projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move parts of fixed channel initialization to l2cap_add_scid
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
333055f2 427 write_lock(&chan_list_lock);
23691d75 428 list_add(&chan->global_l, &chan_list);
333055f2 429 write_unlock(&chan_list_lock);
23691d75 430
721c4181 431 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 432
89bc500e
GP		 433 chan->state = BT_OPEN;
434
144ad330 435 kref_init(&chan->kref);
71ba0e56 436
2827011f
MM		 437 /* This flag is cleared in l2cap_chan_ready() */
438 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
439
eef1d9b6 440 BT_DBG("chan %p", chan);
abc545b8 441
48454079
GP		 442 return chan;
443}
6b8d4a6a 444EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 445
144ad330 446static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 447{
144ad330
SS		 448 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
449
4af66c69
JK		 450 BT_DBG("chan %p", chan);
451
333055f2 452 write_lock(&chan_list_lock);
23691d75 453 list_del(&chan->global_l);
333055f2 454 write_unlock(&chan_list_lock);
23691d75 455
4af66c69 456 kfree(chan);
6ff5abbf
GP		 457}
458
30648372
JK		 459void l2cap_chan_hold(struct l2cap_chan *c)
460{
144ad330 461 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 462
144ad330 463 kref_get(&c->kref);
30648372
JK		 464}
465
466void l2cap_chan_put(struct l2cap_chan *c)
467{
144ad330 468 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 469
144ad330 470 kref_put(&c->kref, l2cap_chan_destroy);
30648372 471}
6b8d4a6a 472EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 473
bd4b1653
AE		 474void l2cap_chan_set_defaults(struct l2cap_chan *chan)
475{
476 chan->fcs = L2CAP_FCS_CRC16;
477 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
478 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
479 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 480 chan->remote_max_tx = chan->max_tx;
481 chan->remote_tx_win = chan->tx_win;
c20f8e35 482 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 483 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 484 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
485 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
486 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
487 chan->conf_state = 0;
bd4b1653
AE		 488
489 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
490}
6b8d4a6a 491EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 492
0ce43ce6 493static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 494{
0ce43ce6
JH		 495 chan->sdu = NULL;
496 chan->sdu_last_frag = NULL;
497 chan->sdu_len = 0;
0cd75f7e 498 chan->tx_credits = 0;
f15b8ecf 499 chan->rx_credits = le_max_credits;
d1d79413 500 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 501
502 skb_queue_head_init(&chan->tx_q);
38319713
JH		 503}
504
93c3e8f5 505void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 506{
af05b30b 507 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 508 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 509
9f5a0d7b 510 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 511
8c1d787b 512 chan->conn = conn;
0139418c 513
5491120e
AE		 514 switch (chan->chan_type) {
515 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 516 /* Alloc CID for connection-oriented socket */
517 chan->scid = l2cap_alloc_cid(conn);
518 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 519 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 520 break;
521
522 case L2CAP_CHAN_CONN_LESS:
0139418c 523 /* Connectionless socket */
fe4128e0
GP		 524 chan->scid = L2CAP_CID_CONN_LESS;
525 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 526 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 527 break;
528
2338a7e0
JH		 529 case L2CAP_CHAN_FIXED:
530 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 531 break;
532
5491120e 533 default:
0139418c 534 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 535 chan->scid = L2CAP_CID_SIGNALING;
536 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 537 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 538 }
539
8f7975b1
AE		 540 chan->local_id = L2CAP_BESTEFFORT_ID;
541 chan->local_stype = L2CAP_SERV_BESTEFFORT;
542 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
543 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
544 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 545 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 546
371fd835 547 l2cap_chan_hold(chan);
baa7e1fa 548
5ee9891d
JH		 549 hci_conn_hold(conn->hcon);
550
3df91ea2 551 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 552}
553
466f8004 554void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 555{
556 mutex_lock(&conn->chan_lock);
557 __l2cap_chan_add(conn, chan);
3df91ea2 558 mutex_unlock(&conn->chan_lock);
0139418c
MH		 559}
560
466f8004 561void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 562{
8c1d787b 563 struct l2cap_conn *conn = chan->conn;
0139418c 564
c9b66675 565 __clear_chan_timer(chan);
0139418c 566
49208c9c 567 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 568
8e87d142 569 if (conn) {
56f60984 570 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 571 /* Delete from channel list */
3df91ea2 572 list_del(&chan->list);
3d57dc68 573
371fd835 574 l2cap_chan_put(chan);
baa7e1fa 575
8c1d787b 576 chan->conn = NULL;
3cabbfda 577
2338a7e0 578 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 579 hci_conn_drop(conn->hcon);
56f60984
AE		 580
581 if (mgr && mgr->bredr_chan == chan)
582 mgr->bredr_chan = NULL;
0139418c
MH		 583 }
584
419e08c1
AE		 585 if (chan->hs_hchan) {
586 struct hci_chan *hs_hchan = chan->hs_hchan;
587
588 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
589 amp_disconnect_logical_link(hs_hchan);
590 }
591
b699ec0d 592 chan->ops->teardown(chan, err);
6be36555 593
2827011f 594 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 595 return;
2ead70b8 596
ee556f66
GP		 597 switch(chan->mode) {
598 case L2CAP_MODE_BASIC:
599 break;
c13ffa62 600
38319713 601 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 602 skb_queue_purge(&chan->tx_q);
38319713
JH		 603 break;
604
ee556f66 605 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 606 __clear_retrans_timer(chan);
607 __clear_monitor_timer(chan);
608 __clear_ack_timer(chan);
c13ffa62 609
f1c6775b 610 skb_queue_purge(&chan->srej_q);
c13ffa62 611
3c588192
MM		 612 l2cap_seq_list_free(&chan->srej_list);
613 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 614
615 /* fall through */
616
617 case L2CAP_MODE_STREAMING:
618 skb_queue_purge(&chan->tx_q);
619 break;
c13ffa62 620 }
ee556f66
GP		 621
622 return;
0139418c 623}
6b8d4a6a 624EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 625
387a33e3
JH		 626void l2cap_conn_update_id_addr(struct hci_conn *hcon)
627{
628 struct l2cap_conn *conn = hcon->l2cap_data;
629 struct l2cap_chan *chan;
630
631 mutex_lock(&conn->chan_lock);
632
633 list_for_each_entry(chan, &conn->chan_l, list) {
634 l2cap_chan_lock(chan);
635 bacpy(&chan->dst, &hcon->dst);
636 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
637 l2cap_chan_unlock(chan);
638 }
639
640 mutex_unlock(&conn->chan_lock);
641}
642
27e2d4c8
JH		 643static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
644{
645 struct l2cap_conn *conn = chan->conn;
646 struct l2cap_le_conn_rsp rsp;
647 u16 result;
648
649 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
650 result = L2CAP_CR_AUTHORIZATION;
651 else
652 result = L2CAP_CR_BAD_PSM;
653
654 l2cap_state_change(chan, BT_DISCONN);
655
656 rsp.dcid = cpu_to_le16(chan->scid);
657 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 658 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 659 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 660 rsp.result = cpu_to_le16(result);
661
662 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
663 &rsp);
664}
665
791d60f7
JH		 666static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
667{
668 struct l2cap_conn *conn = chan->conn;
669 struct l2cap_conn_rsp rsp;
670 u16 result;
671
672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
673 result = L2CAP_CR_SEC_BLOCK;
674 else
675 result = L2CAP_CR_BAD_PSM;
676
677 l2cap_state_change(chan, BT_DISCONN);
678
679 rsp.scid = cpu_to_le16(chan->dcid);
680 rsp.dcid = cpu_to_le16(chan->scid);
681 rsp.result = cpu_to_le16(result);
dcf4adbf 682 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 683
684 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
685}
686
0f852724 687void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 688{
689 struct l2cap_conn *conn = chan->conn;
4519de9a 690
7eafc59e 691 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 692
89bc500e 693 switch (chan->state) {
4519de9a 694 case BT_LISTEN:
b699ec0d 695 chan->ops->teardown(chan, 0);
4519de9a
GP		 696 break;
697
698 case BT_CONNECTED:
699 case BT_CONFIG:
7b25c9b3 700 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 701 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 702 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 703 } else
704 l2cap_chan_del(chan, reason);
705 break;
706
707 case BT_CONNECT2:
791d60f7
JH		 708 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
709 if (conn->hcon->type == ACL_LINK)
710 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 711 else if (conn->hcon->type == LE_LINK)
712 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 713 }
714
715 l2cap_chan_del(chan, reason);
716 break;
717
718 case BT_CONNECT:
719 case BT_DISCONN:
720 l2cap_chan_del(chan, reason);
721 break;
722
723 default:
b699ec0d 724 chan->ops->teardown(chan, 0);
4519de9a
GP		 725 break;
726 }
727}
6b8d4a6a 728EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 729
4343478f 730static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 731{
6a974b50
MH		 732 switch (chan->chan_type) {
733 case L2CAP_CHAN_RAW:
4343478f 734 switch (chan->sec_level) {
8556edd3 735 case BT_SECURITY_HIGH:
7d513e92 736 case BT_SECURITY_FIPS:
8556edd3
JH		 737 return HCI_AT_DEDICATED_BONDING_MITM;
738 case BT_SECURITY_MEDIUM:
739 return HCI_AT_DEDICATED_BONDING;
740 default:
741 return HCI_AT_NO_BONDING;
742 }
6a974b50 743 break;
3124b843 744 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 745 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 746 if (chan->sec_level == BT_SECURITY_LOW)
747 chan->sec_level = BT_SECURITY_SDP;
748 }
7d513e92
MH		 749 if (chan->sec_level == BT_SECURITY_HIGH ||
750 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 751 return HCI_AT_NO_BONDING_MITM;
752 else
753 return HCI_AT_NO_BONDING;
754 break;
6a974b50 755 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 756 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 757 if (chan->sec_level == BT_SECURITY_LOW)
758 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 759
7d513e92
MH		 760 if (chan->sec_level == BT_SECURITY_HIGH ||
761 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 762 return HCI_AT_NO_BONDING_MITM;
763 else
764 return HCI_AT_NO_BONDING;
765 }
766 /* fall through */
767 default:
4343478f 768 switch (chan->sec_level) {
00ae4af9 769 case BT_SECURITY_HIGH:
7d513e92 770 case BT_SECURITY_FIPS:
8556edd3 771 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 772 case BT_SECURITY_MEDIUM:
8556edd3 773 return HCI_AT_GENERAL_BONDING;
00ae4af9 774 default:
8556edd3 775 return HCI_AT_NO_BONDING;
00ae4af9 776 }
6a974b50 777 break;
0684e5f9 778 }
8556edd3
JH		 779}
780
781/* Service level security */
e7cafc45 782int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 783{
8c1d787b 784 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 785 __u8 auth_type;
786
a17de2fe
JH		 787 if (conn->hcon->type == LE_LINK)
788 return smp_conn_security(conn->hcon, chan->sec_level);
789
4343478f 790 auth_type = l2cap_get_auth_type(chan);
79d554a6 791
e7cafc45
JH		 792 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
793 initiator);
79d554a6
MH		 794}
795
b5ad8b7f 796static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 797{
798 u8 id;
799
800 /* Get next available identificator.
801 * 1 - 128 are used by kernel.
802 * 129 - 199 are reserved.
803 * 200 - 254 are used by utilities like l2ping, etc.
804 */
805
5a54e7c8 806 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 807
808 if (++conn->tx_ident > 128)
809 conn->tx_ident = 1;
810
811 id = conn->tx_ident;
812
5a54e7c8 813 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 814
815 return id;
816}
817
2d792818
GP		 818static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
819 void *data)
4e8402a3
MH		 820{
821 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 822 u8 flags;
4e8402a3
MH		 823
824 BT_DBG("code 0x%2.2x", code);
825
826 if (!skb)
9a9c6a34 827 return;
4e8402a3 828
e702112f
AE		 829 if (lmp_no_flush_capable(conn->hcon->hdev))
830 flags = ACL_START_NO_FLUSH;
831 else
832 flags = ACL_START;
833
14b12d0b 834 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 835 skb->priority = HCI_PRIO_MAX;
14b12d0b 836
73d80deb
LAD		 837 hci_send_acl(conn->hchan, skb, flags);
838}
839
02b0fbb9
MM		 840static bool __chan_is_moving(struct l2cap_chan *chan)
841{
842 return chan->move_state != L2CAP_MOVE_STABLE &&
843 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
844}
845
73d80deb
LAD		 846static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
847{
848 struct hci_conn *hcon = chan->conn->hcon;
849 u16 flags;
850
851 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 852 skb->priority);
73d80deb 853
d5f8a75d
MM		 854 if (chan->hs_hcon && !__chan_is_moving(chan)) {
855 if (chan->hs_hchan)
856 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
857 else
858 kfree_skb(skb);
859
860 return;
861 }
862
73d80deb 863 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 864 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 865 flags = ACL_START_NO_FLUSH;
866 else
867 flags = ACL_START;
14b12d0b 868
73d80deb
LAD		 869 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
870 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 871}
872
b76bbd66
MM		 873static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
874{
875 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
876 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
877
878 if (enh & L2CAP_CTRL_FRAME_TYPE) {
879 /* S-Frame */
880 control->sframe = 1;
881 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
882 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
883
884 control->sar = 0;
885 control->txseq = 0;
886 } else {
887 /* I-Frame */
888 control->sframe = 0;
889 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
890 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
891
892 control->poll = 0;
893 control->super = 0;
894 }
895}
896
b76bbd66
MM		 897static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
898{
899 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
900 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
901
902 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
903 /* S-Frame */
904 control->sframe = 1;
905 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
906 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
907
908 control->sar = 0;
909 control->txseq = 0;
910 } else {
911 /* I-Frame */
912 control->sframe = 0;
913 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
914 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
915
916 control->poll = 0;
917 control->super = 0;
918 }
919}
920
921static inline void __unpack_control(struct l2cap_chan *chan,
922 struct sk_buff *skb)
923{
924 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
925 __unpack_extended_control(get_unaligned_le32(skb->data),
926 &bt_cb(skb)->control);
cec8ab6e 927 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 928 } else {
929 __unpack_enhanced_control(get_unaligned_le16(skb->data),
930 &bt_cb(skb)->control);
cec8ab6e 931 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 932 }
933}
934
b5c6aaed
MM		 935static u32 __pack_extended_control(struct l2cap_ctrl *control)
936{
937 u32 packed;
938
939 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
940 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
941
942 if (control->sframe) {
943 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
944 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
945 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
946 } else {
947 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
948 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
949 }
950
951 return packed;
952}
953
954static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
955{
956 u16 packed;
957
958 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
959 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
960
961 if (control->sframe) {
962 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
963 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
964 packed |= L2CAP_CTRL_FRAME_TYPE;
965 } else {
966 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
967 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
968 }
969
970 return packed;
971}
972
b76bbd66
MM		 973static inline void __pack_control(struct l2cap_chan *chan,
974 struct l2cap_ctrl *control,
975 struct sk_buff *skb)
976{
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
978 put_unaligned_le32(__pack_extended_control(control),
979 skb->data + L2CAP_HDR_SIZE);
980 } else {
981 put_unaligned_le16(__pack_enhanced_control(control),
982 skb->data + L2CAP_HDR_SIZE);
983 }
984}
985
ba7aa64f
GP		 986static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
987{
988 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
989 return L2CAP_EXT_HDR_SIZE;
990 else
991 return L2CAP_ENH_HDR_SIZE;
992}
993
a67d7f6f
MM		 994static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
995 u32 control)
b5c6aaed
MM		 996{
997 struct sk_buff *skb;
998 struct l2cap_hdr *lh;
ba7aa64f 999 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1000
1001 if (chan->fcs == L2CAP_FCS_CRC16)
1002 hlen += L2CAP_FCS_SIZE;
1003
a67d7f6f 1004 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1005
b5c6aaed 1006 if (!skb)
a67d7f6f 1007 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1008
1009 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1010 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1011 lh->cid = cpu_to_le16(chan->dcid);
1012
a67d7f6f
MM		 1013 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1014 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1015 else
1016 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1017
1018 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1019 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1020 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1021 }
1022
1023 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1024 return skb;
1025}
1026
1027static void l2cap_send_sframe(struct l2cap_chan *chan,
1028 struct l2cap_ctrl *control)
1029{
1030 struct sk_buff *skb;
1031 u32 control_field;
1032
1033 BT_DBG("chan %p, control %p", chan, control);
1034
1035 if (!control->sframe)
1036 return;
1037
b99e13ad
MM		 1038 if (__chan_is_moving(chan))
1039 return;
1040
a67d7f6f
MM		 1041 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1042 !control->poll)
1043 control->final = 1;
1044
1045 if (control->super == L2CAP_SUPER_RR)
1046 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1047 else if (control->super == L2CAP_SUPER_RNR)
1048 set_bit(CONN_RNR_SENT, &chan->conn_state);
1049
1050 if (control->super != L2CAP_SUPER_SREJ) {
1051 chan->last_acked_seq = control->reqseq;
1052 __clear_ack_timer(chan);
1053 }
1054
1055 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1056 control->final, control->poll, control->super);
1057
1058 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1059 control_field = __pack_extended_control(control);
1060 else
1061 control_field = __pack_enhanced_control(control);
1062
1063 skb = l2cap_create_sframe_pdu(chan, control_field);
1064 if (!IS_ERR(skb))
1065 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1066}
1067
c9e3d5e0 1068static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1069{
c9e3d5e0
MM		 1070 struct l2cap_ctrl control;
1071
1072 BT_DBG("chan %p, poll %d", chan, poll);
1073
1074 memset(&control, 0, sizeof(control));
1075 control.sframe = 1;
1076 control.poll = poll;
1077
1078 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1079 control.super = L2CAP_SUPER_RNR;
1080 else
1081 control.super = L2CAP_SUPER_RR;
b5c6aaed 1082
c9e3d5e0
MM		 1083 control.reqseq = chan->buffer_seq;
1084 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1085}
1086
b4450035 1087static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1088{
5ff6f34d
JH		 1089 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1090 return true;
1091
c1360a1c 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1093}
1094
1df7b17a 1095static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1096{
1df7b17a 1097 struct l2cap_conn *conn = chan->conn;
80d58d0b 1098 struct hci_dev *hdev;
1df7b17a
MH		 1099 bool amp_available = false;
1100
1101 if (!conn->hs_enabled)
1102 return false;
1103
1104 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1105 return false;
80d58d0b
MH		 1106
1107 read_lock(&hci_dev_list_lock);
1df7b17a 1108 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1109 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1110 test_bit(HCI_UP, &hdev->flags)) {
1111 amp_available = true;
1112 break;
1113 }
1114 }
80d58d0b
MH		 1115 read_unlock(&hci_dev_list_lock);
1116
1df7b17a
MH		 1117 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1118 return amp_available;
848566b3
MH		 1119
1120 return false;
93c3e8f5
AE		 1121}
1122
5ce66b59
AE		 1123static bool l2cap_check_efs(struct l2cap_chan *chan)
1124{
1125 /* Check EFS parameters */
1126 return true;
1127}
1128
2766be48 1129void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1130{
1131 struct l2cap_conn *conn = chan->conn;
1132 struct l2cap_conn_req req;
1133
1134 req.scid = cpu_to_le16(chan->scid);
1135 req.psm = chan->psm;
1136
1137 chan->ident = l2cap_get_ident(conn);
1138
1139 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1140
1141 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1142}
1143
8eb200bd
MM		 1144static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1145{
1146 struct l2cap_create_chan_req req;
1147 req.scid = cpu_to_le16(chan->scid);
1148 req.psm = chan->psm;
1149 req.amp_id = amp_id;
1150
1151 chan->ident = l2cap_get_ident(chan->conn);
1152
1153 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1154 sizeof(req), &req);
1155}
1156
02b0fbb9
MM		 1157static void l2cap_move_setup(struct l2cap_chan *chan)
1158{
1159 struct sk_buff *skb;
1160
1161 BT_DBG("chan %p", chan);
1162
1163 if (chan->mode != L2CAP_MODE_ERTM)
1164 return;
1165
1166 __clear_retrans_timer(chan);
1167 __clear_monitor_timer(chan);
1168 __clear_ack_timer(chan);
1169
1170 chan->retry_count = 0;
1171 skb_queue_walk(&chan->tx_q, skb) {
1172 if (bt_cb(skb)->control.retries)
1173 bt_cb(skb)->control.retries = 1;
1174 else
1175 break;
1176 }
1177
1178 chan->expected_tx_seq = chan->buffer_seq;
1179
1180 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1181 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1182 l2cap_seq_list_clear(&chan->retrans_list);
1183 l2cap_seq_list_clear(&chan->srej_list);
1184 skb_queue_purge(&chan->srej_q);
1185
1186 chan->tx_state = L2CAP_TX_STATE_XMIT;
1187 chan->rx_state = L2CAP_RX_STATE_MOVE;
1188
1189 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1190}
1191
5f3847a4
MM		 1192static void l2cap_move_done(struct l2cap_chan *chan)
1193{
1194 u8 move_role = chan->move_role;
1195 BT_DBG("chan %p", chan);
1196
1197 chan->move_state = L2CAP_MOVE_STABLE;
1198 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1199
1200 if (chan->mode != L2CAP_MODE_ERTM)
1201 return;
1202
1203 switch (move_role) {
1204 case L2CAP_MOVE_ROLE_INITIATOR:
1205 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1206 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1207 break;
1208 case L2CAP_MOVE_ROLE_RESPONDER:
1209 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1210 break;
1211 }
1212}
1213
9f0caeb1
VCG		 1214static void l2cap_chan_ready(struct l2cap_chan *chan)
1215{
2827011f 1216 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1217 chan->conf_state = 0;
1218 __clear_chan_timer(chan);
1219
0ce43ce6
JH		 1220 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1221 chan->ops->suspend(chan);
177f8f2b 1222
54a59aa2 1223 chan->state = BT_CONNECTED;
9f0caeb1 1224
fd83e2c2 1225 chan->ops->ready(chan);
9f0caeb1
VCG		 1226}
1227
f1496dee
JH		 1228static void l2cap_le_connect(struct l2cap_chan *chan)
1229{
1230 struct l2cap_conn *conn = chan->conn;
1231 struct l2cap_le_conn_req req;
1232
595177f3
JH		 1233 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1234 return;
1235
f1496dee
JH		 1236 req.psm = chan->psm;
1237 req.scid = cpu_to_le16(chan->scid);
1238 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1239 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1240 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1241
1242 chan->ident = l2cap_get_ident(conn);
1243
1244 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1245 sizeof(req), &req);
1246}
1247
1248static void l2cap_le_start(struct l2cap_chan *chan)
1249{
1250 struct l2cap_conn *conn = chan->conn;
1251
1252 if (!smp_conn_security(conn->hcon, chan->sec_level))
1253 return;
1254
1255 if (!chan->psm) {
1256 l2cap_chan_ready(chan);
1257 return;
1258 }
1259
1260 if (chan->state == BT_CONNECT)
1261 l2cap_le_connect(chan);
1262}
1263
93c3e8f5
AE		 1264static void l2cap_start_connection(struct l2cap_chan *chan)
1265{
1266 if (__amp_capable(chan)) {
1267 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1268 a2mp_discover_amp(chan);
f1496dee
JH		 1269 } else if (chan->conn->hcon->type == LE_LINK) {
1270 l2cap_le_start(chan);
93c3e8f5
AE		 1271 } else {
1272 l2cap_send_conn_req(chan);
1273 }
1274}
1275
fc7f8a7e 1276static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1277{
8c1d787b 1278 struct l2cap_conn *conn = chan->conn;
79d554a6 1279
9f0caeb1 1280 if (conn->hcon->type == LE_LINK) {
96ac34fb 1281 l2cap_le_start(chan);
9f0caeb1
VCG		 1282 return;
1283 }
1284
79d554a6 1285 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1286 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1287 return;
1288
e7cafc45 1289 if (l2cap_chan_check_security(chan, true) &&
2d792818 1290 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1291 l2cap_start_connection(chan);
1292 }
79d554a6
MH		 1293 } else {
1294 struct l2cap_info_req req;
dcf4adbf 1295 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1296
1297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1298 conn->info_ident = l2cap_get_ident(conn);
1299
ba13ccd9 1300 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1301
2d792818
GP		 1302 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1303 sizeof(req), &req);
79d554a6
MH		 1304 }
1305}
1306
cf6c2c0b
GP		 1307static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1308{
1309 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1310 if (!disable_ertm)
cf6c2c0b
GP		 1311 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1312
1313 switch (mode) {
1314 case L2CAP_MODE_ERTM:
1315 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1316 case L2CAP_MODE_STREAMING:
1317 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1318 default:
1319 return 0x00;
1320 }
1321}
1322
5e4e3972 1323static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1324{
5e4e3972 1325 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1326 struct l2cap_disconn_req req;
1327
c13ffa62
GP		 1328 if (!conn)
1329 return;
1330
aad3d0e3 1331 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1332 __clear_retrans_timer(chan);
1333 __clear_monitor_timer(chan);
1334 __clear_ack_timer(chan);
c13ffa62
GP		 1335 }
1336
2338a7e0 1337 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1338 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1339 return;
1340 }
1341
fe4128e0
GP		 1342 req.dcid = cpu_to_le16(chan->dcid);
1343 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1344 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1345 sizeof(req), &req);
c13ffa62 1346
f8e73017 1347 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1348}
1349
1da177e4 1350/* ---- L2CAP connections ---- */
4e8402a3
MH		 1351static void l2cap_conn_start(struct l2cap_conn *conn)
1352{
3df91ea2 1353 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1354
1355 BT_DBG("conn %p", conn);
1356
3df91ea2 1357 mutex_lock(&conn->chan_lock);
4e8402a3 1358
3df91ea2 1359 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1360 l2cap_chan_lock(chan);
4e8402a3 1361
715ec005 1362 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1363 l2cap_chan_unlock(chan);
79d554a6
MH		 1364 continue;
1365 }
1366
89bc500e 1367 if (chan->state == BT_CONNECT) {
e7cafc45 1368 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1369 !__l2cap_no_conn_pending(chan)) {
6be36555 1370 l2cap_chan_unlock(chan);
47731de7
GP		 1371 continue;
1372 }
79d554a6 1373
c1360a1c 1374 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1375 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1376 &chan->conf_state)) {
89bc500e 1377 l2cap_chan_close(chan, ECONNRESET);
6be36555 1378 l2cap_chan_unlock(chan);
47731de7 1379 continue;
b1235d79 1380 }
47731de7 1381
93c3e8f5 1382 l2cap_start_connection(chan);
47731de7 1383
89bc500e 1384 } else if (chan->state == BT_CONNECT2) {
79d554a6 1385 struct l2cap_conn_rsp rsp;
e9aeb2dd 1386 char buf[128];
fe4128e0
GP		 1387 rsp.scid = cpu_to_le16(chan->dcid);
1388 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1389
e7cafc45 1390 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1391 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1392 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1393 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1394 chan->ops->defer(chan);
f66dc81f
MH		 1395
1396 } else {
acdcabf5 1397 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1398 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1399 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1400 }
79d554a6 1401 } else {
dcf4adbf
JP		 1402 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1403 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1404 }
1405
fc7f8a7e 1406 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1407 sizeof(rsp), &rsp);
e9aeb2dd 1408
c1360a1c 1409 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1410 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1411 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1412 continue;
1413 }
1414
c1360a1c 1415 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1416 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1417 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1418 chan->num_conf_req++;
4e8402a3
MH		 1419 }
1420
6be36555 1421 l2cap_chan_unlock(chan);
4e8402a3
MH		 1422 }
1423
3df91ea2 1424 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1425}
1426
b62f328b
VT		 1427static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1428{
cc8dba2b 1429 struct hci_conn *hcon = conn->hcon;
dcc36c16 1430 struct hci_dev *hdev = hcon->hdev;
b62f328b 1431
e760ec12 1432 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1433
e760ec12
JH		 1434 /* For outgoing pairing which doesn't necessarily have an
1435 * associated socket (e.g. mgmt_pair_device).
