projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Use hcon directly instead of conn->hcon where possible
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
d1de6d46 44bool disable_ertm;
f0709e03 45
547d1032 46static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 47static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 48
b5ad8b7f
JB		 49static LIST_HEAD(chan_list);
50static DEFINE_RWLOCK(chan_list_lock);
1da177e4 51
1da177e4 52static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 53 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 54static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 55 void *data);
710f9b0a 56static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 57static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
4f1654e0
MH		 62static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
63{
64 if (hcon->type == LE_LINK) {
65 if (type == ADDR_LE_DEV_PUBLIC)
66 return BDADDR_LE_PUBLIC;
67 else
68 return BDADDR_LE_RANDOM;
69 }
70
71 return BDADDR_BREDR;
72}
73
0139418c 74/* ---- L2CAP channels ---- */
71ba0e56 75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
2d792818
GP		 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
89 u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
ef191ade 101 * Returns locked channel. */
2d792818
GP		 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa 106
3df91ea2 107 mutex_lock(&conn->chan_lock);
baa7e1fa 108 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 109 if (c)
110 l2cap_chan_lock(c);
3df91ea2
AE		 111 mutex_unlock(&conn->chan_lock);
112
48454079 113 return c;
0139418c
MH		 114}
115
b1a130b7
MM		 116/* Find channel with given DCID.
117 * Returns locked channel.
118 */
119static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
120 u16 cid)
121{
122 struct l2cap_chan *c;
123
124 mutex_lock(&conn->chan_lock);
125 c = __l2cap_get_chan_by_dcid(conn, cid);
126 if (c)
127 l2cap_chan_lock(c);
128 mutex_unlock(&conn->chan_lock);
129
130 return c;
131}
132
2d792818
GP		 133static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
0139418c 135{
3df91ea2 136 struct l2cap_chan *c;
3d57dc68 137
3df91ea2
AE		 138 list_for_each_entry(c, &conn->chan_l, list) {
139 if (c->ident == ident)
140 return c;
0139418c 141 }
3df91ea2 142 return NULL;
0139418c
MH		 143}
144
5b155ef9
MM		 145static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
146 u8 ident)
147{
148 struct l2cap_chan *c;
149
150 mutex_lock(&conn->chan_lock);
151 c = __l2cap_get_chan_by_ident(conn, ident);
152 if (c)
153 l2cap_chan_lock(c);
154 mutex_unlock(&conn->chan_lock);
155
156 return c;
157}
158
23691d75 159static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 160{
23691d75 161 struct l2cap_chan *c;
9e4425ff 162
23691d75 163 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 164 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 165 return c;
9e4425ff 166 }
250938cb 167 return NULL;
9e4425ff
GP		 168}
169
170int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
171{
73b2ec18
GP		 172 int err;
173
333055f2 174 write_lock(&chan_list_lock);
9e4425ff 175
23691d75 176 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 177 err = -EADDRINUSE;
178 goto done;
9e4425ff
GP		 179 }
180
73b2ec18
GP		 181 if (psm) {
182 chan->psm = psm;
183 chan->sport = psm;
184 err = 0;
185 } else {
186 u16 p;
187
188 err = -EINVAL;
189 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 190 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 191 chan->psm = cpu_to_le16(p);
192 chan->sport = cpu_to_le16(p);
193 err = 0;
194 break;
195 }
196 }
9e4425ff 197
73b2ec18 198done:
333055f2 199 write_unlock(&chan_list_lock);
73b2ec18 200 return err;
9e4425ff
GP		 201}
202
203int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
204{
333055f2 205 write_lock(&chan_list_lock);
9e4425ff
GP		 206
207 chan->scid = scid;
208
333055f2 209 write_unlock(&chan_list_lock);
9e4425ff
GP		 210
211 return 0;
212}
213
baa7e1fa 214static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 215{
8db4dc46 216 u16 cid = L2CAP_CID_DYN_START;
0139418c 217
8db4dc46 218 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 219 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 220 return cid;
221 }
222
223 return 0;
224}
225
0e587be7 226static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 227{
42d2d87c 228 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 229 state_to_string(state));
badaaa00 230
89bc500e 231 chan->state = state;
53f52121 232 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 233}
234
0e587be7
AE		 235static void l2cap_state_change(struct l2cap_chan *chan, int state)
236{
237 struct sock *sk = chan->sk;
238
239 lock_sock(sk);
240 __l2cap_state_change(chan, state);
241 release_sock(sk);
242}
243
f8e73017
GP		 244static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
2e0052e4 246{
f8e73017
GP		 247 struct sock *sk = chan->sk;
248
249 lock_sock(sk);
250 chan->state = state;
53f52121 251 chan->ops->state_change(chan, chan->state, err);
f8e73017 252 release_sock(sk);
2e0052e4
AE		 253}
254
255static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
256{
257 struct sock *sk = chan->sk;
258
259 lock_sock(sk);
f8e73017 260 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 261 release_sock(sk);
262}
263
4239d16f
MM		 264static void __set_retrans_timer(struct l2cap_chan *chan)
265{
266 if (!delayed_work_pending(&chan->monitor_timer) &&
267 chan->retrans_timeout) {
268 l2cap_set_timer(chan, &chan->retrans_timer,
269 msecs_to_jiffies(chan->retrans_timeout));
270 }
271}
272
273static void __set_monitor_timer(struct l2cap_chan *chan)
274{
275 __clear_retrans_timer(chan);
276 if (chan->monitor_timeout) {
277 l2cap_set_timer(chan, &chan->monitor_timer,
278 msecs_to_jiffies(chan->monitor_timeout));
279 }
280}
281
608bcc6d
MM		 282static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
283 u16 seq)
284{
285 struct sk_buff *skb;
286
287 skb_queue_walk(head, skb) {
288 if (bt_cb(skb)->control.txseq == seq)
289 return skb;
290 }
291
292 return NULL;
293}
294
3c588192
MM		 295/* ---- L2CAP sequence number lists ---- */
296
297/* For ERTM, ordered lists of sequence numbers must be tracked for
298 * SREJ requests that are received and for frames that are to be
299 * retransmitted. These seq_list functions implement a singly-linked
300 * list in an array, where membership in the list can also be checked
301 * in constant time. Items can also be added to the tail of the list
302 * and removed from the head in constant time, without further memory
303 * allocs or frees.
304 */
305
306static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
307{
308 size_t alloc_size, i;
309
310 /* Allocated size is a power of 2 to map sequence numbers
311 * (which may be up to 14 bits) in to a smaller array that is
312 * sized for the negotiated ERTM transmit windows.
313 */
314 alloc_size = roundup_pow_of_two(size);
315
316 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
317 if (!seq_list->list)
318 return -ENOMEM;
319
320 seq_list->mask = alloc_size - 1;
321 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
322 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
323 for (i = 0; i < alloc_size; i++)
324 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
325
326 return 0;
327}
328
329static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
330{
331 kfree(seq_list->list);
332}
333
334static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
335 u16 seq)
336{
337 /* Constant-time check for list membership */
338 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
339}
340
341static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
342{
343 u16 mask = seq_list->mask;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
346 /* In case someone tries to pop the head of an empty list */
347 return L2CAP_SEQ_LIST_CLEAR;
348 } else if (seq_list->head == seq) {
349 /* Head can be removed in constant time */
350 seq_list->head = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352
353 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
354 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
355 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
356 }
357 } else {
358 /* Walk the list to find the sequence number */
359 u16 prev = seq_list->head;
360 while (seq_list->list[prev & mask] != seq) {
361 prev = seq_list->list[prev & mask];
362 if (prev == L2CAP_SEQ_LIST_TAIL)
363 return L2CAP_SEQ_LIST_CLEAR;
364 }
365
366 /* Unlink the number from the list and clear it */
367 seq_list->list[prev & mask] = seq_list->list[seq & mask];
368 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
369 if (seq_list->tail == seq)
370 seq_list->tail = prev;
371 }
372 return seq;
373}
374
375static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
376{
377 /* Remove the head in constant time */
378 return l2cap_seq_list_remove(seq_list, seq_list->head);
379}
380
381static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
382{
f522ae36 383 u16 i;
3c588192 384
f522ae36
GP		 385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
386 return;
387
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 393}
394
395static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396{
397 u16 mask = seq_list->mask;
398
399 /* All appends happen in constant time */
400
f522ae36
GP		 401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
402 return;
3c588192 403
f522ae36
GP		 404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
406 else
407 seq_list->list[seq_list->tail & mask] = seq;
408
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 411}
412
721c4181 413static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 414{
721c4181 415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 416 chan_timer.work);
3df91ea2 417 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 418 int reason;
419
e05dcc32 420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 421
3df91ea2 422 mutex_lock(&conn->chan_lock);
6be36555 423 l2cap_chan_lock(chan);
ab07801d 424
89bc500e 425 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 426 reason = ECONNREFUSED;
89bc500e 427 else if (chan->state == BT_CONNECT &&
2d792818 428 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 429 reason = ECONNREFUSED;
430 else
431 reason = ETIMEDOUT;
432
0f852724 433 l2cap_chan_close(chan, reason);
ab07801d 434
6be36555 435 l2cap_chan_unlock(chan);
ab07801d 436
80b98027 437 chan->ops->close(chan);
3df91ea2
AE		 438 mutex_unlock(&conn->chan_lock);
439
371fd835 440 l2cap_chan_put(chan);
ab07801d
GP		 441}
442
eef1d9b6 443struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 444{
445 struct l2cap_chan *chan;
446
447 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
448 if (!chan)
449 return NULL;
450
c03b355e
AE		 451 mutex_init(&chan->lock);
452
333055f2 453 write_lock(&chan_list_lock);
23691d75 454 list_add(&chan->global_l, &chan_list);
333055f2 455 write_unlock(&chan_list_lock);
23691d75 456
721c4181 457 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 458
89bc500e
GP		 459 chan->state = BT_OPEN;
460
144ad330 461 kref_init(&chan->kref);
71ba0e56 462
2827011f
MM		 463 /* This flag is cleared in l2cap_chan_ready() */
464 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
465
eef1d9b6 466 BT_DBG("chan %p", chan);
abc545b8 467
48454079
GP		 468 return chan;
469}
470
144ad330 471static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 472{
144ad330
SS		 473 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
474
4af66c69
JK		 475 BT_DBG("chan %p", chan);
476
333055f2 477 write_lock(&chan_list_lock);
23691d75 478 list_del(&chan->global_l);
333055f2 479 write_unlock(&chan_list_lock);
23691d75 480
4af66c69 481 kfree(chan);
6ff5abbf
GP		 482}
483
30648372
JK		 484void l2cap_chan_hold(struct l2cap_chan *c)
485{
144ad330 486 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 487
144ad330 488 kref_get(&c->kref);
30648372
JK		 489}
490
491void l2cap_chan_put(struct l2cap_chan *c)
492{
144ad330 493 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 494
144ad330 495 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 496}
497
bd4b1653
AE		 498void l2cap_chan_set_defaults(struct l2cap_chan *chan)
499{
500 chan->fcs = L2CAP_FCS_CRC16;
501 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
502 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
503 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 504 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 505 chan->sec_level = BT_SECURITY_LOW;
506
507 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
508}
509
93c3e8f5 510void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 511{
af05b30b 512 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 513 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 514
9f5a0d7b 515 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 516
8c1d787b 517 chan->conn = conn;
0139418c 518
5491120e
AE		 519 switch (chan->chan_type) {
520 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 521 if (conn->hcon->type == LE_LINK) {
522 /* LE connection */
6fcb06a2 523 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 524 if (chan->dcid == L2CAP_CID_ATT)
525 chan->scid = L2CAP_CID_ATT;
526 else
527 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 528 } else {
529 /* Alloc CID for connection-oriented socket */
fe4128e0 530 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 531 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 532 }
5491120e
AE		 533 break;
534
535 case L2CAP_CHAN_CONN_LESS:
0139418c 536 /* Connectionless socket */
fe4128e0
GP		 537 chan->scid = L2CAP_CID_CONN_LESS;
538 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 539 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 540 break;
541
416fa752
AE		 542 case L2CAP_CHAN_CONN_FIX_A2MP:
543 chan->scid = L2CAP_CID_A2MP;
544 chan->dcid = L2CAP_CID_A2MP;
545 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
546 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
547 break;
548
5491120e 549 default:
0139418c 550 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 551 chan->scid = L2CAP_CID_SIGNALING;
552 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 553 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 554 }
555
8f7975b1
AE		 556 chan->local_id = L2CAP_BESTEFFORT_ID;
557 chan->local_stype = L2CAP_SERV_BESTEFFORT;
558 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
559 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
560 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 561 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 562
371fd835 563 l2cap_chan_hold(chan);
baa7e1fa 564
5ee9891d
JH		 565 hci_conn_hold(conn->hcon);
566
3df91ea2 567 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 568}
569
466f8004 570void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 571{
572 mutex_lock(&conn->chan_lock);
573 __l2cap_chan_add(conn, chan);
3df91ea2 574 mutex_unlock(&conn->chan_lock);
0139418c
MH		 575}
576
466f8004 577void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 578{
8c1d787b 579 struct l2cap_conn *conn = chan->conn;
0139418c 580
c9b66675 581 __clear_chan_timer(chan);
0139418c 582
49208c9c 583 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 584
8e87d142 585 if (conn) {
56f60984 586 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 587 /* Delete from channel list */
3df91ea2 588 list_del(&chan->list);
3d57dc68 589
371fd835 590 l2cap_chan_put(chan);
baa7e1fa 591
8c1d787b 592 chan->conn = NULL;
3cabbfda
AE		 593
594 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 595 hci_conn_drop(conn->hcon);
56f60984
AE		 596
597 if (mgr && mgr->bredr_chan == chan)
598 mgr->bredr_chan = NULL;
0139418c
MH		 599 }
600
419e08c1
AE		 601 if (chan->hs_hchan) {
602 struct hci_chan *hs_hchan = chan->hs_hchan;
603
604 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
605 amp_disconnect_logical_link(hs_hchan);
606 }
607
b699ec0d 608 chan->ops->teardown(chan, err);
6be36555 609
2827011f 610 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 611 return;
2ead70b8 612
ee556f66
GP		 613 switch(chan->mode) {
614 case L2CAP_MODE_BASIC:
615 break;
c13ffa62 616
ee556f66 617 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 618 __clear_retrans_timer(chan);
619 __clear_monitor_timer(chan);
620 __clear_ack_timer(chan);
c13ffa62 621
f1c6775b 622 skb_queue_purge(&chan->srej_q);
c13ffa62 623
3c588192
MM		 624 l2cap_seq_list_free(&chan->srej_list);
625 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 626
627 /* fall through */
628
629 case L2CAP_MODE_STREAMING:
630 skb_queue_purge(&chan->tx_q);
631 break;
c13ffa62 632 }
ee556f66
GP		 633
634 return;
0139418c
MH		 635}
636
0f852724 637void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 638{
639 struct l2cap_conn *conn = chan->conn;
4519de9a 640
7eafc59e 641 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 642
89bc500e 643 switch (chan->state) {
4519de9a 644 case BT_LISTEN:
b699ec0d 645 chan->ops->teardown(chan, 0);
4519de9a
GP		 646 break;
647
648 case BT_CONNECTED:
649 case BT_CONFIG:
715ec005 650 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 651 conn->hcon->type == ACL_LINK) {
8d836d71 652 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 653 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 654 } else
655 l2cap_chan_del(chan, reason);
656 break;
657
658 case BT_CONNECT2:
715ec005 659 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 660 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 661 struct l2cap_conn_rsp rsp;
662 __u16 result;
663
bdc25783 664 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
4519de9a
GP		 665 result = L2CAP_CR_SEC_BLOCK;
666 else
667 result = L2CAP_CR_BAD_PSM;
bdc25783 668
89bc500e 669 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 670
671 rsp.scid = cpu_to_le16(chan->dcid);
672 rsp.dcid = cpu_to_le16(chan->scid);
673 rsp.result = cpu_to_le16(result);
ac73498c 674 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 675 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 676 sizeof(rsp), &rsp);
4519de9a
GP		 677 }
678
679 l2cap_chan_del(chan, reason);
680 break;
681
682 case BT_CONNECT:
683 case BT_DISCONN:
684 l2cap_chan_del(chan, reason);
685 break;
686
687 default:
b699ec0d 688 chan->ops->teardown(chan, 0);
4519de9a
GP		 689 break;
690 }
691}
692
4343478f 693static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 694{
6a974b50
MH		 695 switch (chan->chan_type) {
696 case L2CAP_CHAN_RAW:
4343478f 697 switch (chan->sec_level) {
8556edd3
JH		 698 case BT_SECURITY_HIGH:
699 return HCI_AT_DEDICATED_BONDING_MITM;
700 case BT_SECURITY_MEDIUM:
701 return HCI_AT_DEDICATED_BONDING;
702 default:
703 return HCI_AT_NO_BONDING;
704 }
6a974b50 705 break;
3124b843
MH		 706 case L2CAP_CHAN_CONN_LESS:
707 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
708 if (chan->sec_level == BT_SECURITY_LOW)
709 chan->sec_level = BT_SECURITY_SDP;
710 }
711 if (chan->sec_level == BT_SECURITY_HIGH)
712 return HCI_AT_NO_BONDING_MITM;
713 else
714 return HCI_AT_NO_BONDING;
715 break;
6a974b50
MH		 716 case L2CAP_CHAN_CONN_ORIENTED:
717 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
718 if (chan->sec_level == BT_SECURITY_LOW)
719 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 720
6a974b50
MH		 721 if (chan->sec_level == BT_SECURITY_HIGH)
722 return HCI_AT_NO_BONDING_MITM;
723 else
724 return HCI_AT_NO_BONDING;
725 }
726 /* fall through */
727 default:
4343478f 728 switch (chan->sec_level) {
00ae4af9 729 case BT_SECURITY_HIGH:
8556edd3 730 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 731 case BT_SECURITY_MEDIUM:
8556edd3 732 return HCI_AT_GENERAL_BONDING;
00ae4af9 733 default:
8556edd3 734 return HCI_AT_NO_BONDING;
00ae4af9 735 }
6a974b50 736 break;
0684e5f9 737 }
8556edd3
JH		 738}
739
740/* Service level security */
d45fc423 741int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 742{
8c1d787b 743 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 744 __u8 auth_type;
745
4343478f 746 auth_type = l2cap_get_auth_type(chan);
79d554a6 747
4343478f 748 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 749}
750
b5ad8b7f 751static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 752{
753 u8 id;
754
755 /* Get next available identificator.
756 * 1 - 128 are used by kernel.
757 * 129 - 199 are reserved.
758 * 200 - 254 are used by utilities like l2ping, etc.
