projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add L2CAP channel to skb private data
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
d1de6d46 44bool disable_ertm;
f0709e03 45
547d1032 46static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 47static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 48
b5ad8b7f
JB		 49static LIST_HEAD(chan_list);
50static DEFINE_RWLOCK(chan_list_lock);
1da177e4 51
1da177e4 52static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 53 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 54static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 55 void *data);
710f9b0a 56static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 57static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
4f1654e0
MH		 62static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
63{
64 if (hcon->type == LE_LINK) {
65 if (type == ADDR_LE_DEV_PUBLIC)
66 return BDADDR_LE_PUBLIC;
67 else
68 return BDADDR_LE_RANDOM;
69 }
70
71 return BDADDR_BREDR;
72}
73
0139418c 74/* ---- L2CAP channels ---- */
71ba0e56 75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
2d792818
GP		 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
89 u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
ef191ade 101 * Returns locked channel. */
2d792818
GP		 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa 106
3df91ea2 107 mutex_lock(&conn->chan_lock);
baa7e1fa 108 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 109 if (c)
110 l2cap_chan_lock(c);
3df91ea2
AE		 111 mutex_unlock(&conn->chan_lock);
112
48454079 113 return c;
0139418c
MH		 114}
115
b1a130b7
MM		 116/* Find channel with given DCID.
117 * Returns locked channel.
118 */
119static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
120 u16 cid)
121{
122 struct l2cap_chan *c;
123
124 mutex_lock(&conn->chan_lock);
125 c = __l2cap_get_chan_by_dcid(conn, cid);
126 if (c)
127 l2cap_chan_lock(c);
128 mutex_unlock(&conn->chan_lock);
129
130 return c;
131}
132
2d792818
GP		 133static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
0139418c 135{
3df91ea2 136 struct l2cap_chan *c;
3d57dc68 137
3df91ea2
AE		 138 list_for_each_entry(c, &conn->chan_l, list) {
139 if (c->ident == ident)
140 return c;
0139418c 141 }
3df91ea2 142 return NULL;
0139418c
MH		 143}
144
5b155ef9
MM		 145static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
146 u8 ident)
147{
148 struct l2cap_chan *c;
149
150 mutex_lock(&conn->chan_lock);
151 c = __l2cap_get_chan_by_ident(conn, ident);
152 if (c)
153 l2cap_chan_lock(c);
154 mutex_unlock(&conn->chan_lock);
155
156 return c;
157}
158
23691d75 159static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 160{
23691d75 161 struct l2cap_chan *c;
9e4425ff 162
23691d75 163 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 164 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 165 return c;
9e4425ff 166 }
250938cb 167 return NULL;
9e4425ff
GP		 168}
169
170int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
171{
73b2ec18
GP		 172 int err;
173
333055f2 174 write_lock(&chan_list_lock);
9e4425ff 175
23691d75 176 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 177 err = -EADDRINUSE;
178 goto done;
9e4425ff
GP		 179 }
180
73b2ec18
GP		 181 if (psm) {
182 chan->psm = psm;
183 chan->sport = psm;
184 err = 0;
185 } else {
186 u16 p;
187
188 err = -EINVAL;
189 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 190 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 191 chan->psm = cpu_to_le16(p);
192 chan->sport = cpu_to_le16(p);
193 err = 0;
194 break;
195 }
196 }
9e4425ff 197
73b2ec18 198done:
333055f2 199 write_unlock(&chan_list_lock);
73b2ec18 200 return err;
9e4425ff
GP		 201}
202
203int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
204{
333055f2 205 write_lock(&chan_list_lock);
9e4425ff
GP		 206
207 chan->scid = scid;
208
333055f2 209 write_unlock(&chan_list_lock);
9e4425ff
GP		 210
211 return 0;
212}
213
baa7e1fa 214static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 215{
8db4dc46 216 u16 cid = L2CAP_CID_DYN_START;
0139418c 217
8db4dc46 218 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 219 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 220 return cid;
221 }
222
223 return 0;
224}
225
f93fa273 226static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 227{
42d2d87c 228 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 229 state_to_string(state));
badaaa00 230
89bc500e 231 chan->state = state;
53f52121 232 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 233}
234
f8e73017
GP		 235static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
236 int state, int err)
2e0052e4 237{
f8e73017 238 chan->state = state;
53f52121 239 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 240}
241
242static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
243{
f8e73017 244 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
509 else
510 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 511 } else {
512 /* Alloc CID for connection-oriented socket */
fe4128e0 513 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 514 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 515 }
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
416fa752
AE		 525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
530 break;
531
5491120e 532 default:
0139418c 533 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 536 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 537 }
538
8f7975b1
AE		 539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 545
371fd835 546 l2cap_chan_hold(chan);
baa7e1fa 547
5ee9891d
JH		 548 hci_conn_hold(conn->hcon);
549
3df91ea2 550 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 551}
552
466f8004 553void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 554{
555 mutex_lock(&conn->chan_lock);
556 __l2cap_chan_add(conn, chan);
3df91ea2 557 mutex_unlock(&conn->chan_lock);
0139418c
MH		 558}
559
466f8004 560void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 561{
8c1d787b 562 struct l2cap_conn *conn = chan->conn;
0139418c 563
c9b66675 564 __clear_chan_timer(chan);
0139418c 565
49208c9c 566 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 567
8e87d142 568 if (conn) {
56f60984 569 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 570 /* Delete from channel list */
3df91ea2 571 list_del(&chan->list);
3d57dc68 572
371fd835 573 l2cap_chan_put(chan);
baa7e1fa 574
8c1d787b 575 chan->conn = NULL;
3cabbfda
AE		 576
577 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 578 hci_conn_drop(conn->hcon);
56f60984
AE		 579
580 if (mgr && mgr->bredr_chan == chan)
581 mgr->bredr_chan = NULL;
0139418c
MH		 582 }
583
419e08c1
AE		 584 if (chan->hs_hchan) {
585 struct hci_chan *hs_hchan = chan->hs_hchan;
586
587 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
588 amp_disconnect_logical_link(hs_hchan);
589 }
590
b699ec0d 591 chan->ops->teardown(chan, err);
6be36555 592
2827011f 593 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 594 return;
2ead70b8 595
ee556f66
GP		 596 switch(chan->mode) {
597 case L2CAP_MODE_BASIC:
598 break;
c13ffa62 599
ee556f66 600 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 601 __clear_retrans_timer(chan);
602 __clear_monitor_timer(chan);
603 __clear_ack_timer(chan);
c13ffa62 604
f1c6775b 605 skb_queue_purge(&chan->srej_q);
c13ffa62 606
3c588192
MM		 607 l2cap_seq_list_free(&chan->srej_list);
608 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 609
610 /* fall through */
611
612 case L2CAP_MODE_STREAMING:
613 skb_queue_purge(&chan->tx_q);
614 break;
c13ffa62 615 }
ee556f66
GP		 616
617 return;
0139418c
MH		 618}
619
0f852724 620void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 621{
622 struct l2cap_conn *conn = chan->conn;
4519de9a 623
7eafc59e 624 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 625
89bc500e 626 switch (chan->state) {
4519de9a 627 case BT_LISTEN:
b699ec0d 628 chan->ops->teardown(chan, 0);
4519de9a
GP		 629 break;
630
631 case BT_CONNECTED:
632 case BT_CONFIG:
715ec005 633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 634 conn->hcon->type == ACL_LINK) {
8d836d71 635 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 636 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 637 } else
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT2:
715ec005 642 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 643 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 644 struct l2cap_conn_rsp rsp;
645 __u16 result;
646
bdc25783 647 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
4519de9a
GP		 648 result = L2CAP_CR_SEC_BLOCK;
649 else
650 result = L2CAP_CR_BAD_PSM;
bdc25783 651
89bc500e 652 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 653
654 rsp.scid = cpu_to_le16(chan->dcid);
655 rsp.dcid = cpu_to_le16(chan->scid);
656 rsp.result = cpu_to_le16(result);
ac73498c 657 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 658 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 659 sizeof(rsp), &rsp);
4519de9a
GP		 660 }
661
662 l2cap_chan_del(chan, reason);
663 break;
664
665 case BT_CONNECT:
666 case BT_DISCONN:
667 l2cap_chan_del(chan, reason);
668 break;
669
670 default:
b699ec0d 671 chan->ops->teardown(chan, 0);
4519de9a
GP		 672 break;
673 }
674}
675
4343478f 676static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 677{
6a974b50
MH		 678 switch (chan->chan_type) {
679 case L2CAP_CHAN_RAW:
4343478f 680 switch (chan->sec_level) {
8556edd3
JH		 681 case BT_SECURITY_HIGH:
682 return HCI_AT_DEDICATED_BONDING_MITM;
683 case BT_SECURITY_MEDIUM:
684 return HCI_AT_DEDICATED_BONDING;
685 default:
686 return HCI_AT_NO_BONDING;
687 }
6a974b50 688 break;
3124b843
MH		 689 case L2CAP_CHAN_CONN_LESS:
690 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
691 if (chan->sec_level == BT_SECURITY_LOW)
692 chan->sec_level = BT_SECURITY_SDP;
693 }
694 if (chan->sec_level == BT_SECURITY_HIGH)
695 return HCI_AT_NO_BONDING_MITM;
696 else
697 return HCI_AT_NO_BONDING;
698 break;
6a974b50
MH		 699 case L2CAP_CHAN_CONN_ORIENTED:
700 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
701 if (chan->sec_level == BT_SECURITY_LOW)
702 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 703
6a974b50
MH		 704 if (chan->sec_level == BT_SECURITY_HIGH)
705 return HCI_AT_NO_BONDING_MITM;
706 else
707 return HCI_AT_NO_BONDING;
708 }
709 /* fall through */
710 default:
4343478f 711 switch (chan->sec_level) {
00ae4af9 712 case BT_SECURITY_HIGH:
8556edd3 713 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 714 case BT_SECURITY_MEDIUM:
8556edd3 715 return HCI_AT_GENERAL_BONDING;
00ae4af9 716 default:
8556edd3 717 return HCI_AT_NO_BONDING;
00ae4af9 718 }
6a974b50 719 break;
0684e5f9 720 }
8556edd3
JH		 721}
722
723/* Service level security */
d45fc423 724int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 725{
8c1d787b 726 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 727 __u8 auth_type;
728
4343478f 729 auth_type = l2cap_get_auth_type(chan);
79d554a6 730
4343478f 731 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 732}
733
b5ad8b7f 734static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 735{
736 u8 id;
737
738 /* Get next available identificator.
739 * 1 - 128 are used by kernel.
740 * 129 - 199 are reserved.
741 * 200 - 254 are used by utilities like l2ping, etc.
742 */
743
333055f2 744 spin_lock(&conn->lock);
4e8402a3
MH		 745
746 if (++conn->tx_ident > 128)
747 conn->tx_ident = 1;
748
749 id = conn->tx_ident;
750
333055f2 751 spin_unlock(&conn->lock);
4e8402a3
MH		 752
753 return id;
754}
755
2d792818
GP		 756static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
757 void *data)
4e8402a3
MH		 758{
759 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 760 u8 flags;
4e8402a3
MH		 761
762 BT_DBG("code 0x%2.2x", code);
763
764 if (!skb)
9a9c6a34 765 return;
4e8402a3 766
e702112f
AE		 767 if (lmp_no_flush_capable(conn->hcon->hdev))
768 flags = ACL_START_NO_FLUSH;
769 else
770 flags = ACL_START;
771
14b12d0b 772 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 773 skb->priority = HCI_PRIO_MAX;
14b12d0b 774
73d80deb
LAD		 775 hci_send_acl(conn->hchan, skb, flags);
776}
777
02b0fbb9
MM		 778static bool __chan_is_moving(struct l2cap_chan *chan)
779{
780 return chan->move_state != L2CAP_MOVE_STABLE &&
781 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
782}
783
73d80deb
LAD		 784static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
785{
786 struct hci_conn *hcon = chan->conn->hcon;
787 u16 flags;
788
789 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 790 skb->priority);
73d80deb 791
d5f8a75d
MM		 792 if (chan->hs_hcon && !__chan_is_moving(chan)) {
793 if (chan->hs_hchan)
794 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
795 else
796 kfree_skb(skb);
797
798 return;
799 }
800
73d80deb 801 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 802 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 803 flags = ACL_START_NO_FLUSH;
804 else
805 flags = ACL_START;
14b12d0b 806
73d80deb
LAD		 807 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
808 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 809}
810
b76bbd66
MM		 811static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
812{
813 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
814 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
815
816 if (enh & L2CAP_CTRL_FRAME_TYPE) {
817 /* S-Frame */
818 control->sframe = 1;
819 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
820 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
821
822 control->sar = 0;
823 control->txseq = 0;
824 } else {
825 /* I-Frame */
826 control->sframe = 0;
827 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
828 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
829
830 control->poll = 0;
831 control->super = 0;
832 }
833}
834
b76bbd66
MM		 835static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
836{
837 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
838 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
839
840 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
841 /* S-Frame */
842 control->sframe = 1;
843 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
844 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
845
846 control->sar = 0;
847 control->txseq = 0;
848 } else {
849 /* I-Frame */
850 control->sframe = 0;
851 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
852 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
853
854 control->poll = 0;
855 control->super = 0;
856 }
857}
858
859static inline void __unpack_control(struct l2cap_chan *chan,
860 struct sk_buff *skb)
861{
862 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
863 __unpack_extended_control(get_unaligned_le32(skb->data),
864 &bt_cb(skb)->control);
cec8ab6e 865 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 866 } else {
867 __unpack_enhanced_control(get_unaligned_le16(skb->data),
868 &bt_cb(skb)->control);
cec8ab6e 869 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 870 }
871}
872
b5c6aaed
MM		 873static u32 __pack_extended_control(struct l2cap_ctrl *control)
874{
875 u32 packed;
876
877 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
879
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
884 } else {
885 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
887 }
888
889 return packed;
890}
891
892static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
893{
894 u16 packed;
895
896 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
897 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
898
899 if (control->sframe) {
900 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
901 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
902 packed |= L2CAP_CTRL_FRAME_TYPE;
903 } else {
904 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
905 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
906 }
907
908 return packed;
909}
910
b76bbd66
MM		 911static inline void __pack_control(struct l2cap_chan *chan,
912 struct l2cap_ctrl *control,
913 struct sk_buff *skb)
914{
915 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
916 put_unaligned_le32(__pack_extended_control(control),
917 skb->data + L2CAP_HDR_SIZE);
918 } else {
919 put_unaligned_le16(__pack_enhanced_control(control),
920 skb->data + L2CAP_HDR_SIZE);
921 }
922}
923
ba7aa64f
GP		 924static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
925{
926 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
927 return L2CAP_EXT_HDR_SIZE;
928 else
929 return L2CAP_ENH_HDR_SIZE;
930}
931
a67d7f6f
MM		 932static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
933 u32 control)
b5c6aaed
MM		 934{
935 struct sk_buff *skb;
936 struct l2cap_hdr *lh;
ba7aa64f 937 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 938
939 if (chan->fcs == L2CAP_FCS_CRC16)
940 hlen += L2CAP_FCS_SIZE;
941
a67d7f6f 942 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 943
b5c6aaed 944 if (!skb)
a67d7f6f 945 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 946
947 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
948 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
949 lh->cid = cpu_to_le16(chan->dcid);
950
a67d7f6f
MM		 951 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
952 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
953 else
954 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 955
956 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 957 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 958 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
959 }
960
961 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 962 return skb;
963}
964
965static void l2cap_send_sframe(struct l2cap_chan *chan,
966 struct l2cap_ctrl *control)
967{
968 struct sk_buff *skb;
969 u32 control_field;
970
971 BT_DBG("chan %p, control %p", chan, control);
972
973 if (!control->sframe)
974 return;
975
b99e13ad
MM		 976 if (__chan_is_moving(chan))
977 return;
978
a67d7f6f
MM		 979 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
980 !control->poll)
981 control->final = 1;
982
983 if (control->super == L2CAP_SUPER_RR)
984 clear_bit(CONN_RNR_SENT, &chan->conn_state);
985 else if (control->super == L2CAP_SUPER_RNR)
986 set_bit(CONN_RNR_SENT, &chan->conn_state);
987
988 if (control->super != L2CAP_SUPER_SREJ) {
989 chan->last_acked_seq = control->reqseq;
990 __clear_ack_timer(chan);
991 }
992
993 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
994 control->final, control->poll, control->super);
995
996 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
997 control_field = __pack_extended_control(control);
998 else
999 control_field = __pack_enhanced_control(control);
1000
1001 skb = l2cap_create_sframe_pdu(chan, control_field);
1002 if (!IS_ERR(skb))
1003 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1004}
1005
c9e3d5e0 1006static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1007{
c9e3d5e0
MM		 1008 struct l2cap_ctrl control;
1009
1010 BT_DBG("chan %p, poll %d", chan, poll);
1011
1012 memset(&control, 0, sizeof(control));
1013 control.sframe = 1;
1014 control.poll = poll;
1015
1016 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1017 control.super = L2CAP_SUPER_RNR;
1018 else
1019 control.super = L2CAP_SUPER_RR;
b5c6aaed 1020
c9e3d5e0
MM		 1021 control.reqseq = chan->buffer_seq;
1022 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1023}
1024
b4450035 1025static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1026{
c1360a1c 1027 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1028}
1029
1df7b17a 1030static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1031{
1df7b17a 1032 struct l2cap_conn *conn = chan->conn;
80d58d0b 1033 struct hci_dev *hdev;
1df7b17a
MH		 1034 bool amp_available = false;
1035
1036 if (!conn->hs_enabled)
1037 return false;
1038
1039 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1040 return false;
80d58d0b
MH		 1041
1042 read_lock(&hci_dev_list_lock);
1df7b17a 1043 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1044 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1045 test_bit(HCI_UP, &hdev->flags)) {
1046 amp_available = true;
1047 break;
1048 }
1049 }
80d58d0b
MH		 1050 read_unlock(&hci_dev_list_lock);
1051
1df7b17a
MH		 1052 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1053 return amp_available;
848566b3
MH		 1054
1055 return false;
93c3e8f5
AE		 1056}
1057
5ce66b59
AE		 1058static bool l2cap_check_efs(struct l2cap_chan *chan)
1059{
1060 /* Check EFS parameters */
1061 return true;
1062}
1063
2766be48 1064void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1065{
1066 struct l2cap_conn *conn = chan->conn;
1067 struct l2cap_conn_req req;
1068
1069 req.scid = cpu_to_le16(chan->scid);
1070 req.psm = chan->psm;
1071
1072 chan->ident = l2cap_get_ident(conn);
1073
1074 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1075
1076 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1077}
1078
8eb200bd
MM		 1079static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1080{
1081 struct l2cap_create_chan_req req;
1082 req.scid = cpu_to_le16(chan->scid);
1083 req.psm = chan->psm;
1084 req.amp_id = amp_id;
1085
1086 chan->ident = l2cap_get_ident(chan->conn);
1087
1088 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1089 sizeof(req), &req);
1090}
1091
02b0fbb9
MM		 1092static void l2cap_move_setup(struct l2cap_chan *chan)
1093{
1094 struct sk_buff *skb;
1095
1096 BT_DBG("chan %p", chan);
1097
1098 if (chan->mode != L2CAP_MODE_ERTM)
1099 return;
1100
1101 __clear_retrans_timer(chan);
1102 __clear_monitor_timer(chan);
1103 __clear_ack_timer(chan);
1104
1105 chan->retry_count = 0;
1106 skb_queue_walk(&chan->tx_q, skb) {
1107 if (bt_cb(skb)->control.retries)
1108 bt_cb(skb)->control.retries = 1;
1109 else
1110 break;
1111 }
1112
1113 chan->expected_tx_seq = chan->buffer_seq;
1114
1115 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1116 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1117 l2cap_seq_list_clear(&chan->retrans_list);
1118 l2cap_seq_list_clear(&chan->srej_list);
1119 skb_queue_purge(&chan->srej_q);
1120
1121 chan->tx_state = L2CAP_TX_STATE_XMIT;
1122 chan->rx_state = L2CAP_RX_STATE_MOVE;
1123
1124 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1125}
1126
5f3847a4
MM		 1127static void l2cap_move_done(struct l2cap_chan *chan)
1128{
1129 u8 move_role = chan->move_role;
1130 BT_DBG("chan %p", chan);
1131
1132 chan->move_state = L2CAP_MOVE_STABLE;
1133 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1134
1135 if (chan->mode != L2CAP_MODE_ERTM)
1136 return;
1137
1138 switch (move_role) {
1139 case L2CAP_MOVE_ROLE_INITIATOR:
1140 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1141 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1142 break;
1143 case L2CAP_MOVE_ROLE_RESPONDER:
1144 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1145 break;
1146 }
1147}
1148
9f0caeb1
VCG		 1149static void l2cap_chan_ready(struct l2cap_chan *chan)
1150{
2827011f 1151 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1152 chan->conf_state = 0;
1153 __clear_chan_timer(chan);
1154
54a59aa2 1155 chan->state = BT_CONNECTED;
9f0caeb1 1156
fd83e2c2 1157 chan->ops->ready(chan);
9f0caeb1
VCG		 1158}
1159
93c3e8f5
AE		 1160static void l2cap_start_connection(struct l2cap_chan *chan)
1161{
1162 if (__amp_capable(chan)) {
1163 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1164 a2mp_discover_amp(chan);
1165 } else {
1166 l2cap_send_conn_req(chan);
1167 }
1168}
1169
fc7f8a7e 1170static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1171{
8c1d787b 1172 struct l2cap_conn *conn = chan->conn;
79d554a6 1173
9f0caeb1
VCG		 1174 if (conn->hcon->type == LE_LINK) {
1175 l2cap_chan_ready(chan);
1176 return;
1177 }
1178
79d554a6 1179 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1180 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1181 return;
1182
d45fc423 1183 if (l2cap_chan_check_security(chan) &&
2d792818 1184 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1185 l2cap_start_connection(chan);
1186 }
79d554a6
MH		 1187 } else {
1188 struct l2cap_info_req req;
ac73498c 1189 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1190
1191 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1192 conn->info_ident = l2cap_get_ident(conn);
1193
ba13ccd9 1194 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1195
2d792818
GP		 1196 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1197 sizeof(req), &req);
79d554a6
MH		 1198 }
1199}
1200
cf6c2c0b
GP		 1201static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1202{
1203 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1204 if (!disable_ertm)
cf6c2c0b
GP		 1205 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1206
1207 switch (mode) {
1208 case L2CAP_MODE_ERTM:
1209 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1210 case L2CAP_MODE_STREAMING:
1211 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1212 default:
1213 return 0x00;
1214 }
1215}
1216
5e4e3972 1217static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1218{
5e4e3972 1219 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1220 struct l2cap_disconn_req req;
1221
c13ffa62
GP		 1222 if (!conn)
1223 return;
1224
aad3d0e3 1225 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1226 __clear_retrans_timer(chan);
1227 __clear_monitor_timer(chan);
1228 __clear_ack_timer(chan);
c13ffa62
GP		 1229 }
1230
416fa752 1231 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1232 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1233 return;
1234 }
1235
fe4128e0
GP		 1236 req.dcid = cpu_to_le16(chan->dcid);
1237 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1238 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1239 sizeof(req), &req);
c13ffa62 1240
f8e73017 1241 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1242}
1243
1da177e4 1244/* ---- L2CAP connections ---- */
4e8402a3
MH		 1245static void l2cap_conn_start(struct l2cap_conn *conn)
1246{
3df91ea2 1247 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1248
1249 BT_DBG("conn %p", conn);
1250
3df91ea2 1251 mutex_lock(&conn->chan_lock);
4e8402a3 1252
3df91ea2 1253 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1254 l2cap_chan_lock(chan);
4e8402a3 1255
715ec005 1256 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1257 l2cap_chan_unlock(chan);
79d554a6
MH		 1258 continue;
1259 }
1260
89bc500e 1261 if (chan->state == BT_CONNECT) {
d45fc423 1262 if (!l2cap_chan_check_security(chan) ||
2d792818 1263 !__l2cap_no_conn_pending(chan)) {
6be36555 1264 l2cap_chan_unlock(chan);
47731de7
GP		 1265 continue;
1266 }
79d554a6 1267
c1360a1c 1268 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1269 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1270 &chan->conf_state)) {
89bc500e 1271 l2cap_chan_close(chan, ECONNRESET);
6be36555 1272 l2cap_chan_unlock(chan);
47731de7 1273 continue;
b1235d79 1274 }
47731de7 1275
93c3e8f5 1276 l2cap_start_connection(chan);
47731de7 1277
89bc500e 1278 } else if (chan->state == BT_CONNECT2) {
79d554a6 1279 struct l2cap_conn_rsp rsp;
e9aeb2dd 1280 char buf[128];
fe4128e0
GP		 1281 rsp.scid = cpu_to_le16(chan->dcid);
1282 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1283
d45fc423 1284 if (l2cap_chan_check_security(chan)) {
bdc25783 1285 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1286 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1287 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1288 chan->ops->defer(chan);
f66dc81f
MH		 1289
1290 } else {
acdcabf5 1291 l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1292 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1293 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1294 }
79d554a6 1295 } else {
ac73498c
AE		 1296 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1297 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1298 }
1299
fc7f8a7e 1300 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1301 sizeof(rsp), &rsp);
e9aeb2dd 1302
c1360a1c 1303 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1304 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1305 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1306 continue;
1307 }
1308
c1360a1c 1309 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1310 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1311 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1312 chan->num_conf_req++;
4e8402a3
MH		 1313 }
1314
6be36555 1315 l2cap_chan_unlock(chan);
4e8402a3
MH		 1316 }
1317
3df91ea2 1318 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1319}
1320
c2287681 1321/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1322 * Returns closest match, locked.
