projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Rename L2CAP_CHAN_CONN_FIX_A2MP to L2CAP_CHAN_FIXED
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
18722c24 43#include "6lowpan.h"
1da177e4 44
d1de6d46 45bool disable_ertm;
f0709e03 46
547d1032 47static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 48static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 49
b5ad8b7f
JB		 50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
1da177e4 52
f15b8ecf
JH		 53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
1da177e4 56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 57 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 59 void *data);
710f9b0a 60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 62
d660366d 63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 64 struct sk_buff_head *skbs, u8 event);
608bcc6d 65
4f1654e0
MH		 66static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
67{
68 if (hcon->type == LE_LINK) {
69 if (type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56 79
2d792818
GP		 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
81 u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
2d792818
GP		 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
93 u16 cid)
0139418c 94{
3df91ea2 95 struct l2cap_chan *c;
3d57dc68 96
3df91ea2
AE		 97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->scid == cid)
99 return c;
0139418c 100 }
3df91ea2 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
ef191ade 105 * Returns locked channel. */
2d792818
GP		 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 u16 cid)
0139418c 108{
48454079 109 struct l2cap_chan *c;
baa7e1fa 110
3df91ea2 111 mutex_lock(&conn->chan_lock);
baa7e1fa 112 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 113 if (c)
114 l2cap_chan_lock(c);
3df91ea2
AE		 115 mutex_unlock(&conn->chan_lock);
116
48454079 117 return c;
0139418c
MH		 118}
119
b1a130b7
MM		 120/* Find channel with given DCID.
121 * Returns locked channel.
122 */
123static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
124 u16 cid)
125{
126 struct l2cap_chan *c;
127
128 mutex_lock(&conn->chan_lock);
129 c = __l2cap_get_chan_by_dcid(conn, cid);
130 if (c)
131 l2cap_chan_lock(c);
132 mutex_unlock(&conn->chan_lock);
133
134 return c;
135}
136
2d792818
GP		 137static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
138 u8 ident)
0139418c 139{
3df91ea2 140 struct l2cap_chan *c;
3d57dc68 141
3df91ea2
AE		 142 list_for_each_entry(c, &conn->chan_l, list) {
143 if (c->ident == ident)
144 return c;
0139418c 145 }
3df91ea2 146 return NULL;
0139418c
MH		 147}
148
5b155ef9
MM		 149static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151{
152 struct l2cap_chan *c;
153
154 mutex_lock(&conn->chan_lock);
155 c = __l2cap_get_chan_by_ident(conn, ident);
156 if (c)
157 l2cap_chan_lock(c);
158 mutex_unlock(&conn->chan_lock);
159
160 return c;
161}
162
23691d75 163static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 164{
23691d75 165 struct l2cap_chan *c;
9e4425ff 166
23691d75 167 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 168 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 169 return c;
9e4425ff 170 }
250938cb 171 return NULL;
9e4425ff
GP		 172}
173
174int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
175{
73b2ec18
GP		 176 int err;
177
333055f2 178 write_lock(&chan_list_lock);
9e4425ff 179
23691d75 180 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 181 err = -EADDRINUSE;
182 goto done;
9e4425ff
GP		 183 }
184
73b2ec18
GP		 185 if (psm) {
186 chan->psm = psm;
187 chan->sport = psm;
188 err = 0;
189 } else {
190 u16 p;
191
192 err = -EINVAL;
193 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 194 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 195 chan->psm = cpu_to_le16(p);
196 chan->sport = cpu_to_le16(p);
197 err = 0;
198 break;
199 }
200 }
9e4425ff 201
73b2ec18 202done:
333055f2 203 write_unlock(&chan_list_lock);
73b2ec18 204 return err;
9e4425ff
GP		 205}
206
207int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
208{
333055f2 209 write_lock(&chan_list_lock);
9e4425ff
GP		 210
211 chan->scid = scid;
212
333055f2 213 write_unlock(&chan_list_lock);
9e4425ff
GP		 214
215 return 0;
216}
217
baa7e1fa 218static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 219{
e77af755 220 u16 cid, dyn_end;
0139418c 221
e77af755
JH		 222 if (conn->hcon->type == LE_LINK)
223 dyn_end = L2CAP_CID_LE_DYN_END;
224 else
225 dyn_end = L2CAP_CID_DYN_END;
226
227 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 228 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 229 return cid;
230 }
231
232 return 0;
233}
234
f93fa273 235static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 236{
42d2d87c 237 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 238 state_to_string(state));
badaaa00 239
89bc500e 240 chan->state = state;
53f52121 241 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 242}
243
f8e73017
GP		 244static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
2e0052e4 246{
f8e73017 247 chan->state = state;
53f52121 248 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 249}
250
251static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
252{
f8e73017 253 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 254}
255
4239d16f
MM		 256static void __set_retrans_timer(struct l2cap_chan *chan)
257{
258 if (!delayed_work_pending(&chan->monitor_timer) &&
259 chan->retrans_timeout) {
260 l2cap_set_timer(chan, &chan->retrans_timer,
261 msecs_to_jiffies(chan->retrans_timeout));
262 }
263}
264
265static void __set_monitor_timer(struct l2cap_chan *chan)
266{
267 __clear_retrans_timer(chan);
268 if (chan->monitor_timeout) {
269 l2cap_set_timer(chan, &chan->monitor_timer,
270 msecs_to_jiffies(chan->monitor_timeout));
271 }
272}
273
608bcc6d
MM		 274static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
275 u16 seq)
276{
277 struct sk_buff *skb;
278
279 skb_queue_walk(head, skb) {
280 if (bt_cb(skb)->control.txseq == seq)
281 return skb;
282 }
283
284 return NULL;
285}
286
3c588192
MM		 287/* ---- L2CAP sequence number lists ---- */
288
289/* For ERTM, ordered lists of sequence numbers must be tracked for
290 * SREJ requests that are received and for frames that are to be
291 * retransmitted. These seq_list functions implement a singly-linked
292 * list in an array, where membership in the list can also be checked
293 * in constant time. Items can also be added to the tail of the list
294 * and removed from the head in constant time, without further memory
295 * allocs or frees.
296 */
297
298static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
299{
300 size_t alloc_size, i;
301
302 /* Allocated size is a power of 2 to map sequence numbers
303 * (which may be up to 14 bits) in to a smaller array that is
304 * sized for the negotiated ERTM transmit windows.
305 */
306 alloc_size = roundup_pow_of_two(size);
307
308 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
309 if (!seq_list->list)
310 return -ENOMEM;
311
312 seq_list->mask = alloc_size - 1;
313 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
314 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
315 for (i = 0; i < alloc_size; i++)
316 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
317
318 return 0;
319}
320
321static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
322{
323 kfree(seq_list->list);
324}
325
326static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
327 u16 seq)
328{
329 /* Constant-time check for list membership */
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331}
332
03a0c5d6 333static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 334{
03a0c5d6 335 u16 seq = seq_list->head;
3c588192
MM		 336 u16 mask = seq_list->mask;
337
03a0c5d6
JH		 338 seq_list->head = seq_list->list[seq & mask];
339 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
340
341 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
342 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
343 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 344 }
3c588192 345
03a0c5d6 346 return seq;
3c588192
MM		 347}
348
349static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
350{
f522ae36 351 u16 i;
3c588192 352
f522ae36
GP		 353 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
354 return;
355
356 for (i = 0; i <= seq_list->mask; i++)
357 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
358
359 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
360 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 361}
362
363static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
364{
365 u16 mask = seq_list->mask;
366
367 /* All appends happen in constant time */
368
f522ae36
GP		 369 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
370 return;
3c588192 371
f522ae36
GP		 372 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
373 seq_list->head = seq;
374 else
375 seq_list->list[seq_list->tail & mask] = seq;
376
377 seq_list->tail = seq;
378 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 379}
380
721c4181 381static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 382{
721c4181 383 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 384 chan_timer.work);
3df91ea2 385 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 386 int reason;
387
e05dcc32 388 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 389
3df91ea2 390 mutex_lock(&conn->chan_lock);
6be36555 391 l2cap_chan_lock(chan);
ab07801d 392
89bc500e 393 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 394 reason = ECONNREFUSED;
89bc500e 395 else if (chan->state == BT_CONNECT &&
2d792818 396 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 397 reason = ECONNREFUSED;
398 else
399 reason = ETIMEDOUT;
400
0f852724 401 l2cap_chan_close(chan, reason);
ab07801d 402
6be36555 403 l2cap_chan_unlock(chan);
ab07801d 404
80b98027 405 chan->ops->close(chan);
3df91ea2
AE		 406 mutex_unlock(&conn->chan_lock);
407
371fd835 408 l2cap_chan_put(chan);
ab07801d
GP		 409}
410
eef1d9b6 411struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 412{
413 struct l2cap_chan *chan;
414
415 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
416 if (!chan)
417 return NULL;
418
c03b355e
AE		 419 mutex_init(&chan->lock);
420
333055f2 421 write_lock(&chan_list_lock);
23691d75 422 list_add(&chan->global_l, &chan_list);
333055f2 423 write_unlock(&chan_list_lock);
23691d75 424
721c4181 425 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 426
89bc500e
GP		 427 chan->state = BT_OPEN;
428
144ad330 429 kref_init(&chan->kref);
71ba0e56 430
2827011f
MM		 431 /* This flag is cleared in l2cap_chan_ready() */
432 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
433
eef1d9b6 434 BT_DBG("chan %p", chan);
abc545b8 435
48454079
GP		 436 return chan;
437}
438
144ad330 439static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 440{
144ad330
SS		 441 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
442
4af66c69
JK		 443 BT_DBG("chan %p", chan);
444
333055f2 445 write_lock(&chan_list_lock);
23691d75 446 list_del(&chan->global_l);
333055f2 447 write_unlock(&chan_list_lock);
23691d75 448
4af66c69 449 kfree(chan);
6ff5abbf
GP		 450}
451
30648372
JK		 452void l2cap_chan_hold(struct l2cap_chan *c)
453{
144ad330 454 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 455
144ad330 456 kref_get(&c->kref);
30648372
JK		 457}
458
459void l2cap_chan_put(struct l2cap_chan *c)
460{
144ad330 461 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 462
144ad330 463 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 464}
465
bd4b1653
AE		 466void l2cap_chan_set_defaults(struct l2cap_chan *chan)
467{
468 chan->fcs = L2CAP_FCS_CRC16;
469 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
470 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
471 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 472 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 473 chan->sec_level = BT_SECURITY_LOW;
474
475 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
476}
477
0ce43ce6 478static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 479{
0ce43ce6
JH		 480 chan->sdu = NULL;
481 chan->sdu_last_frag = NULL;
482 chan->sdu_len = 0;
0cd75f7e 483 chan->tx_credits = 0;
f15b8ecf 484 chan->rx_credits = le_max_credits;
f1324ea5 485 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS);
0ce43ce6
JH		 486
487 skb_queue_head_init(&chan->tx_q);
38319713
JH		 488}
489
93c3e8f5 490void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 491{
af05b30b 492 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 493 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 494
9f5a0d7b 495 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 496
8c1d787b 497 chan->conn = conn;
0139418c 498
5491120e
AE		 499 switch (chan->chan_type) {
500 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b 501 if (conn->hcon->type == LE_LINK) {
aeddd075
JH		 502 if (chan->dcid == L2CAP_CID_ATT) {
503 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c 504 chan->scid = L2CAP_CID_ATT;
aeddd075 505 } else {
9f22398c 506 chan->scid = l2cap_alloc_cid(conn);
aeddd075 507 }
b62f328b
VT		 508 } else {
509 /* Alloc CID for connection-oriented socket */
fe4128e0 510 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 511 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 512 }
5491120e
AE		 513 break;
514
515 case L2CAP_CHAN_CONN_LESS:
0139418c 516 /* Connectionless socket */
fe4128e0
GP		 517 chan->scid = L2CAP_CID_CONN_LESS;
518 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 519 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 520 break;
521
2338a7e0
JH		 522 case L2CAP_CHAN_FIXED:
523 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 524 break;
525
5491120e 526 default:
0139418c 527 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 528 chan->scid = L2CAP_CID_SIGNALING;
529 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 530 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 531 }
532
8f7975b1
AE		 533 chan->local_id = L2CAP_BESTEFFORT_ID;
534 chan->local_stype = L2CAP_SERV_BESTEFFORT;
535 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
536 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
537 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 538 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 539
371fd835 540 l2cap_chan_hold(chan);
baa7e1fa 541
5ee9891d
JH		 542 hci_conn_hold(conn->hcon);
543
3df91ea2 544 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 545}
546
466f8004 547void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 548{
549 mutex_lock(&conn->chan_lock);
550 __l2cap_chan_add(conn, chan);
3df91ea2 551 mutex_unlock(&conn->chan_lock);
0139418c
MH		 552}
553
466f8004 554void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 555{
8c1d787b 556 struct l2cap_conn *conn = chan->conn;
0139418c 557
c9b66675 558 __clear_chan_timer(chan);
0139418c 559
49208c9c 560 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 561
8e87d142 562 if (conn) {
56f60984 563 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 564 /* Delete from channel list */
3df91ea2 565 list_del(&chan->list);
3d57dc68 566
371fd835 567 l2cap_chan_put(chan);
baa7e1fa 568
8c1d787b 569 chan->conn = NULL;
3cabbfda 570
2338a7e0 571 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 572 hci_conn_drop(conn->hcon);
56f60984
AE		 573
574 if (mgr && mgr->bredr_chan == chan)
575 mgr->bredr_chan = NULL;
0139418c
MH		 576 }
577
419e08c1
AE		 578 if (chan->hs_hchan) {
579 struct hci_chan *hs_hchan = chan->hs_hchan;
580
581 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
582 amp_disconnect_logical_link(hs_hchan);
583 }
584
b699ec0d 585 chan->ops->teardown(chan, err);
6be36555 586
2827011f 587 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 588 return;
2ead70b8 589
ee556f66
GP		 590 switch(chan->mode) {
591 case L2CAP_MODE_BASIC:
592 break;
c13ffa62 593
38319713 594 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 595 skb_queue_purge(&chan->tx_q);
38319713
JH		 596 break;
597
ee556f66 598 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 599 __clear_retrans_timer(chan);
600 __clear_monitor_timer(chan);
601 __clear_ack_timer(chan);
c13ffa62 602
f1c6775b 603 skb_queue_purge(&chan->srej_q);
c13ffa62 604
3c588192
MM		 605 l2cap_seq_list_free(&chan->srej_list);
606 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 607
608 /* fall through */
609
610 case L2CAP_MODE_STREAMING:
611 skb_queue_purge(&chan->tx_q);
612 break;
c13ffa62 613 }
ee556f66
GP		 614
615 return;
0139418c
MH		 616}
617
27e2d4c8
JH		 618static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
619{
620 struct l2cap_conn *conn = chan->conn;
621 struct l2cap_le_conn_rsp rsp;
622 u16 result;
623
624 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
625 result = L2CAP_CR_AUTHORIZATION;
626 else
627 result = L2CAP_CR_BAD_PSM;
628
629 l2cap_state_change(chan, BT_DISCONN);
630
631 rsp.dcid = cpu_to_le16(chan->scid);
632 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 633 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 634 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 635 rsp.result = cpu_to_le16(result);
636
637 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
638 &rsp);
639}
640
791d60f7
JH		 641static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
642{
643 struct l2cap_conn *conn = chan->conn;
644 struct l2cap_conn_rsp rsp;
645 u16 result;
646
647 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
648 result = L2CAP_CR_SEC_BLOCK;
649 else
650 result = L2CAP_CR_BAD_PSM;
651
652 l2cap_state_change(chan, BT_DISCONN);
653
654 rsp.scid = cpu_to_le16(chan->dcid);
655 rsp.dcid = cpu_to_le16(chan->scid);
656 rsp.result = cpu_to_le16(result);
657 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
658
659 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
660}
661
0f852724 662void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 663{
664 struct l2cap_conn *conn = chan->conn;
4519de9a 665
7eafc59e 666 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 667
89bc500e 668 switch (chan->state) {
4519de9a 669 case BT_LISTEN:
b699ec0d 670 chan->ops->teardown(chan, 0);
4519de9a
GP		 671 break;
672
673 case BT_CONNECTED:
674 case BT_CONFIG:
cea04ce3
JH		 675 /* ATT uses L2CAP_CHAN_CONN_ORIENTED so we must also
676 * check for chan->psm.
677 */
678 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
8d836d71 679 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 680 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 681 } else
682 l2cap_chan_del(chan, reason);
683 break;
684
685 case BT_CONNECT2:
791d60f7
JH		 686 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
687 if (conn->hcon->type == ACL_LINK)
688 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 689 else if (conn->hcon->type == LE_LINK)
690 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 691 }
692
693 l2cap_chan_del(chan, reason);
694 break;
695
696 case BT_CONNECT:
697 case BT_DISCONN:
698 l2cap_chan_del(chan, reason);
699 break;
700
701 default:
b699ec0d 702 chan->ops->teardown(chan, 0);
4519de9a
GP		 703 break;
704 }
705}
706
4343478f 707static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 708{
6a974b50
MH		 709 switch (chan->chan_type) {
710 case L2CAP_CHAN_RAW:
4343478f 711 switch (chan->sec_level) {
8556edd3 712 case BT_SECURITY_HIGH:
7d513e92 713 case BT_SECURITY_FIPS:
8556edd3
JH		 714 return HCI_AT_DEDICATED_BONDING_MITM;
715 case BT_SECURITY_MEDIUM:
716 return HCI_AT_DEDICATED_BONDING;
717 default:
718 return HCI_AT_NO_BONDING;
719 }
6a974b50 720 break;
3124b843
MH		 721 case L2CAP_CHAN_CONN_LESS:
722 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
723 if (chan->sec_level == BT_SECURITY_LOW)
724 chan->sec_level = BT_SECURITY_SDP;
725 }
7d513e92
MH		 726 if (chan->sec_level == BT_SECURITY_HIGH ||
727 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 728 return HCI_AT_NO_BONDING_MITM;
729 else
730 return HCI_AT_NO_BONDING;
731 break;
6a974b50
MH		 732 case L2CAP_CHAN_CONN_ORIENTED:
733 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
734 if (chan->sec_level == BT_SECURITY_LOW)
735 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 736
7d513e92
MH		 737 if (chan->sec_level == BT_SECURITY_HIGH ||
738 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 739 return HCI_AT_NO_BONDING_MITM;
740 else
741 return HCI_AT_NO_BONDING;
742 }
743 /* fall through */
744 default:
4343478f 745 switch (chan->sec_level) {
00ae4af9 746 case BT_SECURITY_HIGH:
7d513e92 747 case BT_SECURITY_FIPS:
8556edd3 748 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 749 case BT_SECURITY_MEDIUM:
8556edd3 750 return HCI_AT_GENERAL_BONDING;
00ae4af9 751 default:
8556edd3 752 return HCI_AT_NO_BONDING;
00ae4af9 753 }
6a974b50 754 break;
0684e5f9 755 }
8556edd3
JH		 756}
757
758/* Service level security */
d45fc423 759int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 760{
8c1d787b 761 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 762 __u8 auth_type;
763
a17de2fe
JH		 764 if (conn->hcon->type == LE_LINK)
765 return smp_conn_security(conn->hcon, chan->sec_level);
766
4343478f 767 auth_type = l2cap_get_auth_type(chan);
79d554a6 768
4343478f 769 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 770}
771
b5ad8b7f 772static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 773{
774 u8 id;
775
776 /* Get next available identificator.
777 * 1 - 128 are used by kernel.
778 * 129 - 199 are reserved.
779 * 200 - 254 are used by utilities like l2ping, etc.
