projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Reorder L2CAP functions to avoid forward declarations
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
18722c24 43#include "6lowpan.h"
1da177e4 44
d1de6d46 45bool disable_ertm;
f0709e03 46
547d1032 47static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 48static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 49
b5ad8b7f
JB		 50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
1da177e4 52
f15b8ecf
JH		 53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
1da177e4 56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 57 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 59 void *data);
710f9b0a 60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 62
d660366d 63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 64 struct sk_buff_head *skbs, u8 event);
608bcc6d 65
4f1654e0
MH		 66static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
67{
68 if (hcon->type == LE_LINK) {
69 if (type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56 79
2d792818
GP		 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
81 u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
2d792818
GP		 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
93 u16 cid)
0139418c 94{
3df91ea2 95 struct l2cap_chan *c;
3d57dc68 96
3df91ea2
AE		 97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->scid == cid)
99 return c;
0139418c 100 }
3df91ea2 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
ef191ade 105 * Returns locked channel. */
2d792818
GP		 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 u16 cid)
0139418c 108{
48454079 109 struct l2cap_chan *c;
baa7e1fa 110
3df91ea2 111 mutex_lock(&conn->chan_lock);
baa7e1fa 112 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 113 if (c)
114 l2cap_chan_lock(c);
3df91ea2
AE		 115 mutex_unlock(&conn->chan_lock);
116
48454079 117 return c;
0139418c
MH		 118}
119
b1a130b7
MM		 120/* Find channel with given DCID.
121 * Returns locked channel.
122 */
123static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
124 u16 cid)
125{
126 struct l2cap_chan *c;
127
128 mutex_lock(&conn->chan_lock);
129 c = __l2cap_get_chan_by_dcid(conn, cid);
130 if (c)
131 l2cap_chan_lock(c);
132 mutex_unlock(&conn->chan_lock);
133
134 return c;
135}
136
2d792818
GP		 137static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
138 u8 ident)
0139418c 139{
3df91ea2 140 struct l2cap_chan *c;
3d57dc68 141
3df91ea2
AE		 142 list_for_each_entry(c, &conn->chan_l, list) {
143 if (c->ident == ident)
144 return c;
0139418c 145 }
3df91ea2 146 return NULL;
0139418c
MH		 147}
148
5b155ef9
MM		 149static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151{
152 struct l2cap_chan *c;
153
154 mutex_lock(&conn->chan_lock);
155 c = __l2cap_get_chan_by_ident(conn, ident);
156 if (c)
157 l2cap_chan_lock(c);
158 mutex_unlock(&conn->chan_lock);
159
160 return c;
161}
162
23691d75 163static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 164{
23691d75 165 struct l2cap_chan *c;
9e4425ff 166
23691d75 167 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 168 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 169 return c;
9e4425ff 170 }
250938cb 171 return NULL;
9e4425ff
GP		 172}
173
174int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
175{
73b2ec18
GP		 176 int err;
177
333055f2 178 write_lock(&chan_list_lock);
9e4425ff 179
23691d75 180 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 181 err = -EADDRINUSE;
182 goto done;
9e4425ff
GP		 183 }
184
73b2ec18
GP		 185 if (psm) {
186 chan->psm = psm;
187 chan->sport = psm;
188 err = 0;
189 } else {
190 u16 p;
191
192 err = -EINVAL;
193 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 194 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 195 chan->psm = cpu_to_le16(p);
196 chan->sport = cpu_to_le16(p);
197 err = 0;
198 break;
199 }
200 }
9e4425ff 201
73b2ec18 202done:
333055f2 203 write_unlock(&chan_list_lock);
73b2ec18 204 return err;
9e4425ff
GP		 205}
206
207int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
208{
333055f2 209 write_lock(&chan_list_lock);
9e4425ff
GP		 210
211 chan->scid = scid;
212
333055f2 213 write_unlock(&chan_list_lock);
9e4425ff
GP		 214
215 return 0;
216}
217
baa7e1fa 218static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 219{
e77af755 220 u16 cid, dyn_end;
0139418c 221
e77af755
JH		 222 if (conn->hcon->type == LE_LINK)
223 dyn_end = L2CAP_CID_LE_DYN_END;
224 else
225 dyn_end = L2CAP_CID_DYN_END;
226
227 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 228 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 229 return cid;
230 }
231
232 return 0;
233}
234
f93fa273 235static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 236{
42d2d87c 237 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 238 state_to_string(state));
badaaa00 239
89bc500e 240 chan->state = state;
53f52121 241 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 242}
243
f8e73017
GP		 244static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
2e0052e4 246{
f8e73017 247 chan->state = state;
53f52121 248 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 249}
250
251static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
252{
f8e73017 253 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 254}
255
4239d16f
MM		 256static void __set_retrans_timer(struct l2cap_chan *chan)
257{
258 if (!delayed_work_pending(&chan->monitor_timer) &&
259 chan->retrans_timeout) {
260 l2cap_set_timer(chan, &chan->retrans_timer,
261 msecs_to_jiffies(chan->retrans_timeout));
262 }
263}
264
265static void __set_monitor_timer(struct l2cap_chan *chan)
266{
267 __clear_retrans_timer(chan);
268 if (chan->monitor_timeout) {
269 l2cap_set_timer(chan, &chan->monitor_timer,
270 msecs_to_jiffies(chan->monitor_timeout));
271 }
272}
273
608bcc6d
MM		 274static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
275 u16 seq)
276{
277 struct sk_buff *skb;
278
279 skb_queue_walk(head, skb) {
280 if (bt_cb(skb)->control.txseq == seq)
281 return skb;
282 }
283
284 return NULL;
285}
286
3c588192
MM		 287/* ---- L2CAP sequence number lists ---- */
288
289/* For ERTM, ordered lists of sequence numbers must be tracked for
290 * SREJ requests that are received and for frames that are to be
291 * retransmitted. These seq_list functions implement a singly-linked
292 * list in an array, where membership in the list can also be checked
293 * in constant time. Items can also be added to the tail of the list
294 * and removed from the head in constant time, without further memory
295 * allocs or frees.
296 */
297
298static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
299{
300 size_t alloc_size, i;
301
302 /* Allocated size is a power of 2 to map sequence numbers
303 * (which may be up to 14 bits) in to a smaller array that is
304 * sized for the negotiated ERTM transmit windows.
305 */
306 alloc_size = roundup_pow_of_two(size);
307
308 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
309 if (!seq_list->list)
310 return -ENOMEM;
311
312 seq_list->mask = alloc_size - 1;
313 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
314 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
315 for (i = 0; i < alloc_size; i++)
316 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
317
318 return 0;
319}
320
321static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
322{
323 kfree(seq_list->list);
324}
325
326static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
327 u16 seq)
328{
329 /* Constant-time check for list membership */
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331}
332
333static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
334{
335 u16 mask = seq_list->mask;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
338 /* In case someone tries to pop the head of an empty list */
339 return L2CAP_SEQ_LIST_CLEAR;
340 } else if (seq_list->head == seq) {
341 /* Head can be removed in constant time */
342 seq_list->head = seq_list->list[seq & mask];
343 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
346 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
347 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
348 }
349 } else {
350 /* Walk the list to find the sequence number */
351 u16 prev = seq_list->head;
352 while (seq_list->list[prev & mask] != seq) {
353 prev = seq_list->list[prev & mask];
354 if (prev == L2CAP_SEQ_LIST_TAIL)
355 return L2CAP_SEQ_LIST_CLEAR;
356 }
357
358 /* Unlink the number from the list and clear it */
359 seq_list->list[prev & mask] = seq_list->list[seq & mask];
360 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
361 if (seq_list->tail == seq)
362 seq_list->tail = prev;
363 }
364 return seq;
365}
366
367static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
368{
369 /* Remove the head in constant time */
370 return l2cap_seq_list_remove(seq_list, seq_list->head);
371}
372
373static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
374{
f522ae36 375 u16 i;
3c588192 376
f522ae36
GP		 377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
378 return;
379
380 for (i = 0; i <= seq_list->mask; i++)
381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382
383 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 385}
386
387static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388{
389 u16 mask = seq_list->mask;
390
391 /* All appends happen in constant time */
392
f522ae36
GP		 393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
394 return;
3c588192 395
f522ae36
GP		 396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
397 seq_list->head = seq;
398 else
399 seq_list->list[seq_list->tail & mask] = seq;
400
401 seq_list->tail = seq;
402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 403}
404
721c4181 405static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 406{
721c4181 407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 408 chan_timer.work);
3df91ea2 409 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 410 int reason;
411
e05dcc32 412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 413
3df91ea2 414 mutex_lock(&conn->chan_lock);
6be36555 415 l2cap_chan_lock(chan);
ab07801d 416
89bc500e 417 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 418 reason = ECONNREFUSED;
89bc500e 419 else if (chan->state == BT_CONNECT &&
2d792818 420 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 421 reason = ECONNREFUSED;
422 else
423 reason = ETIMEDOUT;
424
0f852724 425 l2cap_chan_close(chan, reason);
ab07801d 426
6be36555 427 l2cap_chan_unlock(chan);
ab07801d 428
80b98027 429 chan->ops->close(chan);
3df91ea2
AE		 430 mutex_unlock(&conn->chan_lock);
431
371fd835 432 l2cap_chan_put(chan);
ab07801d
GP		 433}
434
eef1d9b6 435struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 436{
437 struct l2cap_chan *chan;
438
439 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
440 if (!chan)
441 return NULL;
442
c03b355e
AE		 443 mutex_init(&chan->lock);
444
333055f2 445 write_lock(&chan_list_lock);
23691d75 446 list_add(&chan->global_l, &chan_list);
333055f2 447 write_unlock(&chan_list_lock);
23691d75 448
721c4181 449 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 450
89bc500e
GP		 451 chan->state = BT_OPEN;
452
144ad330 453 kref_init(&chan->kref);
71ba0e56 454
2827011f
MM		 455 /* This flag is cleared in l2cap_chan_ready() */
456 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
457
eef1d9b6 458 BT_DBG("chan %p", chan);
abc545b8 459
48454079
GP		 460 return chan;
461}
462
144ad330 463static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 464{
144ad330
SS		 465 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
466
4af66c69
JK		 467 BT_DBG("chan %p", chan);
468
333055f2 469 write_lock(&chan_list_lock);
23691d75 470 list_del(&chan->global_l);
333055f2 471 write_unlock(&chan_list_lock);
23691d75 472
4af66c69 473 kfree(chan);
6ff5abbf
GP		 474}
475
30648372
JK		 476void l2cap_chan_hold(struct l2cap_chan *c)
477{
144ad330 478 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 479
144ad330 480 kref_get(&c->kref);
30648372
JK		 481}
482
483void l2cap_chan_put(struct l2cap_chan *c)
484{
144ad330 485 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 486
144ad330 487 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 488}
489
bd4b1653
AE		 490void l2cap_chan_set_defaults(struct l2cap_chan *chan)
491{
492 chan->fcs = L2CAP_FCS_CRC16;
493 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
494 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 496 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 497 chan->sec_level = BT_SECURITY_LOW;
498
499 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
500}
501
0ce43ce6 502static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 503{
0ce43ce6
JH		 504 chan->sdu = NULL;
505 chan->sdu_last_frag = NULL;
506 chan->sdu_len = 0;
0cd75f7e 507 chan->tx_credits = 0;
f15b8ecf 508 chan->rx_credits = le_max_credits;
f1324ea5 509 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS);
0ce43ce6
JH		 510
511 skb_queue_head_init(&chan->tx_q);
38319713
JH		 512}
513
93c3e8f5 514void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 515{
af05b30b 516 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 517 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 518
9f5a0d7b 519 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 520
8c1d787b 521 chan->conn = conn;
0139418c 522
5491120e
AE		 523 switch (chan->chan_type) {
524 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b 525 if (conn->hcon->type == LE_LINK) {
aeddd075
JH		 526 if (chan->dcid == L2CAP_CID_ATT) {
527 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c 528 chan->scid = L2CAP_CID_ATT;
aeddd075 529 } else {
9f22398c 530 chan->scid = l2cap_alloc_cid(conn);
aeddd075 531 }
b62f328b
VT		 532 } else {
533 /* Alloc CID for connection-oriented socket */
fe4128e0 534 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 535 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 536 }
5491120e
AE		 537 break;
538
539 case L2CAP_CHAN_CONN_LESS:
0139418c 540 /* Connectionless socket */
fe4128e0
GP		 541 chan->scid = L2CAP_CID_CONN_LESS;
542 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 543 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 544 break;
545
416fa752
AE		 546 case L2CAP_CHAN_CONN_FIX_A2MP:
547 chan->scid = L2CAP_CID_A2MP;
548 chan->dcid = L2CAP_CID_A2MP;
549 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
550 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
551 break;
552
5491120e 553 default:
0139418c 554 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 555 chan->scid = L2CAP_CID_SIGNALING;
556 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 557 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 558 }
559
8f7975b1
AE		 560 chan->local_id = L2CAP_BESTEFFORT_ID;
561 chan->local_stype = L2CAP_SERV_BESTEFFORT;
562 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
563 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
564 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 565 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 566
371fd835 567 l2cap_chan_hold(chan);
baa7e1fa 568
5ee9891d
JH		 569 hci_conn_hold(conn->hcon);
570
3df91ea2 571 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 572}
573
466f8004 574void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 575{
576 mutex_lock(&conn->chan_lock);
577 __l2cap_chan_add(conn, chan);
3df91ea2 578 mutex_unlock(&conn->chan_lock);
0139418c
MH		 579}
580
466f8004 581void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 582{
8c1d787b 583 struct l2cap_conn *conn = chan->conn;
0139418c 584
c9b66675 585 __clear_chan_timer(chan);
0139418c 586
49208c9c 587 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 588
8e87d142 589 if (conn) {
56f60984 590 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 591 /* Delete from channel list */
3df91ea2 592 list_del(&chan->list);
3d57dc68 593
371fd835 594 l2cap_chan_put(chan);
baa7e1fa 595
8c1d787b 596 chan->conn = NULL;
3cabbfda
AE		 597
598 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 599 hci_conn_drop(conn->hcon);
56f60984
AE		 600
601 if (mgr && mgr->bredr_chan == chan)
602 mgr->bredr_chan = NULL;
0139418c
MH		 603 }
604
419e08c1
AE		 605 if (chan->hs_hchan) {
606 struct hci_chan *hs_hchan = chan->hs_hchan;
607
608 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
609 amp_disconnect_logical_link(hs_hchan);
610 }
611
b699ec0d 612 chan->ops->teardown(chan, err);
6be36555 613
2827011f 614 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 615 return;
2ead70b8 616
ee556f66
GP		 617 switch(chan->mode) {
618 case L2CAP_MODE_BASIC:
619 break;
c13ffa62 620
38319713 621 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 622 skb_queue_purge(&chan->tx_q);
38319713
JH		 623 break;
624
ee556f66 625 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 626 __clear_retrans_timer(chan);
627 __clear_monitor_timer(chan);
628 __clear_ack_timer(chan);
c13ffa62 629
f1c6775b 630 skb_queue_purge(&chan->srej_q);
c13ffa62 631
3c588192
MM		 632 l2cap_seq_list_free(&chan->srej_list);
633 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 634
635 /* fall through */
636
637 case L2CAP_MODE_STREAMING:
638 skb_queue_purge(&chan->tx_q);
639 break;
c13ffa62 640 }
ee556f66
GP		 641
642 return;
0139418c
MH		 643}
644
27e2d4c8
JH		 645static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
646{
647 struct l2cap_conn *conn = chan->conn;
648 struct l2cap_le_conn_rsp rsp;
649 u16 result;
650
651 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
652 result = L2CAP_CR_AUTHORIZATION;
653 else
654 result = L2CAP_CR_BAD_PSM;
655
656 l2cap_state_change(chan, BT_DISCONN);
657
658 rsp.dcid = cpu_to_le16(chan->scid);
659 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 660 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 661 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 662 rsp.result = cpu_to_le16(result);
663
664 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
665 &rsp);
666}
667
791d60f7
JH		 668static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
669{
670 struct l2cap_conn *conn = chan->conn;
671 struct l2cap_conn_rsp rsp;
672 u16 result;
673
674 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
675 result = L2CAP_CR_SEC_BLOCK;
676 else
677 result = L2CAP_CR_BAD_PSM;
678
679 l2cap_state_change(chan, BT_DISCONN);
680
681 rsp.scid = cpu_to_le16(chan->dcid);
682 rsp.dcid = cpu_to_le16(chan->scid);
683 rsp.result = cpu_to_le16(result);
684 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
685
686 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
687}
688
0f852724 689void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 690{
691 struct l2cap_conn *conn = chan->conn;
4519de9a 692
7eafc59e 693 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 694
89bc500e 695 switch (chan->state) {
4519de9a 696 case BT_LISTEN:
b699ec0d 697 chan->ops->teardown(chan, 0);
4519de9a
GP		 698 break;
699
700 case BT_CONNECTED:
701 case BT_CONFIG:
cea04ce3
JH		 702 /* ATT uses L2CAP_CHAN_CONN_ORIENTED so we must also
703 * check for chan->psm.
704 */
705 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
8d836d71 706 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 707 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 708 } else
709 l2cap_chan_del(chan, reason);
710 break;
711
712 case BT_CONNECT2:
791d60f7
JH		 713 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
714 if (conn->hcon->type == ACL_LINK)
715 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 716 else if (conn->hcon->type == LE_LINK)
717 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 718 }
719
720 l2cap_chan_del(chan, reason);
721 break;
722
723 case BT_CONNECT:
724 case BT_DISCONN:
725 l2cap_chan_del(chan, reason);
726 break;
727
728 default:
b699ec0d 729 chan->ops->teardown(chan, 0);
4519de9a
GP		 730 break;
731 }
732}
733
4343478f 734static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 735{
6a974b50
MH		 736 switch (chan->chan_type) {
737 case L2CAP_CHAN_RAW:
4343478f 738 switch (chan->sec_level) {
8556edd3 739 case BT_SECURITY_HIGH:
7d513e92 740 case BT_SECURITY_FIPS:
8556edd3
JH		 741 return HCI_AT_DEDICATED_BONDING_MITM;
742 case BT_SECURITY_MEDIUM:
743 return HCI_AT_DEDICATED_BONDING;
744 default:
745 return HCI_AT_NO_BONDING;
746 }
6a974b50 747 break;
3124b843
MH		 748 case L2CAP_CHAN_CONN_LESS:
749 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
750 if (chan->sec_level == BT_SECURITY_LOW)
751 chan->sec_level = BT_SECURITY_SDP;
752 }
7d513e92
MH		 753 if (chan->sec_level == BT_SECURITY_HIGH ||
754 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 755 return HCI_AT_NO_BONDING_MITM;
756 else
757 return HCI_AT_NO_BONDING;
758 break;
6a974b50
MH		 759 case L2CAP_CHAN_CONN_ORIENTED:
760 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
761 if (chan->sec_level == BT_SECURITY_LOW)
762 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 763
7d513e92
MH		 764 if (chan->sec_level == BT_SECURITY_HIGH ||
765 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 766 return HCI_AT_NO_BONDING_MITM;
767 else
768 return HCI_AT_NO_BONDING;
769 }
770 /* fall through */
771 default:
4343478f 772 switch (chan->sec_level) {
00ae4af9 773 case BT_SECURITY_HIGH:
7d513e92 774 case BT_SECURITY_FIPS:
8556edd3 775 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 776 case BT_SECURITY_MEDIUM:
8556edd3 777 return HCI_AT_GENERAL_BONDING;
00ae4af9 778 default:
8556edd3 779 return HCI_AT_NO_BONDING;
00ae4af9 780 }
6a974b50 781 break;
0684e5f9 782 }
8556edd3
JH		 783}
784
785/* Service level security */
d45fc423 786int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 787{
8c1d787b 788 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 789 __u8 auth_type;
790
a17de2fe
JH		 791 if (conn->hcon->type == LE_LINK)
792 return smp_conn_security(conn->hcon, chan->sec_level);
793
4343478f 794 auth_type = l2cap_get_auth_type(chan);
79d554a6 795
4343478f 796 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 797}
798
b5ad8b7f 799static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 800{
801 u8 id;
802
803 /* Get next available identificator.
804 * 1 - 128 are used by kernel.
805 * 129 - 199 are reserved.
806 * 200 - 254 are used by utilities like l2ping, etc.
