projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add key preference parameter to smp_sufficient_security
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
ff714119
JH		 427 /* Set default lock nesting level */
428 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
429
333055f2 430 write_lock(&chan_list_lock);
23691d75 431 list_add(&chan->global_l, &chan_list);
333055f2 432 write_unlock(&chan_list_lock);
23691d75 433
721c4181 434 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 435
89bc500e
GP		 436 chan->state = BT_OPEN;
437
144ad330 438 kref_init(&chan->kref);
71ba0e56 439
2827011f
MM		 440 /* This flag is cleared in l2cap_chan_ready() */
441 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
442
eef1d9b6 443 BT_DBG("chan %p", chan);
abc545b8 444
48454079
GP		 445 return chan;
446}
6b8d4a6a 447EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 448
144ad330 449static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 450{
144ad330
SS		 451 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
452
4af66c69
JK		 453 BT_DBG("chan %p", chan);
454
333055f2 455 write_lock(&chan_list_lock);
23691d75 456 list_del(&chan->global_l);
333055f2 457 write_unlock(&chan_list_lock);
23691d75 458
4af66c69 459 kfree(chan);
6ff5abbf
GP		 460}
461
30648372
JK		 462void l2cap_chan_hold(struct l2cap_chan *c)
463{
144ad330 464 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 465
144ad330 466 kref_get(&c->kref);
30648372
JK		 467}
468
469void l2cap_chan_put(struct l2cap_chan *c)
470{
144ad330 471 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 472
144ad330 473 kref_put(&c->kref, l2cap_chan_destroy);
30648372 474}
6b8d4a6a 475EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 476
bd4b1653
AE		 477void l2cap_chan_set_defaults(struct l2cap_chan *chan)
478{
479 chan->fcs = L2CAP_FCS_CRC16;
480 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
481 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
482 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 483 chan->remote_max_tx = chan->max_tx;
484 chan->remote_tx_win = chan->tx_win;
c20f8e35 485 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 486 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 487 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
488 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
489 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
490 chan->conf_state = 0;
bd4b1653
AE		 491
492 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
493}
6b8d4a6a 494EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 495
0ce43ce6 496static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 497{
0ce43ce6
JH		 498 chan->sdu = NULL;
499 chan->sdu_last_frag = NULL;
500 chan->sdu_len = 0;
0cd75f7e 501 chan->tx_credits = 0;
f15b8ecf 502 chan->rx_credits = le_max_credits;
d1d79413 503 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 504
505 skb_queue_head_init(&chan->tx_q);
38319713
JH		 506}
507
93c3e8f5 508void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 509{
af05b30b 510 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 511 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 512
9f5a0d7b 513 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 514
8c1d787b 515 chan->conn = conn;
0139418c 516
5491120e
AE		 517 switch (chan->chan_type) {
518 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 519 /* Alloc CID for connection-oriented socket */
520 chan->scid = l2cap_alloc_cid(conn);
521 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
525 case L2CAP_CHAN_CONN_LESS:
0139418c 526 /* Connectionless socket */
fe4128e0
GP		 527 chan->scid = L2CAP_CID_CONN_LESS;
528 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 529 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 530 break;
531
2338a7e0
JH		 532 case L2CAP_CHAN_FIXED:
533 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 534 break;
535
5491120e 536 default:
0139418c 537 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 538 chan->scid = L2CAP_CID_SIGNALING;
539 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 540 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 541 }
542
8f7975b1
AE		 543 chan->local_id = L2CAP_BESTEFFORT_ID;
544 chan->local_stype = L2CAP_SERV_BESTEFFORT;
545 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
546 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
547 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 548 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 549
371fd835 550 l2cap_chan_hold(chan);
baa7e1fa 551
c16900cf
JH		 552 /* Only keep a reference for fixed channels if they requested it */
553 if (chan->chan_type != L2CAP_CHAN_FIXED ||
554 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
555 hci_conn_hold(conn->hcon);
5ee9891d 556
3df91ea2 557 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 558}
559
466f8004 560void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 561{
562 mutex_lock(&conn->chan_lock);
563 __l2cap_chan_add(conn, chan);
3df91ea2 564 mutex_unlock(&conn->chan_lock);
0139418c
MH		 565}
566
466f8004 567void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 568{
8c1d787b 569 struct l2cap_conn *conn = chan->conn;
0139418c 570
c9b66675 571 __clear_chan_timer(chan);
0139418c 572
49208c9c 573 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 574
72847ce0
JH		 575 chan->ops->teardown(chan, err);
576
8e87d142 577 if (conn) {
56f60984 578 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 579 /* Delete from channel list */
3df91ea2 580 list_del(&chan->list);
3d57dc68 581
371fd835 582 l2cap_chan_put(chan);
baa7e1fa 583
8c1d787b 584 chan->conn = NULL;
3cabbfda 585
c16900cf
JH		 586 /* Reference was only held for non-fixed channels or
587 * fixed channels that explicitly requested it using the
588 * FLAG_HOLD_HCI_CONN flag.
589 */
590 if (chan->chan_type != L2CAP_CHAN_FIXED ||
591 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
76a68ba0 592 hci_conn_drop(conn->hcon);
56f60984
AE		 593
594 if (mgr && mgr->bredr_chan == chan)
595 mgr->bredr_chan = NULL;
0139418c
MH		 596 }
597
419e08c1
AE		 598 if (chan->hs_hchan) {
599 struct hci_chan *hs_hchan = chan->hs_hchan;
600
601 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
602 amp_disconnect_logical_link(hs_hchan);
603 }
604
2827011f 605 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 606 return;
2ead70b8 607
ee556f66
GP		 608 switch(chan->mode) {
609 case L2CAP_MODE_BASIC:
610 break;
c13ffa62 611
38319713 612 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 613 skb_queue_purge(&chan->tx_q);
38319713
JH		 614 break;
615
ee556f66 616 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 617 __clear_retrans_timer(chan);
618 __clear_monitor_timer(chan);
619 __clear_ack_timer(chan);
c13ffa62 620
f1c6775b 621 skb_queue_purge(&chan->srej_q);
c13ffa62 622
3c588192
MM		 623 l2cap_seq_list_free(&chan->srej_list);
624 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 625
626 /* fall through */
627
628 case L2CAP_MODE_STREAMING:
629 skb_queue_purge(&chan->tx_q);
630 break;
c13ffa62 631 }
ee556f66
GP		 632
633 return;
0139418c 634}
6b8d4a6a 635EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 636
f3d82d0c 637static void l2cap_conn_update_id_addr(struct work_struct *work)
387a33e3 638{
f3d82d0c
JH		 639 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
640 id_addr_update_work);
641 struct hci_conn *hcon = conn->hcon;
387a33e3
JH		 642 struct l2cap_chan *chan;
643
644 mutex_lock(&conn->chan_lock);
645
646 list_for_each_entry(chan, &conn->chan_l, list) {
647 l2cap_chan_lock(chan);
648 bacpy(&chan->dst, &hcon->dst);
649 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
650 l2cap_chan_unlock(chan);
651 }
652
653 mutex_unlock(&conn->chan_lock);
654}
655
27e2d4c8
JH		 656static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
657{
658 struct l2cap_conn *conn = chan->conn;
659 struct l2cap_le_conn_rsp rsp;
660 u16 result;
661
662 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
663 result = L2CAP_CR_AUTHORIZATION;
664 else
665 result = L2CAP_CR_BAD_PSM;
666
667 l2cap_state_change(chan, BT_DISCONN);
668
669 rsp.dcid = cpu_to_le16(chan->scid);
670 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 671 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 672 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 673 rsp.result = cpu_to_le16(result);
674
675 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
676 &rsp);
677}
678
791d60f7
JH		 679static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
680{
681 struct l2cap_conn *conn = chan->conn;
682 struct l2cap_conn_rsp rsp;
683 u16 result;
684
685 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
686 result = L2CAP_CR_SEC_BLOCK;
687 else
688 result = L2CAP_CR_BAD_PSM;
689
690 l2cap_state_change(chan, BT_DISCONN);
691
692 rsp.scid = cpu_to_le16(chan->dcid);
693 rsp.dcid = cpu_to_le16(chan->scid);
694 rsp.result = cpu_to_le16(result);
dcf4adbf 695 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 696
697 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
698}
699
0f852724 700void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 701{
702 struct l2cap_conn *conn = chan->conn;
4519de9a 703
7eafc59e 704 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 705
89bc500e 706 switch (chan->state) {
4519de9a 707 case BT_LISTEN:
b699ec0d 708 chan->ops->teardown(chan, 0);
4519de9a
GP		 709 break;
710
711 case BT_CONNECTED:
712 case BT_CONFIG:
7b25c9b3 713 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 714 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 715 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 716 } else
717 l2cap_chan_del(chan, reason);
718 break;
719
720 case BT_CONNECT2:
791d60f7
JH		 721 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
722 if (conn->hcon->type == ACL_LINK)
723 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 724 else if (conn->hcon->type == LE_LINK)
725 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 726 }
727
728 l2cap_chan_del(chan, reason);
729 break;
730
731 case BT_CONNECT:
732 case BT_DISCONN:
733 l2cap_chan_del(chan, reason);
734 break;
735
736 default:
b699ec0d 737 chan->ops->teardown(chan, 0);
4519de9a
GP		 738 break;
739 }
740}
6b8d4a6a 741EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 742
4343478f 743static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 744{
6a974b50
MH		 745 switch (chan->chan_type) {
746 case L2CAP_CHAN_RAW:
4343478f 747 switch (chan->sec_level) {
8556edd3 748 case BT_SECURITY_HIGH:
7d513e92 749 case BT_SECURITY_FIPS:
8556edd3
JH		 750 return HCI_AT_DEDICATED_BONDING_MITM;
751 case BT_SECURITY_MEDIUM:
752 return HCI_AT_DEDICATED_BONDING;
753 default:
754 return HCI_AT_NO_BONDING;
755 }
6a974b50 756 break;
3124b843 757 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 758 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 759 if (chan->sec_level == BT_SECURITY_LOW)
760 chan->sec_level = BT_SECURITY_SDP;
761 }
7d513e92
MH		 762 if (chan->sec_level == BT_SECURITY_HIGH ||
763 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 764 return HCI_AT_NO_BONDING_MITM;
765 else
766 return HCI_AT_NO_BONDING;
767 break;
6a974b50 768 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 769 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 770 if (chan->sec_level == BT_SECURITY_LOW)
771 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 772
7d513e92
MH		 773 if (chan->sec_level == BT_SECURITY_HIGH ||
774 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 775 return HCI_AT_NO_BONDING_MITM;
776 else
777 return HCI_AT_NO_BONDING;
778 }
779 /* fall through */
780 default:
4343478f 781 switch (chan->sec_level) {
00ae4af9 782 case BT_SECURITY_HIGH:
7d513e92 783 case BT_SECURITY_FIPS:
8556edd3 784 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 785 case BT_SECURITY_MEDIUM:
8556edd3 786 return HCI_AT_GENERAL_BONDING;
00ae4af9 787 default:
8556edd3 788 return HCI_AT_NO_BONDING;
00ae4af9 789 }
6a974b50 790 break;
0684e5f9 791 }
8556edd3
JH		 792}
793
794/* Service level security */
e7cafc45 795int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 796{
8c1d787b 797 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 798 __u8 auth_type;
799
a17de2fe
JH		 800 if (conn->hcon->type == LE_LINK)
801 return smp_conn_security(conn->hcon, chan->sec_level);
802
4343478f 803 auth_type = l2cap_get_auth_type(chan);
79d554a6 804
e7cafc45
JH		 805 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
806 initiator);
79d554a6
MH		 807}
808
b5ad8b7f 809static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 810{
811 u8 id;
812
813 /* Get next available identificator.
814 * 1 - 128 are used by kernel.
815 * 129 - 199 are reserved.
816 * 200 - 254 are used by utilities like l2ping, etc.
817 */
818
5a54e7c8 819 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 820
821 if (++conn->tx_ident > 128)
822 conn->tx_ident = 1;
823
824 id = conn->tx_ident;
825
5a54e7c8 826 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 827
828 return id;
829}
830
2d792818
GP		 831static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
832 void *data)
4e8402a3
MH		 833{
834 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 835 u8 flags;
4e8402a3
MH		 836
837 BT_DBG("code 0x%2.2x", code);
838
839 if (!skb)
9a9c6a34 840 return;
4e8402a3 841
e702112f
AE		 842 if (lmp_no_flush_capable(conn->hcon->hdev))
843 flags = ACL_START_NO_FLUSH;
844 else
845 flags = ACL_START;
846
14b12d0b 847 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 848 skb->priority = HCI_PRIO_MAX;
14b12d0b 849
73d80deb
LAD		 850 hci_send_acl(conn->hchan, skb, flags);
851}
852
02b0fbb9
MM		 853static bool __chan_is_moving(struct l2cap_chan *chan)
854{
855 return chan->move_state != L2CAP_MOVE_STABLE &&
856 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
857}
858
73d80deb
LAD		 859static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
860{
861 struct hci_conn *hcon = chan->conn->hcon;
862 u16 flags;
863
864 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 865 skb->priority);
73d80deb 866
d5f8a75d
MM		 867 if (chan->hs_hcon && !__chan_is_moving(chan)) {
868 if (chan->hs_hchan)
869 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
870 else
871 kfree_skb(skb);
872
873 return;
874 }
875
73d80deb 876 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 877 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 878 flags = ACL_START_NO_FLUSH;
879 else
880 flags = ACL_START;
14b12d0b 881
73d80deb
LAD		 882 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
883 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 884}
885
b76bbd66
MM		 886static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
887{
888 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
889 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
890
891 if (enh & L2CAP_CTRL_FRAME_TYPE) {
892 /* S-Frame */
893 control->sframe = 1;
894 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
895 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
896
897 control->sar = 0;
898 control->txseq = 0;
899 } else {
900 /* I-Frame */
901 control->sframe = 0;
902 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
903 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
904
905 control->poll = 0;
906 control->super = 0;
907 }
908}
909
b76bbd66
MM		 910static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
911{
912 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
913 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
914
915 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
916 /* S-Frame */
917 control->sframe = 1;
918 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
919 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
920
921 control->sar = 0;
922 control->txseq = 0;
923 } else {
924 /* I-Frame */
925 control->sframe = 0;
926 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
927 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
928
929 control->poll = 0;
930 control->super = 0;
931 }
932}
933
934static inline void __unpack_control(struct l2cap_chan *chan,
935 struct sk_buff *skb)
936{
937 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
938 __unpack_extended_control(get_unaligned_le32(skb->data),
939 &bt_cb(skb)->control);
cec8ab6e 940 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 941 } else {
942 __unpack_enhanced_control(get_unaligned_le16(skb->data),
943 &bt_cb(skb)->control);
cec8ab6e 944 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 945 }
946}
947
b5c6aaed
MM		 948static u32 __pack_extended_control(struct l2cap_ctrl *control)
949{
950 u32 packed;
951
952 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
953 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
954
955 if (control->sframe) {
956 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
957 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
958 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
959 } else {
960 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
961 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
962 }
963
964 return packed;
965}
966
967static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
968{
969 u16 packed;
970
971 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
972 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
973
974 if (control->sframe) {
975 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
976 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
977 packed |= L2CAP_CTRL_FRAME_TYPE;
978 } else {
979 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
980 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
981 }
982
983 return packed;
984}
985
b76bbd66
MM		 986static inline void __pack_control(struct l2cap_chan *chan,
987 struct l2cap_ctrl *control,
988 struct sk_buff *skb)
989{
990 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
991 put_unaligned_le32(__pack_extended_control(control),
992 skb->data + L2CAP_HDR_SIZE);
993 } else {
994 put_unaligned_le16(__pack_enhanced_control(control),
995 skb->data + L2CAP_HDR_SIZE);
996 }
997}
998
ba7aa64f
GP		 999static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1000{
1001 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1002 return L2CAP_EXT_HDR_SIZE;
1003 else
1004 return L2CAP_ENH_HDR_SIZE;
1005}
1006
a67d7f6f
MM		 1007static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1008 u32 control)
b5c6aaed
MM		 1009{
1010 struct sk_buff *skb;
1011 struct l2cap_hdr *lh;
ba7aa64f 1012 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1013
1014 if (chan->fcs == L2CAP_FCS_CRC16)
1015 hlen += L2CAP_FCS_SIZE;
1016
a67d7f6f 1017 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1018
b5c6aaed 1019 if (!skb)
a67d7f6f 1020 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1021
1022 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1023 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1024 lh->cid = cpu_to_le16(chan->dcid);
1025
a67d7f6f
MM		 1026 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1027 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1028 else
1029 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1030
1031 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1032 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1033 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1034 }
1035
1036 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1037 return skb;
1038}
1039
1040static void l2cap_send_sframe(struct l2cap_chan *chan,
1041 struct l2cap_ctrl *control)
1042{
1043 struct sk_buff *skb;
1044 u32 control_field;
1045
1046 BT_DBG("chan %p, control %p", chan, control);
1047
1048 if (!control->sframe)
1049 return;
1050
b99e13ad
MM		 1051 if (__chan_is_moving(chan))
1052 return;
1053
a67d7f6f
MM		 1054 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1055 !control->poll)
1056 control->final = 1;
1057
1058 if (control->super == L2CAP_SUPER_RR)
1059 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1060 else if (control->super == L2CAP_SUPER_RNR)
1061 set_bit(CONN_RNR_SENT, &chan->conn_state);
1062
1063 if (control->super != L2CAP_SUPER_SREJ) {
1064 chan->last_acked_seq = control->reqseq;
1065 __clear_ack_timer(chan);
1066 }
1067
1068 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1069 control->final, control->poll, control->super);
1070
1071 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1072 control_field = __pack_extended_control(control);
1073 else
1074 control_field = __pack_enhanced_control(control);
1075
1076 skb = l2cap_create_sframe_pdu(chan, control_field);
1077 if (!IS_ERR(skb))
1078 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1079}
1080
c9e3d5e0 1081static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1082{
c9e3d5e0
MM		 1083 struct l2cap_ctrl control;
1084
1085 BT_DBG("chan %p, poll %d", chan, poll);
1086
1087 memset(&control, 0, sizeof(control));
1088 control.sframe = 1;
1089 control.poll = poll;
1090
1091 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1092 control.super = L2CAP_SUPER_RNR;
1093 else
1094 control.super = L2CAP_SUPER_RR;
b5c6aaed 1095
c9e3d5e0
MM		 1096 control.reqseq = chan->buffer_seq;
1097 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1098}
1099
b4450035 1100static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1101{
5ff6f34d
JH		 1102 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1103 return true;
1104
c1360a1c 1105 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1106}
1107
1df7b17a 1108static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1109{
1df7b17a 1110 struct l2cap_conn *conn = chan->conn;
80d58d0b 1111 struct hci_dev *hdev;
1df7b17a
MH		 1112 bool amp_available = false;
1113
1114 if (!conn->hs_enabled)
1115 return false;
1116
1117 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1118 return false;
80d58d0b
MH		 1119
1120 read_lock(&hci_dev_list_lock);
1df7b17a 1121 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1122 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1123 test_bit(HCI_UP, &hdev->flags)) {
1124 amp_available = true;
1125 break;
1126 }
1127 }
80d58d0b
MH		 1128 read_unlock(&hci_dev_list_lock);
1129
1df7b17a
MH		 1130 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1131 return amp_available;
848566b3
MH		 1132
1133 return false;
93c3e8f5
AE		 1134}
1135
5ce66b59
AE		 1136static bool l2cap_check_efs(struct l2cap_chan *chan)
1137{
1138 /* Check EFS parameters */
1139 return true;
1140}
1141
2766be48 1142void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1143{
1144 struct l2cap_conn *conn = chan->conn;
1145 struct l2cap_conn_req req;
1146
1147 req.scid = cpu_to_le16(chan->scid);
1148 req.psm = chan->psm;
1149
1150 chan->ident = l2cap_get_ident(conn);
1151
1152 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1153
1154 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1155}
1156