780 */
781
333055f2 782 spin_lock(&conn->lock);
4e8402a3
MH		 783
784 if (++conn->tx_ident > 128)
785 conn->tx_ident = 1;
786
787 id = conn->tx_ident;
788
333055f2 789 spin_unlock(&conn->lock);
4e8402a3
MH		 790
791 return id;
792}
793
2d792818
GP		 794static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
795 void *data)
4e8402a3
MH		 796{
797 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 798 u8 flags;
4e8402a3
MH		 799
800 BT_DBG("code 0x%2.2x", code);
801
802 if (!skb)
9a9c6a34 803 return;
4e8402a3 804
e702112f
AE		 805 if (lmp_no_flush_capable(conn->hcon->hdev))
806 flags = ACL_START_NO_FLUSH;
807 else
808 flags = ACL_START;
809
14b12d0b 810 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 811 skb->priority = HCI_PRIO_MAX;
14b12d0b 812
73d80deb
LAD		 813 hci_send_acl(conn->hchan, skb, flags);
814}
815
02b0fbb9
MM		 816static bool __chan_is_moving(struct l2cap_chan *chan)
817{
818 return chan->move_state != L2CAP_MOVE_STABLE &&
819 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
820}
821
73d80deb
LAD		 822static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
823{
824 struct hci_conn *hcon = chan->conn->hcon;
825 u16 flags;
826
827 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 828 skb->priority);
73d80deb 829
d5f8a75d
MM		 830 if (chan->hs_hcon && !__chan_is_moving(chan)) {
831 if (chan->hs_hchan)
832 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
833 else
834 kfree_skb(skb);
835
836 return;
837 }
838
73d80deb 839 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 840 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 841 flags = ACL_START_NO_FLUSH;
842 else
843 flags = ACL_START;
14b12d0b 844
73d80deb
LAD		 845 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
846 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 847}
848
b76bbd66
MM		 849static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
850{
851 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
852 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
853
854 if (enh & L2CAP_CTRL_FRAME_TYPE) {
855 /* S-Frame */
856 control->sframe = 1;
857 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
858 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
859
860 control->sar = 0;
861 control->txseq = 0;
862 } else {
863 /* I-Frame */
864 control->sframe = 0;
865 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
866 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
867
868 control->poll = 0;
869 control->super = 0;
870 }
871}
872
b76bbd66
MM		 873static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
874{
875 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
876 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
877
878 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
879 /* S-Frame */
880 control->sframe = 1;
881 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
882 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
883
884 control->sar = 0;
885 control->txseq = 0;
886 } else {
887 /* I-Frame */
888 control->sframe = 0;
889 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
890 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
891
892 control->poll = 0;
893 control->super = 0;
894 }
895}
896
897static inline void __unpack_control(struct l2cap_chan *chan,
898 struct sk_buff *skb)
899{
900 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
901 __unpack_extended_control(get_unaligned_le32(skb->data),
902 &bt_cb(skb)->control);
cec8ab6e 903 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 904 } else {
905 __unpack_enhanced_control(get_unaligned_le16(skb->data),
906 &bt_cb(skb)->control);
cec8ab6e 907 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 908 }
909}
910
b5c6aaed
MM		 911static u32 __pack_extended_control(struct l2cap_ctrl *control)
912{
913 u32 packed;
914
915 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
916 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
917
918 if (control->sframe) {
919 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
920 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
921 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
922 } else {
923 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
924 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
925 }
926
927 return packed;
928}
929
930static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
931{
932 u16 packed;
933
934 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
935 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
936
937 if (control->sframe) {
938 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
939 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
940 packed |= L2CAP_CTRL_FRAME_TYPE;
941 } else {
942 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
943 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
944 }
945
946 return packed;
947}
948
b76bbd66
MM		 949static inline void __pack_control(struct l2cap_chan *chan,
950 struct l2cap_ctrl *control,
951 struct sk_buff *skb)
952{
953 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
954 put_unaligned_le32(__pack_extended_control(control),
955 skb->data + L2CAP_HDR_SIZE);
956 } else {
957 put_unaligned_le16(__pack_enhanced_control(control),
958 skb->data + L2CAP_HDR_SIZE);
959 }
960}
961
ba7aa64f
GP		 962static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
963{
964 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
965 return L2CAP_EXT_HDR_SIZE;
966 else
967 return L2CAP_ENH_HDR_SIZE;
968}
969
a67d7f6f
MM		 970static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
971 u32 control)
b5c6aaed
MM		 972{
973 struct sk_buff *skb;
974 struct l2cap_hdr *lh;
ba7aa64f 975 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 976
977 if (chan->fcs == L2CAP_FCS_CRC16)
978 hlen += L2CAP_FCS_SIZE;
979
a67d7f6f 980 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 981
b5c6aaed 982 if (!skb)
a67d7f6f 983 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 984
985 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
986 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
987 lh->cid = cpu_to_le16(chan->dcid);
988
a67d7f6f
MM		 989 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
990 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
991 else
992 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 993
994 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 995 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 996 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
997 }
998
999 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1000 return skb;
1001}
1002
1003static void l2cap_send_sframe(struct l2cap_chan *chan,
1004 struct l2cap_ctrl *control)
1005{
1006 struct sk_buff *skb;
1007 u32 control_field;
1008
1009 BT_DBG("chan %p, control %p", chan, control);
1010
1011 if (!control->sframe)
1012 return;
1013
b99e13ad
MM		 1014 if (__chan_is_moving(chan))
1015 return;
1016
a67d7f6f
MM		 1017 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1018 !control->poll)
1019 control->final = 1;
1020
1021 if (control->super == L2CAP_SUPER_RR)
1022 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1023 else if (control->super == L2CAP_SUPER_RNR)
1024 set_bit(CONN_RNR_SENT, &chan->conn_state);
1025
1026 if (control->super != L2CAP_SUPER_SREJ) {
1027 chan->last_acked_seq = control->reqseq;
1028 __clear_ack_timer(chan);
1029 }
1030
1031 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1032 control->final, control->poll, control->super);
1033
1034 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1035 control_field = __pack_extended_control(control);
1036 else
1037 control_field = __pack_enhanced_control(control);
1038
1039 skb = l2cap_create_sframe_pdu(chan, control_field);
1040 if (!IS_ERR(skb))
1041 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1042}
1043
c9e3d5e0 1044static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1045{
c9e3d5e0
MM		 1046 struct l2cap_ctrl control;
1047
1048 BT_DBG("chan %p, poll %d", chan, poll);
1049
1050 memset(&control, 0, sizeof(control));
1051 control.sframe = 1;
1052 control.poll = poll;
1053
1054 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1055 control.super = L2CAP_SUPER_RNR;
1056 else
1057 control.super = L2CAP_SUPER_RR;
b5c6aaed 1058
c9e3d5e0
MM		 1059 control.reqseq = chan->buffer_seq;
1060 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1061}
1062
b4450035 1063static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1064{
c1360a1c 1065 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1066}
1067
1df7b17a 1068static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1069{
1df7b17a 1070 struct l2cap_conn *conn = chan->conn;
80d58d0b 1071 struct hci_dev *hdev;
1df7b17a
MH		 1072 bool amp_available = false;
1073
1074 if (!conn->hs_enabled)
1075 return false;
1076
1077 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1078 return false;
80d58d0b
MH		 1079
1080 read_lock(&hci_dev_list_lock);
1df7b17a 1081 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1082 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1083 test_bit(HCI_UP, &hdev->flags)) {
1084 amp_available = true;
1085 break;
1086 }
1087 }
80d58d0b
MH		 1088 read_unlock(&hci_dev_list_lock);
1089
1df7b17a
MH		 1090 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1091 return amp_available;
848566b3
MH		 1092
1093 return false;
93c3e8f5
AE		 1094}
1095
5ce66b59
AE		 1096static bool l2cap_check_efs(struct l2cap_chan *chan)
1097{
1098 /* Check EFS parameters */
1099 return true;
1100}
1101
2766be48 1102void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1103{
1104 struct l2cap_conn *conn = chan->conn;
1105 struct l2cap_conn_req req;
1106
1107 req.scid = cpu_to_le16(chan->scid);
1108 req.psm = chan->psm;
1109
1110 chan->ident = l2cap_get_ident(conn);
1111
1112 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1113
1114 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1115}
1116
8eb200bd
MM		 1117static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1118{
1119 struct l2cap_create_chan_req req;
1120 req.scid = cpu_to_le16(chan->scid);
1121 req.psm = chan->psm;
1122 req.amp_id = amp_id;
1123
1124 chan->ident = l2cap_get_ident(chan->conn);
1125
1126 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1127 sizeof(req), &req);
1128}
1129
02b0fbb9
MM		 1130static void l2cap_move_setup(struct l2cap_chan *chan)
1131{
1132 struct sk_buff *skb;
1133
1134 BT_DBG("chan %p", chan);
1135
1136 if (chan->mode != L2CAP_MODE_ERTM)
1137 return;
1138
1139 __clear_retrans_timer(chan);
1140 __clear_monitor_timer(chan);
1141 __clear_ack_timer(chan);
1142
1143 chan->retry_count = 0;
1144 skb_queue_walk(&chan->tx_q, skb) {
1145 if (bt_cb(skb)->control.retries)
1146 bt_cb(skb)->control.retries = 1;
1147 else
1148 break;
1149 }
1150
1151 chan->expected_tx_seq = chan->buffer_seq;
1152
1153 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1154 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1155 l2cap_seq_list_clear(&chan->retrans_list);
1156 l2cap_seq_list_clear(&chan->srej_list);
1157 skb_queue_purge(&chan->srej_q);
1158
1159 chan->tx_state = L2CAP_TX_STATE_XMIT;
1160 chan->rx_state = L2CAP_RX_STATE_MOVE;
1161
1162 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1163}
1164
5f3847a4
MM		 1165static void l2cap_move_done(struct l2cap_chan *chan)
1166{
1167 u8 move_role = chan->move_role;
1168 BT_DBG("chan %p", chan);
1169
1170 chan->move_state = L2CAP_MOVE_STABLE;
1171 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1172
1173 if (chan->mode != L2CAP_MODE_ERTM)
1174 return;
1175
1176 switch (move_role) {
1177 case L2CAP_MOVE_ROLE_INITIATOR:
1178 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1179 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1180 break;
1181 case L2CAP_MOVE_ROLE_RESPONDER:
1182 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1183 break;
1184 }
1185}
1186
9f0caeb1
VCG		 1187static void l2cap_chan_ready(struct l2cap_chan *chan)
1188{
2827011f 1189 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1190 chan->conf_state = 0;
1191 __clear_chan_timer(chan);
1192
0ce43ce6
JH		 1193 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1194 chan->ops->suspend(chan);
177f8f2b 1195
54a59aa2 1196 chan->state = BT_CONNECTED;
9f0caeb1 1197
fd83e2c2 1198 chan->ops->ready(chan);
9f0caeb1
VCG		 1199}
1200
f1496dee
JH		 1201static void l2cap_le_connect(struct l2cap_chan *chan)
1202{
1203 struct l2cap_conn *conn = chan->conn;
1204 struct l2cap_le_conn_req req;
1205
595177f3
JH		 1206 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1207 return;
1208
f1496dee
JH		 1209 req.psm = chan->psm;
1210 req.scid = cpu_to_le16(chan->scid);
1211 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1212 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1213 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1214
1215 chan->ident = l2cap_get_ident(conn);
1216
1217 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1218 sizeof(req), &req);
1219}
1220
1221static void l2cap_le_start(struct l2cap_chan *chan)
1222{
1223 struct l2cap_conn *conn = chan->conn;
1224
1225 if (!smp_conn_security(conn->hcon, chan->sec_level))
1226 return;
1227
1228 if (!chan->psm) {
1229 l2cap_chan_ready(chan);
1230 return;
1231 }
1232
1233 if (chan->state == BT_CONNECT)
1234 l2cap_le_connect(chan);
1235}
1236
93c3e8f5
AE		 1237static void l2cap_start_connection(struct l2cap_chan *chan)
1238{
1239 if (__amp_capable(chan)) {
1240 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1241 a2mp_discover_amp(chan);
f1496dee
JH		 1242 } else if (chan->conn->hcon->type == LE_LINK) {
1243 l2cap_le_start(chan);
93c3e8f5
AE		 1244 } else {
1245 l2cap_send_conn_req(chan);
1246 }
1247}
1248
fc7f8a7e 1249static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1250{
8c1d787b 1251 struct l2cap_conn *conn = chan->conn;
79d554a6 1252
9f0caeb1 1253 if (conn->hcon->type == LE_LINK) {
96ac34fb 1254 l2cap_le_start(chan);
9f0caeb1
VCG		 1255 return;
1256 }
1257
79d554a6 1258 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1259 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1260 return;
1261
d45fc423 1262 if (l2cap_chan_check_security(chan) &&
2d792818 1263 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1264 l2cap_start_connection(chan);
1265 }
79d554a6
MH		 1266 } else {
1267 struct l2cap_info_req req;
ac73498c 1268 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1269
1270 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1271 conn->info_ident = l2cap_get_ident(conn);
1272
ba13ccd9 1273 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1274
2d792818
GP		 1275 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1276 sizeof(req), &req);
79d554a6
MH		 1277 }
1278}
1279
cf6c2c0b
GP		 1280static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1281{
1282 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1283 if (!disable_ertm)
cf6c2c0b
GP		 1284 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1285
1286 switch (mode) {
1287 case L2CAP_MODE_ERTM:
1288 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1289 case L2CAP_MODE_STREAMING:
1290 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1291 default:
1292 return 0x00;
1293 }
1294}
1295
5e4e3972 1296static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1297{
5e4e3972 1298 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1299 struct l2cap_disconn_req req;
1300
c13ffa62
GP		 1301 if (!conn)
1302 return;
1303
aad3d0e3 1304 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1305 __clear_retrans_timer(chan);
1306 __clear_monitor_timer(chan);
1307 __clear_ack_timer(chan);
c13ffa62
GP		 1308 }
1309
2338a7e0 1310 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1311 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1312 return;
1313 }
1314
fe4128e0
GP		 1315 req.dcid = cpu_to_le16(chan->dcid);
1316 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1317 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1318 sizeof(req), &req);
c13ffa62 1319
f8e73017 1320 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1321}
1322
1da177e4 1323/* ---- L2CAP connections ---- */
4e8402a3
MH		 1324static void l2cap_conn_start(struct l2cap_conn *conn)
1325{
3df91ea2 1326 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1327
1328 BT_DBG("conn %p", conn);
1329
3df91ea2 1330 mutex_lock(&conn->chan_lock);
4e8402a3 1331
3df91ea2 1332 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1333 l2cap_chan_lock(chan);
4e8402a3 1334
715ec005 1335 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1336 l2cap_chan_unlock(chan);
79d554a6
MH		 1337 continue;
1338 }
1339
89bc500e 1340 if (chan->state == BT_CONNECT) {
d45fc423 1341 if (!l2cap_chan_check_security(chan) ||
2d792818 1342 !__l2cap_no_conn_pending(chan)) {
6be36555 1343 l2cap_chan_unlock(chan);
47731de7
GP		 1344 continue;
1345 }
79d554a6 1346
c1360a1c 1347 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1348 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1349 &chan->conf_state)) {
89bc500e 1350 l2cap_chan_close(chan, ECONNRESET);
6be36555 1351 l2cap_chan_unlock(chan);
47731de7 1352 continue;
b1235d79 1353 }
47731de7 1354
93c3e8f5 1355 l2cap_start_connection(chan);
47731de7 1356
89bc500e 1357 } else if (chan->state == BT_CONNECT2) {
79d554a6 1358 struct l2cap_conn_rsp rsp;
e9aeb2dd 1359 char buf[128];
fe4128e0
GP		 1360 rsp.scid = cpu_to_le16(chan->dcid);
1361 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1362
d45fc423 1363 if (l2cap_chan_check_security(chan)) {
bdc25783 1364 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1365 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1366 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1367 chan->ops->defer(chan);
f66dc81f
MH		 1368
1369 } else {
acdcabf5 1370 l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1371 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1372 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1373 }
79d554a6 1374 } else {
ac73498c
AE		 1375 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1376 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1377 }
1378
fc7f8a7e 1379 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1380 sizeof(rsp), &rsp);
e9aeb2dd 1381
c1360a1c 1382 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1383 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1384 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1385 continue;
1386 }
1387
c1360a1c 1388 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1389 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1390 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1391 chan->num_conf_req++;
4e8402a3
MH		 1392 }
1393
6be36555 1394 l2cap_chan_unlock(chan);
4e8402a3
MH		 1395 }
1396
3df91ea2 1397 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1398}
1399
c2287681 1400/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1401 * Returns closest match, locked.
1402 */
d9b88702 1403static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1404 bdaddr_t *src,
1405 bdaddr_t *dst)
b62f328b 1406{
23691d75 1407 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1408
23691d75 1409 read_lock(&chan_list_lock);
b62f328b 1410
23691d75 1411 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1412 if (state && c->state != state)
b62f328b
VT		 1413 continue;
1414
23691d75 1415 if (c->scid == cid) {
c2287681
IY		 1416 int src_match, dst_match;
1417 int src_any, dst_any;
1418
b62f328b 1419 /* Exact match. */
7eafc59e
MH		 1420 src_match = !bacmp(&c->src, src);
1421 dst_match = !bacmp(&c->dst, dst);
c2287681 1422 if (src_match && dst_match) {
23691d75
GP		 1423 read_unlock(&chan_list_lock);
1424 return c;
1425 }
b62f328b
VT		 1426
1427 /* Closest match */
7eafc59e
MH		 1428 src_any = !bacmp(&c->src, BDADDR_ANY);
1429 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1430 if ((src_match && dst_any) || (src_any && dst_match) ||
1431 (src_any && dst_any))
23691d75 1432 c1 = c;
b62f328b
VT		 1433 }
1434 }
280f294f 1435
23691d75 1436 read_unlock(&chan_list_lock);
b62f328b 1437
23691d75 1438 return c1;
b62f328b
VT		 1439}
1440
1441static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1442{
cc8dba2b 1443 struct hci_conn *hcon = conn->hcon;
23691d75 1444 struct l2cap_chan *chan, *pchan;
cc8dba2b 1445 u8 dst_type;
b62f328b
VT		 1446
1447 BT_DBG("");
1448
18722c24
JR		 1449 bt_6lowpan_add_conn(conn);
1450
b62f328b 1451 /* Check if we have socket listening on cid */
073d1cf3 1452 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1453 &hcon->src, &hcon->dst);
23691d75 1454 if (!pchan)
b62f328b
VT		 1455 return;
1456
44f3b0fb
JH		 1457 /* Client ATT sockets should override the server one */
1458 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1459 return;
1460
cc8dba2b
MH		 1461 dst_type = bdaddr_type(hcon, hcon->dst_type);
1462
1463 /* If device is blocked, do not create a channel for it */
1464 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1465 return;
1466
8ffb9290 1467 l2cap_chan_lock(pchan);
62f3a2cf 1468
80b98027 1469 chan = pchan->ops->new_connection(pchan);
80808e43 1470 if (!chan)
b62f328b
VT		 1471 goto clean;
1472
9f22398c
JH		 1473 chan->dcid = L2CAP_CID_ATT;
1474
cc8dba2b
MH		 1475 bacpy(&chan->src, &hcon->src);
1476 bacpy(&chan->dst, &hcon->dst);
1477 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1478 chan->dst_type = dst_type;
b62f328b 1479
44f3b0fb 1480 __l2cap_chan_add(conn, chan);
48454079 1481
b62f328b 1482clean:
8ffb9290 1483 l2cap_chan_unlock(pchan);
b62f328b
VT		 1484}
1485
4e8402a3
MH		 1486static void l2cap_conn_ready(struct l2cap_conn *conn)
1487{
48454079 1488 struct l2cap_chan *chan;
cc110922 1489 struct hci_conn *hcon = conn->hcon;
4e8402a3 1490
79d554a6 1491 BT_DBG("conn %p", conn);
4e8402a3 1492
d8729922
JH		 1493 /* For outgoing pairing which doesn't necessarily have an
1494 * associated socket (e.g. mgmt_pair_device).
1495 */
cc110922
VCG		 1496 if (hcon->out && hcon->type == LE_LINK)
1497 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1498
3df91ea2 1499 mutex_lock(&conn->chan_lock);
4e8402a3 1500
44f3b0fb
JH		 1501 if (hcon->type == LE_LINK)
1502 l2cap_le_conn_ready(conn);
1503
3df91ea2 1504 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1505
6be36555 1506 l2cap_chan_lock(chan);
4e8402a3 1507
2338a7e0 1508 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1509 l2cap_chan_unlock(chan);
1510 continue;
1511 }
1512
cc110922 1513 if (hcon->type == LE_LINK) {
f1496dee 1514 l2cap_le_start(chan);
63128451 1515 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1516 l2cap_chan_ready(chan);
b501d6a1 1517
1c244f79 1518 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1519 l2cap_do_start(chan);
1c244f79 1520 }
4e8402a3 1521
6be36555 1522 l2cap_chan_unlock(chan);
4e8402a3 1523 }
79d554a6 1524
3df91ea2 1525 mutex_unlock(&conn->chan_lock);
61a939c6
JH		 1526
1527 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1528}
1529
1530/* Notify sockets that we cannot guaranty reliability anymore */
1531static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1532{
48454079 1533 struct l2cap_chan *chan;
4e8402a3
MH		 1534
1535 BT_DBG("conn %p", conn);
1536
3df91ea2 1537 mutex_lock(&conn->chan_lock);
4e8402a3 1538
3df91ea2 1539 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1540 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1541 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1542 }
1543
3df91ea2 1544 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1545}
1546
f878fcad 1547static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1548{
f878fcad 1549 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1550 info_timer.work);
4e8402a3 1551
984947dc 1552 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1553 conn->info_ident = 0;
984947dc 1554
4e8402a3
MH		 1555 l2cap_conn_start(conn);
1556}
1557
2c8e1411
DH		 1558/*
1559 * l2cap_user
1560 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1561 * callback is called during registration. The ->remove callback is called
1562 * during unregistration.
1563 * An l2cap_user object can either be explicitly unregistered or when the
1564 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1565 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1566 * External modules must own a reference to the l2cap_conn object if they intend
1567 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1568 * any time if they don't.
1569 */
1570
1571int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1572{
1573 struct hci_dev *hdev = conn->hcon->hdev;
1574 int ret;
1575
1576 /* We need to check whether l2cap_conn is registered. If it is not, we
1577 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1578 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1579 * relies on the parent hci_conn object to be locked. This itself relies
1580 * on the hci_dev object to be locked. So we must lock the hci device
1581 * here, too. */
1582
1583 hci_dev_lock(hdev);
1584
1585 if (user->list.next || user->list.prev) {
1586 ret = -EINVAL;
1587 goto out_unlock;
1588 }
1589
1590 /* conn->hchan is NULL after l2cap_conn_del() was called */
1591 if (!conn->hchan) {
1592 ret = -ENODEV;
1593 goto out_unlock;
1594 }
1595
1596 ret = user->probe(conn, user);
1597 if (ret)
1598 goto out_unlock;
1599
1600 list_add(&user->list, &conn->users);
1601 ret = 0;
1602
1603out_unlock:
1604 hci_dev_unlock(hdev);
1605 return ret;
1606}
1607EXPORT_SYMBOL(l2cap_register_user);
1608
1609void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1610{
1611 struct hci_dev *hdev = conn->hcon->hdev;
1612
1613 hci_dev_lock(hdev);
1614
1615 if (!user->list.next || !user->list.prev)
1616 goto out_unlock;
1617
1618 list_del(&user->list);
1619 user->list.next = NULL;
1620 user->list.prev = NULL;
1621 user->remove(conn, user);
1622
1623out_unlock:
1624 hci_dev_unlock(hdev);
1625}
1626EXPORT_SYMBOL(l2cap_unregister_user);
1627
1628static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1629{
1630 struct l2cap_user *user;
1631
1632 while (!list_empty(&conn->users)) {
1633 user = list_first_entry(&conn->users, struct l2cap_user, list);
1634 list_del(&user->list);
1635 user->list.next = NULL;
1636 user->list.prev = NULL;
1637 user->remove(conn, user);
1638 }
1639}
1640
5d3de7df
VCG		 1641static void l2cap_conn_del(struct hci_conn *hcon, int err)
1642{
1643 struct l2cap_conn *conn = hcon->l2cap_data;
1644 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1645
1646 if (!conn)
1647 return;
1648
1649 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1650
1651 kfree_skb(conn->rx_skb);
1652
61a939c6
JH		 1653 skb_queue_purge(&conn->pending_rx);
1654 flush_work(&conn->pending_rx_work);
1655
2c8e1411
DH		 1656 l2cap_unregister_all_users(conn);
1657
3df91ea2
AE		 1658 mutex_lock(&conn->chan_lock);
1659
5d3de7df
VCG		 1660 /* Kill channels */
1661 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1662 l2cap_chan_hold(chan);
6be36555
AE		 1663 l2cap_chan_lock(chan);
1664
5d3de7df 1665 l2cap_chan_del(chan, err);
6be36555
AE		 1666
1667 l2cap_chan_unlock(chan);
1668
80b98027 1669 chan->ops->close(chan);
61d6ef3e 1670 l2cap_chan_put(chan);
5d3de7df
VCG		 1671 }
1672
3df91ea2
AE		 1673 mutex_unlock(&conn->chan_lock);
1674
73d80deb
LAD		 1675 hci_chan_del(conn->hchan);
1676
5d3de7df 1677 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1678 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1679
51a8efd7 1680 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1681 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1682 smp_chan_destroy(conn);
d26a2345 1683 }
5d3de7df
VCG		 1684
1685 hcon->l2cap_data = NULL;
9c903e37
DH		 1686 conn->hchan = NULL;
1687 l2cap_conn_put(conn);
5d3de7df
VCG		 1688}
1689
6c9d42a1 1690static void security_timeout(struct work_struct *work)
5d3de7df 1691{
6c9d42a1 1692 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1693 security_timer.work);
5d3de7df 1694
d06cc416
JH		 1695 BT_DBG("conn %p", conn);
1696
1697 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1698 smp_chan_destroy(conn);
1699 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1700 }
5d3de7df
VCG		 1701}
1702
9c903e37
DH		 1703static void l2cap_conn_free(struct kref *ref)
1704{
1705 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1706
1707 hci_conn_put(conn->hcon);
1708 kfree(conn);
1709}
1710
1711void l2cap_conn_get(struct l2cap_conn *conn)
1712{
1713 kref_get(&conn->ref);
1714}
1715EXPORT_SYMBOL(l2cap_conn_get);
1716
1717void l2cap_conn_put(struct l2cap_conn *conn)
1718{
1719 kref_put(&conn->ref, l2cap_conn_free);
1720}
1721EXPORT_SYMBOL(l2cap_conn_put);
1722
1da177e4 1723/* ---- Socket interface ---- */
1da177e4 1724
c2287681 1725/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1726 * Returns closest match.
1727 */
c2287681
IY		 1728static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1729 bdaddr_t *src,
bf20fd4e
JH		 1730 bdaddr_t *dst,
1731 u8 link_type)
1da177e4 1732{
23691d75 1733 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1734
23691d75 1735 read_lock(&chan_list_lock);
e0f0cb56 1736
23691d75 1737 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1738 if (state && c->state != state)
1da177e4
LT		 1739 continue;
1740
bf20fd4e
JH		 1741 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1742 continue;
1743
1744 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1745 continue;
1746
23691d75 1747 if (c->psm == psm) {
c2287681
IY		 1748 int src_match, dst_match;
1749 int src_any, dst_any;
1750
1da177e4 1751 /* Exact match. */
7eafc59e
MH		 1752 src_match = !bacmp(&c->src, src);
1753 dst_match = !bacmp(&c->dst, dst);
c2287681 1754 if (src_match && dst_match) {
a7567b20 1755 read_unlock(&chan_list_lock);
23691d75
GP		 1756 return c;
1757 }
1da177e4
LT		 1758
1759 /* Closest match */
7eafc59e
MH		 1760 src_any = !bacmp(&c->src, BDADDR_ANY);
1761 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1762 if ((src_match && dst_any) || (src_any && dst_match) ||
1763 (src_any && dst_any))
23691d75 1764 c1 = c;
1da177e4
LT		 1765 }
1766 }
1da177e4 1767
23691d75 1768 read_unlock(&chan_list_lock);
e0f0cb56 1769
23691d75 1770 return c1;
1da177e4
LT		 1771}
1772
721c4181 1773static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1774{
721c4181 1775 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1776 monitor_timer.work);
e90bac06 1777
525cd185 1778 BT_DBG("chan %p", chan);
0e98958d 1779
6be36555
AE		 1780 l2cap_chan_lock(chan);
1781
80909e04 1782 if (!chan->conn) {
6be36555 1783 l2cap_chan_unlock(chan);
8d7e1c7f 1784 l2cap_chan_put(chan);
e90bac06
GP		 1785 return;
1786 }
1787
401bb1f7 1788 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1789
6be36555 1790 l2cap_chan_unlock(chan);
8d7e1c7f 1791 l2cap_chan_put(chan);
e90bac06
GP		 1792}
1793
721c4181 1794static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1795{
721c4181 1796 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1797 retrans_timer.work);
e90bac06 1798
49208c9c 1799 BT_DBG("chan %p", chan);
0e98958d 1800
6be36555
AE		 1801 l2cap_chan_lock(chan);
1802
80909e04
MM		 1803 if (!chan->conn) {
1804 l2cap_chan_unlock(chan);
1805 l2cap_chan_put(chan);
1806 return;
1807 }
6be36555 1808
401bb1f7 1809 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1810 l2cap_chan_unlock(chan);
8d7e1c7f 1811 l2cap_chan_put(chan);
e90bac06
GP		 1812}
1813
d660366d
GP		 1814static void l2cap_streaming_send(struct l2cap_chan *chan,
1815 struct sk_buff_head *skbs)
6840ed07 1816{
ccbb84af 1817 struct sk_buff *skb;
3733937d 1818 struct l2cap_ctrl *control;
6840ed07 1819
3733937d
MM		 1820 BT_DBG("chan %p, skbs %p", chan, skbs);
1821
b99e13ad
MM		 1822 if (__chan_is_moving(chan))
1823 return;
1824
3733937d
MM		 1825 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1826
1827 while (!skb_queue_empty(&chan->tx_q)) {
1828
1829 skb = skb_dequeue(&chan->tx_q);
1830
1831 bt_cb(skb)->control.retries = 1;
1832 control = &bt_cb(skb)->control;
1833
1834 control->reqseq = 0;
1835 control->txseq = chan->next_tx_seq;
1836
1837 __pack_control(chan, control, skb);
6840ed07 1838
47d1ec61 1839 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1840 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1841 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1842 }
1843
4343478f 1844 l2cap_do_send(chan, skb);
6840ed07 1845
b4400672 1846 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1847
836be934 1848 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1849 chan->frames_sent++;
6840ed07 1850 }
6840ed07
GP		 1851}
1852
67c9e840 1853static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1854{
1855 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1856 struct l2cap_ctrl *control;
1857 int sent = 0;
1858
1859 BT_DBG("chan %p", chan);
1c2acffb 1860
89bc500e 1861 if (chan->state != BT_CONNECTED)
c13ffa62 1862 return -ENOTCONN;
e90bac06 1863
94122bbe
MM		 1864 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1865 return 0;
1866
b99e13ad
MM		 1867 if (__chan_is_moving(chan))
1868 return 0;
1869
18a48e76
MM		 1870 while (chan->tx_send_head &&
1871 chan->unacked_frames < chan->remote_tx_win &&
1872 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1873
18a48e76 1874 skb = chan->tx_send_head;
e90bac06 1875
18a48e76
MM		 1876 bt_cb(skb)->control.retries = 1;
1877 control = &bt_cb(skb)->control;
95ffa978 1878
e2ab4353 1879 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1880 control->final = 1;
e2ab4353 1881
18a48e76
MM		 1882 control->reqseq = chan->buffer_seq;
1883 chan->last_acked_seq = chan->buffer_seq;
1884 control->txseq = chan->next_tx_seq;
1c2acffb 1885
18a48e76 1886 __pack_control(chan, control, skb);
e90bac06 1887
47d1ec61 1888 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1889 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1890 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1891 }
1892
18a48e76
MM		 1893 /* Clone after data has been modified. Data is assumed to be
1894 read-only (for locking purposes) on cloned sk_buffs.