1436 */
1437 if (hcon->out)
1438 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1439
80afeb6c
MH		 1440 /* For LE slave connections, make sure the connection interval
1441 * is in the range of the minium and maximum interval that has
1442 * been configured for this connection. If not, then trigger
1443 * the connection update procedure.
1444 */
40bef302 1445 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1446 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1447 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1448 struct l2cap_conn_param_update_req req;
1449
1450 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1451 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1452 req.latency = cpu_to_le16(hcon->le_conn_latency);
1453 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1454
1455 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1456 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1457 }
b62f328b
VT		 1458}
1459
4e8402a3
MH		 1460static void l2cap_conn_ready(struct l2cap_conn *conn)
1461{
48454079 1462 struct l2cap_chan *chan;
cc110922 1463 struct hci_conn *hcon = conn->hcon;
4e8402a3 1464
79d554a6 1465 BT_DBG("conn %p", conn);
4e8402a3 1466
44f3b0fb
JH		 1467 if (hcon->type == LE_LINK)
1468 l2cap_le_conn_ready(conn);
1469
e760ec12
JH		 1470 mutex_lock(&conn->chan_lock);
1471
3df91ea2 1472 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1473
6be36555 1474 l2cap_chan_lock(chan);
4e8402a3 1475
2338a7e0 1476 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1477 l2cap_chan_unlock(chan);
1478 continue;
1479 }
1480
cc110922 1481 if (hcon->type == LE_LINK) {
f1496dee 1482 l2cap_le_start(chan);
63128451 1483 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1484 l2cap_chan_ready(chan);
b501d6a1 1485
1c244f79 1486 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1487 l2cap_do_start(chan);
1c244f79 1488 }
4e8402a3 1489
6be36555 1490 l2cap_chan_unlock(chan);
4e8402a3 1491 }
79d554a6 1492
3df91ea2 1493 mutex_unlock(&conn->chan_lock);
61a939c6
JH		 1494
1495 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1496}
1497
1498/* Notify sockets that we cannot guaranty reliability anymore */
1499static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1500{
48454079 1501 struct l2cap_chan *chan;
4e8402a3
MH		 1502
1503 BT_DBG("conn %p", conn);
1504
3df91ea2 1505 mutex_lock(&conn->chan_lock);
4e8402a3 1506
3df91ea2 1507 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1508 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1509 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1510 }
1511
3df91ea2 1512 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1513}
1514
f878fcad 1515static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1516{
f878fcad 1517 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1518 info_timer.work);
4e8402a3 1519
984947dc 1520 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1521 conn->info_ident = 0;
984947dc 1522
4e8402a3
MH		 1523 l2cap_conn_start(conn);
1524}
1525
2c8e1411
DH		 1526/*
1527 * l2cap_user
1528 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1529 * callback is called during registration. The ->remove callback is called
1530 * during unregistration.
1531 * An l2cap_user object can either be explicitly unregistered or when the
1532 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1533 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1534 * External modules must own a reference to the l2cap_conn object if they intend
1535 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1536 * any time if they don't.
1537 */
1538
1539int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1540{
1541 struct hci_dev *hdev = conn->hcon->hdev;
1542 int ret;
1543
1544 /* We need to check whether l2cap_conn is registered. If it is not, we
1545 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1546 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1547 * relies on the parent hci_conn object to be locked. This itself relies
1548 * on the hci_dev object to be locked. So we must lock the hci device
1549 * here, too. */
1550
1551 hci_dev_lock(hdev);
1552
1553 if (user->list.next || user->list.prev) {
1554 ret = -EINVAL;
1555 goto out_unlock;
1556 }
1557
1558 /* conn->hchan is NULL after l2cap_conn_del() was called */
1559 if (!conn->hchan) {
1560 ret = -ENODEV;
1561 goto out_unlock;
1562 }
1563
1564 ret = user->probe(conn, user);
1565 if (ret)
1566 goto out_unlock;
1567
1568 list_add(&user->list, &conn->users);
1569 ret = 0;
1570
1571out_unlock:
1572 hci_dev_unlock(hdev);
1573 return ret;
1574}
1575EXPORT_SYMBOL(l2cap_register_user);
1576
1577void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1578{
1579 struct hci_dev *hdev = conn->hcon->hdev;
1580
1581 hci_dev_lock(hdev);
1582
1583 if (!user->list.next || !user->list.prev)
1584 goto out_unlock;
1585
1586 list_del(&user->list);
1587 user->list.next = NULL;
1588 user->list.prev = NULL;
1589 user->remove(conn, user);
1590
1591out_unlock:
1592 hci_dev_unlock(hdev);
1593}
1594EXPORT_SYMBOL(l2cap_unregister_user);
1595
1596static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1597{
1598 struct l2cap_user *user;
1599
1600 while (!list_empty(&conn->users)) {
1601 user = list_first_entry(&conn->users, struct l2cap_user, list);
1602 list_del(&user->list);
1603 user->list.next = NULL;
1604 user->list.prev = NULL;
1605 user->remove(conn, user);
1606 }
1607}
1608
5d3de7df
VCG		 1609static void l2cap_conn_del(struct hci_conn *hcon, int err)
1610{
1611 struct l2cap_conn *conn = hcon->l2cap_data;
1612 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1613
1614 if (!conn)
1615 return;
1616
1617 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1618
1619 kfree_skb(conn->rx_skb);
1620
61a939c6 1621 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1622
1623 /* We can not call flush_work(&conn->pending_rx_work) here since we
1624 * might block if we are running on a worker from the same workqueue
1625 * pending_rx_work is waiting on.
1626 */
1627 if (work_pending(&conn->pending_rx_work))
1628 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1629
2c8e1411
DH		 1630 l2cap_unregister_all_users(conn);
1631
3df91ea2
AE		 1632 mutex_lock(&conn->chan_lock);
1633
5d3de7df
VCG		 1634 /* Kill channels */
1635 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1636 l2cap_chan_hold(chan);
6be36555
AE		 1637 l2cap_chan_lock(chan);
1638
5d3de7df 1639 l2cap_chan_del(chan, err);
6be36555
AE		 1640
1641 l2cap_chan_unlock(chan);
1642
80b98027 1643 chan->ops->close(chan);
61d6ef3e 1644 l2cap_chan_put(chan);
5d3de7df
VCG		 1645 }
1646
3df91ea2
AE		 1647 mutex_unlock(&conn->chan_lock);
1648
73d80deb
LAD		 1649 hci_chan_del(conn->hchan);
1650
5d3de7df 1651 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1652 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1653
51a8efd7 1654 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1655 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1656 smp_chan_destroy(conn);
d26a2345 1657 }
5d3de7df
VCG		 1658
1659 hcon->l2cap_data = NULL;
9c903e37
DH		 1660 conn->hchan = NULL;
1661 l2cap_conn_put(conn);
5d3de7df
VCG		 1662}
1663
6c9d42a1 1664static void security_timeout(struct work_struct *work)
5d3de7df 1665{
6c9d42a1 1666 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1667 security_timer.work);
5d3de7df 1668
d06cc416
JH		 1669 BT_DBG("conn %p", conn);
1670
1671 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1672 smp_chan_destroy(conn);
1673 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1674 }
5d3de7df
VCG		 1675}
1676
9c903e37
DH		 1677static void l2cap_conn_free(struct kref *ref)
1678{
1679 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1680
1681 hci_conn_put(conn->hcon);
1682 kfree(conn);
1683}
1684
1685void l2cap_conn_get(struct l2cap_conn *conn)
1686{
1687 kref_get(&conn->ref);
1688}
1689EXPORT_SYMBOL(l2cap_conn_get);
1690
1691void l2cap_conn_put(struct l2cap_conn *conn)
1692{
1693 kref_put(&conn->ref, l2cap_conn_free);
1694}
1695EXPORT_SYMBOL(l2cap_conn_put);
1696
1da177e4 1697/* ---- Socket interface ---- */
1da177e4 1698
c2287681 1699/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1700 * Returns closest match.
1701 */
c2287681
IY		 1702static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1703 bdaddr_t *src,
bf20fd4e
JH		 1704 bdaddr_t *dst,
1705 u8 link_type)
1da177e4 1706{
23691d75 1707 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1708
23691d75 1709 read_lock(&chan_list_lock);
e0f0cb56 1710
23691d75 1711 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1712 if (state && c->state != state)
1da177e4
LT		 1713 continue;
1714
bf20fd4e
JH		 1715 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1716 continue;
1717
1718 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1719 continue;
1720
23691d75 1721 if (c->psm == psm) {
c2287681
IY		 1722 int src_match, dst_match;
1723 int src_any, dst_any;
1724
1da177e4 1725 /* Exact match. */
7eafc59e
MH		 1726 src_match = !bacmp(&c->src, src);
1727 dst_match = !bacmp(&c->dst, dst);
c2287681 1728 if (src_match && dst_match) {
a24cce14 1729 l2cap_chan_hold(c);
a7567b20 1730 read_unlock(&chan_list_lock);
23691d75
GP		 1731 return c;
1732 }
1da177e4
LT		 1733
1734 /* Closest match */
7eafc59e
MH		 1735 src_any = !bacmp(&c->src, BDADDR_ANY);
1736 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1737 if ((src_match && dst_any) || (src_any && dst_match) ||
1738 (src_any && dst_any))
23691d75 1739 c1 = c;
1da177e4
LT		 1740 }
1741 }
1da177e4 1742
a24cce14
JH		 1743 if (c1)
1744 l2cap_chan_hold(c1);
1745
23691d75 1746 read_unlock(&chan_list_lock);
e0f0cb56 1747
23691d75 1748 return c1;
1da177e4
LT		 1749}
1750
721c4181 1751static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1752{
721c4181 1753 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1754 monitor_timer.work);
e90bac06 1755
525cd185 1756 BT_DBG("chan %p", chan);
0e98958d 1757
6be36555
AE		 1758 l2cap_chan_lock(chan);
1759
80909e04 1760 if (!chan->conn) {
6be36555 1761 l2cap_chan_unlock(chan);
8d7e1c7f 1762 l2cap_chan_put(chan);
e90bac06
GP		 1763 return;
1764 }
1765
401bb1f7 1766 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1767
6be36555 1768 l2cap_chan_unlock(chan);
8d7e1c7f 1769 l2cap_chan_put(chan);
e90bac06
GP		 1770}
1771
721c4181 1772static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1773{
721c4181 1774 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1775 retrans_timer.work);
e90bac06 1776
49208c9c 1777 BT_DBG("chan %p", chan);
0e98958d 1778
6be36555
AE		 1779 l2cap_chan_lock(chan);
1780
80909e04
MM		 1781 if (!chan->conn) {
1782 l2cap_chan_unlock(chan);
1783 l2cap_chan_put(chan);
1784 return;
1785 }
6be36555 1786
401bb1f7 1787 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1788 l2cap_chan_unlock(chan);
8d7e1c7f 1789 l2cap_chan_put(chan);
e90bac06
GP		 1790}
1791
d660366d
GP		 1792static void l2cap_streaming_send(struct l2cap_chan *chan,
1793 struct sk_buff_head *skbs)
6840ed07 1794{
ccbb84af 1795 struct sk_buff *skb;
3733937d 1796 struct l2cap_ctrl *control;
6840ed07 1797
3733937d
MM		 1798 BT_DBG("chan %p, skbs %p", chan, skbs);
1799
b99e13ad
MM		 1800 if (__chan_is_moving(chan))
1801 return;
1802
3733937d
MM		 1803 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1804
1805 while (!skb_queue_empty(&chan->tx_q)) {
1806
1807 skb = skb_dequeue(&chan->tx_q);
1808
1809 bt_cb(skb)->control.retries = 1;
1810 control = &bt_cb(skb)->control;
1811
1812 control->reqseq = 0;
1813 control->txseq = chan->next_tx_seq;
1814
1815 __pack_control(chan, control, skb);
6840ed07 1816
47d1ec61 1817 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1818 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1819 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1820 }
1821
4343478f 1822 l2cap_do_send(chan, skb);
6840ed07 1823
b4400672 1824 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1825
836be934 1826 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1827 chan->frames_sent++;
6840ed07 1828 }
6840ed07
GP		 1829}
1830
67c9e840 1831static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1832{
1833 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1834 struct l2cap_ctrl *control;
1835 int sent = 0;
1836
1837 BT_DBG("chan %p", chan);
1c2acffb 1838
89bc500e 1839 if (chan->state != BT_CONNECTED)
c13ffa62 1840 return -ENOTCONN;
e90bac06 1841
94122bbe
MM		 1842 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1843 return 0;
1844
b99e13ad
MM		 1845 if (__chan_is_moving(chan))
1846 return 0;
1847
18a48e76
MM		 1848 while (chan->tx_send_head &&
1849 chan->unacked_frames < chan->remote_tx_win &&
1850 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1851
18a48e76 1852 skb = chan->tx_send_head;
e90bac06 1853
18a48e76
MM		 1854 bt_cb(skb)->control.retries = 1;
1855 control = &bt_cb(skb)->control;
95ffa978 1856
e2ab4353 1857 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1858 control->final = 1;
e2ab4353 1859
18a48e76
MM		 1860 control->reqseq = chan->buffer_seq;
1861 chan->last_acked_seq = chan->buffer_seq;
1862 control->txseq = chan->next_tx_seq;
1c2acffb 1863
18a48e76 1864 __pack_control(chan, control, skb);
e90bac06 1865
47d1ec61 1866 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1867 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1868 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1869 }
1870
18a48e76
MM		 1871 /* Clone after data has been modified. Data is assumed to be
1872 read-only (for locking purposes) on cloned sk_buffs.
1873 */
1874 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1875
18a48e76
MM		 1876 if (!tx_skb)
1877 break;
1c2acffb 1878
18a48e76 1879 __set_retrans_timer(chan);
836be934
AE		 1880
1881 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1882 chan->unacked_frames++;
6a026610 1883 chan->frames_sent++;
18a48e76 1884 sent++;
1c2acffb 1885
58d35f87
GP		 1886 if (skb_queue_is_last(&chan->tx_q, skb))
1887 chan->tx_send_head = NULL;
1c2acffb 1888 else
58d35f87 1889 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1890
1891 l2cap_do_send(chan, tx_skb);
b4400672 1892 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1893 }
1894
b4400672
AE		 1895 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1896 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1897
1898 return sent;
9e917af1
GP		 1899}
1900
e1fbd4c1
MM		 1901static void l2cap_ertm_resend(struct l2cap_chan *chan)
1902{
1903 struct l2cap_ctrl control;
1904 struct sk_buff *skb;
1905 struct sk_buff *tx_skb;
1906 u16 seq;
1907
1908 BT_DBG("chan %p", chan);
1909
1910 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1911 return;
1912
b99e13ad
MM		 1913 if (__chan_is_moving(chan))
1914 return;
1915
e1fbd4c1
MM		 1916 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1917 seq = l2cap_seq_list_pop(&chan->retrans_list);
1918
1919 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1920 if (!skb) {
1921 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1922 seq);
e1fbd4c1
MM		 1923 continue;
1924 }
1925
1926 bt_cb(skb)->control.retries++;
1927 control = bt_cb(skb)->control;
1928
1929 if (chan->max_tx != 0 &&
1930 bt_cb(skb)->control.retries > chan->max_tx) {
1931 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1932 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1933 l2cap_seq_list_clear(&chan->retrans_list);
1934 break;
1935 }
1936
1937 control.reqseq = chan->buffer_seq;
1938 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1939 control.final = 1;
1940 else
1941 control.final = 0;
1942
1943 if (skb_cloned(skb)) {
1944 /* Cloned sk_buffs are read-only, so we need a
1945 * writeable copy
1946 */
8bcde1f2 1947 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1948 } else {
8bcde1f2 1949 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1950 }
1951
1952 if (!tx_skb) {
1953 l2cap_seq_list_clear(&chan->retrans_list);
1954 break;
1955 }
1956
1957 /* Update skb contents */
1958 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1959 put_unaligned_le32(__pack_extended_control(&control),
1960 tx_skb->data + L2CAP_HDR_SIZE);
1961 } else {
1962 put_unaligned_le16(__pack_enhanced_control(&control),
1963 tx_skb->data + L2CAP_HDR_SIZE);
1964 }
1965
1966 if (chan->fcs == L2CAP_FCS_CRC16) {
1967 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1968 put_unaligned_le16(fcs, skb_put(tx_skb,
1969 L2CAP_FCS_SIZE));
1970 }
1971
1972 l2cap_do_send(chan, tx_skb);
1973
1974 BT_DBG("Resent txseq %d", control.txseq);
1975
1976 chan->last_acked_seq = chan->buffer_seq;
1977 }
1978}
1979
f80842a8
MM		 1980static void l2cap_retransmit(struct l2cap_chan *chan,
1981 struct l2cap_ctrl *control)
1982{
1983 BT_DBG("chan %p, control %p", chan, control);
1984
1985 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1986 l2cap_ertm_resend(chan);
1987}
1988
d2a7ac5d
MM		 1989static void l2cap_retransmit_all(struct l2cap_chan *chan,
1990 struct l2cap_ctrl *control)
1991{
e1fbd4c1
MM		 1992 struct sk_buff *skb;
1993
1994 BT_DBG("chan %p, control %p", chan, control);
1995
1996 if (control->poll)
1997 set_bit(CONN_SEND_FBIT, &chan->conn_state);
1998
1999 l2cap_seq_list_clear(&chan->retrans_list);
2000
2001 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2002 return;
2003
2004 if (chan->unacked_frames) {
2005 skb_queue_walk(&chan->tx_q, skb) {
2006 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2007 skb == chan->tx_send_head)
e1fbd4c1
MM		 2008 break;
2009 }
2010
2011 skb_queue_walk_from(&chan->tx_q, skb) {
2012 if (skb == chan->tx_send_head)
2013 break;
2014
2015 l2cap_seq_list_append(&chan->retrans_list,
2016 bt_cb(skb)->control.txseq);
2017 }
2018
2019 l2cap_ertm_resend(chan);
2020 }
d2a7ac5d
MM		 2021}
2022
0a0aba42 2023static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2024{
0a0aba42
MM		 2025 struct l2cap_ctrl control;
2026 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2027 chan->last_acked_seq);
2028 int threshold;
9e917af1 2029
0a0aba42
MM		 2030 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2031 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2032
0a0aba42
MM		 2033 memset(&control, 0, sizeof(control));
2034 control.sframe = 1;
dfc909be 2035
0a0aba42
MM		 2036 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2037 chan->rx_state == L2CAP_RX_STATE_RECV) {
2038 __clear_ack_timer(chan);
2039 control.super = L2CAP_SUPER_RNR;
2040 control.reqseq = chan->buffer_seq;
2041 l2cap_send_sframe(chan, &control);
2042 } else {
2043 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2044 l2cap_ertm_send(chan);
2045 /* If any i-frames were sent, they included an ack */
2046 if (chan->buffer_seq == chan->last_acked_seq)
2047 frames_to_ack = 0;
2048 }
dfc909be 2049
c20f8e35 2050 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2051 * Calculate without mul or div
2052 */
c20f8e35 2053 threshold = chan->ack_win;
0a0aba42
MM		 2054 threshold += threshold << 1;
2055 threshold >>= 2;
2056
b4400672 2057 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2058 threshold);
2059
2060 if (frames_to_ack >= threshold) {
2061 __clear_ack_timer(chan);
2062 control.super = L2CAP_SUPER_RR;
2063 control.reqseq = chan->buffer_seq;
2064 l2cap_send_sframe(chan, &control);
2065 frames_to_ack = 0;
2066 }
1c2acffb 2067
0a0aba42
MM		 2068 if (frames_to_ack)
2069 __set_ack_timer(chan);
2070 }
b17e73bb
SJ		 2071}
2072
04124681
GP		 2073static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2074 struct msghdr *msg, int len,
2075 int count, struct sk_buff *skb)
1c2acffb 2076{
0952a57a 2077 struct l2cap_conn *conn = chan->conn;
1c2acffb 2078 struct sk_buff **frag;
90338947 2079 int sent = 0;
1da177e4 2080
0498878b
JR		 2081 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2082 msg->msg_iov, count))
1c2acffb 2083 return -EFAULT;
1da177e4
LT		 2084
2085 sent += count;
2086 len -= count;
2087
2088 /* Continuation fragments (no L2CAP header) */
2089 frag = &skb_shinfo(skb)->frag_list;
2090 while (len) {
fbe00700
GP		 2091 struct sk_buff *tmp;
2092
1da177e4
LT		 2093 count = min_t(unsigned int, conn->mtu, len);
2094
d9fbd02b 2095 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2096 msg->msg_flags & MSG_DONTWAIT);
2097 if (IS_ERR(tmp))
2098 return PTR_ERR(tmp);
2099
2100 *frag = tmp;
2f7719ce 2101
0498878b
JR		 2102 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2103 msg->msg_iov, count))
1c2acffb 2104 return -EFAULT;
1da177e4
LT		 2105
2106 sent += count;
2107 len -= count;
2108
2d0ed3d5
GP		 2109 skb->len += (*frag)->len;
2110 skb->data_len += (*frag)->len;
2111
1da177e4
LT		 2112 frag = &(*frag)->next;
2113 }
1da177e4
LT		 2114
2115 return sent;
1c2acffb 2116}
1da177e4 2117
5e59b791 2118static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2119 struct msghdr *msg, size_t len)
1c2acffb 2120{
8c1d787b 2121 struct l2cap_conn *conn = chan->conn;
1c2acffb 2122 struct sk_buff *skb;
03a51213 2123 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2124 struct l2cap_hdr *lh;
2125
8d46321c
MH		 2126 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2127 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2128
2129 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2130
d9fbd02b 2131 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2132 msg->msg_flags & MSG_DONTWAIT);
2133 if (IS_ERR(skb))
2134 return skb;
1c2acffb
GP		 2135
2136 /* Create L2CAP header */
2137 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2138 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2139 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2140 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2141
0952a57a 2142 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2143 if (unlikely(err < 0)) {
2144 kfree_skb(skb);
2145 return ERR_PTR(err);
2146 }
2147 return skb;
2148}
2149
5e59b791 2150static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2151 struct msghdr *msg, size_t len)
1c2acffb 2152{
8c1d787b 2153 struct l2cap_conn *conn = chan->conn;
1c2acffb 2154 struct sk_buff *skb;
f2ba7fae 2155 int err, count;
1c2acffb
GP		 2156 struct l2cap_hdr *lh;
2157
b4400672 2158 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2159
f2ba7fae 2160 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2161
d9fbd02b 2162 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2163 msg->msg_flags & MSG_DONTWAIT);
2164 if (IS_ERR(skb))
2165 return skb;
1c2acffb
GP		 2166
2167 /* Create L2CAP header */
2168 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2169 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2170 lh->len = cpu_to_le16(len);
1c2acffb 2171
0952a57a 2172 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2173 if (unlikely(err < 0)) {
2174 kfree_skb(skb);
2175 return ERR_PTR(err);
2176 }
2177 return skb;
2178}
2179
ab0ff76d 2180static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2181 struct msghdr *msg, size_t len,
2182 u16 sdulen)
1c2acffb 2183{
8c1d787b 2184 struct l2cap_conn *conn = chan->conn;
1c2acffb 2185 struct sk_buff *skb;
e4ca6d98 2186 int err, count, hlen;
1c2acffb
GP		 2187 struct l2cap_hdr *lh;
2188
b4400672 2189 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2190
0ee0d208
GP		 2191 if (!conn)
2192 return ERR_PTR(-ENOTCONN);
2193
ba7aa64f 2194 hlen = __ertm_hdr_size(chan);
e4ca6d98 2195
c74e560c 2196 if (sdulen)
03a51213 2197 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2198
47d1ec61 2199 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2200 hlen += L2CAP_FCS_SIZE;
fcc203c3 2201
1c2acffb 2202 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2203
d9fbd02b 2204 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2205 msg->msg_flags & MSG_DONTWAIT);
2206 if (IS_ERR(skb))
2207 return skb;
1c2acffb
GP		 2208
2209 /* Create L2CAP header */
2210 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2211 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2212 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2213
18a48e76
MM		 2214 /* Control header is populated later */
2215 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2216 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2217 else
2218 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2219
c74e560c 2220 if (sdulen)
03a51213 2221 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2222
0952a57a 2223 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2224 if (unlikely(err < 0)) {
2225 kfree_skb(skb);
2226 return ERR_PTR(err);
2227 }
e90bac06 2228
18a48e76 2229 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2230 bt_cb(skb)->control.retries = 0;
1c2acffb 2231 return skb;
1da177e4
LT		 2232}
2233
94122bbe
MM		 2234static int l2cap_segment_sdu(struct l2cap_chan *chan,
2235 struct sk_buff_head *seg_queue,
2236 struct msghdr *msg, size_t len)
c74e560c 2237{
c74e560c 2238 struct sk_buff *skb;
94122bbe
MM		 2239 u16 sdu_len;
2240 size_t pdu_len;
94122bbe 2241 u8 sar;
c74e560c 2242
b4400672 2243 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2244
94122bbe
MM		 2245 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2246 * so fragmented skbs are not used. The HCI layer's handling
2247 * of fragmented skbs is not compatible with ERTM's queueing.