8eb200bd
MM		 1157static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1158{
1159 struct l2cap_create_chan_req req;
1160 req.scid = cpu_to_le16(chan->scid);
1161 req.psm = chan->psm;
1162 req.amp_id = amp_id;
1163
1164 chan->ident = l2cap_get_ident(chan->conn);
1165
1166 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1167 sizeof(req), &req);
1168}
1169
02b0fbb9
MM		 1170static void l2cap_move_setup(struct l2cap_chan *chan)
1171{
1172 struct sk_buff *skb;
1173
1174 BT_DBG("chan %p", chan);
1175
1176 if (chan->mode != L2CAP_MODE_ERTM)
1177 return;
1178
1179 __clear_retrans_timer(chan);
1180 __clear_monitor_timer(chan);
1181 __clear_ack_timer(chan);
1182
1183 chan->retry_count = 0;
1184 skb_queue_walk(&chan->tx_q, skb) {
1185 if (bt_cb(skb)->control.retries)
1186 bt_cb(skb)->control.retries = 1;
1187 else
1188 break;
1189 }
1190
1191 chan->expected_tx_seq = chan->buffer_seq;
1192
1193 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1194 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1195 l2cap_seq_list_clear(&chan->retrans_list);
1196 l2cap_seq_list_clear(&chan->srej_list);
1197 skb_queue_purge(&chan->srej_q);
1198
1199 chan->tx_state = L2CAP_TX_STATE_XMIT;
1200 chan->rx_state = L2CAP_RX_STATE_MOVE;
1201
1202 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1203}
1204
5f3847a4
MM		 1205static void l2cap_move_done(struct l2cap_chan *chan)
1206{
1207 u8 move_role = chan->move_role;
1208 BT_DBG("chan %p", chan);
1209
1210 chan->move_state = L2CAP_MOVE_STABLE;
1211 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1212
1213 if (chan->mode != L2CAP_MODE_ERTM)
1214 return;
1215
1216 switch (move_role) {
1217 case L2CAP_MOVE_ROLE_INITIATOR:
1218 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1219 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1220 break;
1221 case L2CAP_MOVE_ROLE_RESPONDER:
1222 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1223 break;
1224 }
1225}
1226
9f0caeb1
VCG		 1227static void l2cap_chan_ready(struct l2cap_chan *chan)
1228{
2827011f 1229 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1230 chan->conf_state = 0;
1231 __clear_chan_timer(chan);
1232
0ce43ce6
JH		 1233 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1234 chan->ops->suspend(chan);
177f8f2b 1235
54a59aa2 1236 chan->state = BT_CONNECTED;
9f0caeb1 1237
fd83e2c2 1238 chan->ops->ready(chan);
9f0caeb1
VCG		 1239}
1240
f1496dee
JH		 1241static void l2cap_le_connect(struct l2cap_chan *chan)
1242{
1243 struct l2cap_conn *conn = chan->conn;
1244 struct l2cap_le_conn_req req;
1245
595177f3
JH		 1246 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1247 return;
1248
f1496dee
JH		 1249 req.psm = chan->psm;
1250 req.scid = cpu_to_le16(chan->scid);
1251 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1252 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1253 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1254
1255 chan->ident = l2cap_get_ident(conn);
1256
1257 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1258 sizeof(req), &req);
1259}
1260
1261static void l2cap_le_start(struct l2cap_chan *chan)
1262{
1263 struct l2cap_conn *conn = chan->conn;
1264
1265 if (!smp_conn_security(conn->hcon, chan->sec_level))
1266 return;
1267
1268 if (!chan->psm) {
1269 l2cap_chan_ready(chan);
1270 return;
1271 }
1272
1273 if (chan->state == BT_CONNECT)
1274 l2cap_le_connect(chan);
1275}
1276
93c3e8f5
AE		 1277static void l2cap_start_connection(struct l2cap_chan *chan)
1278{
1279 if (__amp_capable(chan)) {
1280 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1281 a2mp_discover_amp(chan);
f1496dee
JH		 1282 } else if (chan->conn->hcon->type == LE_LINK) {
1283 l2cap_le_start(chan);
93c3e8f5
AE		 1284 } else {
1285 l2cap_send_conn_req(chan);
1286 }
1287}
1288
aeaeb4bb
JH		 1289static void l2cap_request_info(struct l2cap_conn *conn)
1290{
1291 struct l2cap_info_req req;
1292
1293 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1294 return;
1295
1296 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1297
1298 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1299 conn->info_ident = l2cap_get_ident(conn);
1300
1301 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1302
1303 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1304 sizeof(req), &req);
1305}
1306
fc7f8a7e 1307static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1308{
8c1d787b 1309 struct l2cap_conn *conn = chan->conn;
79d554a6 1310
9f0caeb1 1311 if (conn->hcon->type == LE_LINK) {
96ac34fb 1312 l2cap_le_start(chan);
9f0caeb1
VCG		 1313 return;
1314 }
1315
aeaeb4bb
JH		 1316 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1317 l2cap_request_info(conn);
1318 return;
1319 }
79d554a6 1320
aeaeb4bb
JH		 1321 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1322 return;
79d554a6 1323
aeaeb4bb
JH		 1324 if (l2cap_chan_check_security(chan, true) &&
1325 __l2cap_no_conn_pending(chan))
1326 l2cap_start_connection(chan);
79d554a6
MH		 1327}
1328
cf6c2c0b
GP		 1329static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1330{
1331 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1332 if (!disable_ertm)
cf6c2c0b
GP		 1333 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1334
1335 switch (mode) {
1336 case L2CAP_MODE_ERTM:
1337 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1338 case L2CAP_MODE_STREAMING:
1339 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1340 default:
1341 return 0x00;
1342 }
1343}
1344
5e4e3972 1345static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1346{
5e4e3972 1347 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1348 struct l2cap_disconn_req req;
1349
c13ffa62
GP		 1350 if (!conn)
1351 return;
1352
aad3d0e3 1353 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1354 __clear_retrans_timer(chan);
1355 __clear_monitor_timer(chan);
1356 __clear_ack_timer(chan);
c13ffa62
GP		 1357 }
1358
2338a7e0 1359 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1360 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1361 return;
1362 }
1363
fe4128e0
GP		 1364 req.dcid = cpu_to_le16(chan->dcid);
1365 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1366 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1367 sizeof(req), &req);
c13ffa62 1368
f8e73017 1369 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1370}
1371
1da177e4 1372/* ---- L2CAP connections ---- */
4e8402a3
MH		 1373static void l2cap_conn_start(struct l2cap_conn *conn)
1374{
3df91ea2 1375 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1376
1377 BT_DBG("conn %p", conn);
1378
3df91ea2 1379 mutex_lock(&conn->chan_lock);
4e8402a3 1380
3df91ea2 1381 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1382 l2cap_chan_lock(chan);
4e8402a3 1383
715ec005 1384 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb 1385 l2cap_chan_ready(chan);
6be36555 1386 l2cap_chan_unlock(chan);
79d554a6
MH		 1387 continue;
1388 }
1389
89bc500e 1390 if (chan->state == BT_CONNECT) {
e7cafc45 1391 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1392 !__l2cap_no_conn_pending(chan)) {
6be36555 1393 l2cap_chan_unlock(chan);
47731de7
GP		 1394 continue;
1395 }
79d554a6 1396
c1360a1c 1397 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1398 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1399 &chan->conf_state)) {
89bc500e 1400 l2cap_chan_close(chan, ECONNRESET);
6be36555 1401 l2cap_chan_unlock(chan);
47731de7 1402 continue;
b1235d79 1403 }
47731de7 1404
93c3e8f5 1405 l2cap_start_connection(chan);
47731de7 1406
89bc500e 1407 } else if (chan->state == BT_CONNECT2) {
79d554a6 1408 struct l2cap_conn_rsp rsp;
e9aeb2dd 1409 char buf[128];
fe4128e0
GP		 1410 rsp.scid = cpu_to_le16(chan->dcid);
1411 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1412
e7cafc45 1413 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1414 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1415 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1416 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1417 chan->ops->defer(chan);
f66dc81f
MH		 1418
1419 } else {
acdcabf5 1420 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1421 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1422 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1423 }
79d554a6 1424 } else {
dcf4adbf
JP		 1425 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1426 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1427 }
1428
fc7f8a7e 1429 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1430 sizeof(rsp), &rsp);
e9aeb2dd 1431
c1360a1c 1432 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1433 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1434 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1435 continue;
1436 }
1437
c1360a1c 1438 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1439 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1440 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1441 chan->num_conf_req++;
4e8402a3
MH		 1442 }
1443
6be36555 1444 l2cap_chan_unlock(chan);
4e8402a3
MH		 1445 }
1446
3df91ea2 1447 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1448}
1449
b62f328b
VT		 1450static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1451{
cc8dba2b 1452 struct hci_conn *hcon = conn->hcon;
dcc36c16 1453 struct hci_dev *hdev = hcon->hdev;
b62f328b 1454
e760ec12 1455 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1456
e760ec12
JH		 1457 /* For outgoing pairing which doesn't necessarily have an
1458 * associated socket (e.g. mgmt_pair_device).
1459 */
1460 if (hcon->out)
1461 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1462
80afeb6c
MH		 1463 /* For LE slave connections, make sure the connection interval
1464 * is in the range of the minium and maximum interval that has
1465 * been configured for this connection. If not, then trigger
1466 * the connection update procedure.
1467 */
40bef302 1468 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1469 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1470 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1471 struct l2cap_conn_param_update_req req;
1472
1473 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1474 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1475 req.latency = cpu_to_le16(hcon->le_conn_latency);
1476 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1477
1478 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1479 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1480 }
b62f328b
VT		 1481}
1482
4e8402a3
MH		 1483static void l2cap_conn_ready(struct l2cap_conn *conn)
1484{
48454079 1485 struct l2cap_chan *chan;
cc110922 1486 struct hci_conn *hcon = conn->hcon;
4e8402a3 1487
79d554a6 1488 BT_DBG("conn %p", conn);
4e8402a3 1489
aeaeb4bb
JH		 1490 if (hcon->type == ACL_LINK)
1491 l2cap_request_info(conn);
1492
e760ec12
JH		 1493 mutex_lock(&conn->chan_lock);
1494
3df91ea2 1495 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1496
6be36555 1497 l2cap_chan_lock(chan);
4e8402a3 1498
2338a7e0 1499 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1500 l2cap_chan_unlock(chan);
1501 continue;
1502 }
1503
cc110922 1504 if (hcon->type == LE_LINK) {
f1496dee 1505 l2cap_le_start(chan);
63128451 1506 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb
JH		 1507 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1508 l2cap_chan_ready(chan);
1c244f79 1509 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1510 l2cap_do_start(chan);
1c244f79 1511 }
4e8402a3 1512
6be36555 1513 l2cap_chan_unlock(chan);
4e8402a3 1514 }
79d554a6 1515
3df91ea2 1516 mutex_unlock(&conn->chan_lock);
61a939c6 1517
79a05727
JH		 1518 if (hcon->type == LE_LINK)
1519 l2cap_le_conn_ready(conn);
1520
61a939c6 1521 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1522}
1523
1524/* Notify sockets that we cannot guaranty reliability anymore */
1525static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1526{
48454079 1527 struct l2cap_chan *chan;
4e8402a3
MH		 1528
1529 BT_DBG("conn %p", conn);
1530
3df91ea2 1531 mutex_lock(&conn->chan_lock);
4e8402a3 1532
3df91ea2 1533 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1534 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1535 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1536 }
1537
3df91ea2 1538 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1539}
1540
f878fcad 1541static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1542{
f878fcad 1543 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1544 info_timer.work);
4e8402a3 1545
984947dc 1546 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1547 conn->info_ident = 0;
984947dc 1548
4e8402a3
MH		 1549 l2cap_conn_start(conn);
1550}
1551
2c8e1411
DH		 1552/*
1553 * l2cap_user
1554 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1555 * callback is called during registration. The ->remove callback is called
1556 * during unregistration.
1557 * An l2cap_user object can either be explicitly unregistered or when the
1558 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1559 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1560 * External modules must own a reference to the l2cap_conn object if they intend
1561 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1562 * any time if they don't.
1563 */
1564
1565int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1566{
1567 struct hci_dev *hdev = conn->hcon->hdev;
1568 int ret;
1569
1570 /* We need to check whether l2cap_conn is registered. If it is not, we
1571 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1572 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1573 * relies on the parent hci_conn object to be locked. This itself relies
1574 * on the hci_dev object to be locked. So we must lock the hci device
1575 * here, too. */
1576
1577 hci_dev_lock(hdev);
1578
1579 if (user->list.next || user->list.prev) {
1580 ret = -EINVAL;
1581 goto out_unlock;
1582 }
1583
1584 /* conn->hchan is NULL after l2cap_conn_del() was called */
1585 if (!conn->hchan) {
1586 ret = -ENODEV;
1587 goto out_unlock;
1588 }
1589
1590 ret = user->probe(conn, user);
1591 if (ret)
1592 goto out_unlock;
1593
1594 list_add(&user->list, &conn->users);
1595 ret = 0;
1596
1597out_unlock:
1598 hci_dev_unlock(hdev);
1599 return ret;
1600}
1601EXPORT_SYMBOL(l2cap_register_user);
1602
1603void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1604{
1605 struct hci_dev *hdev = conn->hcon->hdev;
1606
1607 hci_dev_lock(hdev);
1608
1609 if (!user->list.next || !user->list.prev)
1610 goto out_unlock;
1611
1612 list_del(&user->list);
1613 user->list.next = NULL;
1614 user->list.prev = NULL;
1615 user->remove(conn, user);
1616
1617out_unlock:
1618 hci_dev_unlock(hdev);
1619}
1620EXPORT_SYMBOL(l2cap_unregister_user);
1621
1622static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1623{
1624 struct l2cap_user *user;
1625
1626 while (!list_empty(&conn->users)) {
1627 user = list_first_entry(&conn->users, struct l2cap_user, list);
1628 list_del(&user->list);
1629 user->list.next = NULL;
1630 user->list.prev = NULL;
1631 user->remove(conn, user);
1632 }
1633}
1634
5d3de7df
VCG		 1635static void l2cap_conn_del(struct hci_conn *hcon, int err)
1636{
1637 struct l2cap_conn *conn = hcon->l2cap_data;
1638 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1639
1640 if (!conn)
1641 return;
1642
1643 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1644
1645 kfree_skb(conn->rx_skb);
1646
61a939c6 1647 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1648
1649 /* We can not call flush_work(&conn->pending_rx_work) here since we
1650 * might block if we are running on a worker from the same workqueue
1651 * pending_rx_work is waiting on.
1652 */
1653 if (work_pending(&conn->pending_rx_work))
1654 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1655
f3d82d0c
JH		 1656 if (work_pending(&conn->id_addr_update_work))
1657 cancel_work_sync(&conn->id_addr_update_work);
1658
2c8e1411
DH		 1659 l2cap_unregister_all_users(conn);
1660
e31fb860
JH		 1661 /* Force the connection to be immediately dropped */
1662 hcon->disc_timeout = 0;
1663
3df91ea2
AE		 1664 mutex_lock(&conn->chan_lock);
1665
5d3de7df
VCG		 1666 /* Kill channels */
1667 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1668 l2cap_chan_hold(chan);
6be36555
AE		 1669 l2cap_chan_lock(chan);
1670
5d3de7df 1671 l2cap_chan_del(chan, err);
6be36555
AE		 1672
1673 l2cap_chan_unlock(chan);
1674
80b98027 1675 chan->ops->close(chan);
61d6ef3e 1676 l2cap_chan_put(chan);
5d3de7df
VCG		 1677 }
1678
3df91ea2
AE		 1679 mutex_unlock(&conn->chan_lock);
1680
73d80deb
LAD		 1681 hci_chan_del(conn->hchan);
1682
5d3de7df 1683 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1684 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1685
5d3de7df 1686 hcon->l2cap_data = NULL;
9c903e37
DH		 1687 conn->hchan = NULL;
1688 l2cap_conn_put(conn);
5d3de7df
VCG		 1689}
1690
9c903e37
DH		 1691static void l2cap_conn_free(struct kref *ref)
1692{
1693 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1694
1695 hci_conn_put(conn->hcon);
1696 kfree(conn);
1697}
1698
51bb8457 1699struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
9c903e37
DH		 1700{
1701 kref_get(&conn->ref);
51bb8457 1702 return conn;
9c903e37
DH		 1703}
1704EXPORT_SYMBOL(l2cap_conn_get);
1705
1706void l2cap_conn_put(struct l2cap_conn *conn)
1707{
1708 kref_put(&conn->ref, l2cap_conn_free);
1709}
1710EXPORT_SYMBOL(l2cap_conn_put);
1711
1da177e4 1712/* ---- Socket interface ---- */
1da177e4 1713
c2287681 1714/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1715 * Returns closest match.
1716 */
c2287681
IY		 1717static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1718 bdaddr_t *src,
bf20fd4e
JH		 1719 bdaddr_t *dst,
1720 u8 link_type)
1da177e4 1721{
23691d75 1722 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1723
23691d75 1724 read_lock(&chan_list_lock);
e0f0cb56 1725
23691d75 1726 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1727 if (state && c->state != state)
1da177e4
LT		 1728 continue;
1729
bf20fd4e
JH		 1730 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1731 continue;
1732
1733 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1734 continue;
1735
23691d75 1736 if (c->psm == psm) {
c2287681
IY		 1737 int src_match, dst_match;
1738 int src_any, dst_any;
1739
1da177e4 1740 /* Exact match. */
7eafc59e
MH		 1741 src_match = !bacmp(&c->src, src);
1742 dst_match = !bacmp(&c->dst, dst);
c2287681 1743 if (src_match && dst_match) {
a24cce14 1744 l2cap_chan_hold(c);
a7567b20 1745 read_unlock(&chan_list_lock);
23691d75
GP		 1746 return c;
1747 }
1da177e4
LT		 1748
1749 /* Closest match */
7eafc59e
MH		 1750 src_any = !bacmp(&c->src, BDADDR_ANY);
1751 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1752 if ((src_match && dst_any) || (src_any && dst_match) ||
1753 (src_any && dst_any))
23691d75 1754 c1 = c;
1da177e4
LT		 1755 }
1756 }
1da177e4 1757
a24cce14
JH		 1758 if (c1)
1759 l2cap_chan_hold(c1);
1760
23691d75 1761 read_unlock(&chan_list_lock);
e0f0cb56 1762
23691d75 1763 return c1;
1da177e4
LT		 1764}
1765
721c4181 1766static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1767{
721c4181 1768 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1769 monitor_timer.work);
e90bac06 1770
525cd185 1771 BT_DBG("chan %p", chan);
0e98958d 1772
6be36555
AE		 1773 l2cap_chan_lock(chan);
1774
80909e04 1775 if (!chan->conn) {
6be36555 1776 l2cap_chan_unlock(chan);
8d7e1c7f 1777 l2cap_chan_put(chan);
e90bac06
GP		 1778 return;
1779 }
1780
401bb1f7 1781 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1782
6be36555 1783 l2cap_chan_unlock(chan);
8d7e1c7f 1784 l2cap_chan_put(chan);
e90bac06
GP		 1785}
1786
721c4181 1787static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1788{
721c4181 1789 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1790 retrans_timer.work);
e90bac06 1791
49208c9c 1792 BT_DBG("chan %p", chan);
0e98958d 1793
6be36555
AE		 1794 l2cap_chan_lock(chan);
1795
80909e04
MM		 1796 if (!chan->conn) {
1797 l2cap_chan_unlock(chan);
1798 l2cap_chan_put(chan);
1799 return;
1800 }
6be36555 1801
401bb1f7 1802 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1803 l2cap_chan_unlock(chan);
8d7e1c7f 1804 l2cap_chan_put(chan);
e90bac06
GP		 1805}
1806
d660366d
GP		 1807static void l2cap_streaming_send(struct l2cap_chan *chan,
1808 struct sk_buff_head *skbs)
6840ed07 1809{
ccbb84af 1810 struct sk_buff *skb;
3733937d 1811 struct l2cap_ctrl *control;
6840ed07 1812
3733937d
MM		 1813 BT_DBG("chan %p, skbs %p", chan, skbs);
1814
b99e13ad
MM		 1815 if (__chan_is_moving(chan))
1816 return;
1817
3733937d
MM		 1818 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1819
1820 while (!skb_queue_empty(&chan->tx_q)) {
1821
1822 skb = skb_dequeue(&chan->tx_q);
1823
1824 bt_cb(skb)->control.retries = 1;
1825 control = &bt_cb(skb)->control;
1826
1827 control->reqseq = 0;
1828 control->txseq = chan->next_tx_seq;
1829
1830 __pack_control(chan, control, skb);
6840ed07 1831
47d1ec61 1832 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1833 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1834 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1835 }
1836
4343478f 1837 l2cap_do_send(chan, skb);
6840ed07 1838
b4400672 1839 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1840
836be934 1841 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1842 chan->frames_sent++;
6840ed07 1843 }
6840ed07
GP		 1844}
1845
67c9e840 1846static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1847{
1848 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1849 struct l2cap_ctrl *control;
1850 int sent = 0;
1851
1852 BT_DBG("chan %p", chan);
1c2acffb 1853
89bc500e 1854 if (chan->state != BT_CONNECTED)
c13ffa62 1855 return -ENOTCONN;
e90bac06 1856
94122bbe
MM		 1857 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1858 return 0;
1859
b99e13ad
MM		 1860 if (__chan_is_moving(chan))
1861 return 0;
1862
18a48e76
MM		 1863 while (chan->tx_send_head &&
1864 chan->unacked_frames < chan->remote_tx_win &&
1865 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1866
18a48e76 1867 skb = chan->tx_send_head;
e90bac06 1868
18a48e76
MM		 1869 bt_cb(skb)->control.retries = 1;
1870 control = &bt_cb(skb)->control;
95ffa978 1871
e2ab4353 1872 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1873 control->final = 1;
e2ab4353 1874
18a48e76
MM		 1875 control->reqseq = chan->buffer_seq;
1876 chan->last_acked_seq = chan->buffer_seq;
1877 control->txseq = chan->next_tx_seq;
1c2acffb 1878
18a48e76 1879 __pack_control(chan, control, skb);
e90bac06 1880
47d1ec61 1881 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1882 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1883 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1884 }
1885
18a48e76
MM		 1886 /* Clone after data has been modified. Data is assumed to be
1887 read-only (for locking purposes) on cloned sk_buffs.