759 */
760
333055f2 761 spin_lock(&conn->lock);
4e8402a3
MH		 762
763 if (++conn->tx_ident > 128)
764 conn->tx_ident = 1;
765
766 id = conn->tx_ident;
767
333055f2 768 spin_unlock(&conn->lock);
4e8402a3
MH		 769
770 return id;
771}
772
2d792818
GP		 773static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
774 void *data)
4e8402a3
MH		 775{
776 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 777 u8 flags;
4e8402a3
MH		 778
779 BT_DBG("code 0x%2.2x", code);
780
781 if (!skb)
9a9c6a34 782 return;
4e8402a3 783
e702112f
AE		 784 if (lmp_no_flush_capable(conn->hcon->hdev))
785 flags = ACL_START_NO_FLUSH;
786 else
787 flags = ACL_START;
788
14b12d0b 789 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 790 skb->priority = HCI_PRIO_MAX;
14b12d0b 791
73d80deb
LAD		 792 hci_send_acl(conn->hchan, skb, flags);
793}
794
02b0fbb9
MM		 795static bool __chan_is_moving(struct l2cap_chan *chan)
796{
797 return chan->move_state != L2CAP_MOVE_STABLE &&
798 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
799}
800
73d80deb
LAD		 801static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
802{
803 struct hci_conn *hcon = chan->conn->hcon;
804 u16 flags;
805
806 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 807 skb->priority);
73d80deb 808
d5f8a75d
MM		 809 if (chan->hs_hcon && !__chan_is_moving(chan)) {
810 if (chan->hs_hchan)
811 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
812 else
813 kfree_skb(skb);
814
815 return;
816 }
817
73d80deb 818 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 819 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 820 flags = ACL_START_NO_FLUSH;
821 else
822 flags = ACL_START;
14b12d0b 823
73d80deb
LAD		 824 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
825 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 826}
827
b76bbd66
MM		 828static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
829{
830 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
831 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
832
833 if (enh & L2CAP_CTRL_FRAME_TYPE) {
834 /* S-Frame */
835 control->sframe = 1;
836 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
837 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
838
839 control->sar = 0;
840 control->txseq = 0;
841 } else {
842 /* I-Frame */
843 control->sframe = 0;
844 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
845 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
846
847 control->poll = 0;
848 control->super = 0;
849 }
850}
851
b76bbd66
MM		 852static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
853{
854 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
855 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
856
857 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
858 /* S-Frame */
859 control->sframe = 1;
860 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
861 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
862
863 control->sar = 0;
864 control->txseq = 0;
865 } else {
866 /* I-Frame */
867 control->sframe = 0;
868 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
869 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
870
871 control->poll = 0;
872 control->super = 0;
873 }
874}
875
876static inline void __unpack_control(struct l2cap_chan *chan,
877 struct sk_buff *skb)
878{
879 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
880 __unpack_extended_control(get_unaligned_le32(skb->data),
881 &bt_cb(skb)->control);
cec8ab6e 882 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 883 } else {
884 __unpack_enhanced_control(get_unaligned_le16(skb->data),
885 &bt_cb(skb)->control);
cec8ab6e 886 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 887 }
888}
889
b5c6aaed
MM		 890static u32 __pack_extended_control(struct l2cap_ctrl *control)
891{
892 u32 packed;
893
894 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
895 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
896
897 if (control->sframe) {
898 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
899 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
900 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
901 } else {
902 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
903 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
904 }
905
906 return packed;
907}
908
909static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
910{
911 u16 packed;
912
913 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
914 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
915
916 if (control->sframe) {
917 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
918 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
919 packed |= L2CAP_CTRL_FRAME_TYPE;
920 } else {
921 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
922 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
923 }
924
925 return packed;
926}
927
b76bbd66
MM		 928static inline void __pack_control(struct l2cap_chan *chan,
929 struct l2cap_ctrl *control,
930 struct sk_buff *skb)
931{
932 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
933 put_unaligned_le32(__pack_extended_control(control),
934 skb->data + L2CAP_HDR_SIZE);
935 } else {
936 put_unaligned_le16(__pack_enhanced_control(control),
937 skb->data + L2CAP_HDR_SIZE);
938 }
939}
940
ba7aa64f
GP		 941static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
942{
943 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
944 return L2CAP_EXT_HDR_SIZE;
945 else
946 return L2CAP_ENH_HDR_SIZE;
947}
948
a67d7f6f
MM		 949static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
950 u32 control)
b5c6aaed
MM		 951{
952 struct sk_buff *skb;
953 struct l2cap_hdr *lh;
ba7aa64f 954 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 955
956 if (chan->fcs == L2CAP_FCS_CRC16)
957 hlen += L2CAP_FCS_SIZE;
958
a67d7f6f 959 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 960
b5c6aaed 961 if (!skb)
a67d7f6f 962 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 963
964 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
965 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
966 lh->cid = cpu_to_le16(chan->dcid);
967
a67d7f6f
MM		 968 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
969 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
970 else
971 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 972
973 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 974 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 975 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
976 }
977
978 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 979 return skb;
980}
981
982static void l2cap_send_sframe(struct l2cap_chan *chan,
983 struct l2cap_ctrl *control)
984{
985 struct sk_buff *skb;
986 u32 control_field;
987
988 BT_DBG("chan %p, control %p", chan, control);
989
990 if (!control->sframe)
991 return;
992
b99e13ad
MM		 993 if (__chan_is_moving(chan))
994 return;
995
a67d7f6f
MM		 996 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
997 !control->poll)
998 control->final = 1;
999
1000 if (control->super == L2CAP_SUPER_RR)
1001 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1002 else if (control->super == L2CAP_SUPER_RNR)
1003 set_bit(CONN_RNR_SENT, &chan->conn_state);
1004
1005 if (control->super != L2CAP_SUPER_SREJ) {
1006 chan->last_acked_seq = control->reqseq;
1007 __clear_ack_timer(chan);
1008 }
1009
1010 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1011 control->final, control->poll, control->super);
1012
1013 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1014 control_field = __pack_extended_control(control);
1015 else
1016 control_field = __pack_enhanced_control(control);
1017
1018 skb = l2cap_create_sframe_pdu(chan, control_field);
1019 if (!IS_ERR(skb))
1020 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1021}
1022
c9e3d5e0 1023static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1024{
c9e3d5e0
MM		 1025 struct l2cap_ctrl control;
1026
1027 BT_DBG("chan %p, poll %d", chan, poll);
1028
1029 memset(&control, 0, sizeof(control));
1030 control.sframe = 1;
1031 control.poll = poll;
1032
1033 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1034 control.super = L2CAP_SUPER_RNR;
1035 else
1036 control.super = L2CAP_SUPER_RR;
b5c6aaed 1037
c9e3d5e0
MM		 1038 control.reqseq = chan->buffer_seq;
1039 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1040}
1041
b4450035 1042static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1043{
c1360a1c 1044 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1045}
1046
1df7b17a 1047static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1048{
1df7b17a 1049 struct l2cap_conn *conn = chan->conn;
80d58d0b 1050 struct hci_dev *hdev;
1df7b17a
MH		 1051 bool amp_available = false;
1052
1053 if (!conn->hs_enabled)
1054 return false;
1055
1056 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1057 return false;
80d58d0b
MH		 1058
1059 read_lock(&hci_dev_list_lock);
1df7b17a 1060 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1061 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1062 test_bit(HCI_UP, &hdev->flags)) {
1063 amp_available = true;
1064 break;
1065 }
1066 }
80d58d0b
MH		 1067 read_unlock(&hci_dev_list_lock);
1068
1df7b17a
MH		 1069 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1070 return amp_available;
848566b3
MH		 1071
1072 return false;
93c3e8f5
AE		 1073}
1074
5ce66b59
AE		 1075static bool l2cap_check_efs(struct l2cap_chan *chan)
1076{
1077 /* Check EFS parameters */
1078 return true;
1079}
1080
2766be48 1081void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1082{
1083 struct l2cap_conn *conn = chan->conn;
1084 struct l2cap_conn_req req;
1085
1086 req.scid = cpu_to_le16(chan->scid);
1087 req.psm = chan->psm;
1088
1089 chan->ident = l2cap_get_ident(conn);
1090
1091 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1092
1093 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1094}
1095
8eb200bd
MM		 1096static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1097{
1098 struct l2cap_create_chan_req req;
1099 req.scid = cpu_to_le16(chan->scid);
1100 req.psm = chan->psm;
1101 req.amp_id = amp_id;
1102
1103 chan->ident = l2cap_get_ident(chan->conn);
1104
1105 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1106 sizeof(req), &req);
1107}
1108
02b0fbb9
MM		 1109static void l2cap_move_setup(struct l2cap_chan *chan)
1110{
1111 struct sk_buff *skb;
1112
1113 BT_DBG("chan %p", chan);
1114
1115 if (chan->mode != L2CAP_MODE_ERTM)
1116 return;
1117
1118 __clear_retrans_timer(chan);
1119 __clear_monitor_timer(chan);
1120 __clear_ack_timer(chan);
1121
1122 chan->retry_count = 0;
1123 skb_queue_walk(&chan->tx_q, skb) {
1124 if (bt_cb(skb)->control.retries)
1125 bt_cb(skb)->control.retries = 1;
1126 else
1127 break;
1128 }
1129
1130 chan->expected_tx_seq = chan->buffer_seq;
1131
1132 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1133 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1134 l2cap_seq_list_clear(&chan->retrans_list);
1135 l2cap_seq_list_clear(&chan->srej_list);
1136 skb_queue_purge(&chan->srej_q);
1137
1138 chan->tx_state = L2CAP_TX_STATE_XMIT;
1139 chan->rx_state = L2CAP_RX_STATE_MOVE;
1140
1141 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1142}
1143
5f3847a4
MM		 1144static void l2cap_move_done(struct l2cap_chan *chan)
1145{
1146 u8 move_role = chan->move_role;
1147 BT_DBG("chan %p", chan);
1148
1149 chan->move_state = L2CAP_MOVE_STABLE;
1150 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1151
1152 if (chan->mode != L2CAP_MODE_ERTM)
1153 return;
1154
1155 switch (move_role) {
1156 case L2CAP_MOVE_ROLE_INITIATOR:
1157 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1158 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1159 break;
1160 case L2CAP_MOVE_ROLE_RESPONDER:
1161 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1162 break;
1163 }
1164}
1165
9f0caeb1
VCG		 1166static void l2cap_chan_ready(struct l2cap_chan *chan)
1167{
2827011f 1168 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1169 chan->conf_state = 0;
1170 __clear_chan_timer(chan);
1171
54a59aa2 1172 chan->state = BT_CONNECTED;
9f0caeb1 1173
fd83e2c2 1174 chan->ops->ready(chan);
9f0caeb1
VCG		 1175}
1176
93c3e8f5
AE		 1177static void l2cap_start_connection(struct l2cap_chan *chan)
1178{
1179 if (__amp_capable(chan)) {
1180 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1181 a2mp_discover_amp(chan);
1182 } else {
1183 l2cap_send_conn_req(chan);
1184 }
1185}
1186
fc7f8a7e 1187static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1188{
8c1d787b 1189 struct l2cap_conn *conn = chan->conn;
79d554a6 1190
9f0caeb1
VCG		 1191 if (conn->hcon->type == LE_LINK) {
1192 l2cap_chan_ready(chan);
1193 return;
1194 }
1195
79d554a6 1196 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1197 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1198 return;
1199
d45fc423 1200 if (l2cap_chan_check_security(chan) &&
2d792818 1201 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1202 l2cap_start_connection(chan);
1203 }
79d554a6
MH		 1204 } else {
1205 struct l2cap_info_req req;
ac73498c 1206 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1207
1208 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1209 conn->info_ident = l2cap_get_ident(conn);
1210
ba13ccd9 1211 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1212
2d792818
GP		 1213 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1214 sizeof(req), &req);
79d554a6
MH		 1215 }
1216}
1217
cf6c2c0b
GP		 1218static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1219{
1220 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1221 if (!disable_ertm)
cf6c2c0b
GP		 1222 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1223
1224 switch (mode) {
1225 case L2CAP_MODE_ERTM:
1226 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1227 case L2CAP_MODE_STREAMING:
1228 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1229 default:
1230 return 0x00;
1231 }
1232}
1233
5e4e3972 1234static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1235{
5e4e3972 1236 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1237 struct l2cap_disconn_req req;
1238
c13ffa62
GP		 1239 if (!conn)
1240 return;
1241
aad3d0e3 1242 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1243 __clear_retrans_timer(chan);
1244 __clear_monitor_timer(chan);
1245 __clear_ack_timer(chan);
c13ffa62
GP		 1246 }
1247
416fa752 1248 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1249 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1250 return;
1251 }
1252
fe4128e0
GP		 1253 req.dcid = cpu_to_le16(chan->dcid);
1254 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1255 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1256 sizeof(req), &req);
c13ffa62 1257
f8e73017 1258 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1259}
1260
1da177e4 1261/* ---- L2CAP connections ---- */
4e8402a3
MH		 1262static void l2cap_conn_start(struct l2cap_conn *conn)
1263{
3df91ea2 1264 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1265
1266 BT_DBG("conn %p", conn);
1267
3df91ea2 1268 mutex_lock(&conn->chan_lock);
4e8402a3 1269
3df91ea2 1270 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1271 l2cap_chan_lock(chan);
4e8402a3 1272
715ec005 1273 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1274 l2cap_chan_unlock(chan);
79d554a6
MH		 1275 continue;
1276 }
1277
89bc500e 1278 if (chan->state == BT_CONNECT) {
d45fc423 1279 if (!l2cap_chan_check_security(chan) ||
2d792818 1280 !__l2cap_no_conn_pending(chan)) {
6be36555 1281 l2cap_chan_unlock(chan);
47731de7
GP		 1282 continue;
1283 }
79d554a6 1284
c1360a1c 1285 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1286 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1287 &chan->conf_state)) {
89bc500e 1288 l2cap_chan_close(chan, ECONNRESET);
6be36555 1289 l2cap_chan_unlock(chan);
47731de7 1290 continue;
b1235d79 1291 }
47731de7 1292
93c3e8f5 1293 l2cap_start_connection(chan);
47731de7 1294
89bc500e 1295 } else if (chan->state == BT_CONNECT2) {
79d554a6 1296 struct l2cap_conn_rsp rsp;
e9aeb2dd 1297 char buf[128];
fe4128e0
GP		 1298 rsp.scid = cpu_to_le16(chan->dcid);
1299 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1300
d45fc423 1301 if (l2cap_chan_check_security(chan)) {
bdc25783
MH		 1302 struct sock *sk = chan->sk;
1303
6be36555 1304 lock_sock(sk);
bdc25783 1305 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1306 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1307 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1308 chan->ops->defer(chan);
f66dc81f
MH		 1309
1310 } else {
0e587be7 1311 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1312 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1313 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1314 }
6be36555 1315 release_sock(sk);
79d554a6 1316 } else {
ac73498c
AE		 1317 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1318 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1319 }
1320
fc7f8a7e 1321 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1322 sizeof(rsp), &rsp);
e9aeb2dd 1323
c1360a1c 1324 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1325 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1326 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1327 continue;
1328 }
1329
c1360a1c 1330 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1331 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1332 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1333 chan->num_conf_req++;
4e8402a3
MH		 1334 }
1335
6be36555 1336 l2cap_chan_unlock(chan);
4e8402a3
MH		 1337 }
1338
3df91ea2 1339 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1340}
1341
c2287681 1342/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1343 * Returns closest match, locked.
1344 */
d9b88702 1345static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1346 bdaddr_t *src,
1347 bdaddr_t *dst)
b62f328b 1348{
23691d75 1349 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1350
23691d75 1351 read_lock(&chan_list_lock);
b62f328b 1352
23691d75 1353 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1354 if (state && c->state != state)
b62f328b
VT		 1355 continue;
1356
23691d75 1357 if (c->scid == cid) {
c2287681
IY		 1358 int src_match, dst_match;
1359 int src_any, dst_any;
1360
b62f328b 1361 /* Exact match. */
7eafc59e
MH		 1362 src_match = !bacmp(&c->src, src);
1363 dst_match = !bacmp(&c->dst, dst);
c2287681 1364 if (src_match && dst_match) {
23691d75
GP		 1365 read_unlock(&chan_list_lock);
1366 return c;
1367 }
b62f328b
VT		 1368
1369 /* Closest match */
7eafc59e
MH		 1370 src_any = !bacmp(&c->src, BDADDR_ANY);
1371 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1372 if ((src_match && dst_any) || (src_any && dst_match) ||
1373 (src_any && dst_any))
23691d75 1374 c1 = c;
b62f328b
VT		 1375 }
1376 }
280f294f 1377
23691d75 1378 read_unlock(&chan_list_lock);
b62f328b 1379
23691d75 1380 return c1;
b62f328b
VT		 1381}
1382
1383static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1384{
60bac184 1385 struct sock *parent;
23691d75 1386 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1387
1388 BT_DBG("");
1389
1390 /* Check if we have socket listening on cid */
073d1cf3 1391 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
6f59b904 1392 &conn->hcon->src, &conn->hcon->dst);
23691d75 1393 if (!pchan)
b62f328b
VT		 1394 return;
1395
44f3b0fb
JH		 1396 /* Client ATT sockets should override the server one */
1397 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1398 return;
1399
23691d75
GP		 1400 parent = pchan->sk;
1401
aa2ac881 1402 lock_sock(parent);
62f3a2cf 1403
80b98027 1404 chan = pchan->ops->new_connection(pchan);
80808e43 1405 if (!chan)
b62f328b
VT		 1406 goto clean;
1407
9f22398c
JH		 1408 chan->dcid = L2CAP_CID_ATT;
1409
7eafc59e
MH		 1410 bacpy(&chan->src, &conn->hcon->src);
1411 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 1412 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
1413 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
b62f328b 1414
44f3b0fb 1415 __l2cap_chan_add(conn, chan);
48454079 1416
b62f328b 1417clean:
aa2ac881 1418 release_sock(parent);
b62f328b
VT		 1419}
1420
4e8402a3
MH		 1421static void l2cap_conn_ready(struct l2cap_conn *conn)
1422{
48454079 1423 struct l2cap_chan *chan;
cc110922 1424 struct hci_conn *hcon = conn->hcon;
4e8402a3 1425
79d554a6 1426 BT_DBG("conn %p", conn);
4e8402a3 1427
d8729922
JH		 1428 /* For outgoing pairing which doesn't necessarily have an
1429 * associated socket (e.g. mgmt_pair_device).
1430 */
cc110922
VCG		 1431 if (hcon->out && hcon->type == LE_LINK)
1432 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1433
3df91ea2 1434 mutex_lock(&conn->chan_lock);
4e8402a3 1435
44f3b0fb
JH		 1436 if (hcon->type == LE_LINK)
1437 l2cap_le_conn_ready(conn);
1438
3df91ea2 1439 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1440
6be36555 1441 l2cap_chan_lock(chan);
4e8402a3 1442
416fa752
AE		 1443 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1444 l2cap_chan_unlock(chan);
1445 continue;
1446 }
1447
cc110922
VCG		 1448 if (hcon->type == LE_LINK) {
1449 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1450 l2cap_chan_ready(chan);
acd7d370 1451
63128451 1452 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1453 l2cap_chan_ready(chan);
b501d6a1 1454
1c244f79 1455 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1456 l2cap_do_start(chan);
1c244f79 1457 }
4e8402a3 1458
6be36555 1459 l2cap_chan_unlock(chan);
4e8402a3 1460 }
79d554a6 1461
3df91ea2 1462 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1463}
1464
1465/* Notify sockets that we cannot guaranty reliability anymore */
1466static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1467{
48454079 1468 struct l2cap_chan *chan;
4e8402a3
MH		 1469
1470 BT_DBG("conn %p", conn);
1471
3df91ea2 1472 mutex_lock(&conn->chan_lock);
4e8402a3 1473
3df91ea2 1474 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1475 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1476 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1477 }
1478
3df91ea2 1479 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1480}
1481
f878fcad 1482static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1483{
f878fcad 1484 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1485 info_timer.work);
4e8402a3 1486
984947dc 1487 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1488 conn->info_ident = 0;
984947dc 1489
4e8402a3
MH		 1490 l2cap_conn_start(conn);
1491}
1492
2c8e1411
DH		 1493/*
1494 * l2cap_user
1495 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1496 * callback is called during registration. The ->remove callback is called
1497 * during unregistration.
1498 * An l2cap_user object can either be explicitly unregistered or when the
1499 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1500 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1501 * External modules must own a reference to the l2cap_conn object if they intend
1502 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1503 * any time if they don't.
1504 */
1505
1506int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1507{
1508 struct hci_dev *hdev = conn->hcon->hdev;
1509 int ret;
1510
1511 /* We need to check whether l2cap_conn is registered. If it is not, we
1512 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1513 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1514 * relies on the parent hci_conn object to be locked. This itself relies
1515 * on the hci_dev object to be locked. So we must lock the hci device
1516 * here, too. */
1517
1518 hci_dev_lock(hdev);
1519
1520 if (user->list.next || user->list.prev) {
1521 ret = -EINVAL;
1522 goto out_unlock;
1523 }
1524
1525 /* conn->hchan is NULL after l2cap_conn_del() was called */
1526 if (!conn->hchan) {
1527 ret = -ENODEV;
1528 goto out_unlock;
1529 }
1530
1531 ret = user->probe(conn, user);
1532 if (ret)
1533 goto out_unlock;
1534
1535 list_add(&user->list, &conn->users);
1536 ret = 0;
1537
1538out_unlock:
1539 hci_dev_unlock(hdev);
1540 return ret;
1541}
1542EXPORT_SYMBOL(l2cap_register_user);
1543
1544void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1545{
1546 struct hci_dev *hdev = conn->hcon->hdev;
1547
1548 hci_dev_lock(hdev);
1549
1550 if (!user->list.next || !user->list.prev)
1551 goto out_unlock;
1552
1553 list_del(&user->list);
1554 user->list.next = NULL;
1555 user->list.prev = NULL;
1556 user->remove(conn, user);
1557
1558out_unlock:
1559 hci_dev_unlock(hdev);
1560}
1561EXPORT_SYMBOL(l2cap_unregister_user);
1562
1563static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1564{
1565 struct l2cap_user *user;
1566
1567 while (!list_empty(&conn->users)) {
1568 user = list_first_entry(&conn->users, struct l2cap_user, list);
1569 list_del(&user->list);
1570 user->list.next = NULL;
1571 user->list.prev = NULL;
1572 user->remove(conn, user);
1573 }
1574}
1575
5d3de7df
VCG		 1576static void l2cap_conn_del(struct hci_conn *hcon, int err)
1577{
1578 struct l2cap_conn *conn = hcon->l2cap_data;
1579 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1580
1581 if (!conn)
1582 return;
1583
1584 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1585
1586 kfree_skb(conn->rx_skb);
1587
2c8e1411
DH		 1588 l2cap_unregister_all_users(conn);
1589
3df91ea2
AE		 1590 mutex_lock(&conn->chan_lock);
1591
5d3de7df
VCG		 1592 /* Kill channels */
1593 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1594 l2cap_chan_hold(chan);
6be36555
AE		 1595 l2cap_chan_lock(chan);
1596
5d3de7df 1597 l2cap_chan_del(chan, err);
6be36555
AE		 1598
1599 l2cap_chan_unlock(chan);
1600
80b98027 1601 chan->ops->close(chan);
61d6ef3e 1602 l2cap_chan_put(chan);
5d3de7df
VCG		 1603 }
1604
3df91ea2
AE		 1605 mutex_unlock(&conn->chan_lock);
1606
73d80deb
LAD		 1607 hci_chan_del(conn->hchan);
1608
5d3de7df 1609 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1610 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1611
51a8efd7 1612 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1613 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1614 smp_chan_destroy(conn);
d26a2345 1615 }
5d3de7df
VCG		 1616
1617 hcon->l2cap_data = NULL;
9c903e37
DH		 1618 conn->hchan = NULL;
1619 l2cap_conn_put(conn);
5d3de7df
VCG		 1620}
1621
6c9d42a1 1622static void security_timeout(struct work_struct *work)
5d3de7df 1623{
6c9d42a1 1624 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1625 security_timer.work);
5d3de7df 1626
d06cc416
JH		 1627 BT_DBG("conn %p", conn);
1628
1629 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1630 smp_chan_destroy(conn);
1631 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1632 }
5d3de7df
VCG		 1633}
1634
baf43251 1635static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1636{
0139418c 1637 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1638 struct hci_chan *hchan;
1da177e4 1639
baf43251 1640 if (conn)
1da177e4
LT		 1641 return conn;
1642
73d80deb
LAD		 1643 hchan = hci_chan_create(hcon);
1644 if (!hchan)
1645 return NULL;
1646
8bcde1f2 1647 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1648 if (!conn) {
1649 hci_chan_del(hchan);
1da177e4 1650 return NULL;
73d80deb 1651 }
1da177e4 1652
9c903e37 1653 kref_init(&conn->ref);
1da177e4
LT		 1654 hcon->l2cap_data = conn;
1655 conn->hcon = hcon;
9c903e37 1656 hci_conn_get(conn->hcon);
73d80deb 1657 conn->hchan = hchan;
1da177e4 1658
73d80deb 1659 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1660
dcc042d5 1661 switch (hcon->type) {
dcc042d5
AE		 1662 case LE_LINK:
1663 if (hcon->hdev->le_mtu) {
1664 conn->mtu = hcon->hdev->le_mtu;
1665 break;
1666 }
1667 /* fall through */
dcc042d5 1668 default:
acd7d370 1669 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1670 break;
1671 }
acd7d370 1672
4e8402a3
MH		 1673 conn->feat_mask = 0;
1674
848566b3
MH		 1675 if (hcon->type == ACL_LINK)
1676 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1677 &hcon->hdev->dev_flags);
1678
1da177e4 1679 spin_lock_init(&conn->lock);
3df91ea2 1680 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1681
1682 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1683 INIT_LIST_HEAD(&conn->users);
1da177e4 1684
5d3de7df 1685 if (hcon->type == LE_LINK)
6c9d42a1 1686 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1687 else
030013d8 1688 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1689
9f5a0d7b 1690 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1691
1da177e4
LT		 1692 return conn;
1693}
1694
9c903e37
DH		 1695static void l2cap_conn_free(struct kref *ref)
1696{
1697 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1698
1699 hci_conn_put(conn->hcon);
1700 kfree(conn);
1701}
1702
1703void l2cap_conn_get(struct l2cap_conn *conn)
1704{
1705 kref_get(&conn->ref);
1706}
1707EXPORT_SYMBOL(l2cap_conn_get);
1708
1709void l2cap_conn_put(struct l2cap_conn *conn)
1710{
1711 kref_put(&conn->ref, l2cap_conn_free);
1712}
1713EXPORT_SYMBOL(l2cap_conn_put);
1714
1da177e4 1715/* ---- Socket interface ---- */
1da177e4 1716
c2287681 1717/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1718 * Returns closest match.