1323 */
d9b88702 1324static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1325 bdaddr_t *src,
1326 bdaddr_t *dst)
b62f328b 1327{
23691d75 1328 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1329
23691d75 1330 read_lock(&chan_list_lock);
b62f328b 1331
23691d75 1332 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1333 if (state && c->state != state)
b62f328b
VT		 1334 continue;
1335
23691d75 1336 if (c->scid == cid) {
c2287681
IY		 1337 int src_match, dst_match;
1338 int src_any, dst_any;
1339
b62f328b 1340 /* Exact match. */
7eafc59e
MH		 1341 src_match = !bacmp(&c->src, src);
1342 dst_match = !bacmp(&c->dst, dst);
c2287681 1343 if (src_match && dst_match) {
23691d75
GP		 1344 read_unlock(&chan_list_lock);
1345 return c;
1346 }
b62f328b
VT		 1347
1348 /* Closest match */
7eafc59e
MH		 1349 src_any = !bacmp(&c->src, BDADDR_ANY);
1350 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1351 if ((src_match && dst_any) || (src_any && dst_match) ||
1352 (src_any && dst_any))
23691d75 1353 c1 = c;
b62f328b
VT		 1354 }
1355 }
280f294f 1356
23691d75 1357 read_unlock(&chan_list_lock);
b62f328b 1358
23691d75 1359 return c1;
b62f328b
VT		 1360}
1361
1362static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1363{
cc8dba2b 1364 struct hci_conn *hcon = conn->hcon;
23691d75 1365 struct l2cap_chan *chan, *pchan;
cc8dba2b 1366 u8 dst_type;
b62f328b
VT		 1367
1368 BT_DBG("");
1369
1370 /* Check if we have socket listening on cid */
073d1cf3 1371 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1372 &hcon->src, &hcon->dst);
23691d75 1373 if (!pchan)
b62f328b
VT		 1374 return;
1375
44f3b0fb
JH		 1376 /* Client ATT sockets should override the server one */
1377 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1378 return;
1379
cc8dba2b
MH		 1380 dst_type = bdaddr_type(hcon, hcon->dst_type);
1381
1382 /* If device is blocked, do not create a channel for it */
1383 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1384 return;
1385
8ffb9290 1386 l2cap_chan_lock(pchan);
62f3a2cf 1387
80b98027 1388 chan = pchan->ops->new_connection(pchan);
80808e43 1389 if (!chan)
b62f328b
VT		 1390 goto clean;
1391
9f22398c
JH		 1392 chan->dcid = L2CAP_CID_ATT;
1393
cc8dba2b
MH		 1394 bacpy(&chan->src, &hcon->src);
1395 bacpy(&chan->dst, &hcon->dst);
1396 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1397 chan->dst_type = dst_type;
b62f328b 1398
44f3b0fb 1399 __l2cap_chan_add(conn, chan);
48454079 1400
b62f328b 1401clean:
8ffb9290 1402 l2cap_chan_unlock(pchan);
b62f328b
VT		 1403}
1404
4e8402a3
MH		 1405static void l2cap_conn_ready(struct l2cap_conn *conn)
1406{
48454079 1407 struct l2cap_chan *chan;
cc110922 1408 struct hci_conn *hcon = conn->hcon;
4e8402a3 1409
79d554a6 1410 BT_DBG("conn %p", conn);
4e8402a3 1411
d8729922
JH		 1412 /* For outgoing pairing which doesn't necessarily have an
1413 * associated socket (e.g. mgmt_pair_device).
1414 */
cc110922
VCG		 1415 if (hcon->out && hcon->type == LE_LINK)
1416 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1417
3df91ea2 1418 mutex_lock(&conn->chan_lock);
4e8402a3 1419
44f3b0fb
JH		 1420 if (hcon->type == LE_LINK)
1421 l2cap_le_conn_ready(conn);
1422
3df91ea2 1423 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1424
6be36555 1425 l2cap_chan_lock(chan);
4e8402a3 1426
416fa752
AE		 1427 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1428 l2cap_chan_unlock(chan);
1429 continue;
1430 }
1431
cc110922
VCG		 1432 if (hcon->type == LE_LINK) {
1433 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1434 l2cap_chan_ready(chan);
acd7d370 1435
63128451 1436 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1437 l2cap_chan_ready(chan);
b501d6a1 1438
1c244f79 1439 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1440 l2cap_do_start(chan);
1c244f79 1441 }
4e8402a3 1442
6be36555 1443 l2cap_chan_unlock(chan);
4e8402a3 1444 }
79d554a6 1445
3df91ea2 1446 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1447}
1448
1449/* Notify sockets that we cannot guaranty reliability anymore */
1450static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1451{
48454079 1452 struct l2cap_chan *chan;
4e8402a3
MH		 1453
1454 BT_DBG("conn %p", conn);
1455
3df91ea2 1456 mutex_lock(&conn->chan_lock);
4e8402a3 1457
3df91ea2 1458 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1459 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1460 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1461 }
1462
3df91ea2 1463 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1464}
1465
f878fcad 1466static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1467{
f878fcad 1468 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1469 info_timer.work);
4e8402a3 1470
984947dc 1471 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1472 conn->info_ident = 0;
984947dc 1473
4e8402a3
MH		 1474 l2cap_conn_start(conn);
1475}
1476
2c8e1411
DH		 1477/*
1478 * l2cap_user
1479 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1480 * callback is called during registration. The ->remove callback is called
1481 * during unregistration.
1482 * An l2cap_user object can either be explicitly unregistered or when the
1483 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1484 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1485 * External modules must own a reference to the l2cap_conn object if they intend
1486 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1487 * any time if they don't.
1488 */
1489
1490int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1491{
1492 struct hci_dev *hdev = conn->hcon->hdev;
1493 int ret;
1494
1495 /* We need to check whether l2cap_conn is registered. If it is not, we
1496 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1497 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1498 * relies on the parent hci_conn object to be locked. This itself relies
1499 * on the hci_dev object to be locked. So we must lock the hci device
1500 * here, too. */
1501
1502 hci_dev_lock(hdev);
1503
1504 if (user->list.next || user->list.prev) {
1505 ret = -EINVAL;
1506 goto out_unlock;
1507 }
1508
1509 /* conn->hchan is NULL after l2cap_conn_del() was called */
1510 if (!conn->hchan) {
1511 ret = -ENODEV;
1512 goto out_unlock;
1513 }
1514
1515 ret = user->probe(conn, user);
1516 if (ret)
1517 goto out_unlock;
1518
1519 list_add(&user->list, &conn->users);
1520 ret = 0;
1521
1522out_unlock:
1523 hci_dev_unlock(hdev);
1524 return ret;
1525}
1526EXPORT_SYMBOL(l2cap_register_user);
1527
1528void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1529{
1530 struct hci_dev *hdev = conn->hcon->hdev;
1531
1532 hci_dev_lock(hdev);
1533
1534 if (!user->list.next || !user->list.prev)
1535 goto out_unlock;
1536
1537 list_del(&user->list);
1538 user->list.next = NULL;
1539 user->list.prev = NULL;
1540 user->remove(conn, user);
1541
1542out_unlock:
1543 hci_dev_unlock(hdev);
1544}
1545EXPORT_SYMBOL(l2cap_unregister_user);
1546
1547static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1548{
1549 struct l2cap_user *user;
1550
1551 while (!list_empty(&conn->users)) {
1552 user = list_first_entry(&conn->users, struct l2cap_user, list);
1553 list_del(&user->list);
1554 user->list.next = NULL;
1555 user->list.prev = NULL;
1556 user->remove(conn, user);
1557 }
1558}
1559
5d3de7df
VCG		 1560static void l2cap_conn_del(struct hci_conn *hcon, int err)
1561{
1562 struct l2cap_conn *conn = hcon->l2cap_data;
1563 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1564
1565 if (!conn)
1566 return;
1567
1568 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1569
1570 kfree_skb(conn->rx_skb);
1571
2c8e1411
DH		 1572 l2cap_unregister_all_users(conn);
1573
3df91ea2
AE		 1574 mutex_lock(&conn->chan_lock);
1575
5d3de7df
VCG		 1576 /* Kill channels */
1577 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1578 l2cap_chan_hold(chan);
6be36555
AE		 1579 l2cap_chan_lock(chan);
1580
5d3de7df 1581 l2cap_chan_del(chan, err);
6be36555
AE		 1582
1583 l2cap_chan_unlock(chan);
1584
80b98027 1585 chan->ops->close(chan);
61d6ef3e 1586 l2cap_chan_put(chan);
5d3de7df
VCG		 1587 }
1588
3df91ea2
AE		 1589 mutex_unlock(&conn->chan_lock);
1590
73d80deb
LAD		 1591 hci_chan_del(conn->hchan);
1592
5d3de7df 1593 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1594 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1595
51a8efd7 1596 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1597 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1598 smp_chan_destroy(conn);
d26a2345 1599 }
5d3de7df
VCG		 1600
1601 hcon->l2cap_data = NULL;
9c903e37
DH		 1602 conn->hchan = NULL;
1603 l2cap_conn_put(conn);
5d3de7df
VCG		 1604}
1605
6c9d42a1 1606static void security_timeout(struct work_struct *work)
5d3de7df 1607{
6c9d42a1 1608 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1609 security_timer.work);
5d3de7df 1610
d06cc416
JH		 1611 BT_DBG("conn %p", conn);
1612
1613 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1614 smp_chan_destroy(conn);
1615 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1616 }
5d3de7df
VCG		 1617}
1618
baf43251 1619static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1620{
0139418c 1621 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1622 struct hci_chan *hchan;
1da177e4 1623
baf43251 1624 if (conn)
1da177e4
LT		 1625 return conn;
1626
73d80deb
LAD		 1627 hchan = hci_chan_create(hcon);
1628 if (!hchan)
1629 return NULL;
1630
8bcde1f2 1631 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1632 if (!conn) {
1633 hci_chan_del(hchan);
1da177e4 1634 return NULL;
73d80deb 1635 }
1da177e4 1636
9c903e37 1637 kref_init(&conn->ref);
1da177e4
LT		 1638 hcon->l2cap_data = conn;
1639 conn->hcon = hcon;
9c903e37 1640 hci_conn_get(conn->hcon);
73d80deb 1641 conn->hchan = hchan;
1da177e4 1642
73d80deb 1643 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1644
dcc042d5 1645 switch (hcon->type) {
dcc042d5
AE		 1646 case LE_LINK:
1647 if (hcon->hdev->le_mtu) {
1648 conn->mtu = hcon->hdev->le_mtu;
1649 break;
1650 }
1651 /* fall through */
dcc042d5 1652 default:
acd7d370 1653 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1654 break;
1655 }
acd7d370 1656
4e8402a3
MH		 1657 conn->feat_mask = 0;
1658
848566b3
MH		 1659 if (hcon->type == ACL_LINK)
1660 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1661 &hcon->hdev->dev_flags);
1662
1da177e4 1663 spin_lock_init(&conn->lock);
3df91ea2 1664 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1665
1666 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1667 INIT_LIST_HEAD(&conn->users);
1da177e4 1668
5d3de7df 1669 if (hcon->type == LE_LINK)
6c9d42a1 1670 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1671 else
030013d8 1672 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1673
9f5a0d7b 1674 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1675
1da177e4
LT		 1676 return conn;
1677}
1678
9c903e37
DH		 1679static void l2cap_conn_free(struct kref *ref)
1680{
1681 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1682
1683 hci_conn_put(conn->hcon);
1684 kfree(conn);
1685}
1686
1687void l2cap_conn_get(struct l2cap_conn *conn)
1688{
1689 kref_get(&conn->ref);
1690}
1691EXPORT_SYMBOL(l2cap_conn_get);
1692
1693void l2cap_conn_put(struct l2cap_conn *conn)
1694{
1695 kref_put(&conn->ref, l2cap_conn_free);
1696}
1697EXPORT_SYMBOL(l2cap_conn_put);
1698
1da177e4 1699/* ---- Socket interface ---- */
1da177e4 1700
c2287681 1701/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1702 * Returns closest match.
1703 */
c2287681
IY		 1704static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1705 bdaddr_t *src,
1706 bdaddr_t *dst)
1da177e4 1707{
23691d75 1708 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1709
23691d75 1710 read_lock(&chan_list_lock);
e0f0cb56 1711
23691d75 1712 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1713 if (state && c->state != state)
1da177e4
LT		 1714 continue;
1715
23691d75 1716 if (c->psm == psm) {
c2287681
IY		 1717 int src_match, dst_match;
1718 int src_any, dst_any;
1719
1da177e4 1720 /* Exact match. */
7eafc59e
MH		 1721 src_match = !bacmp(&c->src, src);
1722 dst_match = !bacmp(&c->dst, dst);
c2287681 1723 if (src_match && dst_match) {
a7567b20 1724 read_unlock(&chan_list_lock);
23691d75
GP		 1725 return c;
1726 }
1da177e4
LT		 1727
1728 /* Closest match */
7eafc59e
MH		 1729 src_any = !bacmp(&c->src, BDADDR_ANY);
1730 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1731 if ((src_match && dst_any) || (src_any && dst_match) ||
1732 (src_any && dst_any))
23691d75 1733 c1 = c;
1da177e4
LT		 1734 }
1735 }
1da177e4 1736
23691d75 1737 read_unlock(&chan_list_lock);
e0f0cb56 1738
23691d75 1739 return c1;
1da177e4
LT		 1740}
1741
8e9f9892
AG		 1742int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1743 bdaddr_t *dst, u8 dst_type)
1da177e4 1744{
1da177e4
LT		 1745 struct l2cap_conn *conn;
1746 struct hci_conn *hcon;
1747 struct hci_dev *hdev;
09ab6f4c 1748 __u8 auth_type;
44d0e48e 1749 int err;
1da177e4 1750
7eafc59e 1751 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
ab19516a 1752 dst_type, __le16_to_cpu(psm));
1da177e4 1753
7eafc59e 1754 hdev = hci_get_route(dst, &chan->src);
af05b30b 1755 if (!hdev)
1da177e4
LT		 1756 return -EHOSTUNREACH;
1757
09fd0de5 1758 hci_dev_lock(hdev);
1da177e4 1759
6be36555 1760 l2cap_chan_lock(chan);
03a00194
GP		 1761
1762 /* PSM must be odd and lsb of upper byte must be 0 */
1763 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1764 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1765 err = -EINVAL;
1766 goto done;
1767 }
1768
1769 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1770 err = -EINVAL;
1771 goto done;
1772 }
1773
1774 switch (chan->mode) {
1775 case L2CAP_MODE_BASIC:
1776 break;
1777 case L2CAP_MODE_ERTM:
1778 case L2CAP_MODE_STREAMING:
1779 if (!disable_ertm)
1780 break;
1781 /* fall through */
1782 default:
1783 err = -ENOTSUPP;
1784 goto done;
1785 }
1786
0797e01d 1787 switch (chan->state) {
03a00194
GP		 1788 case BT_CONNECT:
1789 case BT_CONNECT2:
1790 case BT_CONFIG:
1791 /* Already connecting */
1792 err = 0;
1793 goto done;
1794
1795 case BT_CONNECTED:
1796 /* Already connected */
1797 err = -EISCONN;
1798 goto done;
1799
1800 case BT_OPEN:
1801 case BT_BOUND:
1802 /* Can connect */
1803 break;
1804
1805 default:
1806 err = -EBADFD;
1807 goto done;
1808 }
1809
1810 /* Set destination address and psm */
7eafc59e 1811 bacpy(&chan->dst, dst);
4f1654e0 1812 chan->dst_type = dst_type;
6be36555 1813
03a00194
GP		 1814 chan->psm = psm;
1815 chan->dcid = cid;
1da177e4 1816
4343478f 1817 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1818
f224ca5f 1819 if (bdaddr_type_is_le(dst_type))
8e9f9892 1820 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1821 chan->sec_level, auth_type);
acd7d370 1822 else
8e9f9892 1823 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1824 chan->sec_level, auth_type);
acd7d370 1825
30e76272
VT		 1826 if (IS_ERR(hcon)) {
1827 err = PTR_ERR(hcon);
1da177e4 1828 goto done;
30e76272 1829 }
1da177e4 1830
baf43251 1831 conn = l2cap_conn_add(hcon);
1da177e4 1832 if (!conn) {
76a68ba0 1833 hci_conn_drop(hcon);
30e76272 1834 err = -ENOMEM;
1da177e4
LT		 1835 goto done;
1836 }
1837
141d5706
JH		 1838 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1839 hci_conn_drop(hcon);
1840 err = -EBUSY;
1841 goto done;
9f0caeb1
VCG		 1842 }
1843
1da177e4 1844 /* Update source addr of the socket */
7eafc59e 1845 bacpy(&chan->src, &hcon->src);
4f1654e0 1846 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1da177e4 1847
6be36555 1848 l2cap_chan_unlock(chan);
48454079 1849 l2cap_chan_add(conn, chan);
6be36555 1850 l2cap_chan_lock(chan);
48454079 1851
5ee9891d
JH		 1852 /* l2cap_chan_add takes its own ref so we can drop this one */
1853 hci_conn_drop(hcon);
1854
6be36555 1855 l2cap_state_change(chan, BT_CONNECT);
8d836d71 1856 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4
LT		 1857
1858 if (hcon->state == BT_CONNECTED) {
715ec005 1859 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1860 __clear_chan_timer(chan);
d45fc423 1861 if (l2cap_chan_check_security(chan))
6be36555 1862 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1863 } else
fc7f8a7e 1864 l2cap_do_start(chan);
1da177e4
LT		 1865 }
1866
30e76272
VT		 1867 err = 0;
1868
1da177e4 1869done:
6be36555 1870 l2cap_chan_unlock(chan);
09fd0de5 1871 hci_dev_unlock(hdev);
1da177e4
LT		 1872 hci_dev_put(hdev);
1873 return err;
1874}
1875
721c4181 1876static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1877{
721c4181 1878 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1879 monitor_timer.work);
e90bac06 1880
525cd185 1881 BT_DBG("chan %p", chan);
0e98958d 1882
6be36555
AE		 1883 l2cap_chan_lock(chan);
1884
80909e04 1885 if (!chan->conn) {
6be36555 1886 l2cap_chan_unlock(chan);
8d7e1c7f 1887 l2cap_chan_put(chan);
e90bac06
GP		 1888 return;
1889 }
1890
401bb1f7 1891 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1892
6be36555 1893 l2cap_chan_unlock(chan);
8d7e1c7f 1894 l2cap_chan_put(chan);
e90bac06
GP		 1895}
1896
721c4181 1897static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1898{
721c4181 1899 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1900 retrans_timer.work);
e90bac06 1901
49208c9c 1902 BT_DBG("chan %p", chan);
0e98958d 1903
6be36555
AE		 1904 l2cap_chan_lock(chan);
1905
80909e04
MM		 1906 if (!chan->conn) {
1907 l2cap_chan_unlock(chan);
1908 l2cap_chan_put(chan);
1909 return;
1910 }
6be36555 1911
401bb1f7 1912 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1913 l2cap_chan_unlock(chan);
8d7e1c7f 1914 l2cap_chan_put(chan);
e90bac06
GP		 1915}
1916
d660366d
GP		 1917static void l2cap_streaming_send(struct l2cap_chan *chan,
1918 struct sk_buff_head *skbs)
6840ed07 1919{
ccbb84af 1920 struct sk_buff *skb;
3733937d 1921 struct l2cap_ctrl *control;
6840ed07 1922
3733937d
MM		 1923 BT_DBG("chan %p, skbs %p", chan, skbs);
1924
b99e13ad
MM		 1925 if (__chan_is_moving(chan))
1926 return;
1927
3733937d
MM		 1928 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1929
1930 while (!skb_queue_empty(&chan->tx_q)) {
1931
1932 skb = skb_dequeue(&chan->tx_q);
1933
1934 bt_cb(skb)->control.retries = 1;
1935 control = &bt_cb(skb)->control;
1936
1937 control->reqseq = 0;
1938 control->txseq = chan->next_tx_seq;
1939
1940 __pack_control(chan, control, skb);
6840ed07 1941
47d1ec61 1942 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1943 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1944 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1945 }
1946
4343478f 1947 l2cap_do_send(chan, skb);
6840ed07 1948
b4400672 1949 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1950
836be934 1951 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1952 chan->frames_sent++;
6840ed07 1953 }
6840ed07
GP		 1954}
1955
67c9e840 1956static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1957{
1958 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1959 struct l2cap_ctrl *control;
1960 int sent = 0;
1961
1962 BT_DBG("chan %p", chan);
1c2acffb 1963
89bc500e 1964 if (chan->state != BT_CONNECTED)
c13ffa62 1965 return -ENOTCONN;
e90bac06 1966
94122bbe
MM		 1967 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1968 return 0;
1969
b99e13ad
MM		 1970 if (__chan_is_moving(chan))
1971 return 0;
1972
18a48e76
MM		 1973 while (chan->tx_send_head &&
1974 chan->unacked_frames < chan->remote_tx_win &&
1975 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1976
18a48e76 1977 skb = chan->tx_send_head;
e90bac06 1978
18a48e76
MM		 1979 bt_cb(skb)->control.retries = 1;
1980 control = &bt_cb(skb)->control;
95ffa978 1981
e2ab4353 1982 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1983 control->final = 1;
e2ab4353 1984
18a48e76
MM		 1985 control->reqseq = chan->buffer_seq;
1986 chan->last_acked_seq = chan->buffer_seq;
1987 control->txseq = chan->next_tx_seq;
1c2acffb 1988
18a48e76 1989 __pack_control(chan, control, skb);
e90bac06 1990
47d1ec61 1991 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1992 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1993 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1994 }
1995
18a48e76
MM		 1996 /* Clone after data has been modified. Data is assumed to be
1997 read-only (for locking purposes) on cloned sk_buffs.