1888 */
1889 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1890
18a48e76
MM		 1891 if (!tx_skb)
1892 break;
1c2acffb 1893
18a48e76 1894 __set_retrans_timer(chan);
836be934
AE		 1895
1896 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1897 chan->unacked_frames++;
6a026610 1898 chan->frames_sent++;
18a48e76 1899 sent++;
1c2acffb 1900
58d35f87
GP		 1901 if (skb_queue_is_last(&chan->tx_q, skb))
1902 chan->tx_send_head = NULL;
1c2acffb 1903 else
58d35f87 1904 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1905
1906 l2cap_do_send(chan, tx_skb);
b4400672 1907 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1908 }
1909
b4400672
AE		 1910 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1911 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1912
1913 return sent;
9e917af1
GP		 1914}
1915
e1fbd4c1
MM		 1916static void l2cap_ertm_resend(struct l2cap_chan *chan)
1917{
1918 struct l2cap_ctrl control;
1919 struct sk_buff *skb;
1920 struct sk_buff *tx_skb;
1921 u16 seq;
1922
1923 BT_DBG("chan %p", chan);
1924
1925 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1926 return;
1927
b99e13ad
MM		 1928 if (__chan_is_moving(chan))
1929 return;
1930
e1fbd4c1
MM		 1931 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1932 seq = l2cap_seq_list_pop(&chan->retrans_list);
1933
1934 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1935 if (!skb) {
1936 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1937 seq);
e1fbd4c1
MM		 1938 continue;
1939 }
1940
1941 bt_cb(skb)->control.retries++;
1942 control = bt_cb(skb)->control;
1943
1944 if (chan->max_tx != 0 &&
1945 bt_cb(skb)->control.retries > chan->max_tx) {
1946 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1947 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1948 l2cap_seq_list_clear(&chan->retrans_list);
1949 break;
1950 }
1951
1952 control.reqseq = chan->buffer_seq;
1953 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1954 control.final = 1;
1955 else
1956 control.final = 0;
1957
1958 if (skb_cloned(skb)) {
1959 /* Cloned sk_buffs are read-only, so we need a
1960 * writeable copy
1961 */
8bcde1f2 1962 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1963 } else {
8bcde1f2 1964 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1965 }
1966
1967 if (!tx_skb) {
1968 l2cap_seq_list_clear(&chan->retrans_list);
1969 break;
1970 }
1971
1972 /* Update skb contents */
1973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1974 put_unaligned_le32(__pack_extended_control(&control),
1975 tx_skb->data + L2CAP_HDR_SIZE);
1976 } else {
1977 put_unaligned_le16(__pack_enhanced_control(&control),
1978 tx_skb->data + L2CAP_HDR_SIZE);
1979 }
1980
13cac152 1981 /* Update FCS */
e1fbd4c1 1982 if (chan->fcs == L2CAP_FCS_CRC16) {
13cac152
LR		 1983 u16 fcs = crc16(0, (u8 *) tx_skb->data,
1984 tx_skb->len - L2CAP_FCS_SIZE);
1985 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1986 L2CAP_FCS_SIZE);
e1fbd4c1
MM		 1987 }
1988
1989 l2cap_do_send(chan, tx_skb);
1990
1991 BT_DBG("Resent txseq %d", control.txseq);
1992
1993 chan->last_acked_seq = chan->buffer_seq;
1994 }
1995}
1996
f80842a8
MM		 1997static void l2cap_retransmit(struct l2cap_chan *chan,
1998 struct l2cap_ctrl *control)
1999{
2000 BT_DBG("chan %p, control %p", chan, control);
2001
2002 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2003 l2cap_ertm_resend(chan);
2004}
2005
d2a7ac5d
MM		 2006static void l2cap_retransmit_all(struct l2cap_chan *chan,
2007 struct l2cap_ctrl *control)
2008{
e1fbd4c1
MM		 2009 struct sk_buff *skb;
2010
2011 BT_DBG("chan %p, control %p", chan, control);
2012
2013 if (control->poll)
2014 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2015
2016 l2cap_seq_list_clear(&chan->retrans_list);
2017
2018 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2019 return;
2020
2021 if (chan->unacked_frames) {
2022 skb_queue_walk(&chan->tx_q, skb) {
2023 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2024 skb == chan->tx_send_head)
e1fbd4c1
MM		 2025 break;
2026 }
2027
2028 skb_queue_walk_from(&chan->tx_q, skb) {
2029 if (skb == chan->tx_send_head)
2030 break;
2031
2032 l2cap_seq_list_append(&chan->retrans_list,
2033 bt_cb(skb)->control.txseq);
2034 }
2035
2036 l2cap_ertm_resend(chan);
2037 }
d2a7ac5d
MM		 2038}
2039
0a0aba42 2040static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2041{
0a0aba42
MM		 2042 struct l2cap_ctrl control;
2043 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2044 chan->last_acked_seq);
2045 int threshold;
9e917af1 2046
0a0aba42
MM		 2047 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2048 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2049
0a0aba42
MM		 2050 memset(&control, 0, sizeof(control));
2051 control.sframe = 1;
dfc909be 2052
0a0aba42
MM		 2053 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2054 chan->rx_state == L2CAP_RX_STATE_RECV) {
2055 __clear_ack_timer(chan);
2056 control.super = L2CAP_SUPER_RNR;
2057 control.reqseq = chan->buffer_seq;
2058 l2cap_send_sframe(chan, &control);
2059 } else {
2060 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2061 l2cap_ertm_send(chan);
2062 /* If any i-frames were sent, they included an ack */
2063 if (chan->buffer_seq == chan->last_acked_seq)
2064 frames_to_ack = 0;
2065 }
dfc909be 2066
c20f8e35 2067 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2068 * Calculate without mul or div
2069 */
c20f8e35 2070 threshold = chan->ack_win;
0a0aba42
MM		 2071 threshold += threshold << 1;
2072 threshold >>= 2;
2073
b4400672 2074 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2075 threshold);
2076
2077 if (frames_to_ack >= threshold) {
2078 __clear_ack_timer(chan);
2079 control.super = L2CAP_SUPER_RR;
2080 control.reqseq = chan->buffer_seq;
2081 l2cap_send_sframe(chan, &control);
2082 frames_to_ack = 0;
2083 }
1c2acffb 2084
0a0aba42
MM		 2085 if (frames_to_ack)
2086 __set_ack_timer(chan);
2087 }
b17e73bb
SJ		 2088}
2089
04124681
GP		 2090static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2091 struct msghdr *msg, int len,
2092 int count, struct sk_buff *skb)
1c2acffb 2093{
0952a57a 2094 struct l2cap_conn *conn = chan->conn;
1c2acffb 2095 struct sk_buff **frag;
90338947 2096 int sent = 0;
1da177e4 2097
0498878b
JR		 2098 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2099 msg->msg_iov, count))
1c2acffb 2100 return -EFAULT;
1da177e4
LT		 2101
2102 sent += count;
2103 len -= count;
2104
2105 /* Continuation fragments (no L2CAP header) */
2106 frag = &skb_shinfo(skb)->frag_list;
2107 while (len) {
fbe00700
GP		 2108 struct sk_buff *tmp;
2109
1da177e4
LT		 2110 count = min_t(unsigned int, conn->mtu, len);
2111
d9fbd02b 2112 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2113 msg->msg_flags & MSG_DONTWAIT);
2114 if (IS_ERR(tmp))
2115 return PTR_ERR(tmp);
2116
2117 *frag = tmp;
2f7719ce 2118
0498878b
JR		 2119 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2120 msg->msg_iov, count))
1c2acffb 2121 return -EFAULT;
1da177e4
LT		 2122
2123 sent += count;
2124 len -= count;
2125
2d0ed3d5
GP		 2126 skb->len += (*frag)->len;
2127 skb->data_len += (*frag)->len;
2128
1da177e4
LT		 2129 frag = &(*frag)->next;
2130 }
1da177e4
LT		 2131
2132 return sent;
1c2acffb 2133}
1da177e4 2134
5e59b791 2135static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2136 struct msghdr *msg, size_t len)
1c2acffb 2137{
8c1d787b 2138 struct l2cap_conn *conn = chan->conn;
1c2acffb 2139 struct sk_buff *skb;
03a51213 2140 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2141 struct l2cap_hdr *lh;
2142
8d46321c
MH		 2143 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2144 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2145
2146 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2147
d9fbd02b 2148 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2149 msg->msg_flags & MSG_DONTWAIT);
2150 if (IS_ERR(skb))
2151 return skb;
1c2acffb
GP		 2152
2153 /* Create L2CAP header */
2154 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2155 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2156 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2157 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2158
0952a57a 2159 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2160 if (unlikely(err < 0)) {
2161 kfree_skb(skb);
2162 return ERR_PTR(err);
2163 }
2164 return skb;
2165}
2166
5e59b791 2167static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2168 struct msghdr *msg, size_t len)
1c2acffb 2169{
8c1d787b 2170 struct l2cap_conn *conn = chan->conn;
1c2acffb 2171 struct sk_buff *skb;
f2ba7fae 2172 int err, count;
1c2acffb
GP		 2173 struct l2cap_hdr *lh;
2174
b4400672 2175 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2176
f2ba7fae 2177 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2178
d9fbd02b 2179 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2180 msg->msg_flags & MSG_DONTWAIT);
2181 if (IS_ERR(skb))
2182 return skb;
1c2acffb
GP		 2183
2184 /* Create L2CAP header */
2185 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2186 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2187 lh->len = cpu_to_le16(len);
1c2acffb 2188
0952a57a 2189 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2190 if (unlikely(err < 0)) {
2191 kfree_skb(skb);
2192 return ERR_PTR(err);
2193 }
2194 return skb;
2195}
2196
ab0ff76d 2197static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2198 struct msghdr *msg, size_t len,
2199 u16 sdulen)
1c2acffb 2200{
8c1d787b 2201 struct l2cap_conn *conn = chan->conn;
1c2acffb 2202 struct sk_buff *skb;
e4ca6d98 2203 int err, count, hlen;
1c2acffb
GP		 2204 struct l2cap_hdr *lh;
2205
b4400672 2206 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2207
0ee0d208
GP		 2208 if (!conn)
2209 return ERR_PTR(-ENOTCONN);
2210
ba7aa64f 2211 hlen = __ertm_hdr_size(chan);
e4ca6d98 2212
c74e560c 2213 if (sdulen)
03a51213 2214 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2215
47d1ec61 2216 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2217 hlen += L2CAP_FCS_SIZE;
fcc203c3 2218
1c2acffb 2219 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2220
d9fbd02b 2221 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2222 msg->msg_flags & MSG_DONTWAIT);
2223 if (IS_ERR(skb))
2224 return skb;
1c2acffb
GP		 2225
2226 /* Create L2CAP header */
2227 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2228 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2229 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2230
18a48e76
MM		 2231 /* Control header is populated later */
2232 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2233 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2234 else
2235 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2236
c74e560c 2237 if (sdulen)
03a51213 2238 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2239
0952a57a 2240 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2241 if (unlikely(err < 0)) {
2242 kfree_skb(skb);
2243 return ERR_PTR(err);
2244 }
e90bac06 2245
18a48e76 2246 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2247 bt_cb(skb)->control.retries = 0;
1c2acffb 2248 return skb;
1da177e4
LT		 2249}
2250
94122bbe
MM		 2251static int l2cap_segment_sdu(struct l2cap_chan *chan,
2252 struct sk_buff_head *seg_queue,
2253 struct msghdr *msg, size_t len)
c74e560c 2254{
c74e560c 2255 struct sk_buff *skb;
94122bbe
MM		 2256 u16 sdu_len;
2257 size_t pdu_len;
94122bbe 2258 u8 sar;
c74e560c 2259
b4400672 2260 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2261
94122bbe
MM		 2262 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2263 * so fragmented skbs are not used. The HCI layer's handling
2264 * of fragmented skbs is not compatible with ERTM's queueing.
2265 */
c74e560c 2266
94122bbe
MM		 2267 /* PDU size is derived from the HCI MTU */
2268 pdu_len = chan->conn->mtu;
c74e560c 2269
a549574d
MM		 2270 /* Constrain PDU size for BR/EDR connections */
2271 if (!chan->hs_hcon)
2272 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2273
2274 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2275 if (chan->fcs)
2276 pdu_len -= L2CAP_FCS_SIZE;
2277
ba7aa64f 2278 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2279
2280 /* Remote device may have requested smaller PDUs */
2281 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2282
2283 if (len <= pdu_len) {
2284 sar = L2CAP_SAR_UNSEGMENTED;
2285 sdu_len = 0;
2286 pdu_len = len;
2287 } else {
2288 sar = L2CAP_SAR_START;
2289 sdu_len = len;
94122bbe
MM		 2290 }
2291
2292 while (len > 0) {
2293 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2294
c74e560c 2295 if (IS_ERR(skb)) {
94122bbe 2296 __skb_queue_purge(seg_queue);
c74e560c
GP		 2297 return PTR_ERR(skb);
2298 }
2299
94122bbe
MM		 2300 bt_cb(skb)->control.sar = sar;
2301 __skb_queue_tail(seg_queue, skb);
2302
2303 len -= pdu_len;
069cb270 2304 if (sdu_len)
94122bbe 2305 sdu_len = 0;
94122bbe
MM		 2306
2307 if (len <= pdu_len) {
2308 sar = L2CAP_SAR_END;
2309 pdu_len = len;
2310 } else {
2311 sar = L2CAP_SAR_CONTINUE;
2312 }
c74e560c 2313 }
c74e560c 2314
f0f62799 2315 return 0;
c74e560c
GP		 2316}
2317
177f8f2b
JH		 2318static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2319 struct msghdr *msg,
2320 size_t len, u16 sdulen)
2321{
2322 struct l2cap_conn *conn = chan->conn;
2323 struct sk_buff *skb;
2324 int err, count, hlen;
2325 struct l2cap_hdr *lh;
2326
2327 BT_DBG("chan %p len %zu", chan, len);
2328
2329 if (!conn)
2330 return ERR_PTR(-ENOTCONN);
2331
2332 hlen = L2CAP_HDR_SIZE;
2333
2334 if (sdulen)
2335 hlen += L2CAP_SDULEN_SIZE;
2336
2337 count = min_t(unsigned int, (conn->mtu - hlen), len);
2338
d9fbd02b 2339 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2340 msg->msg_flags & MSG_DONTWAIT);
2341 if (IS_ERR(skb))
2342 return skb;
2343
2344 /* Create L2CAP header */
2345 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2346 lh->cid = cpu_to_le16(chan->dcid);
2347 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2348
2349 if (sdulen)
2350 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2351
2352 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2353 if (unlikely(err < 0)) {
2354 kfree_skb(skb);
2355 return ERR_PTR(err);
2356 }
2357
2358 return skb;
2359}
2360
2361static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2362 struct sk_buff_head *seg_queue,
2363 struct msghdr *msg, size_t len)
2364{
2365 struct sk_buff *skb;
2366 size_t pdu_len;
2367 u16 sdu_len;
2368
2369 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2370
177f8f2b 2371 sdu_len = len;
72c6fb91 2372 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
177f8f2b
JH		 2373
2374 while (len > 0) {
2375 if (len <= pdu_len)
2376 pdu_len = len;
2377
2378 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2379 if (IS_ERR(skb)) {
2380 __skb_queue_purge(seg_queue);
2381 return PTR_ERR(skb);
2382 }
2383
2384 __skb_queue_tail(seg_queue, skb);
2385
2386 len -= pdu_len;
2387
2388 if (sdu_len) {
2389 sdu_len = 0;
2390 pdu_len += L2CAP_SDULEN_SIZE;
2391 }
2392 }
2393
2394 return 0;
2395}
2396
8d46321c 2397int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2398{
9a91a04a 2399 struct sk_buff *skb;
9a91a04a 2400 int err;
94122bbe 2401 struct sk_buff_head seg_queue;
9a91a04a 2402
31e8ce80
SWK		 2403 if (!chan->conn)
2404 return -ENOTCONN;
2405
9a91a04a 2406 /* Connectionless channel */
715ec005 2407 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2408 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2409 if (IS_ERR(skb))
2410 return PTR_ERR(skb);
2411
ede81a2a
AK		 2412 /* Channel lock is released before requesting new skb and then
2413 * reacquired thus we need to recheck channel state.
2414 */
2415 if (chan->state != BT_CONNECTED) {
2416 kfree_skb(skb);
2417 return -ENOTCONN;
2418 }
2419
9a91a04a
GP		 2420 l2cap_do_send(chan, skb);
2421 return len;
2422 }
2423
2424 switch (chan->mode) {
38319713 2425 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2426 /* Check outgoing MTU */
2427 if (len > chan->omtu)
2428 return -EMSGSIZE;
2429
fad5fc89
JH		 2430 if (!chan->tx_credits)
2431 return -EAGAIN;
2432
177f8f2b
JH		 2433 __skb_queue_head_init(&seg_queue);
2434
2435 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2436
2437 if (chan->state != BT_CONNECTED) {
2438 __skb_queue_purge(&seg_queue);
2439 err = -ENOTCONN;
2440 }
2441
2442 if (err)
2443 return err;
2444
2445 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2446
2447 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2448 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2449 chan->tx_credits--;
2450 }
2451
2452 if (!chan->tx_credits)
2453 chan->ops->suspend(chan);
2454
2455 err = len;
2456
2457 break;
2458
fad5fc89 2459 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2460 /* Check outgoing MTU */
2461 if (len > chan->omtu)
2462 return -EMSGSIZE;
2463
2464 /* Create a basic PDU */
8d46321c 2465 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2466 if (IS_ERR(skb))
2467 return PTR_ERR(skb);
2468
ede81a2a
AK		 2469 /* Channel lock is released before requesting new skb and then
2470 * reacquired thus we need to recheck channel state.
2471 */
2472 if (chan->state != BT_CONNECTED) {
2473 kfree_skb(skb);
2474 return -ENOTCONN;
2475 }
2476
9a91a04a
GP		 2477 l2cap_do_send(chan, skb);
2478 err = len;
2479 break;
2480
2481 case L2CAP_MODE_ERTM:
2482 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2483 /* Check outgoing MTU */
2484 if (len > chan->omtu) {
2485 err = -EMSGSIZE;
2486 break;
2487 }
9a91a04a 2488
94122bbe 2489 __skb_queue_head_init(&seg_queue);
9a91a04a 2490
94122bbe
MM		 2491 /* Do segmentation before calling in to the state machine,
2492 * since it's possible to block while waiting for memory
2493 * allocation.
2494 */
2495 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2496
94122bbe
MM		 2497 /* The channel could have been closed while segmenting,
2498 * check that it is still connected.
2499 */
2500 if (chan->state != BT_CONNECTED) {
2501 __skb_queue_purge(&seg_queue);
2502 err = -ENOTCONN;
9a91a04a
GP		 2503 }
2504
94122bbe 2505 if (err)
9a91a04a 2506 break;
9a91a04a 2507
3733937d 2508 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2509 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2510 else
d660366d 2511 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2512
d660366d 2513 err = len;
9a91a04a 2514
94122bbe
MM		 2515 /* If the skbs were not queued for sending, they'll still be in
2516 * seg_queue and need to be purged.