807 */
808
333055f2 809 spin_lock(&conn->lock);
4e8402a3
MH		 810
811 if (++conn->tx_ident > 128)
812 conn->tx_ident = 1;
813
814 id = conn->tx_ident;
815
333055f2 816 spin_unlock(&conn->lock);
4e8402a3
MH		 817
818 return id;
819}
820
2d792818
GP		 821static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
822 void *data)
4e8402a3
MH		 823{
824 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 825 u8 flags;
4e8402a3
MH		 826
827 BT_DBG("code 0x%2.2x", code);
828
829 if (!skb)
9a9c6a34 830 return;
4e8402a3 831
e702112f
AE		 832 if (lmp_no_flush_capable(conn->hcon->hdev))
833 flags = ACL_START_NO_FLUSH;
834 else
835 flags = ACL_START;
836
14b12d0b 837 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 838 skb->priority = HCI_PRIO_MAX;
14b12d0b 839
73d80deb
LAD		 840 hci_send_acl(conn->hchan, skb, flags);
841}
842
02b0fbb9
MM		 843static bool __chan_is_moving(struct l2cap_chan *chan)
844{
845 return chan->move_state != L2CAP_MOVE_STABLE &&
846 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
847}
848
73d80deb
LAD		 849static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
850{
851 struct hci_conn *hcon = chan->conn->hcon;
852 u16 flags;
853
854 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 855 skb->priority);
73d80deb 856
d5f8a75d
MM		 857 if (chan->hs_hcon && !__chan_is_moving(chan)) {
858 if (chan->hs_hchan)
859 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
860 else
861 kfree_skb(skb);
862
863 return;
864 }
865
73d80deb 866 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 867 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 868 flags = ACL_START_NO_FLUSH;
869 else
870 flags = ACL_START;
14b12d0b 871
73d80deb
LAD		 872 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
873 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 874}
875
b76bbd66
MM		 876static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
877{
878 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
879 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
880
881 if (enh & L2CAP_CTRL_FRAME_TYPE) {
882 /* S-Frame */
883 control->sframe = 1;
884 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
885 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
886
887 control->sar = 0;
888 control->txseq = 0;
889 } else {
890 /* I-Frame */
891 control->sframe = 0;
892 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
893 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
894
895 control->poll = 0;
896 control->super = 0;
897 }
898}
899
b76bbd66
MM		 900static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
901{
902 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
903 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
904
905 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
906 /* S-Frame */
907 control->sframe = 1;
908 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
909 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
910
911 control->sar = 0;
912 control->txseq = 0;
913 } else {
914 /* I-Frame */
915 control->sframe = 0;
916 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
917 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
918
919 control->poll = 0;
920 control->super = 0;
921 }
922}
923
924static inline void __unpack_control(struct l2cap_chan *chan,
925 struct sk_buff *skb)
926{
927 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
928 __unpack_extended_control(get_unaligned_le32(skb->data),
929 &bt_cb(skb)->control);
cec8ab6e 930 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 931 } else {
932 __unpack_enhanced_control(get_unaligned_le16(skb->data),
933 &bt_cb(skb)->control);
cec8ab6e 934 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 935 }
936}
937
b5c6aaed
MM		 938static u32 __pack_extended_control(struct l2cap_ctrl *control)
939{
940 u32 packed;
941
942 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
943 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
944
945 if (control->sframe) {
946 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
947 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
948 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
949 } else {
950 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
951 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
952 }
953
954 return packed;
955}
956
957static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
958{
959 u16 packed;
960
961 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
962 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
963
964 if (control->sframe) {
965 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
966 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
967 packed |= L2CAP_CTRL_FRAME_TYPE;
968 } else {
969 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
970 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
971 }
972
973 return packed;
974}
975
b76bbd66
MM		 976static inline void __pack_control(struct l2cap_chan *chan,
977 struct l2cap_ctrl *control,
978 struct sk_buff *skb)
979{
980 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
981 put_unaligned_le32(__pack_extended_control(control),
982 skb->data + L2CAP_HDR_SIZE);
983 } else {
984 put_unaligned_le16(__pack_enhanced_control(control),
985 skb->data + L2CAP_HDR_SIZE);
986 }
987}
988
ba7aa64f
GP		 989static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
990{
991 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
992 return L2CAP_EXT_HDR_SIZE;
993 else
994 return L2CAP_ENH_HDR_SIZE;
995}
996
a67d7f6f
MM		 997static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
998 u32 control)
b5c6aaed
MM		 999{
1000 struct sk_buff *skb;
1001 struct l2cap_hdr *lh;
ba7aa64f 1002 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1003
1004 if (chan->fcs == L2CAP_FCS_CRC16)
1005 hlen += L2CAP_FCS_SIZE;
1006
a67d7f6f 1007 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1008
b5c6aaed 1009 if (!skb)
a67d7f6f 1010 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1011
1012 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1013 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1014 lh->cid = cpu_to_le16(chan->dcid);
1015
a67d7f6f
MM		 1016 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1017 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1018 else
1019 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1020
1021 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1022 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1023 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1024 }
1025
1026 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1027 return skb;
1028}
1029
1030static void l2cap_send_sframe(struct l2cap_chan *chan,
1031 struct l2cap_ctrl *control)
1032{
1033 struct sk_buff *skb;
1034 u32 control_field;
1035
1036 BT_DBG("chan %p, control %p", chan, control);
1037
1038 if (!control->sframe)
1039 return;
1040
b99e13ad
MM		 1041 if (__chan_is_moving(chan))
1042 return;
1043
a67d7f6f
MM		 1044 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1045 !control->poll)
1046 control->final = 1;
1047
1048 if (control->super == L2CAP_SUPER_RR)
1049 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1050 else if (control->super == L2CAP_SUPER_RNR)
1051 set_bit(CONN_RNR_SENT, &chan->conn_state);
1052
1053 if (control->super != L2CAP_SUPER_SREJ) {
1054 chan->last_acked_seq = control->reqseq;
1055 __clear_ack_timer(chan);
1056 }
1057
1058 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1059 control->final, control->poll, control->super);
1060
1061 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1062 control_field = __pack_extended_control(control);
1063 else
1064 control_field = __pack_enhanced_control(control);
1065
1066 skb = l2cap_create_sframe_pdu(chan, control_field);
1067 if (!IS_ERR(skb))
1068 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1069}
1070
c9e3d5e0 1071static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1072{
c9e3d5e0
MM		 1073 struct l2cap_ctrl control;
1074
1075 BT_DBG("chan %p, poll %d", chan, poll);
1076
1077 memset(&control, 0, sizeof(control));
1078 control.sframe = 1;
1079 control.poll = poll;
1080
1081 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1082 control.super = L2CAP_SUPER_RNR;
1083 else
1084 control.super = L2CAP_SUPER_RR;
b5c6aaed 1085
c9e3d5e0
MM		 1086 control.reqseq = chan->buffer_seq;
1087 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1088}
1089
b4450035 1090static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1091{
c1360a1c 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1093}
1094
1df7b17a 1095static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1096{
1df7b17a 1097 struct l2cap_conn *conn = chan->conn;
80d58d0b 1098 struct hci_dev *hdev;
1df7b17a
MH		 1099 bool amp_available = false;
1100
1101 if (!conn->hs_enabled)
1102 return false;
1103
1104 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1105 return false;
80d58d0b
MH		 1106
1107 read_lock(&hci_dev_list_lock);
1df7b17a 1108 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1109 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1110 test_bit(HCI_UP, &hdev->flags)) {
1111 amp_available = true;
1112 break;
1113 }
1114 }
80d58d0b
MH		 1115 read_unlock(&hci_dev_list_lock);
1116
1df7b17a
MH		 1117 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1118 return amp_available;
848566b3
MH		 1119
1120 return false;
93c3e8f5
AE		 1121}
1122
5ce66b59
AE		 1123static bool l2cap_check_efs(struct l2cap_chan *chan)
1124{
1125 /* Check EFS parameters */
1126 return true;
1127}
1128
2766be48 1129void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1130{
1131 struct l2cap_conn *conn = chan->conn;
1132 struct l2cap_conn_req req;
1133
1134 req.scid = cpu_to_le16(chan->scid);
1135 req.psm = chan->psm;
1136
1137 chan->ident = l2cap_get_ident(conn);
1138
1139 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1140
1141 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1142}
1143
8eb200bd
MM		 1144static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1145{
1146 struct l2cap_create_chan_req req;
1147 req.scid = cpu_to_le16(chan->scid);
1148 req.psm = chan->psm;
1149 req.amp_id = amp_id;
1150
1151 chan->ident = l2cap_get_ident(chan->conn);
1152
1153 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1154 sizeof(req), &req);
1155}
1156
02b0fbb9
MM		 1157static void l2cap_move_setup(struct l2cap_chan *chan)
1158{
1159 struct sk_buff *skb;
1160
1161 BT_DBG("chan %p", chan);
1162
1163 if (chan->mode != L2CAP_MODE_ERTM)
1164 return;
1165
1166 __clear_retrans_timer(chan);
1167 __clear_monitor_timer(chan);
1168 __clear_ack_timer(chan);
1169
1170 chan->retry_count = 0;
1171 skb_queue_walk(&chan->tx_q, skb) {
1172 if (bt_cb(skb)->control.retries)
1173 bt_cb(skb)->control.retries = 1;
1174 else
1175 break;
1176 }
1177
1178 chan->expected_tx_seq = chan->buffer_seq;
1179
1180 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1181 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1182 l2cap_seq_list_clear(&chan->retrans_list);
1183 l2cap_seq_list_clear(&chan->srej_list);
1184 skb_queue_purge(&chan->srej_q);
1185
1186 chan->tx_state = L2CAP_TX_STATE_XMIT;
1187 chan->rx_state = L2CAP_RX_STATE_MOVE;
1188
1189 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1190}
1191
5f3847a4
MM		 1192static void l2cap_move_done(struct l2cap_chan *chan)
1193{
1194 u8 move_role = chan->move_role;
1195 BT_DBG("chan %p", chan);
1196
1197 chan->move_state = L2CAP_MOVE_STABLE;
1198 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1199
1200 if (chan->mode != L2CAP_MODE_ERTM)
1201 return;
1202
1203 switch (move_role) {
1204 case L2CAP_MOVE_ROLE_INITIATOR:
1205 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1206 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1207 break;
1208 case L2CAP_MOVE_ROLE_RESPONDER:
1209 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1210 break;
1211 }
1212}
1213
9f0caeb1
VCG		 1214static void l2cap_chan_ready(struct l2cap_chan *chan)
1215{
2827011f 1216 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1217 chan->conf_state = 0;
1218 __clear_chan_timer(chan);
1219
0ce43ce6
JH		 1220 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1221 chan->ops->suspend(chan);
177f8f2b 1222
54a59aa2 1223 chan->state = BT_CONNECTED;
9f0caeb1 1224
fd83e2c2 1225 chan->ops->ready(chan);
9f0caeb1
VCG		 1226}
1227
f1496dee
JH		 1228static void l2cap_le_connect(struct l2cap_chan *chan)
1229{
1230 struct l2cap_conn *conn = chan->conn;
1231 struct l2cap_le_conn_req req;
1232
595177f3
JH		 1233 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1234 return;
1235
f1496dee
JH		 1236 req.psm = chan->psm;
1237 req.scid = cpu_to_le16(chan->scid);
1238 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1239 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1240 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1241
1242 chan->ident = l2cap_get_ident(conn);
1243
1244 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1245 sizeof(req), &req);
1246}
1247
1248static void l2cap_le_start(struct l2cap_chan *chan)
1249{
1250 struct l2cap_conn *conn = chan->conn;
1251
1252 if (!smp_conn_security(conn->hcon, chan->sec_level))
1253 return;
1254
1255 if (!chan->psm) {
1256 l2cap_chan_ready(chan);
1257 return;
1258 }
1259
1260 if (chan->state == BT_CONNECT)
1261 l2cap_le_connect(chan);
1262}
1263
93c3e8f5
AE		 1264static void l2cap_start_connection(struct l2cap_chan *chan)
1265{
1266 if (__amp_capable(chan)) {
1267 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1268 a2mp_discover_amp(chan);
f1496dee
JH		 1269 } else if (chan->conn->hcon->type == LE_LINK) {
1270 l2cap_le_start(chan);
93c3e8f5
AE		 1271 } else {
1272 l2cap_send_conn_req(chan);
1273 }
1274}
1275
fc7f8a7e 1276static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1277{
8c1d787b 1278 struct l2cap_conn *conn = chan->conn;
79d554a6 1279
9f0caeb1 1280 if (conn->hcon->type == LE_LINK) {
96ac34fb 1281 l2cap_le_start(chan);
9f0caeb1
VCG		 1282 return;
1283 }
1284
79d554a6 1285 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1286 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1287 return;
1288
d45fc423 1289 if (l2cap_chan_check_security(chan) &&
2d792818 1290 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1291 l2cap_start_connection(chan);
1292 }
79d554a6
MH		 1293 } else {
1294 struct l2cap_info_req req;
ac73498c 1295 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1296
1297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1298 conn->info_ident = l2cap_get_ident(conn);
1299
ba13ccd9 1300 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1301
2d792818
GP		 1302 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1303 sizeof(req), &req);
79d554a6
MH		 1304 }
1305}
1306
cf6c2c0b
GP		 1307static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1308{
1309 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1310 if (!disable_ertm)
cf6c2c0b
GP		 1311 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1312
1313 switch (mode) {
1314 case L2CAP_MODE_ERTM:
1315 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1316 case L2CAP_MODE_STREAMING:
1317 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1318 default:
1319 return 0x00;
1320 }
1321}
1322
5e4e3972 1323static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1324{
5e4e3972 1325 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1326 struct l2cap_disconn_req req;
1327
c13ffa62
GP		 1328 if (!conn)
1329 return;
1330
aad3d0e3 1331 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1332 __clear_retrans_timer(chan);
1333 __clear_monitor_timer(chan);
1334 __clear_ack_timer(chan);
c13ffa62
GP		 1335 }
1336
416fa752 1337 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1338 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1339 return;
1340 }
1341
fe4128e0
GP		 1342 req.dcid = cpu_to_le16(chan->dcid);
1343 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1344 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1345 sizeof(req), &req);
c13ffa62 1346
f8e73017 1347 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1348}
1349
1da177e4 1350/* ---- L2CAP connections ---- */
4e8402a3
MH		 1351static void l2cap_conn_start(struct l2cap_conn *conn)
1352{
3df91ea2 1353 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1354
1355 BT_DBG("conn %p", conn);
1356
3df91ea2 1357 mutex_lock(&conn->chan_lock);
4e8402a3 1358
3df91ea2 1359 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1360 l2cap_chan_lock(chan);
4e8402a3 1361
715ec005 1362 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1363 l2cap_chan_unlock(chan);
79d554a6
MH		 1364 continue;
1365 }
1366
89bc500e 1367 if (chan->state == BT_CONNECT) {
d45fc423 1368 if (!l2cap_chan_check_security(chan) ||
2d792818 1369 !__l2cap_no_conn_pending(chan)) {
6be36555 1370 l2cap_chan_unlock(chan);
47731de7
GP		 1371 continue;
1372 }
79d554a6 1373
c1360a1c 1374 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1375 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1376 &chan->conf_state)) {
89bc500e 1377 l2cap_chan_close(chan, ECONNRESET);
6be36555 1378 l2cap_chan_unlock(chan);
47731de7 1379 continue;
b1235d79 1380 }
47731de7 1381
93c3e8f5 1382 l2cap_start_connection(chan);
47731de7 1383
89bc500e 1384 } else if (chan->state == BT_CONNECT2) {
79d554a6 1385 struct l2cap_conn_rsp rsp;
e9aeb2dd 1386 char buf[128];
fe4128e0
GP		 1387 rsp.scid = cpu_to_le16(chan->dcid);
1388 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1389
d45fc423 1390 if (l2cap_chan_check_security(chan)) {
bdc25783 1391 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1392 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1393 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1394 chan->ops->defer(chan);
f66dc81f
MH		 1395
1396 } else {
acdcabf5 1397 l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1398 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1399 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1400 }
79d554a6 1401 } else {
ac73498c
AE		 1402 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1403 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1404 }
1405
fc7f8a7e 1406 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1407 sizeof(rsp), &rsp);
e9aeb2dd 1408
c1360a1c 1409 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1410 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1411 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1412 continue;
1413 }
1414
c1360a1c 1415 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1416 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1417 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1418 chan->num_conf_req++;
4e8402a3
MH		 1419 }
1420
6be36555 1421 l2cap_chan_unlock(chan);
4e8402a3
MH		 1422 }
1423
3df91ea2 1424 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1425}
1426
c2287681 1427/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1428 * Returns closest match, locked.
1429 */
d9b88702 1430static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1431 bdaddr_t *src,
1432 bdaddr_t *dst)
b62f328b 1433{
23691d75 1434 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1435
23691d75 1436 read_lock(&chan_list_lock);
b62f328b 1437
23691d75 1438 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1439 if (state && c->state != state)
b62f328b
VT		 1440 continue;
1441
23691d75 1442 if (c->scid == cid) {
c2287681
IY		 1443 int src_match, dst_match;
1444 int src_any, dst_any;
1445
b62f328b 1446 /* Exact match. */
7eafc59e
MH		 1447 src_match = !bacmp(&c->src, src);
1448 dst_match = !bacmp(&c->dst, dst);
c2287681 1449 if (src_match && dst_match) {
23691d75
GP		 1450 read_unlock(&chan_list_lock);
1451 return c;
1452 }
b62f328b
VT		 1453
1454 /* Closest match */
7eafc59e
MH		 1455 src_any = !bacmp(&c->src, BDADDR_ANY);
1456 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1457 if ((src_match && dst_any) || (src_any && dst_match) ||
1458 (src_any && dst_any))
23691d75 1459 c1 = c;
b62f328b
VT		 1460 }
1461 }
280f294f 1462
23691d75 1463 read_unlock(&chan_list_lock);
b62f328b 1464
23691d75 1465 return c1;
b62f328b
VT		 1466}
1467
1468static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1469{
cc8dba2b 1470 struct hci_conn *hcon = conn->hcon;
23691d75 1471 struct l2cap_chan *chan, *pchan;
cc8dba2b 1472 u8 dst_type;
b62f328b
VT		 1473
1474 BT_DBG("");
1475
18722c24
JR		 1476 bt_6lowpan_add_conn(conn);
1477
b62f328b 1478 /* Check if we have socket listening on cid */
073d1cf3 1479 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1480 &hcon->src, &hcon->dst);
23691d75 1481 if (!pchan)
b62f328b
VT		 1482 return;
1483
44f3b0fb
JH		 1484 /* Client ATT sockets should override the server one */
1485 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1486 return;
1487
cc8dba2b
MH		 1488 dst_type = bdaddr_type(hcon, hcon->dst_type);
1489
1490 /* If device is blocked, do not create a channel for it */
1491 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1492 return;
1493
8ffb9290 1494 l2cap_chan_lock(pchan);
62f3a2cf 1495
80b98027 1496 chan = pchan->ops->new_connection(pchan);
80808e43 1497 if (!chan)
b62f328b
VT		 1498 goto clean;
1499
9f22398c
JH		 1500 chan->dcid = L2CAP_CID_ATT;
1501
cc8dba2b
MH		 1502 bacpy(&chan->src, &hcon->src);
1503 bacpy(&chan->dst, &hcon->dst);
1504 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1505 chan->dst_type = dst_type;
b62f328b 1506
44f3b0fb 1507 __l2cap_chan_add(conn, chan);
48454079 1508
b62f328b 1509clean:
8ffb9290 1510 l2cap_chan_unlock(pchan);
b62f328b
VT		 1511}
1512
4e8402a3
MH		 1513static void l2cap_conn_ready(struct l2cap_conn *conn)
1514{
48454079 1515 struct l2cap_chan *chan;
cc110922 1516 struct hci_conn *hcon = conn->hcon;
4e8402a3 1517
79d554a6 1518 BT_DBG("conn %p", conn);
4e8402a3 1519
d8729922
JH		 1520 /* For outgoing pairing which doesn't necessarily have an
1521 * associated socket (e.g. mgmt_pair_device).
1522 */
cc110922
VCG		 1523 if (hcon->out && hcon->type == LE_LINK)
1524 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1525
3df91ea2 1526 mutex_lock(&conn->chan_lock);
4e8402a3 1527
44f3b0fb
JH		 1528 if (hcon->type == LE_LINK)
1529 l2cap_le_conn_ready(conn);
1530
3df91ea2 1531 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1532
6be36555 1533 l2cap_chan_lock(chan);
4e8402a3 1534
416fa752
AE		 1535 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1536 l2cap_chan_unlock(chan);
1537 continue;
1538 }
1539
cc110922 1540 if (hcon->type == LE_LINK) {
f1496dee 1541 l2cap_le_start(chan);
63128451 1542 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1543 l2cap_chan_ready(chan);
b501d6a1 1544
1c244f79 1545 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1546 l2cap_do_start(chan);
1c244f79 1547 }
4e8402a3 1548
6be36555 1549 l2cap_chan_unlock(chan);
4e8402a3 1550 }
79d554a6 1551
3df91ea2 1552 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1553}
1554
1555/* Notify sockets that we cannot guaranty reliability anymore */
1556static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1557{
48454079 1558 struct l2cap_chan *chan;
4e8402a3
MH		 1559
1560 BT_DBG("conn %p", conn);
1561
3df91ea2 1562 mutex_lock(&conn->chan_lock);
4e8402a3 1563
3df91ea2 1564 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1565 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1566 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1567 }
1568
3df91ea2 1569 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1570}
1571
f878fcad 1572static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1573{
f878fcad 1574 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1575 info_timer.work);
4e8402a3 1576
984947dc 1577 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1578 conn->info_ident = 0;
984947dc 1579
4e8402a3
MH		 1580 l2cap_conn_start(conn);
1581}
1582
2c8e1411
DH		 1583/*
1584 * l2cap_user
1585 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1586 * callback is called during registration. The ->remove callback is called
1587 * during unregistration.
1588 * An l2cap_user object can either be explicitly unregistered or when the
1589 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1590 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1591 * External modules must own a reference to the l2cap_conn object if they intend
1592 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1593 * any time if they don't.
1594 */
1595
1596int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1597{
1598 struct hci_dev *hdev = conn->hcon->hdev;
1599 int ret;
1600
1601 /* We need to check whether l2cap_conn is registered. If it is not, we
1602 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1603 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1604 * relies on the parent hci_conn object to be locked. This itself relies
1605 * on the hci_dev object to be locked. So we must lock the hci device
1606 * here, too. */
1607
1608 hci_dev_lock(hdev);
1609
1610 if (user->list.next || user->list.prev) {
1611 ret = -EINVAL;
1612 goto out_unlock;
1613 }
1614
1615 /* conn->hchan is NULL after l2cap_conn_del() was called */
1616 if (!conn->hchan) {
1617 ret = -ENODEV;
1618 goto out_unlock;
1619 }
1620
1621 ret = user->probe(conn, user);
1622 if (ret)
1623 goto out_unlock;
1624
1625 list_add(&user->list, &conn->users);
1626 ret = 0;
1627
1628out_unlock:
1629 hci_dev_unlock(hdev);
1630 return ret;
1631}
1632EXPORT_SYMBOL(l2cap_register_user);
1633
1634void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1635{
1636 struct hci_dev *hdev = conn->hcon->hdev;
1637
1638 hci_dev_lock(hdev);
1639
1640 if (!user->list.next || !user->list.prev)
1641 goto out_unlock;
1642
1643 list_del(&user->list);
1644 user->list.next = NULL;
1645 user->list.prev = NULL;
1646 user->remove(conn, user);
1647
1648out_unlock:
1649 hci_dev_unlock(hdev);
1650}
1651EXPORT_SYMBOL(l2cap_unregister_user);
1652
1653static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1654{
1655 struct l2cap_user *user;
1656
1657 while (!list_empty(&conn->users)) {
1658 user = list_first_entry(&conn->users, struct l2cap_user, list);
1659 list_del(&user->list);
1660 user->list.next = NULL;
1661 user->list.prev = NULL;
1662 user->remove(conn, user);
1663 }
1664}
1665
5d3de7df
VCG		 1666static void l2cap_conn_del(struct hci_conn *hcon, int err)
1667{
1668 struct l2cap_conn *conn = hcon->l2cap_data;
1669 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1670
1671 if (!conn)
1672 return;
1673
1674 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1675
1676 kfree_skb(conn->rx_skb);
1677
2c8e1411
DH		 1678 l2cap_unregister_all_users(conn);
1679
3df91ea2
AE		 1680 mutex_lock(&conn->chan_lock);
1681
5d3de7df
VCG		 1682 /* Kill channels */
1683 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1684 l2cap_chan_hold(chan);
6be36555
AE		 1685 l2cap_chan_lock(chan);
1686
5d3de7df 1687 l2cap_chan_del(chan, err);
6be36555
AE		 1688
1689 l2cap_chan_unlock(chan);
1690
80b98027 1691 chan->ops->close(chan);
61d6ef3e 1692 l2cap_chan_put(chan);
5d3de7df
VCG		 1693 }
1694
3df91ea2
AE		 1695 mutex_unlock(&conn->chan_lock);
1696
73d80deb
LAD		 1697 hci_chan_del(conn->hchan);
1698
5d3de7df 1699 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1700 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1701
51a8efd7 1702 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1703 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1704 smp_chan_destroy(conn);
d26a2345 1705 }
5d3de7df
VCG		 1706
1707 hcon->l2cap_data = NULL;
9c903e37
DH		 1708 conn->hchan = NULL;
1709 l2cap_conn_put(conn);
5d3de7df
VCG		 1710}
1711
6c9d42a1 1712static void security_timeout(struct work_struct *work)
5d3de7df 1713{
6c9d42a1 1714 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1715 security_timer.work);
5d3de7df 1716
d06cc416
JH		 1717 BT_DBG("conn %p", conn);
1718
1719 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1720 smp_chan_destroy(conn);
1721 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1722 }
5d3de7df
VCG		 1723}
1724
9c903e37
DH		 1725static void l2cap_conn_free(struct kref *ref)
1726{
1727 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1728
1729 hci_conn_put(conn->hcon);
1730 kfree(conn);
1731}
1732
1733void l2cap_conn_get(struct l2cap_conn *conn)
1734{
1735 kref_get(&conn->ref);
1736}
1737EXPORT_SYMBOL(l2cap_conn_get);
1738
1739void l2cap_conn_put(struct l2cap_conn *conn)
1740{
1741 kref_put(&conn->ref, l2cap_conn_free);
1742}
1743EXPORT_SYMBOL(l2cap_conn_put);
1744
1da177e4 1745/* ---- Socket interface ---- */
1da177e4 1746
c2287681 1747/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1748 * Returns closest match.
1749 */
c2287681
IY		 1750static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1751 bdaddr_t *src,
bf20fd4e
JH		 1752 bdaddr_t *dst,
1753 u8 link_type)
1da177e4 1754{
23691d75 1755 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1756
23691d75 1757 read_lock(&chan_list_lock);
e0f0cb56 1758
23691d75 1759 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1760 if (state && c->state != state)
1da177e4
LT		 1761 continue;
1762
bf20fd4e
JH		 1763 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1764 continue;
1765
1766 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1767 continue;
1768
23691d75 1769 if (c->psm == psm) {
c2287681
IY		 1770 int src_match, dst_match;
1771 int src_any, dst_any;
1772
1da177e4 1773 /* Exact match. */
7eafc59e
MH		 1774 src_match = !bacmp(&c->src, src);
1775 dst_match = !bacmp(&c->dst, dst);
c2287681 1776 if (src_match && dst_match) {
a7567b20 1777 read_unlock(&chan_list_lock);
23691d75
GP		 1778 return c;
1779 }
1da177e4
LT		 1780
1781 /* Closest match */
7eafc59e
MH		 1782 src_any = !bacmp(&c->src, BDADDR_ANY);
1783 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1784 if ((src_match && dst_any) || (src_any && dst_match) ||
1785 (src_any && dst_any))
23691d75 1786 c1 = c;
1da177e4
LT		 1787 }
1788 }
1da177e4 1789
23691d75 1790 read_unlock(&chan_list_lock);
e0f0cb56 1791
23691d75 1792 return c1;
1da177e4
LT		 1793}
1794
721c4181 1795static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1796{
721c4181 1797 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1798 monitor_timer.work);
e90bac06 1799
525cd185 1800 BT_DBG("chan %p", chan);
0e98958d 1801
6be36555
AE		 1802 l2cap_chan_lock(chan);
1803
80909e04 1804 if (!chan->conn) {
6be36555 1805 l2cap_chan_unlock(chan);
8d7e1c7f 1806 l2cap_chan_put(chan);
e90bac06
GP		 1807 return;
1808 }
1809
401bb1f7 1810 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1811
6be36555 1812 l2cap_chan_unlock(chan);
8d7e1c7f 1813 l2cap_chan_put(chan);
e90bac06
GP		 1814}
1815
721c4181 1816static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1817{
721c4181 1818 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1819 retrans_timer.work);
e90bac06 1820
49208c9c 1821 BT_DBG("chan %p", chan);
0e98958d 1822
6be36555
AE		 1823 l2cap_chan_lock(chan);
1824
80909e04
MM		 1825 if (!chan->conn) {
1826 l2cap_chan_unlock(chan);
1827 l2cap_chan_put(chan);
1828 return;
1829 }
6be36555 1830
401bb1f7 1831 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1832 l2cap_chan_unlock(chan);
8d7e1c7f 1833 l2cap_chan_put(chan);
e90bac06
GP		 1834}
1835
d660366d
GP		 1836static void l2cap_streaming_send(struct l2cap_chan *chan,
1837 struct sk_buff_head *skbs)
6840ed07 1838{
ccbb84af 1839 struct sk_buff *skb;
3733937d 1840 struct l2cap_ctrl *control;
6840ed07 1841
3733937d
MM		 1842 BT_DBG("chan %p, skbs %p", chan, skbs);
1843
b99e13ad
MM		 1844 if (__chan_is_moving(chan))
1845 return;
1846
3733937d
MM		 1847 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1848
1849 while (!skb_queue_empty(&chan->tx_q)) {
1850
1851 skb = skb_dequeue(&chan->tx_q);
1852
1853 bt_cb(skb)->control.retries = 1;
1854 control = &bt_cb(skb)->control;
1855
1856 control->reqseq = 0;
1857 control->txseq = chan->next_tx_seq;
1858
1859 __pack_control(chan, control, skb);
6840ed07 1860
47d1ec61 1861 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1862 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1863 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1864 }
1865
4343478f 1866 l2cap_do_send(chan, skb);
6840ed07 1867
b4400672 1868 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1869
836be934 1870 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1871 chan->frames_sent++;
6840ed07 1872 }
6840ed07
GP		 1873}
1874
67c9e840 1875static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1876{
1877 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1878 struct l2cap_ctrl *control;
1879 int sent = 0;
1880
1881 BT_DBG("chan %p", chan);
1c2acffb 1882
89bc500e 1883 if (chan->state != BT_CONNECTED)
c13ffa62 1884 return -ENOTCONN;
e90bac06 1885
94122bbe
MM		 1886 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1887 return 0;
1888
b99e13ad
MM		 1889 if (__chan_is_moving(chan))
1890 return 0;
1891
18a48e76
MM		 1892 while (chan->tx_send_head &&
1893 chan->unacked_frames < chan->remote_tx_win &&
1894 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1895
18a48e76 1896 skb = chan->tx_send_head;
e90bac06 1897
18a48e76
MM		 1898 bt_cb(skb)->control.retries = 1;
1899 control = &bt_cb(skb)->control;
95ffa978 1900
e2ab4353 1901 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1902 control->final = 1;
e2ab4353 1903
18a48e76
MM		 1904 control->reqseq = chan->buffer_seq;
1905 chan->last_acked_seq = chan->buffer_seq;
1906 control->txseq = chan->next_tx_seq;
1c2acffb 1907
18a48e76 1908 __pack_control(chan, control, skb);
e90bac06 1909
47d1ec61 1910 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1911 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1912 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1913 }
1914
18a48e76
MM		 1915 /* Clone after data has been modified. Data is assumed to be
1916 read-only (for locking purposes) on cloned sk_buffs.