1719 */
c2287681
IY		 1720static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1721 bdaddr_t *src,
1722 bdaddr_t *dst)
1da177e4 1723{
23691d75 1724 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1725
23691d75 1726 read_lock(&chan_list_lock);
e0f0cb56 1727
23691d75 1728 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1729 if (state && c->state != state)
1da177e4
LT		 1730 continue;
1731
23691d75 1732 if (c->psm == psm) {
c2287681
IY		 1733 int src_match, dst_match;
1734 int src_any, dst_any;
1735
1da177e4 1736 /* Exact match. */
7eafc59e
MH		 1737 src_match = !bacmp(&c->src, src);
1738 dst_match = !bacmp(&c->dst, dst);
c2287681 1739 if (src_match && dst_match) {
a7567b20 1740 read_unlock(&chan_list_lock);
23691d75
GP		 1741 return c;
1742 }
1da177e4
LT		 1743
1744 /* Closest match */
7eafc59e
MH		 1745 src_any = !bacmp(&c->src, BDADDR_ANY);
1746 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1747 if ((src_match && dst_any) || (src_any && dst_match) ||
1748 (src_any && dst_any))
23691d75 1749 c1 = c;
1da177e4
LT		 1750 }
1751 }
1da177e4 1752
23691d75 1753 read_unlock(&chan_list_lock);
e0f0cb56 1754
23691d75 1755 return c1;
1da177e4
LT		 1756}
1757
8e9f9892
AG		 1758int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1759 bdaddr_t *dst, u8 dst_type)
1da177e4 1760{
1da177e4
LT		 1761 struct l2cap_conn *conn;
1762 struct hci_conn *hcon;
1763 struct hci_dev *hdev;
09ab6f4c 1764 __u8 auth_type;
44d0e48e 1765 int err;
1da177e4 1766
7eafc59e 1767 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
ab19516a 1768 dst_type, __le16_to_cpu(psm));
1da177e4 1769
7eafc59e 1770 hdev = hci_get_route(dst, &chan->src);
af05b30b 1771 if (!hdev)
1da177e4
LT		 1772 return -EHOSTUNREACH;
1773
09fd0de5 1774 hci_dev_lock(hdev);
1da177e4 1775
6be36555 1776 l2cap_chan_lock(chan);
03a00194
GP		 1777
1778 /* PSM must be odd and lsb of upper byte must be 0 */
1779 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1780 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1781 err = -EINVAL;
1782 goto done;
1783 }
1784
1785 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1786 err = -EINVAL;
1787 goto done;
1788 }
1789
1790 switch (chan->mode) {
1791 case L2CAP_MODE_BASIC:
1792 break;
1793 case L2CAP_MODE_ERTM:
1794 case L2CAP_MODE_STREAMING:
1795 if (!disable_ertm)
1796 break;
1797 /* fall through */
1798 default:
1799 err = -ENOTSUPP;
1800 goto done;
1801 }
1802
0797e01d 1803 switch (chan->state) {
03a00194
GP		 1804 case BT_CONNECT:
1805 case BT_CONNECT2:
1806 case BT_CONFIG:
1807 /* Already connecting */
1808 err = 0;
1809 goto done;
1810
1811 case BT_CONNECTED:
1812 /* Already connected */
1813 err = -EISCONN;
1814 goto done;
1815
1816 case BT_OPEN:
1817 case BT_BOUND:
1818 /* Can connect */
1819 break;
1820
1821 default:
1822 err = -EBADFD;
1823 goto done;
1824 }
1825
1826 /* Set destination address and psm */
7eafc59e 1827 bacpy(&chan->dst, dst);
4f1654e0 1828 chan->dst_type = dst_type;
6be36555 1829
03a00194
GP		 1830 chan->psm = psm;
1831 chan->dcid = cid;
1da177e4 1832
4343478f 1833 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1834
f224ca5f 1835 if (bdaddr_type_is_le(dst_type))
8e9f9892 1836 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1837 chan->sec_level, auth_type);
acd7d370 1838 else
8e9f9892 1839 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1840 chan->sec_level, auth_type);
acd7d370 1841
30e76272
VT		 1842 if (IS_ERR(hcon)) {
1843 err = PTR_ERR(hcon);
1da177e4 1844 goto done;
30e76272 1845 }
1da177e4 1846
baf43251 1847 conn = l2cap_conn_add(hcon);
1da177e4 1848 if (!conn) {
76a68ba0 1849 hci_conn_drop(hcon);
30e76272 1850 err = -ENOMEM;
1da177e4
LT		 1851 goto done;
1852 }
1853
141d5706
JH		 1854 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1855 hci_conn_drop(hcon);
1856 err = -EBUSY;
1857 goto done;
9f0caeb1
VCG		 1858 }
1859
1da177e4 1860 /* Update source addr of the socket */
7eafc59e 1861 bacpy(&chan->src, &hcon->src);
4f1654e0 1862 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1da177e4 1863
6be36555 1864 l2cap_chan_unlock(chan);
48454079 1865 l2cap_chan_add(conn, chan);
6be36555 1866 l2cap_chan_lock(chan);
48454079 1867
5ee9891d
JH		 1868 /* l2cap_chan_add takes its own ref so we can drop this one */
1869 hci_conn_drop(hcon);
1870
6be36555 1871 l2cap_state_change(chan, BT_CONNECT);
8d836d71 1872 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4
LT		 1873
1874 if (hcon->state == BT_CONNECTED) {
715ec005 1875 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1876 __clear_chan_timer(chan);
d45fc423 1877 if (l2cap_chan_check_security(chan))
6be36555 1878 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1879 } else
fc7f8a7e 1880 l2cap_do_start(chan);
1da177e4
LT		 1881 }
1882
30e76272
VT		 1883 err = 0;
1884
1da177e4 1885done:
6be36555 1886 l2cap_chan_unlock(chan);
09fd0de5 1887 hci_dev_unlock(hdev);
1da177e4
LT		 1888 hci_dev_put(hdev);
1889 return err;
1890}
1891
721c4181 1892static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1893{
721c4181 1894 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1895 monitor_timer.work);
e90bac06 1896
525cd185 1897 BT_DBG("chan %p", chan);
0e98958d 1898
6be36555
AE		 1899 l2cap_chan_lock(chan);
1900
80909e04 1901 if (!chan->conn) {
6be36555 1902 l2cap_chan_unlock(chan);
8d7e1c7f 1903 l2cap_chan_put(chan);
e90bac06
GP		 1904 return;
1905 }
1906
401bb1f7 1907 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1908
6be36555 1909 l2cap_chan_unlock(chan);
8d7e1c7f 1910 l2cap_chan_put(chan);
e90bac06
GP		 1911}
1912
721c4181 1913static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1914{
721c4181 1915 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1916 retrans_timer.work);
e90bac06 1917
49208c9c 1918 BT_DBG("chan %p", chan);
0e98958d 1919
6be36555
AE		 1920 l2cap_chan_lock(chan);
1921
80909e04
MM		 1922 if (!chan->conn) {
1923 l2cap_chan_unlock(chan);
1924 l2cap_chan_put(chan);
1925 return;
1926 }
6be36555 1927
401bb1f7 1928 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1929 l2cap_chan_unlock(chan);
8d7e1c7f 1930 l2cap_chan_put(chan);
e90bac06
GP		 1931}
1932
d660366d
GP		 1933static void l2cap_streaming_send(struct l2cap_chan *chan,
1934 struct sk_buff_head *skbs)
6840ed07 1935{
ccbb84af 1936 struct sk_buff *skb;
3733937d 1937 struct l2cap_ctrl *control;
6840ed07 1938
3733937d
MM		 1939 BT_DBG("chan %p, skbs %p", chan, skbs);
1940
b99e13ad
MM		 1941 if (__chan_is_moving(chan))
1942 return;
1943
3733937d
MM		 1944 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1945
1946 while (!skb_queue_empty(&chan->tx_q)) {
1947
1948 skb = skb_dequeue(&chan->tx_q);
1949
1950 bt_cb(skb)->control.retries = 1;
1951 control = &bt_cb(skb)->control;
1952
1953 control->reqseq = 0;
1954 control->txseq = chan->next_tx_seq;
1955
1956 __pack_control(chan, control, skb);
6840ed07 1957
47d1ec61 1958 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1959 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1960 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1961 }
1962
4343478f 1963 l2cap_do_send(chan, skb);
6840ed07 1964
b4400672 1965 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1966
836be934 1967 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1968 chan->frames_sent++;
6840ed07 1969 }
6840ed07
GP		 1970}
1971
67c9e840 1972static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1973{
1974 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1975 struct l2cap_ctrl *control;
1976 int sent = 0;
1977
1978 BT_DBG("chan %p", chan);
1c2acffb 1979
89bc500e 1980 if (chan->state != BT_CONNECTED)
c13ffa62 1981 return -ENOTCONN;
e90bac06 1982
94122bbe
MM		 1983 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1984 return 0;
1985
b99e13ad
MM		 1986 if (__chan_is_moving(chan))
1987 return 0;
1988
18a48e76
MM		 1989 while (chan->tx_send_head &&
1990 chan->unacked_frames < chan->remote_tx_win &&
1991 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1992
18a48e76 1993 skb = chan->tx_send_head;
e90bac06 1994
18a48e76
MM		 1995 bt_cb(skb)->control.retries = 1;
1996 control = &bt_cb(skb)->control;
95ffa978 1997
e2ab4353 1998 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1999 control->final = 1;
e2ab4353 2000
18a48e76
MM		 2001 control->reqseq = chan->buffer_seq;
2002 chan->last_acked_seq = chan->buffer_seq;
2003 control->txseq = chan->next_tx_seq;
1c2acffb 2004
18a48e76 2005 __pack_control(chan, control, skb);
e90bac06 2006
47d1ec61 2007 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2008 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2009 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2010 }
2011
18a48e76
MM		 2012 /* Clone after data has been modified. Data is assumed to be
2013 read-only (for locking purposes) on cloned sk_buffs.
2014 */
2015 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2016
18a48e76
MM		 2017 if (!tx_skb)
2018 break;
1c2acffb 2019
18a48e76 2020 __set_retrans_timer(chan);
836be934
AE		 2021
2022 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2023 chan->unacked_frames++;
6a026610 2024 chan->frames_sent++;
18a48e76 2025 sent++;
1c2acffb 2026
58d35f87
GP		 2027 if (skb_queue_is_last(&chan->tx_q, skb))
2028 chan->tx_send_head = NULL;
1c2acffb 2029 else
58d35f87 2030 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2031
2032 l2cap_do_send(chan, tx_skb);
b4400672 2033 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2034 }
2035
b4400672
AE		 2036 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2037 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2038
2039 return sent;
9e917af1
GP		 2040}
2041
e1fbd4c1
MM		 2042static void l2cap_ertm_resend(struct l2cap_chan *chan)
2043{
2044 struct l2cap_ctrl control;
2045 struct sk_buff *skb;
2046 struct sk_buff *tx_skb;
2047 u16 seq;
2048
2049 BT_DBG("chan %p", chan);
2050
2051 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2052 return;
2053
b99e13ad
MM		 2054 if (__chan_is_moving(chan))
2055 return;
2056
e1fbd4c1
MM		 2057 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2058 seq = l2cap_seq_list_pop(&chan->retrans_list);
2059
2060 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2061 if (!skb) {
2062 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2063 seq);
e1fbd4c1
MM		 2064 continue;
2065 }
2066
2067 bt_cb(skb)->control.retries++;
2068 control = bt_cb(skb)->control;
2069
2070 if (chan->max_tx != 0 &&
2071 bt_cb(skb)->control.retries > chan->max_tx) {
2072 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2073 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2074 l2cap_seq_list_clear(&chan->retrans_list);
2075 break;
2076 }
2077
2078 control.reqseq = chan->buffer_seq;
2079 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2080 control.final = 1;
2081 else
2082 control.final = 0;
2083
2084 if (skb_cloned(skb)) {
2085 /* Cloned sk_buffs are read-only, so we need a
2086 * writeable copy
2087 */
8bcde1f2 2088 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2089 } else {
8bcde1f2 2090 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2091 }
2092
2093 if (!tx_skb) {
2094 l2cap_seq_list_clear(&chan->retrans_list);
2095 break;
2096 }
2097
2098 /* Update skb contents */
2099 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2100 put_unaligned_le32(__pack_extended_control(&control),
2101 tx_skb->data + L2CAP_HDR_SIZE);
2102 } else {
2103 put_unaligned_le16(__pack_enhanced_control(&control),
2104 tx_skb->data + L2CAP_HDR_SIZE);
2105 }
2106
2107 if (chan->fcs == L2CAP_FCS_CRC16) {
2108 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2109 put_unaligned_le16(fcs, skb_put(tx_skb,
2110 L2CAP_FCS_SIZE));
2111 }
2112
2113 l2cap_do_send(chan, tx_skb);
2114
2115 BT_DBG("Resent txseq %d", control.txseq);
2116
2117 chan->last_acked_seq = chan->buffer_seq;
2118 }
2119}
2120
f80842a8
MM		 2121static void l2cap_retransmit(struct l2cap_chan *chan,
2122 struct l2cap_ctrl *control)
2123{
2124 BT_DBG("chan %p, control %p", chan, control);
2125
2126 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2127 l2cap_ertm_resend(chan);
2128}
2129
d2a7ac5d
MM		 2130static void l2cap_retransmit_all(struct l2cap_chan *chan,
2131 struct l2cap_ctrl *control)
2132{
e1fbd4c1
MM		 2133 struct sk_buff *skb;
2134
2135 BT_DBG("chan %p, control %p", chan, control);
2136
2137 if (control->poll)
2138 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2139
2140 l2cap_seq_list_clear(&chan->retrans_list);
2141
2142 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2143 return;
2144
2145 if (chan->unacked_frames) {
2146 skb_queue_walk(&chan->tx_q, skb) {
2147 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2148 skb == chan->tx_send_head)
e1fbd4c1
MM		 2149 break;
2150 }
2151
2152 skb_queue_walk_from(&chan->tx_q, skb) {
2153 if (skb == chan->tx_send_head)
2154 break;
2155
2156 l2cap_seq_list_append(&chan->retrans_list,
2157 bt_cb(skb)->control.txseq);
2158 }
2159
2160 l2cap_ertm_resend(chan);
2161 }
d2a7ac5d
MM		 2162}
2163
0a0aba42 2164static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2165{
0a0aba42
MM		 2166 struct l2cap_ctrl control;
2167 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2168 chan->last_acked_seq);
2169 int threshold;
9e917af1 2170
0a0aba42
MM		 2171 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2172 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2173
0a0aba42
MM		 2174 memset(&control, 0, sizeof(control));
2175 control.sframe = 1;
dfc909be 2176
0a0aba42
MM		 2177 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2178 chan->rx_state == L2CAP_RX_STATE_RECV) {
2179 __clear_ack_timer(chan);
2180 control.super = L2CAP_SUPER_RNR;
2181 control.reqseq = chan->buffer_seq;
2182 l2cap_send_sframe(chan, &control);
2183 } else {
2184 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2185 l2cap_ertm_send(chan);
2186 /* If any i-frames were sent, they included an ack */
2187 if (chan->buffer_seq == chan->last_acked_seq)
2188 frames_to_ack = 0;
2189 }
dfc909be 2190
c20f8e35 2191 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2192 * Calculate without mul or div
2193 */
c20f8e35 2194 threshold = chan->ack_win;
0a0aba42
MM		 2195 threshold += threshold << 1;
2196 threshold >>= 2;
2197
b4400672 2198 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2199 threshold);
2200
2201 if (frames_to_ack >= threshold) {
2202 __clear_ack_timer(chan);
2203 control.super = L2CAP_SUPER_RR;
2204 control.reqseq = chan->buffer_seq;
2205 l2cap_send_sframe(chan, &control);
2206 frames_to_ack = 0;
2207 }
1c2acffb 2208
0a0aba42
MM		 2209 if (frames_to_ack)
2210 __set_ack_timer(chan);
2211 }
b17e73bb
SJ		 2212}
2213
04124681
GP		 2214static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2215 struct msghdr *msg, int len,
2216 int count, struct sk_buff *skb)
1c2acffb 2217{
0952a57a 2218 struct l2cap_conn *conn = chan->conn;
1c2acffb 2219 struct sk_buff **frag;
90338947 2220 int sent = 0;
1da177e4 2221
59203a21 2222 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2223 return -EFAULT;
1da177e4
LT		 2224
2225 sent += count;
2226 len -= count;
2227
2228 /* Continuation fragments (no L2CAP header) */
2229 frag = &skb_shinfo(skb)->frag_list;
2230 while (len) {
fbe00700
GP		 2231 struct sk_buff *tmp;
2232
1da177e4
LT		 2233 count = min_t(unsigned int, conn->mtu, len);
2234
fbe00700
GP		 2235 tmp = chan->ops->alloc_skb(chan, count,
2236 msg->msg_flags & MSG_DONTWAIT);
2237 if (IS_ERR(tmp))
2238 return PTR_ERR(tmp);
2239
2240 *frag = tmp;
2f7719ce 2241
1c2acffb
GP		 2242 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2243 return -EFAULT;
1da177e4 2244
5e59b791
LAD		 2245 (*frag)->priority = skb->priority;
2246
1da177e4
LT		 2247 sent += count;
2248 len -= count;
2249
2d0ed3d5
GP		 2250 skb->len += (*frag)->len;
2251 skb->data_len += (*frag)->len;
2252
1da177e4
LT		 2253 frag = &(*frag)->next;
2254 }
1da177e4
LT		 2255
2256 return sent;
1c2acffb 2257}
1da177e4 2258
5e59b791 2259static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2260 struct msghdr *msg, size_t len,
2261 u32 priority)
1c2acffb 2262{
8c1d787b 2263 struct l2cap_conn *conn = chan->conn;
1c2acffb 2264 struct sk_buff *skb;
03a51213 2265 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2266 struct l2cap_hdr *lh;
2267
43b1b8df
MH		 2268 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2269 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2270
2271 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2272
2273 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2274 msg->msg_flags & MSG_DONTWAIT);
2275 if (IS_ERR(skb))
2276 return skb;
1c2acffb 2277
5e59b791
LAD		 2278 skb->priority = priority;
2279
1c2acffb
GP		 2280 /* Create L2CAP header */
2281 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2282 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2283 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2284 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2285
0952a57a 2286 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2287 if (unlikely(err < 0)) {
2288 kfree_skb(skb);
2289 return ERR_PTR(err);
2290 }
2291 return skb;
2292}
2293
5e59b791 2294static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2295 struct msghdr *msg, size_t len,
2296 u32 priority)
1c2acffb 2297{
8c1d787b 2298 struct l2cap_conn *conn = chan->conn;
1c2acffb 2299 struct sk_buff *skb;
f2ba7fae 2300 int err, count;
1c2acffb
GP		 2301 struct l2cap_hdr *lh;
2302
b4400672 2303 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2304
f2ba7fae 2305 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2306
f2ba7fae 2307 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2308 msg->msg_flags & MSG_DONTWAIT);
2309 if (IS_ERR(skb))
2310 return skb;
1c2acffb 2311
5e59b791
LAD		 2312 skb->priority = priority;
2313
1c2acffb
GP		 2314 /* Create L2CAP header */
2315 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2316 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2317 lh->len = cpu_to_le16(len);
1c2acffb 2318
0952a57a 2319 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2320 if (unlikely(err < 0)) {
2321 kfree_skb(skb);
2322 return ERR_PTR(err);
2323 }
2324 return skb;
2325}
2326
ab0ff76d 2327static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2328 struct msghdr *msg, size_t len,
2329 u16 sdulen)
1c2acffb 2330{
8c1d787b 2331 struct l2cap_conn *conn = chan->conn;
1c2acffb 2332 struct sk_buff *skb;
e4ca6d98 2333 int err, count, hlen;
1c2acffb
GP		 2334 struct l2cap_hdr *lh;
2335
b4400672 2336 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2337
0ee0d208
GP		 2338 if (!conn)
2339 return ERR_PTR(-ENOTCONN);
2340
ba7aa64f 2341 hlen = __ertm_hdr_size(chan);
e4ca6d98 2342
c74e560c 2343 if (sdulen)
03a51213 2344 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2345
47d1ec61 2346 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2347 hlen += L2CAP_FCS_SIZE;
fcc203c3 2348
1c2acffb 2349 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2350
2351 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2352 msg->msg_flags & MSG_DONTWAIT);
2353 if (IS_ERR(skb))
2354 return skb;
1c2acffb
GP		 2355
2356 /* Create L2CAP header */
2357 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2358 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2359 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2360
18a48e76
MM		 2361 /* Control header is populated later */
2362 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2363 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2364 else
2365 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2366
c74e560c 2367 if (sdulen)
03a51213 2368 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2369
0952a57a 2370 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2371 if (unlikely(err < 0)) {
2372 kfree_skb(skb);
2373 return ERR_PTR(err);
2374 }
e90bac06 2375
18a48e76 2376 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2377 bt_cb(skb)->control.retries = 0;
1c2acffb 2378 return skb;
1da177e4
LT		 2379}
2380
94122bbe
MM		 2381static int l2cap_segment_sdu(struct l2cap_chan *chan,
2382 struct sk_buff_head *seg_queue,
2383 struct msghdr *msg, size_t len)
c74e560c 2384{
c74e560c 2385 struct sk_buff *skb;
94122bbe
MM		 2386 u16 sdu_len;
2387 size_t pdu_len;
94122bbe 2388 u8 sar;
c74e560c 2389
b4400672 2390 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2391
94122bbe
MM		 2392 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2393 * so fragmented skbs are not used. The HCI layer's handling
2394 * of fragmented skbs is not compatible with ERTM's queueing.
2395 */
c74e560c 2396
94122bbe
MM		 2397 /* PDU size is derived from the HCI MTU */
2398 pdu_len = chan->conn->mtu;
c74e560c 2399
a549574d
MM		 2400 /* Constrain PDU size for BR/EDR connections */
2401 if (!chan->hs_hcon)
2402 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2403
2404 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2405 if (chan->fcs)
2406 pdu_len -= L2CAP_FCS_SIZE;
2407
ba7aa64f 2408 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2409
2410 /* Remote device may have requested smaller PDUs */
2411 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2412
2413 if (len <= pdu_len) {
2414 sar = L2CAP_SAR_UNSEGMENTED;
2415 sdu_len = 0;
2416 pdu_len = len;
2417 } else {
2418 sar = L2CAP_SAR_START;
2419 sdu_len = len;
2420 pdu_len -= L2CAP_SDULEN_SIZE;
2421 }
2422
2423 while (len > 0) {
2424 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2425
c74e560c 2426 if (IS_ERR(skb)) {
94122bbe 2427 __skb_queue_purge(seg_queue);
c74e560c
GP		 2428 return PTR_ERR(skb);
2429 }
2430
94122bbe
MM		 2431 bt_cb(skb)->control.sar = sar;
2432 __skb_queue_tail(seg_queue, skb);
2433
2434 len -= pdu_len;
2435 if (sdu_len) {
2436 sdu_len = 0;
2437 pdu_len += L2CAP_SDULEN_SIZE;
2438 }
2439
2440 if (len <= pdu_len) {
2441 sar = L2CAP_SAR_END;
2442 pdu_len = len;
2443 } else {
2444 sar = L2CAP_SAR_CONTINUE;
2445 }
c74e560c 2446 }
c74e560c 2447
f0f62799 2448 return 0;
c74e560c
GP		 2449}
2450
5e59b791 2451int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2452 u32 priority)
9a91a04a 2453{
9a91a04a 2454 struct sk_buff *skb;
9a91a04a 2455 int err;
94122bbe 2456 struct sk_buff_head seg_queue;
9a91a04a
GP		 2457
2458 /* Connectionless channel */
715ec005 2459 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2460 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2461 if (IS_ERR(skb))
2462 return PTR_ERR(skb);
2463
2464 l2cap_do_send(chan, skb);
2465 return len;
2466 }
2467
2468 switch (chan->mode) {
2469 case L2CAP_MODE_BASIC:
2470 /* Check outgoing MTU */
2471 if (len > chan->omtu)
2472 return -EMSGSIZE;
2473
2474 /* Create a basic PDU */
5e59b791 2475 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2476 if (IS_ERR(skb))
2477 return PTR_ERR(skb);
2478
2479 l2cap_do_send(chan, skb);
2480 err = len;
2481 break;
2482
2483 case L2CAP_MODE_ERTM:
2484 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2485 /* Check outgoing MTU */
2486 if (len > chan->omtu) {
2487 err = -EMSGSIZE;
2488 break;
2489 }
9a91a04a 2490
94122bbe 2491 __skb_queue_head_init(&seg_queue);
9a91a04a 2492
94122bbe
MM		 2493 /* Do segmentation before calling in to the state machine,
2494 * since it's possible to block while waiting for memory
2495 * allocation.
2496 */
2497 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2498
94122bbe
MM		 2499 /* The channel could have been closed while segmenting,
2500 * check that it is still connected.
2501 */
2502 if (chan->state != BT_CONNECTED) {
2503 __skb_queue_purge(&seg_queue);
2504 err = -ENOTCONN;
9a91a04a
GP		 2505 }
2506
94122bbe 2507 if (err)
9a91a04a 2508 break;
9a91a04a 2509
3733937d 2510 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2511 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2512 else
d660366d 2513 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2514
d660366d 2515 err = len;
9a91a04a 2516
94122bbe
MM		 2517 /* If the skbs were not queued for sending, they'll still be in
2518 * seg_queue and need to be purged.
2519 */
2520 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2521 break;
2522
2523 default:
2524 BT_DBG("bad state %1.1x", chan->mode);
2525 err = -EBADFD;
2526 }
2527
2528 return err;
2529}
2530
d2a7ac5d
MM		 2531static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2532{
bed68bde
MM		 2533 struct l2cap_ctrl control;
2534 u16 seq;
2535
b4400672 2536 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2537
2538 memset(&control, 0, sizeof(control));
2539 control.sframe = 1;
2540 control.super = L2CAP_SUPER_SREJ;
2541
2542 for (seq = chan->expected_tx_seq; seq != txseq;
2543 seq = __next_seq(chan, seq)) {
2544 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2545 control.reqseq = seq;
2546 l2cap_send_sframe(chan, &control);
2547 l2cap_seq_list_append(&chan->srej_list, seq);
2548 }
2549 }
2550
2551 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2552}
2553
2554static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2555{
bed68bde
MM		 2556 struct l2cap_ctrl control;
2557
2558 BT_DBG("chan %p", chan);
2559
2560 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2561 return;
2562
2563 memset(&control, 0, sizeof(control));
2564 control.sframe = 1;
2565 control.super = L2CAP_SUPER_SREJ;
2566 control.reqseq = chan->srej_list.tail;
2567 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2568}
2569
2570static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2571{
bed68bde
MM		 2572 struct l2cap_ctrl control;
2573 u16 initial_head;
2574 u16 seq;
2575
b4400672 2576 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2577
2578 memset(&control, 0, sizeof(control));
2579 control.sframe = 1;
2580 control.super = L2CAP_SUPER_SREJ;
2581
2582 /* Capture initial list head to allow only one pass through the list. */
2583 initial_head = chan->srej_list.head;
2584
2585 do {
2586 seq = l2cap_seq_list_pop(&chan->srej_list);
2587 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2588 break;
2589
2590 control.reqseq = seq;
2591 l2cap_send_sframe(chan, &control);
2592 l2cap_seq_list_append(&chan->srej_list, seq);
2593 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2594}
2595
608bcc6d
MM		 2596static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2597{
2598 struct sk_buff *acked_skb;
2599 u16 ackseq;
2600
b4400672 2601 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2602
2603 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2604 return;
2605
b4400672 2606 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2607 chan->expected_ack_seq, chan->unacked_frames);
2608
2609 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2610 ackseq = __next_seq(chan, ackseq)) {
2611
2612 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2613 if (acked_skb) {
2614 skb_unlink(acked_skb, &chan->tx_q);
2615 kfree_skb(acked_skb);
2616 chan->unacked_frames--;
2617 }
2618 }
2619
2620 chan->expected_ack_seq = reqseq;
2621
2622 if (chan->unacked_frames == 0)
2623 __clear_retrans_timer(chan);
2624
b4400672 2625 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2626}
2627
2628static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2629{
2630 BT_DBG("chan %p", chan);
2631
2632 chan->expected_tx_seq = chan->buffer_seq;
2633 l2cap_seq_list_clear(&chan->srej_list);
2634 skb_queue_purge(&chan->srej_q);
2635 chan->rx_state = L2CAP_RX_STATE_RECV;
2636}
2637
d660366d
GP		 2638static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2639 struct l2cap_ctrl *control,
2640 struct sk_buff_head *skbs, u8 event)
608bcc6d 2641{
608bcc6d
MM		 2642 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2643 event);
2644
2645 switch (event) {
2646 case L2CAP_EV_DATA_REQUEST:
2647 if (chan->tx_send_head == NULL)
2648 chan->tx_send_head = skb_peek(skbs);
2649
2650 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2651 l2cap_ertm_send(chan);
2652 break;
2653 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2654 BT_DBG("Enter LOCAL_BUSY");
2655 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2656
2657 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2658 /* The SREJ_SENT state must be aborted if we are to
2659 * enter the LOCAL_BUSY state.