1895 */
1896 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1897
18a48e76
MM		 1898 if (!tx_skb)
1899 break;
1c2acffb 1900
18a48e76 1901 __set_retrans_timer(chan);
836be934
AE		 1902
1903 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1904 chan->unacked_frames++;
6a026610 1905 chan->frames_sent++;
18a48e76 1906 sent++;
1c2acffb 1907
58d35f87
GP		 1908 if (skb_queue_is_last(&chan->tx_q, skb))
1909 chan->tx_send_head = NULL;
1c2acffb 1910 else
58d35f87 1911 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1912
1913 l2cap_do_send(chan, tx_skb);
b4400672 1914 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1915 }
1916
b4400672
AE		 1917 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1918 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1919
1920 return sent;
9e917af1
GP		 1921}
1922
e1fbd4c1
MM		 1923static void l2cap_ertm_resend(struct l2cap_chan *chan)
1924{
1925 struct l2cap_ctrl control;
1926 struct sk_buff *skb;
1927 struct sk_buff *tx_skb;
1928 u16 seq;
1929
1930 BT_DBG("chan %p", chan);
1931
1932 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1933 return;
1934
b99e13ad
MM		 1935 if (__chan_is_moving(chan))
1936 return;
1937
e1fbd4c1
MM		 1938 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1939 seq = l2cap_seq_list_pop(&chan->retrans_list);
1940
1941 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1942 if (!skb) {
1943 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1944 seq);
e1fbd4c1
MM		 1945 continue;
1946 }
1947
1948 bt_cb(skb)->control.retries++;
1949 control = bt_cb(skb)->control;
1950
1951 if (chan->max_tx != 0 &&
1952 bt_cb(skb)->control.retries > chan->max_tx) {
1953 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1954 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1955 l2cap_seq_list_clear(&chan->retrans_list);
1956 break;
1957 }
1958
1959 control.reqseq = chan->buffer_seq;
1960 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1961 control.final = 1;
1962 else
1963 control.final = 0;
1964
1965 if (skb_cloned(skb)) {
1966 /* Cloned sk_buffs are read-only, so we need a
1967 * writeable copy
1968 */
8bcde1f2 1969 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1970 } else {
8bcde1f2 1971 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1972 }
1973
1974 if (!tx_skb) {
1975 l2cap_seq_list_clear(&chan->retrans_list);
1976 break;
1977 }
1978
1979 /* Update skb contents */
1980 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1981 put_unaligned_le32(__pack_extended_control(&control),
1982 tx_skb->data + L2CAP_HDR_SIZE);
1983 } else {
1984 put_unaligned_le16(__pack_enhanced_control(&control),
1985 tx_skb->data + L2CAP_HDR_SIZE);
1986 }
1987
1988 if (chan->fcs == L2CAP_FCS_CRC16) {
1989 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1990 put_unaligned_le16(fcs, skb_put(tx_skb,
1991 L2CAP_FCS_SIZE));
1992 }
1993
1994 l2cap_do_send(chan, tx_skb);
1995
1996 BT_DBG("Resent txseq %d", control.txseq);
1997
1998 chan->last_acked_seq = chan->buffer_seq;
1999 }
2000}
2001
f80842a8
MM		 2002static void l2cap_retransmit(struct l2cap_chan *chan,
2003 struct l2cap_ctrl *control)
2004{
2005 BT_DBG("chan %p, control %p", chan, control);
2006
2007 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2008 l2cap_ertm_resend(chan);
2009}
2010
d2a7ac5d
MM		 2011static void l2cap_retransmit_all(struct l2cap_chan *chan,
2012 struct l2cap_ctrl *control)
2013{
e1fbd4c1
MM		 2014 struct sk_buff *skb;
2015
2016 BT_DBG("chan %p, control %p", chan, control);
2017
2018 if (control->poll)
2019 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2020
2021 l2cap_seq_list_clear(&chan->retrans_list);
2022
2023 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2024 return;
2025
2026 if (chan->unacked_frames) {
2027 skb_queue_walk(&chan->tx_q, skb) {
2028 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2029 skb == chan->tx_send_head)
e1fbd4c1
MM		 2030 break;
2031 }
2032
2033 skb_queue_walk_from(&chan->tx_q, skb) {
2034 if (skb == chan->tx_send_head)
2035 break;
2036
2037 l2cap_seq_list_append(&chan->retrans_list,
2038 bt_cb(skb)->control.txseq);
2039 }
2040
2041 l2cap_ertm_resend(chan);
2042 }
d2a7ac5d
MM		 2043}
2044
0a0aba42 2045static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2046{
0a0aba42
MM		 2047 struct l2cap_ctrl control;
2048 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2049 chan->last_acked_seq);
2050 int threshold;
9e917af1 2051
0a0aba42
MM		 2052 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2053 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2054
0a0aba42
MM		 2055 memset(&control, 0, sizeof(control));
2056 control.sframe = 1;
dfc909be 2057
0a0aba42
MM		 2058 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2059 chan->rx_state == L2CAP_RX_STATE_RECV) {
2060 __clear_ack_timer(chan);
2061 control.super = L2CAP_SUPER_RNR;
2062 control.reqseq = chan->buffer_seq;
2063 l2cap_send_sframe(chan, &control);
2064 } else {
2065 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2066 l2cap_ertm_send(chan);
2067 /* If any i-frames were sent, they included an ack */
2068 if (chan->buffer_seq == chan->last_acked_seq)
2069 frames_to_ack = 0;
2070 }
dfc909be 2071
c20f8e35 2072 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2073 * Calculate without mul or div
2074 */
c20f8e35 2075 threshold = chan->ack_win;
0a0aba42
MM		 2076 threshold += threshold << 1;
2077 threshold >>= 2;
2078
b4400672 2079 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2080 threshold);
2081
2082 if (frames_to_ack >= threshold) {
2083 __clear_ack_timer(chan);
2084 control.super = L2CAP_SUPER_RR;
2085 control.reqseq = chan->buffer_seq;
2086 l2cap_send_sframe(chan, &control);
2087 frames_to_ack = 0;
2088 }
1c2acffb 2089
0a0aba42
MM		 2090 if (frames_to_ack)
2091 __set_ack_timer(chan);
2092 }
b17e73bb
SJ		 2093}
2094
04124681
GP		 2095static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2096 struct msghdr *msg, int len,
2097 int count, struct sk_buff *skb)
1c2acffb 2098{
0952a57a 2099 struct l2cap_conn *conn = chan->conn;
1c2acffb 2100 struct sk_buff **frag;
90338947 2101 int sent = 0;
1da177e4 2102
59203a21 2103 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2104 return -EFAULT;
1da177e4
LT		 2105
2106 sent += count;
2107 len -= count;
2108
2109 /* Continuation fragments (no L2CAP header) */
2110 frag = &skb_shinfo(skb)->frag_list;
2111 while (len) {
fbe00700
GP		 2112 struct sk_buff *tmp;
2113
1da177e4
LT		 2114 count = min_t(unsigned int, conn->mtu, len);
2115
fbe00700
GP		 2116 tmp = chan->ops->alloc_skb(chan, count,
2117 msg->msg_flags & MSG_DONTWAIT);
2118 if (IS_ERR(tmp))
2119 return PTR_ERR(tmp);
2120
2121 *frag = tmp;
2f7719ce 2122
1c2acffb
GP		 2123 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2124 return -EFAULT;
1da177e4 2125
5e59b791
LAD		 2126 (*frag)->priority = skb->priority;
2127
1da177e4
LT		 2128 sent += count;
2129 len -= count;
2130
2d0ed3d5
GP		 2131 skb->len += (*frag)->len;
2132 skb->data_len += (*frag)->len;
2133
1da177e4
LT		 2134 frag = &(*frag)->next;
2135 }
1da177e4
LT		 2136
2137 return sent;
1c2acffb 2138}
1da177e4 2139
5e59b791 2140static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2141 struct msghdr *msg, size_t len,
2142 u32 priority)
1c2acffb 2143{
8c1d787b 2144 struct l2cap_conn *conn = chan->conn;
1c2acffb 2145 struct sk_buff *skb;
03a51213 2146 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2147 struct l2cap_hdr *lh;
2148
43b1b8df
MH		 2149 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2150 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2151
2152 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2153
2154 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2155 msg->msg_flags & MSG_DONTWAIT);
2156 if (IS_ERR(skb))
2157 return skb;
1c2acffb 2158
5e59b791
LAD		 2159 skb->priority = priority;
2160
1c2acffb
GP		 2161 /* Create L2CAP header */
2162 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2163 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2164 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2165 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2166
0952a57a 2167 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2168 if (unlikely(err < 0)) {
2169 kfree_skb(skb);
2170 return ERR_PTR(err);
2171 }
2172 return skb;
2173}
2174
5e59b791 2175static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2176 struct msghdr *msg, size_t len,
2177 u32 priority)
1c2acffb 2178{
8c1d787b 2179 struct l2cap_conn *conn = chan->conn;
1c2acffb 2180 struct sk_buff *skb;
f2ba7fae 2181 int err, count;
1c2acffb
GP		 2182 struct l2cap_hdr *lh;
2183
b4400672 2184 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2185
f2ba7fae 2186 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2187
f2ba7fae 2188 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2189 msg->msg_flags & MSG_DONTWAIT);
2190 if (IS_ERR(skb))
2191 return skb;
1c2acffb 2192
5e59b791
LAD		 2193 skb->priority = priority;
2194
1c2acffb
GP		 2195 /* Create L2CAP header */
2196 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2197 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2198 lh->len = cpu_to_le16(len);
1c2acffb 2199
0952a57a 2200 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2201 if (unlikely(err < 0)) {
2202 kfree_skb(skb);
2203 return ERR_PTR(err);
2204 }
2205 return skb;
2206}
2207
ab0ff76d 2208static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2209 struct msghdr *msg, size_t len,
2210 u16 sdulen)
1c2acffb 2211{
8c1d787b 2212 struct l2cap_conn *conn = chan->conn;
1c2acffb 2213 struct sk_buff *skb;
e4ca6d98 2214 int err, count, hlen;
1c2acffb
GP		 2215 struct l2cap_hdr *lh;
2216
b4400672 2217 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2218
0ee0d208
GP		 2219 if (!conn)
2220 return ERR_PTR(-ENOTCONN);
2221
ba7aa64f 2222 hlen = __ertm_hdr_size(chan);
e4ca6d98 2223
c74e560c 2224 if (sdulen)
03a51213 2225 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2226
47d1ec61 2227 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2228 hlen += L2CAP_FCS_SIZE;
fcc203c3 2229
1c2acffb 2230 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2231
2232 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2233 msg->msg_flags & MSG_DONTWAIT);
2234 if (IS_ERR(skb))
2235 return skb;
1c2acffb
GP		 2236
2237 /* Create L2CAP header */
2238 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2239 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2240 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2241
18a48e76
MM		 2242 /* Control header is populated later */
2243 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2244 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2245 else
2246 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2247
c74e560c 2248 if (sdulen)
03a51213 2249 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2250
0952a57a 2251 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2252 if (unlikely(err < 0)) {
2253 kfree_skb(skb);
2254 return ERR_PTR(err);
2255 }
e90bac06 2256
18a48e76 2257 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2258 bt_cb(skb)->control.retries = 0;
1c2acffb 2259 return skb;
1da177e4
LT		 2260}
2261
94122bbe
MM		 2262static int l2cap_segment_sdu(struct l2cap_chan *chan,
2263 struct sk_buff_head *seg_queue,
2264 struct msghdr *msg, size_t len)
c74e560c 2265{
c74e560c 2266 struct sk_buff *skb;
94122bbe
MM		 2267 u16 sdu_len;
2268 size_t pdu_len;
94122bbe 2269 u8 sar;
c74e560c 2270
b4400672 2271 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2272
94122bbe
MM		 2273 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2274 * so fragmented skbs are not used. The HCI layer's handling
2275 * of fragmented skbs is not compatible with ERTM's queueing.
2276 */
c74e560c 2277
94122bbe
MM		 2278 /* PDU size is derived from the HCI MTU */
2279 pdu_len = chan->conn->mtu;
c74e560c 2280
a549574d
MM		 2281 /* Constrain PDU size for BR/EDR connections */
2282 if (!chan->hs_hcon)
2283 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2284
2285 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2286 if (chan->fcs)
2287 pdu_len -= L2CAP_FCS_SIZE;
2288
ba7aa64f 2289 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2290
2291 /* Remote device may have requested smaller PDUs */
2292 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2293
2294 if (len <= pdu_len) {
2295 sar = L2CAP_SAR_UNSEGMENTED;
2296 sdu_len = 0;
2297 pdu_len = len;
2298 } else {
2299 sar = L2CAP_SAR_START;
2300 sdu_len = len;
2301 pdu_len -= L2CAP_SDULEN_SIZE;
2302 }
2303
2304 while (len > 0) {
2305 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2306
c74e560c 2307 if (IS_ERR(skb)) {
94122bbe 2308 __skb_queue_purge(seg_queue);
c74e560c
GP		 2309 return PTR_ERR(skb);
2310 }
2311
94122bbe
MM		 2312 bt_cb(skb)->control.sar = sar;
2313 __skb_queue_tail(seg_queue, skb);
2314
2315 len -= pdu_len;
2316 if (sdu_len) {
2317 sdu_len = 0;
2318 pdu_len += L2CAP_SDULEN_SIZE;
2319 }
2320
2321 if (len <= pdu_len) {
2322 sar = L2CAP_SAR_END;
2323 pdu_len = len;
2324 } else {
2325 sar = L2CAP_SAR_CONTINUE;
2326 }
c74e560c 2327 }
c74e560c 2328
f0f62799 2329 return 0;
c74e560c
GP		 2330}
2331
177f8f2b
JH		 2332static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2333 struct msghdr *msg,
2334 size_t len, u16 sdulen)
2335{
2336 struct l2cap_conn *conn = chan->conn;
2337 struct sk_buff *skb;
2338 int err, count, hlen;
2339 struct l2cap_hdr *lh;
2340
2341 BT_DBG("chan %p len %zu", chan, len);
2342
2343 if (!conn)
2344 return ERR_PTR(-ENOTCONN);
2345
2346 hlen = L2CAP_HDR_SIZE;
2347
2348 if (sdulen)
2349 hlen += L2CAP_SDULEN_SIZE;
2350
2351 count = min_t(unsigned int, (conn->mtu - hlen), len);
2352
2353 skb = chan->ops->alloc_skb(chan, count + hlen,
2354 msg->msg_flags & MSG_DONTWAIT);
2355 if (IS_ERR(skb))
2356 return skb;
2357
2358 /* Create L2CAP header */
2359 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2360 lh->cid = cpu_to_le16(chan->dcid);
2361 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2362
2363 if (sdulen)
2364 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2365
2366 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2367 if (unlikely(err < 0)) {
2368 kfree_skb(skb);
2369 return ERR_PTR(err);
2370 }
2371
2372 return skb;
2373}
2374
2375static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2376 struct sk_buff_head *seg_queue,
2377 struct msghdr *msg, size_t len)
2378{
2379 struct sk_buff *skb;
2380 size_t pdu_len;
2381 u16 sdu_len;
2382
2383 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2384
2385 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2386
2387 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2388
2389 sdu_len = len;
2390 pdu_len -= L2CAP_SDULEN_SIZE;
2391
2392 while (len > 0) {
2393 if (len <= pdu_len)
2394 pdu_len = len;
2395
2396 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2397 if (IS_ERR(skb)) {
2398 __skb_queue_purge(seg_queue);
2399 return PTR_ERR(skb);
2400 }
2401
2402 __skb_queue_tail(seg_queue, skb);
2403
2404 len -= pdu_len;
2405
2406 if (sdu_len) {
2407 sdu_len = 0;
2408 pdu_len += L2CAP_SDULEN_SIZE;
2409 }
2410 }
2411
2412 return 0;
2413}
2414
5e59b791 2415int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2416 u32 priority)
9a91a04a 2417{
9a91a04a 2418 struct sk_buff *skb;
9a91a04a 2419 int err;
94122bbe 2420 struct sk_buff_head seg_queue;
9a91a04a 2421
31e8ce80
SWK		 2422 if (!chan->conn)
2423 return -ENOTCONN;
2424
9a91a04a 2425 /* Connectionless channel */
715ec005 2426 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2427 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2428 if (IS_ERR(skb))
2429 return PTR_ERR(skb);
2430
2431 l2cap_do_send(chan, skb);
2432 return len;
2433 }
2434
2435 switch (chan->mode) {
38319713 2436 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2437 /* Check outgoing MTU */
2438 if (len > chan->omtu)
2439 return -EMSGSIZE;
2440
fad5fc89
JH		 2441 if (!chan->tx_credits)
2442 return -EAGAIN;
2443
177f8f2b
JH		 2444 __skb_queue_head_init(&seg_queue);
2445
2446 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2447
2448 if (chan->state != BT_CONNECTED) {
2449 __skb_queue_purge(&seg_queue);
2450 err = -ENOTCONN;
2451 }
2452
2453 if (err)
2454 return err;
2455
2456 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2457
2458 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2459 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2460 chan->tx_credits--;
2461 }
2462
2463 if (!chan->tx_credits)
2464 chan->ops->suspend(chan);
2465
2466 err = len;
2467
2468 break;
2469
fad5fc89 2470 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2471 /* Check outgoing MTU */
2472 if (len > chan->omtu)
2473 return -EMSGSIZE;
2474
2475 /* Create a basic PDU */
5e59b791 2476 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2477 if (IS_ERR(skb))
2478 return PTR_ERR(skb);
2479
2480 l2cap_do_send(chan, skb);
2481 err = len;
2482 break;
2483
2484 case L2CAP_MODE_ERTM:
2485 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2486 /* Check outgoing MTU */
2487 if (len > chan->omtu) {
2488 err = -EMSGSIZE;
2489 break;
2490 }
9a91a04a 2491
94122bbe 2492 __skb_queue_head_init(&seg_queue);
9a91a04a 2493
94122bbe
MM		 2494 /* Do segmentation before calling in to the state machine,
2495 * since it's possible to block while waiting for memory
2496 * allocation.
2497 */
2498 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2499
94122bbe
MM		 2500 /* The channel could have been closed while segmenting,
2501 * check that it is still connected.
2502 */
2503 if (chan->state != BT_CONNECTED) {
2504 __skb_queue_purge(&seg_queue);
2505 err = -ENOTCONN;
9a91a04a
GP		 2506 }
2507
94122bbe 2508 if (err)
9a91a04a 2509 break;
9a91a04a 2510
3733937d 2511 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2512 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2513 else
d660366d 2514 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2515
d660366d 2516 err = len;
9a91a04a 2517
94122bbe
MM		 2518 /* If the skbs were not queued for sending, they'll still be in
2519 * seg_queue and need to be purged.
2520 */
2521 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2522 break;
2523
2524 default:
2525 BT_DBG("bad state %1.1x", chan->mode);
2526 err = -EBADFD;
2527 }
2528
2529 return err;
2530}
2531
d2a7ac5d
MM		 2532static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2533{
bed68bde
MM		 2534 struct l2cap_ctrl control;
2535 u16 seq;
2536
b4400672 2537 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2538
2539 memset(&control, 0, sizeof(control));
2540 control.sframe = 1;
2541 control.super = L2CAP_SUPER_SREJ;
2542
2543 for (seq = chan->expected_tx_seq; seq != txseq;
2544 seq = __next_seq(chan, seq)) {
2545 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2546 control.reqseq = seq;
2547 l2cap_send_sframe(chan, &control);
2548 l2cap_seq_list_append(&chan->srej_list, seq);
2549 }
2550 }
2551
2552 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2553}
2554
2555static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2556{
bed68bde
MM		 2557 struct l2cap_ctrl control;
2558
2559 BT_DBG("chan %p", chan);
2560
2561 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2562 return;
2563
2564 memset(&control, 0, sizeof(control));
2565 control.sframe = 1;
2566 control.super = L2CAP_SUPER_SREJ;
2567 control.reqseq = chan->srej_list.tail;
2568 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2569}
2570
2571static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2572{
bed68bde
MM		 2573 struct l2cap_ctrl control;
2574 u16 initial_head;
2575 u16 seq;
2576
b4400672 2577 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2578
2579 memset(&control, 0, sizeof(control));
2580 control.sframe = 1;
2581 control.super = L2CAP_SUPER_SREJ;
2582
2583 /* Capture initial list head to allow only one pass through the list. */
2584 initial_head = chan->srej_list.head;
2585
2586 do {
2587 seq = l2cap_seq_list_pop(&chan->srej_list);
2588 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2589 break;
2590
2591 control.reqseq = seq;
2592 l2cap_send_sframe(chan, &control);
2593 l2cap_seq_list_append(&chan->srej_list, seq);
2594 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2595}
2596
608bcc6d
MM		 2597static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2598{
2599 struct sk_buff *acked_skb;
2600 u16 ackseq;
2601
b4400672 2602 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2603
2604 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2605 return;
2606
b4400672 2607 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2608 chan->expected_ack_seq, chan->unacked_frames);
2609
2610 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2611 ackseq = __next_seq(chan, ackseq)) {
2612
2613 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2614 if (acked_skb) {
2615 skb_unlink(acked_skb, &chan->tx_q);
2616 kfree_skb(acked_skb);
2617 chan->unacked_frames--;
2618 }
2619 }
2620
2621 chan->expected_ack_seq = reqseq;
2622
2623 if (chan->unacked_frames == 0)
2624 __clear_retrans_timer(chan);
2625
b4400672 2626 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2627}
2628
2629static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2630{
2631 BT_DBG("chan %p", chan);
2632
2633 chan->expected_tx_seq = chan->buffer_seq;
2634 l2cap_seq_list_clear(&chan->srej_list);
2635 skb_queue_purge(&chan->srej_q);
2636 chan->rx_state = L2CAP_RX_STATE_RECV;
2637}
2638
d660366d
GP		 2639static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2640 struct l2cap_ctrl *control,
2641 struct sk_buff_head *skbs, u8 event)
608bcc6d 2642{
608bcc6d
MM		 2643 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2644 event);
2645
2646 switch (event) {
2647 case L2CAP_EV_DATA_REQUEST:
2648 if (chan->tx_send_head == NULL)
2649 chan->tx_send_head = skb_peek(skbs);
2650
2651 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2652 l2cap_ertm_send(chan);
2653 break;
2654 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2655 BT_DBG("Enter LOCAL_BUSY");
2656 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2657
2658 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2659 /* The SREJ_SENT state must be aborted if we are to
2660 * enter the LOCAL_BUSY state.
2661 */
2662 l2cap_abort_rx_srej_sent(chan);
2663 }
2664
2665 l2cap_send_ack(chan);
2666
2667 break;
2668 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2669 BT_DBG("Exit LOCAL_BUSY");
2670 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2671
2672 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2673 struct l2cap_ctrl local_control;
2674
2675 memset(&local_control, 0, sizeof(local_control));
2676 local_control.sframe = 1;
2677 local_control.super = L2CAP_SUPER_RR;
2678 local_control.poll = 1;
2679 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2680 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2681
2682 chan->retry_count = 1;
2683 __set_monitor_timer(chan);
2684 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2685 }
2686 break;
2687 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2688 l2cap_process_reqseq(chan, control->reqseq);
2689 break;
2690 case L2CAP_EV_EXPLICIT_POLL:
2691 l2cap_send_rr_or_rnr(chan, 1);
2692 chan->retry_count = 1;
2693 __set_monitor_timer(chan);
2694 __clear_ack_timer(chan);
2695 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2696 break;
2697 case L2CAP_EV_RETRANS_TO:
2698 l2cap_send_rr_or_rnr(chan, 1);
2699 chan->retry_count = 1;
2700 __set_monitor_timer(chan);
2701 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2702 break;
2703 case L2CAP_EV_RECV_FBIT:
2704 /* Nothing to process */
2705 break;
2706 default:
2707 break;
2708 }
608bcc6d
MM		 2709}
2710
d660366d
GP		 2711static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2712 struct l2cap_ctrl *control,
2713 struct sk_buff_head *skbs, u8 event)
608bcc6d 2714{
608bcc6d
MM		 2715 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2716 event);
2717
2718 switch (event) {
2719 case L2CAP_EV_DATA_REQUEST:
2720 if (chan->tx_send_head == NULL)
2721 chan->tx_send_head = skb_peek(skbs);
2722 /* Queue data, but don't send. */
2723 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2724 break;
2725 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2726 BT_DBG("Enter LOCAL_BUSY");
2727 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2728
2729 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2730 /* The SREJ_SENT state must be aborted if we are to
2731 * enter the LOCAL_BUSY state.
