projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove dead code from SMP encryption function
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
d1de6d46 44bool disable_ertm;
f0709e03 45
547d1032 46static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 47static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 48
b5ad8b7f
JB		 49static LIST_HEAD(chan_list);
50static DEFINE_RWLOCK(chan_list_lock);
1da177e4 51
1da177e4 52static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 53 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 54static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 55 void *data);
710f9b0a 56static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 57static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
4f1654e0
MH		 62static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
63{
64 if (hcon->type == LE_LINK) {
65 if (type == ADDR_LE_DEV_PUBLIC)
66 return BDADDR_LE_PUBLIC;
67 else
68 return BDADDR_LE_RANDOM;
69 }
70
71 return BDADDR_BREDR;
72}
73
0139418c 74/* ---- L2CAP channels ---- */
71ba0e56 75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
2d792818
GP		 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
89 u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
ef191ade 101 * Returns locked channel. */
2d792818
GP		 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa 106
3df91ea2 107 mutex_lock(&conn->chan_lock);
baa7e1fa 108 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 109 if (c)
110 l2cap_chan_lock(c);
3df91ea2
AE		 111 mutex_unlock(&conn->chan_lock);
112
48454079 113 return c;
0139418c
MH		 114}
115
b1a130b7
MM		 116/* Find channel with given DCID.
117 * Returns locked channel.
118 */
119static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
120 u16 cid)
121{
122 struct l2cap_chan *c;
123
124 mutex_lock(&conn->chan_lock);
125 c = __l2cap_get_chan_by_dcid(conn, cid);
126 if (c)
127 l2cap_chan_lock(c);
128 mutex_unlock(&conn->chan_lock);
129
130 return c;
131}
132
2d792818
GP		 133static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
0139418c 135{
3df91ea2 136 struct l2cap_chan *c;
3d57dc68 137
3df91ea2
AE		 138 list_for_each_entry(c, &conn->chan_l, list) {
139 if (c->ident == ident)
140 return c;
0139418c 141 }
3df91ea2 142 return NULL;
0139418c
MH		 143}
144
5b155ef9
MM		 145static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
146 u8 ident)
147{
148 struct l2cap_chan *c;
149
150 mutex_lock(&conn->chan_lock);
151 c = __l2cap_get_chan_by_ident(conn, ident);
152 if (c)
153 l2cap_chan_lock(c);
154 mutex_unlock(&conn->chan_lock);
155
156 return c;
157}
158
23691d75 159static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 160{
23691d75 161 struct l2cap_chan *c;
9e4425ff 162
23691d75 163 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 164 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 165 return c;
9e4425ff 166 }
250938cb 167 return NULL;
9e4425ff
GP		 168}
169
170int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
171{
73b2ec18
GP		 172 int err;
173
333055f2 174 write_lock(&chan_list_lock);
9e4425ff 175
23691d75 176 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 177 err = -EADDRINUSE;
178 goto done;
9e4425ff
GP		 179 }
180
73b2ec18
GP		 181 if (psm) {
182 chan->psm = psm;
183 chan->sport = psm;
184 err = 0;
185 } else {
186 u16 p;
187
188 err = -EINVAL;
189 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 190 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 191 chan->psm = cpu_to_le16(p);
192 chan->sport = cpu_to_le16(p);
193 err = 0;
194 break;
195 }
196 }
9e4425ff 197
73b2ec18 198done:
333055f2 199 write_unlock(&chan_list_lock);
73b2ec18 200 return err;
9e4425ff
GP		 201}
202
203int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
204{
333055f2 205 write_lock(&chan_list_lock);
9e4425ff
GP		 206
207 chan->scid = scid;
208
333055f2 209 write_unlock(&chan_list_lock);
9e4425ff
GP		 210
211 return 0;
212}
213
baa7e1fa 214static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 215{
8db4dc46 216 u16 cid = L2CAP_CID_DYN_START;
0139418c 217
8db4dc46 218 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 219 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 220 return cid;
221 }
222
223 return 0;
224}
225
f93fa273 226static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 227{
42d2d87c 228 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 229 state_to_string(state));
badaaa00 230
89bc500e 231 chan->state = state;
53f52121 232 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 233}
234
f8e73017
GP		 235static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
236 int state, int err)
2e0052e4 237{
f8e73017 238 chan->state = state;
53f52121 239 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 240}
241
242static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
243{
f8e73017 244 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
509 else
510 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 511 } else {
512 /* Alloc CID for connection-oriented socket */
fe4128e0 513 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 514 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 515 }
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
416fa752
AE		 525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
530 break;
531
5491120e 532 default:
0139418c 533 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 536 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 537 }
538
8f7975b1
AE		 539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 545
371fd835 546 l2cap_chan_hold(chan);
baa7e1fa 547
5ee9891d
JH		 548 hci_conn_hold(conn->hcon);
549
3df91ea2 550 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 551}
552
466f8004 553void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 554{
555 mutex_lock(&conn->chan_lock);
556 __l2cap_chan_add(conn, chan);
3df91ea2 557 mutex_unlock(&conn->chan_lock);
0139418c
MH		 558}
559
466f8004 560void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 561{
8c1d787b 562 struct l2cap_conn *conn = chan->conn;
0139418c 563
c9b66675 564 __clear_chan_timer(chan);
0139418c 565
49208c9c 566 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 567
8e87d142 568 if (conn) {
56f60984 569 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 570 /* Delete from channel list */
3df91ea2 571 list_del(&chan->list);
3d57dc68 572
371fd835 573 l2cap_chan_put(chan);
baa7e1fa 574
8c1d787b 575 chan->conn = NULL;
3cabbfda
AE		 576
577 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 578 hci_conn_drop(conn->hcon);
56f60984
AE		 579
580 if (mgr && mgr->bredr_chan == chan)
581 mgr->bredr_chan = NULL;
0139418c
MH		 582 }
583
419e08c1
AE		 584 if (chan->hs_hchan) {
585 struct hci_chan *hs_hchan = chan->hs_hchan;
586
587 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
588 amp_disconnect_logical_link(hs_hchan);
589 }
590
b699ec0d 591 chan->ops->teardown(chan, err);
6be36555 592
2827011f 593 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 594 return;
2ead70b8 595
ee556f66
GP		 596 switch(chan->mode) {
597 case L2CAP_MODE_BASIC:
598 break;
c13ffa62 599
ee556f66 600 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 601 __clear_retrans_timer(chan);
602 __clear_monitor_timer(chan);
603 __clear_ack_timer(chan);
c13ffa62 604
f1c6775b 605 skb_queue_purge(&chan->srej_q);
c13ffa62 606
3c588192
MM		 607 l2cap_seq_list_free(&chan->srej_list);
608 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 609
610 /* fall through */
611
612 case L2CAP_MODE_STREAMING:
613 skb_queue_purge(&chan->tx_q);
614 break;
c13ffa62 615 }
ee556f66
GP		 616
617 return;
0139418c
MH		 618}
619
0f852724 620void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 621{
622 struct l2cap_conn *conn = chan->conn;
4519de9a 623
7eafc59e 624 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 625
89bc500e 626 switch (chan->state) {
4519de9a 627 case BT_LISTEN:
b699ec0d 628 chan->ops->teardown(chan, 0);
4519de9a
GP		 629 break;
630
631 case BT_CONNECTED:
632 case BT_CONFIG:
715ec005 633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 634 conn->hcon->type == ACL_LINK) {
8d836d71 635 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 636 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 637 } else
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT2:
715ec005 642 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 643 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 644 struct l2cap_conn_rsp rsp;
645 __u16 result;
646
bdc25783 647 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
4519de9a
GP		 648 result = L2CAP_CR_SEC_BLOCK;
649 else
650 result = L2CAP_CR_BAD_PSM;
bdc25783 651
89bc500e 652 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 653
654 rsp.scid = cpu_to_le16(chan->dcid);
655 rsp.dcid = cpu_to_le16(chan->scid);
656 rsp.result = cpu_to_le16(result);
ac73498c 657 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 658 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 659 sizeof(rsp), &rsp);
4519de9a
GP		 660 }
661
662 l2cap_chan_del(chan, reason);
663 break;
664
665 case BT_CONNECT:
666 case BT_DISCONN:
667 l2cap_chan_del(chan, reason);
668 break;
669
670 default:
b699ec0d 671 chan->ops->teardown(chan, 0);
4519de9a
GP		 672 break;
673 }
674}
675
4343478f 676static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 677{
6a974b50
MH		 678 switch (chan->chan_type) {
679 case L2CAP_CHAN_RAW:
4343478f 680 switch (chan->sec_level) {
8556edd3
JH		 681 case BT_SECURITY_HIGH:
682 return HCI_AT_DEDICATED_BONDING_MITM;
683 case BT_SECURITY_MEDIUM:
684 return HCI_AT_DEDICATED_BONDING;
685 default:
686 return HCI_AT_NO_BONDING;
687 }
6a974b50 688 break;
3124b843
MH		 689 case L2CAP_CHAN_CONN_LESS:
690 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
691 if (chan->sec_level == BT_SECURITY_LOW)
692 chan->sec_level = BT_SECURITY_SDP;
693 }
694 if (chan->sec_level == BT_SECURITY_HIGH)
695 return HCI_AT_NO_BONDING_MITM;
696 else
697 return HCI_AT_NO_BONDING;
698 break;
6a974b50
MH		 699 case L2CAP_CHAN_CONN_ORIENTED:
700 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
701 if (chan->sec_level == BT_SECURITY_LOW)
702 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 703
6a974b50
MH		 704 if (chan->sec_level == BT_SECURITY_HIGH)
705 return HCI_AT_NO_BONDING_MITM;
706 else
707 return HCI_AT_NO_BONDING;
708 }
709 /* fall through */
710 default:
4343478f 711 switch (chan->sec_level) {
00ae4af9 712 case BT_SECURITY_HIGH:
8556edd3 713 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 714 case BT_SECURITY_MEDIUM:
8556edd3 715 return HCI_AT_GENERAL_BONDING;
00ae4af9 716 default:
8556edd3 717 return HCI_AT_NO_BONDING;
00ae4af9 718 }
6a974b50 719 break;
0684e5f9 720 }
8556edd3
JH		 721}
722
723/* Service level security */
d45fc423 724int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 725{
8c1d787b 726 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 727 __u8 auth_type;
728
4343478f 729 auth_type = l2cap_get_auth_type(chan);
79d554a6 730
4343478f 731 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 732}
733
b5ad8b7f 734static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 735{
736 u8 id;
737
738 /* Get next available identificator.
739 * 1 - 128 are used by kernel.
740 * 129 - 199 are reserved.
741 * 200 - 254 are used by utilities like l2ping, etc.
742 */
743
333055f2 744 spin_lock(&conn->lock);
4e8402a3
MH		 745
746 if (++conn->tx_ident > 128)
747 conn->tx_ident = 1;
748
749 id = conn->tx_ident;
750
333055f2 751 spin_unlock(&conn->lock);
4e8402a3
MH		 752
753 return id;
754}
755
2d792818
GP		 756static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
757 void *data)
4e8402a3
MH		 758{
759 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 760 u8 flags;
4e8402a3
MH		 761
762 BT_DBG("code 0x%2.2x", code);
763
764 if (!skb)
9a9c6a34 765 return;
4e8402a3 766
e702112f
AE		 767 if (lmp_no_flush_capable(conn->hcon->hdev))
768 flags = ACL_START_NO_FLUSH;
769 else
770 flags = ACL_START;
771
14b12d0b 772 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 773 skb->priority = HCI_PRIO_MAX;
14b12d0b 774
73d80deb
LAD		 775 hci_send_acl(conn->hchan, skb, flags);
776}
777
02b0fbb9
MM		 778static bool __chan_is_moving(struct l2cap_chan *chan)
779{
780 return chan->move_state != L2CAP_MOVE_STABLE &&
781 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
782}
783
73d80deb
LAD		 784static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
785{
786 struct hci_conn *hcon = chan->conn->hcon;
787 u16 flags;
788
789 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 790 skb->priority);
73d80deb 791
d5f8a75d
MM		 792 if (chan->hs_hcon && !__chan_is_moving(chan)) {
793 if (chan->hs_hchan)
794 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
795 else
796 kfree_skb(skb);
797
798 return;
799 }
800
73d80deb 801 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 802 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 803 flags = ACL_START_NO_FLUSH;
804 else
805 flags = ACL_START;
14b12d0b 806
73d80deb
LAD		 807 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
808 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 809}
810
b76bbd66
MM		 811static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
812{
813 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
814 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
815
816 if (enh & L2CAP_CTRL_FRAME_TYPE) {
817 /* S-Frame */
818 control->sframe = 1;
819 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
820 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
821
822 control->sar = 0;
823 control->txseq = 0;
824 } else {
825 /* I-Frame */
826 control->sframe = 0;
827 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
828 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
829
830 control->poll = 0;
831 control->super = 0;
832 }
833}
834
b76bbd66
MM		 835static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
836{
837 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
838 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
839
840 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
841 /* S-Frame */
842 control->sframe = 1;
843 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
844 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
845
846 control->sar = 0;
847 control->txseq = 0;
848 } else {
849 /* I-Frame */
850 control->sframe = 0;
851 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
852 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
853
854 control->poll = 0;
855 control->super = 0;
856 }
857}
858
859static inline void __unpack_control(struct l2cap_chan *chan,
860 struct sk_buff *skb)
861{
862 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
863 __unpack_extended_control(get_unaligned_le32(skb->data),
864 &bt_cb(skb)->control);
cec8ab6e 865 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 866 } else {
867 __unpack_enhanced_control(get_unaligned_le16(skb->data),
868 &bt_cb(skb)->control);
cec8ab6e 869 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 870 }
871}
872
b5c6aaed
MM		 873static u32 __pack_extended_control(struct l2cap_ctrl *control)
874{
875 u32 packed;
876
877 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
879
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
884 } else {
885 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
887 }
888
889 return packed;
890}
891
892static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
893{
894 u16 packed;
895
896 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
897 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
898
899 if (control->sframe) {
900 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
901 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
902 packed |= L2CAP_CTRL_FRAME_TYPE;
903 } else {
904 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
905 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
906 }
907
908 return packed;
909}
910
b76bbd66
MM		 911static inline void __pack_control(struct l2cap_chan *chan,
912 struct l2cap_ctrl *control,
913 struct sk_buff *skb)
914{
915 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
916 put_unaligned_le32(__pack_extended_control(control),
917 skb->data + L2CAP_HDR_SIZE);
918 } else {
919 put_unaligned_le16(__pack_enhanced_control(control),
920 skb->data + L2CAP_HDR_SIZE);
921 }
922}
923
ba7aa64f
GP		 924static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
925{
926 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
927 return L2CAP_EXT_HDR_SIZE;
928 else
929 return L2CAP_ENH_HDR_SIZE;
930}
931
a67d7f6f
MM		 932static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
933 u32 control)
b5c6aaed
MM		 934{
935 struct sk_buff *skb;
936 struct l2cap_hdr *lh;
ba7aa64f 937 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 938
939 if (chan->fcs == L2CAP_FCS_CRC16)
940 hlen += L2CAP_FCS_SIZE;
941
a67d7f6f 942 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 943
b5c6aaed 944 if (!skb)
a67d7f6f 945 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 946
947 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
948 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
949 lh->cid = cpu_to_le16(chan->dcid);
950
a67d7f6f
MM		 951 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
952 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
953 else
954 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 955
956 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 957 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 958 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
959 }
960
961 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 962 return skb;
963}
964
965static void l2cap_send_sframe(struct l2cap_chan *chan,
966 struct l2cap_ctrl *control)
967{
968 struct sk_buff *skb;
969 u32 control_field;
970
971 BT_DBG("chan %p, control %p", chan, control);
972
973 if (!control->sframe)
974 return;
975
b99e13ad
MM		 976 if (__chan_is_moving(chan))
977 return;
978
a67d7f6f
MM		 979 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
980 !control->poll)
981 control->final = 1;
982
983 if (control->super == L2CAP_SUPER_RR)
984 clear_bit(CONN_RNR_SENT, &chan->conn_state);
985 else if (control->super == L2CAP_SUPER_RNR)
986 set_bit(CONN_RNR_SENT, &chan->conn_state);
987
988 if (control->super != L2CAP_SUPER_SREJ) {
989 chan->last_acked_seq = control->reqseq;
990 __clear_ack_timer(chan);
991 }
992
993 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
994 control->final, control->poll, control->super);
995
996 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
997 control_field = __pack_extended_control(control);
998 else
999 control_field = __pack_enhanced_control(control);
1000
1001 skb = l2cap_create_sframe_pdu(chan, control_field);
1002 if (!IS_ERR(skb))
1003 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1004}
1005
c9e3d5e0 1006static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1007{
c9e3d5e0
MM		 1008 struct l2cap_ctrl control;
1009
1010 BT_DBG("chan %p, poll %d", chan, poll);
1011
1012 memset(&control, 0, sizeof(control));
1013 control.sframe = 1;
1014 control.poll = poll;
1015
1016 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1017 control.super = L2CAP_SUPER_RNR;
1018 else
1019 control.super = L2CAP_SUPER_RR;
b5c6aaed 1020
c9e3d5e0
MM		 1021 control.reqseq = chan->buffer_seq;
1022 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1023}
1024
b4450035 1025static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1026{
c1360a1c 1027 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1028}
1029
1df7b17a 1030static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1031{
1df7b17a 1032 struct l2cap_conn *conn = chan->conn;
80d58d0b 1033 struct hci_dev *hdev;
1df7b17a
MH		 1034 bool amp_available = false;
1035
1036 if (!conn->hs_enabled)
1037 return false;
1038
1039 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1040 return false;
80d58d0b
MH		 1041
1042 read_lock(&hci_dev_list_lock);
1df7b17a 1043 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1044 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1045 test_bit(HCI_UP, &hdev->flags)) {
1046 amp_available = true;
1047 break;
1048 }
1049 }
80d58d0b
MH		 1050 read_unlock(&hci_dev_list_lock);
1051
1df7b17a
MH		 1052 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1053 return amp_available;
848566b3
MH		 1054
1055 return false;
93c3e8f5
AE		 1056}
1057
5ce66b59
AE		 1058static bool l2cap_check_efs(struct l2cap_chan *chan)
1059{
1060 /* Check EFS parameters */
1061 return true;
1062}
1063
2766be48 1064void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1065{
1066 struct l2cap_conn *conn = chan->conn;
1067 struct l2cap_conn_req req;
1068
1069 req.scid = cpu_to_le16(chan->scid);
1070 req.psm = chan->psm;
1071
1072 chan->ident = l2cap_get_ident(conn);
1073
1074 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1075
1076 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1077}
1078
8eb200bd
MM		 1079static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1080{
1081 struct l2cap_create_chan_req req;
1082 req.scid = cpu_to_le16(chan->scid);
1083 req.psm = chan->psm;
1084 req.amp_id = amp_id;
1085
1086 chan->ident = l2cap_get_ident(chan->conn);
1087
1088 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1089 sizeof(req), &req);
1090}
1091
02b0fbb9
MM		 1092static void l2cap_move_setup(struct l2cap_chan *chan)
1093{
1094 struct sk_buff *skb;
1095
1096 BT_DBG("chan %p", chan);
1097
1098 if (chan->mode != L2CAP_MODE_ERTM)
1099 return;
1100
1101 __clear_retrans_timer(chan);
1102 __clear_monitor_timer(chan);
1103 __clear_ack_timer(chan);
1104
1105 chan->retry_count = 0;
1106 skb_queue_walk(&chan->tx_q, skb) {
1107 if (bt_cb(skb)->control.retries)
1108 bt_cb(skb)->control.retries = 1;
1109 else
1110 break;
1111 }
1112
1113 chan->expected_tx_seq = chan->buffer_seq;
1114
1115 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1116 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1117 l2cap_seq_list_clear(&chan->retrans_list);
1118 l2cap_seq_list_clear(&chan->srej_list);
1119 skb_queue_purge(&chan->srej_q);
1120
1121 chan->tx_state = L2CAP_TX_STATE_XMIT;
1122 chan->rx_state = L2CAP_RX_STATE_MOVE;
1123
1124 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1125}
1126
5f3847a4
MM		 1127static void l2cap_move_done(struct l2cap_chan *chan)
1128{
1129 u8 move_role = chan->move_role;
1130 BT_DBG("chan %p", chan);
1131
1132 chan->move_state = L2CAP_MOVE_STABLE;
1133 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1134
1135 if (chan->mode != L2CAP_MODE_ERTM)
1136 return;
1137
1138 switch (move_role) {
1139 case L2CAP_MOVE_ROLE_INITIATOR:
1140 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1141 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1142 break;
1143 case L2CAP_MOVE_ROLE_RESPONDER:
1144 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1145 break;
1146 }
1147}
1148
9f0caeb1
VCG		 1149static void l2cap_chan_ready(struct l2cap_chan *chan)
1150{
2827011f 1151 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1152 chan->conf_state = 0;
1153 __clear_chan_timer(chan);
1154
54a59aa2 1155 chan->state = BT_CONNECTED;
9f0caeb1 1156
fd83e2c2 1157 chan->ops->ready(chan);
9f0caeb1
VCG		 1158}
1159
93c3e8f5
AE		 1160static void l2cap_start_connection(struct l2cap_chan *chan)
1161{
1162 if (__amp_capable(chan)) {
1163 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1164 a2mp_discover_amp(chan);
1165 } else {
1166 l2cap_send_conn_req(chan);
1167 }
1168}
1169
fc7f8a7e 1170static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1171{
8c1d787b 1172 struct l2cap_conn *conn = chan->conn;
79d554a6 1173
9f0caeb1
VCG		 1174 if (conn->hcon->type == LE_LINK) {
1175 l2cap_chan_ready(chan);
1176 return;
1177 }
1178
79d554a6 1179 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1180 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1181 return;
1182
d45fc423 1183 if (l2cap_chan_check_security(chan) &&
2d792818 1184 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1185 l2cap_start_connection(chan);
1186 }
79d554a6
MH		 1187 } else {
1188 struct l2cap_info_req req;
ac73498c 1189 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1190
1191 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1192 conn->info_ident = l2cap_get_ident(conn);
1193
ba13ccd9 1194 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1195
2d792818
GP		 1196 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1197 sizeof(req), &req);
79d554a6
MH		 1198 }
1199}
1200
cf6c2c0b
GP		 1201static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1202{
1203 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1204 if (!disable_ertm)
cf6c2c0b
GP		 1205 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1206
1207 switch (mode) {
1208 case L2CAP_MODE_ERTM:
1209 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1210 case L2CAP_MODE_STREAMING:
1211 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1212 default:
1213 return 0x00;
1214 }
1215}
1216
5e4e3972 1217static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1218{
5e4e3972 1219 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1220 struct l2cap_disconn_req req;
1221
c13ffa62
GP		 1222 if (!conn)
1223 return;
1224
aad3d0e3 1225 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1226 __clear_retrans_timer(chan);
1227 __clear_monitor_timer(chan);
1228 __clear_ack_timer(chan);
c13ffa62
GP		 1229 }
1230
416fa752 1231 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1232 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1233 return;
1234 }
1235
fe4128e0
GP		 1236 req.dcid = cpu_to_le16(chan->dcid);
1237 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1238 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1239 sizeof(req), &req);
c13ffa62 1240
f8e73017 1241 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1242}
1243
1da177e4 1244/* ---- L2CAP connections ---- */
4e8402a3
MH		 1245static void l2cap_conn_start(struct l2cap_conn *conn)
1246{
3df91ea2 1247 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1248
1249 BT_DBG("conn %p", conn);
1250
3df91ea2 1251 mutex_lock(&conn->chan_lock);
4e8402a3 1252
3df91ea2 1253 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1254 l2cap_chan_lock(chan);
4e8402a3 1255
715ec005 1256 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1257 l2cap_chan_unlock(chan);
79d554a6
MH		 1258 continue;
1259 }
1260
89bc500e 1261 if (chan->state == BT_CONNECT) {
d45fc423 1262 if (!l2cap_chan_check_security(chan) ||
2d792818 1263 !__l2cap_no_conn_pending(chan)) {
6be36555 1264 l2cap_chan_unlock(chan);
47731de7
GP		 1265 continue;
1266 }
79d554a6 1267
c1360a1c 1268 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1269 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1270 &chan->conf_state)) {
89bc500e 1271 l2cap_chan_close(chan, ECONNRESET);
6be36555 1272 l2cap_chan_unlock(chan);
47731de7 1273 continue;
b1235d79 1274 }
47731de7 1275
93c3e8f5 1276 l2cap_start_connection(chan);
47731de7 1277
89bc500e 1278 } else if (chan->state == BT_CONNECT2) {
79d554a6 1279 struct l2cap_conn_rsp rsp;
e9aeb2dd 1280 char buf[128];
fe4128e0
GP		 1281 rsp.scid = cpu_to_le16(chan->dcid);
1282 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1283
d45fc423 1284 if (l2cap_chan_check_security(chan)) {
bdc25783 1285 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1286 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1287 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1288 chan->ops->defer(chan);
f66dc81f
MH		 1289
1290 } else {
acdcabf5 1291 l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1292 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1293 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1294 }
79d554a6 1295 } else {
ac73498c
AE		 1296 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1297 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1298 }
1299
fc7f8a7e 1300 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1301 sizeof(rsp), &rsp);
e9aeb2dd 1302
c1360a1c 1303 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1304 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1305 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1306 continue;
1307 }
1308
c1360a1c 1309 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1310 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1311 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1312 chan->num_conf_req++;
4e8402a3
MH		 1313 }
1314
6be36555 1315 l2cap_chan_unlock(chan);
4e8402a3
MH		 1316 }
1317
3df91ea2 1318 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1319}
1320
c2287681 1321/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1322 * Returns closest match, locked.
