projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove special handling of ATT in l2cap_security_cfm()
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff
GP		 212
213 chan->scid = scid;
214
333055f2 215 write_unlock(&chan_list_lock);
9e4425ff
GP		 216
217 return 0;
218}
219
baa7e1fa 220static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 221{
e77af755 222 u16 cid, dyn_end;
0139418c 223
e77af755
JH		 224 if (conn->hcon->type == LE_LINK)
225 dyn_end = L2CAP_CID_LE_DYN_END;
226 else
227 dyn_end = L2CAP_CID_DYN_END;
228
229 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 230 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 231 return cid;
232 }
233
234 return 0;
235}
236
f93fa273 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 238{
42d2d87c 239 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 240 state_to_string(state));
badaaa00 241
89bc500e 242 chan->state = state;
53f52121 243 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 244}
245
f8e73017
GP		 246static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
247 int state, int err)
2e0052e4 248{
f8e73017 249 chan->state = state;
53f52121 250 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 251}
252
253static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
254{
f8e73017 255 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 256}
257
4239d16f
MM		 258static void __set_retrans_timer(struct l2cap_chan *chan)
259{
260 if (!delayed_work_pending(&chan->monitor_timer) &&
261 chan->retrans_timeout) {
262 l2cap_set_timer(chan, &chan->retrans_timer,
263 msecs_to_jiffies(chan->retrans_timeout));
264 }
265}
266
267static void __set_monitor_timer(struct l2cap_chan *chan)
268{
269 __clear_retrans_timer(chan);
270 if (chan->monitor_timeout) {
271 l2cap_set_timer(chan, &chan->monitor_timer,
272 msecs_to_jiffies(chan->monitor_timeout));
273 }
274}
275
608bcc6d
MM		 276static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
277 u16 seq)
278{
279 struct sk_buff *skb;
280
281 skb_queue_walk(head, skb) {
282 if (bt_cb(skb)->control.txseq == seq)
283 return skb;
284 }
285
286 return NULL;
287}
288
3c588192
MM		 289/* ---- L2CAP sequence number lists ---- */
290
291/* For ERTM, ordered lists of sequence numbers must be tracked for
292 * SREJ requests that are received and for frames that are to be
293 * retransmitted. These seq_list functions implement a singly-linked
294 * list in an array, where membership in the list can also be checked
295 * in constant time. Items can also be added to the tail of the list
296 * and removed from the head in constant time, without further memory
297 * allocs or frees.
298 */
299
300static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
301{
302 size_t alloc_size, i;
303
304 /* Allocated size is a power of 2 to map sequence numbers
305 * (which may be up to 14 bits) in to a smaller array that is
306 * sized for the negotiated ERTM transmit windows.
307 */
308 alloc_size = roundup_pow_of_two(size);
309
310 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
311 if (!seq_list->list)
312 return -ENOMEM;
313
314 seq_list->mask = alloc_size - 1;
315 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
316 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
317 for (i = 0; i < alloc_size; i++)
318 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
319
320 return 0;
321}
322
323static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
324{
325 kfree(seq_list->list);
326}
327
328static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
329 u16 seq)
330{
331 /* Constant-time check for list membership */
332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
333}
334
03a0c5d6 335static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 336{
03a0c5d6 337 u16 seq = seq_list->head;
3c588192
MM		 338 u16 mask = seq_list->mask;
339
03a0c5d6
JH		 340 seq_list->head = seq_list->list[seq & mask];
341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
342
343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 346 }
3c588192 347
03a0c5d6 348 return seq;
3c588192
MM		 349}
350
351static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
352{
f522ae36 353 u16 i;
3c588192 354
f522ae36
GP		 355 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
356 return;
357
358 for (i = 0; i <= seq_list->mask; i++)
359 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
360
361 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
362 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 363}
364
365static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
366{
367 u16 mask = seq_list->mask;
368
369 /* All appends happen in constant time */
370
f522ae36
GP		 371 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
372 return;
3c588192 373
f522ae36
GP		 374 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
375 seq_list->head = seq;
376 else
377 seq_list->list[seq_list->tail & mask] = seq;
378
379 seq_list->tail = seq;
380 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 381}
382
721c4181 383static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 384{
721c4181 385 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 386 chan_timer.work);
3df91ea2 387 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 388 int reason;
389
e05dcc32 390 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 391
3df91ea2 392 mutex_lock(&conn->chan_lock);
6be36555 393 l2cap_chan_lock(chan);
ab07801d 394
89bc500e 395 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 396 reason = ECONNREFUSED;
89bc500e 397 else if (chan->state == BT_CONNECT &&
2d792818 398 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 399 reason = ECONNREFUSED;
400 else
401 reason = ETIMEDOUT;
402
0f852724 403 l2cap_chan_close(chan, reason);
ab07801d 404
6be36555 405 l2cap_chan_unlock(chan);
ab07801d 406
80b98027 407 chan->ops->close(chan);
3df91ea2
AE		 408 mutex_unlock(&conn->chan_lock);
409
371fd835 410 l2cap_chan_put(chan);
ab07801d
GP		 411}
412
eef1d9b6 413struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 414{
415 struct l2cap_chan *chan;
416
417 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
418 if (!chan)
419 return NULL;
420
c03b355e
AE		 421 mutex_init(&chan->lock);
422
333055f2 423 write_lock(&chan_list_lock);
23691d75 424 list_add(&chan->global_l, &chan_list);
333055f2 425 write_unlock(&chan_list_lock);
23691d75 426
721c4181 427 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 428
89bc500e
GP		 429 chan->state = BT_OPEN;
430
144ad330 431 kref_init(&chan->kref);
71ba0e56 432
2827011f
MM		 433 /* This flag is cleared in l2cap_chan_ready() */
434 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
435
eef1d9b6 436 BT_DBG("chan %p", chan);
abc545b8 437
48454079
GP		 438 return chan;
439}
6b8d4a6a 440EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 441
144ad330 442static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 443{
144ad330
SS		 444 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
445
4af66c69
JK		 446 BT_DBG("chan %p", chan);
447
333055f2 448 write_lock(&chan_list_lock);
23691d75 449 list_del(&chan->global_l);
333055f2 450 write_unlock(&chan_list_lock);
23691d75 451
4af66c69 452 kfree(chan);
6ff5abbf
GP		 453}
454
30648372
JK		 455void l2cap_chan_hold(struct l2cap_chan *c)
456{
144ad330 457 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 458
144ad330 459 kref_get(&c->kref);
30648372
JK		 460}
461
462void l2cap_chan_put(struct l2cap_chan *c)
463{
144ad330 464 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 465
144ad330 466 kref_put(&c->kref, l2cap_chan_destroy);
30648372 467}
6b8d4a6a 468EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 469
bd4b1653
AE		 470void l2cap_chan_set_defaults(struct l2cap_chan *chan)
471{
472 chan->fcs = L2CAP_FCS_CRC16;
473 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
474 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
475 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 476 chan->remote_max_tx = chan->max_tx;
477 chan->remote_tx_win = chan->tx_win;
c20f8e35 478 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 479 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 480 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
481 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
482 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
483 chan->conf_state = 0;
bd4b1653
AE		 484
485 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
486}
6b8d4a6a 487EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 488
0ce43ce6 489static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 490{
0ce43ce6
JH		 491 chan->sdu = NULL;
492 chan->sdu_last_frag = NULL;
493 chan->sdu_len = 0;
0cd75f7e 494 chan->tx_credits = 0;
f15b8ecf 495 chan->rx_credits = le_max_credits;
d1d79413 496 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 497
498 skb_queue_head_init(&chan->tx_q);
38319713
JH		 499}
500
93c3e8f5 501void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 502{
af05b30b 503 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 504 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 505
9f5a0d7b 506 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 507
8c1d787b 508 chan->conn = conn;
0139418c 509
5491120e
AE		 510 switch (chan->chan_type) {
511 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 512 /* Alloc CID for connection-oriented socket */
513 chan->scid = l2cap_alloc_cid(conn);
514 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 515 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
2338a7e0
JH		 525 case L2CAP_CHAN_FIXED:
526 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 527 break;
528
5491120e 529 default:
0139418c 530 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 531 chan->scid = L2CAP_CID_SIGNALING;
532 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 533 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 534 }
535
8f7975b1
AE		 536 chan->local_id = L2CAP_BESTEFFORT_ID;
537 chan->local_stype = L2CAP_SERV_BESTEFFORT;
538 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
539 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
540 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 541 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 542
371fd835 543 l2cap_chan_hold(chan);
baa7e1fa 544
5ee9891d
JH		 545 hci_conn_hold(conn->hcon);
546
3df91ea2 547 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 548}
549
466f8004 550void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 551{
552 mutex_lock(&conn->chan_lock);
553 __l2cap_chan_add(conn, chan);
3df91ea2 554 mutex_unlock(&conn->chan_lock);
0139418c
MH		 555}
556
466f8004 557void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 558{
8c1d787b 559 struct l2cap_conn *conn = chan->conn;
0139418c 560
c9b66675 561 __clear_chan_timer(chan);
0139418c 562
49208c9c 563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 564
8e87d142 565 if (conn) {
56f60984 566 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 567 /* Delete from channel list */
3df91ea2 568 list_del(&chan->list);
3d57dc68 569
371fd835 570 l2cap_chan_put(chan);
baa7e1fa 571
8c1d787b 572 chan->conn = NULL;
3cabbfda 573
2338a7e0 574 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 575 hci_conn_drop(conn->hcon);
56f60984
AE		 576
577 if (mgr && mgr->bredr_chan == chan)
578 mgr->bredr_chan = NULL;
0139418c
MH		 579 }
580
419e08c1
AE		 581 if (chan->hs_hchan) {
582 struct hci_chan *hs_hchan = chan->hs_hchan;
583
584 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
585 amp_disconnect_logical_link(hs_hchan);
586 }
587
b699ec0d 588 chan->ops->teardown(chan, err);
6be36555 589
2827011f 590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 591 return;
2ead70b8 592
ee556f66
GP		 593 switch(chan->mode) {
594 case L2CAP_MODE_BASIC:
595 break;
c13ffa62 596
38319713 597 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 598 skb_queue_purge(&chan->tx_q);
38319713
JH		 599 break;
600
ee556f66 601 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 602 __clear_retrans_timer(chan);
603 __clear_monitor_timer(chan);
604 __clear_ack_timer(chan);
c13ffa62 605
f1c6775b 606 skb_queue_purge(&chan->srej_q);
c13ffa62 607
3c588192
MM		 608 l2cap_seq_list_free(&chan->srej_list);
609 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 610
611 /* fall through */
612
613 case L2CAP_MODE_STREAMING:
614 skb_queue_purge(&chan->tx_q);
615 break;
c13ffa62 616 }
ee556f66
GP		 617
618 return;
0139418c 619}
6b8d4a6a 620EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 621
387a33e3
JH		 622void l2cap_conn_update_id_addr(struct hci_conn *hcon)
623{
624 struct l2cap_conn *conn = hcon->l2cap_data;
625 struct l2cap_chan *chan;
626
627 mutex_lock(&conn->chan_lock);
628
629 list_for_each_entry(chan, &conn->chan_l, list) {
630 l2cap_chan_lock(chan);
631 bacpy(&chan->dst, &hcon->dst);
632 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
633 l2cap_chan_unlock(chan);
634 }
635
636 mutex_unlock(&conn->chan_lock);
637}
638
27e2d4c8
JH		 639static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
640{
641 struct l2cap_conn *conn = chan->conn;
642 struct l2cap_le_conn_rsp rsp;
643 u16 result;
644
645 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
646 result = L2CAP_CR_AUTHORIZATION;
647 else
648 result = L2CAP_CR_BAD_PSM;
649
650 l2cap_state_change(chan, BT_DISCONN);
651
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 654 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 655 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 656 rsp.result = cpu_to_le16(result);
657
658 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
659 &rsp);
660}
661
791d60f7
JH		 662static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
663{
664 struct l2cap_conn *conn = chan->conn;
665 struct l2cap_conn_rsp rsp;
666 u16 result;
667
668 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
669 result = L2CAP_CR_SEC_BLOCK;
670 else
671 result = L2CAP_CR_BAD_PSM;
672
673 l2cap_state_change(chan, BT_DISCONN);
674
675 rsp.scid = cpu_to_le16(chan->dcid);
676 rsp.dcid = cpu_to_le16(chan->scid);
677 rsp.result = cpu_to_le16(result);
dcf4adbf 678 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 679
680 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
681}
682
0f852724 683void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 684{
685 struct l2cap_conn *conn = chan->conn;
4519de9a 686
7eafc59e 687 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 688
89bc500e 689 switch (chan->state) {
4519de9a 690 case BT_LISTEN:
b699ec0d 691 chan->ops->teardown(chan, 0);
4519de9a
GP		 692 break;
693
694 case BT_CONNECTED:
695 case BT_CONFIG:
7b25c9b3 696 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 697 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 698 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 699 } else
700 l2cap_chan_del(chan, reason);
701 break;
702
703 case BT_CONNECT2:
791d60f7
JH		 704 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
705 if (conn->hcon->type == ACL_LINK)
706 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 707 else if (conn->hcon->type == LE_LINK)
708 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 709 }
710
711 l2cap_chan_del(chan, reason);
712 break;
713
714 case BT_CONNECT:
715 case BT_DISCONN:
716 l2cap_chan_del(chan, reason);
717 break;
718
719 default:
b699ec0d 720 chan->ops->teardown(chan, 0);
4519de9a
GP		 721 break;
722 }
723}
6b8d4a6a 724EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 725
4343478f 726static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 727{
6a974b50
MH		 728 switch (chan->chan_type) {
729 case L2CAP_CHAN_RAW:
4343478f 730 switch (chan->sec_level) {
8556edd3 731 case BT_SECURITY_HIGH:
7d513e92 732 case BT_SECURITY_FIPS:
8556edd3
JH		 733 return HCI_AT_DEDICATED_BONDING_MITM;
734 case BT_SECURITY_MEDIUM:
735 return HCI_AT_DEDICATED_BONDING;
736 default:
737 return HCI_AT_NO_BONDING;
738 }
6a974b50 739 break;
3124b843 740 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 741 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 742 if (chan->sec_level == BT_SECURITY_LOW)
743 chan->sec_level = BT_SECURITY_SDP;
744 }
7d513e92
MH		 745 if (chan->sec_level == BT_SECURITY_HIGH ||
746 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 747 return HCI_AT_NO_BONDING_MITM;
748 else
749 return HCI_AT_NO_BONDING;
750 break;
6a974b50 751 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 752 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 753 if (chan->sec_level == BT_SECURITY_LOW)
754 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 755
7d513e92
MH		 756 if (chan->sec_level == BT_SECURITY_HIGH ||
757 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 758 return HCI_AT_NO_BONDING_MITM;
759 else
760 return HCI_AT_NO_BONDING;
761 }
762 /* fall through */
763 default:
4343478f 764 switch (chan->sec_level) {
00ae4af9 765 case BT_SECURITY_HIGH:
7d513e92 766 case BT_SECURITY_FIPS:
8556edd3 767 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 768 case BT_SECURITY_MEDIUM:
8556edd3 769 return HCI_AT_GENERAL_BONDING;
00ae4af9 770 default:
8556edd3 771 return HCI_AT_NO_BONDING;
00ae4af9 772 }
6a974b50 773 break;
0684e5f9 774 }
8556edd3
JH		 775}
776
777/* Service level security */
e7cafc45 778int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 779{
8c1d787b 780 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 781 __u8 auth_type;
782
a17de2fe
JH		 783 if (conn->hcon->type == LE_LINK)
784 return smp_conn_security(conn->hcon, chan->sec_level);
785
4343478f 786 auth_type = l2cap_get_auth_type(chan);
79d554a6 787
e7cafc45
JH		 788 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
789 initiator);
79d554a6
MH		 790}
791
b5ad8b7f 792static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 793{
794 u8 id;
795
796 /* Get next available identificator.
797 * 1 - 128 are used by kernel.
798 * 129 - 199 are reserved.
799 * 200 - 254 are used by utilities like l2ping, etc.
800 */
801
5a54e7c8 802 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 803
804 if (++conn->tx_ident > 128)
805 conn->tx_ident = 1;
806
807 id = conn->tx_ident;
808
5a54e7c8 809 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 810
811 return id;
812}
813
2d792818
GP		 814static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
815 void *data)
4e8402a3
MH		 816{
817 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 818 u8 flags;
4e8402a3
MH		 819
820 BT_DBG("code 0x%2.2x", code);
821
822 if (!skb)
9a9c6a34 823 return;
4e8402a3 824
e702112f
AE		 825 if (lmp_no_flush_capable(conn->hcon->hdev))
826 flags = ACL_START_NO_FLUSH;
827 else
828 flags = ACL_START;
829
14b12d0b 830 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 831 skb->priority = HCI_PRIO_MAX;
14b12d0b 832
73d80deb
LAD		 833 hci_send_acl(conn->hchan, skb, flags);
834}
835
02b0fbb9
MM		 836static bool __chan_is_moving(struct l2cap_chan *chan)
837{
838 return chan->move_state != L2CAP_MOVE_STABLE &&
839 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
840}
841
73d80deb
LAD		 842static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
843{
844 struct hci_conn *hcon = chan->conn->hcon;
845 u16 flags;
846
847 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 848 skb->priority);
73d80deb 849
d5f8a75d
MM		 850 if (chan->hs_hcon && !__chan_is_moving(chan)) {
851 if (chan->hs_hchan)
852 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
853 else
854 kfree_skb(skb);
855
856 return;
857 }
858
73d80deb 859 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 860 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 861 flags = ACL_START_NO_FLUSH;
862 else
863 flags = ACL_START;
14b12d0b 864
73d80deb
LAD		 865 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
866 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 867}
868
b76bbd66
MM		 869static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
870{
871 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
872 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
873
874 if (enh & L2CAP_CTRL_FRAME_TYPE) {
875 /* S-Frame */
876 control->sframe = 1;
877 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
878 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
879
880 control->sar = 0;
881 control->txseq = 0;
882 } else {
883 /* I-Frame */
884 control->sframe = 0;
885 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
886 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
887
888 control->poll = 0;
889 control->super = 0;
890 }
891}
892
b76bbd66
MM		 893static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
894{
895 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
896 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
897
898 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
899 /* S-Frame */
900 control->sframe = 1;
901 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
902 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
903
904 control->sar = 0;
905 control->txseq = 0;
906 } else {
907 /* I-Frame */
908 control->sframe = 0;
909 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
910 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
911
912 control->poll = 0;
913 control->super = 0;
914 }
915}
916
917static inline void __unpack_control(struct l2cap_chan *chan,
918 struct sk_buff *skb)
919{
920 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
921 __unpack_extended_control(get_unaligned_le32(skb->data),
922 &bt_cb(skb)->control);
cec8ab6e 923 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 924 } else {
925 __unpack_enhanced_control(get_unaligned_le16(skb->data),
926 &bt_cb(skb)->control);
cec8ab6e 927 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 928 }
929}
930
b5c6aaed
MM		 931static u32 __pack_extended_control(struct l2cap_ctrl *control)
932{
933 u32 packed;
934
935 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
936 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
937
938 if (control->sframe) {
939 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
940 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
941 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
942 } else {
943 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
944 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
945 }
946
947 return packed;
948}
949
950static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
951{
952 u16 packed;
953
954 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
955 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
956
957 if (control->sframe) {
958 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
959 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
960 packed |= L2CAP_CTRL_FRAME_TYPE;
961 } else {
962 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
963 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
964 }
965
966 return packed;
967}
968
b76bbd66
MM		 969static inline void __pack_control(struct l2cap_chan *chan,
970 struct l2cap_ctrl *control,
971 struct sk_buff *skb)
972{
973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
974 put_unaligned_le32(__pack_extended_control(control),
975 skb->data + L2CAP_HDR_SIZE);
976 } else {
977 put_unaligned_le16(__pack_enhanced_control(control),
978 skb->data + L2CAP_HDR_SIZE);
979 }
980}
981
ba7aa64f
GP		 982static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
983{
984 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
985 return L2CAP_EXT_HDR_SIZE;
986 else
987 return L2CAP_ENH_HDR_SIZE;
988}
989
a67d7f6f
MM		 990static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
991 u32 control)
b5c6aaed
MM		 992{
993 struct sk_buff *skb;
994 struct l2cap_hdr *lh;
ba7aa64f 995 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 996
997 if (chan->fcs == L2CAP_FCS_CRC16)
998 hlen += L2CAP_FCS_SIZE;
999
a67d7f6f 1000 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1001
b5c6aaed 1002 if (!skb)
a67d7f6f 1003 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1004
1005 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1006 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1007 lh->cid = cpu_to_le16(chan->dcid);
1008
a67d7f6f
MM		 1009 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1010 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1011 else
1012 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1013
1014 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1015 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1016 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1017 }
1018
1019 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1020 return skb;
1021}
1022
1023static void l2cap_send_sframe(struct l2cap_chan *chan,
1024 struct l2cap_ctrl *control)
1025{
1026 struct sk_buff *skb;
1027 u32 control_field;
1028
1029 BT_DBG("chan %p, control %p", chan, control);
1030
1031 if (!control->sframe)
1032 return;
1033
b99e13ad
MM		 1034 if (__chan_is_moving(chan))
1035 return;
1036
a67d7f6f
MM		 1037 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1038 !control->poll)
1039 control->final = 1;
1040
1041 if (control->super == L2CAP_SUPER_RR)
1042 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1043 else if (control->super == L2CAP_SUPER_RNR)
1044 set_bit(CONN_RNR_SENT, &chan->conn_state);
1045
1046 if (control->super != L2CAP_SUPER_SREJ) {
1047 chan->last_acked_seq = control->reqseq;
1048 __clear_ack_timer(chan);
1049 }
1050
1051 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1052 control->final, control->poll, control->super);
1053
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 control_field = __pack_extended_control(control);
1056 else
1057 control_field = __pack_enhanced_control(control);
1058
1059 skb = l2cap_create_sframe_pdu(chan, control_field);
1060 if (!IS_ERR(skb))
1061 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1062}
1063
c9e3d5e0 1064static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1065{
c9e3d5e0
MM		 1066 struct l2cap_ctrl control;
1067
1068 BT_DBG("chan %p, poll %d", chan, poll);
1069
1070 memset(&control, 0, sizeof(control));
1071 control.sframe = 1;
1072 control.poll = poll;
1073
1074 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1075 control.super = L2CAP_SUPER_RNR;
1076 else
1077 control.super = L2CAP_SUPER_RR;
b5c6aaed 1078
c9e3d5e0
MM		 1079 control.reqseq = chan->buffer_seq;
1080 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1081}
1082
b4450035 1083static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1084{
5ff6f34d
JH		 1085 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1086 return true;
1087
c1360a1c 1088 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1089}
1090
1df7b17a 1091static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1092{
1df7b17a 1093 struct l2cap_conn *conn = chan->conn;
80d58d0b 1094 struct hci_dev *hdev;
1df7b17a
MH		 1095 bool amp_available = false;
1096
1097 if (!conn->hs_enabled)
1098 return false;
1099
1100 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1101 return false;
80d58d0b
MH		 1102
1103 read_lock(&hci_dev_list_lock);
1df7b17a 1104 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1105 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1106 test_bit(HCI_UP, &hdev->flags)) {
1107 amp_available = true;
1108 break;
1109 }
1110 }
80d58d0b
MH		 1111 read_unlock(&hci_dev_list_lock);
1112
1df7b17a
MH		 1113 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1114 return amp_available;
848566b3
MH		 1115
1116 return false;
93c3e8f5
AE		 1117}
1118
5ce66b59
AE		 1119static bool l2cap_check_efs(struct l2cap_chan *chan)
1120{
1121 /* Check EFS parameters */
1122 return true;
1123}
1124
2766be48 1125void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1126{
1127 struct l2cap_conn *conn = chan->conn;
1128 struct l2cap_conn_req req;
1129
1130 req.scid = cpu_to_le16(chan->scid);
1131 req.psm = chan->psm;
1132
1133 chan->ident = l2cap_get_ident(conn);
1134
1135 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136
1137 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1138}
1139
8eb200bd
MM		 1140static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1141{
1142 struct l2cap_create_chan_req req;
1143 req.scid = cpu_to_le16(chan->scid);
1144 req.psm = chan->psm;
1145 req.amp_id = amp_id;
1146
1147 chan->ident = l2cap_get_ident(chan->conn);
1148
1149 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1150 sizeof(req), &req);
1151}
1152
02b0fbb9
MM		 1153static void l2cap_move_setup(struct l2cap_chan *chan)
1154{
1155 struct sk_buff *skb;
1156
1157 BT_DBG("chan %p", chan);
1158
1159 if (chan->mode != L2CAP_MODE_ERTM)
1160 return;
1161
1162 __clear_retrans_timer(chan);
1163 __clear_monitor_timer(chan);
1164 __clear_ack_timer(chan);
1165
1166 chan->retry_count = 0;
1167 skb_queue_walk(&chan->tx_q, skb) {
1168 if (bt_cb(skb)->control.retries)
1169 bt_cb(skb)->control.retries = 1;
1170 else
1171 break;
1172 }
1173
1174 chan->expected_tx_seq = chan->buffer_seq;
1175
1176 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1177 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1178 l2cap_seq_list_clear(&chan->retrans_list);
1179 l2cap_seq_list_clear(&chan->srej_list);
1180 skb_queue_purge(&chan->srej_q);
1181
1182 chan->tx_state = L2CAP_TX_STATE_XMIT;
1183 chan->rx_state = L2CAP_RX_STATE_MOVE;
1184
1185 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1186}
1187
5f3847a4
MM		 1188static void l2cap_move_done(struct l2cap_chan *chan)
1189{
1190 u8 move_role = chan->move_role;
1191 BT_DBG("chan %p", chan);
1192
1193 chan->move_state = L2CAP_MOVE_STABLE;
1194 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1195
1196 if (chan->mode != L2CAP_MODE_ERTM)
1197 return;
1198
1199 switch (move_role) {
1200 case L2CAP_MOVE_ROLE_INITIATOR:
1201 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1202 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1203 break;
1204 case L2CAP_MOVE_ROLE_RESPONDER:
1205 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1206 break;
1207 }
1208}
1209
9f0caeb1
VCG		 1210static void l2cap_chan_ready(struct l2cap_chan *chan)
1211{
2827011f 1212 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1213 chan->conf_state = 0;
1214 __clear_chan_timer(chan);
1215
0ce43ce6
JH		 1216 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1217 chan->ops->suspend(chan);
177f8f2b 1218
54a59aa2 1219 chan->state = BT_CONNECTED;
9f0caeb1 1220
fd83e2c2 1221 chan->ops->ready(chan);
9f0caeb1
VCG		 1222}
1223
f1496dee
JH		 1224static void l2cap_le_connect(struct l2cap_chan *chan)
1225{
1226 struct l2cap_conn *conn = chan->conn;
1227 struct l2cap_le_conn_req req;
1228
595177f3
JH		 1229 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1230 return;
1231
f1496dee
JH		 1232 req.psm = chan->psm;
1233 req.scid = cpu_to_le16(chan->scid);
1234 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1235 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1236 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1237
1238 chan->ident = l2cap_get_ident(conn);
1239
1240 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1241 sizeof(req), &req);
1242}
1243
1244static void l2cap_le_start(struct l2cap_chan *chan)
1245{
1246 struct l2cap_conn *conn = chan->conn;
1247
1248 if (!smp_conn_security(conn->hcon, chan->sec_level))
1249 return;
1250
1251 if (!chan->psm) {
1252 l2cap_chan_ready(chan);
1253 return;
1254 }
1255
1256 if (chan->state == BT_CONNECT)
1257 l2cap_le_connect(chan);
1258}
1259
93c3e8f5
AE		 1260static void l2cap_start_connection(struct l2cap_chan *chan)
1261{
1262 if (__amp_capable(chan)) {
1263 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1264 a2mp_discover_amp(chan);
f1496dee
JH		 1265 } else if (chan->conn->hcon->type == LE_LINK) {
1266 l2cap_le_start(chan);
93c3e8f5
AE		 1267 } else {
1268 l2cap_send_conn_req(chan);
1269 }
1270}
1271
fc7f8a7e 1272static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1273{
8c1d787b 1274 struct l2cap_conn *conn = chan->conn;
79d554a6 1275
9f0caeb1 1276 if (conn->hcon->type == LE_LINK) {
96ac34fb 1277 l2cap_le_start(chan);
9f0caeb1
VCG		 1278 return;
1279 }
1280
79d554a6 1281 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1282 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1283 return;
1284
e7cafc45 1285 if (l2cap_chan_check_security(chan, true) &&
2d792818 1286 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1287 l2cap_start_connection(chan);
1288 }
79d554a6
MH		 1289 } else {
1290 struct l2cap_info_req req;
dcf4adbf 1291 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1292
1293 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1294 conn->info_ident = l2cap_get_ident(conn);
1295
ba13ccd9 1296 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1297
2d792818
GP		 1298 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1299 sizeof(req), &req);
79d554a6
MH		 1300 }
1301}
1302
cf6c2c0b
GP		 1303static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1304{
1305 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1306 if (!disable_ertm)
cf6c2c0b
GP		 1307 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1308
1309 switch (mode) {
1310 case L2CAP_MODE_ERTM:
1311 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1312 case L2CAP_MODE_STREAMING:
1313 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1314 default:
1315 return 0x00;
1316 }
1317}
1318
5e4e3972 1319static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1320{
5e4e3972 1321 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1322 struct l2cap_disconn_req req;
1323
c13ffa62
GP		 1324 if (!conn)
1325 return;
1326
aad3d0e3 1327 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1328 __clear_retrans_timer(chan);
1329 __clear_monitor_timer(chan);
1330 __clear_ack_timer(chan);
c13ffa62
GP		 1331 }
1332
2338a7e0 1333 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1334 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1335 return;
1336 }
1337
fe4128e0
GP		 1338 req.dcid = cpu_to_le16(chan->dcid);
1339 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1340 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1341 sizeof(req), &req);
c13ffa62 1342
f8e73017 1343 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1344}
1345
1da177e4 1346/* ---- L2CAP connections ---- */
4e8402a3
MH		 1347static void l2cap_conn_start(struct l2cap_conn *conn)
1348{
3df91ea2 1349 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1350
1351 BT_DBG("conn %p", conn);
1352
3df91ea2 1353 mutex_lock(&conn->chan_lock);
4e8402a3 1354
3df91ea2 1355 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1356 l2cap_chan_lock(chan);
4e8402a3 1357
715ec005 1358 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1359 l2cap_chan_unlock(chan);
79d554a6
MH		 1360 continue;
1361 }
1362
89bc500e 1363 if (chan->state == BT_CONNECT) {
e7cafc45 1364 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1365 !__l2cap_no_conn_pending(chan)) {
6be36555 1366 l2cap_chan_unlock(chan);
47731de7
GP		 1367 continue;
1368 }
79d554a6 1369
c1360a1c 1370 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1371 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1372 &chan->conf_state)) {
89bc500e 1373 l2cap_chan_close(chan, ECONNRESET);
6be36555 1374 l2cap_chan_unlock(chan);
47731de7 1375 continue;
b1235d79 1376 }
47731de7 1377
93c3e8f5 1378 l2cap_start_connection(chan);
47731de7 1379
89bc500e 1380 } else if (chan->state == BT_CONNECT2) {
79d554a6 1381 struct l2cap_conn_rsp rsp;
e9aeb2dd 1382 char buf[128];
fe4128e0
GP		 1383 rsp.scid = cpu_to_le16(chan->dcid);
1384 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1385
e7cafc45 1386 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1387 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1388 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1389 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1390 chan->ops->defer(chan);
f66dc81f
MH		 1391
1392 } else {
acdcabf5 1393 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1394 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1395 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1396 }
79d554a6 1397 } else {
dcf4adbf
JP		 1398 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1399 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1400 }
1401
fc7f8a7e 1402 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1403 sizeof(rsp), &rsp);
e9aeb2dd 1404
c1360a1c 1405 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1406 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1407 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1408 continue;
1409 }
1410
c1360a1c 1411 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1412 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1413 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1414 chan->num_conf_req++;
4e8402a3
MH		 1415 }
1416
6be36555 1417 l2cap_chan_unlock(chan);
4e8402a3
MH		 1418 }
1419
3df91ea2 1420 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1421}
1422
c2287681 1423/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1424 * Returns closest match, locked.
