto unlock;
3902 }
1da177e4 3903 } else {
3df91ea2
AE		 3904 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3905 if (!chan) {
21870b52 3906 err = -EBADSLT;
3df91ea2
AE		 3907 goto unlock;
3908 }
1da177e4
LT		 3909 }
3910
3df91ea2
AE		 3911 err = 0;
3912
6be36555 3913 l2cap_chan_lock(chan);
48454079 3914
1da177e4
LT		 3915 switch (result) {
3916 case L2CAP_CR_SUCCESS:
89bc500e 3917 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3918 chan->ident = 0;
fe4128e0 3919 chan->dcid = dcid;
c1360a1c 3920 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3921
c1360a1c 3922 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3923 break;
3924
1da177e4 3925 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3926 l2cap_build_conf_req(chan, req), req);
73ffa904 3927 chan->num_conf_req++;
1da177e4
LT		 3928 break;
3929
3930 case L2CAP_CR_PEND:
c1360a1c 3931 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3932 break;
3933
3934 default:
48454079 3935 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3936 break;
3937 }
3938
6be36555 3939 l2cap_chan_unlock(chan);
3df91ea2
AE		 3940
3941unlock:
3942 mutex_unlock(&conn->chan_lock);
3943
3944 return err;
1da177e4
LT		 3945}
3946
47d1ec61 3947static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3948{
3949 /* FCS is enabled only in ERTM or streaming mode, if one or both
3950 * sides request it.
3951 */
0c1bc5c6 3952 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3953 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3954 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3955 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3956}
3957
29d8a590
AE		 3958static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3959 u8 ident, u16 flags)
3960{
3961 struct l2cap_conn *conn = chan->conn;
3962
3963 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3964 flags);
3965
3966 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3967 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3968
3969 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3970 l2cap_build_conf_rsp(chan, data,
3971 L2CAP_CONF_SUCCESS, flags), data);
3972}
3973
662d652d
JH		 3974static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3975 u16 scid, u16 dcid)
3976{
3977 struct l2cap_cmd_rej_cid rej;
3978
dcf4adbf 3979 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3980 rej.scid = __cpu_to_le16(scid);
3981 rej.dcid = __cpu_to_le16(dcid);
3982
3983 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3984}
3985
2d792818
GP		 3986static inline int l2cap_config_req(struct l2cap_conn *conn,
3987 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3988 u8 *data)
1da177e4
LT		 3989{
3990 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3991 u16 dcid, flags;
3992 u8 rsp[64];
48454079 3993 struct l2cap_chan *chan;
3c588192 3994 int len, err = 0;
1da177e4 3995
cb3b3152
JH		 3996 if (cmd_len < sizeof(*req))
3997 return -EPROTO;
3998
1da177e4
LT		 3999 dcid = __le16_to_cpu(req->dcid);
4000 flags = __le16_to_cpu(req->flags);
4001
4002 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4003
baa7e1fa 4004 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4005 if (!chan) {
4006 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4007 return 0;
4008 }
1da177e4 4009
033b1142 4010 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4011 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4012 chan->dcid);
354f60a9 4013 goto unlock;
df6bd743 4014 }
354f60a9 4015
5dee9e7c 4016 /* Reject if config buffer is too small. */
88219a0f 4017 len = cmd_len - sizeof(*req);
cb3b3152 4018 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4019 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4020 l2cap_build_conf_rsp(chan, rsp,
4021 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4022 goto unlock;
4023 }
4024
4025 /* Store config. */
73ffa904
GP		 4026 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4027 chan->conf_len += len;
1da177e4 4028
59e54bd1 4029 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4030 /* Incomplete config. Send empty response. */
4031 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4032 l2cap_build_conf_rsp(chan, rsp,
4033 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4034 goto unlock;
4035 }
4036
4037 /* Complete config. */
73ffa904 4038 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4039 if (len < 0) {
5e4e3972 4040 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4041 goto unlock;
f2fcfcd6 4042 }
1da177e4 4043
1500109b 4044 chan->ident = cmd->ident;
5dee9e7c 4045 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4046 chan->num_conf_rsp++;
5dee9e7c 4047
5dee9e7c 4048 /* Reset config buffer. */
73ffa904 4049 chan->conf_len = 0;
5dee9e7c 4050
c1360a1c 4051 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4052 goto unlock;
4053
c1360a1c 4054 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4055 set_default_fcs(chan);
fcc203c3 4056
105bdf9e
MM		 4057 if (chan->mode == L2CAP_MODE_ERTM ||
4058 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4059 err = l2cap_ertm_init(chan);
4060
4061 if (err < 0)
5e4e3972 4062 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4063 else
4064 l2cap_chan_ready(chan);
0565c1c2 4065
876d9484
MH		 4066 goto unlock;
4067 }
4068
c1360a1c 4069 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4070 u8 buf[64];
1da177e4 4071 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4072 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4073 chan->num_conf_req++;
1da177e4
LT		 4074 }
4075
0e8b207e
AE		 4076 /* Got Conf Rsp PENDING from remote side and asume we sent
4077 Conf Rsp PENDING in the code above */
4078 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4079 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4080
4081 /* check compatibility */
4082
79de886d 4083 /* Send rsp for BR/EDR channel */
f351bc72 4084 if (!chan->hs_hcon)
79de886d
AE		 4085 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4086 else
4087 chan->ident = cmd->ident;
0e8b207e
AE		 4088 }
4089
1da177e4 4090unlock:
6be36555 4091 l2cap_chan_unlock(chan);
3c588192 4092 return err;
1da177e4
LT		 4093}
4094
2d792818 4095static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4096 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4097 u8 *data)
1da177e4
LT		 4098{
4099 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4100 u16 scid, flags, result;
48454079 4101 struct l2cap_chan *chan;
cb3b3152 4102 int len = cmd_len - sizeof(*rsp);
3c588192 4103 int err = 0;
1da177e4 4104
cb3b3152
JH		 4105 if (cmd_len < sizeof(*rsp))
4106 return -EPROTO;
4107
1da177e4
LT		 4108 scid = __le16_to_cpu(rsp->scid);
4109 flags = __le16_to_cpu(rsp->flags);
4110 result = __le16_to_cpu(rsp->result);
4111
61386cba
AE		 4112 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4113 result, len);
1da177e4 4114
baa7e1fa 4115 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4116 if (!chan)
1da177e4
LT		 4117 return 0;
4118
4119 switch (result) {
4120 case L2CAP_CONF_SUCCESS:
47d1ec61 4121 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4122 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4123 break;
4124
0e8b207e
AE		 4125 case L2CAP_CONF_PENDING:
4126 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4127
4128 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4129 char buf[64];
4130
4131 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4132 buf, &result);
0e8b207e 4133 if (len < 0) {
5e4e3972 4134 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4135 goto done;
4136 }
4137
f351bc72 4138 if (!chan->hs_hcon) {
79de886d
AE		 4139 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4140 0);
5ce66b59
AE		 4141 } else {
4142 if (l2cap_check_efs(chan)) {
4143 amp_create_logical_link(chan);
4144 chan->ident = cmd->ident;
4145 }
4146 }
0e8b207e
AE		 4147 }
4148 goto done;
4149
1da177e4 4150 case L2CAP_CONF_UNACCEPT:
73ffa904 4151 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4152 char req[64];
4153
c2c77ec8 4154 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4155 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4156 goto done;
4157 }
4158
f2fcfcd6
GP		 4159 /* throw out any old stored conf requests */
4160 result = L2CAP_CONF_SUCCESS;
b4450035 4161 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4162 req, &result);
f2fcfcd6 4163 if (len < 0) {
5e4e3972 4164 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4165 goto done;
4166 }
4167
4168 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4169 L2CAP_CONF_REQ, len, req);
73ffa904 4170 chan->num_conf_req++;
f2fcfcd6
GP		 4171 if (result != L2CAP_CONF_SUCCESS)
4172 goto done;
4173 break;
1da177e4
LT		 4174 }
4175
8e87d142 4176 default:
6be36555 4177 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4178
ba13ccd9 4179 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4180 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4181 goto done;
4182 }
4183
59e54bd1 4184 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4185 goto done;
4186
c1360a1c 4187 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4188
c1360a1c 4189 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4190 set_default_fcs(chan);
fcc203c3 4191
105bdf9e
MM		 4192 if (chan->mode == L2CAP_MODE_ERTM ||
4193 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4194 err = l2cap_ertm_init(chan);
0565c1c2 4195
3c588192 4196 if (err < 0)
5e4e3972 4197 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4198 else
4199 l2cap_chan_ready(chan);
1da177e4
LT		 4200 }
4201
4202done:
6be36555 4203 l2cap_chan_unlock(chan);
3c588192 4204 return err;
1da177e4
LT		 4205}
4206
2d792818 4207static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4208 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4209 u8 *data)
1da177e4
LT		 4210{
4211 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4212 struct l2cap_disconn_rsp rsp;
4213 u16 dcid, scid;
48454079 4214 struct l2cap_chan *chan;
1da177e4 4215
cb3b3152
JH		 4216 if (cmd_len != sizeof(*req))
4217 return -EPROTO;
4218
1da177e4
LT		 4219 scid = __le16_to_cpu(req->scid);
4220 dcid = __le16_to_cpu(req->dcid);
4221
4222 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4223
3df91ea2
AE		 4224 mutex_lock(&conn->chan_lock);
4225
4226 chan = __l2cap_get_chan_by_scid(conn, dcid);
4227 if (!chan) {
4228 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4229 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4230 return 0;
3df91ea2 4231 }
1da177e4 4232
6be36555
AE		 4233 l2cap_chan_lock(chan);
4234
fe4128e0
GP		 4235 rsp.dcid = cpu_to_le16(chan->scid);
4236 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4237 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4238
5ec1bbe5 4239 chan->ops->set_shutdown(chan);
1da177e4 4240
61d6ef3e 4241 l2cap_chan_hold(chan);
48454079 4242 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4243
4244 l2cap_chan_unlock(chan);
1da177e4 4245
80b98027 4246 chan->ops->close(chan);
61d6ef3e 4247 l2cap_chan_put(chan);
3df91ea2
AE		 4248
4249 mutex_unlock(&conn->chan_lock);
4250
1da177e4
LT		 4251 return 0;
4252}
4253
2d792818 4254static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4255 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4256 u8 *data)
1da177e4
LT		 4257{
4258 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4259 u16 dcid, scid;
48454079 4260 struct l2cap_chan *chan;
1da177e4 4261
cb3b3152
JH		 4262 if (cmd_len != sizeof(*rsp))
4263 return -EPROTO;
4264
1da177e4
LT		 4265 scid = __le16_to_cpu(rsp->scid);
4266 dcid = __le16_to_cpu(rsp->dcid);
4267
4268 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4269
3df91ea2
AE		 4270 mutex_lock(&conn->chan_lock);
4271
4272 chan = __l2cap_get_chan_by_scid(conn, scid);
4273 if (!chan) {
4274 mutex_unlock(&conn->chan_lock);
1da177e4 4275 return 0;
3df91ea2 4276 }
1da177e4 4277
6be36555 4278 l2cap_chan_lock(chan);
48454079 4279
61d6ef3e 4280 l2cap_chan_hold(chan);
48454079 4281 l2cap_chan_del(chan, 0);
6be36555
AE		 4282
4283 l2cap_chan_unlock(chan);
1da177e4 4284
80b98027 4285 chan->ops->close(chan);
61d6ef3e 4286 l2cap_chan_put(chan);
3df91ea2
AE		 4287
4288 mutex_unlock(&conn->chan_lock);
4289
1da177e4
LT		 4290 return 0;
4291}
4292
2d792818 4293static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4294 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4295 u8 *data)
1da177e4
LT		 4296{
4297 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4298 u16 type;
4299
cb3b3152
JH		 4300 if (cmd_len != sizeof(*req))
4301 return -EPROTO;
4302
1da177e4
LT		 4303 type = __le16_to_cpu(req->type);
4304
4305 BT_DBG("type 0x%4.4x", type);
4306
f0709e03
MH		 4307 if (type == L2CAP_IT_FEAT_MASK) {
4308 u8 buf[8];
44dd46de 4309 u32 feat_mask = l2cap_feat_mask;
f0709e03 4310 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4311 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4312 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4313 if (!disable_ertm)
fcc203c3 4314 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4315 | L2CAP_FEAT_FCS;
848566b3 4316 if (conn->hs_enabled)
6327eb98 4317 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4318 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4319
1b7bf4ed 4320 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4321 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4322 buf);
e1027a7c
MH		 4323 } else if (type == L2CAP_IT_FIXED_CHAN) {
4324 u8 buf[12];
4325 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4326
848566b3 4327 if (conn->hs_enabled)
50a147cd
MM		 4328 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4329 else
4330 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4331
dcf4adbf
JP		 4332 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4333 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4334 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4335 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4336 buf);
f0709e03
MH		 4337 } else {
4338 struct l2cap_info_rsp rsp;
4339 rsp.type = cpu_to_le16(type);
dcf4adbf 4340 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4341 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4342 &rsp);
f0709e03 4343 }
1da177e4
LT		 4344
4345 return 0;
4346}
4347
2d792818 4348static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4349 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4350 u8 *data)
1da177e4
LT		 4351{
4352 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4353 u16 type, result;
4354
3f6fa3d4 4355 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4356 return -EPROTO;
4357
1da177e4
LT		 4358 type = __le16_to_cpu(rsp->type);
4359 result = __le16_to_cpu(rsp->result);
4360
4361 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4362
e90165be
AE		 4363 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4364 if (cmd->ident != conn->info_ident ||
2d792818 4365 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4366 return 0;
4367
17cd3f37 4368 cancel_delayed_work(&conn->info_timer);
4e8402a3 4369
adb08ede
VT		 4370 if (result != L2CAP_IR_SUCCESS) {
4371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4372 conn->info_ident = 0;
4373
4374 l2cap_conn_start(conn);
4375
4376 return 0;
4377 }
4378
978c93b9
AE		 4379 switch (type) {
4380 case L2CAP_IT_FEAT_MASK:
83985319 4381 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4382
47ec1dcd 4383 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4384 struct l2cap_info_req req;
dcf4adbf 4385 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4386
4387 conn->info_ident = l2cap_get_ident(conn);
4388