2517 */
2518 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2519 break;
2520
2521 default:
2522 BT_DBG("bad state %1.1x", chan->mode);
2523 err = -EBADFD;
2524 }
2525
2526 return err;
2527}
6b8d4a6a 2528EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2529
d2a7ac5d
MM		 2530static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2531{
bed68bde
MM		 2532 struct l2cap_ctrl control;
2533 u16 seq;
2534
b4400672 2535 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2536
2537 memset(&control, 0, sizeof(control));
2538 control.sframe = 1;
2539 control.super = L2CAP_SUPER_SREJ;
2540
2541 for (seq = chan->expected_tx_seq; seq != txseq;
2542 seq = __next_seq(chan, seq)) {
2543 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2544 control.reqseq = seq;
2545 l2cap_send_sframe(chan, &control);
2546 l2cap_seq_list_append(&chan->srej_list, seq);
2547 }
2548 }
2549
2550 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2551}
2552
2553static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2554{
bed68bde
MM		 2555 struct l2cap_ctrl control;
2556
2557 BT_DBG("chan %p", chan);
2558
2559 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2560 return;
2561
2562 memset(&control, 0, sizeof(control));
2563 control.sframe = 1;
2564 control.super = L2CAP_SUPER_SREJ;
2565 control.reqseq = chan->srej_list.tail;
2566 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2567}
2568
2569static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2570{
bed68bde
MM		 2571 struct l2cap_ctrl control;
2572 u16 initial_head;
2573 u16 seq;
2574
b4400672 2575 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2576
2577 memset(&control, 0, sizeof(control));
2578 control.sframe = 1;
2579 control.super = L2CAP_SUPER_SREJ;
2580
2581 /* Capture initial list head to allow only one pass through the list. */
2582 initial_head = chan->srej_list.head;
2583
2584 do {
2585 seq = l2cap_seq_list_pop(&chan->srej_list);
2586 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2587 break;
2588
2589 control.reqseq = seq;
2590 l2cap_send_sframe(chan, &control);
2591 l2cap_seq_list_append(&chan->srej_list, seq);
2592 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2593}
2594
608bcc6d
MM		 2595static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2596{
2597 struct sk_buff *acked_skb;
2598 u16 ackseq;
2599
b4400672 2600 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2601
2602 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2603 return;
2604
b4400672 2605 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2606 chan->expected_ack_seq, chan->unacked_frames);
2607
2608 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2609 ackseq = __next_seq(chan, ackseq)) {
2610
2611 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2612 if (acked_skb) {
2613 skb_unlink(acked_skb, &chan->tx_q);
2614 kfree_skb(acked_skb);
2615 chan->unacked_frames--;
2616 }
2617 }
2618
2619 chan->expected_ack_seq = reqseq;
2620
2621 if (chan->unacked_frames == 0)
2622 __clear_retrans_timer(chan);
2623
b4400672 2624 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2625}
2626
2627static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2628{
2629 BT_DBG("chan %p", chan);
2630
2631 chan->expected_tx_seq = chan->buffer_seq;
2632 l2cap_seq_list_clear(&chan->srej_list);
2633 skb_queue_purge(&chan->srej_q);
2634 chan->rx_state = L2CAP_RX_STATE_RECV;
2635}
2636
d660366d
GP		 2637static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2638 struct l2cap_ctrl *control,
2639 struct sk_buff_head *skbs, u8 event)
608bcc6d 2640{
608bcc6d
MM		 2641 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2642 event);
2643
2644 switch (event) {
2645 case L2CAP_EV_DATA_REQUEST:
2646 if (chan->tx_send_head == NULL)
2647 chan->tx_send_head = skb_peek(skbs);
2648
2649 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2650 l2cap_ertm_send(chan);
2651 break;
2652 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2653 BT_DBG("Enter LOCAL_BUSY");
2654 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2655
2656 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2657 /* The SREJ_SENT state must be aborted if we are to
2658 * enter the LOCAL_BUSY state.
2659 */
2660 l2cap_abort_rx_srej_sent(chan);
2661 }
2662
2663 l2cap_send_ack(chan);
2664
2665 break;
2666 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2667 BT_DBG("Exit LOCAL_BUSY");
2668 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2669
2670 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2671 struct l2cap_ctrl local_control;
2672
2673 memset(&local_control, 0, sizeof(local_control));
2674 local_control.sframe = 1;
2675 local_control.super = L2CAP_SUPER_RR;
2676 local_control.poll = 1;
2677 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2678 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2679
2680 chan->retry_count = 1;
2681 __set_monitor_timer(chan);
2682 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2683 }
2684 break;
2685 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2686 l2cap_process_reqseq(chan, control->reqseq);
2687 break;
2688 case L2CAP_EV_EXPLICIT_POLL:
2689 l2cap_send_rr_or_rnr(chan, 1);
2690 chan->retry_count = 1;
2691 __set_monitor_timer(chan);
2692 __clear_ack_timer(chan);
2693 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2694 break;
2695 case L2CAP_EV_RETRANS_TO:
2696 l2cap_send_rr_or_rnr(chan, 1);
2697 chan->retry_count = 1;
2698 __set_monitor_timer(chan);
2699 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2700 break;
2701 case L2CAP_EV_RECV_FBIT:
2702 /* Nothing to process */
2703 break;
2704 default:
2705 break;
2706 }
608bcc6d
MM		 2707}
2708
d660366d
GP		 2709static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2710 struct l2cap_ctrl *control,
2711 struct sk_buff_head *skbs, u8 event)
608bcc6d 2712{
608bcc6d
MM		 2713 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2714 event);
2715
2716 switch (event) {
2717 case L2CAP_EV_DATA_REQUEST:
2718 if (chan->tx_send_head == NULL)
2719 chan->tx_send_head = skb_peek(skbs);
2720 /* Queue data, but don't send. */
2721 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2722 break;
2723 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2724 BT_DBG("Enter LOCAL_BUSY");
2725 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2726
2727 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2728 /* The SREJ_SENT state must be aborted if we are to
2729 * enter the LOCAL_BUSY state.
2730 */
2731 l2cap_abort_rx_srej_sent(chan);
2732 }
2733
2734 l2cap_send_ack(chan);
2735
2736 break;
2737 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2738 BT_DBG("Exit LOCAL_BUSY");
2739 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2740
2741 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2742 struct l2cap_ctrl local_control;
2743 memset(&local_control, 0, sizeof(local_control));
2744 local_control.sframe = 1;
2745 local_control.super = L2CAP_SUPER_RR;
2746 local_control.poll = 1;
2747 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2748 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2749
2750 chan->retry_count = 1;
2751 __set_monitor_timer(chan);
2752 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2753 }
2754 break;
2755 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2756 l2cap_process_reqseq(chan, control->reqseq);
2757
2758 /* Fall through */
2759
2760 case L2CAP_EV_RECV_FBIT:
2761 if (control && control->final) {
2762 __clear_monitor_timer(chan);
2763 if (chan->unacked_frames > 0)
2764 __set_retrans_timer(chan);
2765 chan->retry_count = 0;
2766 chan->tx_state = L2CAP_TX_STATE_XMIT;
2767 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2768 }
2769 break;
2770 case L2CAP_EV_EXPLICIT_POLL:
2771 /* Ignore */
2772 break;
2773 case L2CAP_EV_MONITOR_TO:
2774 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2775 l2cap_send_rr_or_rnr(chan, 1);
2776 __set_monitor_timer(chan);
2777 chan->retry_count++;
2778 } else {
5e4e3972 2779 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2780 }
2781 break;
2782 default:
2783 break;
2784 }
608bcc6d
MM		 2785}
2786
d660366d
GP		 2787static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2788 struct sk_buff_head *skbs, u8 event)
608bcc6d 2789{
608bcc6d
MM		 2790 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2791 chan, control, skbs, event, chan->tx_state);
2792
2793 switch (chan->tx_state) {
2794 case L2CAP_TX_STATE_XMIT:
d660366d 2795 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2796 break;
2797 case L2CAP_TX_STATE_WAIT_F:
d660366d 2798 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2799 break;
2800 default:
2801 /* Ignore event */
2802 break;
2803 }
608bcc6d
MM		 2804}
2805
4b51dae9
MM		 2806static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2807 struct l2cap_ctrl *control)
2808{
2809 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2810 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2811}
2812
f80842a8
MM		 2813static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2814 struct l2cap_ctrl *control)
2815{
2816 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2817 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2818}
2819
1da177e4
LT		 2820/* Copy frame to all raw sockets on that connection */
2821static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2822{
1da177e4 2823 struct sk_buff *nskb;
48454079 2824 struct l2cap_chan *chan;
1da177e4
LT		 2825
2826 BT_DBG("conn %p", conn);
2827
3df91ea2 2828 mutex_lock(&conn->chan_lock);
3d57dc68 2829
3df91ea2 2830 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2831 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2832 continue;
2833
7f5396a7
GP		 2834 /* Don't send frame to the channel it came from */
2835 if (bt_cb(skb)->chan == chan)
1da177e4 2836 continue;
7f5396a7 2837
8bcde1f2 2838 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2839 if (!nskb)
1da177e4 2840 continue;
80b98027 2841 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2842 kfree_skb(nskb);
2843 }
3d57dc68 2844
3df91ea2 2845 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2846}
2847
2848/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2849static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2850 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2851{
2852 struct sk_buff *skb, **frag;
2853 struct l2cap_cmd_hdr *cmd;
2854 struct l2cap_hdr *lh;
2855 int len, count;
2856
b4400672
AE		 2857 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2858 conn, code, ident, dlen);
1da177e4 2859
300b962e
AL		 2860 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2861 return NULL;
2862
1da177e4
LT		 2863 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2864 count = min_t(unsigned int, conn->mtu, len);
2865
8bcde1f2 2866 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2867 if (!skb)
2868 return NULL;
2869
2870 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2871 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2872
2873 if (conn->hcon->type == LE_LINK)
dcf4adbf 2874 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2875 else
dcf4adbf 2876 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2877
2878 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2879 cmd->code = code;
2880 cmd->ident = ident;
aca3192c 2881 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2882
2883 if (dlen) {
2884 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2885 memcpy(skb_put(skb, count), data, count);
2886 data += count;
2887 }
2888
2889 len -= skb->len;
2890
2891 /* Continuation fragments (no L2CAP header) */
2892 frag = &skb_shinfo(skb)->frag_list;
2893 while (len) {
2894 count = min_t(unsigned int, conn->mtu, len);
2895
8bcde1f2 2896 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2897 if (!*frag)
2898 goto fail;
2899
2900 memcpy(skb_put(*frag, count), data, count);
2901
2902 len -= count;
2903 data += count;
2904
2905 frag = &(*frag)->next;
2906 }
2907
2908 return skb;
2909
2910fail:
2911 kfree_skb(skb);
2912 return NULL;
2913}
2914
2d792818
GP		 2915static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2916 unsigned long *val)
1da177e4
LT		 2917{
2918 struct l2cap_conf_opt *opt = *ptr;
2919 int len;
2920
2921 len = L2CAP_CONF_OPT_SIZE + opt->len;
2922 *ptr += len;
2923
2924 *type = opt->type;
2925 *olen = opt->len;
2926
2927 switch (opt->len) {
2928 case 1:
2929 *val = *((u8 *) opt->val);
2930 break;
2931
2932 case 2:
bfaaeb3e 2933 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2934 break;
2935
2936 case 4:
bfaaeb3e 2937 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2938 break;
2939
2940 default:
2941 *val = (unsigned long) opt->val;
2942 break;
2943 }
2944
b4400672 2945 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2946 return len;
2947}
2948
1da177e4
LT		 2949static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2950{
2951 struct l2cap_conf_opt *opt = *ptr;
2952
b4400672 2953 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2954
2955 opt->type = type;
2956 opt->len = len;
2957
2958 switch (len) {
2959 case 1:
2960 *((u8 *) opt->val) = val;
2961 break;
2962
2963 case 2:
4f8b691c 2964 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2965 break;
2966
2967 case 4:
4f8b691c 2968 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2969 break;
2970
2971 default:
2972 memcpy(opt->val, (void *) val, len);
2973 break;
2974 }
2975
2976 *ptr += L2CAP_CONF_OPT_SIZE + len;
2977}
2978
f89cef09
AE		 2979static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2980{
2981 struct l2cap_conf_efs efs;
2982
1ec918ce 2983 switch (chan->mode) {
f89cef09
AE		 2984 case L2CAP_MODE_ERTM:
2985 efs.id = chan->local_id;
2986 efs.stype = chan->local_stype;
2987 efs.msdu = cpu_to_le16(chan->local_msdu);
2988 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2989 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2990 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2991 break;
2992
2993 case L2CAP_MODE_STREAMING:
2994 efs.id = 1;
2995 efs.stype = L2CAP_SERV_BESTEFFORT;
2996 efs.msdu = cpu_to_le16(chan->local_msdu);
2997 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2998 efs.acc_lat = 0;
2999 efs.flush_to = 0;
3000 break;
3001
3002 default:
3003 return;
3004 }
3005
3006 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3007 (unsigned long) &efs);
f89cef09
AE		 3008}
3009
721c4181 3010static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3011{
721c4181 3012 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3013 ack_timer.work);
3014 u16 frames_to_ack;
c1b4f43b 3015
2fb9b3d4
GP		 3016 BT_DBG("chan %p", chan);
3017
6be36555
AE		 3018 l2cap_chan_lock(chan);
3019
0362520b
MM		 3020 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3021 chan->last_acked_seq);
6be36555 3022
0362520b
MM		 3023 if (frames_to_ack)
3024 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3025
0362520b 3026 l2cap_chan_unlock(chan);
09bfb2ee 3027 l2cap_chan_put(chan);
c1b4f43b
GP		 3028}
3029
466f8004 3030int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3031{
3c588192
MM		 3032 int err;
3033
105bdf9e
MM		 3034 chan->next_tx_seq = 0;
3035 chan->expected_tx_seq = 0;
42e5c802 3036 chan->expected_ack_seq = 0;
6a026610 3037 chan->unacked_frames = 0;
42e5c802 3038 chan->buffer_seq = 0;
6a026610 3039 chan->frames_sent = 0;
105bdf9e
MM		 3040 chan->last_acked_seq = 0;
3041 chan->sdu = NULL;
3042 chan->sdu_last_frag = NULL;
3043 chan->sdu_len = 0;
3044
d34c34fb
MM		 3045 skb_queue_head_init(&chan->tx_q);
3046
6ed971ca
MH		 3047 chan->local_amp_id = AMP_ID_BREDR;
3048 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3049 chan->move_state = L2CAP_MOVE_STABLE;
3050 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3051
105bdf9e
MM		 3052 if (chan->mode != L2CAP_MODE_ERTM)
3053 return 0;
3054
3055 chan->rx_state = L2CAP_RX_STATE_RECV;
3056 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3057
721c4181
GP		 3058 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3059 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3060 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3061
f1c6775b 3062 skb_queue_head_init(&chan->srej_q);
1890d36b 3063
3c588192
MM		 3064 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3065 if (err < 0)
3066 return err;
3067
9dc9affc
MM		 3068 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3069 if (err < 0)
3070 l2cap_seq_list_free(&chan->srej_list);
3071
3072 return err;
0565c1c2
GP		 3073}
3074
f2fcfcd6
GP		 3075static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3076{
3077 switch (mode) {
3078 case L2CAP_MODE_STREAMING:
3079 case L2CAP_MODE_ERTM:
3080 if (l2cap_mode_supported(mode, remote_feat_mask))
3081 return mode;
3082 /* fall through */
3083 default:
3084 return L2CAP_MODE_BASIC;
3085 }
3086}
3087
848566b3 3088static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3089{
848566b3 3090 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3091}
3092
848566b3 3093static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3094{
848566b3 3095 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3096}
3097
36c86c85
MM		 3098static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3099 struct l2cap_conf_rfc *rfc)
3100{
6ed971ca 3101 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3102 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3103
3104 /* Class 1 devices have must have ERTM timeouts
3105 * exceeding the Link Supervision Timeout. The
3106 * default Link Supervision Timeout for AMP
3107 * controllers is 10 seconds.
3108 *
3109 * Class 1 devices use 0xffffffff for their
3110 * best-effort flush timeout, so the clamping logic
3111 * will result in a timeout that meets the above
3112 * requirement. ERTM timeouts are 16-bit values, so
3113 * the maximum timeout is 65.535 seconds.
3114 */
3115
3116 /* Convert timeout to milliseconds and round */
3117 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3118
3119 /* This is the recommended formula for class 2 devices
3120 * that start ERTM timers when packets are sent to the
3121 * controller.