1425 */
d9b88702 1426static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1427 bdaddr_t *src,
1428 bdaddr_t *dst)
b62f328b 1429{
23691d75 1430 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1431
23691d75 1432 read_lock(&chan_list_lock);
b62f328b 1433
23691d75 1434 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1435 if (state && c->state != state)
b62f328b
VT		 1436 continue;
1437
23691d75 1438 if (c->scid == cid) {
c2287681
IY		 1439 int src_match, dst_match;
1440 int src_any, dst_any;
1441
b62f328b 1442 /* Exact match. */
7eafc59e
MH		 1443 src_match = !bacmp(&c->src, src);
1444 dst_match = !bacmp(&c->dst, dst);
c2287681 1445 if (src_match && dst_match) {
a24cce14 1446 l2cap_chan_hold(c);
23691d75
GP		 1447 read_unlock(&chan_list_lock);
1448 return c;
1449 }
b62f328b
VT		 1450
1451 /* Closest match */
7eafc59e
MH		 1452 src_any = !bacmp(&c->src, BDADDR_ANY);
1453 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1454 if ((src_match && dst_any) || (src_any && dst_match) ||
1455 (src_any && dst_any))
23691d75 1456 c1 = c;
b62f328b
VT		 1457 }
1458 }
280f294f 1459
a24cce14
JH		 1460 if (c1)
1461 l2cap_chan_hold(c1);
1462
23691d75 1463 read_unlock(&chan_list_lock);
b62f328b 1464
23691d75 1465 return c1;
b62f328b
VT		 1466}
1467
1468static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1469{
cc8dba2b 1470 struct hci_conn *hcon = conn->hcon;
dcc36c16 1471 struct hci_dev *hdev = hcon->hdev;
23691d75 1472 struct l2cap_chan *chan, *pchan;
cc8dba2b 1473 u8 dst_type;
b62f328b
VT		 1474
1475 BT_DBG("");
1476
1477 /* Check if we have socket listening on cid */
073d1cf3 1478 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1479 &hcon->src, &hcon->dst);
23691d75 1480 if (!pchan)
b62f328b
VT		 1481 return;
1482
44f3b0fb
JH		 1483 /* Client ATT sockets should override the server one */
1484 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
a24cce14 1485 goto put;
44f3b0fb 1486
cc8dba2b
MH		 1487 dst_type = bdaddr_type(hcon, hcon->dst_type);
1488
1489 /* If device is blocked, do not create a channel for it */
dcc36c16 1490 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
a24cce14 1491 goto put;
cc8dba2b 1492
80afeb6c
MH		 1493 /* For LE slave connections, make sure the connection interval
1494 * is in the range of the minium and maximum interval that has
1495 * been configured for this connection. If not, then trigger
1496 * the connection update procedure.
1497 */
40bef302 1498 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1499 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1500 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1501 struct l2cap_conn_param_update_req req;
1502
1503 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1504 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1505 req.latency = cpu_to_le16(hcon->le_conn_latency);
1506 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1507
1508 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1509 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1510 }
1511
8ffb9290 1512 l2cap_chan_lock(pchan);
62f3a2cf 1513
80b98027 1514 chan = pchan->ops->new_connection(pchan);
80808e43 1515 if (!chan)
b62f328b
VT		 1516 goto clean;
1517
cc8dba2b
MH		 1518 bacpy(&chan->src, &hcon->src);
1519 bacpy(&chan->dst, &hcon->dst);
1520 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1521 chan->dst_type = dst_type;
b62f328b 1522
44f3b0fb 1523 __l2cap_chan_add(conn, chan);
48454079 1524
b62f328b 1525clean:
8ffb9290 1526 l2cap_chan_unlock(pchan);
a24cce14
JH		 1527put:
1528 l2cap_chan_put(pchan);
b62f328b
VT		 1529}
1530
4e8402a3
MH		 1531static void l2cap_conn_ready(struct l2cap_conn *conn)
1532{
48454079 1533 struct l2cap_chan *chan;
cc110922 1534 struct hci_conn *hcon = conn->hcon;
4e8402a3 1535
79d554a6 1536 BT_DBG("conn %p", conn);
4e8402a3 1537
d8729922
JH		 1538 /* For outgoing pairing which doesn't necessarily have an
1539 * associated socket (e.g. mgmt_pair_device).
1540 */
cc110922
VCG		 1541 if (hcon->out && hcon->type == LE_LINK)
1542 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1543
3df91ea2 1544 mutex_lock(&conn->chan_lock);
4e8402a3 1545
44f3b0fb
JH		 1546 if (hcon->type == LE_LINK)
1547 l2cap_le_conn_ready(conn);
1548
3df91ea2 1549 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1550
6be36555 1551 l2cap_chan_lock(chan);
4e8402a3 1552
2338a7e0 1553 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1554 l2cap_chan_unlock(chan);
1555 continue;
1556 }
1557
cc110922 1558 if (hcon->type == LE_LINK) {
f1496dee 1559 l2cap_le_start(chan);
63128451 1560 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1561 l2cap_chan_ready(chan);
b501d6a1 1562
1c244f79 1563 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1564 l2cap_do_start(chan);
1c244f79 1565 }
4e8402a3 1566
6be36555 1567 l2cap_chan_unlock(chan);
4e8402a3 1568 }
79d554a6 1569
3df91ea2 1570 mutex_unlock(&conn->chan_lock);
61a939c6
JH		 1571
1572 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1573}
1574
1575/* Notify sockets that we cannot guaranty reliability anymore */
1576static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1577{
48454079 1578 struct l2cap_chan *chan;
4e8402a3
MH		 1579
1580 BT_DBG("conn %p", conn);
1581
3df91ea2 1582 mutex_lock(&conn->chan_lock);
4e8402a3 1583
3df91ea2 1584 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1585 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1586 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1587 }
1588
3df91ea2 1589 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1590}
1591
f878fcad 1592static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1593{
f878fcad 1594 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1595 info_timer.work);
4e8402a3 1596
984947dc 1597 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1598 conn->info_ident = 0;
984947dc 1599
4e8402a3
MH		 1600 l2cap_conn_start(conn);
1601}
1602
2c8e1411
DH		 1603/*
1604 * l2cap_user
1605 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1606 * callback is called during registration. The ->remove callback is called
1607 * during unregistration.
1608 * An l2cap_user object can either be explicitly unregistered or when the
1609 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1610 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1611 * External modules must own a reference to the l2cap_conn object if they intend
1612 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1613 * any time if they don't.
1614 */
1615
1616int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1617{
1618 struct hci_dev *hdev = conn->hcon->hdev;
1619 int ret;
1620
1621 /* We need to check whether l2cap_conn is registered. If it is not, we
1622 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1623 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1624 * relies on the parent hci_conn object to be locked. This itself relies
1625 * on the hci_dev object to be locked. So we must lock the hci device
1626 * here, too. */
1627
1628 hci_dev_lock(hdev);
1629
1630 if (user->list.next || user->list.prev) {
1631 ret = -EINVAL;
1632 goto out_unlock;
1633 }
1634
1635 /* conn->hchan is NULL after l2cap_conn_del() was called */
1636 if (!conn->hchan) {
1637 ret = -ENODEV;
1638 goto out_unlock;
1639 }
1640
1641 ret = user->probe(conn, user);
1642 if (ret)
1643 goto out_unlock;
1644
1645 list_add(&user->list, &conn->users);
1646 ret = 0;
1647
1648out_unlock:
1649 hci_dev_unlock(hdev);
1650 return ret;
1651}
1652EXPORT_SYMBOL(l2cap_register_user);
1653
1654void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1655{
1656 struct hci_dev *hdev = conn->hcon->hdev;
1657
1658 hci_dev_lock(hdev);
1659
1660 if (!user->list.next || !user->list.prev)
1661 goto out_unlock;
1662
1663 list_del(&user->list);
1664 user->list.next = NULL;
1665 user->list.prev = NULL;
1666 user->remove(conn, user);
1667
1668out_unlock:
1669 hci_dev_unlock(hdev);
1670}
1671EXPORT_SYMBOL(l2cap_unregister_user);
1672
1673static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1674{
1675 struct l2cap_user *user;
1676
1677 while (!list_empty(&conn->users)) {
1678 user = list_first_entry(&conn->users, struct l2cap_user, list);
1679 list_del(&user->list);
1680 user->list.next = NULL;
1681 user->list.prev = NULL;
1682 user->remove(conn, user);
1683 }
1684}
1685
5d3de7df
VCG		 1686static void l2cap_conn_del(struct hci_conn *hcon, int err)
1687{
1688 struct l2cap_conn *conn = hcon->l2cap_data;
1689 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1690
1691 if (!conn)
1692 return;
1693
1694 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1695
1696 kfree_skb(conn->rx_skb);
1697
61a939c6 1698 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1699
1700 /* We can not call flush_work(&conn->pending_rx_work) here since we
1701 * might block if we are running on a worker from the same workqueue
1702 * pending_rx_work is waiting on.
1703 */
1704 if (work_pending(&conn->pending_rx_work))
1705 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1706
2c8e1411
DH		 1707 l2cap_unregister_all_users(conn);
1708
3df91ea2
AE		 1709 mutex_lock(&conn->chan_lock);
1710
5d3de7df
VCG		 1711 /* Kill channels */
1712 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1713 l2cap_chan_hold(chan);
6be36555
AE		 1714 l2cap_chan_lock(chan);
1715
5d3de7df 1716 l2cap_chan_del(chan, err);
6be36555
AE		 1717
1718 l2cap_chan_unlock(chan);
1719
80b98027 1720 chan->ops->close(chan);
61d6ef3e 1721 l2cap_chan_put(chan);
5d3de7df
VCG		 1722 }
1723
3df91ea2
AE		 1724 mutex_unlock(&conn->chan_lock);
1725
73d80deb
LAD		 1726 hci_chan_del(conn->hchan);
1727
5d3de7df 1728 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1729 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1730
51a8efd7 1731 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1732 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1733 smp_chan_destroy(conn);
d26a2345 1734 }
5d3de7df
VCG		 1735
1736 hcon->l2cap_data = NULL;
9c903e37
DH		 1737 conn->hchan = NULL;
1738 l2cap_conn_put(conn);
5d3de7df
VCG		 1739}
1740
6c9d42a1 1741static void security_timeout(struct work_struct *work)
5d3de7df 1742{
6c9d42a1 1743 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1744 security_timer.work);
5d3de7df 1745
d06cc416
JH		 1746 BT_DBG("conn %p", conn);
1747
1748 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1749 smp_chan_destroy(conn);
1750 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1751 }
5d3de7df
VCG		 1752}
1753
9c903e37
DH		 1754static void l2cap_conn_free(struct kref *ref)
1755{
1756 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1757
1758 hci_conn_put(conn->hcon);
1759 kfree(conn);
1760}
1761
1762void l2cap_conn_get(struct l2cap_conn *conn)
1763{
1764 kref_get(&conn->ref);
1765}
1766EXPORT_SYMBOL(l2cap_conn_get);
1767
1768void l2cap_conn_put(struct l2cap_conn *conn)
1769{
1770 kref_put(&conn->ref, l2cap_conn_free);
1771}
1772EXPORT_SYMBOL(l2cap_conn_put);
1773
1da177e4 1774/* ---- Socket interface ---- */
1da177e4 1775
c2287681 1776/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1777 * Returns closest match.
1778 */
c2287681
IY		 1779static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1780 bdaddr_t *src,
bf20fd4e
JH		 1781 bdaddr_t *dst,
1782 u8 link_type)
1da177e4 1783{
23691d75 1784 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1785
23691d75 1786 read_lock(&chan_list_lock);
e0f0cb56 1787
23691d75 1788 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1789 if (state && c->state != state)
1da177e4
LT		 1790 continue;
1791
bf20fd4e
JH		 1792 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1793 continue;
1794
1795 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1796 continue;
1797
23691d75 1798 if (c->psm == psm) {
c2287681
IY		 1799 int src_match, dst_match;
1800 int src_any, dst_any;
1801
1da177e4 1802 /* Exact match. */
7eafc59e
MH		 1803 src_match = !bacmp(&c->src, src);
1804 dst_match = !bacmp(&c->dst, dst);
c2287681 1805 if (src_match && dst_match) {
a24cce14 1806 l2cap_chan_hold(c);
a7567b20 1807 read_unlock(&chan_list_lock);
23691d75
GP		 1808 return c;
1809 }
1da177e4
LT		 1810
1811 /* Closest match */
7eafc59e
MH		 1812 src_any = !bacmp(&c->src, BDADDR_ANY);
1813 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1814 if ((src_match && dst_any) || (src_any && dst_match) ||
1815 (src_any && dst_any))
23691d75 1816 c1 = c;
1da177e4
LT		 1817 }
1818 }
1da177e4 1819
a24cce14
JH		 1820 if (c1)
1821 l2cap_chan_hold(c1);
1822
23691d75 1823 read_unlock(&chan_list_lock);
e0f0cb56 1824
23691d75 1825 return c1;
1da177e4
LT		 1826}
1827
721c4181 1828static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1829{
721c4181 1830 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1831 monitor_timer.work);
e90bac06 1832
525cd185 1833 BT_DBG("chan %p", chan);
0e98958d 1834
6be36555
AE		 1835 l2cap_chan_lock(chan);
1836
80909e04 1837 if (!chan->conn) {
6be36555 1838 l2cap_chan_unlock(chan);
8d7e1c7f 1839 l2cap_chan_put(chan);
e90bac06
GP		 1840 return;
1841 }
1842
401bb1f7 1843 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1844
6be36555 1845 l2cap_chan_unlock(chan);
8d7e1c7f 1846 l2cap_chan_put(chan);
e90bac06
GP		 1847}
1848
721c4181 1849static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1850{
721c4181 1851 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1852 retrans_timer.work);
e90bac06 1853
49208c9c 1854 BT_DBG("chan %p", chan);
0e98958d 1855
6be36555
AE		 1856 l2cap_chan_lock(chan);
1857
80909e04
MM		 1858 if (!chan->conn) {
1859 l2cap_chan_unlock(chan);
1860 l2cap_chan_put(chan);
1861 return;
1862 }
6be36555 1863
401bb1f7 1864 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1865 l2cap_chan_unlock(chan);
8d7e1c7f 1866 l2cap_chan_put(chan);
e90bac06
GP		 1867}
1868
d660366d
GP		 1869static void l2cap_streaming_send(struct l2cap_chan *chan,
1870 struct sk_buff_head *skbs)
6840ed07 1871{
ccbb84af 1872 struct sk_buff *skb;
3733937d 1873 struct l2cap_ctrl *control;
6840ed07 1874
3733937d
MM		 1875 BT_DBG("chan %p, skbs %p", chan, skbs);
1876
b99e13ad
MM		 1877 if (__chan_is_moving(chan))
1878 return;
1879
3733937d
MM		 1880 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1881
1882 while (!skb_queue_empty(&chan->tx_q)) {
1883
1884 skb = skb_dequeue(&chan->tx_q);
1885
1886 bt_cb(skb)->control.retries = 1;
1887 control = &bt_cb(skb)->control;
1888
1889 control->reqseq = 0;
1890 control->txseq = chan->next_tx_seq;
1891
1892 __pack_control(chan, control, skb);
6840ed07 1893
47d1ec61 1894 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1895 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1896 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1897 }
1898
4343478f 1899 l2cap_do_send(chan, skb);
6840ed07 1900
b4400672 1901 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1902
836be934 1903 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1904 chan->frames_sent++;
6840ed07 1905 }
6840ed07
GP		 1906}
1907
67c9e840 1908static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1909{
1910 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1911 struct l2cap_ctrl *control;
1912 int sent = 0;
1913
1914 BT_DBG("chan %p", chan);
1c2acffb 1915
89bc500e 1916 if (chan->state != BT_CONNECTED)
c13ffa62 1917 return -ENOTCONN;
e90bac06 1918
94122bbe
MM		 1919 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1920 return 0;
1921
b99e13ad
MM		 1922 if (__chan_is_moving(chan))
1923 return 0;
1924
18a48e76
MM		 1925 while (chan->tx_send_head &&
1926 chan->unacked_frames < chan->remote_tx_win &&
1927 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1928
18a48e76 1929 skb = chan->tx_send_head;
e90bac06 1930
18a48e76
MM		 1931 bt_cb(skb)->control.retries = 1;
1932 control = &bt_cb(skb)->control;
95ffa978 1933
e2ab4353 1934 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1935 control->final = 1;
e2ab4353 1936
18a48e76
MM		 1937 control->reqseq = chan->buffer_seq;
1938 chan->last_acked_seq = chan->buffer_seq;
1939 control->txseq = chan->next_tx_seq;
1c2acffb 1940
18a48e76 1941 __pack_control(chan, control, skb);
e90bac06 1942
47d1ec61 1943 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1944 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1945 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1946 }
1947
18a48e76
MM		 1948 /* Clone after data has been modified. Data is assumed to be
1949 read-only (for locking purposes) on cloned sk_buffs.