2732 */
2733 l2cap_abort_rx_srej_sent(chan);
2734 }
2735
2736 l2cap_send_ack(chan);
2737
2738 break;
2739 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2740 BT_DBG("Exit LOCAL_BUSY");
2741 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2742
2743 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2744 struct l2cap_ctrl local_control;
2745 memset(&local_control, 0, sizeof(local_control));
2746 local_control.sframe = 1;
2747 local_control.super = L2CAP_SUPER_RR;
2748 local_control.poll = 1;
2749 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2750 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2751
2752 chan->retry_count = 1;
2753 __set_monitor_timer(chan);
2754 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2755 }
2756 break;
2757 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2758 l2cap_process_reqseq(chan, control->reqseq);
2759
2760 /* Fall through */
2761
2762 case L2CAP_EV_RECV_FBIT:
2763 if (control && control->final) {
2764 __clear_monitor_timer(chan);
2765 if (chan->unacked_frames > 0)
2766 __set_retrans_timer(chan);
2767 chan->retry_count = 0;
2768 chan->tx_state = L2CAP_TX_STATE_XMIT;
2769 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2770 }
2771 break;
2772 case L2CAP_EV_EXPLICIT_POLL:
2773 /* Ignore */
2774 break;
2775 case L2CAP_EV_MONITOR_TO:
2776 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2777 l2cap_send_rr_or_rnr(chan, 1);
2778 __set_monitor_timer(chan);
2779 chan->retry_count++;
2780 } else {
5e4e3972 2781 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2782 }
2783 break;
2784 default:
2785 break;
2786 }
608bcc6d
MM		 2787}
2788
d660366d
GP		 2789static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2790 struct sk_buff_head *skbs, u8 event)
608bcc6d 2791{
608bcc6d
MM		 2792 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2793 chan, control, skbs, event, chan->tx_state);
2794
2795 switch (chan->tx_state) {
2796 case L2CAP_TX_STATE_XMIT:
d660366d 2797 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2798 break;
2799 case L2CAP_TX_STATE_WAIT_F:
d660366d 2800 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2801 break;
2802 default:
2803 /* Ignore event */
2804 break;
2805 }
608bcc6d
MM		 2806}
2807
4b51dae9
MM		 2808static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2809 struct l2cap_ctrl *control)
2810{
2811 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2812 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2813}
2814
f80842a8
MM		 2815static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2816 struct l2cap_ctrl *control)
2817{
2818 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2819 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2820}
2821
1da177e4
LT		 2822/* Copy frame to all raw sockets on that connection */
2823static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2824{
1da177e4 2825 struct sk_buff *nskb;
48454079 2826 struct l2cap_chan *chan;
1da177e4
LT		 2827
2828 BT_DBG("conn %p", conn);
2829
3df91ea2 2830 mutex_lock(&conn->chan_lock);
3d57dc68 2831
3df91ea2 2832 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2833 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2834 continue;
2835
7f5396a7
GP		 2836 /* Don't send frame to the channel it came from */
2837 if (bt_cb(skb)->chan == chan)
1da177e4 2838 continue;
7f5396a7 2839
8bcde1f2 2840 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2841 if (!nskb)
1da177e4 2842 continue;
80b98027 2843 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2844 kfree_skb(nskb);
2845 }
3d57dc68 2846
3df91ea2 2847 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2848}
2849
2850/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2851static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2852 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2853{
2854 struct sk_buff *skb, **frag;
2855 struct l2cap_cmd_hdr *cmd;
2856 struct l2cap_hdr *lh;
2857 int len, count;
2858
b4400672
AE		 2859 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2860 conn, code, ident, dlen);
1da177e4 2861
300b962e
AL		 2862 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2863 return NULL;
2864
1da177e4
LT		 2865 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2866 count = min_t(unsigned int, conn->mtu, len);
2867
8bcde1f2 2868 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2869 if (!skb)
2870 return NULL;
2871
2872 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2873 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2874
2875 if (conn->hcon->type == LE_LINK)
ac73498c 2876 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2877 else
ac73498c 2878 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2879
2880 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2881 cmd->code = code;
2882 cmd->ident = ident;
aca3192c 2883 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2884
2885 if (dlen) {
2886 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2887 memcpy(skb_put(skb, count), data, count);
2888 data += count;
2889 }
2890
2891 len -= skb->len;
2892
2893 /* Continuation fragments (no L2CAP header) */
2894 frag = &skb_shinfo(skb)->frag_list;
2895 while (len) {
2896 count = min_t(unsigned int, conn->mtu, len);
2897
8bcde1f2 2898 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2899 if (!*frag)
2900 goto fail;
2901
2902 memcpy(skb_put(*frag, count), data, count);
2903
2904 len -= count;
2905 data += count;
2906
2907 frag = &(*frag)->next;
2908 }
2909
2910 return skb;
2911
2912fail:
2913 kfree_skb(skb);
2914 return NULL;
2915}
2916
2d792818
GP		 2917static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2918 unsigned long *val)
1da177e4
LT		 2919{
2920 struct l2cap_conf_opt *opt = *ptr;
2921 int len;
2922
2923 len = L2CAP_CONF_OPT_SIZE + opt->len;
2924 *ptr += len;
2925
2926 *type = opt->type;
2927 *olen = opt->len;
2928
2929 switch (opt->len) {
2930 case 1:
2931 *val = *((u8 *) opt->val);
2932 break;
2933
2934 case 2:
bfaaeb3e 2935 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2936 break;
2937
2938 case 4:
bfaaeb3e 2939 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2940 break;
2941
2942 default:
2943 *val = (unsigned long) opt->val;
2944 break;
2945 }
2946
b4400672 2947 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2948 return len;
2949}
2950
1da177e4
LT		 2951static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2952{
2953 struct l2cap_conf_opt *opt = *ptr;
2954
b4400672 2955 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2956
2957 opt->type = type;
2958 opt->len = len;
2959
2960 switch (len) {
2961 case 1:
2962 *((u8 *) opt->val) = val;
2963 break;
2964
2965 case 2:
4f8b691c 2966 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2967 break;
2968
2969 case 4:
4f8b691c 2970 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2971 break;
2972
2973 default:
2974 memcpy(opt->val, (void *) val, len);
2975 break;
2976 }
2977
2978 *ptr += L2CAP_CONF_OPT_SIZE + len;
2979}
2980
f89cef09
AE		 2981static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2982{
2983 struct l2cap_conf_efs efs;
2984
1ec918ce 2985 switch (chan->mode) {
f89cef09
AE		 2986 case L2CAP_MODE_ERTM:
2987 efs.id = chan->local_id;
2988 efs.stype = chan->local_stype;
2989 efs.msdu = cpu_to_le16(chan->local_msdu);
2990 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2991 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2992 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2993 break;
2994
2995 case L2CAP_MODE_STREAMING:
2996 efs.id = 1;
2997 efs.stype = L2CAP_SERV_BESTEFFORT;
2998 efs.msdu = cpu_to_le16(chan->local_msdu);
2999 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3000 efs.acc_lat = 0;
3001 efs.flush_to = 0;
3002 break;
3003
3004 default:
3005 return;
3006 }
3007
3008 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3009 (unsigned long) &efs);
f89cef09
AE		 3010}
3011
721c4181 3012static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3013{
721c4181 3014 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3015 ack_timer.work);
3016 u16 frames_to_ack;
c1b4f43b 3017
2fb9b3d4
GP		 3018 BT_DBG("chan %p", chan);
3019
6be36555
AE		 3020 l2cap_chan_lock(chan);
3021
0362520b
MM		 3022 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3023 chan->last_acked_seq);
6be36555 3024
0362520b
MM		 3025 if (frames_to_ack)
3026 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3027
0362520b 3028 l2cap_chan_unlock(chan);
09bfb2ee 3029 l2cap_chan_put(chan);
c1b4f43b
GP		 3030}
3031
466f8004 3032int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3033{
3c588192
MM		 3034 int err;
3035
105bdf9e
MM		 3036 chan->next_tx_seq = 0;
3037 chan->expected_tx_seq = 0;
42e5c802 3038 chan->expected_ack_seq = 0;
6a026610 3039 chan->unacked_frames = 0;
42e5c802 3040 chan->buffer_seq = 0;
6a026610 3041 chan->frames_sent = 0;
105bdf9e
MM		 3042 chan->last_acked_seq = 0;
3043 chan->sdu = NULL;
3044 chan->sdu_last_frag = NULL;
3045 chan->sdu_len = 0;
3046
d34c34fb
MM		 3047 skb_queue_head_init(&chan->tx_q);
3048
6ed971ca
MH		 3049 chan->local_amp_id = AMP_ID_BREDR;
3050 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3051 chan->move_state = L2CAP_MOVE_STABLE;
3052 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3053
105bdf9e
MM		 3054 if (chan->mode != L2CAP_MODE_ERTM)
3055 return 0;
3056
3057 chan->rx_state = L2CAP_RX_STATE_RECV;
3058 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3059
721c4181
GP		 3060 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3061 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3062 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3063
f1c6775b 3064 skb_queue_head_init(&chan->srej_q);
1890d36b 3065
3c588192
MM		 3066 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3067 if (err < 0)
3068 return err;
3069
9dc9affc
MM		 3070 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3071 if (err < 0)
3072 l2cap_seq_list_free(&chan->srej_list);
3073
3074 return err;
0565c1c2
GP		 3075}
3076
f2fcfcd6
GP		 3077static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3078{
3079 switch (mode) {
3080 case L2CAP_MODE_STREAMING:
3081 case L2CAP_MODE_ERTM:
3082 if (l2cap_mode_supported(mode, remote_feat_mask))
3083 return mode;
3084 /* fall through */
3085 default:
3086 return L2CAP_MODE_BASIC;
3087 }
3088}
3089
848566b3 3090static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3091{
848566b3 3092 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3093}
3094
848566b3 3095static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3096{
848566b3 3097 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3098}
3099
36c86c85
MM		 3100static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3101 struct l2cap_conf_rfc *rfc)
3102{
6ed971ca 3103 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3104 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3105
3106 /* Class 1 devices have must have ERTM timeouts
3107 * exceeding the Link Supervision Timeout. The
3108 * default Link Supervision Timeout for AMP
3109 * controllers is 10 seconds.
3110 *
3111 * Class 1 devices use 0xffffffff for their
3112 * best-effort flush timeout, so the clamping logic
3113 * will result in a timeout that meets the above
3114 * requirement. ERTM timeouts are 16-bit values, so
3115 * the maximum timeout is 65.535 seconds.
3116 */
3117
3118 /* Convert timeout to milliseconds and round */
3119 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3120
3121 /* This is the recommended formula for class 2 devices
3122 * that start ERTM timers when packets are sent to the
3123 * controller.
3124 */
3125 ertm_to = 3 * ertm_to + 500;
3126
3127 if (ertm_to > 0xffff)
3128 ertm_to = 0xffff;
3129
3130 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3131 rfc->monitor_timeout = rfc->retrans_timeout;
3132 } else {
3133 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3134 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3135 }
3136}
3137
6327eb98
AE		 3138static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3139{
3140 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3141 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3142 /* use extended control field */
3143 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3144 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3145 } else {
6327eb98 3146 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3147 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3148 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3149 }
c20f8e35 3150 chan->ack_win = chan->tx_win;
6327eb98
AE		 3151}
3152
710f9b0a 3153static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3154{
1da177e4 3155 struct l2cap_conf_req *req = data;
0c1bc5c6 3156 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3157 void *ptr = req->data;
c8f79162 3158 u16 size;
1da177e4 3159
49208c9c 3160 BT_DBG("chan %p", chan);
1da177e4 3161
73ffa904 3162 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3163 goto done;
3164
0c1bc5c6 3165 switch (chan->mode) {
f2fcfcd6
GP		 3166 case L2CAP_MODE_STREAMING:
3167 case L2CAP_MODE_ERTM:
c1360a1c 3168 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3169 break;
85eb53c6 3170
848566b3 3171 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3172 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3173
2ba13ed6 3174 /* fall through */
f2fcfcd6 3175 default:
8c1d787b 3176 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3177 break;
3178 }
3179
3180done:
0c1bc5c6
GP		 3181 if (chan->imtu != L2CAP_DEFAULT_MTU)
3182 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3183
0c1bc5c6 3184 switch (chan->mode) {
65c7c491 3185 case L2CAP_MODE_BASIC:
8c1d787b 3186 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3187 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3188 break;
3189
62547752
GP		 3190 rfc.mode = L2CAP_MODE_BASIC;
3191 rfc.txwin_size = 0;
3192 rfc.max_transmit = 0;
3193 rfc.retrans_timeout = 0;
3194 rfc.monitor_timeout = 0;
3195 rfc.max_pdu_size = 0;
3196
63406504 3197 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3198 (unsigned long) &rfc);
65c7c491
MH		 3199 break;
3200
3201 case L2CAP_MODE_ERTM:
3202 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3203 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3204
3205 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3206
3207 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3208 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3209 L2CAP_FCS_SIZE);
c8f79162 3210 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3211
6327eb98
AE		 3212 l2cap_txwin_setup(chan);
3213
3214 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3215 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3216
63406504 3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3218 (unsigned long) &rfc);
63406504 3219
f89cef09
AE		 3220 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3221 l2cap_add_opt_efs(&ptr, chan);
3222
6327eb98
AE		 3223 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3225 chan->tx_win);
60918918
AE		 3226
3227 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3228 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3229 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3230 chan->fcs = L2CAP_FCS_NONE;
3231 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3232 chan->fcs);
3233 }
f2fcfcd6
GP		 3234 break;
3235
3236 case L2CAP_MODE_STREAMING:
273759e2 3237 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3238 rfc.mode = L2CAP_MODE_STREAMING;
3239 rfc.txwin_size = 0;
3240 rfc.max_transmit = 0;
3241 rfc.retrans_timeout = 0;
3242 rfc.monitor_timeout = 0;
c8f79162
AE		 3243
3244 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3245 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3246 L2CAP_FCS_SIZE);
c8f79162 3247 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3248
63406504 3249 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3250 (unsigned long) &rfc);
63406504 3251
f89cef09
AE		 3252 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3253 l2cap_add_opt_efs(&ptr, chan);
3254
60918918
AE		 3255 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3256 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3257 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3258 chan->fcs = L2CAP_FCS_NONE;
3259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3260 chan->fcs);
3261 }
65c7c491
MH		 3262 break;
3263 }
1da177e4 3264
fe4128e0 3265 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3266 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3267
3268 return ptr - data;
3269}
3270
73ffa904 3271static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3272{
5dee9e7c
MH		 3273 struct l2cap_conf_rsp *rsp = data;
3274 void *ptr = rsp->data;
73ffa904
GP		 3275 void *req = chan->conf_req;
3276 int len = chan->conf_len;
5dee9e7c
MH		 3277 int type, hint, olen;
3278 unsigned long val;
6464f35f 3279 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3280 struct l2cap_conf_efs efs;
3281 u8 remote_efs = 0;
861d6882 3282 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3283 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3284 u16 size;
1da177e4 3285
73ffa904 3286 BT_DBG("chan %p", chan);
820ae1b8 3287
5dee9e7c
MH		 3288 while (len >= L2CAP_CONF_OPT_SIZE) {
3289 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3290
589d2746 3291 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3292 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3293
3294 switch (type) {
3295 case L2CAP_CONF_MTU:
861d6882 3296 mtu = val;
5dee9e7c
MH		 3297 break;
3298
3299 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3300 chan->flush_to = val;
5dee9e7c
MH		 3301 break;
3302
3303 case L2CAP_CONF_QOS:
3304 break;
3305
6464f35f
MH		 3306 case L2CAP_CONF_RFC:
3307 if (olen == sizeof(rfc))
3308 memcpy(&rfc, (void *) val, olen);
3309 break;
3310
fcc203c3
GP		 3311 case L2CAP_CONF_FCS:
3312 if (val == L2CAP_FCS_NONE)
f2592d3e 3313 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3314 break;
fcc203c3 3315
42dceae2
AE		 3316 case L2CAP_CONF_EFS:
3317 remote_efs = 1;
3318 if (olen == sizeof(efs))
3319 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3320 break;
3321
6327eb98 3322 case L2CAP_CONF_EWS:
848566b3 3323 if (!chan->conn->hs_enabled)
6327eb98 3324 return -ECONNREFUSED;
fcc203c3 3325
6327eb98
AE		 3326 set_bit(FLAG_EXT_CTRL, &chan->flags);
3327 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3328 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3329 chan->remote_tx_win = val;
fcc203c3
GP		 3330 break;
3331
5dee9e7c
MH		 3332 default:
3333 if (hint)
3334 break;
3335
3336 result = L2CAP_CONF_UNKNOWN;
3337 *((u8 *) ptr++) = type;
3338 break;
3339 }
3340 }
3341
73ffa904 3342 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3343 goto done;
3344
0c1bc5c6 3345 switch (chan->mode) {
f2fcfcd6
GP		 3346 case L2CAP_MODE_STREAMING:
3347 case L2CAP_MODE_ERTM:
c1360a1c 3348 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3349 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3350 chan->conn->feat_mask);
85eb53c6
GP		 3351 break;
3352 }
3353
42dceae2 3354 if (remote_efs) {
848566b3 3355 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3356 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3357 else
3358 return -ECONNREFUSED;
3359 }
3360
0c1bc5c6 3361 if (chan->mode != rfc.mode)
f2fcfcd6 3362 return -ECONNREFUSED;
742e519b 3363
f2fcfcd6 3364 break;
f2fcfcd6
GP		 3365 }
3366
3367done:
0c1bc5c6 3368 if (chan->mode != rfc.mode) {
f2fcfcd6 3369 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3370 rfc.mode = chan->mode;
f2fcfcd6 3371
73ffa904 3372 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3373 return -ECONNREFUSED;
3374
2d792818
GP		 3375 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3376 (unsigned long) &rfc);
f2fcfcd6
GP		 3377 }
3378
5dee9e7c
MH		 3379 if (result == L2CAP_CONF_SUCCESS) {
3380 /* Configure output options and let the other side know
3381 * which ones we don't like. */
3382
f2fcfcd6
GP		 3383 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3384 result = L2CAP_CONF_UNACCEPT;
3385 else {
0c1bc5c6 3386 chan->omtu = mtu;
c1360a1c 3387 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3388 }
0c1bc5c6 3389 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3390
42dceae2
AE		 3391 if (remote_efs) {
3392 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3393 efs.stype != L2CAP_SERV_NOTRAFIC &&
3394 efs.stype != chan->local_stype) {
42dceae2
AE		 3395
3396 result = L2CAP_CONF_UNACCEPT;
3397
3398 if (chan->num_conf_req >= 1)
3399 return -ECONNREFUSED;
3400
3401 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3402 sizeof(efs),
3403 (unsigned long) &efs);
0e8b207e 3404 } else {
3e6b3b95 3405 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3406 result = L2CAP_CONF_PENDING;
3407 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3408 }
3409 }
3410
f2fcfcd6
GP		 3411 switch (rfc.mode) {
3412 case L2CAP_MODE_BASIC:
47d1ec61 3413 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3414 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3415 break;
3416
3417 case L2CAP_MODE_ERTM:
6327eb98
AE		 3418 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3419 chan->remote_tx_win = rfc.txwin_size;
3420 else
3421 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3422
2c03a7a4 3423 chan->remote_max_tx = rfc.max_transmit;
1c762159 3424
c8f79162 3425 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3426 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3427 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3428 rfc.max_pdu_size = cpu_to_le16(size);
3429 chan->remote_mps = size;
f2fcfcd6 3430
36c86c85 3431 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3432
c1360a1c 3433 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3434
3435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3436 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3437
42dceae2
AE		 3438 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3439 chan->remote_id = efs.id;
3440 chan->remote_stype = efs.stype;
3441 chan->remote_msdu = le16_to_cpu(efs.msdu);
3442 chan->remote_flush_to =
2d792818 3443 le32_to_cpu(efs.flush_to);
42dceae2 3444 chan->remote_acc_lat =
2d792818 3445 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3446 chan->remote_sdu_itime =
3447 le32_to_cpu(efs.sdu_itime);
3448 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3449 sizeof(efs),
3450 (unsigned long) &efs);
42dceae2 3451 }
f2fcfcd6
GP		 3452 break;
3453
3454 case L2CAP_MODE_STREAMING:
c8f79162 3455 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3456 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3457 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3458 rfc.max_pdu_size = cpu_to_le16(size);
3459 chan->remote_mps = size;
f2fcfcd6 3460
c1360a1c 3461 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3462
2d792818
GP		 3463 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3464 (unsigned long) &rfc);
68ae6639 3465
f2fcfcd6
GP		 3466 break;
3467
3468 default:
5dee9e7c 3469 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3470
6464f35f 3471 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3472 rfc.mode = chan->mode;
f2fcfcd6 3473 }
6464f35f 3474
f2fcfcd6 3475 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3476 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3477 }
fe4128e0 3478 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3479 rsp->result = cpu_to_le16(result);
59e54bd1 3480 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3481
3482 return ptr - data;
1da177e4
LT		 3483}
3484
2d792818
GP		 3485static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3486 void *data, u16 *result)
f2fcfcd6 3487{
f2fcfcd6
GP		 3488 struct l2cap_conf_req *req = data;
3489 void *ptr = req->data;
3490 int type, olen;
3491 unsigned long val;
36e999a8 3492 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3493 struct l2cap_conf_efs efs;
f2fcfcd6 3494
fe4128e0 3495 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3496
3497 while (len >= L2CAP_CONF_OPT_SIZE) {
3498 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3499
3500 switch (type) {
3501 case L2CAP_CONF_MTU:
3502 if (val < L2CAP_DEFAULT_MIN_MTU) {
3503 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3504 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3505 } else
0c1bc5c6
GP		 3506 chan->imtu = val;
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3508 break;
3509
3510 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3511 chan->flush_to = val;
f2fcfcd6 3512 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3513 2, chan->flush_to);
f2fcfcd6
GP		 3514 break;
3515
3516 case L2CAP_CONF_RFC:
3517 if (olen == sizeof(rfc))
3518 memcpy(&rfc, (void *)val, olen);
3519
c1360a1c 3520 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3521 rfc.mode != chan->mode)
f2fcfcd6
GP		 3522 return -ECONNREFUSED;
3523
47d1ec61 3524 chan->fcs = 0;
f2fcfcd6
GP		 3525
3526 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3527 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3528 break;
6327eb98
AE		 3529
3530 case L2CAP_CONF_EWS:
c20f8e35 3531 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3533 chan->tx_win);
6327eb98 3534 break;
66af7aaf
AE		 3535
3536 case L2CAP_CONF_EFS:
3537 if (olen == sizeof(efs))
3538 memcpy(&efs, (void *)val, olen);
3539
3540 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3541 efs.stype != L2CAP_SERV_NOTRAFIC &&
3542 efs.stype != chan->local_stype)
66af7aaf
AE		 3543 return -ECONNREFUSED;
3544
2d792818
GP		 3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3546 (unsigned long) &efs);
66af7aaf 3547 break;
cbabee78
AE		 3548
3549 case L2CAP_CONF_FCS:
3550 if (*result == L2CAP_CONF_PENDING)
3551 if (val == L2CAP_FCS_NONE)
f2592d3e 3552 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3553 &chan->conf_state);
3554 break;
f2fcfcd6
GP		 3555 }
3556 }
3557
0c1bc5c6 3558 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3559 return -ECONNREFUSED;
3560
0c1bc5c6 3561 chan->mode = rfc.mode;
6c2ea7a8 3562
0e8b207e 3563 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3564 switch (rfc.mode) {
3565 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3566 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3567 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3568 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3569 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3570 chan->ack_win = min_t(u16, chan->ack_win,
3571 rfc.txwin_size);
66af7aaf
AE		 3572
3573 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3574 chan->local_msdu = le16_to_cpu(efs.msdu);
3575 chan->local_sdu_itime =
2d792818 3576 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3577 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3578 chan->local_flush_to =
2d792818 3579 le32_to_cpu(efs.flush_to);
66af7aaf 3580 }
f2fcfcd6 3581 break;
66af7aaf 3582
f2fcfcd6 3583 case L2CAP_MODE_STREAMING:
47d1ec61 3584 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3585 }
3586 }
3587
fe4128e0 3588 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3589 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3590
3591 return ptr - data;
3592}
3593
2d792818
GP		 3594static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3595 u16 result, u16 flags)
1da177e4
LT		 3596{
3597 struct l2cap_conf_rsp *rsp = data;
3598 void *ptr = rsp->data;
1da177e4 3599
fe4128e0 3600 BT_DBG("chan %p", chan);
1da177e4 3601
fe4128e0 3602 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3603 rsp->result = cpu_to_le16(result);
aca3192c 3604 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3605
3606 return ptr - data;
3607}
3608
27e2d4c8
JH		 3609void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3610{
3611 struct l2cap_le_conn_rsp rsp;
3612 struct l2cap_conn *conn = chan->conn;
3613
3614 BT_DBG("chan %p", chan);
3615
3616 rsp.dcid = cpu_to_le16(chan->scid);
3617 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3618 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3619 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 3620 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3621
3622 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3623 &rsp);
3624}
3625
8c1d787b 3626void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3627{
3628 struct l2cap_conn_rsp rsp;
8c1d787b 3629 struct l2cap_conn *conn = chan->conn;
710f9b0a 3630 u8 buf[128];
439f34ac 3631 u8 rsp_code;
710f9b0a 3632
fe4128e0
GP		 3633 rsp.scid = cpu_to_le16(chan->dcid);
3634 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3635 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3636 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3637
3638 if (chan->hs_hcon)
3639 rsp_code = L2CAP_CREATE_CHAN_RSP;
3640 else
3641 rsp_code = L2CAP_CONN_RSP;
3642
3643 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3644
3645 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3646
c1360a1c 3647 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3648 return;
3649
710f9b0a 3650 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3651 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3652 chan->num_conf_req++;
3653}
3654
47d1ec61 3655static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3656{
7b1c0049
GP		 3657 int type, olen;
3658 unsigned long val;
c20f8e35
MM		 3659 /* Use sane default values in case a misbehaving remote device
3660 * did not send an RFC or extended window size option.
3661 */
3662 u16 txwin_ext = chan->ack_win;
3663 struct l2cap_conf_rfc rfc = {
3664 .mode = chan->mode,
3665 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3666 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3667 .max_pdu_size = cpu_to_le16(chan->imtu),
3668 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3669 };
7b1c0049 3670
47d1ec61 3671 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3672
0c1bc5c6 3673 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3674 return;
3675
3676 while (len >= L2CAP_CONF_OPT_SIZE) {
3677 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3678
c20f8e35
MM		 3679 switch (type) {
3680 case L2CAP_CONF_RFC:
3681 if (olen == sizeof(rfc))
3682 memcpy(&rfc, (void *)val, olen);
8f321f85 3683 break;
c20f8e35
MM		 3684 case L2CAP_CONF_EWS:
3685 txwin_ext = val;
3686 break;
3687 }
7b1c0049
GP		 3688 }
3689
7b1c0049
GP		 3690 switch (rfc.mode) {
3691 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3692 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3693 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3694 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3695 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3696 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3697 else
3698 chan->ack_win = min_t(u16, chan->ack_win,
3699 rfc.txwin_size);
7b1c0049
GP		 3700 break;
3701 case L2CAP_MODE_STREAMING:
47d1ec61 3702 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3703 }
3704}
3705
2d792818 3706static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3707 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3708 u8 *data)
4e8402a3 3709{
e2fd318e 3710 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3711
cb3b3152
JH		 3712 if (cmd_len < sizeof(*rej))
3713 return -EPROTO;
3714
e2fd318e 3715 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3716 return 0;
3717
3718 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3719 cmd->ident == conn->info_ident) {
17cd3f37 3720 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3721
3722 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3723 conn->info_ident = 0;
984947dc 3724
4e8402a3
MH		 3725 l2cap_conn_start(conn);
3726 }
3727
3728 return 0;
3729}
3730
1700915f
MM		 3731static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3732 struct l2cap_cmd_hdr *cmd,
3733 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3734{
1da177e4
LT		 3735 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3736 struct l2cap_conn_rsp rsp;
23691d75 3737 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3738 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3739
3740 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3741 __le16 psm = req->psm;
1da177e4 3742
097db76c 3743 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3744
3745 /* Check if we have socket listening on psm */
6f59b904 3746 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3747 &conn->hcon->dst, ACL_LINK);
23691d75 3748 if (!pchan) {
1da177e4
LT		 3749 result = L2CAP_CR_BAD_PSM;
3750 goto sendresp;
3751 }
3752
3df91ea2 3753 mutex_lock(&conn->chan_lock);
8ffb9290 3754 l2cap_chan_lock(pchan);
e0f0cb56 3755
e7c29cb1 3756 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3757 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3758 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3759 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3760 result = L2CAP_CR_SEC_BLOCK;
3761 goto response;
3762 }
3763
1da177e4
LT		 3764 result = L2CAP_CR_NO_MEM;
3765
2dfa1003
GP		 3766 /* Check if we already have channel with that dcid */
3767 if (__l2cap_get_chan_by_dcid(conn, scid))
3768 goto response;
3769
80b98027 3770 chan = pchan->ops->new_connection(pchan);
80808e43 3771 if (!chan)
1da177e4
LT		 3772 goto response;
3773
330b6c15
SS		 3774 /* For certain devices (ex: HID mouse), support for authentication,
3775 * pairing and bonding is optional. For such devices, inorder to avoid
3776 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3777 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3778 */
3779 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3780
7eafc59e
MH		 3781 bacpy(&chan->src, &conn->hcon->src);
3782 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3783 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3784 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3785 chan->psm = psm;
3786 chan->dcid = scid;
1700915f 3787 chan->local_amp_id = amp_id;
1da177e4 3788
6be36555 3789 __l2cap_chan_add(conn, chan);
48454079 3790
fe4128e0 3791 dcid = chan->scid;
1da177e4 3792
8d836d71 3793 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3794
fc7f8a7e 3795 chan->ident = cmd->ident;
1da177e4 3796
984947dc 3797 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3798 if (l2cap_chan_check_security(chan)) {
bdc25783 3799 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3800 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3801 result = L2CAP_CR_PEND;
3802 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3803 chan->ops->defer(chan);
f66dc81f 3804 } else {
1700915f
MM		 3805 /* Force pending result for AMP controllers.
3806 * The connection will succeed after the
3807 * physical link is up.