2660 */
2661 l2cap_abort_rx_srej_sent(chan);
2662 }
2663
2664 l2cap_send_ack(chan);
2665
2666 break;
2667 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2668 BT_DBG("Exit LOCAL_BUSY");
2669 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2670
2671 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2672 struct l2cap_ctrl local_control;
2673
2674 memset(&local_control, 0, sizeof(local_control));
2675 local_control.sframe = 1;
2676 local_control.super = L2CAP_SUPER_RR;
2677 local_control.poll = 1;
2678 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2679 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2680
2681 chan->retry_count = 1;
2682 __set_monitor_timer(chan);
2683 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2684 }
2685 break;
2686 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2687 l2cap_process_reqseq(chan, control->reqseq);
2688 break;
2689 case L2CAP_EV_EXPLICIT_POLL:
2690 l2cap_send_rr_or_rnr(chan, 1);
2691 chan->retry_count = 1;
2692 __set_monitor_timer(chan);
2693 __clear_ack_timer(chan);
2694 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2695 break;
2696 case L2CAP_EV_RETRANS_TO:
2697 l2cap_send_rr_or_rnr(chan, 1);
2698 chan->retry_count = 1;
2699 __set_monitor_timer(chan);
2700 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2701 break;
2702 case L2CAP_EV_RECV_FBIT:
2703 /* Nothing to process */
2704 break;
2705 default:
2706 break;
2707 }
608bcc6d
MM		 2708}
2709
d660366d
GP		 2710static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2711 struct l2cap_ctrl *control,
2712 struct sk_buff_head *skbs, u8 event)
608bcc6d 2713{
608bcc6d
MM		 2714 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2715 event);
2716
2717 switch (event) {
2718 case L2CAP_EV_DATA_REQUEST:
2719 if (chan->tx_send_head == NULL)
2720 chan->tx_send_head = skb_peek(skbs);
2721 /* Queue data, but don't send. */
2722 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2723 break;
2724 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2725 BT_DBG("Enter LOCAL_BUSY");
2726 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2727
2728 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2729 /* The SREJ_SENT state must be aborted if we are to
2730 * enter the LOCAL_BUSY state.
2731 */
2732 l2cap_abort_rx_srej_sent(chan);
2733 }
2734
2735 l2cap_send_ack(chan);
2736
2737 break;
2738 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2739 BT_DBG("Exit LOCAL_BUSY");
2740 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2741
2742 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2743 struct l2cap_ctrl local_control;
2744 memset(&local_control, 0, sizeof(local_control));
2745 local_control.sframe = 1;
2746 local_control.super = L2CAP_SUPER_RR;
2747 local_control.poll = 1;
2748 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2749 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2750
2751 chan->retry_count = 1;
2752 __set_monitor_timer(chan);
2753 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2754 }
2755 break;
2756 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2757 l2cap_process_reqseq(chan, control->reqseq);
2758
2759 /* Fall through */
2760
2761 case L2CAP_EV_RECV_FBIT:
2762 if (control && control->final) {
2763 __clear_monitor_timer(chan);
2764 if (chan->unacked_frames > 0)
2765 __set_retrans_timer(chan);
2766 chan->retry_count = 0;
2767 chan->tx_state = L2CAP_TX_STATE_XMIT;
2768 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2769 }
2770 break;
2771 case L2CAP_EV_EXPLICIT_POLL:
2772 /* Ignore */
2773 break;
2774 case L2CAP_EV_MONITOR_TO:
2775 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2776 l2cap_send_rr_or_rnr(chan, 1);
2777 __set_monitor_timer(chan);
2778 chan->retry_count++;
2779 } else {
5e4e3972 2780 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2781 }
2782 break;
2783 default:
2784 break;
2785 }
608bcc6d
MM		 2786}
2787
d660366d
GP		 2788static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2789 struct sk_buff_head *skbs, u8 event)
608bcc6d 2790{
608bcc6d
MM		 2791 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2792 chan, control, skbs, event, chan->tx_state);
2793
2794 switch (chan->tx_state) {
2795 case L2CAP_TX_STATE_XMIT:
d660366d 2796 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2797 break;
2798 case L2CAP_TX_STATE_WAIT_F:
d660366d 2799 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2800 break;
2801 default:
2802 /* Ignore event */
2803 break;
2804 }
608bcc6d
MM		 2805}
2806
4b51dae9
MM		 2807static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2808 struct l2cap_ctrl *control)
2809{
2810 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2811 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2812}
2813
f80842a8
MM		 2814static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2815 struct l2cap_ctrl *control)
2816{
2817 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2818 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2819}
2820
1da177e4
LT		 2821/* Copy frame to all raw sockets on that connection */
2822static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2823{
1da177e4 2824 struct sk_buff *nskb;
48454079 2825 struct l2cap_chan *chan;
1da177e4
LT		 2826
2827 BT_DBG("conn %p", conn);
2828
3df91ea2 2829 mutex_lock(&conn->chan_lock);
3d57dc68 2830
3df91ea2 2831 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2832 struct sock *sk = chan->sk;
715ec005 2833 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2834 continue;
2835
2836 /* Don't send frame to the socket it came from */
2837 if (skb->sk == sk)
2838 continue;
8bcde1f2 2839 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2840 if (!nskb)
1da177e4
LT		 2841 continue;
2842
80b98027 2843 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2844 kfree_skb(nskb);
2845 }
3d57dc68 2846
3df91ea2 2847 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2848}
2849
2850/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2851static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2852 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2853{
2854 struct sk_buff *skb, **frag;
2855 struct l2cap_cmd_hdr *cmd;
2856 struct l2cap_hdr *lh;
2857 int len, count;
2858
b4400672
AE		 2859 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2860 conn, code, ident, dlen);
1da177e4 2861
300b962e
AL		 2862 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2863 return NULL;
2864
1da177e4
LT		 2865 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2866 count = min_t(unsigned int, conn->mtu, len);
2867
8bcde1f2 2868 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2869 if (!skb)
2870 return NULL;
2871
2872 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2873 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2874
2875 if (conn->hcon->type == LE_LINK)
ac73498c 2876 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2877 else
ac73498c 2878 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2879
2880 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2881 cmd->code = code;
2882 cmd->ident = ident;
aca3192c 2883 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2884
2885 if (dlen) {
2886 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2887 memcpy(skb_put(skb, count), data, count);
2888 data += count;
2889 }
2890
2891 len -= skb->len;
2892
2893 /* Continuation fragments (no L2CAP header) */
2894 frag = &skb_shinfo(skb)->frag_list;
2895 while (len) {
2896 count = min_t(unsigned int, conn->mtu, len);
2897
8bcde1f2 2898 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2899 if (!*frag)
2900 goto fail;
2901
2902 memcpy(skb_put(*frag, count), data, count);
2903
2904 len -= count;
2905 data += count;
2906
2907 frag = &(*frag)->next;
2908 }
2909
2910 return skb;
2911
2912fail:
2913 kfree_skb(skb);
2914 return NULL;
2915}
2916
2d792818
GP		 2917static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2918 unsigned long *val)
1da177e4
LT		 2919{
2920 struct l2cap_conf_opt *opt = *ptr;
2921 int len;
2922
2923 len = L2CAP_CONF_OPT_SIZE + opt->len;
2924 *ptr += len;
2925
2926 *type = opt->type;
2927 *olen = opt->len;
2928
2929 switch (opt->len) {
2930 case 1:
2931 *val = *((u8 *) opt->val);
2932 break;
2933
2934 case 2:
bfaaeb3e 2935 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2936 break;
2937
2938 case 4:
bfaaeb3e 2939 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2940 break;
2941
2942 default:
2943 *val = (unsigned long) opt->val;
2944 break;
2945 }
2946
b4400672 2947 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2948 return len;
2949}
2950
1da177e4
LT		 2951static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2952{
2953 struct l2cap_conf_opt *opt = *ptr;
2954
b4400672 2955 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2956
2957 opt->type = type;
2958 opt->len = len;
2959
2960 switch (len) {
2961 case 1:
2962 *((u8 *) opt->val) = val;
2963 break;
2964
2965 case 2:
4f8b691c 2966 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2967 break;
2968
2969 case 4:
4f8b691c 2970 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2971 break;
2972
2973 default:
2974 memcpy(opt->val, (void *) val, len);
2975 break;
2976 }
2977
2978 *ptr += L2CAP_CONF_OPT_SIZE + len;
2979}
2980
f89cef09
AE		 2981static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2982{
2983 struct l2cap_conf_efs efs;
2984
1ec918ce 2985 switch (chan->mode) {
f89cef09
AE		 2986 case L2CAP_MODE_ERTM:
2987 efs.id = chan->local_id;
2988 efs.stype = chan->local_stype;
2989 efs.msdu = cpu_to_le16(chan->local_msdu);
2990 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2991 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2992 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2993 break;
2994
2995 case L2CAP_MODE_STREAMING:
2996 efs.id = 1;
2997 efs.stype = L2CAP_SERV_BESTEFFORT;
2998 efs.msdu = cpu_to_le16(chan->local_msdu);
2999 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3000 efs.acc_lat = 0;
3001 efs.flush_to = 0;
3002 break;
3003
3004 default:
3005 return;
3006 }
3007
3008 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3009 (unsigned long) &efs);
f89cef09
AE		 3010}
3011
721c4181 3012static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3013{
721c4181 3014 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3015 ack_timer.work);
3016 u16 frames_to_ack;
c1b4f43b 3017
2fb9b3d4
GP		 3018 BT_DBG("chan %p", chan);
3019
6be36555
AE		 3020 l2cap_chan_lock(chan);
3021
0362520b
MM		 3022 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3023 chan->last_acked_seq);
6be36555 3024
0362520b
MM		 3025 if (frames_to_ack)
3026 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3027
0362520b 3028 l2cap_chan_unlock(chan);
09bfb2ee 3029 l2cap_chan_put(chan);
c1b4f43b
GP		 3030}
3031
466f8004 3032int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3033{
3c588192
MM		 3034 int err;
3035
105bdf9e
MM		 3036 chan->next_tx_seq = 0;
3037 chan->expected_tx_seq = 0;
42e5c802 3038 chan->expected_ack_seq = 0;
6a026610 3039 chan->unacked_frames = 0;
42e5c802 3040 chan->buffer_seq = 0;
6a026610 3041 chan->frames_sent = 0;
105bdf9e
MM		 3042 chan->last_acked_seq = 0;
3043 chan->sdu = NULL;
3044 chan->sdu_last_frag = NULL;
3045 chan->sdu_len = 0;
3046
d34c34fb
MM		 3047 skb_queue_head_init(&chan->tx_q);
3048
6ed971ca
MH		 3049 chan->local_amp_id = AMP_ID_BREDR;
3050 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3051 chan->move_state = L2CAP_MOVE_STABLE;
3052 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3053
105bdf9e
MM		 3054 if (chan->mode != L2CAP_MODE_ERTM)
3055 return 0;
3056
3057 chan->rx_state = L2CAP_RX_STATE_RECV;
3058 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3059
721c4181
GP		 3060 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3061 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3062 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3063
f1c6775b 3064 skb_queue_head_init(&chan->srej_q);
1890d36b 3065
3c588192
MM		 3066 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3067 if (err < 0)
3068 return err;
3069
9dc9affc
MM		 3070 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3071 if (err < 0)
3072 l2cap_seq_list_free(&chan->srej_list);
3073
3074 return err;
0565c1c2
GP		 3075}
3076
f2fcfcd6
GP		 3077static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3078{
3079 switch (mode) {
3080 case L2CAP_MODE_STREAMING:
3081 case L2CAP_MODE_ERTM:
3082 if (l2cap_mode_supported(mode, remote_feat_mask))
3083 return mode;
3084 /* fall through */
3085 default:
3086 return L2CAP_MODE_BASIC;
3087 }
3088}
3089
848566b3 3090static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3091{
848566b3 3092 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3093}
3094
848566b3 3095static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3096{
848566b3 3097 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3098}
3099
36c86c85
MM		 3100static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3101 struct l2cap_conf_rfc *rfc)
3102{
6ed971ca 3103 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3104 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3105
3106 /* Class 1 devices have must have ERTM timeouts
3107 * exceeding the Link Supervision Timeout. The
3108 * default Link Supervision Timeout for AMP
3109 * controllers is 10 seconds.
3110 *
3111 * Class 1 devices use 0xffffffff for their
3112 * best-effort flush timeout, so the clamping logic
3113 * will result in a timeout that meets the above
3114 * requirement. ERTM timeouts are 16-bit values, so
3115 * the maximum timeout is 65.535 seconds.
3116 */
3117
3118 /* Convert timeout to milliseconds and round */
3119 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3120
3121 /* This is the recommended formula for class 2 devices
3122 * that start ERTM timers when packets are sent to the
3123 * controller.
3124 */
3125 ertm_to = 3 * ertm_to + 500;
3126
3127 if (ertm_to > 0xffff)
3128 ertm_to = 0xffff;
3129
3130 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3131 rfc->monitor_timeout = rfc->retrans_timeout;
3132 } else {
3133 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3134 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3135 }
3136}
3137
6327eb98
AE		 3138static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3139{
3140 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3141 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3142 /* use extended control field */
3143 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3144 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3145 } else {
6327eb98 3146 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3147 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3148 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3149 }
c20f8e35 3150 chan->ack_win = chan->tx_win;
6327eb98
AE		 3151}
3152
710f9b0a 3153static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3154{
1da177e4 3155 struct l2cap_conf_req *req = data;
0c1bc5c6 3156 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3157 void *ptr = req->data;
c8f79162 3158 u16 size;
1da177e4 3159
49208c9c 3160 BT_DBG("chan %p", chan);
1da177e4 3161
73ffa904 3162 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3163 goto done;
3164
0c1bc5c6 3165 switch (chan->mode) {
f2fcfcd6
GP		 3166 case L2CAP_MODE_STREAMING:
3167 case L2CAP_MODE_ERTM:
c1360a1c 3168 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3169 break;
85eb53c6 3170
848566b3 3171 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3172 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3173
2ba13ed6 3174 /* fall through */
f2fcfcd6 3175 default:
8c1d787b 3176 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3177 break;
3178 }
3179
3180done:
0c1bc5c6
GP		 3181 if (chan->imtu != L2CAP_DEFAULT_MTU)
3182 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3183
0c1bc5c6 3184 switch (chan->mode) {
65c7c491 3185 case L2CAP_MODE_BASIC:
8c1d787b 3186 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3187 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3188 break;
3189
62547752
GP		 3190 rfc.mode = L2CAP_MODE_BASIC;
3191 rfc.txwin_size = 0;
3192 rfc.max_transmit = 0;
3193 rfc.retrans_timeout = 0;
3194 rfc.monitor_timeout = 0;
3195 rfc.max_pdu_size = 0;
3196
63406504 3197 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3198 (unsigned long) &rfc);
65c7c491
MH		 3199 break;
3200
3201 case L2CAP_MODE_ERTM:
3202 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3203 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3204
3205 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3206
3207 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3208 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3209 L2CAP_FCS_SIZE);
c8f79162 3210 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3211
6327eb98
AE		 3212 l2cap_txwin_setup(chan);
3213
3214 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3215 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3216
63406504 3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3218 (unsigned long) &rfc);
63406504 3219
f89cef09
AE		 3220 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3221 l2cap_add_opt_efs(&ptr, chan);
3222
6327eb98
AE		 3223 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3225 chan->tx_win);
60918918
AE		 3226
3227 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3228 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3229 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3230 chan->fcs = L2CAP_FCS_NONE;
3231 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3232 chan->fcs);
3233 }
f2fcfcd6
GP		 3234 break;
3235
3236 case L2CAP_MODE_STREAMING:
273759e2 3237 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3238 rfc.mode = L2CAP_MODE_STREAMING;
3239 rfc.txwin_size = 0;
3240 rfc.max_transmit = 0;
3241 rfc.retrans_timeout = 0;
3242 rfc.monitor_timeout = 0;
c8f79162
AE		 3243
3244 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3245 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3246 L2CAP_FCS_SIZE);
c8f79162 3247 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3248
63406504 3249 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3250 (unsigned long) &rfc);
63406504 3251
f89cef09
AE		 3252 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3253 l2cap_add_opt_efs(&ptr, chan);
3254
60918918
AE		 3255 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3256 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3257 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3258 chan->fcs = L2CAP_FCS_NONE;
3259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3260 chan->fcs);
3261 }
65c7c491
MH		 3262 break;
3263 }
1da177e4 3264
fe4128e0 3265 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3266 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3267
3268 return ptr - data;
3269}
3270
73ffa904 3271static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3272{
5dee9e7c
MH		 3273 struct l2cap_conf_rsp *rsp = data;
3274 void *ptr = rsp->data;
73ffa904
GP		 3275 void *req = chan->conf_req;
3276 int len = chan->conf_len;
5dee9e7c
MH		 3277 int type, hint, olen;
3278 unsigned long val;
6464f35f 3279 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3280 struct l2cap_conf_efs efs;
3281 u8 remote_efs = 0;
861d6882 3282 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3283 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3284 u16 size;
1da177e4 3285
73ffa904 3286 BT_DBG("chan %p", chan);
820ae1b8 3287
5dee9e7c
MH		 3288 while (len >= L2CAP_CONF_OPT_SIZE) {
3289 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3290
589d2746 3291 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3292 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3293
3294 switch (type) {
3295 case L2CAP_CONF_MTU:
861d6882 3296 mtu = val;
5dee9e7c
MH		 3297 break;
3298
3299 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3300 chan->flush_to = val;
5dee9e7c
MH		 3301 break;
3302
3303 case L2CAP_CONF_QOS:
3304 break;
3305
6464f35f
MH		 3306 case L2CAP_CONF_RFC:
3307 if (olen == sizeof(rfc))
3308 memcpy(&rfc, (void *) val, olen);
3309 break;
3310
fcc203c3
GP		 3311 case L2CAP_CONF_FCS:
3312 if (val == L2CAP_FCS_NONE)
f2592d3e 3313 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3314 break;
fcc203c3 3315
42dceae2
AE		 3316 case L2CAP_CONF_EFS:
3317 remote_efs = 1;
3318 if (olen == sizeof(efs))
3319 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3320 break;
3321
6327eb98 3322 case L2CAP_CONF_EWS:
848566b3 3323 if (!chan->conn->hs_enabled)
6327eb98 3324 return -ECONNREFUSED;
fcc203c3 3325
6327eb98
AE		 3326 set_bit(FLAG_EXT_CTRL, &chan->flags);
3327 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3328 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3329 chan->remote_tx_win = val;
fcc203c3
GP		 3330 break;
3331
5dee9e7c
MH		 3332 default:
3333 if (hint)
3334 break;
3335
3336 result = L2CAP_CONF_UNKNOWN;
3337 *((u8 *) ptr++) = type;
3338 break;
3339 }
3340 }
3341
73ffa904 3342 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3343 goto done;
3344
0c1bc5c6 3345 switch (chan->mode) {
f2fcfcd6
GP		 3346 case L2CAP_MODE_STREAMING:
3347 case L2CAP_MODE_ERTM:
c1360a1c 3348 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3349 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3350 chan->conn->feat_mask);
85eb53c6
GP		 3351 break;
3352 }
3353
42dceae2 3354 if (remote_efs) {
848566b3 3355 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3356 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3357 else
3358 return -ECONNREFUSED;
3359 }
3360
0c1bc5c6 3361 if (chan->mode != rfc.mode)
f2fcfcd6 3362 return -ECONNREFUSED;
742e519b 3363
f2fcfcd6 3364 break;
f2fcfcd6
GP		 3365 }
3366
3367done:
0c1bc5c6 3368 if (chan->mode != rfc.mode) {
f2fcfcd6 3369 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3370 rfc.mode = chan->mode;
f2fcfcd6 3371
73ffa904 3372 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3373 return -ECONNREFUSED;
3374
2d792818
GP		 3375 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3376 (unsigned long) &rfc);
f2fcfcd6
GP		 3377 }
3378
5dee9e7c
MH		 3379 if (result == L2CAP_CONF_SUCCESS) {
3380 /* Configure output options and let the other side know
3381 * which ones we don't like. */
3382
f2fcfcd6
GP		 3383 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3384 result = L2CAP_CONF_UNACCEPT;
3385 else {
0c1bc5c6 3386 chan->omtu = mtu;
c1360a1c 3387 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3388 }
0c1bc5c6 3389 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3390
42dceae2
AE		 3391 if (remote_efs) {
3392 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3393 efs.stype != L2CAP_SERV_NOTRAFIC &&
3394 efs.stype != chan->local_stype) {
42dceae2
AE		 3395
3396 result = L2CAP_CONF_UNACCEPT;
3397
3398 if (chan->num_conf_req >= 1)
3399 return -ECONNREFUSED;
3400
3401 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3402 sizeof(efs),
3403 (unsigned long) &efs);
0e8b207e 3404 } else {
3e6b3b95 3405 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3406 result = L2CAP_CONF_PENDING;
3407 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3408 }
3409 }
3410
f2fcfcd6
GP		 3411 switch (rfc.mode) {
3412 case L2CAP_MODE_BASIC:
47d1ec61 3413 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3414 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3415 break;
3416
3417 case L2CAP_MODE_ERTM:
6327eb98
AE		 3418 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3419 chan->remote_tx_win = rfc.txwin_size;
3420 else
3421 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3422
2c03a7a4 3423 chan->remote_max_tx = rfc.max_transmit;
1c762159 3424
c8f79162 3425 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3426 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3427 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3428 rfc.max_pdu_size = cpu_to_le16(size);
3429 chan->remote_mps = size;
f2fcfcd6 3430
36c86c85 3431 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3432
c1360a1c 3433 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3434
3435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3436 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3437
42dceae2
AE		 3438 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3439 chan->remote_id = efs.id;
3440 chan->remote_stype = efs.stype;
3441 chan->remote_msdu = le16_to_cpu(efs.msdu);
3442 chan->remote_flush_to =
2d792818 3443 le32_to_cpu(efs.flush_to);
42dceae2 3444 chan->remote_acc_lat =
2d792818 3445 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3446 chan->remote_sdu_itime =
3447 le32_to_cpu(efs.sdu_itime);
3448 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3449 sizeof(efs),
3450 (unsigned long) &efs);
42dceae2 3451 }
f2fcfcd6
GP		 3452 break;
3453
3454 case L2CAP_MODE_STREAMING:
c8f79162 3455 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3456 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3457 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3458 rfc.max_pdu_size = cpu_to_le16(size);
3459 chan->remote_mps = size;
f2fcfcd6 3460
c1360a1c 3461 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3462
2d792818
GP		 3463 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3464 (unsigned long) &rfc);
68ae6639 3465
f2fcfcd6
GP		 3466 break;
3467
3468 default:
5dee9e7c 3469 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3470
6464f35f 3471 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3472 rfc.mode = chan->mode;
f2fcfcd6 3473 }
6464f35f 3474
f2fcfcd6 3475 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3476 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3477 }
fe4128e0 3478 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3479 rsp->result = cpu_to_le16(result);
59e54bd1 3480 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3481
3482 return ptr - data;
1da177e4
LT		 3483}
3484
2d792818
GP		 3485static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3486 void *data, u16 *result)
f2fcfcd6 3487{
f2fcfcd6
GP		 3488 struct l2cap_conf_req *req = data;
3489 void *ptr = req->data;
3490 int type, olen;
3491 unsigned long val;
36e999a8 3492 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3493 struct l2cap_conf_efs efs;
f2fcfcd6 3494
fe4128e0 3495 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3496
3497 while (len >= L2CAP_CONF_OPT_SIZE) {
3498 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3499
3500 switch (type) {
3501 case L2CAP_CONF_MTU:
3502 if (val < L2CAP_DEFAULT_MIN_MTU) {
3503 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3504 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3505 } else
0c1bc5c6
GP		 3506 chan->imtu = val;
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3508 break;
3509
3510 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3511 chan->flush_to = val;
f2fcfcd6 3512 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3513 2, chan->flush_to);
f2fcfcd6
GP		 3514 break;
3515
3516 case L2CAP_CONF_RFC:
3517 if (olen == sizeof(rfc))
3518 memcpy(&rfc, (void *)val, olen);
3519
c1360a1c 3520 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3521 rfc.mode != chan->mode)
f2fcfcd6
GP		 3522 return -ECONNREFUSED;
3523
47d1ec61 3524 chan->fcs = 0;
f2fcfcd6
GP		 3525
3526 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3527 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3528 break;
6327eb98
AE		 3529
3530 case L2CAP_CONF_EWS:
c20f8e35 3531 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3533 chan->tx_win);
6327eb98 3534 break;
66af7aaf
AE		 3535
3536 case L2CAP_CONF_EFS:
3537 if (olen == sizeof(efs))
3538 memcpy(&efs, (void *)val, olen);
3539
3540 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3541 efs.stype != L2CAP_SERV_NOTRAFIC &&
3542 efs.stype != chan->local_stype)
66af7aaf
AE		 3543 return -ECONNREFUSED;
3544
2d792818
GP		 3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3546 (unsigned long) &efs);
66af7aaf 3547 break;
cbabee78
AE		 3548
3549 case L2CAP_CONF_FCS:
3550 if (*result == L2CAP_CONF_PENDING)
3551 if (val == L2CAP_FCS_NONE)
f2592d3e 3552 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3553 &chan->conf_state);
3554 break;
f2fcfcd6
GP		 3555 }
3556 }
3557
0c1bc5c6 3558 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3559 return -ECONNREFUSED;
3560
0c1bc5c6 3561 chan->mode = rfc.mode;
6c2ea7a8 3562
0e8b207e 3563 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3564 switch (rfc.mode) {
3565 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3566 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3567 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3568 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3569 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3570 chan->ack_win = min_t(u16, chan->ack_win,
3571 rfc.txwin_size);
66af7aaf
AE		 3572
3573 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3574 chan->local_msdu = le16_to_cpu(efs.msdu);
3575 chan->local_sdu_itime =
2d792818 3576 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3577 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3578 chan->local_flush_to =
2d792818 3579 le32_to_cpu(efs.flush_to);
66af7aaf 3580 }
f2fcfcd6 3581 break;
66af7aaf 3582
f2fcfcd6 3583 case L2CAP_MODE_STREAMING:
47d1ec61 3584 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3585 }
3586 }
3587
fe4128e0 3588 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3589 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3590
3591 return ptr - data;
3592}
3593
2d792818
GP		 3594static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3595 u16 result, u16 flags)
1da177e4
LT		 3596{
3597 struct l2cap_conf_rsp *rsp = data;
3598 void *ptr = rsp->data;
1da177e4 3599
fe4128e0 3600 BT_DBG("chan %p", chan);
1da177e4 3601
fe4128e0 3602 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3603 rsp->result = cpu_to_le16(result);
aca3192c 3604 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3605
3606 return ptr - data;
3607}
3608
8c1d787b 3609void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3610{
3611 struct l2cap_conn_rsp rsp;
8c1d787b 3612 struct l2cap_conn *conn = chan->conn;
710f9b0a 3613 u8 buf[128];
439f34ac 3614 u8 rsp_code;
710f9b0a 3615
fe4128e0
GP		 3616 rsp.scid = cpu_to_le16(chan->dcid);
3617 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3618 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3619 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3620
3621 if (chan->hs_hcon)
3622 rsp_code = L2CAP_CREATE_CHAN_RSP;
3623 else
3624 rsp_code = L2CAP_CONN_RSP;
3625
3626 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3627
3628 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3629
c1360a1c 3630 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3631 return;
3632
710f9b0a 3633 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3634 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3635 chan->num_conf_req++;
3636}
3637
47d1ec61 3638static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3639{
7b1c0049
GP		 3640 int type, olen;
3641 unsigned long val;
c20f8e35
MM		 3642 /* Use sane default values in case a misbehaving remote device
3643 * did not send an RFC or extended window size option.