3122 */
3123 ertm_to = 3 * ertm_to + 500;
3124
3125 if (ertm_to > 0xffff)
3126 ertm_to = 0xffff;
3127
3128 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3129 rfc->monitor_timeout = rfc->retrans_timeout;
3130 } else {
dcf4adbf
JP		 3131 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3132 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3133 }
3134}
3135
6327eb98
AE		 3136static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3137{
3138 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3139 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3140 /* use extended control field */
3141 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3142 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3143 } else {
6327eb98 3144 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3145 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3146 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3147 }
c20f8e35 3148 chan->ack_win = chan->tx_win;
6327eb98
AE		 3149}
3150
710f9b0a 3151static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3152{
1da177e4 3153 struct l2cap_conf_req *req = data;
0c1bc5c6 3154 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3155 void *ptr = req->data;
c8f79162 3156 u16 size;
1da177e4 3157
49208c9c 3158 BT_DBG("chan %p", chan);
1da177e4 3159
73ffa904 3160 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3161 goto done;
3162
0c1bc5c6 3163 switch (chan->mode) {
f2fcfcd6
GP		 3164 case L2CAP_MODE_STREAMING:
3165 case L2CAP_MODE_ERTM:
c1360a1c 3166 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3167 break;
85eb53c6 3168
848566b3 3169 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3170 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3171
2ba13ed6 3172 /* fall through */
f2fcfcd6 3173 default:
8c1d787b 3174 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3175 break;
3176 }
3177
3178done:
0c1bc5c6
GP		 3179 if (chan->imtu != L2CAP_DEFAULT_MTU)
3180 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3181
0c1bc5c6 3182 switch (chan->mode) {
65c7c491 3183 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3184 if (disable_ertm)
3185 break;
3186
8c1d787b 3187 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3188 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3189 break;
3190
62547752
GP		 3191 rfc.mode = L2CAP_MODE_BASIC;
3192 rfc.txwin_size = 0;
3193 rfc.max_transmit = 0;
3194 rfc.retrans_timeout = 0;
3195 rfc.monitor_timeout = 0;
3196 rfc.max_pdu_size = 0;
3197
63406504 3198 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3199 (unsigned long) &rfc);
65c7c491
MH		 3200 break;
3201
3202 case L2CAP_MODE_ERTM:
3203 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3204 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3205
3206 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3207
3208 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3209 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3210 L2CAP_FCS_SIZE);
c8f79162 3211 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3212
6327eb98
AE		 3213 l2cap_txwin_setup(chan);
3214
3215 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3216 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3217
63406504 3218 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3219 (unsigned long) &rfc);
63406504 3220
f89cef09
AE		 3221 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3222 l2cap_add_opt_efs(&ptr, chan);
3223
6327eb98
AE		 3224 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3225 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3226 chan->tx_win);
60918918
AE		 3227
3228 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3229 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3230 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3231 chan->fcs = L2CAP_FCS_NONE;
3232 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3233 chan->fcs);
3234 }
f2fcfcd6
GP		 3235 break;
3236
3237 case L2CAP_MODE_STREAMING:
273759e2 3238 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3239 rfc.mode = L2CAP_MODE_STREAMING;
3240 rfc.txwin_size = 0;
3241 rfc.max_transmit = 0;
3242 rfc.retrans_timeout = 0;
3243 rfc.monitor_timeout = 0;
c8f79162
AE		 3244
3245 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3246 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3247 L2CAP_FCS_SIZE);
c8f79162 3248 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3249
63406504 3250 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3251 (unsigned long) &rfc);
63406504 3252
f89cef09
AE		 3253 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3254 l2cap_add_opt_efs(&ptr, chan);
3255
60918918
AE		 3256 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3257 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3258 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3259 chan->fcs = L2CAP_FCS_NONE;
3260 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3261 chan->fcs);
3262 }
65c7c491
MH		 3263 break;
3264 }
1da177e4 3265
fe4128e0 3266 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3267 req->flags = cpu_to_le16(0);
1da177e4
LT		 3268
3269 return ptr - data;
3270}
3271
73ffa904 3272static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3273{
5dee9e7c
MH		 3274 struct l2cap_conf_rsp *rsp = data;
3275 void *ptr = rsp->data;
73ffa904
GP		 3276 void *req = chan->conf_req;
3277 int len = chan->conf_len;
5dee9e7c
MH		 3278 int type, hint, olen;
3279 unsigned long val;
6464f35f 3280 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3281 struct l2cap_conf_efs efs;
3282 u8 remote_efs = 0;
861d6882 3283 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3284 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3285 u16 size;
1da177e4 3286
73ffa904 3287 BT_DBG("chan %p", chan);
820ae1b8 3288
5dee9e7c
MH		 3289 while (len >= L2CAP_CONF_OPT_SIZE) {
3290 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3291
589d2746 3292 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3293 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3294
3295 switch (type) {
3296 case L2CAP_CONF_MTU:
861d6882 3297 mtu = val;
5dee9e7c
MH		 3298 break;
3299
3300 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3301 chan->flush_to = val;
5dee9e7c
MH		 3302 break;
3303
3304 case L2CAP_CONF_QOS:
3305 break;
3306
6464f35f
MH		 3307 case L2CAP_CONF_RFC:
3308 if (olen == sizeof(rfc))
3309 memcpy(&rfc, (void *) val, olen);
3310 break;
3311
fcc203c3
GP		 3312 case L2CAP_CONF_FCS:
3313 if (val == L2CAP_FCS_NONE)
f2592d3e 3314 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3315 break;
fcc203c3 3316
42dceae2
AE		 3317 case L2CAP_CONF_EFS:
3318 remote_efs = 1;
3319 if (olen == sizeof(efs))
3320 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3321 break;
3322
6327eb98 3323 case L2CAP_CONF_EWS:
848566b3 3324 if (!chan->conn->hs_enabled)
6327eb98 3325 return -ECONNREFUSED;
fcc203c3 3326
6327eb98
AE		 3327 set_bit(FLAG_EXT_CTRL, &chan->flags);
3328 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3329 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3330 chan->remote_tx_win = val;
fcc203c3
GP		 3331 break;
3332
5dee9e7c
MH		 3333 default:
3334 if (hint)
3335 break;
3336
3337 result = L2CAP_CONF_UNKNOWN;
3338 *((u8 *) ptr++) = type;
3339 break;
3340 }
3341 }
3342
73ffa904 3343 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3344 goto done;
3345
0c1bc5c6 3346 switch (chan->mode) {
f2fcfcd6
GP		 3347 case L2CAP_MODE_STREAMING:
3348 case L2CAP_MODE_ERTM:
c1360a1c 3349 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3350 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3351 chan->conn->feat_mask);
85eb53c6
GP		 3352 break;
3353 }
3354
42dceae2 3355 if (remote_efs) {
848566b3 3356 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3357 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3358 else
3359 return -ECONNREFUSED;
3360 }
3361
0c1bc5c6 3362 if (chan->mode != rfc.mode)
f2fcfcd6 3363 return -ECONNREFUSED;
742e519b 3364
f2fcfcd6 3365 break;
f2fcfcd6
GP		 3366 }
3367
3368done:
0c1bc5c6 3369 if (chan->mode != rfc.mode) {
f2fcfcd6 3370 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3371 rfc.mode = chan->mode;
f2fcfcd6 3372
73ffa904 3373 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3374 return -ECONNREFUSED;
3375
2d792818
GP		 3376 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3377 (unsigned long) &rfc);
f2fcfcd6
GP		 3378 }
3379
5dee9e7c
MH		 3380 if (result == L2CAP_CONF_SUCCESS) {
3381 /* Configure output options and let the other side know
3382 * which ones we don't like. */
3383
f2fcfcd6
GP		 3384 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3385 result = L2CAP_CONF_UNACCEPT;
3386 else {
0c1bc5c6 3387 chan->omtu = mtu;
c1360a1c 3388 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3389 }
0c1bc5c6 3390 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3391
42dceae2
AE		 3392 if (remote_efs) {
3393 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3394 efs.stype != L2CAP_SERV_NOTRAFIC &&
3395 efs.stype != chan->local_stype) {
42dceae2
AE		 3396
3397 result = L2CAP_CONF_UNACCEPT;
3398
3399 if (chan->num_conf_req >= 1)
3400 return -ECONNREFUSED;
3401
3402 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3403 sizeof(efs),
3404 (unsigned long) &efs);
0e8b207e 3405 } else {
3e6b3b95 3406 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3407 result = L2CAP_CONF_PENDING;
3408 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3409 }
3410 }
3411
f2fcfcd6
GP		 3412 switch (rfc.mode) {
3413 case L2CAP_MODE_BASIC:
47d1ec61 3414 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3415 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3416 break;
3417
3418 case L2CAP_MODE_ERTM:
6327eb98
AE		 3419 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3420 chan->remote_tx_win = rfc.txwin_size;
3421 else
3422 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3423
2c03a7a4 3424 chan->remote_max_tx = rfc.max_transmit;
1c762159 3425
c8f79162 3426 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3427 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3428 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3429 rfc.max_pdu_size = cpu_to_le16(size);
3430 chan->remote_mps = size;
f2fcfcd6 3431
36c86c85 3432 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3433
c1360a1c 3434 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3435
3436 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3437 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3438
42dceae2
AE		 3439 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3440 chan->remote_id = efs.id;
3441 chan->remote_stype = efs.stype;
3442 chan->remote_msdu = le16_to_cpu(efs.msdu);
3443 chan->remote_flush_to =
2d792818 3444 le32_to_cpu(efs.flush_to);
42dceae2 3445 chan->remote_acc_lat =
2d792818 3446 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3447 chan->remote_sdu_itime =
3448 le32_to_cpu(efs.sdu_itime);
3449 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3450 sizeof(efs),
3451 (unsigned long) &efs);
42dceae2 3452 }
f2fcfcd6
GP		 3453 break;
3454
3455 case L2CAP_MODE_STREAMING:
c8f79162 3456 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3457 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3458 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3459 rfc.max_pdu_size = cpu_to_le16(size);
3460 chan->remote_mps = size;
f2fcfcd6 3461
c1360a1c 3462 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3463
2d792818
GP		 3464 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3465 (unsigned long) &rfc);
68ae6639 3466
f2fcfcd6
GP		 3467 break;
3468
3469 default:
5dee9e7c 3470 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3471
6464f35f 3472 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3473 rfc.mode = chan->mode;
f2fcfcd6 3474 }
6464f35f 3475
f2fcfcd6 3476 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3477 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3478 }
fe4128e0 3479 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3480 rsp->result = cpu_to_le16(result);
dcf4adbf 3481 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3482
3483 return ptr - data;
1da177e4
LT		 3484}
3485
2d792818
GP		 3486static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3487 void *data, u16 *result)
f2fcfcd6 3488{
f2fcfcd6
GP		 3489 struct l2cap_conf_req *req = data;
3490 void *ptr = req->data;
3491 int type, olen;
3492 unsigned long val;
36e999a8 3493 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3494 struct l2cap_conf_efs efs;
f2fcfcd6 3495
fe4128e0 3496 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3497
3498 while (len >= L2CAP_CONF_OPT_SIZE) {
3499 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3500
3501 switch (type) {
3502 case L2CAP_CONF_MTU:
3503 if (val < L2CAP_DEFAULT_MIN_MTU) {
3504 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3505 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3506 } else
0c1bc5c6
GP		 3507 chan->imtu = val;
3508 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3509 break;
3510
3511 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3512 chan->flush_to = val;
f2fcfcd6 3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3514 2, chan->flush_to);
f2fcfcd6
GP		 3515 break;
3516
3517 case L2CAP_CONF_RFC:
3518 if (olen == sizeof(rfc))
3519 memcpy(&rfc, (void *)val, olen);
3520
c1360a1c 3521 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3522 rfc.mode != chan->mode)
f2fcfcd6
GP		 3523 return -ECONNREFUSED;
3524
47d1ec61 3525 chan->fcs = 0;
f2fcfcd6
GP		 3526
3527 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3528 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3529 break;
6327eb98
AE		 3530
3531 case L2CAP_CONF_EWS:
c20f8e35 3532 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3533 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3534 chan->tx_win);
6327eb98 3535 break;
66af7aaf
AE		 3536
3537 case L2CAP_CONF_EFS:
3538 if (olen == sizeof(efs))
3539 memcpy(&efs, (void *)val, olen);
3540
3541 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3542 efs.stype != L2CAP_SERV_NOTRAFIC &&
3543 efs.stype != chan->local_stype)
66af7aaf
AE		 3544 return -ECONNREFUSED;
3545
2d792818
GP		 3546 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3547 (unsigned long) &efs);
66af7aaf 3548 break;
cbabee78
AE		 3549
3550 case L2CAP_CONF_FCS:
3551 if (*result == L2CAP_CONF_PENDING)
3552 if (val == L2CAP_FCS_NONE)
f2592d3e 3553 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3554 &chan->conf_state);
3555 break;
f2fcfcd6
GP		 3556 }
3557 }
3558
0c1bc5c6 3559 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3560 return -ECONNREFUSED;
3561
0c1bc5c6 3562 chan->mode = rfc.mode;
6c2ea7a8 3563
0e8b207e 3564 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3565 switch (rfc.mode) {
3566 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3567 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3568 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3569 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3570 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3571 chan->ack_win = min_t(u16, chan->ack_win,
3572 rfc.txwin_size);
66af7aaf
AE		 3573
3574 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3575 chan->local_msdu = le16_to_cpu(efs.msdu);
3576 chan->local_sdu_itime =
2d792818 3577 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3578 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3579 chan->local_flush_to =
2d792818 3580 le32_to_cpu(efs.flush_to);
66af7aaf 3581 }
f2fcfcd6 3582 break;
66af7aaf 3583
f2fcfcd6 3584 case L2CAP_MODE_STREAMING:
47d1ec61 3585 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3586 }
3587 }
3588
fe4128e0 3589 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3590 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3591
3592 return ptr - data;
3593}
3594
2d792818
GP		 3595static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3596 u16 result, u16 flags)
1da177e4
LT		 3597{
3598 struct l2cap_conf_rsp *rsp = data;
3599 void *ptr = rsp->data;
1da177e4 3600
fe4128e0 3601 BT_DBG("chan %p", chan);
1da177e4 3602
fe4128e0 3603 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3604 rsp->result = cpu_to_le16(result);
aca3192c 3605 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3606
3607 return ptr - data;
3608}
3609
27e2d4c8
JH		 3610void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3611{
3612 struct l2cap_le_conn_rsp rsp;
3613 struct l2cap_conn *conn = chan->conn;
3614
3615 BT_DBG("chan %p", chan);
3616
3617 rsp.dcid = cpu_to_le16(chan->scid);
3618 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3619 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3620 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3621 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3622
3623 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3624 &rsp);
3625}
3626
8c1d787b 3627void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3628{
3629 struct l2cap_conn_rsp rsp;
8c1d787b 3630 struct l2cap_conn *conn = chan->conn;
710f9b0a 3631 u8 buf[128];
439f34ac 3632 u8 rsp_code;
710f9b0a 3633
fe4128e0
GP		 3634 rsp.scid = cpu_to_le16(chan->dcid);
3635 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3636 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3637 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3638
3639 if (chan->hs_hcon)
3640 rsp_code = L2CAP_CREATE_CHAN_RSP;
3641 else
3642 rsp_code = L2CAP_CONN_RSP;
3643
3644 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3645
3646 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3647
c1360a1c 3648 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3649 return;
3650
710f9b0a 3651 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3652 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3653 chan->num_conf_req++;
3654}
3655
47d1ec61 3656static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3657{
7b1c0049
GP		 3658 int type, olen;
3659 unsigned long val;
c20f8e35
MM		 3660 /* Use sane default values in case a misbehaving remote device
3661 * did not send an RFC or extended window size option.
3662 */
3663 u16 txwin_ext = chan->ack_win;
3664 struct l2cap_conf_rfc rfc = {
3665 .mode = chan->mode,
dcf4adbf
JP		 3666 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3667 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3668 .max_pdu_size = cpu_to_le16(chan->imtu),
3669 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3670 };
7b1c0049 3671
47d1ec61 3672 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3673
0c1bc5c6 3674 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3675 return;
3676
3677 while (len >= L2CAP_CONF_OPT_SIZE) {
3678 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3679
c20f8e35
MM		 3680 switch (type) {
3681 case L2CAP_CONF_RFC:
3682 if (olen == sizeof(rfc))
3683 memcpy(&rfc, (void *)val, olen);
8f321f85 3684 break;
c20f8e35
MM		 3685 case L2CAP_CONF_EWS:
3686 txwin_ext = val;
3687 break;
3688 }
7b1c0049
GP		 3689 }
3690
7b1c0049
GP		 3691 switch (rfc.mode) {
3692 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3693 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3694 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3695 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3696 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3697 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3698 else
3699 chan->ack_win = min_t(u16, chan->ack_win,
3700 rfc.txwin_size);
7b1c0049
GP		 3701 break;
3702 case L2CAP_MODE_STREAMING:
47d1ec61 3703 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3704 }
3705}
3706
2d792818 3707static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3708 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3709 u8 *data)
4e8402a3 3710{
e2fd318e 3711 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3712
cb3b3152
JH		 3713 if (cmd_len < sizeof(*rej))
3714 return -EPROTO;
3715
e2fd318e 3716 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3717 return 0;
3718
3719 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3720 cmd->ident == conn->info_ident) {
17cd3f37 3721 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3722
3723 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3724 conn->info_ident = 0;
984947dc 3725
4e8402a3
MH		 3726 l2cap_conn_start(conn);
3727 }
3728
3729 return 0;
3730}
3731
1700915f
MM		 3732static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3733 struct l2cap_cmd_hdr *cmd,
3734 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3735{
1da177e4
LT		 3736 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3737 struct l2cap_conn_rsp rsp;
23691d75 3738 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3739 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3740
3741 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3742 __le16 psm = req->psm;
1da177e4 3743
097db76c 3744 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3745
3746 /* Check if we have socket listening on psm */
6f59b904 3747 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3748 &conn->hcon->dst, ACL_LINK);
23691d75 3749 if (!pchan) {
1da177e4
LT		 3750 result = L2CAP_CR_BAD_PSM;
3751 goto sendresp;
3752 }
3753
3df91ea2 3754 mutex_lock(&conn->chan_lock);
8ffb9290 3755 l2cap_chan_lock(pchan);
e0f0cb56 3756
e7c29cb1 3757 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3758 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3759 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3760 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3761 result = L2CAP_CR_SEC_BLOCK;
3762 goto response;
3763 }
3764
1da177e4
LT		 3765 result = L2CAP_CR_NO_MEM;
3766
2dfa1003
GP		 3767 /* Check if we already have channel with that dcid */
3768 if (__l2cap_get_chan_by_dcid(conn, scid))
3769 goto response;
3770
80b98027 3771 chan = pchan->ops->new_connection(pchan);
80808e43 3772 if (!chan)
1da177e4
LT		 3773 goto response;
3774
330b6c15
SS		 3775 /* For certain devices (ex: HID mouse), support for authentication,
3776 * pairing and bonding is optional. For such devices, inorder to avoid
3777 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3778 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3779 */
3780 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3781
7eafc59e
MH		 3782 bacpy(&chan->src, &conn->hcon->src);
3783 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3784 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3785 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3786 chan->psm = psm;
3787 chan->dcid = scid;
1700915f 3788 chan->local_amp_id = amp_id;
1da177e4 3789
6be36555 3790 __l2cap_chan_add(conn, chan);
48454079 3791
fe4128e0 3792 dcid = chan->scid;
1da177e4 3793
8d836d71 3794 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3795
fc7f8a7e 3796 chan->ident = cmd->ident;
1da177e4 3797
984947dc 3798 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3799 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3800 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3801 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3802 result = L2CAP_CR_PEND;
3803 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3804 chan->ops->defer(chan);
f66dc81f 3805 } else {
1700915f
MM		 3806 /* Force pending result for AMP controllers.
3807 * The connection will succeed after the
3808 * physical link is up.
3809 */
6ed971ca 3810 if (amp_id == AMP_ID_BREDR) {
f93fa273 3811 l2cap_state_change(chan, BT_CONFIG);
1700915f 3812 result = L2CAP_CR_SUCCESS;
6ed971ca 3813 } else {
f93fa273 3814 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3815 result = L2CAP_CR_PEND;
1700915f 3816 }
f66dc81f
MH		 3817 status = L2CAP_CS_NO_INFO;
3818 }
79d554a6 3819 } else {
f93fa273 3820 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3821 result = L2CAP_CR_PEND;
3822 status = L2CAP_CS_AUTHEN_PEND;
3823 }
3824 } else {
f93fa273 3825 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3826 result = L2CAP_CR_PEND;
3827 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3828 }
3829
1da177e4 3830response:
8ffb9290 3831 l2cap_chan_unlock(pchan);
3df91ea2 3832 mutex_unlock(&conn->chan_lock);
a24cce14 3833 l2cap_chan_put(pchan);
1da177e4
LT		 3834
3835sendresp:
aca3192c
YH		 3836 rsp.scid = cpu_to_le16(scid);
3837 rsp.dcid = cpu_to_le16(dcid);
3838 rsp.result = cpu_to_le16(result);
3839 rsp.status = cpu_to_le16(status);
4c89b6aa 3840 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3841
3842 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3843 struct l2cap_info_req info;
dcf4adbf 3844 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3845
3846 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3847 conn->info_ident = l2cap_get_ident(conn);
3848
ba13ccd9 3849 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3850
2d792818
GP		 3851 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3852 sizeof(info), &info);
79d554a6
MH		 3853 }
3854
c1360a1c 3855 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3856 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3857 u8 buf[128];
c1360a1c 3858 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3859 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3860 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3861 chan->num_conf_req++;
e9aeb2dd 3862 }
1700915f
MM		 3863
3864 return chan;
4c89b6aa 3865}
e9aeb2dd 3866
4c89b6aa 3867static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3868 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3869{
7b064eda
JK		 3870 struct hci_dev *hdev = conn->hcon->hdev;
3871 struct hci_conn *hcon = conn->hcon;
3872
cb3b3152
JH		 3873 if (cmd_len < sizeof(struct l2cap_conn_req))
3874 return -EPROTO;
3875
7b064eda
JK		 3876 hci_dev_lock(hdev);
3877 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3878 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
48ec92fa 3879 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
7b064eda
JK		 3880 hci_dev_unlock(hdev);
3881
300229f9 3882 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3883 return 0;
3884}
3885
5909cf30 3886static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3887 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3888 u8 *data)
1da177e4
LT		 3889{
3890 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3891 u16 scid, dcid, result, status;
48454079 3892 struct l2cap_chan *chan;
1da177e4 3893 u8 req[128];
3df91ea2 3894 int err;
1da177e4 3895
cb3b3152
JH		 3896 if (cmd_len < sizeof(*rsp))
3897 return -EPROTO;
3898
1da177e4
LT		 3899 scid = __le16_to_cpu(rsp->scid);
3900 dcid = __le16_to_cpu(rsp->dcid);
3901 result = __le16_to_cpu(rsp->result);
3902 status = __le16_to_cpu(rsp->status);
3903
1b009c98 3904 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3905 dcid, scid, result, status);
1da177e4 3906
3df91ea2
AE		 3907 mutex_lock(&conn->chan_lock);
3908
1da177e4 3909 if (scid) {
3df91ea2
AE		 3910 chan = __l2cap_get_chan_by_scid(conn, scid);
3911 if (!chan) {
21870b52 3912 err = -EBADSLT;
3df91ea2
AE		 3913 goto unlock;
3914 }
1da177e4 3915 } else {
3df91ea2
AE		 3916 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3917 if (!chan) {
21870b52 3918 err = -EBADSLT;
3df91ea2
AE		 3919 goto unlock;
3920 }
1da177e4
LT		 3921 }
3922
3df91ea2
AE		 3923 err = 0;
3924
6be36555 3925 l2cap_chan_lock(chan);
48454079 3926
1da177e4
LT		 3927 switch (result) {
3928 case L2CAP_CR_SUCCESS:
89bc500e 3929 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3930 chan->ident = 0;
fe4128e0 3931 chan->dcid = dcid;
c1360a1c 3932 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3933
c1360a1c 3934 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3935 break;
3936
1da177e4 3937 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3938 l2cap_build_conf_req(chan, req), req);
73ffa904 3939 chan->num_conf_req++;
1da177e4
LT		 3940 break;
3941
3942 case L2CAP_CR_PEND:
c1360a1c 3943 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3944 break;
3945
3946 default:
48454079 3947 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3948 break;
3949 }
3950
6be36555 3951 l2cap_chan_unlock(chan);
3df91ea2
AE		 3952
3953unlock:
3954 mutex_unlock(&conn->chan_lock);
3955
3956 return err;
1da177e4
LT		 3957}
3958
47d1ec61 3959static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3960{
3961 /* FCS is enabled only in ERTM or streaming mode, if one or both
3962 * sides request it.