3808 */
6ed971ca 3809 if (amp_id == AMP_ID_BREDR) {
f93fa273 3810 l2cap_state_change(chan, BT_CONFIG);
1700915f 3811 result = L2CAP_CR_SUCCESS;
6ed971ca 3812 } else {
f93fa273 3813 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3814 result = L2CAP_CR_PEND;
1700915f 3815 }
f66dc81f
MH		 3816 status = L2CAP_CS_NO_INFO;
3817 }
79d554a6 3818 } else {
f93fa273 3819 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3820 result = L2CAP_CR_PEND;
3821 status = L2CAP_CS_AUTHEN_PEND;
3822 }
3823 } else {
f93fa273 3824 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3825 result = L2CAP_CR_PEND;
3826 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3827 }
3828
1da177e4 3829response:
8ffb9290 3830 l2cap_chan_unlock(pchan);
3df91ea2 3831 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3832
3833sendresp:
aca3192c
YH		 3834 rsp.scid = cpu_to_le16(scid);
3835 rsp.dcid = cpu_to_le16(dcid);
3836 rsp.result = cpu_to_le16(result);
3837 rsp.status = cpu_to_le16(status);
4c89b6aa 3838 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3839
3840 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3841 struct l2cap_info_req info;
ac73498c 3842 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3843
3844 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3845 conn->info_ident = l2cap_get_ident(conn);
3846
ba13ccd9 3847 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3848
2d792818
GP		 3849 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3850 sizeof(info), &info);
79d554a6
MH		 3851 }
3852
c1360a1c 3853 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3854 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3855 u8 buf[128];
c1360a1c 3856 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3857 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3858 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3859 chan->num_conf_req++;
e9aeb2dd 3860 }
1700915f
MM		 3861
3862 return chan;
4c89b6aa 3863}
e9aeb2dd 3864
4c89b6aa 3865static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3866 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3867{
7b064eda
JK		 3868 struct hci_dev *hdev = conn->hcon->hdev;
3869 struct hci_conn *hcon = conn->hcon;
3870
cb3b3152
JH		 3871 if (cmd_len < sizeof(struct l2cap_conn_req))
3872 return -EPROTO;
3873
7b064eda
JK		 3874 hci_dev_lock(hdev);
3875 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3876 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3877 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3878 hcon->dst_type, 0, NULL, 0,
3879 hcon->dev_class);
3880 hci_dev_unlock(hdev);
3881
300229f9 3882 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3883 return 0;
3884}
3885
5909cf30 3886static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3887 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3888 u8 *data)
1da177e4
LT		 3889{
3890 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3891 u16 scid, dcid, result, status;
48454079 3892 struct l2cap_chan *chan;
1da177e4 3893 u8 req[128];
3df91ea2 3894 int err;
1da177e4 3895
cb3b3152
JH		 3896 if (cmd_len < sizeof(*rsp))
3897 return -EPROTO;
3898
1da177e4
LT		 3899 scid = __le16_to_cpu(rsp->scid);
3900 dcid = __le16_to_cpu(rsp->dcid);
3901 result = __le16_to_cpu(rsp->result);
3902 status = __le16_to_cpu(rsp->status);
3903
1b009c98 3904 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3905 dcid, scid, result, status);
1da177e4 3906
3df91ea2
AE		 3907 mutex_lock(&conn->chan_lock);
3908
1da177e4 3909 if (scid) {
3df91ea2
AE		 3910 chan = __l2cap_get_chan_by_scid(conn, scid);
3911 if (!chan) {
21870b52 3912 err = -EBADSLT;
3df91ea2
AE		 3913 goto unlock;
3914 }
1da177e4 3915 } else {
3df91ea2
AE		 3916 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3917 if (!chan) {
21870b52 3918 err = -EBADSLT;
3df91ea2
AE		 3919 goto unlock;
3920 }
1da177e4
LT		 3921 }
3922
3df91ea2
AE		 3923 err = 0;
3924
6be36555 3925 l2cap_chan_lock(chan);
48454079 3926
1da177e4
LT		 3927 switch (result) {
3928 case L2CAP_CR_SUCCESS:
89bc500e 3929 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3930 chan->ident = 0;
fe4128e0 3931 chan->dcid = dcid;
c1360a1c 3932 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3933
c1360a1c 3934 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3935 break;
3936
1da177e4 3937 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3938 l2cap_build_conf_req(chan, req), req);
73ffa904 3939 chan->num_conf_req++;
1da177e4
LT		 3940 break;
3941
3942 case L2CAP_CR_PEND:
c1360a1c 3943 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3944 break;
3945
3946 default:
48454079 3947 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3948 break;
3949 }
3950
6be36555 3951 l2cap_chan_unlock(chan);
3df91ea2
AE		 3952
3953unlock:
3954 mutex_unlock(&conn->chan_lock);
3955
3956 return err;
1da177e4
LT		 3957}
3958
47d1ec61 3959static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3960{
3961 /* FCS is enabled only in ERTM or streaming mode, if one or both
3962 * sides request it.
3963 */
0c1bc5c6 3964 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3965 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3966 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3967 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3968}
3969
29d8a590
AE		 3970static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3971 u8 ident, u16 flags)
3972{
3973 struct l2cap_conn *conn = chan->conn;
3974
3975 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3976 flags);
3977
3978 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3979 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3980
3981 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3982 l2cap_build_conf_rsp(chan, data,
3983 L2CAP_CONF_SUCCESS, flags), data);
3984}
3985
662d652d
JH		 3986static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3987 u16 scid, u16 dcid)
3988{
3989 struct l2cap_cmd_rej_cid rej;
3990
3991 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3992 rej.scid = __cpu_to_le16(scid);
3993 rej.dcid = __cpu_to_le16(dcid);
3994
3995 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3996}
3997
2d792818
GP		 3998static inline int l2cap_config_req(struct l2cap_conn *conn,
3999 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4000 u8 *data)
1da177e4
LT		 4001{
4002 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4003 u16 dcid, flags;
4004 u8 rsp[64];
48454079 4005 struct l2cap_chan *chan;
3c588192 4006 int len, err = 0;
1da177e4 4007
cb3b3152
JH		 4008 if (cmd_len < sizeof(*req))
4009 return -EPROTO;
4010
1da177e4
LT		 4011 dcid = __le16_to_cpu(req->dcid);
4012 flags = __le16_to_cpu(req->flags);
4013
4014 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4015
baa7e1fa 4016 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4017 if (!chan) {
4018 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4019 return 0;
4020 }
1da177e4 4021
033b1142 4022 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4023 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4024 chan->dcid);
354f60a9 4025 goto unlock;
df6bd743 4026 }
354f60a9 4027
5dee9e7c 4028 /* Reject if config buffer is too small. */
88219a0f 4029 len = cmd_len - sizeof(*req);
cb3b3152 4030 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4031 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4032 l2cap_build_conf_rsp(chan, rsp,
4033 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4034 goto unlock;
4035 }
4036
4037 /* Store config. */
73ffa904
GP		 4038 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4039 chan->conf_len += len;
1da177e4 4040
59e54bd1 4041 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4042 /* Incomplete config. Send empty response. */
4043 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4044 l2cap_build_conf_rsp(chan, rsp,
4045 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4046 goto unlock;
4047 }
4048
4049 /* Complete config. */
73ffa904 4050 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4051 if (len < 0) {
5e4e3972 4052 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4053 goto unlock;
f2fcfcd6 4054 }
1da177e4 4055
1500109b 4056 chan->ident = cmd->ident;
5dee9e7c 4057 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4058 chan->num_conf_rsp++;
5dee9e7c 4059
5dee9e7c 4060 /* Reset config buffer. */
73ffa904 4061 chan->conf_len = 0;
5dee9e7c 4062
c1360a1c 4063 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4064 goto unlock;
4065
c1360a1c 4066 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4067 set_default_fcs(chan);
fcc203c3 4068
105bdf9e
MM		 4069 if (chan->mode == L2CAP_MODE_ERTM ||
4070 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4071 err = l2cap_ertm_init(chan);
4072
4073 if (err < 0)
5e4e3972 4074 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4075 else
4076 l2cap_chan_ready(chan);
0565c1c2 4077
876d9484
MH		 4078 goto unlock;
4079 }
4080
c1360a1c 4081 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4082 u8 buf[64];
1da177e4 4083 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4084 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4085 chan->num_conf_req++;
1da177e4
LT		 4086 }
4087
0e8b207e
AE		 4088 /* Got Conf Rsp PENDING from remote side and asume we sent
4089 Conf Rsp PENDING in the code above */
4090 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4091 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4092
4093 /* check compatibility */
4094
79de886d 4095 /* Send rsp for BR/EDR channel */
f351bc72 4096 if (!chan->hs_hcon)
79de886d
AE		 4097 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4098 else
4099 chan->ident = cmd->ident;
0e8b207e
AE		 4100 }
4101
1da177e4 4102unlock:
6be36555 4103 l2cap_chan_unlock(chan);
3c588192 4104 return err;
1da177e4
LT		 4105}
4106
2d792818 4107static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4108 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4109 u8 *data)
1da177e4
LT		 4110{
4111 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4112 u16 scid, flags, result;
48454079 4113 struct l2cap_chan *chan;
cb3b3152 4114 int len = cmd_len - sizeof(*rsp);
3c588192 4115 int err = 0;
1da177e4 4116
cb3b3152
JH		 4117 if (cmd_len < sizeof(*rsp))
4118 return -EPROTO;
4119
1da177e4
LT		 4120 scid = __le16_to_cpu(rsp->scid);
4121 flags = __le16_to_cpu(rsp->flags);
4122 result = __le16_to_cpu(rsp->result);
4123
61386cba
AE		 4124 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4125 result, len);
1da177e4 4126
baa7e1fa 4127 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4128 if (!chan)
1da177e4
LT		 4129 return 0;
4130
4131 switch (result) {
4132 case L2CAP_CONF_SUCCESS:
47d1ec61 4133 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4134 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4135 break;
4136
0e8b207e
AE		 4137 case L2CAP_CONF_PENDING:
4138 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4139
4140 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4141 char buf[64];
4142
4143 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4144 buf, &result);
0e8b207e 4145 if (len < 0) {
5e4e3972 4146 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4147 goto done;
4148 }
4149
f351bc72 4150 if (!chan->hs_hcon) {
79de886d
AE		 4151 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4152 0);
5ce66b59
AE		 4153 } else {
4154 if (l2cap_check_efs(chan)) {
4155 amp_create_logical_link(chan);
4156 chan->ident = cmd->ident;
4157 }
4158 }
0e8b207e
AE		 4159 }
4160 goto done;
4161
1da177e4 4162 case L2CAP_CONF_UNACCEPT:
73ffa904 4163 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4164 char req[64];
4165
c2c77ec8 4166 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4167 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4168 goto done;
4169 }
4170
f2fcfcd6
GP		 4171 /* throw out any old stored conf requests */
4172 result = L2CAP_CONF_SUCCESS;
b4450035 4173 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4174 req, &result);
f2fcfcd6 4175 if (len < 0) {
5e4e3972 4176 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4177 goto done;
4178 }
4179
4180 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4181 L2CAP_CONF_REQ, len, req);
73ffa904 4182 chan->num_conf_req++;
f2fcfcd6
GP		 4183 if (result != L2CAP_CONF_SUCCESS)
4184 goto done;
4185 break;
1da177e4
LT		 4186 }
4187
8e87d142 4188 default:
6be36555 4189 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4190
ba13ccd9 4191 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4192 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4193 goto done;
4194 }
4195
59e54bd1 4196 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4197 goto done;
4198
c1360a1c 4199 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4200
c1360a1c 4201 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4202 set_default_fcs(chan);
fcc203c3 4203
105bdf9e
MM		 4204 if (chan->mode == L2CAP_MODE_ERTM ||
4205 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4206 err = l2cap_ertm_init(chan);
0565c1c2 4207
3c588192 4208 if (err < 0)
5e4e3972 4209 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4210 else
4211 l2cap_chan_ready(chan);
1da177e4
LT		 4212 }
4213
4214done:
6be36555 4215 l2cap_chan_unlock(chan);
3c588192 4216 return err;
1da177e4
LT		 4217}
4218
2d792818 4219static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4220 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4221 u8 *data)
1da177e4
LT		 4222{
4223 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4224 struct l2cap_disconn_rsp rsp;
4225 u16 dcid, scid;
48454079 4226 struct l2cap_chan *chan;
1da177e4 4227
cb3b3152
JH		 4228 if (cmd_len != sizeof(*req))
4229 return -EPROTO;
4230
1da177e4
LT		 4231 scid = __le16_to_cpu(req->scid);
4232 dcid = __le16_to_cpu(req->dcid);
4233
4234 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4235
3df91ea2
AE		 4236 mutex_lock(&conn->chan_lock);
4237
4238 chan = __l2cap_get_chan_by_scid(conn, dcid);
4239 if (!chan) {
4240 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4241 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4242 return 0;
3df91ea2 4243 }
1da177e4 4244
6be36555
AE		 4245 l2cap_chan_lock(chan);
4246
fe4128e0
GP		 4247 rsp.dcid = cpu_to_le16(chan->scid);
4248 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4249 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4250
5ec1bbe5 4251 chan->ops->set_shutdown(chan);
1da177e4 4252
61d6ef3e 4253 l2cap_chan_hold(chan);
48454079 4254 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4255
4256 l2cap_chan_unlock(chan);
1da177e4 4257
80b98027 4258 chan->ops->close(chan);
61d6ef3e 4259 l2cap_chan_put(chan);
3df91ea2
AE		 4260
4261 mutex_unlock(&conn->chan_lock);
4262
1da177e4
LT		 4263 return 0;
4264}
4265
2d792818 4266static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4267 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4268 u8 *data)
1da177e4
LT		 4269{
4270 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4271 u16 dcid, scid;
48454079 4272 struct l2cap_chan *chan;
1da177e4 4273
cb3b3152
JH		 4274 if (cmd_len != sizeof(*rsp))
4275 return -EPROTO;
4276
1da177e4
LT		 4277 scid = __le16_to_cpu(rsp->scid);
4278 dcid = __le16_to_cpu(rsp->dcid);
4279
4280 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4281
3df91ea2
AE		 4282 mutex_lock(&conn->chan_lock);
4283
4284 chan = __l2cap_get_chan_by_scid(conn, scid);
4285 if (!chan) {
4286 mutex_unlock(&conn->chan_lock);
1da177e4 4287 return 0;
3df91ea2 4288 }
1da177e4 4289
6be36555 4290 l2cap_chan_lock(chan);
48454079 4291
61d6ef3e 4292 l2cap_chan_hold(chan);
48454079 4293 l2cap_chan_del(chan, 0);
6be36555
AE		 4294
4295 l2cap_chan_unlock(chan);
1da177e4 4296
80b98027 4297 chan->ops->close(chan);
61d6ef3e 4298 l2cap_chan_put(chan);
3df91ea2
AE		 4299
4300 mutex_unlock(&conn->chan_lock);
4301
1da177e4
LT		 4302 return 0;
4303}
4304
2d792818 4305static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4306 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4307 u8 *data)
1da177e4
LT		 4308{
4309 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4310 u16 type;
4311
cb3b3152
JH		 4312 if (cmd_len != sizeof(*req))
4313 return -EPROTO;
4314
1da177e4
LT		 4315 type = __le16_to_cpu(req->type);
4316
4317 BT_DBG("type 0x%4.4x", type);
4318
f0709e03
MH		 4319 if (type == L2CAP_IT_FEAT_MASK) {
4320 u8 buf[8];
44dd46de 4321 u32 feat_mask = l2cap_feat_mask;
f0709e03 4322 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4323 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4324 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4325 if (!disable_ertm)
fcc203c3 4326 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4327 | L2CAP_FEAT_FCS;
848566b3 4328 if (conn->hs_enabled)
6327eb98 4329 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4330 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4331
1b7bf4ed 4332 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4333 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4334 buf);
e1027a7c
MH		 4335 } else if (type == L2CAP_IT_FIXED_CHAN) {
4336 u8 buf[12];
4337 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4338
848566b3 4339 if (conn->hs_enabled)
50a147cd
MM		 4340 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4341 else
4342 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4343
ac73498c
AE		 4344 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4345 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4346 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4347 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4348 buf);
f0709e03
MH		 4349 } else {
4350 struct l2cap_info_rsp rsp;
4351 rsp.type = cpu_to_le16(type);
ac73498c 4352 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4353 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4354 &rsp);
f0709e03 4355 }
1da177e4
LT		 4356
4357 return 0;
4358}
4359
2d792818 4360static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4361 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4362 u8 *data)
1da177e4
LT		 4363{
4364 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4365 u16 type, result;
4366
3f6fa3d4 4367 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4368 return -EPROTO;
4369
1da177e4
LT		 4370 type = __le16_to_cpu(rsp->type);
4371 result = __le16_to_cpu(rsp->result);
4372
4373 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4374
e90165be
AE		 4375 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4376 if (cmd->ident != conn->info_ident ||
2d792818 4377 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4378 return 0;
4379
17cd3f37 4380 cancel_delayed_work(&conn->info_timer);
4e8402a3 4381
adb08ede
VT		 4382 if (result != L2CAP_IR_SUCCESS) {
4383 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4384 conn->info_ident = 0;
4385
4386 l2cap_conn_start(conn);
4387
4388 return 0;
4389 }
4390
978c93b9
AE		 4391 switch (type) {
4392 case L2CAP_IT_FEAT_MASK:
83985319 4393 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4394
47ec1dcd 4395 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4396 struct l2cap_info_req req;
ac73498c 4397 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4398
4399 conn->info_ident = l2cap_get_ident(conn);
4400
4401 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4402 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4403 } else {
4404 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4405 conn->info_ident = 0;
4406
4407 l2cap_conn_start(conn);
4408 }
978c93b9
AE		 4409 break;
4410
4411 case L2CAP_IT_FIXED_CHAN:
4412 conn->fixed_chan_mask = rsp->data[0];
984947dc 4413 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4414 conn->info_ident = 0;
984947dc
MH		 4415
4416 l2cap_conn_start(conn);
978c93b9 4417 break;
984947dc 4418 }
4e8402a3 4419
1da177e4
LT		 4420 return 0;
4421}
4422
1700915f
MM		 4423static int l2cap_create_channel_req(struct l2cap_conn *conn,
4424 struct l2cap_cmd_hdr *cmd,
4425 u16 cmd_len, void *data)
f94ff6ff
MM		 4426{
4427 struct l2cap_create_chan_req *req = data;
6e1df6a6 4428 struct l2cap_create_chan_rsp rsp;
1700915f 4429 struct l2cap_chan *chan;
6e1df6a6 4430 struct hci_dev *hdev;
f94ff6ff
MM		 4431 u16 psm, scid;
4432
4433 if (cmd_len != sizeof(*req))
4434 return -EPROTO;
4435
848566b3 4436 if (!conn->hs_enabled)
f94ff6ff
MM		 4437 return -EINVAL;
4438
4439 psm = le16_to_cpu(req->psm);
4440 scid = le16_to_cpu(req->scid);
4441
ad0ac6ca 4442 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4443
6e1df6a6 4444 /* For controller id 0 make BR/EDR connection */
6ed971ca 4445 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4446 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4447 req->amp_id);
4448 return 0;
4449 }
1700915f 4450
6e1df6a6
AE		 4451 /* Validate AMP controller id */
4452 hdev = hci_dev_get(req->amp_id);
4453 if (!hdev)
4454 goto error;
1700915f 4455
6e1df6a6
AE		 4456 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4457 hci_dev_put(hdev);
4458 goto error;
4459 }
1700915f 4460
6e1df6a6
AE		 4461 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4462 req->amp_id);
4463 if (chan) {
4464 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4465 struct hci_conn *hs_hcon;
1700915f 4466
98e0f7ea
MH		 4467 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4468 &conn->hcon->dst);
6e1df6a6
AE		 4469 if (!hs_hcon) {
4470 hci_dev_put(hdev);
662d652d
JH		 4471 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4472 chan->dcid);
4473 return 0;
1700915f
MM		 4474 }
4475
6e1df6a6
AE		 4476 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4477
6e1df6a6
AE		 4478 mgr->bredr_chan = chan;
4479 chan->hs_hcon = hs_hcon;
fd45bf4c 4480 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4481 conn->mtu = hdev->block_mtu;
1700915f 4482 }
f94ff6ff 4483
6e1df6a6 4484 hci_dev_put(hdev);
f94ff6ff
MM		 4485
4486 return 0;
6e1df6a6
AE		 4487
4488error:
4489 rsp.dcid = 0;
4490 rsp.scid = cpu_to_le16(scid);
4491 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4492 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4493
4494 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4495 sizeof(rsp), &rsp);
4496
dc280801 4497 return 0;
f94ff6ff
MM		 4498}
4499
8eb200bd
MM		 4500static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4501{
4502 struct l2cap_move_chan_req req;
4503 u8 ident;
4504
4505 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4506
4507 ident = l2cap_get_ident(chan->conn);
4508 chan->ident = ident;
4509
4510 req.icid = cpu_to_le16(chan->scid);
4511 req.dest_amp_id = dest_amp_id;
4512
4513 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4514 &req);
4515
4516 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4517}
4518
1500109b 4519static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4520{
4521 struct l2cap_move_chan_rsp rsp;
4522
1500109b 4523 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4524
1500109b 4525 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4526 rsp.result = cpu_to_le16(result);
4527
1500109b
MM		 4528 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4529 sizeof(rsp), &rsp);
8d5a04a1
MM		 4530}
4531
5b155ef9 4532static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4533{
4534 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4535
5b155ef9 4536 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4537
5b155ef9 4538 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4539
5b155ef9 4540 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4541 cfm.result = cpu_to_le16(result);
4542
5b155ef9
MM		 4543 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4544 sizeof(cfm), &cfm);
4545
4546 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4547}
4548
4549static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4550{
4551 struct l2cap_move_chan_cfm cfm;
4552
4553 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4554
4555 cfm.icid = cpu_to_le16(icid);
4556 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4557
4558 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4559 sizeof(cfm), &cfm);
8d5a04a1
MM		 4560}
4561
4562static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4563 u16 icid)
8d5a04a1
MM		 4564{
4565 struct l2cap_move_chan_cfm_rsp rsp;
4566
ad0ac6ca 4567 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4568
4569 rsp.icid = cpu_to_le16(icid);
4570 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4571}
4572
5f3847a4
MM		 4573static void __release_logical_link(struct l2cap_chan *chan)
4574{
4575 chan->hs_hchan = NULL;
4576 chan->hs_hcon = NULL;
4577
4578 /* Placeholder - release the logical link */
4579}
4580
1500109b
MM		 4581static void l2cap_logical_fail(struct l2cap_chan *chan)
4582{
4583 /* Logical link setup failed */
4584 if (chan->state != BT_CONNECTED) {
4585 /* Create channel failure, disconnect */
5e4e3972 4586 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4587 return;
4588 }
4589
4590 switch (chan->move_role) {
4591 case L2CAP_MOVE_ROLE_RESPONDER:
4592 l2cap_move_done(chan);
4593 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4594 break;
4595 case L2CAP_MOVE_ROLE_INITIATOR:
4596 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4597 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4598 /* Remote has only sent pending or
4599 * success responses, clean up
4600 */
4601 l2cap_move_done(chan);
4602 }
4603
4604 /* Other amp move states imply that the move
4605 * has already aborted
4606 */
4607 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4608 break;
4609 }
4610}
4611
4612static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4613 struct hci_chan *hchan)
4614{
4615 struct l2cap_conf_rsp rsp;
1500109b 4616
336178a3 4617 chan->hs_hchan = hchan;
1500109b
MM		 4618 chan->hs_hcon->l2cap_data = chan->conn;
4619
35ba9561 4620 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4621
4622 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4623 int err;
1500109b
MM		 4624
4625 set_default_fcs(chan);
4626
4627 err = l2cap_ertm_init(chan);
4628 if (err < 0)
5e4e3972 4629 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4630 else
4631 l2cap_chan_ready(chan);
4632 }
4633}
4634
4635static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4636 struct hci_chan *hchan)
4637{
4638 chan->hs_hcon = hchan->conn;
4639 chan->hs_hcon->l2cap_data = chan->conn;
4640
4641 BT_DBG("move_state %d", chan->move_state);
4642
4643 switch (chan->move_state) {
4644 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4645 /* Move confirm will be sent after a success
4646 * response is received
4647 */
4648 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4649 break;
4650 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4651 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4652 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4653 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4654 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4655 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4656 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4657 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4658 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4659 }
4660 break;
4661 default:
4662 /* Move was not in expected state, free the channel */
4663 __release_logical_link(chan);
4664
4665 chan->move_state = L2CAP_MOVE_STABLE;
4666 }
4667}
4668
4669/* Call with chan locked */
27695fb4
AE		 4670void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4671 u8 status)
5b155ef9 4672{
1500109b
MM		 4673 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4674
4675 if (status) {
4676 l2cap_logical_fail(chan);
4677 __release_logical_link(chan);
4678 return;
4679 }
4680
4681 if (chan->state != BT_CONNECTED) {
4682 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4683 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4684 l2cap_logical_finish_create(chan, hchan);
4685 } else {
4686 l2cap_logical_finish_move(chan, hchan);
4687 }
5b155ef9
MM		 4688}
4689
3f7a56c4
MM		 4690void l2cap_move_start(struct l2cap_chan *chan)
4691{
4692 BT_DBG("chan %p", chan);
4693
6ed971ca 4694 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4695 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4696 return;
4697 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4698 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4699 /* Placeholder - start physical link setup */
4700 } else {
4701 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4702 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4703 chan->move_id = 0;
4704 l2cap_move_setup(chan);
4705 l2cap_send_move_chan_req(chan, 0);
4706 }
4707}
4708
8eb200bd
MM		 4709static void l2cap_do_create(struct l2cap_chan *chan, int result,
4710 u8 local_amp_id, u8 remote_amp_id)
4711{
62748ca1
AE		 4712 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4713 local_amp_id, remote_amp_id);
4714
12d6cc60
AE		 4715 chan->fcs = L2CAP_FCS_NONE;
4716
62748ca1
AE		 4717 /* Outgoing channel on AMP */
4718 if (chan->state == BT_CONNECT) {
4719 if (result == L2CAP_CR_SUCCESS) {
4720 chan->local_amp_id = local_amp_id;
4721 l2cap_send_create_chan_req(chan, remote_amp_id);
4722 } else {
4723 /* Revert to BR/EDR connect */
4724 l2cap_send_conn_req(chan);
4725 }
4726
4727 return;
4728 }
4729
4730 /* Incoming channel on AMP */
4731 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4732 struct l2cap_conn_rsp rsp;
4733 char buf[128];
4734 rsp.scid = cpu_to_le16(chan->dcid);
4735 rsp.dcid = cpu_to_le16(chan->scid);
4736
8eb200bd
MM		 4737 if (result == L2CAP_CR_SUCCESS) {
4738 /* Send successful response */
62cd50e2
AE		 4739 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4740 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4741 } else {
4742 /* Send negative response */
62cd50e2
AE		 4743 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4744 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4745 }
4746
4747 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4748 sizeof(rsp), &rsp);
4749
4750 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4751 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4752 set_bit(CONF_REQ_SENT, &chan->conf_state);
4753 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4754 L2CAP_CONF_REQ,
4755 l2cap_build_conf_req(chan, buf), buf);
4756 chan->num_conf_req++;
4757 }
8eb200bd
MM		 4758 }
4759}
4760
4761static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4762 u8 remote_amp_id)
4763{
4764 l2cap_move_setup(chan);
4765 chan->move_id = local_amp_id;
4766 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4767
4768 l2cap_send_move_chan_req(chan, remote_amp_id);
4769}
4770
4771static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4772{
4773 struct hci_chan *hchan = NULL;
4774
4775 /* Placeholder - get hci_chan for logical link */
4776
4777 if (hchan) {
4778 if (hchan->state == BT_CONNECTED) {
4779 /* Logical link is ready to go */
4780 chan->hs_hcon = hchan->conn;
4781 chan->hs_hcon->l2cap_data = chan->conn;
4782 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4783 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4784
4785 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4786 } else {
4787 /* Wait for logical link to be ready */
4788 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4789 }
4790 } else {
4791 /* Logical link not available */
4792 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4793 }
4794}
4795
4796static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4797{
4798 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4799 u8 rsp_result;
4800 if (result == -EINVAL)
4801 rsp_result = L2CAP_MR_BAD_ID;
4802 else
4803 rsp_result = L2CAP_MR_NOT_ALLOWED;
4804
4805 l2cap_send_move_chan_rsp(chan, rsp_result);
4806 }
4807
4808 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4809 chan->move_state = L2CAP_MOVE_STABLE;
4810
4811 /* Restart data transmission */
4812 l2cap_ertm_send(chan);
4813}
4814
a514b17f
AE		 4815/* Invoke with locked chan */
4816void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4817{
770bfefa 4818 u8 local_amp_id = chan->local_amp_id;
fffadc08 4819 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4820
8eb200bd
MM		 4821 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4822 chan, result, local_amp_id, remote_amp_id);
4823
8eb200bd
MM		 4824 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4825 l2cap_chan_unlock(chan);
4826 return;
4827 }
4828
4829 if (chan->state != BT_CONNECTED) {
4830 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4831 } else if (result != L2CAP_MR_SUCCESS) {
4832 l2cap_do_move_cancel(chan, result);
4833 } else {
4834 switch (chan->move_role) {
4835 case L2CAP_MOVE_ROLE_INITIATOR:
4836 l2cap_do_move_initiate(chan, local_amp_id,
4837 remote_amp_id);
4838 break;
4839 case L2CAP_MOVE_ROLE_RESPONDER:
4840 l2cap_do_move_respond(chan, result);
4841 break;
4842 default:
4843 l2cap_do_move_cancel(chan, result);
4844 break;
4845 }
4846 }
8eb200bd
MM		 4847}
4848
8d5a04a1 4849static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4850 struct l2cap_cmd_hdr *cmd,
4851 u16 cmd_len, void *data)
8d5a04a1
MM		 4852{
4853 struct l2cap_move_chan_req *req = data;
1500109b 4854 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4855 struct l2cap_chan *chan;
8d5a04a1
MM		 4856 u16 icid = 0;
4857 u16 result = L2CAP_MR_NOT_ALLOWED;
4858
4859 if (cmd_len != sizeof(*req))
4860 return -EPROTO;
4861
4862 icid = le16_to_cpu(req->icid);
4863
ad0ac6ca 4864 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4865
848566b3 4866 if (!conn->hs_enabled)
8d5a04a1
MM		 4867 return -EINVAL;
4868
02b0fbb9
MM		 4869 chan = l2cap_get_chan_by_dcid(conn, icid);
4870 if (!chan) {
1500109b
MM		 4871 rsp.icid = cpu_to_le16(icid);
4872 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4873 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4874 sizeof(rsp), &rsp);
02b0fbb9
MM		 4875 return 0;
4876 }
4877
1500109b
MM		 4878 chan->ident = cmd->ident;
4879
02b0fbb9
MM		 4880 if (chan->scid < L2CAP_CID_DYN_START ||
4881 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4882 (chan->mode != L2CAP_MODE_ERTM &&
4883 chan->mode != L2CAP_MODE_STREAMING)) {
4884 result = L2CAP_MR_NOT_ALLOWED;
4885 goto send_move_response;
4886 }
4887
4888 if (chan->local_amp_id == req->dest_amp_id) {
4889 result = L2CAP_MR_SAME_ID;
4890 goto send_move_response;
4891 }
4892
6ed971ca 4893 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4894 struct hci_dev *hdev;
4895 hdev = hci_dev_get(req->dest_amp_id);
4896 if (!hdev || hdev->dev_type != HCI_AMP ||
4897 !test_bit(HCI_UP, &hdev->flags)) {
4898 if (hdev)
4899 hci_dev_put(hdev);
4900
4901 result = L2CAP_MR_BAD_ID;
4902 goto send_move_response;
4903 }
4904 hci_dev_put(hdev);
4905 }
4906
4907 /* Detect a move collision. Only send a collision response
4908 * if this side has "lost", otherwise proceed with the move.