2248 */
c74e560c 2249
94122bbe
MM		 2250 /* PDU size is derived from the HCI MTU */
2251 pdu_len = chan->conn->mtu;
c74e560c 2252
a549574d
MM		 2253 /* Constrain PDU size for BR/EDR connections */
2254 if (!chan->hs_hcon)
2255 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2256
2257 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2258 if (chan->fcs)
2259 pdu_len -= L2CAP_FCS_SIZE;
2260
ba7aa64f 2261 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2262
2263 /* Remote device may have requested smaller PDUs */
2264 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2265
2266 if (len <= pdu_len) {
2267 sar = L2CAP_SAR_UNSEGMENTED;
2268 sdu_len = 0;
2269 pdu_len = len;
2270 } else {
2271 sar = L2CAP_SAR_START;
2272 sdu_len = len;
2273 pdu_len -= L2CAP_SDULEN_SIZE;
2274 }
2275
2276 while (len > 0) {
2277 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2278
c74e560c 2279 if (IS_ERR(skb)) {
94122bbe 2280 __skb_queue_purge(seg_queue);
c74e560c
GP		 2281 return PTR_ERR(skb);
2282 }
2283
94122bbe
MM		 2284 bt_cb(skb)->control.sar = sar;
2285 __skb_queue_tail(seg_queue, skb);
2286
2287 len -= pdu_len;
2288 if (sdu_len) {
2289 sdu_len = 0;
2290 pdu_len += L2CAP_SDULEN_SIZE;
2291 }
2292
2293 if (len <= pdu_len) {
2294 sar = L2CAP_SAR_END;
2295 pdu_len = len;
2296 } else {
2297 sar = L2CAP_SAR_CONTINUE;
2298 }
c74e560c 2299 }
c74e560c 2300
f0f62799 2301 return 0;
c74e560c
GP		 2302}
2303
177f8f2b
JH		 2304static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2305 struct msghdr *msg,
2306 size_t len, u16 sdulen)
2307{
2308 struct l2cap_conn *conn = chan->conn;
2309 struct sk_buff *skb;
2310 int err, count, hlen;
2311 struct l2cap_hdr *lh;
2312
2313 BT_DBG("chan %p len %zu", chan, len);
2314
2315 if (!conn)
2316 return ERR_PTR(-ENOTCONN);
2317
2318 hlen = L2CAP_HDR_SIZE;
2319
2320 if (sdulen)
2321 hlen += L2CAP_SDULEN_SIZE;
2322
2323 count = min_t(unsigned int, (conn->mtu - hlen), len);
2324
d9fbd02b 2325 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2326 msg->msg_flags & MSG_DONTWAIT);
2327 if (IS_ERR(skb))
2328 return skb;
2329
2330 /* Create L2CAP header */
2331 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2332 lh->cid = cpu_to_le16(chan->dcid);
2333 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2334
2335 if (sdulen)
2336 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2337
2338 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2339 if (unlikely(err < 0)) {
2340 kfree_skb(skb);
2341 return ERR_PTR(err);
2342 }
2343
2344 return skb;
2345}
2346
2347static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2348 struct sk_buff_head *seg_queue,
2349 struct msghdr *msg, size_t len)
2350{
2351 struct sk_buff *skb;
2352 size_t pdu_len;
2353 u16 sdu_len;
2354
2355 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2356
2357 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2358
2359 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2360
2361 sdu_len = len;
2362 pdu_len -= L2CAP_SDULEN_SIZE;
2363
2364 while (len > 0) {
2365 if (len <= pdu_len)
2366 pdu_len = len;
2367
2368 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2369 if (IS_ERR(skb)) {
2370 __skb_queue_purge(seg_queue);
2371 return PTR_ERR(skb);
2372 }
2373
2374 __skb_queue_tail(seg_queue, skb);
2375
2376 len -= pdu_len;
2377
2378 if (sdu_len) {
2379 sdu_len = 0;
2380 pdu_len += L2CAP_SDULEN_SIZE;
2381 }
2382 }
2383
2384 return 0;
2385}
2386
8d46321c 2387int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2388{
9a91a04a 2389 struct sk_buff *skb;
9a91a04a 2390 int err;
94122bbe 2391 struct sk_buff_head seg_queue;
9a91a04a 2392
31e8ce80
SWK		 2393 if (!chan->conn)
2394 return -ENOTCONN;
2395
9a91a04a 2396 /* Connectionless channel */
715ec005 2397 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2398 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2399 if (IS_ERR(skb))
2400 return PTR_ERR(skb);
2401
ede81a2a
AK		 2402 /* Channel lock is released before requesting new skb and then
2403 * reacquired thus we need to recheck channel state.
2404 */
2405 if (chan->state != BT_CONNECTED) {
2406 kfree_skb(skb);
2407 return -ENOTCONN;
2408 }
2409
9a91a04a
GP		 2410 l2cap_do_send(chan, skb);
2411 return len;
2412 }
2413
2414 switch (chan->mode) {
38319713 2415 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2416 /* Check outgoing MTU */
2417 if (len > chan->omtu)
2418 return -EMSGSIZE;
2419
fad5fc89
JH		 2420 if (!chan->tx_credits)
2421 return -EAGAIN;
2422
177f8f2b
JH		 2423 __skb_queue_head_init(&seg_queue);
2424
2425 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2426
2427 if (chan->state != BT_CONNECTED) {
2428 __skb_queue_purge(&seg_queue);
2429 err = -ENOTCONN;
2430 }
2431
2432 if (err)
2433 return err;
2434
2435 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2436
2437 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2438 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2439 chan->tx_credits--;
2440 }
2441
2442 if (!chan->tx_credits)
2443 chan->ops->suspend(chan);
2444
2445 err = len;
2446
2447 break;
2448
fad5fc89 2449 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2450 /* Check outgoing MTU */
2451 if (len > chan->omtu)
2452 return -EMSGSIZE;
2453
2454 /* Create a basic PDU */
8d46321c 2455 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2456 if (IS_ERR(skb))
2457 return PTR_ERR(skb);
2458
ede81a2a
AK		 2459 /* Channel lock is released before requesting new skb and then
2460 * reacquired thus we need to recheck channel state.
2461 */
2462 if (chan->state != BT_CONNECTED) {
2463 kfree_skb(skb);
2464 return -ENOTCONN;
2465 }
2466
9a91a04a
GP		 2467 l2cap_do_send(chan, skb);
2468 err = len;
2469 break;
2470
2471 case L2CAP_MODE_ERTM:
2472 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2473 /* Check outgoing MTU */
2474 if (len > chan->omtu) {
2475 err = -EMSGSIZE;
2476 break;
2477 }
9a91a04a 2478
94122bbe 2479 __skb_queue_head_init(&seg_queue);
9a91a04a 2480
94122bbe
MM		 2481 /* Do segmentation before calling in to the state machine,
2482 * since it's possible to block while waiting for memory
2483 * allocation.
2484 */
2485 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2486
94122bbe
MM		 2487 /* The channel could have been closed while segmenting,
2488 * check that it is still connected.
2489 */
2490 if (chan->state != BT_CONNECTED) {
2491 __skb_queue_purge(&seg_queue);
2492 err = -ENOTCONN;
9a91a04a
GP		 2493 }
2494
94122bbe 2495 if (err)
9a91a04a 2496 break;
9a91a04a 2497
3733937d 2498 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2499 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2500 else
d660366d 2501 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2502
d660366d 2503 err = len;
9a91a04a 2504
94122bbe
MM		 2505 /* If the skbs were not queued for sending, they'll still be in
2506 * seg_queue and need to be purged.
2507 */
2508 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2509 break;
2510
2511 default:
2512 BT_DBG("bad state %1.1x", chan->mode);
2513 err = -EBADFD;
2514 }
2515
2516 return err;
2517}
6b8d4a6a 2518EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2519
d2a7ac5d
MM		 2520static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2521{
bed68bde
MM		 2522 struct l2cap_ctrl control;
2523 u16 seq;
2524
b4400672 2525 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2526
2527 memset(&control, 0, sizeof(control));
2528 control.sframe = 1;
2529 control.super = L2CAP_SUPER_SREJ;
2530
2531 for (seq = chan->expected_tx_seq; seq != txseq;
2532 seq = __next_seq(chan, seq)) {
2533 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2534 control.reqseq = seq;
2535 l2cap_send_sframe(chan, &control);
2536 l2cap_seq_list_append(&chan->srej_list, seq);
2537 }
2538 }
2539
2540 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2541}
2542
2543static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2544{
bed68bde
MM		 2545 struct l2cap_ctrl control;
2546
2547 BT_DBG("chan %p", chan);
2548
2549 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2550 return;
2551
2552 memset(&control, 0, sizeof(control));
2553 control.sframe = 1;
2554 control.super = L2CAP_SUPER_SREJ;
2555 control.reqseq = chan->srej_list.tail;
2556 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2557}
2558
2559static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2560{
bed68bde
MM		 2561 struct l2cap_ctrl control;
2562 u16 initial_head;
2563 u16 seq;
2564
b4400672 2565 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2566
2567 memset(&control, 0, sizeof(control));
2568 control.sframe = 1;
2569 control.super = L2CAP_SUPER_SREJ;
2570
2571 /* Capture initial list head to allow only one pass through the list. */
2572 initial_head = chan->srej_list.head;
2573
2574 do {
2575 seq = l2cap_seq_list_pop(&chan->srej_list);
2576 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2577 break;
2578
2579 control.reqseq = seq;
2580 l2cap_send_sframe(chan, &control);
2581 l2cap_seq_list_append(&chan->srej_list, seq);
2582 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2583}
2584
608bcc6d
MM		 2585static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2586{
2587 struct sk_buff *acked_skb;
2588 u16 ackseq;
2589
b4400672 2590 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2591
2592 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2593 return;
2594
b4400672 2595 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2596 chan->expected_ack_seq, chan->unacked_frames);
2597
2598 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2599 ackseq = __next_seq(chan, ackseq)) {
2600
2601 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2602 if (acked_skb) {
2603 skb_unlink(acked_skb, &chan->tx_q);
2604 kfree_skb(acked_skb);
2605 chan->unacked_frames--;
2606 }
2607 }
2608
2609 chan->expected_ack_seq = reqseq;
2610
2611 if (chan->unacked_frames == 0)
2612 __clear_retrans_timer(chan);
2613
b4400672 2614 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2615}
2616
2617static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2618{
2619 BT_DBG("chan %p", chan);
2620
2621 chan->expected_tx_seq = chan->buffer_seq;
2622 l2cap_seq_list_clear(&chan->srej_list);
2623 skb_queue_purge(&chan->srej_q);
2624 chan->rx_state = L2CAP_RX_STATE_RECV;
2625}
2626
d660366d
GP		 2627static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2628 struct l2cap_ctrl *control,
2629 struct sk_buff_head *skbs, u8 event)
608bcc6d 2630{
608bcc6d
MM		 2631 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2632 event);
2633
2634 switch (event) {
2635 case L2CAP_EV_DATA_REQUEST:
2636 if (chan->tx_send_head == NULL)
2637 chan->tx_send_head = skb_peek(skbs);
2638
2639 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2640 l2cap_ertm_send(chan);
2641 break;
2642 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2643 BT_DBG("Enter LOCAL_BUSY");
2644 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2645
2646 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2647 /* The SREJ_SENT state must be aborted if we are to
2648 * enter the LOCAL_BUSY state.
2649 */
2650 l2cap_abort_rx_srej_sent(chan);
2651 }
2652
2653 l2cap_send_ack(chan);
2654
2655 break;
2656 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2657 BT_DBG("Exit LOCAL_BUSY");
2658 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2659
2660 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2661 struct l2cap_ctrl local_control;
2662
2663 memset(&local_control, 0, sizeof(local_control));
2664 local_control.sframe = 1;
2665 local_control.super = L2CAP_SUPER_RR;
2666 local_control.poll = 1;
2667 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2668 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2669
2670 chan->retry_count = 1;
2671 __set_monitor_timer(chan);
2672 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2673 }
2674 break;
2675 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2676 l2cap_process_reqseq(chan, control->reqseq);
2677 break;
2678 case L2CAP_EV_EXPLICIT_POLL:
2679 l2cap_send_rr_or_rnr(chan, 1);
2680 chan->retry_count = 1;
2681 __set_monitor_timer(chan);
2682 __clear_ack_timer(chan);
2683 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2684 break;
2685 case L2CAP_EV_RETRANS_TO:
2686 l2cap_send_rr_or_rnr(chan, 1);
2687 chan->retry_count = 1;
2688 __set_monitor_timer(chan);
2689 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2690 break;
2691 case L2CAP_EV_RECV_FBIT:
2692 /* Nothing to process */
2693 break;
2694 default:
2695 break;
2696 }
608bcc6d
MM		 2697}
2698
d660366d
GP		 2699static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2700 struct l2cap_ctrl *control,
2701 struct sk_buff_head *skbs, u8 event)
608bcc6d 2702{
608bcc6d
MM		 2703 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2704 event);
2705
2706 switch (event) {
2707 case L2CAP_EV_DATA_REQUEST:
2708 if (chan->tx_send_head == NULL)
2709 chan->tx_send_head = skb_peek(skbs);
2710 /* Queue data, but don't send. */
2711 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2712 break;
2713 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2714 BT_DBG("Enter LOCAL_BUSY");
2715 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2716
2717 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2718 /* The SREJ_SENT state must be aborted if we are to
2719 * enter the LOCAL_BUSY state.
2720 */
2721 l2cap_abort_rx_srej_sent(chan);
2722 }
2723
2724 l2cap_send_ack(chan);
2725
2726 break;
2727 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2728 BT_DBG("Exit LOCAL_BUSY");
2729 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2730
2731 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2732 struct l2cap_ctrl local_control;
2733 memset(&local_control, 0, sizeof(local_control));
2734 local_control.sframe = 1;
2735 local_control.super = L2CAP_SUPER_RR;
2736 local_control.poll = 1;
2737 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2738 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2739
2740 chan->retry_count = 1;
2741 __set_monitor_timer(chan);
2742 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2743 }
2744 break;
2745 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2746 l2cap_process_reqseq(chan, control->reqseq);
2747
2748 /* Fall through */
2749
2750 case L2CAP_EV_RECV_FBIT:
2751 if (control && control->final) {
2752 __clear_monitor_timer(chan);
2753 if (chan->unacked_frames > 0)
2754 __set_retrans_timer(chan);
2755 chan->retry_count = 0;
2756 chan->tx_state = L2CAP_TX_STATE_XMIT;
2757 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2758 }
2759 break;
2760 case L2CAP_EV_EXPLICIT_POLL:
2761 /* Ignore */
2762 break;
2763 case L2CAP_EV_MONITOR_TO:
2764 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2765 l2cap_send_rr_or_rnr(chan, 1);
2766 __set_monitor_timer(chan);
2767 chan->retry_count++;
2768 } else {
5e4e3972 2769 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2770 }
2771 break;
2772 default:
2773 break;
2774 }
608bcc6d
MM		 2775}
2776
d660366d
GP		 2777static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2778 struct sk_buff_head *skbs, u8 event)
608bcc6d 2779{
608bcc6d
MM		 2780 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2781 chan, control, skbs, event, chan->tx_state);
2782
2783 switch (chan->tx_state) {
2784 case L2CAP_TX_STATE_XMIT:
d660366d 2785 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2786 break;
2787 case L2CAP_TX_STATE_WAIT_F:
d660366d 2788 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2789 break;
2790 default:
2791 /* Ignore event */
2792 break;
2793 }
608bcc6d
MM		 2794}
2795
4b51dae9
MM		 2796static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2797 struct l2cap_ctrl *control)
2798{
2799 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2800 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2801}
2802
f80842a8
MM		 2803static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2804 struct l2cap_ctrl *control)
2805{
2806 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2807 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2808}
2809
1da177e4
LT		 2810/* Copy frame to all raw sockets on that connection */
2811static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2812{
1da177e4 2813 struct sk_buff *nskb;
48454079 2814 struct l2cap_chan *chan;
1da177e4
LT		 2815
2816 BT_DBG("conn %p", conn);
2817
3df91ea2 2818 mutex_lock(&conn->chan_lock);
3d57dc68 2819
3df91ea2 2820 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2821 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2822 continue;
2823
7f5396a7
GP		 2824 /* Don't send frame to the channel it came from */
2825 if (bt_cb(skb)->chan == chan)
1da177e4 2826 continue;
7f5396a7 2827
8bcde1f2 2828 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2829 if (!nskb)
1da177e4 2830 continue;
80b98027 2831 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2832 kfree_skb(nskb);
2833 }
3d57dc68 2834
3df91ea2 2835 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2836}
2837
2838/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2839static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2840 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2841{
2842 struct sk_buff *skb, **frag;
2843 struct l2cap_cmd_hdr *cmd;
2844 struct l2cap_hdr *lh;
2845 int len, count;
2846
b4400672
AE		 2847 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2848 conn, code, ident, dlen);
1da177e4 2849
300b962e
AL		 2850 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2851 return NULL;
2852
1da177e4
LT		 2853 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2854 count = min_t(unsigned int, conn->mtu, len);
2855
8bcde1f2 2856 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2857 if (!skb)
2858 return NULL;
2859
2860 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2861 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2862
2863 if (conn->hcon->type == LE_LINK)
dcf4adbf 2864 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2865 else
dcf4adbf 2866 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2867
2868 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2869 cmd->code = code;
2870 cmd->ident = ident;
aca3192c 2871 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2872
2873 if (dlen) {
2874 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2875 memcpy(skb_put(skb, count), data, count);
2876 data += count;
2877 }
2878
2879 len -= skb->len;
2880
2881 /* Continuation fragments (no L2CAP header) */
2882 frag = &skb_shinfo(skb)->frag_list;
2883 while (len) {
2884 count = min_t(unsigned int, conn->mtu, len);
2885
8bcde1f2 2886 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2887 if (!*frag)
2888 goto fail;
2889
2890 memcpy(skb_put(*frag, count), data, count);
2891
2892 len -= count;
2893 data += count;
2894
2895 frag = &(*frag)->next;
2896 }
2897
2898 return skb;
2899
2900fail:
2901 kfree_skb(skb);
2902 return NULL;
2903}
2904
2d792818
GP		 2905static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2906 unsigned long *val)
1da177e4
LT		 2907{
2908 struct l2cap_conf_opt *opt = *ptr;
2909 int len;
2910
2911 len = L2CAP_CONF_OPT_SIZE + opt->len;
2912 *ptr += len;
2913
2914 *type = opt->type;
2915 *olen = opt->len;
2916
2917 switch (opt->len) {
2918 case 1:
2919 *val = *((u8 *) opt->val);
2920 break;
2921
2922 case 2:
bfaaeb3e 2923 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2924 break;
2925
2926 case 4:
bfaaeb3e 2927 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2928 break;
2929
2930 default:
2931 *val = (unsigned long) opt->val;
2932 break;
2933 }
2934
b4400672 2935 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2936 return len;
2937}
2938
1da177e4
LT		 2939static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2940{
2941 struct l2cap_conf_opt *opt = *ptr;
2942
b4400672 2943 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2944
2945 opt->type = type;
2946 opt->len = len;
2947
2948 switch (len) {
2949 case 1:
2950 *((u8 *) opt->val) = val;
2951 break;
2952
2953 case 2:
4f8b691c 2954 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2955 break;
2956
2957 case 4:
4f8b691c 2958 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2959 break;
2960
2961 default:
2962 memcpy(opt->val, (void *) val, len);
2963 break;
2964 }
2965
2966 *ptr += L2CAP_CONF_OPT_SIZE + len;
2967}
2968
f89cef09
AE		 2969static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2970{
2971 struct l2cap_conf_efs efs;
2972
1ec918ce 2973 switch (chan->mode) {
f89cef09
AE		 2974 case L2CAP_MODE_ERTM:
2975 efs.id = chan->local_id;
2976 efs.stype = chan->local_stype;
2977 efs.msdu = cpu_to_le16(chan->local_msdu);
2978 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2979 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2980 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2981 break;
2982
2983 case L2CAP_MODE_STREAMING:
2984 efs.id = 1;
2985 efs.stype = L2CAP_SERV_BESTEFFORT;
2986 efs.msdu = cpu_to_le16(chan->local_msdu);
2987 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2988 efs.acc_lat = 0;
2989 efs.flush_to = 0;
2990 break;
2991
2992 default:
2993 return;
2994 }
2995
2996 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2997 (unsigned long) &efs);
f89cef09
AE		 2998}
2999
721c4181 3000static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3001{
721c4181 3002 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3003 ack_timer.work);
3004 u16 frames_to_ack;
c1b4f43b 3005
2fb9b3d4
GP		 3006 BT_DBG("chan %p", chan);
3007
6be36555
AE		 3008 l2cap_chan_lock(chan);
3009
0362520b
MM		 3010 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3011 chan->last_acked_seq);
6be36555 3012
0362520b
MM		 3013 if (frames_to_ack)
3014 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3015
0362520b 3016 l2cap_chan_unlock(chan);
09bfb2ee 3017 l2cap_chan_put(chan);
c1b4f43b
GP		 3018}
3019
466f8004 3020int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3021{
3c588192
MM		 3022 int err;
3023
105bdf9e
MM		 3024 chan->next_tx_seq = 0;
3025 chan->expected_tx_seq = 0;
42e5c802 3026 chan->expected_ack_seq = 0;
6a026610 3027 chan->unacked_frames = 0;
42e5c802 3028 chan->buffer_seq = 0;
6a026610 3029 chan->frames_sent = 0;
105bdf9e
MM		 3030 chan->last_acked_seq = 0;
3031 chan->sdu = NULL;
3032 chan->sdu_last_frag = NULL;
3033 chan->sdu_len = 0;
3034
d34c34fb
MM		 3035 skb_queue_head_init(&chan->tx_q);
3036
6ed971ca
MH		 3037 chan->local_amp_id = AMP_ID_BREDR;
3038 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3039 chan->move_state = L2CAP_MOVE_STABLE;
3040 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3041
105bdf9e
MM		 3042 if (chan->mode != L2CAP_MODE_ERTM)
3043 return 0;
3044
3045 chan->rx_state = L2CAP_RX_STATE_RECV;
3046 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3047
721c4181
GP		 3048 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3049 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3050 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3051
f1c6775b 3052 skb_queue_head_init(&chan->srej_q);
1890d36b 3053
3c588192
MM		 3054 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3055 if (err < 0)
3056 return err;
3057
9dc9affc
MM		 3058 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3059 if (err < 0)
3060 l2cap_seq_list_free(&chan->srej_list);
3061
3062 return err;
0565c1c2
GP		 3063}
3064
f2fcfcd6
GP		 3065static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3066{
3067 switch (mode) {
3068 case L2CAP_MODE_STREAMING:
3069 case L2CAP_MODE_ERTM:
3070 if (l2cap_mode_supported(mode, remote_feat_mask))
3071 return mode;
3072 /* fall through */
3073 default:
3074 return L2CAP_MODE_BASIC;
3075 }
3076}
3077
848566b3 3078static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3079{
848566b3 3080 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3081}
3082
848566b3 3083static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3084{
848566b3 3085 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3086}
3087
36c86c85
MM		 3088static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3089 struct l2cap_conf_rfc *rfc)
3090{
6ed971ca 3091 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3092 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3093
3094 /* Class 1 devices have must have ERTM timeouts
3095 * exceeding the Link Supervision Timeout. The
3096 * default Link Supervision Timeout for AMP
3097 * controllers is 10 seconds.
3098 *
3099 * Class 1 devices use 0xffffffff for their
3100 * best-effort flush timeout, so the clamping logic
3101 * will result in a timeout that meets the above
3102 * requirement. ERTM timeouts are 16-bit values, so
3103 * the maximum timeout is 65.535 seconds.
3104 */
3105
3106 /* Convert timeout to milliseconds and round */
3107 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3108
3109 /* This is the recommended formula for class 2 devices
3110 * that start ERTM timers when packets are sent to the
3111 * controller.