1917 */
1918 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1919
18a48e76
MM		 1920 if (!tx_skb)
1921 break;
1c2acffb 1922
18a48e76 1923 __set_retrans_timer(chan);
836be934
AE		 1924
1925 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1926 chan->unacked_frames++;
6a026610 1927 chan->frames_sent++;
18a48e76 1928 sent++;
1c2acffb 1929
58d35f87
GP		 1930 if (skb_queue_is_last(&chan->tx_q, skb))
1931 chan->tx_send_head = NULL;
1c2acffb 1932 else
58d35f87 1933 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1934
1935 l2cap_do_send(chan, tx_skb);
b4400672 1936 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1937 }
1938
b4400672
AE		 1939 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1940 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1941
1942 return sent;
9e917af1
GP		 1943}
1944
e1fbd4c1
MM		 1945static void l2cap_ertm_resend(struct l2cap_chan *chan)
1946{
1947 struct l2cap_ctrl control;
1948 struct sk_buff *skb;
1949 struct sk_buff *tx_skb;
1950 u16 seq;
1951
1952 BT_DBG("chan %p", chan);
1953
1954 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1955 return;
1956
b99e13ad
MM		 1957 if (__chan_is_moving(chan))
1958 return;
1959
e1fbd4c1
MM		 1960 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1961 seq = l2cap_seq_list_pop(&chan->retrans_list);
1962
1963 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1964 if (!skb) {
1965 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1966 seq);
e1fbd4c1
MM		 1967 continue;
1968 }
1969
1970 bt_cb(skb)->control.retries++;
1971 control = bt_cb(skb)->control;
1972
1973 if (chan->max_tx != 0 &&
1974 bt_cb(skb)->control.retries > chan->max_tx) {
1975 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1976 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1977 l2cap_seq_list_clear(&chan->retrans_list);
1978 break;
1979 }
1980
1981 control.reqseq = chan->buffer_seq;
1982 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1983 control.final = 1;
1984 else
1985 control.final = 0;
1986
1987 if (skb_cloned(skb)) {
1988 /* Cloned sk_buffs are read-only, so we need a
1989 * writeable copy
1990 */
8bcde1f2 1991 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1992 } else {
8bcde1f2 1993 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1994 }
1995
1996 if (!tx_skb) {
1997 l2cap_seq_list_clear(&chan->retrans_list);
1998 break;
1999 }
2000
2001 /* Update skb contents */
2002 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2003 put_unaligned_le32(__pack_extended_control(&control),
2004 tx_skb->data + L2CAP_HDR_SIZE);
2005 } else {
2006 put_unaligned_le16(__pack_enhanced_control(&control),
2007 tx_skb->data + L2CAP_HDR_SIZE);
2008 }
2009
2010 if (chan->fcs == L2CAP_FCS_CRC16) {
2011 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2012 put_unaligned_le16(fcs, skb_put(tx_skb,
2013 L2CAP_FCS_SIZE));
2014 }
2015
2016 l2cap_do_send(chan, tx_skb);
2017
2018 BT_DBG("Resent txseq %d", control.txseq);
2019
2020 chan->last_acked_seq = chan->buffer_seq;
2021 }
2022}
2023
f80842a8
MM		 2024static void l2cap_retransmit(struct l2cap_chan *chan,
2025 struct l2cap_ctrl *control)
2026{
2027 BT_DBG("chan %p, control %p", chan, control);
2028
2029 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2030 l2cap_ertm_resend(chan);
2031}
2032
d2a7ac5d
MM		 2033static void l2cap_retransmit_all(struct l2cap_chan *chan,
2034 struct l2cap_ctrl *control)
2035{
e1fbd4c1
MM		 2036 struct sk_buff *skb;
2037
2038 BT_DBG("chan %p, control %p", chan, control);
2039
2040 if (control->poll)
2041 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2042
2043 l2cap_seq_list_clear(&chan->retrans_list);
2044
2045 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2046 return;
2047
2048 if (chan->unacked_frames) {
2049 skb_queue_walk(&chan->tx_q, skb) {
2050 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2051 skb == chan->tx_send_head)
e1fbd4c1
MM		 2052 break;
2053 }
2054
2055 skb_queue_walk_from(&chan->tx_q, skb) {
2056 if (skb == chan->tx_send_head)
2057 break;
2058
2059 l2cap_seq_list_append(&chan->retrans_list,
2060 bt_cb(skb)->control.txseq);
2061 }
2062
2063 l2cap_ertm_resend(chan);
2064 }
d2a7ac5d
MM		 2065}
2066
0a0aba42 2067static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2068{
0a0aba42
MM		 2069 struct l2cap_ctrl control;
2070 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2071 chan->last_acked_seq);
2072 int threshold;
9e917af1 2073
0a0aba42
MM		 2074 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2075 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2076
0a0aba42
MM		 2077 memset(&control, 0, sizeof(control));
2078 control.sframe = 1;
dfc909be 2079
0a0aba42
MM		 2080 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2081 chan->rx_state == L2CAP_RX_STATE_RECV) {
2082 __clear_ack_timer(chan);
2083 control.super = L2CAP_SUPER_RNR;
2084 control.reqseq = chan->buffer_seq;
2085 l2cap_send_sframe(chan, &control);
2086 } else {
2087 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2088 l2cap_ertm_send(chan);
2089 /* If any i-frames were sent, they included an ack */
2090 if (chan->buffer_seq == chan->last_acked_seq)
2091 frames_to_ack = 0;
2092 }
dfc909be 2093
c20f8e35 2094 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2095 * Calculate without mul or div
2096 */
c20f8e35 2097 threshold = chan->ack_win;
0a0aba42
MM		 2098 threshold += threshold << 1;
2099 threshold >>= 2;
2100
b4400672 2101 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2102 threshold);
2103
2104 if (frames_to_ack >= threshold) {
2105 __clear_ack_timer(chan);
2106 control.super = L2CAP_SUPER_RR;
2107 control.reqseq = chan->buffer_seq;
2108 l2cap_send_sframe(chan, &control);
2109 frames_to_ack = 0;
2110 }
1c2acffb 2111
0a0aba42
MM		 2112 if (frames_to_ack)
2113 __set_ack_timer(chan);
2114 }
b17e73bb
SJ		 2115}
2116
04124681
GP		 2117static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2118 struct msghdr *msg, int len,
2119 int count, struct sk_buff *skb)
1c2acffb 2120{
0952a57a 2121 struct l2cap_conn *conn = chan->conn;
1c2acffb 2122 struct sk_buff **frag;
90338947 2123 int sent = 0;
1da177e4 2124
59203a21 2125 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2126 return -EFAULT;
1da177e4
LT		 2127
2128 sent += count;
2129 len -= count;
2130
2131 /* Continuation fragments (no L2CAP header) */
2132 frag = &skb_shinfo(skb)->frag_list;
2133 while (len) {
fbe00700
GP		 2134 struct sk_buff *tmp;
2135
1da177e4
LT		 2136 count = min_t(unsigned int, conn->mtu, len);
2137
fbe00700
GP		 2138 tmp = chan->ops->alloc_skb(chan, count,
2139 msg->msg_flags & MSG_DONTWAIT);
2140 if (IS_ERR(tmp))
2141 return PTR_ERR(tmp);
2142
2143 *frag = tmp;
2f7719ce 2144
1c2acffb
GP		 2145 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2146 return -EFAULT;
1da177e4 2147
5e59b791
LAD		 2148 (*frag)->priority = skb->priority;
2149
1da177e4
LT		 2150 sent += count;
2151 len -= count;
2152
2d0ed3d5
GP		 2153 skb->len += (*frag)->len;
2154 skb->data_len += (*frag)->len;
2155
1da177e4
LT		 2156 frag = &(*frag)->next;
2157 }
1da177e4
LT		 2158
2159 return sent;
1c2acffb 2160}
1da177e4 2161
5e59b791 2162static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2163 struct msghdr *msg, size_t len,
2164 u32 priority)
1c2acffb 2165{
8c1d787b 2166 struct l2cap_conn *conn = chan->conn;
1c2acffb 2167 struct sk_buff *skb;
03a51213 2168 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2169 struct l2cap_hdr *lh;
2170
43b1b8df
MH		 2171 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2172 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2173
2174 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2175
2176 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2177 msg->msg_flags & MSG_DONTWAIT);
2178 if (IS_ERR(skb))
2179 return skb;
1c2acffb 2180
5e59b791
LAD		 2181 skb->priority = priority;
2182
1c2acffb
GP		 2183 /* Create L2CAP header */
2184 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2185 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2186 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2187 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2188
0952a57a 2189 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2190 if (unlikely(err < 0)) {
2191 kfree_skb(skb);
2192 return ERR_PTR(err);
2193 }
2194 return skb;
2195}
2196
5e59b791 2197static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2198 struct msghdr *msg, size_t len,
2199 u32 priority)
1c2acffb 2200{
8c1d787b 2201 struct l2cap_conn *conn = chan->conn;
1c2acffb 2202 struct sk_buff *skb;
f2ba7fae 2203 int err, count;
1c2acffb
GP		 2204 struct l2cap_hdr *lh;
2205
b4400672 2206 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2207
f2ba7fae 2208 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2209
f2ba7fae 2210 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2211 msg->msg_flags & MSG_DONTWAIT);
2212 if (IS_ERR(skb))
2213 return skb;
1c2acffb 2214
5e59b791
LAD		 2215 skb->priority = priority;
2216
1c2acffb
GP		 2217 /* Create L2CAP header */
2218 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2219 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2220 lh->len = cpu_to_le16(len);
1c2acffb 2221
0952a57a 2222 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2223 if (unlikely(err < 0)) {
2224 kfree_skb(skb);
2225 return ERR_PTR(err);
2226 }
2227 return skb;
2228}
2229
ab0ff76d 2230static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2231 struct msghdr *msg, size_t len,
2232 u16 sdulen)
1c2acffb 2233{
8c1d787b 2234 struct l2cap_conn *conn = chan->conn;
1c2acffb 2235 struct sk_buff *skb;
e4ca6d98 2236 int err, count, hlen;
1c2acffb
GP		 2237 struct l2cap_hdr *lh;
2238
b4400672 2239 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2240
0ee0d208
GP		 2241 if (!conn)
2242 return ERR_PTR(-ENOTCONN);
2243
ba7aa64f 2244 hlen = __ertm_hdr_size(chan);
e4ca6d98 2245
c74e560c 2246 if (sdulen)
03a51213 2247 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2248
47d1ec61 2249 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2250 hlen += L2CAP_FCS_SIZE;
fcc203c3 2251
1c2acffb 2252 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2253
2254 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2255 msg->msg_flags & MSG_DONTWAIT);
2256 if (IS_ERR(skb))
2257 return skb;
1c2acffb
GP		 2258
2259 /* Create L2CAP header */
2260 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2261 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2262 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2263
18a48e76
MM		 2264 /* Control header is populated later */
2265 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2266 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2267 else
2268 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2269
c74e560c 2270 if (sdulen)
03a51213 2271 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2272
0952a57a 2273 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2274 if (unlikely(err < 0)) {
2275 kfree_skb(skb);
2276 return ERR_PTR(err);
2277 }
e90bac06 2278
18a48e76 2279 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2280 bt_cb(skb)->control.retries = 0;
1c2acffb 2281 return skb;
1da177e4
LT		 2282}
2283
94122bbe
MM		 2284static int l2cap_segment_sdu(struct l2cap_chan *chan,
2285 struct sk_buff_head *seg_queue,
2286 struct msghdr *msg, size_t len)
c74e560c 2287{
c74e560c 2288 struct sk_buff *skb;
94122bbe
MM		 2289 u16 sdu_len;
2290 size_t pdu_len;
94122bbe 2291 u8 sar;
c74e560c 2292
b4400672 2293 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2294
94122bbe
MM		 2295 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2296 * so fragmented skbs are not used. The HCI layer's handling
2297 * of fragmented skbs is not compatible with ERTM's queueing.
2298 */
c74e560c 2299
94122bbe
MM		 2300 /* PDU size is derived from the HCI MTU */
2301 pdu_len = chan->conn->mtu;
c74e560c 2302
a549574d
MM		 2303 /* Constrain PDU size for BR/EDR connections */
2304 if (!chan->hs_hcon)
2305 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2306
2307 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2308 if (chan->fcs)
2309 pdu_len -= L2CAP_FCS_SIZE;
2310
ba7aa64f 2311 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2312
2313 /* Remote device may have requested smaller PDUs */
2314 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2315
2316 if (len <= pdu_len) {
2317 sar = L2CAP_SAR_UNSEGMENTED;
2318 sdu_len = 0;
2319 pdu_len = len;
2320 } else {
2321 sar = L2CAP_SAR_START;
2322 sdu_len = len;
2323 pdu_len -= L2CAP_SDULEN_SIZE;
2324 }
2325
2326 while (len > 0) {
2327 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2328
c74e560c 2329 if (IS_ERR(skb)) {
94122bbe 2330 __skb_queue_purge(seg_queue);
c74e560c
GP		 2331 return PTR_ERR(skb);
2332 }
2333
94122bbe
MM		 2334 bt_cb(skb)->control.sar = sar;
2335 __skb_queue_tail(seg_queue, skb);
2336
2337 len -= pdu_len;
2338 if (sdu_len) {
2339 sdu_len = 0;
2340 pdu_len += L2CAP_SDULEN_SIZE;
2341 }
2342
2343 if (len <= pdu_len) {
2344 sar = L2CAP_SAR_END;
2345 pdu_len = len;
2346 } else {
2347 sar = L2CAP_SAR_CONTINUE;
2348 }
c74e560c 2349 }
c74e560c 2350
f0f62799 2351 return 0;
c74e560c
GP		 2352}
2353
177f8f2b
JH		 2354static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2355 struct msghdr *msg,
2356 size_t len, u16 sdulen)
2357{
2358 struct l2cap_conn *conn = chan->conn;
2359 struct sk_buff *skb;
2360 int err, count, hlen;
2361 struct l2cap_hdr *lh;
2362
2363 BT_DBG("chan %p len %zu", chan, len);
2364
2365 if (!conn)
2366 return ERR_PTR(-ENOTCONN);
2367
2368 hlen = L2CAP_HDR_SIZE;
2369
2370 if (sdulen)
2371 hlen += L2CAP_SDULEN_SIZE;
2372
2373 count = min_t(unsigned int, (conn->mtu - hlen), len);
2374
2375 skb = chan->ops->alloc_skb(chan, count + hlen,
2376 msg->msg_flags & MSG_DONTWAIT);
2377 if (IS_ERR(skb))
2378 return skb;
2379
2380 /* Create L2CAP header */
2381 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2382 lh->cid = cpu_to_le16(chan->dcid);
2383 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2384
2385 if (sdulen)
2386 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2387
2388 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2389 if (unlikely(err < 0)) {
2390 kfree_skb(skb);
2391 return ERR_PTR(err);
2392 }
2393
2394 return skb;
2395}
2396
2397static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2398 struct sk_buff_head *seg_queue,
2399 struct msghdr *msg, size_t len)
2400{
2401 struct sk_buff *skb;
2402 size_t pdu_len;
2403 u16 sdu_len;
2404
2405 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2406
2407 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2408
2409 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2410
2411 sdu_len = len;
2412 pdu_len -= L2CAP_SDULEN_SIZE;
2413
2414 while (len > 0) {
2415 if (len <= pdu_len)
2416 pdu_len = len;
2417
2418 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2419 if (IS_ERR(skb)) {
2420 __skb_queue_purge(seg_queue);
2421 return PTR_ERR(skb);
2422 }
2423
2424 __skb_queue_tail(seg_queue, skb);
2425
2426 len -= pdu_len;
2427
2428 if (sdu_len) {
2429 sdu_len = 0;
2430 pdu_len += L2CAP_SDULEN_SIZE;
2431 }
2432 }
2433
2434 return 0;
2435}
2436
5e59b791 2437int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2438 u32 priority)
9a91a04a 2439{
9a91a04a 2440 struct sk_buff *skb;
9a91a04a 2441 int err;
94122bbe 2442 struct sk_buff_head seg_queue;
9a91a04a 2443
31e8ce80
SWK		 2444 if (!chan->conn)
2445 return -ENOTCONN;
2446
9a91a04a 2447 /* Connectionless channel */
715ec005 2448 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2449 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2450 if (IS_ERR(skb))
2451 return PTR_ERR(skb);
2452
2453 l2cap_do_send(chan, skb);
2454 return len;
2455 }
2456
2457 switch (chan->mode) {
38319713 2458 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2459 /* Check outgoing MTU */
2460 if (len > chan->omtu)
2461 return -EMSGSIZE;
2462
fad5fc89
JH		 2463 if (!chan->tx_credits)
2464 return -EAGAIN;
2465
177f8f2b
JH		 2466 __skb_queue_head_init(&seg_queue);
2467
2468 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2469
2470 if (chan->state != BT_CONNECTED) {
2471 __skb_queue_purge(&seg_queue);
2472 err = -ENOTCONN;
2473 }
2474
2475 if (err)
2476 return err;
2477
2478 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2479
2480 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2481 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2482 chan->tx_credits--;
2483 }
2484
2485 if (!chan->tx_credits)
2486 chan->ops->suspend(chan);
2487
2488 err = len;
2489
2490 break;
2491
fad5fc89 2492 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2493 /* Check outgoing MTU */
2494 if (len > chan->omtu)
2495 return -EMSGSIZE;
2496
2497 /* Create a basic PDU */
5e59b791 2498 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2499 if (IS_ERR(skb))
2500 return PTR_ERR(skb);
2501
2502 l2cap_do_send(chan, skb);
2503 err = len;
2504 break;
2505
2506 case L2CAP_MODE_ERTM:
2507 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2508 /* Check outgoing MTU */
2509 if (len > chan->omtu) {
2510 err = -EMSGSIZE;
2511 break;
2512 }
9a91a04a 2513
94122bbe 2514 __skb_queue_head_init(&seg_queue);
9a91a04a 2515
94122bbe
MM		 2516 /* Do segmentation before calling in to the state machine,
2517 * since it's possible to block while waiting for memory
2518 * allocation.
2519 */
2520 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2521
94122bbe
MM		 2522 /* The channel could have been closed while segmenting,
2523 * check that it is still connected.
2524 */
2525 if (chan->state != BT_CONNECTED) {
2526 __skb_queue_purge(&seg_queue);
2527 err = -ENOTCONN;
9a91a04a
GP		 2528 }
2529
94122bbe 2530 if (err)
9a91a04a 2531 break;
9a91a04a 2532
3733937d 2533 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2534 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2535 else
d660366d 2536 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2537
d660366d 2538 err = len;
9a91a04a 2539
94122bbe
MM		 2540 /* If the skbs were not queued for sending, they'll still be in
2541 * seg_queue and need to be purged.
2542 */
2543 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2544 break;
2545
2546 default:
2547 BT_DBG("bad state %1.1x", chan->mode);
2548 err = -EBADFD;
2549 }
2550
2551 return err;
2552}
2553
d2a7ac5d
MM		 2554static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2555{
bed68bde
MM		 2556 struct l2cap_ctrl control;
2557 u16 seq;
2558
b4400672 2559 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2560
2561 memset(&control, 0, sizeof(control));
2562 control.sframe = 1;
2563 control.super = L2CAP_SUPER_SREJ;
2564
2565 for (seq = chan->expected_tx_seq; seq != txseq;
2566 seq = __next_seq(chan, seq)) {
2567 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2568 control.reqseq = seq;
2569 l2cap_send_sframe(chan, &control);
2570 l2cap_seq_list_append(&chan->srej_list, seq);
2571 }
2572 }
2573
2574 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2575}
2576
2577static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2578{
bed68bde
MM		 2579 struct l2cap_ctrl control;
2580
2581 BT_DBG("chan %p", chan);
2582
2583 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2584 return;
2585
2586 memset(&control, 0, sizeof(control));
2587 control.sframe = 1;
2588 control.super = L2CAP_SUPER_SREJ;
2589 control.reqseq = chan->srej_list.tail;
2590 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2591}
2592
2593static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2594{
bed68bde
MM		 2595 struct l2cap_ctrl control;
2596 u16 initial_head;
2597 u16 seq;
2598
b4400672 2599 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2600
2601 memset(&control, 0, sizeof(control));
2602 control.sframe = 1;
2603 control.super = L2CAP_SUPER_SREJ;
2604
2605 /* Capture initial list head to allow only one pass through the list. */
2606 initial_head = chan->srej_list.head;
2607
2608 do {
2609 seq = l2cap_seq_list_pop(&chan->srej_list);
2610 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2611 break;
2612
2613 control.reqseq = seq;
2614 l2cap_send_sframe(chan, &control);
2615 l2cap_seq_list_append(&chan->srej_list, seq);
2616 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2617}
2618
608bcc6d
MM		 2619static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2620{
2621 struct sk_buff *acked_skb;
2622 u16 ackseq;
2623
b4400672 2624 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2625
2626 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2627 return;
2628
b4400672 2629 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2630 chan->expected_ack_seq, chan->unacked_frames);
2631
2632 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2633 ackseq = __next_seq(chan, ackseq)) {
2634
2635 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2636 if (acked_skb) {
2637 skb_unlink(acked_skb, &chan->tx_q);
2638 kfree_skb(acked_skb);
2639 chan->unacked_frames--;
2640 }
2641 }
2642
2643 chan->expected_ack_seq = reqseq;
2644
2645 if (chan->unacked_frames == 0)
2646 __clear_retrans_timer(chan);
2647
b4400672 2648 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2649}
2650
2651static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2652{
2653 BT_DBG("chan %p", chan);
2654
2655 chan->expected_tx_seq = chan->buffer_seq;
2656 l2cap_seq_list_clear(&chan->srej_list);
2657 skb_queue_purge(&chan->srej_q);
2658 chan->rx_state = L2CAP_RX_STATE_RECV;
2659}
2660
d660366d
GP		 2661static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2662 struct l2cap_ctrl *control,
2663 struct sk_buff_head *skbs, u8 event)
608bcc6d 2664{
608bcc6d
MM		 2665 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2666 event);
2667
2668 switch (event) {
2669 case L2CAP_EV_DATA_REQUEST:
2670 if (chan->tx_send_head == NULL)
2671 chan->tx_send_head = skb_peek(skbs);
2672
2673 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2674 l2cap_ertm_send(chan);
2675 break;
2676 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2677 BT_DBG("Enter LOCAL_BUSY");
2678 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2679
2680 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2681 /* The SREJ_SENT state must be aborted if we are to
2682 * enter the LOCAL_BUSY state.
2683 */
2684 l2cap_abort_rx_srej_sent(chan);
2685 }
2686
2687 l2cap_send_ack(chan);
2688
2689 break;
2690 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2691 BT_DBG("Exit LOCAL_BUSY");
2692 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2693
2694 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2695 struct l2cap_ctrl local_control;
2696
2697 memset(&local_control, 0, sizeof(local_control));
2698 local_control.sframe = 1;
2699 local_control.super = L2CAP_SUPER_RR;
2700 local_control.poll = 1;
2701 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2702 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2703
2704 chan->retry_count = 1;
2705 __set_monitor_timer(chan);
2706 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2707 }
2708 break;
2709 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2710 l2cap_process_reqseq(chan, control->reqseq);
2711 break;
2712 case L2CAP_EV_EXPLICIT_POLL:
2713 l2cap_send_rr_or_rnr(chan, 1);
2714 chan->retry_count = 1;
2715 __set_monitor_timer(chan);
2716 __clear_ack_timer(chan);
2717 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2718 break;
2719 case L2CAP_EV_RETRANS_TO:
2720 l2cap_send_rr_or_rnr(chan, 1);
2721 chan->retry_count = 1;
2722 __set_monitor_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2724 break;
2725 case L2CAP_EV_RECV_FBIT:
2726 /* Nothing to process */
2727 break;
2728 default:
2729 break;
2730 }
608bcc6d
MM		 2731}
2732
d660366d
GP		 2733static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2734 struct l2cap_ctrl *control,
2735 struct sk_buff_head *skbs, u8 event)
608bcc6d 2736{
608bcc6d
MM		 2737 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2738 event);
2739
2740 switch (event) {
2741 case L2CAP_EV_DATA_REQUEST:
2742 if (chan->tx_send_head == NULL)
2743 chan->tx_send_head = skb_peek(skbs);
2744 /* Queue data, but don't send. */
2745 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2746 break;
2747 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2748 BT_DBG("Enter LOCAL_BUSY");
2749 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2750
2751 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2752 /* The SREJ_SENT state must be aborted if we are to
2753 * enter the LOCAL_BUSY state.