3644 */
3645 u16 txwin_ext = chan->ack_win;
3646 struct l2cap_conf_rfc rfc = {
3647 .mode = chan->mode,
3648 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3649 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3650 .max_pdu_size = cpu_to_le16(chan->imtu),
3651 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3652 };
7b1c0049 3653
47d1ec61 3654 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3655
0c1bc5c6 3656 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3657 return;
3658
3659 while (len >= L2CAP_CONF_OPT_SIZE) {
3660 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3661
c20f8e35
MM		 3662 switch (type) {
3663 case L2CAP_CONF_RFC:
3664 if (olen == sizeof(rfc))
3665 memcpy(&rfc, (void *)val, olen);
8f321f85 3666 break;
c20f8e35
MM		 3667 case L2CAP_CONF_EWS:
3668 txwin_ext = val;
3669 break;
3670 }
7b1c0049
GP		 3671 }
3672
7b1c0049
GP		 3673 switch (rfc.mode) {
3674 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3675 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3676 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3677 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3678 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3679 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3680 else
3681 chan->ack_win = min_t(u16, chan->ack_win,
3682 rfc.txwin_size);
7b1c0049
GP		 3683 break;
3684 case L2CAP_MODE_STREAMING:
47d1ec61 3685 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3686 }
3687}
3688
2d792818 3689static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3690 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3691 u8 *data)
4e8402a3 3692{
e2fd318e 3693 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3694
cb3b3152
JH		 3695 if (cmd_len < sizeof(*rej))
3696 return -EPROTO;
3697
e2fd318e 3698 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3699 return 0;
3700
3701 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3702 cmd->ident == conn->info_ident) {
17cd3f37 3703 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3704
3705 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3706 conn->info_ident = 0;
984947dc 3707
4e8402a3
MH		 3708 l2cap_conn_start(conn);
3709 }
3710
3711 return 0;
3712}
3713
1700915f
MM		 3714static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3715 struct l2cap_cmd_hdr *cmd,
3716 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3717{
1da177e4
LT		 3718 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3719 struct l2cap_conn_rsp rsp;
23691d75 3720 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3721 struct sock *parent, *sk = NULL;
e7c29cb1 3722 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3723
3724 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3725 __le16 psm = req->psm;
1da177e4 3726
097db76c 3727 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3728
3729 /* Check if we have socket listening on psm */
6f59b904 3730 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
98e0f7ea 3731 &conn->hcon->dst);
23691d75 3732 if (!pchan) {
1da177e4
LT		 3733 result = L2CAP_CR_BAD_PSM;
3734 goto sendresp;
3735 }
3736
23691d75
GP		 3737 parent = pchan->sk;
3738
3df91ea2 3739 mutex_lock(&conn->chan_lock);
aa2ac881 3740 lock_sock(parent);
e0f0cb56 3741
e7c29cb1 3742 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3743 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3744 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3745 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3746 result = L2CAP_CR_SEC_BLOCK;
3747 goto response;
3748 }
3749
1da177e4
LT		 3750 result = L2CAP_CR_NO_MEM;
3751
2dfa1003
GP		 3752 /* Check if we already have channel with that dcid */
3753 if (__l2cap_get_chan_by_dcid(conn, scid))
3754 goto response;
3755
80b98027 3756 chan = pchan->ops->new_connection(pchan);
80808e43 3757 if (!chan)
1da177e4
LT		 3758 goto response;
3759
80808e43
GP		 3760 sk = chan->sk;
3761
330b6c15
SS		 3762 /* For certain devices (ex: HID mouse), support for authentication,
3763 * pairing and bonding is optional. For such devices, inorder to avoid
3764 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3765 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3766 */
3767 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3768
7eafc59e
MH		 3769 bacpy(&chan->src, &conn->hcon->src);
3770 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3771 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3772 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3773 chan->psm = psm;
3774 chan->dcid = scid;
1700915f 3775 chan->local_amp_id = amp_id;
1da177e4 3776
6be36555 3777 __l2cap_chan_add(conn, chan);
48454079 3778
fe4128e0 3779 dcid = chan->scid;
1da177e4 3780
8d836d71 3781 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3782
fc7f8a7e 3783 chan->ident = cmd->ident;
1da177e4 3784
984947dc 3785 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3786 if (l2cap_chan_check_security(chan)) {
bdc25783 3787 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
0e587be7 3788 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3789 result = L2CAP_CR_PEND;
3790 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3791 chan->ops->defer(chan);
f66dc81f 3792 } else {
1700915f
MM		 3793 /* Force pending result for AMP controllers.
3794 * The connection will succeed after the
3795 * physical link is up.
3796 */
6ed971ca 3797 if (amp_id == AMP_ID_BREDR) {
1700915f
MM		 3798 __l2cap_state_change(chan, BT_CONFIG);
3799 result = L2CAP_CR_SUCCESS;
6ed971ca
MH		 3800 } else {
3801 __l2cap_state_change(chan, BT_CONNECT2);
3802 result = L2CAP_CR_PEND;
1700915f 3803 }
f66dc81f
MH		 3804 status = L2CAP_CS_NO_INFO;
3805 }
79d554a6 3806 } else {
0e587be7 3807 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3808 result = L2CAP_CR_PEND;
3809 status = L2CAP_CS_AUTHEN_PEND;
3810 }
3811 } else {
0e587be7 3812 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3813 result = L2CAP_CR_PEND;
3814 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3815 }
3816
1da177e4 3817response:
aa2ac881 3818 release_sock(parent);
3df91ea2 3819 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3820
3821sendresp:
aca3192c
YH		 3822 rsp.scid = cpu_to_le16(scid);
3823 rsp.dcid = cpu_to_le16(dcid);
3824 rsp.result = cpu_to_le16(result);
3825 rsp.status = cpu_to_le16(status);
4c89b6aa 3826 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3827
3828 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3829 struct l2cap_info_req info;
ac73498c 3830 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3831
3832 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3833 conn->info_ident = l2cap_get_ident(conn);
3834
ba13ccd9 3835 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3836
2d792818
GP		 3837 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3838 sizeof(info), &info);
79d554a6
MH		 3839 }
3840
c1360a1c 3841 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3842 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3843 u8 buf[128];
c1360a1c 3844 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3845 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3846 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3847 chan->num_conf_req++;
e9aeb2dd 3848 }
1700915f
MM		 3849
3850 return chan;
4c89b6aa 3851}
e9aeb2dd 3852
4c89b6aa 3853static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3854 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3855{
7b064eda
JK		 3856 struct hci_dev *hdev = conn->hcon->hdev;
3857 struct hci_conn *hcon = conn->hcon;
3858
cb3b3152
JH		 3859 if (cmd_len < sizeof(struct l2cap_conn_req))
3860 return -EPROTO;
3861
7b064eda
JK		 3862 hci_dev_lock(hdev);
3863 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3864 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3865 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3866 hcon->dst_type, 0, NULL, 0,
3867 hcon->dev_class);
3868 hci_dev_unlock(hdev);
3869
300229f9 3870 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3871 return 0;
3872}
3873
5909cf30 3874static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3875 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3876 u8 *data)
1da177e4
LT		 3877{
3878 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3879 u16 scid, dcid, result, status;
48454079 3880 struct l2cap_chan *chan;
1da177e4 3881 u8 req[128];
3df91ea2 3882 int err;
1da177e4 3883
cb3b3152
JH		 3884 if (cmd_len < sizeof(*rsp))
3885 return -EPROTO;
3886
1da177e4
LT		 3887 scid = __le16_to_cpu(rsp->scid);
3888 dcid = __le16_to_cpu(rsp->dcid);
3889 result = __le16_to_cpu(rsp->result);
3890 status = __le16_to_cpu(rsp->status);
3891
1b009c98 3892 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3893 dcid, scid, result, status);
1da177e4 3894
3df91ea2
AE		 3895 mutex_lock(&conn->chan_lock);
3896
1da177e4 3897 if (scid) {
3df91ea2
AE		 3898 chan = __l2cap_get_chan_by_scid(conn, scid);
3899 if (!chan) {
21870b52 3900 err = -EBADSLT;
3df91ea2
AE		 3901 goto unlock;
3902 }
1da177e4 3903 } else {
3df91ea2
AE		 3904 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3905 if (!chan) {
21870b52 3906 err = -EBADSLT;
3df91ea2
AE		 3907 goto unlock;
3908 }
1da177e4
LT		 3909 }
3910
3df91ea2
AE		 3911 err = 0;
3912
6be36555 3913 l2cap_chan_lock(chan);
48454079 3914
1da177e4
LT		 3915 switch (result) {
3916 case L2CAP_CR_SUCCESS:
89bc500e 3917 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3918 chan->ident = 0;
fe4128e0 3919 chan->dcid = dcid;
c1360a1c 3920 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3921
c1360a1c 3922 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3923 break;
3924
1da177e4 3925 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3926 l2cap_build_conf_req(chan, req), req);
73ffa904 3927 chan->num_conf_req++;
1da177e4
LT		 3928 break;
3929
3930 case L2CAP_CR_PEND:
c1360a1c 3931 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3932 break;
3933
3934 default:
48454079 3935 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3936 break;
3937 }
3938
6be36555 3939 l2cap_chan_unlock(chan);
3df91ea2
AE		 3940
3941unlock:
3942 mutex_unlock(&conn->chan_lock);
3943
3944 return err;
1da177e4
LT		 3945}
3946
47d1ec61 3947static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3948{
3949 /* FCS is enabled only in ERTM or streaming mode, if one or both
3950 * sides request it.
3951 */
0c1bc5c6 3952 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3953 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3954 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3955 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3956}
3957
29d8a590
AE		 3958static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3959 u8 ident, u16 flags)
3960{
3961 struct l2cap_conn *conn = chan->conn;
3962
3963 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3964 flags);
3965
3966 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3967 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3968
3969 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3970 l2cap_build_conf_rsp(chan, data,
3971 L2CAP_CONF_SUCCESS, flags), data);
3972}
3973
662d652d
JH		 3974static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3975 u16 scid, u16 dcid)
3976{
3977 struct l2cap_cmd_rej_cid rej;
3978
3979 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3980 rej.scid = __cpu_to_le16(scid);
3981 rej.dcid = __cpu_to_le16(dcid);
3982
3983 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3984}
3985
2d792818
GP		 3986static inline int l2cap_config_req(struct l2cap_conn *conn,
3987 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3988 u8 *data)
1da177e4
LT		 3989{
3990 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3991 u16 dcid, flags;
3992 u8 rsp[64];
48454079 3993 struct l2cap_chan *chan;
3c588192 3994 int len, err = 0;
1da177e4 3995
cb3b3152
JH		 3996 if (cmd_len < sizeof(*req))
3997 return -EPROTO;
3998
1da177e4
LT		 3999 dcid = __le16_to_cpu(req->dcid);
4000 flags = __le16_to_cpu(req->flags);
4001
4002 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4003
baa7e1fa 4004 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4005 if (!chan) {
4006 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4007 return 0;
4008 }
1da177e4 4009
033b1142 4010 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4011 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4012 chan->dcid);
354f60a9 4013 goto unlock;
df6bd743 4014 }
354f60a9 4015
5dee9e7c 4016 /* Reject if config buffer is too small. */
88219a0f 4017 len = cmd_len - sizeof(*req);
cb3b3152 4018 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4019 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4020 l2cap_build_conf_rsp(chan, rsp,
4021 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4022 goto unlock;
4023 }
4024
4025 /* Store config. */
73ffa904
GP		 4026 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4027 chan->conf_len += len;
1da177e4 4028
59e54bd1 4029 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4030 /* Incomplete config. Send empty response. */
4031 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4032 l2cap_build_conf_rsp(chan, rsp,
4033 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4034 goto unlock;
4035 }
4036
4037 /* Complete config. */
73ffa904 4038 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4039 if (len < 0) {
5e4e3972 4040 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4041 goto unlock;
f2fcfcd6 4042 }
1da177e4 4043
1500109b 4044 chan->ident = cmd->ident;
5dee9e7c 4045 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4046 chan->num_conf_rsp++;
5dee9e7c 4047
5dee9e7c 4048 /* Reset config buffer. */
73ffa904 4049 chan->conf_len = 0;
5dee9e7c 4050
c1360a1c 4051 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4052 goto unlock;
4053
c1360a1c 4054 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4055 set_default_fcs(chan);
fcc203c3 4056
105bdf9e
MM		 4057 if (chan->mode == L2CAP_MODE_ERTM ||
4058 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4059 err = l2cap_ertm_init(chan);
4060
4061 if (err < 0)
5e4e3972 4062 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4063 else
4064 l2cap_chan_ready(chan);
0565c1c2 4065
876d9484
MH		 4066 goto unlock;
4067 }
4068
c1360a1c 4069 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4070 u8 buf[64];
1da177e4 4071 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4072 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4073 chan->num_conf_req++;
1da177e4
LT		 4074 }
4075
0e8b207e
AE		 4076 /* Got Conf Rsp PENDING from remote side and asume we sent
4077 Conf Rsp PENDING in the code above */
4078 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4079 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4080
4081 /* check compatibility */
4082
79de886d 4083 /* Send rsp for BR/EDR channel */
f351bc72 4084 if (!chan->hs_hcon)
79de886d
AE		 4085 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4086 else
4087 chan->ident = cmd->ident;
0e8b207e
AE		 4088 }
4089
1da177e4 4090unlock:
6be36555 4091 l2cap_chan_unlock(chan);
3c588192 4092 return err;
1da177e4
LT		 4093}
4094
2d792818 4095static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4096 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4097 u8 *data)
1da177e4
LT		 4098{
4099 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4100 u16 scid, flags, result;
48454079 4101 struct l2cap_chan *chan;
cb3b3152 4102 int len = cmd_len - sizeof(*rsp);
3c588192 4103 int err = 0;
1da177e4 4104
cb3b3152
JH		 4105 if (cmd_len < sizeof(*rsp))
4106 return -EPROTO;
4107
1da177e4
LT		 4108 scid = __le16_to_cpu(rsp->scid);
4109 flags = __le16_to_cpu(rsp->flags);
4110 result = __le16_to_cpu(rsp->result);
4111
61386cba
AE		 4112 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4113 result, len);
1da177e4 4114
baa7e1fa 4115 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4116 if (!chan)
1da177e4
LT		 4117 return 0;
4118
4119 switch (result) {
4120 case L2CAP_CONF_SUCCESS:
47d1ec61 4121 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4122 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4123 break;
4124
0e8b207e
AE		 4125 case L2CAP_CONF_PENDING:
4126 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4127
4128 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4129 char buf[64];
4130
4131 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4132 buf, &result);
0e8b207e 4133 if (len < 0) {
5e4e3972 4134 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4135 goto done;
4136 }
4137
f351bc72 4138 if (!chan->hs_hcon) {
79de886d
AE		 4139 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4140 0);
5ce66b59
AE		 4141 } else {
4142 if (l2cap_check_efs(chan)) {
4143 amp_create_logical_link(chan);
4144 chan->ident = cmd->ident;
4145 }
4146 }
0e8b207e
AE		 4147 }
4148 goto done;
4149
1da177e4 4150 case L2CAP_CONF_UNACCEPT:
73ffa904 4151 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4152 char req[64];
4153
c2c77ec8 4154 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4155 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4156 goto done;
4157 }
4158
f2fcfcd6
GP		 4159 /* throw out any old stored conf requests */
4160 result = L2CAP_CONF_SUCCESS;
b4450035 4161 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4162 req, &result);
f2fcfcd6 4163 if (len < 0) {
5e4e3972 4164 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4165 goto done;
4166 }
4167
4168 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4169 L2CAP_CONF_REQ, len, req);
73ffa904 4170 chan->num_conf_req++;
f2fcfcd6
GP		 4171 if (result != L2CAP_CONF_SUCCESS)
4172 goto done;
4173 break;
1da177e4
LT		 4174 }
4175
8e87d142 4176 default:
6be36555 4177 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4178
ba13ccd9 4179 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4180 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4181 goto done;
4182 }
4183
59e54bd1 4184 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4185 goto done;
4186
c1360a1c 4187 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4188
c1360a1c 4189 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4190 set_default_fcs(chan);
fcc203c3 4191
105bdf9e
MM		 4192 if (chan->mode == L2CAP_MODE_ERTM ||
4193 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4194 err = l2cap_ertm_init(chan);
0565c1c2 4195
3c588192 4196 if (err < 0)
5e4e3972 4197 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4198 else
4199 l2cap_chan_ready(chan);
1da177e4
LT		 4200 }
4201
4202done:
6be36555 4203 l2cap_chan_unlock(chan);
3c588192 4204 return err;
1da177e4
LT		 4205}
4206
2d792818 4207static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4208 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4209 u8 *data)
1da177e4
LT		 4210{
4211 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4212 struct l2cap_disconn_rsp rsp;
4213 u16 dcid, scid;
48454079 4214 struct l2cap_chan *chan;
1da177e4 4215
cb3b3152
JH		 4216 if (cmd_len != sizeof(*req))
4217 return -EPROTO;
4218
1da177e4
LT		 4219 scid = __le16_to_cpu(req->scid);
4220 dcid = __le16_to_cpu(req->dcid);
4221
4222 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4223
3df91ea2
AE		 4224 mutex_lock(&conn->chan_lock);
4225
4226 chan = __l2cap_get_chan_by_scid(conn, dcid);
4227 if (!chan) {
4228 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4229 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4230 return 0;
3df91ea2 4231 }
1da177e4 4232
6be36555
AE		 4233 l2cap_chan_lock(chan);
4234
fe4128e0
GP		 4235 rsp.dcid = cpu_to_le16(chan->scid);
4236 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4237 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4238
5ec1bbe5 4239 chan->ops->set_shutdown(chan);
1da177e4 4240
61d6ef3e 4241 l2cap_chan_hold(chan);
48454079 4242 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4243
4244 l2cap_chan_unlock(chan);
1da177e4 4245
80b98027 4246 chan->ops->close(chan);
61d6ef3e 4247 l2cap_chan_put(chan);
3df91ea2
AE		 4248
4249 mutex_unlock(&conn->chan_lock);
4250
1da177e4
LT		 4251 return 0;
4252}
4253
2d792818 4254static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4255 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4256 u8 *data)
1da177e4
LT		 4257{
4258 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4259 u16 dcid, scid;
48454079 4260 struct l2cap_chan *chan;
1da177e4 4261
cb3b3152
JH		 4262 if (cmd_len != sizeof(*rsp))
4263 return -EPROTO;
4264
1da177e4
LT		 4265 scid = __le16_to_cpu(rsp->scid);
4266 dcid = __le16_to_cpu(rsp->dcid);
4267
4268 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4269
3df91ea2
AE		 4270 mutex_lock(&conn->chan_lock);
4271
4272 chan = __l2cap_get_chan_by_scid(conn, scid);
4273 if (!chan) {
4274 mutex_unlock(&conn->chan_lock);
1da177e4 4275 return 0;
3df91ea2 4276 }
1da177e4 4277
6be36555 4278 l2cap_chan_lock(chan);
48454079 4279
61d6ef3e 4280 l2cap_chan_hold(chan);
48454079 4281 l2cap_chan_del(chan, 0);
6be36555
AE		 4282
4283 l2cap_chan_unlock(chan);
1da177e4 4284
80b98027 4285 chan->ops->close(chan);
61d6ef3e 4286 l2cap_chan_put(chan);
3df91ea2
AE		 4287
4288 mutex_unlock(&conn->chan_lock);
4289
1da177e4
LT		 4290 return 0;
4291}
4292
2d792818 4293static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4294 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4295 u8 *data)
1da177e4
LT		 4296{
4297 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4298 u16 type;
4299
cb3b3152
JH		 4300 if (cmd_len != sizeof(*req))
4301 return -EPROTO;
4302
1da177e4
LT		 4303 type = __le16_to_cpu(req->type);
4304
4305 BT_DBG("type 0x%4.4x", type);