3112 */
3113 ertm_to = 3 * ertm_to + 500;
3114
3115 if (ertm_to > 0xffff)
3116 ertm_to = 0xffff;
3117
3118 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3119 rfc->monitor_timeout = rfc->retrans_timeout;
3120 } else {
dcf4adbf
JP		 3121 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3122 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3123 }
3124}
3125
6327eb98
AE		 3126static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3127{
3128 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3129 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3130 /* use extended control field */
3131 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3132 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3133 } else {
6327eb98 3134 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3135 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3136 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3137 }
c20f8e35 3138 chan->ack_win = chan->tx_win;
6327eb98
AE		 3139}
3140
710f9b0a 3141static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3142{
1da177e4 3143 struct l2cap_conf_req *req = data;
0c1bc5c6 3144 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3145 void *ptr = req->data;
c8f79162 3146 u16 size;
1da177e4 3147
49208c9c 3148 BT_DBG("chan %p", chan);
1da177e4 3149
73ffa904 3150 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3151 goto done;
3152
0c1bc5c6 3153 switch (chan->mode) {
f2fcfcd6
GP		 3154 case L2CAP_MODE_STREAMING:
3155 case L2CAP_MODE_ERTM:
c1360a1c 3156 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3157 break;
85eb53c6 3158
848566b3 3159 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3160 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3161
2ba13ed6 3162 /* fall through */
f2fcfcd6 3163 default:
8c1d787b 3164 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3165 break;
3166 }
3167
3168done:
0c1bc5c6
GP		 3169 if (chan->imtu != L2CAP_DEFAULT_MTU)
3170 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3171
0c1bc5c6 3172 switch (chan->mode) {
65c7c491 3173 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3174 if (disable_ertm)
3175 break;
3176
8c1d787b 3177 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3178 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3179 break;
3180
62547752
GP		 3181 rfc.mode = L2CAP_MODE_BASIC;
3182 rfc.txwin_size = 0;
3183 rfc.max_transmit = 0;
3184 rfc.retrans_timeout = 0;
3185 rfc.monitor_timeout = 0;
3186 rfc.max_pdu_size = 0;
3187
63406504 3188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3189 (unsigned long) &rfc);
65c7c491
MH		 3190 break;
3191
3192 case L2CAP_MODE_ERTM:
3193 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3194 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3195
3196 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3197
3198 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3199 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3200 L2CAP_FCS_SIZE);
c8f79162 3201 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3202
6327eb98
AE		 3203 l2cap_txwin_setup(chan);
3204
3205 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3206 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3207
63406504 3208 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3209 (unsigned long) &rfc);
63406504 3210
f89cef09
AE		 3211 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3212 l2cap_add_opt_efs(&ptr, chan);
3213
6327eb98
AE		 3214 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3215 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3216 chan->tx_win);
60918918
AE		 3217
3218 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3219 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3220 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3221 chan->fcs = L2CAP_FCS_NONE;
3222 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3223 chan->fcs);
3224 }
f2fcfcd6
GP		 3225 break;
3226
3227 case L2CAP_MODE_STREAMING:
273759e2 3228 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3229 rfc.mode = L2CAP_MODE_STREAMING;
3230 rfc.txwin_size = 0;
3231 rfc.max_transmit = 0;
3232 rfc.retrans_timeout = 0;
3233 rfc.monitor_timeout = 0;
c8f79162
AE		 3234
3235 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3236 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3237 L2CAP_FCS_SIZE);
c8f79162 3238 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3239
63406504 3240 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3241 (unsigned long) &rfc);
63406504 3242
f89cef09
AE		 3243 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3244 l2cap_add_opt_efs(&ptr, chan);
3245
60918918
AE		 3246 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3247 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3248 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3249 chan->fcs = L2CAP_FCS_NONE;
3250 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3251 chan->fcs);
3252 }
65c7c491
MH		 3253 break;
3254 }
1da177e4 3255
fe4128e0 3256 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3257 req->flags = cpu_to_le16(0);
1da177e4
LT		 3258
3259 return ptr - data;
3260}
3261
73ffa904 3262static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3263{
5dee9e7c
MH		 3264 struct l2cap_conf_rsp *rsp = data;
3265 void *ptr = rsp->data;
73ffa904
GP		 3266 void *req = chan->conf_req;
3267 int len = chan->conf_len;
5dee9e7c
MH		 3268 int type, hint, olen;
3269 unsigned long val;
6464f35f 3270 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3271 struct l2cap_conf_efs efs;
3272 u8 remote_efs = 0;
861d6882 3273 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3274 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3275 u16 size;
1da177e4 3276
73ffa904 3277 BT_DBG("chan %p", chan);
820ae1b8 3278
5dee9e7c
MH		 3279 while (len >= L2CAP_CONF_OPT_SIZE) {
3280 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3281
589d2746 3282 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3283 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3284
3285 switch (type) {
3286 case L2CAP_CONF_MTU:
861d6882 3287 mtu = val;
5dee9e7c
MH		 3288 break;
3289
3290 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3291 chan->flush_to = val;
5dee9e7c
MH		 3292 break;
3293
3294 case L2CAP_CONF_QOS:
3295 break;
3296
6464f35f
MH		 3297 case L2CAP_CONF_RFC:
3298 if (olen == sizeof(rfc))
3299 memcpy(&rfc, (void *) val, olen);
3300 break;
3301
fcc203c3
GP		 3302 case L2CAP_CONF_FCS:
3303 if (val == L2CAP_FCS_NONE)
f2592d3e 3304 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3305 break;
fcc203c3 3306
42dceae2
AE		 3307 case L2CAP_CONF_EFS:
3308 remote_efs = 1;
3309 if (olen == sizeof(efs))
3310 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3311 break;
3312
6327eb98 3313 case L2CAP_CONF_EWS:
848566b3 3314 if (!chan->conn->hs_enabled)
6327eb98 3315 return -ECONNREFUSED;
fcc203c3 3316
6327eb98
AE		 3317 set_bit(FLAG_EXT_CTRL, &chan->flags);
3318 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3319 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3320 chan->remote_tx_win = val;
fcc203c3
GP		 3321 break;
3322
5dee9e7c
MH		 3323 default:
3324 if (hint)
3325 break;
3326
3327 result = L2CAP_CONF_UNKNOWN;
3328 *((u8 *) ptr++) = type;
3329 break;
3330 }
3331 }
3332
73ffa904 3333 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3334 goto done;
3335
0c1bc5c6 3336 switch (chan->mode) {
f2fcfcd6
GP		 3337 case L2CAP_MODE_STREAMING:
3338 case L2CAP_MODE_ERTM:
c1360a1c 3339 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3340 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3341 chan->conn->feat_mask);
85eb53c6
GP		 3342 break;
3343 }
3344
42dceae2 3345 if (remote_efs) {
848566b3 3346 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3347 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3348 else
3349 return -ECONNREFUSED;
3350 }
3351
0c1bc5c6 3352 if (chan->mode != rfc.mode)
f2fcfcd6 3353 return -ECONNREFUSED;
742e519b 3354
f2fcfcd6 3355 break;
f2fcfcd6
GP		 3356 }
3357
3358done:
0c1bc5c6 3359 if (chan->mode != rfc.mode) {
f2fcfcd6 3360 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3361 rfc.mode = chan->mode;
f2fcfcd6 3362
73ffa904 3363 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3364 return -ECONNREFUSED;
3365
2d792818
GP		 3366 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3367 (unsigned long) &rfc);
f2fcfcd6
GP		 3368 }
3369
5dee9e7c
MH		 3370 if (result == L2CAP_CONF_SUCCESS) {
3371 /* Configure output options and let the other side know
3372 * which ones we don't like. */
3373
f2fcfcd6
GP		 3374 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3375 result = L2CAP_CONF_UNACCEPT;
3376 else {
0c1bc5c6 3377 chan->omtu = mtu;
c1360a1c 3378 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3379 }
0c1bc5c6 3380 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3381
42dceae2
AE		 3382 if (remote_efs) {
3383 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3384 efs.stype != L2CAP_SERV_NOTRAFIC &&
3385 efs.stype != chan->local_stype) {
42dceae2
AE		 3386
3387 result = L2CAP_CONF_UNACCEPT;
3388
3389 if (chan->num_conf_req >= 1)
3390 return -ECONNREFUSED;
3391
3392 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3393 sizeof(efs),
3394 (unsigned long) &efs);
0e8b207e 3395 } else {
3e6b3b95 3396 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3397 result = L2CAP_CONF_PENDING;
3398 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3399 }
3400 }
3401
f2fcfcd6
GP		 3402 switch (rfc.mode) {
3403 case L2CAP_MODE_BASIC:
47d1ec61 3404 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3405 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3406 break;
3407
3408 case L2CAP_MODE_ERTM:
6327eb98
AE		 3409 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3410 chan->remote_tx_win = rfc.txwin_size;
3411 else
3412 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3413
2c03a7a4 3414 chan->remote_max_tx = rfc.max_transmit;
1c762159 3415
c8f79162 3416 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3417 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3418 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3419 rfc.max_pdu_size = cpu_to_le16(size);
3420 chan->remote_mps = size;
f2fcfcd6 3421
36c86c85 3422 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3423
c1360a1c 3424 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3425
3426 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3427 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3428
42dceae2
AE		 3429 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3430 chan->remote_id = efs.id;
3431 chan->remote_stype = efs.stype;
3432 chan->remote_msdu = le16_to_cpu(efs.msdu);
3433 chan->remote_flush_to =
2d792818 3434 le32_to_cpu(efs.flush_to);
42dceae2 3435 chan->remote_acc_lat =
2d792818 3436 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3437 chan->remote_sdu_itime =
3438 le32_to_cpu(efs.sdu_itime);
3439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3440 sizeof(efs),
3441 (unsigned long) &efs);
42dceae2 3442 }
f2fcfcd6
GP		 3443 break;
3444
3445 case L2CAP_MODE_STREAMING:
c8f79162 3446 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3447 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3448 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3449 rfc.max_pdu_size = cpu_to_le16(size);
3450 chan->remote_mps = size;
f2fcfcd6 3451
c1360a1c 3452 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3453
2d792818
GP		 3454 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3455 (unsigned long) &rfc);
68ae6639 3456
f2fcfcd6
GP		 3457 break;
3458
3459 default:
5dee9e7c 3460 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3461
6464f35f 3462 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3463 rfc.mode = chan->mode;
f2fcfcd6 3464 }
6464f35f 3465
f2fcfcd6 3466 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3467 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3468 }
fe4128e0 3469 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3470 rsp->result = cpu_to_le16(result);
dcf4adbf 3471 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3472
3473 return ptr - data;
1da177e4
LT		 3474}
3475
2d792818
GP		 3476static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3477 void *data, u16 *result)
f2fcfcd6 3478{
f2fcfcd6
GP		 3479 struct l2cap_conf_req *req = data;
3480 void *ptr = req->data;
3481 int type, olen;
3482 unsigned long val;
36e999a8 3483 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3484 struct l2cap_conf_efs efs;
f2fcfcd6 3485
fe4128e0 3486 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3487
3488 while (len >= L2CAP_CONF_OPT_SIZE) {
3489 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3490
3491 switch (type) {
3492 case L2CAP_CONF_MTU:
3493 if (val < L2CAP_DEFAULT_MIN_MTU) {
3494 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3495 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3496 } else
0c1bc5c6
GP		 3497 chan->imtu = val;
3498 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3499 break;
3500
3501 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3502 chan->flush_to = val;
f2fcfcd6 3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3504 2, chan->flush_to);
f2fcfcd6
GP		 3505 break;
3506
3507 case L2CAP_CONF_RFC:
3508 if (olen == sizeof(rfc))
3509 memcpy(&rfc, (void *)val, olen);
3510
c1360a1c 3511 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3512 rfc.mode != chan->mode)
f2fcfcd6
GP		 3513 return -ECONNREFUSED;
3514
47d1ec61 3515 chan->fcs = 0;
f2fcfcd6
GP		 3516
3517 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3518 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3519 break;
6327eb98
AE		 3520
3521 case L2CAP_CONF_EWS:
c20f8e35 3522 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3524 chan->tx_win);
6327eb98 3525 break;
66af7aaf
AE		 3526
3527 case L2CAP_CONF_EFS:
3528 if (olen == sizeof(efs))
3529 memcpy(&efs, (void *)val, olen);
3530
3531 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3532 efs.stype != L2CAP_SERV_NOTRAFIC &&
3533 efs.stype != chan->local_stype)
66af7aaf
AE		 3534 return -ECONNREFUSED;
3535
2d792818
GP		 3536 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3537 (unsigned long) &efs);
66af7aaf 3538 break;
cbabee78
AE		 3539
3540 case L2CAP_CONF_FCS:
3541 if (*result == L2CAP_CONF_PENDING)
3542 if (val == L2CAP_FCS_NONE)
f2592d3e 3543 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3544 &chan->conf_state);
3545 break;
f2fcfcd6
GP		 3546 }
3547 }
3548
0c1bc5c6 3549 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3550 return -ECONNREFUSED;
3551
0c1bc5c6 3552 chan->mode = rfc.mode;
6c2ea7a8 3553
0e8b207e 3554 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3555 switch (rfc.mode) {
3556 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3557 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3558 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3559 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3560 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3561 chan->ack_win = min_t(u16, chan->ack_win,
3562 rfc.txwin_size);
66af7aaf
AE		 3563
3564 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3565 chan->local_msdu = le16_to_cpu(efs.msdu);
3566 chan->local_sdu_itime =
2d792818 3567 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3568 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3569 chan->local_flush_to =
2d792818 3570 le32_to_cpu(efs.flush_to);
66af7aaf 3571 }
f2fcfcd6 3572 break;
66af7aaf 3573
f2fcfcd6 3574 case L2CAP_MODE_STREAMING:
47d1ec61 3575 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3576 }
3577 }
3578
fe4128e0 3579 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3580 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3581
3582 return ptr - data;
3583}
3584
2d792818
GP		 3585static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3586 u16 result, u16 flags)
1da177e4
LT		 3587{
3588 struct l2cap_conf_rsp *rsp = data;
3589 void *ptr = rsp->data;
1da177e4 3590
fe4128e0 3591 BT_DBG("chan %p", chan);
1da177e4 3592
fe4128e0 3593 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3594 rsp->result = cpu_to_le16(result);
aca3192c 3595 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3596
3597 return ptr - data;
3598}
3599
27e2d4c8
JH		 3600void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3601{
3602 struct l2cap_le_conn_rsp rsp;
3603 struct l2cap_conn *conn = chan->conn;
3604
3605 BT_DBG("chan %p", chan);
3606
3607 rsp.dcid = cpu_to_le16(chan->scid);
3608 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3609 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3610 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3611 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3612
3613 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3614 &rsp);
3615}
3616
8c1d787b 3617void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3618{
3619 struct l2cap_conn_rsp rsp;
8c1d787b 3620 struct l2cap_conn *conn = chan->conn;
710f9b0a 3621 u8 buf[128];
439f34ac 3622 u8 rsp_code;
710f9b0a 3623
fe4128e0
GP		 3624 rsp.scid = cpu_to_le16(chan->dcid);
3625 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3626 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3627 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3628
3629 if (chan->hs_hcon)
3630 rsp_code = L2CAP_CREATE_CHAN_RSP;
3631 else
3632 rsp_code = L2CAP_CONN_RSP;
3633
3634 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3635
3636 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3637
c1360a1c 3638 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3639 return;
3640
710f9b0a 3641 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3642 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3643 chan->num_conf_req++;
3644}
3645
47d1ec61 3646static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3647{
7b1c0049
GP		 3648 int type, olen;
3649 unsigned long val;
c20f8e35
MM		 3650 /* Use sane default values in case a misbehaving remote device
3651 * did not send an RFC or extended window size option.
3652 */
3653 u16 txwin_ext = chan->ack_win;
3654 struct l2cap_conf_rfc rfc = {
3655 .mode = chan->mode,
dcf4adbf
JP		 3656 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3657 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3658 .max_pdu_size = cpu_to_le16(chan->imtu),
3659 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3660 };
7b1c0049 3661
47d1ec61 3662 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3663
0c1bc5c6 3664 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3665 return;
3666
3667 while (len >= L2CAP_CONF_OPT_SIZE) {
3668 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3669
c20f8e35
MM		 3670 switch (type) {
3671 case L2CAP_CONF_RFC:
3672 if (olen == sizeof(rfc))
3673 memcpy(&rfc, (void *)val, olen);
8f321f85 3674 break;
c20f8e35
MM		 3675 case L2CAP_CONF_EWS:
3676 txwin_ext = val;
3677 break;
3678 }
7b1c0049
GP		 3679 }
3680
7b1c0049
GP		 3681 switch (rfc.mode) {
3682 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3683 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3684 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3685 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3686 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3687 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3688 else
3689 chan->ack_win = min_t(u16, chan->ack_win,
3690 rfc.txwin_size);
7b1c0049
GP		 3691 break;
3692 case L2CAP_MODE_STREAMING:
47d1ec61 3693 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3694 }
3695}
3696
2d792818 3697static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3698 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3699 u8 *data)
4e8402a3 3700{
e2fd318e 3701 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3702
cb3b3152
JH		 3703 if (cmd_len < sizeof(*rej))
3704 return -EPROTO;
3705
e2fd318e 3706 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3707 return 0;
3708
3709 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3710 cmd->ident == conn->info_ident) {
17cd3f37 3711 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3712
3713 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3714 conn->info_ident = 0;
984947dc 3715
4e8402a3
MH		 3716 l2cap_conn_start(conn);
3717 }
3718
3719 return 0;
3720}
3721
1700915f
MM		 3722static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3723 struct l2cap_cmd_hdr *cmd,
3724 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3725{
1da177e4
LT		 3726 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3727 struct l2cap_conn_rsp rsp;
23691d75 3728 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3729 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3730
3731 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3732 __le16 psm = req->psm;
1da177e4 3733
097db76c 3734 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3735
3736 /* Check if we have socket listening on psm */
6f59b904 3737 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3738 &conn->hcon->dst, ACL_LINK);
23691d75 3739 if (!pchan) {
1da177e4
LT		 3740 result = L2CAP_CR_BAD_PSM;
3741 goto sendresp;
3742 }
3743
3df91ea2 3744 mutex_lock(&conn->chan_lock);
8ffb9290 3745 l2cap_chan_lock(pchan);
e0f0cb56 3746
e7c29cb1 3747 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3748 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3749 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3750 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3751 result = L2CAP_CR_SEC_BLOCK;
3752 goto response;
3753 }
3754
1da177e4
LT		 3755 result = L2CAP_CR_NO_MEM;
3756
2dfa1003
GP		 3757 /* Check if we already have channel with that dcid */
3758 if (__l2cap_get_chan_by_dcid(conn, scid))
3759 goto response;
3760
80b98027 3761 chan = pchan->ops->new_connection(pchan);
80808e43 3762 if (!chan)
1da177e4
LT		 3763 goto response;
3764
330b6c15
SS		 3765 /* For certain devices (ex: HID mouse), support for authentication,
3766 * pairing and bonding is optional. For such devices, inorder to avoid
3767 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3768 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3769 */
3770 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3771
7eafc59e
MH		 3772 bacpy(&chan->src, &conn->hcon->src);
3773 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3774 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3775 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3776 chan->psm = psm;
3777 chan->dcid = scid;
1700915f 3778 chan->local_amp_id = amp_id;
1da177e4 3779
6be36555 3780 __l2cap_chan_add(conn, chan);
48454079 3781
fe4128e0 3782 dcid = chan->scid;
1da177e4 3783
8d836d71 3784 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3785
fc7f8a7e 3786 chan->ident = cmd->ident;
1da177e4 3787
984947dc 3788 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3789 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3790 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3791 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3792 result = L2CAP_CR_PEND;
3793 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3794 chan->ops->defer(chan);
f66dc81f 3795 } else {
1700915f
MM		 3796 /* Force pending result for AMP controllers.
3797 * The connection will succeed after the
3798 * physical link is up.
3799 */
6ed971ca 3800 if (amp_id == AMP_ID_BREDR) {
f93fa273 3801 l2cap_state_change(chan, BT_CONFIG);
1700915f 3802 result = L2CAP_CR_SUCCESS;
6ed971ca 3803 } else {
f93fa273 3804 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3805 result = L2CAP_CR_PEND;
1700915f 3806 }
f66dc81f
MH		 3807 status = L2CAP_CS_NO_INFO;
3808 }
79d554a6 3809 } else {
f93fa273 3810 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3811 result = L2CAP_CR_PEND;
3812 status = L2CAP_CS_AUTHEN_PEND;
3813 }
3814 } else {
f93fa273 3815 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3816 result = L2CAP_CR_PEND;
3817 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3818 }
3819
1da177e4 3820response:
8ffb9290 3821 l2cap_chan_unlock(pchan);
3df91ea2 3822 mutex_unlock(&conn->chan_lock);
a24cce14 3823 l2cap_chan_put(pchan);
1da177e4
LT		 3824
3825sendresp:
aca3192c
YH		 3826 rsp.scid = cpu_to_le16(scid);
3827 rsp.dcid = cpu_to_le16(dcid);
3828 rsp.result = cpu_to_le16(result);
3829 rsp.status = cpu_to_le16(status);
4c89b6aa 3830 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3831
3832 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3833 struct l2cap_info_req info;
dcf4adbf 3834 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3835
3836 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3837 conn->info_ident = l2cap_get_ident(conn);
3838
ba13ccd9 3839 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3840
2d792818
GP		 3841 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3842 sizeof(info), &info);
79d554a6
MH		 3843 }
3844
c1360a1c 3845 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3846 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3847 u8 buf[128];
c1360a1c 3848 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3849 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3850 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3851 chan->num_conf_req++;
e9aeb2dd 3852 }
1700915f
MM		 3853
3854 return chan;
4c89b6aa 3855}
e9aeb2dd 3856
4c89b6aa 3857static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3858 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3859{
7b064eda
JK		 3860 struct hci_dev *hdev = conn->hcon->hdev;
3861 struct hci_conn *hcon = conn->hcon;
3862
cb3b3152
JH		 3863 if (cmd_len < sizeof(struct l2cap_conn_req))
3864 return -EPROTO;
3865
7b064eda
JK		 3866 hci_dev_lock(hdev);
3867 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3868 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3869 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3870 hcon->dst_type, 0, NULL, 0,
3871 hcon->dev_class);
3872 hci_dev_unlock(hdev);
3873
300229f9 3874 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3875 return 0;
3876}
3877
5909cf30 3878static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3879 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3880 u8 *data)
1da177e4
LT		 3881{
3882 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3883 u16 scid, dcid, result, status;
48454079 3884 struct l2cap_chan *chan;
1da177e4 3885 u8 req[128];
3df91ea2 3886 int err;
1da177e4 3887
cb3b3152
JH		 3888 if (cmd_len < sizeof(*rsp))
3889 return -EPROTO;
3890
1da177e4
LT		 3891 scid = __le16_to_cpu(rsp->scid);
3892 dcid = __le16_to_cpu(rsp->dcid);
3893 result = __le16_to_cpu(rsp->result);
3894 status = __le16_to_cpu(rsp->status);
3895
1b009c98 3896 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3897 dcid, scid, result, status);
1da177e4 3898
3df91ea2
AE		 3899 mutex_lock(&conn->chan_lock);
3900
1da177e4 3901 if (scid) {
3df91ea2
AE		 3902 chan = __l2cap_get_chan_by_scid(conn, scid);
3903 if (!chan) {
21870b52 3904 err = -EBADSLT;
3df91ea2
AE		 3905 goto unlock;
3906 }
1da177e4 3907 } else {
3df91ea2
AE		 3908 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3909 if (!chan) {
21870b52 3910 err = -EBADSLT;
3df91ea2
AE		 3911 goto unlock;
3912 }
1da177e4
LT		 3913 }
3914
3df91ea2
AE		 3915 err = 0;
3916
6be36555 3917 l2cap_chan_lock(chan);
48454079 3918
1da177e4
LT		 3919 switch (result) {
3920 case L2CAP_CR_SUCCESS:
89bc500e 3921 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3922 chan->ident = 0;
fe4128e0 3923 chan->dcid = dcid;
c1360a1c 3924 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3925
c1360a1c 3926 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3927 break;
3928
1da177e4 3929 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3930 l2cap_build_conf_req(chan, req), req);
73ffa904 3931 chan->num_conf_req++;
1da177e4
LT		 3932 break;
3933
3934 case L2CAP_CR_PEND:
c1360a1c 3935 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3936 break;
3937
3938 default:
48454079 3939 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3940 break;
3941 }
3942
6be36555 3943 l2cap_chan_unlock(chan);
3df91ea2
AE		 3944
3945unlock:
3946 mutex_unlock(&conn->chan_lock);
3947
3948 return err;
1da177e4
LT		 3949}
3950
47d1ec61 3951static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3952{
3953 /* FCS is enabled only in ERTM or streaming mode, if one or both
3954 * sides request it.