1323 */
d9b88702 1324static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1325 bdaddr_t *src,
1326 bdaddr_t *dst)
b62f328b 1327{
23691d75 1328 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1329
23691d75 1330 read_lock(&chan_list_lock);
b62f328b 1331
23691d75 1332 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1333 if (state && c->state != state)
b62f328b
VT		 1334 continue;
1335
23691d75 1336 if (c->scid == cid) {
c2287681
IY		 1337 int src_match, dst_match;
1338 int src_any, dst_any;
1339
b62f328b 1340 /* Exact match. */
7eafc59e
MH		 1341 src_match = !bacmp(&c->src, src);
1342 dst_match = !bacmp(&c->dst, dst);
c2287681 1343 if (src_match && dst_match) {
23691d75
GP		 1344 read_unlock(&chan_list_lock);
1345 return c;
1346 }
b62f328b
VT		 1347
1348 /* Closest match */
7eafc59e
MH		 1349 src_any = !bacmp(&c->src, BDADDR_ANY);
1350 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1351 if ((src_match && dst_any) || (src_any && dst_match) ||
1352 (src_any && dst_any))
23691d75 1353 c1 = c;
b62f328b
VT		 1354 }
1355 }
280f294f 1356
23691d75 1357 read_unlock(&chan_list_lock);
b62f328b 1358
23691d75 1359 return c1;
b62f328b
VT		 1360}
1361
1362static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1363{
cc8dba2b 1364 struct hci_conn *hcon = conn->hcon;
23691d75 1365 struct l2cap_chan *chan, *pchan;
cc8dba2b 1366 u8 dst_type;
b62f328b
VT		 1367
1368 BT_DBG("");
1369
1370 /* Check if we have socket listening on cid */
073d1cf3 1371 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1372 &hcon->src, &hcon->dst);
23691d75 1373 if (!pchan)
b62f328b
VT		 1374 return;
1375
44f3b0fb
JH		 1376 /* Client ATT sockets should override the server one */
1377 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1378 return;
1379
cc8dba2b
MH		 1380 dst_type = bdaddr_type(hcon, hcon->dst_type);
1381
1382 /* If device is blocked, do not create a channel for it */
1383 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1384 return;
1385
8ffb9290 1386 l2cap_chan_lock(pchan);
62f3a2cf 1387
80b98027 1388 chan = pchan->ops->new_connection(pchan);
80808e43 1389 if (!chan)
b62f328b
VT		 1390 goto clean;
1391
9f22398c
JH		 1392 chan->dcid = L2CAP_CID_ATT;
1393
cc8dba2b
MH		 1394 bacpy(&chan->src, &hcon->src);
1395 bacpy(&chan->dst, &hcon->dst);
1396 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1397 chan->dst_type = dst_type;
b62f328b 1398
44f3b0fb 1399 __l2cap_chan_add(conn, chan);
48454079 1400
b62f328b 1401clean:
8ffb9290 1402 l2cap_chan_unlock(pchan);
b62f328b
VT		 1403}
1404
4e8402a3
MH		 1405static void l2cap_conn_ready(struct l2cap_conn *conn)
1406{
48454079 1407 struct l2cap_chan *chan;
cc110922 1408 struct hci_conn *hcon = conn->hcon;
4e8402a3 1409
79d554a6 1410 BT_DBG("conn %p", conn);
4e8402a3 1411
d8729922
JH		 1412 /* For outgoing pairing which doesn't necessarily have an
1413 * associated socket (e.g. mgmt_pair_device).
1414 */
cc110922
VCG		 1415 if (hcon->out && hcon->type == LE_LINK)
1416 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1417
3df91ea2 1418 mutex_lock(&conn->chan_lock);
4e8402a3 1419
44f3b0fb
JH		 1420 if (hcon->type == LE_LINK)
1421 l2cap_le_conn_ready(conn);
1422
3df91ea2 1423 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1424
6be36555 1425 l2cap_chan_lock(chan);
4e8402a3 1426
416fa752
AE		 1427 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1428 l2cap_chan_unlock(chan);
1429 continue;
1430 }
1431
cc110922
VCG		 1432 if (hcon->type == LE_LINK) {
1433 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1434 l2cap_chan_ready(chan);
acd7d370 1435
63128451 1436 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1437 l2cap_chan_ready(chan);
b501d6a1 1438
1c244f79 1439 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1440 l2cap_do_start(chan);
1c244f79 1441 }
4e8402a3 1442
6be36555 1443 l2cap_chan_unlock(chan);
4e8402a3 1444 }
79d554a6 1445
3df91ea2 1446 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1447}
1448
1449/* Notify sockets that we cannot guaranty reliability anymore */
1450static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1451{
48454079 1452 struct l2cap_chan *chan;
4e8402a3
MH		 1453
1454 BT_DBG("conn %p", conn);
1455
3df91ea2 1456 mutex_lock(&conn->chan_lock);
4e8402a3 1457
3df91ea2 1458 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1459 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1460 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1461 }
1462
3df91ea2 1463 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1464}
1465
f878fcad 1466static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1467{
f878fcad 1468 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1469 info_timer.work);
4e8402a3 1470
984947dc 1471 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1472 conn->info_ident = 0;
984947dc 1473
4e8402a3
MH		 1474 l2cap_conn_start(conn);
1475}
1476
2c8e1411
DH		 1477/*
1478 * l2cap_user
1479 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1480 * callback is called during registration. The ->remove callback is called
1481 * during unregistration.
1482 * An l2cap_user object can either be explicitly unregistered or when the
1483 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1484 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1485 * External modules must own a reference to the l2cap_conn object if they intend
1486 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1487 * any time if they don't.
1488 */
1489
1490int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1491{
1492 struct hci_dev *hdev = conn->hcon->hdev;
1493 int ret;
1494
1495 /* We need to check whether l2cap_conn is registered. If it is not, we
1496 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1497 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1498 * relies on the parent hci_conn object to be locked. This itself relies
1499 * on the hci_dev object to be locked. So we must lock the hci device
1500 * here, too. */
1501
1502 hci_dev_lock(hdev);
1503
1504 if (user->list.next || user->list.prev) {
1505 ret = -EINVAL;
1506 goto out_unlock;
1507 }
1508
1509 /* conn->hchan is NULL after l2cap_conn_del() was called */
1510 if (!conn->hchan) {
1511 ret = -ENODEV;
1512 goto out_unlock;
1513 }
1514
1515 ret = user->probe(conn, user);
1516 if (ret)
1517 goto out_unlock;
1518
1519 list_add(&user->list, &conn->users);
1520 ret = 0;
1521
1522out_unlock:
1523 hci_dev_unlock(hdev);
1524 return ret;
1525}
1526EXPORT_SYMBOL(l2cap_register_user);
1527
1528void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1529{
1530 struct hci_dev *hdev = conn->hcon->hdev;
1531
1532 hci_dev_lock(hdev);
1533
1534 if (!user->list.next || !user->list.prev)
1535 goto out_unlock;
1536
1537 list_del(&user->list);
1538 user->list.next = NULL;
1539 user->list.prev = NULL;
1540 user->remove(conn, user);
1541
1542out_unlock:
1543 hci_dev_unlock(hdev);
1544}
1545EXPORT_SYMBOL(l2cap_unregister_user);
1546
1547static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1548{
1549 struct l2cap_user *user;
1550
1551 while (!list_empty(&conn->users)) {
1552 user = list_first_entry(&conn->users, struct l2cap_user, list);
1553 list_del(&user->list);
1554 user->list.next = NULL;
1555 user->list.prev = NULL;
1556 user->remove(conn, user);
1557 }
1558}
1559
5d3de7df
VCG		 1560static void l2cap_conn_del(struct hci_conn *hcon, int err)
1561{
1562 struct l2cap_conn *conn = hcon->l2cap_data;
1563 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1564
1565 if (!conn)
1566 return;
1567
1568 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1569
1570 kfree_skb(conn->rx_skb);
1571
2c8e1411
DH		 1572 l2cap_unregister_all_users(conn);
1573
3df91ea2
AE		 1574 mutex_lock(&conn->chan_lock);
1575
5d3de7df
VCG		 1576 /* Kill channels */
1577 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1578 l2cap_chan_hold(chan);
6be36555
AE		 1579 l2cap_chan_lock(chan);
1580
5d3de7df 1581 l2cap_chan_del(chan, err);
6be36555
AE		 1582
1583 l2cap_chan_unlock(chan);
1584
80b98027 1585 chan->ops->close(chan);
61d6ef3e 1586 l2cap_chan_put(chan);
5d3de7df
VCG		 1587 }
1588
3df91ea2
AE		 1589 mutex_unlock(&conn->chan_lock);
1590
73d80deb
LAD		 1591 hci_chan_del(conn->hchan);
1592
5d3de7df 1593 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1594 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1595
51a8efd7 1596 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1597 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1598 smp_chan_destroy(conn);
d26a2345 1599 }
5d3de7df
VCG		 1600
1601 hcon->l2cap_data = NULL;
9c903e37
DH		 1602 conn->hchan = NULL;
1603 l2cap_conn_put(conn);
5d3de7df
VCG		 1604}
1605
6c9d42a1 1606static void security_timeout(struct work_struct *work)
5d3de7df 1607{
6c9d42a1 1608 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1609 security_timer.work);
5d3de7df 1610
d06cc416
JH		 1611 BT_DBG("conn %p", conn);
1612
1613 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1614 smp_chan_destroy(conn);
1615 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1616 }
5d3de7df
VCG		 1617}
1618
baf43251 1619static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1620{
0139418c 1621 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1622 struct hci_chan *hchan;
1da177e4 1623
baf43251 1624 if (conn)
1da177e4
LT		 1625 return conn;
1626
73d80deb
LAD		 1627 hchan = hci_chan_create(hcon);
1628 if (!hchan)
1629 return NULL;
1630
8bcde1f2 1631 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1632 if (!conn) {
1633 hci_chan_del(hchan);
1da177e4 1634 return NULL;
73d80deb 1635 }
1da177e4 1636
9c903e37 1637 kref_init(&conn->ref);
1da177e4
LT		 1638 hcon->l2cap_data = conn;
1639 conn->hcon = hcon;
9c903e37 1640 hci_conn_get(conn->hcon);
73d80deb 1641 conn->hchan = hchan;
1da177e4 1642
73d80deb 1643 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1644
dcc042d5 1645 switch (hcon->type) {
dcc042d5
AE		 1646 case LE_LINK:
1647 if (hcon->hdev->le_mtu) {
1648 conn->mtu = hcon->hdev->le_mtu;
1649 break;
1650 }
1651 /* fall through */
dcc042d5 1652 default:
acd7d370 1653 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1654 break;
1655 }
acd7d370 1656
4e8402a3
MH		 1657 conn->feat_mask = 0;
1658
848566b3
MH		 1659 if (hcon->type == ACL_LINK)
1660 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1661 &hcon->hdev->dev_flags);
1662
1da177e4 1663 spin_lock_init(&conn->lock);
3df91ea2 1664 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1665
1666 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1667 INIT_LIST_HEAD(&conn->users);
1da177e4 1668
5d3de7df 1669 if (hcon->type == LE_LINK)
6c9d42a1 1670 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1671 else
030013d8 1672 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1673
9f5a0d7b 1674 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1675
1da177e4
LT		 1676 return conn;
1677}
1678
9c903e37
DH		 1679static void l2cap_conn_free(struct kref *ref)
1680{
1681 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1682
1683 hci_conn_put(conn->hcon);
1684 kfree(conn);
1685}
1686
1687void l2cap_conn_get(struct l2cap_conn *conn)
1688{
1689 kref_get(&conn->ref);
1690}
1691EXPORT_SYMBOL(l2cap_conn_get);
1692
1693void l2cap_conn_put(struct l2cap_conn *conn)
1694{
1695 kref_put(&conn->ref, l2cap_conn_free);
1696}
1697EXPORT_SYMBOL(l2cap_conn_put);
1698
1da177e4 1699/* ---- Socket interface ---- */
1da177e4 1700
c2287681 1701/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1702 * Returns closest match.
1703 */
c2287681
IY		 1704static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1705 bdaddr_t *src,
1706 bdaddr_t *dst)
1da177e4 1707{
23691d75 1708 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1709
23691d75 1710 read_lock(&chan_list_lock);
e0f0cb56 1711
23691d75 1712 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1713 if (state && c->state != state)
1da177e4
LT		 1714 continue;
1715
23691d75 1716 if (c->psm == psm) {
c2287681
IY		 1717 int src_match, dst_match;
1718 int src_any, dst_any;
1719
1da177e4 1720 /* Exact match. */
7eafc59e
MH		 1721 src_match = !bacmp(&c->src, src);
1722 dst_match = !bacmp(&c->dst, dst);
c2287681 1723 if (src_match && dst_match) {
a7567b20 1724 read_unlock(&chan_list_lock);
23691d75
GP		 1725 return c;
1726 }
1da177e4
LT		 1727
1728 /* Closest match */
7eafc59e
MH		 1729 src_any = !bacmp(&c->src, BDADDR_ANY);
1730 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1731 if ((src_match && dst_any) || (src_any && dst_match) ||
1732 (src_any && dst_any))
23691d75 1733 c1 = c;
1da177e4
LT		 1734 }
1735 }
1da177e4 1736
23691d75 1737 read_unlock(&chan_list_lock);
e0f0cb56 1738
23691d75 1739 return c1;
1da177e4
LT		 1740}
1741
8e9f9892
AG		 1742int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1743 bdaddr_t *dst, u8 dst_type)
1da177e4 1744{
1da177e4
LT		 1745 struct l2cap_conn *conn;
1746 struct hci_conn *hcon;
1747 struct hci_dev *hdev;
09ab6f4c 1748 __u8 auth_type;
44d0e48e 1749 int err;
1da177e4 1750
7eafc59e 1751 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
ab19516a 1752 dst_type, __le16_to_cpu(psm));
1da177e4 1753
7eafc59e 1754 hdev = hci_get_route(dst, &chan->src);
af05b30b 1755 if (!hdev)
1da177e4
LT		 1756 return -EHOSTUNREACH;
1757
09fd0de5 1758 hci_dev_lock(hdev);
1da177e4 1759
6be36555 1760 l2cap_chan_lock(chan);
03a00194
GP		 1761
1762 /* PSM must be odd and lsb of upper byte must be 0 */
1763 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1764 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1765 err = -EINVAL;
1766 goto done;
1767 }
1768
1769 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1770 err = -EINVAL;
1771 goto done;
1772 }
1773
1774 switch (chan->mode) {
1775 case L2CAP_MODE_BASIC:
1776 break;
1777 case L2CAP_MODE_ERTM:
1778 case L2CAP_MODE_STREAMING:
1779 if (!disable_ertm)
1780 break;
1781 /* fall through */
1782 default:
1783 err = -ENOTSUPP;
1784 goto done;
1785 }
1786
0797e01d 1787 switch (chan->state) {
03a00194
GP		 1788 case BT_CONNECT:
1789 case BT_CONNECT2:
1790 case BT_CONFIG:
1791 /* Already connecting */
1792 err = 0;
1793 goto done;
1794
1795 case BT_CONNECTED:
1796 /* Already connected */
1797 err = -EISCONN;
1798 goto done;
1799
1800 case BT_OPEN:
1801 case BT_BOUND:
1802 /* Can connect */
1803 break;
1804
1805 default:
1806 err = -EBADFD;
1807 goto done;
1808 }
1809
1810 /* Set destination address and psm */
7eafc59e 1811 bacpy(&chan->dst, dst);
4f1654e0 1812 chan->dst_type = dst_type;
6be36555 1813
03a00194
GP		 1814 chan->psm = psm;
1815 chan->dcid = cid;
1da177e4 1816
4343478f 1817 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1818
f224ca5f 1819 if (bdaddr_type_is_le(dst_type))
8e9f9892 1820 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1821 chan->sec_level, auth_type);
acd7d370 1822 else
8e9f9892 1823 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1824 chan->sec_level, auth_type);
acd7d370 1825
30e76272
VT		 1826 if (IS_ERR(hcon)) {
1827 err = PTR_ERR(hcon);
1da177e4 1828 goto done;
30e76272 1829 }
1da177e4 1830
baf43251 1831 conn = l2cap_conn_add(hcon);
1da177e4 1832 if (!conn) {
76a68ba0 1833 hci_conn_drop(hcon);
30e76272 1834 err = -ENOMEM;
1da177e4
LT		 1835 goto done;
1836 }
1837
141d5706
JH		 1838 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1839 hci_conn_drop(hcon);
1840 err = -EBUSY;
1841 goto done;
9f0caeb1
VCG		 1842 }
1843
1da177e4 1844 /* Update source addr of the socket */
7eafc59e 1845 bacpy(&chan->src, &hcon->src);
4f1654e0 1846 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1da177e4 1847
6be36555 1848 l2cap_chan_unlock(chan);
48454079 1849 l2cap_chan_add(conn, chan);
6be36555 1850 l2cap_chan_lock(chan);
48454079 1851
5ee9891d
JH		 1852 /* l2cap_chan_add takes its own ref so we can drop this one */
1853 hci_conn_drop(hcon);
1854
6be36555 1855 l2cap_state_change(chan, BT_CONNECT);
8d836d71 1856 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4
LT		 1857
1858 if (hcon->state == BT_CONNECTED) {
715ec005 1859 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1860 __clear_chan_timer(chan);
d45fc423 1861 if (l2cap_chan_check_security(chan))
6be36555 1862 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1863 } else
fc7f8a7e 1864 l2cap_do_start(chan);
1da177e4
LT		 1865 }
1866
30e76272
VT		 1867 err = 0;
1868
1da177e4 1869done:
6be36555 1870 l2cap_chan_unlock(chan);
09fd0de5 1871 hci_dev_unlock(hdev);
1da177e4
LT		 1872 hci_dev_put(hdev);
1873 return err;
1874}
1875
721c4181 1876static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1877{
721c4181 1878 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1879 monitor_timer.work);
e90bac06 1880
525cd185 1881 BT_DBG("chan %p", chan);
0e98958d 1882
6be36555
AE		 1883 l2cap_chan_lock(chan);
1884
80909e04 1885 if (!chan->conn) {
6be36555 1886 l2cap_chan_unlock(chan);
8d7e1c7f 1887 l2cap_chan_put(chan);
e90bac06
GP		 1888 return;
1889 }
1890
401bb1f7 1891 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1892
6be36555 1893 l2cap_chan_unlock(chan);
8d7e1c7f 1894 l2cap_chan_put(chan);
e90bac06
GP		 1895}
1896
721c4181 1897static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1898{
721c4181 1899 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1900 retrans_timer.work);
e90bac06 1901
49208c9c 1902 BT_DBG("chan %p", chan);
0e98958d 1903
6be36555
AE		 1904 l2cap_chan_lock(chan);
1905
80909e04
MM		 1906 if (!chan->conn) {
1907 l2cap_chan_unlock(chan);
1908 l2cap_chan_put(chan);
1909 return;
1910 }
6be36555 1911
401bb1f7 1912 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1913 l2cap_chan_unlock(chan);
8d7e1c7f 1914 l2cap_chan_put(chan);
e90bac06
GP		 1915}
1916
d660366d
GP		 1917static void l2cap_streaming_send(struct l2cap_chan *chan,
1918 struct sk_buff_head *skbs)
6840ed07 1919{
ccbb84af 1920 struct sk_buff *skb;
3733937d 1921 struct l2cap_ctrl *control;
6840ed07 1922
3733937d
MM		 1923 BT_DBG("chan %p, skbs %p", chan, skbs);
1924
b99e13ad
MM		 1925 if (__chan_is_moving(chan))
1926 return;
1927
3733937d
MM		 1928 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1929
1930 while (!skb_queue_empty(&chan->tx_q)) {
1931
1932 skb = skb_dequeue(&chan->tx_q);
1933
1934 bt_cb(skb)->control.retries = 1;
1935 control = &bt_cb(skb)->control;
1936
1937 control->reqseq = 0;
1938 control->txseq = chan->next_tx_seq;
1939
1940 __pack_control(chan, control, skb);
6840ed07 1941
47d1ec61 1942 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1943 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1944 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1945 }
1946
4343478f 1947 l2cap_do_send(chan, skb);
6840ed07 1948
b4400672 1949 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1950
836be934 1951 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1952 chan->frames_sent++;
6840ed07 1953 }
6840ed07
GP		 1954}
1955
67c9e840 1956static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1957{
1958 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1959 struct l2cap_ctrl *control;
1960 int sent = 0;
1961
1962 BT_DBG("chan %p", chan);
1c2acffb 1963
89bc500e 1964 if (chan->state != BT_CONNECTED)
c13ffa62 1965 return -ENOTCONN;
e90bac06 1966
94122bbe
MM		 1967 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1968 return 0;
1969
b99e13ad
MM		 1970 if (__chan_is_moving(chan))
1971 return 0;
1972
18a48e76
MM		 1973 while (chan->tx_send_head &&
1974 chan->unacked_frames < chan->remote_tx_win &&
1975 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1976
18a48e76 1977 skb = chan->tx_send_head;
e90bac06 1978
18a48e76
MM		 1979 bt_cb(skb)->control.retries = 1;
1980 control = &bt_cb(skb)->control;
95ffa978 1981
e2ab4353 1982 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1983 control->final = 1;
e2ab4353 1984
18a48e76
MM		 1985 control->reqseq = chan->buffer_seq;
1986 chan->last_acked_seq = chan->buffer_seq;
1987 control->txseq = chan->next_tx_seq;
1c2acffb 1988
18a48e76 1989 __pack_control(chan, control, skb);
e90bac06 1990
47d1ec61 1991 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1992 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1993 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1994 }
1995
18a48e76
MM		 1996 /* Clone after data has been modified. Data is assumed to be
1997 read-only (for locking purposes) on cloned sk_buffs.