1950 */
1951 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1952
18a48e76
MM		 1953 if (!tx_skb)
1954 break;
1c2acffb 1955
18a48e76 1956 __set_retrans_timer(chan);
836be934
AE		 1957
1958 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1959 chan->unacked_frames++;
6a026610 1960 chan->frames_sent++;
18a48e76 1961 sent++;
1c2acffb 1962
58d35f87
GP		 1963 if (skb_queue_is_last(&chan->tx_q, skb))
1964 chan->tx_send_head = NULL;
1c2acffb 1965 else
58d35f87 1966 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1967
1968 l2cap_do_send(chan, tx_skb);
b4400672 1969 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1970 }
1971
b4400672
AE		 1972 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1973 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1974
1975 return sent;
9e917af1
GP		 1976}
1977
e1fbd4c1
MM		 1978static void l2cap_ertm_resend(struct l2cap_chan *chan)
1979{
1980 struct l2cap_ctrl control;
1981 struct sk_buff *skb;
1982 struct sk_buff *tx_skb;
1983 u16 seq;
1984
1985 BT_DBG("chan %p", chan);
1986
1987 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1988 return;
1989
b99e13ad
MM		 1990 if (__chan_is_moving(chan))
1991 return;
1992
e1fbd4c1
MM		 1993 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1994 seq = l2cap_seq_list_pop(&chan->retrans_list);
1995
1996 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1997 if (!skb) {
1998 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1999 seq);
e1fbd4c1
MM		 2000 continue;
2001 }
2002
2003 bt_cb(skb)->control.retries++;
2004 control = bt_cb(skb)->control;
2005
2006 if (chan->max_tx != 0 &&
2007 bt_cb(skb)->control.retries > chan->max_tx) {
2008 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2009 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2010 l2cap_seq_list_clear(&chan->retrans_list);
2011 break;
2012 }
2013
2014 control.reqseq = chan->buffer_seq;
2015 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2016 control.final = 1;
2017 else
2018 control.final = 0;
2019
2020 if (skb_cloned(skb)) {
2021 /* Cloned sk_buffs are read-only, so we need a
2022 * writeable copy
2023 */
8bcde1f2 2024 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2025 } else {
8bcde1f2 2026 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2027 }
2028
2029 if (!tx_skb) {
2030 l2cap_seq_list_clear(&chan->retrans_list);
2031 break;
2032 }
2033
2034 /* Update skb contents */
2035 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2036 put_unaligned_le32(__pack_extended_control(&control),
2037 tx_skb->data + L2CAP_HDR_SIZE);
2038 } else {
2039 put_unaligned_le16(__pack_enhanced_control(&control),
2040 tx_skb->data + L2CAP_HDR_SIZE);
2041 }
2042
2043 if (chan->fcs == L2CAP_FCS_CRC16) {
2044 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2045 put_unaligned_le16(fcs, skb_put(tx_skb,
2046 L2CAP_FCS_SIZE));
2047 }
2048
2049 l2cap_do_send(chan, tx_skb);
2050
2051 BT_DBG("Resent txseq %d", control.txseq);
2052
2053 chan->last_acked_seq = chan->buffer_seq;
2054 }
2055}
2056
f80842a8
MM		 2057static void l2cap_retransmit(struct l2cap_chan *chan,
2058 struct l2cap_ctrl *control)
2059{
2060 BT_DBG("chan %p, control %p", chan, control);
2061
2062 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2063 l2cap_ertm_resend(chan);
2064}
2065
d2a7ac5d
MM		 2066static void l2cap_retransmit_all(struct l2cap_chan *chan,
2067 struct l2cap_ctrl *control)
2068{
e1fbd4c1
MM		 2069 struct sk_buff *skb;
2070
2071 BT_DBG("chan %p, control %p", chan, control);
2072
2073 if (control->poll)
2074 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2075
2076 l2cap_seq_list_clear(&chan->retrans_list);
2077
2078 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2079 return;
2080
2081 if (chan->unacked_frames) {
2082 skb_queue_walk(&chan->tx_q, skb) {
2083 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2084 skb == chan->tx_send_head)
e1fbd4c1
MM		 2085 break;
2086 }
2087
2088 skb_queue_walk_from(&chan->tx_q, skb) {
2089 if (skb == chan->tx_send_head)
2090 break;
2091
2092 l2cap_seq_list_append(&chan->retrans_list,
2093 bt_cb(skb)->control.txseq);
2094 }
2095
2096 l2cap_ertm_resend(chan);
2097 }
d2a7ac5d
MM		 2098}
2099
0a0aba42 2100static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2101{
0a0aba42
MM		 2102 struct l2cap_ctrl control;
2103 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2104 chan->last_acked_seq);
2105 int threshold;
9e917af1 2106
0a0aba42
MM		 2107 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2108 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2109
0a0aba42
MM		 2110 memset(&control, 0, sizeof(control));
2111 control.sframe = 1;
dfc909be 2112
0a0aba42
MM		 2113 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2114 chan->rx_state == L2CAP_RX_STATE_RECV) {
2115 __clear_ack_timer(chan);
2116 control.super = L2CAP_SUPER_RNR;
2117 control.reqseq = chan->buffer_seq;
2118 l2cap_send_sframe(chan, &control);
2119 } else {
2120 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2121 l2cap_ertm_send(chan);
2122 /* If any i-frames were sent, they included an ack */
2123 if (chan->buffer_seq == chan->last_acked_seq)
2124 frames_to_ack = 0;
2125 }
dfc909be 2126
c20f8e35 2127 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2128 * Calculate without mul or div
2129 */
c20f8e35 2130 threshold = chan->ack_win;
0a0aba42
MM		 2131 threshold += threshold << 1;
2132 threshold >>= 2;
2133
b4400672 2134 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2135 threshold);
2136
2137 if (frames_to_ack >= threshold) {
2138 __clear_ack_timer(chan);
2139 control.super = L2CAP_SUPER_RR;
2140 control.reqseq = chan->buffer_seq;
2141 l2cap_send_sframe(chan, &control);
2142 frames_to_ack = 0;
2143 }
1c2acffb 2144
0a0aba42
MM		 2145 if (frames_to_ack)
2146 __set_ack_timer(chan);
2147 }
b17e73bb
SJ		 2148}
2149
04124681
GP		 2150static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2151 struct msghdr *msg, int len,
2152 int count, struct sk_buff *skb)
1c2acffb 2153{
0952a57a 2154 struct l2cap_conn *conn = chan->conn;
1c2acffb 2155 struct sk_buff **frag;
90338947 2156 int sent = 0;
1da177e4 2157
0498878b
JR		 2158 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2159 msg->msg_iov, count))
1c2acffb 2160 return -EFAULT;
1da177e4
LT		 2161
2162 sent += count;
2163 len -= count;
2164
2165 /* Continuation fragments (no L2CAP header) */
2166 frag = &skb_shinfo(skb)->frag_list;
2167 while (len) {
fbe00700
GP		 2168 struct sk_buff *tmp;
2169
1da177e4
LT		 2170 count = min_t(unsigned int, conn->mtu, len);
2171
d9fbd02b 2172 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2173 msg->msg_flags & MSG_DONTWAIT);
2174 if (IS_ERR(tmp))
2175 return PTR_ERR(tmp);
2176
2177 *frag = tmp;
2f7719ce 2178
0498878b
JR		 2179 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2180 msg->msg_iov, count))
1c2acffb 2181 return -EFAULT;
1da177e4
LT		 2182
2183 sent += count;
2184 len -= count;
2185
2d0ed3d5
GP		 2186 skb->len += (*frag)->len;
2187 skb->data_len += (*frag)->len;
2188
1da177e4
LT		 2189 frag = &(*frag)->next;
2190 }
1da177e4
LT		 2191
2192 return sent;
1c2acffb 2193}
1da177e4 2194
5e59b791 2195static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2196 struct msghdr *msg, size_t len)
1c2acffb 2197{
8c1d787b 2198 struct l2cap_conn *conn = chan->conn;
1c2acffb 2199 struct sk_buff *skb;
03a51213 2200 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2201 struct l2cap_hdr *lh;
2202
8d46321c
MH		 2203 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2204 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2205
2206 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2207
d9fbd02b 2208 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2209 msg->msg_flags & MSG_DONTWAIT);
2210 if (IS_ERR(skb))
2211 return skb;
1c2acffb
GP		 2212
2213 /* Create L2CAP header */
2214 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2215 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2216 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2217 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2218
0952a57a 2219 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2220 if (unlikely(err < 0)) {
2221 kfree_skb(skb);
2222 return ERR_PTR(err);
2223 }
2224 return skb;
2225}
2226
5e59b791 2227static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2228 struct msghdr *msg, size_t len)
1c2acffb 2229{
8c1d787b 2230 struct l2cap_conn *conn = chan->conn;
1c2acffb 2231 struct sk_buff *skb;
f2ba7fae 2232 int err, count;
1c2acffb
GP		 2233 struct l2cap_hdr *lh;
2234
b4400672 2235 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2236
f2ba7fae 2237 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2238
d9fbd02b 2239 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2240 msg->msg_flags & MSG_DONTWAIT);
2241 if (IS_ERR(skb))
2242 return skb;
1c2acffb
GP		 2243
2244 /* Create L2CAP header */
2245 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2246 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2247 lh->len = cpu_to_le16(len);
1c2acffb 2248
0952a57a 2249 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2250 if (unlikely(err < 0)) {
2251 kfree_skb(skb);
2252 return ERR_PTR(err);
2253 }
2254 return skb;
2255}
2256
ab0ff76d 2257static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2258 struct msghdr *msg, size_t len,
2259 u16 sdulen)
1c2acffb 2260{
8c1d787b 2261 struct l2cap_conn *conn = chan->conn;
1c2acffb 2262 struct sk_buff *skb;
e4ca6d98 2263 int err, count, hlen;
1c2acffb
GP		 2264 struct l2cap_hdr *lh;
2265
b4400672 2266 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2267
0ee0d208
GP		 2268 if (!conn)
2269 return ERR_PTR(-ENOTCONN);
2270
ba7aa64f 2271 hlen = __ertm_hdr_size(chan);
e4ca6d98 2272
c74e560c 2273 if (sdulen)
03a51213 2274 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2275
47d1ec61 2276 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2277 hlen += L2CAP_FCS_SIZE;
fcc203c3 2278
1c2acffb 2279 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2280
d9fbd02b 2281 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2282 msg->msg_flags & MSG_DONTWAIT);
2283 if (IS_ERR(skb))
2284 return skb;
1c2acffb
GP		 2285
2286 /* Create L2CAP header */
2287 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2288 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2289 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2290
18a48e76
MM		 2291 /* Control header is populated later */
2292 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2293 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2294 else
2295 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2296
c74e560c 2297 if (sdulen)
03a51213 2298 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2299
0952a57a 2300 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2301 if (unlikely(err < 0)) {
2302 kfree_skb(skb);
2303 return ERR_PTR(err);
2304 }
e90bac06 2305
18a48e76 2306 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2307 bt_cb(skb)->control.retries = 0;
1c2acffb 2308 return skb;
1da177e4
LT		 2309}
2310
94122bbe
MM		 2311static int l2cap_segment_sdu(struct l2cap_chan *chan,
2312 struct sk_buff_head *seg_queue,
2313 struct msghdr *msg, size_t len)
c74e560c 2314{
c74e560c 2315 struct sk_buff *skb;
94122bbe
MM		 2316 u16 sdu_len;
2317 size_t pdu_len;
94122bbe 2318 u8 sar;
c74e560c 2319
b4400672 2320 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2321
94122bbe
MM		 2322 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2323 * so fragmented skbs are not used. The HCI layer's handling
2324 * of fragmented skbs is not compatible with ERTM's queueing.
2325 */
c74e560c 2326
94122bbe
MM		 2327 /* PDU size is derived from the HCI MTU */
2328 pdu_len = chan->conn->mtu;
c74e560c 2329
a549574d
MM		 2330 /* Constrain PDU size for BR/EDR connections */
2331 if (!chan->hs_hcon)
2332 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2333
2334 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2335 if (chan->fcs)
2336 pdu_len -= L2CAP_FCS_SIZE;
2337
ba7aa64f 2338 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2339
2340 /* Remote device may have requested smaller PDUs */
2341 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2342
2343 if (len <= pdu_len) {
2344 sar = L2CAP_SAR_UNSEGMENTED;
2345 sdu_len = 0;
2346 pdu_len = len;
2347 } else {
2348 sar = L2CAP_SAR_START;
2349 sdu_len = len;
2350 pdu_len -= L2CAP_SDULEN_SIZE;
2351 }
2352
2353 while (len > 0) {
2354 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2355
c74e560c 2356 if (IS_ERR(skb)) {
94122bbe 2357 __skb_queue_purge(seg_queue);
c74e560c
GP		 2358 return PTR_ERR(skb);
2359 }
2360
94122bbe
MM		 2361 bt_cb(skb)->control.sar = sar;
2362 __skb_queue_tail(seg_queue, skb);
2363
2364 len -= pdu_len;
2365 if (sdu_len) {
2366 sdu_len = 0;
2367 pdu_len += L2CAP_SDULEN_SIZE;
2368 }
2369
2370 if (len <= pdu_len) {
2371 sar = L2CAP_SAR_END;
2372 pdu_len = len;
2373 } else {
2374 sar = L2CAP_SAR_CONTINUE;
2375 }
c74e560c 2376 }
c74e560c 2377
f0f62799 2378 return 0;
c74e560c
GP		 2379}
2380
177f8f2b
JH		 2381static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2382 struct msghdr *msg,
2383 size_t len, u16 sdulen)
2384{
2385 struct l2cap_conn *conn = chan->conn;
2386 struct sk_buff *skb;
2387 int err, count, hlen;
2388 struct l2cap_hdr *lh;
2389
2390 BT_DBG("chan %p len %zu", chan, len);
2391
2392 if (!conn)
2393 return ERR_PTR(-ENOTCONN);
2394
2395 hlen = L2CAP_HDR_SIZE;
2396
2397 if (sdulen)
2398 hlen += L2CAP_SDULEN_SIZE;
2399
2400 count = min_t(unsigned int, (conn->mtu - hlen), len);
2401
d9fbd02b 2402 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2403 msg->msg_flags & MSG_DONTWAIT);
2404 if (IS_ERR(skb))
2405 return skb;
2406
2407 /* Create L2CAP header */
2408 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2409 lh->cid = cpu_to_le16(chan->dcid);
2410 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2411
2412 if (sdulen)
2413 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2414
2415 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2416 if (unlikely(err < 0)) {
2417 kfree_skb(skb);
2418 return ERR_PTR(err);
2419 }
2420
2421 return skb;
2422}
2423
2424static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2425 struct sk_buff_head *seg_queue,
2426 struct msghdr *msg, size_t len)
2427{
2428 struct sk_buff *skb;
2429 size_t pdu_len;
2430 u16 sdu_len;
2431
2432 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2433
2434 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2435
2436 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2437
2438 sdu_len = len;
2439 pdu_len -= L2CAP_SDULEN_SIZE;
2440
2441 while (len > 0) {
2442 if (len <= pdu_len)
2443 pdu_len = len;
2444
2445 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2446 if (IS_ERR(skb)) {
2447 __skb_queue_purge(seg_queue);
2448 return PTR_ERR(skb);
2449 }
2450
2451 __skb_queue_tail(seg_queue, skb);
2452
2453 len -= pdu_len;
2454
2455 if (sdu_len) {
2456 sdu_len = 0;
2457 pdu_len += L2CAP_SDULEN_SIZE;
2458 }
2459 }
2460
2461 return 0;
2462}
2463
8d46321c 2464int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2465{
9a91a04a 2466 struct sk_buff *skb;
9a91a04a 2467 int err;
94122bbe 2468 struct sk_buff_head seg_queue;
9a91a04a 2469
31e8ce80
SWK		 2470 if (!chan->conn)
2471 return -ENOTCONN;
2472
9a91a04a 2473 /* Connectionless channel */
715ec005 2474 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2475 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2476 if (IS_ERR(skb))
2477 return PTR_ERR(skb);
2478
ede81a2a
AK		 2479 /* Channel lock is released before requesting new skb and then
2480 * reacquired thus we need to recheck channel state.
2481 */
2482 if (chan->state != BT_CONNECTED) {
2483 kfree_skb(skb);
2484 return -ENOTCONN;
2485 }
2486
9a91a04a
GP		 2487 l2cap_do_send(chan, skb);
2488 return len;
2489 }
2490
2491 switch (chan->mode) {
38319713 2492 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2493 /* Check outgoing MTU */
2494 if (len > chan->omtu)
2495 return -EMSGSIZE;
2496
fad5fc89
JH		 2497 if (!chan->tx_credits)
2498 return -EAGAIN;
2499
177f8f2b
JH		 2500 __skb_queue_head_init(&seg_queue);
2501
2502 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2503
2504 if (chan->state != BT_CONNECTED) {
2505 __skb_queue_purge(&seg_queue);
2506 err = -ENOTCONN;
2507 }
2508
2509 if (err)
2510 return err;
2511
2512 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2513
2514 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2515 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2516 chan->tx_credits--;
2517 }
2518
2519 if (!chan->tx_credits)
2520 chan->ops->suspend(chan);
2521
2522 err = len;
2523
2524 break;
2525
fad5fc89 2526 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2527 /* Check outgoing MTU */
2528 if (len > chan->omtu)
2529 return -EMSGSIZE;
2530
2531 /* Create a basic PDU */
8d46321c 2532 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2533 if (IS_ERR(skb))
2534 return PTR_ERR(skb);
2535
ede81a2a
AK		 2536 /* Channel lock is released before requesting new skb and then
2537 * reacquired thus we need to recheck channel state.
2538 */
2539 if (chan->state != BT_CONNECTED) {
2540 kfree_skb(skb);
2541 return -ENOTCONN;
2542 }
2543
9a91a04a
GP		 2544 l2cap_do_send(chan, skb);
2545 err = len;
2546 break;
2547
2548 case L2CAP_MODE_ERTM:
2549 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2550 /* Check outgoing MTU */
2551 if (len > chan->omtu) {
2552 err = -EMSGSIZE;
2553 break;
2554 }
9a91a04a 2555
94122bbe 2556 __skb_queue_head_init(&seg_queue);
9a91a04a 2557
94122bbe
MM		 2558 /* Do segmentation before calling in to the state machine,
2559 * since it's possible to block while waiting for memory
2560 * allocation.
2561 */
2562 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2563
94122bbe
MM		 2564 /* The channel could have been closed while segmenting,
2565 * check that it is still connected.
2566 */
2567 if (chan->state != BT_CONNECTED) {
2568 __skb_queue_purge(&seg_queue);
2569 err = -ENOTCONN;
9a91a04a
GP		 2570 }
2571
94122bbe 2572 if (err)
9a91a04a 2573 break;
9a91a04a 2574
3733937d 2575 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2576 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2577 else
d660366d 2578 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2579
d660366d 2580 err = len;
9a91a04a 2581
94122bbe
MM		 2582 /* If the skbs were not queued for sending, they'll still be in
2583 * seg_queue and need to be purged.
2584 */
2585 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2586 break;
2587
2588 default:
2589 BT_DBG("bad state %1.1x", chan->mode);
2590 err = -EBADFD;
2591 }
2592
2593 return err;
2594}
6b8d4a6a 2595EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2596
d2a7ac5d
MM		 2597static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2598{
bed68bde
MM		 2599 struct l2cap_ctrl control;
2600 u16 seq;
2601
b4400672 2602 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2603
2604 memset(&control, 0, sizeof(control));
2605 control.sframe = 1;
2606 control.super = L2CAP_SUPER_SREJ;
2607
2608 for (seq = chan->expected_tx_seq; seq != txseq;
2609 seq = __next_seq(chan, seq)) {
2610 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2611 control.reqseq = seq;
2612 l2cap_send_sframe(chan, &control);
2613 l2cap_seq_list_append(&chan->srej_list, seq);
2614 }
2615 }
2616
2617 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2618}
2619
2620static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2621{
bed68bde
MM		 2622 struct l2cap_ctrl control;
2623
2624 BT_DBG("chan %p", chan);
2625
2626 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2627 return;
2628
2629 memset(&control, 0, sizeof(control));
2630 control.sframe = 1;
2631 control.super = L2CAP_SUPER_SREJ;
2632 control.reqseq = chan->srej_list.tail;
2633 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2634}
2635
2636static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2637{
bed68bde
MM		 2638 struct l2cap_ctrl control;
2639 u16 initial_head;
2640 u16 seq;
2641
b4400672 2642 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2643
2644 memset(&control, 0, sizeof(control));
2645 control.sframe = 1;
2646 control.super = L2CAP_SUPER_SREJ;
2647
2648 /* Capture initial list head to allow only one pass through the list. */
2649 initial_head = chan->srej_list.head;
2650
2651 do {
2652 seq = l2cap_seq_list_pop(&chan->srej_list);
2653 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2654 break;
2655
2656 control.reqseq = seq;
2657 l2cap_send_sframe(chan, &control);
2658 l2cap_seq_list_append(&chan->srej_list, seq);
2659 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2660}
2661
608bcc6d
MM		 2662static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2663{
2664 struct sk_buff *acked_skb;
2665 u16 ackseq;
2666
b4400672 2667 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2668
2669 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2670 return;
2671
b4400672 2672 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2673 chan->expected_ack_seq, chan->unacked_frames);
2674
2675 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2676 ackseq = __next_seq(chan, ackseq)) {
2677
2678 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2679 if (acked_skb) {
2680 skb_unlink(acked_skb, &chan->tx_q);
2681 kfree_skb(acked_skb);
2682 chan->unacked_frames--;
2683 }
2684 }
2685
2686 chan->expected_ack_seq = reqseq;
2687
2688 if (chan->unacked_frames == 0)
2689 __clear_retrans_timer(chan);
2690
b4400672 2691 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2692}
2693
2694static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2695{
2696 BT_DBG("chan %p", chan);
2697
2698 chan->expected_tx_seq = chan->buffer_seq;
2699 l2cap_seq_list_clear(&chan->srej_list);
2700 skb_queue_purge(&chan->srej_q);
2701 chan->rx_state = L2CAP_RX_STATE_RECV;
2702}
2703
d660366d
GP		 2704static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2705 struct l2cap_ctrl *control,
2706 struct sk_buff_head *skbs, u8 event)
608bcc6d 2707{
608bcc6d
MM		 2708 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2709 event);
2710
2711 switch (event) {
2712 case L2CAP_EV_DATA_REQUEST:
2713 if (chan->tx_send_head == NULL)
2714 chan->tx_send_head = skb_peek(skbs);
2715
2716 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2717 l2cap_ertm_send(chan);
2718 break;
2719 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2720 BT_DBG("Enter LOCAL_BUSY");
2721 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2722
2723 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2724 /* The SREJ_SENT state must be aborted if we are to
2725 * enter the LOCAL_BUSY state.
2726 */
2727 l2cap_abort_rx_srej_sent(chan);
2728 }
2729
2730 l2cap_send_ack(chan);
2731
2732 break;
2733 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2734 BT_DBG("Exit LOCAL_BUSY");
2735 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2736
2737 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2738 struct l2cap_ctrl local_control;
2739
2740 memset(&local_control, 0, sizeof(local_control));
2741 local_control.sframe = 1;
2742 local_control.super = L2CAP_SUPER_RR;
2743 local_control.poll = 1;
2744 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2745 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2746
2747 chan->retry_count = 1;
2748 __set_monitor_timer(chan);
2749 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2750 }
2751 break;
2752 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2753 l2cap_process_reqseq(chan, control->reqseq);
2754 break;
2755 case L2CAP_EV_EXPLICIT_POLL:
2756 l2cap_send_rr_or_rnr(chan, 1);
2757 chan->retry_count = 1;
2758 __set_monitor_timer(chan);
2759 __clear_ack_timer(chan);
2760 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2761 break;
2762 case L2CAP_EV_RETRANS_TO:
2763 l2cap_send_rr_or_rnr(chan, 1);
2764 chan->retry_count = 1;
2765 __set_monitor_timer(chan);
2766 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2767 break;
2768 case L2CAP_EV_RECV_FBIT:
2769 /* Nothing to process */
2770 break;
2771 default:
2772 break;
2773 }
608bcc6d
MM		 2774}
2775
d660366d
GP		 2776static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2777 struct l2cap_ctrl *control,
2778 struct sk_buff_head *skbs, u8 event)
608bcc6d 2779{
608bcc6d
MM		 2780 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2781 event);
2782
2783 switch (event) {
2784 case L2CAP_EV_DATA_REQUEST:
2785 if (chan->tx_send_head == NULL)
2786 chan->tx_send_head = skb_peek(skbs);
2787 /* Queue data, but don't send. */
2788 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2789 break;
2790 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2791 BT_DBG("Enter LOCAL_BUSY");
2792 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2793
2794 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2795 /* The SREJ_SENT state must be aborted if we are to
2796 * enter the LOCAL_BUSY state.
2797 */
2798 l2cap_abort_rx_srej_sent(chan);
2799 }
2800
2801 l2cap_send_ack(chan);
2802
2803 break;
2804 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2805 BT_DBG("Exit LOCAL_BUSY");
2806 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2807
2808 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2809 struct l2cap_ctrl local_control;
2810 memset(&local_control, 0, sizeof(local_control));
2811 local_control.sframe = 1;
2812 local_control.super = L2CAP_SUPER_RR;
2813 local_control.poll = 1;
2814 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2815 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2816
2817 chan->retry_count = 1;
2818 __set_monitor_timer(chan);
2819 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2820 }
2821 break;
2822 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2823 l2cap_process_reqseq(chan, control->reqseq);
2824
2825 /* Fall through */
2826
2827 case L2CAP_EV_RECV_FBIT:
2828 if (control && control->final) {
2829 __clear_monitor_timer(chan);
2830 if (chan->unacked_frames > 0)
2831 __set_retrans_timer(chan);
2832 chan->retry_count = 0;
2833 chan->tx_state = L2CAP_TX_STATE_XMIT;
2834 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2835 }
2836 break;
2837 case L2CAP_EV_EXPLICIT_POLL:
2838 /* Ignore */
2839 break;
2840 case L2CAP_EV_MONITOR_TO:
2841 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2842 l2cap_send_rr_or_rnr(chan, 1);
2843 __set_monitor_timer(chan);
2844 chan->retry_count++;
2845 } else {
5e4e3972 2846 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2847 }
2848 break;
2849 default:
2850 break;
2851 }
608bcc6d
MM		 2852}
2853
d660366d
GP		 2854static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2855 struct sk_buff_head *skbs, u8 event)
608bcc6d 2856{
608bcc6d
MM		 2857 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2858 chan, control, skbs, event, chan->tx_state);
2859
2860 switch (chan->tx_state) {
2861 case L2CAP_TX_STATE_XMIT:
d660366d 2862 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2863 break;
2864 case L2CAP_TX_STATE_WAIT_F:
d660366d 2865 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2866 break;
2867 default:
2868 /* Ignore event */
2869 break;
2870 }
608bcc6d
MM		 2871}
2872
4b51dae9
MM		 2873static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2874 struct l2cap_ctrl *control)
2875{
2876 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2877 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2878}
2879
f80842a8
MM		 2880static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2881 struct l2cap_ctrl *control)
2882{
2883 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2884 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2885}
2886
1da177e4
LT		 2887/* Copy frame to all raw sockets on that connection */
2888static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2889{
1da177e4 2890 struct sk_buff *nskb;
48454079 2891 struct l2cap_chan *chan;
1da177e4
LT		 2892
2893 BT_DBG("conn %p", conn);
2894
3df91ea2 2895 mutex_lock(&conn->chan_lock);
3d57dc68 2896
3df91ea2 2897 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2898 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2899 continue;
2900
7f5396a7
GP		 2901 /* Don't send frame to the channel it came from */
2902 if (bt_cb(skb)->chan == chan)
1da177e4 2903 continue;
7f5396a7 2904
8bcde1f2 2905 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2906 if (!nskb)
1da177e4 2907 continue;
80b98027 2908 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2909 kfree_skb(nskb);
2910 }
3d57dc68 2911
3df91ea2 2912 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2913}
2914
2915/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2916static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2917 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2918{
2919 struct sk_buff *skb, **frag;
2920 struct l2cap_cmd_hdr *cmd;
2921 struct l2cap_hdr *lh;
2922 int len, count;
2923
b4400672
AE		 2924 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2925 conn, code, ident, dlen);
1da177e4 2926
300b962e
AL		 2927 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2928 return NULL;
2929
1da177e4
LT		 2930 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2931 count = min_t(unsigned int, conn->mtu, len);
2932
8bcde1f2 2933 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2934 if (!skb)
2935 return NULL;
2936
2937 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2938 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2939
2940 if (conn->hcon->type == LE_LINK)
dcf4adbf 2941 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2942 else
dcf4adbf 2943 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2944
2945 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2946 cmd->code = code;
2947 cmd->ident = ident;
aca3192c 2948 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2949
2950 if (dlen) {
2951 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2952 memcpy(skb_put(skb, count), data, count);
2953 data += count;
2954 }
2955
2956 len -= skb->len;
2957
2958 /* Continuation fragments (no L2CAP header) */
2959 frag = &skb_shinfo(skb)->frag_list;
2960 while (len) {
2961 count = min_t(unsigned int, conn->mtu, len);
2962
8bcde1f2 2963 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2964 if (!*frag)
2965 goto fail;
2966
2967 memcpy(skb_put(*frag, count), data, count);
2968
2969 len -= count;
2970 data += count;
2971
2972 frag = &(*frag)->next;
2973 }
2974
2975 return skb;
2976
2977fail:
2978 kfree_skb(skb);
2979 return NULL;
2980}
2981
2d792818
GP		 2982static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2983 unsigned long *val)
1da177e4
LT		 2984{
2985 struct l2cap_conf_opt *opt = *ptr;
2986 int len;
2987
2988 len = L2CAP_CONF_OPT_SIZE + opt->len;
2989 *ptr += len;
2990
2991 *type = opt->type;
2992 *olen = opt->len;
2993
2994 switch (opt->len) {
2995 case 1:
2996 *val = *((u8 *) opt->val);
2997 break;
2998
2999 case 2:
bfaaeb3e 3000 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 3001 break;
3002
3003 case 4:
bfaaeb3e 3004 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 3005 break;
3006
3007 default:
3008 *val = (unsigned long) opt->val;
3009 break;
3010 }
3011
b4400672 3012 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 3013 return len;
3014}
3015
1da177e4
LT		 3016static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
3017{
3018 struct l2cap_conf_opt *opt = *ptr;
3019
b4400672 3020 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 3021
3022 opt->type = type;
3023 opt->len = len;
3024
3025 switch (len) {
3026 case 1:
3027 *((u8 *) opt->val) = val;
3028 break;
3029
3030 case 2:
4f8b691c 3031 put_unaligned_le16(val, opt->val);
1da177e4
LT		 3032 break;
3033
3034 case 4:
4f8b691c 3035 put_unaligned_le32(val, opt->val);
1da177e4
LT		 3036 break;
3037
3038 default:
3039 memcpy(opt->val, (void *) val, len);
3040 break;
3041 }
3042
3043 *ptr += L2CAP_CONF_OPT_SIZE + len;
3044}
3045
f89cef09
AE		 3046static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3047{
3048 struct l2cap_conf_efs efs;
3049
1ec918ce 3050 switch (chan->mode) {
f89cef09
AE		 3051 case L2CAP_MODE_ERTM:
3052 efs.id = chan->local_id;
3053 efs.stype = chan->local_stype;
3054 efs.msdu = cpu_to_le16(chan->local_msdu);
3055 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 3056 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3057 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3058 break;
3059
3060 case L2CAP_MODE_STREAMING:
3061 efs.id = 1;
3062 efs.stype = L2CAP_SERV_BESTEFFORT;
3063 efs.msdu = cpu_to_le16(chan->local_msdu);
3064 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3065 efs.acc_lat = 0;
3066 efs.flush_to = 0;
3067 break;
3068
3069 default:
3070 return;
3071 }
3072
3073 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3074 (unsigned long) &efs);
f89cef09
AE		 3075}
3076
721c4181 3077static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3078{
721c4181 3079 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3080 ack_timer.work);
3081 u16 frames_to_ack;
c1b4f43b 3082
2fb9b3d4
GP		 3083 BT_DBG("chan %p", chan);
3084
6be36555
AE		 3085 l2cap_chan_lock(chan);
3086
0362520b
MM		 3087 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3088 chan->last_acked_seq);
6be36555 3089
0362520b
MM		 3090 if (frames_to_ack)
3091 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3092
0362520b 3093 l2cap_chan_unlock(chan);
09bfb2ee 3094 l2cap_chan_put(chan);
c1b4f43b
GP		 3095}
3096
466f8004 3097int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3098{
3c588192
MM		 3099 int err;
3100
105bdf9e
MM		 3101 chan->next_tx_seq = 0;
3102 chan->expected_tx_seq = 0;
42e5c802 3103 chan->expected_ack_seq = 0;
6a026610 3104 chan->unacked_frames = 0;
42e5c802 3105 chan->buffer_seq = 0;
6a026610 3106 chan->frames_sent = 0;
105bdf9e
MM		 3107 chan->last_acked_seq = 0;
3108 chan->sdu = NULL;
3109 chan->sdu_last_frag = NULL;
3110 chan->sdu_len = 0;
3111
d34c34fb
MM		 3112 skb_queue_head_init(&chan->tx_q);
3113
6ed971ca
MH		 3114 chan->local_amp_id = AMP_ID_BREDR;
3115 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3116 chan->move_state = L2CAP_MOVE_STABLE;
3117 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3118
105bdf9e
MM		 3119 if (chan->mode != L2CAP_MODE_ERTM)
3120 return 0;
3121
3122 chan->rx_state = L2CAP_RX_STATE_RECV;
3123 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3124
721c4181
GP		 3125 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3126 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3127 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3128
f1c6775b 3129 skb_queue_head_init(&chan->srej_q);
1890d36b 3130
3c588192
MM		 3131 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3132 if (err < 0)
3133 return err;
3134
9dc9affc
MM		 3135 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3136 if (err < 0)
3137 l2cap_seq_list_free(&chan->srej_list);
3138
3139 return err;
0565c1c2
GP		 3140}
3141
f2fcfcd6
GP		 3142static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3143{
3144 switch (mode) {
3145 case L2CAP_MODE_STREAMING:
3146 case L2CAP_MODE_ERTM:
3147 if (l2cap_mode_supported(mode, remote_feat_mask))
3148 return mode;
3149 /* fall through */
3150 default:
3151 return L2CAP_MODE_BASIC;
3152 }
3153}
3154
848566b3 3155static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3156{
848566b3 3157 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3158}
3159
848566b3 3160static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3161{
848566b3 3162 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3163}
3164
36c86c85
MM		 3165static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3166 struct l2cap_conf_rfc *rfc)
3167{
6ed971ca 3168 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3169 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3170
3171 /* Class 1 devices have must have ERTM timeouts
3172 * exceeding the Link Supervision Timeout. The
3173 * default Link Supervision Timeout for AMP
3174 * controllers is 10 seconds.