3963 */
0c1bc5c6 3964 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3965 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3966 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3967 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3968}
3969
29d8a590
AE		 3970static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3971 u8 ident, u16 flags)
3972{
3973 struct l2cap_conn *conn = chan->conn;
3974
3975 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3976 flags);
3977
3978 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3979 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3980
3981 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3982 l2cap_build_conf_rsp(chan, data,
3983 L2CAP_CONF_SUCCESS, flags), data);
3984}
3985
662d652d
JH		 3986static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3987 u16 scid, u16 dcid)
3988{
3989 struct l2cap_cmd_rej_cid rej;
3990
dcf4adbf 3991 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3992 rej.scid = __cpu_to_le16(scid);
3993 rej.dcid = __cpu_to_le16(dcid);
3994
3995 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3996}
3997
2d792818
GP		 3998static inline int l2cap_config_req(struct l2cap_conn *conn,
3999 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4000 u8 *data)
1da177e4
LT		 4001{
4002 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4003 u16 dcid, flags;
4004 u8 rsp[64];
48454079 4005 struct l2cap_chan *chan;
3c588192 4006 int len, err = 0;
1da177e4 4007
cb3b3152
JH		 4008 if (cmd_len < sizeof(*req))
4009 return -EPROTO;
4010
1da177e4
LT		 4011 dcid = __le16_to_cpu(req->dcid);
4012 flags = __le16_to_cpu(req->flags);
4013
4014 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4015
baa7e1fa 4016 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4017 if (!chan) {
4018 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4019 return 0;
4020 }
1da177e4 4021
033b1142 4022 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4023 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4024 chan->dcid);
354f60a9 4025 goto unlock;
df6bd743 4026 }
354f60a9 4027
5dee9e7c 4028 /* Reject if config buffer is too small. */
88219a0f 4029 len = cmd_len - sizeof(*req);
cb3b3152 4030 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4031 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4032 l2cap_build_conf_rsp(chan, rsp,
4033 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4034 goto unlock;
4035 }
4036
4037 /* Store config. */
73ffa904
GP		 4038 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4039 chan->conf_len += len;
1da177e4 4040
59e54bd1 4041 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4042 /* Incomplete config. Send empty response. */
4043 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4044 l2cap_build_conf_rsp(chan, rsp,
4045 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4046 goto unlock;
4047 }
4048
4049 /* Complete config. */
73ffa904 4050 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4051 if (len < 0) {
5e4e3972 4052 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4053 goto unlock;
f2fcfcd6 4054 }
1da177e4 4055
1500109b 4056 chan->ident = cmd->ident;
5dee9e7c 4057 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4058 chan->num_conf_rsp++;
5dee9e7c 4059
5dee9e7c 4060 /* Reset config buffer. */
73ffa904 4061 chan->conf_len = 0;
5dee9e7c 4062
c1360a1c 4063 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4064 goto unlock;
4065
c1360a1c 4066 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4067 set_default_fcs(chan);
fcc203c3 4068
105bdf9e
MM		 4069 if (chan->mode == L2CAP_MODE_ERTM ||
4070 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4071 err = l2cap_ertm_init(chan);
4072
4073 if (err < 0)
5e4e3972 4074 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4075 else
4076 l2cap_chan_ready(chan);
0565c1c2 4077
876d9484
MH		 4078 goto unlock;
4079 }
4080
c1360a1c 4081 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4082 u8 buf[64];
1da177e4 4083 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4084 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4085 chan->num_conf_req++;
1da177e4
LT		 4086 }
4087
49c922bb 4088 /* Got Conf Rsp PENDING from remote side and assume we sent
0e8b207e
AE		 4089 Conf Rsp PENDING in the code above */
4090 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4091 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4092
4093 /* check compatibility */
4094
79de886d 4095 /* Send rsp for BR/EDR channel */
f351bc72 4096 if (!chan->hs_hcon)
79de886d
AE		 4097 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4098 else
4099 chan->ident = cmd->ident;
0e8b207e
AE		 4100 }
4101
1da177e4 4102unlock:
6be36555 4103 l2cap_chan_unlock(chan);
3c588192 4104 return err;
1da177e4
LT		 4105}
4106
2d792818 4107static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4108 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4109 u8 *data)
1da177e4
LT		 4110{
4111 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4112 u16 scid, flags, result;
48454079 4113 struct l2cap_chan *chan;
cb3b3152 4114 int len = cmd_len - sizeof(*rsp);
3c588192 4115 int err = 0;
1da177e4 4116
cb3b3152
JH		 4117 if (cmd_len < sizeof(*rsp))
4118 return -EPROTO;
4119
1da177e4
LT		 4120 scid = __le16_to_cpu(rsp->scid);
4121 flags = __le16_to_cpu(rsp->flags);
4122 result = __le16_to_cpu(rsp->result);
4123
61386cba
AE		 4124 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4125 result, len);
1da177e4 4126
baa7e1fa 4127 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4128 if (!chan)
1da177e4
LT		 4129 return 0;
4130
4131 switch (result) {
4132 case L2CAP_CONF_SUCCESS:
47d1ec61 4133 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4134 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4135 break;
4136
0e8b207e
AE		 4137 case L2CAP_CONF_PENDING:
4138 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4139
4140 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4141 char buf[64];
4142
4143 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4144 buf, &result);
0e8b207e 4145 if (len < 0) {
5e4e3972 4146 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4147 goto done;
4148 }
4149
f351bc72 4150 if (!chan->hs_hcon) {
79de886d
AE		 4151 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4152 0);
5ce66b59
AE		 4153 } else {
4154 if (l2cap_check_efs(chan)) {
4155 amp_create_logical_link(chan);
4156 chan->ident = cmd->ident;
4157 }
4158 }
0e8b207e
AE		 4159 }
4160 goto done;
4161
1da177e4 4162 case L2CAP_CONF_UNACCEPT:
73ffa904 4163 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4164 char req[64];
4165
c2c77ec8 4166 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4167 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4168 goto done;
4169 }
4170
f2fcfcd6
GP		 4171 /* throw out any old stored conf requests */
4172 result = L2CAP_CONF_SUCCESS;
b4450035 4173 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4174 req, &result);
f2fcfcd6 4175 if (len < 0) {
5e4e3972 4176 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4177 goto done;
4178 }
4179
4180 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4181 L2CAP_CONF_REQ, len, req);
73ffa904 4182 chan->num_conf_req++;
f2fcfcd6
GP		 4183 if (result != L2CAP_CONF_SUCCESS)
4184 goto done;
4185 break;
1da177e4
LT		 4186 }
4187
8e87d142 4188 default:
6be36555 4189 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4190
ba13ccd9 4191 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4192 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4193 goto done;
4194 }
4195
59e54bd1 4196 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4197 goto done;
4198
c1360a1c 4199 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4200
c1360a1c 4201 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4202 set_default_fcs(chan);
fcc203c3 4203
105bdf9e
MM		 4204 if (chan->mode == L2CAP_MODE_ERTM ||
4205 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4206 err = l2cap_ertm_init(chan);
0565c1c2 4207
3c588192 4208 if (err < 0)
5e4e3972 4209 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4210 else
4211 l2cap_chan_ready(chan);
1da177e4
LT		 4212 }
4213
4214done:
6be36555 4215 l2cap_chan_unlock(chan);
3c588192 4216 return err;
1da177e4
LT		 4217}
4218
2d792818 4219static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4220 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4221 u8 *data)
1da177e4
LT		 4222{
4223 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4224 struct l2cap_disconn_rsp rsp;
4225 u16 dcid, scid;
48454079 4226 struct l2cap_chan *chan;
1da177e4 4227
cb3b3152
JH		 4228 if (cmd_len != sizeof(*req))
4229 return -EPROTO;
4230
1da177e4
LT		 4231 scid = __le16_to_cpu(req->scid);
4232 dcid = __le16_to_cpu(req->dcid);
4233
4234 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4235
3df91ea2
AE		 4236 mutex_lock(&conn->chan_lock);
4237
4238 chan = __l2cap_get_chan_by_scid(conn, dcid);
4239 if (!chan) {
4240 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4241 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4242 return 0;
3df91ea2 4243 }
1da177e4 4244
6be36555
AE		 4245 l2cap_chan_lock(chan);
4246
fe4128e0
GP		 4247 rsp.dcid = cpu_to_le16(chan->scid);
4248 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4249 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4250
5ec1bbe5 4251 chan->ops->set_shutdown(chan);
1da177e4 4252
61d6ef3e 4253 l2cap_chan_hold(chan);
48454079 4254 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4255
4256 l2cap_chan_unlock(chan);
1da177e4 4257
80b98027 4258 chan->ops->close(chan);
61d6ef3e 4259 l2cap_chan_put(chan);
3df91ea2
AE		 4260
4261 mutex_unlock(&conn->chan_lock);
4262
1da177e4
LT		 4263 return 0;
4264}
4265
2d792818 4266static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4267 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4268 u8 *data)
1da177e4
LT		 4269{
4270 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4271 u16 dcid, scid;
48454079 4272 struct l2cap_chan *chan;
1da177e4 4273
cb3b3152
JH		 4274 if (cmd_len != sizeof(*rsp))
4275 return -EPROTO;
4276
1da177e4
LT		 4277 scid = __le16_to_cpu(rsp->scid);
4278 dcid = __le16_to_cpu(rsp->dcid);
4279
4280 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4281
3df91ea2
AE		 4282 mutex_lock(&conn->chan_lock);
4283
4284 chan = __l2cap_get_chan_by_scid(conn, scid);
4285 if (!chan) {
4286 mutex_unlock(&conn->chan_lock);
1da177e4 4287 return 0;
3df91ea2 4288 }
1da177e4 4289
6be36555 4290 l2cap_chan_lock(chan);
48454079 4291
61d6ef3e 4292 l2cap_chan_hold(chan);
48454079 4293 l2cap_chan_del(chan, 0);
6be36555
AE		 4294
4295 l2cap_chan_unlock(chan);
1da177e4 4296
80b98027 4297 chan->ops->close(chan);
61d6ef3e 4298 l2cap_chan_put(chan);
3df91ea2
AE		 4299
4300 mutex_unlock(&conn->chan_lock);
4301
1da177e4
LT		 4302 return 0;
4303}
4304
2d792818 4305static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4306 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4307 u8 *data)
1da177e4
LT		 4308{
4309 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4310 u16 type;
4311
cb3b3152
JH		 4312 if (cmd_len != sizeof(*req))
4313 return -EPROTO;
4314
1da177e4
LT		 4315 type = __le16_to_cpu(req->type);
4316
4317 BT_DBG("type 0x%4.4x", type);
4318
f0709e03
MH		 4319 if (type == L2CAP_IT_FEAT_MASK) {
4320 u8 buf[8];
44dd46de 4321 u32 feat_mask = l2cap_feat_mask;
f0709e03 4322 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4323 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4324 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4325 if (!disable_ertm)
fcc203c3 4326 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4327 | L2CAP_FEAT_FCS;
848566b3 4328 if (conn->hs_enabled)
6327eb98 4329 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4330 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4331
1b7bf4ed 4332 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4333 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4334 buf);
e1027a7c
MH		 4335 } else if (type == L2CAP_IT_FIXED_CHAN) {
4336 u8 buf[12];
4337 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4338
848566b3 4339 if (conn->hs_enabled)
50a147cd
MM		 4340 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4341 else
4342 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4343
dcf4adbf
JP		 4344 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4345 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4346 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4347 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4348 buf);
f0709e03
MH		 4349 } else {
4350 struct l2cap_info_rsp rsp;
4351 rsp.type = cpu_to_le16(type);
dcf4adbf 4352 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4353 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4354 &rsp);
f0709e03 4355 }
1da177e4
LT		 4356
4357 return 0;
4358}
4359
2d792818 4360static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4361 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4362 u8 *data)
1da177e4
LT		 4363{
4364 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4365 u16 type, result;
4366
3f6fa3d4 4367 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4368 return -EPROTO;
4369
1da177e4
LT		 4370 type = __le16_to_cpu(rsp->type);
4371 result = __le16_to_cpu(rsp->result);
4372
4373 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4374
e90165be
AE		 4375 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4376 if (cmd->ident != conn->info_ident ||
2d792818 4377 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4378 return 0;
4379
17cd3f37 4380 cancel_delayed_work(&conn->info_timer);
4e8402a3 4381
adb08ede
VT		 4382 if (result != L2CAP_IR_SUCCESS) {
4383 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4384 conn->info_ident = 0;
4385
4386 l2cap_conn_start(conn);
4387
4388 return 0;
4389 }
4390
978c93b9
AE		 4391 switch (type) {
4392 case L2CAP_IT_FEAT_MASK:
83985319 4393 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4394
47ec1dcd 4395 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4396 struct l2cap_info_req req;
dcf4adbf 4397 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4398
4399 conn->info_ident = l2cap_get_ident(conn);
4400
4401 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4402 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4403 } else {
4404 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4405 conn->info_ident = 0;
4406
4407 l2cap_conn_start(conn);
4408 }
978c93b9
AE		 4409 break;
4410
4411 case L2CAP_IT_FIXED_CHAN:
4412 conn->fixed_chan_mask = rsp->data[0];
984947dc 4413 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4414 conn->info_ident = 0;
984947dc
MH		 4415
4416 l2cap_conn_start(conn);
978c93b9 4417 break;
984947dc 4418 }
4e8402a3 4419
1da177e4
LT		 4420 return 0;
4421}
4422
1700915f
MM		 4423static int l2cap_create_channel_req(struct l2cap_conn *conn,
4424 struct l2cap_cmd_hdr *cmd,
4425 u16 cmd_len, void *data)
f94ff6ff
MM		 4426{
4427 struct l2cap_create_chan_req *req = data;
6e1df6a6 4428 struct l2cap_create_chan_rsp rsp;
1700915f 4429 struct l2cap_chan *chan;
6e1df6a6 4430 struct hci_dev *hdev;
f94ff6ff
MM		 4431 u16 psm, scid;
4432
4433 if (cmd_len != sizeof(*req))
4434 return -EPROTO;
4435
848566b3 4436 if (!conn->hs_enabled)
f94ff6ff
MM		 4437 return -EINVAL;
4438
4439 psm = le16_to_cpu(req->psm);
4440 scid = le16_to_cpu(req->scid);
4441
ad0ac6ca 4442 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4443
6e1df6a6 4444 /* For controller id 0 make BR/EDR connection */
6ed971ca 4445 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4446 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4447 req->amp_id);
4448 return 0;
4449 }
1700915f 4450
6e1df6a6
AE		 4451 /* Validate AMP controller id */
4452 hdev = hci_dev_get(req->amp_id);
4453 if (!hdev)
4454 goto error;
1700915f 4455
6e1df6a6
AE		 4456 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4457 hci_dev_put(hdev);
4458 goto error;
4459 }
1700915f 4460
6e1df6a6
AE		 4461 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4462 req->amp_id);
4463 if (chan) {
4464 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4465 struct hci_conn *hs_hcon;
1700915f 4466
98e0f7ea
MH		 4467 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4468 &conn->hcon->dst);
6e1df6a6
AE		 4469 if (!hs_hcon) {
4470 hci_dev_put(hdev);
662d652d
JH		 4471 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4472 chan->dcid);
4473 return 0;
1700915f
MM		 4474 }
4475
6e1df6a6
AE		 4476 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4477
6e1df6a6
AE		 4478 mgr->bredr_chan = chan;
4479 chan->hs_hcon = hs_hcon;
fd45bf4c 4480 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4481 conn->mtu = hdev->block_mtu;
1700915f 4482 }
f94ff6ff 4483
6e1df6a6 4484 hci_dev_put(hdev);
f94ff6ff
MM		 4485
4486 return 0;
6e1df6a6
AE		 4487
4488error:
4489 rsp.dcid = 0;
4490 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4491 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4492 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4493
4494 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4495 sizeof(rsp), &rsp);
4496
dc280801 4497 return 0;
f94ff6ff
MM		 4498}
4499
8eb200bd
MM		 4500static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4501{
4502 struct l2cap_move_chan_req req;
4503 u8 ident;
4504
4505 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4506
4507 ident = l2cap_get_ident(chan->conn);
4508 chan->ident = ident;
4509
4510 req.icid = cpu_to_le16(chan->scid);
4511 req.dest_amp_id = dest_amp_id;
4512
4513 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4514 &req);
4515
4516 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4517}
4518
1500109b 4519static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4520{
4521 struct l2cap_move_chan_rsp rsp;
4522
1500109b 4523 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4524
1500109b 4525 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4526 rsp.result = cpu_to_le16(result);
4527
1500109b
MM		 4528 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4529 sizeof(rsp), &rsp);
8d5a04a1
MM		 4530}
4531
5b155ef9 4532static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4533{
4534 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4535
5b155ef9 4536 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4537
5b155ef9 4538 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4539
5b155ef9 4540 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4541 cfm.result = cpu_to_le16(result);
4542
5b155ef9
MM		 4543 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4544 sizeof(cfm), &cfm);
4545
4546 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4547}
4548
4549static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4550{
4551 struct l2cap_move_chan_cfm cfm;
4552
4553 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4554
4555 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4556 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4557
4558 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4559 sizeof(cfm), &cfm);
8d5a04a1
MM		 4560}
4561
4562static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4563 u16 icid)
8d5a04a1
MM		 4564{
4565 struct l2cap_move_chan_cfm_rsp rsp;
4566
ad0ac6ca 4567 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4568
4569 rsp.icid = cpu_to_le16(icid);
4570 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4571}
4572
5f3847a4
MM		 4573static void __release_logical_link(struct l2cap_chan *chan)
4574{
4575 chan->hs_hchan = NULL;
4576 chan->hs_hcon = NULL;
4577
4578 /* Placeholder - release the logical link */
4579}
4580
1500109b
MM		 4581static void l2cap_logical_fail(struct l2cap_chan *chan)
4582{
4583 /* Logical link setup failed */
4584 if (chan->state != BT_CONNECTED) {
4585 /* Create channel failure, disconnect */
5e4e3972 4586 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4587 return;
4588 }
4589
4590 switch (chan->move_role) {
4591 case L2CAP_MOVE_ROLE_RESPONDER:
4592 l2cap_move_done(chan);
4593 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4594 break;
4595 case L2CAP_MOVE_ROLE_INITIATOR:
4596 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4597 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4598 /* Remote has only sent pending or
4599 * success responses, clean up
4600 */
4601 l2cap_move_done(chan);
4602 }
4603
4604 /* Other amp move states imply that the move
4605 * has already aborted
4606 */
4607 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4608 break;
4609 }
4610}
4611
4612static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4613 struct hci_chan *hchan)
4614{
4615 struct l2cap_conf_rsp rsp;
1500109b 4616
336178a3 4617 chan->hs_hchan = hchan;
1500109b
MM		 4618 chan->hs_hcon->l2cap_data = chan->conn;
4619
35ba9561 4620 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4621
4622 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4623 int err;
1500109b
MM		 4624
4625 set_default_fcs(chan);
4626
4627 err = l2cap_ertm_init(chan);
4628 if (err < 0)
5e4e3972 4629 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4630 else
4631 l2cap_chan_ready(chan);
4632 }
4633}
4634
4635static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4636 struct hci_chan *hchan)
4637{
4638 chan->hs_hcon = hchan->conn;
4639 chan->hs_hcon->l2cap_data = chan->conn;
4640
4641 BT_DBG("move_state %d", chan->move_state);
4642
4643 switch (chan->move_state) {
4644 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4645 /* Move confirm will be sent after a success
4646 * response is received
4647 */
4648 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4649 break;
4650 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4651 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4652 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4653 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4654 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4655 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4656 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4657 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4658 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4659 }
4660 break;
4661 default:
4662 /* Move was not in expected state, free the channel */
4663 __release_logical_link(chan);
4664
4665 chan->move_state = L2CAP_MOVE_STABLE;
4666 }
4667}
4668
4669/* Call with chan locked */
27695fb4
AE		 4670void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4671 u8 status)
5b155ef9 4672{
1500109b
MM		 4673 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4674
4675 if (status) {
4676 l2cap_logical_fail(chan);
4677 __release_logical_link(chan);
4678 return;
4679 }
4680
4681 if (chan->state != BT_CONNECTED) {
4682 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4683 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4684 l2cap_logical_finish_create(chan, hchan);
4685 } else {
4686 l2cap_logical_finish_move(chan, hchan);
4687 }
5b155ef9
MM		 4688}
4689
3f7a56c4
MM		 4690void l2cap_move_start(struct l2cap_chan *chan)
4691{
4692 BT_DBG("chan %p", chan);
4693
6ed971ca 4694 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4695 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4696 return;
4697 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4698 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4699 /* Placeholder - start physical link setup */
4700 } else {
4701 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4702 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4703 chan->move_id = 0;
4704 l2cap_move_setup(chan);
4705 l2cap_send_move_chan_req(chan, 0);
4706 }
4707}
4708
8eb200bd
MM		 4709static void l2cap_do_create(struct l2cap_chan *chan, int result,
4710 u8 local_amp_id, u8 remote_amp_id)
4711{
62748ca1
AE		 4712 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4713 local_amp_id, remote_amp_id);
4714
12d6cc60
AE		 4715 chan->fcs = L2CAP_FCS_NONE;
4716
62748ca1
AE		 4717 /* Outgoing channel on AMP */
4718 if (chan->state == BT_CONNECT) {
4719 if (result == L2CAP_CR_SUCCESS) {
4720 chan->local_amp_id = local_amp_id;
4721 l2cap_send_create_chan_req(chan, remote_amp_id);
4722 } else {
4723 /* Revert to BR/EDR connect */
4724 l2cap_send_conn_req(chan);
4725 }
4726
4727 return;
4728 }
4729
4730 /* Incoming channel on AMP */
4731 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4732 struct l2cap_conn_rsp rsp;
4733 char buf[128];
4734 rsp.scid = cpu_to_le16(chan->dcid);
4735 rsp.dcid = cpu_to_le16(chan->scid);
4736
8eb200bd
MM		 4737 if (result == L2CAP_CR_SUCCESS) {
4738 /* Send successful response */
dcf4adbf
JP		 4739 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4740 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4741 } else {
4742 /* Send negative response */
dcf4adbf
JP		 4743 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4744 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4745 }
4746
4747 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4748 sizeof(rsp), &rsp);
4749
4750 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4751 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4752 set_bit(CONF_REQ_SENT, &chan->conf_state);
4753 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4754 L2CAP_CONF_REQ,
4755 l2cap_build_conf_req(chan, buf), buf);
4756 chan->num_conf_req++;
4757 }
8eb200bd
MM		 4758 }
4759}
4760
4761static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4762 u8 remote_amp_id)
4763{
4764 l2cap_move_setup(chan);
4765 chan->move_id = local_amp_id;
4766 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4767
4768 l2cap_send_move_chan_req(chan, remote_amp_id);
4769}
4770
4771static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4772{
4773 struct hci_chan *hchan = NULL;
4774
4775 /* Placeholder - get hci_chan for logical link */
4776
4777 if (hchan) {
4778 if (hchan->state == BT_CONNECTED) {
4779 /* Logical link is ready to go */
4780 chan->hs_hcon = hchan->conn;
4781 chan->hs_hcon->l2cap_data = chan->conn;
4782 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4783 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4784
4785 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4786 } else {
4787 /* Wait for logical link to be ready */
4788 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4789 }
4790 } else {
4791 /* Logical link not available */
4792 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4793 }
4794}
4795
4796static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4797{
4798 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4799 u8 rsp_result;
4800 if (result == -EINVAL)
4801 rsp_result = L2CAP_MR_BAD_ID;
4802 else
4803 rsp_result = L2CAP_MR_NOT_ALLOWED;
4804
4805 l2cap_send_move_chan_rsp(chan, rsp_result);
4806 }
4807
4808 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4809 chan->move_state = L2CAP_MOVE_STABLE;
4810
4811 /* Restart data transmission */
4812 l2cap_ertm_send(chan);
4813}
4814
a514b17f
AE		 4815/* Invoke with locked chan */
4816void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4817{
770bfefa 4818 u8 local_amp_id = chan->local_amp_id;
fffadc08 4819 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4820
8eb200bd
MM		 4821 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4822 chan, result, local_amp_id, remote_amp_id);
4823
8eb200bd
MM		 4824 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4825 l2cap_chan_unlock(chan);
4826 return;
4827 }
4828
4829 if (chan->state != BT_CONNECTED) {
4830 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4831 } else if (result != L2CAP_MR_SUCCESS) {
4832 l2cap_do_move_cancel(chan, result);
4833 } else {
4834 switch (chan->move_role) {
4835 case L2CAP_MOVE_ROLE_INITIATOR:
4836 l2cap_do_move_initiate(chan, local_amp_id,
4837 remote_amp_id);
4838 break;
4839 case L2CAP_MOVE_ROLE_RESPONDER:
4840 l2cap_do_move_respond(chan, result);
4841 break;
4842 default:
4843 l2cap_do_move_cancel(chan, result);
4844 break;
4845 }
4846 }
8eb200bd
MM		 4847}
4848
8d5a04a1 4849static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4850 struct l2cap_cmd_hdr *cmd,
4851 u16 cmd_len, void *data)
8d5a04a1
MM		 4852{
4853 struct l2cap_move_chan_req *req = data;
1500109b 4854 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4855 struct l2cap_chan *chan;
8d5a04a1
MM		 4856 u16 icid = 0;
4857 u16 result = L2CAP_MR_NOT_ALLOWED;
4858
4859 if (cmd_len != sizeof(*req))
4860 return -EPROTO;
4861
4862 icid = le16_to_cpu(req->icid);
4863
ad0ac6ca 4864 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4865
848566b3 4866 if (!conn->hs_enabled)
8d5a04a1
MM		 4867 return -EINVAL;
4868
02b0fbb9
MM		 4869 chan = l2cap_get_chan_by_dcid(conn, icid);
4870 if (!chan) {
1500109b 4871 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4872 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4873 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4874 sizeof(rsp), &rsp);
02b0fbb9
MM		 4875 return 0;
4876 }
4877
1500109b
MM		 4878 chan->ident = cmd->ident;
4879
02b0fbb9
MM		 4880 if (chan->scid < L2CAP_CID_DYN_START ||
4881 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4882 (chan->mode != L2CAP_MODE_ERTM &&
4883 chan->mode != L2CAP_MODE_STREAMING)) {
4884 result = L2CAP_MR_NOT_ALLOWED;
4885 goto send_move_response;
4886 }
4887
4888 if (chan->local_amp_id == req->dest_amp_id) {
4889 result = L2CAP_MR_SAME_ID;
4890 goto send_move_response;
4891 }
4892
6ed971ca 4893 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4894 struct hci_dev *hdev;
4895 hdev = hci_dev_get(req->dest_amp_id);
4896 if (!hdev || hdev->dev_type != HCI_AMP ||
4897 !test_bit(HCI_UP, &hdev->flags)) {
4898 if (hdev)
4899 hci_dev_put(hdev);
4900
4901 result = L2CAP_MR_BAD_ID;
4902 goto send_move_response;
4903 }
4904 hci_dev_put(hdev);
4905 }
4906
4907 /* Detect a move collision. Only send a collision response
4908 * if this side has "lost", otherwise proceed with the move.