4389 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4390 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4391 } else {
4392 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4393 conn->info_ident = 0;
4394
4395 l2cap_conn_start(conn);
4396 }
978c93b9
AE		 4397 break;
4398
4399 case L2CAP_IT_FIXED_CHAN:
4400 conn->fixed_chan_mask = rsp->data[0];
984947dc 4401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4402 conn->info_ident = 0;
984947dc
MH		 4403
4404 l2cap_conn_start(conn);
978c93b9 4405 break;
984947dc 4406 }
4e8402a3 4407
1da177e4
LT		 4408 return 0;
4409}
4410
1700915f
MM		 4411static int l2cap_create_channel_req(struct l2cap_conn *conn,
4412 struct l2cap_cmd_hdr *cmd,
4413 u16 cmd_len, void *data)
f94ff6ff
MM		 4414{
4415 struct l2cap_create_chan_req *req = data;
6e1df6a6 4416 struct l2cap_create_chan_rsp rsp;
1700915f 4417 struct l2cap_chan *chan;
6e1df6a6 4418 struct hci_dev *hdev;
f94ff6ff
MM		 4419 u16 psm, scid;
4420
4421 if (cmd_len != sizeof(*req))
4422 return -EPROTO;
4423
848566b3 4424 if (!conn->hs_enabled)
f94ff6ff
MM		 4425 return -EINVAL;
4426
4427 psm = le16_to_cpu(req->psm);
4428 scid = le16_to_cpu(req->scid);
4429
ad0ac6ca 4430 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4431
6e1df6a6 4432 /* For controller id 0 make BR/EDR connection */
6ed971ca 4433 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4434 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4435 req->amp_id);
4436 return 0;
4437 }
1700915f 4438
6e1df6a6
AE		 4439 /* Validate AMP controller id */
4440 hdev = hci_dev_get(req->amp_id);
4441 if (!hdev)
4442 goto error;
1700915f 4443
6e1df6a6
AE		 4444 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4445 hci_dev_put(hdev);
4446 goto error;
4447 }
1700915f 4448
6e1df6a6
AE		 4449 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4450 req->amp_id);
4451 if (chan) {
4452 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4453 struct hci_conn *hs_hcon;
1700915f 4454
98e0f7ea
MH		 4455 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4456 &conn->hcon->dst);
6e1df6a6
AE		 4457 if (!hs_hcon) {
4458 hci_dev_put(hdev);
662d652d
JH		 4459 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4460 chan->dcid);
4461 return 0;
1700915f
MM		 4462 }
4463
6e1df6a6
AE		 4464 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4465
6e1df6a6
AE		 4466 mgr->bredr_chan = chan;
4467 chan->hs_hcon = hs_hcon;
fd45bf4c 4468 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4469 conn->mtu = hdev->block_mtu;
1700915f 4470 }
f94ff6ff 4471
6e1df6a6 4472 hci_dev_put(hdev);
f94ff6ff
MM		 4473
4474 return 0;
6e1df6a6
AE		 4475
4476error:
4477 rsp.dcid = 0;
4478 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4479 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4480 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4481
4482 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4483 sizeof(rsp), &rsp);
4484
dc280801 4485 return 0;
f94ff6ff
MM		 4486}
4487
8eb200bd
MM		 4488static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4489{
4490 struct l2cap_move_chan_req req;
4491 u8 ident;
4492
4493 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4494
4495 ident = l2cap_get_ident(chan->conn);
4496 chan->ident = ident;
4497
4498 req.icid = cpu_to_le16(chan->scid);
4499 req.dest_amp_id = dest_amp_id;
4500
4501 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4502 &req);
4503
4504 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4505}
4506
1500109b 4507static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4508{
4509 struct l2cap_move_chan_rsp rsp;
4510
1500109b 4511 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4512
1500109b 4513 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4514 rsp.result = cpu_to_le16(result);
4515
1500109b
MM		 4516 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4517 sizeof(rsp), &rsp);
8d5a04a1
MM		 4518}
4519
5b155ef9 4520static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4521{
4522 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4523
5b155ef9 4524 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4525
5b155ef9 4526 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4527
5b155ef9 4528 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4529 cfm.result = cpu_to_le16(result);
4530
5b155ef9
MM		 4531 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4532 sizeof(cfm), &cfm);
4533
4534 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4535}
4536
4537static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4538{
4539 struct l2cap_move_chan_cfm cfm;
4540
4541 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4542
4543 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4544 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4545
4546 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4547 sizeof(cfm), &cfm);
8d5a04a1
MM		 4548}
4549
4550static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4551 u16 icid)
8d5a04a1
MM		 4552{
4553 struct l2cap_move_chan_cfm_rsp rsp;
4554
ad0ac6ca 4555 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4556
4557 rsp.icid = cpu_to_le16(icid);
4558 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4559}
4560
5f3847a4
MM		 4561static void __release_logical_link(struct l2cap_chan *chan)
4562{
4563 chan->hs_hchan = NULL;
4564 chan->hs_hcon = NULL;
4565
4566 /* Placeholder - release the logical link */
4567}
4568
1500109b
MM		 4569static void l2cap_logical_fail(struct l2cap_chan *chan)
4570{
4571 /* Logical link setup failed */
4572 if (chan->state != BT_CONNECTED) {
4573 /* Create channel failure, disconnect */
5e4e3972 4574 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4575 return;
4576 }
4577
4578 switch (chan->move_role) {
4579 case L2CAP_MOVE_ROLE_RESPONDER:
4580 l2cap_move_done(chan);
4581 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4582 break;
4583 case L2CAP_MOVE_ROLE_INITIATOR:
4584 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4585 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4586 /* Remote has only sent pending or
4587 * success responses, clean up
4588 */
4589 l2cap_move_done(chan);
4590 }
4591
4592 /* Other amp move states imply that the move
4593 * has already aborted
4594 */
4595 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4596 break;
4597 }
4598}
4599
4600static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4601 struct hci_chan *hchan)
4602{
4603 struct l2cap_conf_rsp rsp;
1500109b 4604
336178a3 4605 chan->hs_hchan = hchan;
1500109b
MM		 4606 chan->hs_hcon->l2cap_data = chan->conn;
4607
35ba9561 4608 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4609
4610 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4611 int err;
1500109b
MM		 4612
4613 set_default_fcs(chan);
4614
4615 err = l2cap_ertm_init(chan);
4616 if (err < 0)
5e4e3972 4617 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4618 else
4619 l2cap_chan_ready(chan);
4620 }
4621}
4622
4623static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4624 struct hci_chan *hchan)
4625{
4626 chan->hs_hcon = hchan->conn;
4627 chan->hs_hcon->l2cap_data = chan->conn;
4628
4629 BT_DBG("move_state %d", chan->move_state);
4630
4631 switch (chan->move_state) {
4632 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4633 /* Move confirm will be sent after a success
4634 * response is received
4635 */
4636 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4637 break;
4638 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4639 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4640 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4641 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4642 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4643 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4644 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4645 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4646 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4647 }
4648 break;
4649 default:
4650 /* Move was not in expected state, free the channel */
4651 __release_logical_link(chan);
4652
4653 chan->move_state = L2CAP_MOVE_STABLE;
4654 }
4655}
4656
4657/* Call with chan locked */
27695fb4
AE		 4658void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4659 u8 status)
5b155ef9 4660{
1500109b
MM		 4661 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4662
4663 if (status) {
4664 l2cap_logical_fail(chan);
4665 __release_logical_link(chan);
4666 return;
4667 }
4668
4669 if (chan->state != BT_CONNECTED) {
4670 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4671 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4672 l2cap_logical_finish_create(chan, hchan);
4673 } else {
4674 l2cap_logical_finish_move(chan, hchan);
4675 }
5b155ef9
MM		 4676}
4677
3f7a56c4
MM		 4678void l2cap_move_start(struct l2cap_chan *chan)
4679{
4680 BT_DBG("chan %p", chan);
4681
6ed971ca 4682 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4683 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4684 return;
4685 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4686 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4687 /* Placeholder - start physical link setup */
4688 } else {
4689 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4690 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4691 chan->move_id = 0;
4692 l2cap_move_setup(chan);
4693 l2cap_send_move_chan_req(chan, 0);
4694 }
4695}
4696
8eb200bd
MM		 4697static void l2cap_do_create(struct l2cap_chan *chan, int result,
4698 u8 local_amp_id, u8 remote_amp_id)
4699{
62748ca1
AE		 4700 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4701 local_amp_id, remote_amp_id);
4702
12d6cc60
AE		 4703 chan->fcs = L2CAP_FCS_NONE;
4704
62748ca1
AE		 4705 /* Outgoing channel on AMP */
4706 if (chan->state == BT_CONNECT) {
4707 if (result == L2CAP_CR_SUCCESS) {
4708 chan->local_amp_id = local_amp_id;
4709 l2cap_send_create_chan_req(chan, remote_amp_id);
4710 } else {
4711 /* Revert to BR/EDR connect */
4712 l2cap_send_conn_req(chan);
4713 }
4714
4715 return;
4716 }
4717
4718 /* Incoming channel on AMP */
4719 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4720 struct l2cap_conn_rsp rsp;
4721 char buf[128];
4722 rsp.scid = cpu_to_le16(chan->dcid);
4723 rsp.dcid = cpu_to_le16(chan->scid);
4724
8eb200bd
MM		 4725 if (result == L2CAP_CR_SUCCESS) {
4726 /* Send successful response */
dcf4adbf
JP		 4727 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4728 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4729 } else {
4730 /* Send negative response */
dcf4adbf
JP		 4731 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4732 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4733 }
4734
4735 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4736 sizeof(rsp), &rsp);
4737
4738 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4739 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4740 set_bit(CONF_REQ_SENT, &chan->conf_state);
4741 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4742 L2CAP_CONF_REQ,
4743 l2cap_build_conf_req(chan, buf), buf);
4744 chan->num_conf_req++;
4745 }
8eb200bd
MM		 4746 }
4747}
4748
4749static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4750 u8 remote_amp_id)
4751{
4752 l2cap_move_setup(chan);
4753 chan->move_id = local_amp_id;
4754 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4755
4756 l2cap_send_move_chan_req(chan, remote_amp_id);
4757}
4758
4759static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4760{
4761 struct hci_chan *hchan = NULL;
4762
4763 /* Placeholder - get hci_chan for logical link */
4764
4765 if (hchan) {
4766 if (hchan->state == BT_CONNECTED) {
4767 /* Logical link is ready to go */
4768 chan->hs_hcon = hchan->conn;
4769 chan->hs_hcon->l2cap_data = chan->conn;
4770 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4771 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4772
4773 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4774 } else {
4775 /* Wait for logical link to be ready */
4776 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4777 }
4778 } else {
4779 /* Logical link not available */
4780 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4781 }
4782}
4783
4784static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4785{
4786 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4787 u8 rsp_result;
4788 if (result == -EINVAL)
4789 rsp_result = L2CAP_MR_BAD_ID;
4790 else
4791 rsp_result = L2CAP_MR_NOT_ALLOWED;
4792
4793 l2cap_send_move_chan_rsp(chan, rsp_result);
4794 }
4795
4796 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4797 chan->move_state = L2CAP_MOVE_STABLE;
4798
4799 /* Restart data transmission */
4800 l2cap_ertm_send(chan);
4801}
4802
a514b17f
AE		 4803/* Invoke with locked chan */
4804void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4805{
770bfefa 4806 u8 local_amp_id = chan->local_amp_id;
fffadc08 4807 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4808
8eb200bd
MM		 4809 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4810 chan, result, local_amp_id, remote_amp_id);
4811
8eb200bd
MM		 4812 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4813 l2cap_chan_unlock(chan);
4814 return;
4815 }
4816
4817 if (chan->state != BT_CONNECTED) {
4818 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4819 } else if (result != L2CAP_MR_SUCCESS) {
4820 l2cap_do_move_cancel(chan, result);
4821 } else {
4822 switch (chan->move_role) {
4823 case L2CAP_MOVE_ROLE_INITIATOR:
4824 l2cap_do_move_initiate(chan, local_amp_id,
4825 remote_amp_id);
4826 break;
4827 case L2CAP_MOVE_ROLE_RESPONDER:
4828 l2cap_do_move_respond(chan, result);
4829 break;
4830 default:
4831 l2cap_do_move_cancel(chan, result);
4832 break;
4833 }
4834 }
8eb200bd
MM		 4835}
4836
8d5a04a1 4837static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4838 struct l2cap_cmd_hdr *cmd,
4839 u16 cmd_len, void *data)
8d5a04a1
MM		 4840{
4841 struct l2cap_move_chan_req *req = data;
1500109b 4842 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4843 struct l2cap_chan *chan;
8d5a04a1
MM		 4844 u16 icid = 0;
4845 u16 result = L2CAP_MR_NOT_ALLOWED;
4846
4847 if (cmd_len != sizeof(*req))
4848 return -EPROTO;
4849
4850 icid = le16_to_cpu(req->icid);
4851
ad0ac6ca 4852 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4853
848566b3 4854 if (!conn->hs_enabled)
8d5a04a1
MM		 4855 return -EINVAL;
4856
02b0fbb9
MM		 4857 chan = l2cap_get_chan_by_dcid(conn, icid);
4858 if (!chan) {
1500109b 4859 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4860 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4861 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4862 sizeof(rsp), &rsp);
02b0fbb9
MM		 4863 return 0;
4864 }
4865
1500109b
MM		 4866 chan->ident = cmd->ident;
4867
02b0fbb9
MM		 4868 if (chan->scid < L2CAP_CID_DYN_START ||
4869 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4870 (chan->mode != L2CAP_MODE_ERTM &&
4871 chan->mode != L2CAP_MODE_STREAMING)) {
4872 result = L2CAP_MR_NOT_ALLOWED;
4873 goto send_move_response;
4874 }
4875
4876 if (chan->local_amp_id == req->dest_amp_id) {
4877 result = L2CAP_MR_SAME_ID;
4878 goto send_move_response;
4879 }
4880
6ed971ca 4881 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4882 struct hci_dev *hdev;
4883 hdev = hci_dev_get(req->dest_amp_id);
4884 if (!hdev || hdev->dev_type != HCI_AMP ||
4885 !test_bit(HCI_UP, &hdev->flags)) {
4886 if (hdev)
4887 hci_dev_put(hdev);
4888
4889 result = L2CAP_MR_BAD_ID;
4890 goto send_move_response;
4891 }
4892 hci_dev_put(hdev);
4893 }
4894
4895 /* Detect a move collision. Only send a collision response
4896 * if this side has "lost", otherwise proceed with the move.