3175 *
3176 * Class 1 devices use 0xffffffff for their
3177 * best-effort flush timeout, so the clamping logic
3178 * will result in a timeout that meets the above
3179 * requirement. ERTM timeouts are 16-bit values, so
3180 * the maximum timeout is 65.535 seconds.
3181 */
3182
3183 /* Convert timeout to milliseconds and round */
3184 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3185
3186 /* This is the recommended formula for class 2 devices
3187 * that start ERTM timers when packets are sent to the
3188 * controller.
3189 */
3190 ertm_to = 3 * ertm_to + 500;
3191
3192 if (ertm_to > 0xffff)
3193 ertm_to = 0xffff;
3194
3195 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3196 rfc->monitor_timeout = rfc->retrans_timeout;
3197 } else {
dcf4adbf
JP		 3198 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3199 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3200 }
3201}
3202
6327eb98
AE		 3203static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3204{
3205 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3206 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3207 /* use extended control field */
3208 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3209 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3210 } else {
6327eb98 3211 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3212 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3213 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3214 }
c20f8e35 3215 chan->ack_win = chan->tx_win;
6327eb98
AE		 3216}
3217
710f9b0a 3218static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3219{
1da177e4 3220 struct l2cap_conf_req *req = data;
0c1bc5c6 3221 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3222 void *ptr = req->data;
c8f79162 3223 u16 size;
1da177e4 3224
49208c9c 3225 BT_DBG("chan %p", chan);
1da177e4 3226
73ffa904 3227 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3228 goto done;
3229
0c1bc5c6 3230 switch (chan->mode) {
f2fcfcd6
GP		 3231 case L2CAP_MODE_STREAMING:
3232 case L2CAP_MODE_ERTM:
c1360a1c 3233 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3234 break;
85eb53c6 3235
848566b3 3236 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3237 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3238
2ba13ed6 3239 /* fall through */
f2fcfcd6 3240 default:
8c1d787b 3241 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3242 break;
3243 }
3244
3245done:
0c1bc5c6
GP		 3246 if (chan->imtu != L2CAP_DEFAULT_MTU)
3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3248
0c1bc5c6 3249 switch (chan->mode) {
65c7c491 3250 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3251 if (disable_ertm)
3252 break;
3253
8c1d787b 3254 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3255 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3256 break;
3257
62547752
GP		 3258 rfc.mode = L2CAP_MODE_BASIC;
3259 rfc.txwin_size = 0;
3260 rfc.max_transmit = 0;
3261 rfc.retrans_timeout = 0;
3262 rfc.monitor_timeout = 0;
3263 rfc.max_pdu_size = 0;
3264
63406504 3265 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3266 (unsigned long) &rfc);
65c7c491
MH		 3267 break;
3268
3269 case L2CAP_MODE_ERTM:
3270 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3271 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3272
3273 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3274
3275 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3276 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3277 L2CAP_FCS_SIZE);
c8f79162 3278 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3279
6327eb98
AE		 3280 l2cap_txwin_setup(chan);
3281
3282 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3283 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3284
63406504 3285 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3286 (unsigned long) &rfc);
63406504 3287
f89cef09
AE		 3288 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3289 l2cap_add_opt_efs(&ptr, chan);
3290
6327eb98
AE		 3291 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3292 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3293 chan->tx_win);
60918918
AE		 3294
3295 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3296 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3297 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3298 chan->fcs = L2CAP_FCS_NONE;
3299 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3300 chan->fcs);
3301 }
f2fcfcd6
GP		 3302 break;
3303
3304 case L2CAP_MODE_STREAMING:
273759e2 3305 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3306 rfc.mode = L2CAP_MODE_STREAMING;
3307 rfc.txwin_size = 0;
3308 rfc.max_transmit = 0;
3309 rfc.retrans_timeout = 0;
3310 rfc.monitor_timeout = 0;
c8f79162
AE		 3311
3312 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3313 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3314 L2CAP_FCS_SIZE);
c8f79162 3315 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3316
63406504 3317 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3318 (unsigned long) &rfc);
63406504 3319
f89cef09
AE		 3320 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3321 l2cap_add_opt_efs(&ptr, chan);
3322
60918918
AE		 3323 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3324 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3325 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3326 chan->fcs = L2CAP_FCS_NONE;
3327 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3328 chan->fcs);
3329 }
65c7c491
MH		 3330 break;
3331 }
1da177e4 3332
fe4128e0 3333 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3334 req->flags = cpu_to_le16(0);
1da177e4
LT		 3335
3336 return ptr - data;
3337}
3338
73ffa904 3339static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3340{
5dee9e7c
MH		 3341 struct l2cap_conf_rsp *rsp = data;
3342 void *ptr = rsp->data;
73ffa904
GP		 3343 void *req = chan->conf_req;
3344 int len = chan->conf_len;
5dee9e7c
MH		 3345 int type, hint, olen;
3346 unsigned long val;
6464f35f 3347 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3348 struct l2cap_conf_efs efs;
3349 u8 remote_efs = 0;
861d6882 3350 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3351 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3352 u16 size;
1da177e4 3353
73ffa904 3354 BT_DBG("chan %p", chan);
820ae1b8 3355
5dee9e7c
MH		 3356 while (len >= L2CAP_CONF_OPT_SIZE) {
3357 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3358
589d2746 3359 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3360 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3361
3362 switch (type) {
3363 case L2CAP_CONF_MTU:
861d6882 3364 mtu = val;
5dee9e7c
MH		 3365 break;
3366
3367 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3368 chan->flush_to = val;
5dee9e7c
MH		 3369 break;
3370
3371 case L2CAP_CONF_QOS:
3372 break;
3373
6464f35f
MH		 3374 case L2CAP_CONF_RFC:
3375 if (olen == sizeof(rfc))
3376 memcpy(&rfc, (void *) val, olen);
3377 break;
3378
fcc203c3
GP		 3379 case L2CAP_CONF_FCS:
3380 if (val == L2CAP_FCS_NONE)
f2592d3e 3381 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3382 break;
fcc203c3 3383
42dceae2
AE		 3384 case L2CAP_CONF_EFS:
3385 remote_efs = 1;
3386 if (olen == sizeof(efs))
3387 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3388 break;
3389
6327eb98 3390 case L2CAP_CONF_EWS:
848566b3 3391 if (!chan->conn->hs_enabled)
6327eb98 3392 return -ECONNREFUSED;
fcc203c3 3393
6327eb98
AE		 3394 set_bit(FLAG_EXT_CTRL, &chan->flags);
3395 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3396 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3397 chan->remote_tx_win = val;
fcc203c3
GP		 3398 break;
3399
5dee9e7c
MH		 3400 default:
3401 if (hint)
3402 break;
3403
3404 result = L2CAP_CONF_UNKNOWN;
3405 *((u8 *) ptr++) = type;
3406 break;
3407 }
3408 }
3409
73ffa904 3410 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3411 goto done;
3412
0c1bc5c6 3413 switch (chan->mode) {
f2fcfcd6
GP		 3414 case L2CAP_MODE_STREAMING:
3415 case L2CAP_MODE_ERTM:
c1360a1c 3416 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3417 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3418 chan->conn->feat_mask);
85eb53c6
GP		 3419 break;
3420 }
3421
42dceae2 3422 if (remote_efs) {
848566b3 3423 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3424 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3425 else
3426 return -ECONNREFUSED;
3427 }
3428
0c1bc5c6 3429 if (chan->mode != rfc.mode)
f2fcfcd6 3430 return -ECONNREFUSED;
742e519b 3431
f2fcfcd6 3432 break;
f2fcfcd6
GP		 3433 }
3434
3435done:
0c1bc5c6 3436 if (chan->mode != rfc.mode) {
f2fcfcd6 3437 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3438 rfc.mode = chan->mode;
f2fcfcd6 3439
73ffa904 3440 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3441 return -ECONNREFUSED;
3442
2d792818
GP		 3443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3444 (unsigned long) &rfc);
f2fcfcd6
GP		 3445 }
3446
5dee9e7c
MH		 3447 if (result == L2CAP_CONF_SUCCESS) {
3448 /* Configure output options and let the other side know
3449 * which ones we don't like. */
3450
f2fcfcd6
GP		 3451 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3452 result = L2CAP_CONF_UNACCEPT;
3453 else {
0c1bc5c6 3454 chan->omtu = mtu;
c1360a1c 3455 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3456 }
0c1bc5c6 3457 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3458
42dceae2
AE		 3459 if (remote_efs) {
3460 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3461 efs.stype != L2CAP_SERV_NOTRAFIC &&
3462 efs.stype != chan->local_stype) {
42dceae2
AE		 3463
3464 result = L2CAP_CONF_UNACCEPT;
3465
3466 if (chan->num_conf_req >= 1)
3467 return -ECONNREFUSED;
3468
3469 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3470 sizeof(efs),
3471 (unsigned long) &efs);
0e8b207e 3472 } else {
3e6b3b95 3473 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3474 result = L2CAP_CONF_PENDING;
3475 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3476 }
3477 }
3478
f2fcfcd6
GP		 3479 switch (rfc.mode) {
3480 case L2CAP_MODE_BASIC:
47d1ec61 3481 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3482 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3483 break;
3484
3485 case L2CAP_MODE_ERTM:
6327eb98
AE		 3486 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3487 chan->remote_tx_win = rfc.txwin_size;
3488 else
3489 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3490
2c03a7a4 3491 chan->remote_max_tx = rfc.max_transmit;
1c762159 3492
c8f79162 3493 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3494 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3495 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3496 rfc.max_pdu_size = cpu_to_le16(size);
3497 chan->remote_mps = size;
f2fcfcd6 3498
36c86c85 3499 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3500
c1360a1c 3501 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3502
3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3504 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3505
42dceae2
AE		 3506 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3507 chan->remote_id = efs.id;
3508 chan->remote_stype = efs.stype;
3509 chan->remote_msdu = le16_to_cpu(efs.msdu);
3510 chan->remote_flush_to =
2d792818 3511 le32_to_cpu(efs.flush_to);
42dceae2 3512 chan->remote_acc_lat =
2d792818 3513 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3514 chan->remote_sdu_itime =
3515 le32_to_cpu(efs.sdu_itime);
3516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3517 sizeof(efs),
3518 (unsigned long) &efs);
42dceae2 3519 }
f2fcfcd6
GP		 3520 break;
3521
3522 case L2CAP_MODE_STREAMING:
c8f79162 3523 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3524 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3525 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3526 rfc.max_pdu_size = cpu_to_le16(size);
3527 chan->remote_mps = size;
f2fcfcd6 3528
c1360a1c 3529 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3530
2d792818
GP		 3531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3532 (unsigned long) &rfc);
68ae6639 3533
f2fcfcd6
GP		 3534 break;
3535
3536 default:
5dee9e7c 3537 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3538
6464f35f 3539 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3540 rfc.mode = chan->mode;
f2fcfcd6 3541 }
6464f35f 3542
f2fcfcd6 3543 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3544 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3545 }
fe4128e0 3546 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3547 rsp->result = cpu_to_le16(result);
dcf4adbf 3548 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3549
3550 return ptr - data;
1da177e4
LT		 3551}
3552
2d792818
GP		 3553static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3554 void *data, u16 *result)
f2fcfcd6 3555{
f2fcfcd6
GP		 3556 struct l2cap_conf_req *req = data;
3557 void *ptr = req->data;
3558 int type, olen;
3559 unsigned long val;
36e999a8 3560 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3561 struct l2cap_conf_efs efs;
f2fcfcd6 3562
fe4128e0 3563 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3564
3565 while (len >= L2CAP_CONF_OPT_SIZE) {
3566 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3567
3568 switch (type) {
3569 case L2CAP_CONF_MTU:
3570 if (val < L2CAP_DEFAULT_MIN_MTU) {
3571 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3572 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3573 } else
0c1bc5c6
GP		 3574 chan->imtu = val;
3575 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3576 break;
3577
3578 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3579 chan->flush_to = val;
f2fcfcd6 3580 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3581 2, chan->flush_to);
f2fcfcd6
GP		 3582 break;
3583
3584 case L2CAP_CONF_RFC:
3585 if (olen == sizeof(rfc))
3586 memcpy(&rfc, (void *)val, olen);
3587
c1360a1c 3588 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3589 rfc.mode != chan->mode)
f2fcfcd6
GP		 3590 return -ECONNREFUSED;
3591
47d1ec61 3592 chan->fcs = 0;
f2fcfcd6
GP		 3593
3594 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3595 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3596 break;
6327eb98
AE		 3597
3598 case L2CAP_CONF_EWS:
c20f8e35 3599 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3600 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3601 chan->tx_win);
6327eb98 3602 break;
66af7aaf
AE		 3603
3604 case L2CAP_CONF_EFS:
3605 if (olen == sizeof(efs))
3606 memcpy(&efs, (void *)val, olen);
3607
3608 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3609 efs.stype != L2CAP_SERV_NOTRAFIC &&
3610 efs.stype != chan->local_stype)
66af7aaf
AE		 3611 return -ECONNREFUSED;
3612
2d792818
GP		 3613 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3614 (unsigned long) &efs);
66af7aaf 3615 break;
cbabee78
AE		 3616
3617 case L2CAP_CONF_FCS:
3618 if (*result == L2CAP_CONF_PENDING)
3619 if (val == L2CAP_FCS_NONE)
f2592d3e 3620 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3621 &chan->conf_state);
3622 break;
f2fcfcd6
GP		 3623 }
3624 }
3625
0c1bc5c6 3626 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3627 return -ECONNREFUSED;
3628
0c1bc5c6 3629 chan->mode = rfc.mode;
6c2ea7a8 3630
0e8b207e 3631 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3632 switch (rfc.mode) {
3633 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3634 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3635 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3636 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3637 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3638 chan->ack_win = min_t(u16, chan->ack_win,
3639 rfc.txwin_size);
66af7aaf
AE		 3640
3641 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3642 chan->local_msdu = le16_to_cpu(efs.msdu);
3643 chan->local_sdu_itime =
2d792818 3644 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3645 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3646 chan->local_flush_to =
2d792818 3647 le32_to_cpu(efs.flush_to);
66af7aaf 3648 }
f2fcfcd6 3649 break;
66af7aaf 3650
f2fcfcd6 3651 case L2CAP_MODE_STREAMING:
47d1ec61 3652 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3653 }
3654 }
3655
fe4128e0 3656 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3657 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3658
3659 return ptr - data;
3660}
3661
2d792818
GP		 3662static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3663 u16 result, u16 flags)
1da177e4
LT		 3664{
3665 struct l2cap_conf_rsp *rsp = data;
3666 void *ptr = rsp->data;
1da177e4 3667
fe4128e0 3668 BT_DBG("chan %p", chan);
1da177e4 3669
fe4128e0 3670 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3671 rsp->result = cpu_to_le16(result);
aca3192c 3672 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3673
3674 return ptr - data;
3675}
3676
27e2d4c8
JH		 3677void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3678{
3679 struct l2cap_le_conn_rsp rsp;
3680 struct l2cap_conn *conn = chan->conn;
3681
3682 BT_DBG("chan %p", chan);
3683
3684 rsp.dcid = cpu_to_le16(chan->scid);
3685 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3686 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3687 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3688 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3689
3690 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3691 &rsp);
3692}
3693
8c1d787b 3694void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3695{
3696 struct l2cap_conn_rsp rsp;
8c1d787b 3697 struct l2cap_conn *conn = chan->conn;
710f9b0a 3698 u8 buf[128];
439f34ac 3699 u8 rsp_code;
710f9b0a 3700
fe4128e0
GP		 3701 rsp.scid = cpu_to_le16(chan->dcid);
3702 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3703 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3704 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3705
3706 if (chan->hs_hcon)
3707 rsp_code = L2CAP_CREATE_CHAN_RSP;
3708 else
3709 rsp_code = L2CAP_CONN_RSP;
3710
3711 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3712
3713 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3714
c1360a1c 3715 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3716 return;
3717
710f9b0a 3718 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3719 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3720 chan->num_conf_req++;
3721}
3722
47d1ec61 3723static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3724{
7b1c0049
GP		 3725 int type, olen;
3726 unsigned long val;
c20f8e35
MM		 3727 /* Use sane default values in case a misbehaving remote device
3728 * did not send an RFC or extended window size option.
3729 */
3730 u16 txwin_ext = chan->ack_win;
3731 struct l2cap_conf_rfc rfc = {
3732 .mode = chan->mode,
dcf4adbf
JP		 3733 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3734 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3735 .max_pdu_size = cpu_to_le16(chan->imtu),
3736 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3737 };
7b1c0049 3738
47d1ec61 3739 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3740
0c1bc5c6 3741 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3742 return;
3743
3744 while (len >= L2CAP_CONF_OPT_SIZE) {
3745 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3746
c20f8e35
MM		 3747 switch (type) {
3748 case L2CAP_CONF_RFC:
3749 if (olen == sizeof(rfc))
3750 memcpy(&rfc, (void *)val, olen);
8f321f85 3751 break;
c20f8e35
MM		 3752 case L2CAP_CONF_EWS:
3753 txwin_ext = val;
3754 break;
3755 }
7b1c0049
GP		 3756 }
3757
7b1c0049
GP		 3758 switch (rfc.mode) {
3759 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3760 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3761 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3762 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3763 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3764 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3765 else
3766 chan->ack_win = min_t(u16, chan->ack_win,
3767 rfc.txwin_size);
7b1c0049
GP		 3768 break;
3769 case L2CAP_MODE_STREAMING:
47d1ec61 3770 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3771 }
3772}
3773
2d792818 3774static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3775 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3776 u8 *data)
4e8402a3 3777{
e2fd318e 3778 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3779
cb3b3152
JH		 3780 if (cmd_len < sizeof(*rej))
3781 return -EPROTO;
3782
e2fd318e 3783 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3784 return 0;
3785
3786 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3787 cmd->ident == conn->info_ident) {
17cd3f37 3788 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3789
3790 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3791 conn->info_ident = 0;
984947dc 3792
4e8402a3
MH		 3793 l2cap_conn_start(conn);
3794 }
3795
3796 return 0;
3797}
3798
1700915f
MM		 3799static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3800 struct l2cap_cmd_hdr *cmd,
3801 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3802{
1da177e4
LT		 3803 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3804 struct l2cap_conn_rsp rsp;
23691d75 3805 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3806 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3807
3808 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3809 __le16 psm = req->psm;
1da177e4 3810
097db76c 3811 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3812
3813 /* Check if we have socket listening on psm */
6f59b904 3814 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3815 &conn->hcon->dst, ACL_LINK);
23691d75 3816 if (!pchan) {
1da177e4
LT		 3817 result = L2CAP_CR_BAD_PSM;
3818 goto sendresp;
3819 }
3820
3df91ea2 3821 mutex_lock(&conn->chan_lock);
8ffb9290 3822 l2cap_chan_lock(pchan);
e0f0cb56 3823
e7c29cb1 3824 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3825 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3826 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3827 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3828 result = L2CAP_CR_SEC_BLOCK;
3829 goto response;
3830 }
3831
1da177e4
LT		 3832 result = L2CAP_CR_NO_MEM;
3833
2dfa1003
GP		 3834 /* Check if we already have channel with that dcid */
3835 if (__l2cap_get_chan_by_dcid(conn, scid))
3836 goto response;
3837
80b98027 3838 chan = pchan->ops->new_connection(pchan);
80808e43 3839 if (!chan)
1da177e4
LT		 3840 goto response;
3841
330b6c15
SS		 3842 /* For certain devices (ex: HID mouse), support for authentication,
3843 * pairing and bonding is optional. For such devices, inorder to avoid
3844 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3845 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3846 */
3847 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3848
7eafc59e
MH		 3849 bacpy(&chan->src, &conn->hcon->src);
3850 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3851 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3852 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3853 chan->psm = psm;
3854 chan->dcid = scid;
1700915f 3855 chan->local_amp_id = amp_id;
1da177e4 3856
6be36555 3857 __l2cap_chan_add(conn, chan);
48454079 3858
fe4128e0 3859 dcid = chan->scid;
1da177e4 3860
8d836d71 3861 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3862
fc7f8a7e 3863 chan->ident = cmd->ident;
1da177e4 3864
984947dc 3865 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3866 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3867 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3868 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3869 result = L2CAP_CR_PEND;
3870 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3871 chan->ops->defer(chan);
f66dc81f 3872 } else {
1700915f
MM		 3873 /* Force pending result for AMP controllers.
3874 * The connection will succeed after the
3875 * physical link is up.