1998 */
1999 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2000
18a48e76
MM		 2001 if (!tx_skb)
2002 break;
1c2acffb 2003
18a48e76 2004 __set_retrans_timer(chan);
836be934
AE		 2005
2006 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2007 chan->unacked_frames++;
6a026610 2008 chan->frames_sent++;
18a48e76 2009 sent++;
1c2acffb 2010
58d35f87
GP		 2011 if (skb_queue_is_last(&chan->tx_q, skb))
2012 chan->tx_send_head = NULL;
1c2acffb 2013 else
58d35f87 2014 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2015
2016 l2cap_do_send(chan, tx_skb);
b4400672 2017 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2018 }
2019
b4400672
AE		 2020 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2021 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2022
2023 return sent;
9e917af1
GP		 2024}
2025
e1fbd4c1
MM		 2026static void l2cap_ertm_resend(struct l2cap_chan *chan)
2027{
2028 struct l2cap_ctrl control;
2029 struct sk_buff *skb;
2030 struct sk_buff *tx_skb;
2031 u16 seq;
2032
2033 BT_DBG("chan %p", chan);
2034
2035 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2036 return;
2037
b99e13ad
MM		 2038 if (__chan_is_moving(chan))
2039 return;
2040
e1fbd4c1
MM		 2041 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2042 seq = l2cap_seq_list_pop(&chan->retrans_list);
2043
2044 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2045 if (!skb) {
2046 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2047 seq);
e1fbd4c1
MM		 2048 continue;
2049 }
2050
2051 bt_cb(skb)->control.retries++;
2052 control = bt_cb(skb)->control;
2053
2054 if (chan->max_tx != 0 &&
2055 bt_cb(skb)->control.retries > chan->max_tx) {
2056 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2057 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2058 l2cap_seq_list_clear(&chan->retrans_list);
2059 break;
2060 }
2061
2062 control.reqseq = chan->buffer_seq;
2063 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2064 control.final = 1;
2065 else
2066 control.final = 0;
2067
2068 if (skb_cloned(skb)) {
2069 /* Cloned sk_buffs are read-only, so we need a
2070 * writeable copy
2071 */
8bcde1f2 2072 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2073 } else {
8bcde1f2 2074 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2075 }
2076
2077 if (!tx_skb) {
2078 l2cap_seq_list_clear(&chan->retrans_list);
2079 break;
2080 }
2081
2082 /* Update skb contents */
2083 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2084 put_unaligned_le32(__pack_extended_control(&control),
2085 tx_skb->data + L2CAP_HDR_SIZE);
2086 } else {
2087 put_unaligned_le16(__pack_enhanced_control(&control),
2088 tx_skb->data + L2CAP_HDR_SIZE);
2089 }
2090
2091 if (chan->fcs == L2CAP_FCS_CRC16) {
2092 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2093 put_unaligned_le16(fcs, skb_put(tx_skb,
2094 L2CAP_FCS_SIZE));
2095 }
2096
2097 l2cap_do_send(chan, tx_skb);
2098
2099 BT_DBG("Resent txseq %d", control.txseq);
2100
2101 chan->last_acked_seq = chan->buffer_seq;
2102 }
2103}
2104
f80842a8
MM		 2105static void l2cap_retransmit(struct l2cap_chan *chan,
2106 struct l2cap_ctrl *control)
2107{
2108 BT_DBG("chan %p, control %p", chan, control);
2109
2110 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2111 l2cap_ertm_resend(chan);
2112}
2113
d2a7ac5d
MM		 2114static void l2cap_retransmit_all(struct l2cap_chan *chan,
2115 struct l2cap_ctrl *control)
2116{
e1fbd4c1
MM		 2117 struct sk_buff *skb;
2118
2119 BT_DBG("chan %p, control %p", chan, control);
2120
2121 if (control->poll)
2122 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2123
2124 l2cap_seq_list_clear(&chan->retrans_list);
2125
2126 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2127 return;
2128
2129 if (chan->unacked_frames) {
2130 skb_queue_walk(&chan->tx_q, skb) {
2131 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2132 skb == chan->tx_send_head)
e1fbd4c1
MM		 2133 break;
2134 }
2135
2136 skb_queue_walk_from(&chan->tx_q, skb) {
2137 if (skb == chan->tx_send_head)
2138 break;
2139
2140 l2cap_seq_list_append(&chan->retrans_list,
2141 bt_cb(skb)->control.txseq);
2142 }
2143
2144 l2cap_ertm_resend(chan);
2145 }
d2a7ac5d
MM		 2146}
2147
0a0aba42 2148static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2149{
0a0aba42
MM		 2150 struct l2cap_ctrl control;
2151 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2152 chan->last_acked_seq);
2153 int threshold;
9e917af1 2154
0a0aba42
MM		 2155 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2156 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2157
0a0aba42
MM		 2158 memset(&control, 0, sizeof(control));
2159 control.sframe = 1;
dfc909be 2160
0a0aba42
MM		 2161 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2162 chan->rx_state == L2CAP_RX_STATE_RECV) {
2163 __clear_ack_timer(chan);
2164 control.super = L2CAP_SUPER_RNR;
2165 control.reqseq = chan->buffer_seq;
2166 l2cap_send_sframe(chan, &control);
2167 } else {
2168 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2169 l2cap_ertm_send(chan);
2170 /* If any i-frames were sent, they included an ack */
2171 if (chan->buffer_seq == chan->last_acked_seq)
2172 frames_to_ack = 0;
2173 }
dfc909be 2174
c20f8e35 2175 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2176 * Calculate without mul or div
2177 */
c20f8e35 2178 threshold = chan->ack_win;
0a0aba42
MM		 2179 threshold += threshold << 1;
2180 threshold >>= 2;
2181
b4400672 2182 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2183 threshold);
2184
2185 if (frames_to_ack >= threshold) {
2186 __clear_ack_timer(chan);
2187 control.super = L2CAP_SUPER_RR;
2188 control.reqseq = chan->buffer_seq;
2189 l2cap_send_sframe(chan, &control);
2190 frames_to_ack = 0;
2191 }
1c2acffb 2192
0a0aba42
MM		 2193 if (frames_to_ack)
2194 __set_ack_timer(chan);
2195 }
b17e73bb
SJ		 2196}
2197
04124681
GP		 2198static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2199 struct msghdr *msg, int len,
2200 int count, struct sk_buff *skb)
1c2acffb 2201{
0952a57a 2202 struct l2cap_conn *conn = chan->conn;
1c2acffb 2203 struct sk_buff **frag;
90338947 2204 int sent = 0;
1da177e4 2205
59203a21 2206 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2207 return -EFAULT;
1da177e4
LT		 2208
2209 sent += count;
2210 len -= count;
2211
2212 /* Continuation fragments (no L2CAP header) */
2213 frag = &skb_shinfo(skb)->frag_list;
2214 while (len) {
fbe00700
GP		 2215 struct sk_buff *tmp;
2216
1da177e4
LT		 2217 count = min_t(unsigned int, conn->mtu, len);
2218
fbe00700
GP		 2219 tmp = chan->ops->alloc_skb(chan, count,
2220 msg->msg_flags & MSG_DONTWAIT);
2221 if (IS_ERR(tmp))
2222 return PTR_ERR(tmp);
2223
2224 *frag = tmp;
2f7719ce 2225
1c2acffb
GP		 2226 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2227 return -EFAULT;
1da177e4 2228
5e59b791
LAD		 2229 (*frag)->priority = skb->priority;
2230
1da177e4
LT		 2231 sent += count;
2232 len -= count;
2233
2d0ed3d5
GP		 2234 skb->len += (*frag)->len;
2235 skb->data_len += (*frag)->len;
2236
1da177e4
LT		 2237 frag = &(*frag)->next;
2238 }
1da177e4
LT		 2239
2240 return sent;
1c2acffb 2241}
1da177e4 2242
5e59b791 2243static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2244 struct msghdr *msg, size_t len,
2245 u32 priority)
1c2acffb 2246{
8c1d787b 2247 struct l2cap_conn *conn = chan->conn;
1c2acffb 2248 struct sk_buff *skb;
03a51213 2249 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2250 struct l2cap_hdr *lh;
2251
43b1b8df
MH		 2252 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2253 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2254
2255 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2256
2257 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2258 msg->msg_flags & MSG_DONTWAIT);
2259 if (IS_ERR(skb))
2260 return skb;
1c2acffb 2261
5e59b791
LAD		 2262 skb->priority = priority;
2263
1c2acffb
GP		 2264 /* Create L2CAP header */
2265 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2266 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2267 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2268 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2269
0952a57a 2270 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2271 if (unlikely(err < 0)) {
2272 kfree_skb(skb);
2273 return ERR_PTR(err);
2274 }
2275 return skb;
2276}
2277
5e59b791 2278static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2279 struct msghdr *msg, size_t len,
2280 u32 priority)
1c2acffb 2281{
8c1d787b 2282 struct l2cap_conn *conn = chan->conn;
1c2acffb 2283 struct sk_buff *skb;
f2ba7fae 2284 int err, count;
1c2acffb
GP		 2285 struct l2cap_hdr *lh;
2286
b4400672 2287 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2288
f2ba7fae 2289 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2290
f2ba7fae 2291 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2292 msg->msg_flags & MSG_DONTWAIT);
2293 if (IS_ERR(skb))
2294 return skb;
1c2acffb 2295
5e59b791
LAD		 2296 skb->priority = priority;
2297
1c2acffb
GP		 2298 /* Create L2CAP header */
2299 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2300 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2301 lh->len = cpu_to_le16(len);
1c2acffb 2302
0952a57a 2303 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2304 if (unlikely(err < 0)) {
2305 kfree_skb(skb);
2306 return ERR_PTR(err);
2307 }
2308 return skb;
2309}
2310
ab0ff76d 2311static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2312 struct msghdr *msg, size_t len,
2313 u16 sdulen)
1c2acffb 2314{
8c1d787b 2315 struct l2cap_conn *conn = chan->conn;
1c2acffb 2316 struct sk_buff *skb;
e4ca6d98 2317 int err, count, hlen;
1c2acffb
GP		 2318 struct l2cap_hdr *lh;
2319
b4400672 2320 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2321
0ee0d208
GP		 2322 if (!conn)
2323 return ERR_PTR(-ENOTCONN);
2324
ba7aa64f 2325 hlen = __ertm_hdr_size(chan);
e4ca6d98 2326
c74e560c 2327 if (sdulen)
03a51213 2328 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2329
47d1ec61 2330 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2331 hlen += L2CAP_FCS_SIZE;
fcc203c3 2332
1c2acffb 2333 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2334
2335 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2336 msg->msg_flags & MSG_DONTWAIT);
2337 if (IS_ERR(skb))
2338 return skb;
1c2acffb
GP		 2339
2340 /* Create L2CAP header */
2341 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2342 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2343 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2344
18a48e76
MM		 2345 /* Control header is populated later */
2346 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2347 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2348 else
2349 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2350
c74e560c 2351 if (sdulen)
03a51213 2352 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2353
0952a57a 2354 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2355 if (unlikely(err < 0)) {
2356 kfree_skb(skb);
2357 return ERR_PTR(err);
2358 }
e90bac06 2359
18a48e76 2360 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2361 bt_cb(skb)->control.retries = 0;
1c2acffb 2362 return skb;
1da177e4
LT		 2363}
2364
94122bbe
MM		 2365static int l2cap_segment_sdu(struct l2cap_chan *chan,
2366 struct sk_buff_head *seg_queue,
2367 struct msghdr *msg, size_t len)
c74e560c 2368{
c74e560c 2369 struct sk_buff *skb;
94122bbe
MM		 2370 u16 sdu_len;
2371 size_t pdu_len;
94122bbe 2372 u8 sar;
c74e560c 2373
b4400672 2374 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2375
94122bbe
MM		 2376 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2377 * so fragmented skbs are not used. The HCI layer's handling
2378 * of fragmented skbs is not compatible with ERTM's queueing.
2379 */
c74e560c 2380
94122bbe
MM		 2381 /* PDU size is derived from the HCI MTU */
2382 pdu_len = chan->conn->mtu;
c74e560c 2383
a549574d
MM		 2384 /* Constrain PDU size for BR/EDR connections */
2385 if (!chan->hs_hcon)
2386 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2387
2388 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2389 if (chan->fcs)
2390 pdu_len -= L2CAP_FCS_SIZE;
2391
ba7aa64f 2392 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2393
2394 /* Remote device may have requested smaller PDUs */
2395 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2396
2397 if (len <= pdu_len) {
2398 sar = L2CAP_SAR_UNSEGMENTED;
2399 sdu_len = 0;
2400 pdu_len = len;
2401 } else {
2402 sar = L2CAP_SAR_START;
2403 sdu_len = len;
2404 pdu_len -= L2CAP_SDULEN_SIZE;
2405 }
2406
2407 while (len > 0) {
2408 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2409
c74e560c 2410 if (IS_ERR(skb)) {
94122bbe 2411 __skb_queue_purge(seg_queue);
c74e560c
GP		 2412 return PTR_ERR(skb);
2413 }
2414
94122bbe
MM		 2415 bt_cb(skb)->control.sar = sar;
2416 __skb_queue_tail(seg_queue, skb);
2417
2418 len -= pdu_len;
2419 if (sdu_len) {
2420 sdu_len = 0;
2421 pdu_len += L2CAP_SDULEN_SIZE;
2422 }
2423
2424 if (len <= pdu_len) {
2425 sar = L2CAP_SAR_END;
2426 pdu_len = len;
2427 } else {
2428 sar = L2CAP_SAR_CONTINUE;
2429 }
c74e560c 2430 }
c74e560c 2431
f0f62799 2432 return 0;
c74e560c
GP		 2433}
2434
5e59b791 2435int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2436 u32 priority)
9a91a04a 2437{
9a91a04a 2438 struct sk_buff *skb;
9a91a04a 2439 int err;
94122bbe 2440 struct sk_buff_head seg_queue;
9a91a04a 2441
31e8ce80
SWK		 2442 if (!chan->conn)
2443 return -ENOTCONN;
2444
9a91a04a 2445 /* Connectionless channel */
715ec005 2446 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2447 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2448 if (IS_ERR(skb))
2449 return PTR_ERR(skb);
2450
2451 l2cap_do_send(chan, skb);
2452 return len;
2453 }
2454
2455 switch (chan->mode) {
2456 case L2CAP_MODE_BASIC:
2457 /* Check outgoing MTU */
2458 if (len > chan->omtu)
2459 return -EMSGSIZE;
2460
2461 /* Create a basic PDU */
5e59b791 2462 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2463 if (IS_ERR(skb))
2464 return PTR_ERR(skb);
2465
2466 l2cap_do_send(chan, skb);
2467 err = len;
2468 break;
2469
2470 case L2CAP_MODE_ERTM:
2471 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2472 /* Check outgoing MTU */
2473 if (len > chan->omtu) {
2474 err = -EMSGSIZE;
2475 break;
2476 }
9a91a04a 2477
94122bbe 2478 __skb_queue_head_init(&seg_queue);
9a91a04a 2479
94122bbe
MM		 2480 /* Do segmentation before calling in to the state machine,
2481 * since it's possible to block while waiting for memory
2482 * allocation.
2483 */
2484 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2485
94122bbe
MM		 2486 /* The channel could have been closed while segmenting,
2487 * check that it is still connected.
2488 */
2489 if (chan->state != BT_CONNECTED) {
2490 __skb_queue_purge(&seg_queue);
2491 err = -ENOTCONN;
9a91a04a
GP		 2492 }
2493
94122bbe 2494 if (err)
9a91a04a 2495 break;
9a91a04a 2496
3733937d 2497 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2498 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2499 else
d660366d 2500 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2501
d660366d 2502 err = len;
9a91a04a 2503
94122bbe
MM		 2504 /* If the skbs were not queued for sending, they'll still be in
2505 * seg_queue and need to be purged.
2506 */
2507 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2508 break;
2509
2510 default:
2511 BT_DBG("bad state %1.1x", chan->mode);
2512 err = -EBADFD;
2513 }
2514
2515 return err;
2516}
2517
d2a7ac5d
MM		 2518static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2519{
bed68bde
MM		 2520 struct l2cap_ctrl control;
2521 u16 seq;
2522
b4400672 2523 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2524
2525 memset(&control, 0, sizeof(control));
2526 control.sframe = 1;
2527 control.super = L2CAP_SUPER_SREJ;
2528
2529 for (seq = chan->expected_tx_seq; seq != txseq;
2530 seq = __next_seq(chan, seq)) {
2531 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2532 control.reqseq = seq;
2533 l2cap_send_sframe(chan, &control);
2534 l2cap_seq_list_append(&chan->srej_list, seq);
2535 }
2536 }
2537
2538 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2539}
2540
2541static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2542{
bed68bde
MM		 2543 struct l2cap_ctrl control;
2544
2545 BT_DBG("chan %p", chan);
2546
2547 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2548 return;
2549
2550 memset(&control, 0, sizeof(control));
2551 control.sframe = 1;
2552 control.super = L2CAP_SUPER_SREJ;
2553 control.reqseq = chan->srej_list.tail;
2554 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2555}
2556
2557static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2558{
bed68bde
MM		 2559 struct l2cap_ctrl control;
2560 u16 initial_head;
2561 u16 seq;
2562
b4400672 2563 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2564
2565 memset(&control, 0, sizeof(control));
2566 control.sframe = 1;
2567 control.super = L2CAP_SUPER_SREJ;
2568
2569 /* Capture initial list head to allow only one pass through the list. */
2570 initial_head = chan->srej_list.head;
2571
2572 do {
2573 seq = l2cap_seq_list_pop(&chan->srej_list);
2574 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2575 break;
2576
2577 control.reqseq = seq;
2578 l2cap_send_sframe(chan, &control);
2579 l2cap_seq_list_append(&chan->srej_list, seq);
2580 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2581}
2582
608bcc6d
MM		 2583static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2584{
2585 struct sk_buff *acked_skb;
2586 u16 ackseq;
2587
b4400672 2588 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2589
2590 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2591 return;
2592
b4400672 2593 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2594 chan->expected_ack_seq, chan->unacked_frames);
2595
2596 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2597 ackseq = __next_seq(chan, ackseq)) {
2598
2599 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2600 if (acked_skb) {
2601 skb_unlink(acked_skb, &chan->tx_q);
2602 kfree_skb(acked_skb);
2603 chan->unacked_frames--;
2604 }
2605 }
2606
2607 chan->expected_ack_seq = reqseq;
2608
2609 if (chan->unacked_frames == 0)
2610 __clear_retrans_timer(chan);
2611
b4400672 2612 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2613}
2614
2615static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2616{
2617 BT_DBG("chan %p", chan);
2618
2619 chan->expected_tx_seq = chan->buffer_seq;
2620 l2cap_seq_list_clear(&chan->srej_list);
2621 skb_queue_purge(&chan->srej_q);
2622 chan->rx_state = L2CAP_RX_STATE_RECV;
2623}
2624
d660366d
GP		 2625static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2626 struct l2cap_ctrl *control,
2627 struct sk_buff_head *skbs, u8 event)
608bcc6d 2628{
608bcc6d
MM		 2629 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2630 event);
2631
2632 switch (event) {
2633 case L2CAP_EV_DATA_REQUEST:
2634 if (chan->tx_send_head == NULL)
2635 chan->tx_send_head = skb_peek(skbs);
2636
2637 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2638 l2cap_ertm_send(chan);
2639 break;
2640 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2641 BT_DBG("Enter LOCAL_BUSY");
2642 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2643
2644 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2645 /* The SREJ_SENT state must be aborted if we are to
2646 * enter the LOCAL_BUSY state.
2647 */
2648 l2cap_abort_rx_srej_sent(chan);
2649 }
2650
2651 l2cap_send_ack(chan);
2652
2653 break;
2654 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2655 BT_DBG("Exit LOCAL_BUSY");
2656 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2657
2658 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2659 struct l2cap_ctrl local_control;
2660
2661 memset(&local_control, 0, sizeof(local_control));
2662 local_control.sframe = 1;
2663 local_control.super = L2CAP_SUPER_RR;
2664 local_control.poll = 1;
2665 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2666 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2667
2668 chan->retry_count = 1;
2669 __set_monitor_timer(chan);
2670 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2671 }
2672 break;
2673 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2674 l2cap_process_reqseq(chan, control->reqseq);
2675 break;
2676 case L2CAP_EV_EXPLICIT_POLL:
2677 l2cap_send_rr_or_rnr(chan, 1);
2678 chan->retry_count = 1;
2679 __set_monitor_timer(chan);
2680 __clear_ack_timer(chan);
2681 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2682 break;
2683 case L2CAP_EV_RETRANS_TO:
2684 l2cap_send_rr_or_rnr(chan, 1);
2685 chan->retry_count = 1;
2686 __set_monitor_timer(chan);
2687 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2688 break;
2689 case L2CAP_EV_RECV_FBIT:
2690 /* Nothing to process */
2691 break;
2692 default:
2693 break;
2694 }
608bcc6d
MM		 2695}
2696
d660366d
GP		 2697static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2698 struct l2cap_ctrl *control,
2699 struct sk_buff_head *skbs, u8 event)
608bcc6d 2700{
608bcc6d
MM		 2701 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2702 event);
2703
2704 switch (event) {
2705 case L2CAP_EV_DATA_REQUEST:
2706 if (chan->tx_send_head == NULL)
2707 chan->tx_send_head = skb_peek(skbs);
2708 /* Queue data, but don't send. */
2709 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2710 break;
2711 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2712 BT_DBG("Enter LOCAL_BUSY");
2713 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2714
2715 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2716 /* The SREJ_SENT state must be aborted if we are to
2717 * enter the LOCAL_BUSY state.