4909 * The winner has the larger bd_addr.
4910 */
4911 if ((__chan_is_moving(chan) ||
4912 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4913 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4914 result = L2CAP_MR_COLLISION;
4915 goto send_move_response;
4916 }
4917
02b0fbb9
MM		 4918 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4919 l2cap_move_setup(chan);
4920 chan->move_id = req->dest_amp_id;
4921 icid = chan->dcid;
4922
6ed971ca 4923 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4924 /* Moving to BR/EDR */
4925 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4926 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4927 result = L2CAP_MR_PEND;
4928 } else {
4929 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4930 result = L2CAP_MR_SUCCESS;
4931 }
4932 } else {
4933 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4934 /* Placeholder - uncomment when amp functions are available */
4935 /*amp_accept_physical(chan, req->dest_amp_id);*/
4936 result = L2CAP_MR_PEND;
4937 }
4938
4939send_move_response:
1500109b 4940 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4941
02b0fbb9
MM		 4942 l2cap_chan_unlock(chan);
4943
8d5a04a1
MM		 4944 return 0;
4945}
4946
5b155ef9
MM		 4947static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4948{
4949 struct l2cap_chan *chan;
4950 struct hci_chan *hchan = NULL;
4951
4952 chan = l2cap_get_chan_by_scid(conn, icid);
4953 if (!chan) {
4954 l2cap_send_move_chan_cfm_icid(conn, icid);
4955 return;
4956 }
4957
4958 __clear_chan_timer(chan);
4959 if (result == L2CAP_MR_PEND)
4960 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4961
4962 switch (chan->move_state) {
4963 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4964 /* Move confirm will be sent when logical link
4965 * is complete.
4966 */
4967 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4968 break;
4969 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4970 if (result == L2CAP_MR_PEND) {
4971 break;
4972 } else if (test_bit(CONN_LOCAL_BUSY,
4973 &chan->conn_state)) {
4974 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4975 } else {
4976 /* Logical link is up or moving to BR/EDR,
4977 * proceed with move
4978 */
4979 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4980 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4981 }
4982 break;
4983 case L2CAP_MOVE_WAIT_RSP:
4984 /* Moving to AMP */
4985 if (result == L2CAP_MR_SUCCESS) {
4986 /* Remote is ready, send confirm immediately
4987 * after logical link is ready
4988 */
4989 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4990 } else {
4991 /* Both logical link and move success
4992 * are required to confirm
4993 */
4994 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4995 }
4996
4997 /* Placeholder - get hci_chan for logical link */
4998 if (!hchan) {
4999 /* Logical link not available */
5000 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5001 break;
5002 }
5003
5004 /* If the logical link is not yet connected, do not
5005 * send confirmation.
5006 */
5007 if (hchan->state != BT_CONNECTED)
5008 break;
5009
5010 /* Logical link is already ready to go */
5011
5012 chan->hs_hcon = hchan->conn;
5013 chan->hs_hcon->l2cap_data = chan->conn;
5014
5015 if (result == L2CAP_MR_SUCCESS) {
5016 /* Can confirm now */
5017 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5018 } else {
5019 /* Now only need move success
5020 * to confirm
5021 */
5022 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5023 }
5024
5025 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5026 break;
5027 default:
5028 /* Any other amp move state means the move failed. */
5029 chan->move_id = chan->local_amp_id;
5030 l2cap_move_done(chan);
5031 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5032 }
5033
5034 l2cap_chan_unlock(chan);
5035}
5036
5037static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5038 u16 result)
5039{
5040 struct l2cap_chan *chan;
5041
5042 chan = l2cap_get_chan_by_ident(conn, ident);
5043 if (!chan) {
5044 /* Could not locate channel, icid is best guess */
5045 l2cap_send_move_chan_cfm_icid(conn, icid);
5046 return;
5047 }
5048
5049 __clear_chan_timer(chan);
5050
5051 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5052 if (result == L2CAP_MR_COLLISION) {
5053 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5054 } else {
5055 /* Cleanup - cancel move */
5056 chan->move_id = chan->local_amp_id;
5057 l2cap_move_done(chan);
5058 }
5059 }
5060
5061 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5062
5063 l2cap_chan_unlock(chan);
5064}
5065
5066static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5067 struct l2cap_cmd_hdr *cmd,
5068 u16 cmd_len, void *data)
8d5a04a1
MM		 5069{
5070 struct l2cap_move_chan_rsp *rsp = data;
5071 u16 icid, result;
5072
5073 if (cmd_len != sizeof(*rsp))
5074 return -EPROTO;
5075
5076 icid = le16_to_cpu(rsp->icid);
5077 result = le16_to_cpu(rsp->result);
5078
ad0ac6ca 5079 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5080
5b155ef9
MM		 5081 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5082 l2cap_move_continue(conn, icid, result);
5083 else
5084 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5085
5086 return 0;
5087}
5088
5f3847a4
MM		 5089static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5090 struct l2cap_cmd_hdr *cmd,
5091 u16 cmd_len, void *data)
8d5a04a1
MM		 5092{
5093 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5094 struct l2cap_chan *chan;
8d5a04a1
MM		 5095 u16 icid, result;
5096
5097 if (cmd_len != sizeof(*cfm))
5098 return -EPROTO;
5099
5100 icid = le16_to_cpu(cfm->icid);
5101 result = le16_to_cpu(cfm->result);
5102
ad0ac6ca 5103 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5104
5f3847a4
MM		 5105 chan = l2cap_get_chan_by_dcid(conn, icid);
5106 if (!chan) {
5107 /* Spec requires a response even if the icid was not found */
5108 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5109 return 0;
5110 }
5111
5112 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5113 if (result == L2CAP_MC_CONFIRMED) {
5114 chan->local_amp_id = chan->move_id;
6ed971ca 5115 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5116 __release_logical_link(chan);
5117 } else {
5118 chan->move_id = chan->local_amp_id;
5119 }
5120
5121 l2cap_move_done(chan);
5122 }
5123
8d5a04a1
MM		 5124 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5125
5f3847a4
MM		 5126 l2cap_chan_unlock(chan);
5127
8d5a04a1
MM		 5128 return 0;
5129}
5130
5131static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5132 struct l2cap_cmd_hdr *cmd,
5133 u16 cmd_len, void *data)
8d5a04a1
MM		 5134{
5135 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5136 struct l2cap_chan *chan;
8d5a04a1
MM		 5137 u16 icid;
5138
5139 if (cmd_len != sizeof(*rsp))
5140 return -EPROTO;
5141
5142 icid = le16_to_cpu(rsp->icid);
5143
ad0ac6ca 5144 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5145
3fd71a0a
MM		 5146 chan = l2cap_get_chan_by_scid(conn, icid);
5147 if (!chan)
5148 return 0;
5149
5150 __clear_chan_timer(chan);
5151
5152 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5153 chan->local_amp_id = chan->move_id;
5154
6ed971ca 5155 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5156 __release_logical_link(chan);
5157
5158 l2cap_move_done(chan);
5159 }
5160
5161 l2cap_chan_unlock(chan);
5162
8d5a04a1
MM		 5163 return 0;
5164}
5165
de73115a 5166static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5167 struct l2cap_cmd_hdr *cmd,
203e639e 5168 u16 cmd_len, u8 *data)
de73115a
CT		 5169{
5170 struct hci_conn *hcon = conn->hcon;
5171 struct l2cap_conn_param_update_req *req;
5172 struct l2cap_conn_param_update_rsp rsp;
203e639e 5173 u16 min, max, latency, to_multiplier;
2ce603eb 5174 int err;
de73115a 5175
40bef302 5176 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5177 return -EINVAL;
5178
de73115a
CT		 5179 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5180 return -EPROTO;
5181
5182 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5183 min = __le16_to_cpu(req->min);
5184 max = __le16_to_cpu(req->max);
de73115a
CT		 5185 latency = __le16_to_cpu(req->latency);
5186 to_multiplier = __le16_to_cpu(req->to_multiplier);
5187
5188 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5189 min, max, latency, to_multiplier);
de73115a
CT		 5190
5191 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5192
d4905f24 5193 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5194 if (err)
dcf4adbf 5195 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5196 else
dcf4adbf 5197 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5198
5199 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5200 sizeof(rsp), &rsp);
de73115a 5201
ffb5a827 5202 if (!err) {
f4869e2a
JH		 5203 u8 store_hint;
5204
5205 store_hint = hci_le_conn_update(hcon, min, max, latency,
5206 to_multiplier);
ffb5a827 5207 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5208 store_hint, min, max, latency,
5209 to_multiplier);
ffb5a827 5210
ffb5a827 5211 }
2ce603eb 5212
de73115a
CT		 5213 return 0;
5214}
5215
f1496dee
JH		 5216static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5217 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5218 u8 *data)
5219{
5220 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5221 u16 dcid, mtu, mps, credits, result;
5222 struct l2cap_chan *chan;
5223 int err;
5224
5225 if (cmd_len < sizeof(*rsp))
5226 return -EPROTO;
5227
5228 dcid = __le16_to_cpu(rsp->dcid);
5229 mtu = __le16_to_cpu(rsp->mtu);
5230 mps = __le16_to_cpu(rsp->mps);
5231 credits = __le16_to_cpu(rsp->credits);
5232 result = __le16_to_cpu(rsp->result);
5233
5234 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5235 return -EPROTO;
5236
5237 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5238 dcid, mtu, mps, credits, result);
5239
5240 mutex_lock(&conn->chan_lock);
5241
5242 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5243 if (!chan) {
5244 err = -EBADSLT;
5245 goto unlock;
5246 }
5247
5248 err = 0;
5249
5250 l2cap_chan_lock(chan);
5251
5252 switch (result) {
5253 case L2CAP_CR_SUCCESS:
5254 chan->ident = 0;
5255 chan->dcid = dcid;
5256 chan->omtu = mtu;
5257 chan->remote_mps = mps;
0cd75f7e 5258 chan->tx_credits = credits;
f1496dee
JH		 5259 l2cap_chan_ready(chan);
5260 break;
5261
5262 default:
5263 l2cap_chan_del(chan, ECONNREFUSED);
5264 break;
5265 }
5266
5267 l2cap_chan_unlock(chan);
5268
5269unlock:
5270 mutex_unlock(&conn->chan_lock);
5271
5272 return err;
5273}
5274
3300d9a9 5275static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5276 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5277 u8 *data)
3300d9a9
CT		 5278{
5279 int err = 0;
5280
5281 switch (cmd->code) {
5282 case L2CAP_COMMAND_REJ:
cb3b3152 5283 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5284 break;
5285
5286 case L2CAP_CONN_REQ:
cb3b3152 5287 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5288 break;
5289
5290 case L2CAP_CONN_RSP:
f5a2598d 5291 case L2CAP_CREATE_CHAN_RSP:
9245e737 5292 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5293 break;
5294
5295 case L2CAP_CONF_REQ:
5296 err = l2cap_config_req(conn, cmd, cmd_len, data);
5297 break;
5298
5299 case L2CAP_CONF_RSP:
9245e737 5300 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5301 break;
5302
5303 case L2CAP_DISCONN_REQ:
cb3b3152 5304 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5305 break;
5306
5307 case L2CAP_DISCONN_RSP:
9245e737 5308 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5309 break;
5310
5311 case L2CAP_ECHO_REQ:
5312 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5313 break;
5314
5315 case L2CAP_ECHO_RSP:
5316 break;
5317
5318 case L2CAP_INFO_REQ:
cb3b3152 5319 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5320 break;
5321
5322 case L2CAP_INFO_RSP:
9245e737 5323 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5324 break;
5325
f94ff6ff
MM		 5326 case L2CAP_CREATE_CHAN_REQ:
5327 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5328 break;
5329
8d5a04a1
MM		 5330 case L2CAP_MOVE_CHAN_REQ:
5331 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5332 break;
5333
5334 case L2CAP_MOVE_CHAN_RSP:
9245e737 5335 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5336 break;
5337
5338 case L2CAP_MOVE_CHAN_CFM:
5339 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5340 break;
5341
5342 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5343 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5344 break;
5345
3300d9a9
CT		 5346 default:
5347 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5348 err = -EINVAL;
5349 break;
5350 }
5351
5352 return err;
5353}
5354
27e2d4c8
JH		 5355static int l2cap_le_connect_req(struct l2cap_conn *conn,
5356 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5357 u8 *data)
5358{
5359 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5360 struct l2cap_le_conn_rsp rsp;
5361 struct l2cap_chan *chan, *pchan;
0cd75f7e 5362 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5363 __le16 psm;
5364 u8 result;
5365
5366 if (cmd_len != sizeof(*req))
5367 return -EPROTO;
5368
5369 scid = __le16_to_cpu(req->scid);
5370 mtu = __le16_to_cpu(req->mtu);
5371 mps = __le16_to_cpu(req->mps);
5372 psm = req->psm;
5373 dcid = 0;
0cd75f7e 5374 credits = 0;
27e2d4c8
JH		 5375
5376 if (mtu < 23 || mps < 23)
5377 return -EPROTO;
5378
5379 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5380 scid, mtu, mps);
5381
5382 /* Check if we have socket listening on psm */
5383 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5384 &conn->hcon->dst, LE_LINK);
5385 if (!pchan) {
5386 result = L2CAP_CR_BAD_PSM;
5387 chan = NULL;
5388 goto response;
5389 }
5390
5391 mutex_lock(&conn->chan_lock);
5392 l2cap_chan_lock(pchan);
5393
35dc6f83
JH		 5394 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5395 SMP_ALLOW_STK)) {
27e2d4c8
JH		 5396 result = L2CAP_CR_AUTHENTICATION;
5397 chan = NULL;
5398 goto response_unlock;
5399 }
5400
5401 /* Check if we already have channel with that dcid */
5402 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5403 result = L2CAP_CR_NO_MEM;
5404 chan = NULL;
5405 goto response_unlock;
5406 }
5407
5408 chan = pchan->ops->new_connection(pchan);
5409 if (!chan) {
5410 result = L2CAP_CR_NO_MEM;
5411 goto response_unlock;
5412 }
5413
0ce43ce6
JH		 5414 l2cap_le_flowctl_init(chan);
5415
27e2d4c8
JH		 5416 bacpy(&chan->src, &conn->hcon->src);
5417 bacpy(&chan->dst, &conn->hcon->dst);
5418 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5419 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5420 chan->psm = psm;
5421 chan->dcid = scid;
5422 chan->omtu = mtu;
5423 chan->remote_mps = mps;
0cd75f7e 5424 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5425
5426 __l2cap_chan_add(conn, chan);
5427 dcid = chan->scid;
0cd75f7e 5428 credits = chan->rx_credits;
27e2d4c8
JH		 5429
5430 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5431
5432 chan->ident = cmd->ident;
5433
5434 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5435 l2cap_state_change(chan, BT_CONNECT2);
434714dc
JH		 5436 /* The following result value is actually not defined
5437 * for LE CoC but we use it to let the function know
5438 * that it should bail out after doing its cleanup
5439 * instead of sending a response.