4306
f0709e03
MH		 4307 if (type == L2CAP_IT_FEAT_MASK) {
4308 u8 buf[8];
44dd46de 4309 u32 feat_mask = l2cap_feat_mask;
f0709e03 4310 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4311 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4312 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4313 if (!disable_ertm)
fcc203c3 4314 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4315 | L2CAP_FEAT_FCS;
848566b3 4316 if (conn->hs_enabled)
6327eb98 4317 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4318 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4319
1b7bf4ed 4320 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4321 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4322 buf);
e1027a7c
MH		 4323 } else if (type == L2CAP_IT_FIXED_CHAN) {
4324 u8 buf[12];
4325 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4326
848566b3 4327 if (conn->hs_enabled)
50a147cd
MM		 4328 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4329 else
4330 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4331
ac73498c
AE		 4332 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4333 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4334 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4335 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4336 buf);
f0709e03
MH		 4337 } else {
4338 struct l2cap_info_rsp rsp;
4339 rsp.type = cpu_to_le16(type);
ac73498c 4340 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4341 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4342 &rsp);
f0709e03 4343 }
1da177e4
LT		 4344
4345 return 0;
4346}
4347
2d792818 4348static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4349 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4350 u8 *data)
1da177e4
LT		 4351{
4352 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4353 u16 type, result;
4354
3f6fa3d4 4355 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4356 return -EPROTO;
4357
1da177e4
LT		 4358 type = __le16_to_cpu(rsp->type);
4359 result = __le16_to_cpu(rsp->result);
4360
4361 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4362
e90165be
AE		 4363 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4364 if (cmd->ident != conn->info_ident ||
2d792818 4365 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4366 return 0;
4367
17cd3f37 4368 cancel_delayed_work(&conn->info_timer);
4e8402a3 4369
adb08ede
VT		 4370 if (result != L2CAP_IR_SUCCESS) {
4371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4372 conn->info_ident = 0;
4373
4374 l2cap_conn_start(conn);
4375
4376 return 0;
4377 }
4378
978c93b9
AE		 4379 switch (type) {
4380 case L2CAP_IT_FEAT_MASK:
83985319 4381 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4382
47ec1dcd 4383 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4384 struct l2cap_info_req req;
ac73498c 4385 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4386
4387 conn->info_ident = l2cap_get_ident(conn);
4388
4389 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4390 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4391 } else {
4392 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4393 conn->info_ident = 0;
4394
4395 l2cap_conn_start(conn);
4396 }
978c93b9
AE		 4397 break;
4398
4399 case L2CAP_IT_FIXED_CHAN:
4400 conn->fixed_chan_mask = rsp->data[0];
984947dc 4401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4402 conn->info_ident = 0;
984947dc
MH		 4403
4404 l2cap_conn_start(conn);
978c93b9 4405 break;
984947dc 4406 }
4e8402a3 4407
1da177e4
LT		 4408 return 0;
4409}
4410
1700915f
MM		 4411static int l2cap_create_channel_req(struct l2cap_conn *conn,
4412 struct l2cap_cmd_hdr *cmd,
4413 u16 cmd_len, void *data)
f94ff6ff
MM		 4414{
4415 struct l2cap_create_chan_req *req = data;
6e1df6a6 4416 struct l2cap_create_chan_rsp rsp;
1700915f 4417 struct l2cap_chan *chan;
6e1df6a6 4418 struct hci_dev *hdev;
f94ff6ff
MM		 4419 u16 psm, scid;
4420
4421 if (cmd_len != sizeof(*req))
4422 return -EPROTO;
4423
848566b3 4424 if (!conn->hs_enabled)
f94ff6ff
MM		 4425 return -EINVAL;
4426
4427 psm = le16_to_cpu(req->psm);
4428 scid = le16_to_cpu(req->scid);
4429
ad0ac6ca 4430 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4431
6e1df6a6 4432 /* For controller id 0 make BR/EDR connection */
6ed971ca 4433 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4434 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4435 req->amp_id);
4436 return 0;
4437 }
1700915f 4438
6e1df6a6
AE		 4439 /* Validate AMP controller id */
4440 hdev = hci_dev_get(req->amp_id);
4441 if (!hdev)
4442 goto error;
1700915f 4443
6e1df6a6
AE		 4444 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4445 hci_dev_put(hdev);
4446 goto error;
4447 }
1700915f 4448
6e1df6a6
AE		 4449 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4450 req->amp_id);
4451 if (chan) {
4452 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4453 struct hci_conn *hs_hcon;
1700915f 4454
98e0f7ea
MH		 4455 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4456 &conn->hcon->dst);
6e1df6a6
AE		 4457 if (!hs_hcon) {
4458 hci_dev_put(hdev);
662d652d
JH		 4459 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4460 chan->dcid);
4461 return 0;
1700915f
MM		 4462 }
4463
6e1df6a6
AE		 4464 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4465
6e1df6a6
AE		 4466 mgr->bredr_chan = chan;
4467 chan->hs_hcon = hs_hcon;
fd45bf4c 4468 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4469 conn->mtu = hdev->block_mtu;
1700915f 4470 }
f94ff6ff 4471
6e1df6a6 4472 hci_dev_put(hdev);
f94ff6ff
MM		 4473
4474 return 0;
6e1df6a6
AE		 4475
4476error:
4477 rsp.dcid = 0;
4478 rsp.scid = cpu_to_le16(scid);
4479 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4480 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4481
4482 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4483 sizeof(rsp), &rsp);
4484
dc280801 4485 return 0;
f94ff6ff
MM		 4486}
4487
8eb200bd
MM		 4488static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4489{
4490 struct l2cap_move_chan_req req;
4491 u8 ident;
4492
4493 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4494
4495 ident = l2cap_get_ident(chan->conn);
4496 chan->ident = ident;
4497
4498 req.icid = cpu_to_le16(chan->scid);
4499 req.dest_amp_id = dest_amp_id;
4500
4501 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4502 &req);
4503
4504 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4505}
4506
1500109b 4507static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4508{
4509 struct l2cap_move_chan_rsp rsp;
4510
1500109b 4511 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4512
1500109b 4513 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4514 rsp.result = cpu_to_le16(result);
4515
1500109b
MM		 4516 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4517 sizeof(rsp), &rsp);
8d5a04a1
MM		 4518}
4519
5b155ef9 4520static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4521{
4522 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4523
5b155ef9 4524 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4525
5b155ef9 4526 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4527
5b155ef9 4528 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4529 cfm.result = cpu_to_le16(result);
4530
5b155ef9
MM		 4531 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4532 sizeof(cfm), &cfm);
4533
4534 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4535}
4536
4537static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4538{
4539 struct l2cap_move_chan_cfm cfm;
4540
4541 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4542
4543 cfm.icid = cpu_to_le16(icid);
4544 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4545
4546 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4547 sizeof(cfm), &cfm);
8d5a04a1
MM		 4548}
4549
4550static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4551 u16 icid)
8d5a04a1
MM		 4552{
4553 struct l2cap_move_chan_cfm_rsp rsp;
4554
ad0ac6ca 4555 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4556
4557 rsp.icid = cpu_to_le16(icid);
4558 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4559}
4560
5f3847a4
MM		 4561static void __release_logical_link(struct l2cap_chan *chan)
4562{
4563 chan->hs_hchan = NULL;
4564 chan->hs_hcon = NULL;
4565
4566 /* Placeholder - release the logical link */
4567}
4568
1500109b
MM		 4569static void l2cap_logical_fail(struct l2cap_chan *chan)
4570{
4571 /* Logical link setup failed */
4572 if (chan->state != BT_CONNECTED) {
4573 /* Create channel failure, disconnect */
5e4e3972 4574 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4575 return;
4576 }
4577
4578 switch (chan->move_role) {
4579 case L2CAP_MOVE_ROLE_RESPONDER:
4580 l2cap_move_done(chan);
4581 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4582 break;
4583 case L2CAP_MOVE_ROLE_INITIATOR:
4584 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4585 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4586 /* Remote has only sent pending or
4587 * success responses, clean up
4588 */
4589 l2cap_move_done(chan);
4590 }
4591
4592 /* Other amp move states imply that the move
4593 * has already aborted
4594 */
4595 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4596 break;
4597 }
4598}
4599
4600static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4601 struct hci_chan *hchan)
4602{
4603 struct l2cap_conf_rsp rsp;
1500109b 4604
336178a3 4605 chan->hs_hchan = hchan;
1500109b
MM		 4606 chan->hs_hcon->l2cap_data = chan->conn;
4607
35ba9561 4608 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4609
4610 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4611 int err;
1500109b
MM		 4612
4613 set_default_fcs(chan);
4614
4615 err = l2cap_ertm_init(chan);
4616 if (err < 0)
5e4e3972 4617 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4618 else
4619 l2cap_chan_ready(chan);
4620 }
4621}
4622
4623static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4624 struct hci_chan *hchan)
4625{
4626 chan->hs_hcon = hchan->conn;
4627 chan->hs_hcon->l2cap_data = chan->conn;
4628
4629 BT_DBG("move_state %d", chan->move_state);
4630
4631 switch (chan->move_state) {
4632 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4633 /* Move confirm will be sent after a success
4634 * response is received
4635 */
4636 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4637 break;
4638 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4639 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4640 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4641 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4642 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4643 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4644 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4645 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4646 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4647 }
4648 break;
4649 default:
4650 /* Move was not in expected state, free the channel */
4651 __release_logical_link(chan);
4652
4653 chan->move_state = L2CAP_MOVE_STABLE;
4654 }
4655}
4656
4657/* Call with chan locked */
27695fb4
AE		 4658void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4659 u8 status)
5b155ef9 4660{
1500109b
MM		 4661 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4662
4663 if (status) {
4664 l2cap_logical_fail(chan);
4665 __release_logical_link(chan);
4666 return;
4667 }
4668
4669 if (chan->state != BT_CONNECTED) {
4670 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4671 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4672 l2cap_logical_finish_create(chan, hchan);
4673 } else {
4674 l2cap_logical_finish_move(chan, hchan);
4675 }
5b155ef9
MM		 4676}
4677
3f7a56c4
MM		 4678void l2cap_move_start(struct l2cap_chan *chan)
4679{
4680 BT_DBG("chan %p", chan);
4681
6ed971ca 4682 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4683 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4684 return;
4685 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4686 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4687 /* Placeholder - start physical link setup */
4688 } else {
4689 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4690 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4691 chan->move_id = 0;
4692 l2cap_move_setup(chan);
4693 l2cap_send_move_chan_req(chan, 0);
4694 }
4695}
4696
8eb200bd
MM		 4697static void l2cap_do_create(struct l2cap_chan *chan, int result,
4698 u8 local_amp_id, u8 remote_amp_id)
4699{
62748ca1
AE		 4700 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4701 local_amp_id, remote_amp_id);
4702
12d6cc60
AE		 4703 chan->fcs = L2CAP_FCS_NONE;
4704
62748ca1
AE		 4705 /* Outgoing channel on AMP */
4706 if (chan->state == BT_CONNECT) {
4707 if (result == L2CAP_CR_SUCCESS) {
4708 chan->local_amp_id = local_amp_id;
4709 l2cap_send_create_chan_req(chan, remote_amp_id);
4710 } else {
4711 /* Revert to BR/EDR connect */
4712 l2cap_send_conn_req(chan);
4713 }
4714
4715 return;
4716 }
4717
4718 /* Incoming channel on AMP */
4719 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4720 struct l2cap_conn_rsp rsp;
4721 char buf[128];
4722 rsp.scid = cpu_to_le16(chan->dcid);
4723 rsp.dcid = cpu_to_le16(chan->scid);
4724
8eb200bd
MM		 4725 if (result == L2CAP_CR_SUCCESS) {
4726 /* Send successful response */
62cd50e2
AE		 4727 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4728 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4729 } else {
4730 /* Send negative response */
62cd50e2
AE		 4731 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4732 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4733 }
4734
4735 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4736 sizeof(rsp), &rsp);
4737
4738 if (result == L2CAP_CR_SUCCESS) {
4739 __l2cap_state_change(chan, BT_CONFIG);
4740 set_bit(CONF_REQ_SENT, &chan->conf_state);
4741 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4742 L2CAP_CONF_REQ,
4743 l2cap_build_conf_req(chan, buf), buf);
4744 chan->num_conf_req++;
4745 }
8eb200bd
MM		 4746 }
4747}
4748
4749static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4750 u8 remote_amp_id)
4751{
4752 l2cap_move_setup(chan);
4753 chan->move_id = local_amp_id;
4754 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4755
4756 l2cap_send_move_chan_req(chan, remote_amp_id);
4757}
4758
4759static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4760{
4761 struct hci_chan *hchan = NULL;
4762
4763 /* Placeholder - get hci_chan for logical link */
4764
4765 if (hchan) {
4766 if (hchan->state == BT_CONNECTED) {
4767 /* Logical link is ready to go */
4768 chan->hs_hcon = hchan->conn;
4769 chan->hs_hcon->l2cap_data = chan->conn;
4770 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4771 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4772
4773 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4774 } else {
4775 /* Wait for logical link to be ready */
4776 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4777 }
4778 } else {
4779 /* Logical link not available */
4780 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4781 }
4782}
4783
4784static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4785{
4786 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4787 u8 rsp_result;
4788 if (result == -EINVAL)
4789 rsp_result = L2CAP_MR_BAD_ID;
4790 else
4791 rsp_result = L2CAP_MR_NOT_ALLOWED;
4792
4793 l2cap_send_move_chan_rsp(chan, rsp_result);
4794 }
4795
4796 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4797 chan->move_state = L2CAP_MOVE_STABLE;
4798
4799 /* Restart data transmission */
4800 l2cap_ertm_send(chan);
4801}
4802
a514b17f
AE		 4803/* Invoke with locked chan */
4804void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4805{
770bfefa 4806 u8 local_amp_id = chan->local_amp_id;
fffadc08 4807 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4808
8eb200bd
MM		 4809 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4810 chan, result, local_amp_id, remote_amp_id);
4811
8eb200bd
MM		 4812 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4813 l2cap_chan_unlock(chan);
4814 return;
4815 }
4816
4817 if (chan->state != BT_CONNECTED) {
4818 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4819 } else if (result != L2CAP_MR_SUCCESS) {
4820 l2cap_do_move_cancel(chan, result);
4821 } else {
4822 switch (chan->move_role) {
4823 case L2CAP_MOVE_ROLE_INITIATOR:
4824 l2cap_do_move_initiate(chan, local_amp_id,
4825 remote_amp_id);
4826 break;
4827 case L2CAP_MOVE_ROLE_RESPONDER:
4828 l2cap_do_move_respond(chan, result);
4829 break;
4830 default:
4831 l2cap_do_move_cancel(chan, result);
4832 break;
4833 }
4834 }
8eb200bd
MM		 4835}
4836
8d5a04a1 4837static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4838 struct l2cap_cmd_hdr *cmd,
4839 u16 cmd_len, void *data)
8d5a04a1
MM		 4840{
4841 struct l2cap_move_chan_req *req = data;
1500109b 4842 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4843 struct l2cap_chan *chan;
8d5a04a1
MM		 4844 u16 icid = 0;
4845 u16 result = L2CAP_MR_NOT_ALLOWED;
4846
4847 if (cmd_len != sizeof(*req))
4848 return -EPROTO;
4849
4850 icid = le16_to_cpu(req->icid);
4851
ad0ac6ca 4852 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4853
848566b3 4854 if (!conn->hs_enabled)
8d5a04a1
MM		 4855 return -EINVAL;
4856
02b0fbb9
MM		 4857 chan = l2cap_get_chan_by_dcid(conn, icid);
4858 if (!chan) {
1500109b
MM		 4859 rsp.icid = cpu_to_le16(icid);
4860 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4861 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4862 sizeof(rsp), &rsp);
02b0fbb9
MM		 4863 return 0;
4864 }
4865
1500109b
MM		 4866 chan->ident = cmd->ident;
4867
02b0fbb9
MM		 4868 if (chan->scid < L2CAP_CID_DYN_START ||
4869 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4870 (chan->mode != L2CAP_MODE_ERTM &&
4871 chan->mode != L2CAP_MODE_STREAMING)) {
4872 result = L2CAP_MR_NOT_ALLOWED;
4873 goto send_move_response;
4874 }
4875
4876 if (chan->local_amp_id == req->dest_amp_id) {
4877 result = L2CAP_MR_SAME_ID;
4878 goto send_move_response;
4879 }
4880
6ed971ca 4881 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4882 struct hci_dev *hdev;
4883 hdev = hci_dev_get(req->dest_amp_id);
4884 if (!hdev || hdev->dev_type != HCI_AMP ||
4885 !test_bit(HCI_UP, &hdev->flags)) {
4886 if (hdev)
4887 hci_dev_put(hdev);
4888
4889 result = L2CAP_MR_BAD_ID;
4890 goto send_move_response;
4891 }
4892 hci_dev_put(hdev);
4893 }
4894
4895 /* Detect a move collision. Only send a collision response
4896 * if this side has "lost", otherwise proceed with the move.
4897 * The winner has the larger bd_addr.
4898 */
4899 if ((__chan_is_moving(chan) ||
4900 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4901 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4902 result = L2CAP_MR_COLLISION;
4903 goto send_move_response;
4904 }
4905
02b0fbb9
MM		 4906 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4907 l2cap_move_setup(chan);
4908 chan->move_id = req->dest_amp_id;
4909 icid = chan->dcid;
4910
6ed971ca 4911 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4912 /* Moving to BR/EDR */
4913 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4914 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4915 result = L2CAP_MR_PEND;
4916 } else {
4917 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4918 result = L2CAP_MR_SUCCESS;
4919 }
4920 } else {
4921 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4922 /* Placeholder - uncomment when amp functions are available */
4923 /*amp_accept_physical(chan, req->dest_amp_id);*/
4924 result = L2CAP_MR_PEND;
4925 }
4926
4927send_move_response:
1500109b 4928 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4929
02b0fbb9
MM		 4930 l2cap_chan_unlock(chan);
4931
8d5a04a1
MM		 4932 return 0;
4933}
4934
5b155ef9
MM		 4935static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4936{
4937 struct l2cap_chan *chan;
4938 struct hci_chan *hchan = NULL;
4939
4940 chan = l2cap_get_chan_by_scid(conn, icid);
4941 if (!chan) {
4942 l2cap_send_move_chan_cfm_icid(conn, icid);
4943 return;
4944 }
4945
4946 __clear_chan_timer(chan);
4947 if (result == L2CAP_MR_PEND)
4948 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4949
4950 switch (chan->move_state) {
4951 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4952 /* Move confirm will be sent when logical link
4953 * is complete.
4954 */
4955 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4956 break;
4957 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4958 if (result == L2CAP_MR_PEND) {
4959 break;
4960 } else if (test_bit(CONN_LOCAL_BUSY,
4961 &chan->conn_state)) {
4962 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4963 } else {
4964 /* Logical link is up or moving to BR/EDR,
4965 * proceed with move
4966 */
4967 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4968 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4969 }
4970 break;
4971 case L2CAP_MOVE_WAIT_RSP:
4972 /* Moving to AMP */
4973 if (result == L2CAP_MR_SUCCESS) {
4974 /* Remote is ready, send confirm immediately
4975 * after logical link is ready
4976 */
4977 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4978 } else {
4979 /* Both logical link and move success
4980 * are required to confirm
4981 */
4982 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4983 }
4984
4985 /* Placeholder - get hci_chan for logical link */
4986 if (!hchan) {
4987 /* Logical link not available */
4988 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4989 break;
4990 }
4991
4992 /* If the logical link is not yet connected, do not
4993 * send confirmation.