2718 */
2719 l2cap_abort_rx_srej_sent(chan);
2720 }
2721
2722 l2cap_send_ack(chan);
2723
2724 break;
2725 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2726 BT_DBG("Exit LOCAL_BUSY");
2727 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2728
2729 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2730 struct l2cap_ctrl local_control;
2731 memset(&local_control, 0, sizeof(local_control));
2732 local_control.sframe = 1;
2733 local_control.super = L2CAP_SUPER_RR;
2734 local_control.poll = 1;
2735 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2736 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2737
2738 chan->retry_count = 1;
2739 __set_monitor_timer(chan);
2740 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2741 }
2742 break;
2743 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2744 l2cap_process_reqseq(chan, control->reqseq);
2745
2746 /* Fall through */
2747
2748 case L2CAP_EV_RECV_FBIT:
2749 if (control && control->final) {
2750 __clear_monitor_timer(chan);
2751 if (chan->unacked_frames > 0)
2752 __set_retrans_timer(chan);
2753 chan->retry_count = 0;
2754 chan->tx_state = L2CAP_TX_STATE_XMIT;
2755 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2756 }
2757 break;
2758 case L2CAP_EV_EXPLICIT_POLL:
2759 /* Ignore */
2760 break;
2761 case L2CAP_EV_MONITOR_TO:
2762 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2763 l2cap_send_rr_or_rnr(chan, 1);
2764 __set_monitor_timer(chan);
2765 chan->retry_count++;
2766 } else {
5e4e3972 2767 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2768 }
2769 break;
2770 default:
2771 break;
2772 }
608bcc6d
MM		 2773}
2774
d660366d
GP		 2775static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2776 struct sk_buff_head *skbs, u8 event)
608bcc6d 2777{
608bcc6d
MM		 2778 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2779 chan, control, skbs, event, chan->tx_state);
2780
2781 switch (chan->tx_state) {
2782 case L2CAP_TX_STATE_XMIT:
d660366d 2783 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2784 break;
2785 case L2CAP_TX_STATE_WAIT_F:
d660366d 2786 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2787 break;
2788 default:
2789 /* Ignore event */
2790 break;
2791 }
608bcc6d
MM		 2792}
2793
4b51dae9
MM		 2794static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2795 struct l2cap_ctrl *control)
2796{
2797 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2798 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2799}
2800
f80842a8
MM		 2801static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2802 struct l2cap_ctrl *control)
2803{
2804 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2805 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2806}
2807
1da177e4
LT		 2808/* Copy frame to all raw sockets on that connection */
2809static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2810{
1da177e4 2811 struct sk_buff *nskb;
48454079 2812 struct l2cap_chan *chan;
1da177e4
LT		 2813
2814 BT_DBG("conn %p", conn);
2815
3df91ea2 2816 mutex_lock(&conn->chan_lock);
3d57dc68 2817
3df91ea2 2818 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2819 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2820 continue;
2821
7f5396a7
GP		 2822 /* Don't send frame to the channel it came from */
2823 if (bt_cb(skb)->chan == chan)
1da177e4 2824 continue;
7f5396a7 2825
8bcde1f2 2826 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2827 if (!nskb)
1da177e4 2828 continue;
80b98027 2829 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2830 kfree_skb(nskb);
2831 }
3d57dc68 2832
3df91ea2 2833 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2834}
2835
2836/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2837static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2838 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2839{
2840 struct sk_buff *skb, **frag;
2841 struct l2cap_cmd_hdr *cmd;
2842 struct l2cap_hdr *lh;
2843 int len, count;
2844
b4400672
AE		 2845 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2846 conn, code, ident, dlen);
1da177e4 2847
300b962e
AL		 2848 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2849 return NULL;
2850
1da177e4
LT		 2851 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2852 count = min_t(unsigned int, conn->mtu, len);
2853
8bcde1f2 2854 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2855 if (!skb)
2856 return NULL;
2857
2858 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2859 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2860
2861 if (conn->hcon->type == LE_LINK)
ac73498c 2862 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2863 else
ac73498c 2864 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2865
2866 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2867 cmd->code = code;
2868 cmd->ident = ident;
aca3192c 2869 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2870
2871 if (dlen) {
2872 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2873 memcpy(skb_put(skb, count), data, count);
2874 data += count;
2875 }
2876
2877 len -= skb->len;
2878
2879 /* Continuation fragments (no L2CAP header) */
2880 frag = &skb_shinfo(skb)->frag_list;
2881 while (len) {
2882 count = min_t(unsigned int, conn->mtu, len);
2883
8bcde1f2 2884 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2885 if (!*frag)
2886 goto fail;
2887
2888 memcpy(skb_put(*frag, count), data, count);
2889
2890 len -= count;
2891 data += count;
2892
2893 frag = &(*frag)->next;
2894 }
2895
2896 return skb;
2897
2898fail:
2899 kfree_skb(skb);
2900 return NULL;
2901}
2902
2d792818
GP		 2903static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2904 unsigned long *val)
1da177e4
LT		 2905{
2906 struct l2cap_conf_opt *opt = *ptr;
2907 int len;
2908
2909 len = L2CAP_CONF_OPT_SIZE + opt->len;
2910 *ptr += len;
2911
2912 *type = opt->type;
2913 *olen = opt->len;
2914
2915 switch (opt->len) {
2916 case 1:
2917 *val = *((u8 *) opt->val);
2918 break;
2919
2920 case 2:
bfaaeb3e 2921 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2922 break;
2923
2924 case 4:
bfaaeb3e 2925 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2926 break;
2927
2928 default:
2929 *val = (unsigned long) opt->val;
2930 break;
2931 }
2932
b4400672 2933 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2934 return len;
2935}
2936
1da177e4
LT		 2937static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2938{
2939 struct l2cap_conf_opt *opt = *ptr;
2940
b4400672 2941 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2942
2943 opt->type = type;
2944 opt->len = len;
2945
2946 switch (len) {
2947 case 1:
2948 *((u8 *) opt->val) = val;
2949 break;
2950
2951 case 2:
4f8b691c 2952 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2953 break;
2954
2955 case 4:
4f8b691c 2956 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2957 break;
2958
2959 default:
2960 memcpy(opt->val, (void *) val, len);
2961 break;
2962 }
2963
2964 *ptr += L2CAP_CONF_OPT_SIZE + len;
2965}
2966
f89cef09
AE		 2967static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2968{
2969 struct l2cap_conf_efs efs;
2970
1ec918ce 2971 switch (chan->mode) {
f89cef09
AE		 2972 case L2CAP_MODE_ERTM:
2973 efs.id = chan->local_id;
2974 efs.stype = chan->local_stype;
2975 efs.msdu = cpu_to_le16(chan->local_msdu);
2976 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2977 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2978 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2979 break;
2980
2981 case L2CAP_MODE_STREAMING:
2982 efs.id = 1;
2983 efs.stype = L2CAP_SERV_BESTEFFORT;
2984 efs.msdu = cpu_to_le16(chan->local_msdu);
2985 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2986 efs.acc_lat = 0;
2987 efs.flush_to = 0;
2988 break;
2989
2990 default:
2991 return;
2992 }
2993
2994 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2995 (unsigned long) &efs);
f89cef09
AE		 2996}
2997
721c4181 2998static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2999{
721c4181 3000 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3001 ack_timer.work);
3002 u16 frames_to_ack;
c1b4f43b 3003
2fb9b3d4
GP		 3004 BT_DBG("chan %p", chan);
3005
6be36555
AE		 3006 l2cap_chan_lock(chan);
3007
0362520b
MM		 3008 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3009 chan->last_acked_seq);
6be36555 3010
0362520b
MM		 3011 if (frames_to_ack)
3012 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3013
0362520b 3014 l2cap_chan_unlock(chan);
09bfb2ee 3015 l2cap_chan_put(chan);
c1b4f43b
GP		 3016}
3017
466f8004 3018int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3019{
3c588192
MM		 3020 int err;
3021
105bdf9e
MM		 3022 chan->next_tx_seq = 0;
3023 chan->expected_tx_seq = 0;
42e5c802 3024 chan->expected_ack_seq = 0;
6a026610 3025 chan->unacked_frames = 0;
42e5c802 3026 chan->buffer_seq = 0;
6a026610 3027 chan->frames_sent = 0;
105bdf9e
MM		 3028 chan->last_acked_seq = 0;
3029 chan->sdu = NULL;
3030 chan->sdu_last_frag = NULL;
3031 chan->sdu_len = 0;
3032
d34c34fb
MM		 3033 skb_queue_head_init(&chan->tx_q);
3034
6ed971ca
MH		 3035 chan->local_amp_id = AMP_ID_BREDR;
3036 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3037 chan->move_state = L2CAP_MOVE_STABLE;
3038 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3039
105bdf9e
MM		 3040 if (chan->mode != L2CAP_MODE_ERTM)
3041 return 0;
3042
3043 chan->rx_state = L2CAP_RX_STATE_RECV;
3044 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3045
721c4181
GP		 3046 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3047 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3048 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3049
f1c6775b 3050 skb_queue_head_init(&chan->srej_q);
1890d36b 3051
3c588192
MM		 3052 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3053 if (err < 0)
3054 return err;
3055
9dc9affc
MM		 3056 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3057 if (err < 0)
3058 l2cap_seq_list_free(&chan->srej_list);
3059
3060 return err;
0565c1c2
GP		 3061}
3062
f2fcfcd6
GP		 3063static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3064{
3065 switch (mode) {
3066 case L2CAP_MODE_STREAMING:
3067 case L2CAP_MODE_ERTM:
3068 if (l2cap_mode_supported(mode, remote_feat_mask))
3069 return mode;
3070 /* fall through */
3071 default:
3072 return L2CAP_MODE_BASIC;
3073 }
3074}
3075
848566b3 3076static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3077{
848566b3 3078 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3079}
3080
848566b3 3081static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3082{
848566b3 3083 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3084}
3085
36c86c85
MM		 3086static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3087 struct l2cap_conf_rfc *rfc)
3088{
6ed971ca 3089 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3090 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3091
3092 /* Class 1 devices have must have ERTM timeouts
3093 * exceeding the Link Supervision Timeout. The
3094 * default Link Supervision Timeout for AMP
3095 * controllers is 10 seconds.
3096 *
3097 * Class 1 devices use 0xffffffff for their
3098 * best-effort flush timeout, so the clamping logic
3099 * will result in a timeout that meets the above
3100 * requirement. ERTM timeouts are 16-bit values, so
3101 * the maximum timeout is 65.535 seconds.
3102 */
3103
3104 /* Convert timeout to milliseconds and round */
3105 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3106
3107 /* This is the recommended formula for class 2 devices
3108 * that start ERTM timers when packets are sent to the
3109 * controller.
3110 */
3111 ertm_to = 3 * ertm_to + 500;
3112
3113 if (ertm_to > 0xffff)
3114 ertm_to = 0xffff;
3115
3116 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3117 rfc->monitor_timeout = rfc->retrans_timeout;
3118 } else {
3119 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3120 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3121 }
3122}
3123
6327eb98
AE		 3124static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3125{
3126 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3127 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3128 /* use extended control field */
3129 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3130 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3131 } else {
6327eb98 3132 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3133 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3134 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3135 }
c20f8e35 3136 chan->ack_win = chan->tx_win;
6327eb98
AE		 3137}
3138
710f9b0a 3139static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3140{
1da177e4 3141 struct l2cap_conf_req *req = data;
0c1bc5c6 3142 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3143 void *ptr = req->data;
c8f79162 3144 u16 size;
1da177e4 3145
49208c9c 3146 BT_DBG("chan %p", chan);
1da177e4 3147
73ffa904 3148 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3149 goto done;
3150
0c1bc5c6 3151 switch (chan->mode) {
f2fcfcd6
GP		 3152 case L2CAP_MODE_STREAMING:
3153 case L2CAP_MODE_ERTM:
c1360a1c 3154 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3155 break;
85eb53c6 3156
848566b3 3157 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3158 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3159
2ba13ed6 3160 /* fall through */
f2fcfcd6 3161 default:
8c1d787b 3162 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3163 break;
3164 }
3165
3166done:
0c1bc5c6
GP		 3167 if (chan->imtu != L2CAP_DEFAULT_MTU)
3168 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3169
0c1bc5c6 3170 switch (chan->mode) {
65c7c491 3171 case L2CAP_MODE_BASIC:
8c1d787b 3172 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3173 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3174 break;
3175
62547752
GP		 3176 rfc.mode = L2CAP_MODE_BASIC;
3177 rfc.txwin_size = 0;
3178 rfc.max_transmit = 0;
3179 rfc.retrans_timeout = 0;
3180 rfc.monitor_timeout = 0;
3181 rfc.max_pdu_size = 0;
3182
63406504 3183 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3184 (unsigned long) &rfc);
65c7c491
MH		 3185 break;
3186
3187 case L2CAP_MODE_ERTM:
3188 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3189 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3190
3191 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3192
3193 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3194 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3195 L2CAP_FCS_SIZE);
c8f79162 3196 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3197
6327eb98
AE		 3198 l2cap_txwin_setup(chan);
3199
3200 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3201 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3202
63406504 3203 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3204 (unsigned long) &rfc);
63406504 3205
f89cef09
AE		 3206 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3207 l2cap_add_opt_efs(&ptr, chan);
3208
6327eb98
AE		 3209 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3210 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3211 chan->tx_win);
60918918
AE		 3212
3213 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3214 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3215 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3216 chan->fcs = L2CAP_FCS_NONE;
3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3218 chan->fcs);
3219 }
f2fcfcd6
GP		 3220 break;
3221
3222 case L2CAP_MODE_STREAMING:
273759e2 3223 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3224 rfc.mode = L2CAP_MODE_STREAMING;
3225 rfc.txwin_size = 0;
3226 rfc.max_transmit = 0;
3227 rfc.retrans_timeout = 0;
3228 rfc.monitor_timeout = 0;
c8f79162
AE		 3229
3230 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3231 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3232 L2CAP_FCS_SIZE);
c8f79162 3233 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3234
63406504 3235 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3236 (unsigned long) &rfc);
63406504 3237
f89cef09
AE		 3238 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3239 l2cap_add_opt_efs(&ptr, chan);
3240
60918918
AE		 3241 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3242 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3243 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3244 chan->fcs = L2CAP_FCS_NONE;
3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3246 chan->fcs);
3247 }
65c7c491
MH		 3248 break;
3249 }
1da177e4 3250
fe4128e0 3251 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3252 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3253
3254 return ptr - data;
3255}
3256
73ffa904 3257static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3258{
5dee9e7c
MH		 3259 struct l2cap_conf_rsp *rsp = data;
3260 void *ptr = rsp->data;
73ffa904
GP		 3261 void *req = chan->conf_req;
3262 int len = chan->conf_len;
5dee9e7c
MH		 3263 int type, hint, olen;
3264 unsigned long val;
6464f35f 3265 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3266 struct l2cap_conf_efs efs;
3267 u8 remote_efs = 0;
861d6882 3268 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3269 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3270 u16 size;
1da177e4 3271
73ffa904 3272 BT_DBG("chan %p", chan);
820ae1b8 3273
5dee9e7c
MH		 3274 while (len >= L2CAP_CONF_OPT_SIZE) {
3275 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3276
589d2746 3277 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3278 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3279
3280 switch (type) {
3281 case L2CAP_CONF_MTU:
861d6882 3282 mtu = val;
5dee9e7c
MH		 3283 break;
3284
3285 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3286 chan->flush_to = val;
5dee9e7c
MH		 3287 break;
3288
3289 case L2CAP_CONF_QOS:
3290 break;
3291
6464f35f
MH		 3292 case L2CAP_CONF_RFC:
3293 if (olen == sizeof(rfc))
3294 memcpy(&rfc, (void *) val, olen);
3295 break;
3296
fcc203c3
GP		 3297 case L2CAP_CONF_FCS:
3298 if (val == L2CAP_FCS_NONE)
f2592d3e 3299 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3300 break;
fcc203c3 3301
42dceae2
AE		 3302 case L2CAP_CONF_EFS:
3303 remote_efs = 1;
3304 if (olen == sizeof(efs))
3305 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3306 break;
3307
6327eb98 3308 case L2CAP_CONF_EWS:
848566b3 3309 if (!chan->conn->hs_enabled)
6327eb98 3310 return -ECONNREFUSED;
fcc203c3 3311
6327eb98
AE		 3312 set_bit(FLAG_EXT_CTRL, &chan->flags);
3313 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3314 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3315 chan->remote_tx_win = val;
fcc203c3
GP		 3316 break;
3317
5dee9e7c
MH		 3318 default:
3319 if (hint)
3320 break;
3321
3322 result = L2CAP_CONF_UNKNOWN;
3323 *((u8 *) ptr++) = type;
3324 break;
3325 }
3326 }
3327
73ffa904 3328 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3329 goto done;
3330
0c1bc5c6 3331 switch (chan->mode) {
f2fcfcd6
GP		 3332 case L2CAP_MODE_STREAMING:
3333 case L2CAP_MODE_ERTM:
c1360a1c 3334 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3335 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3336 chan->conn->feat_mask);
85eb53c6
GP		 3337 break;
3338 }
3339
42dceae2 3340 if (remote_efs) {
848566b3 3341 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3342 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3343 else
3344 return -ECONNREFUSED;
3345 }
3346
0c1bc5c6 3347 if (chan->mode != rfc.mode)
f2fcfcd6 3348 return -ECONNREFUSED;
742e519b 3349
f2fcfcd6 3350 break;
f2fcfcd6
GP		 3351 }
3352
3353done:
0c1bc5c6 3354 if (chan->mode != rfc.mode) {
f2fcfcd6 3355 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3356 rfc.mode = chan->mode;
f2fcfcd6 3357
73ffa904 3358 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3359 return -ECONNREFUSED;
3360
2d792818
GP		 3361 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3362 (unsigned long) &rfc);
f2fcfcd6
GP		 3363 }
3364
5dee9e7c
MH		 3365 if (result == L2CAP_CONF_SUCCESS) {
3366 /* Configure output options and let the other side know
3367 * which ones we don't like. */
3368
f2fcfcd6
GP		 3369 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3370 result = L2CAP_CONF_UNACCEPT;
3371 else {
0c1bc5c6 3372 chan->omtu = mtu;
c1360a1c 3373 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3374 }
0c1bc5c6 3375 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3376
42dceae2
AE		 3377 if (remote_efs) {
3378 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3379 efs.stype != L2CAP_SERV_NOTRAFIC &&
3380 efs.stype != chan->local_stype) {
42dceae2
AE		 3381
3382 result = L2CAP_CONF_UNACCEPT;
3383
3384 if (chan->num_conf_req >= 1)
3385 return -ECONNREFUSED;
3386
3387 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3388 sizeof(efs),
3389 (unsigned long) &efs);
0e8b207e 3390 } else {
3e6b3b95 3391 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3392 result = L2CAP_CONF_PENDING;
3393 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3394 }
3395 }
3396
f2fcfcd6
GP		 3397 switch (rfc.mode) {
3398 case L2CAP_MODE_BASIC:
47d1ec61 3399 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3400 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3401 break;
3402
3403 case L2CAP_MODE_ERTM:
6327eb98
AE		 3404 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3405 chan->remote_tx_win = rfc.txwin_size;
3406 else
3407 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3408
2c03a7a4 3409 chan->remote_max_tx = rfc.max_transmit;
1c762159 3410
c8f79162 3411 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3412 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3413 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3414 rfc.max_pdu_size = cpu_to_le16(size);
3415 chan->remote_mps = size;
f2fcfcd6 3416
36c86c85 3417 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3418
c1360a1c 3419 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3420
3421 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3422 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3423
42dceae2
AE		 3424 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3425 chan->remote_id = efs.id;
3426 chan->remote_stype = efs.stype;
3427 chan->remote_msdu = le16_to_cpu(efs.msdu);
3428 chan->remote_flush_to =
2d792818 3429 le32_to_cpu(efs.flush_to);
42dceae2 3430 chan->remote_acc_lat =
2d792818 3431 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3432 chan->remote_sdu_itime =
3433 le32_to_cpu(efs.sdu_itime);
3434 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3435 sizeof(efs),
3436 (unsigned long) &efs);
42dceae2 3437 }
f2fcfcd6
GP		 3438 break;
3439
3440 case L2CAP_MODE_STREAMING:
c8f79162 3441 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3442 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3443 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3444 rfc.max_pdu_size = cpu_to_le16(size);
3445 chan->remote_mps = size;
f2fcfcd6 3446
c1360a1c 3447 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3448
2d792818
GP		 3449 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3450 (unsigned long) &rfc);
68ae6639 3451
f2fcfcd6
GP		 3452 break;
3453
3454 default:
5dee9e7c 3455 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3456
6464f35f 3457 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3458 rfc.mode = chan->mode;
f2fcfcd6 3459 }
6464f35f 3460
f2fcfcd6 3461 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3462 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3463 }
fe4128e0 3464 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3465 rsp->result = cpu_to_le16(result);
59e54bd1 3466 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3467
3468 return ptr - data;
1da177e4
LT		 3469}
3470
2d792818
GP		 3471static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3472 void *data, u16 *result)
f2fcfcd6 3473{
f2fcfcd6
GP		 3474 struct l2cap_conf_req *req = data;
3475 void *ptr = req->data;
3476 int type, olen;
3477 unsigned long val;
36e999a8 3478 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3479 struct l2cap_conf_efs efs;
f2fcfcd6 3480
fe4128e0 3481 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3482
3483 while (len >= L2CAP_CONF_OPT_SIZE) {
3484 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3485
3486 switch (type) {
3487 case L2CAP_CONF_MTU:
3488 if (val < L2CAP_DEFAULT_MIN_MTU) {
3489 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3490 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3491 } else
0c1bc5c6
GP		 3492 chan->imtu = val;
3493 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3494 break;
3495
3496 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3497 chan->flush_to = val;
f2fcfcd6 3498 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3499 2, chan->flush_to);
f2fcfcd6
GP		 3500 break;
3501
3502 case L2CAP_CONF_RFC:
3503 if (olen == sizeof(rfc))
3504 memcpy(&rfc, (void *)val, olen);
3505
c1360a1c 3506 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3507 rfc.mode != chan->mode)
f2fcfcd6
GP		 3508 return -ECONNREFUSED;
3509
47d1ec61 3510 chan->fcs = 0;
f2fcfcd6
GP		 3511
3512 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3513 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3514 break;
6327eb98
AE		 3515
3516 case L2CAP_CONF_EWS:
c20f8e35 3517 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3519 chan->tx_win);
6327eb98 3520 break;
66af7aaf
AE		 3521
3522 case L2CAP_CONF_EFS:
3523 if (olen == sizeof(efs))
3524 memcpy(&efs, (void *)val, olen);
3525
3526 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3527 efs.stype != L2CAP_SERV_NOTRAFIC &&
3528 efs.stype != chan->local_stype)
66af7aaf
AE		 3529 return -ECONNREFUSED;
3530
2d792818
GP		 3531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3532 (unsigned long) &efs);
66af7aaf 3533 break;
cbabee78
AE		 3534
3535 case L2CAP_CONF_FCS:
3536 if (*result == L2CAP_CONF_PENDING)
3537 if (val == L2CAP_FCS_NONE)
f2592d3e 3538 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3539 &chan->conf_state);
3540 break;
f2fcfcd6
GP		 3541 }
3542 }
3543
0c1bc5c6 3544 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3545 return -ECONNREFUSED;
3546
0c1bc5c6 3547 chan->mode = rfc.mode;
6c2ea7a8 3548
0e8b207e 3549 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3550 switch (rfc.mode) {
3551 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3552 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3553 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3554 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3555 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3556 chan->ack_win = min_t(u16, chan->ack_win,
3557 rfc.txwin_size);
66af7aaf
AE		 3558
3559 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3560 chan->local_msdu = le16_to_cpu(efs.msdu);
3561 chan->local_sdu_itime =
2d792818 3562 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3563 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3564 chan->local_flush_to =
2d792818 3565 le32_to_cpu(efs.flush_to);
66af7aaf 3566 }
f2fcfcd6 3567 break;
66af7aaf 3568
f2fcfcd6 3569 case L2CAP_MODE_STREAMING:
47d1ec61 3570 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3571 }
3572 }
3573
fe4128e0 3574 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3575 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3576
3577 return ptr - data;
3578}
3579
2d792818
GP		 3580static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3581 u16 result, u16 flags)
1da177e4
LT		 3582{
3583 struct l2cap_conf_rsp *rsp = data;
3584 void *ptr = rsp->data;
1da177e4 3585
fe4128e0 3586 BT_DBG("chan %p", chan);
1da177e4 3587
fe4128e0 3588 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3589 rsp->result = cpu_to_le16(result);
aca3192c 3590 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3591
3592 return ptr - data;
3593}
3594
8c1d787b 3595void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3596{
3597 struct l2cap_conn_rsp rsp;
8c1d787b 3598 struct l2cap_conn *conn = chan->conn;
710f9b0a 3599 u8 buf[128];
439f34ac 3600 u8 rsp_code;
710f9b0a 3601
fe4128e0
GP		 3602 rsp.scid = cpu_to_le16(chan->dcid);
3603 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3604 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3605 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3606
3607 if (chan->hs_hcon)
3608 rsp_code = L2CAP_CREATE_CHAN_RSP;
3609 else
3610 rsp_code = L2CAP_CONN_RSP;
3611
3612 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3613
3614 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3615
c1360a1c 3616 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3617 return;
3618
710f9b0a 3619 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3620 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3621 chan->num_conf_req++;
3622}
3623
47d1ec61 3624static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3625{
7b1c0049
GP		 3626 int type, olen;
3627 unsigned long val;
c20f8e35
MM		 3628 /* Use sane default values in case a misbehaving remote device
3629 * did not send an RFC or extended window size option.