4909 * The winner has the larger bd_addr.
4910 */
4911 if ((__chan_is_moving(chan) ||
4912 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4913 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4914 result = L2CAP_MR_COLLISION;
4915 goto send_move_response;
4916 }
4917
02b0fbb9
MM		 4918 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4919 l2cap_move_setup(chan);
4920 chan->move_id = req->dest_amp_id;
4921 icid = chan->dcid;
4922
6ed971ca 4923 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4924 /* Moving to BR/EDR */
4925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4926 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4927 result = L2CAP_MR_PEND;
4928 } else {
4929 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4930 result = L2CAP_MR_SUCCESS;
4931 }
4932 } else {
4933 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4934 /* Placeholder - uncomment when amp functions are available */
4935 /*amp_accept_physical(chan, req->dest_amp_id);*/
4936 result = L2CAP_MR_PEND;
4937 }
4938
4939send_move_response:
1500109b 4940 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4941
02b0fbb9
MM		 4942 l2cap_chan_unlock(chan);
4943
8d5a04a1
MM		 4944 return 0;
4945}
4946
5b155ef9
MM		 4947static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4948{
4949 struct l2cap_chan *chan;
4950 struct hci_chan *hchan = NULL;
4951
4952 chan = l2cap_get_chan_by_scid(conn, icid);
4953 if (!chan) {
4954 l2cap_send_move_chan_cfm_icid(conn, icid);
4955 return;
4956 }
4957
4958 __clear_chan_timer(chan);
4959 if (result == L2CAP_MR_PEND)
4960 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4961
4962 switch (chan->move_state) {
4963 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4964 /* Move confirm will be sent when logical link
4965 * is complete.
4966 */
4967 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4968 break;
4969 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4970 if (result == L2CAP_MR_PEND) {
4971 break;
4972 } else if (test_bit(CONN_LOCAL_BUSY,
4973 &chan->conn_state)) {
4974 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4975 } else {
4976 /* Logical link is up or moving to BR/EDR,
4977 * proceed with move
4978 */
4979 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4980 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4981 }
4982 break;
4983 case L2CAP_MOVE_WAIT_RSP:
4984 /* Moving to AMP */
4985 if (result == L2CAP_MR_SUCCESS) {
4986 /* Remote is ready, send confirm immediately
4987 * after logical link is ready
4988 */
4989 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4990 } else {
4991 /* Both logical link and move success
4992 * are required to confirm
4993 */
4994 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4995 }
4996
4997 /* Placeholder - get hci_chan for logical link */
4998 if (!hchan) {
4999 /* Logical link not available */
5000 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5001 break;
5002 }
5003
5004 /* If the logical link is not yet connected, do not
5005 * send confirmation.
5006 */
5007 if (hchan->state != BT_CONNECTED)
5008 break;
5009
5010 /* Logical link is already ready to go */
5011
5012 chan->hs_hcon = hchan->conn;
5013 chan->hs_hcon->l2cap_data = chan->conn;
5014
5015 if (result == L2CAP_MR_SUCCESS) {
5016 /* Can confirm now */
5017 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5018 } else {
5019 /* Now only need move success
5020 * to confirm
5021 */
5022 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5023 }
5024
5025 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5026 break;
5027 default:
5028 /* Any other amp move state means the move failed. */
5029 chan->move_id = chan->local_amp_id;
5030 l2cap_move_done(chan);
5031 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5032 }
5033
5034 l2cap_chan_unlock(chan);
5035}
5036
5037static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5038 u16 result)
5039{
5040 struct l2cap_chan *chan;
5041
5042 chan = l2cap_get_chan_by_ident(conn, ident);
5043 if (!chan) {
5044 /* Could not locate channel, icid is best guess */
5045 l2cap_send_move_chan_cfm_icid(conn, icid);
5046 return;
5047 }
5048
5049 __clear_chan_timer(chan);
5050
5051 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5052 if (result == L2CAP_MR_COLLISION) {
5053 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5054 } else {
5055 /* Cleanup - cancel move */
5056 chan->move_id = chan->local_amp_id;
5057 l2cap_move_done(chan);
5058 }
5059 }
5060
5061 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5062
5063 l2cap_chan_unlock(chan);
5064}
5065
5066static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5067 struct l2cap_cmd_hdr *cmd,
5068 u16 cmd_len, void *data)
8d5a04a1
MM		 5069{
5070 struct l2cap_move_chan_rsp *rsp = data;
5071 u16 icid, result;
5072
5073 if (cmd_len != sizeof(*rsp))
5074 return -EPROTO;
5075
5076 icid = le16_to_cpu(rsp->icid);
5077 result = le16_to_cpu(rsp->result);
5078
ad0ac6ca 5079 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5080
5b155ef9
MM		 5081 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5082 l2cap_move_continue(conn, icid, result);
5083 else
5084 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5085
5086 return 0;
5087}
5088
5f3847a4
MM		 5089static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5090 struct l2cap_cmd_hdr *cmd,
5091 u16 cmd_len, void *data)
8d5a04a1
MM		 5092{
5093 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5094 struct l2cap_chan *chan;
8d5a04a1
MM		 5095 u16 icid, result;
5096
5097 if (cmd_len != sizeof(*cfm))
5098 return -EPROTO;
5099
5100 icid = le16_to_cpu(cfm->icid);
5101 result = le16_to_cpu(cfm->result);
5102
ad0ac6ca 5103 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5104
5f3847a4
MM		 5105 chan = l2cap_get_chan_by_dcid(conn, icid);
5106 if (!chan) {
5107 /* Spec requires a response even if the icid was not found */
5108 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5109 return 0;
5110 }
5111
5112 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5113 if (result == L2CAP_MC_CONFIRMED) {
5114 chan->local_amp_id = chan->move_id;
6ed971ca 5115 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5116 __release_logical_link(chan);
5117 } else {
5118 chan->move_id = chan->local_amp_id;
5119 }
5120
5121 l2cap_move_done(chan);
5122 }
5123
8d5a04a1
MM		 5124 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5125
5f3847a4
MM		 5126 l2cap_chan_unlock(chan);
5127
8d5a04a1
MM		 5128 return 0;
5129}
5130
5131static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5132 struct l2cap_cmd_hdr *cmd,
5133 u16 cmd_len, void *data)
8d5a04a1
MM		 5134{
5135 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5136 struct l2cap_chan *chan;
8d5a04a1
MM		 5137 u16 icid;
5138
5139 if (cmd_len != sizeof(*rsp))
5140 return -EPROTO;
5141
5142 icid = le16_to_cpu(rsp->icid);
5143
ad0ac6ca 5144 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5145
3fd71a0a
MM		 5146 chan = l2cap_get_chan_by_scid(conn, icid);
5147 if (!chan)
5148 return 0;
5149
5150 __clear_chan_timer(chan);
5151
5152 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5153 chan->local_amp_id = chan->move_id;
5154
6ed971ca 5155 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5156 __release_logical_link(chan);
5157
5158 l2cap_move_done(chan);
5159 }
5160
5161 l2cap_chan_unlock(chan);
5162
8d5a04a1
MM		 5163 return 0;
5164}
5165
e2174ca4 5166static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5167 u16 to_multiplier)
de73115a
CT		 5168{
5169 u16 max_latency;
5170
5171 if (min > max || min < 6 || max > 3200)
5172 return -EINVAL;
5173
5174 if (to_multiplier < 10 || to_multiplier > 3200)
5175 return -EINVAL;
5176
5177 if (max >= to_multiplier * 8)
5178 return -EINVAL;
5179
5180 max_latency = (to_multiplier * 8 / max) - 1;
5181 if (latency > 499 || latency > max_latency)
5182 return -EINVAL;
5183
5184 return 0;
5185}
5186
5187static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5188 struct l2cap_cmd_hdr *cmd,
203e639e 5189 u16 cmd_len, u8 *data)
de73115a
CT		 5190{
5191 struct hci_conn *hcon = conn->hcon;
5192 struct l2cap_conn_param_update_req *req;
5193 struct l2cap_conn_param_update_rsp rsp;
203e639e 5194 u16 min, max, latency, to_multiplier;
2ce603eb 5195 int err;
de73115a
CT		 5196
5197 if (!(hcon->link_mode & HCI_LM_MASTER))
5198 return -EINVAL;
5199
de73115a
CT		 5200 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5201 return -EPROTO;
5202
5203 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5204 min = __le16_to_cpu(req->min);
5205 max = __le16_to_cpu(req->max);
de73115a
CT		 5206 latency = __le16_to_cpu(req->latency);
5207 to_multiplier = __le16_to_cpu(req->to_multiplier);
5208
5209 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5210 min, max, latency, to_multiplier);
de73115a
CT		 5211
5212 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5213
5214 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5215 if (err)
ac73498c 5216 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5217 else
ac73498c 5218 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5219
5220 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5221 sizeof(rsp), &rsp);
de73115a 5222
2ce603eb
CT		 5223 if (!err)
5224 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5225
de73115a
CT		 5226 return 0;
5227}
5228
f1496dee
JH		 5229static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5230 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5231 u8 *data)
5232{
5233 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5234 u16 dcid, mtu, mps, credits, result;
5235 struct l2cap_chan *chan;
5236 int err;
5237
5238 if (cmd_len < sizeof(*rsp))
5239 return -EPROTO;
5240
5241 dcid = __le16_to_cpu(rsp->dcid);
5242 mtu = __le16_to_cpu(rsp->mtu);
5243 mps = __le16_to_cpu(rsp->mps);
5244 credits = __le16_to_cpu(rsp->credits);
5245 result = __le16_to_cpu(rsp->result);
5246
5247 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5248 return -EPROTO;
5249
5250 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5251 dcid, mtu, mps, credits, result);
5252
5253 mutex_lock(&conn->chan_lock);
5254
5255 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5256 if (!chan) {
5257 err = -EBADSLT;
5258 goto unlock;
5259 }
5260
5261 err = 0;
5262
5263 l2cap_chan_lock(chan);
5264
5265 switch (result) {
5266 case L2CAP_CR_SUCCESS:
5267 chan->ident = 0;
5268 chan->dcid = dcid;
5269 chan->omtu = mtu;
5270 chan->remote_mps = mps;
0cd75f7e 5271 chan->tx_credits = credits;
f1496dee
JH		 5272 l2cap_chan_ready(chan);
5273 break;
5274
5275 default:
5276 l2cap_chan_del(chan, ECONNREFUSED);
5277 break;
5278 }
5279
5280 l2cap_chan_unlock(chan);
5281
5282unlock:
5283 mutex_unlock(&conn->chan_lock);
5284
5285 return err;
5286}
5287
3300d9a9 5288static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5289 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5290 u8 *data)
3300d9a9
CT		 5291{
5292 int err = 0;
5293
5294 switch (cmd->code) {
5295 case L2CAP_COMMAND_REJ:
cb3b3152 5296 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5297 break;
5298
5299 case L2CAP_CONN_REQ:
cb3b3152 5300 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5301 break;
5302
5303 case L2CAP_CONN_RSP:
f5a2598d 5304 case L2CAP_CREATE_CHAN_RSP:
9245e737 5305 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5306 break;
5307
5308 case L2CAP_CONF_REQ:
5309 err = l2cap_config_req(conn, cmd, cmd_len, data);
5310 break;
5311
5312 case L2CAP_CONF_RSP:
9245e737 5313 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5314 break;
5315
5316 case L2CAP_DISCONN_REQ:
cb3b3152 5317 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5318 break;
5319
5320 case L2CAP_DISCONN_RSP:
9245e737 5321 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5322 break;
5323
5324 case L2CAP_ECHO_REQ:
5325 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5326 break;
5327
5328 case L2CAP_ECHO_RSP:
5329 break;
5330
5331 case L2CAP_INFO_REQ:
cb3b3152 5332 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5333 break;
5334
5335 case L2CAP_INFO_RSP:
9245e737 5336 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5337 break;
5338
f94ff6ff
MM		 5339 case L2CAP_CREATE_CHAN_REQ:
5340 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5341 break;
5342
8d5a04a1
MM		 5343 case L2CAP_MOVE_CHAN_REQ:
5344 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5345 break;
5346
5347 case L2CAP_MOVE_CHAN_RSP:
9245e737 5348 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5349 break;
5350
5351 case L2CAP_MOVE_CHAN_CFM:
5352 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5353 break;
5354
5355 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5356 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5357 break;
5358
3300d9a9
CT		 5359 default:
5360 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5361 err = -EINVAL;
5362 break;
5363 }
5364
5365 return err;
5366}
5367
27e2d4c8
JH		 5368static int l2cap_le_connect_req(struct l2cap_conn *conn,
5369 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5370 u8 *data)
5371{
5372 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5373 struct l2cap_le_conn_rsp rsp;
5374 struct l2cap_chan *chan, *pchan;
0cd75f7e 5375 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5376 __le16 psm;
5377 u8 result;
5378
5379 if (cmd_len != sizeof(*req))
5380 return -EPROTO;
5381
5382 scid = __le16_to_cpu(req->scid);
5383 mtu = __le16_to_cpu(req->mtu);
5384 mps = __le16_to_cpu(req->mps);
5385 psm = req->psm;
5386 dcid = 0;
0cd75f7e 5387 credits = 0;
27e2d4c8
JH		 5388
5389 if (mtu < 23 || mps < 23)
5390 return -EPROTO;
5391
5392 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5393 scid, mtu, mps);
5394
5395 /* Check if we have socket listening on psm */
5396 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5397 &conn->hcon->dst, LE_LINK);
5398 if (!pchan) {
5399 result = L2CAP_CR_BAD_PSM;
5400 chan = NULL;
5401 goto response;
5402 }
5403
5404 mutex_lock(&conn->chan_lock);
5405 l2cap_chan_lock(pchan);
5406
5407 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5408 result = L2CAP_CR_AUTHENTICATION;
5409 chan = NULL;
5410 goto response_unlock;
5411 }
5412
5413 /* Check if we already have channel with that dcid */
5414 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5415 result = L2CAP_CR_NO_MEM;
5416 chan = NULL;
5417 goto response_unlock;
5418 }
5419
5420 chan = pchan->ops->new_connection(pchan);
5421 if (!chan) {
5422 result = L2CAP_CR_NO_MEM;
5423 goto response_unlock;
5424 }
5425
0ce43ce6
JH		 5426 l2cap_le_flowctl_init(chan);
5427
27e2d4c8
JH		 5428 bacpy(&chan->src, &conn->hcon->src);
5429 bacpy(&chan->dst, &conn->hcon->dst);
5430 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5431 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5432 chan->psm = psm;
5433 chan->dcid = scid;
5434 chan->omtu = mtu;
5435 chan->remote_mps = mps;
0cd75f7e 5436 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5437
5438 __l2cap_chan_add(conn, chan);
5439 dcid = chan->scid;
0cd75f7e 5440 credits = chan->rx_credits;
27e2d4c8
JH		 5441
5442 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5443
5444 chan->ident = cmd->ident;
5445
5446 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5447 l2cap_state_change(chan, BT_CONNECT2);
5448 result = L2CAP_CR_PEND;
5449 chan->ops->defer(chan);
5450 } else {
5451 l2cap_chan_ready(chan);
5452 result = L2CAP_CR_SUCCESS;
5453 }
5454
5455response_unlock:
5456 l2cap_chan_unlock(pchan);
5457 mutex_unlock(&conn->chan_lock);
5458
5459 if (result == L2CAP_CR_PEND)
5460 return 0;
5461
5462response:
5463 if (chan) {
5464 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5465 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5466 } else {
5467 rsp.mtu = 0;
5468 rsp.mps = 0;
5469 }
5470
5471 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5472 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5473 rsp.result = cpu_to_le16(result);
5474
5475 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5476
5477 return 0;
5478}
5479
fad5fc89
JH		 5480static inline int l2cap_le_credits(struct l2cap_conn *conn,
5481 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5482 u8 *data)
5483{
5484 struct l2cap_le_credits *pkt;
5485 struct l2cap_chan *chan;
5486 u16 cid, credits;
5487
5488 if (cmd_len != sizeof(*pkt))
5489 return -EPROTO;
5490
5491 pkt = (struct l2cap_le_credits *) data;
5492 cid = __le16_to_cpu(pkt->cid);
5493 credits = __le16_to_cpu(pkt->credits);
5494
5495 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5496
5497 chan = l2cap_get_chan_by_dcid(conn, cid);
5498 if (!chan)
5499 return -EBADSLT;
5500
5501 chan->tx_credits += credits;
5502
5503 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5504 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5505 chan->tx_credits--;
5506 }
5507
5508 if (chan->tx_credits)
5509 chan->ops->resume(chan);
5510
5511 l2cap_chan_unlock(chan);
5512
5513 return 0;
5514}
5515
71fb4197
JH		 5516static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5517 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5518 u8 *data)
5519{
5520 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5521 struct l2cap_chan *chan;
5522
5523 if (cmd_len < sizeof(*rej))
5524 return -EPROTO;
5525
5526 mutex_lock(&conn->chan_lock);
5527
5528 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5529 if (!chan)
5530 goto done;
5531
5532 l2cap_chan_lock(chan);
5533 l2cap_chan_del(chan, ECONNREFUSED);
5534 l2cap_chan_unlock(chan);
5535
5536done:
5537 mutex_unlock(&conn->chan_lock);
5538 return 0;
5539}
5540
3300d9a9 5541static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5542 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5543 u8 *data)
3300d9a9 5544{
b5ecba64
JH		 5545 int err = 0;
5546
3af8ace6
JH		 5547 if (!enable_lecoc) {
5548 switch (cmd->code) {
5549 case L2CAP_LE_CONN_REQ:
5550 case L2CAP_LE_CONN_RSP:
5551 case L2CAP_LE_CREDITS:
5552 case L2CAP_DISCONN_REQ:
5553 case L2CAP_DISCONN_RSP:
5554 return -EINVAL;
5555 }
5556 }
5557
3300d9a9
CT		 5558 switch (cmd->code) {
5559 case L2CAP_COMMAND_REJ:
71fb4197 5560 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5561 break;
3300d9a9
CT		 5562
5563 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5564 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5565 break;
3300d9a9
CT		 5566
5567 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5568 break;
3300d9a9 5569
f1496dee
JH		 5570 case L2CAP_LE_CONN_RSP:
5571 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5572 break;
f1496dee 5573
27e2d4c8 5574 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5575 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5576 break;
27e2d4c8 5577
fad5fc89
JH		 5578 case L2CAP_LE_CREDITS:
5579 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5580 break;
5581
3defe01a 5582 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5583 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5584 break;
3defe01a
JH		 5585
5586 case L2CAP_DISCONN_RSP:
5587 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5588 break;
3defe01a 5589
3300d9a9
CT		 5590 default:
5591 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5592 err = -EINVAL;
5593 break;
3300d9a9 5594 }
b5ecba64
JH		 5595
5596 return err;
3300d9a9
CT		 5597}
5598
c5623556
JH		 5599static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5600 struct sk_buff *skb)
5601{
69c4e4e8 5602 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5603 struct l2cap_cmd_hdr *cmd;
5604 u16 len;
c5623556
JH		 5605 int err;
5606
69c4e4e8 5607 if (hcon->type != LE_LINK)
3b166295 5608 goto drop;
69c4e4e8 5609
4f3e219d
MH		 5610 if (skb->len < L2CAP_CMD_HDR_SIZE)
5611 goto drop;
c5623556 5612
4f3e219d
MH		 5613 cmd = (void *) skb->data;
5614 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5615
4f3e219d 5616 len = le16_to_cpu(cmd->len);
c5623556 5617
4f3e219d 5618 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5619
4f3e219d
MH		 5620 if (len != skb->len || !cmd->ident) {
5621 BT_DBG("corrupted command");
5622 goto drop;
5623 }
c5623556 5624
203e639e 5625 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5626 if (err) {
5627 struct l2cap_cmd_rej_unk rej;
c5623556 5628
4f3e219d 5629 BT_ERR("Wrong link type (%d)", err);
c5623556 5630
a521149a 5631 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5632 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5633 sizeof(rej), &rej);
c5623556
JH		 5634 }
5635
3b166295 5636drop:
c5623556
JH		 5637 kfree_skb(skb);
5638}
5639
3300d9a9 5640static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5641 struct sk_buff *skb)
1da177e4 5642{
69c4e4e8 5643 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5644 u8 *data = skb->data;
5645 int len = skb->len;
5646 struct l2cap_cmd_hdr cmd;
3300d9a9 5647 int err;
1da177e4
LT		 5648
5649 l2cap_raw_recv(conn, skb);
5650
69c4e4e8 5651 if (hcon->type != ACL_LINK)
3b166295 5652 goto drop;
69c4e4e8 5653
1da177e4 5654 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5655 u16 cmd_len;
1da177e4
LT		 5656 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5657 data += L2CAP_CMD_HDR_SIZE;
5658 len -= L2CAP_CMD_HDR_SIZE;
5659
88219a0f 5660 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5661
2d792818
GP		 5662 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5663 cmd.ident);
1da177e4 5664
88219a0f 5665 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5666 BT_DBG("corrupted command");
5667 break;
5668 }
5669
c5623556 5670 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5671 if (err) {
e2fd318e 5672 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5673
5674 BT_ERR("Wrong link type (%d)", err);
1da177e4 5675
a521149a 5676 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5677 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5678 sizeof(rej), &rej);
1da177e4
LT		 5679 }
5680
88219a0f
AV		 5681 data += cmd_len;
5682 len -= cmd_len;
1da177e4
LT		 5683 }
5684
3b166295 5685drop:
1da177e4
LT		 5686 kfree_skb(skb);
5687}
5688
47d1ec61 5689static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5690{
5691 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5692 int hdr_size;
5693
5694 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5695 hdr_size = L2CAP_EXT_HDR_SIZE;
5696 else
5697 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5698
47d1ec61 5699 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5700 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5701 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5702 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5703
5704 if (our_fcs != rcv_fcs)
7a560e5c 5705 return -EBADMSG;
fcc203c3
GP		 5706 }
5707 return 0;
5708}
5709
6ea00485 5710static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5711{
e31f7633 5712 struct l2cap_ctrl control;
d5392c8f 5713
e31f7633 5714 BT_DBG("chan %p", chan);
d5392c8f 5715
e31f7633
MM		 5716 memset(&control, 0, sizeof(control));
5717 control.sframe = 1;
5718 control.final = 1;
5719 control.reqseq = chan->buffer_seq;
5720 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5721
e2ab4353 5722 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5723 control.super = L2CAP_SUPER_RNR;
5724 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5725 }
5726
e31f7633
MM		 5727 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5728 chan->unacked_frames > 0)
5729 __set_retrans_timer(chan);
d5392c8f 5730
e31f7633 5731 /* Send pending iframes */
525cd185 5732 l2cap_ertm_send(chan);
d5392c8f 5733
e2ab4353 5734 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5735 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5736 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5737 * send it now.