1998 */
1999 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2000
18a48e76
MM		 2001 if (!tx_skb)
2002 break;
1c2acffb 2003
18a48e76 2004 __set_retrans_timer(chan);
836be934
AE		 2005
2006 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2007 chan->unacked_frames++;
6a026610 2008 chan->frames_sent++;
18a48e76 2009 sent++;
1c2acffb 2010
58d35f87
GP		 2011 if (skb_queue_is_last(&chan->tx_q, skb))
2012 chan->tx_send_head = NULL;
1c2acffb 2013 else
58d35f87 2014 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2015
2016 l2cap_do_send(chan, tx_skb);
b4400672 2017 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2018 }
2019
b4400672
AE		 2020 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2021 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2022
2023 return sent;
9e917af1
GP		 2024}
2025
e1fbd4c1
MM		 2026static void l2cap_ertm_resend(struct l2cap_chan *chan)
2027{
2028 struct l2cap_ctrl control;
2029 struct sk_buff *skb;
2030 struct sk_buff *tx_skb;
2031 u16 seq;
2032
2033 BT_DBG("chan %p", chan);
2034
2035 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2036 return;
2037
b99e13ad
MM		 2038 if (__chan_is_moving(chan))
2039 return;
2040
e1fbd4c1
MM		 2041 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2042 seq = l2cap_seq_list_pop(&chan->retrans_list);
2043
2044 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2045 if (!skb) {
2046 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2047 seq);
e1fbd4c1
MM		 2048 continue;
2049 }
2050
2051 bt_cb(skb)->control.retries++;
2052 control = bt_cb(skb)->control;
2053
2054 if (chan->max_tx != 0 &&
2055 bt_cb(skb)->control.retries > chan->max_tx) {
2056 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2057 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2058 l2cap_seq_list_clear(&chan->retrans_list);
2059 break;
2060 }
2061
2062 control.reqseq = chan->buffer_seq;
2063 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2064 control.final = 1;
2065 else
2066 control.final = 0;
2067
2068 if (skb_cloned(skb)) {
2069 /* Cloned sk_buffs are read-only, so we need a
2070 * writeable copy
2071 */
8bcde1f2 2072 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2073 } else {
8bcde1f2 2074 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2075 }
2076
2077 if (!tx_skb) {
2078 l2cap_seq_list_clear(&chan->retrans_list);
2079 break;
2080 }
2081
2082 /* Update skb contents */
2083 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2084 put_unaligned_le32(__pack_extended_control(&control),
2085 tx_skb->data + L2CAP_HDR_SIZE);
2086 } else {
2087 put_unaligned_le16(__pack_enhanced_control(&control),
2088 tx_skb->data + L2CAP_HDR_SIZE);
2089 }
2090
2091 if (chan->fcs == L2CAP_FCS_CRC16) {
2092 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2093 put_unaligned_le16(fcs, skb_put(tx_skb,
2094 L2CAP_FCS_SIZE));
2095 }
2096
2097 l2cap_do_send(chan, tx_skb);
2098
2099 BT_DBG("Resent txseq %d", control.txseq);
2100
2101 chan->last_acked_seq = chan->buffer_seq;
2102 }
2103}
2104
f80842a8
MM		 2105static void l2cap_retransmit(struct l2cap_chan *chan,
2106 struct l2cap_ctrl *control)
2107{
2108 BT_DBG("chan %p, control %p", chan, control);
2109
2110 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2111 l2cap_ertm_resend(chan);
2112}
2113
d2a7ac5d
MM		 2114static void l2cap_retransmit_all(struct l2cap_chan *chan,
2115 struct l2cap_ctrl *control)
2116{
e1fbd4c1
MM		 2117 struct sk_buff *skb;
2118
2119 BT_DBG("chan %p, control %p", chan, control);
2120
2121 if (control->poll)
2122 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2123
2124 l2cap_seq_list_clear(&chan->retrans_list);
2125
2126 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2127 return;
2128
2129 if (chan->unacked_frames) {
2130 skb_queue_walk(&chan->tx_q, skb) {
2131 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2132 skb == chan->tx_send_head)
e1fbd4c1
MM		 2133 break;
2134 }
2135
2136 skb_queue_walk_from(&chan->tx_q, skb) {
2137 if (skb == chan->tx_send_head)
2138 break;
2139
2140 l2cap_seq_list_append(&chan->retrans_list,
2141 bt_cb(skb)->control.txseq);
2142 }
2143
2144 l2cap_ertm_resend(chan);
2145 }
d2a7ac5d
MM		 2146}
2147
0a0aba42 2148static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2149{
0a0aba42
MM		 2150 struct l2cap_ctrl control;
2151 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2152 chan->last_acked_seq);
2153 int threshold;
9e917af1 2154
0a0aba42
MM		 2155 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2156 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2157
0a0aba42
MM		 2158 memset(&control, 0, sizeof(control));
2159 control.sframe = 1;
dfc909be 2160
0a0aba42
MM		 2161 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2162 chan->rx_state == L2CAP_RX_STATE_RECV) {
2163 __clear_ack_timer(chan);
2164 control.super = L2CAP_SUPER_RNR;
2165 control.reqseq = chan->buffer_seq;
2166 l2cap_send_sframe(chan, &control);
2167 } else {
2168 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2169 l2cap_ertm_send(chan);
2170 /* If any i-frames were sent, they included an ack */
2171 if (chan->buffer_seq == chan->last_acked_seq)
2172 frames_to_ack = 0;
2173 }
dfc909be 2174
c20f8e35 2175 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2176 * Calculate without mul or div
2177 */
c20f8e35 2178 threshold = chan->ack_win;
0a0aba42
MM		 2179 threshold += threshold << 1;
2180 threshold >>= 2;
2181
b4400672 2182 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2183 threshold);
2184
2185 if (frames_to_ack >= threshold) {
2186 __clear_ack_timer(chan);
2187 control.super = L2CAP_SUPER_RR;
2188 control.reqseq = chan->buffer_seq;
2189 l2cap_send_sframe(chan, &control);
2190 frames_to_ack = 0;
2191 }
1c2acffb 2192
0a0aba42
MM		 2193 if (frames_to_ack)
2194 __set_ack_timer(chan);
2195 }
b17e73bb
SJ		 2196}
2197
04124681
GP		 2198static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2199 struct msghdr *msg, int len,
2200 int count, struct sk_buff *skb)
1c2acffb 2201{
0952a57a 2202 struct l2cap_conn *conn = chan->conn;
1c2acffb 2203 struct sk_buff **frag;
90338947 2204 int sent = 0;
1da177e4 2205
59203a21 2206 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2207 return -EFAULT;
1da177e4
LT		 2208
2209 sent += count;
2210 len -= count;
2211
2212 /* Continuation fragments (no L2CAP header) */
2213 frag = &skb_shinfo(skb)->frag_list;
2214 while (len) {
fbe00700
GP		 2215 struct sk_buff *tmp;
2216
1da177e4
LT		 2217 count = min_t(unsigned int, conn->mtu, len);
2218
fbe00700
GP		 2219 tmp = chan->ops->alloc_skb(chan, count,
2220 msg->msg_flags & MSG_DONTWAIT);
2221 if (IS_ERR(tmp))
2222 return PTR_ERR(tmp);
2223
2224 *frag = tmp;
2f7719ce 2225
1c2acffb
GP		 2226 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2227 return -EFAULT;
1da177e4 2228
5e59b791
LAD		 2229 (*frag)->priority = skb->priority;
2230
1da177e4
LT		 2231 sent += count;
2232 len -= count;
2233
2d0ed3d5
GP		 2234 skb->len += (*frag)->len;
2235 skb->data_len += (*frag)->len;
2236
1da177e4
LT		 2237 frag = &(*frag)->next;
2238 }
1da177e4
LT		 2239
2240 return sent;
1c2acffb 2241}
1da177e4 2242
5e59b791 2243static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2244 struct msghdr *msg, size_t len,
2245 u32 priority)
1c2acffb 2246{
8c1d787b 2247 struct l2cap_conn *conn = chan->conn;
1c2acffb 2248 struct sk_buff *skb;
03a51213 2249 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2250 struct l2cap_hdr *lh;
2251
43b1b8df
MH		 2252 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2253 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2254
2255 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2256
2257 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2258 msg->msg_flags & MSG_DONTWAIT);
2259 if (IS_ERR(skb))
2260 return skb;
1c2acffb 2261
5e59b791
LAD		 2262 skb->priority = priority;
2263
1c2acffb
GP		 2264 /* Create L2CAP header */
2265 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2266 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2267 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2268 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2269
0952a57a 2270 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2271 if (unlikely(err < 0)) {
2272 kfree_skb(skb);
2273 return ERR_PTR(err);
2274 }
2275 return skb;
2276}
2277
5e59b791 2278static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2279 struct msghdr *msg, size_t len,
2280 u32 priority)
1c2acffb 2281{
8c1d787b 2282 struct l2cap_conn *conn = chan->conn;
1c2acffb 2283 struct sk_buff *skb;
f2ba7fae 2284 int err, count;
1c2acffb
GP		 2285 struct l2cap_hdr *lh;
2286
b4400672 2287 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2288
f2ba7fae 2289 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2290
f2ba7fae 2291 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2292 msg->msg_flags & MSG_DONTWAIT);
2293 if (IS_ERR(skb))
2294 return skb;
1c2acffb 2295
5e59b791
LAD		 2296 skb->priority = priority;
2297
1c2acffb
GP		 2298 /* Create L2CAP header */
2299 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2300 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2301 lh->len = cpu_to_le16(len);
1c2acffb 2302
0952a57a 2303 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2304 if (unlikely(err < 0)) {
2305 kfree_skb(skb);
2306 return ERR_PTR(err);
2307 }
2308 return skb;
2309}
2310
ab0ff76d 2311static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2312 struct msghdr *msg, size_t len,
2313 u16 sdulen)
1c2acffb 2314{
8c1d787b 2315 struct l2cap_conn *conn = chan->conn;
1c2acffb 2316 struct sk_buff *skb;
e4ca6d98 2317 int err, count, hlen;
1c2acffb
GP		 2318 struct l2cap_hdr *lh;
2319
b4400672 2320 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2321
0ee0d208
GP		 2322 if (!conn)
2323 return ERR_PTR(-ENOTCONN);
2324
ba7aa64f 2325 hlen = __ertm_hdr_size(chan);
e4ca6d98 2326
c74e560c 2327 if (sdulen)
03a51213 2328 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2329
47d1ec61 2330 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2331 hlen += L2CAP_FCS_SIZE;
fcc203c3 2332
1c2acffb 2333 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2334
2335 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2336 msg->msg_flags & MSG_DONTWAIT);
2337 if (IS_ERR(skb))
2338 return skb;
1c2acffb
GP		 2339
2340 /* Create L2CAP header */
2341 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2342 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2343 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2344
18a48e76
MM		 2345 /* Control header is populated later */
2346 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2347 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2348 else
2349 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2350
c74e560c 2351 if (sdulen)
03a51213 2352 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2353
0952a57a 2354 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2355 if (unlikely(err < 0)) {
2356 kfree_skb(skb);
2357 return ERR_PTR(err);
2358 }
e90bac06 2359
18a48e76 2360 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2361 bt_cb(skb)->control.retries = 0;
1c2acffb 2362 return skb;
1da177e4
LT		 2363}
2364
94122bbe
MM		 2365static int l2cap_segment_sdu(struct l2cap_chan *chan,
2366 struct sk_buff_head *seg_queue,
2367 struct msghdr *msg, size_t len)
c74e560c 2368{
c74e560c 2369 struct sk_buff *skb;
94122bbe
MM		 2370 u16 sdu_len;
2371 size_t pdu_len;
94122bbe 2372 u8 sar;
c74e560c 2373
b4400672 2374 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2375
94122bbe
MM		 2376 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2377 * so fragmented skbs are not used. The HCI layer's handling
2378 * of fragmented skbs is not compatible with ERTM's queueing.
2379 */
c74e560c 2380
94122bbe
MM		 2381 /* PDU size is derived from the HCI MTU */
2382 pdu_len = chan->conn->mtu;
c74e560c 2383
a549574d
MM		 2384 /* Constrain PDU size for BR/EDR connections */
2385 if (!chan->hs_hcon)
2386 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2387
2388 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2389 if (chan->fcs)
2390 pdu_len -= L2CAP_FCS_SIZE;
2391
ba7aa64f 2392 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2393
2394 /* Remote device may have requested smaller PDUs */
2395 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2396
2397 if (len <= pdu_len) {
2398 sar = L2CAP_SAR_UNSEGMENTED;
2399 sdu_len = 0;
2400 pdu_len = len;
2401 } else {
2402 sar = L2CAP_SAR_START;
2403 sdu_len = len;
2404 pdu_len -= L2CAP_SDULEN_SIZE;
2405 }
2406
2407 while (len > 0) {
2408 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2409
c74e560c 2410 if (IS_ERR(skb)) {
94122bbe 2411 __skb_queue_purge(seg_queue);
c74e560c
GP		 2412 return PTR_ERR(skb);
2413 }
2414
94122bbe
MM		 2415 bt_cb(skb)->control.sar = sar;
2416 __skb_queue_tail(seg_queue, skb);
2417
2418 len -= pdu_len;
2419 if (sdu_len) {
2420 sdu_len = 0;
2421 pdu_len += L2CAP_SDULEN_SIZE;
2422 }
2423
2424 if (len <= pdu_len) {
2425 sar = L2CAP_SAR_END;
2426 pdu_len = len;
2427 } else {
2428 sar = L2CAP_SAR_CONTINUE;
2429 }
c74e560c 2430 }
c74e560c 2431
f0f62799 2432 return 0;
c74e560c
GP		 2433}
2434
5e59b791 2435int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2436 u32 priority)
9a91a04a 2437{
9a91a04a 2438 struct sk_buff *skb;
9a91a04a 2439 int err;
94122bbe 2440 struct sk_buff_head seg_queue;
9a91a04a
GP		 2441
2442 /* Connectionless channel */
715ec005 2443 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2444 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2445 if (IS_ERR(skb))
2446 return PTR_ERR(skb);
2447
2448 l2cap_do_send(chan, skb);
2449 return len;
2450 }
2451
2452 switch (chan->mode) {
2453 case L2CAP_MODE_BASIC:
2454 /* Check outgoing MTU */
2455 if (len > chan->omtu)
2456 return -EMSGSIZE;
2457
2458 /* Create a basic PDU */
5e59b791 2459 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2460 if (IS_ERR(skb))
2461 return PTR_ERR(skb);
2462
2463 l2cap_do_send(chan, skb);
2464 err = len;
2465 break;
2466
2467 case L2CAP_MODE_ERTM:
2468 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2469 /* Check outgoing MTU */
2470 if (len > chan->omtu) {
2471 err = -EMSGSIZE;
2472 break;
2473 }
9a91a04a 2474
94122bbe 2475 __skb_queue_head_init(&seg_queue);
9a91a04a 2476
94122bbe
MM		 2477 /* Do segmentation before calling in to the state machine,
2478 * since it's possible to block while waiting for memory
2479 * allocation.
2480 */
2481 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2482
94122bbe
MM		 2483 /* The channel could have been closed while segmenting,
2484 * check that it is still connected.
2485 */
2486 if (chan->state != BT_CONNECTED) {
2487 __skb_queue_purge(&seg_queue);
2488 err = -ENOTCONN;
9a91a04a
GP		 2489 }
2490
94122bbe 2491 if (err)
9a91a04a 2492 break;
9a91a04a 2493
3733937d 2494 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2495 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2496 else
d660366d 2497 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2498
d660366d 2499 err = len;
9a91a04a 2500
94122bbe
MM		 2501 /* If the skbs were not queued for sending, they'll still be in
2502 * seg_queue and need to be purged.
2503 */
2504 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2505 break;
2506
2507 default:
2508 BT_DBG("bad state %1.1x", chan->mode);
2509 err = -EBADFD;
2510 }
2511
2512 return err;
2513}
2514
d2a7ac5d
MM		 2515static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2516{
bed68bde
MM		 2517 struct l2cap_ctrl control;
2518 u16 seq;
2519
b4400672 2520 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2521
2522 memset(&control, 0, sizeof(control));
2523 control.sframe = 1;
2524 control.super = L2CAP_SUPER_SREJ;
2525
2526 for (seq = chan->expected_tx_seq; seq != txseq;
2527 seq = __next_seq(chan, seq)) {
2528 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2529 control.reqseq = seq;
2530 l2cap_send_sframe(chan, &control);
2531 l2cap_seq_list_append(&chan->srej_list, seq);
2532 }
2533 }
2534
2535 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2536}
2537
2538static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2539{
bed68bde
MM		 2540 struct l2cap_ctrl control;
2541
2542 BT_DBG("chan %p", chan);
2543
2544 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2545 return;
2546
2547 memset(&control, 0, sizeof(control));
2548 control.sframe = 1;
2549 control.super = L2CAP_SUPER_SREJ;
2550 control.reqseq = chan->srej_list.tail;
2551 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2552}
2553
2554static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2555{
bed68bde
MM		 2556 struct l2cap_ctrl control;
2557 u16 initial_head;
2558 u16 seq;
2559
b4400672 2560 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2561
2562 memset(&control, 0, sizeof(control));
2563 control.sframe = 1;
2564 control.super = L2CAP_SUPER_SREJ;
2565
2566 /* Capture initial list head to allow only one pass through the list. */
2567 initial_head = chan->srej_list.head;
2568
2569 do {
2570 seq = l2cap_seq_list_pop(&chan->srej_list);
2571 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2572 break;
2573
2574 control.reqseq = seq;
2575 l2cap_send_sframe(chan, &control);
2576 l2cap_seq_list_append(&chan->srej_list, seq);
2577 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2578}
2579
608bcc6d
MM		 2580static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2581{
2582 struct sk_buff *acked_skb;
2583 u16 ackseq;
2584
b4400672 2585 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2586
2587 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2588 return;
2589
b4400672 2590 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2591 chan->expected_ack_seq, chan->unacked_frames);
2592
2593 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2594 ackseq = __next_seq(chan, ackseq)) {
2595
2596 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2597 if (acked_skb) {
2598 skb_unlink(acked_skb, &chan->tx_q);
2599 kfree_skb(acked_skb);
2600 chan->unacked_frames--;
2601 }
2602 }
2603
2604 chan->expected_ack_seq = reqseq;
2605
2606 if (chan->unacked_frames == 0)
2607 __clear_retrans_timer(chan);
2608
b4400672 2609 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2610}
2611
2612static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2613{
2614 BT_DBG("chan %p", chan);
2615
2616 chan->expected_tx_seq = chan->buffer_seq;
2617 l2cap_seq_list_clear(&chan->srej_list);
2618 skb_queue_purge(&chan->srej_q);
2619 chan->rx_state = L2CAP_RX_STATE_RECV;
2620}
2621
d660366d
GP		 2622static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2623 struct l2cap_ctrl *control,
2624 struct sk_buff_head *skbs, u8 event)
608bcc6d 2625{
608bcc6d
MM		 2626 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2627 event);
2628
2629 switch (event) {
2630 case L2CAP_EV_DATA_REQUEST:
2631 if (chan->tx_send_head == NULL)
2632 chan->tx_send_head = skb_peek(skbs);
2633
2634 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2635 l2cap_ertm_send(chan);
2636 break;
2637 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2638 BT_DBG("Enter LOCAL_BUSY");
2639 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2640
2641 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2642 /* The SREJ_SENT state must be aborted if we are to
2643 * enter the LOCAL_BUSY state.
2644 */
2645 l2cap_abort_rx_srej_sent(chan);
2646 }
2647
2648 l2cap_send_ack(chan);
2649
2650 break;
2651 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2652 BT_DBG("Exit LOCAL_BUSY");
2653 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2654
2655 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2656 struct l2cap_ctrl local_control;
2657
2658 memset(&local_control, 0, sizeof(local_control));
2659 local_control.sframe = 1;
2660 local_control.super = L2CAP_SUPER_RR;
2661 local_control.poll = 1;
2662 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2663 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2664
2665 chan->retry_count = 1;
2666 __set_monitor_timer(chan);
2667 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2668 }
2669 break;
2670 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2671 l2cap_process_reqseq(chan, control->reqseq);
2672 break;
2673 case L2CAP_EV_EXPLICIT_POLL:
2674 l2cap_send_rr_or_rnr(chan, 1);
2675 chan->retry_count = 1;
2676 __set_monitor_timer(chan);
2677 __clear_ack_timer(chan);
2678 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2679 break;
2680 case L2CAP_EV_RETRANS_TO:
2681 l2cap_send_rr_or_rnr(chan, 1);
2682 chan->retry_count = 1;
2683 __set_monitor_timer(chan);
2684 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2685 break;
2686 case L2CAP_EV_RECV_FBIT:
2687 /* Nothing to process */
2688 break;
2689 default:
2690 break;
2691 }
608bcc6d
MM		 2692}
2693
d660366d
GP		 2694static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2695 struct l2cap_ctrl *control,
2696 struct sk_buff_head *skbs, u8 event)
608bcc6d 2697{
608bcc6d
MM		 2698 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2699 event);
2700
2701 switch (event) {
2702 case L2CAP_EV_DATA_REQUEST:
2703 if (chan->tx_send_head == NULL)
2704 chan->tx_send_head = skb_peek(skbs);
2705 /* Queue data, but don't send. */
2706 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2707 break;
2708 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2709 BT_DBG("Enter LOCAL_BUSY");
2710 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2711
2712 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2713 /* The SREJ_SENT state must be aborted if we are to
2714 * enter the LOCAL_BUSY state.