3630 */
3631 u16 txwin_ext = chan->ack_win;
3632 struct l2cap_conf_rfc rfc = {
3633 .mode = chan->mode,
3634 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3635 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3636 .max_pdu_size = cpu_to_le16(chan->imtu),
3637 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3638 };
7b1c0049 3639
47d1ec61 3640 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3641
0c1bc5c6 3642 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3643 return;
3644
3645 while (len >= L2CAP_CONF_OPT_SIZE) {
3646 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3647
c20f8e35
MM		 3648 switch (type) {
3649 case L2CAP_CONF_RFC:
3650 if (olen == sizeof(rfc))
3651 memcpy(&rfc, (void *)val, olen);
8f321f85 3652 break;
c20f8e35
MM		 3653 case L2CAP_CONF_EWS:
3654 txwin_ext = val;
3655 break;
3656 }
7b1c0049
GP		 3657 }
3658
7b1c0049
GP		 3659 switch (rfc.mode) {
3660 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3661 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3662 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3663 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3664 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3665 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3666 else
3667 chan->ack_win = min_t(u16, chan->ack_win,
3668 rfc.txwin_size);
7b1c0049
GP		 3669 break;
3670 case L2CAP_MODE_STREAMING:
47d1ec61 3671 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3672 }
3673}
3674
2d792818 3675static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3676 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3677 u8 *data)
4e8402a3 3678{
e2fd318e 3679 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3680
cb3b3152
JH		 3681 if (cmd_len < sizeof(*rej))
3682 return -EPROTO;
3683
e2fd318e 3684 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3685 return 0;
3686
3687 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3688 cmd->ident == conn->info_ident) {
17cd3f37 3689 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3690
3691 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3692 conn->info_ident = 0;
984947dc 3693
4e8402a3
MH		 3694 l2cap_conn_start(conn);
3695 }
3696
3697 return 0;
3698}
3699
1700915f
MM		 3700static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3701 struct l2cap_cmd_hdr *cmd,
3702 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3703{
1da177e4
LT		 3704 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3705 struct l2cap_conn_rsp rsp;
23691d75 3706 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3707 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3708
3709 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3710 __le16 psm = req->psm;
1da177e4 3711
097db76c 3712 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3713
3714 /* Check if we have socket listening on psm */
6f59b904 3715 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
98e0f7ea 3716 &conn->hcon->dst);
23691d75 3717 if (!pchan) {
1da177e4
LT		 3718 result = L2CAP_CR_BAD_PSM;
3719 goto sendresp;
3720 }
3721
3df91ea2 3722 mutex_lock(&conn->chan_lock);
8ffb9290 3723 l2cap_chan_lock(pchan);
e0f0cb56 3724
e7c29cb1 3725 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3726 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3727 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3728 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3729 result = L2CAP_CR_SEC_BLOCK;
3730 goto response;
3731 }
3732
1da177e4
LT		 3733 result = L2CAP_CR_NO_MEM;
3734
2dfa1003
GP		 3735 /* Check if we already have channel with that dcid */
3736 if (__l2cap_get_chan_by_dcid(conn, scid))
3737 goto response;
3738
80b98027 3739 chan = pchan->ops->new_connection(pchan);
80808e43 3740 if (!chan)
1da177e4
LT		 3741 goto response;
3742
330b6c15
SS		 3743 /* For certain devices (ex: HID mouse), support for authentication,
3744 * pairing and bonding is optional. For such devices, inorder to avoid
3745 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3746 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3747 */
3748 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3749
7eafc59e
MH		 3750 bacpy(&chan->src, &conn->hcon->src);
3751 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3752 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3753 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3754 chan->psm = psm;
3755 chan->dcid = scid;
1700915f 3756 chan->local_amp_id = amp_id;
1da177e4 3757
6be36555 3758 __l2cap_chan_add(conn, chan);
48454079 3759
fe4128e0 3760 dcid = chan->scid;
1da177e4 3761
8d836d71 3762 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3763
fc7f8a7e 3764 chan->ident = cmd->ident;
1da177e4 3765
984947dc 3766 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3767 if (l2cap_chan_check_security(chan)) {
bdc25783 3768 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3769 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3770 result = L2CAP_CR_PEND;
3771 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3772 chan->ops->defer(chan);
f66dc81f 3773 } else {
1700915f
MM		 3774 /* Force pending result for AMP controllers.
3775 * The connection will succeed after the
3776 * physical link is up.
3777 */
6ed971ca 3778 if (amp_id == AMP_ID_BREDR) {
f93fa273 3779 l2cap_state_change(chan, BT_CONFIG);
1700915f 3780 result = L2CAP_CR_SUCCESS;
6ed971ca 3781 } else {
f93fa273 3782 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3783 result = L2CAP_CR_PEND;
1700915f 3784 }
f66dc81f
MH		 3785 status = L2CAP_CS_NO_INFO;
3786 }
79d554a6 3787 } else {
f93fa273 3788 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3789 result = L2CAP_CR_PEND;
3790 status = L2CAP_CS_AUTHEN_PEND;
3791 }
3792 } else {
f93fa273 3793 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3794 result = L2CAP_CR_PEND;
3795 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3796 }
3797
1da177e4 3798response:
8ffb9290 3799 l2cap_chan_unlock(pchan);
3df91ea2 3800 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3801
3802sendresp:
aca3192c
YH		 3803 rsp.scid = cpu_to_le16(scid);
3804 rsp.dcid = cpu_to_le16(dcid);
3805 rsp.result = cpu_to_le16(result);
3806 rsp.status = cpu_to_le16(status);
4c89b6aa 3807 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3808
3809 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3810 struct l2cap_info_req info;
ac73498c 3811 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3812
3813 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3814 conn->info_ident = l2cap_get_ident(conn);
3815
ba13ccd9 3816 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3817
2d792818
GP		 3818 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3819 sizeof(info), &info);
79d554a6
MH		 3820 }
3821
c1360a1c 3822 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3823 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3824 u8 buf[128];
c1360a1c 3825 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3826 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3827 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3828 chan->num_conf_req++;
e9aeb2dd 3829 }
1700915f
MM		 3830
3831 return chan;
4c89b6aa 3832}
e9aeb2dd 3833
4c89b6aa 3834static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3835 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3836{
7b064eda
JK		 3837 struct hci_dev *hdev = conn->hcon->hdev;
3838 struct hci_conn *hcon = conn->hcon;
3839
cb3b3152
JH		 3840 if (cmd_len < sizeof(struct l2cap_conn_req))
3841 return -EPROTO;
3842
7b064eda
JK		 3843 hci_dev_lock(hdev);
3844 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3845 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3846 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3847 hcon->dst_type, 0, NULL, 0,
3848 hcon->dev_class);
3849 hci_dev_unlock(hdev);
3850
300229f9 3851 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3852 return 0;
3853}
3854
5909cf30 3855static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3856 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3857 u8 *data)
1da177e4
LT		 3858{
3859 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3860 u16 scid, dcid, result, status;
48454079 3861 struct l2cap_chan *chan;
1da177e4 3862 u8 req[128];
3df91ea2 3863 int err;
1da177e4 3864
cb3b3152
JH		 3865 if (cmd_len < sizeof(*rsp))
3866 return -EPROTO;
3867
1da177e4
LT		 3868 scid = __le16_to_cpu(rsp->scid);
3869 dcid = __le16_to_cpu(rsp->dcid);
3870 result = __le16_to_cpu(rsp->result);
3871 status = __le16_to_cpu(rsp->status);
3872
1b009c98 3873 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3874 dcid, scid, result, status);
1da177e4 3875
3df91ea2
AE		 3876 mutex_lock(&conn->chan_lock);
3877
1da177e4 3878 if (scid) {
3df91ea2
AE		 3879 chan = __l2cap_get_chan_by_scid(conn, scid);
3880 if (!chan) {
21870b52 3881 err = -EBADSLT;
3df91ea2
AE		 3882 goto unlock;
3883 }
1da177e4 3884 } else {
3df91ea2
AE		 3885 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3886 if (!chan) {
21870b52 3887 err = -EBADSLT;
3df91ea2
AE		 3888 goto unlock;
3889 }
1da177e4
LT		 3890 }
3891
3df91ea2
AE		 3892 err = 0;
3893
6be36555 3894 l2cap_chan_lock(chan);
48454079 3895
1da177e4
LT		 3896 switch (result) {
3897 case L2CAP_CR_SUCCESS:
89bc500e 3898 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3899 chan->ident = 0;
fe4128e0 3900 chan->dcid = dcid;
c1360a1c 3901 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3902
c1360a1c 3903 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3904 break;
3905
1da177e4 3906 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3907 l2cap_build_conf_req(chan, req), req);
73ffa904 3908 chan->num_conf_req++;
1da177e4
LT		 3909 break;
3910
3911 case L2CAP_CR_PEND:
c1360a1c 3912 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3913 break;
3914
3915 default:
48454079 3916 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3917 break;
3918 }
3919
6be36555 3920 l2cap_chan_unlock(chan);
3df91ea2
AE		 3921
3922unlock:
3923 mutex_unlock(&conn->chan_lock);
3924
3925 return err;
1da177e4
LT		 3926}
3927
47d1ec61 3928static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3929{
3930 /* FCS is enabled only in ERTM or streaming mode, if one or both
3931 * sides request it.
3932 */
0c1bc5c6 3933 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3934 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3935 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3936 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3937}
3938
29d8a590
AE		 3939static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3940 u8 ident, u16 flags)
3941{
3942 struct l2cap_conn *conn = chan->conn;
3943
3944 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3945 flags);
3946
3947 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3948 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3949
3950 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3951 l2cap_build_conf_rsp(chan, data,
3952 L2CAP_CONF_SUCCESS, flags), data);
3953}
3954
662d652d
JH		 3955static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3956 u16 scid, u16 dcid)
3957{
3958 struct l2cap_cmd_rej_cid rej;
3959
3960 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3961 rej.scid = __cpu_to_le16(scid);
3962 rej.dcid = __cpu_to_le16(dcid);
3963
3964 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3965}
3966
2d792818
GP		 3967static inline int l2cap_config_req(struct l2cap_conn *conn,
3968 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3969 u8 *data)
1da177e4
LT		 3970{
3971 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3972 u16 dcid, flags;
3973 u8 rsp[64];
48454079 3974 struct l2cap_chan *chan;
3c588192 3975 int len, err = 0;
1da177e4 3976
cb3b3152
JH		 3977 if (cmd_len < sizeof(*req))
3978 return -EPROTO;
3979
1da177e4
LT		 3980 dcid = __le16_to_cpu(req->dcid);
3981 flags = __le16_to_cpu(req->flags);
3982
3983 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3984
baa7e1fa 3985 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 3986 if (!chan) {
3987 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
3988 return 0;
3989 }
1da177e4 3990
033b1142 3991 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 3992 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
3993 chan->dcid);
354f60a9 3994 goto unlock;
df6bd743 3995 }
354f60a9 3996
5dee9e7c 3997 /* Reject if config buffer is too small. */
88219a0f 3998 len = cmd_len - sizeof(*req);
cb3b3152 3999 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4000 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4001 l2cap_build_conf_rsp(chan, rsp,
4002 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4003 goto unlock;
4004 }
4005
4006 /* Store config. */
73ffa904
GP		 4007 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4008 chan->conf_len += len;
1da177e4 4009
59e54bd1 4010 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4011 /* Incomplete config. Send empty response. */
4012 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4013 l2cap_build_conf_rsp(chan, rsp,
4014 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4015 goto unlock;
4016 }
4017
4018 /* Complete config. */
73ffa904 4019 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4020 if (len < 0) {
5e4e3972 4021 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4022 goto unlock;
f2fcfcd6 4023 }
1da177e4 4024
1500109b 4025 chan->ident = cmd->ident;
5dee9e7c 4026 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4027 chan->num_conf_rsp++;
5dee9e7c 4028
5dee9e7c 4029 /* Reset config buffer. */
73ffa904 4030 chan->conf_len = 0;
5dee9e7c 4031
c1360a1c 4032 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4033 goto unlock;
4034
c1360a1c 4035 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4036 set_default_fcs(chan);
fcc203c3 4037
105bdf9e
MM		 4038 if (chan->mode == L2CAP_MODE_ERTM ||
4039 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4040 err = l2cap_ertm_init(chan);
4041
4042 if (err < 0)
5e4e3972 4043 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4044 else
4045 l2cap_chan_ready(chan);
0565c1c2 4046
876d9484
MH		 4047 goto unlock;
4048 }
4049
c1360a1c 4050 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4051 u8 buf[64];
1da177e4 4052 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4053 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4054 chan->num_conf_req++;
1da177e4
LT		 4055 }
4056
0e8b207e
AE		 4057 /* Got Conf Rsp PENDING from remote side and asume we sent
4058 Conf Rsp PENDING in the code above */
4059 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4060 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4061
4062 /* check compatibility */
4063
79de886d 4064 /* Send rsp for BR/EDR channel */
f351bc72 4065 if (!chan->hs_hcon)
79de886d
AE		 4066 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4067 else
4068 chan->ident = cmd->ident;
0e8b207e
AE		 4069 }
4070
1da177e4 4071unlock:
6be36555 4072 l2cap_chan_unlock(chan);
3c588192 4073 return err;
1da177e4
LT		 4074}
4075
2d792818 4076static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4077 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4078 u8 *data)
1da177e4
LT		 4079{
4080 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4081 u16 scid, flags, result;
48454079 4082 struct l2cap_chan *chan;
cb3b3152 4083 int len = cmd_len - sizeof(*rsp);
3c588192 4084 int err = 0;
1da177e4 4085
cb3b3152
JH		 4086 if (cmd_len < sizeof(*rsp))
4087 return -EPROTO;
4088
1da177e4
LT		 4089 scid = __le16_to_cpu(rsp->scid);
4090 flags = __le16_to_cpu(rsp->flags);
4091 result = __le16_to_cpu(rsp->result);
4092
61386cba
AE		 4093 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4094 result, len);
1da177e4 4095
baa7e1fa 4096 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4097 if (!chan)
1da177e4
LT		 4098 return 0;
4099
4100 switch (result) {
4101 case L2CAP_CONF_SUCCESS:
47d1ec61 4102 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4103 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4104 break;
4105
0e8b207e
AE		 4106 case L2CAP_CONF_PENDING:
4107 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4108
4109 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4110 char buf[64];
4111
4112 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4113 buf, &result);
0e8b207e 4114 if (len < 0) {
5e4e3972 4115 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4116 goto done;
4117 }
4118
f351bc72 4119 if (!chan->hs_hcon) {
79de886d
AE		 4120 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4121 0);
5ce66b59
AE		 4122 } else {
4123 if (l2cap_check_efs(chan)) {
4124 amp_create_logical_link(chan);
4125 chan->ident = cmd->ident;
4126 }
4127 }
0e8b207e
AE		 4128 }
4129 goto done;
4130
1da177e4 4131 case L2CAP_CONF_UNACCEPT:
73ffa904 4132 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4133 char req[64];
4134
c2c77ec8 4135 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4136 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4137 goto done;
4138 }
4139
f2fcfcd6
GP		 4140 /* throw out any old stored conf requests */
4141 result = L2CAP_CONF_SUCCESS;
b4450035 4142 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4143 req, &result);
f2fcfcd6 4144 if (len < 0) {
5e4e3972 4145 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4146 goto done;
4147 }
4148
4149 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4150 L2CAP_CONF_REQ, len, req);
73ffa904 4151 chan->num_conf_req++;
f2fcfcd6
GP		 4152 if (result != L2CAP_CONF_SUCCESS)
4153 goto done;
4154 break;
1da177e4
LT		 4155 }
4156
8e87d142 4157 default:
6be36555 4158 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4159
ba13ccd9 4160 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4161 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4162 goto done;
4163 }
4164
59e54bd1 4165 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4166 goto done;
4167
c1360a1c 4168 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4169
c1360a1c 4170 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4171 set_default_fcs(chan);
fcc203c3 4172
105bdf9e
MM		 4173 if (chan->mode == L2CAP_MODE_ERTM ||
4174 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4175 err = l2cap_ertm_init(chan);
0565c1c2 4176
3c588192 4177 if (err < 0)
5e4e3972 4178 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4179 else
4180 l2cap_chan_ready(chan);
1da177e4
LT		 4181 }
4182
4183done:
6be36555 4184 l2cap_chan_unlock(chan);
3c588192 4185 return err;
1da177e4
LT		 4186}
4187
2d792818 4188static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4189 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4190 u8 *data)
1da177e4
LT		 4191{
4192 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4193 struct l2cap_disconn_rsp rsp;
4194 u16 dcid, scid;
48454079 4195 struct l2cap_chan *chan;
1da177e4 4196
cb3b3152
JH		 4197 if (cmd_len != sizeof(*req))
4198 return -EPROTO;
4199
1da177e4
LT		 4200 scid = __le16_to_cpu(req->scid);
4201 dcid = __le16_to_cpu(req->dcid);
4202
4203 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4204
3df91ea2
AE		 4205 mutex_lock(&conn->chan_lock);
4206
4207 chan = __l2cap_get_chan_by_scid(conn, dcid);
4208 if (!chan) {
4209 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4210 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4211 return 0;
3df91ea2 4212 }
1da177e4 4213
6be36555
AE		 4214 l2cap_chan_lock(chan);
4215
fe4128e0
GP		 4216 rsp.dcid = cpu_to_le16(chan->scid);
4217 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4218 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4219
5ec1bbe5 4220 chan->ops->set_shutdown(chan);
1da177e4 4221
61d6ef3e 4222 l2cap_chan_hold(chan);
48454079 4223 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4224
4225 l2cap_chan_unlock(chan);
1da177e4 4226
80b98027 4227 chan->ops->close(chan);
61d6ef3e 4228 l2cap_chan_put(chan);
3df91ea2
AE		 4229
4230 mutex_unlock(&conn->chan_lock);
4231
1da177e4
LT		 4232 return 0;
4233}
4234
2d792818 4235static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4236 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4237 u8 *data)
1da177e4
LT		 4238{
4239 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4240 u16 dcid, scid;
48454079 4241 struct l2cap_chan *chan;
1da177e4 4242
cb3b3152
JH		 4243 if (cmd_len != sizeof(*rsp))
4244 return -EPROTO;
4245
1da177e4
LT		 4246 scid = __le16_to_cpu(rsp->scid);
4247 dcid = __le16_to_cpu(rsp->dcid);
4248
4249 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4250
3df91ea2
AE		 4251 mutex_lock(&conn->chan_lock);
4252
4253 chan = __l2cap_get_chan_by_scid(conn, scid);
4254 if (!chan) {
4255 mutex_unlock(&conn->chan_lock);
1da177e4 4256 return 0;
3df91ea2 4257 }
1da177e4 4258
6be36555 4259 l2cap_chan_lock(chan);
48454079 4260
61d6ef3e 4261 l2cap_chan_hold(chan);
48454079 4262 l2cap_chan_del(chan, 0);
6be36555
AE		 4263
4264 l2cap_chan_unlock(chan);
1da177e4 4265
80b98027 4266 chan->ops->close(chan);
61d6ef3e 4267 l2cap_chan_put(chan);
3df91ea2
AE		 4268
4269 mutex_unlock(&conn->chan_lock);
4270
1da177e4
LT		 4271 return 0;
4272}
4273
2d792818 4274static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4275 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4276 u8 *data)
1da177e4
LT		 4277{
4278 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4279 u16 type;
4280
cb3b3152
JH		 4281 if (cmd_len != sizeof(*req))
4282 return -EPROTO;
4283
1da177e4
LT		 4284 type = __le16_to_cpu(req->type);
4285
4286 BT_DBG("type 0x%4.4x", type);
4287
f0709e03
MH		 4288 if (type == L2CAP_IT_FEAT_MASK) {
4289 u8 buf[8];
44dd46de 4290 u32 feat_mask = l2cap_feat_mask;
f0709e03 4291 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4292 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4293 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4294 if (!disable_ertm)
fcc203c3 4295 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4296 | L2CAP_FEAT_FCS;
848566b3 4297 if (conn->hs_enabled)
6327eb98 4298 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4299 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4300
1b7bf4ed 4301 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4302 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4303 buf);
e1027a7c
MH		 4304 } else if (type == L2CAP_IT_FIXED_CHAN) {
4305 u8 buf[12];
4306 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4307
848566b3 4308 if (conn->hs_enabled)
50a147cd
MM		 4309 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4310 else
4311 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4312
ac73498c
AE		 4313 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4314 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4315 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4316 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4317 buf);
f0709e03
MH		 4318 } else {
4319 struct l2cap_info_rsp rsp;
4320 rsp.type = cpu_to_le16(type);
ac73498c 4321 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4322 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4323 &rsp);
f0709e03 4324 }
1da177e4
LT		 4325
4326 return 0;
4327}
4328
2d792818 4329static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4330 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4331 u8 *data)
1da177e4
LT		 4332{
4333 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4334 u16 type, result;
4335
3f6fa3d4 4336 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4337 return -EPROTO;
4338
1da177e4
LT		 4339 type = __le16_to_cpu(rsp->type);
4340 result = __le16_to_cpu(rsp->result);
4341
4342 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4343
e90165be
AE		 4344 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4345 if (cmd->ident != conn->info_ident ||
2d792818 4346 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4347 return 0;
4348
17cd3f37 4349 cancel_delayed_work(&conn->info_timer);
4e8402a3 4350
adb08ede
VT		 4351 if (result != L2CAP_IR_SUCCESS) {
4352 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4353 conn->info_ident = 0;
4354
4355 l2cap_conn_start(conn);
4356
4357 return 0;
4358 }
4359
978c93b9
AE		 4360 switch (type) {
4361 case L2CAP_IT_FEAT_MASK:
83985319 4362 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4363
47ec1dcd 4364 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4365 struct l2cap_info_req req;
ac73498c 4366 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4367
4368 conn->info_ident = l2cap_get_ident(conn);
4369
4370 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4371 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4372 } else {
4373 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4374 conn->info_ident = 0;
4375
4376 l2cap_conn_start(conn);
4377 }
978c93b9
AE		 4378 break;
4379
4380 case L2CAP_IT_FIXED_CHAN:
4381 conn->fixed_chan_mask = rsp->data[0];
984947dc 4382 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4383 conn->info_ident = 0;
984947dc
MH		 4384
4385 l2cap_conn_start(conn);
978c93b9 4386 break;
984947dc 4387 }
4e8402a3 4388
1da177e4
LT		 4389 return 0;
4390}
4391
1700915f
MM		 4392static int l2cap_create_channel_req(struct l2cap_conn *conn,
4393 struct l2cap_cmd_hdr *cmd,
4394 u16 cmd_len, void *data)
f94ff6ff
MM		 4395{
4396 struct l2cap_create_chan_req *req = data;
6e1df6a6 4397 struct l2cap_create_chan_rsp rsp;
1700915f 4398 struct l2cap_chan *chan;
6e1df6a6 4399 struct hci_dev *hdev;
f94ff6ff
MM		 4400 u16 psm, scid;
4401
4402 if (cmd_len != sizeof(*req))
4403 return -EPROTO;
4404
848566b3 4405 if (!conn->hs_enabled)
f94ff6ff
MM		 4406 return -EINVAL;
4407
4408 psm = le16_to_cpu(req->psm);
4409 scid = le16_to_cpu(req->scid);
4410
ad0ac6ca 4411 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4412
6e1df6a6 4413 /* For controller id 0 make BR/EDR connection */
6ed971ca 4414 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4415 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4416 req->amp_id);
4417 return 0;
4418 }
1700915f 4419
6e1df6a6
AE		 4420 /* Validate AMP controller id */
4421 hdev = hci_dev_get(req->amp_id);
4422 if (!hdev)
4423 goto error;
1700915f 4424
6e1df6a6
AE		 4425 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4426 hci_dev_put(hdev);
4427 goto error;
4428 }
1700915f 4429
6e1df6a6
AE		 4430 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4431 req->amp_id);
4432 if (chan) {
4433 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4434 struct hci_conn *hs_hcon;
1700915f 4435
98e0f7ea
MH		 4436 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4437 &conn->hcon->dst);
6e1df6a6
AE		 4438 if (!hs_hcon) {
4439 hci_dev_put(hdev);
662d652d
JH		 4440 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4441 chan->dcid);
4442 return 0;
1700915f
MM		 4443 }
4444
6e1df6a6
AE		 4445 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4446
6e1df6a6
AE		 4447 mgr->bredr_chan = chan;
4448 chan->hs_hcon = hs_hcon;
fd45bf4c 4449 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4450 conn->mtu = hdev->block_mtu;
1700915f 4451 }
f94ff6ff 4452
6e1df6a6 4453 hci_dev_put(hdev);
f94ff6ff
MM		 4454
4455 return 0;
6e1df6a6
AE		 4456
4457error:
4458 rsp.dcid = 0;
4459 rsp.scid = cpu_to_le16(scid);
4460 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4461 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4462
4463 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4464 sizeof(rsp), &rsp);
4465
dc280801 4466 return 0;
f94ff6ff
MM		 4467}
4468
8eb200bd
MM		 4469static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4470{
4471 struct l2cap_move_chan_req req;
4472 u8 ident;
4473
4474 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4475
4476 ident = l2cap_get_ident(chan->conn);
4477 chan->ident = ident;
4478
4479 req.icid = cpu_to_le16(chan->scid);
4480 req.dest_amp_id = dest_amp_id;
4481
4482 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4483 &req);
4484
4485 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4486}
4487
1500109b 4488static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4489{
4490 struct l2cap_move_chan_rsp rsp;
4491
1500109b 4492 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4493
1500109b 4494 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4495 rsp.result = cpu_to_le16(result);
4496
1500109b