4994 */
4995 if (hchan->state != BT_CONNECTED)
4996 break;
4997
4998 /* Logical link is already ready to go */
4999
5000 chan->hs_hcon = hchan->conn;
5001 chan->hs_hcon->l2cap_data = chan->conn;
5002
5003 if (result == L2CAP_MR_SUCCESS) {
5004 /* Can confirm now */
5005 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5006 } else {
5007 /* Now only need move success
5008 * to confirm
5009 */
5010 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5011 }
5012
5013 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5014 break;
5015 default:
5016 /* Any other amp move state means the move failed. */
5017 chan->move_id = chan->local_amp_id;
5018 l2cap_move_done(chan);
5019 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5020 }
5021
5022 l2cap_chan_unlock(chan);
5023}
5024
5025static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5026 u16 result)
5027{
5028 struct l2cap_chan *chan;
5029
5030 chan = l2cap_get_chan_by_ident(conn, ident);
5031 if (!chan) {
5032 /* Could not locate channel, icid is best guess */
5033 l2cap_send_move_chan_cfm_icid(conn, icid);
5034 return;
5035 }
5036
5037 __clear_chan_timer(chan);
5038
5039 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5040 if (result == L2CAP_MR_COLLISION) {
5041 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5042 } else {
5043 /* Cleanup - cancel move */
5044 chan->move_id = chan->local_amp_id;
5045 l2cap_move_done(chan);
5046 }
5047 }
5048
5049 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5050
5051 l2cap_chan_unlock(chan);
5052}
5053
5054static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5055 struct l2cap_cmd_hdr *cmd,
5056 u16 cmd_len, void *data)
8d5a04a1
MM		 5057{
5058 struct l2cap_move_chan_rsp *rsp = data;
5059 u16 icid, result;
5060
5061 if (cmd_len != sizeof(*rsp))
5062 return -EPROTO;
5063
5064 icid = le16_to_cpu(rsp->icid);
5065 result = le16_to_cpu(rsp->result);
5066
ad0ac6ca 5067 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5068
5b155ef9
MM		 5069 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5070 l2cap_move_continue(conn, icid, result);
5071 else
5072 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5073
5074 return 0;
5075}
5076
5f3847a4
MM		 5077static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5078 struct l2cap_cmd_hdr *cmd,
5079 u16 cmd_len, void *data)
8d5a04a1
MM		 5080{
5081 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5082 struct l2cap_chan *chan;
8d5a04a1
MM		 5083 u16 icid, result;
5084
5085 if (cmd_len != sizeof(*cfm))
5086 return -EPROTO;
5087
5088 icid = le16_to_cpu(cfm->icid);
5089 result = le16_to_cpu(cfm->result);
5090
ad0ac6ca 5091 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5092
5f3847a4
MM		 5093 chan = l2cap_get_chan_by_dcid(conn, icid);
5094 if (!chan) {
5095 /* Spec requires a response even if the icid was not found */
5096 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5097 return 0;
5098 }
5099
5100 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5101 if (result == L2CAP_MC_CONFIRMED) {
5102 chan->local_amp_id = chan->move_id;
6ed971ca 5103 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5104 __release_logical_link(chan);
5105 } else {
5106 chan->move_id = chan->local_amp_id;
5107 }
5108
5109 l2cap_move_done(chan);
5110 }
5111
8d5a04a1
MM		 5112 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5113
5f3847a4
MM		 5114 l2cap_chan_unlock(chan);
5115
8d5a04a1
MM		 5116 return 0;
5117}
5118
5119static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5120 struct l2cap_cmd_hdr *cmd,
5121 u16 cmd_len, void *data)
8d5a04a1
MM		 5122{
5123 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5124 struct l2cap_chan *chan;
8d5a04a1
MM		 5125 u16 icid;
5126
5127 if (cmd_len != sizeof(*rsp))
5128 return -EPROTO;
5129
5130 icid = le16_to_cpu(rsp->icid);
5131
ad0ac6ca 5132 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5133
3fd71a0a
MM		 5134 chan = l2cap_get_chan_by_scid(conn, icid);
5135 if (!chan)
5136 return 0;
5137
5138 __clear_chan_timer(chan);
5139
5140 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5141 chan->local_amp_id = chan->move_id;
5142
6ed971ca 5143 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5144 __release_logical_link(chan);
5145
5146 l2cap_move_done(chan);
5147 }
5148
5149 l2cap_chan_unlock(chan);
5150
8d5a04a1
MM		 5151 return 0;
5152}
5153
e2174ca4 5154static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5155 u16 to_multiplier)
de73115a
CT		 5156{
5157 u16 max_latency;
5158
5159 if (min > max || min < 6 || max > 3200)
5160 return -EINVAL;
5161
5162 if (to_multiplier < 10 || to_multiplier > 3200)
5163 return -EINVAL;
5164
5165 if (max >= to_multiplier * 8)
5166 return -EINVAL;
5167
5168 max_latency = (to_multiplier * 8 / max) - 1;
5169 if (latency > 499 || latency > max_latency)
5170 return -EINVAL;
5171
5172 return 0;
5173}
5174
5175static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5176 struct l2cap_cmd_hdr *cmd,
5177 u8 *data)
de73115a
CT		 5178{
5179 struct hci_conn *hcon = conn->hcon;
5180 struct l2cap_conn_param_update_req *req;
5181 struct l2cap_conn_param_update_rsp rsp;
5182 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5183 int err;
de73115a
CT		 5184
5185 if (!(hcon->link_mode & HCI_LM_MASTER))
5186 return -EINVAL;
5187
5188 cmd_len = __le16_to_cpu(cmd->len);
5189 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5190 return -EPROTO;
5191
5192 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5193 min = __le16_to_cpu(req->min);
5194 max = __le16_to_cpu(req->max);
de73115a
CT		 5195 latency = __le16_to_cpu(req->latency);
5196 to_multiplier = __le16_to_cpu(req->to_multiplier);
5197
5198 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5199 min, max, latency, to_multiplier);
de73115a
CT		 5200
5201 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5202
5203 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5204 if (err)
ac73498c 5205 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5206 else
ac73498c 5207 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5208
5209 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5210 sizeof(rsp), &rsp);
de73115a 5211
2ce603eb
CT		 5212 if (!err)
5213 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5214
de73115a
CT		 5215 return 0;
5216}
5217
3300d9a9 5218static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5219 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5220 u8 *data)
3300d9a9
CT		 5221{
5222 int err = 0;
5223
5224 switch (cmd->code) {
5225 case L2CAP_COMMAND_REJ:
cb3b3152 5226 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5227 break;
5228
5229 case L2CAP_CONN_REQ:
cb3b3152 5230 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5231 break;
5232
5233 case L2CAP_CONN_RSP:
f5a2598d 5234 case L2CAP_CREATE_CHAN_RSP:
9245e737 5235 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5236 break;
5237
5238 case L2CAP_CONF_REQ:
5239 err = l2cap_config_req(conn, cmd, cmd_len, data);
5240 break;
5241
5242 case L2CAP_CONF_RSP:
9245e737 5243 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5244 break;
5245
5246 case L2CAP_DISCONN_REQ:
cb3b3152 5247 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5248 break;
5249
5250 case L2CAP_DISCONN_RSP:
9245e737 5251 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5252 break;
5253
5254 case L2CAP_ECHO_REQ:
5255 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5256 break;
5257
5258 case L2CAP_ECHO_RSP:
5259 break;
5260
5261 case L2CAP_INFO_REQ:
cb3b3152 5262 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5263 break;
5264
5265 case L2CAP_INFO_RSP:
9245e737 5266 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5267 break;
5268
f94ff6ff
MM		 5269 case L2CAP_CREATE_CHAN_REQ:
5270 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5271 break;
5272
8d5a04a1
MM		 5273 case L2CAP_MOVE_CHAN_REQ:
5274 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5275 break;
5276
5277 case L2CAP_MOVE_CHAN_RSP:
9245e737 5278 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5279 break;
5280
5281 case L2CAP_MOVE_CHAN_CFM:
5282 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5283 break;
5284
5285 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5286 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5287 break;
5288
3300d9a9
CT		 5289 default:
5290 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5291 err = -EINVAL;
5292 break;
5293 }
5294
5295 return err;
5296}
5297
5298static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5299 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5300{
5301 switch (cmd->code) {
5302 case L2CAP_COMMAND_REJ:
5303 return 0;
5304
5305 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5306 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5307
5308 case L2CAP_CONN_PARAM_UPDATE_RSP:
5309 return 0;
5310
5311 default:
5312 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5313 return -EINVAL;
5314 }
5315}
5316
c5623556
JH		 5317static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5318 struct sk_buff *skb)
5319{
69c4e4e8 5320 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5321 struct l2cap_cmd_hdr *cmd;
5322 u16 len;
c5623556
JH		 5323 int err;
5324
69c4e4e8 5325 if (hcon->type != LE_LINK)
3b166295 5326 goto drop;
69c4e4e8 5327
4f3e219d
MH		 5328 if (skb->len < L2CAP_CMD_HDR_SIZE)
5329 goto drop;
c5623556 5330
4f3e219d
MH		 5331 cmd = (void *) skb->data;
5332 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5333
4f3e219d 5334 len = le16_to_cpu(cmd->len);
c5623556 5335
4f3e219d 5336 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5337
4f3e219d
MH		 5338 if (len != skb->len || !cmd->ident) {
5339 BT_DBG("corrupted command");
5340 goto drop;
5341 }
c5623556 5342
4f3e219d
MH		 5343 err = l2cap_le_sig_cmd(conn, cmd, skb->data);
5344 if (err) {
5345 struct l2cap_cmd_rej_unk rej;
c5623556 5346
4f3e219d 5347 BT_ERR("Wrong link type (%d)", err);
c5623556 5348
a521149a 5349 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5350 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5351 sizeof(rej), &rej);
c5623556
JH		 5352 }
5353
3b166295 5354drop:
c5623556
JH		 5355 kfree_skb(skb);
5356}
5357
3300d9a9 5358static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5359 struct sk_buff *skb)
1da177e4 5360{
69c4e4e8 5361 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5362 u8 *data = skb->data;
5363 int len = skb->len;
5364 struct l2cap_cmd_hdr cmd;
3300d9a9 5365 int err;
1da177e4
LT		 5366
5367 l2cap_raw_recv(conn, skb);
5368
69c4e4e8 5369 if (hcon->type != ACL_LINK)
3b166295 5370 goto drop;
69c4e4e8 5371
1da177e4 5372 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5373 u16 cmd_len;
1da177e4
LT		 5374 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5375 data += L2CAP_CMD_HDR_SIZE;
5376 len -= L2CAP_CMD_HDR_SIZE;
5377
88219a0f 5378 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5379
2d792818
GP		 5380 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5381 cmd.ident);
1da177e4 5382
88219a0f 5383 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5384 BT_DBG("corrupted command");
5385 break;
5386 }
5387
c5623556 5388 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5389 if (err) {
e2fd318e 5390 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5391
5392 BT_ERR("Wrong link type (%d)", err);
1da177e4 5393
a521149a 5394 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5395 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5396 sizeof(rej), &rej);
1da177e4
LT		 5397 }
5398
88219a0f
AV		 5399 data += cmd_len;
5400 len -= cmd_len;
1da177e4
LT		 5401 }
5402
3b166295 5403drop:
1da177e4
LT		 5404 kfree_skb(skb);
5405}
5406
47d1ec61 5407static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5408{
5409 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5410 int hdr_size;
5411
5412 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5413 hdr_size = L2CAP_EXT_HDR_SIZE;
5414 else
5415 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5416
47d1ec61 5417 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5418 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5419 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5420 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5421
5422 if (our_fcs != rcv_fcs)
7a560e5c 5423 return -EBADMSG;
fcc203c3
GP		 5424 }
5425 return 0;
5426}
5427
6ea00485 5428static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5429{
e31f7633 5430 struct l2cap_ctrl control;
d5392c8f 5431
e31f7633 5432 BT_DBG("chan %p", chan);
d5392c8f 5433
e31f7633
MM		 5434 memset(&control, 0, sizeof(control));
5435 control.sframe = 1;
5436 control.final = 1;
5437 control.reqseq = chan->buffer_seq;
5438 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5439
e2ab4353 5440 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5441 control.super = L2CAP_SUPER_RNR;
5442 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5443 }
5444
e31f7633
MM		 5445 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5446 chan->unacked_frames > 0)
5447 __set_retrans_timer(chan);
d5392c8f 5448
e31f7633 5449 /* Send pending iframes */
525cd185 5450 l2cap_ertm_send(chan);
d5392c8f 5451
e2ab4353 5452 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5453 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5454 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5455 * send it now.
5456 */
5457 control.super = L2CAP_SUPER_RR;
5458 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5459 }
5460}
5461
2d792818
GP		 5462static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5463 struct sk_buff **last_frag)
18778a63 5464{
84084a31
MM		 5465 /* skb->len reflects data in skb as well as all fragments
5466 * skb->data_len reflects only data in fragments
5467 */
5468 if (!skb_has_frag_list(skb))
5469 skb_shinfo(skb)->frag_list = new_frag;
5470
5471 new_frag->next = NULL;
5472
5473 (*last_frag)->next = new_frag;
5474 *last_frag = new_frag;
5475
5476 skb->len += new_frag->len;
5477 skb->data_len += new_frag->len;
5478 skb->truesize += new_frag->truesize;
5479}
5480
4b51dae9
MM		 5481static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5482 struct l2cap_ctrl *control)
84084a31
MM		 5483{
5484 int err = -EINVAL;
18778a63 5485
4b51dae9 5486 switch (control->sar) {
7e0ef6ee 5487 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5488 if (chan->sdu)
5489 break;
18778a63 5490
80b98027 5491 err = chan->ops->recv(chan, skb);
84084a31 5492 break;
18778a63 5493
7e0ef6ee 5494 case L2CAP_SAR_START:
84084a31
MM		 5495 if (chan->sdu)
5496 break;
18778a63 5497
6f61fd47 5498 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5499 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5500
84084a31
MM		 5501 if (chan->sdu_len > chan->imtu) {
5502 err = -EMSGSIZE;
5503 break;
5504 }
1890d36b 5505
84084a31
MM		 5506 if (skb->len >= chan->sdu_len)
5507 break;
18778a63 5508
84084a31
MM		 5509 chan->sdu = skb;
5510 chan->sdu_last_frag = skb;
18778a63 5511
84084a31
MM		 5512 skb = NULL;
5513 err = 0;
18778a63
GP		 5514 break;
5515
7e0ef6ee 5516 case L2CAP_SAR_CONTINUE:
6f61fd47 5517 if (!chan->sdu)
84084a31 5518 break;
18778a63 5519
84084a31
MM		 5520 append_skb_frag(chan->sdu, skb,
5521 &chan->sdu_last_frag);
5522 skb = NULL;
18778a63 5523
84084a31
MM		 5524 if (chan->sdu->len >= chan->sdu_len)
5525 break;
4178ba46 5526
84084a31 5527 err = 0;
18778a63
GP		 5528 break;
5529
7e0ef6ee 5530 case L2CAP_SAR_END:
6f61fd47 5531 if (!chan->sdu)
84084a31 5532 break;
18778a63 5533
84084a31
MM		 5534 append_skb_frag(chan->sdu, skb,
5535 &chan->sdu_last_frag);
5536 skb = NULL;
4178ba46 5537
84084a31
MM		 5538 if (chan->sdu->len != chan->sdu_len)
5539 break;
18778a63 5540
80b98027 5541 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5542
84084a31
MM		 5543 if (!err) {
5544 /* Reassembly complete */
5545 chan->sdu = NULL;
5546 chan->sdu_last_frag = NULL;
5547 chan->sdu_len = 0;
1890d36b 5548 }
18778a63
GP		 5549 break;
5550 }
5551
84084a31
MM		 5552 if (err) {
5553 kfree_skb(skb);
5554 kfree_skb(chan->sdu);
5555 chan->sdu = NULL;
5556 chan->sdu_last_frag = NULL;
5557 chan->sdu_len = 0;
5558 }
18778a63 5559
84084a31 5560 return err;
18778a63
GP		 5561}
5562
32b32735
MM		 5563static int l2cap_resegment(struct l2cap_chan *chan)
5564{
5565 /* Placeholder */
5566 return 0;
5567}
5568
61aa4f5b 5569void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5570{
61aa4f5b 5571 u8 event;
712132eb 5572
61aa4f5b
MM		 5573 if (chan->mode != L2CAP_MODE_ERTM)
5574 return;
712132eb 5575
61aa4f5b 5576 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5577 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5578}
5579
d2a7ac5d
MM		 5580static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5581{
63838725
MM		 5582 int err = 0;
5583 /* Pass sequential frames to l2cap_reassemble_sdu()
5584 * until a gap is encountered.
5585 */
5586
5587 BT_DBG("chan %p", chan);
5588
5589 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5590 struct sk_buff *skb;
5591 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5592 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5593
5594 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5595
5596 if (!skb)
5597 break;
5598
5599 skb_unlink(skb, &chan->srej_q);
5600 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5601 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5602 if (err)
5603 break;
5604 }
5605
5606 if (skb_queue_empty(&chan->srej_q)) {
5607 chan->rx_state = L2CAP_RX_STATE_RECV;
5608 l2cap_send_ack(chan);
5609 }
5610
5611 return err;
d2a7ac5d
MM		 5612}
5613
5614static void l2cap_handle_srej(struct l2cap_chan *chan,
5615 struct l2cap_ctrl *control)
5616{
f80842a8
MM		 5617 struct sk_buff *skb;
5618
5619 BT_DBG("chan %p, control %p", chan, control);
5620
5621 if (control->reqseq == chan->next_tx_seq) {
5622 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5623 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5624 return;
5625 }
5626
5627 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5628
5629 if (skb == NULL) {
5630 BT_DBG("Seq %d not available for retransmission",
5631 control->reqseq);
5632 return;
5633 }
5634
5635 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5636 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5637 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5638 return;
5639 }
5640
5641 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5642
5643 if (control->poll) {
5644 l2cap_pass_to_tx(chan, control);
5645
5646 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5647 l2cap_retransmit(chan, control);
5648 l2cap_ertm_send(chan);
5649
5650 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5651 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5652 chan->srej_save_reqseq = control->reqseq;
5653 }
5654 } else {
5655 l2cap_pass_to_tx_fbit(chan, control);
5656
5657 if (control->final) {
5658 if (chan->srej_save_reqseq != control->reqseq ||
5659 !test_and_clear_bit(CONN_SREJ_ACT,
5660 &chan->conn_state))
5661 l2cap_retransmit(chan, control);
5662 } else {
5663 l2cap_retransmit(chan, control);
5664 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5665 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5666 chan->srej_save_reqseq = control->reqseq;
5667 }
5668 }
5669 }
d2a7ac5d
MM		 5670}
5671
5672static void l2cap_handle_rej(struct l2cap_chan *chan,
5673 struct l2cap_ctrl *control)
5674{
fcd289df
MM		 5675 struct sk_buff *skb;
5676
5677 BT_DBG("chan %p, control %p", chan, control);
5678
5679 if (control->reqseq == chan->next_tx_seq) {
5680 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5681 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5682 return;
5683 }
5684
5685 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5686
5687 if (chan->max_tx && skb &&
5688 bt_cb(skb)->control.retries >= chan->max_tx) {
5689 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5690 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5691 return;
5692 }
5693
5694 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5695
5696 l2cap_pass_to_tx(chan, control);
5697
5698 if (control->final) {
5699 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5700 l2cap_retransmit_all(chan, control);
5701 } else {
5702 l2cap_retransmit_all(chan, control);
5703 l2cap_ertm_send(chan);
5704 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5705 set_bit(CONN_REJ_ACT, &chan->conn_state);
5706 }
d2a7ac5d
MM		 5707}
5708
4b51dae9
MM		 5709static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5710{
5711 BT_DBG("chan %p, txseq %d", chan, txseq);
5712
5713 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5714 chan->expected_tx_seq);
5715
5716 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5717 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5718 chan->tx_win) {
4b51dae9
MM		 5719 /* See notes below regarding "double poll" and
5720 * invalid packets.
5721 */
5722 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5723 BT_DBG("Invalid/Ignore - after SREJ");
5724 return L2CAP_TXSEQ_INVALID_IGNORE;
5725 } else {
5726 BT_DBG("Invalid - in window after SREJ sent");
5727 return L2CAP_TXSEQ_INVALID;
5728 }
5729 }
5730
5731 if (chan->srej_list.head == txseq) {
5732 BT_DBG("Expected SREJ");
5733 return L2CAP_TXSEQ_EXPECTED_SREJ;
5734 }
5735
5736 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5737 BT_DBG("Duplicate SREJ - txseq already stored");
5738 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5739 }
5740
5741 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5742 BT_DBG("Unexpected SREJ - not requested");
5743 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5744 }
5745 }
5746
5747 if (chan->expected_tx_seq == txseq) {
5748 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5749 chan->tx_win) {
5750 BT_DBG("Invalid - txseq outside tx window");
5751 return L2CAP_TXSEQ_INVALID;
5752 } else {
5753 BT_DBG("Expected");
5754 return L2CAP_TXSEQ_EXPECTED;
5755 }
5756 }
5757
5758 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5759 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5760 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5761 return L2CAP_TXSEQ_DUPLICATE;
5762 }
5763
5764 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5765 /* A source of invalid packets is a "double poll" condition,
5766 * where delays cause us to send multiple poll packets. If
5767 * the remote stack receives and processes both polls,
5768 * sequence numbers can wrap around in such a way that a
5769 * resent frame has a sequence number that looks like new data
5770 * with a sequence gap. This would trigger an erroneous SREJ
5771 * request.
5772 *
5773 * Fortunately, this is impossible with a tx window that's
5774 * less than half of the maximum sequence number, which allows
5775 * invalid frames to be safely ignored.
5776 *
5777 * With tx window sizes greater than half of the tx window
5778 * maximum, the frame is invalid and cannot be ignored. This
5779 * causes a disconnect.
5780 */
5781
5782 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5783 BT_DBG("Invalid/Ignore - txseq outside tx window");
5784 return L2CAP_TXSEQ_INVALID_IGNORE;
5785 } else {
5786 BT_DBG("Invalid - txseq outside tx window");
5787 return L2CAP_TXSEQ_INVALID;
5788 }
5789 } else {
5790 BT_DBG("Unexpected - txseq indicates missing frames");
5791 return L2CAP_TXSEQ_UNEXPECTED;
5792 }
5793}
5794
d2a7ac5d
MM		 5795static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5796 struct l2cap_ctrl *control,
5797 struct sk_buff *skb, u8 event)
5798{
5799 int err = 0;
941247f9 5800 bool skb_in_use = false;
d2a7ac5d
MM		 5801
5802 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5803 event);
5804
5805 switch (event) {
5806 case L2CAP_EV_RECV_IFRAME:
5807 switch (l2cap_classify_txseq(chan, control->txseq)) {
5808 case L2CAP_TXSEQ_EXPECTED:
5809 l2cap_pass_to_tx(chan, control);
5810
5811 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5812 BT_DBG("Busy, discarding expected seq %d",
5813 control->txseq);
5814 break;
5815 }
5816
5817 chan->expected_tx_seq = __next_seq(chan,
5818 control->txseq);
5819
5820 chan->buffer_seq = chan->expected_tx_seq;
941247f9 5821 skb_in_use = true;
d2a7ac5d
MM		 5822
5823 err = l2cap_reassemble_sdu(chan, skb, control);
5824 if (err)
5825 break;
5826
5827 if (control->final) {
5828 if (!test_and_clear_bit(CONN_REJ_ACT,
5829 &chan->conn_state)) {
5830 control->final = 0;
5831 l2cap_retransmit_all(chan, control);
5832 l2cap_ertm_send(chan);
5833 }
5834 }
5835
5836 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5837 l2cap_send_ack(chan);
5838 break;
5839 case L2CAP_TXSEQ_UNEXPECTED:
5840 l2cap_pass_to_tx(chan, control);
5841
5842 /* Can't issue SREJ frames in the local busy state.
5843 * Drop this frame, it will be seen as missing
5844 * when local busy is exited.
5845 */
5846 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5847 BT_DBG("Busy, discarding unexpected seq %d",
5848 control->txseq);
5849 break;
5850 }
5851
5852 /* There was a gap in the sequence, so an SREJ
5853 * must be sent for each missing frame. The
5854 * current frame is stored for later use.
5855 */
5856 skb_queue_tail(&chan->srej_q, skb);
941247f9 5857 skb_in_use = true;
d2a7ac5d
MM		 5858 BT_DBG("Queued %p (queue len %d)", skb,
5859 skb_queue_len(&chan->srej_q));
5860
5861 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5862 l2cap_seq_list_clear(&chan->srej_list);
5863 l2cap_send_srej(chan, control->txseq);
5864
5865 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5866 break;
5867 case L2CAP_TXSEQ_DUPLICATE:
5868 l2cap_pass_to_tx(chan, control);
5869 break;
5870 case L2CAP_TXSEQ_INVALID_IGNORE:
5871 break;
5872 case L2CAP_TXSEQ_INVALID:
5873 default:
5e4e3972 5874 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5875 break;
5876 }
5877 break;
5878 case L2CAP_EV_RECV_RR:
5879 l2cap_pass_to_tx(chan, control);
5880 if (control->final) {
5881 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5882
e6a3ee6e
MM		 5883 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5884 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5885 control->final = 0;
5886 l2cap_retransmit_all(chan, control);
5887 }
5888
5889 l2cap_ertm_send(chan);
5890 } else if (control->poll) {
5891 l2cap_send_i_or_rr_or_rnr(chan);
5892 } else {
5893 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5894 &chan->conn_state) &&
5895 chan->unacked_frames)
5896 __set_retrans_timer(chan);
5897
5898 l2cap_ertm_send(chan);
5899 }
5900 break;
5901 case L2CAP_EV_RECV_RNR:
5902 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5903 l2cap_pass_to_tx(chan, control);
5904 if (control && control->poll) {
5905 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5906 l2cap_send_rr_or_rnr(chan, 0);
5907 }
5908 __clear_retrans_timer(chan);
5909 l2cap_seq_list_clear(&chan->retrans_list);
5910 break;
5911 case L2CAP_EV_RECV_REJ:
5912 l2cap_handle_rej(chan, control);
5913 break;
5914 case L2CAP_EV_RECV_SREJ:
5915 l2cap_handle_srej(chan, control);
5916 break;
5917 default:
5918 break;
5919 }
5920
5921 if (skb && !skb_in_use) {
5922 BT_DBG("Freeing %p", skb);
5923 kfree_skb(skb);
5924 }
5925
5926 return err;
5927}
5928
5929static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5930 struct l2cap_ctrl *control,
5931 struct sk_buff *skb, u8 event)
5932{
5933 int err = 0;
5934 u16 txseq = control->txseq;
941247f9 5935 bool skb_in_use = false;
d2a7ac5d
MM		 5936
5937 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5938 event);
5939
5940 switch (event) {
5941 case L2CAP_EV_RECV_IFRAME:
5942 switch (l2cap_classify_txseq(chan, txseq)) {
5943 case L2CAP_TXSEQ_EXPECTED:
5944 /* Keep frame for reassembly later */
5945 l2cap_pass_to_tx(chan, control);
5946 skb_queue_tail(&chan->srej_q, skb);
941247f9 5947 skb_in_use = true;
d2a7ac5d
MM		 5948 BT_DBG("Queued %p (queue len %d)", skb,
5949 skb_queue_len(&chan->srej_q));
5950
5951 chan->expected_tx_seq = __next_seq(chan, txseq);
5952 break;
5953 case L2CAP_TXSEQ_EXPECTED_SREJ:
5954 l2cap_seq_list_pop(&chan->srej_list);
5955
5956 l2cap_pass_to_tx(chan, control);
5957 skb_queue_tail(&chan->srej_q, skb);
941247f9 5958 skb_in_use = true;
d2a7ac5d
MM		 5959 BT_DBG("Queued %p (queue len %d)", skb,
5960 skb_queue_len(&chan->srej_q));
5961
5962 err = l2cap_rx_queued_iframes(chan);
5963 if (err)
5964 break;
5965
5966 break;
5967 case L2CAP_TXSEQ_UNEXPECTED:
5968 /* Got a frame that can't be reassembled yet.
5969 * Save it for later, and send SREJs to cover
5970 * the missing frames.
5971 */
5972 skb_queue_tail(&chan->srej_q, skb);
941247f9 5973 skb_in_use = true;
d2a7ac5d
MM		 5974 BT_DBG("Queued %p (queue len %d)", skb,
5975 skb_queue_len(&chan->srej_q));
5976
5977 l2cap_pass_to_tx(chan, control);
5978 l2cap_send_srej(chan, control->txseq);
5979 break;
5980 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5981 /* This frame was requested with an SREJ, but
5982 * some expected retransmitted frames are
5983 * missing. Request retransmission of missing
5984 * SREJ'd frames.
5985 */
5986 skb_queue_tail(&chan->srej_q, skb);
941247f9 5987 skb_in_use = true;
d2a7ac5d
MM		 5988 BT_DBG("Queued %p (queue len %d)", skb,
5989 skb_queue_len(&chan->srej_q));
5990
5991 l2cap_pass_to_tx(chan, control);
5992 l2cap_send_srej_list(chan, control->txseq);
5993 break;
5994 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5995 /* We've already queued this frame. Drop this copy. */
5996 l2cap_pass_to_tx(chan, control);
5997 break;
5998 case L2CAP_TXSEQ_DUPLICATE:
5999 /* Expecting a later sequence number, so this frame
6000 * was already received. Ignore it completely.