2754 */
2755 l2cap_abort_rx_srej_sent(chan);
2756 }
2757
2758 l2cap_send_ack(chan);
2759
2760 break;
2761 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2762 BT_DBG("Exit LOCAL_BUSY");
2763 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2764
2765 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2766 struct l2cap_ctrl local_control;
2767 memset(&local_control, 0, sizeof(local_control));
2768 local_control.sframe = 1;
2769 local_control.super = L2CAP_SUPER_RR;
2770 local_control.poll = 1;
2771 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2772 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2773
2774 chan->retry_count = 1;
2775 __set_monitor_timer(chan);
2776 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2777 }
2778 break;
2779 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2780 l2cap_process_reqseq(chan, control->reqseq);
2781
2782 /* Fall through */
2783
2784 case L2CAP_EV_RECV_FBIT:
2785 if (control && control->final) {
2786 __clear_monitor_timer(chan);
2787 if (chan->unacked_frames > 0)
2788 __set_retrans_timer(chan);
2789 chan->retry_count = 0;
2790 chan->tx_state = L2CAP_TX_STATE_XMIT;
2791 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2792 }
2793 break;
2794 case L2CAP_EV_EXPLICIT_POLL:
2795 /* Ignore */
2796 break;
2797 case L2CAP_EV_MONITOR_TO:
2798 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2799 l2cap_send_rr_or_rnr(chan, 1);
2800 __set_monitor_timer(chan);
2801 chan->retry_count++;
2802 } else {
5e4e3972 2803 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2804 }
2805 break;
2806 default:
2807 break;
2808 }
608bcc6d
MM		 2809}
2810
d660366d
GP		 2811static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2812 struct sk_buff_head *skbs, u8 event)
608bcc6d 2813{
608bcc6d
MM		 2814 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2815 chan, control, skbs, event, chan->tx_state);
2816
2817 switch (chan->tx_state) {
2818 case L2CAP_TX_STATE_XMIT:
d660366d 2819 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2820 break;
2821 case L2CAP_TX_STATE_WAIT_F:
d660366d 2822 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2823 break;
2824 default:
2825 /* Ignore event */
2826 break;
2827 }
608bcc6d
MM		 2828}
2829
4b51dae9
MM		 2830static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2831 struct l2cap_ctrl *control)
2832{
2833 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2834 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2835}
2836
f80842a8
MM		 2837static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2838 struct l2cap_ctrl *control)
2839{
2840 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2841 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2842}
2843
1da177e4
LT		 2844/* Copy frame to all raw sockets on that connection */
2845static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2846{
1da177e4 2847 struct sk_buff *nskb;
48454079 2848 struct l2cap_chan *chan;
1da177e4
LT		 2849
2850 BT_DBG("conn %p", conn);
2851
3df91ea2 2852 mutex_lock(&conn->chan_lock);
3d57dc68 2853
3df91ea2 2854 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2855 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2856 continue;
2857
7f5396a7
GP		 2858 /* Don't send frame to the channel it came from */
2859 if (bt_cb(skb)->chan == chan)
1da177e4 2860 continue;
7f5396a7 2861
8bcde1f2 2862 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2863 if (!nskb)
1da177e4 2864 continue;
80b98027 2865 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2866 kfree_skb(nskb);
2867 }
3d57dc68 2868
3df91ea2 2869 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2870}
2871
2872/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2873static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2874 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2875{
2876 struct sk_buff *skb, **frag;
2877 struct l2cap_cmd_hdr *cmd;
2878 struct l2cap_hdr *lh;
2879 int len, count;
2880
b4400672
AE		 2881 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2882 conn, code, ident, dlen);
1da177e4 2883
300b962e
AL		 2884 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2885 return NULL;
2886
1da177e4
LT		 2887 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2888 count = min_t(unsigned int, conn->mtu, len);
2889
8bcde1f2 2890 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2891 if (!skb)
2892 return NULL;
2893
2894 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2895 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2896
2897 if (conn->hcon->type == LE_LINK)
ac73498c 2898 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2899 else
ac73498c 2900 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2901
2902 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2903 cmd->code = code;
2904 cmd->ident = ident;
aca3192c 2905 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2906
2907 if (dlen) {
2908 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2909 memcpy(skb_put(skb, count), data, count);
2910 data += count;
2911 }
2912
2913 len -= skb->len;
2914
2915 /* Continuation fragments (no L2CAP header) */
2916 frag = &skb_shinfo(skb)->frag_list;
2917 while (len) {
2918 count = min_t(unsigned int, conn->mtu, len);
2919
8bcde1f2 2920 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2921 if (!*frag)
2922 goto fail;
2923
2924 memcpy(skb_put(*frag, count), data, count);
2925
2926 len -= count;
2927 data += count;
2928
2929 frag = &(*frag)->next;
2930 }
2931
2932 return skb;
2933
2934fail:
2935 kfree_skb(skb);
2936 return NULL;
2937}
2938
2d792818
GP		 2939static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2940 unsigned long *val)
1da177e4
LT		 2941{
2942 struct l2cap_conf_opt *opt = *ptr;
2943 int len;
2944
2945 len = L2CAP_CONF_OPT_SIZE + opt->len;
2946 *ptr += len;
2947
2948 *type = opt->type;
2949 *olen = opt->len;
2950
2951 switch (opt->len) {
2952 case 1:
2953 *val = *((u8 *) opt->val);
2954 break;
2955
2956 case 2:
bfaaeb3e 2957 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2958 break;
2959
2960 case 4:
bfaaeb3e 2961 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2962 break;
2963
2964 default:
2965 *val = (unsigned long) opt->val;
2966 break;
2967 }
2968
b4400672 2969 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2970 return len;
2971}
2972
1da177e4
LT		 2973static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2974{
2975 struct l2cap_conf_opt *opt = *ptr;
2976
b4400672 2977 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2978
2979 opt->type = type;
2980 opt->len = len;
2981
2982 switch (len) {
2983 case 1:
2984 *((u8 *) opt->val) = val;
2985 break;
2986
2987 case 2:
4f8b691c 2988 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2989 break;
2990
2991 case 4:
4f8b691c 2992 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2993 break;
2994
2995 default:
2996 memcpy(opt->val, (void *) val, len);
2997 break;
2998 }
2999
3000 *ptr += L2CAP_CONF_OPT_SIZE + len;
3001}
3002
f89cef09
AE		 3003static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3004{
3005 struct l2cap_conf_efs efs;
3006
1ec918ce 3007 switch (chan->mode) {
f89cef09
AE		 3008 case L2CAP_MODE_ERTM:
3009 efs.id = chan->local_id;
3010 efs.stype = chan->local_stype;
3011 efs.msdu = cpu_to_le16(chan->local_msdu);
3012 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 3013 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 3014 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3015 break;
3016
3017 case L2CAP_MODE_STREAMING:
3018 efs.id = 1;
3019 efs.stype = L2CAP_SERV_BESTEFFORT;
3020 efs.msdu = cpu_to_le16(chan->local_msdu);
3021 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3022 efs.acc_lat = 0;
3023 efs.flush_to = 0;
3024 break;
3025
3026 default:
3027 return;
3028 }
3029
3030 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3031 (unsigned long) &efs);
f89cef09
AE		 3032}
3033
721c4181 3034static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3035{
721c4181 3036 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3037 ack_timer.work);
3038 u16 frames_to_ack;
c1b4f43b 3039
2fb9b3d4
GP		 3040 BT_DBG("chan %p", chan);
3041
6be36555
AE		 3042 l2cap_chan_lock(chan);
3043
0362520b
MM		 3044 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3045 chan->last_acked_seq);
6be36555 3046
0362520b
MM		 3047 if (frames_to_ack)
3048 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3049
0362520b 3050 l2cap_chan_unlock(chan);
09bfb2ee 3051 l2cap_chan_put(chan);
c1b4f43b
GP		 3052}
3053
466f8004 3054int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3055{
3c588192
MM		 3056 int err;
3057
105bdf9e
MM		 3058 chan->next_tx_seq = 0;
3059 chan->expected_tx_seq = 0;
42e5c802 3060 chan->expected_ack_seq = 0;
6a026610 3061 chan->unacked_frames = 0;
42e5c802 3062 chan->buffer_seq = 0;
6a026610 3063 chan->frames_sent = 0;
105bdf9e
MM		 3064 chan->last_acked_seq = 0;
3065 chan->sdu = NULL;
3066 chan->sdu_last_frag = NULL;
3067 chan->sdu_len = 0;
3068
d34c34fb
MM		 3069 skb_queue_head_init(&chan->tx_q);
3070
6ed971ca
MH		 3071 chan->local_amp_id = AMP_ID_BREDR;
3072 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3073 chan->move_state = L2CAP_MOVE_STABLE;
3074 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3075
105bdf9e
MM		 3076 if (chan->mode != L2CAP_MODE_ERTM)
3077 return 0;
3078
3079 chan->rx_state = L2CAP_RX_STATE_RECV;
3080 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3081
721c4181
GP		 3082 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3083 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3084 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3085
f1c6775b 3086 skb_queue_head_init(&chan->srej_q);
1890d36b 3087
3c588192
MM		 3088 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3089 if (err < 0)
3090 return err;
3091
9dc9affc
MM		 3092 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3093 if (err < 0)
3094 l2cap_seq_list_free(&chan->srej_list);
3095
3096 return err;
0565c1c2
GP		 3097}
3098
f2fcfcd6
GP		 3099static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3100{
3101 switch (mode) {
3102 case L2CAP_MODE_STREAMING:
3103 case L2CAP_MODE_ERTM:
3104 if (l2cap_mode_supported(mode, remote_feat_mask))
3105 return mode;
3106 /* fall through */
3107 default:
3108 return L2CAP_MODE_BASIC;
3109 }
3110}
3111
848566b3 3112static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3113{
848566b3 3114 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3115}
3116
848566b3 3117static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3118{
848566b3 3119 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3120}
3121
36c86c85
MM		 3122static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3123 struct l2cap_conf_rfc *rfc)
3124{
6ed971ca 3125 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3126 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3127
3128 /* Class 1 devices have must have ERTM timeouts
3129 * exceeding the Link Supervision Timeout. The
3130 * default Link Supervision Timeout for AMP
3131 * controllers is 10 seconds.
3132 *
3133 * Class 1 devices use 0xffffffff for their
3134 * best-effort flush timeout, so the clamping logic
3135 * will result in a timeout that meets the above
3136 * requirement. ERTM timeouts are 16-bit values, so
3137 * the maximum timeout is 65.535 seconds.
3138 */
3139
3140 /* Convert timeout to milliseconds and round */
3141 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3142
3143 /* This is the recommended formula for class 2 devices
3144 * that start ERTM timers when packets are sent to the
3145 * controller.
3146 */
3147 ertm_to = 3 * ertm_to + 500;
3148
3149 if (ertm_to > 0xffff)
3150 ertm_to = 0xffff;
3151
3152 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3153 rfc->monitor_timeout = rfc->retrans_timeout;
3154 } else {
3155 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3156 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3157 }
3158}
3159
6327eb98
AE		 3160static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3161{
3162 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3163 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3164 /* use extended control field */
3165 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3166 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3167 } else {
6327eb98 3168 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3169 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3170 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3171 }
c20f8e35 3172 chan->ack_win = chan->tx_win;
6327eb98
AE		 3173}
3174
710f9b0a 3175static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3176{
1da177e4 3177 struct l2cap_conf_req *req = data;
0c1bc5c6 3178 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3179 void *ptr = req->data;
c8f79162 3180 u16 size;
1da177e4 3181
49208c9c 3182 BT_DBG("chan %p", chan);
1da177e4 3183
73ffa904 3184 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3185 goto done;
3186
0c1bc5c6 3187 switch (chan->mode) {
f2fcfcd6
GP		 3188 case L2CAP_MODE_STREAMING:
3189 case L2CAP_MODE_ERTM:
c1360a1c 3190 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3191 break;
85eb53c6 3192
848566b3 3193 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3194 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3195
2ba13ed6 3196 /* fall through */
f2fcfcd6 3197 default:
8c1d787b 3198 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3199 break;
3200 }
3201
3202done:
0c1bc5c6
GP		 3203 if (chan->imtu != L2CAP_DEFAULT_MTU)
3204 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3205
0c1bc5c6 3206 switch (chan->mode) {
65c7c491 3207 case L2CAP_MODE_BASIC:
8c1d787b 3208 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3209 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3210 break;
3211
62547752
GP		 3212 rfc.mode = L2CAP_MODE_BASIC;
3213 rfc.txwin_size = 0;
3214 rfc.max_transmit = 0;
3215 rfc.retrans_timeout = 0;
3216 rfc.monitor_timeout = 0;
3217 rfc.max_pdu_size = 0;
3218
63406504 3219 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3220 (unsigned long) &rfc);
65c7c491
MH		 3221 break;
3222
3223 case L2CAP_MODE_ERTM:
3224 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3225 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3226
3227 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3228
3229 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3230 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3231 L2CAP_FCS_SIZE);
c8f79162 3232 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3233
6327eb98
AE		 3234 l2cap_txwin_setup(chan);
3235
3236 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3237 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3238
63406504 3239 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3240 (unsigned long) &rfc);
63406504 3241
f89cef09
AE		 3242 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3243 l2cap_add_opt_efs(&ptr, chan);
3244
6327eb98
AE		 3245 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3246 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3247 chan->tx_win);
60918918
AE		 3248
3249 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3250 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3251 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3252 chan->fcs = L2CAP_FCS_NONE;
3253 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3254 chan->fcs);
3255 }
f2fcfcd6
GP		 3256 break;
3257
3258 case L2CAP_MODE_STREAMING:
273759e2 3259 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3260 rfc.mode = L2CAP_MODE_STREAMING;
3261 rfc.txwin_size = 0;
3262 rfc.max_transmit = 0;
3263 rfc.retrans_timeout = 0;
3264 rfc.monitor_timeout = 0;
c8f79162
AE		 3265
3266 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3267 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3268 L2CAP_FCS_SIZE);
c8f79162 3269 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3270
63406504 3271 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3272 (unsigned long) &rfc);
63406504 3273
f89cef09
AE		 3274 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3275 l2cap_add_opt_efs(&ptr, chan);
3276
60918918
AE		 3277 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3278 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3279 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3280 chan->fcs = L2CAP_FCS_NONE;
3281 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3282 chan->fcs);
3283 }
65c7c491
MH		 3284 break;
3285 }
1da177e4 3286
fe4128e0 3287 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3288 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3289
3290 return ptr - data;
3291}
3292
73ffa904 3293static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3294{
5dee9e7c
MH		 3295 struct l2cap_conf_rsp *rsp = data;
3296 void *ptr = rsp->data;
73ffa904
GP		 3297 void *req = chan->conf_req;
3298 int len = chan->conf_len;
5dee9e7c
MH		 3299 int type, hint, olen;
3300 unsigned long val;
6464f35f 3301 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3302 struct l2cap_conf_efs efs;
3303 u8 remote_efs = 0;
861d6882 3304 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3305 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3306 u16 size;
1da177e4 3307
73ffa904 3308 BT_DBG("chan %p", chan);
820ae1b8 3309
5dee9e7c
MH		 3310 while (len >= L2CAP_CONF_OPT_SIZE) {
3311 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3312
589d2746 3313 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3314 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3315
3316 switch (type) {
3317 case L2CAP_CONF_MTU:
861d6882 3318 mtu = val;
5dee9e7c
MH		 3319 break;
3320
3321 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3322 chan->flush_to = val;
5dee9e7c
MH		 3323 break;
3324
3325 case L2CAP_CONF_QOS:
3326 break;
3327
6464f35f
MH		 3328 case L2CAP_CONF_RFC:
3329 if (olen == sizeof(rfc))
3330 memcpy(&rfc, (void *) val, olen);
3331 break;
3332
fcc203c3
GP		 3333 case L2CAP_CONF_FCS:
3334 if (val == L2CAP_FCS_NONE)
f2592d3e 3335 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3336 break;
fcc203c3 3337
42dceae2
AE		 3338 case L2CAP_CONF_EFS:
3339 remote_efs = 1;
3340 if (olen == sizeof(efs))
3341 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3342 break;
3343
6327eb98 3344 case L2CAP_CONF_EWS:
848566b3 3345 if (!chan->conn->hs_enabled)
6327eb98 3346 return -ECONNREFUSED;
fcc203c3 3347
6327eb98
AE		 3348 set_bit(FLAG_EXT_CTRL, &chan->flags);
3349 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3350 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3351 chan->remote_tx_win = val;
fcc203c3
GP		 3352 break;
3353
5dee9e7c
MH		 3354 default:
3355 if (hint)
3356 break;
3357
3358 result = L2CAP_CONF_UNKNOWN;
3359 *((u8 *) ptr++) = type;
3360 break;
3361 }
3362 }
3363
73ffa904 3364 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3365 goto done;
3366
0c1bc5c6 3367 switch (chan->mode) {
f2fcfcd6
GP		 3368 case L2CAP_MODE_STREAMING:
3369 case L2CAP_MODE_ERTM:
c1360a1c 3370 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3371 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3372 chan->conn->feat_mask);
85eb53c6
GP		 3373 break;
3374 }
3375
42dceae2 3376 if (remote_efs) {
848566b3 3377 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3378 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3379 else
3380 return -ECONNREFUSED;
3381 }
3382
0c1bc5c6 3383 if (chan->mode != rfc.mode)
f2fcfcd6 3384 return -ECONNREFUSED;
742e519b 3385
f2fcfcd6 3386 break;
f2fcfcd6
GP		 3387 }
3388
3389done:
0c1bc5c6 3390 if (chan->mode != rfc.mode) {
f2fcfcd6 3391 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3392 rfc.mode = chan->mode;
f2fcfcd6 3393
73ffa904 3394 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3395 return -ECONNREFUSED;
3396
2d792818
GP		 3397 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3398 (unsigned long) &rfc);
f2fcfcd6
GP		 3399 }
3400
5dee9e7c
MH		 3401 if (result == L2CAP_CONF_SUCCESS) {
3402 /* Configure output options and let the other side know
3403 * which ones we don't like. */
3404
f2fcfcd6
GP		 3405 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3406 result = L2CAP_CONF_UNACCEPT;
3407 else {
0c1bc5c6 3408 chan->omtu = mtu;
c1360a1c 3409 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3410 }
0c1bc5c6 3411 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3412
42dceae2
AE		 3413 if (remote_efs) {
3414 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3415 efs.stype != L2CAP_SERV_NOTRAFIC &&
3416 efs.stype != chan->local_stype) {
42dceae2
AE		 3417
3418 result = L2CAP_CONF_UNACCEPT;
3419
3420 if (chan->num_conf_req >= 1)
3421 return -ECONNREFUSED;
3422
3423 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3424 sizeof(efs),
3425 (unsigned long) &efs);
0e8b207e 3426 } else {
3e6b3b95 3427 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3428 result = L2CAP_CONF_PENDING;
3429 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3430 }
3431 }
3432
f2fcfcd6
GP		 3433 switch (rfc.mode) {
3434 case L2CAP_MODE_BASIC:
47d1ec61 3435 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3436 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3437 break;
3438
3439 case L2CAP_MODE_ERTM:
6327eb98
AE		 3440 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3441 chan->remote_tx_win = rfc.txwin_size;
3442 else
3443 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3444
2c03a7a4 3445 chan->remote_max_tx = rfc.max_transmit;
1c762159 3446
c8f79162 3447 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3448 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3449 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3450 rfc.max_pdu_size = cpu_to_le16(size);
3451 chan->remote_mps = size;
f2fcfcd6 3452
36c86c85 3453 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3454
c1360a1c 3455 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3456
3457 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3458 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3459
42dceae2
AE		 3460 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3461 chan->remote_id = efs.id;
3462 chan->remote_stype = efs.stype;
3463 chan->remote_msdu = le16_to_cpu(efs.msdu);
3464 chan->remote_flush_to =
2d792818 3465 le32_to_cpu(efs.flush_to);
42dceae2 3466 chan->remote_acc_lat =
2d792818 3467 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3468 chan->remote_sdu_itime =
3469 le32_to_cpu(efs.sdu_itime);
3470 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3471 sizeof(efs),
3472 (unsigned long) &efs);
42dceae2 3473 }
f2fcfcd6
GP		 3474 break;
3475
3476 case L2CAP_MODE_STREAMING:
c8f79162 3477 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3478 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3479 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3480 rfc.max_pdu_size = cpu_to_le16(size);
3481 chan->remote_mps = size;
f2fcfcd6 3482
c1360a1c 3483 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3484
2d792818
GP		 3485 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3486 (unsigned long) &rfc);
68ae6639 3487
f2fcfcd6
GP		 3488 break;
3489
3490 default:
5dee9e7c 3491 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3492
6464f35f 3493 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3494 rfc.mode = chan->mode;
f2fcfcd6 3495 }
6464f35f 3496
f2fcfcd6 3497 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3498 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3499 }
fe4128e0 3500 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3501 rsp->result = cpu_to_le16(result);
59e54bd1 3502 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3503
3504 return ptr - data;
1da177e4
LT		 3505}
3506
2d792818
GP		 3507static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3508 void *data, u16 *result)
f2fcfcd6 3509{
f2fcfcd6
GP		 3510 struct l2cap_conf_req *req = data;
3511 void *ptr = req->data;
3512 int type, olen;
3513 unsigned long val;
36e999a8 3514 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3515 struct l2cap_conf_efs efs;
f2fcfcd6 3516
fe4128e0 3517 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3518
3519 while (len >= L2CAP_CONF_OPT_SIZE) {
3520 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3521
3522 switch (type) {
3523 case L2CAP_CONF_MTU:
3524 if (val < L2CAP_DEFAULT_MIN_MTU) {
3525 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3526 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3527 } else
0c1bc5c6
GP		 3528 chan->imtu = val;
3529 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3530 break;
3531
3532 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3533 chan->flush_to = val;
f2fcfcd6 3534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3535 2, chan->flush_to);
f2fcfcd6
GP		 3536 break;
3537
3538 case L2CAP_CONF_RFC:
3539 if (olen == sizeof(rfc))
3540 memcpy(&rfc, (void *)val, olen);
3541
c1360a1c 3542 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3543 rfc.mode != chan->mode)
f2fcfcd6
GP		 3544 return -ECONNREFUSED;
3545
47d1ec61 3546 chan->fcs = 0;
f2fcfcd6
GP		 3547
3548 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3549 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3550 break;
6327eb98
AE		 3551
3552 case L2CAP_CONF_EWS:
c20f8e35 3553 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3555 chan->tx_win);
6327eb98 3556 break;
66af7aaf
AE		 3557
3558 case L2CAP_CONF_EFS:
3559 if (olen == sizeof(efs))
3560 memcpy(&efs, (void *)val, olen);
3561
3562 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3563 efs.stype != L2CAP_SERV_NOTRAFIC &&
3564 efs.stype != chan->local_stype)
66af7aaf
AE		 3565 return -ECONNREFUSED;
3566
2d792818
GP		 3567 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3568 (unsigned long) &efs);
66af7aaf 3569 break;
cbabee78
AE		 3570
3571 case L2CAP_CONF_FCS:
3572 if (*result == L2CAP_CONF_PENDING)
3573 if (val == L2CAP_FCS_NONE)
f2592d3e 3574 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3575 &chan->conf_state);
3576 break;
f2fcfcd6
GP		 3577 }
3578 }
3579
0c1bc5c6 3580 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3581 return -ECONNREFUSED;
3582
0c1bc5c6 3583 chan->mode = rfc.mode;
6c2ea7a8 3584
0e8b207e 3585 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3586 switch (rfc.mode) {
3587 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3588 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3589 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3590 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3591 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3592 chan->ack_win = min_t(u16, chan->ack_win,
3593 rfc.txwin_size);
66af7aaf
AE		 3594
3595 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3596 chan->local_msdu = le16_to_cpu(efs.msdu);
3597 chan->local_sdu_itime =
2d792818 3598 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3599 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3600 chan->local_flush_to =
2d792818 3601 le32_to_cpu(efs.flush_to);
66af7aaf 3602 }
f2fcfcd6 3603 break;
66af7aaf 3604
f2fcfcd6 3605 case L2CAP_MODE_STREAMING:
47d1ec61 3606 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3607 }
3608 }
3609
fe4128e0 3610 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3611 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3612
3613 return ptr - data;
3614}
3615
2d792818
GP		 3616static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3617 u16 result, u16 flags)
1da177e4
LT		 3618{
3619 struct l2cap_conf_rsp *rsp = data;
3620 void *ptr = rsp->data;
1da177e4 3621
fe4128e0 3622 BT_DBG("chan %p", chan);
1da177e4 3623
fe4128e0 3624 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3625 rsp->result = cpu_to_le16(result);
aca3192c 3626 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3627
3628 return ptr - data;
3629}
3630
27e2d4c8
JH		 3631void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3632{
3633 struct l2cap_le_conn_rsp rsp;
3634 struct l2cap_conn *conn = chan->conn;
3635
3636 BT_DBG("chan %p", chan);
3637
3638 rsp.dcid = cpu_to_le16(chan->scid);
3639 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3640 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3641 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 3642 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3643
3644 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3645 &rsp);
3646}
3647
8c1d787b 3648void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3649{
3650 struct l2cap_conn_rsp rsp;
8c1d787b 3651 struct l2cap_conn *conn = chan->conn;
710f9b0a 3652 u8 buf[128];
439f34ac 3653 u8 rsp_code;
710f9b0a 3654
fe4128e0
GP		 3655 rsp.scid = cpu_to_le16(chan->dcid);
3656 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3657 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3658 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3659
3660 if (chan->hs_hcon)
3661 rsp_code = L2CAP_CREATE_CHAN_RSP;
3662 else
3663 rsp_code = L2CAP_CONN_RSP;
3664
3665 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3666
3667 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3668
c1360a1c 3669 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3670 return;
3671
710f9b0a 3672 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3673 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3674 chan->num_conf_req++;
3675}
3676
47d1ec61 3677static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3678{
7b1c0049
GP		 3679 int type, olen;
3680 unsigned long val;
c20f8e35
MM		 3681 /* Use sane default values in case a misbehaving remote device
3682 * did not send an RFC or extended window size option.
3683 */
3684 u16 txwin_ext = chan->ack_win;
3685 struct l2cap_conf_rfc rfc = {
3686 .mode = chan->mode,
3687 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3688 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3689 .max_pdu_size = cpu_to_le16(chan->imtu),
3690 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3691 };
7b1c0049 3692
47d1ec61 3693 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3694
0c1bc5c6 3695 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3696 return;
3697
3698 while (len >= L2CAP_CONF_OPT_SIZE) {
3699 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3700
c20f8e35
MM		 3701 switch (type) {
3702 case L2CAP_CONF_RFC:
3703 if (olen == sizeof(rfc))
3704 memcpy(&rfc, (void *)val, olen);
8f321f85 3705 break;
c20f8e35
MM		 3706 case L2CAP_CONF_EWS:
3707 txwin_ext = val;
3708 break;
3709 }
7b1c0049
GP		 3710 }
3711
7b1c0049
GP		 3712 switch (rfc.mode) {
3713 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3714 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3715 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3716 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3717 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3718 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3719 else
3720 chan->ack_win = min_t(u16, chan->ack_win,
3721 rfc.txwin_size);
7b1c0049
GP		 3722 break;
3723 case L2CAP_MODE_STREAMING:
47d1ec61 3724 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3725 }
3726}
3727
2d792818 3728static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3729 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3730 u8 *data)
4e8402a3 3731{
e2fd318e 3732 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3733
cb3b3152
JH		 3734 if (cmd_len < sizeof(*rej))
3735 return -EPROTO;
3736
e2fd318e 3737 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3738 return 0;
3739
3740 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3741 cmd->ident == conn->info_ident) {
17cd3f37 3742 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3743
3744 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3745 conn->info_ident = 0;
984947dc 3746
4e8402a3
MH		 3747 l2cap_conn_start(conn);
3748 }
3749
3750 return 0;
3751}
3752
1700915f
MM		 3753static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3754 struct l2cap_cmd_hdr *cmd,
3755 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3756{
1da177e4
LT		 3757 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3758 struct l2cap_conn_rsp rsp;
23691d75 3759 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3760 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3761
3762 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3763 __le16 psm = req->psm;
1da177e4 3764
097db76c 3765 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3766
3767 /* Check if we have socket listening on psm */
6f59b904 3768 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3769 &conn->hcon->dst, ACL_LINK);
23691d75 3770 if (!pchan) {
1da177e4
LT		 3771 result = L2CAP_CR_BAD_PSM;
3772 goto sendresp;
3773 }
3774
3df91ea2 3775 mutex_lock(&conn->chan_lock);
8ffb9290 3776 l2cap_chan_lock(pchan);
e0f0cb56 3777
e7c29cb1 3778 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3779 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3780 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3781 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3782 result = L2CAP_CR_SEC_BLOCK;
3783 goto response;
3784 }
3785
1da177e4
LT		 3786 result = L2CAP_CR_NO_MEM;
3787
2dfa1003
GP		 3788 /* Check if we already have channel with that dcid */
3789 if (__l2cap_get_chan_by_dcid(conn, scid))
3790 goto response;
3791
80b98027 3792 chan = pchan->ops->new_connection(pchan);
80808e43 3793 if (!chan)
1da177e4
LT		 3794 goto response;
3795
330b6c15
SS		 3796 /* For certain devices (ex: HID mouse), support for authentication,
3797 * pairing and bonding is optional. For such devices, inorder to avoid
3798 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3799 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3800 */
3801 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3802
7eafc59e
MH		 3803 bacpy(&chan->src, &conn->hcon->src);
3804 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3805 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3806 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3807 chan->psm = psm;
3808 chan->dcid = scid;
1700915f 3809 chan->local_amp_id = amp_id;
1da177e4 3810
6be36555 3811 __l2cap_chan_add(conn, chan);
48454079 3812
fe4128e0 3813 dcid = chan->scid;
1da177e4 3814
8d836d71 3815 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3816
fc7f8a7e 3817 chan->ident = cmd->ident;
1da177e4 3818
984947dc 3819 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3820 if (l2cap_chan_check_security(chan)) {
bdc25783 3821 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3822 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3823 result = L2CAP_CR_PEND;
3824 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3825 chan->ops->defer(chan);
f66dc81f 3826 } else {
1700915f
MM		 3827 /* Force pending result for AMP controllers.