MM		 4497 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4498 sizeof(rsp), &rsp);
8d5a04a1
MM		 4499}
4500
5b155ef9 4501static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4502{
4503 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4504
5b155ef9 4505 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4506
5b155ef9 4507 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4508
5b155ef9 4509 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4510 cfm.result = cpu_to_le16(result);
4511
5b155ef9
MM		 4512 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4513 sizeof(cfm), &cfm);
4514
4515 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4516}
4517
4518static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4519{
4520 struct l2cap_move_chan_cfm cfm;
4521
4522 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4523
4524 cfm.icid = cpu_to_le16(icid);
4525 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4526
4527 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4528 sizeof(cfm), &cfm);
8d5a04a1
MM		 4529}
4530
4531static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4532 u16 icid)
8d5a04a1
MM		 4533{
4534 struct l2cap_move_chan_cfm_rsp rsp;
4535
ad0ac6ca 4536 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4537
4538 rsp.icid = cpu_to_le16(icid);
4539 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4540}
4541
5f3847a4
MM		 4542static void __release_logical_link(struct l2cap_chan *chan)
4543{
4544 chan->hs_hchan = NULL;
4545 chan->hs_hcon = NULL;
4546
4547 /* Placeholder - release the logical link */
4548}
4549
1500109b
MM		 4550static void l2cap_logical_fail(struct l2cap_chan *chan)
4551{
4552 /* Logical link setup failed */
4553 if (chan->state != BT_CONNECTED) {
4554 /* Create channel failure, disconnect */
5e4e3972 4555 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4556 return;
4557 }
4558
4559 switch (chan->move_role) {
4560 case L2CAP_MOVE_ROLE_RESPONDER:
4561 l2cap_move_done(chan);
4562 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4563 break;
4564 case L2CAP_MOVE_ROLE_INITIATOR:
4565 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4566 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4567 /* Remote has only sent pending or
4568 * success responses, clean up
4569 */
4570 l2cap_move_done(chan);
4571 }
4572
4573 /* Other amp move states imply that the move
4574 * has already aborted
4575 */
4576 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4577 break;
4578 }
4579}
4580
4581static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4582 struct hci_chan *hchan)
4583{
4584 struct l2cap_conf_rsp rsp;
1500109b 4585
336178a3 4586 chan->hs_hchan = hchan;
1500109b
MM		 4587 chan->hs_hcon->l2cap_data = chan->conn;
4588
35ba9561 4589 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4590
4591 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4592 int err;
1500109b
MM		 4593
4594 set_default_fcs(chan);
4595
4596 err = l2cap_ertm_init(chan);
4597 if (err < 0)
5e4e3972 4598 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4599 else
4600 l2cap_chan_ready(chan);
4601 }
4602}
4603
4604static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4605 struct hci_chan *hchan)
4606{
4607 chan->hs_hcon = hchan->conn;
4608 chan->hs_hcon->l2cap_data = chan->conn;
4609
4610 BT_DBG("move_state %d", chan->move_state);
4611
4612 switch (chan->move_state) {
4613 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4614 /* Move confirm will be sent after a success
4615 * response is received
4616 */
4617 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4618 break;
4619 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4620 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4621 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4622 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4623 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4624 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4625 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4626 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4627 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4628 }
4629 break;
4630 default:
4631 /* Move was not in expected state, free the channel */
4632 __release_logical_link(chan);
4633
4634 chan->move_state = L2CAP_MOVE_STABLE;
4635 }
4636}
4637
4638/* Call with chan locked */
27695fb4
AE		 4639void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4640 u8 status)
5b155ef9 4641{
1500109b
MM		 4642 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4643
4644 if (status) {
4645 l2cap_logical_fail(chan);
4646 __release_logical_link(chan);
4647 return;
4648 }
4649
4650 if (chan->state != BT_CONNECTED) {
4651 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4652 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4653 l2cap_logical_finish_create(chan, hchan);
4654 } else {
4655 l2cap_logical_finish_move(chan, hchan);
4656 }
5b155ef9
MM		 4657}
4658
3f7a56c4
MM		 4659void l2cap_move_start(struct l2cap_chan *chan)
4660{
4661 BT_DBG("chan %p", chan);
4662
6ed971ca 4663 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4664 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4665 return;
4666 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4667 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4668 /* Placeholder - start physical link setup */
4669 } else {
4670 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4671 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4672 chan->move_id = 0;
4673 l2cap_move_setup(chan);
4674 l2cap_send_move_chan_req(chan, 0);
4675 }
4676}
4677
8eb200bd
MM		 4678static void l2cap_do_create(struct l2cap_chan *chan, int result,
4679 u8 local_amp_id, u8 remote_amp_id)
4680{
62748ca1
AE		 4681 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4682 local_amp_id, remote_amp_id);
4683
12d6cc60
AE		 4684 chan->fcs = L2CAP_FCS_NONE;
4685
62748ca1
AE		 4686 /* Outgoing channel on AMP */
4687 if (chan->state == BT_CONNECT) {
4688 if (result == L2CAP_CR_SUCCESS) {
4689 chan->local_amp_id = local_amp_id;
4690 l2cap_send_create_chan_req(chan, remote_amp_id);
4691 } else {
4692 /* Revert to BR/EDR connect */
4693 l2cap_send_conn_req(chan);
4694 }
4695
4696 return;
4697 }
4698
4699 /* Incoming channel on AMP */
4700 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4701 struct l2cap_conn_rsp rsp;
4702 char buf[128];
4703 rsp.scid = cpu_to_le16(chan->dcid);
4704 rsp.dcid = cpu_to_le16(chan->scid);
4705
8eb200bd
MM		 4706 if (result == L2CAP_CR_SUCCESS) {
4707 /* Send successful response */
62cd50e2
AE		 4708 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4709 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4710 } else {
4711 /* Send negative response */
62cd50e2
AE		 4712 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4713 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4714 }
4715
4716 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4717 sizeof(rsp), &rsp);
4718
4719 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4720 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4721 set_bit(CONF_REQ_SENT, &chan->conf_state);
4722 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4723 L2CAP_CONF_REQ,
4724 l2cap_build_conf_req(chan, buf), buf);
4725 chan->num_conf_req++;
4726 }
8eb200bd
MM		 4727 }
4728}
4729
4730static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4731 u8 remote_amp_id)
4732{
4733 l2cap_move_setup(chan);
4734 chan->move_id = local_amp_id;
4735 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4736
4737 l2cap_send_move_chan_req(chan, remote_amp_id);
4738}
4739
4740static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4741{
4742 struct hci_chan *hchan = NULL;
4743
4744 /* Placeholder - get hci_chan for logical link */
4745
4746 if (hchan) {
4747 if (hchan->state == BT_CONNECTED) {
4748 /* Logical link is ready to go */
4749 chan->hs_hcon = hchan->conn;
4750 chan->hs_hcon->l2cap_data = chan->conn;
4751 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4752 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4753
4754 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4755 } else {
4756 /* Wait for logical link to be ready */
4757 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4758 }
4759 } else {
4760 /* Logical link not available */
4761 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4762 }
4763}
4764
4765static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4766{
4767 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4768 u8 rsp_result;
4769 if (result == -EINVAL)
4770 rsp_result = L2CAP_MR_BAD_ID;
4771 else
4772 rsp_result = L2CAP_MR_NOT_ALLOWED;
4773
4774 l2cap_send_move_chan_rsp(chan, rsp_result);
4775 }
4776
4777 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4778 chan->move_state = L2CAP_MOVE_STABLE;
4779
4780 /* Restart data transmission */
4781 l2cap_ertm_send(chan);
4782}
4783
a514b17f
AE		 4784/* Invoke with locked chan */
4785void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4786{
770bfefa 4787 u8 local_amp_id = chan->local_amp_id;
fffadc08 4788 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4789
8eb200bd
MM		 4790 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4791 chan, result, local_amp_id, remote_amp_id);
4792
8eb200bd
MM		 4793 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4794 l2cap_chan_unlock(chan);
4795 return;
4796 }
4797
4798 if (chan->state != BT_CONNECTED) {
4799 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4800 } else if (result != L2CAP_MR_SUCCESS) {
4801 l2cap_do_move_cancel(chan, result);
4802 } else {
4803 switch (chan->move_role) {
4804 case L2CAP_MOVE_ROLE_INITIATOR:
4805 l2cap_do_move_initiate(chan, local_amp_id,
4806 remote_amp_id);
4807 break;
4808 case L2CAP_MOVE_ROLE_RESPONDER:
4809 l2cap_do_move_respond(chan, result);
4810 break;
4811 default:
4812 l2cap_do_move_cancel(chan, result);
4813 break;
4814 }
4815 }
8eb200bd
MM		 4816}
4817
8d5a04a1 4818static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4819 struct l2cap_cmd_hdr *cmd,
4820 u16 cmd_len, void *data)
8d5a04a1
MM		 4821{
4822 struct l2cap_move_chan_req *req = data;
1500109b 4823 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4824 struct l2cap_chan *chan;
8d5a04a1
MM		 4825 u16 icid = 0;
4826 u16 result = L2CAP_MR_NOT_ALLOWED;
4827
4828 if (cmd_len != sizeof(*req))
4829 return -EPROTO;
4830
4831 icid = le16_to_cpu(req->icid);
4832
ad0ac6ca 4833 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4834
848566b3 4835 if (!conn->hs_enabled)
8d5a04a1
MM		 4836 return -EINVAL;
4837
02b0fbb9
MM		 4838 chan = l2cap_get_chan_by_dcid(conn, icid);
4839 if (!chan) {
1500109b
MM		 4840 rsp.icid = cpu_to_le16(icid);
4841 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4842 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4843 sizeof(rsp), &rsp);
02b0fbb9
MM		 4844 return 0;
4845 }
4846
1500109b
MM		 4847 chan->ident = cmd->ident;
4848
02b0fbb9
MM		 4849 if (chan->scid < L2CAP_CID_DYN_START ||
4850 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4851 (chan->mode != L2CAP_MODE_ERTM &&
4852 chan->mode != L2CAP_MODE_STREAMING)) {
4853 result = L2CAP_MR_NOT_ALLOWED;
4854 goto send_move_response;
4855 }
4856
4857 if (chan->local_amp_id == req->dest_amp_id) {
4858 result = L2CAP_MR_SAME_ID;
4859 goto send_move_response;
4860 }
4861
6ed971ca 4862 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4863 struct hci_dev *hdev;
4864 hdev = hci_dev_get(req->dest_amp_id);
4865 if (!hdev || hdev->dev_type != HCI_AMP ||
4866 !test_bit(HCI_UP, &hdev->flags)) {
4867 if (hdev)
4868 hci_dev_put(hdev);
4869
4870 result = L2CAP_MR_BAD_ID;
4871 goto send_move_response;
4872 }
4873 hci_dev_put(hdev);
4874 }
4875
4876 /* Detect a move collision. Only send a collision response
4877 * if this side has "lost", otherwise proceed with the move.
4878 * The winner has the larger bd_addr.
4879 */
4880 if ((__chan_is_moving(chan) ||
4881 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4882 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4883 result = L2CAP_MR_COLLISION;
4884 goto send_move_response;
4885 }
4886
02b0fbb9
MM		 4887 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4888 l2cap_move_setup(chan);
4889 chan->move_id = req->dest_amp_id;
4890 icid = chan->dcid;
4891
6ed971ca 4892 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4893 /* Moving to BR/EDR */
4894 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4895 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4896 result = L2CAP_MR_PEND;
4897 } else {
4898 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4899 result = L2CAP_MR_SUCCESS;
4900 }
4901 } else {
4902 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4903 /* Placeholder - uncomment when amp functions are available */
4904 /*amp_accept_physical(chan, req->dest_amp_id);*/
4905 result = L2CAP_MR_PEND;
4906 }
4907
4908send_move_response:
1500109b 4909 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4910
02b0fbb9
MM		 4911 l2cap_chan_unlock(chan);
4912
8d5a04a1
MM		 4913 return 0;
4914}
4915
5b155ef9
MM		 4916static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4917{
4918 struct l2cap_chan *chan;
4919 struct hci_chan *hchan = NULL;
4920
4921 chan = l2cap_get_chan_by_scid(conn, icid);
4922 if (!chan) {
4923 l2cap_send_move_chan_cfm_icid(conn, icid);
4924 return;
4925 }
4926
4927 __clear_chan_timer(chan);
4928 if (result == L2CAP_MR_PEND)
4929 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4930
4931 switch (chan->move_state) {
4932 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4933 /* Move confirm will be sent when logical link
4934 * is complete.
4935 */
4936 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4937 break;
4938 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4939 if (result == L2CAP_MR_PEND) {
4940 break;
4941 } else if (test_bit(CONN_LOCAL_BUSY,
4942 &chan->conn_state)) {
4943 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4944 } else {
4945 /* Logical link is up or moving to BR/EDR,
4946 * proceed with move
4947 */
4948 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4949 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4950 }
4951 break;
4952 case L2CAP_MOVE_WAIT_RSP:
4953 /* Moving to AMP */
4954 if (result == L2CAP_MR_SUCCESS) {
4955 /* Remote is ready, send confirm immediately
4956 * after logical link is ready
4957 */
4958 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4959 } else {
4960 /* Both logical link and move success
4961 * are required to confirm
4962 */
4963 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4964 }
4965
4966 /* Placeholder - get hci_chan for logical link */
4967 if (!hchan) {
4968 /* Logical link not available */
4969 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4970 break;
4971 }
4972
4973 /* If the logical link is not yet connected, do not
4974 * send confirmation.
4975 */
4976 if (hchan->state != BT_CONNECTED)
4977 break;
4978
4979 /* Logical link is already ready to go */
4980
4981 chan->hs_hcon = hchan->conn;
4982 chan->hs_hcon->l2cap_data = chan->conn;
4983
4984 if (result == L2CAP_MR_SUCCESS) {
4985 /* Can confirm now */
4986 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4987 } else {
4988 /* Now only need move success
4989 * to confirm
4990 */
4991 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4992 }
4993
4994 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4995 break;
4996 default:
4997 /* Any other amp move state means the move failed. */
4998 chan->move_id = chan->local_amp_id;
4999 l2cap_move_done(chan);
5000 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5001 }
5002
5003 l2cap_chan_unlock(chan);
5004}
5005
5006static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5007 u16 result)
5008{
5009 struct l2cap_chan *chan;
5010
5011 chan = l2cap_get_chan_by_ident(conn, ident);
5012 if (!chan) {
5013 /* Could not locate channel, icid is best guess */
5014 l2cap_send_move_chan_cfm_icid(conn, icid);
5015 return;
5016 }
5017
5018 __clear_chan_timer(chan);
5019
5020 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5021 if (result == L2CAP_MR_COLLISION) {
5022 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5023 } else {
5024 /* Cleanup - cancel move */
5025 chan->move_id = chan->local_amp_id;
5026 l2cap_move_done(chan);
5027 }
5028 }
5029
5030 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5031
5032 l2cap_chan_unlock(chan);
5033}
5034
5035static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5036 struct l2cap_cmd_hdr *cmd,
5037 u16 cmd_len, void *data)
8d5a04a1
MM		 5038{
5039 struct l2cap_move_chan_rsp *rsp = data;
5040 u16 icid, result;
5041
5042 if (cmd_len != sizeof(*rsp))
5043 return -EPROTO;
5044
5045 icid = le16_to_cpu(rsp->icid);
5046 result = le16_to_cpu(rsp->result);
5047
ad0ac6ca 5048 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5049
5b155ef9
MM		 5050 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5051 l2cap_move_continue(conn, icid, result);
5052 else
5053 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5054
5055 return 0;
5056}
5057
5f3847a4
MM		 5058static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5059 struct l2cap_cmd_hdr *cmd,
5060 u16 cmd_len, void *data)
8d5a04a1
MM		 5061{
5062 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5063 struct l2cap_chan *chan;
8d5a04a1
MM		 5064 u16 icid, result;
5065
5066 if (cmd_len != sizeof(*cfm))
5067 return -EPROTO;
5068
5069 icid = le16_to_cpu(cfm->icid);
5070 result = le16_to_cpu(cfm->result);
5071
ad0ac6ca 5072 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5073
5f3847a4
MM		 5074 chan = l2cap_get_chan_by_dcid(conn, icid);
5075 if (!chan) {
5076 /* Spec requires a response even if the icid was not found */
5077 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5078 return 0;
5079 }
5080
5081 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5082 if (result == L2CAP_MC_CONFIRMED) {
5083 chan->local_amp_id = chan->move_id;
6ed971ca 5084 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5085 __release_logical_link(chan);
5086 } else {
5087 chan->move_id = chan->local_amp_id;
5088 }
5089
5090 l2cap_move_done(chan);
5091 }
5092
8d5a04a1
MM		 5093 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5094
5f3847a4
MM		 5095 l2cap_chan_unlock(chan);
5096
8d5a04a1
MM		 5097 return 0;
5098}
5099
5100static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5101 struct l2cap_cmd_hdr *cmd,
5102 u16 cmd_len, void *data)
8d5a04a1
MM		 5103{
5104 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5105 struct l2cap_chan *chan;
8d5a04a1
MM		 5106 u16 icid;
5107
5108 if (cmd_len != sizeof(*rsp))
5109 return -EPROTO;
5110
5111 icid = le16_to_cpu(rsp->icid);
5112
ad0ac6ca 5113 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5114
3fd71a0a
MM		 5115 chan = l2cap_get_chan_by_scid(conn, icid);
5116 if (!chan)
5117 return 0;
5118
5119 __clear_chan_timer(chan);
5120
5121 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5122 chan->local_amp_id = chan->move_id;
5123
6ed971ca 5124 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5125 __release_logical_link(chan);
5126
5127 l2cap_move_done(chan);
5128 }
5129
5130 l2cap_chan_unlock(chan);
5131
8d5a04a1
MM		 5132 return 0;
5133}
5134
e2174ca4 5135static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5136 u16 to_multiplier)
de73115a
CT		 5137{
5138 u16 max_latency;
5139
5140 if (min > max || min < 6 || max > 3200)
5141 return -EINVAL;
5142
5143 if (to_multiplier < 10 || to_multiplier > 3200)
5144 return -EINVAL;
5145
5146 if (max >= to_multiplier * 8)
5147 return -EINVAL;
5148
5149 max_latency = (to_multiplier * 8 / max) - 1;
5150 if (latency > 499 || latency > max_latency)
5151 return -EINVAL;
5152
5153 return 0;
5154}
5155
5156static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5157 struct l2cap_cmd_hdr *cmd,
5158 u8 *data)
de73115a
CT		 5159{
5160 struct hci_conn *hcon = conn->hcon;
5161 struct l2cap_conn_param_update_req *req;
5162 struct l2cap_conn_param_update_rsp rsp;
5163 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5164 int err;
de73115a
CT		 5165
5166 if (!(hcon->link_mode & HCI_LM_MASTER))
5167 return -EINVAL;
5168
5169 cmd_len = __le16_to_cpu(cmd->len);
5170 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5171 return -EPROTO;
5172
5173 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5174 min = __le16_to_cpu(req->min);
5175 max = __le16_to_cpu(req->max);
de73115a
CT		 5176 latency = __le16_to_cpu(req->latency);
5177 to_multiplier = __le16_to_cpu(req->to_multiplier);
5178
5179 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5180 min, max, latency, to_multiplier);
de73115a
CT		 5181
5182 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5183
5184 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5185 if (err)
ac73498c 5186 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5187 else
ac73498c 5188 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5189
5190 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5191 sizeof(rsp), &rsp);
de73115a 5192
2ce603eb
CT		 5193 if (!err)
5194 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5195
de73115a
CT		 5196 return 0;
5197}
5198
3300d9a9 5199static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5200 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5201 u8 *data)
3300d9a9
CT		 5202{
5203 int err = 0;
5204
5205 switch (cmd->code) {
5206 case L2CAP_COMMAND_REJ:
cb3b3152 5207 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5208 break;
5209
5210 case L2CAP_CONN_REQ:
cb3b3152 5211 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5212 break;
5213
5214 case L2CAP_CONN_RSP:
f5a2598d 5215 case L2CAP_CREATE_CHAN_RSP:
9245e737 5216 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5217 break;
5218
5219 case L2CAP_CONF_REQ:
5220 err = l2cap_config_req(conn, cmd, cmd_len, data);
5221 break;
5222
5223 case L2CAP_CONF_RSP:
9245e737 5224 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5225 break;
5226
5227 case L2CAP_DISCONN_REQ:
cb3b3152 5228 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5229 break;
5230
5231 case L2CAP_DISCONN_RSP:
9245e737 5232 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5233 break;
5234
5235 case L2CAP_ECHO_REQ:
5236 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5237 break;
5238
5239 case L2CAP_ECHO_RSP:
5240 break;
5241
5242 case L2CAP_INFO_REQ:
cb3b3152 5243 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5244 break;
5245
5246 case L2CAP_INFO_RSP:
9245e737 5247 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5248 break;
5249
f94ff6ff
MM		 5250 case L2CAP_CREATE_CHAN_REQ:
5251 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5252 break;
5253
8d5a04a1
MM		 5254 case L2CAP_MOVE_CHAN_REQ:
5255 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5256 break;
5257
5258 case L2CAP_MOVE_CHAN_RSP:
9245e737 5259 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5260 break;
5261
5262 case L2CAP_MOVE_CHAN_CFM:
5263 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5264 break;
5265
5266 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5267 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5268 break;
5269
3300d9a9
CT		 5270 default:
5271 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5272 err = -EINVAL;
5273 break;
5274 }
5275
5276 return err;
5277}
5278
5279static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5280 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5281{
5282 switch (cmd->code) {
5283 case L2CAP_COMMAND_REJ:
5284 return 0;
5285
5286 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5287 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5288
5289 case L2CAP_CONN_PARAM_UPDATE_RSP:
5290 return 0;
5291
5292 default:
5293 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5294 return -EINVAL;
5295 }
5296}
5297
c5623556
JH		 5298static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5299 struct sk_buff *skb)
5300{
69c4e4e8 5301 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5302 struct l2cap_cmd_hdr *cmd;
5303 u16 len;
c5623556
JH		 5304 int err;
5305
69c4e4e8 5306 if (hcon->type != LE_LINK)
3b166295 5307 goto drop;
69c4e4e8 5308
4f3e219d
MH		 5309 if (skb->len < L2CAP_CMD_HDR_SIZE)
5310 goto drop;
c5623556 5311
4f3e219d
MH		 5312 cmd = (void *) skb->data;
5313 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5314
4f3e219d 5315 len = le16_to_cpu(cmd->len);
c5623556 5316
4f3e219d 5317 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5318
4f3e219d
MH		 5319 if (len != skb->len || !cmd->ident) {
5320 BT_DBG("corrupted command");
5321 goto drop;
5322 }
c5623556 5323
4f3e219d
MH		 5324 err = l2cap_le_sig_cmd(conn, cmd, skb->data);
5325 if (err) {
5326 struct l2cap_cmd_rej_unk rej;
c5623556 5327
4f3e219d 5328 BT_ERR("Wrong link type (%d)", err);
c5623556 5329
a521149a 5330 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5331 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5332 sizeof(rej), &rej);
c5623556
JH		 5333 }
5334
3b166295 5335drop:
c5623556
JH		 5336 kfree_skb(skb);
5337}
5338
3300d9a9 5339static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5340 struct sk_buff *skb)
1da177e4 5341{
69c4e4e8 5342 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5343 u8 *data = skb->data;
5344 int len = skb->len;
5345 struct l2cap_cmd_hdr cmd;
3300d9a9 5346 int err;
1da177e4
LT		 5347
5348 l2cap_raw_recv(conn, skb);
5349
69c4e4e8 5350 if (hcon->type != ACL_LINK)
3b166295 5351 goto drop;
69c4e4e8 5352
1da177e4 5353 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5354 u16 cmd_len;
1da177e4
LT		 5355 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5356 data += L2CAP_CMD_HDR_SIZE;
5357 len -= L2CAP_CMD_HDR_SIZE;
5358
88219a0f 5359 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5360
2d792818
GP		 5361 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5362 cmd.ident);
1da177e4 5363
88219a0f 5364 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5365 BT_DBG("corrupted command");
5366 break;
5367 }
5368
c5623556 5369 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5370 if (err) {
e2fd318e 5371 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5372
5373 BT_ERR("Wrong link type (%d)", err);
1da177e4 5374
a521149a 5375 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5376 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5377 sizeof(rej), &rej);
1da177e4
LT		 5378 }
5379
88219a0f
AV		 5380 data += cmd_len;
5381 len -= cmd_len;
1da177e4
LT		 5382 }
5383
3b166295 5384drop:
1da177e4
LT		 5385 kfree_skb(skb);
5386}
5387
47d1ec61 5388static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5389{
5390 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5391 int hdr_size;
5392
5393 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5394 hdr_size = L2CAP_EXT_HDR_SIZE;
5395 else
5396 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5397
47d1ec61 5398 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5399 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5400 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5401 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5402
5403 if (our_fcs != rcv_fcs)
7a560e5c 5404 return -EBADMSG;
fcc203c3
GP		 5405 }
5406 return 0;
5407}
5408
6ea00485 5409static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5410{
e31f7633 5411 struct l2cap_ctrl control;
d5392c8f 5412
e31f7633 5413 BT_DBG("chan %p", chan);
d5392c8f 5414
e31f7633
MM		 5415 memset(&control, 0, sizeof(control));
5416 control.sframe = 1;
5417 control.final = 1;
5418 control.reqseq = chan->buffer_seq;
5419 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5420
e2ab4353 5421 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5422 control.super = L2CAP_SUPER_RNR;
5423 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5424 }
5425
e31f7633
MM		 5426 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5427 chan->unacked_frames > 0)
5428 __set_retrans_timer(chan);
d5392c8f 5429
e31f7633 5430 /* Send pending iframes */
525cd185 5431 l2cap_ertm_send(chan);
d5392c8f 5432
e2ab4353 5433 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5434 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5435 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5436 * send it now.