6001 */
6002 break;
6003 case L2CAP_TXSEQ_INVALID_IGNORE:
6004 break;
6005 case L2CAP_TXSEQ_INVALID:
6006 default:
5e4e3972 6007 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6008 break;
6009 }
6010 break;
6011 case L2CAP_EV_RECV_RR:
6012 l2cap_pass_to_tx(chan, control);
6013 if (control->final) {
6014 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6015
6016 if (!test_and_clear_bit(CONN_REJ_ACT,
6017 &chan->conn_state)) {
6018 control->final = 0;
6019 l2cap_retransmit_all(chan, control);
6020 }
6021
6022 l2cap_ertm_send(chan);
6023 } else if (control->poll) {
6024 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6025 &chan->conn_state) &&
6026 chan->unacked_frames) {
6027 __set_retrans_timer(chan);
6028 }
6029
6030 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6031 l2cap_send_srej_tail(chan);
6032 } else {
6033 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6034 &chan->conn_state) &&
6035 chan->unacked_frames)
6036 __set_retrans_timer(chan);
6037
6038 l2cap_send_ack(chan);
6039 }
6040 break;
6041 case L2CAP_EV_RECV_RNR:
6042 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6043 l2cap_pass_to_tx(chan, control);
6044 if (control->poll) {
6045 l2cap_send_srej_tail(chan);
6046 } else {
6047 struct l2cap_ctrl rr_control;
6048 memset(&rr_control, 0, sizeof(rr_control));
6049 rr_control.sframe = 1;
6050 rr_control.super = L2CAP_SUPER_RR;
6051 rr_control.reqseq = chan->buffer_seq;
6052 l2cap_send_sframe(chan, &rr_control);
6053 }
6054
6055 break;
6056 case L2CAP_EV_RECV_REJ:
6057 l2cap_handle_rej(chan, control);
6058 break;
6059 case L2CAP_EV_RECV_SREJ:
6060 l2cap_handle_srej(chan, control);
6061 break;
6062 }
6063
6064 if (skb && !skb_in_use) {
6065 BT_DBG("Freeing %p", skb);
6066 kfree_skb(skb);
6067 }
6068
6069 return err;
6070}
6071
32b32735
MM		 6072static int l2cap_finish_move(struct l2cap_chan *chan)
6073{
6074 BT_DBG("chan %p", chan);
6075
6076 chan->rx_state = L2CAP_RX_STATE_RECV;
6077
6078 if (chan->hs_hcon)
6079 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6080 else
6081 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6082
6083 return l2cap_resegment(chan);
6084}
6085
6086static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6087 struct l2cap_ctrl *control,
6088 struct sk_buff *skb, u8 event)
6089{
6090 int err;
6091
6092 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6093 event);
6094
6095 if (!control->poll)
6096 return -EPROTO;
6097
6098 l2cap_process_reqseq(chan, control->reqseq);
6099
6100 if (!skb_queue_empty(&chan->tx_q))
6101 chan->tx_send_head = skb_peek(&chan->tx_q);
6102 else
6103 chan->tx_send_head = NULL;
6104
6105 /* Rewind next_tx_seq to the point expected
6106 * by the receiver.
6107 */
6108 chan->next_tx_seq = control->reqseq;
6109 chan->unacked_frames = 0;
6110
6111 err = l2cap_finish_move(chan);
6112 if (err)
6113 return err;
6114
6115 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6116 l2cap_send_i_or_rr_or_rnr(chan);
6117
6118 if (event == L2CAP_EV_RECV_IFRAME)
6119 return -EPROTO;
6120
6121 return l2cap_rx_state_recv(chan, control, NULL, event);
6122}
6123
6124static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6125 struct l2cap_ctrl *control,
6126 struct sk_buff *skb, u8 event)
6127{
6128 int err;
6129
6130 if (!control->final)
6131 return -EPROTO;
6132
6133 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6134
6135 chan->rx_state = L2CAP_RX_STATE_RECV;
6136 l2cap_process_reqseq(chan, control->reqseq);
6137
6138 if (!skb_queue_empty(&chan->tx_q))
6139 chan->tx_send_head = skb_peek(&chan->tx_q);
6140 else
6141 chan->tx_send_head = NULL;
6142
6143 /* Rewind next_tx_seq to the point expected
6144 * by the receiver.
6145 */
6146 chan->next_tx_seq = control->reqseq;
6147 chan->unacked_frames = 0;
6148
6149 if (chan->hs_hcon)
6150 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6151 else
6152 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6153
6154 err = l2cap_resegment(chan);
6155
6156 if (!err)
6157 err = l2cap_rx_state_recv(chan, control, skb, event);
6158
6159 return err;
6160}
6161
d2a7ac5d
MM		 6162static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6163{
6164 /* Make sure reqseq is for a packet that has been sent but not acked */
6165 u16 unacked;
6166
6167 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6168 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6169}
6170
cec8ab6e
MM		 6171static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6172 struct sk_buff *skb, u8 event)
218bb9df 6173{
d2a7ac5d
MM		 6174 int err = 0;
6175
6176 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6177 control, skb, event, chan->rx_state);
6178
6179 if (__valid_reqseq(chan, control->reqseq)) {
6180 switch (chan->rx_state) {
6181 case L2CAP_RX_STATE_RECV:
6182 err = l2cap_rx_state_recv(chan, control, skb, event);
6183 break;
6184 case L2CAP_RX_STATE_SREJ_SENT:
6185 err = l2cap_rx_state_srej_sent(chan, control, skb,
6186 event);
6187 break;
32b32735
MM		 6188 case L2CAP_RX_STATE_WAIT_P:
6189 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6190 break;
6191 case L2CAP_RX_STATE_WAIT_F:
6192 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6193 break;
d2a7ac5d
MM		 6194 default:
6195 /* shut it down */
6196 break;
6197 }
6198 } else {
6199 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6200 control->reqseq, chan->next_tx_seq,
6201 chan->expected_ack_seq);
5e4e3972 6202 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6203 }
6204
6205 return err;
cec8ab6e
MM		 6206}
6207
6208static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6209 struct sk_buff *skb)
6210{
4b51dae9
MM		 6211 int err = 0;
6212
6213 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6214 chan->rx_state);
6215
6216 if (l2cap_classify_txseq(chan, control->txseq) ==
6217 L2CAP_TXSEQ_EXPECTED) {
6218 l2cap_pass_to_tx(chan, control);
6219
6220 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6221 __next_seq(chan, chan->buffer_seq));
6222
6223 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6224
6225 l2cap_reassemble_sdu(chan, skb, control);
6226 } else {
6227 if (chan->sdu) {
6228 kfree_skb(chan->sdu);
6229 chan->sdu = NULL;
6230 }
6231 chan->sdu_last_frag = NULL;
6232 chan->sdu_len = 0;
6233
6234 if (skb) {
6235 BT_DBG("Freeing %p", skb);
6236 kfree_skb(skb);
6237 }
6238 }
6239
6240 chan->last_acked_seq = control->txseq;
6241 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6242
6243 return err;
cec8ab6e
MM		 6244}
6245
6246static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6247{
6248 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6249 u16 len;
6250 u8 event;
218bb9df 6251
b76bbd66
MM		 6252 __unpack_control(chan, skb);
6253
218bb9df
GP		 6254 len = skb->len;
6255
6256 /*
6257 * We can just drop the corrupted I-frame here.
6258 * Receiver will miss it and start proper recovery
cec8ab6e 6259 * procedures and ask for retransmission.
218bb9df 6260 */
47d1ec61 6261 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6262 goto drop;
6263
cec8ab6e 6264 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6265 len -= L2CAP_SDULEN_SIZE;
218bb9df 6266
47d1ec61 6267 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6268 len -= L2CAP_FCS_SIZE;
218bb9df 6269
47d1ec61 6270 if (len > chan->mps) {
5e4e3972 6271 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6272 goto drop;
6273 }
6274
cec8ab6e
MM		 6275 if (!control->sframe) {
6276 int err;
218bb9df 6277
cec8ab6e
MM		 6278 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6279 control->sar, control->reqseq, control->final,
6280 control->txseq);
218bb9df 6281
cec8ab6e
MM		 6282 /* Validate F-bit - F=0 always valid, F=1 only
6283 * valid in TX WAIT_F
6284 */
6285 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6286 goto drop;
cec8ab6e
MM		 6287
6288 if (chan->mode != L2CAP_MODE_STREAMING) {
6289 event = L2CAP_EV_RECV_IFRAME;
6290 err = l2cap_rx(chan, control, skb, event);
6291 } else {
6292 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6293 }
6294
cec8ab6e 6295 if (err)
5e4e3972 6296 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6297 } else {
cec8ab6e
MM		 6298 const u8 rx_func_to_event[4] = {
6299 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6300 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6301 };
6302
6303 /* Only I-frames are expected in streaming mode */
6304 if (chan->mode == L2CAP_MODE_STREAMING)
6305 goto drop;
6306
6307 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6308 control->reqseq, control->final, control->poll,
6309 control->super);
6310
218bb9df 6311 if (len != 0) {
1bb166e6 6312 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6313 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6314 goto drop;
6315 }
6316
cec8ab6e
MM		 6317 /* Validate F and P bits */
6318 if (control->final && (control->poll ||
6319 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6320 goto drop;
6321
6322 event = rx_func_to_event[control->super];
6323 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6324 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6325 }
6326
6327 return 0;
6328
6329drop:
6330 kfree_skb(skb);
6331 return 0;
6332}
6333
13ca56e0
AE		 6334static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6335 struct sk_buff *skb)
1da177e4 6336{
48454079 6337 struct l2cap_chan *chan;
1da177e4 6338
baa7e1fa 6339 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6340 if (!chan) {
97e8e89d
AE		 6341 if (cid == L2CAP_CID_A2MP) {
6342 chan = a2mp_channel_create(conn, skb);
6343 if (!chan) {
6344 kfree_skb(skb);
13ca56e0 6345 return;
97e8e89d
AE		 6346 }
6347
6348 l2cap_chan_lock(chan);
6349 } else {
6350 BT_DBG("unknown cid 0x%4.4x", cid);
6351 /* Drop packet and return */
6352 kfree_skb(skb);
13ca56e0 6353 return;
97e8e89d 6354 }
1da177e4
LT		 6355 }
6356
49208c9c 6357 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6358
89bc500e 6359 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6360 goto drop;
6361
0c1bc5c6 6362 switch (chan->mode) {
1c2acffb
GP		 6363 case L2CAP_MODE_BASIC:
6364 /* If socket recv buffers overflows we drop data here
6365 * which is *bad* because L2CAP has to be reliable.
6366 * But we don't have any other choice. L2CAP doesn't
6367 * provide flow control mechanism. */
1da177e4 6368
0c1bc5c6 6369 if (chan->imtu < skb->len)
1c2acffb 6370 goto drop;
1da177e4 6371
80b98027 6372 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6373 goto done;
6374 break;
6375
6376 case L2CAP_MODE_ERTM:
6840ed07 6377 case L2CAP_MODE_STREAMING:
cec8ab6e 6378 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6379 goto done;
6380
1c2acffb 6381 default:
0c1bc5c6 6382 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6383 break;
6384 }
1da177e4
LT		 6385
6386drop:
6387 kfree_skb(skb);
6388
6389done:
6be36555 6390 l2cap_chan_unlock(chan);
1da177e4
LT		 6391}
6392
84104b24
AE		 6393static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6394 struct sk_buff *skb)
1da177e4 6395{
ae4fd2d3 6396 struct hci_conn *hcon = conn->hcon;
23691d75 6397 struct l2cap_chan *chan;
1da177e4 6398
ae4fd2d3
MH		 6399 if (hcon->type != ACL_LINK)
6400 goto drop;
6401
06ae3314 6402 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst);
23691d75 6403 if (!chan)
1da177e4
LT		 6404 goto drop;
6405
5b4cedaa 6406 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6407
89bc500e 6408 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6409 goto drop;
6410
e13e21dc 6411 if (chan->imtu < skb->len)
1da177e4
LT		 6412 goto drop;
6413
2edf870d 6414 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6415 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6416 bt_cb(skb)->psm = psm;
6417
80b98027 6418 if (!chan->ops->recv(chan, skb))
84104b24 6419 return;
1da177e4
LT		 6420
6421drop:
6422 kfree_skb(skb);
1da177e4
LT		 6423}
6424
72f78356 6425static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6426 struct sk_buff *skb)
9f69bda6 6427{
b99707d7 6428 struct hci_conn *hcon = conn->hcon;
23691d75 6429 struct l2cap_chan *chan;
9f69bda6 6430
b99707d7
MH		 6431 if (hcon->type != LE_LINK)
6432 goto drop;
6433
af1c0134 6434 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6435 &hcon->src, &hcon->dst);
23691d75 6436 if (!chan)
9f69bda6
GP		 6437 goto drop;
6438
5b4cedaa 6439 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6440
e13e21dc 6441 if (chan->imtu < skb->len)
9f69bda6
GP		 6442 goto drop;
6443
80b98027 6444 if (!chan->ops->recv(chan, skb))
6810fca7 6445 return;
9f69bda6
GP		 6446
6447drop:
6448 kfree_skb(skb);
9f69bda6
GP		 6449}
6450
1da177e4
LT		 6451static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6452{
6453 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6454 u16 cid, len;
6455 __le16 psm;
1da177e4
LT		 6456
6457 skb_pull(skb, L2CAP_HDR_SIZE);
6458 cid = __le16_to_cpu(lh->cid);
6459 len = __le16_to_cpu(lh->len);
6460
1c2acffb
GP		 6461 if (len != skb->len) {
6462 kfree_skb(skb);
6463 return;
6464 }
6465
1da177e4
LT		 6466 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6467
6468 switch (cid) {
8db4dc46 6469 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6470 l2cap_sig_channel(conn, skb);
6471 break;
6472
8db4dc46 6473 case L2CAP_CID_CONN_LESS:
097db76c 6474 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6475 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6476 l2cap_conless_channel(conn, psm, skb);
6477 break;
6478
073d1cf3 6479 case L2CAP_CID_ATT:
72f78356 6480 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6481 break;
6482
a2877629
MH		 6483 case L2CAP_CID_LE_SIGNALING:
6484 l2cap_le_sig_channel(conn, skb);
6485 break;
6486
b501d6a1
AB		 6487 case L2CAP_CID_SMP:
6488 if (smp_sig_channel(conn, skb))
6489 l2cap_conn_del(conn->hcon, EACCES);
6490 break;
6491
1da177e4
LT		 6492 default:
6493 l2cap_data_channel(conn, cid, skb);
6494 break;
6495 }
6496}
6497
6498/* ---- L2CAP interface with lower layer (HCI) ---- */
6499
686ebf28 6500int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6501{
6502 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6503 struct l2cap_chan *c;
1da177e4 6504
6ed93dc6 6505 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6506
6507 /* Find listening sockets and check their link_mode */
23691d75
GP		 6508 read_lock(&chan_list_lock);
6509 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 6510 if (c->state != BT_LISTEN)
1da177e4
LT		 6511 continue;
6512
7eafc59e 6513 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 6514 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6515 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6516 lm1 |= HCI_LM_MASTER;
1da177e4 6517 exact++;
7eafc59e 6518 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 6519 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6520 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6521 lm2 |= HCI_LM_MASTER;
6522 }
1da177e4 6523 }
23691d75 6524 read_unlock(&chan_list_lock);
1da177e4
LT		 6525
6526 return exact ? lm1 : lm2;
6527}
6528
9e664631 6529void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6530{
0139418c
MH		 6531 struct l2cap_conn *conn;
6532
6ed93dc6 6533 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6534
1da177e4 6535 if (!status) {
baf43251 6536 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6537 if (conn)
6538 l2cap_conn_ready(conn);
ba6fc317 6539 } else {
e175072f 6540 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6541 }
1da177e4
LT		 6542}
6543
686ebf28 6544int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6545{
6546 struct l2cap_conn *conn = hcon->l2cap_data;
6547
6548 BT_DBG("hcon %p", hcon);
6549
686ebf28 6550 if (!conn)
9f5a0d7b 6551 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6552 return conn->disc_reason;
6553}
6554
9e664631 6555void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6556{
6557 BT_DBG("hcon %p reason %d", hcon, reason);
6558
e175072f 6559 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6560}
6561
4343478f 6562static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6563{
715ec005 6564 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6565 return;
6566
f62e4323 6567 if (encrypt == 0x00) {
4343478f 6568 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6569 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6570 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6571 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6572 } else {
4343478f 6573 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6574 __clear_chan_timer(chan);
f62e4323
MH		 6575 }
6576}
6577
686ebf28 6578int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6579{
0139418c 6580 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6581 struct l2cap_chan *chan;
1da177e4 6582
0139418c 6583 if (!conn)
1da177e4 6584 return 0;
0139418c 6585
89d8b407 6586 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6587
160dc6ac 6588 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6589 if (!status && encrypt)
6590 smp_distribute_keys(conn, 0);
17cd3f37 6591 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6592 }
6593
3df91ea2 6594 mutex_lock(&conn->chan_lock);
1da177e4 6595
3df91ea2 6596 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6597 l2cap_chan_lock(chan);
1da177e4 6598
89d8b407
AE		 6599 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6600 state_to_string(chan->state));
f1cb9af5 6601
78eb2f98
AE		 6602 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6603 l2cap_chan_unlock(chan);
6604 continue;
6605 }
6606
073d1cf3 6607 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6608 if (!status && encrypt) {
6609 chan->sec_level = hcon->sec_level;
cf4cd009 6610 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6611 }
6612
6be36555 6613 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6614 continue;
6615 }
6616
96eff46e 6617 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6618 l2cap_chan_unlock(chan);
6a8d3010
MH		 6619 continue;
6620 }
6621
89bc500e 6622 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6623 chan->state == BT_CONFIG)) {
d97c899b 6624 chan->ops->resume(chan);
4343478f 6625 l2cap_check_encryption(chan, encrypt);
6be36555 6626 l2cap_chan_unlock(chan);
9719f8af
MH		 6627 continue;
6628 }
6629
89bc500e 6630 if (chan->state == BT_CONNECT) {
b1235d79 6631 if (!status) {
93c3e8f5 6632 l2cap_start_connection(chan);
b1235d79 6633 } else {
ba13ccd9 6634 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6635 }
89bc500e 6636 } else if (chan->state == BT_CONNECT2) {
6be36555 6637 struct sock *sk = chan->sk;
b1235d79 6638 struct l2cap_conn_rsp rsp;
df3c3931 6639 __u16 res, stat;
1da177e4 6640
6be36555
AE		 6641 lock_sock(sk);
6642
b1235d79 6643 if (!status) {
bdc25783 6644 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 6645 res = L2CAP_CR_PEND;
6646 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6647 chan->ops->defer(chan);
df3c3931 6648 } else {
0e587be7 6649 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6650 res = L2CAP_CR_SUCCESS;
6651 stat = L2CAP_CS_NO_INFO;
6652 }
b1235d79 6653 } else {
0e587be7 6654 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6655 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6656 res = L2CAP_CR_SEC_BLOCK;
6657 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6658 }
6659
6be36555
AE		 6660 release_sock(sk);
6661
fe4128e0
GP		 6662 rsp.scid = cpu_to_le16(chan->dcid);
6663 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6664 rsp.result = cpu_to_le16(res);
6665 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6666 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6667 sizeof(rsp), &rsp);
2d369359
MM		 6668
6669 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6670 res == L2CAP_CR_SUCCESS) {
6671 char buf[128];
6672 set_bit(CONF_REQ_SENT, &chan->conf_state);
6673 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6674 L2CAP_CONF_REQ,
6675 l2cap_build_conf_req(chan, buf),
6676 buf);
6677 chan->num_conf_req++;
6678 }
b1235d79 6679 }
1da177e4 6680
6be36555 6681 l2cap_chan_unlock(chan);
1da177e4
LT		 6682 }
6683
3df91ea2 6684 mutex_unlock(&conn->chan_lock);
b1235d79 6685
1da177e4
LT		 6686 return 0;
6687}
6688
686ebf28 6689int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6690{
6691 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6692 struct l2cap_hdr *hdr;
6693 int len;
1da177e4 6694
1d13a254
AE		 6695 /* For AMP controller do not create l2cap conn */
6696 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6697 goto drop;
1da177e4 6698
5a08ecce 6699 if (!conn)
baf43251 6700 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6701
6702 if (!conn)
1da177e4
LT		 6703 goto drop;
6704
6705 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6706
d73a0988
AE		 6707 switch (flags) {
6708 case ACL_START:
6709 case ACL_START_NO_FLUSH:
6710 case ACL_COMPLETE:
1da177e4
LT		 6711 if (conn->rx_len) {
6712 BT_ERR("Unexpected start frame (len %d)", skb->len);
6713 kfree_skb(conn->rx_skb);
6714 conn->rx_skb = NULL;
6715 conn->rx_len = 0;
6716 l2cap_conn_unreliable(conn, ECOMM);
6717 }
6718
aae7fe22
AE		 6719 /* Start fragment always begin with Basic L2CAP header */
6720 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6721 BT_ERR("Frame is too short (len %d)", skb->len);
6722 l2cap_conn_unreliable(conn, ECOMM);
6723 goto drop;
6724 }
6725
6726 hdr = (struct l2cap_hdr *) skb->data;
6727 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6728
6729 if (len == skb->len) {
6730 /* Complete frame received */
6731 l2cap_recv_frame(conn, skb);
6732 return 0;
6733 }
6734
6735 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6736
6737 if (skb->len > len) {
6738 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6739 skb->len, len);
1da177e4
LT		 6740 l2cap_conn_unreliable(conn, ECOMM);
6741 goto drop;
6742 }
6743
6744 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6745 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6746 if (!conn->rx_skb)
1da177e4
LT		 6747 goto drop;
6748
d626f62b 6749 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6750 skb->len);
1da177e4 6751 conn->rx_len = len - skb->len;
d73a0988
AE		 6752 break;
6753
6754 case ACL_CONT:
1da177e4
LT		 6755 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6756
6757 if (!conn->rx_len) {
6758 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6759 l2cap_conn_unreliable(conn, ECOMM);
6760 goto drop;
6761 }
6762
6763 if (skb->len > conn->rx_len) {
6764 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6765 skb->len, conn->rx_len);
1da177e4
LT		 6766 kfree_skb(conn->rx_skb);
6767 conn->rx_skb = NULL;
6768 conn->rx_len = 0;
6769 l2cap_conn_unreliable(conn, ECOMM);
6770 goto drop;
6771 }
6772
d626f62b 6773 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6774 skb->len);
1da177e4
LT		 6775 conn->rx_len -= skb->len;
6776
6777 if (!conn->rx_len) {
c4e5bafa
JH		 6778 /* Complete frame received. l2cap_recv_frame
6779 * takes ownership of the skb so set the global
6780 * rx_skb pointer to NULL first.
6781 */
6782 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 6783 conn->rx_skb = NULL;
c4e5bafa 6784 l2cap_recv_frame(conn, rx_skb);
1da177e4 6785 }
d73a0988 6786 break;
1da177e4
LT		 6787 }
6788
6789drop:
6790 kfree_skb(skb);
6791 return 0;
6792}
6793
aef7d97c 6794static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6795{
23691d75 6796 struct l2cap_chan *c;
1da177e4 6797
333055f2 6798 read_lock(&chan_list_lock);
1da177e4 6799
23691d75 6800 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 6801 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 6802 &c->src, &c->dst,
fcb73338
AE		 6803 c->state, __le16_to_cpu(c->psm),
6804 c->scid, c->dcid, c->imtu, c->omtu,
6805 c->sec_level, c->mode);
61e1b4b7 6806 }
1da177e4 6807
333055f2 6808 read_unlock(&chan_list_lock);
1da177e4 6809
aef7d97c 6810 return 0;
1da177e4
LT		 6811}
6812
aef7d97c
MH		 6813static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6814{
6815 return single_open(file, l2cap_debugfs_show, inode->i_private);
6816}
6817
6818static const struct file_operations l2cap_debugfs_fops = {
6819 .open = l2cap_debugfs_open,
6820 .read = seq_read,
6821 .llseek = seq_lseek,
6822 .release = single_release,
6823};
6824
6825static struct dentry *l2cap_debugfs;
1da177e4 6826
64274518 6827int __init l2cap_init(void)
1da177e4
LT		 6828{
6829 int err;
be9d1227 6830
bb58f747 6831 err = l2cap_init_sockets();
1da177e4
LT		 6832 if (err < 0)
6833 return err;
6834
1120e4bf
MH		 6835 if (IS_ERR_OR_NULL(bt_debugfs))
6836 return 0;
6837
6838 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6839 NULL, &l2cap_debugfs_fops);
1da177e4 6840
1da177e4 6841 return 0;
1da177e4
LT		 6842}
6843
64274518 6844void l2cap_exit(void)
1da177e4 6845{
aef7d97c 6846 debugfs_remove(l2cap_debugfs);
bb58f747 6847 l2cap_cleanup_sockets();
1da177e4
LT		 6848}
6849
d1c4a17d
GP		 6850module_param(disable_ertm, bool, 0644);
6851MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.395829 seconds and 5 git commands to generate.