3955 */
0c1bc5c6 3956 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3957 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3958 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3959 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3960}
3961
29d8a590
AE		 3962static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3963 u8 ident, u16 flags)
3964{
3965 struct l2cap_conn *conn = chan->conn;
3966
3967 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3968 flags);
3969
3970 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3971 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3972
3973 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3974 l2cap_build_conf_rsp(chan, data,
3975 L2CAP_CONF_SUCCESS, flags), data);
3976}
3977
662d652d
JH		 3978static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3979 u16 scid, u16 dcid)
3980{
3981 struct l2cap_cmd_rej_cid rej;
3982
dcf4adbf 3983 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3984 rej.scid = __cpu_to_le16(scid);
3985 rej.dcid = __cpu_to_le16(dcid);
3986
3987 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3988}
3989
2d792818
GP		 3990static inline int l2cap_config_req(struct l2cap_conn *conn,
3991 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3992 u8 *data)
1da177e4
LT		 3993{
3994 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3995 u16 dcid, flags;
3996 u8 rsp[64];
48454079 3997 struct l2cap_chan *chan;
3c588192 3998 int len, err = 0;
1da177e4 3999
cb3b3152
JH		 4000 if (cmd_len < sizeof(*req))
4001 return -EPROTO;
4002
1da177e4
LT		 4003 dcid = __le16_to_cpu(req->dcid);
4004 flags = __le16_to_cpu(req->flags);
4005
4006 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4007
baa7e1fa 4008 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4009 if (!chan) {
4010 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4011 return 0;
4012 }
1da177e4 4013
033b1142 4014 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4015 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4016 chan->dcid);
354f60a9 4017 goto unlock;
df6bd743 4018 }
354f60a9 4019
5dee9e7c 4020 /* Reject if config buffer is too small. */
88219a0f 4021 len = cmd_len - sizeof(*req);
cb3b3152 4022 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4023 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4024 l2cap_build_conf_rsp(chan, rsp,
4025 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4026 goto unlock;
4027 }
4028
4029 /* Store config. */
73ffa904
GP		 4030 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4031 chan->conf_len += len;
1da177e4 4032
59e54bd1 4033 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4034 /* Incomplete config. Send empty response. */
4035 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4036 l2cap_build_conf_rsp(chan, rsp,
4037 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4038 goto unlock;
4039 }
4040
4041 /* Complete config. */
73ffa904 4042 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4043 if (len < 0) {
5e4e3972 4044 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4045 goto unlock;
f2fcfcd6 4046 }
1da177e4 4047
1500109b 4048 chan->ident = cmd->ident;
5dee9e7c 4049 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4050 chan->num_conf_rsp++;
5dee9e7c 4051
5dee9e7c 4052 /* Reset config buffer. */
73ffa904 4053 chan->conf_len = 0;
5dee9e7c 4054
c1360a1c 4055 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4056 goto unlock;
4057
c1360a1c 4058 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4059 set_default_fcs(chan);
fcc203c3 4060
105bdf9e
MM		 4061 if (chan->mode == L2CAP_MODE_ERTM ||
4062 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4063 err = l2cap_ertm_init(chan);
4064
4065 if (err < 0)
5e4e3972 4066 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4067 else
4068 l2cap_chan_ready(chan);
0565c1c2 4069
876d9484
MH		 4070 goto unlock;
4071 }
4072
c1360a1c 4073 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4074 u8 buf[64];
1da177e4 4075 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4076 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4077 chan->num_conf_req++;
1da177e4
LT		 4078 }
4079
0e8b207e
AE		 4080 /* Got Conf Rsp PENDING from remote side and asume we sent
4081 Conf Rsp PENDING in the code above */
4082 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4083 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4084
4085 /* check compatibility */
4086
79de886d 4087 /* Send rsp for BR/EDR channel */
f351bc72 4088 if (!chan->hs_hcon)
79de886d
AE		 4089 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4090 else
4091 chan->ident = cmd->ident;
0e8b207e
AE		 4092 }
4093
1da177e4 4094unlock:
6be36555 4095 l2cap_chan_unlock(chan);
3c588192 4096 return err;
1da177e4
LT		 4097}
4098
2d792818 4099static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4100 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4101 u8 *data)
1da177e4
LT		 4102{
4103 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4104 u16 scid, flags, result;
48454079 4105 struct l2cap_chan *chan;
cb3b3152 4106 int len = cmd_len - sizeof(*rsp);
3c588192 4107 int err = 0;
1da177e4 4108
cb3b3152
JH		 4109 if (cmd_len < sizeof(*rsp))
4110 return -EPROTO;
4111
1da177e4
LT		 4112 scid = __le16_to_cpu(rsp->scid);
4113 flags = __le16_to_cpu(rsp->flags);
4114 result = __le16_to_cpu(rsp->result);
4115
61386cba
AE		 4116 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4117 result, len);
1da177e4 4118
baa7e1fa 4119 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4120 if (!chan)
1da177e4
LT		 4121 return 0;
4122
4123 switch (result) {
4124 case L2CAP_CONF_SUCCESS:
47d1ec61 4125 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4126 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4127 break;
4128
0e8b207e
AE		 4129 case L2CAP_CONF_PENDING:
4130 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4131
4132 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4133 char buf[64];
4134
4135 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4136 buf, &result);
0e8b207e 4137 if (len < 0) {
5e4e3972 4138 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4139 goto done;
4140 }
4141
f351bc72 4142 if (!chan->hs_hcon) {
79de886d
AE		 4143 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4144 0);
5ce66b59
AE		 4145 } else {
4146 if (l2cap_check_efs(chan)) {
4147 amp_create_logical_link(chan);
4148 chan->ident = cmd->ident;
4149 }
4150 }
0e8b207e
AE		 4151 }
4152 goto done;
4153
1da177e4 4154 case L2CAP_CONF_UNACCEPT:
73ffa904 4155 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4156 char req[64];
4157
c2c77ec8 4158 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4159 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4160 goto done;
4161 }
4162
f2fcfcd6
GP		 4163 /* throw out any old stored conf requests */
4164 result = L2CAP_CONF_SUCCESS;
b4450035 4165 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4166 req, &result);
f2fcfcd6 4167 if (len < 0) {
5e4e3972 4168 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4169 goto done;
4170 }
4171
4172 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4173 L2CAP_CONF_REQ, len, req);
73ffa904 4174 chan->num_conf_req++;
f2fcfcd6
GP		 4175 if (result != L2CAP_CONF_SUCCESS)
4176 goto done;
4177 break;
1da177e4
LT		 4178 }
4179
8e87d142 4180 default:
6be36555 4181 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4182
ba13ccd9 4183 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4184 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4185 goto done;
4186 }
4187
59e54bd1 4188 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4189 goto done;
4190
c1360a1c 4191 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4192
c1360a1c 4193 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4194 set_default_fcs(chan);
fcc203c3 4195
105bdf9e
MM		 4196 if (chan->mode == L2CAP_MODE_ERTM ||
4197 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4198 err = l2cap_ertm_init(chan);
0565c1c2 4199
3c588192 4200 if (err < 0)
5e4e3972 4201 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4202 else
4203 l2cap_chan_ready(chan);
1da177e4
LT		 4204 }
4205
4206done:
6be36555 4207 l2cap_chan_unlock(chan);
3c588192 4208 return err;
1da177e4
LT		 4209}
4210
2d792818 4211static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4212 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4213 u8 *data)
1da177e4
LT		 4214{
4215 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4216 struct l2cap_disconn_rsp rsp;
4217 u16 dcid, scid;
48454079 4218 struct l2cap_chan *chan;
1da177e4 4219
cb3b3152
JH		 4220 if (cmd_len != sizeof(*req))
4221 return -EPROTO;
4222
1da177e4
LT		 4223 scid = __le16_to_cpu(req->scid);
4224 dcid = __le16_to_cpu(req->dcid);
4225
4226 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4227
3df91ea2
AE		 4228 mutex_lock(&conn->chan_lock);
4229
4230 chan = __l2cap_get_chan_by_scid(conn, dcid);
4231 if (!chan) {
4232 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4233 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4234 return 0;
3df91ea2 4235 }
1da177e4 4236
6be36555
AE		 4237 l2cap_chan_lock(chan);
4238
fe4128e0
GP		 4239 rsp.dcid = cpu_to_le16(chan->scid);
4240 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4241 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4242
5ec1bbe5 4243 chan->ops->set_shutdown(chan);
1da177e4 4244
61d6ef3e 4245 l2cap_chan_hold(chan);
48454079 4246 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4247
4248 l2cap_chan_unlock(chan);
1da177e4 4249
80b98027 4250 chan->ops->close(chan);
61d6ef3e 4251 l2cap_chan_put(chan);
3df91ea2
AE		 4252
4253 mutex_unlock(&conn->chan_lock);
4254
1da177e4
LT		 4255 return 0;
4256}
4257
2d792818 4258static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4259 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4260 u8 *data)
1da177e4
LT		 4261{
4262 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4263 u16 dcid, scid;
48454079 4264 struct l2cap_chan *chan;
1da177e4 4265
cb3b3152
JH		 4266 if (cmd_len != sizeof(*rsp))
4267 return -EPROTO;
4268
1da177e4
LT		 4269 scid = __le16_to_cpu(rsp->scid);
4270 dcid = __le16_to_cpu(rsp->dcid);
4271
4272 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4273
3df91ea2
AE		 4274 mutex_lock(&conn->chan_lock);
4275
4276 chan = __l2cap_get_chan_by_scid(conn, scid);
4277 if (!chan) {
4278 mutex_unlock(&conn->chan_lock);
1da177e4 4279 return 0;
3df91ea2 4280 }
1da177e4 4281
6be36555 4282 l2cap_chan_lock(chan);
48454079 4283
61d6ef3e 4284 l2cap_chan_hold(chan);
48454079 4285 l2cap_chan_del(chan, 0);
6be36555
AE		 4286
4287 l2cap_chan_unlock(chan);
1da177e4 4288
80b98027 4289 chan->ops->close(chan);
61d6ef3e 4290 l2cap_chan_put(chan);
3df91ea2
AE		 4291
4292 mutex_unlock(&conn->chan_lock);
4293
1da177e4
LT		 4294 return 0;
4295}
4296
2d792818 4297static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4298 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4299 u8 *data)
1da177e4
LT		 4300{
4301 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4302 u16 type;
4303
cb3b3152
JH		 4304 if (cmd_len != sizeof(*req))
4305 return -EPROTO;
4306
1da177e4
LT		 4307 type = __le16_to_cpu(req->type);
4308
4309 BT_DBG("type 0x%4.4x", type);
4310
f0709e03
MH		 4311 if (type == L2CAP_IT_FEAT_MASK) {
4312 u8 buf[8];
44dd46de 4313 u32 feat_mask = l2cap_feat_mask;
f0709e03 4314 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4315 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4316 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4317 if (!disable_ertm)
fcc203c3 4318 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4319 | L2CAP_FEAT_FCS;
848566b3 4320 if (conn->hs_enabled)
6327eb98 4321 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4322 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4323
1b7bf4ed 4324 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4325 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4326 buf);
e1027a7c
MH		 4327 } else if (type == L2CAP_IT_FIXED_CHAN) {
4328 u8 buf[12];
4329 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4330
848566b3 4331 if (conn->hs_enabled)
50a147cd
MM		 4332 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4333 else
4334 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4335
dcf4adbf
JP		 4336 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4337 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4338 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4339 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4340 buf);
f0709e03
MH		 4341 } else {
4342 struct l2cap_info_rsp rsp;
4343 rsp.type = cpu_to_le16(type);
dcf4adbf 4344 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4345 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4346 &rsp);
f0709e03 4347 }
1da177e4
LT		 4348
4349 return 0;
4350}
4351
2d792818 4352static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4353 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4354 u8 *data)
1da177e4
LT		 4355{
4356 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4357 u16 type, result;
4358
3f6fa3d4 4359 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4360 return -EPROTO;
4361
1da177e4
LT		 4362 type = __le16_to_cpu(rsp->type);
4363 result = __le16_to_cpu(rsp->result);
4364
4365 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4366
e90165be
AE		 4367 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4368 if (cmd->ident != conn->info_ident ||
2d792818 4369 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4370 return 0;
4371
17cd3f37 4372 cancel_delayed_work(&conn->info_timer);
4e8402a3 4373
adb08ede
VT		 4374 if (result != L2CAP_IR_SUCCESS) {
4375 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4376 conn->info_ident = 0;
4377
4378 l2cap_conn_start(conn);
4379
4380 return 0;
4381 }
4382
978c93b9
AE		 4383 switch (type) {
4384 case L2CAP_IT_FEAT_MASK:
83985319 4385 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4386
47ec1dcd 4387 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4388 struct l2cap_info_req req;
dcf4adbf 4389 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4390
4391 conn->info_ident = l2cap_get_ident(conn);
4392
4393 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4394 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4395 } else {
4396 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4397 conn->info_ident = 0;
4398
4399 l2cap_conn_start(conn);
4400 }
978c93b9
AE		 4401 break;
4402
4403 case L2CAP_IT_FIXED_CHAN:
4404 conn->fixed_chan_mask = rsp->data[0];
984947dc 4405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4406 conn->info_ident = 0;
984947dc
MH		 4407
4408 l2cap_conn_start(conn);
978c93b9 4409 break;
984947dc 4410 }
4e8402a3 4411
1da177e4
LT		 4412 return 0;
4413}
4414
1700915f
MM		 4415static int l2cap_create_channel_req(struct l2cap_conn *conn,
4416 struct l2cap_cmd_hdr *cmd,
4417 u16 cmd_len, void *data)
f94ff6ff
MM		 4418{
4419 struct l2cap_create_chan_req *req = data;
6e1df6a6 4420 struct l2cap_create_chan_rsp rsp;
1700915f 4421 struct l2cap_chan *chan;
6e1df6a6 4422 struct hci_dev *hdev;
f94ff6ff
MM		 4423 u16 psm, scid;
4424
4425 if (cmd_len != sizeof(*req))
4426 return -EPROTO;
4427
848566b3 4428 if (!conn->hs_enabled)
f94ff6ff
MM		 4429 return -EINVAL;
4430
4431 psm = le16_to_cpu(req->psm);
4432 scid = le16_to_cpu(req->scid);
4433
ad0ac6ca 4434 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4435
6e1df6a6 4436 /* For controller id 0 make BR/EDR connection */
6ed971ca 4437 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4438 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4439 req->amp_id);
4440 return 0;
4441 }
1700915f 4442
6e1df6a6
AE		 4443 /* Validate AMP controller id */
4444 hdev = hci_dev_get(req->amp_id);
4445 if (!hdev)
4446 goto error;
1700915f 4447
6e1df6a6
AE		 4448 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4449 hci_dev_put(hdev);
4450 goto error;
4451 }
1700915f 4452
6e1df6a6
AE		 4453 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4454 req->amp_id);
4455 if (chan) {
4456 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4457 struct hci_conn *hs_hcon;
1700915f 4458
98e0f7ea
MH		 4459 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4460 &conn->hcon->dst);
6e1df6a6
AE		 4461 if (!hs_hcon) {
4462 hci_dev_put(hdev);
662d652d
JH		 4463 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4464 chan->dcid);
4465 return 0;
1700915f
MM		 4466 }
4467
6e1df6a6
AE		 4468 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4469
6e1df6a6
AE		 4470 mgr->bredr_chan = chan;
4471 chan->hs_hcon = hs_hcon;
fd45bf4c 4472 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4473 conn->mtu = hdev->block_mtu;
1700915f 4474 }
f94ff6ff 4475
6e1df6a6 4476 hci_dev_put(hdev);
f94ff6ff
MM		 4477
4478 return 0;
6e1df6a6
AE		 4479
4480error:
4481 rsp.dcid = 0;
4482 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4483 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4484 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4485
4486 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4487 sizeof(rsp), &rsp);
4488
dc280801 4489 return 0;
f94ff6ff
MM		 4490}
4491
8eb200bd
MM		 4492static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4493{
4494 struct l2cap_move_chan_req req;
4495 u8 ident;
4496
4497 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4498
4499 ident = l2cap_get_ident(chan->conn);
4500 chan->ident = ident;
4501
4502 req.icid = cpu_to_le16(chan->scid);
4503 req.dest_amp_id = dest_amp_id;
4504
4505 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4506 &req);
4507
4508 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4509}
4510
1500109b 4511static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4512{
4513 struct l2cap_move_chan_rsp rsp;
4514
1500109b 4515 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4516
1500109b 4517 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4518 rsp.result = cpu_to_le16(result);
4519
1500109b
MM		 4520 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4521 sizeof(rsp), &rsp);
8d5a04a1
MM		 4522}
4523
5b155ef9 4524static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4525{
4526 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4527
5b155ef9 4528 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4529
5b155ef9 4530 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4531
5b155ef9 4532 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4533 cfm.result = cpu_to_le16(result);
4534
5b155ef9
MM		 4535 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4536 sizeof(cfm), &cfm);
4537
4538 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4539}
4540
4541static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4542{
4543 struct l2cap_move_chan_cfm cfm;
4544
4545 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4546
4547 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4548 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4549
4550 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4551 sizeof(cfm), &cfm);
8d5a04a1
MM		 4552}
4553
4554static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4555 u16 icid)
8d5a04a1
MM		 4556{
4557 struct l2cap_move_chan_cfm_rsp rsp;
4558
ad0ac6ca 4559 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4560
4561 rsp.icid = cpu_to_le16(icid);
4562 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4563}
4564
5f3847a4
MM		 4565static void __release_logical_link(struct l2cap_chan *chan)
4566{
4567 chan->hs_hchan = NULL;
4568 chan->hs_hcon = NULL;
4569
4570 /* Placeholder - release the logical link */
4571}
4572
1500109b
MM		 4573static void l2cap_logical_fail(struct l2cap_chan *chan)
4574{
4575 /* Logical link setup failed */
4576 if (chan->state != BT_CONNECTED) {
4577 /* Create channel failure, disconnect */
5e4e3972 4578 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4579 return;
4580 }
4581
4582 switch (chan->move_role) {
4583 case L2CAP_MOVE_ROLE_RESPONDER:
4584 l2cap_move_done(chan);
4585 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4586 break;
4587 case L2CAP_MOVE_ROLE_INITIATOR:
4588 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4589 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4590 /* Remote has only sent pending or
4591 * success responses, clean up
4592 */
4593 l2cap_move_done(chan);
4594 }
4595
4596 /* Other amp move states imply that the move
4597 * has already aborted
4598 */
4599 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4600 break;
4601 }
4602}
4603
4604static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4605 struct hci_chan *hchan)
4606{
4607 struct l2cap_conf_rsp rsp;
1500109b 4608
336178a3 4609 chan->hs_hchan = hchan;
1500109b
MM		 4610 chan->hs_hcon->l2cap_data = chan->conn;
4611
35ba9561 4612 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4613
4614 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4615 int err;
1500109b
MM		 4616
4617 set_default_fcs(chan);
4618
4619 err = l2cap_ertm_init(chan);
4620 if (err < 0)
5e4e3972 4621 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4622 else
4623 l2cap_chan_ready(chan);
4624 }
4625}
4626
4627static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4628 struct hci_chan *hchan)
4629{
4630 chan->hs_hcon = hchan->conn;
4631 chan->hs_hcon->l2cap_data = chan->conn;
4632
4633 BT_DBG("move_state %d", chan->move_state);
4634
4635 switch (chan->move_state) {
4636 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4637 /* Move confirm will be sent after a success
4638 * response is received
4639 */
4640 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4641 break;
4642 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4643 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4644 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4645 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4646 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4647 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4648 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4649 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4650 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4651 }
4652 break;
4653 default:
4654 /* Move was not in expected state, free the channel */
4655 __release_logical_link(chan);
4656
4657 chan->move_state = L2CAP_MOVE_STABLE;
4658 }
4659}
4660
4661/* Call with chan locked */
27695fb4
AE		 4662void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4663 u8 status)
5b155ef9 4664{
1500109b
MM		 4665 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4666
4667 if (status) {
4668 l2cap_logical_fail(chan);
4669 __release_logical_link(chan);
4670 return;
4671 }
4672
4673 if (chan->state != BT_CONNECTED) {
4674 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4675 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4676 l2cap_logical_finish_create(chan, hchan);
4677 } else {
4678 l2cap_logical_finish_move(chan, hchan);
4679 }
5b155ef9
MM		 4680}
4681
3f7a56c4
MM		 4682void l2cap_move_start(struct l2cap_chan *chan)
4683{
4684 BT_DBG("chan %p", chan);
4685
6ed971ca 4686 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4687 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4688 return;
4689 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4690 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4691 /* Placeholder - start physical link setup */
4692 } else {
4693 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4694 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4695 chan->move_id = 0;
4696 l2cap_move_setup(chan);
4697 l2cap_send_move_chan_req(chan, 0);
4698 }
4699}
4700
8eb200bd
MM		 4701static void l2cap_do_create(struct l2cap_chan *chan, int result,
4702 u8 local_amp_id, u8 remote_amp_id)
4703{
62748ca1
AE		 4704 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4705 local_amp_id, remote_amp_id);
4706
12d6cc60
AE		 4707 chan->fcs = L2CAP_FCS_NONE;
4708
62748ca1
AE		 4709 /* Outgoing channel on AMP */
4710 if (chan->state == BT_CONNECT) {
4711 if (result == L2CAP_CR_SUCCESS) {
4712 chan->local_amp_id = local_amp_id;
4713 l2cap_send_create_chan_req(chan, remote_amp_id);
4714 } else {
4715 /* Revert to BR/EDR connect */
4716 l2cap_send_conn_req(chan);
4717 }
4718
4719 return;
4720 }
4721
4722 /* Incoming channel on AMP */
4723 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4724 struct l2cap_conn_rsp rsp;
4725 char buf[128];
4726 rsp.scid = cpu_to_le16(chan->dcid);
4727 rsp.dcid = cpu_to_le16(chan->scid);
4728
8eb200bd
MM		 4729 if (result == L2CAP_CR_SUCCESS) {
4730 /* Send successful response */
dcf4adbf
JP		 4731 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4732 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4733 } else {
4734 /* Send negative response */
dcf4adbf
JP		 4735 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4736 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4737 }
4738
4739 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4740 sizeof(rsp), &rsp);
4741
4742 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4743 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4744 set_bit(CONF_REQ_SENT, &chan->conf_state);
4745 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4746 L2CAP_CONF_REQ,
4747 l2cap_build_conf_req(chan, buf), buf);
4748 chan->num_conf_req++;
4749 }
8eb200bd
MM		 4750 }
4751}
4752
4753static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4754 u8 remote_amp_id)
4755{
4756 l2cap_move_setup(chan);
4757 chan->move_id = local_amp_id;
4758 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4759
4760 l2cap_send_move_chan_req(chan, remote_amp_id);
4761}
4762
4763static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4764{
4765 struct hci_chan *hchan = NULL;
4766
4767 /* Placeholder - get hci_chan for logical link */
4768
4769 if (hchan) {
4770 if (hchan->state == BT_CONNECTED) {
4771 /* Logical link is ready to go */
4772 chan->hs_hcon = hchan->conn;
4773 chan->hs_hcon->l2cap_data = chan->conn;
4774 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4775 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4776
4777 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4778 } else {
4779 /* Wait for logical link to be ready */
4780 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4781 }
4782 } else {
4783 /* Logical link not available */
4784 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4785 }
4786}
4787
4788static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4789{
4790 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4791 u8 rsp_result;
4792 if (result == -EINVAL)
4793 rsp_result = L2CAP_MR_BAD_ID;
4794 else
4795 rsp_result = L2CAP_MR_NOT_ALLOWED;
4796
4797 l2cap_send_move_chan_rsp(chan, rsp_result);
4798 }
4799
4800 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4801 chan->move_state = L2CAP_MOVE_STABLE;
4802
4803 /* Restart data transmission */
4804 l2cap_ertm_send(chan);
4805}
4806
a514b17f
AE		 4807/* Invoke with locked chan */
4808void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4809{
770bfefa 4810 u8 local_amp_id = chan->local_amp_id;
fffadc08 4811 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4812
8eb200bd
MM		 4813 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4814 chan, result, local_amp_id, remote_amp_id);
4815
8eb200bd
MM		 4816 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4817 l2cap_chan_unlock(chan);
4818 return;
4819 }
4820
4821 if (chan->state != BT_CONNECTED) {
4822 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4823 } else if (result != L2CAP_MR_SUCCESS) {
4824 l2cap_do_move_cancel(chan, result);
4825 } else {
4826 switch (chan->move_role) {
4827 case L2CAP_MOVE_ROLE_INITIATOR:
4828 l2cap_do_move_initiate(chan, local_amp_id,
4829 remote_amp_id);
4830 break;
4831 case L2CAP_MOVE_ROLE_RESPONDER:
4832 l2cap_do_move_respond(chan, result);
4833 break;
4834 default:
4835 l2cap_do_move_cancel(chan, result);
4836 break;
4837 }
4838 }
8eb200bd
MM		 4839}
4840
8d5a04a1 4841static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4842 struct l2cap_cmd_hdr *cmd,
4843 u16 cmd_len, void *data)
8d5a04a1
MM		 4844{
4845 struct l2cap_move_chan_req *req = data;
1500109b 4846 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4847 struct l2cap_chan *chan;
8d5a04a1
MM		 4848 u16 icid = 0;
4849 u16 result = L2CAP_MR_NOT_ALLOWED;
4850
4851 if (cmd_len != sizeof(*req))
4852 return -EPROTO;
4853
4854 icid = le16_to_cpu(req->icid);
4855
ad0ac6ca 4856 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4857
848566b3 4858 if (!conn->hs_enabled)
8d5a04a1
MM		 4859 return -EINVAL;
4860
02b0fbb9
MM		 4861 chan = l2cap_get_chan_by_dcid(conn, icid);
4862 if (!chan) {
1500109b 4863 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4864 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4865 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4866 sizeof(rsp), &rsp);
02b0fbb9
MM		 4867 return 0;
4868 }
4869
1500109b
MM		 4870 chan->ident = cmd->ident;
4871
02b0fbb9
MM		 4872 if (chan->scid < L2CAP_CID_DYN_START ||
4873 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4874 (chan->mode != L2CAP_MODE_ERTM &&
4875 chan->mode != L2CAP_MODE_STREAMING)) {
4876 result = L2CAP_MR_NOT_ALLOWED;
4877 goto send_move_response;
4878 }
4879
4880 if (chan->local_amp_id == req->dest_amp_id) {
4881 result = L2CAP_MR_SAME_ID;
4882 goto send_move_response;
4883 }
4884
6ed971ca 4885 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4886 struct hci_dev *hdev;
4887 hdev = hci_dev_get(req->dest_amp_id);
4888 if (!hdev || hdev->dev_type != HCI_AMP ||
4889 !test_bit(HCI_UP, &hdev->flags)) {
4890 if (hdev)
4891 hci_dev_put(hdev);
4892
4893 result = L2CAP_MR_BAD_ID;
4894 goto send_move_response;
4895 }
4896 hci_dev_put(hdev);
4897 }
4898
4899 /* Detect a move collision. Only send a collision response
4900 * if this side has "lost", otherwise proceed with the move.