2715 */
2716 l2cap_abort_rx_srej_sent(chan);
2717 }
2718
2719 l2cap_send_ack(chan);
2720
2721 break;
2722 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2723 BT_DBG("Exit LOCAL_BUSY");
2724 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2725
2726 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2727 struct l2cap_ctrl local_control;
2728 memset(&local_control, 0, sizeof(local_control));
2729 local_control.sframe = 1;
2730 local_control.super = L2CAP_SUPER_RR;
2731 local_control.poll = 1;
2732 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2733 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2734
2735 chan->retry_count = 1;
2736 __set_monitor_timer(chan);
2737 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2738 }
2739 break;
2740 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2741 l2cap_process_reqseq(chan, control->reqseq);
2742
2743 /* Fall through */
2744
2745 case L2CAP_EV_RECV_FBIT:
2746 if (control && control->final) {
2747 __clear_monitor_timer(chan);
2748 if (chan->unacked_frames > 0)
2749 __set_retrans_timer(chan);
2750 chan->retry_count = 0;
2751 chan->tx_state = L2CAP_TX_STATE_XMIT;
2752 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2753 }
2754 break;
2755 case L2CAP_EV_EXPLICIT_POLL:
2756 /* Ignore */
2757 break;
2758 case L2CAP_EV_MONITOR_TO:
2759 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2760 l2cap_send_rr_or_rnr(chan, 1);
2761 __set_monitor_timer(chan);
2762 chan->retry_count++;
2763 } else {
5e4e3972 2764 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2765 }
2766 break;
2767 default:
2768 break;
2769 }
608bcc6d
MM		 2770}
2771
d660366d
GP		 2772static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2773 struct sk_buff_head *skbs, u8 event)
608bcc6d 2774{
608bcc6d
MM		 2775 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2776 chan, control, skbs, event, chan->tx_state);
2777
2778 switch (chan->tx_state) {
2779 case L2CAP_TX_STATE_XMIT:
d660366d 2780 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2781 break;
2782 case L2CAP_TX_STATE_WAIT_F:
d660366d 2783 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2784 break;
2785 default:
2786 /* Ignore event */
2787 break;
2788 }
608bcc6d
MM		 2789}
2790
4b51dae9
MM		 2791static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2792 struct l2cap_ctrl *control)
2793{
2794 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2795 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2796}
2797
f80842a8
MM		 2798static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2799 struct l2cap_ctrl *control)
2800{
2801 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2802 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2803}
2804
1da177e4
LT		 2805/* Copy frame to all raw sockets on that connection */
2806static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2807{
1da177e4 2808 struct sk_buff *nskb;
48454079 2809 struct l2cap_chan *chan;
1da177e4
LT		 2810
2811 BT_DBG("conn %p", conn);
2812
3df91ea2 2813 mutex_lock(&conn->chan_lock);
3d57dc68 2814
3df91ea2 2815 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2816 struct sock *sk = chan->sk;
715ec005 2817 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2818 continue;
2819
2820 /* Don't send frame to the socket it came from */
2821 if (skb->sk == sk)
2822 continue;
8bcde1f2 2823 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2824 if (!nskb)
1da177e4
LT		 2825 continue;
2826
80b98027 2827 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2828 kfree_skb(nskb);
2829 }
3d57dc68 2830
3df91ea2 2831 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2832}
2833
2834/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2835static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2836 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2837{
2838 struct sk_buff *skb, **frag;
2839 struct l2cap_cmd_hdr *cmd;
2840 struct l2cap_hdr *lh;
2841 int len, count;
2842
b4400672
AE		 2843 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2844 conn, code, ident, dlen);
1da177e4 2845
300b962e
AL		 2846 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2847 return NULL;
2848
1da177e4
LT		 2849 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2850 count = min_t(unsigned int, conn->mtu, len);
2851
8bcde1f2 2852 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2853 if (!skb)
2854 return NULL;
2855
2856 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2857 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2858
2859 if (conn->hcon->type == LE_LINK)
ac73498c 2860 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2861 else
ac73498c 2862 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2863
2864 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2865 cmd->code = code;
2866 cmd->ident = ident;
aca3192c 2867 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2868
2869 if (dlen) {
2870 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2871 memcpy(skb_put(skb, count), data, count);
2872 data += count;
2873 }
2874
2875 len -= skb->len;
2876
2877 /* Continuation fragments (no L2CAP header) */
2878 frag = &skb_shinfo(skb)->frag_list;
2879 while (len) {
2880 count = min_t(unsigned int, conn->mtu, len);
2881
8bcde1f2 2882 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2883 if (!*frag)
2884 goto fail;
2885
2886 memcpy(skb_put(*frag, count), data, count);
2887
2888 len -= count;
2889 data += count;
2890
2891 frag = &(*frag)->next;
2892 }
2893
2894 return skb;
2895
2896fail:
2897 kfree_skb(skb);
2898 return NULL;
2899}
2900
2d792818
GP		 2901static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2902 unsigned long *val)
1da177e4
LT		 2903{
2904 struct l2cap_conf_opt *opt = *ptr;
2905 int len;
2906
2907 len = L2CAP_CONF_OPT_SIZE + opt->len;
2908 *ptr += len;
2909
2910 *type = opt->type;
2911 *olen = opt->len;
2912
2913 switch (opt->len) {
2914 case 1:
2915 *val = *((u8 *) opt->val);
2916 break;
2917
2918 case 2:
bfaaeb3e 2919 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2920 break;
2921
2922 case 4:
bfaaeb3e 2923 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2924 break;
2925
2926 default:
2927 *val = (unsigned long) opt->val;
2928 break;
2929 }
2930
b4400672 2931 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2932 return len;
2933}
2934
1da177e4
LT		 2935static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2936{
2937 struct l2cap_conf_opt *opt = *ptr;
2938
b4400672 2939 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2940
2941 opt->type = type;
2942 opt->len = len;
2943
2944 switch (len) {
2945 case 1:
2946 *((u8 *) opt->val) = val;
2947 break;
2948
2949 case 2:
4f8b691c 2950 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2951 break;
2952
2953 case 4:
4f8b691c 2954 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2955 break;
2956
2957 default:
2958 memcpy(opt->val, (void *) val, len);
2959 break;
2960 }
2961
2962 *ptr += L2CAP_CONF_OPT_SIZE + len;
2963}
2964
f89cef09
AE		 2965static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2966{
2967 struct l2cap_conf_efs efs;
2968
1ec918ce 2969 switch (chan->mode) {
f89cef09
AE		 2970 case L2CAP_MODE_ERTM:
2971 efs.id = chan->local_id;
2972 efs.stype = chan->local_stype;
2973 efs.msdu = cpu_to_le16(chan->local_msdu);
2974 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2975 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2976 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2977 break;
2978
2979 case L2CAP_MODE_STREAMING:
2980 efs.id = 1;
2981 efs.stype = L2CAP_SERV_BESTEFFORT;
2982 efs.msdu = cpu_to_le16(chan->local_msdu);
2983 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2984 efs.acc_lat = 0;
2985 efs.flush_to = 0;
2986 break;
2987
2988 default:
2989 return;
2990 }
2991
2992 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2993 (unsigned long) &efs);
f89cef09
AE		 2994}
2995
721c4181 2996static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2997{
721c4181 2998 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2999 ack_timer.work);
3000 u16 frames_to_ack;
c1b4f43b 3001
2fb9b3d4
GP		 3002 BT_DBG("chan %p", chan);
3003
6be36555
AE		 3004 l2cap_chan_lock(chan);
3005
0362520b
MM		 3006 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3007 chan->last_acked_seq);
6be36555 3008
0362520b
MM		 3009 if (frames_to_ack)
3010 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3011
0362520b 3012 l2cap_chan_unlock(chan);
09bfb2ee 3013 l2cap_chan_put(chan);
c1b4f43b
GP		 3014}
3015
466f8004 3016int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3017{
3c588192
MM		 3018 int err;
3019
105bdf9e
MM		 3020 chan->next_tx_seq = 0;
3021 chan->expected_tx_seq = 0;
42e5c802 3022 chan->expected_ack_seq = 0;
6a026610 3023 chan->unacked_frames = 0;
42e5c802 3024 chan->buffer_seq = 0;
6a026610 3025 chan->frames_sent = 0;
105bdf9e
MM		 3026 chan->last_acked_seq = 0;
3027 chan->sdu = NULL;
3028 chan->sdu_last_frag = NULL;
3029 chan->sdu_len = 0;
3030
d34c34fb
MM		 3031 skb_queue_head_init(&chan->tx_q);
3032
6ed971ca
MH		 3033 chan->local_amp_id = AMP_ID_BREDR;
3034 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3035 chan->move_state = L2CAP_MOVE_STABLE;
3036 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3037
105bdf9e
MM		 3038 if (chan->mode != L2CAP_MODE_ERTM)
3039 return 0;
3040
3041 chan->rx_state = L2CAP_RX_STATE_RECV;
3042 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3043
721c4181
GP		 3044 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3045 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3046 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3047
f1c6775b 3048 skb_queue_head_init(&chan->srej_q);
1890d36b 3049
3c588192
MM		 3050 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3051 if (err < 0)
3052 return err;
3053
9dc9affc
MM		 3054 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3055 if (err < 0)
3056 l2cap_seq_list_free(&chan->srej_list);
3057
3058 return err;
0565c1c2
GP		 3059}
3060
f2fcfcd6
GP		 3061static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3062{
3063 switch (mode) {
3064 case L2CAP_MODE_STREAMING:
3065 case L2CAP_MODE_ERTM:
3066 if (l2cap_mode_supported(mode, remote_feat_mask))
3067 return mode;
3068 /* fall through */
3069 default:
3070 return L2CAP_MODE_BASIC;
3071 }
3072}
3073
848566b3 3074static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3075{
848566b3 3076 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3077}
3078
848566b3 3079static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3080{
848566b3 3081 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3082}
3083
36c86c85
MM		 3084static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3085 struct l2cap_conf_rfc *rfc)
3086{
6ed971ca 3087 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3088 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3089
3090 /* Class 1 devices have must have ERTM timeouts
3091 * exceeding the Link Supervision Timeout. The
3092 * default Link Supervision Timeout for AMP
3093 * controllers is 10 seconds.
3094 *
3095 * Class 1 devices use 0xffffffff for their
3096 * best-effort flush timeout, so the clamping logic
3097 * will result in a timeout that meets the above
3098 * requirement. ERTM timeouts are 16-bit values, so
3099 * the maximum timeout is 65.535 seconds.
3100 */
3101
3102 /* Convert timeout to milliseconds and round */
3103 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3104
3105 /* This is the recommended formula for class 2 devices
3106 * that start ERTM timers when packets are sent to the
3107 * controller.
3108 */
3109 ertm_to = 3 * ertm_to + 500;
3110
3111 if (ertm_to > 0xffff)
3112 ertm_to = 0xffff;
3113
3114 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3115 rfc->monitor_timeout = rfc->retrans_timeout;
3116 } else {
3117 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3118 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3119 }
3120}
3121
6327eb98
AE		 3122static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3123{
3124 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3125 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3126 /* use extended control field */
3127 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3128 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3129 } else {
6327eb98 3130 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3131 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3132 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3133 }
c20f8e35 3134 chan->ack_win = chan->tx_win;
6327eb98
AE		 3135}
3136
710f9b0a 3137static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3138{
1da177e4 3139 struct l2cap_conf_req *req = data;
0c1bc5c6 3140 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3141 void *ptr = req->data;
c8f79162 3142 u16 size;
1da177e4 3143
49208c9c 3144 BT_DBG("chan %p", chan);
1da177e4 3145
73ffa904 3146 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3147 goto done;
3148
0c1bc5c6 3149 switch (chan->mode) {
f2fcfcd6
GP		 3150 case L2CAP_MODE_STREAMING:
3151 case L2CAP_MODE_ERTM:
c1360a1c 3152 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3153 break;
85eb53c6 3154
848566b3 3155 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3156 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3157
2ba13ed6 3158 /* fall through */
f2fcfcd6 3159 default:
8c1d787b 3160 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3161 break;
3162 }
3163
3164done:
0c1bc5c6
GP		 3165 if (chan->imtu != L2CAP_DEFAULT_MTU)
3166 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3167
0c1bc5c6 3168 switch (chan->mode) {
65c7c491 3169 case L2CAP_MODE_BASIC:
8c1d787b 3170 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3171 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3172 break;
3173
62547752
GP		 3174 rfc.mode = L2CAP_MODE_BASIC;
3175 rfc.txwin_size = 0;
3176 rfc.max_transmit = 0;
3177 rfc.retrans_timeout = 0;
3178 rfc.monitor_timeout = 0;
3179 rfc.max_pdu_size = 0;
3180
63406504 3181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3182 (unsigned long) &rfc);
65c7c491
MH		 3183 break;
3184
3185 case L2CAP_MODE_ERTM:
3186 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3187 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3188
3189 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3190
3191 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3192 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3193 L2CAP_FCS_SIZE);
c8f79162 3194 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3195
6327eb98
AE		 3196 l2cap_txwin_setup(chan);
3197
3198 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3199 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3200
63406504 3201 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3202 (unsigned long) &rfc);
63406504 3203
f89cef09
AE		 3204 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3205 l2cap_add_opt_efs(&ptr, chan);
3206
6327eb98
AE		 3207 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3208 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3209 chan->tx_win);
60918918
AE		 3210
3211 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3212 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3213 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3214 chan->fcs = L2CAP_FCS_NONE;
3215 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3216 chan->fcs);
3217 }
f2fcfcd6
GP		 3218 break;
3219
3220 case L2CAP_MODE_STREAMING:
273759e2 3221 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3222 rfc.mode = L2CAP_MODE_STREAMING;
3223 rfc.txwin_size = 0;
3224 rfc.max_transmit = 0;
3225 rfc.retrans_timeout = 0;
3226 rfc.monitor_timeout = 0;
c8f79162
AE		 3227
3228 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3229 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3230 L2CAP_FCS_SIZE);
c8f79162 3231 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3232
63406504 3233 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3234 (unsigned long) &rfc);
63406504 3235
f89cef09
AE		 3236 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3237 l2cap_add_opt_efs(&ptr, chan);
3238
60918918
AE		 3239 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3240 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3241 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3242 chan->fcs = L2CAP_FCS_NONE;
3243 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3244 chan->fcs);
3245 }
65c7c491
MH		 3246 break;
3247 }
1da177e4 3248
fe4128e0 3249 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3250 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3251
3252 return ptr - data;
3253}
3254
73ffa904 3255static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3256{
5dee9e7c
MH		 3257 struct l2cap_conf_rsp *rsp = data;
3258 void *ptr = rsp->data;
73ffa904
GP		 3259 void *req = chan->conf_req;
3260 int len = chan->conf_len;
5dee9e7c
MH		 3261 int type, hint, olen;
3262 unsigned long val;
6464f35f 3263 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3264 struct l2cap_conf_efs efs;
3265 u8 remote_efs = 0;
861d6882 3266 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3267 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3268 u16 size;
1da177e4 3269
73ffa904 3270 BT_DBG("chan %p", chan);
820ae1b8 3271
5dee9e7c
MH		 3272 while (len >= L2CAP_CONF_OPT_SIZE) {
3273 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3274
589d2746 3275 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3276 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3277
3278 switch (type) {
3279 case L2CAP_CONF_MTU:
861d6882 3280 mtu = val;
5dee9e7c
MH		 3281 break;
3282
3283 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3284 chan->flush_to = val;
5dee9e7c
MH		 3285 break;
3286
3287 case L2CAP_CONF_QOS:
3288 break;
3289
6464f35f
MH		 3290 case L2CAP_CONF_RFC:
3291 if (olen == sizeof(rfc))
3292 memcpy(&rfc, (void *) val, olen);
3293 break;
3294
fcc203c3
GP		 3295 case L2CAP_CONF_FCS:
3296 if (val == L2CAP_FCS_NONE)
f2592d3e 3297 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3298 break;
fcc203c3 3299
42dceae2
AE		 3300 case L2CAP_CONF_EFS:
3301 remote_efs = 1;
3302 if (olen == sizeof(efs))
3303 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3304 break;
3305
6327eb98 3306 case L2CAP_CONF_EWS:
848566b3 3307 if (!chan->conn->hs_enabled)
6327eb98 3308 return -ECONNREFUSED;
fcc203c3 3309
6327eb98
AE		 3310 set_bit(FLAG_EXT_CTRL, &chan->flags);
3311 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3312 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3313 chan->remote_tx_win = val;
fcc203c3
GP		 3314 break;
3315
5dee9e7c
MH		 3316 default:
3317 if (hint)
3318 break;
3319
3320 result = L2CAP_CONF_UNKNOWN;
3321 *((u8 *) ptr++) = type;
3322 break;
3323 }
3324 }
3325
73ffa904 3326 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3327 goto done;
3328
0c1bc5c6 3329 switch (chan->mode) {
f2fcfcd6
GP		 3330 case L2CAP_MODE_STREAMING:
3331 case L2CAP_MODE_ERTM:
c1360a1c 3332 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3333 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3334 chan->conn->feat_mask);
85eb53c6
GP		 3335 break;
3336 }
3337
42dceae2 3338 if (remote_efs) {
848566b3 3339 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3340 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3341 else
3342 return -ECONNREFUSED;
3343 }
3344
0c1bc5c6 3345 if (chan->mode != rfc.mode)
f2fcfcd6 3346 return -ECONNREFUSED;
742e519b 3347
f2fcfcd6 3348 break;
f2fcfcd6
GP		 3349 }
3350
3351done:
0c1bc5c6 3352 if (chan->mode != rfc.mode) {
f2fcfcd6 3353 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3354 rfc.mode = chan->mode;
f2fcfcd6 3355
73ffa904 3356 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3357 return -ECONNREFUSED;
3358
2d792818
GP		 3359 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3360 (unsigned long) &rfc);
f2fcfcd6
GP		 3361 }
3362
5dee9e7c
MH		 3363 if (result == L2CAP_CONF_SUCCESS) {
3364 /* Configure output options and let the other side know
3365 * which ones we don't like. */
3366
f2fcfcd6
GP		 3367 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3368 result = L2CAP_CONF_UNACCEPT;
3369 else {
0c1bc5c6 3370 chan->omtu = mtu;
c1360a1c 3371 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3372 }
0c1bc5c6 3373 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3374
42dceae2
AE		 3375 if (remote_efs) {
3376 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3377 efs.stype != L2CAP_SERV_NOTRAFIC &&
3378 efs.stype != chan->local_stype) {
42dceae2
AE		 3379
3380 result = L2CAP_CONF_UNACCEPT;
3381
3382 if (chan->num_conf_req >= 1)
3383 return -ECONNREFUSED;
3384
3385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3386 sizeof(efs),
3387 (unsigned long) &efs);
0e8b207e 3388 } else {
3e6b3b95 3389 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3390 result = L2CAP_CONF_PENDING;
3391 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3392 }
3393 }
3394
f2fcfcd6
GP		 3395 switch (rfc.mode) {
3396 case L2CAP_MODE_BASIC:
47d1ec61 3397 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3398 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3399 break;
3400
3401 case L2CAP_MODE_ERTM:
6327eb98
AE		 3402 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3403 chan->remote_tx_win = rfc.txwin_size;
3404 else
3405 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3406
2c03a7a4 3407 chan->remote_max_tx = rfc.max_transmit;
1c762159 3408
c8f79162 3409 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3410 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3411 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3412 rfc.max_pdu_size = cpu_to_le16(size);
3413 chan->remote_mps = size;
f2fcfcd6 3414
36c86c85 3415 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3416
c1360a1c 3417 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3418
3419 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3420 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3421
42dceae2
AE		 3422 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3423 chan->remote_id = efs.id;
3424 chan->remote_stype = efs.stype;
3425 chan->remote_msdu = le16_to_cpu(efs.msdu);
3426 chan->remote_flush_to =
2d792818 3427 le32_to_cpu(efs.flush_to);
42dceae2 3428 chan->remote_acc_lat =
2d792818 3429 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3430 chan->remote_sdu_itime =
3431 le32_to_cpu(efs.sdu_itime);
3432 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3433 sizeof(efs),
3434 (unsigned long) &efs);
42dceae2 3435 }
f2fcfcd6
GP		 3436 break;
3437
3438 case L2CAP_MODE_STREAMING:
c8f79162 3439 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3440 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3441 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3442 rfc.max_pdu_size = cpu_to_le16(size);
3443 chan->remote_mps = size;
f2fcfcd6 3444
c1360a1c 3445 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3446
2d792818
GP		 3447 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3448 (unsigned long) &rfc);
68ae6639 3449
f2fcfcd6
GP		 3450 break;
3451
3452 default:
5dee9e7c 3453 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3454
6464f35f 3455 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3456 rfc.mode = chan->mode;
f2fcfcd6 3457 }
6464f35f 3458
f2fcfcd6 3459 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3460 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3461 }
fe4128e0 3462 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3463 rsp->result = cpu_to_le16(result);
59e54bd1 3464 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3465
3466 return ptr - data;
1da177e4
LT		 3467}
3468
2d792818
GP		 3469static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3470 void *data, u16 *result)
f2fcfcd6 3471{
f2fcfcd6
GP		 3472 struct l2cap_conf_req *req = data;
3473 void *ptr = req->data;
3474 int type, olen;
3475 unsigned long val;
36e999a8 3476 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3477 struct l2cap_conf_efs efs;
f2fcfcd6 3478
fe4128e0 3479 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3480
3481 while (len >= L2CAP_CONF_OPT_SIZE) {
3482 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3483
3484 switch (type) {
3485 case L2CAP_CONF_MTU:
3486 if (val < L2CAP_DEFAULT_MIN_MTU) {
3487 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3488 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3489 } else
0c1bc5c6
GP		 3490 chan->imtu = val;
3491 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3492 break;
3493
3494 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3495 chan->flush_to = val;
f2fcfcd6 3496 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3497 2, chan->flush_to);
f2fcfcd6
GP		 3498 break;
3499
3500 case L2CAP_CONF_RFC:
3501 if (olen == sizeof(rfc))
3502 memcpy(&rfc, (void *)val, olen);
3503
c1360a1c 3504 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3505 rfc.mode != chan->mode)
f2fcfcd6
GP		 3506 return -ECONNREFUSED;
3507
47d1ec61 3508 chan->fcs = 0;
f2fcfcd6
GP		 3509
3510 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3511 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3512 break;
6327eb98
AE		 3513
3514 case L2CAP_CONF_EWS:
c20f8e35 3515 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3517 chan->tx_win);
6327eb98 3518 break;
66af7aaf
AE		 3519
3520 case L2CAP_CONF_EFS:
3521 if (olen == sizeof(efs))
3522 memcpy(&efs, (void *)val, olen);
3523
3524 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3525 efs.stype != L2CAP_SERV_NOTRAFIC &&
3526 efs.stype != chan->local_stype)
66af7aaf
AE		 3527 return -ECONNREFUSED;
3528
2d792818
GP		 3529 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3530 (unsigned long) &efs);
66af7aaf 3531 break;
cbabee78
AE		 3532
3533 case L2CAP_CONF_FCS:
3534 if (*result == L2CAP_CONF_PENDING)
3535 if (val == L2CAP_FCS_NONE)
f2592d3e 3536 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3537 &chan->conf_state);
3538 break;
f2fcfcd6
GP		 3539 }
3540 }
3541
0c1bc5c6 3542 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3543 return -ECONNREFUSED;
3544
0c1bc5c6 3545 chan->mode = rfc.mode;
6c2ea7a8 3546
0e8b207e 3547 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3548 switch (rfc.mode) {
3549 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3550 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3551 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3552 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3553 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3554 chan->ack_win = min_t(u16, chan->ack_win,
3555 rfc.txwin_size);
66af7aaf
AE		 3556
3557 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3558 chan->local_msdu = le16_to_cpu(efs.msdu);
3559 chan->local_sdu_itime =
2d792818 3560 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3561 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3562 chan->local_flush_to =
2d792818 3563 le32_to_cpu(efs.flush_to);
66af7aaf 3564 }
f2fcfcd6 3565 break;
66af7aaf 3566
f2fcfcd6 3567 case L2CAP_MODE_STREAMING:
47d1ec61 3568 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3569 }
3570 }
3571
fe4128e0 3572 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3573 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3574
3575 return ptr - data;
3576}
3577
2d792818
GP		 3578static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3579 u16 result, u16 flags)
1da177e4
LT		 3580{
3581 struct l2cap_conf_rsp *rsp = data;
3582 void *ptr = rsp->data;
1da177e4 3583
fe4128e0 3584 BT_DBG("chan %p", chan);
1da177e4 3585
fe4128e0 3586 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3587 rsp->result = cpu_to_le16(result);
aca3192c 3588 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3589
3590 return ptr - data;
3591}
3592
8c1d787b 3593void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3594{
3595 struct l2cap_conn_rsp rsp;
8c1d787b 3596 struct l2cap_conn *conn = chan->conn;
710f9b0a 3597 u8 buf[128];
439f34ac 3598 u8 rsp_code;
710f9b0a 3599
fe4128e0
GP		 3600 rsp.scid = cpu_to_le16(chan->dcid);
3601 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3602 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3603 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3604
3605 if (chan->hs_hcon)
3606 rsp_code = L2CAP_CREATE_CHAN_RSP;
3607 else
3608 rsp_code = L2CAP_CONN_RSP;
3609
3610 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3611
3612 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3613
c1360a1c 3614 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3615 return;
3616
710f9b0a 3617 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3618 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3619 chan->num_conf_req++;
3620}
3621
47d1ec61 3622static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3623{
7b1c0049
GP		 3624 int type, olen;
3625 unsigned long val;
c20f8e35
MM		 3626 /* Use sane default values in case a misbehaving remote device
3627 * did not send an RFC or extended window size option.