3876 */
6ed971ca 3877 if (amp_id == AMP_ID_BREDR) {
f93fa273 3878 l2cap_state_change(chan, BT_CONFIG);
1700915f 3879 result = L2CAP_CR_SUCCESS;
6ed971ca 3880 } else {
f93fa273 3881 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3882 result = L2CAP_CR_PEND;
1700915f 3883 }
f66dc81f
MH		 3884 status = L2CAP_CS_NO_INFO;
3885 }
79d554a6 3886 } else {
f93fa273 3887 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3888 result = L2CAP_CR_PEND;
3889 status = L2CAP_CS_AUTHEN_PEND;
3890 }
3891 } else {
f93fa273 3892 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3893 result = L2CAP_CR_PEND;
3894 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3895 }
3896
1da177e4 3897response:
8ffb9290 3898 l2cap_chan_unlock(pchan);
3df91ea2 3899 mutex_unlock(&conn->chan_lock);
a24cce14 3900 l2cap_chan_put(pchan);
1da177e4
LT		 3901
3902sendresp:
aca3192c
YH		 3903 rsp.scid = cpu_to_le16(scid);
3904 rsp.dcid = cpu_to_le16(dcid);
3905 rsp.result = cpu_to_le16(result);
3906 rsp.status = cpu_to_le16(status);
4c89b6aa 3907 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3908
3909 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3910 struct l2cap_info_req info;
dcf4adbf 3911 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3912
3913 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3914 conn->info_ident = l2cap_get_ident(conn);
3915
ba13ccd9 3916 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3917
2d792818
GP		 3918 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3919 sizeof(info), &info);
79d554a6
MH		 3920 }
3921
c1360a1c 3922 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3923 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3924 u8 buf[128];
c1360a1c 3925 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3926 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3927 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3928 chan->num_conf_req++;
e9aeb2dd 3929 }
1700915f
MM		 3930
3931 return chan;
4c89b6aa 3932}
e9aeb2dd 3933
4c89b6aa 3934static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3935 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3936{
7b064eda
JK		 3937 struct hci_dev *hdev = conn->hcon->hdev;
3938 struct hci_conn *hcon = conn->hcon;
3939
cb3b3152
JH		 3940 if (cmd_len < sizeof(struct l2cap_conn_req))
3941 return -EPROTO;
3942
7b064eda
JK		 3943 hci_dev_lock(hdev);
3944 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3945 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3946 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3947 hcon->dst_type, 0, NULL, 0,
3948 hcon->dev_class);
3949 hci_dev_unlock(hdev);
3950
300229f9 3951 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3952 return 0;
3953}
3954
5909cf30 3955static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3956 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3957 u8 *data)
1da177e4
LT		 3958{
3959 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3960 u16 scid, dcid, result, status;
48454079 3961 struct l2cap_chan *chan;
1da177e4 3962 u8 req[128];
3df91ea2 3963 int err;
1da177e4 3964
cb3b3152
JH		 3965 if (cmd_len < sizeof(*rsp))
3966 return -EPROTO;
3967
1da177e4
LT		 3968 scid = __le16_to_cpu(rsp->scid);
3969 dcid = __le16_to_cpu(rsp->dcid);
3970 result = __le16_to_cpu(rsp->result);
3971 status = __le16_to_cpu(rsp->status);
3972
1b009c98 3973 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3974 dcid, scid, result, status);
1da177e4 3975
3df91ea2
AE		 3976 mutex_lock(&conn->chan_lock);
3977
1da177e4 3978 if (scid) {
3df91ea2
AE		 3979 chan = __l2cap_get_chan_by_scid(conn, scid);
3980 if (!chan) {
21870b52 3981 err = -EBADSLT;
3df91ea2
AE		 3982 goto unlock;
3983 }
1da177e4 3984 } else {
3df91ea2
AE		 3985 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3986 if (!chan) {
21870b52 3987 err = -EBADSLT;
3df91ea2
AE		 3988 goto unlock;
3989 }
1da177e4
LT		 3990 }
3991
3df91ea2
AE		 3992 err = 0;
3993
6be36555 3994 l2cap_chan_lock(chan);
48454079 3995
1da177e4
LT		 3996 switch (result) {
3997 case L2CAP_CR_SUCCESS:
89bc500e 3998 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3999 chan->ident = 0;
fe4128e0 4000 chan->dcid = dcid;
c1360a1c 4001 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 4002
c1360a1c 4003 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 4004 break;
4005
1da177e4 4006 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4007 l2cap_build_conf_req(chan, req), req);
73ffa904 4008 chan->num_conf_req++;
1da177e4
LT		 4009 break;
4010
4011 case L2CAP_CR_PEND:
c1360a1c 4012 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 4013 break;
4014
4015 default:
48454079 4016 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 4017 break;
4018 }
4019
6be36555 4020 l2cap_chan_unlock(chan);
3df91ea2
AE		 4021
4022unlock:
4023 mutex_unlock(&conn->chan_lock);
4024
4025 return err;
1da177e4
LT		 4026}
4027
47d1ec61 4028static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 4029{
4030 /* FCS is enabled only in ERTM or streaming mode, if one or both
4031 * sides request it.
4032 */
0c1bc5c6 4033 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 4034 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 4035 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 4036 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 4037}
4038
29d8a590
AE		 4039static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4040 u8 ident, u16 flags)
4041{
4042 struct l2cap_conn *conn = chan->conn;
4043
4044 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4045 flags);
4046
4047 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4048 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4049
4050 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4051 l2cap_build_conf_rsp(chan, data,
4052 L2CAP_CONF_SUCCESS, flags), data);
4053}
4054
662d652d
JH		 4055static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4056 u16 scid, u16 dcid)
4057{
4058 struct l2cap_cmd_rej_cid rej;
4059
dcf4adbf 4060 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 4061 rej.scid = __cpu_to_le16(scid);
4062 rej.dcid = __cpu_to_le16(dcid);
4063
4064 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4065}
4066
2d792818
GP		 4067static inline int l2cap_config_req(struct l2cap_conn *conn,
4068 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4069 u8 *data)
1da177e4
LT		 4070{
4071 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4072 u16 dcid, flags;
4073 u8 rsp[64];
48454079 4074 struct l2cap_chan *chan;
3c588192 4075 int len, err = 0;
1da177e4 4076
cb3b3152
JH		 4077 if (cmd_len < sizeof(*req))
4078 return -EPROTO;
4079
1da177e4
LT		 4080 dcid = __le16_to_cpu(req->dcid);
4081 flags = __le16_to_cpu(req->flags);
4082
4083 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4084
baa7e1fa 4085 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4086 if (!chan) {
4087 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4088 return 0;
4089 }
1da177e4 4090
033b1142 4091 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4092 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4093 chan->dcid);
354f60a9 4094 goto unlock;
df6bd743 4095 }
354f60a9 4096
5dee9e7c 4097 /* Reject if config buffer is too small. */
88219a0f 4098 len = cmd_len - sizeof(*req);
cb3b3152 4099 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4100 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4101 l2cap_build_conf_rsp(chan, rsp,
4102 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4103 goto unlock;
4104 }
4105
4106 /* Store config. */
73ffa904
GP		 4107 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4108 chan->conf_len += len;
1da177e4 4109
59e54bd1 4110 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4111 /* Incomplete config. Send empty response. */
4112 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4113 l2cap_build_conf_rsp(chan, rsp,
4114 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4115 goto unlock;
4116 }
4117
4118 /* Complete config. */
73ffa904 4119 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4120 if (len < 0) {
5e4e3972 4121 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4122 goto unlock;
f2fcfcd6 4123 }
1da177e4 4124
1500109b 4125 chan->ident = cmd->ident;
5dee9e7c 4126 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4127 chan->num_conf_rsp++;
5dee9e7c 4128
5dee9e7c 4129 /* Reset config buffer. */
73ffa904 4130 chan->conf_len = 0;
5dee9e7c 4131
c1360a1c 4132 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4133 goto unlock;
4134
c1360a1c 4135 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4136 set_default_fcs(chan);
fcc203c3 4137
105bdf9e
MM		 4138 if (chan->mode == L2CAP_MODE_ERTM ||
4139 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4140 err = l2cap_ertm_init(chan);
4141
4142 if (err < 0)
5e4e3972 4143 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4144 else
4145 l2cap_chan_ready(chan);
0565c1c2 4146
876d9484
MH		 4147 goto unlock;
4148 }
4149
c1360a1c 4150 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4151 u8 buf[64];
1da177e4 4152 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4153 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4154 chan->num_conf_req++;
1da177e4
LT		 4155 }
4156
0e8b207e
AE		 4157 /* Got Conf Rsp PENDING from remote side and asume we sent
4158 Conf Rsp PENDING in the code above */
4159 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4160 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4161
4162 /* check compatibility */
4163
79de886d 4164 /* Send rsp for BR/EDR channel */
f351bc72 4165 if (!chan->hs_hcon)
79de886d
AE		 4166 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4167 else
4168 chan->ident = cmd->ident;
0e8b207e
AE		 4169 }
4170
1da177e4 4171unlock:
6be36555 4172 l2cap_chan_unlock(chan);
3c588192 4173 return err;
1da177e4
LT		 4174}
4175
2d792818 4176static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4177 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4178 u8 *data)
1da177e4
LT		 4179{
4180 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4181 u16 scid, flags, result;
48454079 4182 struct l2cap_chan *chan;
cb3b3152 4183 int len = cmd_len - sizeof(*rsp);
3c588192 4184 int err = 0;
1da177e4 4185
cb3b3152
JH		 4186 if (cmd_len < sizeof(*rsp))
4187 return -EPROTO;
4188
1da177e4
LT		 4189 scid = __le16_to_cpu(rsp->scid);
4190 flags = __le16_to_cpu(rsp->flags);
4191 result = __le16_to_cpu(rsp->result);
4192
61386cba
AE		 4193 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4194 result, len);
1da177e4 4195
baa7e1fa 4196 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4197 if (!chan)
1da177e4
LT		 4198 return 0;
4199
4200 switch (result) {
4201 case L2CAP_CONF_SUCCESS:
47d1ec61 4202 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4203 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4204 break;
4205
0e8b207e
AE		 4206 case L2CAP_CONF_PENDING:
4207 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4208
4209 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4210 char buf[64];
4211
4212 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4213 buf, &result);
0e8b207e 4214 if (len < 0) {
5e4e3972 4215 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4216 goto done;
4217 }
4218
f351bc72 4219 if (!chan->hs_hcon) {
79de886d
AE		 4220 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4221 0);
5ce66b59
AE		 4222 } else {
4223 if (l2cap_check_efs(chan)) {
4224 amp_create_logical_link(chan);
4225 chan->ident = cmd->ident;
4226 }
4227 }
0e8b207e
AE		 4228 }
4229 goto done;
4230
1da177e4 4231 case L2CAP_CONF_UNACCEPT:
73ffa904 4232 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4233 char req[64];
4234
c2c77ec8 4235 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4236 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4237 goto done;
4238 }
4239
f2fcfcd6
GP		 4240 /* throw out any old stored conf requests */
4241 result = L2CAP_CONF_SUCCESS;
b4450035 4242 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4243 req, &result);
f2fcfcd6 4244 if (len < 0) {
5e4e3972 4245 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4246 goto done;
4247 }
4248
4249 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4250 L2CAP_CONF_REQ, len, req);
73ffa904 4251 chan->num_conf_req++;
f2fcfcd6
GP		 4252 if (result != L2CAP_CONF_SUCCESS)
4253 goto done;
4254 break;
1da177e4
LT		 4255 }
4256
8e87d142 4257 default:
6be36555 4258 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4259
ba13ccd9 4260 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4261 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4262 goto done;
4263 }
4264
59e54bd1 4265 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4266 goto done;
4267
c1360a1c 4268 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4269
c1360a1c 4270 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4271 set_default_fcs(chan);
fcc203c3 4272
105bdf9e
MM		 4273 if (chan->mode == L2CAP_MODE_ERTM ||
4274 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4275 err = l2cap_ertm_init(chan);
0565c1c2 4276
3c588192 4277 if (err < 0)
5e4e3972 4278 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4279 else
4280 l2cap_chan_ready(chan);
1da177e4
LT		 4281 }
4282
4283done:
6be36555 4284 l2cap_chan_unlock(chan);
3c588192 4285 return err;
1da177e4
LT		 4286}
4287
2d792818 4288static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4289 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4290 u8 *data)
1da177e4
LT		 4291{
4292 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4293 struct l2cap_disconn_rsp rsp;
4294 u16 dcid, scid;
48454079 4295 struct l2cap_chan *chan;
1da177e4 4296
cb3b3152
JH		 4297 if (cmd_len != sizeof(*req))
4298 return -EPROTO;
4299
1da177e4
LT		 4300 scid = __le16_to_cpu(req->scid);
4301 dcid = __le16_to_cpu(req->dcid);
4302
4303 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4304
3df91ea2
AE		 4305 mutex_lock(&conn->chan_lock);
4306
4307 chan = __l2cap_get_chan_by_scid(conn, dcid);
4308 if (!chan) {
4309 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4310 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4311 return 0;
3df91ea2 4312 }
1da177e4 4313
6be36555
AE		 4314 l2cap_chan_lock(chan);
4315
fe4128e0
GP		 4316 rsp.dcid = cpu_to_le16(chan->scid);
4317 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4318 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4319
5ec1bbe5 4320 chan->ops->set_shutdown(chan);
1da177e4 4321
61d6ef3e 4322 l2cap_chan_hold(chan);
48454079 4323 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4324
4325 l2cap_chan_unlock(chan);
1da177e4 4326
80b98027 4327 chan->ops->close(chan);
61d6ef3e 4328 l2cap_chan_put(chan);
3df91ea2
AE		 4329
4330 mutex_unlock(&conn->chan_lock);
4331
1da177e4
LT		 4332 return 0;
4333}
4334
2d792818 4335static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4336 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4337 u8 *data)
1da177e4
LT		 4338{
4339 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4340 u16 dcid, scid;
48454079 4341 struct l2cap_chan *chan;
1da177e4 4342
cb3b3152
JH		 4343 if (cmd_len != sizeof(*rsp))
4344 return -EPROTO;
4345
1da177e4
LT		 4346 scid = __le16_to_cpu(rsp->scid);
4347 dcid = __le16_to_cpu(rsp->dcid);
4348
4349 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4350
3df91ea2
AE		 4351 mutex_lock(&conn->chan_lock);
4352
4353 chan = __l2cap_get_chan_by_scid(conn, scid);
4354 if (!chan) {
4355 mutex_unlock(&conn->chan_lock);
1da177e4 4356 return 0;
3df91ea2 4357 }
1da177e4 4358
6be36555 4359 l2cap_chan_lock(chan);
48454079 4360
61d6ef3e 4361 l2cap_chan_hold(chan);
48454079 4362 l2cap_chan_del(chan, 0);
6be36555
AE		 4363
4364 l2cap_chan_unlock(chan);
1da177e4 4365
80b98027 4366 chan->ops->close(chan);
61d6ef3e 4367 l2cap_chan_put(chan);
3df91ea2
AE		 4368
4369 mutex_unlock(&conn->chan_lock);
4370
1da177e4
LT		 4371 return 0;
4372}
4373
2d792818 4374static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4375 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4376 u8 *data)
1da177e4
LT		 4377{
4378 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4379 u16 type;
4380
cb3b3152
JH		 4381 if (cmd_len != sizeof(*req))
4382 return -EPROTO;
4383
1da177e4
LT		 4384 type = __le16_to_cpu(req->type);
4385
4386 BT_DBG("type 0x%4.4x", type);
4387
f0709e03
MH		 4388 if (type == L2CAP_IT_FEAT_MASK) {
4389 u8 buf[8];
44dd46de 4390 u32 feat_mask = l2cap_feat_mask;
f0709e03 4391 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4392 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4393 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4394 if (!disable_ertm)
fcc203c3 4395 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4396 | L2CAP_FEAT_FCS;
848566b3 4397 if (conn->hs_enabled)
6327eb98 4398 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4399 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4400
1b7bf4ed 4401 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4402 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4403 buf);
e1027a7c
MH		 4404 } else if (type == L2CAP_IT_FIXED_CHAN) {
4405 u8 buf[12];
4406 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4407
848566b3 4408 if (conn->hs_enabled)
50a147cd
MM		 4409 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4410 else
4411 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4412
dcf4adbf
JP		 4413 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4414 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4415 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4416 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4417 buf);
f0709e03
MH		 4418 } else {
4419 struct l2cap_info_rsp rsp;
4420 rsp.type = cpu_to_le16(type);
dcf4adbf 4421 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4422 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4423 &rsp);
f0709e03 4424 }
1da177e4
LT		 4425
4426 return 0;
4427}
4428
2d792818 4429static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4430 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4431 u8 *data)
1da177e4
LT		 4432{
4433 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4434 u16 type, result;
4435
3f6fa3d4 4436 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4437 return -EPROTO;
4438
1da177e4
LT		 4439 type = __le16_to_cpu(rsp->type);
4440 result = __le16_to_cpu(rsp->result);
4441
4442 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4443
e90165be
AE		 4444 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4445 if (cmd->ident != conn->info_ident ||
2d792818 4446 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4447 return 0;
4448
17cd3f37 4449 cancel_delayed_work(&conn->info_timer);
4e8402a3 4450
adb08ede
VT		 4451 if (result != L2CAP_IR_SUCCESS) {
4452 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4453 conn->info_ident = 0;
4454
4455 l2cap_conn_start(conn);
4456
4457 return 0;
4458 }
4459
978c93b9
AE		 4460 switch (type) {
4461 case L2CAP_IT_FEAT_MASK:
83985319 4462 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4463
47ec1dcd 4464 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4465 struct l2cap_info_req req;
dcf4adbf 4466 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4467
4468 conn->info_ident = l2cap_get_ident(conn);
4469
4470 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4471 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4472 } else {
4473 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4474 conn->info_ident = 0;
4475
4476 l2cap_conn_start(conn);
4477 }
978c93b9
AE		 4478 break;
4479
4480 case L2CAP_IT_FIXED_CHAN:
4481 conn->fixed_chan_mask = rsp->data[0];
984947dc 4482 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4483 conn->info_ident = 0;
984947dc
MH		 4484
4485 l2cap_conn_start(conn);
978c93b9 4486 break;
984947dc 4487 }
4e8402a3 4488
1da177e4
LT		 4489 return 0;
4490}
4491
1700915f
MM		 4492static int l2cap_create_channel_req(struct l2cap_conn *conn,
4493 struct l2cap_cmd_hdr *cmd,
4494 u16 cmd_len, void *data)
f94ff6ff
MM		 4495{
4496 struct l2cap_create_chan_req *req = data;
6e1df6a6 4497 struct l2cap_create_chan_rsp rsp;
1700915f 4498 struct l2cap_chan *chan;
6e1df6a6 4499 struct hci_dev *hdev;
f94ff6ff
MM		 4500 u16 psm, scid;
4501
4502 if (cmd_len != sizeof(*req))
4503 return -EPROTO;
4504
848566b3 4505 if (!conn->hs_enabled)
f94ff6ff
MM		 4506 return -EINVAL;
4507
4508 psm = le16_to_cpu(req->psm);
4509 scid = le16_to_cpu(req->scid);
4510
ad0ac6ca 4511 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4512
6e1df6a6 4513 /* For controller id 0 make BR/EDR connection */
6ed971ca 4514 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4515 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4516 req->amp_id);
4517 return 0;
4518 }
1700915f 4519
6e1df6a6
AE		 4520 /* Validate AMP controller id */
4521 hdev = hci_dev_get(req->amp_id);
4522 if (!hdev)
4523 goto error;
1700915f 4524
6e1df6a6
AE		 4525 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4526 hci_dev_put(hdev);
4527 goto error;
4528 }
1700915f 4529
6e1df6a6
AE		 4530 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4531 req->amp_id);
4532 if (chan) {
4533 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4534 struct hci_conn *hs_hcon;
1700915f 4535
98e0f7ea
MH		 4536 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4537 &conn->hcon->dst);
6e1df6a6
AE		 4538 if (!hs_hcon) {
4539 hci_dev_put(hdev);
662d652d
JH		 4540 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4541 chan->dcid);
4542 return 0;
1700915f
MM		 4543 }
4544
6e1df6a6
AE		 4545 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4546
6e1df6a6
AE		 4547 mgr->bredr_chan = chan;
4548 chan->hs_hcon = hs_hcon;
fd45bf4c 4549 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4550 conn->mtu = hdev->block_mtu;
1700915f 4551 }
f94ff6ff 4552
6e1df6a6 4553 hci_dev_put(hdev);
f94ff6ff
MM		 4554
4555 return 0;
6e1df6a6
AE		 4556
4557error:
4558 rsp.dcid = 0;
4559 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4560 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4561 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4562
4563 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4564 sizeof(rsp), &rsp);
4565
dc280801 4566 return 0;
f94ff6ff
MM		 4567}
4568
8eb200bd
MM		 4569static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4570{
4571 struct l2cap_move_chan_req req;
4572 u8 ident;
4573
4574 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4575
4576 ident = l2cap_get_ident(chan->conn);
4577 chan->ident = ident;
4578
4579 req.icid = cpu_to_le16(chan->scid);
4580 req.dest_amp_id = dest_amp_id;
4581
4582 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4583 &req);
4584
4585 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4586}
4587
1500109b 4588static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4589{
4590 struct l2cap_move_chan_rsp rsp;
4591
1500109b 4592 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4593
1500109b 4594 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4595 rsp.result = cpu_to_le16(result);
4596
1500109b
MM		 4597 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4598 sizeof(rsp), &rsp);
8d5a04a1
MM		 4599}
4600
5b155ef9 4601static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4602{
4603 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4604
5b155ef9 4605 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4606
5b155ef9 4607 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4608
5b155ef9 4609 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4610 cfm.result = cpu_to_le16(result);
4611
5b155ef9
MM		 4612 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4613 sizeof(cfm), &cfm);
4614
4615 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4616}
4617
4618static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4619{
4620 struct l2cap_move_chan_cfm cfm;
4621
4622 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4623
4624 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4625 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4626
4627 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4628 sizeof(cfm), &cfm);
8d5a04a1
MM		 4629}
4630
4631static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4632 u16 icid)
8d5a04a1
MM		 4633{
4634 struct l2cap_move_chan_cfm_rsp rsp;
4635
ad0ac6ca 4636 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4637
4638 rsp.icid = cpu_to_le16(icid);
4639 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4640}
4641
5f3847a4
MM		 4642static void __release_logical_link(struct l2cap_chan *chan)
4643{
4644 chan->hs_hchan = NULL;
4645 chan->hs_hcon = NULL;
4646
4647 /* Placeholder - release the logical link */
4648}
4649
1500109b
MM		 4650static void l2cap_logical_fail(struct l2cap_chan *chan)
4651{
4652 /* Logical link setup failed */
4653 if (chan->state != BT_CONNECTED) {
4654 /* Create channel failure, disconnect */
5e4e3972 4655 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4656 return;
4657 }
4658
4659 switch (chan->move_role) {
4660 case L2CAP_MOVE_ROLE_RESPONDER:
4661 l2cap_move_done(chan);
4662 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4663 break;
4664 case L2CAP_MOVE_ROLE_INITIATOR:
4665 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4666 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4667 /* Remote has only sent pending or
4668 * success responses, clean up
4669 */
4670 l2cap_move_done(chan);
4671 }
4672
4673 /* Other amp move states imply that the move
4674 * has already aborted
4675 */
4676 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4677 break;
4678 }
4679}
4680
4681static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4682 struct hci_chan *hchan)
4683{
4684 struct l2cap_conf_rsp rsp;
1500109b 4685
336178a3 4686 chan->hs_hchan = hchan;
1500109b
MM		 4687 chan->hs_hcon->l2cap_data = chan->conn;
4688
35ba9561 4689 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4690
4691 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4692 int err;
1500109b
MM		 4693
4694 set_default_fcs(chan);
4695
4696 err = l2cap_ertm_init(chan);
4697 if (err < 0)
5e4e3972 4698 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4699 else
4700 l2cap_chan_ready(chan);
4701 }
4702}
4703
4704static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4705 struct hci_chan *hchan)
4706{
4707 chan->hs_hcon = hchan->conn;
4708 chan->hs_hcon->l2cap_data = chan->conn;
4709
4710 BT_DBG("move_state %d", chan->move_state);
4711
4712 switch (chan->move_state) {
4713 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4714 /* Move confirm will be sent after a success
4715 * response is received
4716 */
4717 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4718 break;
4719 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4720 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4721 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4722 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4723 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4724 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4725 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4726 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4727 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4728 }
4729 break;
4730 default:
4731 /* Move was not in expected state, free the channel */
4732 __release_logical_link(chan);
4733
4734 chan->move_state = L2CAP_MOVE_STABLE;
4735 }
4736}
4737
4738/* Call with chan locked */
27695fb4
AE		 4739void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4740 u8 status)
5b155ef9 4741{
1500109b
MM		 4742 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4743
4744 if (status) {
4745 l2cap_logical_fail(chan);
4746 __release_logical_link(chan);
4747 return;
4748 }
4749
4750 if (chan->state != BT_CONNECTED) {
4751 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4752 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4753 l2cap_logical_finish_create(chan, hchan);
4754 } else {
4755 l2cap_logical_finish_move(chan, hchan);
4756 }
5b155ef9
MM		 4757}
4758
3f7a56c4
MM		 4759void l2cap_move_start(struct l2cap_chan *chan)
4760{
4761 BT_DBG("chan %p", chan);
4762
6ed971ca 4763 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4764 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4765 return;
4766 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4767 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4768 /* Placeholder - start physical link setup */
4769 } else {
4770 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4771 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4772 chan->move_id = 0;
4773 l2cap_move_setup(chan);
4774 l2cap_send_move_chan_req(chan, 0);
4775 }
4776}
4777
8eb200bd
MM		 4778static void l2cap_do_create(struct l2cap_chan *chan, int result,
4779 u8 local_amp_id, u8 remote_amp_id)
4780{
62748ca1
AE		 4781 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4782 local_amp_id, remote_amp_id);
4783
12d6cc60
AE		 4784 chan->fcs = L2CAP_FCS_NONE;
4785
62748ca1
AE		 4786 /* Outgoing channel on AMP */
4787 if (chan->state == BT_CONNECT) {
4788 if (result == L2CAP_CR_SUCCESS) {
4789 chan->local_amp_id = local_amp_id;
4790 l2cap_send_create_chan_req(chan, remote_amp_id);
4791 } else {
4792 /* Revert to BR/EDR connect */
4793 l2cap_send_conn_req(chan);
4794 }
4795
4796 return;
4797 }
4798
4799 /* Incoming channel on AMP */
4800 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4801 struct l2cap_conn_rsp rsp;
4802 char buf[128];
4803 rsp.scid = cpu_to_le16(chan->dcid);
4804 rsp.dcid = cpu_to_le16(chan->scid);
4805
8eb200bd
MM		 4806 if (result == L2CAP_CR_SUCCESS) {
4807 /* Send successful response */
dcf4adbf
JP		 4808 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4809 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4810 } else {
4811 /* Send negative response */
dcf4adbf
JP		 4812 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4813 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4814 }
4815
4816 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4817 sizeof(rsp), &rsp);
4818
4819 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4820 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4821 set_bit(CONF_REQ_SENT, &chan->conf_state);
4822 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4823 L2CAP_CONF_REQ,
4824 l2cap_build_conf_req(chan, buf), buf);
4825 chan->num_conf_req++;
4826 }
8eb200bd
MM		 4827 }
4828}
4829
4830static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4831 u8 remote_amp_id)
4832{
4833 l2cap_move_setup(chan);
4834 chan->move_id = local_amp_id;
4835 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4836
4837 l2cap_send_move_chan_req(chan, remote_amp_id);
4838}
4839
4840static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4841{
4842 struct hci_chan *hchan = NULL;
4843
4844 /* Placeholder - get hci_chan for logical link */
4845
4846 if (hchan) {
4847 if (hchan->state == BT_CONNECTED) {
4848 /* Logical link is ready to go */
4849 chan->hs_hcon = hchan->conn;
4850 chan->hs_hcon->l2cap_data = chan->conn;
4851 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4852 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4853
4854 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4855 } else {
4856 /* Wait for logical link to be ready */
4857 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4858 }
4859 } else {
4860 /* Logical link not available */
4861 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4862 }
4863}
4864
4865static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4866{
4867 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4868 u8 rsp_result;
4869 if (result == -EINVAL)
4870 rsp_result = L2CAP_MR_BAD_ID;
4871 else
4872 rsp_result = L2CAP_MR_NOT_ALLOWED;
4873
4874 l2cap_send_move_chan_rsp(chan, rsp_result);
4875 }
4876
4877 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4878 chan->move_state = L2CAP_MOVE_STABLE;
4879
4880 /* Restart data transmission */
4881 l2cap_ertm_send(chan);
4882}
4883
a514b17f
AE		 4884/* Invoke with locked chan */
4885void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4886{
770bfefa 4887 u8 local_amp_id = chan->local_amp_id;
fffadc08 4888 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4889
8eb200bd
MM		 4890 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4891 chan, result, local_amp_id, remote_amp_id);
4892
8eb200bd
MM		 4893 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4894 l2cap_chan_unlock(chan);
4895 return;
4896 }
4897
4898 if (chan->state != BT_CONNECTED) {
4899 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4900 } else if (result != L2CAP_MR_SUCCESS) {
4901 l2cap_do_move_cancel(chan, result);
4902 } else {
4903 switch (chan->move_role) {
4904 case L2CAP_MOVE_ROLE_INITIATOR:
4905 l2cap_do_move_initiate(chan, local_amp_id,
4906 remote_amp_id);
4907 break;
4908 case L2CAP_MOVE_ROLE_RESPONDER:
4909 l2cap_do_move_respond(chan, result);
4910 break;
4911 default:
4912 l2cap_do_move_cancel(chan, result);
4913 break;
4914 }
4915 }
8eb200bd
MM		 4916}
4917
8d5a04a1 4918static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4919 struct l2cap_cmd_hdr *cmd,
4920 u16 cmd_len, void *data)
8d5a04a1
MM		 4921{
4922 struct l2cap_move_chan_req *req = data;
1500109b 4923 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4924 struct l2cap_chan *chan;
8d5a04a1
MM		 4925 u16 icid = 0;
4926 u16 result = L2CAP_MR_NOT_ALLOWED;
4927
4928 if (cmd_len != sizeof(*req))
4929 return -EPROTO;
4930
4931 icid = le16_to_cpu(req->icid);
4932
ad0ac6ca 4933 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4934
848566b3 4935 if (!conn->hs_enabled)
8d5a04a1
MM		 4936 return -EINVAL;
4937
02b0fbb9
MM		 4938 chan = l2cap_get_chan_by_dcid(conn, icid);
4939 if (!chan) {
1500109b 4940 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4941 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4942 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4943 sizeof(rsp), &rsp);
02b0fbb9
MM		 4944 return 0;
4945 }
4946
1500109b
MM		 4947 chan->ident = cmd->ident;
4948
02b0fbb9
MM		 4949 if (chan->scid < L2CAP_CID_DYN_START ||
4950 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4951 (chan->mode != L2CAP_MODE_ERTM &&
4952 chan->mode != L2CAP_MODE_STREAMING)) {
4953 result = L2CAP_MR_NOT_ALLOWED;
4954 goto send_move_response;
4955 }
4956
4957 if (chan->local_amp_id == req->dest_amp_id) {
4958 result = L2CAP_MR_SAME_ID;
4959 goto send_move_response;
4960 }
4961
6ed971ca 4962 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4963 struct hci_dev *hdev;
4964 hdev = hci_dev_get(req->dest_amp_id);
4965 if (!hdev || hdev->dev_type != HCI_AMP ||
4966 !test_bit(HCI_UP, &hdev->flags)) {
4967 if (hdev)
4968 hci_dev_put(hdev);
4969
4970 result = L2CAP_MR_BAD_ID;
4971 goto send_move_response;
4972 }
4973 hci_dev_put(hdev);
4974 }
4975
4976 /* Detect a move collision. Only send a collision response
4977 * if this side has "lost", otherwise proceed with the move.