4901 * The winner has the larger bd_addr.
4902 */
4903 if ((__chan_is_moving(chan) ||
4904 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4905 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4906 result = L2CAP_MR_COLLISION;
4907 goto send_move_response;
4908 }
4909
02b0fbb9
MM		 4910 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4911 l2cap_move_setup(chan);
4912 chan->move_id = req->dest_amp_id;
4913 icid = chan->dcid;
4914
6ed971ca 4915 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4916 /* Moving to BR/EDR */
4917 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4918 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4919 result = L2CAP_MR_PEND;
4920 } else {
4921 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4922 result = L2CAP_MR_SUCCESS;
4923 }
4924 } else {
4925 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4926 /* Placeholder - uncomment when amp functions are available */
4927 /*amp_accept_physical(chan, req->dest_amp_id);*/
4928 result = L2CAP_MR_PEND;
4929 }
4930
4931send_move_response:
1500109b 4932 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4933
02b0fbb9
MM		 4934 l2cap_chan_unlock(chan);
4935
8d5a04a1
MM		 4936 return 0;
4937}
4938
5b155ef9
MM		 4939static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4940{
4941 struct l2cap_chan *chan;
4942 struct hci_chan *hchan = NULL;
4943
4944 chan = l2cap_get_chan_by_scid(conn, icid);
4945 if (!chan) {
4946 l2cap_send_move_chan_cfm_icid(conn, icid);
4947 return;
4948 }
4949
4950 __clear_chan_timer(chan);
4951 if (result == L2CAP_MR_PEND)
4952 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4953
4954 switch (chan->move_state) {
4955 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4956 /* Move confirm will be sent when logical link
4957 * is complete.
4958 */
4959 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4960 break;
4961 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4962 if (result == L2CAP_MR_PEND) {
4963 break;
4964 } else if (test_bit(CONN_LOCAL_BUSY,
4965 &chan->conn_state)) {
4966 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4967 } else {
4968 /* Logical link is up or moving to BR/EDR,
4969 * proceed with move
4970 */
4971 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4972 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4973 }
4974 break;
4975 case L2CAP_MOVE_WAIT_RSP:
4976 /* Moving to AMP */
4977 if (result == L2CAP_MR_SUCCESS) {
4978 /* Remote is ready, send confirm immediately
4979 * after logical link is ready
4980 */
4981 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4982 } else {
4983 /* Both logical link and move success
4984 * are required to confirm
4985 */
4986 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4987 }
4988
4989 /* Placeholder - get hci_chan for logical link */
4990 if (!hchan) {
4991 /* Logical link not available */
4992 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4993 break;
4994 }
4995
4996 /* If the logical link is not yet connected, do not
4997 * send confirmation.
4998 */
4999 if (hchan->state != BT_CONNECTED)
5000 break;
5001
5002 /* Logical link is already ready to go */
5003
5004 chan->hs_hcon = hchan->conn;
5005 chan->hs_hcon->l2cap_data = chan->conn;
5006
5007 if (result == L2CAP_MR_SUCCESS) {
5008 /* Can confirm now */
5009 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5010 } else {
5011 /* Now only need move success
5012 * to confirm
5013 */
5014 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5015 }
5016
5017 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5018 break;
5019 default:
5020 /* Any other amp move state means the move failed. */
5021 chan->move_id = chan->local_amp_id;
5022 l2cap_move_done(chan);
5023 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5024 }
5025
5026 l2cap_chan_unlock(chan);
5027}
5028
5029static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5030 u16 result)
5031{
5032 struct l2cap_chan *chan;
5033
5034 chan = l2cap_get_chan_by_ident(conn, ident);
5035 if (!chan) {
5036 /* Could not locate channel, icid is best guess */
5037 l2cap_send_move_chan_cfm_icid(conn, icid);
5038 return;
5039 }
5040
5041 __clear_chan_timer(chan);
5042
5043 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5044 if (result == L2CAP_MR_COLLISION) {
5045 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5046 } else {
5047 /* Cleanup - cancel move */
5048 chan->move_id = chan->local_amp_id;
5049 l2cap_move_done(chan);
5050 }
5051 }
5052
5053 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5054
5055 l2cap_chan_unlock(chan);
5056}
5057
5058static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5059 struct l2cap_cmd_hdr *cmd,
5060 u16 cmd_len, void *data)
8d5a04a1
MM		 5061{
5062 struct l2cap_move_chan_rsp *rsp = data;
5063 u16 icid, result;
5064
5065 if (cmd_len != sizeof(*rsp))
5066 return -EPROTO;
5067
5068 icid = le16_to_cpu(rsp->icid);
5069 result = le16_to_cpu(rsp->result);
5070
ad0ac6ca 5071 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5072
5b155ef9
MM		 5073 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5074 l2cap_move_continue(conn, icid, result);
5075 else
5076 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5077
5078 return 0;
5079}
5080
5f3847a4
MM		 5081static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5082 struct l2cap_cmd_hdr *cmd,
5083 u16 cmd_len, void *data)
8d5a04a1
MM		 5084{
5085 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5086 struct l2cap_chan *chan;
8d5a04a1
MM		 5087 u16 icid, result;
5088
5089 if (cmd_len != sizeof(*cfm))
5090 return -EPROTO;
5091
5092 icid = le16_to_cpu(cfm->icid);
5093 result = le16_to_cpu(cfm->result);
5094
ad0ac6ca 5095 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5096
5f3847a4
MM		 5097 chan = l2cap_get_chan_by_dcid(conn, icid);
5098 if (!chan) {
5099 /* Spec requires a response even if the icid was not found */
5100 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5101 return 0;
5102 }
5103
5104 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5105 if (result == L2CAP_MC_CONFIRMED) {
5106 chan->local_amp_id = chan->move_id;
6ed971ca 5107 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5108 __release_logical_link(chan);
5109 } else {
5110 chan->move_id = chan->local_amp_id;
5111 }
5112
5113 l2cap_move_done(chan);
5114 }
5115
8d5a04a1
MM		 5116 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5117
5f3847a4
MM		 5118 l2cap_chan_unlock(chan);
5119
8d5a04a1
MM		 5120 return 0;
5121}
5122
5123static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5124 struct l2cap_cmd_hdr *cmd,
5125 u16 cmd_len, void *data)
8d5a04a1
MM		 5126{
5127 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5128 struct l2cap_chan *chan;
8d5a04a1
MM		 5129 u16 icid;
5130
5131 if (cmd_len != sizeof(*rsp))
5132 return -EPROTO;
5133
5134 icid = le16_to_cpu(rsp->icid);
5135
ad0ac6ca 5136 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5137
3fd71a0a
MM		 5138 chan = l2cap_get_chan_by_scid(conn, icid);
5139 if (!chan)
5140 return 0;
5141
5142 __clear_chan_timer(chan);
5143
5144 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5145 chan->local_amp_id = chan->move_id;
5146
6ed971ca 5147 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5148 __release_logical_link(chan);
5149
5150 l2cap_move_done(chan);
5151 }
5152
5153 l2cap_chan_unlock(chan);
5154
8d5a04a1
MM		 5155 return 0;
5156}
5157
de73115a 5158static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5159 struct l2cap_cmd_hdr *cmd,
203e639e 5160 u16 cmd_len, u8 *data)
de73115a
CT		 5161{
5162 struct hci_conn *hcon = conn->hcon;
5163 struct l2cap_conn_param_update_req *req;
5164 struct l2cap_conn_param_update_rsp rsp;
203e639e 5165 u16 min, max, latency, to_multiplier;
2ce603eb 5166 int err;
de73115a 5167
40bef302 5168 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5169 return -EINVAL;
5170
de73115a
CT		 5171 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5172 return -EPROTO;
5173
5174 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5175 min = __le16_to_cpu(req->min);
5176 max = __le16_to_cpu(req->max);
de73115a
CT		 5177 latency = __le16_to_cpu(req->latency);
5178 to_multiplier = __le16_to_cpu(req->to_multiplier);
5179
5180 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5181 min, max, latency, to_multiplier);
de73115a
CT		 5182
5183 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5184
d4905f24 5185 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5186 if (err)
dcf4adbf 5187 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5188 else
dcf4adbf 5189 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5190
5191 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5192 sizeof(rsp), &rsp);
de73115a 5193
ffb5a827 5194 if (!err) {
f4869e2a
JH		 5195 u8 store_hint;
5196
5197 store_hint = hci_le_conn_update(hcon, min, max, latency,
5198 to_multiplier);
ffb5a827 5199 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5200 store_hint, min, max, latency,
5201 to_multiplier);
ffb5a827 5202
ffb5a827 5203 }
2ce603eb 5204
de73115a
CT		 5205 return 0;
5206}
5207
f1496dee
JH		 5208static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5209 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5210 u8 *data)
5211{
5212 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5213 u16 dcid, mtu, mps, credits, result;
5214 struct l2cap_chan *chan;
5215 int err;
5216
5217 if (cmd_len < sizeof(*rsp))
5218 return -EPROTO;
5219
5220 dcid = __le16_to_cpu(rsp->dcid);
5221 mtu = __le16_to_cpu(rsp->mtu);
5222 mps = __le16_to_cpu(rsp->mps);
5223 credits = __le16_to_cpu(rsp->credits);
5224 result = __le16_to_cpu(rsp->result);
5225
5226 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5227 return -EPROTO;
5228
5229 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5230 dcid, mtu, mps, credits, result);
5231
5232 mutex_lock(&conn->chan_lock);
5233
5234 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5235 if (!chan) {
5236 err = -EBADSLT;
5237 goto unlock;
5238 }
5239
5240 err = 0;
5241
5242 l2cap_chan_lock(chan);
5243
5244 switch (result) {
5245 case L2CAP_CR_SUCCESS:
5246 chan->ident = 0;
5247 chan->dcid = dcid;
5248 chan->omtu = mtu;
5249 chan->remote_mps = mps;
0cd75f7e 5250 chan->tx_credits = credits;
f1496dee
JH		 5251 l2cap_chan_ready(chan);
5252 break;
5253
5254 default:
5255 l2cap_chan_del(chan, ECONNREFUSED);
5256 break;
5257 }
5258
5259 l2cap_chan_unlock(chan);
5260
5261unlock:
5262 mutex_unlock(&conn->chan_lock);
5263
5264 return err;
5265}
5266
3300d9a9 5267static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5268 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5269 u8 *data)
3300d9a9
CT		 5270{
5271 int err = 0;
5272
5273 switch (cmd->code) {
5274 case L2CAP_COMMAND_REJ:
cb3b3152 5275 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5276 break;
5277
5278 case L2CAP_CONN_REQ:
cb3b3152 5279 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5280 break;
5281
5282 case L2CAP_CONN_RSP:
f5a2598d 5283 case L2CAP_CREATE_CHAN_RSP:
9245e737 5284 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5285 break;
5286
5287 case L2CAP_CONF_REQ:
5288 err = l2cap_config_req(conn, cmd, cmd_len, data);
5289 break;
5290
5291 case L2CAP_CONF_RSP:
9245e737 5292 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5293 break;
5294
5295 case L2CAP_DISCONN_REQ:
cb3b3152 5296 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5297 break;
5298
5299 case L2CAP_DISCONN_RSP:
9245e737 5300 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5301 break;
5302
5303 case L2CAP_ECHO_REQ:
5304 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5305 break;
5306
5307 case L2CAP_ECHO_RSP:
5308 break;
5309
5310 case L2CAP_INFO_REQ:
cb3b3152 5311 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5312 break;
5313
5314 case L2CAP_INFO_RSP:
9245e737 5315 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5316 break;
5317
f94ff6ff
MM		 5318 case L2CAP_CREATE_CHAN_REQ:
5319 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5320 break;
5321
8d5a04a1
MM		 5322 case L2CAP_MOVE_CHAN_REQ:
5323 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5324 break;
5325
5326 case L2CAP_MOVE_CHAN_RSP:
9245e737 5327 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5328 break;
5329
5330 case L2CAP_MOVE_CHAN_CFM:
5331 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5332 break;
5333
5334 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5335 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5336 break;
5337
3300d9a9
CT		 5338 default:
5339 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5340 err = -EINVAL;
5341 break;
5342 }
5343
5344 return err;
5345}
5346
27e2d4c8
JH		 5347static int l2cap_le_connect_req(struct l2cap_conn *conn,
5348 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5349 u8 *data)
5350{
5351 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5352 struct l2cap_le_conn_rsp rsp;
5353 struct l2cap_chan *chan, *pchan;
0cd75f7e 5354 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5355 __le16 psm;
5356 u8 result;
5357
5358 if (cmd_len != sizeof(*req))
5359 return -EPROTO;
5360
5361 scid = __le16_to_cpu(req->scid);
5362 mtu = __le16_to_cpu(req->mtu);
5363 mps = __le16_to_cpu(req->mps);
5364 psm = req->psm;
5365 dcid = 0;
0cd75f7e 5366 credits = 0;
27e2d4c8
JH		 5367
5368 if (mtu < 23 || mps < 23)
5369 return -EPROTO;
5370
5371 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5372 scid, mtu, mps);
5373
5374 /* Check if we have socket listening on psm */
5375 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5376 &conn->hcon->dst, LE_LINK);
5377 if (!pchan) {
5378 result = L2CAP_CR_BAD_PSM;
5379 chan = NULL;
5380 goto response;
5381 }
5382
5383 mutex_lock(&conn->chan_lock);
5384 l2cap_chan_lock(pchan);
5385
5386 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5387 result = L2CAP_CR_AUTHENTICATION;
5388 chan = NULL;
5389 goto response_unlock;
5390 }
5391
5392 /* Check if we already have channel with that dcid */
5393 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5394 result = L2CAP_CR_NO_MEM;
5395 chan = NULL;
5396 goto response_unlock;
5397 }
5398
5399 chan = pchan->ops->new_connection(pchan);
5400 if (!chan) {
5401 result = L2CAP_CR_NO_MEM;
5402 goto response_unlock;
5403 }
5404
0ce43ce6
JH		 5405 l2cap_le_flowctl_init(chan);
5406
27e2d4c8
JH		 5407 bacpy(&chan->src, &conn->hcon->src);
5408 bacpy(&chan->dst, &conn->hcon->dst);
5409 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5410 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5411 chan->psm = psm;
5412 chan->dcid = scid;
5413 chan->omtu = mtu;
5414 chan->remote_mps = mps;
0cd75f7e 5415 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5416
5417 __l2cap_chan_add(conn, chan);
5418 dcid = chan->scid;
0cd75f7e 5419 credits = chan->rx_credits;
27e2d4c8
JH		 5420
5421 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5422
5423 chan->ident = cmd->ident;
5424
5425 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5426 l2cap_state_change(chan, BT_CONNECT2);
5427 result = L2CAP_CR_PEND;
5428 chan->ops->defer(chan);
5429 } else {
5430 l2cap_chan_ready(chan);
5431 result = L2CAP_CR_SUCCESS;
5432 }
5433
5434response_unlock:
5435 l2cap_chan_unlock(pchan);
5436 mutex_unlock(&conn->chan_lock);
a24cce14 5437 l2cap_chan_put(pchan);
27e2d4c8
JH		 5438
5439 if (result == L2CAP_CR_PEND)
5440 return 0;
5441
5442response:
5443 if (chan) {
5444 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5445 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5446 } else {
5447 rsp.mtu = 0;
5448 rsp.mps = 0;
5449 }
5450
5451 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5452 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5453 rsp.result = cpu_to_le16(result);
5454
5455 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5456
5457 return 0;
5458}
5459
fad5fc89
JH		 5460static inline int l2cap_le_credits(struct l2cap_conn *conn,
5461 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5462 u8 *data)
5463{
5464 struct l2cap_le_credits *pkt;
5465 struct l2cap_chan *chan;
0f1bfe4e 5466 u16 cid, credits, max_credits;
fad5fc89
JH		 5467
5468 if (cmd_len != sizeof(*pkt))
5469 return -EPROTO;
5470
5471 pkt = (struct l2cap_le_credits *) data;
5472 cid = __le16_to_cpu(pkt->cid);
5473 credits = __le16_to_cpu(pkt->credits);
5474
5475 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5476
5477 chan = l2cap_get_chan_by_dcid(conn, cid);
5478 if (!chan)
5479 return -EBADSLT;
5480
0f1bfe4e
JH		 5481 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5482 if (credits > max_credits) {
5483 BT_ERR("LE credits overflow");
5484 l2cap_send_disconn_req(chan, ECONNRESET);
5485
5486 /* Return 0 so that we don't trigger an unnecessary
5487 * command reject packet.
5488 */
5489 return 0;
5490 }
5491
fad5fc89
JH		 5492 chan->tx_credits += credits;
5493
5494 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5495 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5496 chan->tx_credits--;
5497 }
5498
5499 if (chan->tx_credits)
5500 chan->ops->resume(chan);
5501
5502 l2cap_chan_unlock(chan);
5503
5504 return 0;
5505}
5506
71fb4197
JH		 5507static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5508 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5509 u8 *data)
5510{
5511 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5512 struct l2cap_chan *chan;
5513
5514 if (cmd_len < sizeof(*rej))
5515 return -EPROTO;
5516
5517 mutex_lock(&conn->chan_lock);
5518
5519 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5520 if (!chan)
5521 goto done;
5522
5523 l2cap_chan_lock(chan);
5524 l2cap_chan_del(chan, ECONNREFUSED);
5525 l2cap_chan_unlock(chan);
5526
5527done:
5528 mutex_unlock(&conn->chan_lock);
5529 return 0;
5530}
5531
3300d9a9 5532static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5533 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5534 u8 *data)
3300d9a9 5535{
b5ecba64
JH		 5536 int err = 0;
5537
3300d9a9
CT		 5538 switch (cmd->code) {
5539 case L2CAP_COMMAND_REJ:
71fb4197 5540 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5541 break;
3300d9a9
CT		 5542
5543 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5544 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5545 break;
3300d9a9
CT		 5546
5547 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5548 break;
3300d9a9 5549
f1496dee
JH		 5550 case L2CAP_LE_CONN_RSP:
5551 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5552 break;
f1496dee 5553
27e2d4c8 5554 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5555 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5556 break;
27e2d4c8 5557
fad5fc89
JH		 5558 case L2CAP_LE_CREDITS:
5559 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5560 break;
5561
3defe01a 5562 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5563 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5564 break;
3defe01a
JH		 5565
5566 case L2CAP_DISCONN_RSP:
5567 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5568 break;
3defe01a 5569
3300d9a9
CT		 5570 default:
5571 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5572 err = -EINVAL;
5573 break;
3300d9a9 5574 }
b5ecba64
JH		 5575
5576 return err;
3300d9a9
CT		 5577}
5578
c5623556
JH		 5579static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5580 struct sk_buff *skb)
5581{
69c4e4e8 5582 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5583 struct l2cap_cmd_hdr *cmd;
5584 u16 len;
c5623556
JH		 5585 int err;
5586
69c4e4e8 5587 if (hcon->type != LE_LINK)
3b166295 5588 goto drop;
69c4e4e8 5589
4f3e219d
MH		 5590 if (skb->len < L2CAP_CMD_HDR_SIZE)
5591 goto drop;
c5623556 5592
4f3e219d
MH		 5593 cmd = (void *) skb->data;
5594 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5595
4f3e219d 5596 len = le16_to_cpu(cmd->len);
c5623556 5597
4f3e219d 5598 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5599
4f3e219d
MH		 5600 if (len != skb->len || !cmd->ident) {
5601 BT_DBG("corrupted command");
5602 goto drop;
5603 }
c5623556 5604
203e639e 5605 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5606 if (err) {
5607 struct l2cap_cmd_rej_unk rej;
c5623556 5608
4f3e219d 5609 BT_ERR("Wrong link type (%d)", err);
c5623556 5610
dcf4adbf 5611 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5612 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5613 sizeof(rej), &rej);
c5623556
JH		 5614 }
5615
3b166295 5616drop:
c5623556
JH		 5617 kfree_skb(skb);
5618}
5619
3300d9a9 5620static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5621 struct sk_buff *skb)
1da177e4 5622{
69c4e4e8 5623 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5624 u8 *data = skb->data;
5625 int len = skb->len;
5626 struct l2cap_cmd_hdr cmd;
3300d9a9 5627 int err;
1da177e4
LT		 5628
5629 l2cap_raw_recv(conn, skb);
5630
69c4e4e8 5631 if (hcon->type != ACL_LINK)
3b166295 5632 goto drop;
69c4e4e8 5633
1da177e4 5634 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5635 u16 cmd_len;
1da177e4
LT		 5636 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5637 data += L2CAP_CMD_HDR_SIZE;
5638 len -= L2CAP_CMD_HDR_SIZE;
5639
88219a0f 5640 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5641
2d792818
GP		 5642 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5643 cmd.ident);
1da177e4 5644
88219a0f 5645 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5646 BT_DBG("corrupted command");
5647 break;
5648 }
5649
c5623556 5650 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5651 if (err) {
e2fd318e 5652 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5653
5654 BT_ERR("Wrong link type (%d)", err);
1da177e4 5655
dcf4adbf 5656 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5657 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5658 sizeof(rej), &rej);
1da177e4
LT		 5659 }
5660
88219a0f
AV		 5661 data += cmd_len;
5662 len -= cmd_len;
1da177e4
LT		 5663 }
5664
3b166295 5665drop:
1da177e4
LT		 5666 kfree_skb(skb);
5667}
5668
47d1ec61 5669static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5670{
5671 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5672 int hdr_size;
5673
5674 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5675 hdr_size = L2CAP_EXT_HDR_SIZE;
5676 else
5677 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5678
47d1ec61 5679 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5680 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5681 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5682 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5683
5684 if (our_fcs != rcv_fcs)
7a560e5c 5685 return -EBADMSG;
fcc203c3
GP		 5686 }
5687 return 0;
5688}
5689
6ea00485 5690static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5691{
e31f7633 5692 struct l2cap_ctrl control;
d5392c8f 5693
e31f7633 5694 BT_DBG("chan %p", chan);
d5392c8f 5695
e31f7633
MM		 5696 memset(&control, 0, sizeof(control));
5697 control.sframe = 1;
5698 control.final = 1;
5699 control.reqseq = chan->buffer_seq;
5700 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5701
e2ab4353 5702 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5703 control.super = L2CAP_SUPER_RNR;
5704 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5705 }
5706
e31f7633
MM		 5707 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5708 chan->unacked_frames > 0)
5709 __set_retrans_timer(chan);
d5392c8f 5710
e31f7633 5711 /* Send pending iframes */
525cd185 5712 l2cap_ertm_send(chan);
d5392c8f 5713
e2ab4353 5714 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5715 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5716 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5717 * send it now.
5718 */
5719 control.super = L2CAP_SUPER_RR;
5720 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5721 }
5722}
5723
2d792818
GP		 5724static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5725 struct sk_buff **last_frag)
18778a63 5726{
84084a31
MM		 5727 /* skb->len reflects data in skb as well as all fragments
5728 * skb->data_len reflects only data in fragments
5729 */
5730 if (!skb_has_frag_list(skb))
5731 skb_shinfo(skb)->frag_list = new_frag;
5732
5733 new_frag->next = NULL;
5734
5735 (*last_frag)->next = new_frag;
5736 *last_frag = new_frag;
5737
5738 skb->len += new_frag->len;
5739 skb->data_len += new_frag->len;
5740 skb->truesize += new_frag->truesize;
5741}
5742
4b51dae9
MM		 5743static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5744 struct l2cap_ctrl *control)
84084a31
MM		 5745{
5746 int err = -EINVAL;
18778a63 5747
4b51dae9 5748 switch (control->sar) {
7e0ef6ee 5749 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5750 if (chan->sdu)
5751 break;
18778a63 5752
80b98027 5753 err = chan->ops->recv(chan, skb);
84084a31 5754 break;
18778a63 5755
7e0ef6ee 5756 case L2CAP_SAR_START:
84084a31
MM		 5757 if (chan->sdu)
5758 break;
18778a63 5759
6f61fd47 5760 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5761 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5762
84084a31
MM		 5763 if (chan->sdu_len > chan->imtu) {
5764 err = -EMSGSIZE;
5765 break;
5766 }
1890d36b 5767
84084a31
MM		 5768 if (skb->len >= chan->sdu_len)
5769 break;
18778a63 5770
84084a31
MM		 5771 chan->sdu = skb;
5772 chan->sdu_last_frag = skb;
18778a63 5773
84084a31
MM		 5774 skb = NULL;
5775 err = 0;
18778a63
GP		 5776 break;
5777
7e0ef6ee 5778 case L2CAP_SAR_CONTINUE:
6f61fd47 5779 if (!chan->sdu)
84084a31 5780 break;
18778a63 5781
84084a31
MM		 5782 append_skb_frag(chan->sdu, skb,
5783 &chan->sdu_last_frag);
5784 skb = NULL;
18778a63 5785
84084a31
MM		 5786 if (chan->sdu->len >= chan->sdu_len)
5787 break;
4178ba46 5788
84084a31 5789 err = 0;
18778a63
GP		 5790 break;
5791
7e0ef6ee 5792 case L2CAP_SAR_END:
6f61fd47 5793 if (!chan->sdu)
84084a31 5794 break;
18778a63 5795
84084a31
MM		 5796 append_skb_frag(chan->sdu, skb,
5797 &chan->sdu_last_frag);
5798 skb = NULL;
4178ba46 5799
84084a31
MM		 5800 if (chan->sdu->len != chan->sdu_len)
5801 break;
18778a63 5802
80b98027 5803 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5804
84084a31
MM		 5805 if (!err) {
5806 /* Reassembly complete */
5807 chan->sdu = NULL;
5808 chan->sdu_last_frag = NULL;
5809 chan->sdu_len = 0;
1890d36b 5810 }
18778a63
GP		 5811 break;
5812 }
5813
84084a31
MM		 5814 if (err) {
5815 kfree_skb(skb);
5816 kfree_skb(chan->sdu);
5817 chan->sdu = NULL;
5818 chan->sdu_last_frag = NULL;
5819 chan->sdu_len = 0;
5820 }
18778a63 5821
84084a31 5822 return err;
18778a63
GP		 5823}
5824
32b32735
MM		 5825static int l2cap_resegment(struct l2cap_chan *chan)
5826{
5827 /* Placeholder */
5828 return 0;
5829}
5830
61aa4f5b 5831void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5832{
61aa4f5b 5833 u8 event;
712132eb 5834
61aa4f5b
MM		 5835 if (chan->mode != L2CAP_MODE_ERTM)
5836 return;
712132eb 5837
61aa4f5b 5838 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5839 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5840}
5841
d2a7ac5d
MM		 5842static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5843{
63838725
MM		 5844 int err = 0;
5845 /* Pass sequential frames to l2cap_reassemble_sdu()
5846 * until a gap is encountered.