3628 */
3629 u16 txwin_ext = chan->ack_win;
3630 struct l2cap_conf_rfc rfc = {
3631 .mode = chan->mode,
3632 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3633 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3634 .max_pdu_size = cpu_to_le16(chan->imtu),
3635 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3636 };
7b1c0049 3637
47d1ec61 3638 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3639
0c1bc5c6 3640 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3641 return;
3642
3643 while (len >= L2CAP_CONF_OPT_SIZE) {
3644 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3645
c20f8e35
MM		 3646 switch (type) {
3647 case L2CAP_CONF_RFC:
3648 if (olen == sizeof(rfc))
3649 memcpy(&rfc, (void *)val, olen);
8f321f85 3650 break;
c20f8e35
MM		 3651 case L2CAP_CONF_EWS:
3652 txwin_ext = val;
3653 break;
3654 }
7b1c0049
GP		 3655 }
3656
7b1c0049
GP		 3657 switch (rfc.mode) {
3658 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3659 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3660 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3661 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3662 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3663 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3664 else
3665 chan->ack_win = min_t(u16, chan->ack_win,
3666 rfc.txwin_size);
7b1c0049
GP		 3667 break;
3668 case L2CAP_MODE_STREAMING:
47d1ec61 3669 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3670 }
3671}
3672
2d792818 3673static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3674 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3675 u8 *data)
4e8402a3 3676{
e2fd318e 3677 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3678
cb3b3152
JH		 3679 if (cmd_len < sizeof(*rej))
3680 return -EPROTO;
3681
e2fd318e 3682 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3683 return 0;
3684
3685 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3686 cmd->ident == conn->info_ident) {
17cd3f37 3687 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3688
3689 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3690 conn->info_ident = 0;
984947dc 3691
4e8402a3
MH		 3692 l2cap_conn_start(conn);
3693 }
3694
3695 return 0;
3696}
3697
1700915f
MM		 3698static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3699 struct l2cap_cmd_hdr *cmd,
3700 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3701{
1da177e4
LT		 3702 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3703 struct l2cap_conn_rsp rsp;
23691d75 3704 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3705 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3706
3707 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3708 __le16 psm = req->psm;
1da177e4 3709
097db76c 3710 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3711
3712 /* Check if we have socket listening on psm */
6f59b904 3713 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
98e0f7ea 3714 &conn->hcon->dst);
23691d75 3715 if (!pchan) {
1da177e4
LT		 3716 result = L2CAP_CR_BAD_PSM;
3717 goto sendresp;
3718 }
3719
3df91ea2 3720 mutex_lock(&conn->chan_lock);
8ffb9290 3721 l2cap_chan_lock(pchan);
e0f0cb56 3722
e7c29cb1 3723 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3724 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3725 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3726 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3727 result = L2CAP_CR_SEC_BLOCK;
3728 goto response;
3729 }
3730
1da177e4
LT		 3731 result = L2CAP_CR_NO_MEM;
3732
2dfa1003
GP		 3733 /* Check if we already have channel with that dcid */
3734 if (__l2cap_get_chan_by_dcid(conn, scid))
3735 goto response;
3736
80b98027 3737 chan = pchan->ops->new_connection(pchan);
80808e43 3738 if (!chan)
1da177e4
LT		 3739 goto response;
3740
330b6c15
SS		 3741 /* For certain devices (ex: HID mouse), support for authentication,
3742 * pairing and bonding is optional. For such devices, inorder to avoid
3743 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3744 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3745 */
3746 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3747
7eafc59e
MH		 3748 bacpy(&chan->src, &conn->hcon->src);
3749 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3750 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3751 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3752 chan->psm = psm;
3753 chan->dcid = scid;
1700915f 3754 chan->local_amp_id = amp_id;
1da177e4 3755
6be36555 3756 __l2cap_chan_add(conn, chan);
48454079 3757
fe4128e0 3758 dcid = chan->scid;
1da177e4 3759
8d836d71 3760 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3761
fc7f8a7e 3762 chan->ident = cmd->ident;
1da177e4 3763
984947dc 3764 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3765 if (l2cap_chan_check_security(chan)) {
bdc25783 3766 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3767 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3768 result = L2CAP_CR_PEND;
3769 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3770 chan->ops->defer(chan);
f66dc81f 3771 } else {
1700915f
MM		 3772 /* Force pending result for AMP controllers.
3773 * The connection will succeed after the
3774 * physical link is up.
3775 */
6ed971ca 3776 if (amp_id == AMP_ID_BREDR) {
f93fa273 3777 l2cap_state_change(chan, BT_CONFIG);
1700915f 3778 result = L2CAP_CR_SUCCESS;
6ed971ca 3779 } else {
f93fa273 3780 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3781 result = L2CAP_CR_PEND;
1700915f 3782 }
f66dc81f
MH		 3783 status = L2CAP_CS_NO_INFO;
3784 }
79d554a6 3785 } else {
f93fa273 3786 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3787 result = L2CAP_CR_PEND;
3788 status = L2CAP_CS_AUTHEN_PEND;
3789 }
3790 } else {
f93fa273 3791 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3792 result = L2CAP_CR_PEND;
3793 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3794 }
3795
1da177e4 3796response:
8ffb9290 3797 l2cap_chan_unlock(pchan);
3df91ea2 3798 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3799
3800sendresp:
aca3192c
YH		 3801 rsp.scid = cpu_to_le16(scid);
3802 rsp.dcid = cpu_to_le16(dcid);
3803 rsp.result = cpu_to_le16(result);
3804 rsp.status = cpu_to_le16(status);
4c89b6aa 3805 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3806
3807 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3808 struct l2cap_info_req info;
ac73498c 3809 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3810
3811 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3812 conn->info_ident = l2cap_get_ident(conn);
3813
ba13ccd9 3814 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3815
2d792818
GP		 3816 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3817 sizeof(info), &info);
79d554a6
MH		 3818 }
3819
c1360a1c 3820 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3821 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3822 u8 buf[128];
c1360a1c 3823 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3824 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3825 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3826 chan->num_conf_req++;
e9aeb2dd 3827 }
1700915f
MM		 3828
3829 return chan;
4c89b6aa 3830}
e9aeb2dd 3831
4c89b6aa 3832static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3833 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3834{
7b064eda
JK		 3835 struct hci_dev *hdev = conn->hcon->hdev;
3836 struct hci_conn *hcon = conn->hcon;
3837
cb3b3152
JH		 3838 if (cmd_len < sizeof(struct l2cap_conn_req))
3839 return -EPROTO;
3840
7b064eda
JK		 3841 hci_dev_lock(hdev);
3842 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3843 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3844 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3845 hcon->dst_type, 0, NULL, 0,
3846 hcon->dev_class);
3847 hci_dev_unlock(hdev);
3848
300229f9 3849 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3850 return 0;
3851}
3852
5909cf30 3853static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3854 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3855 u8 *data)
1da177e4
LT		 3856{
3857 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3858 u16 scid, dcid, result, status;
48454079 3859 struct l2cap_chan *chan;
1da177e4 3860 u8 req[128];
3df91ea2 3861 int err;
1da177e4 3862
cb3b3152
JH		 3863 if (cmd_len < sizeof(*rsp))
3864 return -EPROTO;
3865
1da177e4
LT		 3866 scid = __le16_to_cpu(rsp->scid);
3867 dcid = __le16_to_cpu(rsp->dcid);
3868 result = __le16_to_cpu(rsp->result);
3869 status = __le16_to_cpu(rsp->status);
3870
1b009c98 3871 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3872 dcid, scid, result, status);
1da177e4 3873
3df91ea2
AE		 3874 mutex_lock(&conn->chan_lock);
3875
1da177e4 3876 if (scid) {
3df91ea2
AE		 3877 chan = __l2cap_get_chan_by_scid(conn, scid);
3878 if (!chan) {
21870b52 3879 err = -EBADSLT;
3df91ea2
AE		 3880 goto unlock;
3881 }
1da177e4 3882 } else {
3df91ea2
AE		 3883 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3884 if (!chan) {
21870b52 3885 err = -EBADSLT;
3df91ea2
AE		 3886 goto unlock;
3887 }
1da177e4
LT		 3888 }
3889
3df91ea2
AE		 3890 err = 0;
3891
6be36555 3892 l2cap_chan_lock(chan);
48454079 3893
1da177e4
LT		 3894 switch (result) {
3895 case L2CAP_CR_SUCCESS:
89bc500e 3896 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3897 chan->ident = 0;
fe4128e0 3898 chan->dcid = dcid;
c1360a1c 3899 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3900
c1360a1c 3901 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3902 break;
3903
1da177e4 3904 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3905 l2cap_build_conf_req(chan, req), req);
73ffa904 3906 chan->num_conf_req++;
1da177e4
LT		 3907 break;
3908
3909 case L2CAP_CR_PEND:
c1360a1c 3910 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3911 break;
3912
3913 default:
48454079 3914 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3915 break;
3916 }
3917
6be36555 3918 l2cap_chan_unlock(chan);
3df91ea2
AE		 3919
3920unlock:
3921 mutex_unlock(&conn->chan_lock);
3922
3923 return err;
1da177e4
LT		 3924}
3925
47d1ec61 3926static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3927{
3928 /* FCS is enabled only in ERTM or streaming mode, if one or both
3929 * sides request it.
3930 */
0c1bc5c6 3931 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3932 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3933 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3934 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3935}
3936
29d8a590
AE		 3937static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3938 u8 ident, u16 flags)
3939{
3940 struct l2cap_conn *conn = chan->conn;
3941
3942 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3943 flags);
3944
3945 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3946 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3947
3948 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3949 l2cap_build_conf_rsp(chan, data,
3950 L2CAP_CONF_SUCCESS, flags), data);
3951}
3952
662d652d
JH		 3953static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3954 u16 scid, u16 dcid)
3955{
3956 struct l2cap_cmd_rej_cid rej;
3957
3958 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3959 rej.scid = __cpu_to_le16(scid);
3960 rej.dcid = __cpu_to_le16(dcid);
3961
3962 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3963}
3964
2d792818
GP		 3965static inline int l2cap_config_req(struct l2cap_conn *conn,
3966 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3967 u8 *data)
1da177e4
LT		 3968{
3969 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3970 u16 dcid, flags;
3971 u8 rsp[64];
48454079 3972 struct l2cap_chan *chan;
3c588192 3973 int len, err = 0;
1da177e4 3974
cb3b3152
JH		 3975 if (cmd_len < sizeof(*req))
3976 return -EPROTO;
3977
1da177e4
LT		 3978 dcid = __le16_to_cpu(req->dcid);
3979 flags = __le16_to_cpu(req->flags);
3980
3981 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3982
baa7e1fa 3983 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 3984 if (!chan) {
3985 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
3986 return 0;
3987 }
1da177e4 3988
033b1142 3989 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 3990 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
3991 chan->dcid);
354f60a9 3992 goto unlock;
df6bd743 3993 }
354f60a9 3994
5dee9e7c 3995 /* Reject if config buffer is too small. */
88219a0f 3996 len = cmd_len - sizeof(*req);
cb3b3152 3997 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3998 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3999 l2cap_build_conf_rsp(chan, rsp,
4000 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4001 goto unlock;
4002 }
4003
4004 /* Store config. */
73ffa904
GP		 4005 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4006 chan->conf_len += len;
1da177e4 4007
59e54bd1 4008 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4009 /* Incomplete config. Send empty response. */
4010 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4011 l2cap_build_conf_rsp(chan, rsp,
4012 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4013 goto unlock;
4014 }
4015
4016 /* Complete config. */
73ffa904 4017 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4018 if (len < 0) {
5e4e3972 4019 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4020 goto unlock;
f2fcfcd6 4021 }
1da177e4 4022
1500109b 4023 chan->ident = cmd->ident;
5dee9e7c 4024 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4025 chan->num_conf_rsp++;
5dee9e7c 4026
5dee9e7c 4027 /* Reset config buffer. */
73ffa904 4028 chan->conf_len = 0;
5dee9e7c 4029
c1360a1c 4030 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4031 goto unlock;
4032
c1360a1c 4033 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4034 set_default_fcs(chan);
fcc203c3 4035
105bdf9e
MM		 4036 if (chan->mode == L2CAP_MODE_ERTM ||
4037 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4038 err = l2cap_ertm_init(chan);
4039
4040 if (err < 0)
5e4e3972 4041 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4042 else
4043 l2cap_chan_ready(chan);
0565c1c2 4044
876d9484
MH		 4045 goto unlock;
4046 }
4047
c1360a1c 4048 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4049 u8 buf[64];
1da177e4 4050 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4051 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4052 chan->num_conf_req++;
1da177e4
LT		 4053 }
4054
0e8b207e
AE		 4055 /* Got Conf Rsp PENDING from remote side and asume we sent
4056 Conf Rsp PENDING in the code above */
4057 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4058 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4059
4060 /* check compatibility */
4061
79de886d 4062 /* Send rsp for BR/EDR channel */
f351bc72 4063 if (!chan->hs_hcon)
79de886d
AE		 4064 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4065 else
4066 chan->ident = cmd->ident;
0e8b207e
AE		 4067 }
4068
1da177e4 4069unlock:
6be36555 4070 l2cap_chan_unlock(chan);
3c588192 4071 return err;
1da177e4
LT		 4072}
4073
2d792818 4074static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4075 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4076 u8 *data)
1da177e4
LT		 4077{
4078 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4079 u16 scid, flags, result;
48454079 4080 struct l2cap_chan *chan;
cb3b3152 4081 int len = cmd_len - sizeof(*rsp);
3c588192 4082 int err = 0;
1da177e4 4083
cb3b3152
JH		 4084 if (cmd_len < sizeof(*rsp))
4085 return -EPROTO;
4086
1da177e4
LT		 4087 scid = __le16_to_cpu(rsp->scid);
4088 flags = __le16_to_cpu(rsp->flags);
4089 result = __le16_to_cpu(rsp->result);
4090
61386cba
AE		 4091 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4092 result, len);
1da177e4 4093
baa7e1fa 4094 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4095 if (!chan)
1da177e4
LT		 4096 return 0;
4097
4098 switch (result) {
4099 case L2CAP_CONF_SUCCESS:
47d1ec61 4100 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4101 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4102 break;
4103
0e8b207e
AE		 4104 case L2CAP_CONF_PENDING:
4105 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4106
4107 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4108 char buf[64];
4109
4110 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4111 buf, &result);
0e8b207e 4112 if (len < 0) {
5e4e3972 4113 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4114 goto done;
4115 }
4116
f351bc72 4117 if (!chan->hs_hcon) {
79de886d
AE		 4118 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4119 0);
5ce66b59
AE		 4120 } else {
4121 if (l2cap_check_efs(chan)) {
4122 amp_create_logical_link(chan);
4123 chan->ident = cmd->ident;
4124 }
4125 }
0e8b207e
AE		 4126 }
4127 goto done;
4128
1da177e4 4129 case L2CAP_CONF_UNACCEPT:
73ffa904 4130 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4131 char req[64];
4132
c2c77ec8 4133 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4134 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4135 goto done;
4136 }
4137
f2fcfcd6
GP		 4138 /* throw out any old stored conf requests */
4139 result = L2CAP_CONF_SUCCESS;
b4450035 4140 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4141 req, &result);
f2fcfcd6 4142 if (len < 0) {
5e4e3972 4143 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4144 goto done;
4145 }
4146
4147 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4148 L2CAP_CONF_REQ, len, req);
73ffa904 4149 chan->num_conf_req++;
f2fcfcd6
GP		 4150 if (result != L2CAP_CONF_SUCCESS)
4151 goto done;
4152 break;
1da177e4
LT		 4153 }
4154
8e87d142 4155 default:
6be36555 4156 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4157
ba13ccd9 4158 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4159 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4160 goto done;
4161 }
4162
59e54bd1 4163 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4164 goto done;
4165
c1360a1c 4166 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4167
c1360a1c 4168 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4169 set_default_fcs(chan);
fcc203c3 4170
105bdf9e
MM		 4171 if (chan->mode == L2CAP_MODE_ERTM ||
4172 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4173 err = l2cap_ertm_init(chan);
0565c1c2 4174
3c588192 4175 if (err < 0)
5e4e3972 4176 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4177 else
4178 l2cap_chan_ready(chan);
1da177e4
LT		 4179 }
4180
4181done:
6be36555 4182 l2cap_chan_unlock(chan);
3c588192 4183 return err;
1da177e4
LT		 4184}
4185
2d792818 4186static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4187 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4188 u8 *data)
1da177e4
LT		 4189{
4190 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4191 struct l2cap_disconn_rsp rsp;
4192 u16 dcid, scid;
48454079 4193 struct l2cap_chan *chan;
1da177e4 4194
cb3b3152
JH		 4195 if (cmd_len != sizeof(*req))
4196 return -EPROTO;
4197
1da177e4
LT		 4198 scid = __le16_to_cpu(req->scid);
4199 dcid = __le16_to_cpu(req->dcid);
4200
4201 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4202
3df91ea2
AE		 4203 mutex_lock(&conn->chan_lock);
4204
4205 chan = __l2cap_get_chan_by_scid(conn, dcid);
4206 if (!chan) {
4207 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4208 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4209 return 0;
3df91ea2 4210 }
1da177e4 4211
6be36555
AE		 4212 l2cap_chan_lock(chan);
4213
fe4128e0
GP		 4214 rsp.dcid = cpu_to_le16(chan->scid);
4215 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4216 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4217
5ec1bbe5 4218 chan->ops->set_shutdown(chan);
1da177e4 4219
61d6ef3e 4220 l2cap_chan_hold(chan);
48454079 4221 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4222
4223 l2cap_chan_unlock(chan);
1da177e4 4224
80b98027 4225 chan->ops->close(chan);
61d6ef3e 4226 l2cap_chan_put(chan);
3df91ea2
AE		 4227
4228 mutex_unlock(&conn->chan_lock);
4229
1da177e4
LT		 4230 return 0;
4231}
4232
2d792818 4233static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4234 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4235 u8 *data)
1da177e4
LT		 4236{
4237 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4238 u16 dcid, scid;
48454079 4239 struct l2cap_chan *chan;
1da177e4 4240
cb3b3152
JH		 4241 if (cmd_len != sizeof(*rsp))
4242 return -EPROTO;
4243
1da177e4
LT		 4244 scid = __le16_to_cpu(rsp->scid);
4245 dcid = __le16_to_cpu(rsp->dcid);
4246
4247 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4248
3df91ea2
AE		 4249 mutex_lock(&conn->chan_lock);
4250
4251 chan = __l2cap_get_chan_by_scid(conn, scid);
4252 if (!chan) {
4253 mutex_unlock(&conn->chan_lock);
1da177e4 4254 return 0;
3df91ea2 4255 }
1da177e4 4256
6be36555 4257 l2cap_chan_lock(chan);
48454079 4258
61d6ef3e 4259 l2cap_chan_hold(chan);
48454079 4260 l2cap_chan_del(chan, 0);
6be36555
AE		 4261
4262 l2cap_chan_unlock(chan);
1da177e4 4263
80b98027 4264 chan->ops->close(chan);
61d6ef3e 4265 l2cap_chan_put(chan);
3df91ea2
AE		 4266
4267 mutex_unlock(&conn->chan_lock);
4268
1da177e4
LT		 4269 return 0;
4270}
4271
2d792818 4272static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4273 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4274 u8 *data)
1da177e4
LT		 4275{
4276 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4277 u16 type;
4278
cb3b3152
JH		 4279 if (cmd_len != sizeof(*req))
4280 return -EPROTO;
4281
1da177e4
LT		 4282 type = __le16_to_cpu(req->type);
4283
4284 BT_DBG("type 0x%4.4x", type);
4285
f0709e03
MH		 4286 if (type == L2CAP_IT_FEAT_MASK) {
4287 u8 buf[8];
44dd46de 4288 u32 feat_mask = l2cap_feat_mask;
f0709e03 4289 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4290 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4291 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4292 if (!disable_ertm)
fcc203c3 4293 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4294 | L2CAP_FEAT_FCS;
848566b3 4295 if (conn->hs_enabled)
6327eb98 4296 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4297 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4298
1b7bf4ed 4299 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4300 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4301 buf);
e1027a7c
MH		 4302 } else if (type == L2CAP_IT_FIXED_CHAN) {
4303 u8 buf[12];
4304 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4305
848566b3 4306 if (conn->hs_enabled)
50a147cd
MM		 4307 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4308 else
4309 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4310
ac73498c
AE		 4311 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4312 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4313 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4314 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4315 buf);
f0709e03
MH		 4316 } else {
4317 struct l2cap_info_rsp rsp;
4318 rsp.type = cpu_to_le16(type);
ac73498c 4319 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4320 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4321 &rsp);
f0709e03 4322 }
1da177e4
LT		 4323
4324 return 0;
4325}
4326
2d792818 4327static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4328 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4329 u8 *data)
1da177e4
LT		 4330{
4331 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4332 u16 type, result;
4333
3f6fa3d4 4334 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4335 return -EPROTO;
4336
1da177e4
LT		 4337 type = __le16_to_cpu(rsp->type);
4338 result = __le16_to_cpu(rsp->result);
4339
4340 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4341
e90165be
AE		 4342 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4343 if (cmd->ident != conn->info_ident ||
2d792818 4344 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4345 return 0;
4346
17cd3f37 4347 cancel_delayed_work(&conn->info_timer);
4e8402a3 4348
adb08ede
VT		 4349 if (result != L2CAP_IR_SUCCESS) {
4350 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4351 conn->info_ident = 0;
4352
4353 l2cap_conn_start(conn);
4354
4355 return 0;
4356 }
4357
978c93b9
AE		 4358 switch (type) {
4359 case L2CAP_IT_FEAT_MASK:
83985319 4360 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4361
47ec1dcd 4362 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4363 struct l2cap_info_req req;
ac73498c 4364 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4365
4366 conn->info_ident = l2cap_get_ident(conn);
4367
4368 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4369 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4370 } else {
4371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4372 conn->info_ident = 0;
4373
4374 l2cap_conn_start(conn);
4375 }
978c93b9
AE		 4376 break;
4377
4378 case L2CAP_IT_FIXED_CHAN:
4379 conn->fixed_chan_mask = rsp->data[0];
984947dc 4380 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4381 conn->info_ident = 0;
984947dc
MH		 4382
4383 l2cap_conn_start(conn);
978c93b9 4384 break;
984947dc 4385 }
4e8402a3 4386
1da177e4
LT		 4387 return 0;
4388}
4389
1700915f
MM		 4390static int l2cap_create_channel_req(struct l2cap_conn *conn,
4391 struct l2cap_cmd_hdr *cmd,
4392 u16 cmd_len, void *data)
f94ff6ff
MM		 4393{
4394 struct l2cap_create_chan_req *req = data;
6e1df6a6 4395 struct l2cap_create_chan_rsp rsp;
1700915f 4396 struct l2cap_chan *chan;
6e1df6a6 4397 struct hci_dev *hdev;
f94ff6ff
MM		 4398 u16 psm, scid;
4399
4400 if (cmd_len != sizeof(*req))
4401 return -EPROTO;
4402
848566b3 4403 if (!conn->hs_enabled)
f94ff6ff
MM		 4404 return -EINVAL;
4405
4406 psm = le16_to_cpu(req->psm);
4407 scid = le16_to_cpu(req->scid);
4408
ad0ac6ca 4409 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4410
6e1df6a6 4411 /* For controller id 0 make BR/EDR connection */
6ed971ca 4412 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4413 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4414 req->amp_id);
4415 return 0;
4416 }
1700915f 4417
6e1df6a6
AE		 4418 /* Validate AMP controller id */
4419 hdev = hci_dev_get(req->amp_id);
4420 if (!hdev)
4421 goto error;
1700915f 4422
6e1df6a6
AE		 4423 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4424 hci_dev_put(hdev);
4425 goto error;
4426 }
1700915f 4427
6e1df6a6
AE		 4428 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4429 req->amp_id);
4430 if (chan) {
4431 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4432 struct hci_conn *hs_hcon;
1700915f 4433
98e0f7ea
MH		 4434 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4435 &conn->hcon->dst);
6e1df6a6
AE		 4436 if (!hs_hcon) {
4437 hci_dev_put(hdev);
662d652d
JH		 4438 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4439 chan->dcid);
4440 return 0;
1700915f
MM		 4441 }
4442
6e1df6a6
AE		 4443 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4444
6e1df6a6
AE		 4445 mgr->bredr_chan = chan;
4446 chan->hs_hcon = hs_hcon;
fd45bf4c 4447 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4448 conn->mtu = hdev->block_mtu;
1700915f 4449 }
f94ff6ff 4450
6e1df6a6 4451 hci_dev_put(hdev);
f94ff6ff
MM		 4452
4453 return 0;
6e1df6a6
AE		 4454
4455error:
4456 rsp.dcid = 0;
4457 rsp.scid = cpu_to_le16(scid);
4458 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4459 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4460
4461 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4462 sizeof(rsp), &rsp);
4463
dc280801 4464 return 0;
f94ff6ff
MM		 4465}
4466
8eb200bd
MM		 4467static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4468{
4469 struct l2cap_move_chan_req req;
4470 u8 ident;
4471
4472 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4473
4474 ident = l2cap_get_ident(chan->conn);
4475 chan->ident = ident;
4476
4477 req.icid = cpu_to_le16(chan->scid);
4478 req.dest_amp_id = dest_amp_id;
4479
4480 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4481 &req);
4482
4483 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4484}
4485
1500109b 4486static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4487{
4488 struct l2cap_move_chan_rsp rsp;
4489
1500109b 4490 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4491
1500109b 4492 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4493 rsp.result = cpu_to_le16(result);
4494
1500109b