4897 * The winner has the larger bd_addr.
4898 */
4899 if ((__chan_is_moving(chan) ||
4900 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4901 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4902 result = L2CAP_MR_COLLISION;
4903 goto send_move_response;
4904 }
4905
02b0fbb9
MM		 4906 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4907 l2cap_move_setup(chan);
4908 chan->move_id = req->dest_amp_id;
4909 icid = chan->dcid;
4910
6ed971ca 4911 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4912 /* Moving to BR/EDR */
4913 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4914 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4915 result = L2CAP_MR_PEND;
4916 } else {
4917 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4918 result = L2CAP_MR_SUCCESS;
4919 }
4920 } else {
4921 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4922 /* Placeholder - uncomment when amp functions are available */
4923 /*amp_accept_physical(chan, req->dest_amp_id);*/
4924 result = L2CAP_MR_PEND;
4925 }
4926
4927send_move_response:
1500109b 4928 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4929
02b0fbb9
MM		 4930 l2cap_chan_unlock(chan);
4931
8d5a04a1
MM		 4932 return 0;
4933}
4934
5b155ef9
MM		 4935static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4936{
4937 struct l2cap_chan *chan;
4938 struct hci_chan *hchan = NULL;
4939
4940 chan = l2cap_get_chan_by_scid(conn, icid);
4941 if (!chan) {
4942 l2cap_send_move_chan_cfm_icid(conn, icid);
4943 return;
4944 }
4945
4946 __clear_chan_timer(chan);
4947 if (result == L2CAP_MR_PEND)
4948 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4949
4950 switch (chan->move_state) {
4951 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4952 /* Move confirm will be sent when logical link
4953 * is complete.
4954 */
4955 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4956 break;
4957 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4958 if (result == L2CAP_MR_PEND) {
4959 break;
4960 } else if (test_bit(CONN_LOCAL_BUSY,
4961 &chan->conn_state)) {
4962 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4963 } else {
4964 /* Logical link is up or moving to BR/EDR,
4965 * proceed with move
4966 */
4967 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4968 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4969 }
4970 break;
4971 case L2CAP_MOVE_WAIT_RSP:
4972 /* Moving to AMP */
4973 if (result == L2CAP_MR_SUCCESS) {
4974 /* Remote is ready, send confirm immediately
4975 * after logical link is ready
4976 */
4977 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4978 } else {
4979 /* Both logical link and move success
4980 * are required to confirm
4981 */
4982 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4983 }
4984
4985 /* Placeholder - get hci_chan for logical link */
4986 if (!hchan) {
4987 /* Logical link not available */
4988 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4989 break;
4990 }
4991
4992 /* If the logical link is not yet connected, do not
4993 * send confirmation.
4994 */
4995 if (hchan->state != BT_CONNECTED)
4996 break;
4997
4998 /* Logical link is already ready to go */
4999
5000 chan->hs_hcon = hchan->conn;
5001 chan->hs_hcon->l2cap_data = chan->conn;
5002
5003 if (result == L2CAP_MR_SUCCESS) {
5004 /* Can confirm now */
5005 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5006 } else {
5007 /* Now only need move success
5008 * to confirm
5009 */
5010 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5011 }
5012
5013 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5014 break;
5015 default:
5016 /* Any other amp move state means the move failed. */
5017 chan->move_id = chan->local_amp_id;
5018 l2cap_move_done(chan);
5019 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5020 }
5021
5022 l2cap_chan_unlock(chan);
5023}
5024
5025static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5026 u16 result)
5027{
5028 struct l2cap_chan *chan;
5029
5030 chan = l2cap_get_chan_by_ident(conn, ident);
5031 if (!chan) {
5032 /* Could not locate channel, icid is best guess */
5033 l2cap_send_move_chan_cfm_icid(conn, icid);
5034 return;
5035 }
5036
5037 __clear_chan_timer(chan);
5038
5039 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5040 if (result == L2CAP_MR_COLLISION) {
5041 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5042 } else {
5043 /* Cleanup - cancel move */
5044 chan->move_id = chan->local_amp_id;
5045 l2cap_move_done(chan);
5046 }
5047 }
5048
5049 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5050
5051 l2cap_chan_unlock(chan);
5052}
5053
5054static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5055 struct l2cap_cmd_hdr *cmd,
5056 u16 cmd_len, void *data)
8d5a04a1
MM		 5057{
5058 struct l2cap_move_chan_rsp *rsp = data;
5059 u16 icid, result;
5060
5061 if (cmd_len != sizeof(*rsp))
5062 return -EPROTO;
5063
5064 icid = le16_to_cpu(rsp->icid);
5065 result = le16_to_cpu(rsp->result);
5066
ad0ac6ca 5067 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5068
5b155ef9
MM		 5069 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5070 l2cap_move_continue(conn, icid, result);
5071 else
5072 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5073
5074 return 0;
5075}
5076
5f3847a4
MM		 5077static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5078 struct l2cap_cmd_hdr *cmd,
5079 u16 cmd_len, void *data)
8d5a04a1
MM		 5080{
5081 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5082 struct l2cap_chan *chan;
8d5a04a1
MM		 5083 u16 icid, result;
5084
5085 if (cmd_len != sizeof(*cfm))
5086 return -EPROTO;
5087
5088 icid = le16_to_cpu(cfm->icid);
5089 result = le16_to_cpu(cfm->result);
5090
ad0ac6ca 5091 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5092
5f3847a4
MM		 5093 chan = l2cap_get_chan_by_dcid(conn, icid);
5094 if (!chan) {
5095 /* Spec requires a response even if the icid was not found */
5096 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5097 return 0;
5098 }
5099
5100 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5101 if (result == L2CAP_MC_CONFIRMED) {
5102 chan->local_amp_id = chan->move_id;
6ed971ca 5103 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5104 __release_logical_link(chan);
5105 } else {
5106 chan->move_id = chan->local_amp_id;
5107 }
5108
5109 l2cap_move_done(chan);
5110 }
5111
8d5a04a1
MM		 5112 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5113
5f3847a4
MM		 5114 l2cap_chan_unlock(chan);
5115
8d5a04a1
MM		 5116 return 0;
5117}
5118
5119static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5120 struct l2cap_cmd_hdr *cmd,
5121 u16 cmd_len, void *data)
8d5a04a1
MM		 5122{
5123 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5124 struct l2cap_chan *chan;
8d5a04a1
MM		 5125 u16 icid;
5126
5127 if (cmd_len != sizeof(*rsp))
5128 return -EPROTO;
5129
5130 icid = le16_to_cpu(rsp->icid);
5131
ad0ac6ca 5132 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5133
3fd71a0a
MM		 5134 chan = l2cap_get_chan_by_scid(conn, icid);
5135 if (!chan)
5136 return 0;
5137
5138 __clear_chan_timer(chan);
5139
5140 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5141 chan->local_amp_id = chan->move_id;
5142
6ed971ca 5143 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5144 __release_logical_link(chan);
5145
5146 l2cap_move_done(chan);
5147 }
5148
5149 l2cap_chan_unlock(chan);
5150
8d5a04a1
MM		 5151 return 0;
5152}
5153
de73115a 5154static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5155 struct l2cap_cmd_hdr *cmd,
203e639e 5156 u16 cmd_len, u8 *data)
de73115a
CT		 5157{
5158 struct hci_conn *hcon = conn->hcon;
5159 struct l2cap_conn_param_update_req *req;
5160 struct l2cap_conn_param_update_rsp rsp;
203e639e 5161 u16 min, max, latency, to_multiplier;
2ce603eb 5162 int err;
de73115a 5163
40bef302 5164 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5165 return -EINVAL;
5166
de73115a
CT		 5167 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5168 return -EPROTO;
5169
5170 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5171 min = __le16_to_cpu(req->min);
5172 max = __le16_to_cpu(req->max);
de73115a
CT		 5173 latency = __le16_to_cpu(req->latency);
5174 to_multiplier = __le16_to_cpu(req->to_multiplier);
5175
5176 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5177 min, max, latency, to_multiplier);
de73115a
CT		 5178
5179 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5180
d4905f24 5181 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5182 if (err)
dcf4adbf 5183 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5184 else
dcf4adbf 5185 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5186
5187 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5188 sizeof(rsp), &rsp);
de73115a 5189
ffb5a827 5190 if (!err) {
f4869e2a
JH		 5191 u8 store_hint;
5192
5193 store_hint = hci_le_conn_update(hcon, min, max, latency,
5194 to_multiplier);
ffb5a827 5195 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5196 store_hint, min, max, latency,
5197 to_multiplier);
ffb5a827 5198
ffb5a827 5199 }
2ce603eb 5200
de73115a
CT		 5201 return 0;
5202}
5203
f1496dee
JH		 5204static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5205 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5206 u8 *data)
5207{
5208 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5209 u16 dcid, mtu, mps, credits, result;
5210 struct l2cap_chan *chan;
5211 int err;
5212
5213 if (cmd_len < sizeof(*rsp))
5214 return -EPROTO;
5215
5216 dcid = __le16_to_cpu(rsp->dcid);
5217 mtu = __le16_to_cpu(rsp->mtu);
5218 mps = __le16_to_cpu(rsp->mps);
5219 credits = __le16_to_cpu(rsp->credits);
5220 result = __le16_to_cpu(rsp->result);
5221
5222 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5223 return -EPROTO;
5224
5225 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5226 dcid, mtu, mps, credits, result);
5227
5228 mutex_lock(&conn->chan_lock);
5229
5230 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5231 if (!chan) {
5232 err = -EBADSLT;
5233 goto unlock;
5234 }
5235
5236 err = 0;
5237
5238 l2cap_chan_lock(chan);
5239
5240 switch (result) {
5241 case L2CAP_CR_SUCCESS:
5242 chan->ident = 0;
5243 chan->dcid = dcid;
5244 chan->omtu = mtu;
5245 chan->remote_mps = mps;
0cd75f7e 5246 chan->tx_credits = credits;
f1496dee
JH		 5247 l2cap_chan_ready(chan);
5248 break;
5249
5250 default:
5251 l2cap_chan_del(chan, ECONNREFUSED);
5252 break;
5253 }
5254
5255 l2cap_chan_unlock(chan);
5256
5257unlock:
5258 mutex_unlock(&conn->chan_lock);
5259
5260 return err;
5261}
5262
3300d9a9 5263static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5264 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5265 u8 *data)
3300d9a9
CT		 5266{
5267 int err = 0;
5268
5269 switch (cmd->code) {
5270 case L2CAP_COMMAND_REJ:
cb3b3152 5271 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5272 break;
5273
5274 case L2CAP_CONN_REQ:
cb3b3152 5275 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5276 break;
5277
5278 case L2CAP_CONN_RSP:
f5a2598d 5279 case L2CAP_CREATE_CHAN_RSP:
9245e737 5280 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5281 break;
5282
5283 case L2CAP_CONF_REQ:
5284 err = l2cap_config_req(conn, cmd, cmd_len, data);
5285 break;
5286
5287 case L2CAP_CONF_RSP:
9245e737 5288 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5289 break;
5290
5291 case L2CAP_DISCONN_REQ:
cb3b3152 5292 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5293 break;
5294
5295 case L2CAP_DISCONN_RSP:
9245e737 5296 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5297 break;
5298
5299 case L2CAP_ECHO_REQ:
5300 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5301 break;
5302
5303 case L2CAP_ECHO_RSP:
5304 break;
5305
5306 case L2CAP_INFO_REQ:
cb3b3152 5307 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5308 break;
5309