5847 */
5848
5849 BT_DBG("chan %p", chan);
5850
5851 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5852 struct sk_buff *skb;
5853 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5854 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5855
5856 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5857
5858 if (!skb)
5859 break;
5860
5861 skb_unlink(skb, &chan->srej_q);
5862 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5863 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5864 if (err)
5865 break;
5866 }
5867
5868 if (skb_queue_empty(&chan->srej_q)) {
5869 chan->rx_state = L2CAP_RX_STATE_RECV;
5870 l2cap_send_ack(chan);
5871 }
5872
5873 return err;
d2a7ac5d
MM		 5874}
5875
5876static void l2cap_handle_srej(struct l2cap_chan *chan,
5877 struct l2cap_ctrl *control)
5878{
f80842a8
MM		 5879 struct sk_buff *skb;
5880
5881 BT_DBG("chan %p, control %p", chan, control);
5882
5883 if (control->reqseq == chan->next_tx_seq) {
5884 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5885 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5886 return;
5887 }
5888
5889 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5890
5891 if (skb == NULL) {
5892 BT_DBG("Seq %d not available for retransmission",
5893 control->reqseq);
5894 return;
5895 }
5896
5897 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5898 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5899 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5900 return;
5901 }
5902
5903 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5904
5905 if (control->poll) {
5906 l2cap_pass_to_tx(chan, control);
5907
5908 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5909 l2cap_retransmit(chan, control);
5910 l2cap_ertm_send(chan);
5911
5912 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5913 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5914 chan->srej_save_reqseq = control->reqseq;
5915 }
5916 } else {
5917 l2cap_pass_to_tx_fbit(chan, control);
5918
5919 if (control->final) {
5920 if (chan->srej_save_reqseq != control->reqseq ||
5921 !test_and_clear_bit(CONN_SREJ_ACT,
5922 &chan->conn_state))
5923 l2cap_retransmit(chan, control);
5924 } else {
5925 l2cap_retransmit(chan, control);
5926 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5927 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5928 chan->srej_save_reqseq = control->reqseq;
5929 }
5930 }
5931 }
d2a7ac5d
MM		 5932}
5933
5934static void l2cap_handle_rej(struct l2cap_chan *chan,
5935 struct l2cap_ctrl *control)
5936{
fcd289df
MM		 5937 struct sk_buff *skb;
5938
5939 BT_DBG("chan %p, control %p", chan, control);
5940
5941 if (control->reqseq == chan->next_tx_seq) {
5942 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5943 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5944 return;
5945 }
5946
5947 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5948
5949 if (chan->max_tx && skb &&
5950 bt_cb(skb)->control.retries >= chan->max_tx) {
5951 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5952 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5953 return;
5954 }
5955
5956 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5957
5958 l2cap_pass_to_tx(chan, control);
5959
5960 if (control->final) {
5961 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5962 l2cap_retransmit_all(chan, control);
5963 } else {
5964 l2cap_retransmit_all(chan, control);
5965 l2cap_ertm_send(chan);
5966 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5967 set_bit(CONN_REJ_ACT, &chan->conn_state);
5968 }
d2a7ac5d
MM		 5969}
5970
4b51dae9
MM		 5971static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5972{
5973 BT_DBG("chan %p, txseq %d", chan, txseq);
5974
5975 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5976 chan->expected_tx_seq);
5977
5978 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5979 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5980 chan->tx_win) {
4b51dae9
MM		 5981 /* See notes below regarding "double poll" and
5982 * invalid packets.
5983 */
5984 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5985 BT_DBG("Invalid/Ignore - after SREJ");
5986 return L2CAP_TXSEQ_INVALID_IGNORE;
5987 } else {
5988 BT_DBG("Invalid - in window after SREJ sent");
5989 return L2CAP_TXSEQ_INVALID;
5990 }
5991 }
5992
5993 if (chan->srej_list.head == txseq) {
5994 BT_DBG("Expected SREJ");
5995 return L2CAP_TXSEQ_EXPECTED_SREJ;
5996 }
5997
5998 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5999 BT_DBG("Duplicate SREJ - txseq already stored");
6000 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6001 }
6002
6003 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6004 BT_DBG("Unexpected SREJ - not requested");
6005 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6006 }
6007 }
6008
6009 if (chan->expected_tx_seq == txseq) {
6010 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6011 chan->tx_win) {
6012 BT_DBG("Invalid - txseq outside tx window");
6013 return L2CAP_TXSEQ_INVALID;
6014 } else {
6015 BT_DBG("Expected");
6016 return L2CAP_TXSEQ_EXPECTED;
6017 }
6018 }
6019
6020 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6021 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6022 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6023 return L2CAP_TXSEQ_DUPLICATE;
6024 }
6025
6026 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6027 /* A source of invalid packets is a "double poll" condition,
6028 * where delays cause us to send multiple poll packets. If
6029 * the remote stack receives and processes both polls,
6030 * sequence numbers can wrap around in such a way that a
6031 * resent frame has a sequence number that looks like new data
6032 * with a sequence gap. This would trigger an erroneous SREJ
6033 * request.
6034 *
6035 * Fortunately, this is impossible with a tx window that's
6036 * less than half of the maximum sequence number, which allows
6037 * invalid frames to be safely ignored.
6038 *
6039 * With tx window sizes greater than half of the tx window
6040 * maximum, the frame is invalid and cannot be ignored. This
6041 * causes a disconnect.
6042 */
6043
6044 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6045 BT_DBG("Invalid/Ignore - txseq outside tx window");
6046 return L2CAP_TXSEQ_INVALID_IGNORE;
6047 } else {
6048 BT_DBG("Invalid - txseq outside tx window");
6049 return L2CAP_TXSEQ_INVALID;
6050 }
6051 } else {
6052 BT_DBG("Unexpected - txseq indicates missing frames");
6053 return L2CAP_TXSEQ_UNEXPECTED;
6054 }
6055}
6056
d2a7ac5d
MM		 6057static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6058 struct l2cap_ctrl *control,
6059 struct sk_buff *skb, u8 event)
6060{
6061 int err = 0;
941247f9 6062 bool skb_in_use = false;
d2a7ac5d
MM		 6063
6064 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6065 event);
6066
6067 switch (event) {
6068 case L2CAP_EV_RECV_IFRAME:
6069 switch (l2cap_classify_txseq(chan, control->txseq)) {
6070 case L2CAP_TXSEQ_EXPECTED:
6071 l2cap_pass_to_tx(chan, control);
6072
6073 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6074 BT_DBG("Busy, discarding expected seq %d",
6075 control->txseq);
6076 break;
6077 }
6078
6079 chan->expected_tx_seq = __next_seq(chan,
6080 control->txseq);
6081
6082 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6083 skb_in_use = true;
d2a7ac5d
MM		 6084
6085 err = l2cap_reassemble_sdu(chan, skb, control);
6086 if (err)
6087 break;
6088
6089 if (control->final) {
6090 if (!test_and_clear_bit(CONN_REJ_ACT,
6091 &chan->conn_state)) {
6092 control->final = 0;
6093 l2cap_retransmit_all(chan, control);
6094 l2cap_ertm_send(chan);
6095 }
6096 }
6097
6098 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6099 l2cap_send_ack(chan);
6100 break;
6101 case L2CAP_TXSEQ_UNEXPECTED:
6102 l2cap_pass_to_tx(chan, control);
6103
6104 /* Can't issue SREJ frames in the local busy state.
6105 * Drop this frame, it will be seen as missing
6106 * when local busy is exited.
6107 */
6108 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6109 BT_DBG("Busy, discarding unexpected seq %d",
6110 control->txseq);
6111 break;
6112 }
6113
6114 /* There was a gap in the sequence, so an SREJ
6115 * must be sent for each missing frame. The
6116 * current frame is stored for later use.
6117 */
6118 skb_queue_tail(&chan->srej_q, skb);
941247f9 6119 skb_in_use = true;
d2a7ac5d
MM		 6120 BT_DBG("Queued %p (queue len %d)", skb,
6121 skb_queue_len(&chan->srej_q));
6122
6123 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6124 l2cap_seq_list_clear(&chan->srej_list);
6125 l2cap_send_srej(chan, control->txseq);
6126
6127 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6128 break;
6129 case L2CAP_TXSEQ_DUPLICATE:
6130 l2cap_pass_to_tx(chan, control);
6131 break;
6132 case L2CAP_TXSEQ_INVALID_IGNORE:
6133 break;
6134 case L2CAP_TXSEQ_INVALID:
6135 default:
5e4e3972 6136 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6137 break;
6138 }
6139 break;
6140 case L2CAP_EV_RECV_RR:
6141 l2cap_pass_to_tx(chan, control);
6142 if (control->final) {
6143 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6144
e6a3ee6e
MM		 6145 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6146 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6147 control->final = 0;
6148 l2cap_retransmit_all(chan, control);
6149 }
6150
6151 l2cap_ertm_send(chan);
6152 } else if (control->poll) {
6153 l2cap_send_i_or_rr_or_rnr(chan);
6154 } else {
6155 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6156 &chan->conn_state) &&
6157 chan->unacked_frames)
6158 __set_retrans_timer(chan);
6159
6160 l2cap_ertm_send(chan);
6161 }
6162 break;
6163 case L2CAP_EV_RECV_RNR:
6164 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6165 l2cap_pass_to_tx(chan, control);
6166 if (control && control->poll) {
6167 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6168 l2cap_send_rr_or_rnr(chan, 0);
6169 }
6170 __clear_retrans_timer(chan);
6171 l2cap_seq_list_clear(&chan->retrans_list);
6172 break;
6173 case L2CAP_EV_RECV_REJ:
6174 l2cap_handle_rej(chan, control);
6175 break;
6176 case L2CAP_EV_RECV_SREJ:
6177 l2cap_handle_srej(chan, control);
6178 break;
6179 default:
6180 break;
6181 }
6182
6183 if (skb && !skb_in_use) {
6184 BT_DBG("Freeing %p", skb);
6185 kfree_skb(skb);
6186 }
6187
6188 return err;
6189}
6190
6191static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6192 struct l2cap_ctrl *control,
6193 struct sk_buff *skb, u8 event)
6194{
6195 int err = 0;
6196 u16 txseq = control->txseq;
941247f9 6197 bool skb_in_use = false;
d2a7ac5d
MM		 6198
6199 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6200 event);
6201
6202 switch (event) {
6203 case L2CAP_EV_RECV_IFRAME:
6204 switch (l2cap_classify_txseq(chan, txseq)) {
6205 case L2CAP_TXSEQ_EXPECTED:
6206 /* Keep frame for reassembly later */
6207 l2cap_pass_to_tx(chan, control);
6208 skb_queue_tail(&chan->srej_q, skb);
941247f9 6209 skb_in_use = true;
d2a7ac5d
MM		 6210 BT_DBG("Queued %p (queue len %d)", skb,
6211 skb_queue_len(&chan->srej_q));
6212
6213 chan->expected_tx_seq = __next_seq(chan, txseq);
6214 break;
6215 case L2CAP_TXSEQ_EXPECTED_SREJ:
6216 l2cap_seq_list_pop(&chan->srej_list);
6217
6218 l2cap_pass_to_tx(chan, control);
6219 skb_queue_tail(&chan->srej_q, skb);
941247f9 6220 skb_in_use = true;
d2a7ac5d
MM		 6221 BT_DBG("Queued %p (queue len %d)", skb,
6222 skb_queue_len(&chan->srej_q));
6223
6224 err = l2cap_rx_queued_iframes(chan);
6225 if (err)
6226 break;
6227
6228 break;
6229 case L2CAP_TXSEQ_UNEXPECTED:
6230 /* Got a frame that can't be reassembled yet.
6231 * Save it for later, and send SREJs to cover
6232 * the missing frames.
6233 */
6234 skb_queue_tail(&chan->srej_q, skb);
941247f9 6235 skb_in_use = true;
d2a7ac5d
MM		 6236 BT_DBG("Queued %p (queue len %d)", skb,
6237 skb_queue_len(&chan->srej_q));
6238
6239 l2cap_pass_to_tx(chan, control);
6240 l2cap_send_srej(chan, control->txseq);
6241 break;
6242 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6243 /* This frame was requested with an SREJ, but
6244 * some expected retransmitted frames are
6245 * missing. Request retransmission of missing
6246 * SREJ'd frames.
6247 */
6248 skb_queue_tail(&chan->srej_q, skb);
941247f9 6249 skb_in_use = true;
d2a7ac5d
MM		 6250 BT_DBG("Queued %p (queue len %d)", skb,
6251 skb_queue_len(&chan->srej_q));
6252
6253 l2cap_pass_to_tx(chan, control);
6254 l2cap_send_srej_list(chan, control->txseq);
6255 break;
6256 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6257 /* We've already queued this frame. Drop this copy. */
6258 l2cap_pass_to_tx(chan, control);
6259 break;
6260 case L2CAP_TXSEQ_DUPLICATE:
6261 /* Expecting a later sequence number, so this frame
6262 * was already received. Ignore it completely.
6263 */
6264 break;
6265 case L2CAP_TXSEQ_INVALID_IGNORE:
6266 break;
6267 case L2CAP_TXSEQ_INVALID:
6268 default:
5e4e3972 6269 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6270 break;
6271 }
6272 break;
6273 case L2CAP_EV_RECV_RR:
6274 l2cap_pass_to_tx(chan, control);
6275 if (control->final) {
6276 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6277
6278 if (!test_and_clear_bit(CONN_REJ_ACT,
6279 &chan->conn_state)) {
6280 control->final = 0;
6281 l2cap_retransmit_all(chan, control);
6282 }
6283
6284 l2cap_ertm_send(chan);
6285 } else if (control->poll) {
6286 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6287 &chan->conn_state) &&
6288 chan->unacked_frames) {
6289 __set_retrans_timer(chan);
6290 }
6291
6292 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6293 l2cap_send_srej_tail(chan);
6294 } else {
6295 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6296 &chan->conn_state) &&
6297 chan->unacked_frames)
6298 __set_retrans_timer(chan);
6299
6300 l2cap_send_ack(chan);
6301 }
6302 break;
6303 case L2CAP_EV_RECV_RNR:
6304 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6305 l2cap_pass_to_tx(chan, control);
6306 if (control->poll) {
6307 l2cap_send_srej_tail(chan);
6308 } else {
6309 struct l2cap_ctrl rr_control;
6310 memset(&rr_control, 0, sizeof(rr_control));
6311 rr_control.sframe = 1;
6312 rr_control.super = L2CAP_SUPER_RR;
6313 rr_control.reqseq = chan->buffer_seq;
6314 l2cap_send_sframe(chan, &rr_control);
6315 }
6316
6317 break;
6318 case L2CAP_EV_RECV_REJ:
6319 l2cap_handle_rej(chan, control);
6320 break;
6321 case L2CAP_EV_RECV_SREJ:
6322 l2cap_handle_srej(chan, control);
6323 break;
6324 }
6325
6326 if (skb && !skb_in_use) {
6327 BT_DBG("Freeing %p", skb);
6328 kfree_skb(skb);
6329 }
6330
6331 return err;
6332}
6333
32b32735
MM		 6334static int l2cap_finish_move(struct l2cap_chan *chan)
6335{
6336 BT_DBG("chan %p", chan);
6337
6338 chan->rx_state = L2CAP_RX_STATE_RECV;
6339
6340 if (chan->hs_hcon)
6341 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6342 else
6343 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6344
6345 return l2cap_resegment(chan);
6346}
6347
6348static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6349 struct l2cap_ctrl *control,
6350 struct sk_buff *skb, u8 event)
6351{
6352 int err;
6353
6354 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6355 event);
6356
6357 if (!control->poll)
6358 return -EPROTO;
6359
6360 l2cap_process_reqseq(chan, control->reqseq);
6361
6362 if (!skb_queue_empty(&chan->tx_q))
6363 chan->tx_send_head = skb_peek(&chan->tx_q);
6364 else
6365 chan->tx_send_head = NULL;
6366
6367 /* Rewind next_tx_seq to the point expected
6368 * by the receiver.
6369 */
6370 chan->next_tx_seq = control->reqseq;
6371 chan->unacked_frames = 0;
6372
6373 err = l2cap_finish_move(chan);
6374 if (err)
6375 return err;
6376
6377 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6378 l2cap_send_i_or_rr_or_rnr(chan);
6379
6380 if (event == L2CAP_EV_RECV_IFRAME)
6381 return -EPROTO;
6382
6383 return l2cap_rx_state_recv(chan, control, NULL, event);
6384}
6385
6386static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6387 struct l2cap_ctrl *control,
6388 struct sk_buff *skb, u8 event)
6389{
6390 int err;
6391
6392 if (!control->final)
6393 return -EPROTO;
6394
6395 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6396
6397 chan->rx_state = L2CAP_RX_STATE_RECV;
6398 l2cap_process_reqseq(chan, control->reqseq);
6399
6400 if (!skb_queue_empty(&chan->tx_q))
6401 chan->tx_send_head = skb_peek(&chan->tx_q);
6402 else
6403 chan->tx_send_head = NULL;
6404
6405 /* Rewind next_tx_seq to the point expected
6406 * by the receiver.
6407 */
6408 chan->next_tx_seq = control->reqseq;
6409 chan->unacked_frames = 0;
6410
6411 if (chan->hs_hcon)
6412 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6413 else
6414 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6415
6416 err = l2cap_resegment(chan);
6417
6418 if (!err)
6419 err = l2cap_rx_state_recv(chan, control, skb, event);
6420
6421 return err;
6422}
6423
d2a7ac5d
MM		 6424static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6425{
6426 /* Make sure reqseq is for a packet that has been sent but not acked */
6427 u16 unacked;
6428
6429 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6430 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6431}
6432
cec8ab6e
MM		 6433static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6434 struct sk_buff *skb, u8 event)
218bb9df 6435{
d2a7ac5d
MM		 6436 int err = 0;
6437
6438 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6439 control, skb, event, chan->rx_state);
6440
6441 if (__valid_reqseq(chan, control->reqseq)) {
6442 switch (chan->rx_state) {
6443 case L2CAP_RX_STATE_RECV:
6444 err = l2cap_rx_state_recv(chan, control, skb, event);
6445 break;
6446 case L2CAP_RX_STATE_SREJ_SENT:
6447 err = l2cap_rx_state_srej_sent(chan, control, skb,
6448 event);
6449 break;
32b32735
MM		 6450 case L2CAP_RX_STATE_WAIT_P:
6451 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6452 break;
6453 case L2CAP_RX_STATE_WAIT_F:
6454 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6455 break;
d2a7ac5d
MM		 6456 default:
6457 /* shut it down */
6458 break;
6459 }
6460 } else {
6461 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6462 control->reqseq, chan->next_tx_seq,
6463 chan->expected_ack_seq);
5e4e3972 6464 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6465 }
6466
6467 return err;
cec8ab6e
MM		 6468}
6469
6470static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6471 struct sk_buff *skb)
6472{
4b51dae9
MM		 6473 int err = 0;
6474
6475 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6476 chan->rx_state);
6477
6478 if (l2cap_classify_txseq(chan, control->txseq) ==
6479 L2CAP_TXSEQ_EXPECTED) {
6480 l2cap_pass_to_tx(chan, control);
6481
6482 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6483 __next_seq(chan, chan->buffer_seq));
6484
6485 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6486
6487 l2cap_reassemble_sdu(chan, skb, control);
6488 } else {
6489 if (chan->sdu) {
6490 kfree_skb(chan->sdu);
6491 chan->sdu = NULL;
6492 }
6493 chan->sdu_last_frag = NULL;
6494 chan->sdu_len = 0;
6495
6496 if (skb) {
6497 BT_DBG("Freeing %p", skb);
6498 kfree_skb(skb);
6499 }
6500 }
6501
6502 chan->last_acked_seq = control->txseq;
6503 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6504
6505 return err;
cec8ab6e
MM		 6506}
6507
6508static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6509{
6510 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6511 u16 len;
6512 u8 event;
218bb9df 6513
b76bbd66
MM		 6514 __unpack_control(chan, skb);
6515
218bb9df
GP		 6516 len = skb->len;
6517
6518 /*
6519 * We can just drop the corrupted I-frame here.
6520 * Receiver will miss it and start proper recovery
cec8ab6e 6521 * procedures and ask for retransmission.
218bb9df 6522 */
47d1ec61 6523 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6524 goto drop;
6525
cec8ab6e 6526 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6527 len -= L2CAP_SDULEN_SIZE;
218bb9df 6528
47d1ec61 6529 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6530 len -= L2CAP_FCS_SIZE;
218bb9df 6531
47d1ec61 6532 if (len > chan->mps) {
5e4e3972 6533 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6534 goto drop;
6535 }
6536
cec8ab6e
MM		 6537 if (!control->sframe) {
6538 int err;
218bb9df 6539
cec8ab6e
MM		 6540 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6541 control->sar, control->reqseq, control->final,
6542 control->txseq);
218bb9df 6543
cec8ab6e
MM		 6544 /* Validate F-bit - F=0 always valid, F=1 only
6545 * valid in TX WAIT_F
6546 */
6547 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6548 goto drop;
cec8ab6e
MM		 6549
6550 if (chan->mode != L2CAP_MODE_STREAMING) {
6551 event = L2CAP_EV_RECV_IFRAME;
6552 err = l2cap_rx(chan, control, skb, event);
6553 } else {
6554 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6555 }
6556
cec8ab6e 6557 if (err)
5e4e3972 6558 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6559 } else {
cec8ab6e
MM		 6560 const u8 rx_func_to_event[4] = {
6561 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6562 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6563 };
6564
6565 /* Only I-frames are expected in streaming mode */
6566 if (chan->mode == L2CAP_MODE_STREAMING)
6567 goto drop;
6568
6569 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6570 control->reqseq, control->final, control->poll,
6571 control->super);
6572
218bb9df 6573 if (len != 0) {
1bb166e6 6574 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6575 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6576 goto drop;
6577 }
6578
cec8ab6e
MM		 6579 /* Validate F and P bits */
6580 if (control->final && (control->poll ||
6581 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6582 goto drop;
6583
6584 event = rx_func_to_event[control->super];
6585 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6586 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6587 }
6588
6589 return 0;
6590
6591drop:
6592 kfree_skb(skb);
6593 return 0;
6594}
6595
b1c325c2
JH		 6596static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6597{
6598 struct l2cap_conn *conn = chan->conn;
6599 struct l2cap_le_credits pkt;
6600 u16 return_credits;
6601
6602 /* We return more credits to the sender only after the amount of
6603 * credits falls below half of the initial amount.
6604 */
f15b8ecf 6605 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6606 return;
6607
f15b8ecf 6608 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6609
6610 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6611
6612 chan->rx_credits += return_credits;
6613
6614 pkt.cid = cpu_to_le16(chan->scid);
6615 pkt.credits = cpu_to_le16(return_credits);
6616
6617 chan->ident = l2cap_get_ident(conn);
6618
6619 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6620}
6621
fad5fc89
JH		 6622static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6623{
aac23bf6
JH		 6624 int err;
6625
6626 if (!chan->rx_credits) {
6627 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6628 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6629 return -ENOBUFS;
aac23bf6 6630 }
fad5fc89 6631
aac23bf6
JH		 6632 if (chan->imtu < skb->len) {
6633 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6634 return -ENOBUFS;
aac23bf6 6635 }
fad5fc89
JH		 6636
6637 chan->rx_credits--;
6638 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6639
6640 l2cap_chan_le_send_credits(chan);
6641
aac23bf6
JH		 6642 err = 0;
6643
6644 if (!chan->sdu) {
6645 u16 sdu_len;
6646
6647 sdu_len = get_unaligned_le16(skb->data);
6648 skb_pull(skb, L2CAP_SDULEN_SIZE);
6649
6650 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6651 sdu_len, skb->len, chan->imtu);
6652
6653 if (sdu_len > chan->imtu) {
6654 BT_ERR("Too big LE L2CAP SDU length received");
6655 err = -EMSGSIZE;
6656 goto failed;
6657 }
6658
6659 if (skb->len > sdu_len) {
6660 BT_ERR("Too much LE L2CAP data received");
6661 err = -EINVAL;
6662 goto failed;
6663 }
6664
6665 if (skb->len == sdu_len)
6666 return chan->ops->recv(chan, skb);
6667
6668 chan->sdu = skb;
6669 chan->sdu_len = sdu_len;
6670 chan->sdu_last_frag = skb;
6671
6672 return 0;
6673 }
6674
6675 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6676 chan->sdu->len, skb->len, chan->sdu_len);
6677
6678 if (chan->sdu->len + skb->len > chan->sdu_len) {
6679 BT_ERR("Too much LE L2CAP data received");
6680 err = -EINVAL;
6681 goto failed;
6682 }
6683
6684 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6685 skb = NULL;
6686
6687 if (chan->sdu->len == chan->sdu_len) {
6688 err = chan->ops->recv(chan, chan->sdu);
6689 if (!err) {
6690 chan->sdu = NULL;
6691 chan->sdu_last_frag = NULL;
6692 chan->sdu_len = 0;
6693 }
6694 }
6695
6696failed:
6697 if (err) {
6698 kfree_skb(skb);
6699 kfree_skb(chan->sdu);
6700 chan->sdu = NULL;
6701 chan->sdu_last_frag = NULL;
6702 chan->sdu_len = 0;
6703 }
6704
6705 /* We can't return an error here since we took care of the skb
6706 * freeing internally. An error return would cause the caller to
6707 * do a double-free of the skb.