5738 */
5739 control.super = L2CAP_SUPER_RR;
5740 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5741 }
5742}
5743
2d792818
GP		 5744static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5745 struct sk_buff **last_frag)
18778a63 5746{
84084a31
MM		 5747 /* skb->len reflects data in skb as well as all fragments
5748 * skb->data_len reflects only data in fragments
5749 */
5750 if (!skb_has_frag_list(skb))
5751 skb_shinfo(skb)->frag_list = new_frag;
5752
5753 new_frag->next = NULL;
5754
5755 (*last_frag)->next = new_frag;
5756 *last_frag = new_frag;
5757
5758 skb->len += new_frag->len;
5759 skb->data_len += new_frag->len;
5760 skb->truesize += new_frag->truesize;
5761}
5762
4b51dae9
MM		 5763static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5764 struct l2cap_ctrl *control)
84084a31
MM		 5765{
5766 int err = -EINVAL;
18778a63 5767
4b51dae9 5768 switch (control->sar) {
7e0ef6ee 5769 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5770 if (chan->sdu)
5771 break;
18778a63 5772
80b98027 5773 err = chan->ops->recv(chan, skb);
84084a31 5774 break;
18778a63 5775
7e0ef6ee 5776 case L2CAP_SAR_START:
84084a31
MM		 5777 if (chan->sdu)
5778 break;
18778a63 5779
6f61fd47 5780 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5781 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5782
84084a31
MM		 5783 if (chan->sdu_len > chan->imtu) {
5784 err = -EMSGSIZE;
5785 break;
5786 }
1890d36b 5787
84084a31
MM		 5788 if (skb->len >= chan->sdu_len)
5789 break;
18778a63 5790
84084a31
MM		 5791 chan->sdu = skb;
5792 chan->sdu_last_frag = skb;
18778a63 5793
84084a31
MM		 5794 skb = NULL;
5795 err = 0;
18778a63
GP		 5796 break;
5797
7e0ef6ee 5798 case L2CAP_SAR_CONTINUE:
6f61fd47 5799 if (!chan->sdu)
84084a31 5800 break;
18778a63 5801
84084a31
MM		 5802 append_skb_frag(chan->sdu, skb,
5803 &chan->sdu_last_frag);
5804 skb = NULL;
18778a63 5805
84084a31
MM		 5806 if (chan->sdu->len >= chan->sdu_len)
5807 break;
4178ba46 5808
84084a31 5809 err = 0;
18778a63
GP		 5810 break;
5811
7e0ef6ee 5812 case L2CAP_SAR_END:
6f61fd47 5813 if (!chan->sdu)
84084a31 5814 break;
18778a63 5815
84084a31
MM		 5816 append_skb_frag(chan->sdu, skb,
5817 &chan->sdu_last_frag);
5818 skb = NULL;
4178ba46 5819
84084a31
MM		 5820 if (chan->sdu->len != chan->sdu_len)
5821 break;
18778a63 5822
80b98027 5823 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5824
84084a31
MM		 5825 if (!err) {
5826 /* Reassembly complete */
5827 chan->sdu = NULL;
5828 chan->sdu_last_frag = NULL;
5829 chan->sdu_len = 0;
1890d36b 5830 }
18778a63
GP		 5831 break;
5832 }
5833
84084a31
MM		 5834 if (err) {
5835 kfree_skb(skb);
5836 kfree_skb(chan->sdu);
5837 chan->sdu = NULL;
5838 chan->sdu_last_frag = NULL;
5839 chan->sdu_len = 0;
5840 }
18778a63 5841
84084a31 5842 return err;
18778a63
GP		 5843}
5844
32b32735
MM		 5845static int l2cap_resegment(struct l2cap_chan *chan)
5846{
5847 /* Placeholder */
5848 return 0;
5849}
5850
61aa4f5b 5851void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5852{
61aa4f5b 5853 u8 event;
712132eb 5854
61aa4f5b
MM		 5855 if (chan->mode != L2CAP_MODE_ERTM)
5856 return;
712132eb 5857
61aa4f5b 5858 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5859 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5860}
5861
d2a7ac5d
MM		 5862static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5863{
63838725
MM		 5864 int err = 0;
5865 /* Pass sequential frames to l2cap_reassemble_sdu()
5866 * until a gap is encountered.
5867 */
5868
5869 BT_DBG("chan %p", chan);
5870
5871 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5872 struct sk_buff *skb;
5873 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5874 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5875
5876 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5877
5878 if (!skb)
5879 break;
5880
5881 skb_unlink(skb, &chan->srej_q);
5882 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5883 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5884 if (err)
5885 break;
5886 }
5887
5888 if (skb_queue_empty(&chan->srej_q)) {
5889 chan->rx_state = L2CAP_RX_STATE_RECV;
5890 l2cap_send_ack(chan);
5891 }
5892
5893 return err;
d2a7ac5d
MM		 5894}
5895
5896static void l2cap_handle_srej(struct l2cap_chan *chan,
5897 struct l2cap_ctrl *control)
5898{
f80842a8
MM		 5899 struct sk_buff *skb;
5900
5901 BT_DBG("chan %p, control %p", chan, control);
5902
5903 if (control->reqseq == chan->next_tx_seq) {
5904 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5905 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5906 return;
5907 }
5908
5909 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5910
5911 if (skb == NULL) {
5912 BT_DBG("Seq %d not available for retransmission",
5913 control->reqseq);
5914 return;
5915 }
5916
5917 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5918 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5919 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5920 return;
5921 }
5922
5923 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5924
5925 if (control->poll) {
5926 l2cap_pass_to_tx(chan, control);
5927
5928 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5929 l2cap_retransmit(chan, control);
5930 l2cap_ertm_send(chan);
5931
5932 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5933 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5934 chan->srej_save_reqseq = control->reqseq;
5935 }
5936 } else {
5937 l2cap_pass_to_tx_fbit(chan, control);
5938
5939 if (control->final) {
5940 if (chan->srej_save_reqseq != control->reqseq ||
5941 !test_and_clear_bit(CONN_SREJ_ACT,
5942 &chan->conn_state))
5943 l2cap_retransmit(chan, control);
5944 } else {
5945 l2cap_retransmit(chan, control);
5946 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5947 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5948 chan->srej_save_reqseq = control->reqseq;
5949 }
5950 }
5951 }
d2a7ac5d
MM		 5952}
5953
5954static void l2cap_handle_rej(struct l2cap_chan *chan,
5955 struct l2cap_ctrl *control)
5956{
fcd289df
MM		 5957 struct sk_buff *skb;
5958
5959 BT_DBG("chan %p, control %p", chan, control);
5960
5961 if (control->reqseq == chan->next_tx_seq) {
5962 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5963 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5964 return;
5965 }
5966
5967 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5968
5969 if (chan->max_tx && skb &&
5970 bt_cb(skb)->control.retries >= chan->max_tx) {
5971 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5972 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5973 return;
5974 }
5975
5976 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5977
5978 l2cap_pass_to_tx(chan, control);
5979
5980 if (control->final) {
5981 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5982 l2cap_retransmit_all(chan, control);
5983 } else {
5984 l2cap_retransmit_all(chan, control);
5985 l2cap_ertm_send(chan);
5986 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5987 set_bit(CONN_REJ_ACT, &chan->conn_state);
5988 }
d2a7ac5d
MM		 5989}
5990
4b51dae9
MM		 5991static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5992{
5993 BT_DBG("chan %p, txseq %d", chan, txseq);
5994
5995 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5996 chan->expected_tx_seq);
5997
5998 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5999 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6000 chan->tx_win) {
4b51dae9
MM		 6001 /* See notes below regarding "double poll" and
6002 * invalid packets.
6003 */
6004 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6005 BT_DBG("Invalid/Ignore - after SREJ");
6006 return L2CAP_TXSEQ_INVALID_IGNORE;
6007 } else {
6008 BT_DBG("Invalid - in window after SREJ sent");
6009 return L2CAP_TXSEQ_INVALID;
6010 }
6011 }
6012
6013 if (chan->srej_list.head == txseq) {
6014 BT_DBG("Expected SREJ");
6015 return L2CAP_TXSEQ_EXPECTED_SREJ;
6016 }
6017
6018 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6019 BT_DBG("Duplicate SREJ - txseq already stored");
6020 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6021 }
6022
6023 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6024 BT_DBG("Unexpected SREJ - not requested");
6025 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6026 }
6027 }
6028
6029 if (chan->expected_tx_seq == txseq) {
6030 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6031 chan->tx_win) {
6032 BT_DBG("Invalid - txseq outside tx window");
6033 return L2CAP_TXSEQ_INVALID;
6034 } else {
6035 BT_DBG("Expected");
6036 return L2CAP_TXSEQ_EXPECTED;
6037 }
6038 }
6039
6040 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6041 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6042 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6043 return L2CAP_TXSEQ_DUPLICATE;
6044 }
6045
6046 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6047 /* A source of invalid packets is a "double poll" condition,
6048 * where delays cause us to send multiple poll packets. If
6049 * the remote stack receives and processes both polls,
6050 * sequence numbers can wrap around in such a way that a
6051 * resent frame has a sequence number that looks like new data
6052 * with a sequence gap. This would trigger an erroneous SREJ
6053 * request.
6054 *
6055 * Fortunately, this is impossible with a tx window that's
6056 * less than half of the maximum sequence number, which allows
6057 * invalid frames to be safely ignored.
6058 *
6059 * With tx window sizes greater than half of the tx window
6060 * maximum, the frame is invalid and cannot be ignored. This
6061 * causes a disconnect.
6062 */
6063
6064 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6065 BT_DBG("Invalid/Ignore - txseq outside tx window");
6066 return L2CAP_TXSEQ_INVALID_IGNORE;
6067 } else {
6068 BT_DBG("Invalid - txseq outside tx window");
6069 return L2CAP_TXSEQ_INVALID;
6070 }
6071 } else {
6072 BT_DBG("Unexpected - txseq indicates missing frames");
6073 return L2CAP_TXSEQ_UNEXPECTED;
6074 }
6075}
6076
d2a7ac5d
MM		 6077static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6078 struct l2cap_ctrl *control,
6079 struct sk_buff *skb, u8 event)
6080{
6081 int err = 0;
941247f9 6082 bool skb_in_use = false;
d2a7ac5d
MM		 6083
6084 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6085 event);
6086
6087 switch (event) {
6088 case L2CAP_EV_RECV_IFRAME:
6089 switch (l2cap_classify_txseq(chan, control->txseq)) {
6090 case L2CAP_TXSEQ_EXPECTED:
6091 l2cap_pass_to_tx(chan, control);
6092
6093 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6094 BT_DBG("Busy, discarding expected seq %d",
6095 control->txseq);
6096 break;
6097 }
6098
6099 chan->expected_tx_seq = __next_seq(chan,
6100 control->txseq);
6101
6102 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6103 skb_in_use = true;
d2a7ac5d
MM		 6104
6105 err = l2cap_reassemble_sdu(chan, skb, control);
6106 if (err)
6107 break;
6108
6109 if (control->final) {
6110 if (!test_and_clear_bit(CONN_REJ_ACT,
6111 &chan->conn_state)) {
6112 control->final = 0;
6113 l2cap_retransmit_all(chan, control);
6114 l2cap_ertm_send(chan);
6115 }
6116 }
6117
6118 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6119 l2cap_send_ack(chan);
6120 break;
6121 case L2CAP_TXSEQ_UNEXPECTED:
6122 l2cap_pass_to_tx(chan, control);
6123
6124 /* Can't issue SREJ frames in the local busy state.
6125 * Drop this frame, it will be seen as missing
6126 * when local busy is exited.
6127 */
6128 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6129 BT_DBG("Busy, discarding unexpected seq %d",
6130 control->txseq);
6131 break;
6132 }
6133
6134 /* There was a gap in the sequence, so an SREJ
6135 * must be sent for each missing frame. The
6136 * current frame is stored for later use.
6137 */
6138 skb_queue_tail(&chan->srej_q, skb);
941247f9 6139 skb_in_use = true;
d2a7ac5d
MM		 6140 BT_DBG("Queued %p (queue len %d)", skb,
6141 skb_queue_len(&chan->srej_q));
6142
6143 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6144 l2cap_seq_list_clear(&chan->srej_list);
6145 l2cap_send_srej(chan, control->txseq);
6146
6147 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6148 break;
6149 case L2CAP_TXSEQ_DUPLICATE:
6150 l2cap_pass_to_tx(chan, control);
6151 break;
6152 case L2CAP_TXSEQ_INVALID_IGNORE:
6153 break;
6154 case L2CAP_TXSEQ_INVALID:
6155 default:
5e4e3972 6156 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6157 break;
6158 }
6159 break;
6160 case L2CAP_EV_RECV_RR:
6161 l2cap_pass_to_tx(chan, control);
6162 if (control->final) {
6163 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6164
e6a3ee6e
MM		 6165 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6166 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6167 control->final = 0;
6168 l2cap_retransmit_all(chan, control);
6169 }
6170
6171 l2cap_ertm_send(chan);
6172 } else if (control->poll) {
6173 l2cap_send_i_or_rr_or_rnr(chan);
6174 } else {
6175 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6176 &chan->conn_state) &&
6177 chan->unacked_frames)
6178 __set_retrans_timer(chan);
6179
6180 l2cap_ertm_send(chan);
6181 }
6182 break;
6183 case L2CAP_EV_RECV_RNR:
6184 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6185 l2cap_pass_to_tx(chan, control);
6186 if (control && control->poll) {
6187 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6188 l2cap_send_rr_or_rnr(chan, 0);
6189 }
6190 __clear_retrans_timer(chan);
6191 l2cap_seq_list_clear(&chan->retrans_list);
6192 break;
6193 case L2CAP_EV_RECV_REJ:
6194 l2cap_handle_rej(chan, control);
6195 break;
6196 case L2CAP_EV_RECV_SREJ:
6197 l2cap_handle_srej(chan, control);
6198 break;
6199 default:
6200 break;
6201 }
6202
6203 if (skb && !skb_in_use) {
6204 BT_DBG("Freeing %p", skb);
6205 kfree_skb(skb);
6206 }
6207
6208 return err;
6209}
6210
6211static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6212 struct l2cap_ctrl *control,
6213 struct sk_buff *skb, u8 event)
6214{
6215 int err = 0;
6216 u16 txseq = control->txseq;
941247f9 6217 bool skb_in_use = false;
d2a7ac5d
MM		 6218
6219 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6220 event);
6221
6222 switch (event) {
6223 case L2CAP_EV_RECV_IFRAME:
6224 switch (l2cap_classify_txseq(chan, txseq)) {
6225 case L2CAP_TXSEQ_EXPECTED:
6226 /* Keep frame for reassembly later */
6227 l2cap_pass_to_tx(chan, control);
6228 skb_queue_tail(&chan->srej_q, skb);
941247f9 6229 skb_in_use = true;
d2a7ac5d
MM		 6230 BT_DBG("Queued %p (queue len %d)", skb,
6231 skb_queue_len(&chan->srej_q));
6232
6233 chan->expected_tx_seq = __next_seq(chan, txseq);
6234 break;
6235 case L2CAP_TXSEQ_EXPECTED_SREJ:
6236 l2cap_seq_list_pop(&chan->srej_list);
6237
6238 l2cap_pass_to_tx(chan, control);
6239 skb_queue_tail(&chan->srej_q, skb);
941247f9 6240 skb_in_use = true;
d2a7ac5d
MM		 6241 BT_DBG("Queued %p (queue len %d)", skb,
6242 skb_queue_len(&chan->srej_q));
6243
6244 err = l2cap_rx_queued_iframes(chan);
6245 if (err)
6246 break;
6247
6248 break;
6249 case L2CAP_TXSEQ_UNEXPECTED:
6250 /* Got a frame that can't be reassembled yet.
6251 * Save it for later, and send SREJs to cover
6252 * the missing frames.
6253 */
6254 skb_queue_tail(&chan->srej_q, skb);
941247f9 6255 skb_in_use = true;
d2a7ac5d
MM		 6256 BT_DBG("Queued %p (queue len %d)", skb,
6257 skb_queue_len(&chan->srej_q));
6258
6259 l2cap_pass_to_tx(chan, control);
6260 l2cap_send_srej(chan, control->txseq);
6261 break;
6262 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6263 /* This frame was requested with an SREJ, but
6264 * some expected retransmitted frames are
6265 * missing. Request retransmission of missing
6266 * SREJ'd frames.
6267 */
6268 skb_queue_tail(&chan->srej_q, skb);
941247f9 6269 skb_in_use = true;
d2a7ac5d
MM		 6270 BT_DBG("Queued %p (queue len %d)", skb,
6271 skb_queue_len(&chan->srej_q));
6272
6273 l2cap_pass_to_tx(chan, control);
6274 l2cap_send_srej_list(chan, control->txseq);
6275 break;
6276 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6277 /* We've already queued this frame. Drop this copy. */
6278 l2cap_pass_to_tx(chan, control);
6279 break;
6280 case L2CAP_TXSEQ_DUPLICATE:
6281 /* Expecting a later sequence number, so this frame
6282 * was already received. Ignore it completely.
6283 */
6284 break;
6285 case L2CAP_TXSEQ_INVALID_IGNORE:
6286 break;
6287 case L2CAP_TXSEQ_INVALID:
6288 default:
5e4e3972 6289 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6290 break;
6291 }
6292 break;
6293 case L2CAP_EV_RECV_RR:
6294 l2cap_pass_to_tx(chan, control);
6295 if (control->final) {
6296 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6297
6298 if (!test_and_clear_bit(CONN_REJ_ACT,
6299 &chan->conn_state)) {
6300 control->final = 0;
6301 l2cap_retransmit_all(chan, control);
6302 }
6303
6304 l2cap_ertm_send(chan);
6305 } else if (control->poll) {
6306 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6307 &chan->conn_state) &&
6308 chan->unacked_frames) {
6309 __set_retrans_timer(chan);
6310 }
6311
6312 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6313 l2cap_send_srej_tail(chan);
6314 } else {
6315 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6316 &chan->conn_state) &&
6317 chan->unacked_frames)
6318 __set_retrans_timer(chan);
6319
6320 l2cap_send_ack(chan);
6321 }
6322 break;
6323 case L2CAP_EV_RECV_RNR:
6324 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6325 l2cap_pass_to_tx(chan, control);
6326 if (control->poll) {
6327 l2cap_send_srej_tail(chan);
6328 } else {
6329 struct l2cap_ctrl rr_control;
6330 memset(&rr_control, 0, sizeof(rr_control));
6331 rr_control.sframe = 1;
6332 rr_control.super = L2CAP_SUPER_RR;
6333 rr_control.reqseq = chan->buffer_seq;
6334 l2cap_send_sframe(chan, &rr_control);
6335 }
6336
6337 break;
6338 case L2CAP_EV_RECV_REJ:
6339 l2cap_handle_rej(chan, control);
6340 break;
6341 case L2CAP_EV_RECV_SREJ:
6342 l2cap_handle_srej(chan, control);
6343 break;
6344 }
6345
6346 if (skb && !skb_in_use) {
6347 BT_DBG("Freeing %p", skb);
6348 kfree_skb(skb);
6349 }
6350
6351 return err;
6352}
6353
32b32735
MM		 6354static int l2cap_finish_move(struct l2cap_chan *chan)
6355{
6356 BT_DBG("chan %p", chan);
6357
6358 chan->rx_state = L2CAP_RX_STATE_RECV;
6359
6360 if (chan->hs_hcon)
6361 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6362 else
6363 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6364
6365 return l2cap_resegment(chan);
6366}
6367
6368static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6369 struct l2cap_ctrl *control,
6370 struct sk_buff *skb, u8 event)
6371{
6372 int err;
6373
6374 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6375 event);
6376
6377 if (!control->poll)
6378 return -EPROTO;
6379
6380 l2cap_process_reqseq(chan, control->reqseq);
6381
6382 if (!skb_queue_empty(&chan->tx_q))
6383 chan->tx_send_head = skb_peek(&chan->tx_q);
6384 else
6385 chan->tx_send_head = NULL;
6386
6387 /* Rewind next_tx_seq to the point expected
6388 * by the receiver.
6389 */
6390 chan->next_tx_seq = control->reqseq;
6391 chan->unacked_frames = 0;
6392
6393 err = l2cap_finish_move(chan);
6394 if (err)
6395 return err;
6396
6397 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6398 l2cap_send_i_or_rr_or_rnr(chan);
6399
6400 if (event == L2CAP_EV_RECV_IFRAME)
6401 return -EPROTO;
6402
6403 return l2cap_rx_state_recv(chan, control, NULL, event);
6404}
6405
6406static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6407 struct l2cap_ctrl *control,
6408 struct sk_buff *skb, u8 event)
6409{
6410 int err;
6411
6412 if (!control->final)
6413 return -EPROTO;
6414
6415 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6416
6417 chan->rx_state = L2CAP_RX_STATE_RECV;
6418 l2cap_process_reqseq(chan, control->reqseq);
6419
6420 if (!skb_queue_empty(&chan->tx_q))
6421 chan->tx_send_head = skb_peek(&chan->tx_q);
6422 else
6423 chan->tx_send_head = NULL;
6424
6425 /* Rewind next_tx_seq to the point expected
6426 * by the receiver.
6427 */
6428 chan->next_tx_seq = control->reqseq;
6429 chan->unacked_frames = 0;
6430
6431 if (chan->hs_hcon)
6432 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6433 else
6434 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6435
6436 err = l2cap_resegment(chan);
6437
6438 if (!err)
6439 err = l2cap_rx_state_recv(chan, control, skb, event);
6440
6441 return err;
6442}
6443
d2a7ac5d
MM		 6444static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6445{
6446 /* Make sure reqseq is for a packet that has been sent but not acked */
6447 u16 unacked;
6448
6449 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6450 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6451}
6452
cec8ab6e
MM		 6453static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6454 struct sk_buff *skb, u8 event)
218bb9df 6455{
d2a7ac5d
MM		 6456 int err = 0;
6457
6458 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6459 control, skb, event, chan->rx_state);
6460
6461 if (__valid_reqseq(chan, control->reqseq)) {
6462 switch (chan->rx_state) {
6463 case L2CAP_RX_STATE_RECV:
6464 err = l2cap_rx_state_recv(chan, control, skb, event);
6465 break;
6466 case L2CAP_RX_STATE_SREJ_SENT:
6467 err = l2cap_rx_state_srej_sent(chan, control, skb,
6468 event);
6469 break;
32b32735
MM		 6470 case L2CAP_RX_STATE_WAIT_P:
6471 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6472 break;
6473 case L2CAP_RX_STATE_WAIT_F:
6474 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6475 break;
d2a7ac5d
MM		 6476 default:
6477 /* shut it down */
6478 break;
6479 }
6480 } else {
6481 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6482 control->reqseq, chan->next_tx_seq,
6483 chan->expected_ack_seq);
5e4e3972 6484 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6485 }
6486
6487 return err;
cec8ab6e
MM		 6488}
6489
6490static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6491 struct sk_buff *skb)
6492{
4b51dae9
MM		 6493 int err = 0;
6494
6495 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6496 chan->rx_state);
6497
6498 if (l2cap_classify_txseq(chan, control->txseq) ==
6499 L2CAP_TXSEQ_EXPECTED) {
6500 l2cap_pass_to_tx(chan, control);
6501
6502 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6503 __next_seq(chan, chan->buffer_seq));
6504
6505 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6506
6507 l2cap_reassemble_sdu(chan, skb, control);
6508 } else {
6509 if (chan->sdu) {
6510 kfree_skb(chan->sdu);
6511 chan->sdu = NULL;
6512 }
6513 chan->sdu_last_frag = NULL;
6514 chan->sdu_len = 0;
6515
6516 if (skb) {
6517 BT_DBG("Freeing %p", skb);
6518 kfree_skb(skb);
6519 }
6520 }
6521
6522 chan->last_acked_seq = control->txseq;
6523 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6524
6525 return err;
cec8ab6e
MM		 6526}
6527
6528static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6529{
6530 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6531 u16 len;
6532 u8 event;
218bb9df 6533
b76bbd66
MM		 6534 __unpack_control(chan, skb);
6535
218bb9df
GP		 6536 len = skb->len;
6537
6538 /*
6539 * We can just drop the corrupted I-frame here.
6540 * Receiver will miss it and start proper recovery
cec8ab6e 6541 * procedures and ask for retransmission.
218bb9df 6542 */
47d1ec61 6543 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6544 goto drop;
6545
cec8ab6e 6546 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6547 len -= L2CAP_SDULEN_SIZE;
218bb9df 6548
47d1ec61 6549 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6550 len -= L2CAP_FCS_SIZE;
218bb9df 6551
47d1ec61 6552 if (len > chan->mps) {
5e4e3972 6553 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6554 goto drop;
6555 }
6556
cec8ab6e
MM		 6557 if (!control->sframe) {
6558 int err;
218bb9df 6559
cec8ab6e
MM		 6560 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6561 control->sar, control->reqseq, control->final,
6562 control->txseq);
218bb9df 6563
cec8ab6e
MM		 6564 /* Validate F-bit - F=0 always valid, F=1 only
6565 * valid in TX WAIT_F
6566 */
6567 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6568 goto drop;
cec8ab6e
MM		 6569
6570 if (chan->mode != L2CAP_MODE_STREAMING) {
6571 event = L2CAP_EV_RECV_IFRAME;
6572 err = l2cap_rx(chan, control, skb, event);
6573 } else {
6574 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6575 }
6576
cec8ab6e 6577 if (err)
5e4e3972 6578 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6579 } else {
cec8ab6e
MM		 6580 const u8 rx_func_to_event[4] = {
6581 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6582 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6583 };
6584
6585 /* Only I-frames are expected in streaming mode */
6586 if (chan->mode == L2CAP_MODE_STREAMING)
6587 goto drop;
6588
6589 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6590 control->reqseq, control->final, control->poll,
6591 control->super);
6592
218bb9df 6593 if (len != 0) {
1bb166e6 6594 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6595 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6596 goto drop;
6597 }
6598
cec8ab6e
MM		 6599 /* Validate F and P bits */
6600 if (control->final && (control->poll ||
6601 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6602 goto drop;
6603
6604 event = rx_func_to_event[control->super];
6605 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6606 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6607 }
6608
6609 return 0;
6610
6611drop:
6612 kfree_skb(skb);
6613 return 0;
6614}
6615
b1c325c2
JH		 6616static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6617{
6618 struct l2cap_conn *conn = chan->conn;
6619 struct l2cap_le_credits pkt;
6620 u16 return_credits;
6621
6622 /* We return more credits to the sender only after the amount of
6623 * credits falls below half of the initial amount.