3828 * The connection will succeed after the
3829 * physical link is up.
3830 */
6ed971ca 3831 if (amp_id == AMP_ID_BREDR) {
f93fa273 3832 l2cap_state_change(chan, BT_CONFIG);
1700915f 3833 result = L2CAP_CR_SUCCESS;
6ed971ca 3834 } else {
f93fa273 3835 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3836 result = L2CAP_CR_PEND;
1700915f 3837 }
f66dc81f
MH		 3838 status = L2CAP_CS_NO_INFO;
3839 }
79d554a6 3840 } else {
f93fa273 3841 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3842 result = L2CAP_CR_PEND;
3843 status = L2CAP_CS_AUTHEN_PEND;
3844 }
3845 } else {
f93fa273 3846 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3847 result = L2CAP_CR_PEND;
3848 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3849 }
3850
1da177e4 3851response:
8ffb9290 3852 l2cap_chan_unlock(pchan);
3df91ea2 3853 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3854
3855sendresp:
aca3192c
YH		 3856 rsp.scid = cpu_to_le16(scid);
3857 rsp.dcid = cpu_to_le16(dcid);
3858 rsp.result = cpu_to_le16(result);
3859 rsp.status = cpu_to_le16(status);
4c89b6aa 3860 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3861
3862 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3863 struct l2cap_info_req info;
ac73498c 3864 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3865
3866 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3867 conn->info_ident = l2cap_get_ident(conn);
3868
ba13ccd9 3869 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3870
2d792818
GP		 3871 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3872 sizeof(info), &info);
79d554a6
MH		 3873 }
3874
c1360a1c 3875 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3876 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3877 u8 buf[128];
c1360a1c 3878 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3879 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3880 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3881 chan->num_conf_req++;
e9aeb2dd 3882 }
1700915f
MM		 3883
3884 return chan;
4c89b6aa 3885}
e9aeb2dd 3886
4c89b6aa 3887static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3888 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3889{
7b064eda
JK		 3890 struct hci_dev *hdev = conn->hcon->hdev;
3891 struct hci_conn *hcon = conn->hcon;
3892
cb3b3152
JH		 3893 if (cmd_len < sizeof(struct l2cap_conn_req))
3894 return -EPROTO;
3895
7b064eda
JK		 3896 hci_dev_lock(hdev);
3897 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3898 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3899 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3900 hcon->dst_type, 0, NULL, 0,
3901 hcon->dev_class);
3902 hci_dev_unlock(hdev);
3903
300229f9 3904 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3905 return 0;
3906}
3907
5909cf30 3908static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3909 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3910 u8 *data)
1da177e4
LT		 3911{
3912 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3913 u16 scid, dcid, result, status;
48454079 3914 struct l2cap_chan *chan;
1da177e4 3915 u8 req[128];
3df91ea2 3916 int err;
1da177e4 3917
cb3b3152
JH		 3918 if (cmd_len < sizeof(*rsp))
3919 return -EPROTO;
3920
1da177e4
LT		 3921 scid = __le16_to_cpu(rsp->scid);
3922 dcid = __le16_to_cpu(rsp->dcid);
3923 result = __le16_to_cpu(rsp->result);
3924 status = __le16_to_cpu(rsp->status);
3925
1b009c98 3926 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3927 dcid, scid, result, status);
1da177e4 3928
3df91ea2
AE		 3929 mutex_lock(&conn->chan_lock);
3930
1da177e4 3931 if (scid) {
3df91ea2
AE		 3932 chan = __l2cap_get_chan_by_scid(conn, scid);
3933 if (!chan) {
21870b52 3934 err = -EBADSLT;
3df91ea2
AE		 3935 goto unlock;
3936 }
1da177e4 3937 } else {
3df91ea2
AE		 3938 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3939 if (!chan) {
21870b52 3940 err = -EBADSLT;
3df91ea2
AE		 3941 goto unlock;
3942 }
1da177e4
LT		 3943 }
3944
3df91ea2
AE		 3945 err = 0;
3946
6be36555 3947 l2cap_chan_lock(chan);
48454079 3948
1da177e4
LT		 3949 switch (result) {
3950 case L2CAP_CR_SUCCESS:
89bc500e 3951 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3952 chan->ident = 0;
fe4128e0 3953 chan->dcid = dcid;
c1360a1c 3954 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3955
c1360a1c 3956 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3957 break;
3958
1da177e4 3959 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3960 l2cap_build_conf_req(chan, req), req);
73ffa904 3961 chan->num_conf_req++;
1da177e4
LT		 3962 break;
3963
3964 case L2CAP_CR_PEND:
c1360a1c 3965 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3966 break;
3967
3968 default:
48454079 3969 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3970 break;
3971 }
3972
6be36555 3973 l2cap_chan_unlock(chan);
3df91ea2
AE		 3974
3975unlock:
3976 mutex_unlock(&conn->chan_lock);
3977
3978 return err;
1da177e4
LT		 3979}
3980
47d1ec61 3981static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3982{
3983 /* FCS is enabled only in ERTM or streaming mode, if one or both
3984 * sides request it.
3985 */
0c1bc5c6 3986 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3987 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3988 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3989 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3990}
3991
29d8a590
AE		 3992static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3993 u8 ident, u16 flags)
3994{
3995 struct l2cap_conn *conn = chan->conn;
3996
3997 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3998 flags);
3999
4000 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4001 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4002
4003 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4004 l2cap_build_conf_rsp(chan, data,
4005 L2CAP_CONF_SUCCESS, flags), data);
4006}
4007
662d652d
JH		 4008static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4009 u16 scid, u16 dcid)
4010{
4011 struct l2cap_cmd_rej_cid rej;
4012
4013 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
4014 rej.scid = __cpu_to_le16(scid);
4015 rej.dcid = __cpu_to_le16(dcid);
4016
4017 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4018}
4019
2d792818
GP		 4020static inline int l2cap_config_req(struct l2cap_conn *conn,
4021 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4022 u8 *data)
1da177e4
LT		 4023{
4024 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4025 u16 dcid, flags;
4026 u8 rsp[64];
48454079 4027 struct l2cap_chan *chan;
3c588192 4028 int len, err = 0;
1da177e4 4029
cb3b3152
JH		 4030 if (cmd_len < sizeof(*req))
4031 return -EPROTO;
4032
1da177e4
LT		 4033 dcid = __le16_to_cpu(req->dcid);
4034 flags = __le16_to_cpu(req->flags);
4035
4036 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4037
baa7e1fa 4038 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4039 if (!chan) {
4040 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4041 return 0;
4042 }
1da177e4 4043
033b1142 4044 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4045 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4046 chan->dcid);
354f60a9 4047 goto unlock;
df6bd743 4048 }
354f60a9 4049
5dee9e7c 4050 /* Reject if config buffer is too small. */
88219a0f 4051 len = cmd_len - sizeof(*req);
cb3b3152 4052 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4053 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4054 l2cap_build_conf_rsp(chan, rsp,
4055 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4056 goto unlock;
4057 }
4058
4059 /* Store config. */
73ffa904
GP		 4060 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4061 chan->conf_len += len;
1da177e4 4062
59e54bd1 4063 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4064 /* Incomplete config. Send empty response. */
4065 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4066 l2cap_build_conf_rsp(chan, rsp,
4067 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4068 goto unlock;
4069 }
4070
4071 /* Complete config. */
73ffa904 4072 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4073 if (len < 0) {
5e4e3972 4074 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4075 goto unlock;
f2fcfcd6 4076 }
1da177e4 4077
1500109b 4078 chan->ident = cmd->ident;
5dee9e7c 4079 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4080 chan->num_conf_rsp++;
5dee9e7c 4081
5dee9e7c 4082 /* Reset config buffer. */
73ffa904 4083 chan->conf_len = 0;
5dee9e7c 4084
c1360a1c 4085 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4086 goto unlock;
4087
c1360a1c 4088 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4089 set_default_fcs(chan);
fcc203c3 4090
105bdf9e
MM		 4091 if (chan->mode == L2CAP_MODE_ERTM ||
4092 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4093 err = l2cap_ertm_init(chan);
4094
4095 if (err < 0)
5e4e3972 4096 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4097 else
4098 l2cap_chan_ready(chan);
0565c1c2 4099
876d9484
MH		 4100 goto unlock;
4101 }
4102
c1360a1c 4103 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4104 u8 buf[64];
1da177e4 4105 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4106 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4107 chan->num_conf_req++;
1da177e4
LT		 4108 }
4109
0e8b207e
AE		 4110 /* Got Conf Rsp PENDING from remote side and asume we sent
4111 Conf Rsp PENDING in the code above */
4112 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4113 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4114
4115 /* check compatibility */
4116
79de886d 4117 /* Send rsp for BR/EDR channel */
f351bc72 4118 if (!chan->hs_hcon)
79de886d
AE		 4119 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4120 else
4121 chan->ident = cmd->ident;
0e8b207e
AE		 4122 }
4123
1da177e4 4124unlock:
6be36555 4125 l2cap_chan_unlock(chan);
3c588192 4126 return err;
1da177e4
LT		 4127}
4128
2d792818 4129static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4130 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4131 u8 *data)
1da177e4
LT		 4132{
4133 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4134 u16 scid, flags, result;
48454079 4135 struct l2cap_chan *chan;
cb3b3152 4136 int len = cmd_len - sizeof(*rsp);
3c588192 4137 int err = 0;
1da177e4 4138
cb3b3152
JH		 4139 if (cmd_len < sizeof(*rsp))
4140 return -EPROTO;
4141
1da177e4
LT		 4142 scid = __le16_to_cpu(rsp->scid);
4143 flags = __le16_to_cpu(rsp->flags);
4144 result = __le16_to_cpu(rsp->result);
4145
61386cba
AE		 4146 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4147 result, len);
1da177e4 4148
baa7e1fa 4149 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4150 if (!chan)
1da177e4
LT		 4151 return 0;
4152
4153 switch (result) {
4154 case L2CAP_CONF_SUCCESS:
47d1ec61 4155 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4156 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4157 break;
4158
0e8b207e
AE		 4159 case L2CAP_CONF_PENDING:
4160 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4161
4162 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4163 char buf[64];
4164
4165 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4166 buf, &result);
0e8b207e 4167 if (len < 0) {
5e4e3972 4168 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4169 goto done;
4170 }
4171
f351bc72 4172 if (!chan->hs_hcon) {
79de886d
AE		 4173 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4174 0);
5ce66b59
AE		 4175 } else {
4176 if (l2cap_check_efs(chan)) {
4177 amp_create_logical_link(chan);
4178 chan->ident = cmd->ident;
4179 }
4180 }
0e8b207e
AE		 4181 }
4182 goto done;
4183
1da177e4 4184 case L2CAP_CONF_UNACCEPT:
73ffa904 4185 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4186 char req[64];
4187
c2c77ec8 4188 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4189 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4190 goto done;
4191 }
4192
f2fcfcd6
GP		 4193 /* throw out any old stored conf requests */
4194 result = L2CAP_CONF_SUCCESS;
b4450035 4195 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4196 req, &result);
f2fcfcd6 4197 if (len < 0) {
5e4e3972 4198 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4199 goto done;
4200 }
4201
4202 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4203 L2CAP_CONF_REQ, len, req);
73ffa904 4204 chan->num_conf_req++;
f2fcfcd6
GP		 4205 if (result != L2CAP_CONF_SUCCESS)
4206 goto done;
4207 break;
1da177e4
LT		 4208 }
4209
8e87d142 4210 default:
6be36555 4211 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4212
ba13ccd9 4213 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4214 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4215 goto done;
4216 }
4217
59e54bd1 4218 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4219 goto done;
4220
c1360a1c 4221 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4222
c1360a1c 4223 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4224 set_default_fcs(chan);
fcc203c3 4225
105bdf9e
MM		 4226 if (chan->mode == L2CAP_MODE_ERTM ||
4227 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4228 err = l2cap_ertm_init(chan);
0565c1c2 4229
3c588192 4230 if (err < 0)
5e4e3972 4231 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4232 else
4233 l2cap_chan_ready(chan);
1da177e4
LT		 4234 }
4235
4236done:
6be36555 4237 l2cap_chan_unlock(chan);
3c588192 4238 return err;
1da177e4
LT		 4239}
4240
2d792818 4241static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4242 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4243 u8 *data)
1da177e4
LT		 4244{
4245 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4246 struct l2cap_disconn_rsp rsp;
4247 u16 dcid, scid;
48454079 4248 struct l2cap_chan *chan;
1da177e4 4249
cb3b3152
JH		 4250 if (cmd_len != sizeof(*req))
4251 return -EPROTO;
4252
1da177e4
LT		 4253 scid = __le16_to_cpu(req->scid);
4254 dcid = __le16_to_cpu(req->dcid);
4255
4256 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4257
3df91ea2
AE		 4258 mutex_lock(&conn->chan_lock);
4259
4260 chan = __l2cap_get_chan_by_scid(conn, dcid);
4261 if (!chan) {
4262 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4263 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4264 return 0;
3df91ea2 4265 }
1da177e4 4266
6be36555
AE		 4267 l2cap_chan_lock(chan);
4268
fe4128e0
GP		 4269 rsp.dcid = cpu_to_le16(chan->scid);
4270 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4271 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4272
5ec1bbe5 4273 chan->ops->set_shutdown(chan);
1da177e4 4274
61d6ef3e 4275 l2cap_chan_hold(chan);
48454079 4276 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4277
4278 l2cap_chan_unlock(chan);
1da177e4 4279
80b98027 4280 chan->ops->close(chan);
61d6ef3e 4281 l2cap_chan_put(chan);
3df91ea2
AE		 4282
4283 mutex_unlock(&conn->chan_lock);
4284
1da177e4
LT		 4285 return 0;
4286}
4287
2d792818 4288static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4289 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4290 u8 *data)
1da177e4
LT		 4291{
4292 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4293 u16 dcid, scid;
48454079 4294 struct l2cap_chan *chan;
1da177e4 4295
cb3b3152
JH		 4296 if (cmd_len != sizeof(*rsp))
4297 return -EPROTO;
4298
1da177e4
LT		 4299 scid = __le16_to_cpu(rsp->scid);
4300 dcid = __le16_to_cpu(rsp->dcid);
4301
4302 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4303
3df91ea2
AE		 4304 mutex_lock(&conn->chan_lock);
4305
4306 chan = __l2cap_get_chan_by_scid(conn, scid);
4307 if (!chan) {
4308 mutex_unlock(&conn->chan_lock);
1da177e4 4309 return 0;
3df91ea2 4310 }
1da177e4 4311
6be36555 4312 l2cap_chan_lock(chan);
48454079 4313
61d6ef3e 4314 l2cap_chan_hold(chan);
48454079 4315 l2cap_chan_del(chan, 0);
6be36555
AE		 4316
4317 l2cap_chan_unlock(chan);
1da177e4 4318
80b98027 4319 chan->ops->close(chan);
61d6ef3e 4320 l2cap_chan_put(chan);
3df91ea2
AE		 4321
4322 mutex_unlock(&conn->chan_lock);
4323
1da177e4
LT		 4324 return 0;
4325}
4326
2d792818 4327static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4328 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4329 u8 *data)
1da177e4
LT		 4330{
4331 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4332 u16 type;
4333
cb3b3152
JH		 4334 if (cmd_len != sizeof(*req))
4335 return -EPROTO;
4336
1da177e4
LT		 4337 type = __le16_to_cpu(req->type);
4338
4339 BT_DBG("type 0x%4.4x", type);
4340
f0709e03
MH		 4341 if (type == L2CAP_IT_FEAT_MASK) {
4342 u8 buf[8];
44dd46de 4343 u32 feat_mask = l2cap_feat_mask;
f0709e03 4344 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4345 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4346 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4347 if (!disable_ertm)
fcc203c3 4348 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4349 | L2CAP_FEAT_FCS;
848566b3 4350 if (conn->hs_enabled)
6327eb98 4351 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4352 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4353
1b7bf4ed 4354 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4355 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4356 buf);
e1027a7c
MH		 4357 } else if (type == L2CAP_IT_FIXED_CHAN) {
4358 u8 buf[12];
4359 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4360
848566b3 4361 if (conn->hs_enabled)
50a147cd
MM		 4362 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4363 else
4364 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4365
ac73498c
AE		 4366 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4367 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4368 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4369 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4370 buf);
f0709e03
MH		 4371 } else {
4372 struct l2cap_info_rsp rsp;
4373 rsp.type = cpu_to_le16(type);
ac73498c 4374 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4375 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4376 &rsp);
f0709e03 4377 }
1da177e4
LT		 4378
4379 return 0;
4380}
4381
2d792818 4382static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4383 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4384 u8 *data)
1da177e4
LT		 4385{
4386 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4387 u16 type, result;
4388
3f6fa3d4 4389 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4390 return -EPROTO;
4391
1da177e4
LT		 4392 type = __le16_to_cpu(rsp->type);
4393 result = __le16_to_cpu(rsp->result);
4394
4395 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4396
e90165be
AE		 4397 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4398 if (cmd->ident != conn->info_ident ||
2d792818 4399 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4400 return 0;
4401
17cd3f37 4402 cancel_delayed_work(&conn->info_timer);
4e8402a3 4403
adb08ede
VT		 4404 if (result != L2CAP_IR_SUCCESS) {
4405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4406 conn->info_ident = 0;
4407
4408 l2cap_conn_start(conn);
4409
4410 return 0;
4411 }
4412
978c93b9
AE		 4413 switch (type) {
4414 case L2CAP_IT_FEAT_MASK:
83985319 4415 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4416
47ec1dcd 4417 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4418 struct l2cap_info_req req;
ac73498c 4419 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4420
4421 conn->info_ident = l2cap_get_ident(conn);
4422
4423 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4424 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4425 } else {
4426 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4427 conn->info_ident = 0;
4428
4429 l2cap_conn_start(conn);
4430 }
978c93b9
AE		 4431 break;
4432
4433 case L2CAP_IT_FIXED_CHAN:
4434 conn->fixed_chan_mask = rsp->data[0];
984947dc 4435 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4436 conn->info_ident = 0;
984947dc
MH		 4437
4438 l2cap_conn_start(conn);
978c93b9 4439 break;
984947dc 4440 }
4e8402a3 4441
1da177e4
LT		 4442 return 0;
4443}
4444
1700915f
MM		 4445static int l2cap_create_channel_req(struct l2cap_conn *conn,
4446 struct l2cap_cmd_hdr *cmd,
4447 u16 cmd_len, void *data)
f94ff6ff
MM		 4448{
4449 struct l2cap_create_chan_req *req = data;
6e1df6a6 4450 struct l2cap_create_chan_rsp rsp;
1700915f 4451 struct l2cap_chan *chan;
6e1df6a6 4452 struct hci_dev *hdev;
f94ff6ff
MM		 4453 u16 psm, scid;
4454
4455 if (cmd_len != sizeof(*req))
4456 return -EPROTO;
4457
848566b3 4458 if (!conn->hs_enabled)
f94ff6ff
MM		 4459 return -EINVAL;
4460
4461 psm = le16_to_cpu(req->psm);
4462 scid = le16_to_cpu(req->scid);
4463
ad0ac6ca 4464 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4465
6e1df6a6 4466 /* For controller id 0 make BR/EDR connection */
6ed971ca 4467 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4468 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4469 req->amp_id);
4470 return 0;
4471 }
1700915f 4472
6e1df6a6
AE		 4473 /* Validate AMP controller id */
4474 hdev = hci_dev_get(req->amp_id);
4475 if (!hdev)
4476 goto error;
1700915f 4477
6e1df6a6
AE		 4478 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4479 hci_dev_put(hdev);
4480 goto error;
4481 }
1700915f 4482
6e1df6a6
AE		 4483 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4484 req->amp_id);
4485 if (chan) {
4486 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4487 struct hci_conn *hs_hcon;
1700915f 4488
98e0f7ea
MH		 4489 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4490 &conn->hcon->dst);
6e1df6a6
AE		 4491 if (!hs_hcon) {
4492 hci_dev_put(hdev);
662d652d
JH		 4493 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4494 chan->dcid);
4495 return 0;
1700915f
MM		 4496 }
4497
6e1df6a6
AE		 4498 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4499
6e1df6a6
AE		 4500 mgr->bredr_chan = chan;
4501 chan->hs_hcon = hs_hcon;
fd45bf4c 4502 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4503 conn->mtu = hdev->block_mtu;
1700915f 4504 }
f94ff6ff 4505
6e1df6a6 4506 hci_dev_put(hdev);
f94ff6ff
MM		 4507
4508 return 0;
6e1df6a6
AE		 4509
4510error:
4511 rsp.dcid = 0;
4512 rsp.scid = cpu_to_le16(scid);
4513 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4514 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4515
4516 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4517 sizeof(rsp), &rsp);
4518
dc280801 4519 return 0;
f94ff6ff
MM		 4520}
4521
8eb200bd
MM		 4522static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4523{
4524 struct l2cap_move_chan_req req;
4525 u8 ident;
4526
4527 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4528
4529 ident = l2cap_get_ident(chan->conn);
4530 chan->ident = ident;
4531
4532 req.icid = cpu_to_le16(chan->scid);
4533 req.dest_amp_id = dest_amp_id;
4534
4535 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4536 &req);
4537
4538 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4539}
4540
1500109b 4541static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4542{
4543 struct l2cap_move_chan_rsp rsp;
4544
1500109b 4545 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4546
1500109b 4547 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4548 rsp.result = cpu_to_le16(result);
4549
1500109b
MM		 4550 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4551 sizeof(rsp), &rsp);
8d5a04a1
MM		 4552}
4553
5b155ef9 4554static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4555{
4556 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4557
5b155ef9 4558 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4559
5b155ef9 4560 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4561
5b155ef9 4562 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4563 cfm.result = cpu_to_le16(result);
4564
5b155ef9
MM		 4565 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4566 sizeof(cfm), &cfm);
4567
4568 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4569}
4570
4571static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4572{
4573 struct l2cap_move_chan_cfm cfm;
4574
4575 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4576
4577 cfm.icid = cpu_to_le16(icid);
4578 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4579
4580 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4581 sizeof(cfm), &cfm);
8d5a04a1
MM		 4582}
4583
4584static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4585 u16 icid)
8d5a04a1
MM		 4586{
4587 struct l2cap_move_chan_cfm_rsp rsp;
4588
ad0ac6ca 4589 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4590
4591 rsp.icid = cpu_to_le16(icid);
4592 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4593}
4594
5f3847a4
MM		 4595static void __release_logical_link(struct l2cap_chan *chan)
4596{
4597 chan->hs_hchan = NULL;
4598 chan->hs_hcon = NULL;
4599
4600 /* Placeholder - release the logical link */
4601}
4602
1500109b
MM		 4603static void l2cap_logical_fail(struct l2cap_chan *chan)
4604{
4605 /* Logical link setup failed */
4606 if (chan->state != BT_CONNECTED) {
4607 /* Create channel failure, disconnect */
5e4e3972 4608 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4609 return;
4610 }
4611
4612 switch (chan->move_role) {
4613 case L2CAP_MOVE_ROLE_RESPONDER:
4614 l2cap_move_done(chan);
4615 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4616 break;
4617 case L2CAP_MOVE_ROLE_INITIATOR:
4618 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4619 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4620 /* Remote has only sent pending or
4621 * success responses, clean up
4622 */
4623 l2cap_move_done(chan);
4624 }
4625
4626 /* Other amp move states imply that the move
4627 * has already aborted
4628 */
4629 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4630 break;
4631 }
4632}
4633
4634static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4635 struct hci_chan *hchan)
4636{
4637 struct l2cap_conf_rsp rsp;
1500109b 4638
336178a3 4639 chan->hs_hchan = hchan;
1500109b
MM		 4640 chan->hs_hcon->l2cap_data = chan->conn;
4641
35ba9561 4642 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4643
4644 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4645 int err;
1500109b
MM		 4646
4647 set_default_fcs(chan);
4648
4649 err = l2cap_ertm_init(chan);
4650 if (err < 0)
5e4e3972 4651 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4652 else
4653 l2cap_chan_ready(chan);
4654 }
4655}
4656
4657static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4658 struct hci_chan *hchan)
4659{
4660 chan->hs_hcon = hchan->conn;
4661 chan->hs_hcon->l2cap_data = chan->conn;
4662
4663 BT_DBG("move_state %d", chan->move_state);
4664
4665 switch (chan->move_state) {
4666 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4667 /* Move confirm will be sent after a success
4668 * response is received
4669 */
4670 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4671 break;
4672 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4673 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4674 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4675 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4676 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4677 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4678 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4679 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4680 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4681 }
4682 break;
4683 default:
4684 /* Move was not in expected state, free the channel */
4685 __release_logical_link(chan);
4686
4687 chan->move_state = L2CAP_MOVE_STABLE;
4688 }
4689}
4690
4691/* Call with chan locked */
27695fb4
AE		 4692void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4693 u8 status)
5b155ef9 4694{
1500109b
MM		 4695 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4696
4697 if (status) {
4698 l2cap_logical_fail(chan);
4699 __release_logical_link(chan);
4700 return;
4701 }
4702
4703 if (chan->state != BT_CONNECTED) {
4704 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4705 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4706 l2cap_logical_finish_create(chan, hchan);
4707 } else {
4708 l2cap_logical_finish_move(chan, hchan);
4709 }
5b155ef9
MM		 4710}
4711
3f7a56c4
MM		 4712void l2cap_move_start(struct l2cap_chan *chan)
4713{
4714 BT_DBG("chan %p", chan);
4715
6ed971ca 4716 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4717 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4718 return;
4719 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4720 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4721 /* Placeholder - start physical link setup */
4722 } else {
4723 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4724 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4725 chan->move_id = 0;
4726 l2cap_move_setup(chan);
4727 l2cap_send_move_chan_req(chan, 0);
4728 }
4729}
4730
8eb200bd
MM		 4731static void l2cap_do_create(struct l2cap_chan *chan, int result,
4732 u8 local_amp_id, u8 remote_amp_id)
4733{
62748ca1
AE		 4734 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4735 local_amp_id, remote_amp_id);
4736
12d6cc60
AE		 4737 chan->fcs = L2CAP_FCS_NONE;
4738
62748ca1
AE		 4739 /* Outgoing channel on AMP */
4740 if (chan->state == BT_CONNECT) {
4741 if (result == L2CAP_CR_SUCCESS) {
4742 chan->local_amp_id = local_amp_id;
4743 l2cap_send_create_chan_req(chan, remote_amp_id);
4744 } else {
4745 /* Revert to BR/EDR connect */
4746 l2cap_send_conn_req(chan);
4747 }
4748
4749 return;
4750 }
4751
4752 /* Incoming channel on AMP */
4753 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4754 struct l2cap_conn_rsp rsp;
4755 char buf[128];
4756 rsp.scid = cpu_to_le16(chan->dcid);
4757 rsp.dcid = cpu_to_le16(chan->scid);
4758
8eb200bd
MM		 4759 if (result == L2CAP_CR_SUCCESS) {
4760 /* Send successful response */
62cd50e2
AE		 4761 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4762 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4763 } else {
4764 /* Send negative response */
62cd50e2
AE		 4765 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4766 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4767 }
4768
4769 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4770 sizeof(rsp), &rsp);
4771
4772 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4773 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4774 set_bit(CONF_REQ_SENT, &chan->conf_state);
4775 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4776 L2CAP_CONF_REQ,
4777 l2cap_build_conf_req(chan, buf), buf);
4778 chan->num_conf_req++;
4779 }
8eb200bd
MM		 4780 }
4781}
4782
4783static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4784 u8 remote_amp_id)
4785{
4786 l2cap_move_setup(chan);
4787 chan->move_id = local_amp_id;
4788 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4789
4790 l2cap_send_move_chan_req(chan, remote_amp_id);
4791}
4792
4793static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4794{
4795 struct hci_chan *hchan = NULL;
4796
4797 /* Placeholder - get hci_chan for logical link */
4798
4799 if (hchan) {
4800 if (hchan->state == BT_CONNECTED) {
4801 /* Logical link is ready to go */
4802 chan->hs_hcon = hchan->conn;
4803 chan->hs_hcon->l2cap_data = chan->conn;
4804 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4805 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4806
4807 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4808 } else {
4809 /* Wait for logical link to be ready */
4810 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4811 }
4812 } else {
4813 /* Logical link not available */
4814 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4815 }
4816}
4817
4818static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4819{
4820 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4821 u8 rsp_result;
4822 if (result == -EINVAL)
4823 rsp_result = L2CAP_MR_BAD_ID;
4824 else
4825 rsp_result = L2CAP_MR_NOT_ALLOWED;
4826
4827 l2cap_send_move_chan_rsp(chan, rsp_result);
4828 }
4829
4830 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4831 chan->move_state = L2CAP_MOVE_STABLE;
4832
4833 /* Restart data transmission */
4834 l2cap_ertm_send(chan);
4835}
4836
a514b17f
AE		 4837/* Invoke with locked chan */
4838void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4839{
770bfefa 4840 u8 local_amp_id = chan->local_amp_id;
fffadc08 4841 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4842
8eb200bd
MM		 4843 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4844 chan, result, local_amp_id, remote_amp_id);
4845
8eb200bd
MM		 4846 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4847 l2cap_chan_unlock(chan);
4848 return;
4849 }
4850
4851 if (chan->state != BT_CONNECTED) {
4852 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4853 } else if (result != L2CAP_MR_SUCCESS) {
4854 l2cap_do_move_cancel(chan, result);
4855 } else {
4856 switch (chan->move_role) {
4857 case L2CAP_MOVE_ROLE_INITIATOR:
4858 l2cap_do_move_initiate(chan, local_amp_id,
4859 remote_amp_id);
4860 break;
4861 case L2CAP_MOVE_ROLE_RESPONDER:
4862 l2cap_do_move_respond(chan, result);
4863 break;
4864 default:
4865 l2cap_do_move_cancel(chan, result);
4866 break;
4867 }
4868 }
8eb200bd
MM		 4869}
4870
8d5a04a1 4871static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4872 struct l2cap_cmd_hdr *cmd,
4873 u16 cmd_len, void *data)
8d5a04a1
MM		 4874{
4875 struct l2cap_move_chan_req *req = data;
1500109b 4876 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4877 struct l2cap_chan *chan;
8d5a04a1
MM		 4878 u16 icid = 0;
4879 u16 result = L2CAP_MR_NOT_ALLOWED;
4880
4881 if (cmd_len != sizeof(*req))
4882 return -EPROTO;
4883
4884 icid = le16_to_cpu(req->icid);
4885
ad0ac6ca 4886 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4887
848566b3 4888 if (!conn->hs_enabled)
8d5a04a1
MM		 4889 return -EINVAL;
4890
02b0fbb9
MM		 4891 chan = l2cap_get_chan_by_dcid(conn, icid);
4892 if (!chan) {
1500109b
MM		 4893 rsp.icid = cpu_to_le16(icid);
4894 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4895 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4896 sizeof(rsp), &rsp);
02b0fbb9
MM		 4897 return 0;
4898 }
4899
1500109b
MM		 4900 chan->ident = cmd->ident;
4901
02b0fbb9
MM		 4902 if (chan->scid < L2CAP_CID_DYN_START ||
4903 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4904 (chan->mode != L2CAP_MODE_ERTM &&
4905 chan->mode != L2CAP_MODE_STREAMING)) {
4906 result = L2CAP_MR_NOT_ALLOWED;
4907 goto send_move_response;
4908 }
4909
4910 if (chan->local_amp_id == req->dest_amp_id) {
4911 result = L2CAP_MR_SAME_ID;
4912 goto send_move_response;
4913 }
4914
6ed971ca 4915 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4916 struct hci_dev *hdev;
4917 hdev = hci_dev_get(req->dest_amp_id);
4918 if (!hdev || hdev->dev_type != HCI_AMP ||
4919 !test_bit(HCI_UP, &hdev->flags)) {
4920 if (hdev)
4921 hci_dev_put(hdev);
4922
4923 result = L2CAP_MR_BAD_ID;
4924 goto send_move_response;
4925 }
4926 hci_dev_put(hdev);
4927 }
4928
4929 /* Detect a move collision. Only send a collision response
4930 * if this side has "lost", otherwise proceed with the move.