5310 case L2CAP_INFO_RSP:
9245e737 5311 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5312 break;
5313
f94ff6ff
MM		 5314 case L2CAP_CREATE_CHAN_REQ:
5315 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5316 break;
5317
8d5a04a1
MM		 5318 case L2CAP_MOVE_CHAN_REQ:
5319 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5320 break;
5321
5322 case L2CAP_MOVE_CHAN_RSP:
9245e737 5323 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5324 break;
5325
5326 case L2CAP_MOVE_CHAN_CFM:
5327 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5328 break;
5329
5330 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5331 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5332 break;
5333
3300d9a9
CT		 5334 default:
5335 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5336 err = -EINVAL;
5337 break;
5338 }
5339
5340 return err;
5341}
5342
27e2d4c8
JH		 5343static int l2cap_le_connect_req(struct l2cap_conn *conn,
5344 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5345 u8 *data)
5346{
5347 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5348 struct l2cap_le_conn_rsp rsp;
5349 struct l2cap_chan *chan, *pchan;
0cd75f7e 5350 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5351 __le16 psm;
5352 u8 result;
5353
5354 if (cmd_len != sizeof(*req))
5355 return -EPROTO;
5356
5357 scid = __le16_to_cpu(req->scid);
5358 mtu = __le16_to_cpu(req->mtu);
5359 mps = __le16_to_cpu(req->mps);
5360 psm = req->psm;
5361 dcid = 0;
0cd75f7e 5362 credits = 0;
27e2d4c8
JH		 5363
5364 if (mtu < 23 || mps < 23)
5365 return -EPROTO;
5366
5367 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5368 scid, mtu, mps);
5369
5370 /* Check if we have socket listening on psm */
5371 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5372 &conn->hcon->dst, LE_LINK);
5373 if (!pchan) {
5374 result = L2CAP_CR_BAD_PSM;
5375 chan = NULL;
5376 goto response;
5377 }
5378
5379 mutex_lock(&conn->chan_lock);
5380 l2cap_chan_lock(pchan);
5381
5382 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5383 result = L2CAP_CR_AUTHENTICATION;
5384 chan = NULL;
5385 goto response_unlock;
5386 }
5387
5388 /* Check if we already have channel with that dcid */
5389 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5390 result = L2CAP_CR_NO_MEM;
5391 chan = NULL;
5392 goto response_unlock;
5393 }
5394
5395 chan = pchan->ops->new_connection(pchan);
5396 if (!chan) {
5397 result = L2CAP_CR_NO_MEM;
5398 goto response_unlock;
5399 }
5400
0ce43ce6
JH		 5401 l2cap_le_flowctl_init(chan);
5402
27e2d4c8
JH		 5403 bacpy(&chan->src, &conn->hcon->src);
5404 bacpy(&chan->dst, &conn->hcon->dst);
5405 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5406 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5407 chan->psm = psm;
5408 chan->dcid = scid;
5409 chan->omtu = mtu;
5410 chan->remote_mps = mps;
0cd75f7e 5411 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5412
5413 __l2cap_chan_add(conn, chan);
5414 dcid = chan->scid;
0cd75f7e 5415 credits = chan->rx_credits;
27e2d4c8
JH		 5416
5417 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5418
5419 chan->ident = cmd->ident;
5420
5421 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5422 l2cap_state_change(chan, BT_CONNECT2);
5423 result = L2CAP_CR_PEND;
5424 chan->ops->defer(chan);
5425 } else {
5426 l2cap_chan_ready(chan);
5427 result = L2CAP_CR_SUCCESS;
5428 }
5429
5430response_unlock:
5431 l2cap_chan_unlock(pchan);
5432 mutex_unlock(&conn->chan_lock);
a24cce14 5433 l2cap_chan_put(pchan);
27e2d4c8
JH		 5434
5435 if (result == L2CAP_CR_PEND)
5436 return 0;
5437
5438response:
5439 if (chan) {
5440 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5441 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5442 } else {
5443 rsp.mtu = 0;
5444 rsp.mps = 0;
5445 }
5446
5447 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5448 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5449 rsp.result = cpu_to_le16(result);
5450
5451 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5452
5453 return 0;
5454}
5455
fad5fc89
JH		 5456static inline int l2cap_le_credits(struct l2cap_conn *conn,
5457 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5458 u8 *data)
5459{
5460 struct l2cap_le_credits *pkt;
5461 struct l2cap_chan *chan;
0f1bfe4e 5462 u16 cid, credits, max_credits;
fad5fc89
JH		 5463
5464 if (cmd_len != sizeof(*pkt))
5465 return -EPROTO;
5466
5467 pkt = (struct l2cap_le_credits *) data;
5468 cid = __le16_to_cpu(pkt->cid);
5469 credits = __le16_to_cpu(pkt->credits);
5470
5471 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5472
5473 chan = l2cap_get_chan_by_dcid(conn, cid);
5474 if (!chan)
5475 return -EBADSLT;
5476
0f1bfe4e
JH		 5477 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5478 if (credits > max_credits) {
5479 BT_ERR("LE credits overflow");
5480 l2cap_send_disconn_req(chan, ECONNRESET);
5481
5482 /* Return 0 so that we don't trigger an unnecessary
5483 * command reject packet.
5484 */
5485 return 0;
5486 }
5487
fad5fc89
JH		 5488 chan->tx_credits += credits;
5489
5490 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5491 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5492 chan->tx_credits--;
5493 }
5494
5495 if (chan->tx_credits)
5496 chan->ops->resume(chan);
5497
5498 l2cap_chan_unlock(chan);
5499
5500 return 0;
5501}
5502
71fb4197
JH		 5503static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5504 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5505 u8 *data)
5506{
5507 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5508 struct l2cap_chan *chan;
5509
5510 if (cmd_len < sizeof(*rej))
5511 return -EPROTO;
5512
5513 mutex_lock(&conn->chan_lock);
5514
5515 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5516 if (!chan)
5517 goto done;
5518
5519 l2cap_chan_lock(chan);
5520 l2cap_chan_del(chan, ECONNREFUSED);
5521 l2cap_chan_unlock(chan);
5522
5523done:
5524 mutex_unlock(&conn->chan_lock);
5525 return 0;
5526}
5527
3300d9a9 5528static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5529 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5530 u8 *data)
3300d9a9 5531{
b5ecba64
JH		 5532 int err = 0;
5533
3300d9a9
CT		 5534 switch (cmd->code) {
5535 case L2CAP_COMMAND_REJ:
71fb4197 5536 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5537 break;
3300d9a9
CT		 5538
5539 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5540 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5541 break;
3300d9a9
CT		 5542
5543 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5544 break;
3300d9a9 5545
f1496dee
JH		 5546 case L2CAP_LE_CONN_RSP:
5547 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5548 break;
f1496dee 5549
27e2d4c8 5550 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5551 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5552 break;
27e2d4c8 5553
fad5fc89
JH		 5554 case L2CAP_LE_CREDITS:
5555 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5556 break;
5557
3defe01a 5558 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5559 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5560 break;
3defe01a
JH		 5561
5562 case L2CAP_DISCONN_RSP:
5563 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5564 break;
3defe01a 5565
3300d9a9
CT		 5566 default:
5567 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5568 err = -EINVAL;
5569 break;
3300d9a9 5570 }
b5ecba64
JH		 5571
5572 return err;
3300d9a9
CT		 5573}
5574
c5623556
JH		 5575static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5576 struct sk_buff *skb)
5577{
69c4e4e8 5578 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5579 struct l2cap_cmd_hdr *cmd;
5580 u16 len;
c5623556
JH		 5581 int err;
5582
69c4e4e8 5583 if (hcon->type != LE_LINK)
3b166295 5584 goto drop;
69c4e4e8 5585
4f3e219d
MH		 5586 if (skb->len < L2CAP_CMD_HDR_SIZE)
5587 goto drop;
c5623556 5588
4f3e219d
MH		 5589 cmd = (void *) skb->data;
5590 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5591
4f3e219d 5592 len = le16_to_cpu(cmd->len);
c5623556 5593
4f3e219d 5594 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5595
4f3e219d
MH		 5596 if (len != skb->len || !cmd->ident) {
5597 BT_DBG("corrupted command");
5598 goto drop;
5599 }
c5623556 5600
203e639e 5601 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5602 if (err) {
5603 struct l2cap_cmd_rej_unk rej;
c5623556 5604
4f3e219d 5605 BT_ERR("Wrong link type (%d)", err);
c5623556 5606
dcf4adbf 5607 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5608 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5609 sizeof(rej), &rej);
c5623556
JH		 5610 }
5611
3b166295 5612drop:
c5623556
JH		 5613 kfree_skb(skb);
5614}
5615
3300d9a9 5616static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5617 struct sk_buff *skb)
1da177e4 5618{
69c4e4e8 5619 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5620 u8 *data = skb->data;
5621 int len = skb->len;
5622 struct l2cap_cmd_hdr cmd;
3300d9a9 5623 int err;
1da177e4
LT		 5624
5625 l2cap_raw_recv(conn, skb);
5626
69c4e4e8 5627 if (hcon->type != ACL_LINK)
3b166295 5628 goto drop;
69c4e4e8 5629
1da177e4 5630 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5631 u16 cmd_len;
1da177e4
LT		 5632 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5633 data += L2CAP_CMD_HDR_SIZE;
5634 len -= L2CAP_CMD_HDR_SIZE;
5635
88219a0f 5636 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5637
2d792818
GP		 5638 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5639 cmd.ident);
1da177e4 5640
88219a0f 5641 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5642 BT_DBG("corrupted command");
5643 break;
5644 }
5645
c5623556 5646 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5647 if (err) {
e2fd318e 5648 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5649
5650 BT_ERR("Wrong link type (%d)", err);
1da177e4 5651
dcf4adbf 5652 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5653 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5654 sizeof(rej), &rej);
1da177e4
LT		 5655 }
5656
88219a0f
AV		 5657 data += cmd_len;
5658 len -= cmd_len;
1da177e4
LT		 5659 }
5660
3b166295 5661drop:
1da177e4
LT		 5662 kfree_skb(skb);
5663}
5664
47d1ec61 5665static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5666{
5667 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5668 int hdr_size;
5669
5670 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5671 hdr_size = L2CAP_EXT_HDR_SIZE;
5672 else
5673 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5674
47d1ec61 5675 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5676 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5677 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5678 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5679
5680 if (our_fcs != rcv_fcs)
7a560e5c 5681 return -EBADMSG;
fcc203c3
GP		 5682 }
5683 return 0;
5684}
5685
6ea00485 5686static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5687{
e31f7633 5688 struct l2cap_ctrl control;
d5392c8f 5689
e31f7633 5690 BT_DBG("chan %p", chan);
d5392c8f 5691
e31f7633
MM		 5692 memset(&control, 0, sizeof(control));
5693 control.sframe = 1;
5694 control.final = 1;
5695 control.reqseq = chan->buffer_seq;
5696 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5697
e2ab4353 5698 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5699 control.super = L2CAP_SUPER_RNR;
5700 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5701 }
5702
e31f7633
MM		 5703 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5704 chan->unacked_frames > 0)
5705 __set_retrans_timer(chan);
d5392c8f 5706
e31f7633 5707 /* Send pending iframes */
525cd185 5708 l2cap_ertm_send(chan);
d5392c8f 5709
e2ab4353 5710 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5711 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5712 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5713 * send it now.