MM		 4495 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4496 sizeof(rsp), &rsp);
8d5a04a1
MM		 4497}
4498
5b155ef9 4499static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4500{
4501 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4502
5b155ef9 4503 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4504
5b155ef9 4505 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4506
5b155ef9 4507 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4508 cfm.result = cpu_to_le16(result);
4509
5b155ef9
MM		 4510 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4511 sizeof(cfm), &cfm);
4512
4513 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4514}
4515
4516static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4517{
4518 struct l2cap_move_chan_cfm cfm;
4519
4520 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4521
4522 cfm.icid = cpu_to_le16(icid);
4523 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4524
4525 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4526 sizeof(cfm), &cfm);
8d5a04a1
MM		 4527}
4528
4529static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4530 u16 icid)
8d5a04a1
MM		 4531{
4532 struct l2cap_move_chan_cfm_rsp rsp;
4533
ad0ac6ca 4534 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4535
4536 rsp.icid = cpu_to_le16(icid);
4537 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4538}
4539
5f3847a4
MM		 4540static void __release_logical_link(struct l2cap_chan *chan)
4541{
4542 chan->hs_hchan = NULL;
4543 chan->hs_hcon = NULL;
4544
4545 /* Placeholder - release the logical link */
4546}
4547
1500109b
MM		 4548static void l2cap_logical_fail(struct l2cap_chan *chan)
4549{
4550 /* Logical link setup failed */
4551 if (chan->state != BT_CONNECTED) {
4552 /* Create channel failure, disconnect */
5e4e3972 4553 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4554 return;
4555 }
4556
4557 switch (chan->move_role) {
4558 case L2CAP_MOVE_ROLE_RESPONDER:
4559 l2cap_move_done(chan);
4560 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4561 break;
4562 case L2CAP_MOVE_ROLE_INITIATOR:
4563 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4564 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4565 /* Remote has only sent pending or
4566 * success responses, clean up
4567 */
4568 l2cap_move_done(chan);
4569 }
4570
4571 /* Other amp move states imply that the move
4572 * has already aborted
4573 */
4574 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4575 break;
4576 }
4577}
4578
4579static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4580 struct hci_chan *hchan)
4581{
4582 struct l2cap_conf_rsp rsp;
1500109b 4583
336178a3 4584 chan->hs_hchan = hchan;
1500109b
MM		 4585 chan->hs_hcon->l2cap_data = chan->conn;
4586
35ba9561 4587 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4588
4589 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4590 int err;
1500109b
MM		 4591
4592 set_default_fcs(chan);
4593
4594 err = l2cap_ertm_init(chan);
4595 if (err < 0)
5e4e3972 4596 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4597 else
4598 l2cap_chan_ready(chan);
4599 }
4600}
4601
4602static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4603 struct hci_chan *hchan)
4604{
4605 chan->hs_hcon = hchan->conn;
4606 chan->hs_hcon->l2cap_data = chan->conn;
4607
4608 BT_DBG("move_state %d", chan->move_state);
4609
4610 switch (chan->move_state) {
4611 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4612 /* Move confirm will be sent after a success
4613 * response is received
4614 */
4615 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4616 break;
4617 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4618 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4619 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4620 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4621 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4622 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4623 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4624 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4625 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4626 }
4627 break;
4628 default:
4629 /* Move was not in expected state, free the channel */
4630 __release_logical_link(chan);
4631
4632 chan->move_state = L2CAP_MOVE_STABLE;
4633 }
4634}
4635
4636/* Call with chan locked */
27695fb4
AE		 4637void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4638 u8 status)
5b155ef9 4639{
1500109b
MM		 4640 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4641
4642 if (status) {
4643 l2cap_logical_fail(chan);
4644 __release_logical_link(chan);
4645 return;
4646 }
4647
4648 if (chan->state != BT_CONNECTED) {
4649 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4650 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4651 l2cap_logical_finish_create(chan, hchan);
4652 } else {
4653 l2cap_logical_finish_move(chan, hchan);
4654 }
5b155ef9
MM		 4655}
4656
3f7a56c4
MM		 4657void l2cap_move_start(struct l2cap_chan *chan)
4658{
4659 BT_DBG("chan %p", chan);
4660
6ed971ca 4661 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4662 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4663 return;
4664 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4665 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4666 /* Placeholder - start physical link setup */
4667 } else {
4668 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4669 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4670 chan->move_id = 0;
4671 l2cap_move_setup(chan);
4672 l2cap_send_move_chan_req(chan, 0);
4673 }
4674}
4675
8eb200bd
MM		 4676static void l2cap_do_create(struct l2cap_chan *chan, int result,
4677 u8 local_amp_id, u8 remote_amp_id)
4678{
62748ca1
AE		 4679 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4680 local_amp_id, remote_amp_id);
4681
12d6cc60
AE		 4682 chan->fcs = L2CAP_FCS_NONE;
4683
62748ca1
AE		 4684 /* Outgoing channel on AMP */
4685 if (chan->state == BT_CONNECT) {
4686 if (result == L2CAP_CR_SUCCESS) {
4687 chan->local_amp_id = local_amp_id;
4688 l2cap_send_create_chan_req(chan, remote_amp_id);
4689 } else {
4690 /* Revert to BR/EDR connect */
4691 l2cap_send_conn_req(chan);
4692 }
4693
4694 return;
4695 }
4696
4697 /* Incoming channel on AMP */
4698 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4699 struct l2cap_conn_rsp rsp;
4700 char buf[128];
4701 rsp.scid = cpu_to_le16(chan->dcid);
4702 rsp.dcid = cpu_to_le16(chan->scid);
4703
8eb200bd
MM		 4704 if (result == L2CAP_CR_SUCCESS) {
4705 /* Send successful response */
62cd50e2
AE		 4706 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4707 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4708 } else {
4709 /* Send negative response */
62cd50e2
AE		 4710 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4711 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4712 }
4713
4714 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4715 sizeof(rsp), &rsp);
4716
4717 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4718 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4719 set_bit(CONF_REQ_SENT, &chan->conf_state);
4720 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4721 L2CAP_CONF_REQ,
4722 l2cap_build_conf_req(chan, buf), buf);
4723 chan->num_conf_req++;
4724 }
8eb200bd
MM		 4725 }
4726}
4727
4728static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4729 u8 remote_amp_id)
4730{
4731 l2cap_move_setup(chan);
4732 chan->move_id = local_amp_id;
4733 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4734
4735 l2cap_send_move_chan_req(chan, remote_amp_id);
4736}
4737
4738static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4739{
4740 struct hci_chan *hchan = NULL;
4741
4742 /* Placeholder - get hci_chan for logical link */
4743
4744 if (hchan) {
4745 if (hchan->state == BT_CONNECTED) {
4746 /* Logical link is ready to go */
4747 chan->hs_hcon = hchan->conn;
4748 chan->hs_hcon->l2cap_data = chan->conn;
4749 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4750 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4751
4752 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4753 } else {
4754 /* Wait for logical link to be ready */
4755 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4756 }
4757 } else {
4758 /* Logical link not available */
4759 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4760 }
4761}
4762
4763static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4764{
4765 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4766 u8 rsp_result;
4767 if (result == -EINVAL)
4768 rsp_result = L2CAP_MR_BAD_ID;
4769 else
4770 rsp_result = L2CAP_MR_NOT_ALLOWED;
4771
4772 l2cap_send_move_chan_rsp(chan, rsp_result);
4773 }
4774
4775 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4776 chan->move_state = L2CAP_MOVE_STABLE;
4777
4778 /* Restart data transmission */
4779 l2cap_ertm_send(chan);
4780}
4781
a514b17f
AE		 4782/* Invoke with locked chan */
4783void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4784{
770bfefa 4785 u8 local_amp_id = chan->local_amp_id;
fffadc08 4786 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4787
8eb200bd
MM		 4788 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4789 chan, result, local_amp_id, remote_amp_id);
4790
8eb200bd
MM		 4791 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4792 l2cap_chan_unlock(chan);
4793 return;
4794 }
4795
4796 if (chan->state != BT_CONNECTED) {
4797 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4798 } else if (result != L2CAP_MR_SUCCESS) {
4799 l2cap_do_move_cancel(chan, result);
4800 } else {
4801 switch (chan->move_role) {
4802 case L2CAP_MOVE_ROLE_INITIATOR:
4803 l2cap_do_move_initiate(chan, local_amp_id,
4804 remote_amp_id);
4805 break;
4806 case L2CAP_MOVE_ROLE_RESPONDER:
4807 l2cap_do_move_respond(chan, result);
4808 break;
4809 default:
4810 l2cap_do_move_cancel(chan, result);
4811 break;
4812 }
4813 }
8eb200bd
MM		 4814}
4815
8d5a04a1 4816static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4817 struct l2cap_cmd_hdr *cmd,
4818 u16 cmd_len, void *data)
8d5a04a1
MM		 4819{
4820 struct l2cap_move_chan_req *req = data;
1500109b 4821 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4822 struct l2cap_chan *chan;
8d5a04a1
MM		 4823 u16 icid = 0;
4824 u16 result = L2CAP_MR_NOT_ALLOWED;
4825
4826 if (cmd_len != sizeof(*req))
4827 return -EPROTO;
4828
4829 icid = le16_to_cpu(req->icid);
4830
ad0ac6ca 4831 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4832
848566b3 4833 if (!conn->hs_enabled)
8d5a04a1
MM		 4834 return -EINVAL;
4835
02b0fbb9
MM		 4836 chan = l2cap_get_chan_by_dcid(conn, icid);
4837 if (!chan) {
1500109b
MM		 4838 rsp.icid = cpu_to_le16(icid);
4839 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4840 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4841 sizeof(rsp), &rsp);
02b0fbb9
MM		 4842 return 0;
4843 }
4844
1500109b
MM		 4845 chan->ident = cmd->ident;
4846
02b0fbb9
MM		 4847 if (chan->scid < L2CAP_CID_DYN_START ||
4848 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4849 (chan->mode != L2CAP_MODE_ERTM &&
4850 chan->mode != L2CAP_MODE_STREAMING)) {
4851 result = L2CAP_MR_NOT_ALLOWED;
4852 goto send_move_response;
4853 }
4854
4855 if (chan->local_amp_id == req->dest_amp_id) {
4856 result = L2CAP_MR_SAME_ID;
4857 goto send_move_response;
4858 }
4859
6ed971ca 4860 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4861 struct hci_dev *hdev;
4862 hdev = hci_dev_get(req->dest_amp_id);
4863 if (!hdev || hdev->dev_type != HCI_AMP ||
4864 !test_bit(HCI_UP, &hdev->flags)) {
4865 if (hdev)
4866 hci_dev_put(hdev);
4867
4868 result = L2CAP_MR_BAD_ID;
4869 goto send_move_response;
4870 }
4871 hci_dev_put(hdev);
4872 }
4873
4874 /* Detect a move collision. Only send a collision response
4875 * if this side has "lost", otherwise proceed with the move.
4876 * The winner has the larger bd_addr.
4877 */
4878 if ((__chan_is_moving(chan) ||
4879 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4880 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4881 result = L2CAP_MR_COLLISION;
4882 goto send_move_response;
4883 }
4884
02b0fbb9
MM		 4885 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4886 l2cap_move_setup(chan);
4887 chan->move_id = req->dest_amp_id;
4888 icid = chan->dcid;
4889
6ed971ca 4890 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4891 /* Moving to BR/EDR */
4892 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4893 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4894 result = L2CAP_MR_PEND;
4895 } else {
4896 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4897 result = L2CAP_MR_SUCCESS;
4898 }
4899 } else {
4900 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4901 /* Placeholder - uncomment when amp functions are available */
4902 /*amp_accept_physical(chan, req->dest_amp_id);*/
4903 result = L2CAP_MR_PEND;
4904 }
4905
4906send_move_response:
1500109b 4907 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4908
02b0fbb9
MM		 4909 l2cap_chan_unlock(chan);
4910
8d5a04a1
MM		 4911 return 0;
4912}
4913
5b155ef9
MM		 4914static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4915{
4916 struct l2cap_chan *chan;
4917 struct hci_chan *hchan = NULL;
4918
4919 chan = l2cap_get_chan_by_scid(conn, icid);
4920 if (!chan) {
4921 l2cap_send_move_chan_cfm_icid(conn, icid);
4922 return;
4923 }
4924
4925 __clear_chan_timer(chan);
4926 if (result == L2CAP_MR_PEND)
4927 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4928
4929 switch (chan->move_state) {
4930 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4931 /* Move confirm will be sent when logical link
4932 * is complete.
4933 */
4934 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4935 break;
4936 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4937 if (result == L2CAP_MR_PEND) {
4938 break;
4939 } else if (test_bit(CONN_LOCAL_BUSY,
4940 &chan->conn_state)) {
4941 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4942 } else {
4943 /* Logical link is up or moving to BR/EDR,
4944 * proceed with move
4945 */
4946 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4947 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4948 }
4949 break;
4950 case L2CAP_MOVE_WAIT_RSP:
4951 /* Moving to AMP */
4952 if (result == L2CAP_MR_SUCCESS) {
4953 /* Remote is ready, send confirm immediately
4954 * after logical link is ready
4955 */
4956 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4957 } else {
4958 /* Both logical link and move success
4959 * are required to confirm
4960 */
4961 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4962 }
4963
4964 /* Placeholder - get hci_chan for logical link */
4965 if (!hchan) {
4966 /* Logical link not available */
4967 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4968 break;
4969 }
4970
4971 /* If the logical link is not yet connected, do not
4972 * send confirmation.
4973 */
4974 if (hchan->state != BT_CONNECTED)
4975 break;
4976
4977 /* Logical link is already ready to go */
4978
4979 chan->hs_hcon = hchan->conn;
4980 chan->hs_hcon->l2cap_data = chan->conn;
4981
4982 if (result == L2CAP_MR_SUCCESS) {
4983 /* Can confirm now */
4984 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4985 } else {
4986 /* Now only need move success
4987 * to confirm
4988 */
4989 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4990 }
4991
4992 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4993 break;
4994 default:
4995 /* Any other amp move state means the move failed. */
4996 chan->move_id = chan->local_amp_id;
4997 l2cap_move_done(chan);
4998 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4999 }
5000
5001 l2cap_chan_unlock(chan);
5002}
5003
5004static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5005 u16 result)
5006{
5007 struct l2cap_chan *chan;
5008
5009 chan = l2cap_get_chan_by_ident(conn, ident);
5010 if (!chan) {
5011 /* Could not locate channel, icid is best guess */
5012 l2cap_send_move_chan_cfm_icid(conn, icid);
5013 return;
5014 }
5015
5016 __clear_chan_timer(chan);
5017
5018 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5019 if (result == L2CAP_MR_COLLISION) {
5020 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5021 } else {
5022 /* Cleanup - cancel move */
5023 chan->move_id = chan->local_amp_id;
5024 l2cap_move_done(chan);
5025 }
5026 }
5027
5028 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5029
5030 l2cap_chan_unlock(chan);
5031}
5032
5033static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5034 struct l2cap_cmd_hdr *cmd,
5035 u16 cmd_len, void *data)
8d5a04a1
MM		 5036{
5037 struct l2cap_move_chan_rsp *rsp = data;
5038 u16 icid, result;
5039
5040 if (cmd_len != sizeof(*rsp))
5041 return -EPROTO;
5042
5043 icid = le16_to_cpu(rsp->icid);
5044 result = le16_to_cpu(rsp->result);
5045
ad0ac6ca 5046 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5047
5b155ef9
MM		 5048 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5049 l2cap_move_continue(conn, icid, result);
5050 else
5051 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5052
5053 return 0;
5054}
5055
5f3847a4
MM		 5056static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5057 struct l2cap_cmd_hdr *cmd,
5058 u16 cmd_len, void *data)
8d5a04a1
MM		 5059{
5060 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5061 struct l2cap_chan *chan;
8d5a04a1
MM		 5062 u16 icid, result;
5063
5064 if (cmd_len != sizeof(*cfm))
5065 return -EPROTO;
5066
5067 icid = le16_to_cpu(cfm->icid);
5068 result = le16_to_cpu(cfm->result);
5069
ad0ac6ca 5070 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5071
5f3847a4
MM		 5072 chan = l2cap_get_chan_by_dcid(conn, icid);
5073 if (!chan) {
5074 /* Spec requires a response even if the icid was not found */
5075 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5076 return 0;
5077 }
5078
5079 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5080 if (result == L2CAP_MC_CONFIRMED) {
5081 chan->local_amp_id = chan->move_id;
6ed971ca 5082 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5083 __release_logical_link(chan);
5084 } else {
5085 chan->move_id = chan->local_amp_id;
5086 }
5087
5088 l2cap_move_done(chan);
5089 }
5090
8d5a04a1
MM		 5091 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5092
5f3847a4
MM		 5093 l2cap_chan_unlock(chan);
5094
8d5a04a1
MM		 5095 return 0;
5096}
5097
5098static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5099 struct l2cap_cmd_hdr *cmd,
5100 u16 cmd_len, void *data)
8d5a04a1
MM		 5101{
5102 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5103 struct l2cap_chan *chan;
8d5a04a1
MM		 5104 u16 icid;
5105
5106 if (cmd_len != sizeof(*rsp))
5107 return -EPROTO;
5108
5109 icid = le16_to_cpu(rsp->icid);
5110
ad0ac6ca 5111 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5112
3fd71a0a
MM		 5113 chan = l2cap_get_chan_by_scid(conn, icid);
5114 if (!chan)
5115 return 0;
5116
5117 __clear_chan_timer(chan);
5118
5119 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5120 chan->local_amp_id = chan->move_id;
5121
6ed971ca 5122 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5123 __release_logical_link(chan);
5124
5125 l2cap_move_done(chan);
5126 }
5127
5128 l2cap_chan_unlock(chan);
5129
8d5a04a1
MM		 5130 return 0;
5131}
5132
e2174ca4 5133static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5134 u16 to_multiplier)
de73115a
CT		 5135{
5136 u16 max_latency;
5137
5138 if (min > max || min < 6 || max > 3200)
5139 return -EINVAL;
5140
5141 if (to_multiplier < 10 || to_multiplier > 3200)
5142 return -EINVAL;
5143
5144 if (max >= to_multiplier * 8)
5145 return -EINVAL;
5146
5147 max_latency = (to_multiplier * 8 / max) - 1;
5148 if (latency > 499 || latency > max_latency)
5149 return -EINVAL;
5150
5151 return 0;
5152}
5153
5154static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5155 struct l2cap_cmd_hdr *cmd,
5156 u8 *data)
de73115a
CT		 5157{
5158 struct hci_conn *hcon = conn->hcon;
5159 struct l2cap_conn_param_update_req *req;
5160 struct l2cap_conn_param_update_rsp rsp;
5161 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5162 int err;
de73115a
CT		 5163
5164 if (!(hcon->link_mode & HCI_LM_MASTER))
5165 return -EINVAL;
5166
5167 cmd_len = __le16_to_cpu(cmd->len);
5168 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5169 return -EPROTO;
5170
5171 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5172 min = __le16_to_cpu(req->min);
5173 max = __le16_to_cpu(req->max);
de73115a
CT		 5174 latency = __le16_to_cpu(req->latency);
5175 to_multiplier = __le16_to_cpu(req->to_multiplier);
5176
5177 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5178 min, max, latency, to_multiplier);
de73115a
CT		 5179
5180 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5181
5182 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5183 if (err)
ac73498c 5184 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5185 else
ac73498c 5186 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5187
5188 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5189 sizeof(rsp), &rsp);
de73115a 5190
2ce603eb
CT		 5191 if (!err)
5192 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5193
de73115a
CT		 5194 return 0;
5195}
5196
3300d9a9 5197static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5198 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5199 u8 *data)
3300d9a9
CT		 5200{
5201 int err = 0;
5202
5203 switch (cmd->code) {
5204 case L2CAP_COMMAND_REJ:
cb3b3152 5205 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5206 break;
5207
5208 case L2CAP_CONN_REQ:
cb3b3152 5209 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5210 break;
5211
5212 case L2CAP_CONN_RSP:
f5a2598d 5213 case L2CAP_CREATE_CHAN_RSP:
9245e737 5214 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5215 break;
5216
5217 case L2CAP_CONF_REQ:
5218 err = l2cap_config_req(conn, cmd, cmd_len, data);
5219 break;
5220
5221 case L2CAP_CONF_RSP:
9245e737 5222 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5223 break;
5224
5225 case L2CAP_DISCONN_REQ:
cb3b3152 5226 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5227 break;
5228
5229 case L2CAP_DISCONN_RSP:
9245e737 5230 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5231 break;
5232
5233 case L2CAP_ECHO_REQ:
5234 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5235 break;
5236
5237 case L2CAP_ECHO_RSP:
5238 break;
5239
5240 case L2CAP_INFO_REQ:
cb3b3152 5241 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5242 break;
5243
5244 case L2CAP_INFO_RSP:
9245e737 5245 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5246 break;
5247
f94ff6ff
MM		 5248 case L2CAP_CREATE_CHAN_REQ:
5249 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5250 break;
5251
8d5a04a1
MM		 5252 case L2CAP_MOVE_CHAN_REQ:
5253 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5254 break;
5255
5256 case L2CAP_MOVE_CHAN_RSP:
9245e737 5257 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5258 break;
5259
5260 case L2CAP_MOVE_CHAN_CFM:
5261 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5262 break;
5263
5264 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5265 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5266 break;
5267
3300d9a9
CT		 5268 default:
5269 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5270 err = -EINVAL;
5271 break;
5272 }
5273
5274 return err;
5275}
5276
5277static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5278 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5279{
5280 switch (cmd->code) {
5281 case L2CAP_COMMAND_REJ:
5282 return 0;
5283
5284 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5285 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5286
5287 case L2CAP_CONN_PARAM_UPDATE_RSP:
5288 return 0;
5289
5290 default:
5291 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5292 return -EINVAL;
5293 }
5294}
5295
c5623556
JH		 5296static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5297 struct sk_buff *skb)
5298{
69c4e4e8 5299 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5300 struct l2cap_cmd_hdr *cmd;
5301 u16 len;
c5623556
JH		 5302 int err;
5303
69c4e4e8 5304 if (hcon->type != LE_LINK)
3b166295 5305 goto drop;
69c4e4e8 5306
4f3e219d
MH		 5307 if (skb->len < L2CAP_CMD_HDR_SIZE)
5308 goto drop;
c5623556 5309
4f3e219d
MH		 5310 cmd = (void *) skb->data;
5311 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5312
4f3e219d 5313 len = le16_to_cpu(cmd->len);
c5623556 5314
4f3e219d 5315 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5316
4f3e219d
MH		 5317 if (len != skb->len || !cmd->ident) {
5318 BT_DBG("corrupted command");
5319 goto drop;
5320 }
c5623556 5321
4f3e219d
MH		 5322 err = l2cap_le_sig_cmd(conn, cmd, skb->data);
5323 if (err) {
5324 struct l2cap_cmd_rej_unk rej;
c5623556 5325
4f3e219d 5326 BT_ERR("Wrong link type (%d)", err);
c5623556 5327
a521149a 5328 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5329 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5330 sizeof(rej), &rej);
c5623556
JH		 5331 }
5332
3b166295 5333drop:
c5623556
JH		 5334 kfree_skb(skb);
5335}
5336
3300d9a9 5337static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5338 struct sk_buff *skb)
1da177e4 5339{
69c4e4e8 5340 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5341 u8 *data = skb->data;
5342 int len = skb->len;
5343 struct l2cap_cmd_hdr cmd;
3300d9a9 5344 int err;
1da177e4
LT		 5345
5346 l2cap_raw_recv(conn, skb);
5347
69c4e4e8 5348 if (hcon->type != ACL_LINK)
3b166295 5349 goto drop;
69c4e4e8 5350
1da177e4 5351 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5352 u16 cmd_len;
1da177e4
LT		 5353 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5354 data += L2CAP_CMD_HDR_SIZE;
5355 len -= L2CAP_CMD_HDR_SIZE;
5356
88219a0f 5357 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5358
2d792818
GP		 5359 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5360 cmd.ident);
1da177e4 5361
88219a0f 5362 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5363 BT_DBG("corrupted command");
5364 break;
5365 }
5366
c5623556 5367 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5368 if (err) {
e2fd318e 5369 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5370
5371 BT_ERR("Wrong link type (%d)", err);
1da177e4 5372
a521149a 5373 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5374 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5375 sizeof(rej), &rej);
1da177e4
LT		 5376 }
5377
88219a0f
AV		 5378 data += cmd_len;
5379 len -= cmd_len;
1da177e4
LT		 5380 }
5381
3b166295 5382drop:
1da177e4
LT		 5383 kfree_skb(skb);
5384}
5385
47d1ec61 5386static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5387{
5388 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5389 int hdr_size;
5390
5391 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5392 hdr_size = L2CAP_EXT_HDR_SIZE;
5393 else
5394 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5395
47d1ec61 5396 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5397 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5398 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5399 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5400
5401 if (our_fcs != rcv_fcs)
7a560e5c 5402 return -EBADMSG;
fcc203c3
GP		 5403 }
5404 return 0;
5405}
5406
6ea00485 5407static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5408{
e31f7633 5409 struct l2cap_ctrl control;
d5392c8f 5410
e31f7633 5411 BT_DBG("chan %p", chan);
d5392c8f 5412
e31f7633
MM		 5413 memset(&control, 0, sizeof(control));
5414 control.sframe = 1;
5415 control.final = 1;
5416 control.reqseq = chan->buffer_seq;
5417 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5418
e2ab4353 5419 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5420 control.super = L2CAP_SUPER_RNR;
5421 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5422 }
5423
e31f7633
MM		 5424 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5425 chan->unacked_frames > 0)
5426 __set_retrans_timer(chan);
d5392c8f 5427
e31f7633 5428 /* Send pending iframes */
525cd185 5429 l2cap_ertm_send(chan);
d5392c8f 5430
e2ab4353 5431 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5432 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5433 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5434 * send it now.