4931 * The winner has the larger bd_addr.
4932 */
4933 if ((__chan_is_moving(chan) ||
4934 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4935 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4936 result = L2CAP_MR_COLLISION;
4937 goto send_move_response;
4938 }
4939
02b0fbb9
MM		 4940 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4941 l2cap_move_setup(chan);
4942 chan->move_id = req->dest_amp_id;
4943 icid = chan->dcid;
4944
6ed971ca 4945 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4946 /* Moving to BR/EDR */
4947 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4948 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4949 result = L2CAP_MR_PEND;
4950 } else {
4951 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4952 result = L2CAP_MR_SUCCESS;
4953 }
4954 } else {
4955 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4956 /* Placeholder - uncomment when amp functions are available */
4957 /*amp_accept_physical(chan, req->dest_amp_id);*/
4958 result = L2CAP_MR_PEND;
4959 }
4960
4961send_move_response:
1500109b 4962 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4963
02b0fbb9
MM		 4964 l2cap_chan_unlock(chan);
4965
8d5a04a1
MM		 4966 return 0;
4967}
4968
5b155ef9
MM		 4969static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4970{
4971 struct l2cap_chan *chan;
4972 struct hci_chan *hchan = NULL;
4973
4974 chan = l2cap_get_chan_by_scid(conn, icid);
4975 if (!chan) {
4976 l2cap_send_move_chan_cfm_icid(conn, icid);
4977 return;
4978 }
4979
4980 __clear_chan_timer(chan);
4981 if (result == L2CAP_MR_PEND)
4982 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4983
4984 switch (chan->move_state) {
4985 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4986 /* Move confirm will be sent when logical link
4987 * is complete.
4988 */
4989 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4990 break;
4991 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4992 if (result == L2CAP_MR_PEND) {
4993 break;
4994 } else if (test_bit(CONN_LOCAL_BUSY,
4995 &chan->conn_state)) {
4996 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4997 } else {
4998 /* Logical link is up or moving to BR/EDR,
4999 * proceed with move
5000 */
5001 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5002 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5003 }
5004 break;
5005 case L2CAP_MOVE_WAIT_RSP:
5006 /* Moving to AMP */
5007 if (result == L2CAP_MR_SUCCESS) {
5008 /* Remote is ready, send confirm immediately
5009 * after logical link is ready
5010 */
5011 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5012 } else {
5013 /* Both logical link and move success
5014 * are required to confirm
5015 */
5016 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5017 }
5018
5019 /* Placeholder - get hci_chan for logical link */
5020 if (!hchan) {
5021 /* Logical link not available */
5022 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5023 break;
5024 }
5025
5026 /* If the logical link is not yet connected, do not
5027 * send confirmation.
5028 */
5029 if (hchan->state != BT_CONNECTED)
5030 break;
5031
5032 /* Logical link is already ready to go */
5033
5034 chan->hs_hcon = hchan->conn;
5035 chan->hs_hcon->l2cap_data = chan->conn;
5036
5037 if (result == L2CAP_MR_SUCCESS) {
5038 /* Can confirm now */
5039 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5040 } else {
5041 /* Now only need move success
5042 * to confirm
5043 */
5044 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5045 }
5046
5047 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5048 break;
5049 default:
5050 /* Any other amp move state means the move failed. */
5051 chan->move_id = chan->local_amp_id;
5052 l2cap_move_done(chan);
5053 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5054 }
5055
5056 l2cap_chan_unlock(chan);
5057}
5058
5059static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5060 u16 result)
5061{
5062 struct l2cap_chan *chan;
5063
5064 chan = l2cap_get_chan_by_ident(conn, ident);
5065 if (!chan) {
5066 /* Could not locate channel, icid is best guess */
5067 l2cap_send_move_chan_cfm_icid(conn, icid);
5068 return;
5069 }
5070
5071 __clear_chan_timer(chan);
5072
5073 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5074 if (result == L2CAP_MR_COLLISION) {
5075 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5076 } else {
5077 /* Cleanup - cancel move */
5078 chan->move_id = chan->local_amp_id;
5079 l2cap_move_done(chan);
5080 }
5081 }
5082
5083 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5084
5085 l2cap_chan_unlock(chan);
5086}
5087
5088static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5089 struct l2cap_cmd_hdr *cmd,
5090 u16 cmd_len, void *data)
8d5a04a1
MM		 5091{
5092 struct l2cap_move_chan_rsp *rsp = data;
5093 u16 icid, result;
5094
5095 if (cmd_len != sizeof(*rsp))
5096 return -EPROTO;
5097
5098 icid = le16_to_cpu(rsp->icid);
5099 result = le16_to_cpu(rsp->result);
5100
ad0ac6ca 5101 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5102
5b155ef9
MM		 5103 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5104 l2cap_move_continue(conn, icid, result);
5105 else
5106 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5107
5108 return 0;
5109}
5110
5f3847a4
MM		 5111static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5112 struct l2cap_cmd_hdr *cmd,
5113 u16 cmd_len, void *data)
8d5a04a1
MM		 5114{
5115 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5116 struct l2cap_chan *chan;
8d5a04a1
MM		 5117 u16 icid, result;
5118
5119 if (cmd_len != sizeof(*cfm))
5120 return -EPROTO;
5121
5122 icid = le16_to_cpu(cfm->icid);
5123 result = le16_to_cpu(cfm->result);
5124
ad0ac6ca 5125 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5126
5f3847a4
MM		 5127 chan = l2cap_get_chan_by_dcid(conn, icid);
5128 if (!chan) {
5129 /* Spec requires a response even if the icid was not found */
5130 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5131 return 0;
5132 }
5133
5134 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5135 if (result == L2CAP_MC_CONFIRMED) {
5136 chan->local_amp_id = chan->move_id;
6ed971ca 5137 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5138 __release_logical_link(chan);
5139 } else {
5140 chan->move_id = chan->local_amp_id;
5141 }
5142
5143 l2cap_move_done(chan);
5144 }
5145
8d5a04a1
MM		 5146 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5147
5f3847a4
MM		 5148 l2cap_chan_unlock(chan);
5149
8d5a04a1
MM		 5150 return 0;
5151}
5152
5153static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5154 struct l2cap_cmd_hdr *cmd,
5155 u16 cmd_len, void *data)
8d5a04a1
MM		 5156{
5157 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5158 struct l2cap_chan *chan;
8d5a04a1
MM		 5159 u16 icid;
5160
5161 if (cmd_len != sizeof(*rsp))
5162 return -EPROTO;
5163
5164 icid = le16_to_cpu(rsp->icid);
5165
ad0ac6ca 5166 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5167
3fd71a0a
MM		 5168 chan = l2cap_get_chan_by_scid(conn, icid);
5169 if (!chan)
5170 return 0;
5171
5172 __clear_chan_timer(chan);
5173
5174 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5175 chan->local_amp_id = chan->move_id;
5176
6ed971ca 5177 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5178 __release_logical_link(chan);
5179
5180 l2cap_move_done(chan);
5181 }
5182
5183 l2cap_chan_unlock(chan);
5184
8d5a04a1
MM		 5185 return 0;
5186}
5187
e2174ca4 5188static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5189 u16 to_multiplier)
de73115a
CT		 5190{
5191 u16 max_latency;
5192
5193 if (min > max || min < 6 || max > 3200)
5194 return -EINVAL;
5195
5196 if (to_multiplier < 10 || to_multiplier > 3200)
5197 return -EINVAL;
5198
5199 if (max >= to_multiplier * 8)
5200 return -EINVAL;
5201
5202 max_latency = (to_multiplier * 8 / max) - 1;
5203 if (latency > 499 || latency > max_latency)
5204 return -EINVAL;
5205
5206 return 0;
5207}
5208
5209static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5210 struct l2cap_cmd_hdr *cmd,
203e639e 5211 u16 cmd_len, u8 *data)
de73115a
CT		 5212{
5213 struct hci_conn *hcon = conn->hcon;
5214 struct l2cap_conn_param_update_req *req;
5215 struct l2cap_conn_param_update_rsp rsp;
203e639e 5216 u16 min, max, latency, to_multiplier;
2ce603eb 5217 int err;
de73115a
CT		 5218
5219 if (!(hcon->link_mode & HCI_LM_MASTER))
5220 return -EINVAL;
5221
de73115a
CT		 5222 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5223 return -EPROTO;
5224
5225 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5226 min = __le16_to_cpu(req->min);
5227 max = __le16_to_cpu(req->max);
de73115a
CT		 5228 latency = __le16_to_cpu(req->latency);
5229 to_multiplier = __le16_to_cpu(req->to_multiplier);
5230
5231 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5232 min, max, latency, to_multiplier);
de73115a
CT		 5233
5234 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5235
5236 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5237 if (err)
ac73498c 5238 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5239 else
ac73498c 5240 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5241
5242 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5243 sizeof(rsp), &rsp);
de73115a 5244
2ce603eb
CT		 5245 if (!err)
5246 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5247
de73115a
CT		 5248 return 0;
5249}
5250
f1496dee
JH		 5251static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5252 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5253 u8 *data)
5254{
5255 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5256 u16 dcid, mtu, mps, credits, result;
5257 struct l2cap_chan *chan;
5258 int err;
5259
5260 if (cmd_len < sizeof(*rsp))
5261 return -EPROTO;
5262
5263 dcid = __le16_to_cpu(rsp->dcid);
5264 mtu = __le16_to_cpu(rsp->mtu);
5265 mps = __le16_to_cpu(rsp->mps);
5266 credits = __le16_to_cpu(rsp->credits);
5267 result = __le16_to_cpu(rsp->result);
5268
5269 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5270 return -EPROTO;
5271
5272 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5273 dcid, mtu, mps, credits, result);
5274
5275 mutex_lock(&conn->chan_lock);
5276
5277 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5278 if (!chan) {
5279 err = -EBADSLT;
5280 goto unlock;
5281 }
5282
5283 err = 0;
5284
5285 l2cap_chan_lock(chan);
5286
5287 switch (result) {
5288 case L2CAP_CR_SUCCESS:
5289 chan->ident = 0;
5290 chan->dcid = dcid;
5291 chan->omtu = mtu;
5292 chan->remote_mps = mps;
0cd75f7e 5293 chan->tx_credits = credits;
f1496dee
JH		 5294 l2cap_chan_ready(chan);
5295 break;
5296
5297 default:
5298 l2cap_chan_del(chan, ECONNREFUSED);
5299 break;
5300 }
5301
5302 l2cap_chan_unlock(chan);
5303
5304unlock:
5305 mutex_unlock(&conn->chan_lock);
5306
5307 return err;
5308}
5309
3300d9a9 5310static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5311 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5312 u8 *data)
3300d9a9
CT		 5313{
5314 int err = 0;
5315
5316 switch (cmd->code) {
5317 case L2CAP_COMMAND_REJ:
cb3b3152 5318 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5319 break;
5320
5321 case L2CAP_CONN_REQ:
cb3b3152 5322 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5323 break;
5324
5325 case L2CAP_CONN_RSP:
f5a2598d 5326 case L2CAP_CREATE_CHAN_RSP:
9245e737 5327 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5328 break;
5329
5330 case L2CAP_CONF_REQ:
5331 err = l2cap_config_req(conn, cmd, cmd_len, data);
5332 break;
5333
5334 case L2CAP_CONF_RSP:
9245e737 5335 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5336 break;
5337
5338 case L2CAP_DISCONN_REQ:
cb3b3152 5339 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5340 break;
5341
5342 case L2CAP_DISCONN_RSP:
9245e737 5343 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5344 break;
5345
5346 case L2CAP_ECHO_REQ:
5347 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5348 break;
5349
5350 case L2CAP_ECHO_RSP:
5351 break;
5352
5353 case L2CAP_INFO_REQ:
cb3b3152 5354 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5355 break;
5356
5357 case L2CAP_INFO_RSP:
9245e737 5358 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5359 break;
5360
f94ff6ff
MM		 5361 case L2CAP_CREATE_CHAN_REQ:
5362 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5363 break;
5364
8d5a04a1
MM		 5365 case L2CAP_MOVE_CHAN_REQ:
5366 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5367 break;
5368
5369 case L2CAP_MOVE_CHAN_RSP:
9245e737 5370 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5371 break;
5372
5373 case L2CAP_MOVE_CHAN_CFM:
5374 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5375 break;
5376
5377 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5378 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5379 break;
5380
3300d9a9
CT		 5381 default:
5382 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5383 err = -EINVAL;
5384 break;
5385 }
5386
5387 return err;
5388}
5389
27e2d4c8
JH		 5390static int l2cap_le_connect_req(struct l2cap_conn *conn,
5391 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5392 u8 *data)
5393{
5394 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5395 struct l2cap_le_conn_rsp rsp;
5396 struct l2cap_chan *chan, *pchan;
0cd75f7e 5397 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5398 __le16 psm;
5399 u8 result;
5400
5401 if (cmd_len != sizeof(*req))
5402 return -EPROTO;
5403
5404 scid = __le16_to_cpu(req->scid);
5405 mtu = __le16_to_cpu(req->mtu);
5406 mps = __le16_to_cpu(req->mps);
5407 psm = req->psm;
5408 dcid = 0;
0cd75f7e 5409 credits = 0;
27e2d4c8
JH		 5410
5411 if (mtu < 23 || mps < 23)
5412 return -EPROTO;
5413
5414 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5415 scid, mtu, mps);
5416
5417 /* Check if we have socket listening on psm */
5418 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5419 &conn->hcon->dst, LE_LINK);
5420 if (!pchan) {
5421 result = L2CAP_CR_BAD_PSM;
5422 chan = NULL;
5423 goto response;
5424 }
5425
5426 mutex_lock(&conn->chan_lock);
5427 l2cap_chan_lock(pchan);
5428
5429 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5430 result = L2CAP_CR_AUTHENTICATION;
5431 chan = NULL;
5432 goto response_unlock;
5433 }
5434
5435 /* Check if we already have channel with that dcid */
5436 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5437 result = L2CAP_CR_NO_MEM;
5438 chan = NULL;
5439 goto response_unlock;
5440 }
5441
5442 chan = pchan->ops->new_connection(pchan);
5443 if (!chan) {
5444 result = L2CAP_CR_NO_MEM;
5445 goto response_unlock;
5446 }
5447
0ce43ce6
JH		 5448 l2cap_le_flowctl_init(chan);
5449
27e2d4c8
JH		 5450 bacpy(&chan->src, &conn->hcon->src);
5451 bacpy(&chan->dst, &conn->hcon->dst);
5452 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5453 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5454 chan->psm = psm;
5455 chan->dcid = scid;
5456 chan->omtu = mtu;
5457 chan->remote_mps = mps;
0cd75f7e 5458 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5459
5460 __l2cap_chan_add(conn, chan);
5461 dcid = chan->scid;
0cd75f7e 5462 credits = chan->rx_credits;
27e2d4c8
JH		 5463
5464 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5465
5466 chan->ident = cmd->ident;
5467
5468 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5469 l2cap_state_change(chan, BT_CONNECT2);
5470 result = L2CAP_CR_PEND;
5471 chan->ops->defer(chan);
5472 } else {
5473 l2cap_chan_ready(chan);
5474 result = L2CAP_CR_SUCCESS;
5475 }
5476
5477response_unlock:
5478 l2cap_chan_unlock(pchan);
5479 mutex_unlock(&conn->chan_lock);
5480
5481 if (result == L2CAP_CR_PEND)
5482 return 0;
5483
5484response:
5485 if (chan) {
5486 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5487 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5488 } else {
5489 rsp.mtu = 0;
5490 rsp.mps = 0;
5491 }
5492
5493 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5494 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5495 rsp.result = cpu_to_le16(result);
5496
5497 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5498
5499 return 0;
5500}
5501
fad5fc89
JH		 5502static inline int l2cap_le_credits(struct l2cap_conn *conn,
5503 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5504 u8 *data)
5505{
5506 struct l2cap_le_credits *pkt;
5507 struct l2cap_chan *chan;
5508 u16 cid, credits;
5509
5510 if (cmd_len != sizeof(*pkt))
5511 return -EPROTO;
5512
5513 pkt = (struct l2cap_le_credits *) data;
5514 cid = __le16_to_cpu(pkt->cid);
5515 credits = __le16_to_cpu(pkt->credits);
5516
5517 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5518
5519 chan = l2cap_get_chan_by_dcid(conn, cid);
5520 if (!chan)
5521 return -EBADSLT;
5522
5523 chan->tx_credits += credits;
5524
5525 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5526 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5527 chan->tx_credits--;
5528 }
5529
5530 if (chan->tx_credits)
5531 chan->ops->resume(chan);
5532
5533 l2cap_chan_unlock(chan);
5534
5535 return 0;
5536}
5537
71fb4197
JH		 5538static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5539 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5540 u8 *data)
5541{
5542 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5543 struct l2cap_chan *chan;
5544
5545 if (cmd_len < sizeof(*rej))
5546 return -EPROTO;
5547
5548 mutex_lock(&conn->chan_lock);
5549
5550 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5551 if (!chan)
5552 goto done;
5553
5554 l2cap_chan_lock(chan);
5555 l2cap_chan_del(chan, ECONNREFUSED);
5556 l2cap_chan_unlock(chan);
5557
5558done:
5559 mutex_unlock(&conn->chan_lock);
5560 return 0;
5561}
5562
3300d9a9 5563static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5564 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5565 u8 *data)
3300d9a9 5566{
b5ecba64
JH		 5567 int err = 0;
5568
3af8ace6
JH		 5569 if (!enable_lecoc) {
5570 switch (cmd->code) {
5571 case L2CAP_LE_CONN_REQ:
5572 case L2CAP_LE_CONN_RSP:
5573 case L2CAP_LE_CREDITS:
5574 case L2CAP_DISCONN_REQ:
5575 case L2CAP_DISCONN_RSP:
5576 return -EINVAL;
5577 }
5578 }
5579
3300d9a9
CT		 5580 switch (cmd->code) {
5581 case L2CAP_COMMAND_REJ:
71fb4197 5582 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5583 break;
3300d9a9
CT		 5584
5585 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5586 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5587 break;
3300d9a9
CT		 5588
5589 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5590 break;
3300d9a9 5591
f1496dee
JH		 5592 case L2CAP_LE_CONN_RSP:
5593 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5594 break;
f1496dee 5595
27e2d4c8 5596 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5597 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5598 break;
27e2d4c8 5599
fad5fc89
JH		 5600 case L2CAP_LE_CREDITS:
5601 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5602 break;
5603
3defe01a 5604 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5605 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5606 break;
3defe01a
JH		 5607
5608 case L2CAP_DISCONN_RSP:
5609 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5610 break;
3defe01a 5611
3300d9a9
CT		 5612 default:
5613 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5614 err = -EINVAL;
5615 break;
3300d9a9 5616 }
b5ecba64
JH		 5617
5618 return err;
3300d9a9
CT		 5619}
5620
c5623556
JH		 5621static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5622 struct sk_buff *skb)
5623{
69c4e4e8 5624 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5625 struct l2cap_cmd_hdr *cmd;
5626 u16 len;
c5623556
JH		 5627 int err;
5628
69c4e4e8 5629 if (hcon->type != LE_LINK)
3b166295 5630 goto drop;
69c4e4e8 5631
4f3e219d
MH		 5632 if (skb->len < L2CAP_CMD_HDR_SIZE)
5633 goto drop;
c5623556 5634
4f3e219d
MH		 5635 cmd = (void *) skb->data;
5636 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5637
4f3e219d 5638 len = le16_to_cpu(cmd->len);
c5623556 5639
4f3e219d 5640 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5641
4f3e219d
MH		 5642 if (len != skb->len || !cmd->ident) {
5643 BT_DBG("corrupted command");
5644 goto drop;
5645 }
c5623556 5646
203e639e 5647 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5648 if (err) {
5649 struct l2cap_cmd_rej_unk rej;
c5623556 5650
4f3e219d 5651 BT_ERR("Wrong link type (%d)", err);
c5623556 5652
a521149a 5653 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5654 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5655 sizeof(rej), &rej);
c5623556
JH		 5656 }
5657
3b166295 5658drop:
c5623556
JH		 5659 kfree_skb(skb);
5660}
5661
3300d9a9 5662static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5663 struct sk_buff *skb)
1da177e4 5664{
69c4e4e8 5665 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5666 u8 *data = skb->data;
5667 int len = skb->len;
5668 struct l2cap_cmd_hdr cmd;
3300d9a9 5669 int err;
1da177e4
LT		 5670
5671 l2cap_raw_recv(conn, skb);
5672
69c4e4e8 5673 if (hcon->type != ACL_LINK)
3b166295 5674 goto drop;
69c4e4e8 5675
1da177e4 5676 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5677 u16 cmd_len;
1da177e4
LT		 5678 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5679 data += L2CAP_CMD_HDR_SIZE;
5680 len -= L2CAP_CMD_HDR_SIZE;
5681
88219a0f 5682 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5683
2d792818
GP		 5684 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5685 cmd.ident);
1da177e4 5686
88219a0f 5687 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5688 BT_DBG("corrupted command");
5689 break;
5690 }
5691
c5623556 5692 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5693 if (err) {
e2fd318e 5694 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5695
5696 BT_ERR("Wrong link type (%d)", err);
1da177e4 5697
a521149a 5698 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5699 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5700 sizeof(rej), &rej);
1da177e4
LT		 5701 }
5702
88219a0f
AV		 5703 data += cmd_len;
5704 len -= cmd_len;
1da177e4
LT		 5705 }
5706
3b166295 5707drop:
1da177e4
LT		 5708 kfree_skb(skb);
5709}
5710
47d1ec61 5711static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5712{
5713 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5714 int hdr_size;
5715
5716 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5717 hdr_size = L2CAP_EXT_HDR_SIZE;
5718 else
5719 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5720
47d1ec61 5721 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5722 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5723 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5724 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5725
5726 if (our_fcs != rcv_fcs)
7a560e5c 5727 return -EBADMSG;
fcc203c3
GP		 5728 }
5729 return 0;
5730}
5731
6ea00485 5732static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5733{
e31f7633 5734 struct l2cap_ctrl control;
d5392c8f 5735
e31f7633 5736 BT_DBG("chan %p", chan);
d5392c8f 5737
e31f7633
MM		 5738 memset(&control, 0, sizeof(control));
5739 control.sframe = 1;
5740 control.final = 1;
5741 control.reqseq = chan->buffer_seq;
5742 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5743
e2ab4353 5744 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5745 control.super = L2CAP_SUPER_RNR;
5746 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5747 }
5748
e31f7633
MM		 5749 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5750 chan->unacked_frames > 0)
5751 __set_retrans_timer(chan);
d5392c8f 5752
e31f7633 5753 /* Send pending iframes */
525cd185 5754 l2cap_ertm_send(chan);
d5392c8f 5755
e2ab4353 5756 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5757 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5758 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5759 * send it now.