4978 * The winner has the larger bd_addr.
4979 */
4980 if ((__chan_is_moving(chan) ||
4981 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4982 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4983 result = L2CAP_MR_COLLISION;
4984 goto send_move_response;
4985 }
4986
02b0fbb9
MM		 4987 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4988 l2cap_move_setup(chan);
4989 chan->move_id = req->dest_amp_id;
4990 icid = chan->dcid;
4991
6ed971ca 4992 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4993 /* Moving to BR/EDR */
4994 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4995 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4996 result = L2CAP_MR_PEND;
4997 } else {
4998 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4999 result = L2CAP_MR_SUCCESS;
5000 }
5001 } else {
5002 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5003 /* Placeholder - uncomment when amp functions are available */
5004 /*amp_accept_physical(chan, req->dest_amp_id);*/
5005 result = L2CAP_MR_PEND;
5006 }
5007
5008send_move_response:
1500109b 5009 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 5010
02b0fbb9
MM		 5011 l2cap_chan_unlock(chan);
5012
8d5a04a1
MM		 5013 return 0;
5014}
5015
5b155ef9
MM		 5016static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5017{
5018 struct l2cap_chan *chan;
5019 struct hci_chan *hchan = NULL;
5020
5021 chan = l2cap_get_chan_by_scid(conn, icid);
5022 if (!chan) {
5023 l2cap_send_move_chan_cfm_icid(conn, icid);
5024 return;
5025 }
5026
5027 __clear_chan_timer(chan);
5028 if (result == L2CAP_MR_PEND)
5029 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5030
5031 switch (chan->move_state) {
5032 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5033 /* Move confirm will be sent when logical link
5034 * is complete.
5035 */
5036 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5037 break;
5038 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5039 if (result == L2CAP_MR_PEND) {
5040 break;
5041 } else if (test_bit(CONN_LOCAL_BUSY,
5042 &chan->conn_state)) {
5043 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5044 } else {
5045 /* Logical link is up or moving to BR/EDR,
5046 * proceed with move
5047 */
5048 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5049 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5050 }
5051 break;
5052 case L2CAP_MOVE_WAIT_RSP:
5053 /* Moving to AMP */
5054 if (result == L2CAP_MR_SUCCESS) {
5055 /* Remote is ready, send confirm immediately
5056 * after logical link is ready
5057 */
5058 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5059 } else {
5060 /* Both logical link and move success
5061 * are required to confirm
5062 */
5063 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5064 }
5065
5066 /* Placeholder - get hci_chan for logical link */
5067 if (!hchan) {
5068 /* Logical link not available */
5069 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5070 break;
5071 }
5072
5073 /* If the logical link is not yet connected, do not
5074 * send confirmation.
5075 */
5076 if (hchan->state != BT_CONNECTED)
5077 break;
5078
5079 /* Logical link is already ready to go */
5080
5081 chan->hs_hcon = hchan->conn;
5082 chan->hs_hcon->l2cap_data = chan->conn;
5083
5084 if (result == L2CAP_MR_SUCCESS) {
5085 /* Can confirm now */
5086 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5087 } else {
5088 /* Now only need move success
5089 * to confirm
5090 */
5091 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5092 }
5093
5094 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5095 break;
5096 default:
5097 /* Any other amp move state means the move failed. */
5098 chan->move_id = chan->local_amp_id;
5099 l2cap_move_done(chan);
5100 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5101 }
5102
5103 l2cap_chan_unlock(chan);
5104}
5105
5106static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5107 u16 result)
5108{
5109 struct l2cap_chan *chan;
5110
5111 chan = l2cap_get_chan_by_ident(conn, ident);
5112 if (!chan) {
5113 /* Could not locate channel, icid is best guess */
5114 l2cap_send_move_chan_cfm_icid(conn, icid);
5115 return;
5116 }
5117
5118 __clear_chan_timer(chan);
5119
5120 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5121 if (result == L2CAP_MR_COLLISION) {
5122 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5123 } else {
5124 /* Cleanup - cancel move */
5125 chan->move_id = chan->local_amp_id;
5126 l2cap_move_done(chan);
5127 }
5128 }
5129
5130 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5131
5132 l2cap_chan_unlock(chan);
5133}
5134
5135static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5136 struct l2cap_cmd_hdr *cmd,
5137 u16 cmd_len, void *data)
8d5a04a1
MM		 5138{
5139 struct l2cap_move_chan_rsp *rsp = data;
5140 u16 icid, result;
5141
5142 if (cmd_len != sizeof(*rsp))
5143 return -EPROTO;
5144
5145 icid = le16_to_cpu(rsp->icid);
5146 result = le16_to_cpu(rsp->result);
5147
ad0ac6ca 5148 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5149
5b155ef9
MM		 5150 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5151 l2cap_move_continue(conn, icid, result);
5152 else
5153 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5154
5155 return 0;
5156}
5157
5f3847a4
MM		 5158static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5159 struct l2cap_cmd_hdr *cmd,
5160 u16 cmd_len, void *data)
8d5a04a1
MM		 5161{
5162 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5163 struct l2cap_chan *chan;
8d5a04a1
MM		 5164 u16 icid, result;
5165
5166 if (cmd_len != sizeof(*cfm))
5167 return -EPROTO;
5168
5169 icid = le16_to_cpu(cfm->icid);
5170 result = le16_to_cpu(cfm->result);
5171
ad0ac6ca 5172 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5173
5f3847a4
MM		 5174 chan = l2cap_get_chan_by_dcid(conn, icid);
5175 if (!chan) {
5176 /* Spec requires a response even if the icid was not found */
5177 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5178 return 0;
5179 }
5180
5181 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5182 if (result == L2CAP_MC_CONFIRMED) {
5183 chan->local_amp_id = chan->move_id;
6ed971ca 5184 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5185 __release_logical_link(chan);
5186 } else {
5187 chan->move_id = chan->local_amp_id;
5188 }
5189
5190 l2cap_move_done(chan);
5191 }
5192
8d5a04a1
MM		 5193 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5194
5f3847a4
MM		 5195 l2cap_chan_unlock(chan);
5196
8d5a04a1
MM		 5197 return 0;
5198}
5199
5200static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5201 struct l2cap_cmd_hdr *cmd,
5202 u16 cmd_len, void *data)
8d5a04a1
MM		 5203{
5204 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5205 struct l2cap_chan *chan;
8d5a04a1
MM		 5206 u16 icid;
5207
5208 if (cmd_len != sizeof(*rsp))
5209 return -EPROTO;
5210
5211 icid = le16_to_cpu(rsp->icid);
5212
ad0ac6ca 5213 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5214
3fd71a0a
MM		 5215 chan = l2cap_get_chan_by_scid(conn, icid);
5216 if (!chan)
5217 return 0;
5218
5219 __clear_chan_timer(chan);
5220
5221 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5222 chan->local_amp_id = chan->move_id;
5223
6ed971ca 5224 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5225 __release_logical_link(chan);
5226
5227 l2cap_move_done(chan);
5228 }
5229
5230 l2cap_chan_unlock(chan);
5231
8d5a04a1
MM		 5232 return 0;
5233}
5234
de73115a 5235static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5236 struct l2cap_cmd_hdr *cmd,
203e639e 5237 u16 cmd_len, u8 *data)
de73115a
CT		 5238{
5239 struct hci_conn *hcon = conn->hcon;
5240 struct l2cap_conn_param_update_req *req;
5241 struct l2cap_conn_param_update_rsp rsp;
203e639e 5242 u16 min, max, latency, to_multiplier;
2ce603eb 5243 int err;
de73115a 5244
40bef302 5245 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5246 return -EINVAL;
5247
de73115a
CT		 5248 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5249 return -EPROTO;
5250
5251 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5252 min = __le16_to_cpu(req->min);
5253 max = __le16_to_cpu(req->max);
de73115a
CT		 5254 latency = __le16_to_cpu(req->latency);
5255 to_multiplier = __le16_to_cpu(req->to_multiplier);
5256
5257 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5258 min, max, latency, to_multiplier);
de73115a
CT		 5259
5260 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5261
d4905f24 5262 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5263 if (err)
dcf4adbf 5264 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5265 else
dcf4adbf 5266 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5267
5268 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5269 sizeof(rsp), &rsp);
de73115a 5270
ffb5a827 5271 if (!err) {
f4869e2a
JH		 5272 u8 store_hint;
5273
5274 store_hint = hci_le_conn_update(hcon, min, max, latency,
5275 to_multiplier);
ffb5a827 5276 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5277 store_hint, min, max, latency,
5278 to_multiplier);
ffb5a827 5279
ffb5a827 5280 }
2ce603eb 5281
de73115a
CT		 5282 return 0;
5283}
5284
f1496dee
JH		 5285static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5286 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5287 u8 *data)
5288{
5289 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5290 u16 dcid, mtu, mps, credits, result;
5291 struct l2cap_chan *chan;
5292 int err;
5293
5294 if (cmd_len < sizeof(*rsp))
5295 return -EPROTO;
5296
5297 dcid = __le16_to_cpu(rsp->dcid);
5298 mtu = __le16_to_cpu(rsp->mtu);
5299 mps = __le16_to_cpu(rsp->mps);
5300 credits = __le16_to_cpu(rsp->credits);
5301 result = __le16_to_cpu(rsp->result);
5302
5303 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5304 return -EPROTO;
5305
5306 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5307 dcid, mtu, mps, credits, result);
5308
5309 mutex_lock(&conn->chan_lock);
5310
5311 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5312 if (!chan) {
5313 err = -EBADSLT;
5314 goto unlock;
5315 }
5316
5317 err = 0;
5318
5319 l2cap_chan_lock(chan);
5320
5321 switch (result) {
5322 case L2CAP_CR_SUCCESS:
5323 chan->ident = 0;
5324 chan->dcid = dcid;
5325 chan->omtu = mtu;
5326 chan->remote_mps = mps;
0cd75f7e 5327 chan->tx_credits = credits;
f1496dee
JH		 5328 l2cap_chan_ready(chan);
5329 break;
5330
5331 default:
5332 l2cap_chan_del(chan, ECONNREFUSED);
5333 break;
5334 }
5335
5336 l2cap_chan_unlock(chan);
5337
5338unlock:
5339 mutex_unlock(&conn->chan_lock);
5340
5341 return err;
5342}
5343
3300d9a9 5344static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5345 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5346 u8 *data)
3300d9a9
CT		 5347{
5348 int err = 0;
5349
5350 switch (cmd->code) {
5351 case L2CAP_COMMAND_REJ:
cb3b3152 5352 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5353 break;
5354
5355 case L2CAP_CONN_REQ:
cb3b3152 5356 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5357 break;
5358
5359 case L2CAP_CONN_RSP:
f5a2598d 5360 case L2CAP_CREATE_CHAN_RSP:
9245e737 5361 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5362 break;
5363
5364 case L2CAP_CONF_REQ:
5365 err = l2cap_config_req(conn, cmd, cmd_len, data);
5366 break;
5367
5368 case L2CAP_CONF_RSP:
9245e737 5369 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5370 break;
5371
5372 case L2CAP_DISCONN_REQ:
cb3b3152 5373 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5374 break;
5375
5376 case L2CAP_DISCONN_RSP:
9245e737 5377 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5378 break;
5379
5380 case L2CAP_ECHO_REQ:
5381 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5382 break;
5383
5384 case L2CAP_ECHO_RSP:
5385 break;
5386
5387 case L2CAP_INFO_REQ:
cb3b3152 5388 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5389 break;
5390
5391 case L2CAP_INFO_RSP:
9245e737 5392 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5393 break;
5394
f94ff6ff
MM		 5395 case L2CAP_CREATE_CHAN_REQ:
5396 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5397 break;
5398
8d5a04a1
MM		 5399 case L2CAP_MOVE_CHAN_REQ:
5400 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5401 break;
5402
5403 case L2CAP_MOVE_CHAN_RSP:
9245e737 5404 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5405 break;
5406
5407 case L2CAP_MOVE_CHAN_CFM:
5408 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5409 break;
5410
5411 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5412 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5413 break;
5414
3300d9a9
CT		 5415 default:
5416 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5417 err = -EINVAL;
5418 break;
5419 }
5420
5421 return err;
5422}
5423
27e2d4c8
JH		 5424static int l2cap_le_connect_req(struct l2cap_conn *conn,
5425 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5426 u8 *data)
5427{
5428 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5429 struct l2cap_le_conn_rsp rsp;
5430 struct l2cap_chan *chan, *pchan;
0cd75f7e 5431 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5432 __le16 psm;
5433 u8 result;
5434
5435 if (cmd_len != sizeof(*req))
5436 return -EPROTO;
5437
5438 scid = __le16_to_cpu(req->scid);
5439 mtu = __le16_to_cpu(req->mtu);
5440 mps = __le16_to_cpu(req->mps);
5441 psm = req->psm;
5442 dcid = 0;
0cd75f7e 5443 credits = 0;
27e2d4c8
JH		 5444
5445 if (mtu < 23 || mps < 23)
5446 return -EPROTO;
5447
5448 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5449 scid, mtu, mps);
5450
5451 /* Check if we have socket listening on psm */
5452 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5453 &conn->hcon->dst, LE_LINK);
5454 if (!pchan) {
5455 result = L2CAP_CR_BAD_PSM;
5456 chan = NULL;
5457 goto response;
5458 }
5459
5460 mutex_lock(&conn->chan_lock);
5461 l2cap_chan_lock(pchan);
5462
5463 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5464 result = L2CAP_CR_AUTHENTICATION;
5465 chan = NULL;
5466 goto response_unlock;
5467 }
5468
5469 /* Check if we already have channel with that dcid */
5470 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5471 result = L2CAP_CR_NO_MEM;
5472 chan = NULL;
5473 goto response_unlock;
5474 }
5475
5476 chan = pchan->ops->new_connection(pchan);
5477 if (!chan) {
5478 result = L2CAP_CR_NO_MEM;
5479 goto response_unlock;
5480 }
5481
0ce43ce6
JH		 5482 l2cap_le_flowctl_init(chan);
5483
27e2d4c8
JH		 5484 bacpy(&chan->src, &conn->hcon->src);
5485 bacpy(&chan->dst, &conn->hcon->dst);
5486 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5487 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5488 chan->psm = psm;
5489 chan->dcid = scid;
5490 chan->omtu = mtu;
5491 chan->remote_mps = mps;
0cd75f7e 5492 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5493
5494 __l2cap_chan_add(conn, chan);
5495 dcid = chan->scid;
0cd75f7e 5496 credits = chan->rx_credits;
27e2d4c8
JH		 5497
5498 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5499
5500 chan->ident = cmd->ident;
5501
5502 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5503 l2cap_state_change(chan, BT_CONNECT2);
5504 result = L2CAP_CR_PEND;
5505 chan->ops->defer(chan);
5506 } else {
5507 l2cap_chan_ready(chan);
5508 result = L2CAP_CR_SUCCESS;
5509 }
5510
5511response_unlock:
5512 l2cap_chan_unlock(pchan);
5513 mutex_unlock(&conn->chan_lock);
a24cce14 5514 l2cap_chan_put(pchan);
27e2d4c8
JH		 5515
5516 if (result == L2CAP_CR_PEND)
5517 return 0;
5518
5519response:
5520 if (chan) {
5521 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5522 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5523 } else {
5524 rsp.mtu = 0;
5525 rsp.mps = 0;
5526 }
5527
5528 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5529 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5530 rsp.result = cpu_to_le16(result);
5531
5532 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5533
5534 return 0;
5535}
5536
fad5fc89
JH		 5537static inline int l2cap_le_credits(struct l2cap_conn *conn,
5538 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5539 u8 *data)
5540{
5541 struct l2cap_le_credits *pkt;
5542 struct l2cap_chan *chan;
0f1bfe4e 5543 u16 cid, credits, max_credits;
fad5fc89
JH		 5544
5545 if (cmd_len != sizeof(*pkt))
5546 return -EPROTO;
5547
5548 pkt = (struct l2cap_le_credits *) data;
5549 cid = __le16_to_cpu(pkt->cid);
5550 credits = __le16_to_cpu(pkt->credits);
5551
5552 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5553
5554 chan = l2cap_get_chan_by_dcid(conn, cid);
5555 if (!chan)
5556 return -EBADSLT;
5557
0f1bfe4e
JH		 5558 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5559 if (credits > max_credits) {
5560 BT_ERR("LE credits overflow");
5561 l2cap_send_disconn_req(chan, ECONNRESET);
5562
5563 /* Return 0 so that we don't trigger an unnecessary
5564 * command reject packet.
5565 */
5566 return 0;
5567 }
5568
fad5fc89
JH		 5569 chan->tx_credits += credits;
5570
5571 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5572 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5573 chan->tx_credits--;
5574 }
5575
5576 if (chan->tx_credits)
5577 chan->ops->resume(chan);
5578
5579 l2cap_chan_unlock(chan);
5580
5581 return 0;
5582}
5583
71fb4197
JH		 5584static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5585 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5586 u8 *data)
5587{
5588 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5589 struct l2cap_chan *chan;
5590
5591 if (cmd_len < sizeof(*rej))
5592 return -EPROTO;
5593
5594 mutex_lock(&conn->chan_lock);
5595
5596 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5597 if (!chan)
5598 goto done;
5599
5600 l2cap_chan_lock(chan);
5601 l2cap_chan_del(chan, ECONNREFUSED);
5602 l2cap_chan_unlock(chan);
5603
5604done:
5605 mutex_unlock(&conn->chan_lock);
5606 return 0;
5607}
5608
3300d9a9 5609static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5610 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5611 u8 *data)
3300d9a9 5612{
b5ecba64
JH		 5613 int err = 0;
5614
3300d9a9
CT		 5615 switch (cmd->code) {
5616 case L2CAP_COMMAND_REJ:
71fb4197 5617 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5618 break;
3300d9a9
CT		 5619
5620 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5621 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5622 break;
3300d9a9
CT		 5623
5624 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5625 break;
3300d9a9 5626
f1496dee
JH		 5627 case L2CAP_LE_CONN_RSP:
5628 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5629 break;
f1496dee 5630
27e2d4c8 5631 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5632 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5633 break;
27e2d4c8 5634
fad5fc89
JH		 5635 case L2CAP_LE_CREDITS:
5636 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5637 break;
5638
3defe01a 5639 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5640 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5641 break;
3defe01a
JH		 5642
5643 case L2CAP_DISCONN_RSP:
5644 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5645 break;
3defe01a 5646
3300d9a9
CT		 5647 default:
5648 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5649 err = -EINVAL;
5650 break;
3300d9a9 5651 }
b5ecba64
JH		 5652
5653 return err;
3300d9a9
CT		 5654}
5655
c5623556
JH		 5656static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5657 struct sk_buff *skb)
5658{
69c4e4e8 5659 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5660 struct l2cap_cmd_hdr *cmd;
5661 u16 len;
c5623556
JH		 5662 int err;
5663
69c4e4e8 5664 if (hcon->type != LE_LINK)
3b166295 5665 goto drop;
69c4e4e8 5666
4f3e219d
MH		 5667 if (skb->len < L2CAP_CMD_HDR_SIZE)
5668 goto drop;
c5623556 5669
4f3e219d
MH		 5670 cmd = (void *) skb->data;
5671 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5672
4f3e219d 5673 len = le16_to_cpu(cmd->len);
c5623556 5674
4f3e219d 5675 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5676
4f3e219d
MH		 5677 if (len != skb->len || !cmd->ident) {
5678 BT_DBG("corrupted command");
5679 goto drop;
5680 }
c5623556 5681
203e639e 5682 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5683 if (err) {
5684 struct l2cap_cmd_rej_unk rej;
c5623556 5685
4f3e219d 5686 BT_ERR("Wrong link type (%d)", err);
c5623556 5687
dcf4adbf 5688 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5689 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5690 sizeof(rej), &rej);
c5623556
JH		 5691 }
5692
3b166295 5693drop:
c5623556
JH		 5694 kfree_skb(skb);
5695}
5696
3300d9a9 5697static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5698 struct sk_buff *skb)
1da177e4 5699{
69c4e4e8 5700 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5701 u8 *data = skb->data;
5702 int len = skb->len;
5703 struct l2cap_cmd_hdr cmd;
3300d9a9 5704 int err;
1da177e4
LT		 5705
5706 l2cap_raw_recv(conn, skb);
5707
69c4e4e8 5708 if (hcon->type != ACL_LINK)
3b166295 5709 goto drop;
69c4e4e8 5710
1da177e4 5711 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5712 u16 cmd_len;
1da177e4
LT		 5713 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5714 data += L2CAP_CMD_HDR_SIZE;
5715 len -= L2CAP_CMD_HDR_SIZE;
5716
88219a0f 5717 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5718
2d792818
GP		 5719 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5720 cmd.ident);
1da177e4 5721
88219a0f 5722 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5723 BT_DBG("corrupted command");
5724 break;
5725 }
5726
c5623556 5727 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5728 if (err) {
e2fd318e 5729 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5730
5731 BT_ERR("Wrong link type (%d)", err);
1da177e4 5732
dcf4adbf 5733 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5734 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5735 sizeof(rej), &rej);
1da177e4
LT		 5736 }
5737
88219a0f
AV		 5738 data += cmd_len;
5739 len -= cmd_len;
1da177e4
LT		 5740 }
5741
3b166295 5742drop:
1da177e4
LT		 5743 kfree_skb(skb);
5744}
5745
47d1ec61 5746static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5747{
5748 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5749 int hdr_size;
5750
5751 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5752 hdr_size = L2CAP_EXT_HDR_SIZE;
5753 else
5754 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5755
47d1ec61 5756 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5757 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5758 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5759 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5760
5761 if (our_fcs != rcv_fcs)
7a560e5c 5762 return -EBADMSG;
fcc203c3
GP		 5763 }
5764 return 0;
5765}
5766
6ea00485 5767static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5768{
e31f7633 5769 struct l2cap_ctrl control;
d5392c8f 5770
e31f7633 5771 BT_DBG("chan %p", chan);
d5392c8f 5772
e31f7633
MM		 5773 memset(&control, 0, sizeof(control));
5774 control.sframe = 1;
5775 control.final = 1;
5776 control.reqseq = chan->buffer_seq;
5777 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5778
e2ab4353 5779 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5780 control.super = L2CAP_SUPER_RNR;
5781 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5782 }
5783
e31f7633
MM		 5784 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5785 chan->unacked_frames > 0)
5786 __set_retrans_timer(chan);
d5392c8f 5787
e31f7633 5788 /* Send pending iframes */
525cd185 5789 l2cap_ertm_send(chan);
d5392c8f 5790
e2ab4353 5791 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5792 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5793 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5794 * send it now.