5714 */
5715 control.super = L2CAP_SUPER_RR;
5716 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5717 }
5718}
5719
2d792818
GP		 5720static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5721 struct sk_buff **last_frag)
18778a63 5722{
84084a31
MM		 5723 /* skb->len reflects data in skb as well as all fragments
5724 * skb->data_len reflects only data in fragments
5725 */
5726 if (!skb_has_frag_list(skb))
5727 skb_shinfo(skb)->frag_list = new_frag;
5728
5729 new_frag->next = NULL;
5730
5731 (*last_frag)->next = new_frag;
5732 *last_frag = new_frag;
5733
5734 skb->len += new_frag->len;
5735 skb->data_len += new_frag->len;
5736 skb->truesize += new_frag->truesize;
5737}
5738
4b51dae9
MM		 5739static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5740 struct l2cap_ctrl *control)
84084a31
MM		 5741{
5742 int err = -EINVAL;
18778a63 5743
4b51dae9 5744 switch (control->sar) {
7e0ef6ee 5745 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5746 if (chan->sdu)
5747 break;
18778a63 5748
80b98027 5749 err = chan->ops->recv(chan, skb);
84084a31 5750 break;
18778a63 5751
7e0ef6ee 5752 case L2CAP_SAR_START:
84084a31
MM		 5753 if (chan->sdu)
5754 break;
18778a63 5755
6f61fd47 5756 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5757 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5758
84084a31
MM		 5759 if (chan->sdu_len > chan->imtu) {
5760 err = -EMSGSIZE;
5761 break;
5762 }
1890d36b 5763
84084a31
MM		 5764 if (skb->len >= chan->sdu_len)
5765 break;
18778a63 5766
84084a31
MM		 5767 chan->sdu = skb;
5768 chan->sdu_last_frag = skb;
18778a63 5769
84084a31
MM		 5770 skb = NULL;
5771 err = 0;
18778a63
GP		 5772 break;
5773
7e0ef6ee 5774 case L2CAP_SAR_CONTINUE:
6f61fd47 5775 if (!chan->sdu)
84084a31 5776 break;
18778a63 5777
84084a31
MM		 5778 append_skb_frag(chan->sdu, skb,
5779 &chan->sdu_last_frag);
5780 skb = NULL;
18778a63 5781
84084a31
MM		 5782 if (chan->sdu->len >= chan->sdu_len)
5783 break;
4178ba46 5784
84084a31 5785 err = 0;
18778a63
GP		 5786 break;
5787
7e0ef6ee 5788 case L2CAP_SAR_END:
6f61fd47 5789 if (!chan->sdu)
84084a31 5790 break;
18778a63 5791
84084a31
MM		 5792 append_skb_frag(chan->sdu, skb,
5793 &chan->sdu_last_frag);
5794 skb = NULL;
4178ba46 5795
84084a31
MM		 5796 if (chan->sdu->len != chan->sdu_len)
5797 break;
18778a63 5798
80b98027 5799 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5800
84084a31
MM		 5801 if (!err) {
5802 /* Reassembly complete */
5803 chan->sdu = NULL;
5804 chan->sdu_last_frag = NULL;
5805 chan->sdu_len = 0;
1890d36b 5806 }
18778a63
GP		 5807 break;
5808 }
5809
84084a31
MM		 5810 if (err) {
5811 kfree_skb(skb);
5812 kfree_skb(chan->sdu);
5813 chan->sdu = NULL;
5814 chan->sdu_last_frag = NULL;
5815 chan->sdu_len = 0;
5816 }
18778a63 5817
84084a31 5818 return err;
18778a63
GP		 5819}
5820
32b32735
MM		 5821static int l2cap_resegment(struct l2cap_chan *chan)
5822{
5823 /* Placeholder */
5824 return 0;
5825}
5826
61aa4f5b 5827void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5828{
61aa4f5b 5829 u8 event;
712132eb 5830
61aa4f5b
MM		 5831 if (chan->mode != L2CAP_MODE_ERTM)
5832 return;
712132eb 5833
61aa4f5b 5834 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5835 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5836}
5837
d2a7ac5d
MM		 5838static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5839{
63838725
MM		 5840 int err = 0;
5841 /* Pass sequential frames to l2cap_reassemble_sdu()
5842 * until a gap is encountered.
5843 */
5844
5845 BT_DBG("chan %p", chan);
5846
5847 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5848 struct sk_buff *skb;
5849 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5850 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5851
5852 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5853
5854 if (!skb)
5855 break;
5856
5857 skb_unlink(skb, &chan->srej_q);
5858 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5859 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5860 if (err)
5861 break;
5862 }
5863
5864 if (skb_queue_empty(&chan->srej_q)) {
5865 chan->rx_state = L2CAP_RX_STATE_RECV;
5866 l2cap_send_ack(chan);
5867 }
5868
5869 return err;
d2a7ac5d
MM		 5870}
5871
5872static void l2cap_handle_srej(struct l2cap_chan *chan,
5873 struct l2cap_ctrl *control)
5874{
f80842a8
MM		 5875 struct sk_buff *skb;
5876
5877 BT_DBG("chan %p, control %p", chan, control);
5878
5879 if (control->reqseq == chan->next_tx_seq) {
5880 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5881 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5882 return;
5883 }
5884
5885 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5886
5887 if (skb == NULL) {
5888 BT_DBG("Seq %d not available for retransmission",
5889 control->reqseq);
5890 return;
5891 }
5892
5893 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5894 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5895 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5896 return;
5897 }
5898
5899 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5900
5901 if (control->poll) {
5902 l2cap_pass_to_tx(chan, control);
5903
5904 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5905 l2cap_retransmit(chan, control);
5906 l2cap_ertm_send(chan);
5907
5908 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5909 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5910 chan->srej_save_reqseq = control->reqseq;
5911 }
5912 } else {
5913 l2cap_pass_to_tx_fbit(chan, control);
5914
5915 if (control->final) {
5916 if (chan->srej_save_reqseq != control->reqseq ||
5917 !test_and_clear_bit(CONN_SREJ_ACT,
5918 &chan->conn_state))
5919 l2cap_retransmit(chan, control);
5920 } else {
5921 l2cap_retransmit(chan, control);
5922 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5923 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5924 chan->srej_save_reqseq = control->reqseq;
5925 }
5926 }
5927 }
d2a7ac5d
MM		 5928}
5929
5930static void l2cap_handle_rej(struct l2cap_chan *chan,
5931 struct l2cap_ctrl *control)
5932{
fcd289df
MM		 5933 struct sk_buff *skb;
5934
5935 BT_DBG("chan %p, control %p", chan, control);
5936
5937 if (control->reqseq == chan->next_tx_seq) {
5938 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5939 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5940 return;
5941 }
5942
5943 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5944
5945 if (chan->max_tx && skb &&
5946 bt_cb(skb)->control.retries >= chan->max_tx) {
5947 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5948 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5949 return;
5950 }
5951
5952 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5953
5954 l2cap_pass_to_tx(chan, control);
5955
5956 if (control->final) {
5957 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5958 l2cap_retransmit_all(chan, control);
5959 } else {
5960 l2cap_retransmit_all(chan, control);
5961 l2cap_ertm_send(chan);
5962 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5963 set_bit(CONN_REJ_ACT, &chan->conn_state);
5964 }
d2a7ac5d
MM		 5965}
5966
4b51dae9
MM		 5967static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5968{
5969 BT_DBG("chan %p, txseq %d", chan, txseq);
5970
5971 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5972 chan->expected_tx_seq);
5973
5974 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5975 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5976 chan->tx_win) {
4b51dae9
MM		 5977 /* See notes below regarding "double poll" and
5978 * invalid packets.
5979 */
5980 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5981 BT_DBG("Invalid/Ignore - after SREJ");
5982 return L2CAP_TXSEQ_INVALID_IGNORE;
5983 } else {
5984 BT_DBG("Invalid - in window after SREJ sent");
5985 return L2CAP_TXSEQ_INVALID;
5986 }
5987 }
5988
5989 if (chan->srej_list.head == txseq) {
5990 BT_DBG("Expected SREJ");
5991 return L2CAP_TXSEQ_EXPECTED_SREJ;
5992 }
5993
5994 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5995 BT_DBG("Duplicate SREJ - txseq already stored");
5996 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5997 }
5998
5999 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6000 BT_DBG("Unexpected SREJ - not requested");
6001 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6002 }
6003 }
6004
6005 if (chan->expected_tx_seq == txseq) {
6006 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6007 chan->tx_win) {
6008 BT_DBG("Invalid - txseq outside tx window");
6009 return L2CAP_TXSEQ_INVALID;
6010 } else {
6011 BT_DBG("Expected");
6012 return L2CAP_TXSEQ_EXPECTED;
6013 }
6014 }
6015
6016 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6017 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6018 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6019 return L2CAP_TXSEQ_DUPLICATE;
6020 }
6021
6022 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6023 /* A source of invalid packets is a "double poll" condition,
6024 * where delays cause us to send multiple poll packets. If
6025 * the remote stack receives and processes both polls,
6026 * sequence numbers can wrap around in such a way that a
6027 * resent frame has a sequence number that looks like new data
6028 * with a sequence gap. This would trigger an erroneous SREJ
6029 * request.
6030 *
6031 * Fortunately, this is impossible with a tx window that's
6032 * less than half of the maximum sequence number, which allows
6033 * invalid frames to be safely ignored.
6034 *
6035 * With tx window sizes greater than half of the tx window
6036 * maximum, the frame is invalid and cannot be ignored. This
6037 * causes a disconnect.
6038 */
6039
6040 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6041 BT_DBG("Invalid/Ignore - txseq outside tx window");
6042 return L2CAP_TXSEQ_INVALID_IGNORE;
6043 } else {
6044 BT_DBG("Invalid - txseq outside tx window");
6045 return L2CAP_TXSEQ_INVALID;
6046 }
6047 } else {
6048 BT_DBG("Unexpected - txseq indicates missing frames");
6049 return L2CAP_TXSEQ_UNEXPECTED;
6050 }
6051}
6052
d2a7ac5d
MM		 6053static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6054 struct l2cap_ctrl *control,
6055 struct sk_buff *skb, u8 event)
6056{
6057 int err = 0;
941247f9 6058 bool skb_in_use = false;
d2a7ac5d
MM		 6059
6060 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6061 event);
6062
6063 switch (event) {
6064 case L2CAP_EV_RECV_IFRAME:
6065 switch (l2cap_classify_txseq(chan, control->txseq)) {
6066 case L2CAP_TXSEQ_EXPECTED:
6067 l2cap_pass_to_tx(chan, control);
6068
6069 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6070 BT_DBG("Busy, discarding expected seq %d",
6071 control->txseq);
6072 break;
6073 }
6074
6075 chan->expected_tx_seq = __next_seq(chan,
6076 control->txseq);
6077
6078 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6079 skb_in_use = true;
d2a7ac5d
MM		 6080
6081 err = l2cap_reassemble_sdu(chan, skb, control);
6082 if (err)
6083 break;
6084
6085 if (control->final) {
6086 if (!test_and_clear_bit(CONN_REJ_ACT,
6087 &chan->conn_state)) {
6088 control->final = 0;
6089 l2cap_retransmit_all(chan, control);
6090 l2cap_ertm_send(chan);
6091 }
6092 }
6093
6094 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6095 l2cap_send_ack(chan);
6096 break;
6097 case L2CAP_TXSEQ_UNEXPECTED:
6098 l2cap_pass_to_tx(chan, control);
6099
6100 /* Can't issue SREJ frames in the local busy state.
6101 * Drop this frame, it will be seen as missing
6102 * when local busy is exited.
6103 */
6104 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6105 BT_DBG("Busy, discarding unexpected seq %d",
6106 control->txseq);
6107 break;
6108 }
6109
6110 /* There was a gap in the sequence, so an SREJ
6111 * must be sent for each missing frame. The
6112 * current frame is stored for later use.
6113 */
6114 skb_queue_tail(&chan->srej_q, skb);
941247f9 6115 skb_in_use = true;
d2a7ac5d
MM		 6116 BT_DBG("Queued %p (queue len %d)", skb,
6117 skb_queue_len(&chan->srej_q));
6118
6119 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6120 l2cap_seq_list_clear(&chan->srej_list);
6121 l2cap_send_srej(chan, control->txseq);
6122
6123 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6124 break;
6125 case L2CAP_TXSEQ_DUPLICATE:
6126 l2cap_pass_to_tx(chan, control);
6127 break;
6128 case L2CAP_TXSEQ_INVALID_IGNORE:
6129 break;
6130 case L2CAP_TXSEQ_INVALID:
6131 default:
5e4e3972 6132 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6133 break;
6134 }
6135 break;
6136 case L2CAP_EV_RECV_RR:
6137 l2cap_pass_to_tx(chan, control);
6138 if (control->final) {
6139 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6140
e6a3ee6e
MM		 6141 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6142 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6143 control->final = 0;
6144 l2cap_retransmit_all(chan, control);
6145 }
6146
6147 l2cap_ertm_send(chan);
6148 } else if (control->poll) {
6149 l2cap_send_i_or_rr_or_rnr(chan);
6150 } else {
6151 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6152 &chan->conn_state) &&
6153 chan->unacked_frames)
6154 __set_retrans_timer(chan);
6155
6156 l2cap_ertm_send(chan);
6157 }
6158 break;
6159 case L2CAP_EV_RECV_RNR:
6160 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6161 l2cap_pass_to_tx(chan, control);
6162 if (control && control->poll) {
6163 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6164 l2cap_send_rr_or_rnr(chan, 0);
6165 }
6166 __clear_retrans_timer(chan);
6167 l2cap_seq_list_clear(&chan->retrans_list);
6168 break;
6169 case L2CAP_EV_RECV_REJ:
6170 l2cap_handle_rej(chan, control);
6171 break;
6172 case L2CAP_EV_RECV_SREJ:
6173 l2cap_handle_srej(chan, control);
6174 break;
6175 default:
6176 break;
6177 }
6178
6179 if (skb && !skb_in_use) {
6180 BT_DBG("Freeing %p", skb);
6181 kfree_skb(skb);
6182 }
6183
6184 return err;
6185}
6186
6187static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6188 struct l2cap_ctrl *control,
6189 struct sk_buff *skb, u8 event)
6190{
6191 int err = 0;
6192 u16 txseq = control->txseq;
941247f9 6193 bool skb_in_use = false;
d2a7ac5d
MM		 6194
6195 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6196 event);
6197
6198 switch (event) {
6199 case L2CAP_EV_RECV_IFRAME:
6200 switch (l2cap_classify_txseq(chan, txseq)) {
6201 case L2CAP_TXSEQ_EXPECTED:
6202 /* Keep frame for reassembly later */
6203 l2cap_pass_to_tx(chan, control);
6204 skb_queue_tail(&chan->srej_q, skb);
941247f9 6205 skb_in_use = true;
d2a7ac5d
MM		 6206 BT_DBG("Queued %p (queue len %d)", skb,
6207 skb_queue_len(&chan->srej_q));
6208
6209 chan->expected_tx_seq = __next_seq(chan, txseq);
6210 break;
6211 case L2CAP_TXSEQ_EXPECTED_SREJ:
6212 l2cap_seq_list_pop(&chan->srej_list);
6213
6214 l2cap_pass_to_tx(chan, control);
6215 skb_queue_tail(&chan->srej_q, skb);
941247f9 6216 skb_in_use = true;
d2a7ac5d
MM		 6217 BT_DBG("Queued %p (queue len %d)", skb,
6218 skb_queue_len(&chan->srej_q));
6219
6220 err = l2cap_rx_queued_iframes(chan);
6221 if (err)
6222 break;
6223
6224 break;
6225 case L2CAP_TXSEQ_UNEXPECTED:
6226 /* Got a frame that can't be reassembled yet.