5435 */
5436 control.super = L2CAP_SUPER_RR;
5437 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5438 }
5439}
5440
2d792818
GP		 5441static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5442 struct sk_buff **last_frag)
18778a63 5443{
84084a31
MM		 5444 /* skb->len reflects data in skb as well as all fragments
5445 * skb->data_len reflects only data in fragments
5446 */
5447 if (!skb_has_frag_list(skb))
5448 skb_shinfo(skb)->frag_list = new_frag;
5449
5450 new_frag->next = NULL;
5451
5452 (*last_frag)->next = new_frag;
5453 *last_frag = new_frag;
5454
5455 skb->len += new_frag->len;
5456 skb->data_len += new_frag->len;
5457 skb->truesize += new_frag->truesize;
5458}
5459
4b51dae9
MM		 5460static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5461 struct l2cap_ctrl *control)
84084a31
MM		 5462{
5463 int err = -EINVAL;
18778a63 5464
4b51dae9 5465 switch (control->sar) {
7e0ef6ee 5466 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5467 if (chan->sdu)
5468 break;
18778a63 5469
80b98027 5470 err = chan->ops->recv(chan, skb);
84084a31 5471 break;
18778a63 5472
7e0ef6ee 5473 case L2CAP_SAR_START:
84084a31
MM		 5474 if (chan->sdu)
5475 break;
18778a63 5476
6f61fd47 5477 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5478 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5479
84084a31
MM		 5480 if (chan->sdu_len > chan->imtu) {
5481 err = -EMSGSIZE;
5482 break;
5483 }
1890d36b 5484
84084a31
MM		 5485 if (skb->len >= chan->sdu_len)
5486 break;
18778a63 5487
84084a31
MM		 5488 chan->sdu = skb;
5489 chan->sdu_last_frag = skb;
18778a63 5490
84084a31
MM		 5491 skb = NULL;
5492 err = 0;
18778a63
GP		 5493 break;
5494
7e0ef6ee 5495 case L2CAP_SAR_CONTINUE:
6f61fd47 5496 if (!chan->sdu)
84084a31 5497 break;
18778a63 5498
84084a31
MM		 5499 append_skb_frag(chan->sdu, skb,
5500 &chan->sdu_last_frag);
5501 skb = NULL;
18778a63 5502
84084a31
MM		 5503 if (chan->sdu->len >= chan->sdu_len)
5504 break;
4178ba46 5505
84084a31 5506 err = 0;
18778a63
GP		 5507 break;
5508
7e0ef6ee 5509 case L2CAP_SAR_END:
6f61fd47 5510 if (!chan->sdu)
84084a31 5511 break;
18778a63 5512
84084a31
MM		 5513 append_skb_frag(chan->sdu, skb,
5514 &chan->sdu_last_frag);
5515 skb = NULL;
4178ba46 5516
84084a31
MM		 5517 if (chan->sdu->len != chan->sdu_len)
5518 break;
18778a63 5519
80b98027 5520 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5521
84084a31
MM		 5522 if (!err) {
5523 /* Reassembly complete */
5524 chan->sdu = NULL;
5525 chan->sdu_last_frag = NULL;
5526 chan->sdu_len = 0;
1890d36b 5527 }
18778a63
GP		 5528 break;
5529 }
5530
84084a31
MM		 5531 if (err) {
5532 kfree_skb(skb);
5533 kfree_skb(chan->sdu);
5534 chan->sdu = NULL;
5535 chan->sdu_last_frag = NULL;
5536 chan->sdu_len = 0;
5537 }
18778a63 5538
84084a31 5539 return err;
18778a63
GP		 5540}
5541
32b32735
MM		 5542static int l2cap_resegment(struct l2cap_chan *chan)
5543{
5544 /* Placeholder */
5545 return 0;
5546}
5547
61aa4f5b 5548void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5549{
61aa4f5b 5550 u8 event;
712132eb 5551
61aa4f5b
MM		 5552 if (chan->mode != L2CAP_MODE_ERTM)
5553 return;
712132eb 5554
61aa4f5b 5555 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5556 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5557}
5558
d2a7ac5d
MM		 5559static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5560{
63838725
MM		 5561 int err = 0;
5562 /* Pass sequential frames to l2cap_reassemble_sdu()
5563 * until a gap is encountered.
5564 */
5565
5566 BT_DBG("chan %p", chan);
5567
5568 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5569 struct sk_buff *skb;
5570 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5571 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5572
5573 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5574
5575 if (!skb)
5576 break;
5577
5578 skb_unlink(skb, &chan->srej_q);
5579 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5580 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5581 if (err)
5582 break;
5583 }
5584
5585 if (skb_queue_empty(&chan->srej_q)) {
5586 chan->rx_state = L2CAP_RX_STATE_RECV;
5587 l2cap_send_ack(chan);
5588 }
5589
5590 return err;
d2a7ac5d
MM		 5591}
5592
5593static void l2cap_handle_srej(struct l2cap_chan *chan,
5594 struct l2cap_ctrl *control)
5595{
f80842a8
MM		 5596 struct sk_buff *skb;
5597
5598 BT_DBG("chan %p, control %p", chan, control);
5599
5600 if (control->reqseq == chan->next_tx_seq) {
5601 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5602 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5603 return;
5604 }
5605
5606 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5607
5608 if (skb == NULL) {
5609 BT_DBG("Seq %d not available for retransmission",
5610 control->reqseq);
5611 return;
5612 }
5613
5614 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5615 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5616 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5617 return;
5618 }
5619
5620 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5621
5622 if (control->poll) {
5623 l2cap_pass_to_tx(chan, control);
5624
5625 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5626 l2cap_retransmit(chan, control);
5627 l2cap_ertm_send(chan);
5628
5629 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5630 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5631 chan->srej_save_reqseq = control->reqseq;
5632 }
5633 } else {
5634 l2cap_pass_to_tx_fbit(chan, control);
5635
5636 if (control->final) {
5637 if (chan->srej_save_reqseq != control->reqseq ||
5638 !test_and_clear_bit(CONN_SREJ_ACT,
5639 &chan->conn_state))
5640 l2cap_retransmit(chan, control);
5641 } else {
5642 l2cap_retransmit(chan, control);
5643 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5644 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5645 chan->srej_save_reqseq = control->reqseq;
5646 }
5647 }
5648 }
d2a7ac5d
MM		 5649}
5650
5651static void l2cap_handle_rej(struct l2cap_chan *chan,
5652 struct l2cap_ctrl *control)
5653{
fcd289df
MM		 5654 struct sk_buff *skb;
5655
5656 BT_DBG("chan %p, control %p", chan, control);
5657
5658 if (control->reqseq == chan->next_tx_seq) {
5659 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5660 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5661 return;
5662 }
5663
5664 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5665
5666 if (chan->max_tx && skb &&
5667 bt_cb(skb)->control.retries >= chan->max_tx) {
5668 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5669 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5670 return;
5671 }
5672
5673 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5674
5675 l2cap_pass_to_tx(chan, control);
5676
5677 if (control->final) {
5678 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5679 l2cap_retransmit_all(chan, control);
5680 } else {
5681 l2cap_retransmit_all(chan, control);
5682 l2cap_ertm_send(chan);
5683 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5684 set_bit(CONN_REJ_ACT, &chan->conn_state);
5685 }
d2a7ac5d
MM		 5686}
5687
4b51dae9
MM		 5688static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5689{
5690 BT_DBG("chan %p, txseq %d", chan, txseq);
5691
5692 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5693 chan->expected_tx_seq);
5694
5695 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5696 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5697 chan->tx_win) {
4b51dae9
MM		 5698 /* See notes below regarding "double poll" and
5699 * invalid packets.
5700 */
5701 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5702 BT_DBG("Invalid/Ignore - after SREJ");
5703 return L2CAP_TXSEQ_INVALID_IGNORE;
5704 } else {
5705 BT_DBG("Invalid - in window after SREJ sent");
5706 return L2CAP_TXSEQ_INVALID;
5707 }
5708 }
5709
5710 if (chan->srej_list.head == txseq) {
5711 BT_DBG("Expected SREJ");
5712 return L2CAP_TXSEQ_EXPECTED_SREJ;
5713 }
5714
5715 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5716 BT_DBG("Duplicate SREJ - txseq already stored");
5717 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5718 }
5719
5720 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5721 BT_DBG("Unexpected SREJ - not requested");
5722 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5723 }
5724 }
5725
5726 if (chan->expected_tx_seq == txseq) {
5727 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5728 chan->tx_win) {
5729 BT_DBG("Invalid - txseq outside tx window");
5730 return L2CAP_TXSEQ_INVALID;
5731 } else {
5732 BT_DBG("Expected");
5733 return L2CAP_TXSEQ_EXPECTED;
5734 }
5735 }
5736
5737 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5738 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5739 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5740 return L2CAP_TXSEQ_DUPLICATE;
5741 }
5742
5743 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5744 /* A source of invalid packets is a "double poll" condition,
5745 * where delays cause us to send multiple poll packets. If
5746 * the remote stack receives and processes both polls,
5747 * sequence numbers can wrap around in such a way that a
5748 * resent frame has a sequence number that looks like new data
5749 * with a sequence gap. This would trigger an erroneous SREJ
5750 * request.
5751 *
5752 * Fortunately, this is impossible with a tx window that's
5753 * less than half of the maximum sequence number, which allows
5754 * invalid frames to be safely ignored.
5755 *
5756 * With tx window sizes greater than half of the tx window
5757 * maximum, the frame is invalid and cannot be ignored. This
5758 * causes a disconnect.
5759 */
5760
5761 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5762 BT_DBG("Invalid/Ignore - txseq outside tx window");
5763 return L2CAP_TXSEQ_INVALID_IGNORE;
5764 } else {
5765 BT_DBG("Invalid - txseq outside tx window");
5766 return L2CAP_TXSEQ_INVALID;
5767 }
5768 } else {
5769 BT_DBG("Unexpected - txseq indicates missing frames");
5770 return L2CAP_TXSEQ_UNEXPECTED;
5771 }
5772}
5773
d2a7ac5d
MM		 5774static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5775 struct l2cap_ctrl *control,
5776 struct sk_buff *skb, u8 event)
5777{
5778 int err = 0;
941247f9 5779 bool skb_in_use = false;
d2a7ac5d
MM		 5780
5781 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5782 event);
5783
5784 switch (event) {
5785 case L2CAP_EV_RECV_IFRAME:
5786 switch (l2cap_classify_txseq(chan, control->txseq)) {
5787 case L2CAP_TXSEQ_EXPECTED:
5788 l2cap_pass_to_tx(chan, control);
5789
5790 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5791 BT_DBG("Busy, discarding expected seq %d",
5792 control->txseq);
5793 break;
5794 }
5795
5796 chan->expected_tx_seq = __next_seq(chan,
5797 control->txseq);
5798
5799 chan->buffer_seq = chan->expected_tx_seq;
941247f9 5800 skb_in_use = true;
d2a7ac5d
MM		 5801
5802 err = l2cap_reassemble_sdu(chan, skb, control);
5803 if (err)
5804 break;
5805
5806 if (control->final) {
5807 if (!test_and_clear_bit(CONN_REJ_ACT,
5808 &chan->conn_state)) {
5809 control->final = 0;
5810 l2cap_retransmit_all(chan, control);
5811 l2cap_ertm_send(chan);
5812 }
5813 }
5814
5815 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5816 l2cap_send_ack(chan);
5817 break;
5818 case L2CAP_TXSEQ_UNEXPECTED:
5819 l2cap_pass_to_tx(chan, control);
5820
5821 /* Can't issue SREJ frames in the local busy state.
5822 * Drop this frame, it will be seen as missing
5823 * when local busy is exited.
5824 */
5825 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5826 BT_DBG("Busy, discarding unexpected seq %d",
5827 control->txseq);
5828 break;
5829 }
5830
5831 /* There was a gap in the sequence, so an SREJ
5832 * must be sent for each missing frame. The
5833 * current frame is stored for later use.
5834 */
5835 skb_queue_tail(&chan->srej_q, skb);
941247f9 5836 skb_in_use = true;
d2a7ac5d
MM		 5837 BT_DBG("Queued %p (queue len %d)", skb,
5838 skb_queue_len(&chan->srej_q));
5839
5840 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5841 l2cap_seq_list_clear(&chan->srej_list);
5842 l2cap_send_srej(chan, control->txseq);
5843
5844 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5845 break;
5846 case L2CAP_TXSEQ_DUPLICATE:
5847 l2cap_pass_to_tx(chan, control);
5848 break;
5849 case L2CAP_TXSEQ_INVALID_IGNORE:
5850 break;
5851 case L2CAP_TXSEQ_INVALID:
5852 default:
5e4e3972 5853 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5854 break;
5855 }
5856 break;
5857 case L2CAP_EV_RECV_RR:
5858 l2cap_pass_to_tx(chan, control);
5859 if (control->final) {
5860 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5861
e6a3ee6e
MM		 5862 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5863 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5864 control->final = 0;
5865 l2cap_retransmit_all(chan, control);
5866 }
5867
5868 l2cap_ertm_send(chan);
5869 } else if (control->poll) {
5870 l2cap_send_i_or_rr_or_rnr(chan);
5871 } else {
5872 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5873 &chan->conn_state) &&
5874 chan->unacked_frames)
5875 __set_retrans_timer(chan);
5876
5877 l2cap_ertm_send(chan);
5878 }
5879 break;
5880 case L2CAP_EV_RECV_RNR:
5881 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5882 l2cap_pass_to_tx(chan, control);
5883 if (control && control->poll) {
5884 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5885 l2cap_send_rr_or_rnr(chan, 0);
5886 }
5887 __clear_retrans_timer(chan);
5888 l2cap_seq_list_clear(&chan->retrans_list);
5889 break;
5890 case L2CAP_EV_RECV_REJ:
5891 l2cap_handle_rej(chan, control);
5892 break;
5893 case L2CAP_EV_RECV_SREJ:
5894 l2cap_handle_srej(chan, control);
5895 break;
5896 default:
5897 break;
5898 }
5899
5900 if (skb && !skb_in_use) {
5901 BT_DBG("Freeing %p", skb);
5902 kfree_skb(skb);
5903 }
5904
5905 return err;
5906}
5907
5908static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5909 struct l2cap_ctrl *control,
5910 struct sk_buff *skb, u8 event)
5911{
5912 int err = 0;
5913 u16 txseq = control->txseq;
941247f9 5914 bool skb_in_use = false;
d2a7ac5d
MM		 5915
5916 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5917 event);
5918
5919 switch (event) {
5920 case L2CAP_EV_RECV_IFRAME:
5921 switch (l2cap_classify_txseq(chan, txseq)) {
5922 case L2CAP_TXSEQ_EXPECTED:
5923 /* Keep frame for reassembly later */
5924 l2cap_pass_to_tx(chan, control);
5925 skb_queue_tail(&chan->srej_q, skb);
941247f9 5926 skb_in_use = true;
d2a7ac5d
MM		 5927 BT_DBG("Queued %p (queue len %d)", skb,
5928 skb_queue_len(&chan->srej_q));
5929
5930 chan->expected_tx_seq = __next_seq(chan, txseq);
5931 break;
5932 case L2CAP_TXSEQ_EXPECTED_SREJ:
5933 l2cap_seq_list_pop(&chan->srej_list);
5934
5935 l2cap_pass_to_tx(chan, control);
5936 skb_queue_tail(&chan->srej_q, skb);
941247f9 5937 skb_in_use = true;
d2a7ac5d
MM		 5938 BT_DBG("Queued %p (queue len %d)", skb,
5939 skb_queue_len(&chan->srej_q));
5940
5941 err = l2cap_rx_queued_iframes(chan);
5942 if (err)
5943 break;
5944
5945 break;
5946 case L2CAP_TXSEQ_UNEXPECTED:
5947 /* Got a frame that can't be reassembled yet.
5948 * Save it for later, and send SREJs to cover
5949 * the missing frames.
5950 */
5951 skb_queue_tail(&chan->srej_q, skb);
941247f9 5952 skb_in_use = true;
d2a7ac5d
MM		 5953 BT_DBG("Queued %p (queue len %d)", skb,
5954 skb_queue_len(&chan->srej_q));
5955
5956 l2cap_pass_to_tx(chan, control);
5957 l2cap_send_srej(chan, control->txseq);
5958 break;
5959 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5960 /* This frame was requested with an SREJ, but
5961 * some expected retransmitted frames are
5962 * missing. Request retransmission of missing
5963 * SREJ'd frames.
5964 */
5965 skb_queue_tail(&chan->srej_q, skb);
941247f9 5966 skb_in_use = true;
d2a7ac5d
MM		 5967 BT_DBG("Queued %p (queue len %d)", skb,
5968 skb_queue_len(&chan->srej_q));
5969
5970 l2cap_pass_to_tx(chan, control);
5971 l2cap_send_srej_list(chan, control->txseq);
5972 break;
5973 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5974 /* We've already queued this frame. Drop this copy. */
5975 l2cap_pass_to_tx(chan, control);
5976 break;
5977 case L2CAP_TXSEQ_DUPLICATE:
5978 /* Expecting a later sequence number, so this frame
5979 * was already received. Ignore it completely.