5795 */
5796 control.super = L2CAP_SUPER_RR;
5797 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5798 }
5799}
5800
2d792818
GP		 5801static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5802 struct sk_buff **last_frag)
18778a63 5803{
84084a31
MM		 5804 /* skb->len reflects data in skb as well as all fragments
5805 * skb->data_len reflects only data in fragments
5806 */
5807 if (!skb_has_frag_list(skb))
5808 skb_shinfo(skb)->frag_list = new_frag;
5809
5810 new_frag->next = NULL;
5811
5812 (*last_frag)->next = new_frag;
5813 *last_frag = new_frag;
5814
5815 skb->len += new_frag->len;
5816 skb->data_len += new_frag->len;
5817 skb->truesize += new_frag->truesize;
5818}
5819
4b51dae9
MM		 5820static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5821 struct l2cap_ctrl *control)
84084a31
MM		 5822{
5823 int err = -EINVAL;
18778a63 5824
4b51dae9 5825 switch (control->sar) {
7e0ef6ee 5826 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5827 if (chan->sdu)
5828 break;
18778a63 5829
80b98027 5830 err = chan->ops->recv(chan, skb);
84084a31 5831 break;
18778a63 5832
7e0ef6ee 5833 case L2CAP_SAR_START:
84084a31
MM		 5834 if (chan->sdu)
5835 break;
18778a63 5836
6f61fd47 5837 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5838 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5839
84084a31
MM		 5840 if (chan->sdu_len > chan->imtu) {
5841 err = -EMSGSIZE;
5842 break;
5843 }
1890d36b 5844
84084a31
MM		 5845 if (skb->len >= chan->sdu_len)
5846 break;
18778a63 5847
84084a31
MM		 5848 chan->sdu = skb;
5849 chan->sdu_last_frag = skb;
18778a63 5850
84084a31
MM		 5851 skb = NULL;
5852 err = 0;
18778a63
GP		 5853 break;
5854
7e0ef6ee 5855 case L2CAP_SAR_CONTINUE:
6f61fd47 5856 if (!chan->sdu)
84084a31 5857 break;
18778a63 5858
84084a31
MM		 5859 append_skb_frag(chan->sdu, skb,
5860 &chan->sdu_last_frag);
5861 skb = NULL;
18778a63 5862
84084a31
MM		 5863 if (chan->sdu->len >= chan->sdu_len)
5864 break;
4178ba46 5865
84084a31 5866 err = 0;
18778a63
GP		 5867 break;
5868
7e0ef6ee 5869 case L2CAP_SAR_END:
6f61fd47 5870 if (!chan->sdu)
84084a31 5871 break;
18778a63 5872
84084a31
MM		 5873 append_skb_frag(chan->sdu, skb,
5874 &chan->sdu_last_frag);
5875 skb = NULL;
4178ba46 5876
84084a31
MM		 5877 if (chan->sdu->len != chan->sdu_len)
5878 break;
18778a63 5879
80b98027 5880 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5881
84084a31
MM		 5882 if (!err) {
5883 /* Reassembly complete */
5884 chan->sdu = NULL;
5885 chan->sdu_last_frag = NULL;
5886 chan->sdu_len = 0;
1890d36b 5887 }
18778a63
GP		 5888 break;
5889 }
5890
84084a31
MM		 5891 if (err) {
5892 kfree_skb(skb);
5893 kfree_skb(chan->sdu);
5894 chan->sdu = NULL;
5895 chan->sdu_last_frag = NULL;
5896 chan->sdu_len = 0;
5897 }
18778a63 5898
84084a31 5899 return err;
18778a63
GP		 5900}
5901
32b32735
MM		 5902static int l2cap_resegment(struct l2cap_chan *chan)
5903{
5904 /* Placeholder */
5905 return 0;
5906}
5907
61aa4f5b 5908void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5909{
61aa4f5b 5910 u8 event;
712132eb 5911
61aa4f5b
MM		 5912 if (chan->mode != L2CAP_MODE_ERTM)
5913 return;
712132eb 5914
61aa4f5b 5915 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5916 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5917}
5918
d2a7ac5d
MM		 5919static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5920{
63838725
MM		 5921 int err = 0;
5922 /* Pass sequential frames to l2cap_reassemble_sdu()
5923 * until a gap is encountered.
5924 */
5925
5926 BT_DBG("chan %p", chan);
5927
5928 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5929 struct sk_buff *skb;
5930 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5931 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5932
5933 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5934
5935 if (!skb)
5936 break;
5937
5938 skb_unlink(skb, &chan->srej_q);
5939 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5940 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5941 if (err)
5942 break;
5943 }
5944
5945 if (skb_queue_empty(&chan->srej_q)) {
5946 chan->rx_state = L2CAP_RX_STATE_RECV;
5947 l2cap_send_ack(chan);
5948 }
5949
5950 return err;
d2a7ac5d
MM		 5951}
5952
5953static void l2cap_handle_srej(struct l2cap_chan *chan,
5954 struct l2cap_ctrl *control)
5955{
f80842a8
MM		 5956 struct sk_buff *skb;
5957
5958 BT_DBG("chan %p, control %p", chan, control);
5959
5960 if (control->reqseq == chan->next_tx_seq) {
5961 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5962 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5963 return;
5964 }
5965
5966 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5967
5968 if (skb == NULL) {
5969 BT_DBG("Seq %d not available for retransmission",
5970 control->reqseq);
5971 return;
5972 }
5973
5974 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5975 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5976 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5977 return;
5978 }
5979
5980 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5981
5982 if (control->poll) {
5983 l2cap_pass_to_tx(chan, control);
5984
5985 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5986 l2cap_retransmit(chan, control);
5987 l2cap_ertm_send(chan);
5988
5989 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5990 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5991 chan->srej_save_reqseq = control->reqseq;
5992 }
5993 } else {
5994 l2cap_pass_to_tx_fbit(chan, control);
5995
5996 if (control->final) {
5997 if (chan->srej_save_reqseq != control->reqseq ||
5998 !test_and_clear_bit(CONN_SREJ_ACT,
5999 &chan->conn_state))
6000 l2cap_retransmit(chan, control);
6001 } else {
6002 l2cap_retransmit(chan, control);
6003 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6004 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6005 chan->srej_save_reqseq = control->reqseq;
6006 }
6007 }
6008 }
d2a7ac5d
MM		 6009}
6010
6011static void l2cap_handle_rej(struct l2cap_chan *chan,
6012 struct l2cap_ctrl *control)
6013{
fcd289df
MM		 6014 struct sk_buff *skb;
6015
6016 BT_DBG("chan %p, control %p", chan, control);
6017
6018 if (control->reqseq == chan->next_tx_seq) {
6019 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 6020 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6021 return;
6022 }
6023
6024 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6025
6026 if (chan->max_tx && skb &&
6027 bt_cb(skb)->control.retries >= chan->max_tx) {
6028 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 6029 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6030 return;
6031 }
6032
6033 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6034
6035 l2cap_pass_to_tx(chan, control);
6036
6037 if (control->final) {
6038 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6039 l2cap_retransmit_all(chan, control);
6040 } else {
6041 l2cap_retransmit_all(chan, control);
6042 l2cap_ertm_send(chan);
6043 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6044 set_bit(CONN_REJ_ACT, &chan->conn_state);
6045 }
d2a7ac5d
MM		 6046}
6047
4b51dae9
MM		 6048static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6049{
6050 BT_DBG("chan %p, txseq %d", chan, txseq);
6051
6052 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6053 chan->expected_tx_seq);
6054
6055 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6056 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6057 chan->tx_win) {
4b51dae9
MM		 6058 /* See notes below regarding "double poll" and
6059 * invalid packets.
6060 */
6061 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6062 BT_DBG("Invalid/Ignore - after SREJ");
6063 return L2CAP_TXSEQ_INVALID_IGNORE;
6064 } else {
6065 BT_DBG("Invalid - in window after SREJ sent");
6066 return L2CAP_TXSEQ_INVALID;
6067 }
6068 }
6069
6070 if (chan->srej_list.head == txseq) {
6071 BT_DBG("Expected SREJ");
6072 return L2CAP_TXSEQ_EXPECTED_SREJ;
6073 }
6074
6075 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6076 BT_DBG("Duplicate SREJ - txseq already stored");
6077 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6078 }
6079
6080 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6081 BT_DBG("Unexpected SREJ - not requested");
6082 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6083 }
6084 }
6085
6086 if (chan->expected_tx_seq == txseq) {
6087 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6088 chan->tx_win) {
6089 BT_DBG("Invalid - txseq outside tx window");
6090 return L2CAP_TXSEQ_INVALID;
6091 } else {
6092 BT_DBG("Expected");
6093 return L2CAP_TXSEQ_EXPECTED;
6094 }
6095 }
6096
6097 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6098 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6099 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6100 return L2CAP_TXSEQ_DUPLICATE;
6101 }
6102
6103 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6104 /* A source of invalid packets is a "double poll" condition,
6105 * where delays cause us to send multiple poll packets. If
6106 * the remote stack receives and processes both polls,
6107 * sequence numbers can wrap around in such a way that a
6108 * resent frame has a sequence number that looks like new data
6109 * with a sequence gap. This would trigger an erroneous SREJ
6110 * request.
6111 *
6112 * Fortunately, this is impossible with a tx window that's
6113 * less than half of the maximum sequence number, which allows
6114 * invalid frames to be safely ignored.
6115 *
6116 * With tx window sizes greater than half of the tx window
6117 * maximum, the frame is invalid and cannot be ignored. This
6118 * causes a disconnect.
6119 */
6120
6121 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6122 BT_DBG("Invalid/Ignore - txseq outside tx window");
6123 return L2CAP_TXSEQ_INVALID_IGNORE;
6124 } else {
6125 BT_DBG("Invalid - txseq outside tx window");
6126 return L2CAP_TXSEQ_INVALID;
6127 }
6128 } else {
6129 BT_DBG("Unexpected - txseq indicates missing frames");
6130 return L2CAP_TXSEQ_UNEXPECTED;
6131 }
6132}
6133
d2a7ac5d
MM		 6134static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6135 struct l2cap_ctrl *control,
6136 struct sk_buff *skb, u8 event)
6137{
6138 int err = 0;
941247f9 6139 bool skb_in_use = false;
d2a7ac5d
MM		 6140
6141 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6142 event);
6143
6144 switch (event) {
6145 case L2CAP_EV_RECV_IFRAME:
6146 switch (l2cap_classify_txseq(chan, control->txseq)) {
6147 case L2CAP_TXSEQ_EXPECTED:
6148 l2cap_pass_to_tx(chan, control);
6149
6150 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6151 BT_DBG("Busy, discarding expected seq %d",
6152 control->txseq);
6153 break;
6154 }
6155
6156 chan->expected_tx_seq = __next_seq(chan,
6157 control->txseq);
6158
6159 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6160 skb_in_use = true;
d2a7ac5d
MM		 6161
6162 err = l2cap_reassemble_sdu(chan, skb, control);
6163 if (err)
6164 break;
6165
6166 if (control->final) {
6167 if (!test_and_clear_bit(CONN_REJ_ACT,
6168 &chan->conn_state)) {
6169 control->final = 0;
6170 l2cap_retransmit_all(chan, control);
6171 l2cap_ertm_send(chan);
6172 }
6173 }
6174
6175 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6176 l2cap_send_ack(chan);
6177 break;
6178 case L2CAP_TXSEQ_UNEXPECTED:
6179 l2cap_pass_to_tx(chan, control);
6180
6181 /* Can't issue SREJ frames in the local busy state.
6182 * Drop this frame, it will be seen as missing
6183 * when local busy is exited.
6184 */
6185 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6186 BT_DBG("Busy, discarding unexpected seq %d",
6187 control->txseq);
6188 break;
6189 }
6190
6191 /* There was a gap in the sequence, so an SREJ
6192 * must be sent for each missing frame. The
6193 * current frame is stored for later use.
6194 */
6195 skb_queue_tail(&chan->srej_q, skb);
941247f9 6196 skb_in_use = true;
d2a7ac5d
MM		 6197 BT_DBG("Queued %p (queue len %d)", skb,
6198 skb_queue_len(&chan->srej_q));
6199
6200 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6201 l2cap_seq_list_clear(&chan->srej_list);
6202 l2cap_send_srej(chan, control->txseq);
6203
6204 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6205 break;
6206 case L2CAP_TXSEQ_DUPLICATE:
6207 l2cap_pass_to_tx(chan, control);
6208 break;
6209 case L2CAP_TXSEQ_INVALID_IGNORE:
6210 break;
6211 case L2CAP_TXSEQ_INVALID:
6212 default:
5e4e3972 6213 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6214 break;
6215 }
6216 break;
6217 case L2CAP_EV_RECV_RR:
6218 l2cap_pass_to_tx(chan, control);
6219 if (control->final) {
6220 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6221
e6a3ee6e
MM		 6222 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6223 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6224 control->final = 0;
6225 l2cap_retransmit_all(chan, control);
6226 }
6227
6228 l2cap_ertm_send(chan);
6229 } else if (control->poll) {
6230 l2cap_send_i_or_rr_or_rnr(chan);
6231 } else {
6232 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6233 &chan->conn_state) &&
6234 chan->unacked_frames)
6235 __set_retrans_timer(chan);
6236
6237 l2cap_ertm_send(chan);
6238 }
6239 break;
6240 case L2CAP_EV_RECV_RNR:
6241 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6242 l2cap_pass_to_tx(chan, control);
6243 if (control && control->poll) {
6244 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6245 l2cap_send_rr_or_rnr(chan, 0);
6246 }
6247 __clear_retrans_timer(chan);
6248 l2cap_seq_list_clear(&chan->retrans_list);
6249 break;
6250 case L2CAP_EV_RECV_REJ:
6251 l2cap_handle_rej(chan, control);
6252 break;
6253 case L2CAP_EV_RECV_SREJ:
6254 l2cap_handle_srej(chan, control);
6255 break;
6256 default:
6257 break;
6258 }
6259
6260 if (skb && !skb_in_use) {
6261 BT_DBG("Freeing %p", skb);
6262 kfree_skb(skb);
6263 }
6264
6265 return err;
6266}
6267
6268static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6269 struct l2cap_ctrl *control,
6270 struct sk_buff *skb, u8 event)
6271{
6272 int err = 0;
6273 u16 txseq = control->txseq;
941247f9 6274 bool skb_in_use = false;
d2a7ac5d
MM		 6275
6276 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6277 event);
6278
6279 switch (event) {
6280 case L2CAP_EV_RECV_IFRAME:
6281 switch (l2cap_classify_txseq(chan, txseq)) {
6282 case L2CAP_TXSEQ_EXPECTED:
6283 /* Keep frame for reassembly later */
6284 l2cap_pass_to_tx(chan, control);
6285 skb_queue_tail(&chan->srej_q, skb);
941247f9 6286 skb_in_use = true;
d2a7ac5d
MM		 6287 BT_DBG("Queued %p (queue len %d)", skb,
6288 skb_queue_len(&chan->srej_q));
6289
6290 chan->expected_tx_seq = __next_seq(chan, txseq);
6291 break;
6292 case L2CAP_TXSEQ_EXPECTED_SREJ:
6293 l2cap_seq_list_pop(&chan->srej_list);
6294
6295 l2cap_pass_to_tx(chan, control);
6296 skb_queue_tail(&chan->srej_q, skb);
941247f9 6297 skb_in_use = true;
d2a7ac5d
MM		 6298 BT_DBG("Queued %p (queue len %d)", skb,
6299 skb_queue_len(&chan->srej_q));
6300
6301 err = l2cap_rx_queued_iframes(chan);
6302 if (err)
6303 break;
6304
6305 break;
6306 case L2CAP_TXSEQ_UNEXPECTED:
6307 /* Got a frame that can't be reassembled yet.
6308 * Save it for later, and send SREJs to cover
6309 * the missing frames.
6310 */
6311 skb_queue_tail(&chan->srej_q, skb);
941247f9 6312 skb_in_use = true;
d2a7ac5d
MM		 6313 BT_DBG("Queued %p (queue len %d)", skb,
6314 skb_queue_len(&chan->srej_q));
6315
6316 l2cap_pass_to_tx(chan, control);
6317 l2cap_send_srej(chan, control->txseq);
6318 break;
6319 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6320 /* This frame was requested with an SREJ, but
6321 * some expected retransmitted frames are
6322 * missing. Request retransmission of missing
6323 * SREJ'd frames.
6324 */
6325 skb_queue_tail(&chan->srej_q, skb);
941247f9 6326 skb_in_use = true;
d2a7ac5d
MM		 6327 BT_DBG("Queued %p (queue len %d)", skb,
6328 skb_queue_len(&chan->srej_q));
6329
6330 l2cap_pass_to_tx(chan, control);
6331 l2cap_send_srej_list(chan, control->txseq);
6332 break;
6333 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6334 /* We've already queued this frame. Drop this copy. */
6335 l2cap_pass_to_tx(chan, control);
6336 break;
6337 case L2CAP_TXSEQ_DUPLICATE:
6338 /* Expecting a later sequence number, so this frame
6339 * was already received. Ignore it completely.
6340 */
6341 break;
6342 case L2CAP_TXSEQ_INVALID_IGNORE:
6343 break;
6344 case L2CAP_TXSEQ_INVALID:
6345 default:
5e4e3972 6346 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6347 break;
6348 }
6349 break;
6350 case L2CAP_EV_RECV_RR:
6351 l2cap_pass_to_tx(chan, control);
6352 if (control->final) {
6353 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6354
6355 if (!test_and_clear_bit(CONN_REJ_ACT,
6356 &chan->conn_state)) {
6357 control->final = 0;
6358 l2cap_retransmit_all(chan, control);
6359 }
6360
6361 l2cap_ertm_send(chan);
6362 } else if (control->poll) {
6363 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6364 &chan->conn_state) &&
6365 chan->unacked_frames) {
6366 __set_retrans_timer(chan);
6367 }
6368
6369 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6370 l2cap_send_srej_tail(chan);
6371 } else {
6372 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6373 &chan->conn_state) &&
6374 chan->unacked_frames)
6375 __set_retrans_timer(chan);
6376
6377 l2cap_send_ack(chan);
6378 }
6379 break;
6380 case L2CAP_EV_RECV_RNR:
6381 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6382 l2cap_pass_to_tx(chan, control);
6383 if (control->poll) {
6384 l2cap_send_srej_tail(chan);
6385 } else {
6386 struct l2cap_ctrl rr_control;
6387 memset(&rr_control, 0, sizeof(rr_control));
6388 rr_control.sframe = 1;
6389 rr_control.super = L2CAP_SUPER_RR;
6390 rr_control.reqseq = chan->buffer_seq;
6391 l2cap_send_sframe(chan, &rr_control);
6392 }
6393
6394 break;
6395 case L2CAP_EV_RECV_REJ:
6396 l2cap_handle_rej(chan, control);
6397 break;
6398 case L2CAP_EV_RECV_SREJ:
6399 l2cap_handle_srej(chan, control);
6400 break;
6401 }
6402
6403 if (skb && !skb_in_use) {
6404 BT_DBG("Freeing %p", skb);
6405 kfree_skb(skb);
6406 }
6407
6408 return err;
6409}
6410
32b32735
MM		 6411static int l2cap_finish_move(struct l2cap_chan *chan)
6412{
6413 BT_DBG("chan %p", chan);
6414
6415 chan->rx_state = L2CAP_RX_STATE_RECV;
6416
6417 if (chan->hs_hcon)
6418 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6419 else
6420 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6421
6422 return l2cap_resegment(chan);
6423}
6424
6425static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6426 struct l2cap_ctrl *control,
6427 struct sk_buff *skb, u8 event)
6428{
6429 int err;
6430
6431 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6432 event);
6433
6434 if (!control->poll)
6435 return -EPROTO;
6436
6437 l2cap_process_reqseq(chan, control->reqseq);
6438
6439 if (!skb_queue_empty(&chan->tx_q))
6440 chan->tx_send_head = skb_peek(&chan->tx_q);
6441 else
6442 chan->tx_send_head = NULL;
6443
6444 /* Rewind next_tx_seq to the point expected
6445 * by the receiver.
6446 */
6447 chan->next_tx_seq = control->reqseq;
6448 chan->unacked_frames = 0;
6449
6450 err = l2cap_finish_move(chan);
6451 if (err)
6452 return err;
6453
6454 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6455 l2cap_send_i_or_rr_or_rnr(chan);
6456
6457 if (event == L2CAP_EV_RECV_IFRAME)
6458 return -EPROTO;
6459
6460 return l2cap_rx_state_recv(chan, control, NULL, event);
6461}
6462
6463static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6464 struct l2cap_ctrl *control,
6465 struct sk_buff *skb, u8 event)
6466{
6467 int err;
6468
6469 if (!control->final)
6470 return -EPROTO;
6471
6472 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6473
6474 chan->rx_state = L2CAP_RX_STATE_RECV;
6475 l2cap_process_reqseq(chan, control->reqseq);
6476
6477 if (!skb_queue_empty(&chan->tx_q))
6478 chan->tx_send_head = skb_peek(&chan->tx_q);
6479 else
6480 chan->tx_send_head = NULL;
6481
6482 /* Rewind next_tx_seq to the point expected
6483 * by the receiver.
6484 */
6485 chan->next_tx_seq = control->reqseq;
6486 chan->unacked_frames = 0;
6487
6488 if (chan->hs_hcon)
6489 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6490 else
6491 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6492
6493 err = l2cap_resegment(chan);
6494
6495 if (!err)
6496 err = l2cap_rx_state_recv(chan, control, skb, event);
6497
6498 return err;
6499}
6500
d2a7ac5d
MM		 6501static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6502{
6503 /* Make sure reqseq is for a packet that has been sent but not acked */
6504 u16 unacked;
6505
6506 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6507 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6508}
6509
cec8ab6e
MM		 6510static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6511 struct sk_buff *skb, u8 event)
218bb9df 6512{
d2a7ac5d
MM		 6513 int err = 0;
6514
6515 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6516 control, skb, event, chan->rx_state);
6517
6518 if (__valid_reqseq(chan, control->reqseq)) {
6519 switch (chan->rx_state) {
6520 case L2CAP_RX_STATE_RECV:
6521 err = l2cap_rx_state_recv(chan, control, skb, event);
6522 break;
6523 case L2CAP_RX_STATE_SREJ_SENT:
6524 err = l2cap_rx_state_srej_sent(chan, control, skb,
6525 event);
6526 break;
32b32735
MM		 6527 case L2CAP_RX_STATE_WAIT_P:
6528 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6529 break;
6530 case L2CAP_RX_STATE_WAIT_F:
6531 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6532 break;
d2a7ac5d
MM		 6533 default:
6534 /* shut it down */
6535 break;
6536 }
6537 } else {
6538 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6539 control->reqseq, chan->next_tx_seq,
6540 chan->expected_ack_seq);
5e4e3972 6541 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6542 }
6543
6544 return err;
cec8ab6e
MM		 6545}
6546
6547static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6548 struct sk_buff *skb)
6549{
4b51dae9
MM		 6550 int err = 0;
6551
6552 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6553 chan->rx_state);
6554
6555 if (l2cap_classify_txseq(chan, control->txseq) ==
6556 L2CAP_TXSEQ_EXPECTED) {
6557 l2cap_pass_to_tx(chan, control);
6558
6559 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6560 __next_seq(chan, chan->buffer_seq));
6561
6562 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6563
6564 l2cap_reassemble_sdu(chan, skb, control);
6565 } else {
6566 if (chan->sdu) {
6567 kfree_skb(chan->sdu);
6568 chan->sdu = NULL;
6569 }
6570 chan->sdu_last_frag = NULL;
6571 chan->sdu_len = 0;
6572
6573 if (skb) {
6574 BT_DBG("Freeing %p", skb);
6575 kfree_skb(skb);
6576 }
6577 }
6578
6579 chan->last_acked_seq = control->txseq;
6580 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6581
6582 return err;
cec8ab6e
MM		 6583}
6584
6585static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6586{
6587 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6588 u16 len;
6589 u8 event;
218bb9df 6590
b76bbd66
MM		 6591 __unpack_control(chan, skb);
6592
218bb9df
GP		 6593 len = skb->len;
6594
6595 /*
6596 * We can just drop the corrupted I-frame here.
6597 * Receiver will miss it and start proper recovery
cec8ab6e 6598 * procedures and ask for retransmission.
218bb9df 6599 */
47d1ec61 6600 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6601 goto drop;
6602
cec8ab6e 6603 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6604 len -= L2CAP_SDULEN_SIZE;
218bb9df 6605
47d1ec61 6606 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6607 len -= L2CAP_FCS_SIZE;
218bb9df 6608
47d1ec61 6609 if (len > chan->mps) {
5e4e3972 6610 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6611 goto drop;
6612 }
6613
cec8ab6e
MM		 6614 if (!control->sframe) {
6615 int err;
218bb9df 6616
cec8ab6e
MM		 6617 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6618 control->sar, control->reqseq, control->final,
6619 control->txseq);
218bb9df 6620
cec8ab6e
MM		 6621 /* Validate F-bit - F=0 always valid, F=1 only
6622 * valid in TX WAIT_F
6623 */
6624 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6625 goto drop;
cec8ab6e
MM		 6626
6627 if (chan->mode != L2CAP_MODE_STREAMING) {
6628 event = L2CAP_EV_RECV_IFRAME;
6629 err = l2cap_rx(chan, control, skb, event);
6630 } else {
6631 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6632 }
6633
cec8ab6e 6634 if (err)
5e4e3972 6635 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6636 } else {
cec8ab6e
MM		 6637 const u8 rx_func_to_event[4] = {
6638 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6639 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6640 };
6641
6642 /* Only I-frames are expected in streaming mode */
6643 if (chan->mode == L2CAP_MODE_STREAMING)
6644 goto drop;
6645
6646 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6647 control->reqseq, control->final, control->poll,
6648 control->super);
6649
218bb9df 6650 if (len != 0) {
1bb166e6 6651 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6652 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6653 goto drop;
6654 }
6655
cec8ab6e
MM		 6656 /* Validate F and P bits */
6657 if (control->final && (control->poll ||
6658 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6659 goto drop;
6660
6661 event = rx_func_to_event[control->super];
6662 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6663 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6664 }
6665
6666 return 0;
6667
6668drop:
6669 kfree_skb(skb);
6670 return 0;
6671}
6672
b1c325c2
JH		 6673static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6674{
6675 struct l2cap_conn *conn = chan->conn;
6676 struct l2cap_le_credits pkt;
6677 u16 return_credits;
6678
6679 /* We return more credits to the sender only after the amount of
6680 * credits falls below half of the initial amount.