6708 */
6709 return 0;
fad5fc89
JH		 6710}
6711
13ca56e0
AE		 6712static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6713 struct sk_buff *skb)
1da177e4 6714{
48454079 6715 struct l2cap_chan *chan;
1da177e4 6716
baa7e1fa 6717 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6718 if (!chan) {
97e8e89d
AE		 6719 if (cid == L2CAP_CID_A2MP) {
6720 chan = a2mp_channel_create(conn, skb);
6721 if (!chan) {
6722 kfree_skb(skb);
13ca56e0 6723 return;
97e8e89d
AE		 6724 }
6725
6726 l2cap_chan_lock(chan);
6727 } else {
6728 BT_DBG("unknown cid 0x%4.4x", cid);
6729 /* Drop packet and return */
6730 kfree_skb(skb);
13ca56e0 6731 return;
97e8e89d 6732 }
1da177e4
LT		 6733 }
6734
49208c9c 6735 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6736
89bc500e 6737 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6738 goto drop;
6739
0c1bc5c6 6740 switch (chan->mode) {
38319713 6741 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6742 if (l2cap_le_data_rcv(chan, skb) < 0)
6743 goto drop;
6744
6745 goto done;
6746
1c2acffb
GP		 6747 case L2CAP_MODE_BASIC:
6748 /* If socket recv buffers overflows we drop data here
6749 * which is *bad* because L2CAP has to be reliable.
6750 * But we don't have any other choice. L2CAP doesn't
6751 * provide flow control mechanism. */
1da177e4 6752
2c96e03d
SJ		 6753 if (chan->imtu < skb->len) {
6754 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6755 goto drop;
2c96e03d 6756 }
1da177e4 6757
80b98027 6758 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6759 goto done;
6760 break;
6761
6762 case L2CAP_MODE_ERTM:
6840ed07 6763 case L2CAP_MODE_STREAMING:
cec8ab6e 6764 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6765 goto done;
6766
1c2acffb 6767 default:
0c1bc5c6 6768 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6769 break;
6770 }
1da177e4
LT		 6771
6772drop:
6773 kfree_skb(skb);
6774
6775done:
6be36555 6776 l2cap_chan_unlock(chan);
1da177e4
LT		 6777}
6778
84104b24
AE		 6779static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6780 struct sk_buff *skb)
1da177e4 6781{
ae4fd2d3 6782 struct hci_conn *hcon = conn->hcon;
23691d75 6783 struct l2cap_chan *chan;
1da177e4 6784
ae4fd2d3 6785 if (hcon->type != ACL_LINK)
a24cce14 6786 goto free_skb;
ae4fd2d3 6787
bf20fd4e
JH		 6788 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6789 ACL_LINK);
23691d75 6790 if (!chan)
a24cce14 6791 goto free_skb;
1da177e4 6792
5b4cedaa 6793 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6794
89bc500e 6795 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6796 goto drop;
6797
e13e21dc 6798 if (chan->imtu < skb->len)
1da177e4
LT		 6799 goto drop;
6800
2edf870d 6801 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6802 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6803 bt_cb(skb)->psm = psm;
6804
a24cce14
JH		 6805 if (!chan->ops->recv(chan, skb)) {
6806 l2cap_chan_put(chan);
84104b24 6807 return;
a24cce14 6808 }
1da177e4
LT		 6809
6810drop:
a24cce14
JH		 6811 l2cap_chan_put(chan);
6812free_skb:
1da177e4 6813 kfree_skb(skb);
1da177e4
LT		 6814}
6815
6816static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6817{
6818 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6819 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6820 u16 cid, len;
6821 __le16 psm;
1da177e4 6822
61a939c6
JH		 6823 if (hcon->state != BT_CONNECTED) {
6824 BT_DBG("queueing pending rx skb");
6825 skb_queue_tail(&conn->pending_rx, skb);
6826 return;
6827 }
6828
1da177e4
LT		 6829 skb_pull(skb, L2CAP_HDR_SIZE);
6830 cid = __le16_to_cpu(lh->cid);
6831 len = __le16_to_cpu(lh->len);
6832
1c2acffb
GP		 6833 if (len != skb->len) {
6834 kfree_skb(skb);
6835 return;
6836 }
6837
9e1d7e15
JH		 6838 /* Since we can't actively block incoming LE connections we must
6839 * at least ensure that we ignore incoming data from them.
6840 */
6841 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6842 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6843 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6844 kfree_skb(skb);
6845 return;
6846 }
6847
1da177e4
LT		 6848 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6849
6850 switch (cid) {
8db4dc46 6851 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6852 l2cap_sig_channel(conn, skb);
6853 break;
6854
8db4dc46 6855 case L2CAP_CID_CONN_LESS:
097db76c 6856 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6857 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6858 l2cap_conless_channel(conn, psm, skb);
6859 break;
6860
a2877629
MH		 6861 case L2CAP_CID_LE_SIGNALING:
6862 l2cap_le_sig_channel(conn, skb);
6863 break;
6864
b501d6a1
AB		 6865 case L2CAP_CID_SMP:
6866 if (smp_sig_channel(conn, skb))
6867 l2cap_conn_del(conn->hcon, EACCES);
6868 break;
6869
1da177e4
LT		 6870 default:
6871 l2cap_data_channel(conn, cid, skb);
6872 break;
6873 }
6874}
6875
61a939c6
JH		 6876static void process_pending_rx(struct work_struct *work)
6877{
6878 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6879 pending_rx_work);
6880 struct sk_buff *skb;
6881
6882 BT_DBG("");
6883
6884 while ((skb = skb_dequeue(&conn->pending_rx)))
6885 l2cap_recv_frame(conn, skb);
6886}
6887
162b49e7
JH		 6888static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6889{
6890 struct l2cap_conn *conn = hcon->l2cap_data;
6891 struct hci_chan *hchan;
6892
6893 if (conn)
6894 return conn;
6895
6896 hchan = hci_chan_create(hcon);
6897 if (!hchan)
6898 return NULL;
6899
27f70f3e 6900 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6901 if (!conn) {
6902 hci_chan_del(hchan);
6903 return NULL;
6904 }
6905
6906 kref_init(&conn->ref);
6907 hcon->l2cap_data = conn;
6908 conn->hcon = hcon;
6909 hci_conn_get(conn->hcon);
6910 conn->hchan = hchan;
6911
6912 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6913
6914 switch (hcon->type) {
6915 case LE_LINK:
6916 if (hcon->hdev->le_mtu) {
6917 conn->mtu = hcon->hdev->le_mtu;
6918 break;
6919 }
6920 /* fall through */
6921 default:
6922 conn->mtu = hcon->hdev->acl_mtu;
6923 break;
6924 }
6925
6926 conn->feat_mask = 0;
6927
6928 if (hcon->type == ACL_LINK)
6929 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6930 &hcon->hdev->dev_flags);
6931
5a54e7c8 6932 mutex_init(&conn->ident_lock);
162b49e7
JH		 6933 mutex_init(&conn->chan_lock);
6934
6935 INIT_LIST_HEAD(&conn->chan_l);
6936 INIT_LIST_HEAD(&conn->users);
6937
6938 if (hcon->type == LE_LINK)
6939 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
6940 else
6941 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6942
61a939c6
JH		 6943 skb_queue_head_init(&conn->pending_rx);
6944 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6945
162b49e7
JH		 6946 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6947
6948 return conn;
6949}
6950
6951static bool is_valid_psm(u16 psm, u8 dst_type) {
6952 if (!psm)
6953 return false;
6954
6955 if (bdaddr_type_is_le(dst_type))
6956 return (psm <= 0x00ff);
6957
6958 /* PSM must be odd and lsb of upper byte must be 0 */
6959 return ((psm & 0x0101) == 0x0001);
6960}
6961
6962int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6963 bdaddr_t *dst, u8 dst_type)
6964{
6965 struct l2cap_conn *conn;
6966 struct hci_conn *hcon;
6967 struct hci_dev *hdev;
162b49e7
JH		 6968 int err;
6969
6970 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6971 dst_type, __le16_to_cpu(psm));
6972
6973 hdev = hci_get_route(dst, &chan->src);
6974 if (!hdev)
6975 return -EHOSTUNREACH;
6976
6977 hci_dev_lock(hdev);
6978
6979 l2cap_chan_lock(chan);
6980
6981 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6982 chan->chan_type != L2CAP_CHAN_RAW) {
6983 err = -EINVAL;
6984 goto done;
6985 }
6986
21626e62
JH		 6987 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6988 err = -EINVAL;
6989 goto done;
6990 }
6991
6992 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6993 err = -EINVAL;
6994 goto done;
6995 }
6996
6997 switch (chan->mode) {
6998 case L2CAP_MODE_BASIC:
6999 break;
7000 case L2CAP_MODE_LE_FLOWCTL:
7001 l2cap_le_flowctl_init(chan);
7002 break;
7003 case L2CAP_MODE_ERTM:
7004 case L2CAP_MODE_STREAMING:
7005 if (!disable_ertm)
7006 break;
7007 /* fall through */
7008 default:
beb19e4c 7009 err = -EOPNOTSUPP;
162b49e7
JH		 7010 goto done;
7011 }
7012
7013 switch (chan->state) {
7014 case BT_CONNECT:
7015 case BT_CONNECT2:
7016 case BT_CONFIG:
7017 /* Already connecting */
7018 err = 0;
7019 goto done;
7020
7021 case BT_CONNECTED:
7022 /* Already connected */
7023 err = -EISCONN;
7024 goto done;
7025
7026 case BT_OPEN:
7027 case BT_BOUND:
7028 /* Can connect */
7029 break;
7030
7031 default:
7032 err = -EBADFD;
7033 goto done;
7034 }
7035
7036 /* Set destination address and psm */
7037 bacpy(&chan->dst, dst);
7038 chan->dst_type = dst_type;
7039
7040 chan->psm = psm;
7041 chan->dcid = cid;
7042
6f77d8c7 7043 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7044 u8 role;
cdd6275e 7045
6f77d8c7
AG		 7046 /* Convert from L2CAP channel address type to HCI address type
7047 */
7048 if (dst_type == BDADDR_LE_PUBLIC)
7049 dst_type = ADDR_LE_DEV_PUBLIC;
7050 else
7051 dst_type = ADDR_LE_DEV_RANDOM;
7052
e804d25d
JH		 7053 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7054 role = HCI_ROLE_SLAVE;
7055 else
7056 role = HCI_ROLE_MASTER;
cdd6275e 7057
04a6c589 7058 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7059 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7060 } else {
d93375a8 7061 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7062 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7063 }
162b49e7
JH		 7064
7065 if (IS_ERR(hcon)) {
7066 err = PTR_ERR(hcon);
7067 goto done;
7068 }
7069
7070 conn = l2cap_conn_add(hcon);
7071 if (!conn) {
7072 hci_conn_drop(hcon);
7073 err = -ENOMEM;
7074 goto done;
7075 }
7076
7077 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7078 hci_conn_drop(hcon);
7079 err = -EBUSY;
7080 goto done;
7081 }
7082
7083 /* Update source addr of the socket */
7084 bacpy(&chan->src, &hcon->src);
7085 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7086
7087 l2cap_chan_unlock(chan);
7088 l2cap_chan_add(conn, chan);
7089 l2cap_chan_lock(chan);
7090
7091 /* l2cap_chan_add takes its own ref so we can drop this one */
7092 hci_conn_drop(hcon);
7093
7094 l2cap_state_change(chan, BT_CONNECT);
7095 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7096
61202e4d
JH		 7097 /* Release chan->sport so that it can be reused by other
7098 * sockets (as it's only used for listening sockets).
7099 */
7100 write_lock(&chan_list_lock);
7101 chan->sport = 0;
7102 write_unlock(&chan_list_lock);
7103
162b49e7
JH		 7104 if (hcon->state == BT_CONNECTED) {
7105 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7106 __clear_chan_timer(chan);
e7cafc45 7107 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7108 l2cap_state_change(chan, BT_CONNECTED);
7109 } else
7110 l2cap_do_start(chan);
7111 }
7112
7113 err = 0;
7114
7115done:
7116 l2cap_chan_unlock(chan);
7117 hci_dev_unlock(hdev);
7118 hci_dev_put(hdev);
7119 return err;
7120}
6b8d4a6a 7121EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7122
1da177e4
LT		 7123/* ---- L2CAP interface with lower layer (HCI) ---- */
7124
686ebf28 7125int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7126{
7127 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7128 struct l2cap_chan *c;
1da177e4 7129
6ed93dc6 7130 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7131
7132 /* Find listening sockets and check their link_mode */
23691d75
GP		 7133 read_lock(&chan_list_lock);
7134 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7135 if (c->state != BT_LISTEN)
1da177e4
LT		 7136 continue;
7137
7eafc59e 7138 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7139 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7140 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7141 lm1 |= HCI_LM_MASTER;
1da177e4 7142 exact++;
7eafc59e 7143 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7144 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7145 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7146 lm2 |= HCI_LM_MASTER;
7147 }
1da177e4 7148 }
23691d75 7149 read_unlock(&chan_list_lock);
1da177e4
LT		 7150
7151 return exact ? lm1 : lm2;
7152}
7153
e760ec12
JH		 7154/* Find the next fixed channel in BT_LISTEN state, continue iteration
7155 * from an existing channel in the list or from the beginning of the
7156 * global list (by passing NULL as first parameter).
7157 */
7158static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7159 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7160{
7161 read_lock(&chan_list_lock);
7162
7163 if (c)
7164 c = list_next_entry(c, global_l);
7165 else
7166 c = list_entry(chan_list.next, typeof(*c), global_l);
7167
7168 list_for_each_entry_from(c, &chan_list, global_l) {
7169 if (c->chan_type != L2CAP_CHAN_FIXED)
7170 continue;
7171 if (c->state != BT_LISTEN)
7172 continue;
7173 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7174 continue;
54a1b626
JH		 7175 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7176 continue;
7177 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7178 continue;
e760ec12
JH		 7179
7180 l2cap_chan_hold(c);
7181 read_unlock(&chan_list_lock);
7182 return c;
7183 }
7184
7185 read_unlock(&chan_list_lock);
7186
7187 return NULL;
7188}
7189
9e664631 7190void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7191{
e760ec12 7192 struct hci_dev *hdev = hcon->hdev;
0139418c 7193 struct l2cap_conn *conn;
e760ec12
JH		 7194 struct l2cap_chan *pchan;
7195 u8 dst_type;
0139418c 7196
6ed93dc6 7197 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7198
dc0f5088 7199 if (status) {
e175072f 7200 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7201 return;
ba6fc317 7202 }
dc0f5088
JH		 7203
7204 conn = l2cap_conn_add(hcon);
7205 if (!conn)
7206 return;
7207
e760ec12
JH		 7208 dst_type = bdaddr_type(hcon, hcon->dst_type);
7209
7210 /* If device is blocked, do not create channels for it */
7211 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7212 return;
7213
7214 /* Find fixed channels and notify them of the new connection. We
7215 * use multiple individual lookups, continuing each time where
7216 * we left off, because the list lock would prevent calling the
7217 * potentially sleeping l2cap_chan_lock() function.
7218 */
54a1b626 7219 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7220 while (pchan) {
7221 struct l2cap_chan *chan, *next;
7222
7223 /* Client fixed channels should override server ones */
7224 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7225 goto next;
7226
7227 l2cap_chan_lock(pchan);
7228 chan = pchan->ops->new_connection(pchan);
7229 if (chan) {
7230 bacpy(&chan->src, &hcon->src);
7231 bacpy(&chan->dst, &hcon->dst);
7232 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7233 chan->dst_type = dst_type;
7234
7235 __l2cap_chan_add(conn, chan);
7236 }
7237
7238 l2cap_chan_unlock(pchan);
7239next:
54a1b626
JH		 7240 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7241 hcon->type);
e760ec12
JH		 7242 l2cap_chan_put(pchan);
7243 pchan = next;
7244 }
7245
dc0f5088 7246 l2cap_conn_ready(conn);
1da177e4
LT		 7247}
7248
686ebf28 7249int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7250{
7251 struct l2cap_conn *conn = hcon->l2cap_data;
7252
7253 BT_DBG("hcon %p", hcon);
7254
686ebf28 7255 if (!conn)
9f5a0d7b 7256 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7257 return conn->disc_reason;
7258}
7259
9e664631 7260void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7261{
7262 BT_DBG("hcon %p reason %d", hcon, reason);
7263
e175072f 7264 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7265}
7266
4343478f 7267static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7268{
715ec005 7269 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7270 return;
7271
f62e4323 7272 if (encrypt == 0x00) {
4343478f 7273 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7274 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7275 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7276 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7277 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7278 } else {
4343478f 7279 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7280 __clear_chan_timer(chan);
f62e4323
MH		 7281 }
7282}
7283
686ebf28 7284int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7285{
0139418c 7286 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7287 struct l2cap_chan *chan;
1da177e4 7288
0139418c 7289 if (!conn)
1da177e4 7290 return 0;
0139418c 7291
89d8b407 7292 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7293
160dc6ac 7294 if (hcon->type == LE_LINK) {
35d4adcc 7295 if (!status && encrypt)
4bd6d38e 7296 smp_distribute_keys(conn);
17cd3f37 7297 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7298 }
7299
3df91ea2 7300 mutex_lock(&conn->chan_lock);
1da177e4 7301
3df91ea2 7302 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7303 l2cap_chan_lock(chan);
1da177e4 7304
89d8b407
AE		 7305 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7306 state_to_string(chan->state));
f1cb9af5 7307
2338a7e0 7308 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7309 l2cap_chan_unlock(chan);
7310 continue;
7311 }
7312
191eb398
JH		 7313 if (!status && encrypt)
7314 chan->sec_level = hcon->sec_level;
f1cb9af5 7315
96eff46e 7316 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7317 l2cap_chan_unlock(chan);
6a8d3010
MH		 7318 continue;
7319 }
7320
89bc500e 7321 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7322 chan->state == BT_CONFIG)) {
d97c899b 7323 chan->ops->resume(chan);
4343478f 7324 l2cap_check_encryption(chan, encrypt);
6be36555 7325 l2cap_chan_unlock(chan);
9719f8af
MH		 7326 continue;
7327 }
7328
89bc500e 7329 if (chan->state == BT_CONNECT) {
6d3c15da 7330 if (!status)
93c3e8f5 7331 l2cap_start_connection(chan);
6d3c15da 7332 else
ba13ccd9 7333 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7334 } else if (chan->state == BT_CONNECT2) {
b1235d79 7335 struct l2cap_conn_rsp rsp;
df3c3931 7336 __u16 res, stat;
1da177e4 7337
b1235d79 7338 if (!status) {
bdc25783 7339 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7340 res = L2CAP_CR_PEND;
7341 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7342 chan->ops->defer(chan);
df3c3931 7343 } else {
acdcabf5 7344 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7345 res = L2CAP_CR_SUCCESS;
7346 stat = L2CAP_CS_NO_INFO;
7347 }
b1235d79 7348 } else {
acdcabf5 7349 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7350 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7351 res = L2CAP_CR_SEC_BLOCK;
7352 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7353 }
7354
fe4128e0
GP		 7355 rsp.scid = cpu_to_le16(chan->dcid);
7356 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7357 rsp.result = cpu_to_le16(res);
7358 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7359 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7360 sizeof(rsp), &rsp);
2d369359
MM		 7361
7362 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7363 res == L2CAP_CR_SUCCESS) {
7364 char buf[128];
7365 set_bit(CONF_REQ_SENT, &chan->conf_state);
7366 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7367 L2CAP_CONF_REQ,
7368 l2cap_build_conf_req(chan, buf),
7369 buf);
7370 chan->num_conf_req++;
7371 }
b1235d79 7372 }
1da177e4 7373
6be36555 7374 l2cap_chan_unlock(chan);
1da177e4
LT		 7375 }
7376
3df91ea2 7377 mutex_unlock(&conn->chan_lock);
b1235d79 7378
1da177e4
LT		 7379 return 0;
7380}
7381
686ebf28 7382int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7383{
7384 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7385 struct l2cap_hdr *hdr;
7386 int len;
1da177e4 7387
1d13a254
AE		 7388 /* For AMP controller do not create l2cap conn */
7389 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7390 goto drop;
1da177e4 7391
5a08ecce 7392 if (!conn)
baf43251 7393 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7394
7395 if (!conn)
1da177e4
LT		 7396 goto drop;
7397
7398 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7399
d73a0988
AE		 7400 switch (flags) {
7401 case ACL_START:
7402 case ACL_START_NO_FLUSH:
7403 case ACL_COMPLETE:
1da177e4
LT		 7404 if (conn->rx_len) {
7405 BT_ERR("Unexpected start frame (len %d)", skb->len);
7406 kfree_skb(conn->rx_skb);
7407 conn->rx_skb = NULL;
7408 conn->rx_len = 0;
7409 l2cap_conn_unreliable(conn, ECOMM);
7410 }
7411
aae7fe22
AE		 7412 /* Start fragment always begin with Basic L2CAP header */
7413 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7414 BT_ERR("Frame is too short (len %d)", skb->len);
7415 l2cap_conn_unreliable(conn, ECOMM);
7416 goto drop;
7417 }
7418
7419 hdr = (struct l2cap_hdr *) skb->data;
7420 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7421
7422 if (len == skb->len) {
7423 /* Complete frame received */
7424 l2cap_recv_frame(conn, skb);
7425 return 0;
7426 }
7427
7428 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7429
7430 if (skb->len > len) {
7431 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7432 skb->len, len);
1da177e4
LT		 7433 l2cap_conn_unreliable(conn, ECOMM);
7434 goto drop;
7435 }
7436
7437 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7438 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7439 if (!conn->rx_skb)
1da177e4
LT		 7440 goto drop;
7441
d626f62b 7442 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7443 skb->len);
1da177e4 7444 conn->rx_len = len - skb->len;
d73a0988
AE		 7445 break;
7446
7447 case ACL_CONT:
1da177e4
LT		 7448 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7449
7450 if (!conn->rx_len) {
7451 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7452 l2cap_conn_unreliable(conn, ECOMM);
7453 goto drop;
7454 }
7455
7456 if (skb->len > conn->rx_len) {
7457 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7458 skb->len, conn->rx_len);
1da177e4
LT		 7459 kfree_skb(conn->rx_skb);
7460 conn->rx_skb = NULL;
7461 conn->rx_len = 0;
7462 l2cap_conn_unreliable(conn, ECOMM);
7463 goto drop;
7464 }
7465
d626f62b 7466 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7467 skb->len);
1da177e4
LT		 7468 conn->rx_len -= skb->len;
7469
7470 if (!conn->rx_len) {
c4e5bafa
JH		 7471 /* Complete frame received. l2cap_recv_frame
7472 * takes ownership of the skb so set the global
7473 * rx_skb pointer to NULL first.
7474 */
7475 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7476 conn->rx_skb = NULL;
c4e5bafa 7477 l2cap_recv_frame(conn, rx_skb);
1da177e4 7478 }
d73a0988 7479 break;
1da177e4
LT		 7480 }
7481
7482drop:
7483 kfree_skb(skb);
7484 return 0;
7485}
7486
aef7d97c 7487static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7488{
23691d75 7489 struct l2cap_chan *c;
1da177e4 7490
333055f2 7491 read_lock(&chan_list_lock);
1da177e4 7492
23691d75 7493 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7494 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7495 &c->src, &c->dst,
fcb73338
AE		 7496 c->state, __le16_to_cpu(c->psm),
7497 c->scid, c->dcid, c->imtu, c->omtu,
7498 c->sec_level, c->mode);
61e1b4b7 7499 }
1da177e4 7500
333055f2 7501 read_unlock(&chan_list_lock);
1da177e4 7502
aef7d97c 7503 return 0;
1da177e4
LT		 7504}
7505
aef7d97c
MH		 7506static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7507{
7508 return single_open(file, l2cap_debugfs_show, inode->i_private);
7509}
7510
7511static const struct file_operations l2cap_debugfs_fops = {
7512 .open = l2cap_debugfs_open,
7513 .read = seq_read,
7514 .llseek = seq_lseek,
7515 .release = single_release,
7516};
7517
7518static struct dentry *l2cap_debugfs;
1da177e4 7519
64274518 7520int __init l2cap_init(void)
1da177e4
LT		 7521{
7522 int err;
be9d1227 7523
bb58f747 7524 err = l2cap_init_sockets();
1da177e4
LT		 7525 if (err < 0)
7526 return err;
7527
1120e4bf
MH		 7528 if (IS_ERR_OR_NULL(bt_debugfs))
7529 return 0;
7530
7531 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7532 NULL, &l2cap_debugfs_fops);
1da177e4 7533
40b9397a 7534 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7535 &le_max_credits);
40b9397a 7536 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7537 &le_default_mps);
7538
1da177e4 7539 return 0;
1da177e4
LT		 7540}
7541
64274518 7542void l2cap_exit(void)
1da177e4 7543{
aef7d97c 7544 debugfs_remove(l2cap_debugfs);
bb58f747 7545 l2cap_cleanup_sockets();
1da177e4
LT		 7546}
7547
d1c4a17d
GP		 7548module_param(disable_ertm, bool, 0644);
7549MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.461191 seconds and 5 git commands to generate.