5760 */
5761 control.super = L2CAP_SUPER_RR;
5762 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5763 }
5764}
5765
2d792818
GP		 5766static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5767 struct sk_buff **last_frag)
18778a63 5768{
84084a31
MM		 5769 /* skb->len reflects data in skb as well as all fragments
5770 * skb->data_len reflects only data in fragments
5771 */
5772 if (!skb_has_frag_list(skb))
5773 skb_shinfo(skb)->frag_list = new_frag;
5774
5775 new_frag->next = NULL;
5776
5777 (*last_frag)->next = new_frag;
5778 *last_frag = new_frag;
5779
5780 skb->len += new_frag->len;
5781 skb->data_len += new_frag->len;
5782 skb->truesize += new_frag->truesize;
5783}
5784
4b51dae9
MM		 5785static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5786 struct l2cap_ctrl *control)
84084a31
MM		 5787{
5788 int err = -EINVAL;
18778a63 5789
4b51dae9 5790 switch (control->sar) {
7e0ef6ee 5791 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5792 if (chan->sdu)
5793 break;
18778a63 5794
80b98027 5795 err = chan->ops->recv(chan, skb);
84084a31 5796 break;
18778a63 5797
7e0ef6ee 5798 case L2CAP_SAR_START:
84084a31
MM		 5799 if (chan->sdu)
5800 break;
18778a63 5801
6f61fd47 5802 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5803 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5804
84084a31
MM		 5805 if (chan->sdu_len > chan->imtu) {
5806 err = -EMSGSIZE;
5807 break;
5808 }
1890d36b 5809
84084a31
MM		 5810 if (skb->len >= chan->sdu_len)
5811 break;
18778a63 5812
84084a31
MM		 5813 chan->sdu = skb;
5814 chan->sdu_last_frag = skb;
18778a63 5815
84084a31
MM		 5816 skb = NULL;
5817 err = 0;
18778a63
GP		 5818 break;
5819
7e0ef6ee 5820 case L2CAP_SAR_CONTINUE:
6f61fd47 5821 if (!chan->sdu)
84084a31 5822 break;
18778a63 5823
84084a31
MM		 5824 append_skb_frag(chan->sdu, skb,
5825 &chan->sdu_last_frag);
5826 skb = NULL;
18778a63 5827
84084a31
MM		 5828 if (chan->sdu->len >= chan->sdu_len)
5829 break;
4178ba46 5830
84084a31 5831 err = 0;
18778a63
GP		 5832 break;
5833
7e0ef6ee 5834 case L2CAP_SAR_END:
6f61fd47 5835 if (!chan->sdu)
84084a31 5836 break;
18778a63 5837
84084a31
MM		 5838 append_skb_frag(chan->sdu, skb,
5839 &chan->sdu_last_frag);
5840 skb = NULL;
4178ba46 5841
84084a31
MM		 5842 if (chan->sdu->len != chan->sdu_len)
5843 break;
18778a63 5844
80b98027 5845 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5846
84084a31
MM		 5847 if (!err) {
5848 /* Reassembly complete */
5849 chan->sdu = NULL;
5850 chan->sdu_last_frag = NULL;
5851 chan->sdu_len = 0;
1890d36b 5852 }
18778a63
GP		 5853 break;
5854 }
5855
84084a31
MM		 5856 if (err) {
5857 kfree_skb(skb);
5858 kfree_skb(chan->sdu);
5859 chan->sdu = NULL;
5860 chan->sdu_last_frag = NULL;
5861 chan->sdu_len = 0;
5862 }
18778a63 5863
84084a31 5864 return err;
18778a63
GP		 5865}
5866
32b32735
MM		 5867static int l2cap_resegment(struct l2cap_chan *chan)
5868{
5869 /* Placeholder */
5870 return 0;
5871}
5872
61aa4f5b 5873void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5874{
61aa4f5b 5875 u8 event;
712132eb 5876
61aa4f5b
MM		 5877 if (chan->mode != L2CAP_MODE_ERTM)
5878 return;
712132eb 5879
61aa4f5b 5880 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5881 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5882}
5883
d2a7ac5d
MM		 5884static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5885{
63838725
MM		 5886 int err = 0;
5887 /* Pass sequential frames to l2cap_reassemble_sdu()
5888 * until a gap is encountered.
5889 */
5890
5891 BT_DBG("chan %p", chan);
5892
5893 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5894 struct sk_buff *skb;
5895 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5896 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5897
5898 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5899
5900 if (!skb)
5901 break;
5902
5903 skb_unlink(skb, &chan->srej_q);
5904 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5905 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5906 if (err)
5907 break;
5908 }
5909
5910 if (skb_queue_empty(&chan->srej_q)) {
5911 chan->rx_state = L2CAP_RX_STATE_RECV;
5912 l2cap_send_ack(chan);
5913 }
5914
5915 return err;
d2a7ac5d
MM		 5916}
5917
5918static void l2cap_handle_srej(struct l2cap_chan *chan,
5919 struct l2cap_ctrl *control)
5920{
f80842a8
MM		 5921 struct sk_buff *skb;
5922
5923 BT_DBG("chan %p, control %p", chan, control);
5924
5925 if (control->reqseq == chan->next_tx_seq) {
5926 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5927 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5928 return;
5929 }
5930
5931 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5932
5933 if (skb == NULL) {
5934 BT_DBG("Seq %d not available for retransmission",
5935 control->reqseq);
5936 return;
5937 }
5938
5939 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5940 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5941 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5942 return;
5943 }
5944
5945 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5946
5947 if (control->poll) {
5948 l2cap_pass_to_tx(chan, control);
5949
5950 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5951 l2cap_retransmit(chan, control);
5952 l2cap_ertm_send(chan);
5953
5954 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5955 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5956 chan->srej_save_reqseq = control->reqseq;
5957 }
5958 } else {
5959 l2cap_pass_to_tx_fbit(chan, control);
5960
5961 if (control->final) {
5962 if (chan->srej_save_reqseq != control->reqseq ||
5963 !test_and_clear_bit(CONN_SREJ_ACT,
5964 &chan->conn_state))
5965 l2cap_retransmit(chan, control);
5966 } else {
5967 l2cap_retransmit(chan, control);
5968 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5969 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5970 chan->srej_save_reqseq = control->reqseq;
5971 }
5972 }
5973 }
d2a7ac5d
MM		 5974}
5975
5976static void l2cap_handle_rej(struct l2cap_chan *chan,
5977 struct l2cap_ctrl *control)
5978{
fcd289df
MM		 5979 struct sk_buff *skb;
5980
5981 BT_DBG("chan %p, control %p", chan, control);
5982
5983 if (control->reqseq == chan->next_tx_seq) {
5984 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5985 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5986 return;
5987 }
5988
5989 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5990
5991 if (chan->max_tx && skb &&
5992 bt_cb(skb)->control.retries >= chan->max_tx) {
5993 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5994 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5995 return;
5996 }
5997
5998 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5999
6000 l2cap_pass_to_tx(chan, control);
6001
6002 if (control->final) {
6003 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6004 l2cap_retransmit_all(chan, control);
6005 } else {
6006 l2cap_retransmit_all(chan, control);
6007 l2cap_ertm_send(chan);
6008 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6009 set_bit(CONN_REJ_ACT, &chan->conn_state);
6010 }
d2a7ac5d
MM		 6011}
6012
4b51dae9
MM		 6013static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6014{
6015 BT_DBG("chan %p, txseq %d", chan, txseq);
6016
6017 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6018 chan->expected_tx_seq);
6019
6020 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6021 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6022 chan->tx_win) {
4b51dae9
MM		 6023 /* See notes below regarding "double poll" and
6024 * invalid packets.
6025 */
6026 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6027 BT_DBG("Invalid/Ignore - after SREJ");
6028 return L2CAP_TXSEQ_INVALID_IGNORE;
6029 } else {
6030 BT_DBG("Invalid - in window after SREJ sent");
6031 return L2CAP_TXSEQ_INVALID;
6032 }
6033 }
6034
6035 if (chan->srej_list.head == txseq) {
6036 BT_DBG("Expected SREJ");
6037 return L2CAP_TXSEQ_EXPECTED_SREJ;
6038 }
6039
6040 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6041 BT_DBG("Duplicate SREJ - txseq already stored");
6042 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6043 }
6044
6045 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6046 BT_DBG("Unexpected SREJ - not requested");
6047 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6048 }
6049 }
6050
6051 if (chan->expected_tx_seq == txseq) {
6052 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6053 chan->tx_win) {
6054 BT_DBG("Invalid - txseq outside tx window");
6055 return L2CAP_TXSEQ_INVALID;
6056 } else {
6057 BT_DBG("Expected");
6058 return L2CAP_TXSEQ_EXPECTED;
6059 }
6060 }
6061
6062 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6063 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6064 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6065 return L2CAP_TXSEQ_DUPLICATE;
6066 }
6067
6068 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6069 /* A source of invalid packets is a "double poll" condition,
6070 * where delays cause us to send multiple poll packets. If
6071 * the remote stack receives and processes both polls,
6072 * sequence numbers can wrap around in such a way that a
6073 * resent frame has a sequence number that looks like new data
6074 * with a sequence gap. This would trigger an erroneous SREJ
6075 * request.
6076 *
6077 * Fortunately, this is impossible with a tx window that's
6078 * less than half of the maximum sequence number, which allows
6079 * invalid frames to be safely ignored.
6080 *
6081 * With tx window sizes greater than half of the tx window
6082 * maximum, the frame is invalid and cannot be ignored. This
6083 * causes a disconnect.
6084 */
6085
6086 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6087 BT_DBG("Invalid/Ignore - txseq outside tx window");
6088 return L2CAP_TXSEQ_INVALID_IGNORE;
6089 } else {
6090 BT_DBG("Invalid - txseq outside tx window");
6091 return L2CAP_TXSEQ_INVALID;
6092 }
6093 } else {
6094 BT_DBG("Unexpected - txseq indicates missing frames");
6095 return L2CAP_TXSEQ_UNEXPECTED;
6096 }
6097}
6098
d2a7ac5d
MM		 6099static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6100 struct l2cap_ctrl *control,
6101 struct sk_buff *skb, u8 event)
6102{
6103 int err = 0;
941247f9 6104 bool skb_in_use = false;
d2a7ac5d
MM		 6105
6106 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6107 event);
6108
6109 switch (event) {
6110 case L2CAP_EV_RECV_IFRAME:
6111 switch (l2cap_classify_txseq(chan, control->txseq)) {
6112 case L2CAP_TXSEQ_EXPECTED:
6113 l2cap_pass_to_tx(chan, control);
6114
6115 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6116 BT_DBG("Busy, discarding expected seq %d",
6117 control->txseq);
6118 break;
6119 }
6120
6121 chan->expected_tx_seq = __next_seq(chan,
6122 control->txseq);
6123
6124 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6125 skb_in_use = true;
d2a7ac5d
MM		 6126
6127 err = l2cap_reassemble_sdu(chan, skb, control);
6128 if (err)
6129 break;
6130
6131 if (control->final) {
6132 if (!test_and_clear_bit(CONN_REJ_ACT,
6133 &chan->conn_state)) {
6134 control->final = 0;
6135 l2cap_retransmit_all(chan, control);
6136 l2cap_ertm_send(chan);
6137 }
6138 }
6139
6140 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6141 l2cap_send_ack(chan);
6142 break;
6143 case L2CAP_TXSEQ_UNEXPECTED:
6144 l2cap_pass_to_tx(chan, control);
6145
6146 /* Can't issue SREJ frames in the local busy state.
6147 * Drop this frame, it will be seen as missing
6148 * when local busy is exited.
6149 */
6150 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6151 BT_DBG("Busy, discarding unexpected seq %d",
6152 control->txseq);
6153 break;
6154 }
6155
6156 /* There was a gap in the sequence, so an SREJ
6157 * must be sent for each missing frame. The
6158 * current frame is stored for later use.
6159 */
6160 skb_queue_tail(&chan->srej_q, skb);
941247f9 6161 skb_in_use = true;
d2a7ac5d
MM		 6162 BT_DBG("Queued %p (queue len %d)", skb,
6163 skb_queue_len(&chan->srej_q));
6164
6165 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6166 l2cap_seq_list_clear(&chan->srej_list);
6167 l2cap_send_srej(chan, control->txseq);
6168
6169 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6170 break;
6171 case L2CAP_TXSEQ_DUPLICATE:
6172 l2cap_pass_to_tx(chan, control);
6173 break;
6174 case L2CAP_TXSEQ_INVALID_IGNORE:
6175 break;
6176 case L2CAP_TXSEQ_INVALID:
6177 default:
5e4e3972 6178 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6179 break;
6180 }
6181 break;
6182 case L2CAP_EV_RECV_RR:
6183 l2cap_pass_to_tx(chan, control);
6184 if (control->final) {
6185 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6186
e6a3ee6e
MM		 6187 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6188 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6189 control->final = 0;
6190 l2cap_retransmit_all(chan, control);
6191 }
6192
6193 l2cap_ertm_send(chan);
6194 } else if (control->poll) {
6195 l2cap_send_i_or_rr_or_rnr(chan);
6196 } else {
6197 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6198 &chan->conn_state) &&
6199 chan->unacked_frames)
6200 __set_retrans_timer(chan);
6201
6202 l2cap_ertm_send(chan);
6203 }
6204 break;
6205 case L2CAP_EV_RECV_RNR:
6206 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6207 l2cap_pass_to_tx(chan, control);
6208 if (control && control->poll) {
6209 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6210 l2cap_send_rr_or_rnr(chan, 0);
6211 }
6212 __clear_retrans_timer(chan);
6213 l2cap_seq_list_clear(&chan->retrans_list);
6214 break;
6215 case L2CAP_EV_RECV_REJ:
6216 l2cap_handle_rej(chan, control);
6217 break;
6218 case L2CAP_EV_RECV_SREJ:
6219 l2cap_handle_srej(chan, control);
6220 break;
6221 default:
6222 break;
6223 }
6224
6225 if (skb && !skb_in_use) {
6226 BT_DBG("Freeing %p", skb);
6227 kfree_skb(skb);
6228 }
6229
6230 return err;
6231}
6232
6233static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6234 struct l2cap_ctrl *control,
6235 struct sk_buff *skb, u8 event)
6236{
6237 int err = 0;
6238 u16 txseq = control->txseq;
941247f9 6239 bool skb_in_use = false;
d2a7ac5d
MM		 6240
6241 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6242 event);
6243
6244 switch (event) {
6245 case L2CAP_EV_RECV_IFRAME:
6246 switch (l2cap_classify_txseq(chan, txseq)) {
6247 case L2CAP_TXSEQ_EXPECTED:
6248 /* Keep frame for reassembly later */
6249 l2cap_pass_to_tx(chan, control);
6250 skb_queue_tail(&chan->srej_q, skb);
941247f9 6251 skb_in_use = true;
d2a7ac5d
MM		 6252 BT_DBG("Queued %p (queue len %d)", skb,
6253 skb_queue_len(&chan->srej_q));
6254
6255 chan->expected_tx_seq = __next_seq(chan, txseq);
6256 break;
6257 case L2CAP_TXSEQ_EXPECTED_SREJ:
6258 l2cap_seq_list_pop(&chan->srej_list);
6259
6260 l2cap_pass_to_tx(chan, control);
6261 skb_queue_tail(&chan->srej_q, skb);
941247f9 6262 skb_in_use = true;
d2a7ac5d
MM		 6263 BT_DBG("Queued %p (queue len %d)", skb,
6264 skb_queue_len(&chan->srej_q));
6265
6266 err = l2cap_rx_queued_iframes(chan);
6267 if (err)
6268 break;
6269
6270 break;
6271 case L2CAP_TXSEQ_UNEXPECTED:
6272 /* Got a frame that can't be reassembled yet.
6273 * Save it for later, and send SREJs to cover
6274 * the missing frames.
6275 */
6276 skb_queue_tail(&chan->srej_q, skb);
941247f9 6277 skb_in_use = true;
d2a7ac5d
MM		 6278 BT_DBG("Queued %p (queue len %d)", skb,
6279 skb_queue_len(&chan->srej_q));
6280
6281 l2cap_pass_to_tx(chan, control);
6282 l2cap_send_srej(chan, control->txseq);
6283 break;
6284 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6285 /* This frame was requested with an SREJ, but
6286 * some expected retransmitted frames are
6287 * missing. Request retransmission of missing
6288 * SREJ'd frames.
6289 */
6290 skb_queue_tail(&chan->srej_q, skb);
941247f9 6291 skb_in_use = true;
d2a7ac5d
MM		 6292 BT_DBG("Queued %p (queue len %d)", skb,
6293 skb_queue_len(&chan->srej_q));
6294
6295 l2cap_pass_to_tx(chan, control);
6296 l2cap_send_srej_list(chan, control->txseq);
6297 break;
6298 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6299 /* We've already queued this frame. Drop this copy. */
6300 l2cap_pass_to_tx(chan, control);
6301 break;
6302 case L2CAP_TXSEQ_DUPLICATE:
6303 /* Expecting a later sequence number, so this frame
6304 * was already received. Ignore it completely.
6305 */
6306 break;
6307 case L2CAP_TXSEQ_INVALID_IGNORE:
6308 break;
6309 case L2CAP_TXSEQ_INVALID:
6310 default:
5e4e3972 6311 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6312 break;
6313 }
6314 break;
6315 case L2CAP_EV_RECV_RR:
6316 l2cap_pass_to_tx(chan, control);
6317 if (control->final) {
6318 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6319
6320 if (!test_and_clear_bit(CONN_REJ_ACT,
6321 &chan->conn_state)) {
6322 control->final = 0;
6323 l2cap_retransmit_all(chan, control);
6324 }
6325
6326 l2cap_ertm_send(chan);
6327 } else if (control->poll) {
6328 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6329 &chan->conn_state) &&
6330 chan->unacked_frames) {
6331 __set_retrans_timer(chan);
6332 }
6333
6334 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6335 l2cap_send_srej_tail(chan);
6336 } else {
6337 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6338 &chan->conn_state) &&
6339 chan->unacked_frames)
6340 __set_retrans_timer(chan);
6341
6342 l2cap_send_ack(chan);
6343 }
6344 break;
6345 case L2CAP_EV_RECV_RNR:
6346 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6347 l2cap_pass_to_tx(chan, control);
6348 if (control->poll) {
6349 l2cap_send_srej_tail(chan);
6350 } else {
6351 struct l2cap_ctrl rr_control;
6352 memset(&rr_control, 0, sizeof(rr_control));
6353 rr_control.sframe = 1;
6354 rr_control.super = L2CAP_SUPER_RR;
6355 rr_control.reqseq = chan->buffer_seq;
6356 l2cap_send_sframe(chan, &rr_control);
6357 }
6358
6359 break;
6360 case L2CAP_EV_RECV_REJ:
6361 l2cap_handle_rej(chan, control);
6362 break;
6363 case L2CAP_EV_RECV_SREJ:
6364 l2cap_handle_srej(chan, control);
6365 break;
6366 }
6367
6368 if (skb && !skb_in_use) {
6369 BT_DBG("Freeing %p", skb);
6370 kfree_skb(skb);
6371 }
6372
6373 return err;
6374}
6375
32b32735
MM		 6376static int l2cap_finish_move(struct l2cap_chan *chan)
6377{
6378 BT_DBG("chan %p", chan);
6379
6380 chan->rx_state = L2CAP_RX_STATE_RECV;
6381
6382 if (chan->hs_hcon)
6383 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6384 else
6385 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6386
6387 return l2cap_resegment(chan);
6388}
6389
6390static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6391 struct l2cap_ctrl *control,
6392 struct sk_buff *skb, u8 event)
6393{
6394 int err;
6395
6396 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6397 event);
6398
6399 if (!control->poll)
6400 return -EPROTO;
6401
6402 l2cap_process_reqseq(chan, control->reqseq);
6403
6404 if (!skb_queue_empty(&chan->tx_q))
6405 chan->tx_send_head = skb_peek(&chan->tx_q);
6406 else
6407 chan->tx_send_head = NULL;
6408
6409 /* Rewind next_tx_seq to the point expected
6410 * by the receiver.
6411 */
6412 chan->next_tx_seq = control->reqseq;
6413 chan->unacked_frames = 0;
6414
6415 err = l2cap_finish_move(chan);
6416 if (err)
6417 return err;
6418
6419 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6420 l2cap_send_i_or_rr_or_rnr(chan);
6421
6422 if (event == L2CAP_EV_RECV_IFRAME)
6423 return -EPROTO;
6424
6425 return l2cap_rx_state_recv(chan, control, NULL, event);
6426}
6427
6428static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6429 struct l2cap_ctrl *control,
6430 struct sk_buff *skb, u8 event)
6431{
6432 int err;
6433
6434 if (!control->final)
6435 return -EPROTO;
6436
6437 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6438
6439 chan->rx_state = L2CAP_RX_STATE_RECV;
6440 l2cap_process_reqseq(chan, control->reqseq);
6441
6442 if (!skb_queue_empty(&chan->tx_q))
6443 chan->tx_send_head = skb_peek(&chan->tx_q);
6444 else
6445 chan->tx_send_head = NULL;
6446
6447 /* Rewind next_tx_seq to the point expected
6448 * by the receiver.
6449 */
6450 chan->next_tx_seq = control->reqseq;
6451 chan->unacked_frames = 0;
6452
6453 if (chan->hs_hcon)
6454 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6455 else
6456 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6457
6458 err = l2cap_resegment(chan);
6459
6460 if (!err)
6461 err = l2cap_rx_state_recv(chan, control, skb, event);
6462
6463 return err;
6464}
6465
d2a7ac5d
MM		 6466static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6467{
6468 /* Make sure reqseq is for a packet that has been sent but not acked */
6469 u16 unacked;
6470
6471 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6472 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6473}
6474
cec8ab6e
MM		 6475static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6476 struct sk_buff *skb, u8 event)
218bb9df 6477{
d2a7ac5d
MM		 6478 int err = 0;
6479
6480 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6481 control, skb, event, chan->rx_state);
6482
6483 if (__valid_reqseq(chan, control->reqseq)) {
6484 switch (chan->rx_state) {
6485 case L2CAP_RX_STATE_RECV:
6486 err = l2cap_rx_state_recv(chan, control, skb, event);
6487 break;
6488 case L2CAP_RX_STATE_SREJ_SENT:
6489 err = l2cap_rx_state_srej_sent(chan, control, skb,
6490 event);
6491 break;
32b32735
MM		 6492 case L2CAP_RX_STATE_WAIT_P:
6493 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6494 break;
6495 case L2CAP_RX_STATE_WAIT_F:
6496 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6497 break;
d2a7ac5d
MM		 6498 default:
6499 /* shut it down */
6500 break;
6501 }
6502 } else {
6503 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6504 control->reqseq, chan->next_tx_seq,
6505 chan->expected_ack_seq);
5e4e3972 6506 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6507 }
6508
6509 return err;
cec8ab6e
MM		 6510}
6511
6512static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6513 struct sk_buff *skb)
6514{
4b51dae9
MM		 6515 int err = 0;
6516
6517 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6518 chan->rx_state);
6519
6520 if (l2cap_classify_txseq(chan, control->txseq) ==
6521 L2CAP_TXSEQ_EXPECTED) {
6522 l2cap_pass_to_tx(chan, control);
6523
6524 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6525 __next_seq(chan, chan->buffer_seq));
6526
6527 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6528
6529 l2cap_reassemble_sdu(chan, skb, control);
6530 } else {
6531 if (chan->sdu) {
6532 kfree_skb(chan->sdu);
6533 chan->sdu = NULL;
6534 }
6535 chan->sdu_last_frag = NULL;
6536 chan->sdu_len = 0;
6537
6538 if (skb) {
6539 BT_DBG("Freeing %p", skb);
6540 kfree_skb(skb);
6541 }
6542 }
6543
6544 chan->last_acked_seq = control->txseq;
6545 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6546
6547 return err;
cec8ab6e
MM		 6548}
6549
6550static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6551{
6552 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6553 u16 len;
6554 u8 event;
218bb9df 6555
b76bbd66
MM		 6556 __unpack_control(chan, skb);
6557
218bb9df
GP		 6558 len = skb->len;
6559
6560 /*
6561 * We can just drop the corrupted I-frame here.
6562 * Receiver will miss it and start proper recovery
cec8ab6e 6563 * procedures and ask for retransmission.