6681 */
f15b8ecf 6682 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6683 return;
6684
f15b8ecf 6685 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6686
6687 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6688
6689 chan->rx_credits += return_credits;
6690
6691 pkt.cid = cpu_to_le16(chan->scid);
6692 pkt.credits = cpu_to_le16(return_credits);
6693
6694 chan->ident = l2cap_get_ident(conn);
6695
6696 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6697}
6698
fad5fc89
JH		 6699static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6700{
aac23bf6
JH		 6701 int err;
6702
6703 if (!chan->rx_credits) {
6704 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6705 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6706 return -ENOBUFS;
aac23bf6 6707 }
fad5fc89 6708
aac23bf6
JH		 6709 if (chan->imtu < skb->len) {
6710 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6711 return -ENOBUFS;
aac23bf6 6712 }
fad5fc89
JH		 6713
6714 chan->rx_credits--;
6715 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6716
6717 l2cap_chan_le_send_credits(chan);
6718
aac23bf6
JH		 6719 err = 0;
6720
6721 if (!chan->sdu) {
6722 u16 sdu_len;
6723
6724 sdu_len = get_unaligned_le16(skb->data);
6725 skb_pull(skb, L2CAP_SDULEN_SIZE);
6726
6727 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6728 sdu_len, skb->len, chan->imtu);
6729
6730 if (sdu_len > chan->imtu) {
6731 BT_ERR("Too big LE L2CAP SDU length received");
6732 err = -EMSGSIZE;
6733 goto failed;
6734 }
6735
6736 if (skb->len > sdu_len) {
6737 BT_ERR("Too much LE L2CAP data received");
6738 err = -EINVAL;
6739 goto failed;
6740 }
6741
6742 if (skb->len == sdu_len)
6743 return chan->ops->recv(chan, skb);
6744
6745 chan->sdu = skb;
6746 chan->sdu_len = sdu_len;
6747 chan->sdu_last_frag = skb;
6748
6749 return 0;
6750 }
6751
6752 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6753 chan->sdu->len, skb->len, chan->sdu_len);
6754
6755 if (chan->sdu->len + skb->len > chan->sdu_len) {
6756 BT_ERR("Too much LE L2CAP data received");
6757 err = -EINVAL;
6758 goto failed;
6759 }
6760
6761 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6762 skb = NULL;
6763
6764 if (chan->sdu->len == chan->sdu_len) {
6765 err = chan->ops->recv(chan, chan->sdu);
6766 if (!err) {
6767 chan->sdu = NULL;
6768 chan->sdu_last_frag = NULL;
6769 chan->sdu_len = 0;
6770 }
6771 }
6772
6773failed:
6774 if (err) {
6775 kfree_skb(skb);
6776 kfree_skb(chan->sdu);
6777 chan->sdu = NULL;
6778 chan->sdu_last_frag = NULL;
6779 chan->sdu_len = 0;
6780 }
6781
6782 /* We can't return an error here since we took care of the skb
6783 * freeing internally. An error return would cause the caller to
6784 * do a double-free of the skb.
6785 */
6786 return 0;
fad5fc89
JH		 6787}
6788
13ca56e0
AE		 6789static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6790 struct sk_buff *skb)
1da177e4 6791{
48454079 6792 struct l2cap_chan *chan;
1da177e4 6793
baa7e1fa 6794 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6795 if (!chan) {
97e8e89d
AE		 6796 if (cid == L2CAP_CID_A2MP) {
6797 chan = a2mp_channel_create(conn, skb);
6798 if (!chan) {
6799 kfree_skb(skb);
13ca56e0 6800 return;
97e8e89d
AE		 6801 }
6802
6803 l2cap_chan_lock(chan);
6804 } else {
6805 BT_DBG("unknown cid 0x%4.4x", cid);
6806 /* Drop packet and return */
6807 kfree_skb(skb);
13ca56e0 6808 return;
97e8e89d 6809 }
1da177e4
LT		 6810 }
6811
49208c9c 6812 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6813
89bc500e 6814 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6815 goto drop;
6816
0c1bc5c6 6817 switch (chan->mode) {
38319713 6818 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6819 if (l2cap_le_data_rcv(chan, skb) < 0)
6820 goto drop;
6821
6822 goto done;
6823
1c2acffb
GP		 6824 case L2CAP_MODE_BASIC:
6825 /* If socket recv buffers overflows we drop data here
6826 * which is *bad* because L2CAP has to be reliable.
6827 * But we don't have any other choice. L2CAP doesn't
6828 * provide flow control mechanism. */
1da177e4 6829
2c96e03d
SJ		 6830 if (chan->imtu < skb->len) {
6831 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6832 goto drop;
2c96e03d 6833 }
1da177e4 6834
80b98027 6835 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6836 goto done;
6837 break;
6838
6839 case L2CAP_MODE_ERTM:
6840ed07 6840 case L2CAP_MODE_STREAMING:
cec8ab6e 6841 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6842 goto done;
6843
1c2acffb 6844 default:
0c1bc5c6 6845 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6846 break;
6847 }
1da177e4
LT		 6848
6849drop:
6850 kfree_skb(skb);
6851
6852done:
6be36555 6853 l2cap_chan_unlock(chan);
1da177e4
LT		 6854}
6855
84104b24
AE		 6856static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6857 struct sk_buff *skb)
1da177e4 6858{
ae4fd2d3 6859 struct hci_conn *hcon = conn->hcon;
23691d75 6860 struct l2cap_chan *chan;
1da177e4 6861
ae4fd2d3 6862 if (hcon->type != ACL_LINK)
a24cce14 6863 goto free_skb;
ae4fd2d3 6864
bf20fd4e
JH		 6865 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6866 ACL_LINK);
23691d75 6867 if (!chan)
a24cce14 6868 goto free_skb;
1da177e4 6869
5b4cedaa 6870 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6871
89bc500e 6872 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6873 goto drop;
6874
e13e21dc 6875 if (chan->imtu < skb->len)
1da177e4
LT		 6876 goto drop;
6877
2edf870d 6878 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6879 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6880 bt_cb(skb)->psm = psm;
6881
a24cce14
JH		 6882 if (!chan->ops->recv(chan, skb)) {
6883 l2cap_chan_put(chan);
84104b24 6884 return;
a24cce14 6885 }
1da177e4
LT		 6886
6887drop:
a24cce14
JH		 6888 l2cap_chan_put(chan);
6889free_skb:
1da177e4 6890 kfree_skb(skb);
1da177e4
LT		 6891}
6892
72f78356 6893static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6894 struct sk_buff *skb)
9f69bda6 6895{
b99707d7 6896 struct hci_conn *hcon = conn->hcon;
23691d75 6897 struct l2cap_chan *chan;
9f69bda6 6898
b99707d7 6899 if (hcon->type != LE_LINK)
a24cce14 6900 goto free_skb;
b99707d7 6901
af1c0134 6902 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6903 &hcon->src, &hcon->dst);
23691d75 6904 if (!chan)
a24cce14 6905 goto free_skb;
9f69bda6 6906
5b4cedaa 6907 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6908
e13e21dc 6909 if (chan->imtu < skb->len)
9f69bda6
GP		 6910 goto drop;
6911
a24cce14
JH		 6912 if (!chan->ops->recv(chan, skb)) {
6913 l2cap_chan_put(chan);
6810fca7 6914 return;
a24cce14 6915 }
9f69bda6
GP		 6916
6917drop:
a24cce14
JH		 6918 l2cap_chan_put(chan);
6919free_skb:
9f69bda6 6920 kfree_skb(skb);
9f69bda6
GP		 6921}
6922
1da177e4
LT		 6923static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6924{
6925 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6926 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6927 u16 cid, len;
6928 __le16 psm;
1da177e4 6929
61a939c6
JH		 6930 if (hcon->state != BT_CONNECTED) {
6931 BT_DBG("queueing pending rx skb");
6932 skb_queue_tail(&conn->pending_rx, skb);
6933 return;
6934 }
6935
1da177e4
LT		 6936 skb_pull(skb, L2CAP_HDR_SIZE);
6937 cid = __le16_to_cpu(lh->cid);
6938 len = __le16_to_cpu(lh->len);
6939
1c2acffb
GP		 6940 if (len != skb->len) {
6941 kfree_skb(skb);
6942 return;
6943 }
6944
9e1d7e15
JH		 6945 /* Since we can't actively block incoming LE connections we must
6946 * at least ensure that we ignore incoming data from them.
6947 */
6948 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6949 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6950 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6951 kfree_skb(skb);
6952 return;
6953 }
6954
1da177e4
LT		 6955 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6956
6957 switch (cid) {
8db4dc46 6958 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6959 l2cap_sig_channel(conn, skb);
6960 break;
6961
8db4dc46 6962 case L2CAP_CID_CONN_LESS:
097db76c 6963 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6964 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6965 l2cap_conless_channel(conn, psm, skb);
6966 break;
6967
073d1cf3 6968 case L2CAP_CID_ATT:
72f78356 6969 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6970 break;
6971
a2877629
MH		 6972 case L2CAP_CID_LE_SIGNALING:
6973 l2cap_le_sig_channel(conn, skb);
6974 break;
6975
b501d6a1
AB		 6976 case L2CAP_CID_SMP:
6977 if (smp_sig_channel(conn, skb))
6978 l2cap_conn_del(conn->hcon, EACCES);
6979 break;
6980
1da177e4
LT		 6981 default:
6982 l2cap_data_channel(conn, cid, skb);
6983 break;
6984 }
6985}
6986
61a939c6
JH		 6987static void process_pending_rx(struct work_struct *work)
6988{
6989 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6990 pending_rx_work);
6991 struct sk_buff *skb;
6992
6993 BT_DBG("");
6994
6995 while ((skb = skb_dequeue(&conn->pending_rx)))
6996 l2cap_recv_frame(conn, skb);
6997}
6998
162b49e7
JH		 6999static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7000{
7001 struct l2cap_conn *conn = hcon->l2cap_data;
7002 struct hci_chan *hchan;
7003
7004 if (conn)
7005 return conn;
7006
7007 hchan = hci_chan_create(hcon);
7008 if (!hchan)
7009 return NULL;
7010
27f70f3e 7011 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 7012 if (!conn) {
7013 hci_chan_del(hchan);
7014 return NULL;
7015 }
7016
7017 kref_init(&conn->ref);
7018 hcon->l2cap_data = conn;
7019 conn->hcon = hcon;
7020 hci_conn_get(conn->hcon);
7021 conn->hchan = hchan;
7022
7023 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7024
7025 switch (hcon->type) {
7026 case LE_LINK:
7027 if (hcon->hdev->le_mtu) {
7028 conn->mtu = hcon->hdev->le_mtu;
7029 break;
7030 }
7031 /* fall through */
7032 default:
7033 conn->mtu = hcon->hdev->acl_mtu;
7034 break;
7035 }
7036
7037 conn->feat_mask = 0;
7038
7039 if (hcon->type == ACL_LINK)
7040 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
7041 &hcon->hdev->dev_flags);
7042
5a54e7c8 7043 mutex_init(&conn->ident_lock);
162b49e7
JH		 7044 mutex_init(&conn->chan_lock);
7045
7046 INIT_LIST_HEAD(&conn->chan_l);
7047 INIT_LIST_HEAD(&conn->users);
7048
7049 if (hcon->type == LE_LINK)
7050 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
7051 else
7052 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7053
61a939c6
JH		 7054 skb_queue_head_init(&conn->pending_rx);
7055 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7056
162b49e7
JH		 7057 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7058
7059 return conn;
7060}
7061
7062static bool is_valid_psm(u16 psm, u8 dst_type) {
7063 if (!psm)
7064 return false;
7065
7066 if (bdaddr_type_is_le(dst_type))
7067 return (psm <= 0x00ff);
7068
7069 /* PSM must be odd and lsb of upper byte must be 0 */
7070 return ((psm & 0x0101) == 0x0001);
7071}
7072
7073int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7074 bdaddr_t *dst, u8 dst_type)
7075{
7076 struct l2cap_conn *conn;
7077 struct hci_conn *hcon;
7078 struct hci_dev *hdev;
162b49e7
JH		 7079 int err;
7080
7081 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7082 dst_type, __le16_to_cpu(psm));
7083
7084 hdev = hci_get_route(dst, &chan->src);
7085 if (!hdev)
7086 return -EHOSTUNREACH;
7087
7088 hci_dev_lock(hdev);
7089
7090 l2cap_chan_lock(chan);
7091
7092 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7093 chan->chan_type != L2CAP_CHAN_RAW) {
7094 err = -EINVAL;
7095 goto done;
7096 }
7097
21626e62
JH		 7098 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7099 err = -EINVAL;
7100 goto done;
7101 }
7102
7103 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 7104 err = -EINVAL;
7105 goto done;
7106 }
7107
7108 switch (chan->mode) {
7109 case L2CAP_MODE_BASIC:
7110 break;
7111 case L2CAP_MODE_LE_FLOWCTL:
7112 l2cap_le_flowctl_init(chan);
7113 break;
7114 case L2CAP_MODE_ERTM:
7115 case L2CAP_MODE_STREAMING:
7116 if (!disable_ertm)
7117 break;
7118 /* fall through */
7119 default:
beb19e4c 7120 err = -EOPNOTSUPP;
162b49e7
JH		 7121 goto done;
7122 }
7123
7124 switch (chan->state) {
7125 case BT_CONNECT:
7126 case BT_CONNECT2:
7127 case BT_CONFIG:
7128 /* Already connecting */
7129 err = 0;
7130 goto done;
7131
7132 case BT_CONNECTED:
7133 /* Already connected */
7134 err = -EISCONN;
7135 goto done;
7136
7137 case BT_OPEN:
7138 case BT_BOUND:
7139 /* Can connect */
7140 break;
7141
7142 default:
7143 err = -EBADFD;
7144 goto done;
7145 }
7146
7147 /* Set destination address and psm */
7148 bacpy(&chan->dst, dst);
7149 chan->dst_type = dst_type;
7150
7151 chan->psm = psm;
7152 chan->dcid = cid;
7153
6f77d8c7 7154 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7155 u8 role;
cdd6275e 7156
6f77d8c7
AG		 7157 /* Convert from L2CAP channel address type to HCI address type
7158 */
7159 if (dst_type == BDADDR_LE_PUBLIC)
7160 dst_type = ADDR_LE_DEV_PUBLIC;
7161 else
7162 dst_type = ADDR_LE_DEV_RANDOM;
7163
e804d25d
JH		 7164 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7165 role = HCI_ROLE_SLAVE;
7166 else
7167 role = HCI_ROLE_MASTER;
cdd6275e 7168
04a6c589 7169 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7170 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7171 } else {
d93375a8 7172 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7173 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7174 }
162b49e7
JH		 7175
7176 if (IS_ERR(hcon)) {
7177 err = PTR_ERR(hcon);
7178 goto done;
7179 }
7180
7181 conn = l2cap_conn_add(hcon);
7182 if (!conn) {
7183 hci_conn_drop(hcon);
7184 err = -ENOMEM;
7185 goto done;
7186 }
7187
7188 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7189 hci_conn_drop(hcon);
7190 err = -EBUSY;
7191 goto done;
7192 }
7193
7194 /* Update source addr of the socket */
7195 bacpy(&chan->src, &hcon->src);
7196 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7197
7198 l2cap_chan_unlock(chan);
7199 l2cap_chan_add(conn, chan);
7200 l2cap_chan_lock(chan);
7201
7202 /* l2cap_chan_add takes its own ref so we can drop this one */
7203 hci_conn_drop(hcon);
7204
7205 l2cap_state_change(chan, BT_CONNECT);
7206 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7207
61202e4d
JH		 7208 /* Release chan->sport so that it can be reused by other
7209 * sockets (as it's only used for listening sockets).
7210 */
7211 write_lock(&chan_list_lock);
7212 chan->sport = 0;
7213 write_unlock(&chan_list_lock);
7214
162b49e7
JH		 7215 if (hcon->state == BT_CONNECTED) {
7216 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7217 __clear_chan_timer(chan);
e7cafc45 7218 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7219 l2cap_state_change(chan, BT_CONNECTED);
7220 } else
7221 l2cap_do_start(chan);
7222 }
7223
7224 err = 0;
7225
7226done:
7227 l2cap_chan_unlock(chan);
7228 hci_dev_unlock(hdev);
7229 hci_dev_put(hdev);
7230 return err;
7231}
6b8d4a6a 7232EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7233
1da177e4
LT		 7234/* ---- L2CAP interface with lower layer (HCI) ---- */
7235
686ebf28 7236int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7237{
7238 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7239 struct l2cap_chan *c;
1da177e4 7240
6ed93dc6 7241 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7242
7243 /* Find listening sockets and check their link_mode */
23691d75
GP		 7244 read_lock(&chan_list_lock);
7245 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7246 if (c->state != BT_LISTEN)
1da177e4
LT		 7247 continue;
7248
7eafc59e 7249 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7250 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7251 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7252 lm1 |= HCI_LM_MASTER;
1da177e4 7253 exact++;
7eafc59e 7254 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7255 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7256 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7257 lm2 |= HCI_LM_MASTER;
7258 }
1da177e4 7259 }
23691d75 7260 read_unlock(&chan_list_lock);
1da177e4
LT		 7261
7262 return exact ? lm1 : lm2;
7263}
7264
9e664631 7265void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7266{
0139418c
MH		 7267 struct l2cap_conn *conn;
7268
6ed93dc6 7269 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7270
1da177e4 7271 if (!status) {
baf43251 7272 conn = l2cap_conn_add(hcon);
1da177e4
LT		 7273 if (conn)
7274 l2cap_conn_ready(conn);
ba6fc317 7275 } else {
e175072f 7276 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 7277 }
1da177e4
LT		 7278}
7279
686ebf28 7280int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7281{
7282 struct l2cap_conn *conn = hcon->l2cap_data;
7283
7284 BT_DBG("hcon %p", hcon);
7285
686ebf28 7286 if (!conn)
9f5a0d7b 7287 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7288 return conn->disc_reason;
7289}
7290
9e664631 7291void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7292{
7293 BT_DBG("hcon %p reason %d", hcon, reason);
7294
e175072f 7295 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7296}
7297
4343478f 7298static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7299{
715ec005 7300 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7301 return;
7302
f62e4323 7303 if (encrypt == 0x00) {
4343478f 7304 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7305 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7306 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7307 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7308 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7309 } else {
4343478f 7310 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7311 __clear_chan_timer(chan);
f62e4323
MH		 7312 }
7313}
7314
686ebf28 7315int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7316{
0139418c 7317 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7318 struct l2cap_chan *chan;
1da177e4 7319
0139418c 7320 if (!conn)
1da177e4 7321 return 0;
0139418c 7322
89d8b407 7323 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7324
160dc6ac 7325 if (hcon->type == LE_LINK) {
35d4adcc 7326 if (!status && encrypt)
4bd6d38e 7327 smp_distribute_keys(conn);
17cd3f37 7328 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7329 }
7330
3df91ea2 7331 mutex_lock(&conn->chan_lock);
1da177e4 7332
3df91ea2 7333 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7334 l2cap_chan_lock(chan);
1da177e4 7335
89d8b407
AE		 7336 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7337 state_to_string(chan->state));
f1cb9af5 7338
2338a7e0 7339 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7340 l2cap_chan_unlock(chan);
7341 continue;
7342 }
7343
191eb398
JH		 7344 if (!status && encrypt)
7345 chan->sec_level = hcon->sec_level;
f1cb9af5 7346
96eff46e 7347 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7348 l2cap_chan_unlock(chan);
6a8d3010
MH		 7349 continue;
7350 }
7351
89bc500e 7352 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7353 chan->state == BT_CONFIG)) {
d97c899b 7354 chan->ops->resume(chan);
4343478f 7355 l2cap_check_encryption(chan, encrypt);
6be36555 7356 l2cap_chan_unlock(chan);
9719f8af
MH		 7357 continue;
7358 }
7359
89bc500e 7360 if (chan->state == BT_CONNECT) {
6d3c15da 7361 if (!status)
93c3e8f5 7362 l2cap_start_connection(chan);
6d3c15da 7363 else
ba13ccd9 7364 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7365 } else if (chan->state == BT_CONNECT2) {
b1235d79 7366 struct l2cap_conn_rsp rsp;
df3c3931 7367 __u16 res, stat;
1da177e4 7368
b1235d79 7369 if (!status) {
bdc25783 7370 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7371 res = L2CAP_CR_PEND;
7372 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7373 chan->ops->defer(chan);
df3c3931 7374 } else {
acdcabf5 7375 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7376 res = L2CAP_CR_SUCCESS;
7377 stat = L2CAP_CS_NO_INFO;
7378 }
b1235d79 7379 } else {
acdcabf5 7380 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7381 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7382 res = L2CAP_CR_SEC_BLOCK;
7383 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7384 }
7385
fe4128e0
GP		 7386 rsp.scid = cpu_to_le16(chan->dcid);
7387 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7388 rsp.result = cpu_to_le16(res);
7389 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7390 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7391 sizeof(rsp), &rsp);
2d369359
MM		 7392
7393 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7394 res == L2CAP_CR_SUCCESS) {
7395 char buf[128];
7396 set_bit(CONF_REQ_SENT, &chan->conf_state);
7397 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7398 L2CAP_CONF_REQ,
7399 l2cap_build_conf_req(chan, buf),
7400 buf);
7401 chan->num_conf_req++;
7402 }
b1235d79 7403 }
1da177e4 7404
6be36555 7405 l2cap_chan_unlock(chan);
1da177e4
LT		 7406 }
7407
3df91ea2 7408 mutex_unlock(&conn->chan_lock);
b1235d79 7409
1da177e4
LT		 7410 return 0;
7411}
7412
686ebf28 7413int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7414{
7415 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7416 struct l2cap_hdr *hdr;
7417 int len;
1da177e4 7418
1d13a254
AE		 7419 /* For AMP controller do not create l2cap conn */
7420 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7421 goto drop;
1da177e4 7422
5a08ecce 7423 if (!conn)
baf43251 7424 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7425
7426 if (!conn)
1da177e4
LT		 7427 goto drop;
7428
7429 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7430
d73a0988
AE		 7431 switch (flags) {
7432 case ACL_START:
7433 case ACL_START_NO_FLUSH:
7434 case ACL_COMPLETE:
1da177e4
LT		 7435 if (conn->rx_len) {
7436 BT_ERR("Unexpected start frame (len %d)", skb->len);
7437 kfree_skb(conn->rx_skb);
7438 conn->rx_skb = NULL;
7439 conn->rx_len = 0;
7440 l2cap_conn_unreliable(conn, ECOMM);
7441 }
7442
aae7fe22
AE		 7443 /* Start fragment always begin with Basic L2CAP header */
7444 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7445 BT_ERR("Frame is too short (len %d)", skb->len);
7446 l2cap_conn_unreliable(conn, ECOMM);
7447 goto drop;
7448 }
7449
7450 hdr = (struct l2cap_hdr *) skb->data;
7451 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7452
7453 if (len == skb->len) {
7454 /* Complete frame received */
7455 l2cap_recv_frame(conn, skb);
7456 return 0;
7457 }
7458
7459 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7460
7461 if (skb->len > len) {
7462 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7463 skb->len, len);
1da177e4
LT		 7464 l2cap_conn_unreliable(conn, ECOMM);
7465 goto drop;
7466 }
7467
7468 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7469 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7470 if (!conn->rx_skb)
1da177e4
LT		 7471 goto drop;
7472
d626f62b 7473 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7474 skb->len);
1da177e4 7475 conn->rx_len = len - skb->len;
d73a0988
AE		 7476 break;
7477
7478 case ACL_CONT:
1da177e4
LT		 7479 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7480
7481 if (!conn->rx_len) {
7482 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7483 l2cap_conn_unreliable(conn, ECOMM);
7484 goto drop;
7485 }
7486
7487 if (skb->len > conn->rx_len) {
7488 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7489 skb->len, conn->rx_len);
1da177e4
LT		 7490 kfree_skb(conn->rx_skb);
7491 conn->rx_skb = NULL;
7492 conn->rx_len = 0;
7493 l2cap_conn_unreliable(conn, ECOMM);
7494 goto drop;
7495 }
7496
d626f62b 7497 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7498 skb->len);
1da177e4
LT		 7499 conn->rx_len -= skb->len;
7500
7501 if (!conn->rx_len) {
c4e5bafa
JH		 7502 /* Complete frame received. l2cap_recv_frame
7503 * takes ownership of the skb so set the global
7504 * rx_skb pointer to NULL first.
7505 */
7506 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7507 conn->rx_skb = NULL;
c4e5bafa 7508 l2cap_recv_frame(conn, rx_skb);
1da177e4 7509 }
d73a0988 7510 break;
1da177e4
LT		 7511 }
7512
7513drop:
7514 kfree_skb(skb);
7515 return 0;
7516}
7517
aef7d97c 7518static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7519{
23691d75 7520 struct l2cap_chan *c;
1da177e4 7521
333055f2 7522 read_lock(&chan_list_lock);
1da177e4 7523
23691d75 7524 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7525 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7526 &c->src, &c->dst,
fcb73338
AE		 7527 c->state, __le16_to_cpu(c->psm),
7528 c->scid, c->dcid, c->imtu, c->omtu,
7529 c->sec_level, c->mode);
61e1b4b7 7530 }
1da177e4 7531
333055f2 7532 read_unlock(&chan_list_lock);
1da177e4 7533
aef7d97c 7534 return 0;
1da177e4
LT		 7535}
7536
aef7d97c
MH		 7537static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7538{
7539 return single_open(file, l2cap_debugfs_show, inode->i_private);
7540}
7541
7542static const struct file_operations l2cap_debugfs_fops = {
7543 .open = l2cap_debugfs_open,
7544 .read = seq_read,
7545 .llseek = seq_lseek,
7546 .release = single_release,
7547};
7548
7549static struct dentry *l2cap_debugfs;
1da177e4 7550
64274518 7551int __init l2cap_init(void)
1da177e4
LT		 7552{
7553 int err;
be9d1227 7554
bb58f747 7555 err = l2cap_init_sockets();
1da177e4
LT		 7556 if (err < 0)
7557 return err;
7558
1120e4bf
MH		 7559 if (IS_ERR_OR_NULL(bt_debugfs))
7560 return 0;
7561
7562 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7563 NULL, &l2cap_debugfs_fops);
1da177e4 7564
40b9397a 7565 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7566 &le_max_credits);
40b9397a 7567 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7568 &le_default_mps);
7569
1da177e4 7570 return 0;
1da177e4
LT		 7571}
7572
64274518 7573void l2cap_exit(void)
1da177e4 7574{
aef7d97c 7575 debugfs_remove(l2cap_debugfs);
bb58f747 7576 l2cap_cleanup_sockets();
1da177e4
LT		 7577}
7578
d1c4a17d
GP		 7579module_param(disable_ertm, bool, 0644);
7580MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.839775 seconds and 5 git commands to generate.