5437 */
5438 control.super = L2CAP_SUPER_RR;
5439 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5440 }
5441}
5442
2d792818
GP		 5443static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5444 struct sk_buff **last_frag)
18778a63 5445{
84084a31
MM		 5446 /* skb->len reflects data in skb as well as all fragments
5447 * skb->data_len reflects only data in fragments
5448 */
5449 if (!skb_has_frag_list(skb))
5450 skb_shinfo(skb)->frag_list = new_frag;
5451
5452 new_frag->next = NULL;
5453
5454 (*last_frag)->next = new_frag;
5455 *last_frag = new_frag;
5456
5457 skb->len += new_frag->len;
5458 skb->data_len += new_frag->len;
5459 skb->truesize += new_frag->truesize;
5460}
5461
4b51dae9
MM		 5462static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5463 struct l2cap_ctrl *control)
84084a31
MM		 5464{
5465 int err = -EINVAL;
18778a63 5466
4b51dae9 5467 switch (control->sar) {
7e0ef6ee 5468 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5469 if (chan->sdu)
5470 break;
18778a63 5471
80b98027 5472 err = chan->ops->recv(chan, skb);
84084a31 5473 break;
18778a63 5474
7e0ef6ee 5475 case L2CAP_SAR_START:
84084a31
MM		 5476 if (chan->sdu)
5477 break;
18778a63 5478
6f61fd47 5479 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5480 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5481
84084a31
MM		 5482 if (chan->sdu_len > chan->imtu) {
5483 err = -EMSGSIZE;
5484 break;
5485 }
1890d36b 5486
84084a31
MM		 5487 if (skb->len >= chan->sdu_len)
5488 break;
18778a63 5489
84084a31
MM		 5490 chan->sdu = skb;
5491 chan->sdu_last_frag = skb;
18778a63 5492
84084a31
MM		 5493 skb = NULL;
5494 err = 0;
18778a63
GP		 5495 break;
5496
7e0ef6ee 5497 case L2CAP_SAR_CONTINUE:
6f61fd47 5498 if (!chan->sdu)
84084a31 5499 break;
18778a63 5500
84084a31
MM		 5501 append_skb_frag(chan->sdu, skb,
5502 &chan->sdu_last_frag);
5503 skb = NULL;
18778a63 5504
84084a31
MM		 5505 if (chan->sdu->len >= chan->sdu_len)
5506 break;
4178ba46 5507
84084a31 5508 err = 0;
18778a63
GP		 5509 break;
5510
7e0ef6ee 5511 case L2CAP_SAR_END:
6f61fd47 5512 if (!chan->sdu)
84084a31 5513 break;
18778a63 5514
84084a31
MM		 5515 append_skb_frag(chan->sdu, skb,
5516 &chan->sdu_last_frag);
5517 skb = NULL;
4178ba46 5518
84084a31
MM		 5519 if (chan->sdu->len != chan->sdu_len)
5520 break;
18778a63 5521
80b98027 5522 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5523
84084a31
MM		 5524 if (!err) {
5525 /* Reassembly complete */
5526 chan->sdu = NULL;
5527 chan->sdu_last_frag = NULL;
5528 chan->sdu_len = 0;
1890d36b 5529 }
18778a63
GP		 5530 break;
5531 }
5532
84084a31
MM		 5533 if (err) {
5534 kfree_skb(skb);
5535 kfree_skb(chan->sdu);
5536 chan->sdu = NULL;
5537 chan->sdu_last_frag = NULL;
5538 chan->sdu_len = 0;
5539 }
18778a63 5540
84084a31 5541 return err;
18778a63
GP		 5542}
5543
32b32735
MM		 5544static int l2cap_resegment(struct l2cap_chan *chan)
5545{
5546 /* Placeholder */
5547 return 0;
5548}
5549
61aa4f5b 5550void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5551{
61aa4f5b 5552 u8 event;
712132eb 5553
61aa4f5b
MM		 5554 if (chan->mode != L2CAP_MODE_ERTM)
5555 return;
712132eb 5556
61aa4f5b 5557 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5558 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5559}
5560
d2a7ac5d
MM		 5561static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5562{
63838725
MM		 5563 int err = 0;
5564 /* Pass sequential frames to l2cap_reassemble_sdu()
5565 * until a gap is encountered.
5566 */
5567
5568 BT_DBG("chan %p", chan);
5569
5570 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5571 struct sk_buff *skb;
5572 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5573 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5574
5575 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5576
5577 if (!skb)
5578 break;
5579
5580 skb_unlink(skb, &chan->srej_q);
5581 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5582 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5583 if (err)
5584 break;
5585 }
5586
5587 if (skb_queue_empty(&chan->srej_q)) {
5588 chan->rx_state = L2CAP_RX_STATE_RECV;
5589 l2cap_send_ack(chan);
5590 }
5591
5592 return err;
d2a7ac5d
MM		 5593}
5594
5595static void l2cap_handle_srej(struct l2cap_chan *chan,
5596 struct l2cap_ctrl *control)
5597{
f80842a8
MM		 5598 struct sk_buff *skb;
5599
5600 BT_DBG("chan %p, control %p", chan, control);
5601
5602 if (control->reqseq == chan->next_tx_seq) {
5603 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5604 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5605 return;
5606 }
5607
5608 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5609
5610 if (skb == NULL) {
5611 BT_DBG("Seq %d not available for retransmission",
5612 control->reqseq);
5613 return;
5614 }
5615
5616 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5617 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5618 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5619 return;
5620 }
5621
5622 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5623
5624 if (control->poll) {
5625 l2cap_pass_to_tx(chan, control);
5626
5627 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5628 l2cap_retransmit(chan, control);
5629 l2cap_ertm_send(chan);
5630
5631 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5632 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5633 chan->srej_save_reqseq = control->reqseq;
5634 }
5635 } else {
5636 l2cap_pass_to_tx_fbit(chan, control);
5637
5638 if (control->final) {
5639 if (chan->srej_save_reqseq != control->reqseq ||
5640 !test_and_clear_bit(CONN_SREJ_ACT,
5641 &chan->conn_state))
5642 l2cap_retransmit(chan, control);
5643 } else {
5644 l2cap_retransmit(chan, control);
5645 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5646 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5647 chan->srej_save_reqseq = control->reqseq;
5648 }
5649 }
5650 }
d2a7ac5d
MM		 5651}
5652
5653static void l2cap_handle_rej(struct l2cap_chan *chan,
5654 struct l2cap_ctrl *control)
5655{
fcd289df
MM		 5656 struct sk_buff *skb;
5657
5658 BT_DBG("chan %p, control %p", chan, control);
5659
5660 if (control->reqseq == chan->next_tx_seq) {
5661 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5662 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5663 return;
5664 }
5665
5666 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5667
5668 if (chan->max_tx && skb &&
5669 bt_cb(skb)->control.retries >= chan->max_tx) {
5670 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5671 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5672 return;
5673 }
5674
5675 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5676
5677 l2cap_pass_to_tx(chan, control);
5678
5679 if (control->final) {
5680 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5681 l2cap_retransmit_all(chan, control);
5682 } else {
5683 l2cap_retransmit_all(chan, control);
5684 l2cap_ertm_send(chan);
5685 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5686 set_bit(CONN_REJ_ACT, &chan->conn_state);
5687 }
d2a7ac5d
MM		 5688}
5689
4b51dae9
MM		 5690static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5691{
5692 BT_DBG("chan %p, txseq %d", chan, txseq);
5693
5694 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5695 chan->expected_tx_seq);
5696
5697 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5698 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5699 chan->tx_win) {
4b51dae9
MM		 5700 /* See notes below regarding "double poll" and
5701 * invalid packets.
5702 */
5703 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5704 BT_DBG("Invalid/Ignore - after SREJ");
5705 return L2CAP_TXSEQ_INVALID_IGNORE;
5706 } else {
5707 BT_DBG("Invalid - in window after SREJ sent");
5708 return L2CAP_TXSEQ_INVALID;
5709 }
5710 }
5711
5712 if (chan->srej_list.head == txseq) {
5713 BT_DBG("Expected SREJ");
5714 return L2CAP_TXSEQ_EXPECTED_SREJ;
5715 }
5716
5717 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5718 BT_DBG("Duplicate SREJ - txseq already stored");
5719 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5720 }
5721
5722 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5723 BT_DBG("Unexpected SREJ - not requested");
5724 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5725 }
5726 }
5727
5728 if (chan->expected_tx_seq == txseq) {
5729 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5730 chan->tx_win) {
5731 BT_DBG("Invalid - txseq outside tx window");
5732 return L2CAP_TXSEQ_INVALID;
5733 } else {
5734 BT_DBG("Expected");
5735 return L2CAP_TXSEQ_EXPECTED;
5736 }
5737 }
5738
5739 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5740 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5741 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5742 return L2CAP_TXSEQ_DUPLICATE;
5743 }
5744
5745 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5746 /* A source of invalid packets is a "double poll" condition,
5747 * where delays cause us to send multiple poll packets. If
5748 * the remote stack receives and processes both polls,
5749 * sequence numbers can wrap around in such a way that a
5750 * resent frame has a sequence number that looks like new data
5751 * with a sequence gap. This would trigger an erroneous SREJ
5752 * request.
5753 *
5754 * Fortunately, this is impossible with a tx window that's
5755 * less than half of the maximum sequence number, which allows
5756 * invalid frames to be safely ignored.
5757 *
5758 * With tx window sizes greater than half of the tx window
5759 * maximum, the frame is invalid and cannot be ignored. This
5760 * causes a disconnect.
5761 */
5762
5763 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5764 BT_DBG("Invalid/Ignore - txseq outside tx window");
5765 return L2CAP_TXSEQ_INVALID_IGNORE;
5766 } else {
5767 BT_DBG("Invalid - txseq outside tx window");
5768 return L2CAP_TXSEQ_INVALID;
5769 }
5770 } else {
5771 BT_DBG("Unexpected - txseq indicates missing frames");
5772 return L2CAP_TXSEQ_UNEXPECTED;
5773 }
5774}
5775
d2a7ac5d
MM		 5776static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5777 struct l2cap_ctrl *control,
5778 struct sk_buff *skb, u8 event)
5779{
5780 int err = 0;
941247f9 5781 bool skb_in_use = false;
d2a7ac5d
MM		 5782
5783 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5784 event);
5785
5786 switch (event) {
5787 case L2CAP_EV_RECV_IFRAME:
5788 switch (l2cap_classify_txseq(chan, control->txseq)) {
5789 case L2CAP_TXSEQ_EXPECTED:
5790 l2cap_pass_to_tx(chan, control);
5791
5792 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5793 BT_DBG("Busy, discarding expected seq %d",
5794 control->txseq);
5795 break;
5796 }
5797
5798 chan->expected_tx_seq = __next_seq(chan,
5799 control->txseq);
5800
5801 chan->buffer_seq = chan->expected_tx_seq;
941247f9 5802 skb_in_use = true;
d2a7ac5d
MM		 5803
5804 err = l2cap_reassemble_sdu(chan, skb, control);
5805 if (err)
5806 break;
5807
5808 if (control->final) {
5809 if (!test_and_clear_bit(CONN_REJ_ACT,
5810 &chan->conn_state)) {
5811 control->final = 0;
5812 l2cap_retransmit_all(chan, control);
5813 l2cap_ertm_send(chan);
5814 }
5815 }
5816
5817 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5818 l2cap_send_ack(chan);
5819 break;
5820 case L2CAP_TXSEQ_UNEXPECTED:
5821 l2cap_pass_to_tx(chan, control);
5822
5823 /* Can't issue SREJ frames in the local busy state.
5824 * Drop this frame, it will be seen as missing
5825 * when local busy is exited.
5826 */
5827 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5828 BT_DBG("Busy, discarding unexpected seq %d",
5829 control->txseq);
5830 break;
5831 }
5832
5833 /* There was a gap in the sequence, so an SREJ
5834 * must be sent for each missing frame. The
5835 * current frame is stored for later use.
5836 */
5837 skb_queue_tail(&chan->srej_q, skb);
941247f9 5838 skb_in_use = true;
d2a7ac5d
MM		 5839 BT_DBG("Queued %p (queue len %d)", skb,
5840 skb_queue_len(&chan->srej_q));
5841
5842 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5843 l2cap_seq_list_clear(&chan->srej_list);
5844 l2cap_send_srej(chan, control->txseq);
5845
5846 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5847 break;
5848 case L2CAP_TXSEQ_DUPLICATE:
5849 l2cap_pass_to_tx(chan, control);
5850 break;
5851 case L2CAP_TXSEQ_INVALID_IGNORE:
5852 break;
5853 case L2CAP_TXSEQ_INVALID:
5854 default:
5e4e3972 5855 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5856 break;
5857 }
5858 break;
5859 case L2CAP_EV_RECV_RR:
5860 l2cap_pass_to_tx(chan, control);
5861 if (control->final) {
5862 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5863
e6a3ee6e
MM		 5864 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5865 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5866 control->final = 0;
5867 l2cap_retransmit_all(chan, control);
5868 }
5869
5870 l2cap_ertm_send(chan);
5871 } else if (control->poll) {
5872 l2cap_send_i_or_rr_or_rnr(chan);
5873 } else {
5874 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5875 &chan->conn_state) &&
5876 chan->unacked_frames)
5877 __set_retrans_timer(chan);
5878
5879 l2cap_ertm_send(chan);
5880 }
5881 break;
5882 case L2CAP_EV_RECV_RNR:
5883 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5884 l2cap_pass_to_tx(chan, control);
5885 if (control && control->poll) {
5886 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5887 l2cap_send_rr_or_rnr(chan, 0);
5888 }
5889 __clear_retrans_timer(chan);
5890 l2cap_seq_list_clear(&chan->retrans_list);
5891 break;
5892 case L2CAP_EV_RECV_REJ:
5893 l2cap_handle_rej(chan, control);
5894 break;
5895 case L2CAP_EV_RECV_SREJ:
5896 l2cap_handle_srej(chan, control);
5897 break;
5898 default:
5899 break;
5900 }
5901
5902 if (skb && !skb_in_use) {
5903 BT_DBG("Freeing %p", skb);
5904 kfree_skb(skb);
5905 }
5906
5907 return err;
5908}
5909
5910static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5911 struct l2cap_ctrl *control,
5912 struct sk_buff *skb, u8 event)
5913{
5914 int err = 0;
5915 u16 txseq = control->txseq;
941247f9 5916 bool skb_in_use = false;
d2a7ac5d
MM		 5917
5918 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5919 event);
5920
5921 switch (event) {
5922 case L2CAP_EV_RECV_IFRAME:
5923 switch (l2cap_classify_txseq(chan, txseq)) {
5924 case L2CAP_TXSEQ_EXPECTED:
5925 /* Keep frame for reassembly later */
5926 l2cap_pass_to_tx(chan, control);
5927 skb_queue_tail(&chan->srej_q, skb);
941247f9 5928 skb_in_use = true;
d2a7ac5d
MM		 5929 BT_DBG("Queued %p (queue len %d)", skb,
5930 skb_queue_len(&chan->srej_q));
5931
5932 chan->expected_tx_seq = __next_seq(chan, txseq);
5933 break;
5934 case L2CAP_TXSEQ_EXPECTED_SREJ:
5935 l2cap_seq_list_pop(&chan->srej_list);
5936
5937 l2cap_pass_to_tx(chan, control);
5938 skb_queue_tail(&chan->srej_q, skb);
941247f9 5939 skb_in_use = true;
d2a7ac5d
MM		 5940 BT_DBG("Queued %p (queue len %d)", skb,
5941 skb_queue_len(&chan->srej_q));
5942
5943 err = l2cap_rx_queued_iframes(chan);
5944 if (err)
5945 break;
5946
5947 break;
5948 case L2CAP_TXSEQ_UNEXPECTED:
5949 /* Got a frame that can't be reassembled yet.
5950 * Save it for later, and send SREJs to cover
5951 * the missing frames.
5952 */
5953 skb_queue_tail(&chan->srej_q, skb);
941247f9 5954 skb_in_use = true;
d2a7ac5d
MM		 5955 BT_DBG("Queued %p (queue len %d)", skb,
5956 skb_queue_len(&chan->srej_q));
5957
5958 l2cap_pass_to_tx(chan, control);
5959 l2cap_send_srej(chan, control->txseq);
5960 break;
5961 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5962 /* This frame was requested with an SREJ, but
5963 * some expected retransmitted frames are
5964 * missing. Request retransmission of missing
5965 * SREJ'd frames.
5966 */
5967 skb_queue_tail(&chan->srej_q, skb);
941247f9 5968 skb_in_use = true;
d2a7ac5d
MM		 5969 BT_DBG("Queued %p (queue len %d)", skb,
5970 skb_queue_len(&chan->srej_q));
5971
5972 l2cap_pass_to_tx(chan, control);
5973 l2cap_send_srej_list(chan, control->txseq);
5974 break;
5975 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5976 /* We've already queued this frame. Drop this copy. */
5977 l2cap_pass_to_tx(chan, control);
5978 break;
5979 case L2CAP_TXSEQ_DUPLICATE:
5980 /* Expecting a later sequence number, so this frame
5981 * was already received. Ignore it completely.