218bb9df 6564 */
47d1ec61 6565 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6566 goto drop;
6567
cec8ab6e 6568 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6569 len -= L2CAP_SDULEN_SIZE;
218bb9df 6570
47d1ec61 6571 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6572 len -= L2CAP_FCS_SIZE;
218bb9df 6573
47d1ec61 6574 if (len > chan->mps) {
5e4e3972 6575 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6576 goto drop;
6577 }
6578
cec8ab6e
MM		 6579 if (!control->sframe) {
6580 int err;
218bb9df 6581
cec8ab6e
MM		 6582 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6583 control->sar, control->reqseq, control->final,
6584 control->txseq);
218bb9df 6585
cec8ab6e
MM		 6586 /* Validate F-bit - F=0 always valid, F=1 only
6587 * valid in TX WAIT_F
6588 */
6589 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6590 goto drop;
cec8ab6e
MM		 6591
6592 if (chan->mode != L2CAP_MODE_STREAMING) {
6593 event = L2CAP_EV_RECV_IFRAME;
6594 err = l2cap_rx(chan, control, skb, event);
6595 } else {
6596 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6597 }
6598
cec8ab6e 6599 if (err)
5e4e3972 6600 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6601 } else {
cec8ab6e
MM		 6602 const u8 rx_func_to_event[4] = {
6603 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6604 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6605 };
6606
6607 /* Only I-frames are expected in streaming mode */
6608 if (chan->mode == L2CAP_MODE_STREAMING)
6609 goto drop;
6610
6611 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6612 control->reqseq, control->final, control->poll,
6613 control->super);
6614
218bb9df 6615 if (len != 0) {
1bb166e6 6616 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6617 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6618 goto drop;
6619 }
6620
cec8ab6e
MM		 6621 /* Validate F and P bits */
6622 if (control->final && (control->poll ||
6623 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6624 goto drop;
6625
6626 event = rx_func_to_event[control->super];
6627 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6628 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6629 }
6630
6631 return 0;
6632
6633drop:
6634 kfree_skb(skb);
6635 return 0;
6636}
6637
b1c325c2
JH		 6638static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6639{
6640 struct l2cap_conn *conn = chan->conn;
6641 struct l2cap_le_credits pkt;
6642 u16 return_credits;
6643
6644 /* We return more credits to the sender only after the amount of
6645 * credits falls below half of the initial amount.
6646 */
f15b8ecf 6647 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6648 return;
6649
f15b8ecf 6650 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6651
6652 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6653
6654 chan->rx_credits += return_credits;
6655
6656 pkt.cid = cpu_to_le16(chan->scid);
6657 pkt.credits = cpu_to_le16(return_credits);
6658
6659 chan->ident = l2cap_get_ident(conn);
6660
6661 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6662}
6663
fad5fc89
JH		 6664static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6665{
aac23bf6
JH		 6666 int err;
6667
6668 if (!chan->rx_credits) {
6669 BT_ERR("No credits to receive LE L2CAP data");
fad5fc89 6670 return -ENOBUFS;
aac23bf6 6671 }
fad5fc89 6672
aac23bf6
JH		 6673 if (chan->imtu < skb->len) {
6674 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6675 return -ENOBUFS;
aac23bf6 6676 }
fad5fc89
JH		 6677
6678 chan->rx_credits--;
6679 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6680
6681 l2cap_chan_le_send_credits(chan);
6682
aac23bf6
JH		 6683 err = 0;
6684
6685 if (!chan->sdu) {
6686 u16 sdu_len;
6687
6688 sdu_len = get_unaligned_le16(skb->data);
6689 skb_pull(skb, L2CAP_SDULEN_SIZE);
6690
6691 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6692 sdu_len, skb->len, chan->imtu);
6693
6694 if (sdu_len > chan->imtu) {
6695 BT_ERR("Too big LE L2CAP SDU length received");
6696 err = -EMSGSIZE;
6697 goto failed;
6698 }
6699
6700 if (skb->len > sdu_len) {
6701 BT_ERR("Too much LE L2CAP data received");
6702 err = -EINVAL;
6703 goto failed;
6704 }
6705
6706 if (skb->len == sdu_len)
6707 return chan->ops->recv(chan, skb);
6708
6709 chan->sdu = skb;
6710 chan->sdu_len = sdu_len;
6711 chan->sdu_last_frag = skb;
6712
6713 return 0;
6714 }
6715
6716 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6717 chan->sdu->len, skb->len, chan->sdu_len);
6718
6719 if (chan->sdu->len + skb->len > chan->sdu_len) {
6720 BT_ERR("Too much LE L2CAP data received");
6721 err = -EINVAL;
6722 goto failed;
6723 }
6724
6725 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6726 skb = NULL;
6727
6728 if (chan->sdu->len == chan->sdu_len) {
6729 err = chan->ops->recv(chan, chan->sdu);
6730 if (!err) {
6731 chan->sdu = NULL;
6732 chan->sdu_last_frag = NULL;
6733 chan->sdu_len = 0;
6734 }
6735 }
6736
6737failed:
6738 if (err) {
6739 kfree_skb(skb);
6740 kfree_skb(chan->sdu);
6741 chan->sdu = NULL;
6742 chan->sdu_last_frag = NULL;
6743 chan->sdu_len = 0;
6744 }
6745
6746 /* We can't return an error here since we took care of the skb
6747 * freeing internally. An error return would cause the caller to
6748 * do a double-free of the skb.
6749 */
6750 return 0;
fad5fc89
JH		 6751}
6752
13ca56e0
AE		 6753static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6754 struct sk_buff *skb)
1da177e4 6755{
48454079 6756 struct l2cap_chan *chan;
1da177e4 6757
baa7e1fa 6758 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6759 if (!chan) {
97e8e89d
AE		 6760 if (cid == L2CAP_CID_A2MP) {
6761 chan = a2mp_channel_create(conn, skb);
6762 if (!chan) {
6763 kfree_skb(skb);
13ca56e0 6764 return;
97e8e89d
AE		 6765 }
6766
6767 l2cap_chan_lock(chan);
6768 } else {
6769 BT_DBG("unknown cid 0x%4.4x", cid);
6770 /* Drop packet and return */
6771 kfree_skb(skb);
13ca56e0 6772 return;
97e8e89d 6773 }
1da177e4
LT		 6774 }
6775
49208c9c 6776 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6777
89bc500e 6778 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6779 goto drop;
6780
0c1bc5c6 6781 switch (chan->mode) {
38319713 6782 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6783 if (l2cap_le_data_rcv(chan, skb) < 0)
6784 goto drop;
6785
6786 goto done;
6787
1c2acffb
GP		 6788 case L2CAP_MODE_BASIC:
6789 /* If socket recv buffers overflows we drop data here
6790 * which is *bad* because L2CAP has to be reliable.
6791 * But we don't have any other choice. L2CAP doesn't
6792 * provide flow control mechanism. */
1da177e4 6793
0c1bc5c6 6794 if (chan->imtu < skb->len)
1c2acffb 6795 goto drop;
1da177e4 6796
80b98027 6797 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6798 goto done;
6799 break;
6800
6801 case L2CAP_MODE_ERTM:
6840ed07 6802 case L2CAP_MODE_STREAMING:
cec8ab6e 6803 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6804 goto done;
6805
1c2acffb 6806 default:
0c1bc5c6 6807 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6808 break;
6809 }
1da177e4
LT		 6810
6811drop:
6812 kfree_skb(skb);
6813
6814done:
6be36555 6815 l2cap_chan_unlock(chan);
1da177e4
LT		 6816}
6817
84104b24
AE		 6818static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6819 struct sk_buff *skb)
1da177e4 6820{
ae4fd2d3 6821 struct hci_conn *hcon = conn->hcon;
23691d75 6822 struct l2cap_chan *chan;
1da177e4 6823
ae4fd2d3
MH		 6824 if (hcon->type != ACL_LINK)
6825 goto drop;
6826
bf20fd4e
JH		 6827 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6828 ACL_LINK);
23691d75 6829 if (!chan)
1da177e4
LT		 6830 goto drop;
6831
5b4cedaa 6832 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6833
89bc500e 6834 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6835 goto drop;
6836
e13e21dc 6837 if (chan->imtu < skb->len)
1da177e4
LT		 6838 goto drop;
6839
2edf870d 6840 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6841 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6842 bt_cb(skb)->psm = psm;
6843
80b98027 6844 if (!chan->ops->recv(chan, skb))
84104b24 6845 return;
1da177e4
LT		 6846
6847drop:
6848 kfree_skb(skb);
1da177e4
LT		 6849}
6850
72f78356 6851static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6852 struct sk_buff *skb)
9f69bda6 6853{
b99707d7 6854 struct hci_conn *hcon = conn->hcon;
23691d75 6855 struct l2cap_chan *chan;
9f69bda6 6856
b99707d7
MH		 6857 if (hcon->type != LE_LINK)
6858 goto drop;
6859
af1c0134 6860 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6861 &hcon->src, &hcon->dst);
23691d75 6862 if (!chan)
9f69bda6
GP		 6863 goto drop;
6864
5b4cedaa 6865 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6866
cc8dba2b
MH		 6867 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6868 goto drop;
6869
e13e21dc 6870 if (chan->imtu < skb->len)
9f69bda6
GP		 6871 goto drop;
6872
80b98027 6873 if (!chan->ops->recv(chan, skb))
6810fca7 6874 return;
9f69bda6
GP		 6875
6876drop:
6877 kfree_skb(skb);
9f69bda6
GP		 6878}
6879
1da177e4
LT		 6880static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6881{
6882 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6883 u16 cid, len;
6884 __le16 psm;
1da177e4
LT		 6885
6886 skb_pull(skb, L2CAP_HDR_SIZE);
6887 cid = __le16_to_cpu(lh->cid);
6888 len = __le16_to_cpu(lh->len);
6889
1c2acffb
GP		 6890 if (len != skb->len) {
6891 kfree_skb(skb);
6892 return;
6893 }
6894
1da177e4
LT		 6895 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6896
6897 switch (cid) {
8db4dc46 6898 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6899 l2cap_sig_channel(conn, skb);
6900 break;
6901
8db4dc46 6902 case L2CAP_CID_CONN_LESS:
097db76c 6903 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6904 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6905 l2cap_conless_channel(conn, psm, skb);
6906 break;
6907
073d1cf3 6908 case L2CAP_CID_ATT:
72f78356 6909 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6910 break;
6911
a2877629
MH		 6912 case L2CAP_CID_LE_SIGNALING:
6913 l2cap_le_sig_channel(conn, skb);
6914 break;
6915
b501d6a1
AB		 6916 case L2CAP_CID_SMP:
6917 if (smp_sig_channel(conn, skb))
6918 l2cap_conn_del(conn->hcon, EACCES);
6919 break;
6920
18722c24
JR		 6921 case L2CAP_FC_6LOWPAN:
6922 bt_6lowpan_recv(conn, skb);
6923 break;
6924
1da177e4
LT		 6925 default:
6926 l2cap_data_channel(conn, cid, skb);
6927 break;
6928 }
6929}
6930
162b49e7
JH		 6931static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6932{
6933 struct l2cap_conn *conn = hcon->l2cap_data;
6934 struct hci_chan *hchan;
6935
6936 if (conn)
6937 return conn;
6938
6939 hchan = hci_chan_create(hcon);
6940 if (!hchan)
6941 return NULL;
6942
6943 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6944 if (!conn) {
6945 hci_chan_del(hchan);
6946 return NULL;
6947 }
6948
6949 kref_init(&conn->ref);
6950 hcon->l2cap_data = conn;
6951 conn->hcon = hcon;
6952 hci_conn_get(conn->hcon);
6953 conn->hchan = hchan;
6954
6955 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6956
6957 switch (hcon->type) {
6958 case LE_LINK:
6959 if (hcon->hdev->le_mtu) {
6960 conn->mtu = hcon->hdev->le_mtu;
6961 break;
6962 }
6963 /* fall through */
6964 default:
6965 conn->mtu = hcon->hdev->acl_mtu;
6966 break;
6967 }
6968
6969 conn->feat_mask = 0;
6970
6971 if (hcon->type == ACL_LINK)
6972 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6973 &hcon->hdev->dev_flags);
6974
6975 spin_lock_init(&conn->lock);
6976 mutex_init(&conn->chan_lock);
6977
6978 INIT_LIST_HEAD(&conn->chan_l);
6979 INIT_LIST_HEAD(&conn->users);
6980
6981 if (hcon->type == LE_LINK)
6982 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
6983 else
6984 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6985
6986 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6987
6988 return conn;
6989}
6990
6991static bool is_valid_psm(u16 psm, u8 dst_type) {
6992 if (!psm)
6993 return false;
6994
6995 if (bdaddr_type_is_le(dst_type))
6996 return (psm <= 0x00ff);
6997
6998 /* PSM must be odd and lsb of upper byte must be 0 */
6999 return ((psm & 0x0101) == 0x0001);
7000}
7001
7002int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7003 bdaddr_t *dst, u8 dst_type)
7004{
7005 struct l2cap_conn *conn;
7006 struct hci_conn *hcon;
7007 struct hci_dev *hdev;
7008 __u8 auth_type;
7009 int err;
7010
7011 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7012 dst_type, __le16_to_cpu(psm));
7013
7014 hdev = hci_get_route(dst, &chan->src);
7015 if (!hdev)
7016 return -EHOSTUNREACH;
7017
7018 hci_dev_lock(hdev);
7019
7020 l2cap_chan_lock(chan);
7021
7022 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7023 chan->chan_type != L2CAP_CHAN_RAW) {
7024 err = -EINVAL;
7025 goto done;
7026 }
7027
7028 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
7029 err = -EINVAL;
7030 goto done;
7031 }
7032
7033 switch (chan->mode) {
7034 case L2CAP_MODE_BASIC:
7035 break;
7036 case L2CAP_MODE_LE_FLOWCTL:
7037 l2cap_le_flowctl_init(chan);
7038 break;
7039 case L2CAP_MODE_ERTM:
7040 case L2CAP_MODE_STREAMING:
7041 if (!disable_ertm)
7042 break;
7043 /* fall through */
7044 default:
7045 err = -ENOTSUPP;
7046 goto done;
7047 }
7048
7049 switch (chan->state) {
7050 case BT_CONNECT:
7051 case BT_CONNECT2:
7052 case BT_CONFIG:
7053 /* Already connecting */
7054 err = 0;
7055 goto done;
7056
7057 case BT_CONNECTED:
7058 /* Already connected */
7059 err = -EISCONN;
7060 goto done;
7061
7062 case BT_OPEN:
7063 case BT_BOUND:
7064 /* Can connect */
7065 break;
7066
7067 default:
7068 err = -EBADFD;
7069 goto done;
7070 }
7071
7072 /* Set destination address and psm */
7073 bacpy(&chan->dst, dst);
7074 chan->dst_type = dst_type;
7075
7076 chan->psm = psm;
7077 chan->dcid = cid;
7078
7079 auth_type = l2cap_get_auth_type(chan);
7080
7081 if (bdaddr_type_is_le(dst_type))
7082 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
7083 chan->sec_level, auth_type);
7084 else
7085 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
7086 chan->sec_level, auth_type);
7087
7088 if (IS_ERR(hcon)) {
7089 err = PTR_ERR(hcon);
7090 goto done;
7091 }
7092
7093 conn = l2cap_conn_add(hcon);
7094 if (!conn) {
7095 hci_conn_drop(hcon);
7096 err = -ENOMEM;
7097 goto done;
7098 }
7099
7100 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7101 hci_conn_drop(hcon);
7102 err = -EBUSY;
7103 goto done;
7104 }
7105
7106 /* Update source addr of the socket */
7107 bacpy(&chan->src, &hcon->src);
7108 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7109
7110 l2cap_chan_unlock(chan);
7111 l2cap_chan_add(conn, chan);
7112 l2cap_chan_lock(chan);
7113
7114 /* l2cap_chan_add takes its own ref so we can drop this one */
7115 hci_conn_drop(hcon);
7116
7117 l2cap_state_change(chan, BT_CONNECT);
7118 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7119
7120 if (hcon->state == BT_CONNECTED) {
7121 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7122 __clear_chan_timer(chan);
7123 if (l2cap_chan_check_security(chan))
7124 l2cap_state_change(chan, BT_CONNECTED);
7125 } else
7126 l2cap_do_start(chan);
7127 }
7128
7129 err = 0;
7130
7131done:
7132 l2cap_chan_unlock(chan);
7133 hci_dev_unlock(hdev);
7134 hci_dev_put(hdev);
7135 return err;
7136}
7137
1da177e4
LT		 7138/* ---- L2CAP interface with lower layer (HCI) ---- */
7139
686ebf28 7140int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7141{
7142 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7143 struct l2cap_chan *c;
1da177e4 7144
6ed93dc6 7145 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7146
7147 /* Find listening sockets and check their link_mode */
23691d75
GP		 7148 read_lock(&chan_list_lock);
7149 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7150 if (c->state != BT_LISTEN)
1da177e4
LT		 7151 continue;
7152
7eafc59e 7153 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7154 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7155 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7156 lm1 |= HCI_LM_MASTER;
1da177e4 7157 exact++;
7eafc59e 7158 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7159 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7160 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7161 lm2 |= HCI_LM_MASTER;
7162 }
1da177e4 7163 }
23691d75 7164 read_unlock(&chan_list_lock);
1da177e4
LT		 7165
7166 return exact ? lm1 : lm2;
7167}
7168
9e664631 7169void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7170{
0139418c
MH		 7171 struct l2cap_conn *conn;
7172
6ed93dc6 7173 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7174
1da177e4 7175 if (!status) {
baf43251 7176 conn = l2cap_conn_add(hcon);
1da177e4
LT		 7177 if (conn)
7178 l2cap_conn_ready(conn);
ba6fc317 7179 } else {
e175072f 7180 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 7181 }
1da177e4
LT		 7182}
7183
686ebf28 7184int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7185{
7186 struct l2cap_conn *conn = hcon->l2cap_data;
7187
7188 BT_DBG("hcon %p", hcon);
7189
686ebf28 7190 if (!conn)
9f5a0d7b 7191 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7192 return conn->disc_reason;
7193}
7194
9e664631 7195void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7196{
7197 BT_DBG("hcon %p reason %d", hcon, reason);
7198
18722c24
JR		 7199 bt_6lowpan_del_conn(hcon->l2cap_data);
7200
e175072f 7201 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7202}
7203
4343478f 7204static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7205{
715ec005 7206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7207 return;
7208
f62e4323 7209 if (encrypt == 0x00) {
4343478f 7210 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7211 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7212 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7213 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7214 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7215 } else {
4343478f 7216 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7217 __clear_chan_timer(chan);
f62e4323
MH		 7218 }
7219}
7220
686ebf28 7221int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7222{
0139418c 7223 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7224 struct l2cap_chan *chan;
1da177e4 7225
0139418c 7226 if (!conn)
1da177e4 7227 return 0;
0139418c 7228
89d8b407 7229 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7230
160dc6ac 7231 if (hcon->type == LE_LINK) {
35d4adcc
HG		 7232 if (!status && encrypt)
7233 smp_distribute_keys(conn, 0);
17cd3f37 7234 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7235 }
7236
3df91ea2 7237 mutex_lock(&conn->chan_lock);
1da177e4 7238
3df91ea2 7239 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7240 l2cap_chan_lock(chan);
1da177e4 7241
89d8b407
AE		 7242 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7243 state_to_string(chan->state));
f1cb9af5 7244
78eb2f98
AE		 7245 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
7246 l2cap_chan_unlock(chan);
7247 continue;
7248 }
7249
073d1cf3 7250 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 7251 if (!status && encrypt) {
7252 chan->sec_level = hcon->sec_level;
cf4cd009 7253 l2cap_chan_ready(chan);
f1cb9af5
VCG		 7254 }
7255
6be36555 7256 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 7257 continue;
7258 }
7259
96eff46e 7260 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7261 l2cap_chan_unlock(chan);
6a8d3010
MH		 7262 continue;
7263 }
7264
89bc500e 7265 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7266 chan->state == BT_CONFIG)) {
d97c899b 7267 chan->ops->resume(chan);
4343478f 7268 l2cap_check_encryption(chan, encrypt);
6be36555 7269 l2cap_chan_unlock(chan);
9719f8af
MH		 7270 continue;
7271 }
7272
89bc500e 7273 if (chan->state == BT_CONNECT) {
6d3c15da 7274 if (!status)
93c3e8f5 7275 l2cap_start_connection(chan);
6d3c15da 7276 else
ba13ccd9 7277 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7278 } else if (chan->state == BT_CONNECT2) {
b1235d79 7279 struct l2cap_conn_rsp rsp;
df3c3931 7280 __u16 res, stat;
1da177e4 7281
b1235d79 7282 if (!status) {
bdc25783 7283 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7284 res = L2CAP_CR_PEND;
7285 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7286 chan->ops->defer(chan);
df3c3931 7287 } else {
acdcabf5 7288 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7289 res = L2CAP_CR_SUCCESS;
7290 stat = L2CAP_CS_NO_INFO;
7291 }
b1235d79 7292 } else {
acdcabf5 7293 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7294 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7295 res = L2CAP_CR_SEC_BLOCK;
7296 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7297 }
7298
fe4128e0
GP		 7299 rsp.scid = cpu_to_le16(chan->dcid);
7300 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7301 rsp.result = cpu_to_le16(res);
7302 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7303 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7304 sizeof(rsp), &rsp);
2d369359
MM		 7305
7306 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7307 res == L2CAP_CR_SUCCESS) {
7308 char buf[128];
7309 set_bit(CONF_REQ_SENT, &chan->conf_state);
7310 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7311 L2CAP_CONF_REQ,
7312 l2cap_build_conf_req(chan, buf),
7313 buf);
7314 chan->num_conf_req++;
7315 }
b1235d79 7316 }
1da177e4 7317
6be36555 7318 l2cap_chan_unlock(chan);
1da177e4
LT		 7319 }
7320
3df91ea2 7321 mutex_unlock(&conn->chan_lock);
b1235d79 7322
1da177e4
LT		 7323 return 0;
7324}
7325
686ebf28 7326int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7327{
7328 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7329 struct l2cap_hdr *hdr;
7330 int len;
1da177e4 7331
1d13a254
AE		 7332 /* For AMP controller do not create l2cap conn */
7333 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7334 goto drop;
1da177e4 7335
5a08ecce 7336 if (!conn)
baf43251 7337 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7338
7339 if (!conn)
1da177e4
LT		 7340 goto drop;
7341
7342 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7343
d73a0988
AE		 7344 switch (flags) {
7345 case ACL_START:
7346 case ACL_START_NO_FLUSH:
7347 case ACL_COMPLETE:
1da177e4
LT		 7348 if (conn->rx_len) {
7349 BT_ERR("Unexpected start frame (len %d)", skb->len);
7350 kfree_skb(conn->rx_skb);
7351 conn->rx_skb = NULL;
7352 conn->rx_len = 0;
7353 l2cap_conn_unreliable(conn, ECOMM);
7354 }
7355
aae7fe22
AE		 7356 /* Start fragment always begin with Basic L2CAP header */
7357 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7358 BT_ERR("Frame is too short (len %d)", skb->len);
7359 l2cap_conn_unreliable(conn, ECOMM);
7360 goto drop;
7361 }
7362
7363 hdr = (struct l2cap_hdr *) skb->data;
7364 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7365
7366 if (len == skb->len) {
7367 /* Complete frame received */
7368 l2cap_recv_frame(conn, skb);
7369 return 0;
7370 }
7371
7372 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7373
7374 if (skb->len > len) {
7375 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7376 skb->len, len);
1da177e4
LT		 7377 l2cap_conn_unreliable(conn, ECOMM);
7378 goto drop;
7379 }
7380
7381 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7382 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7383 if (!conn->rx_skb)
1da177e4
LT		 7384 goto drop;
7385
d626f62b 7386 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7387 skb->len);
1da177e4 7388 conn->rx_len = len - skb->len;
d73a0988
AE		 7389 break;
7390
7391 case ACL_CONT:
1da177e4
LT		 7392 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7393
7394 if (!conn->rx_len) {
7395 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7396 l2cap_conn_unreliable(conn, ECOMM);
7397 goto drop;
7398 }
7399
7400 if (skb->len > conn->rx_len) {
7401 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7402 skb->len, conn->rx_len);
1da177e4
LT		 7403 kfree_skb(conn->rx_skb);
7404 conn->rx_skb = NULL;
7405 conn->rx_len = 0;
7406 l2cap_conn_unreliable(conn, ECOMM);
7407 goto drop;
7408 }
7409
d626f62b 7410 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7411 skb->len);
1da177e4
LT		 7412 conn->rx_len -= skb->len;
7413
7414 if (!conn->rx_len) {
c4e5bafa
JH		 7415 /* Complete frame received. l2cap_recv_frame
7416 * takes ownership of the skb so set the global
7417 * rx_skb pointer to NULL first.
7418 */
7419 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7420 conn->rx_skb = NULL;
c4e5bafa 7421 l2cap_recv_frame(conn, rx_skb);
1da177e4 7422 }
d73a0988 7423 break;
1da177e4
LT		 7424 }
7425
7426drop:
7427 kfree_skb(skb);
7428 return 0;
7429}
7430
aef7d97c 7431static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7432{
23691d75 7433 struct l2cap_chan *c;
1da177e4 7434
333055f2 7435 read_lock(&chan_list_lock);
1da177e4 7436
23691d75 7437 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7438 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7439 &c->src, &c->dst,
fcb73338
AE		 7440 c->state, __le16_to_cpu(c->psm),
7441 c->scid, c->dcid, c->imtu, c->omtu,
7442 c->sec_level, c->mode);
61e1b4b7 7443 }
1da177e4 7444
333055f2 7445 read_unlock(&chan_list_lock);
1da177e4 7446
aef7d97c 7447 return 0;
1da177e4
LT		 7448}
7449
aef7d97c
MH		 7450static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7451{
7452 return single_open(file, l2cap_debugfs_show, inode->i_private);
7453}
7454
7455static const struct file_operations l2cap_debugfs_fops = {
7456 .open = l2cap_debugfs_open,
7457 .read = seq_read,
7458 .llseek = seq_lseek,
7459 .release = single_release,
7460};
7461
7462static struct dentry *l2cap_debugfs;
1da177e4 7463
64274518 7464int __init l2cap_init(void)
1da177e4
LT		 7465{
7466 int err;
be9d1227 7467
bb58f747 7468 err = l2cap_init_sockets();
1da177e4
LT		 7469 if (err < 0)
7470 return err;
7471
1120e4bf
MH		 7472 if (IS_ERR_OR_NULL(bt_debugfs))
7473 return 0;
7474
7475 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7476 NULL, &l2cap_debugfs_fops);
1da177e4 7477
f15b8ecf
JH		 7478 debugfs_create_u16("l2cap_le_max_credits", 0466, bt_debugfs,
7479 &le_max_credits);
7480 debugfs_create_u16("l2cap_le_default_mps", 0466, bt_debugfs,
7481 &le_default_mps);
7482
18722c24
JR		 7483 bt_6lowpan_init();
7484
1da177e4 7485 return 0;
1da177e4
LT		 7486}
7487
64274518 7488void l2cap_exit(void)
1da177e4 7489{
18722c24 7490 bt_6lowpan_cleanup();
aef7d97c 7491 debugfs_remove(l2cap_debugfs);
bb58f747 7492 l2cap_cleanup_sockets();
1da177e4
LT		 7493}
7494
d1c4a17d
GP		 7495module_param(disable_ertm, bool, 0644);
7496MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.40699 seconds and 5 git commands to generate.