5980 */
5981 break;
5982 case L2CAP_TXSEQ_INVALID_IGNORE:
5983 break;
5984 case L2CAP_TXSEQ_INVALID:
5985 default:
5e4e3972 5986 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5987 break;
5988 }
5989 break;
5990 case L2CAP_EV_RECV_RR:
5991 l2cap_pass_to_tx(chan, control);
5992 if (control->final) {
5993 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5994
5995 if (!test_and_clear_bit(CONN_REJ_ACT,
5996 &chan->conn_state)) {
5997 control->final = 0;
5998 l2cap_retransmit_all(chan, control);
5999 }
6000
6001 l2cap_ertm_send(chan);
6002 } else if (control->poll) {
6003 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6004 &chan->conn_state) &&
6005 chan->unacked_frames) {
6006 __set_retrans_timer(chan);
6007 }
6008
6009 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6010 l2cap_send_srej_tail(chan);
6011 } else {
6012 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6013 &chan->conn_state) &&
6014 chan->unacked_frames)
6015 __set_retrans_timer(chan);
6016
6017 l2cap_send_ack(chan);
6018 }
6019 break;
6020 case L2CAP_EV_RECV_RNR:
6021 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6022 l2cap_pass_to_tx(chan, control);
6023 if (control->poll) {
6024 l2cap_send_srej_tail(chan);
6025 } else {
6026 struct l2cap_ctrl rr_control;
6027 memset(&rr_control, 0, sizeof(rr_control));
6028 rr_control.sframe = 1;
6029 rr_control.super = L2CAP_SUPER_RR;
6030 rr_control.reqseq = chan->buffer_seq;
6031 l2cap_send_sframe(chan, &rr_control);
6032 }
6033
6034 break;
6035 case L2CAP_EV_RECV_REJ:
6036 l2cap_handle_rej(chan, control);
6037 break;
6038 case L2CAP_EV_RECV_SREJ:
6039 l2cap_handle_srej(chan, control);
6040 break;
6041 }
6042
6043 if (skb && !skb_in_use) {
6044 BT_DBG("Freeing %p", skb);
6045 kfree_skb(skb);
6046 }
6047
6048 return err;
6049}
6050
32b32735
MM		 6051static int l2cap_finish_move(struct l2cap_chan *chan)
6052{
6053 BT_DBG("chan %p", chan);
6054
6055 chan->rx_state = L2CAP_RX_STATE_RECV;
6056
6057 if (chan->hs_hcon)
6058 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6059 else
6060 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6061
6062 return l2cap_resegment(chan);
6063}
6064
6065static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6066 struct l2cap_ctrl *control,
6067 struct sk_buff *skb, u8 event)
6068{
6069 int err;
6070
6071 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6072 event);
6073
6074 if (!control->poll)
6075 return -EPROTO;
6076
6077 l2cap_process_reqseq(chan, control->reqseq);
6078
6079 if (!skb_queue_empty(&chan->tx_q))
6080 chan->tx_send_head = skb_peek(&chan->tx_q);
6081 else
6082 chan->tx_send_head = NULL;
6083
6084 /* Rewind next_tx_seq to the point expected
6085 * by the receiver.
6086 */
6087 chan->next_tx_seq = control->reqseq;
6088 chan->unacked_frames = 0;
6089
6090 err = l2cap_finish_move(chan);
6091 if (err)
6092 return err;
6093
6094 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6095 l2cap_send_i_or_rr_or_rnr(chan);
6096
6097 if (event == L2CAP_EV_RECV_IFRAME)
6098 return -EPROTO;
6099
6100 return l2cap_rx_state_recv(chan, control, NULL, event);
6101}
6102
6103static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6104 struct l2cap_ctrl *control,
6105 struct sk_buff *skb, u8 event)
6106{
6107 int err;
6108
6109 if (!control->final)
6110 return -EPROTO;
6111
6112 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6113
6114 chan->rx_state = L2CAP_RX_STATE_RECV;
6115 l2cap_process_reqseq(chan, control->reqseq);
6116
6117 if (!skb_queue_empty(&chan->tx_q))
6118 chan->tx_send_head = skb_peek(&chan->tx_q);
6119 else
6120 chan->tx_send_head = NULL;
6121
6122 /* Rewind next_tx_seq to the point expected
6123 * by the receiver.
6124 */
6125 chan->next_tx_seq = control->reqseq;
6126 chan->unacked_frames = 0;
6127
6128 if (chan->hs_hcon)
6129 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6130 else
6131 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6132
6133 err = l2cap_resegment(chan);
6134
6135 if (!err)
6136 err = l2cap_rx_state_recv(chan, control, skb, event);
6137
6138 return err;
6139}
6140
d2a7ac5d
MM		 6141static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6142{
6143 /* Make sure reqseq is for a packet that has been sent but not acked */
6144 u16 unacked;
6145
6146 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6147 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6148}
6149
cec8ab6e
MM		 6150static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6151 struct sk_buff *skb, u8 event)
218bb9df 6152{
d2a7ac5d
MM		 6153 int err = 0;
6154
6155 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6156 control, skb, event, chan->rx_state);
6157
6158 if (__valid_reqseq(chan, control->reqseq)) {
6159 switch (chan->rx_state) {
6160 case L2CAP_RX_STATE_RECV:
6161 err = l2cap_rx_state_recv(chan, control, skb, event);
6162 break;
6163 case L2CAP_RX_STATE_SREJ_SENT:
6164 err = l2cap_rx_state_srej_sent(chan, control, skb,
6165 event);
6166 break;
32b32735
MM		 6167 case L2CAP_RX_STATE_WAIT_P:
6168 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6169 break;
6170 case L2CAP_RX_STATE_WAIT_F:
6171 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6172 break;
d2a7ac5d
MM		 6173 default:
6174 /* shut it down */
6175 break;
6176 }
6177 } else {
6178 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6179 control->reqseq, chan->next_tx_seq,
6180 chan->expected_ack_seq);
5e4e3972 6181 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6182 }
6183
6184 return err;
cec8ab6e
MM		 6185}
6186
6187static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6188 struct sk_buff *skb)
6189{
4b51dae9
MM		 6190 int err = 0;
6191
6192 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6193 chan->rx_state);
6194
6195 if (l2cap_classify_txseq(chan, control->txseq) ==
6196 L2CAP_TXSEQ_EXPECTED) {
6197 l2cap_pass_to_tx(chan, control);
6198
6199 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6200 __next_seq(chan, chan->buffer_seq));
6201
6202 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6203
6204 l2cap_reassemble_sdu(chan, skb, control);
6205 } else {
6206 if (chan->sdu) {
6207 kfree_skb(chan->sdu);
6208 chan->sdu = NULL;
6209 }
6210 chan->sdu_last_frag = NULL;
6211 chan->sdu_len = 0;
6212
6213 if (skb) {
6214 BT_DBG("Freeing %p", skb);
6215 kfree_skb(skb);
6216 }
6217 }
6218
6219 chan->last_acked_seq = control->txseq;
6220 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6221
6222 return err;
cec8ab6e
MM		 6223}
6224
6225static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6226{
6227 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6228 u16 len;
6229 u8 event;
218bb9df 6230
b76bbd66
MM		 6231 __unpack_control(chan, skb);
6232
218bb9df
GP		 6233 len = skb->len;
6234
6235 /*
6236 * We can just drop the corrupted I-frame here.
6237 * Receiver will miss it and start proper recovery
cec8ab6e 6238 * procedures and ask for retransmission.
218bb9df 6239 */
47d1ec61 6240 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6241 goto drop;
6242
cec8ab6e 6243 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6244 len -= L2CAP_SDULEN_SIZE;
218bb9df 6245
47d1ec61 6246 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6247 len -= L2CAP_FCS_SIZE;
218bb9df 6248
47d1ec61 6249 if (len > chan->mps) {
5e4e3972 6250 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6251 goto drop;
6252 }
6253
cec8ab6e
MM		 6254 if (!control->sframe) {
6255 int err;
218bb9df 6256
cec8ab6e
MM		 6257 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6258 control->sar, control->reqseq, control->final,
6259 control->txseq);
218bb9df 6260
cec8ab6e
MM		 6261 /* Validate F-bit - F=0 always valid, F=1 only
6262 * valid in TX WAIT_F
6263 */
6264 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6265 goto drop;
cec8ab6e
MM		 6266
6267 if (chan->mode != L2CAP_MODE_STREAMING) {
6268 event = L2CAP_EV_RECV_IFRAME;
6269 err = l2cap_rx(chan, control, skb, event);
6270 } else {
6271 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6272 }
6273
cec8ab6e 6274 if (err)
5e4e3972 6275 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6276 } else {
cec8ab6e
MM		 6277 const u8 rx_func_to_event[4] = {
6278 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6279 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6280 };
6281
6282 /* Only I-frames are expected in streaming mode */
6283 if (chan->mode == L2CAP_MODE_STREAMING)
6284 goto drop;
6285
6286 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6287 control->reqseq, control->final, control->poll,
6288 control->super);
6289
218bb9df 6290 if (len != 0) {
1bb166e6 6291 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6292 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6293 goto drop;
6294 }
6295
cec8ab6e
MM		 6296 /* Validate F and P bits */
6297 if (control->final && (control->poll ||
6298 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6299 goto drop;
6300
6301 event = rx_func_to_event[control->super];
6302 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6303 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6304 }
6305
6306 return 0;
6307
6308drop:
6309 kfree_skb(skb);
6310 return 0;
6311}
6312
13ca56e0
AE		 6313static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6314 struct sk_buff *skb)
1da177e4 6315{
48454079 6316 struct l2cap_chan *chan;
1da177e4 6317
baa7e1fa 6318 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6319 if (!chan) {
97e8e89d
AE		 6320 if (cid == L2CAP_CID_A2MP) {
6321 chan = a2mp_channel_create(conn, skb);
6322 if (!chan) {
6323 kfree_skb(skb);
13ca56e0 6324 return;
97e8e89d
AE		 6325 }
6326
6327 l2cap_chan_lock(chan);
6328 } else {
6329 BT_DBG("unknown cid 0x%4.4x", cid);
6330 /* Drop packet and return */
6331 kfree_skb(skb);
13ca56e0 6332 return;
97e8e89d 6333 }
1da177e4
LT		 6334 }
6335
49208c9c 6336 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6337
89bc500e 6338 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6339 goto drop;
6340
0c1bc5c6 6341 switch (chan->mode) {
1c2acffb
GP		 6342 case L2CAP_MODE_BASIC:
6343 /* If socket recv buffers overflows we drop data here
6344 * which is *bad* because L2CAP has to be reliable.
6345 * But we don't have any other choice. L2CAP doesn't
6346 * provide flow control mechanism. */
1da177e4 6347
0c1bc5c6 6348 if (chan->imtu < skb->len)
1c2acffb 6349 goto drop;
1da177e4 6350
80b98027 6351 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6352 goto done;
6353 break;
6354
6355 case L2CAP_MODE_ERTM:
6840ed07 6356 case L2CAP_MODE_STREAMING:
cec8ab6e 6357 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6358 goto done;
6359
1c2acffb 6360 default:
0c1bc5c6 6361 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6362 break;
6363 }
1da177e4
LT		 6364
6365drop:
6366 kfree_skb(skb);
6367
6368done:
6be36555 6369 l2cap_chan_unlock(chan);
1da177e4
LT		 6370}
6371
84104b24
AE		 6372static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6373 struct sk_buff *skb)
1da177e4 6374{
ae4fd2d3 6375 struct hci_conn *hcon = conn->hcon;
23691d75 6376 struct l2cap_chan *chan;
1da177e4 6377
ae4fd2d3
MH		 6378 if (hcon->type != ACL_LINK)
6379 goto drop;
6380
06ae3314 6381 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst);
23691d75 6382 if (!chan)
1da177e4
LT		 6383 goto drop;
6384
5b4cedaa 6385 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6386
89bc500e 6387 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6388 goto drop;
6389
e13e21dc 6390 if (chan->imtu < skb->len)
1da177e4
LT		 6391 goto drop;
6392
2edf870d 6393 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6394 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6395 bt_cb(skb)->psm = psm;
6396
80b98027 6397 if (!chan->ops->recv(chan, skb))
84104b24 6398 return;
1da177e4
LT		 6399
6400drop:
6401 kfree_skb(skb);
1da177e4
LT		 6402}
6403
72f78356 6404static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6405 struct sk_buff *skb)
9f69bda6 6406{
b99707d7 6407 struct hci_conn *hcon = conn->hcon;
23691d75 6408 struct l2cap_chan *chan;
9f69bda6 6409
b99707d7
MH		 6410 if (hcon->type != LE_LINK)
6411 goto drop;
6412
af1c0134 6413 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6414 &hcon->src, &hcon->dst);
23691d75 6415 if (!chan)
9f69bda6
GP		 6416 goto drop;
6417
5b4cedaa 6418 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6419
cc8dba2b
MH		 6420 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6421 goto drop;
6422
e13e21dc 6423 if (chan->imtu < skb->len)
9f69bda6
GP		 6424 goto drop;
6425
80b98027 6426 if (!chan->ops->recv(chan, skb))
6810fca7 6427 return;
9f69bda6
GP		 6428
6429drop:
6430 kfree_skb(skb);
9f69bda6
GP		 6431}
6432
1da177e4
LT		 6433static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6434{
6435 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6436 u16 cid, len;
6437 __le16 psm;
1da177e4
LT		 6438
6439 skb_pull(skb, L2CAP_HDR_SIZE);
6440 cid = __le16_to_cpu(lh->cid);
6441 len = __le16_to_cpu(lh->len);
6442
1c2acffb
GP		 6443 if (len != skb->len) {
6444 kfree_skb(skb);
6445 return;
6446 }
6447
1da177e4
LT		 6448 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6449
6450 switch (cid) {
8db4dc46 6451 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6452 l2cap_sig_channel(conn, skb);
6453 break;
6454
8db4dc46 6455 case L2CAP_CID_CONN_LESS:
097db76c 6456 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6457 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6458 l2cap_conless_channel(conn, psm, skb);
6459 break;
6460
073d1cf3 6461 case L2CAP_CID_ATT:
72f78356 6462 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6463 break;
6464
a2877629
MH		 6465 case L2CAP_CID_LE_SIGNALING:
6466 l2cap_le_sig_channel(conn, skb);
6467 break;
6468
b501d6a1
AB		 6469 case L2CAP_CID_SMP:
6470 if (smp_sig_channel(conn, skb))
6471 l2cap_conn_del(conn->hcon, EACCES);
6472 break;
6473
1da177e4
LT		 6474 default:
6475 l2cap_data_channel(conn, cid, skb);
6476 break;
6477 }
6478}
6479
6480/* ---- L2CAP interface with lower layer (HCI) ---- */
6481
686ebf28 6482int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6483{
6484 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6485 struct l2cap_chan *c;
1da177e4 6486
6ed93dc6 6487 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6488
6489 /* Find listening sockets and check their link_mode */
23691d75
GP		 6490 read_lock(&chan_list_lock);
6491 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 6492 if (c->state != BT_LISTEN)
1da177e4
LT		 6493 continue;
6494
7eafc59e 6495 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 6496 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6497 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6498 lm1 |= HCI_LM_MASTER;
1da177e4 6499 exact++;
7eafc59e 6500 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 6501 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6502 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6503 lm2 |= HCI_LM_MASTER;
6504 }
1da177e4 6505 }
23691d75 6506 read_unlock(&chan_list_lock);
1da177e4
LT		 6507
6508 return exact ? lm1 : lm2;
6509}
6510
9e664631 6511void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6512{
0139418c
MH		 6513 struct l2cap_conn *conn;
6514
6ed93dc6 6515 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6516
1da177e4 6517 if (!status) {
baf43251 6518 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6519 if (conn)
6520 l2cap_conn_ready(conn);
ba6fc317 6521 } else {
e175072f 6522 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6523 }
1da177e4
LT		 6524}
6525
686ebf28 6526int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6527{
6528 struct l2cap_conn *conn = hcon->l2cap_data;
6529
6530 BT_DBG("hcon %p", hcon);
6531
686ebf28 6532 if (!conn)
9f5a0d7b 6533 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6534 return conn->disc_reason;
6535}
6536
9e664631 6537void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6538{
6539 BT_DBG("hcon %p reason %d", hcon, reason);
6540
e175072f 6541 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6542}
6543
4343478f 6544static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6545{
715ec005 6546 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6547 return;
6548
f62e4323 6549 if (encrypt == 0x00) {
4343478f 6550 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6551 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6552 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6553 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6554 } else {
4343478f 6555 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6556 __clear_chan_timer(chan);
f62e4323
MH		 6557 }
6558}
6559
686ebf28 6560int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6561{
0139418c 6562 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6563 struct l2cap_chan *chan;
1da177e4 6564
0139418c 6565 if (!conn)
1da177e4 6566 return 0;
0139418c 6567
89d8b407 6568 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6569
160dc6ac 6570 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6571 if (!status && encrypt)
6572 smp_distribute_keys(conn, 0);
17cd3f37 6573 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6574 }
6575
3df91ea2 6576 mutex_lock(&conn->chan_lock);
1da177e4 6577
3df91ea2 6578 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6579 l2cap_chan_lock(chan);
1da177e4 6580
89d8b407
AE		 6581 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6582 state_to_string(chan->state));
f1cb9af5 6583
78eb2f98
AE		 6584 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6585 l2cap_chan_unlock(chan);
6586 continue;
6587 }
6588
073d1cf3 6589 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6590 if (!status && encrypt) {
6591 chan->sec_level = hcon->sec_level;
cf4cd009 6592 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6593 }
6594
6be36555 6595 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6596 continue;
6597 }
6598
96eff46e 6599 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6600 l2cap_chan_unlock(chan);
6a8d3010
MH		 6601 continue;
6602 }
6603
89bc500e 6604 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6605 chan->state == BT_CONFIG)) {
d97c899b 6606 chan->ops->resume(chan);
4343478f 6607 l2cap_check_encryption(chan, encrypt);
6be36555 6608 l2cap_chan_unlock(chan);
9719f8af
MH		 6609 continue;
6610 }
6611
89bc500e 6612 if (chan->state == BT_CONNECT) {
b1235d79 6613 if (!status) {
93c3e8f5 6614 l2cap_start_connection(chan);
b1235d79 6615 } else {
ba13ccd9 6616 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6617 }
89bc500e 6618 } else if (chan->state == BT_CONNECT2) {
b1235d79 6619 struct l2cap_conn_rsp rsp;
df3c3931 6620 __u16 res, stat;
1da177e4 6621
b1235d79 6622 if (!status) {
bdc25783 6623 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 6624 res = L2CAP_CR_PEND;
6625 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6626 chan->ops->defer(chan);
df3c3931 6627 } else {
acdcabf5 6628 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6629 res = L2CAP_CR_SUCCESS;
6630 stat = L2CAP_CS_NO_INFO;
6631 }
b1235d79 6632 } else {
acdcabf5 6633 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6634 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6635 res = L2CAP_CR_SEC_BLOCK;
6636 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6637 }
6638
fe4128e0
GP		 6639 rsp.scid = cpu_to_le16(chan->dcid);
6640 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6641 rsp.result = cpu_to_le16(res);
6642 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6643 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6644 sizeof(rsp), &rsp);
2d369359
MM		 6645
6646 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6647 res == L2CAP_CR_SUCCESS) {
6648 char buf[128];
6649 set_bit(CONF_REQ_SENT, &chan->conf_state);
6650 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6651 L2CAP_CONF_REQ,
6652 l2cap_build_conf_req(chan, buf),
6653 buf);
6654 chan->num_conf_req++;
6655 }
b1235d79 6656 }
1da177e4 6657
6be36555 6658 l2cap_chan_unlock(chan);
1da177e4
LT		 6659 }
6660
3df91ea2 6661 mutex_unlock(&conn->chan_lock);
b1235d79 6662
1da177e4
LT		 6663 return 0;
6664}
6665
686ebf28 6666int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6667{
6668 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6669 struct l2cap_hdr *hdr;
6670 int len;
1da177e4 6671
1d13a254
AE		 6672 /* For AMP controller do not create l2cap conn */
6673 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6674 goto drop;
1da177e4 6675
5a08ecce 6676 if (!conn)
baf43251 6677 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6678
6679 if (!conn)
1da177e4
LT		 6680 goto drop;
6681
6682 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6683
d73a0988
AE		 6684 switch (flags) {
6685 case ACL_START:
6686 case ACL_START_NO_FLUSH:
6687 case ACL_COMPLETE:
1da177e4
LT		 6688 if (conn->rx_len) {
6689 BT_ERR("Unexpected start frame (len %d)", skb->len);
6690 kfree_skb(conn->rx_skb);
6691 conn->rx_skb = NULL;
6692 conn->rx_len = 0;
6693 l2cap_conn_unreliable(conn, ECOMM);
6694 }
6695
aae7fe22
AE		 6696 /* Start fragment always begin with Basic L2CAP header */
6697 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6698 BT_ERR("Frame is too short (len %d)", skb->len);
6699 l2cap_conn_unreliable(conn, ECOMM);
6700 goto drop;
6701 }
6702
6703 hdr = (struct l2cap_hdr *) skb->data;
6704 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6705
6706 if (len == skb->len) {
6707 /* Complete frame received */
6708 l2cap_recv_frame(conn, skb);
6709 return 0;
6710 }
6711
6712 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6713
6714 if (skb->len > len) {
6715 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6716 skb->len, len);
1da177e4
LT		 6717 l2cap_conn_unreliable(conn, ECOMM);
6718 goto drop;
6719 }
6720
6721 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6722 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6723 if (!conn->rx_skb)
1da177e4
LT		 6724 goto drop;
6725
d626f62b 6726 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6727 skb->len);
1da177e4 6728 conn->rx_len = len - skb->len;
d73a0988
AE		 6729 break;
6730
6731 case ACL_CONT:
1da177e4
LT		 6732 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6733
6734 if (!conn->rx_len) {
6735 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6736 l2cap_conn_unreliable(conn, ECOMM);
6737 goto drop;
6738 }
6739
6740 if (skb->len > conn->rx_len) {
6741 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6742 skb->len, conn->rx_len);
1da177e4
LT		 6743 kfree_skb(conn->rx_skb);
6744 conn->rx_skb = NULL;
6745 conn->rx_len = 0;
6746 l2cap_conn_unreliable(conn, ECOMM);
6747 goto drop;
6748 }
6749
d626f62b 6750 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6751 skb->len);
1da177e4
LT		 6752 conn->rx_len -= skb->len;
6753
6754 if (!conn->rx_len) {
c4e5bafa
JH		 6755 /* Complete frame received. l2cap_recv_frame
6756 * takes ownership of the skb so set the global
6757 * rx_skb pointer to NULL first.
6758 */
6759 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 6760 conn->rx_skb = NULL;
c4e5bafa 6761 l2cap_recv_frame(conn, rx_skb);
1da177e4 6762 }
d73a0988 6763 break;
1da177e4
LT		 6764 }
6765
6766drop:
6767 kfree_skb(skb);
6768 return 0;
6769}
6770
aef7d97c 6771static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6772{
23691d75 6773 struct l2cap_chan *c;
1da177e4 6774
333055f2 6775 read_lock(&chan_list_lock);
1da177e4 6776
23691d75 6777 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 6778 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 6779 &c->src, &c->dst,
fcb73338
AE		 6780 c->state, __le16_to_cpu(c->psm),
6781 c->scid, c->dcid, c->imtu, c->omtu,
6782 c->sec_level, c->mode);
61e1b4b7 6783 }
1da177e4 6784
333055f2 6785 read_unlock(&chan_list_lock);
1da177e4 6786
aef7d97c 6787 return 0;
1da177e4
LT		 6788}
6789
aef7d97c
MH		 6790static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6791{
6792 return single_open(file, l2cap_debugfs_show, inode->i_private);
6793}
6794
6795static const struct file_operations l2cap_debugfs_fops = {
6796 .open = l2cap_debugfs_open,
6797 .read = seq_read,
6798 .llseek = seq_lseek,
6799 .release = single_release,
6800};
6801
6802static struct dentry *l2cap_debugfs;
1da177e4 6803
64274518 6804int __init l2cap_init(void)
1da177e4
LT		 6805{
6806 int err;
be9d1227 6807
bb58f747 6808 err = l2cap_init_sockets();
1da177e4
LT		 6809 if (err < 0)
6810 return err;
6811
1120e4bf
MH		 6812 if (IS_ERR_OR_NULL(bt_debugfs))
6813 return 0;
6814
6815 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6816 NULL, &l2cap_debugfs_fops);
1da177e4 6817
1da177e4 6818 return 0;
1da177e4
LT		 6819}
6820
64274518 6821void l2cap_exit(void)
1da177e4 6822{
aef7d97c 6823 debugfs_remove(l2cap_debugfs);
bb58f747 6824 l2cap_cleanup_sockets();
1da177e4
LT		 6825}
6826
d1c4a17d
GP		 6827module_param(disable_ertm, bool, 0644);
6828MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 2.058278 seconds and 5 git commands to generate.