5982 */
5983 break;
5984 case L2CAP_TXSEQ_INVALID_IGNORE:
5985 break;
5986 case L2CAP_TXSEQ_INVALID:
5987 default:
5e4e3972 5988 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5989 break;
5990 }
5991 break;
5992 case L2CAP_EV_RECV_RR:
5993 l2cap_pass_to_tx(chan, control);
5994 if (control->final) {
5995 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5996
5997 if (!test_and_clear_bit(CONN_REJ_ACT,
5998 &chan->conn_state)) {
5999 control->final = 0;
6000 l2cap_retransmit_all(chan, control);
6001 }
6002
6003 l2cap_ertm_send(chan);
6004 } else if (control->poll) {
6005 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6006 &chan->conn_state) &&
6007 chan->unacked_frames) {
6008 __set_retrans_timer(chan);
6009 }
6010
6011 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6012 l2cap_send_srej_tail(chan);
6013 } else {
6014 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6015 &chan->conn_state) &&
6016 chan->unacked_frames)
6017 __set_retrans_timer(chan);
6018
6019 l2cap_send_ack(chan);
6020 }
6021 break;
6022 case L2CAP_EV_RECV_RNR:
6023 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6024 l2cap_pass_to_tx(chan, control);
6025 if (control->poll) {
6026 l2cap_send_srej_tail(chan);
6027 } else {
6028 struct l2cap_ctrl rr_control;
6029 memset(&rr_control, 0, sizeof(rr_control));
6030 rr_control.sframe = 1;
6031 rr_control.super = L2CAP_SUPER_RR;
6032 rr_control.reqseq = chan->buffer_seq;
6033 l2cap_send_sframe(chan, &rr_control);
6034 }
6035
6036 break;
6037 case L2CAP_EV_RECV_REJ:
6038 l2cap_handle_rej(chan, control);
6039 break;
6040 case L2CAP_EV_RECV_SREJ:
6041 l2cap_handle_srej(chan, control);
6042 break;
6043 }
6044
6045 if (skb && !skb_in_use) {
6046 BT_DBG("Freeing %p", skb);
6047 kfree_skb(skb);
6048 }
6049
6050 return err;
6051}
6052
32b32735
MM		 6053static int l2cap_finish_move(struct l2cap_chan *chan)
6054{
6055 BT_DBG("chan %p", chan);
6056
6057 chan->rx_state = L2CAP_RX_STATE_RECV;
6058
6059 if (chan->hs_hcon)
6060 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6061 else
6062 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6063
6064 return l2cap_resegment(chan);
6065}
6066
6067static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6068 struct l2cap_ctrl *control,
6069 struct sk_buff *skb, u8 event)
6070{
6071 int err;
6072
6073 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6074 event);
6075
6076 if (!control->poll)
6077 return -EPROTO;
6078
6079 l2cap_process_reqseq(chan, control->reqseq);
6080
6081 if (!skb_queue_empty(&chan->tx_q))
6082 chan->tx_send_head = skb_peek(&chan->tx_q);
6083 else
6084 chan->tx_send_head = NULL;
6085
6086 /* Rewind next_tx_seq to the point expected
6087 * by the receiver.
6088 */
6089 chan->next_tx_seq = control->reqseq;
6090 chan->unacked_frames = 0;
6091
6092 err = l2cap_finish_move(chan);
6093 if (err)
6094 return err;
6095
6096 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6097 l2cap_send_i_or_rr_or_rnr(chan);
6098
6099 if (event == L2CAP_EV_RECV_IFRAME)
6100 return -EPROTO;
6101
6102 return l2cap_rx_state_recv(chan, control, NULL, event);
6103}
6104
6105static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6106 struct l2cap_ctrl *control,
6107 struct sk_buff *skb, u8 event)
6108{
6109 int err;
6110
6111 if (!control->final)
6112 return -EPROTO;
6113
6114 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6115
6116 chan->rx_state = L2CAP_RX_STATE_RECV;
6117 l2cap_process_reqseq(chan, control->reqseq);
6118
6119 if (!skb_queue_empty(&chan->tx_q))
6120 chan->tx_send_head = skb_peek(&chan->tx_q);
6121 else
6122 chan->tx_send_head = NULL;
6123
6124 /* Rewind next_tx_seq to the point expected
6125 * by the receiver.
6126 */
6127 chan->next_tx_seq = control->reqseq;
6128 chan->unacked_frames = 0;
6129
6130 if (chan->hs_hcon)
6131 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6132 else
6133 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6134
6135 err = l2cap_resegment(chan);
6136
6137 if (!err)
6138 err = l2cap_rx_state_recv(chan, control, skb, event);
6139
6140 return err;
6141}
6142
d2a7ac5d
MM		 6143static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6144{
6145 /* Make sure reqseq is for a packet that has been sent but not acked */
6146 u16 unacked;
6147
6148 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6149 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6150}
6151
cec8ab6e
MM		 6152static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6153 struct sk_buff *skb, u8 event)
218bb9df 6154{
d2a7ac5d
MM		 6155 int err = 0;
6156
6157 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6158 control, skb, event, chan->rx_state);
6159
6160 if (__valid_reqseq(chan, control->reqseq)) {
6161 switch (chan->rx_state) {
6162 case L2CAP_RX_STATE_RECV:
6163 err = l2cap_rx_state_recv(chan, control, skb, event);
6164 break;
6165 case L2CAP_RX_STATE_SREJ_SENT:
6166 err = l2cap_rx_state_srej_sent(chan, control, skb,
6167 event);
6168 break;
32b32735
MM		 6169 case L2CAP_RX_STATE_WAIT_P:
6170 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6171 break;
6172 case L2CAP_RX_STATE_WAIT_F:
6173 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6174 break;
d2a7ac5d
MM		 6175 default:
6176 /* shut it down */
6177 break;
6178 }
6179 } else {
6180 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6181 control->reqseq, chan->next_tx_seq,
6182 chan->expected_ack_seq);
5e4e3972 6183 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6184 }
6185
6186 return err;
cec8ab6e
MM		 6187}
6188
6189static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6190 struct sk_buff *skb)
6191{
4b51dae9
MM		 6192 int err = 0;
6193
6194 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6195 chan->rx_state);
6196
6197 if (l2cap_classify_txseq(chan, control->txseq) ==
6198 L2CAP_TXSEQ_EXPECTED) {
6199 l2cap_pass_to_tx(chan, control);
6200
6201 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6202 __next_seq(chan, chan->buffer_seq));
6203
6204 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6205
6206 l2cap_reassemble_sdu(chan, skb, control);
6207 } else {
6208 if (chan->sdu) {
6209 kfree_skb(chan->sdu);
6210 chan->sdu = NULL;
6211 }
6212 chan->sdu_last_frag = NULL;
6213 chan->sdu_len = 0;
6214
6215 if (skb) {
6216 BT_DBG("Freeing %p", skb);
6217 kfree_skb(skb);
6218 }
6219 }
6220
6221 chan->last_acked_seq = control->txseq;
6222 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6223
6224 return err;
cec8ab6e
MM		 6225}
6226
6227static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6228{
6229 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6230 u16 len;
6231 u8 event;
218bb9df 6232
b76bbd66
MM		 6233 __unpack_control(chan, skb);
6234
218bb9df
GP		 6235 len = skb->len;
6236
6237 /*
6238 * We can just drop the corrupted I-frame here.
6239 * Receiver will miss it and start proper recovery
cec8ab6e 6240 * procedures and ask for retransmission.
218bb9df 6241 */
47d1ec61 6242 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6243 goto drop;
6244
cec8ab6e 6245 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6246 len -= L2CAP_SDULEN_SIZE;
218bb9df 6247
47d1ec61 6248 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6249 len -= L2CAP_FCS_SIZE;
218bb9df 6250
47d1ec61 6251 if (len > chan->mps) {
5e4e3972 6252 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6253 goto drop;
6254 }
6255
cec8ab6e
MM		 6256 if (!control->sframe) {
6257 int err;
218bb9df 6258
cec8ab6e
MM		 6259 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6260 control->sar, control->reqseq, control->final,
6261 control->txseq);
218bb9df 6262
cec8ab6e
MM		 6263 /* Validate F-bit - F=0 always valid, F=1 only
6264 * valid in TX WAIT_F
6265 */
6266 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6267 goto drop;
cec8ab6e
MM		 6268
6269 if (chan->mode != L2CAP_MODE_STREAMING) {
6270 event = L2CAP_EV_RECV_IFRAME;
6271 err = l2cap_rx(chan, control, skb, event);
6272 } else {
6273 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6274 }
6275
cec8ab6e 6276 if (err)
5e4e3972 6277 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6278 } else {
cec8ab6e
MM		 6279 const u8 rx_func_to_event[4] = {
6280 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6281 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6282 };
6283
6284 /* Only I-frames are expected in streaming mode */
6285 if (chan->mode == L2CAP_MODE_STREAMING)
6286 goto drop;
6287
6288 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6289 control->reqseq, control->final, control->poll,
6290 control->super);
6291
218bb9df 6292 if (len != 0) {
1bb166e6 6293 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6294 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6295 goto drop;
6296 }
6297
cec8ab6e
MM		 6298 /* Validate F and P bits */
6299 if (control->final && (control->poll ||
6300 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6301 goto drop;
6302
6303 event = rx_func_to_event[control->super];
6304 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6305 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6306 }
6307
6308 return 0;
6309
6310drop:
6311 kfree_skb(skb);
6312 return 0;
6313}
6314
13ca56e0
AE		 6315static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6316 struct sk_buff *skb)
1da177e4 6317{
48454079 6318 struct l2cap_chan *chan;
1da177e4 6319
baa7e1fa 6320 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6321 if (!chan) {
97e8e89d
AE		 6322 if (cid == L2CAP_CID_A2MP) {
6323 chan = a2mp_channel_create(conn, skb);
6324 if (!chan) {
6325 kfree_skb(skb);
13ca56e0 6326 return;
97e8e89d
AE		 6327 }
6328
6329 l2cap_chan_lock(chan);
6330 } else {
6331 BT_DBG("unknown cid 0x%4.4x", cid);
6332 /* Drop packet and return */
6333 kfree_skb(skb);
13ca56e0 6334 return;
97e8e89d 6335 }
1da177e4
LT		 6336 }
6337
49208c9c 6338 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6339
89bc500e 6340 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6341 goto drop;
6342
0c1bc5c6 6343 switch (chan->mode) {
1c2acffb
GP		 6344 case L2CAP_MODE_BASIC:
6345 /* If socket recv buffers overflows we drop data here
6346 * which is *bad* because L2CAP has to be reliable.
6347 * But we don't have any other choice. L2CAP doesn't
6348 * provide flow control mechanism. */
1da177e4 6349
0c1bc5c6 6350 if (chan->imtu < skb->len)
1c2acffb 6351 goto drop;
1da177e4 6352
80b98027 6353 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6354 goto done;
6355 break;
6356
6357 case L2CAP_MODE_ERTM:
6840ed07 6358 case L2CAP_MODE_STREAMING:
cec8ab6e 6359 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6360 goto done;
6361
1c2acffb 6362 default:
0c1bc5c6 6363 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6364 break;
6365 }
1da177e4
LT		 6366
6367drop:
6368 kfree_skb(skb);
6369
6370done:
6be36555 6371 l2cap_chan_unlock(chan);
1da177e4
LT		 6372}
6373
84104b24
AE		 6374static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6375 struct sk_buff *skb)
1da177e4 6376{
ae4fd2d3 6377 struct hci_conn *hcon = conn->hcon;
23691d75 6378 struct l2cap_chan *chan;
1da177e4 6379
ae4fd2d3
MH		 6380 if (hcon->type != ACL_LINK)
6381 goto drop;
6382
06ae3314 6383 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst);
23691d75 6384 if (!chan)
1da177e4
LT		 6385 goto drop;
6386
5b4cedaa 6387 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6388
89bc500e 6389 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6390 goto drop;
6391
e13e21dc 6392 if (chan->imtu < skb->len)
1da177e4
LT		 6393 goto drop;
6394
2edf870d 6395 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6396 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6397 bt_cb(skb)->psm = psm;
6398
80b98027 6399 if (!chan->ops->recv(chan, skb))
84104b24 6400 return;
1da177e4
LT		 6401
6402drop:
6403 kfree_skb(skb);
1da177e4
LT		 6404}
6405
72f78356 6406static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6407 struct sk_buff *skb)
9f69bda6 6408{
b99707d7 6409 struct hci_conn *hcon = conn->hcon;
23691d75 6410 struct l2cap_chan *chan;
9f69bda6 6411
b99707d7
MH		 6412 if (hcon->type != LE_LINK)
6413 goto drop;
6414
af1c0134 6415 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6416 &hcon->src, &hcon->dst);
23691d75 6417 if (!chan)
9f69bda6
GP		 6418 goto drop;
6419
5b4cedaa 6420 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6421
cc8dba2b
MH		 6422 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6423 goto drop;
6424
e13e21dc 6425 if (chan->imtu < skb->len)
9f69bda6
GP		 6426 goto drop;
6427
80b98027 6428 if (!chan->ops->recv(chan, skb))
6810fca7 6429 return;
9f69bda6
GP		 6430
6431drop:
6432 kfree_skb(skb);
9f69bda6
GP		 6433}
6434
1da177e4
LT		 6435static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6436{
6437 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6438 u16 cid, len;
6439 __le16 psm;
1da177e4
LT		 6440
6441 skb_pull(skb, L2CAP_HDR_SIZE);
6442 cid = __le16_to_cpu(lh->cid);
6443 len = __le16_to_cpu(lh->len);
6444
1c2acffb
GP		 6445 if (len != skb->len) {
6446 kfree_skb(skb);
6447 return;
6448 }
6449
1da177e4
LT		 6450 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6451
6452 switch (cid) {
8db4dc46 6453 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6454 l2cap_sig_channel(conn, skb);
6455 break;
6456
8db4dc46 6457 case L2CAP_CID_CONN_LESS:
097db76c 6458 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6459 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6460 l2cap_conless_channel(conn, psm, skb);
6461 break;
6462
073d1cf3 6463 case L2CAP_CID_ATT:
72f78356 6464 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6465 break;
6466
a2877629
MH		 6467 case L2CAP_CID_LE_SIGNALING:
6468 l2cap_le_sig_channel(conn, skb);
6469 break;
6470
b501d6a1
AB		 6471 case L2CAP_CID_SMP:
6472 if (smp_sig_channel(conn, skb))
6473 l2cap_conn_del(conn->hcon, EACCES);
6474 break;
6475
1da177e4
LT		 6476 default:
6477 l2cap_data_channel(conn, cid, skb);
6478 break;
6479 }
6480}
6481
6482/* ---- L2CAP interface with lower layer (HCI) ---- */
6483
686ebf28 6484int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6485{
6486 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6487 struct l2cap_chan *c;
1da177e4 6488
6ed93dc6 6489 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6490
6491 /* Find listening sockets and check their link_mode */
23691d75
GP		 6492 read_lock(&chan_list_lock);
6493 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 6494 if (c->state != BT_LISTEN)
1da177e4
LT		 6495 continue;
6496
7eafc59e 6497 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 6498 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6499 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6500 lm1 |= HCI_LM_MASTER;
1da177e4 6501 exact++;
7eafc59e 6502 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 6503 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6504 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6505 lm2 |= HCI_LM_MASTER;
6506 }
1da177e4 6507 }
23691d75 6508 read_unlock(&chan_list_lock);
1da177e4
LT		 6509
6510 return exact ? lm1 : lm2;
6511}
6512
9e664631 6513void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6514{
0139418c
MH		 6515 struct l2cap_conn *conn;
6516
6ed93dc6 6517 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6518
1da177e4 6519 if (!status) {
baf43251 6520 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6521 if (conn)
6522 l2cap_conn_ready(conn);
ba6fc317 6523 } else {
e175072f 6524 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6525 }
1da177e4
LT		 6526}
6527
686ebf28 6528int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6529{
6530 struct l2cap_conn *conn = hcon->l2cap_data;
6531
6532 BT_DBG("hcon %p", hcon);
6533
686ebf28 6534 if (!conn)
9f5a0d7b 6535 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6536 return conn->disc_reason;
6537}
6538
9e664631 6539void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6540{
6541 BT_DBG("hcon %p reason %d", hcon, reason);
6542
e175072f 6543 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6544}
6545
4343478f 6546static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6547{
715ec005 6548 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6549 return;
6550
f62e4323 6551 if (encrypt == 0x00) {
4343478f 6552 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6553 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6554 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6555 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6556 } else {
4343478f 6557 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6558 __clear_chan_timer(chan);
f62e4323
MH		 6559 }
6560}
6561
686ebf28 6562int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6563{
0139418c 6564 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6565 struct l2cap_chan *chan;
1da177e4 6566
0139418c 6567 if (!conn)
1da177e4 6568 return 0;
0139418c 6569
89d8b407 6570 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6571
160dc6ac 6572 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6573 if (!status && encrypt)
6574 smp_distribute_keys(conn, 0);
17cd3f37 6575 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6576 }
6577
3df91ea2 6578 mutex_lock(&conn->chan_lock);
1da177e4 6579
3df91ea2 6580 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6581 l2cap_chan_lock(chan);
1da177e4 6582
89d8b407
AE		 6583 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6584 state_to_string(chan->state));
f1cb9af5 6585
78eb2f98
AE		 6586 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6587 l2cap_chan_unlock(chan);
6588 continue;
6589 }
6590
073d1cf3 6591 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6592 if (!status && encrypt) {
6593 chan->sec_level = hcon->sec_level;
cf4cd009 6594 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6595 }
6596
6be36555 6597 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6598 continue;
6599 }
6600
96eff46e 6601 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6602 l2cap_chan_unlock(chan);
6a8d3010
MH		 6603 continue;
6604 }
6605
89bc500e 6606 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6607 chan->state == BT_CONFIG)) {
d97c899b 6608 chan->ops->resume(chan);
4343478f 6609 l2cap_check_encryption(chan, encrypt);
6be36555 6610 l2cap_chan_unlock(chan);
9719f8af
MH		 6611 continue;
6612 }
6613
89bc500e 6614 if (chan->state == BT_CONNECT) {
b1235d79 6615 if (!status) {
93c3e8f5 6616 l2cap_start_connection(chan);
b1235d79 6617 } else {
ba13ccd9 6618 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6619 }
89bc500e 6620 } else if (chan->state == BT_CONNECT2) {
b1235d79 6621 struct l2cap_conn_rsp rsp;
df3c3931 6622 __u16 res, stat;
1da177e4 6623
b1235d79 6624 if (!status) {
bdc25783 6625 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 6626 res = L2CAP_CR_PEND;
6627 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6628 chan->ops->defer(chan);
df3c3931 6629 } else {
acdcabf5 6630 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6631 res = L2CAP_CR_SUCCESS;
6632 stat = L2CAP_CS_NO_INFO;
6633 }
b1235d79 6634 } else {
acdcabf5 6635 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6636 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6637 res = L2CAP_CR_SEC_BLOCK;
6638 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6639 }
6640
fe4128e0
GP		 6641 rsp.scid = cpu_to_le16(chan->dcid);
6642 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6643 rsp.result = cpu_to_le16(res);
6644 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6645 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6646 sizeof(rsp), &rsp);
2d369359
MM		 6647
6648 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6649 res == L2CAP_CR_SUCCESS) {
6650 char buf[128];
6651 set_bit(CONF_REQ_SENT, &chan->conf_state);
6652 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6653 L2CAP_CONF_REQ,
6654 l2cap_build_conf_req(chan, buf),
6655 buf);
6656 chan->num_conf_req++;
6657 }
b1235d79 6658 }
1da177e4 6659
6be36555 6660 l2cap_chan_unlock(chan);
1da177e4
LT		 6661 }
6662
3df91ea2 6663 mutex_unlock(&conn->chan_lock);
b1235d79 6664
1da177e4
LT		 6665 return 0;
6666}
6667
686ebf28 6668int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6669{
6670 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6671 struct l2cap_hdr *hdr;
6672 int len;
1da177e4 6673
1d13a254
AE		 6674 /* For AMP controller do not create l2cap conn */
6675 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6676 goto drop;
1da177e4 6677
5a08ecce 6678 if (!conn)
baf43251 6679 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6680
6681 if (!conn)
1da177e4
LT		 6682 goto drop;
6683
6684 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6685
d73a0988
AE		 6686 switch (flags) {
6687 case ACL_START:
6688 case ACL_START_NO_FLUSH:
6689 case ACL_COMPLETE:
1da177e4
LT		 6690 if (conn->rx_len) {
6691 BT_ERR("Unexpected start frame (len %d)", skb->len);
6692 kfree_skb(conn->rx_skb);
6693 conn->rx_skb = NULL;
6694 conn->rx_len = 0;
6695 l2cap_conn_unreliable(conn, ECOMM);
6696 }
6697
aae7fe22
AE		 6698 /* Start fragment always begin with Basic L2CAP header */
6699 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6700 BT_ERR("Frame is too short (len %d)", skb->len);
6701 l2cap_conn_unreliable(conn, ECOMM);
6702 goto drop;
6703 }
6704
6705 hdr = (struct l2cap_hdr *) skb->data;
6706 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6707
6708 if (len == skb->len) {
6709 /* Complete frame received */
6710 l2cap_recv_frame(conn, skb);
6711 return 0;
6712 }
6713
6714 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6715
6716 if (skb->len > len) {
6717 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6718 skb->len, len);
1da177e4
LT		 6719 l2cap_conn_unreliable(conn, ECOMM);
6720 goto drop;
6721 }
6722
6723 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6724 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6725 if (!conn->rx_skb)
1da177e4
LT		 6726 goto drop;
6727
d626f62b 6728 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6729 skb->len);
1da177e4 6730 conn->rx_len = len - skb->len;
d73a0988
AE		 6731 break;
6732
6733 case ACL_CONT:
1da177e4
LT		 6734 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6735
6736 if (!conn->rx_len) {
6737 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6738 l2cap_conn_unreliable(conn, ECOMM);
6739 goto drop;
6740 }
6741
6742 if (skb->len > conn->rx_len) {
6743 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6744 skb->len, conn->rx_len);
1da177e4
LT		 6745 kfree_skb(conn->rx_skb);
6746 conn->rx_skb = NULL;
6747 conn->rx_len = 0;
6748 l2cap_conn_unreliable(conn, ECOMM);
6749 goto drop;
6750 }
6751
d626f62b 6752 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6753 skb->len);
1da177e4
LT		 6754 conn->rx_len -= skb->len;
6755
6756 if (!conn->rx_len) {
c4e5bafa
JH		 6757 /* Complete frame received. l2cap_recv_frame
6758 * takes ownership of the skb so set the global
6759 * rx_skb pointer to NULL first.
6760 */
6761 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 6762 conn->rx_skb = NULL;
c4e5bafa 6763 l2cap_recv_frame(conn, rx_skb);
1da177e4 6764 }
d73a0988 6765 break;
1da177e4
LT		 6766 }
6767
6768drop:
6769 kfree_skb(skb);
6770 return 0;
6771}
6772
aef7d97c 6773static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6774{
23691d75 6775 struct l2cap_chan *c;
1da177e4 6776
333055f2 6777 read_lock(&chan_list_lock);
1da177e4 6778
23691d75 6779 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 6780 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 6781 &c->src, &c->dst,
fcb73338
AE		 6782 c->state, __le16_to_cpu(c->psm),
6783 c->scid, c->dcid, c->imtu, c->omtu,
6784 c->sec_level, c->mode);
61e1b4b7 6785 }
1da177e4 6786
333055f2 6787 read_unlock(&chan_list_lock);
1da177e4 6788
aef7d97c 6789 return 0;
1da177e4
LT		 6790}
6791
aef7d97c
MH		 6792static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6793{
6794 return single_open(file, l2cap_debugfs_show, inode->i_private);
6795}
6796
6797static const struct file_operations l2cap_debugfs_fops = {
6798 .open = l2cap_debugfs_open,
6799 .read = seq_read,
6800 .llseek = seq_lseek,
6801 .release = single_release,
6802};
6803
6804static struct dentry *l2cap_debugfs;
1da177e4 6805
64274518 6806int __init l2cap_init(void)
1da177e4
LT		 6807{
6808 int err;
be9d1227 6809
bb58f747 6810 err = l2cap_init_sockets();
1da177e4
LT		 6811 if (err < 0)
6812 return err;
6813
1120e4bf
MH		 6814 if (IS_ERR_OR_NULL(bt_debugfs))
6815 return 0;
6816
6817 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6818 NULL, &l2cap_debugfs_fops);
1da177e4 6819
1da177e4 6820 return 0;
1da177e4
LT		 6821}
6822
64274518 6823void l2cap_exit(void)
1da177e4 6824{
aef7d97c 6825 debugfs_remove(l2cap_debugfs);
bb58f747 6826 l2cap_cleanup_sockets();
1da177e4
LT		 6827}
6828
d1c4a17d
GP		 6829module_param(disable_ertm, bool, 0644);
6830MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.435799 seconds and 5 git commands to generate.