6227 * Save it for later, and send SREJs to cover
6228 * the missing frames.
6229 */
6230 skb_queue_tail(&chan->srej_q, skb);
941247f9 6231 skb_in_use = true;
d2a7ac5d
MM		 6232 BT_DBG("Queued %p (queue len %d)", skb,
6233 skb_queue_len(&chan->srej_q));
6234
6235 l2cap_pass_to_tx(chan, control);
6236 l2cap_send_srej(chan, control->txseq);
6237 break;
6238 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6239 /* This frame was requested with an SREJ, but
6240 * some expected retransmitted frames are
6241 * missing. Request retransmission of missing
6242 * SREJ'd frames.
6243 */
6244 skb_queue_tail(&chan->srej_q, skb);
941247f9 6245 skb_in_use = true;
d2a7ac5d
MM		 6246 BT_DBG("Queued %p (queue len %d)", skb,
6247 skb_queue_len(&chan->srej_q));
6248
6249 l2cap_pass_to_tx(chan, control);
6250 l2cap_send_srej_list(chan, control->txseq);
6251 break;
6252 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6253 /* We've already queued this frame. Drop this copy. */
6254 l2cap_pass_to_tx(chan, control);
6255 break;
6256 case L2CAP_TXSEQ_DUPLICATE:
6257 /* Expecting a later sequence number, so this frame
6258 * was already received. Ignore it completely.
6259 */
6260 break;
6261 case L2CAP_TXSEQ_INVALID_IGNORE:
6262 break;
6263 case L2CAP_TXSEQ_INVALID:
6264 default:
5e4e3972 6265 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6266 break;
6267 }
6268 break;
6269 case L2CAP_EV_RECV_RR:
6270 l2cap_pass_to_tx(chan, control);
6271 if (control->final) {
6272 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6273
6274 if (!test_and_clear_bit(CONN_REJ_ACT,
6275 &chan->conn_state)) {
6276 control->final = 0;
6277 l2cap_retransmit_all(chan, control);
6278 }
6279
6280 l2cap_ertm_send(chan);
6281 } else if (control->poll) {
6282 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6283 &chan->conn_state) &&
6284 chan->unacked_frames) {
6285 __set_retrans_timer(chan);
6286 }
6287
6288 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6289 l2cap_send_srej_tail(chan);
6290 } else {
6291 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6292 &chan->conn_state) &&
6293 chan->unacked_frames)
6294 __set_retrans_timer(chan);
6295
6296 l2cap_send_ack(chan);
6297 }
6298 break;
6299 case L2CAP_EV_RECV_RNR:
6300 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6301 l2cap_pass_to_tx(chan, control);
6302 if (control->poll) {
6303 l2cap_send_srej_tail(chan);
6304 } else {
6305 struct l2cap_ctrl rr_control;
6306 memset(&rr_control, 0, sizeof(rr_control));
6307 rr_control.sframe = 1;
6308 rr_control.super = L2CAP_SUPER_RR;
6309 rr_control.reqseq = chan->buffer_seq;
6310 l2cap_send_sframe(chan, &rr_control);
6311 }
6312
6313 break;
6314 case L2CAP_EV_RECV_REJ:
6315 l2cap_handle_rej(chan, control);
6316 break;
6317 case L2CAP_EV_RECV_SREJ:
6318 l2cap_handle_srej(chan, control);
6319 break;
6320 }
6321
6322 if (skb && !skb_in_use) {
6323 BT_DBG("Freeing %p", skb);
6324 kfree_skb(skb);
6325 }
6326
6327 return err;
6328}
6329
32b32735
MM		 6330static int l2cap_finish_move(struct l2cap_chan *chan)
6331{
6332 BT_DBG("chan %p", chan);
6333
6334 chan->rx_state = L2CAP_RX_STATE_RECV;
6335
6336 if (chan->hs_hcon)
6337 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6338 else
6339 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6340
6341 return l2cap_resegment(chan);
6342}
6343
6344static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6345 struct l2cap_ctrl *control,
6346 struct sk_buff *skb, u8 event)
6347{
6348 int err;
6349
6350 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6351 event);
6352
6353 if (!control->poll)
6354 return -EPROTO;
6355
6356 l2cap_process_reqseq(chan, control->reqseq);
6357
6358 if (!skb_queue_empty(&chan->tx_q))
6359 chan->tx_send_head = skb_peek(&chan->tx_q);
6360 else
6361 chan->tx_send_head = NULL;
6362
6363 /* Rewind next_tx_seq to the point expected
6364 * by the receiver.
6365 */
6366 chan->next_tx_seq = control->reqseq;
6367 chan->unacked_frames = 0;
6368
6369 err = l2cap_finish_move(chan);
6370 if (err)
6371 return err;
6372
6373 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6374 l2cap_send_i_or_rr_or_rnr(chan);
6375
6376 if (event == L2CAP_EV_RECV_IFRAME)
6377 return -EPROTO;
6378
6379 return l2cap_rx_state_recv(chan, control, NULL, event);
6380}
6381
6382static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6383 struct l2cap_ctrl *control,
6384 struct sk_buff *skb, u8 event)
6385{
6386 int err;
6387
6388 if (!control->final)
6389 return -EPROTO;
6390
6391 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6392
6393 chan->rx_state = L2CAP_RX_STATE_RECV;
6394 l2cap_process_reqseq(chan, control->reqseq);
6395
6396 if (!skb_queue_empty(&chan->tx_q))
6397 chan->tx_send_head = skb_peek(&chan->tx_q);
6398 else
6399 chan->tx_send_head = NULL;
6400
6401 /* Rewind next_tx_seq to the point expected
6402 * by the receiver.
6403 */
6404 chan->next_tx_seq = control->reqseq;
6405 chan->unacked_frames = 0;
6406
6407 if (chan->hs_hcon)
6408 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6409 else
6410 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6411
6412 err = l2cap_resegment(chan);
6413
6414 if (!err)
6415 err = l2cap_rx_state_recv(chan, control, skb, event);
6416
6417 return err;
6418}
6419
d2a7ac5d
MM		 6420static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6421{
6422 /* Make sure reqseq is for a packet that has been sent but not acked */
6423 u16 unacked;
6424
6425 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6426 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6427}
6428
cec8ab6e
MM		 6429static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6430 struct sk_buff *skb, u8 event)
218bb9df 6431{
d2a7ac5d
MM		 6432 int err = 0;
6433
6434 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6435 control, skb, event, chan->rx_state);
6436
6437 if (__valid_reqseq(chan, control->reqseq)) {
6438 switch (chan->rx_state) {
6439 case L2CAP_RX_STATE_RECV:
6440 err = l2cap_rx_state_recv(chan, control, skb, event);
6441 break;
6442 case L2CAP_RX_STATE_SREJ_SENT:
6443 err = l2cap_rx_state_srej_sent(chan, control, skb,
6444 event);
6445 break;
32b32735
MM		 6446 case L2CAP_RX_STATE_WAIT_P:
6447 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6448 break;
6449 case L2CAP_RX_STATE_WAIT_F:
6450 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6451 break;
d2a7ac5d
MM		 6452 default:
6453 /* shut it down */
6454 break;
6455 }
6456 } else {
6457 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6458 control->reqseq, chan->next_tx_seq,
6459 chan->expected_ack_seq);
5e4e3972 6460 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6461 }
6462
6463 return err;
cec8ab6e
MM		 6464}
6465
6466static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6467 struct sk_buff *skb)
6468{
4b51dae9
MM		 6469 int err = 0;
6470
6471 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6472 chan->rx_state);
6473
6474 if (l2cap_classify_txseq(chan, control->txseq) ==
6475 L2CAP_TXSEQ_EXPECTED) {
6476 l2cap_pass_to_tx(chan, control);
6477
6478 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6479 __next_seq(chan, chan->buffer_seq));
6480
6481 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6482
6483 l2cap_reassemble_sdu(chan, skb, control);
6484 } else {
6485 if (chan->sdu) {
6486 kfree_skb(chan->sdu);
6487 chan->sdu = NULL;
6488 }
6489 chan->sdu_last_frag = NULL;
6490 chan->sdu_len = 0;
6491
6492 if (skb) {
6493 BT_DBG("Freeing %p", skb);
6494 kfree_skb(skb);
6495 }
6496 }
6497
6498 chan->last_acked_seq = control->txseq;
6499 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6500
6501 return err;
cec8ab6e
MM		 6502}
6503
6504static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6505{
6506 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6507 u16 len;
6508 u8 event;
218bb9df 6509
b76bbd66
MM		 6510 __unpack_control(chan, skb);
6511
218bb9df
GP		 6512 len = skb->len;
6513
6514 /*
6515 * We can just drop the corrupted I-frame here.
6516 * Receiver will miss it and start proper recovery
cec8ab6e 6517 * procedures and ask for retransmission.
218bb9df 6518 */
47d1ec61 6519 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6520 goto drop;
6521
cec8ab6e 6522 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6523 len -= L2CAP_SDULEN_SIZE;
218bb9df 6524
47d1ec61 6525 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6526 len -= L2CAP_FCS_SIZE;
218bb9df 6527
47d1ec61 6528 if (len > chan->mps) {
5e4e3972 6529 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6530 goto drop;
6531 }
6532
cec8ab6e
MM		 6533 if (!control->sframe) {
6534 int err;
218bb9df 6535
cec8ab6e
MM		 6536 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6537 control->sar, control->reqseq, control->final,
6538 control->txseq);
218bb9df 6539
cec8ab6e
MM		 6540 /* Validate F-bit - F=0 always valid, F=1 only
6541 * valid in TX WAIT_F
6542 */
6543 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6544 goto drop;
cec8ab6e
MM		 6545
6546 if (chan->mode != L2CAP_MODE_STREAMING) {
6547 event = L2CAP_EV_RECV_IFRAME;
6548 err = l2cap_rx(chan, control, skb, event);
6549 } else {
6550 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6551 }
6552
cec8ab6e 6553 if (err)
5e4e3972 6554 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6555 } else {
cec8ab6e
MM		 6556 const u8 rx_func_to_event[4] = {
6557 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6558 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6559 };
6560
6561 /* Only I-frames are expected in streaming mode */
6562 if (chan->mode == L2CAP_MODE_STREAMING)
6563 goto drop;
6564
6565 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6566 control->reqseq, control->final, control->poll,
6567 control->super);
6568
218bb9df 6569 if (len != 0) {
1bb166e6 6570 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6571 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6572 goto drop;
6573 }
6574
cec8ab6e
MM		 6575 /* Validate F and P bits */
6576 if (control->final && (control->poll ||
6577 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6578 goto drop;
6579
6580 event = rx_func_to_event[control->super];
6581 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6582 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6583 }
6584
6585 return 0;
6586
6587drop:
6588 kfree_skb(skb);
6589 return 0;
6590}
6591
b1c325c2
JH		 6592static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6593{
6594 struct l2cap_conn *conn = chan->conn;
6595 struct l2cap_le_credits pkt;
6596 u16 return_credits;
6597
6598 /* We return more credits to the sender only after the amount of
6599 * credits falls below half of the initial amount.
6600 */
f15b8ecf 6601 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6602 return;
6603
f15b8ecf 6604 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6605
6606 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6607
6608 chan->rx_credits += return_credits;
6609
6610 pkt.cid = cpu_to_le16(chan->scid);
6611 pkt.credits = cpu_to_le16(return_credits);
6612
6613 chan->ident = l2cap_get_ident(conn);
6614
6615 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6616}
6617
fad5fc89
JH		 6618static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6619{
aac23bf6
JH		 6620 int err;
6621
6622 if (!chan->rx_credits) {
6623 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6624 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6625 return -ENOBUFS;
aac23bf6 6626 }
fad5fc89 6627
aac23bf6
JH		 6628 if (chan->imtu < skb->len) {
6629 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6630 return -ENOBUFS;
aac23bf6 6631 }
fad5fc89
JH		 6632
6633 chan->rx_credits--;
6634 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6635
6636 l2cap_chan_le_send_credits(chan);
6637
aac23bf6
JH		 6638 err = 0;
6639
6640 if (!chan->sdu) {
6641 u16 sdu_len;
6642
6643 sdu_len = get_unaligned_le16(skb->data);
6644 skb_pull(skb, L2CAP_SDULEN_SIZE);
6645
6646 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6647 sdu_len, skb->len, chan->imtu);
6648
6649 if (sdu_len > chan->imtu) {
6650 BT_ERR("Too big LE L2CAP SDU length received");
6651 err = -EMSGSIZE;
6652 goto failed;
6653 }
6654
6655 if (skb->len > sdu_len) {
6656 BT_ERR("Too much LE L2CAP data received");
6657 err = -EINVAL;
6658 goto failed;
6659 }
6660
6661 if (skb->len == sdu_len)
6662 return chan->ops->recv(chan, skb);
6663
6664 chan->sdu = skb;
6665 chan->sdu_len = sdu_len;
6666 chan->sdu_last_frag = skb;
6667
6668 return 0;
6669 }
6670
6671 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6672 chan->sdu->len, skb->len, chan->sdu_len);
6673
6674 if (chan->sdu->len + skb->len > chan->sdu_len) {
6675 BT_ERR("Too much LE L2CAP data received");
6676 err = -EINVAL;
6677 goto failed;
6678 }
6679
6680 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6681 skb = NULL;
6682
6683 if (chan->sdu->len == chan->sdu_len) {
6684 err = chan->ops->recv(chan, chan->sdu);
6685 if (!err) {
6686 chan->sdu = NULL;
6687 chan->sdu_last_frag = NULL;
6688 chan->sdu_len = 0;
6689 }
6690 }
6691
6692failed:
6693 if (err) {
6694 kfree_skb(skb);
6695 kfree_skb(chan->sdu);
6696 chan->sdu = NULL;
6697 chan->sdu_last_frag = NULL;
6698 chan->sdu_len = 0;
6699 }
6700
6701 /* We can't return an error here since we took care of the skb
6702 * freeing internally. An error return would cause the caller to
6703 * do a double-free of the skb.