6624 */
f15b8ecf 6625 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6626 return;
6627
f15b8ecf 6628 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6629
6630 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6631
6632 chan->rx_credits += return_credits;
6633
6634 pkt.cid = cpu_to_le16(chan->scid);
6635 pkt.credits = cpu_to_le16(return_credits);
6636
6637 chan->ident = l2cap_get_ident(conn);
6638
6639 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6640}
6641
fad5fc89
JH		 6642static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6643{
aac23bf6
JH		 6644 int err;
6645
6646 if (!chan->rx_credits) {
6647 BT_ERR("No credits to receive LE L2CAP data");
fad5fc89 6648 return -ENOBUFS;
aac23bf6 6649 }
fad5fc89 6650
aac23bf6
JH		 6651 if (chan->imtu < skb->len) {
6652 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6653 return -ENOBUFS;
aac23bf6 6654 }
fad5fc89
JH		 6655
6656 chan->rx_credits--;
6657 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6658
6659 l2cap_chan_le_send_credits(chan);
6660
aac23bf6
JH		 6661 err = 0;
6662
6663 if (!chan->sdu) {
6664 u16 sdu_len;
6665
6666 sdu_len = get_unaligned_le16(skb->data);
6667 skb_pull(skb, L2CAP_SDULEN_SIZE);
6668
6669 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6670 sdu_len, skb->len, chan->imtu);
6671
6672 if (sdu_len > chan->imtu) {
6673 BT_ERR("Too big LE L2CAP SDU length received");
6674 err = -EMSGSIZE;
6675 goto failed;
6676 }
6677
6678 if (skb->len > sdu_len) {
6679 BT_ERR("Too much LE L2CAP data received");
6680 err = -EINVAL;
6681 goto failed;
6682 }
6683
6684 if (skb->len == sdu_len)
6685 return chan->ops->recv(chan, skb);
6686
6687 chan->sdu = skb;
6688 chan->sdu_len = sdu_len;
6689 chan->sdu_last_frag = skb;
6690
6691 return 0;
6692 }
6693
6694 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6695 chan->sdu->len, skb->len, chan->sdu_len);
6696
6697 if (chan->sdu->len + skb->len > chan->sdu_len) {
6698 BT_ERR("Too much LE L2CAP data received");
6699 err = -EINVAL;
6700 goto failed;
6701 }
6702
6703 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6704 skb = NULL;
6705
6706 if (chan->sdu->len == chan->sdu_len) {
6707 err = chan->ops->recv(chan, chan->sdu);
6708 if (!err) {
6709 chan->sdu = NULL;
6710 chan->sdu_last_frag = NULL;
6711 chan->sdu_len = 0;
6712 }
6713 }
6714
6715failed:
6716 if (err) {
6717 kfree_skb(skb);
6718 kfree_skb(chan->sdu);
6719 chan->sdu = NULL;
6720 chan->sdu_last_frag = NULL;
6721 chan->sdu_len = 0;
6722 }
6723
6724 /* We can't return an error here since we took care of the skb
6725 * freeing internally. An error return would cause the caller to
6726 * do a double-free of the skb.
6727 */
6728 return 0;
fad5fc89
JH		 6729}
6730
13ca56e0
AE		 6731static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6732 struct sk_buff *skb)
1da177e4 6733{
48454079 6734 struct l2cap_chan *chan;
1da177e4 6735
baa7e1fa 6736 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6737 if (!chan) {
97e8e89d
AE		 6738 if (cid == L2CAP_CID_A2MP) {
6739 chan = a2mp_channel_create(conn, skb);
6740 if (!chan) {
6741 kfree_skb(skb);
13ca56e0 6742 return;
97e8e89d
AE		 6743 }
6744
6745 l2cap_chan_lock(chan);
6746 } else {
6747 BT_DBG("unknown cid 0x%4.4x", cid);
6748 /* Drop packet and return */
6749 kfree_skb(skb);
13ca56e0 6750 return;
97e8e89d 6751 }
1da177e4
LT		 6752 }
6753
49208c9c 6754 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6755
89bc500e 6756 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6757 goto drop;
6758
0c1bc5c6 6759 switch (chan->mode) {
38319713 6760 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6761 if (l2cap_le_data_rcv(chan, skb) < 0)
6762 goto drop;
6763
6764 goto done;
6765
1c2acffb
GP		 6766 case L2CAP_MODE_BASIC:
6767 /* If socket recv buffers overflows we drop data here
6768 * which is *bad* because L2CAP has to be reliable.
6769 * But we don't have any other choice. L2CAP doesn't
6770 * provide flow control mechanism. */
1da177e4 6771
0c1bc5c6 6772 if (chan->imtu < skb->len)
1c2acffb 6773 goto drop;
1da177e4 6774
80b98027 6775 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6776 goto done;
6777 break;
6778
6779 case L2CAP_MODE_ERTM:
6840ed07 6780 case L2CAP_MODE_STREAMING:
cec8ab6e 6781 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6782 goto done;
6783
1c2acffb 6784 default:
0c1bc5c6 6785 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6786 break;
6787 }
1da177e4
LT		 6788
6789drop:
6790 kfree_skb(skb);
6791
6792done:
6be36555 6793 l2cap_chan_unlock(chan);
1da177e4
LT		 6794}
6795
84104b24
AE		 6796static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6797 struct sk_buff *skb)
1da177e4 6798{
ae4fd2d3 6799 struct hci_conn *hcon = conn->hcon;
23691d75 6800 struct l2cap_chan *chan;
1da177e4 6801
ae4fd2d3
MH		 6802 if (hcon->type != ACL_LINK)
6803 goto drop;
6804
bf20fd4e
JH		 6805 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6806 ACL_LINK);
23691d75 6807 if (!chan)
1da177e4
LT		 6808 goto drop;
6809
5b4cedaa 6810 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6811
89bc500e 6812 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6813 goto drop;
6814
e13e21dc 6815 if (chan->imtu < skb->len)
1da177e4
LT		 6816 goto drop;
6817
2edf870d 6818 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6819 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6820 bt_cb(skb)->psm = psm;
6821
80b98027 6822 if (!chan->ops->recv(chan, skb))
84104b24 6823 return;
1da177e4
LT		 6824
6825drop:
6826 kfree_skb(skb);
1da177e4
LT		 6827}
6828
72f78356 6829static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6830 struct sk_buff *skb)
9f69bda6 6831{
b99707d7 6832 struct hci_conn *hcon = conn->hcon;
23691d75 6833 struct l2cap_chan *chan;
9f69bda6 6834
b99707d7
MH		 6835 if (hcon->type != LE_LINK)
6836 goto drop;
6837
af1c0134 6838 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6839 &hcon->src, &hcon->dst);
23691d75 6840 if (!chan)
9f69bda6
GP		 6841 goto drop;
6842
5b4cedaa 6843 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6844
cc8dba2b
MH		 6845 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6846 goto drop;
6847
e13e21dc 6848 if (chan->imtu < skb->len)
9f69bda6
GP		 6849 goto drop;
6850
80b98027 6851 if (!chan->ops->recv(chan, skb))
6810fca7 6852 return;
9f69bda6
GP		 6853
6854drop:
6855 kfree_skb(skb);
9f69bda6
GP		 6856}
6857
1da177e4
LT		 6858static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6859{
6860 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6861 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6862 u16 cid, len;
6863 __le16 psm;
1da177e4 6864
61a939c6
JH		 6865 if (hcon->state != BT_CONNECTED) {
6866 BT_DBG("queueing pending rx skb");
6867 skb_queue_tail(&conn->pending_rx, skb);
6868 return;
6869 }
6870
1da177e4
LT		 6871 skb_pull(skb, L2CAP_HDR_SIZE);
6872 cid = __le16_to_cpu(lh->cid);
6873 len = __le16_to_cpu(lh->len);
6874
1c2acffb
GP		 6875 if (len != skb->len) {
6876 kfree_skb(skb);
6877 return;
6878 }
6879
1da177e4
LT		 6880 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6881
6882 switch (cid) {
8db4dc46 6883 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6884 l2cap_sig_channel(conn, skb);
6885 break;
6886
8db4dc46 6887 case L2CAP_CID_CONN_LESS:
097db76c 6888 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6889 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6890 l2cap_conless_channel(conn, psm, skb);
6891 break;
6892
073d1cf3 6893 case L2CAP_CID_ATT:
72f78356 6894 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6895 break;
6896
a2877629
MH		 6897 case L2CAP_CID_LE_SIGNALING:
6898 l2cap_le_sig_channel(conn, skb);
6899 break;
6900
b501d6a1
AB		 6901 case L2CAP_CID_SMP:
6902 if (smp_sig_channel(conn, skb))
6903 l2cap_conn_del(conn->hcon, EACCES);
6904 break;
6905
18722c24
JR		 6906 case L2CAP_FC_6LOWPAN:
6907 bt_6lowpan_recv(conn, skb);
6908 break;
6909
1da177e4
LT		 6910 default:
6911 l2cap_data_channel(conn, cid, skb);
6912 break;
6913 }
6914}
6915
61a939c6
JH		 6916static void process_pending_rx(struct work_struct *work)
6917{
6918 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6919 pending_rx_work);
6920 struct sk_buff *skb;
6921
6922 BT_DBG("");
6923
6924 while ((skb = skb_dequeue(&conn->pending_rx)))
6925 l2cap_recv_frame(conn, skb);
6926}
6927
162b49e7
JH		 6928static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6929{
6930 struct l2cap_conn *conn = hcon->l2cap_data;
6931 struct hci_chan *hchan;
6932
6933 if (conn)
6934 return conn;
6935
6936 hchan = hci_chan_create(hcon);
6937 if (!hchan)
6938 return NULL;
6939
6940 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6941 if (!conn) {
6942 hci_chan_del(hchan);
6943 return NULL;
6944 }
6945
6946 kref_init(&conn->ref);
6947 hcon->l2cap_data = conn;
6948 conn->hcon = hcon;
6949 hci_conn_get(conn->hcon);
6950 conn->hchan = hchan;
6951
6952 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6953
6954 switch (hcon->type) {
6955 case LE_LINK:
6956 if (hcon->hdev->le_mtu) {
6957 conn->mtu = hcon->hdev->le_mtu;
6958 break;
6959 }
6960 /* fall through */
6961 default:
6962 conn->mtu = hcon->hdev->acl_mtu;
6963 break;
6964 }
6965
6966 conn->feat_mask = 0;
6967
6968 if (hcon->type == ACL_LINK)
6969 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6970 &hcon->hdev->dev_flags);
6971
6972 spin_lock_init(&conn->lock);
6973 mutex_init(&conn->chan_lock);
6974
6975 INIT_LIST_HEAD(&conn->chan_l);
6976 INIT_LIST_HEAD(&conn->users);
6977
6978 if (hcon->type == LE_LINK)
6979 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
6980 else
6981 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6982
61a939c6
JH		 6983 skb_queue_head_init(&conn->pending_rx);
6984 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6985
162b49e7
JH		 6986 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6987
6988 return conn;
6989}
6990
6991static bool is_valid_psm(u16 psm, u8 dst_type) {
6992 if (!psm)
6993 return false;
6994
6995 if (bdaddr_type_is_le(dst_type))
6996 return (psm <= 0x00ff);
6997
6998 /* PSM must be odd and lsb of upper byte must be 0 */
6999 return ((psm & 0x0101) == 0x0001);
7000}
7001
7002int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7003 bdaddr_t *dst, u8 dst_type)
7004{
7005 struct l2cap_conn *conn;
7006 struct hci_conn *hcon;
7007 struct hci_dev *hdev;
7008 __u8 auth_type;
7009 int err;
7010
7011 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7012 dst_type, __le16_to_cpu(psm));
7013
7014 hdev = hci_get_route(dst, &chan->src);
7015 if (!hdev)
7016 return -EHOSTUNREACH;
7017
7018 hci_dev_lock(hdev);
7019
7020 l2cap_chan_lock(chan);
7021
7022 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7023 chan->chan_type != L2CAP_CHAN_RAW) {
7024 err = -EINVAL;
7025 goto done;
7026 }
7027
7028 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
7029 err = -EINVAL;
7030 goto done;
7031 }
7032
7033 switch (chan->mode) {
7034 case L2CAP_MODE_BASIC:
7035 break;
7036 case L2CAP_MODE_LE_FLOWCTL:
7037 l2cap_le_flowctl_init(chan);
7038 break;
7039 case L2CAP_MODE_ERTM:
7040 case L2CAP_MODE_STREAMING:
7041 if (!disable_ertm)
7042 break;
7043 /* fall through */
7044 default:
7045 err = -ENOTSUPP;
7046 goto done;
7047 }
7048
7049 switch (chan->state) {
7050 case BT_CONNECT:
7051 case BT_CONNECT2:
7052 case BT_CONFIG:
7053 /* Already connecting */
7054 err = 0;
7055 goto done;
7056
7057 case BT_CONNECTED:
7058 /* Already connected */
7059 err = -EISCONN;
7060 goto done;
7061
7062 case BT_OPEN:
7063 case BT_BOUND:
7064 /* Can connect */
7065 break;
7066
7067 default:
7068 err = -EBADFD;
7069 goto done;
7070 }
7071
7072 /* Set destination address and psm */
7073 bacpy(&chan->dst, dst);
7074 chan->dst_type = dst_type;
7075
7076 chan->psm = psm;
7077 chan->dcid = cid;
7078
7079 auth_type = l2cap_get_auth_type(chan);
7080
7081 if (bdaddr_type_is_le(dst_type))
7082 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
7083 chan->sec_level, auth_type);
7084 else
7085 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
7086 chan->sec_level, auth_type);
7087
7088 if (IS_ERR(hcon)) {
7089 err = PTR_ERR(hcon);
7090 goto done;
7091 }
7092
7093 conn = l2cap_conn_add(hcon);
7094 if (!conn) {
7095 hci_conn_drop(hcon);
7096 err = -ENOMEM;
7097 goto done;
7098 }
7099
7100 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7101 hci_conn_drop(hcon);
7102 err = -EBUSY;
7103 goto done;
7104 }
7105
7106 /* Update source addr of the socket */
7107 bacpy(&chan->src, &hcon->src);
7108 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7109
7110 l2cap_chan_unlock(chan);
7111 l2cap_chan_add(conn, chan);
7112 l2cap_chan_lock(chan);
7113
7114 /* l2cap_chan_add takes its own ref so we can drop this one */
7115 hci_conn_drop(hcon);
7116
7117 l2cap_state_change(chan, BT_CONNECT);
7118 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7119
7120 if (hcon->state == BT_CONNECTED) {
7121 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7122 __clear_chan_timer(chan);
7123 if (l2cap_chan_check_security(chan))
7124 l2cap_state_change(chan, BT_CONNECTED);
7125 } else
7126 l2cap_do_start(chan);
7127 }
7128
7129 err = 0;
7130
7131done:
7132 l2cap_chan_unlock(chan);
7133 hci_dev_unlock(hdev);
7134 hci_dev_put(hdev);
7135 return err;
7136}
7137
1da177e4
LT		 7138/* ---- L2CAP interface with lower layer (HCI) ---- */
7139
686ebf28 7140int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7141{
7142 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7143 struct l2cap_chan *c;
1da177e4 7144
6ed93dc6 7145 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7146
7147 /* Find listening sockets and check their link_mode */
23691d75
GP		 7148 read_lock(&chan_list_lock);
7149 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7150 if (c->state != BT_LISTEN)
1da177e4
LT		 7151 continue;
7152
7eafc59e 7153 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7154 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7155 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7156 lm1 |= HCI_LM_MASTER;
1da177e4 7157 exact++;
7eafc59e 7158 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7159 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7160 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7161 lm2 |= HCI_LM_MASTER;
7162 }
1da177e4 7163 }
23691d75 7164 read_unlock(&chan_list_lock);
1da177e4
LT		 7165
7166 return exact ? lm1 : lm2;
7167}
7168
9e664631 7169void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7170{
0139418c
MH		 7171 struct l2cap_conn *conn;
7172
6ed93dc6 7173 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7174
1da177e4 7175 if (!status) {
baf43251 7176 conn = l2cap_conn_add(hcon);
1da177e4
LT		 7177 if (conn)
7178 l2cap_conn_ready(conn);
ba6fc317 7179 } else {
e175072f 7180 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 7181 }
1da177e4
LT		 7182}
7183
686ebf28 7184int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7185{
7186 struct l2cap_conn *conn = hcon->l2cap_data;
7187
7188 BT_DBG("hcon %p", hcon);
7189
686ebf28 7190 if (!conn)
9f5a0d7b 7191 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7192 return conn->disc_reason;
7193}
7194
9e664631 7195void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7196{
7197 BT_DBG("hcon %p reason %d", hcon, reason);
7198
18722c24
JR		 7199 bt_6lowpan_del_conn(hcon->l2cap_data);
7200
e175072f 7201 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7202}
7203
4343478f 7204static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7205{
715ec005 7206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7207 return;
7208
f62e4323 7209 if (encrypt == 0x00) {
4343478f 7210 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7211 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7212 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7213 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7214 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7215 } else {
4343478f 7216 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7217 __clear_chan_timer(chan);
f62e4323
MH		 7218 }
7219}
7220
686ebf28 7221int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7222{
0139418c 7223 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7224 struct l2cap_chan *chan;
1da177e4 7225
0139418c 7226 if (!conn)
1da177e4 7227 return 0;
0139418c 7228
89d8b407 7229 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7230
160dc6ac 7231 if (hcon->type == LE_LINK) {
35d4adcc
HG		 7232 if (!status && encrypt)
7233 smp_distribute_keys(conn, 0);
17cd3f37 7234 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7235 }
7236
3df91ea2 7237 mutex_lock(&conn->chan_lock);
1da177e4 7238
3df91ea2 7239 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7240 l2cap_chan_lock(chan);
1da177e4 7241
89d8b407
AE		 7242 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7243 state_to_string(chan->state));
f1cb9af5 7244
2338a7e0 7245 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7246 l2cap_chan_unlock(chan);
7247 continue;
7248 }
7249
073d1cf3 7250 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 7251 if (!status && encrypt) {
7252 chan->sec_level = hcon->sec_level;
cf4cd009 7253 l2cap_chan_ready(chan);
f1cb9af5
VCG		 7254 }
7255
6be36555 7256 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 7257 continue;
7258 }
7259
96eff46e 7260 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7261 l2cap_chan_unlock(chan);
6a8d3010
MH		 7262 continue;
7263 }
7264
89bc500e 7265 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7266 chan->state == BT_CONFIG)) {
d97c899b 7267 chan->ops->resume(chan);
4343478f 7268 l2cap_check_encryption(chan, encrypt);
6be36555 7269 l2cap_chan_unlock(chan);
9719f8af
MH		 7270 continue;
7271 }
7272
89bc500e 7273 if (chan->state == BT_CONNECT) {
6d3c15da 7274 if (!status)
93c3e8f5 7275 l2cap_start_connection(chan);
6d3c15da 7276 else
ba13ccd9 7277 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7278 } else if (chan->state == BT_CONNECT2) {
b1235d79 7279 struct l2cap_conn_rsp rsp;
df3c3931 7280 __u16 res, stat;
1da177e4 7281
b1235d79 7282 if (!status) {
bdc25783 7283 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7284 res = L2CAP_CR_PEND;
7285 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7286 chan->ops->defer(chan);
df3c3931 7287 } else {
acdcabf5 7288 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7289 res = L2CAP_CR_SUCCESS;
7290 stat = L2CAP_CS_NO_INFO;
7291 }
b1235d79 7292 } else {
acdcabf5 7293 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7294 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7295 res = L2CAP_CR_SEC_BLOCK;
7296 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7297 }
7298
fe4128e0
GP		 7299 rsp.scid = cpu_to_le16(chan->dcid);
7300 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7301 rsp.result = cpu_to_le16(res);
7302 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7303 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7304 sizeof(rsp), &rsp);
2d369359
MM		 7305
7306 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7307 res == L2CAP_CR_SUCCESS) {
7308 char buf[128];
7309 set_bit(CONF_REQ_SENT, &chan->conf_state);
7310 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7311 L2CAP_CONF_REQ,
7312 l2cap_build_conf_req(chan, buf),
7313 buf);
7314 chan->num_conf_req++;
7315 }
b1235d79 7316 }
1da177e4 7317
6be36555 7318 l2cap_chan_unlock(chan);
1da177e4
LT		 7319 }
7320
3df91ea2 7321 mutex_unlock(&conn->chan_lock);
b1235d79 7322
1da177e4
LT		 7323 return 0;
7324}
7325
686ebf28 7326int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7327{
7328 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7329 struct l2cap_hdr *hdr;
7330 int len;
1da177e4 7331
1d13a254
AE		 7332 /* For AMP controller do not create l2cap conn */
7333 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7334 goto drop;
1da177e4 7335
5a08ecce 7336 if (!conn)
baf43251 7337 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7338
7339 if (!conn)
1da177e4
LT		 7340 goto drop;
7341
7342 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7343
d73a0988
AE		 7344 switch (flags) {
7345 case ACL_START:
7346 case ACL_START_NO_FLUSH:
7347 case ACL_COMPLETE:
1da177e4
LT		 7348 if (conn->rx_len) {
7349 BT_ERR("Unexpected start frame (len %d)", skb->len);
7350 kfree_skb(conn->rx_skb);
7351 conn->rx_skb = NULL;
7352 conn->rx_len = 0;
7353 l2cap_conn_unreliable(conn, ECOMM);
7354 }
7355
aae7fe22
AE		 7356 /* Start fragment always begin with Basic L2CAP header */
7357 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7358 BT_ERR("Frame is too short (len %d)", skb->len);
7359 l2cap_conn_unreliable(conn, ECOMM);
7360 goto drop;
7361 }
7362
7363 hdr = (struct l2cap_hdr *) skb->data;
7364 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7365
7366 if (len == skb->len) {
7367 /* Complete frame received */
7368 l2cap_recv_frame(conn, skb);
7369 return 0;
7370 }
7371
7372 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7373
7374 if (skb->len > len) {
7375 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7376 skb->len, len);
1da177e4
LT		 7377 l2cap_conn_unreliable(conn, ECOMM);
7378 goto drop;
7379 }
7380
7381 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7382 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7383 if (!conn->rx_skb)
1da177e4
LT		 7384 goto drop;
7385
d626f62b 7386 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7387 skb->len);
1da177e4 7388 conn->rx_len = len - skb->len;
d73a0988
AE		 7389 break;
7390
7391 case ACL_CONT:
1da177e4
LT		 7392 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7393
7394 if (!conn->rx_len) {
7395 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7396 l2cap_conn_unreliable(conn, ECOMM);
7397 goto drop;
7398 }
7399
7400 if (skb->len > conn->rx_len) {
7401 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7402 skb->len, conn->rx_len);
1da177e4
LT		 7403 kfree_skb(conn->rx_skb);
7404 conn->rx_skb = NULL;
7405 conn->rx_len = 0;
7406 l2cap_conn_unreliable(conn, ECOMM);
7407 goto drop;
7408 }
7409
d626f62b 7410 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7411 skb->len);
1da177e4
LT		 7412 conn->rx_len -= skb->len;
7413
7414 if (!conn->rx_len) {
c4e5bafa
JH		 7415 /* Complete frame received. l2cap_recv_frame
7416 * takes ownership of the skb so set the global
7417 * rx_skb pointer to NULL first.
7418 */
7419 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7420 conn->rx_skb = NULL;
c4e5bafa 7421 l2cap_recv_frame(conn, rx_skb);
1da177e4 7422 }
d73a0988 7423 break;
1da177e4
LT		 7424 }
7425
7426drop:
7427 kfree_skb(skb);
7428 return 0;
7429}
7430
aef7d97c 7431static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7432{
23691d75 7433 struct l2cap_chan *c;
1da177e4 7434
333055f2 7435 read_lock(&chan_list_lock);
1da177e4 7436
23691d75 7437 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7438 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7439 &c->src, &c->dst,
fcb73338
AE		 7440 c->state, __le16_to_cpu(c->psm),
7441 c->scid, c->dcid, c->imtu, c->omtu,
7442 c->sec_level, c->mode);
61e1b4b7 7443 }
1da177e4 7444
333055f2 7445 read_unlock(&chan_list_lock);
1da177e4 7446
aef7d97c 7447 return 0;
1da177e4
LT		 7448}
7449
aef7d97c
MH		 7450static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7451{
7452 return single_open(file, l2cap_debugfs_show, inode->i_private);
7453}
7454
7455static const struct file_operations l2cap_debugfs_fops = {
7456 .open = l2cap_debugfs_open,
7457 .read = seq_read,
7458 .llseek = seq_lseek,
7459 .release = single_release,
7460};
7461
7462static struct dentry *l2cap_debugfs;
1da177e4 7463
64274518 7464int __init l2cap_init(void)
1da177e4
LT		 7465{
7466 int err;
be9d1227 7467
bb58f747 7468 err = l2cap_init_sockets();
1da177e4
LT		 7469 if (err < 0)
7470 return err;
7471
1120e4bf
MH		 7472 if (IS_ERR_OR_NULL(bt_debugfs))
7473 return 0;
7474
7475 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7476 NULL, &l2cap_debugfs_fops);
1da177e4 7477
f15b8ecf
JH		 7478 debugfs_create_u16("l2cap_le_max_credits", 0466, bt_debugfs,
7479 &le_max_credits);
7480 debugfs_create_u16("l2cap_le_default_mps", 0466, bt_debugfs,
7481 &le_default_mps);
7482
18722c24
JR		 7483 bt_6lowpan_init();
7484
1da177e4 7485 return 0;
1da177e4
LT		 7486}
7487
64274518 7488void l2cap_exit(void)
1da177e4 7489{
18722c24 7490 bt_6lowpan_cleanup();
aef7d97c 7491 debugfs_remove(l2cap_debugfs);
bb58f747 7492 l2cap_cleanup_sockets();
1da177e4
LT		 7493}
7494
d1c4a17d
GP		 7495module_param(disable_ertm, bool, 0644);
7496MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.363652 seconds and 5 git commands to generate.