6704 */
6705 return 0;
fad5fc89
JH		 6706}
6707
13ca56e0
AE		 6708static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6709 struct sk_buff *skb)
1da177e4 6710{
48454079 6711 struct l2cap_chan *chan;
1da177e4 6712
baa7e1fa 6713 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6714 if (!chan) {
97e8e89d
AE		 6715 if (cid == L2CAP_CID_A2MP) {
6716 chan = a2mp_channel_create(conn, skb);
6717 if (!chan) {
6718 kfree_skb(skb);
13ca56e0 6719 return;
97e8e89d
AE		 6720 }
6721
6722 l2cap_chan_lock(chan);
6723 } else {
6724 BT_DBG("unknown cid 0x%4.4x", cid);
6725 /* Drop packet and return */
6726 kfree_skb(skb);
13ca56e0 6727 return;
97e8e89d 6728 }
1da177e4
LT		 6729 }
6730
49208c9c 6731 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6732
89bc500e 6733 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6734 goto drop;
6735
0c1bc5c6 6736 switch (chan->mode) {
38319713 6737 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6738 if (l2cap_le_data_rcv(chan, skb) < 0)
6739 goto drop;
6740
6741 goto done;
6742
1c2acffb
GP		 6743 case L2CAP_MODE_BASIC:
6744 /* If socket recv buffers overflows we drop data here
6745 * which is *bad* because L2CAP has to be reliable.
6746 * But we don't have any other choice. L2CAP doesn't
6747 * provide flow control mechanism. */
1da177e4 6748
2c96e03d
SJ		 6749 if (chan->imtu < skb->len) {
6750 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6751 goto drop;
2c96e03d 6752 }
1da177e4 6753
80b98027 6754 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6755 goto done;
6756 break;
6757
6758 case L2CAP_MODE_ERTM:
6840ed07 6759 case L2CAP_MODE_STREAMING:
cec8ab6e 6760 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6761 goto done;
6762
1c2acffb 6763 default:
0c1bc5c6 6764 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6765 break;
6766 }
1da177e4
LT		 6767
6768drop:
6769 kfree_skb(skb);
6770
6771done:
6be36555 6772 l2cap_chan_unlock(chan);
1da177e4
LT		 6773}
6774
84104b24
AE		 6775static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6776 struct sk_buff *skb)
1da177e4 6777{
ae4fd2d3 6778 struct hci_conn *hcon = conn->hcon;
23691d75 6779 struct l2cap_chan *chan;
1da177e4 6780
ae4fd2d3 6781 if (hcon->type != ACL_LINK)
a24cce14 6782 goto free_skb;
ae4fd2d3 6783
bf20fd4e
JH		 6784 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6785 ACL_LINK);
23691d75 6786 if (!chan)
a24cce14 6787 goto free_skb;
1da177e4 6788
5b4cedaa 6789 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6790
89bc500e 6791 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6792 goto drop;
6793
e13e21dc 6794 if (chan->imtu < skb->len)
1da177e4
LT		 6795 goto drop;
6796
2edf870d 6797 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6798 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6799 bt_cb(skb)->psm = psm;
6800
a24cce14
JH		 6801 if (!chan->ops->recv(chan, skb)) {
6802 l2cap_chan_put(chan);
84104b24 6803 return;
a24cce14 6804 }
1da177e4
LT		 6805
6806drop:
a24cce14
JH		 6807 l2cap_chan_put(chan);
6808free_skb:
1da177e4 6809 kfree_skb(skb);
1da177e4
LT		 6810}
6811
6812static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6813{
6814 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6815 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6816 u16 cid, len;
6817 __le16 psm;
1da177e4 6818
61a939c6
JH		 6819 if (hcon->state != BT_CONNECTED) {
6820 BT_DBG("queueing pending rx skb");
6821 skb_queue_tail(&conn->pending_rx, skb);
6822 return;
6823 }
6824
1da177e4
LT		 6825 skb_pull(skb, L2CAP_HDR_SIZE);
6826 cid = __le16_to_cpu(lh->cid);
6827 len = __le16_to_cpu(lh->len);
6828
1c2acffb
GP		 6829 if (len != skb->len) {
6830 kfree_skb(skb);
6831 return;
6832 }
6833
9e1d7e15
JH		 6834 /* Since we can't actively block incoming LE connections we must
6835 * at least ensure that we ignore incoming data from them.
6836 */
6837 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6838 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6839 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6840 kfree_skb(skb);
6841 return;
6842 }
6843
1da177e4
LT		 6844 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6845
6846 switch (cid) {
8db4dc46 6847 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6848 l2cap_sig_channel(conn, skb);
6849 break;
6850
8db4dc46 6851 case L2CAP_CID_CONN_LESS:
097db76c 6852 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6853 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6854 l2cap_conless_channel(conn, psm, skb);
6855 break;
6856
a2877629
MH		 6857 case L2CAP_CID_LE_SIGNALING:
6858 l2cap_le_sig_channel(conn, skb);
6859 break;
6860
b501d6a1
AB		 6861 case L2CAP_CID_SMP:
6862 if (smp_sig_channel(conn, skb))
6863 l2cap_conn_del(conn->hcon, EACCES);
6864 break;
6865
1da177e4
LT		 6866 default:
6867 l2cap_data_channel(conn, cid, skb);
6868 break;
6869 }
6870}
6871
61a939c6
JH		 6872static void process_pending_rx(struct work_struct *work)
6873{
6874 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6875 pending_rx_work);
6876 struct sk_buff *skb;
6877
6878 BT_DBG("");
6879
6880 while ((skb = skb_dequeue(&conn->pending_rx)))
6881 l2cap_recv_frame(conn, skb);
6882}
6883
162b49e7
JH		 6884static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6885{
6886 struct l2cap_conn *conn = hcon->l2cap_data;
6887 struct hci_chan *hchan;
6888
6889 if (conn)
6890 return conn;
6891
6892 hchan = hci_chan_create(hcon);
6893 if (!hchan)
6894 return NULL;
6895
27f70f3e 6896 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6897 if (!conn) {
6898 hci_chan_del(hchan);
6899 return NULL;
6900 }
6901
6902 kref_init(&conn->ref);
6903 hcon->l2cap_data = conn;
6904 conn->hcon = hcon;
6905 hci_conn_get(conn->hcon);
6906 conn->hchan = hchan;
6907
6908 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6909
6910 switch (hcon->type) {
6911 case LE_LINK:
6912 if (hcon->hdev->le_mtu) {
6913 conn->mtu = hcon->hdev->le_mtu;
6914 break;
6915 }
6916 /* fall through */
6917 default:
6918 conn->mtu = hcon->hdev->acl_mtu;
6919 break;
6920 }
6921
6922 conn->feat_mask = 0;
6923
6924 if (hcon->type == ACL_LINK)
6925 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6926 &hcon->hdev->dev_flags);
6927
5a54e7c8 6928 mutex_init(&conn->ident_lock);
162b49e7
JH		 6929 mutex_init(&conn->chan_lock);
6930
6931 INIT_LIST_HEAD(&conn->chan_l);
6932 INIT_LIST_HEAD(&conn->users);
6933
6934 if (hcon->type == LE_LINK)
6935 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
6936 else
6937 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6938
61a939c6
JH		 6939 skb_queue_head_init(&conn->pending_rx);
6940 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6941
162b49e7
JH		 6942 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6943
6944 return conn;
6945}
6946
6947static bool is_valid_psm(u16 psm, u8 dst_type) {
6948 if (!psm)
6949 return false;
6950
6951 if (bdaddr_type_is_le(dst_type))
6952 return (psm <= 0x00ff);
6953
6954 /* PSM must be odd and lsb of upper byte must be 0 */
6955 return ((psm & 0x0101) == 0x0001);
6956}
6957
6958int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6959 bdaddr_t *dst, u8 dst_type)
6960{
6961 struct l2cap_conn *conn;
6962 struct hci_conn *hcon;
6963 struct hci_dev *hdev;
162b49e7
JH		 6964 int err;
6965
6966 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6967 dst_type, __le16_to_cpu(psm));
6968
6969 hdev = hci_get_route(dst, &chan->src);
6970 if (!hdev)
6971 return -EHOSTUNREACH;
6972
6973 hci_dev_lock(hdev);
6974
6975 l2cap_chan_lock(chan);
6976
6977 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6978 chan->chan_type != L2CAP_CHAN_RAW) {
6979 err = -EINVAL;
6980 goto done;
6981 }
6982
21626e62
JH		 6983 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6984 err = -EINVAL;
6985 goto done;
6986 }
6987
6988 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6989 err = -EINVAL;
6990 goto done;
6991 }
6992
6993 switch (chan->mode) {
6994 case L2CAP_MODE_BASIC:
6995 break;
6996 case L2CAP_MODE_LE_FLOWCTL:
6997 l2cap_le_flowctl_init(chan);
6998 break;
6999 case L2CAP_MODE_ERTM:
7000 case L2CAP_MODE_STREAMING:
7001 if (!disable_ertm)
7002 break;
7003 /* fall through */
7004 default:
beb19e4c 7005 err = -EOPNOTSUPP;
162b49e7
JH		 7006 goto done;
7007 }
7008
7009 switch (chan->state) {
7010 case BT_CONNECT:
7011 case BT_CONNECT2:
7012 case BT_CONFIG:
7013 /* Already connecting */
7014 err = 0;
7015 goto done;
7016
7017 case BT_CONNECTED:
7018 /* Already connected */
7019 err = -EISCONN;
7020 goto done;
7021
7022 case BT_OPEN:
7023 case BT_BOUND:
7024 /* Can connect */
7025 break;
7026
7027 default:
7028 err = -EBADFD;
7029 goto done;
7030 }
7031
7032 /* Set destination address and psm */
7033 bacpy(&chan->dst, dst);
7034 chan->dst_type = dst_type;
7035
7036 chan->psm = psm;
7037 chan->dcid = cid;
7038
6f77d8c7 7039 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7040 u8 role;
cdd6275e 7041
6f77d8c7
AG		 7042 /* Convert from L2CAP channel address type to HCI address type
7043 */
7044 if (dst_type == BDADDR_LE_PUBLIC)
7045 dst_type = ADDR_LE_DEV_PUBLIC;
7046 else
7047 dst_type = ADDR_LE_DEV_RANDOM;
7048
e804d25d
JH		 7049 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7050 role = HCI_ROLE_SLAVE;
7051 else
7052 role = HCI_ROLE_MASTER;
cdd6275e 7053
04a6c589 7054 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7055 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7056 } else {
d93375a8 7057 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7058 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7059 }
162b49e7
JH		 7060
7061 if (IS_ERR(hcon)) {
7062 err = PTR_ERR(hcon);
7063 goto done;
7064 }
7065
7066 conn = l2cap_conn_add(hcon);
7067 if (!conn) {
7068 hci_conn_drop(hcon);
7069 err = -ENOMEM;
7070 goto done;
7071 }
7072
7073 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7074 hci_conn_drop(hcon);
7075 err = -EBUSY;
7076 goto done;
7077 }
7078
7079 /* Update source addr of the socket */
7080 bacpy(&chan->src, &hcon->src);
7081 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7082
7083 l2cap_chan_unlock(chan);
7084 l2cap_chan_add(conn, chan);
7085 l2cap_chan_lock(chan);
7086
7087 /* l2cap_chan_add takes its own ref so we can drop this one */
7088 hci_conn_drop(hcon);
7089
7090 l2cap_state_change(chan, BT_CONNECT);
7091 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7092
61202e4d
JH		 7093 /* Release chan->sport so that it can be reused by other
7094 * sockets (as it's only used for listening sockets).
7095 */
7096 write_lock(&chan_list_lock);
7097 chan->sport = 0;
7098 write_unlock(&chan_list_lock);
7099
162b49e7
JH		 7100 if (hcon->state == BT_CONNECTED) {
7101 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7102 __clear_chan_timer(chan);
e7cafc45 7103 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7104 l2cap_state_change(chan, BT_CONNECTED);
7105 } else
7106 l2cap_do_start(chan);
7107 }
7108
7109 err = 0;
7110
7111done:
7112 l2cap_chan_unlock(chan);
7113 hci_dev_unlock(hdev);
7114 hci_dev_put(hdev);
7115 return err;
7116}
6b8d4a6a 7117EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7118
1da177e4
LT		 7119/* ---- L2CAP interface with lower layer (HCI) ---- */
7120
686ebf28 7121int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7122{
7123 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7124 struct l2cap_chan *c;
1da177e4 7125
6ed93dc6 7126 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7127
7128 /* Find listening sockets and check their link_mode */
23691d75
GP		 7129 read_lock(&chan_list_lock);
7130 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7131 if (c->state != BT_LISTEN)
1da177e4
LT		 7132 continue;
7133
7eafc59e 7134 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7135 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7136 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7137 lm1 |= HCI_LM_MASTER;
1da177e4 7138 exact++;
7eafc59e 7139 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7140 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7141 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7142 lm2 |= HCI_LM_MASTER;
7143 }
1da177e4 7144 }
23691d75 7145 read_unlock(&chan_list_lock);
1da177e4
LT		 7146
7147 return exact ? lm1 : lm2;
7148}
7149
e760ec12
JH		 7150/* Find the next fixed channel in BT_LISTEN state, continue iteration
7151 * from an existing channel in the list or from the beginning of the
7152 * global list (by passing NULL as first parameter).
7153 */
7154static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7155 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7156{
7157 read_lock(&chan_list_lock);
7158
7159 if (c)
7160 c = list_next_entry(c, global_l);
7161 else
7162 c = list_entry(chan_list.next, typeof(*c), global_l);
7163
7164 list_for_each_entry_from(c, &chan_list, global_l) {
7165 if (c->chan_type != L2CAP_CHAN_FIXED)
7166 continue;
7167 if (c->state != BT_LISTEN)
7168 continue;
7169 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7170 continue;
54a1b626
JH		 7171 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7172 continue;
7173 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7174 continue;
e760ec12
JH		 7175
7176 l2cap_chan_hold(c);
7177 read_unlock(&chan_list_lock);
7178 return c;
7179 }
7180
7181 read_unlock(&chan_list_lock);
7182
7183 return NULL;
7184}
7185
9e664631 7186void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7187{
e760ec12 7188 struct hci_dev *hdev = hcon->hdev;
0139418c 7189 struct l2cap_conn *conn;
e760ec12
JH		 7190 struct l2cap_chan *pchan;
7191 u8 dst_type;
0139418c 7192
6ed93dc6 7193 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7194
dc0f5088 7195 if (status) {
e175072f 7196 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7197 return;
ba6fc317 7198 }
dc0f5088
JH		 7199
7200 conn = l2cap_conn_add(hcon);
7201 if (!conn)
7202 return;
7203
e760ec12
JH		 7204 dst_type = bdaddr_type(hcon, hcon->dst_type);
7205
7206 /* If device is blocked, do not create channels for it */
7207 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7208 return;
7209
7210 /* Find fixed channels and notify them of the new connection. We
7211 * use multiple individual lookups, continuing each time where
7212 * we left off, because the list lock would prevent calling the
7213 * potentially sleeping l2cap_chan_lock() function.
7214 */
54a1b626 7215 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7216 while (pchan) {
7217 struct l2cap_chan *chan, *next;
7218
7219 /* Client fixed channels should override server ones */
7220 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7221 goto next;
7222
7223 l2cap_chan_lock(pchan);
7224 chan = pchan->ops->new_connection(pchan);
7225 if (chan) {
7226 bacpy(&chan->src, &hcon->src);
7227 bacpy(&chan->dst, &hcon->dst);
7228 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7229 chan->dst_type = dst_type;
7230
7231 __l2cap_chan_add(conn, chan);
7232 }
7233
7234 l2cap_chan_unlock(pchan);
7235next:
54a1b626
JH		 7236 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7237 hcon->type);
e760ec12
JH		 7238 l2cap_chan_put(pchan);
7239 pchan = next;
7240 }
7241
dc0f5088 7242 l2cap_conn_ready(conn);
1da177e4
LT		 7243}
7244
686ebf28 7245int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7246{
7247 struct l2cap_conn *conn = hcon->l2cap_data;
7248
7249 BT_DBG("hcon %p", hcon);
7250
686ebf28 7251 if (!conn)
9f5a0d7b 7252 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7253 return conn->disc_reason;
7254}
7255
9e664631 7256void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7257{
7258 BT_DBG("hcon %p reason %d", hcon, reason);
7259
e175072f 7260 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7261}
7262
4343478f 7263static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7264{
715ec005 7265 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7266 return;
7267
f62e4323 7268 if (encrypt == 0x00) {
4343478f 7269 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7270 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7271 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7272 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7273 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7274 } else {
4343478f 7275 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7276 __clear_chan_timer(chan);
f62e4323
MH		 7277 }
7278}
7279
686ebf28 7280int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7281{
0139418c 7282 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7283 struct l2cap_chan *chan;
1da177e4 7284
0139418c 7285 if (!conn)
1da177e4 7286 return 0;
0139418c 7287
89d8b407 7288 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7289
160dc6ac 7290 if (hcon->type == LE_LINK) {
35d4adcc 7291 if (!status && encrypt)
4bd6d38e 7292 smp_distribute_keys(conn);
17cd3f37 7293 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7294 }
7295
3df91ea2 7296 mutex_lock(&conn->chan_lock);
1da177e4 7297
3df91ea2 7298 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7299 l2cap_chan_lock(chan);
1da177e4 7300
89d8b407
AE		 7301 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7302 state_to_string(chan->state));
f1cb9af5 7303
2338a7e0 7304 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7305 l2cap_chan_unlock(chan);
7306 continue;
7307 }
7308
191eb398
JH		 7309 if (!status && encrypt)
7310 chan->sec_level = hcon->sec_level;
f1cb9af5 7311
96eff46e 7312 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7313 l2cap_chan_unlock(chan);
6a8d3010
MH		 7314 continue;
7315 }
7316
89bc500e 7317 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7318 chan->state == BT_CONFIG)) {
d97c899b 7319 chan->ops->resume(chan);
4343478f 7320 l2cap_check_encryption(chan, encrypt);
6be36555 7321 l2cap_chan_unlock(chan);
9719f8af
MH		 7322 continue;
7323 }
7324
89bc500e 7325 if (chan->state == BT_CONNECT) {
6d3c15da 7326 if (!status)
93c3e8f5 7327 l2cap_start_connection(chan);
6d3c15da 7328 else
ba13ccd9 7329 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7330 } else if (chan->state == BT_CONNECT2) {
b1235d79 7331 struct l2cap_conn_rsp rsp;
df3c3931 7332 __u16 res, stat;
1da177e4 7333
b1235d79 7334 if (!status) {
bdc25783 7335 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7336 res = L2CAP_CR_PEND;
7337 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7338 chan->ops->defer(chan);
df3c3931 7339 } else {
acdcabf5 7340 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7341 res = L2CAP_CR_SUCCESS;
7342 stat = L2CAP_CS_NO_INFO;
7343 }
b1235d79 7344 } else {
acdcabf5 7345 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7346 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7347 res = L2CAP_CR_SEC_BLOCK;
7348 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7349 }
7350
fe4128e0
GP		 7351 rsp.scid = cpu_to_le16(chan->dcid);
7352 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7353 rsp.result = cpu_to_le16(res);
7354 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7355 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7356 sizeof(rsp), &rsp);
2d369359
MM		 7357
7358 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7359 res == L2CAP_CR_SUCCESS) {
7360 char buf[128];
7361 set_bit(CONF_REQ_SENT, &chan->conf_state);
7362 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7363 L2CAP_CONF_REQ,
7364 l2cap_build_conf_req(chan, buf),
7365 buf);
7366 chan->num_conf_req++;
7367 }
b1235d79 7368 }
1da177e4 7369
6be36555 7370 l2cap_chan_unlock(chan);
1da177e4
LT		 7371 }
7372
3df91ea2 7373 mutex_unlock(&conn->chan_lock);
b1235d79 7374
1da177e4
LT		 7375 return 0;
7376}
7377
686ebf28 7378int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7379{
7380 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7381 struct l2cap_hdr *hdr;
7382 int len;
1da177e4 7383
1d13a254
AE		 7384 /* For AMP controller do not create l2cap conn */
7385 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7386 goto drop;
1da177e4 7387
5a08ecce 7388 if (!conn)
baf43251 7389 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7390
7391 if (!conn)
1da177e4
LT		 7392 goto drop;
7393
7394 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7395
d73a0988
AE		 7396 switch (flags) {
7397 case ACL_START:
7398 case ACL_START_NO_FLUSH:
7399 case ACL_COMPLETE:
1da177e4
LT		 7400 if (conn->rx_len) {
7401 BT_ERR("Unexpected start frame (len %d)", skb->len);
7402 kfree_skb(conn->rx_skb);
7403 conn->rx_skb = NULL;
7404 conn->rx_len = 0;
7405 l2cap_conn_unreliable(conn, ECOMM);
7406 }
7407
aae7fe22
AE		 7408 /* Start fragment always begin with Basic L2CAP header */
7409 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7410 BT_ERR("Frame is too short (len %d)", skb->len);
7411 l2cap_conn_unreliable(conn, ECOMM);
7412 goto drop;
7413 }
7414
7415 hdr = (struct l2cap_hdr *) skb->data;
7416 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7417
7418 if (len == skb->len) {
7419 /* Complete frame received */
7420 l2cap_recv_frame(conn, skb);
7421 return 0;
7422 }
7423
7424 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7425
7426 if (skb->len > len) {
7427 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7428 skb->len, len);
1da177e4
LT		 7429 l2cap_conn_unreliable(conn, ECOMM);
7430 goto drop;
7431 }
7432
7433 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7434 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7435 if (!conn->rx_skb)
1da177e4
LT		 7436 goto drop;
7437
d626f62b 7438 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7439 skb->len);
1da177e4 7440 conn->rx_len = len - skb->len;
d73a0988
AE		 7441 break;
7442
7443 case ACL_CONT:
1da177e4
LT		 7444 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7445
7446 if (!conn->rx_len) {
7447 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7448 l2cap_conn_unreliable(conn, ECOMM);
7449 goto drop;
7450 }
7451
7452 if (skb->len > conn->rx_len) {
7453 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7454 skb->len, conn->rx_len);
1da177e4
LT		 7455 kfree_skb(conn->rx_skb);
7456 conn->rx_skb = NULL;
7457 conn->rx_len = 0;
7458 l2cap_conn_unreliable(conn, ECOMM);
7459 goto drop;
7460 }
7461
d626f62b 7462 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7463 skb->len);
1da177e4
LT		 7464 conn->rx_len -= skb->len;
7465
7466 if (!conn->rx_len) {
c4e5bafa
JH		 7467 /* Complete frame received. l2cap_recv_frame
7468 * takes ownership of the skb so set the global
7469 * rx_skb pointer to NULL first.
7470 */
7471 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7472 conn->rx_skb = NULL;
c4e5bafa 7473 l2cap_recv_frame(conn, rx_skb);
1da177e4 7474 }
d73a0988 7475 break;
1da177e4
LT		 7476 }
7477
7478drop:
7479 kfree_skb(skb);
7480 return 0;
7481}
7482
aef7d97c 7483static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7484{
23691d75 7485 struct l2cap_chan *c;
1da177e4 7486
333055f2 7487 read_lock(&chan_list_lock);
1da177e4 7488
23691d75 7489 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7490 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7491 &c->src, &c->dst,
fcb73338
AE		 7492 c->state, __le16_to_cpu(c->psm),
7493 c->scid, c->dcid, c->imtu, c->omtu,
7494 c->sec_level, c->mode);
61e1b4b7 7495 }
1da177e4 7496
333055f2 7497 read_unlock(&chan_list_lock);
1da177e4 7498
aef7d97c 7499 return 0;
1da177e4
LT		 7500}
7501
aef7d97c
MH		 7502static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7503{
7504 return single_open(file, l2cap_debugfs_show, inode->i_private);
7505}
7506
7507static const struct file_operations l2cap_debugfs_fops = {
7508 .open = l2cap_debugfs_open,
7509 .read = seq_read,
7510 .llseek = seq_lseek,
7511 .release = single_release,
7512};
7513
7514static struct dentry *l2cap_debugfs;
1da177e4 7515
64274518 7516int __init l2cap_init(void)
1da177e4
LT		 7517{
7518 int err;
be9d1227 7519
bb58f747 7520 err = l2cap_init_sockets();
1da177e4
LT		 7521 if (err < 0)
7522 return err;
7523
1120e4bf
MH		 7524 if (IS_ERR_OR_NULL(bt_debugfs))
7525 return 0;
7526
7527 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7528 NULL, &l2cap_debugfs_fops);
1da177e4 7529
40b9397a 7530 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7531 &le_max_credits);
40b9397a 7532 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7533 &le_default_mps);
7534
1da177e4 7535 return 0;
1da177e4
LT		 7536}
7537
64274518 7538void l2cap_exit(void)
1da177e4 7539{
aef7d97c 7540 debugfs_remove(l2cap_debugfs);
bb58f747 7541 l2cap_cleanup_sockets();
1da177e4
LT		 7542}
7543
d1c4a17d
GP		 7544module_param(disable_ertm, bool, 0644);
7545MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.469936 seconds and 5 git commands to generate.