5440 */
27e2d4c8
JH		 5441 result = L2CAP_CR_PEND;
5442 chan->ops->defer(chan);
5443 } else {
5444 l2cap_chan_ready(chan);
5445 result = L2CAP_CR_SUCCESS;
5446 }
5447
5448response_unlock:
5449 l2cap_chan_unlock(pchan);
5450 mutex_unlock(&conn->chan_lock);
a24cce14 5451 l2cap_chan_put(pchan);
27e2d4c8
JH		 5452
5453 if (result == L2CAP_CR_PEND)
5454 return 0;
5455
5456response:
5457 if (chan) {
5458 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5459 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5460 } else {
5461 rsp.mtu = 0;
5462 rsp.mps = 0;
5463 }
5464
5465 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5466 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5467 rsp.result = cpu_to_le16(result);
5468
5469 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5470
5471 return 0;
5472}
5473
fad5fc89
JH		 5474static inline int l2cap_le_credits(struct l2cap_conn *conn,
5475 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5476 u8 *data)
5477{
5478 struct l2cap_le_credits *pkt;
5479 struct l2cap_chan *chan;
0f1bfe4e 5480 u16 cid, credits, max_credits;
fad5fc89
JH		 5481
5482 if (cmd_len != sizeof(*pkt))
5483 return -EPROTO;
5484
5485 pkt = (struct l2cap_le_credits *) data;
5486 cid = __le16_to_cpu(pkt->cid);
5487 credits = __le16_to_cpu(pkt->credits);
5488
5489 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5490
5491 chan = l2cap_get_chan_by_dcid(conn, cid);
5492 if (!chan)
5493 return -EBADSLT;
5494
0f1bfe4e
JH		 5495 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5496 if (credits > max_credits) {
5497 BT_ERR("LE credits overflow");
5498 l2cap_send_disconn_req(chan, ECONNRESET);
ee93053d 5499 l2cap_chan_unlock(chan);
0f1bfe4e
JH		 5500
5501 /* Return 0 so that we don't trigger an unnecessary
5502 * command reject packet.
5503 */
5504 return 0;
5505 }
5506
fad5fc89
JH		 5507 chan->tx_credits += credits;
5508
5509 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5510 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5511 chan->tx_credits--;
5512 }
5513
5514 if (chan->tx_credits)
5515 chan->ops->resume(chan);
5516
5517 l2cap_chan_unlock(chan);
5518
5519 return 0;
5520}
5521
71fb4197
JH		 5522static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5523 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5524 u8 *data)
5525{
5526 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5527 struct l2cap_chan *chan;
5528
5529 if (cmd_len < sizeof(*rej))
5530 return -EPROTO;
5531
5532 mutex_lock(&conn->chan_lock);
5533
5534 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5535 if (!chan)
5536 goto done;
5537
5538 l2cap_chan_lock(chan);
5539 l2cap_chan_del(chan, ECONNREFUSED);
5540 l2cap_chan_unlock(chan);
5541
5542done:
5543 mutex_unlock(&conn->chan_lock);
5544 return 0;
5545}
5546
3300d9a9 5547static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5548 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5549 u8 *data)
3300d9a9 5550{
b5ecba64
JH		 5551 int err = 0;
5552
3300d9a9
CT		 5553 switch (cmd->code) {
5554 case L2CAP_COMMAND_REJ:
71fb4197 5555 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5556 break;
3300d9a9
CT		 5557
5558 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5559 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5560 break;
3300d9a9
CT		 5561
5562 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5563 break;
3300d9a9 5564
f1496dee
JH		 5565 case L2CAP_LE_CONN_RSP:
5566 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5567 break;
f1496dee 5568
27e2d4c8 5569 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5570 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5571 break;
27e2d4c8 5572
fad5fc89
JH		 5573 case L2CAP_LE_CREDITS:
5574 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5575 break;
5576
3defe01a 5577 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5578 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5579 break;
3defe01a
JH		 5580
5581 case L2CAP_DISCONN_RSP:
5582 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5583 break;
3defe01a 5584
3300d9a9
CT		 5585 default:
5586 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5587 err = -EINVAL;
5588 break;
3300d9a9 5589 }
b5ecba64
JH		 5590
5591 return err;
3300d9a9
CT		 5592}
5593
c5623556
JH		 5594static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5595 struct sk_buff *skb)
5596{
69c4e4e8 5597 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5598 struct l2cap_cmd_hdr *cmd;
5599 u16 len;
c5623556
JH		 5600 int err;
5601
69c4e4e8 5602 if (hcon->type != LE_LINK)
3b166295 5603 goto drop;
69c4e4e8 5604
4f3e219d
MH		 5605 if (skb->len < L2CAP_CMD_HDR_SIZE)
5606 goto drop;
c5623556 5607
4f3e219d
MH		 5608 cmd = (void *) skb->data;
5609 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5610
4f3e219d 5611 len = le16_to_cpu(cmd->len);
c5623556 5612
4f3e219d 5613 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5614
4f3e219d
MH		 5615 if (len != skb->len || !cmd->ident) {
5616 BT_DBG("corrupted command");
5617 goto drop;
5618 }
c5623556 5619
203e639e 5620 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5621 if (err) {
5622 struct l2cap_cmd_rej_unk rej;
c5623556 5623
4f3e219d 5624 BT_ERR("Wrong link type (%d)", err);
c5623556 5625
dcf4adbf 5626 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5627 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5628 sizeof(rej), &rej);
c5623556
JH		 5629 }
5630
3b166295 5631drop:
c5623556
JH		 5632 kfree_skb(skb);
5633}
5634
3300d9a9 5635static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5636 struct sk_buff *skb)
1da177e4 5637{
69c4e4e8 5638 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5639 u8 *data = skb->data;
5640 int len = skb->len;
5641 struct l2cap_cmd_hdr cmd;
3300d9a9 5642 int err;
1da177e4
LT		 5643
5644 l2cap_raw_recv(conn, skb);
5645
69c4e4e8 5646 if (hcon->type != ACL_LINK)
3b166295 5647 goto drop;
69c4e4e8 5648
1da177e4 5649 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5650 u16 cmd_len;
1da177e4
LT		 5651 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5652 data += L2CAP_CMD_HDR_SIZE;
5653 len -= L2CAP_CMD_HDR_SIZE;
5654
88219a0f 5655 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5656
2d792818
GP		 5657 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5658 cmd.ident);
1da177e4 5659
88219a0f 5660 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5661 BT_DBG("corrupted command");
5662 break;
5663 }
5664
c5623556 5665 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5666 if (err) {
e2fd318e 5667 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5668
5669 BT_ERR("Wrong link type (%d)", err);
1da177e4 5670
dcf4adbf 5671 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5672 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5673 sizeof(rej), &rej);
1da177e4
LT		 5674 }
5675
88219a0f
AV		 5676 data += cmd_len;
5677 len -= cmd_len;
1da177e4
LT		 5678 }
5679
3b166295 5680drop:
1da177e4
LT		 5681 kfree_skb(skb);
5682}
5683
47d1ec61 5684static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5685{
5686 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5687 int hdr_size;
5688
5689 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5690 hdr_size = L2CAP_EXT_HDR_SIZE;
5691 else
5692 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5693
47d1ec61 5694 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5695 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5696 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5697 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5698
5699 if (our_fcs != rcv_fcs)
7a560e5c 5700 return -EBADMSG;
fcc203c3
GP		 5701 }
5702 return 0;
5703}
5704
6ea00485 5705static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5706{
e31f7633 5707 struct l2cap_ctrl control;
d5392c8f 5708
e31f7633 5709 BT_DBG("chan %p", chan);
d5392c8f 5710
e31f7633
MM		 5711 memset(&control, 0, sizeof(control));
5712 control.sframe = 1;
5713 control.final = 1;
5714 control.reqseq = chan->buffer_seq;
5715 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5716
e2ab4353 5717 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5718 control.super = L2CAP_SUPER_RNR;
5719 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5720 }
5721
e31f7633
MM		 5722 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5723 chan->unacked_frames > 0)
5724 __set_retrans_timer(chan);
d5392c8f 5725
e31f7633 5726 /* Send pending iframes */
525cd185 5727 l2cap_ertm_send(chan);
d5392c8f 5728
e2ab4353 5729 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5730 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5731 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5732 * send it now.
5733 */
5734 control.super = L2CAP_SUPER_RR;
5735 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5736 }
5737}
5738
2d792818
GP		 5739static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5740 struct sk_buff **last_frag)
18778a63 5741{
84084a31
MM		 5742 /* skb->len reflects data in skb as well as all fragments
5743 * skb->data_len reflects only data in fragments
5744 */
5745 if (!skb_has_frag_list(skb))
5746 skb_shinfo(skb)->frag_list = new_frag;
5747
5748 new_frag->next = NULL;
5749
5750 (*last_frag)->next = new_frag;
5751 *last_frag = new_frag;
5752
5753 skb->len += new_frag->len;
5754 skb->data_len += new_frag->len;
5755 skb->truesize += new_frag->truesize;
5756}
5757
4b51dae9
MM		 5758static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5759 struct l2cap_ctrl *control)
84084a31
MM		 5760{
5761 int err = -EINVAL;
18778a63 5762
4b51dae9 5763 switch (control->sar) {
7e0ef6ee 5764 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5765 if (chan->sdu)
5766 break;
18778a63 5767
80b98027 5768 err = chan->ops->recv(chan, skb);
84084a31 5769 break;
18778a63 5770
7e0ef6ee 5771 case L2CAP_SAR_START:
84084a31
MM		 5772 if (chan->sdu)
5773 break;
18778a63 5774
6f61fd47 5775 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5776 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5777
84084a31
MM		 5778 if (chan->sdu_len > chan->imtu) {
5779 err = -EMSGSIZE;
5780 break;
5781 }
1890d36b 5782
84084a31
MM		 5783 if (skb->len >= chan->sdu_len)
5784 break;
18778a63 5785
84084a31
MM		 5786 chan->sdu = skb;
5787 chan->sdu_last_frag = skb;
18778a63 5788
84084a31
MM		 5789 skb = NULL;
5790 err = 0;
18778a63
GP		 5791 break;
5792
7e0ef6ee 5793 case L2CAP_SAR_CONTINUE:
6f61fd47 5794 if (!chan->sdu)
84084a31 5795 break;
18778a63 5796
84084a31
MM		 5797 append_skb_frag(chan->sdu, skb,
5798 &chan->sdu_last_frag);
5799 skb = NULL;
18778a63 5800
84084a31
MM		 5801 if (chan->sdu->len >= chan->sdu_len)
5802 break;
4178ba46 5803
84084a31 5804 err = 0;
18778a63
GP		 5805 break;
5806
7e0ef6ee 5807 case L2CAP_SAR_END:
6f61fd47 5808 if (!chan->sdu)
84084a31 5809 break;
18778a63 5810
84084a31
MM		 5811 append_skb_frag(chan->sdu, skb,
5812 &chan->sdu_last_frag);
5813 skb = NULL;
4178ba46 5814
84084a31
MM		 5815 if (chan->sdu->len != chan->sdu_len)
5816 break;
18778a63 5817
80b98027 5818 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5819
84084a31
MM		 5820 if (!err) {
5821 /* Reassembly complete */
5822 chan->sdu = NULL;
5823 chan->sdu_last_frag = NULL;
5824 chan->sdu_len = 0;
1890d36b 5825 }
18778a63
GP		 5826 break;
5827 }
5828
84084a31
MM		 5829 if (err) {
5830 kfree_skb(skb);
5831 kfree_skb(chan->sdu);
5832 chan->sdu = NULL;
5833 chan->sdu_last_frag = NULL;
5834 chan->sdu_len = 0;
5835 }
18778a63 5836
84084a31 5837 return err;
18778a63
GP		 5838}
5839
32b32735
MM		 5840static int l2cap_resegment(struct l2cap_chan *chan)
5841{
5842 /* Placeholder */
5843 return 0;
5844}
5845
61aa4f5b 5846void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5847{
61aa4f5b 5848 u8 event;
712132eb 5849
61aa4f5b
MM		 5850 if (chan->mode != L2CAP_MODE_ERTM)
5851 return;
712132eb 5852
61aa4f5b 5853 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5854 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5855}
5856
d2a7ac5d
MM		 5857static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5858{
63838725
MM		 5859 int err = 0;
5860 /* Pass sequential frames to l2cap_reassemble_sdu()
5861 * until a gap is encountered.
5862 */
5863
5864 BT_DBG("chan %p", chan);
5865
5866 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5867 struct sk_buff *skb;
5868 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5869 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5870
5871 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5872
5873 if (!skb)
5874 break;
5875
5876 skb_unlink(skb, &chan->srej_q);
5877 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5878 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5879 if (err)
5880 break;
5881 }
5882
5883 if (skb_queue_empty(&chan->srej_q)) {
5884 chan->rx_state = L2CAP_RX_STATE_RECV;
5885 l2cap_send_ack(chan);
5886 }
5887
5888 return err;
d2a7ac5d
MM		 5889}
5890
5891static void l2cap_handle_srej(struct l2cap_chan *chan,
5892 struct l2cap_ctrl *control)
5893{
f80842a8
MM		 5894 struct sk_buff *skb;
5895
5896 BT_DBG("chan %p, control %p", chan, control);
5897
5898 if (control->reqseq == chan->next_tx_seq) {
5899 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5900 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5901 return;
5902 }
5903
5904 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5905
5906 if (skb == NULL) {
5907 BT_DBG("Seq %d not available for retransmission",
5908 control->reqseq);
5909 return;
5910 }
5911
5912 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5913 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5914 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5915 return;
5916 }
5917
5918 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5919
5920 if (control->poll) {
5921 l2cap_pass_to_tx(chan, control);
5922
5923 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5924 l2cap_retransmit(chan, control);
5925 l2cap_ertm_send(chan);
5926
5927 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5928 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5929 chan->srej_save_reqseq = control->reqseq;
5930 }
5931 } else {
5932 l2cap_pass_to_tx_fbit(chan, control);
5933
5934 if (control->final) {
5935 if (chan->srej_save_reqseq != control->reqseq ||
5936 !test_and_clear_bit(CONN_SREJ_ACT,
5937 &chan->conn_state))
5938 l2cap_retransmit(chan, control);
5939 } else {
5940 l2cap_retransmit(chan, control);
5941 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5942 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5943 chan->srej_save_reqseq = control->reqseq;
5944 }
5945 }
5946 }
d2a7ac5d
MM		 5947}
5948
5949static void l2cap_handle_rej(struct l2cap_chan *chan,
5950 struct l2cap_ctrl *control)
5951{
fcd289df
MM		 5952 struct sk_buff *skb;
5953
5954 BT_DBG("chan %p, control %p", chan, control);
5955
5956 if (control->reqseq == chan->next_tx_seq) {
5957 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5958 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5959 return;
5960 }
5961
5962 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5963
5964 if (chan->max_tx && skb &&
5965 bt_cb(skb)->control.retries >= chan->max_tx) {
5966 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5967 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5968 return;
5969 }
5970
5971 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5972
5973 l2cap_pass_to_tx(chan, control);
5974
5975 if (control->final) {
5976 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5977 l2cap_retransmit_all(chan, control);
5978 } else {
5979 l2cap_retransmit_all(chan, control);
5980 l2cap_ertm_send(chan);
5981 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5982 set_bit(CONN_REJ_ACT, &chan->conn_state);
5983 }
d2a7ac5d
MM		 5984}
5985
4b51dae9
MM		 5986static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5987{
5988 BT_DBG("chan %p, txseq %d", chan, txseq);
5989
5990 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5991 chan->expected_tx_seq);
5992
5993 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5994 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5995 chan->tx_win) {
4b51dae9
MM		 5996 /* See notes below regarding "double poll" and
5997 * invalid packets.
5998 */
5999 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6000 BT_DBG("Invalid/Ignore - after SREJ");
6001 return L2CAP_TXSEQ_INVALID_IGNORE;
6002 } else {
6003 BT_DBG("Invalid - in window after SREJ sent");
6004 return L2CAP_TXSEQ_INVALID;
6005 }
6006 }
6007
6008 if (chan->srej_list.head == txseq) {
6009 BT_DBG("Expected SREJ");
6010 return L2CAP_TXSEQ_EXPECTED_SREJ;
6011 }
6012
6013 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6014 BT_DBG("Duplicate SREJ - txseq already stored");
6015 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6016 }
6017
6018 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6019 BT_DBG("Unexpected SREJ - not requested");
6020 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6021 }
6022 }
6023
6024 if (chan->expected_tx_seq == txseq) {
6025 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6026 chan->tx_win) {
6027 BT_DBG("Invalid - txseq outside tx window");
6028 return L2CAP_TXSEQ_INVALID;
6029 } else {
6030 BT_DBG("Expected");
6031 return L2CAP_TXSEQ_EXPECTED;
6032 }
6033 }
6034
6035 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6036 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6037 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6038 return L2CAP_TXSEQ_DUPLICATE;
6039 }
6040
6041 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6042 /* A source of invalid packets is a "double poll" condition,
6043 * where delays cause us to send multiple poll packets. If
6044 * the remote stack receives and processes both polls,
6045 * sequence numbers can wrap around in such a way that a
6046 * resent frame has a sequence number that looks like new data
6047 * with a sequence gap. This would trigger an erroneous SREJ
6048 * request.
6049 *
6050 * Fortunately, this is impossible with a tx window that's
6051 * less than half of the maximum sequence number, which allows
6052 * invalid frames to be safely ignored.
6053 *
6054 * With tx window sizes greater than half of the tx window
6055 * maximum, the frame is invalid and cannot be ignored. This
6056 * causes a disconnect.
6057 */
6058
6059 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6060 BT_DBG("Invalid/Ignore - txseq outside tx window");
6061 return L2CAP_TXSEQ_INVALID_IGNORE;
6062 } else {
6063 BT_DBG("Invalid - txseq outside tx window");
6064 return L2CAP_TXSEQ_INVALID;
6065 }
6066 } else {
6067 BT_DBG("Unexpected - txseq indicates missing frames");
6068 return L2CAP_TXSEQ_UNEXPECTED;
6069 }
6070}
6071
d2a7ac5d
MM		 6072static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6073 struct l2cap_ctrl *control,
6074 struct sk_buff *skb, u8 event)
6075{
6076 int err = 0;
941247f9 6077 bool skb_in_use = false;
d2a7ac5d
MM		 6078
6079 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6080 event);
6081
6082 switch (event) {
6083 case L2CAP_EV_RECV_IFRAME:
6084 switch (l2cap_classify_txseq(chan, control->txseq)) {
6085 case L2CAP_TXSEQ_EXPECTED:
6086 l2cap_pass_to_tx(chan, control);
6087
6088 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6089 BT_DBG("Busy, discarding expected seq %d",
6090 control->txseq);
6091 break;
6092 }
6093
6094 chan->expected_tx_seq = __next_seq(chan,
6095 control->txseq);
6096
6097 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6098 skb_in_use = true;
d2a7ac5d
MM		 6099
6100 err = l2cap_reassemble_sdu(chan, skb, control);
6101 if (err)
6102 break;
6103
6104 if (control->final) {
6105 if (!test_and_clear_bit(CONN_REJ_ACT,
6106 &chan->conn_state)) {
6107 control->final = 0;
6108 l2cap_retransmit_all(chan, control);
6109 l2cap_ertm_send(chan);
6110 }
6111 }
6112
6113 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6114 l2cap_send_ack(chan);
6115 break;
6116 case L2CAP_TXSEQ_UNEXPECTED:
6117 l2cap_pass_to_tx(chan, control);
6118
6119 /* Can't issue SREJ frames in the local busy state.
6120 * Drop this frame, it will be seen as missing
6121 * when local busy is exited.
6122 */
6123 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6124 BT_DBG("Busy, discarding unexpected seq %d",
6125 control->txseq);
6126 break;
6127 }
6128
6129 /* There was a gap in the sequence, so an SREJ
6130 * must be sent for each missing frame. The
6131 * current frame is stored for later use.
6132 */
6133 skb_queue_tail(&chan->srej_q, skb);
941247f9 6134 skb_in_use = true;
d2a7ac5d
MM		 6135 BT_DBG("Queued %p (queue len %d)", skb,
6136 skb_queue_len(&chan->srej_q));
6137
6138 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6139 l2cap_seq_list_clear(&chan->srej_list);
6140 l2cap_send_srej(chan, control->txseq);
6141
6142 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6143 break;
6144 case L2CAP_TXSEQ_DUPLICATE:
6145 l2cap_pass_to_tx(chan, control);
6146 break;
6147 case L2CAP_TXSEQ_INVALID_IGNORE:
6148 break;
6149 case L2CAP_TXSEQ_INVALID:
6150 default:
5e4e3972 6151 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6152 break;
6153 }
6154 break;
6155 case L2CAP_EV_RECV_RR:
6156 l2cap_pass_to_tx(chan, control);
6157 if (control->final) {
6158 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6159
e6a3ee6e
MM		 6160 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6161 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6162 control->final = 0;
6163 l2cap_retransmit_all(chan, control);
6164 }
6165
6166 l2cap_ertm_send(chan);
6167 } else if (control->poll) {
6168 l2cap_send_i_or_rr_or_rnr(chan);
6169 } else {
6170 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6171 &chan->conn_state) &&
6172 chan->unacked_frames)
6173 __set_retrans_timer(chan);
6174
6175 l2cap_ertm_send(chan);
6176 }
6177 break;
6178 case L2CAP_EV_RECV_RNR:
6179 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6180 l2cap_pass_to_tx(chan, control);
6181 if (control && control->poll) {
6182 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6183 l2cap_send_rr_or_rnr(chan, 0);
6184 }
6185 __clear_retrans_timer(chan);
6186 l2cap_seq_list_clear(&chan->retrans_list);
6187 break;
6188 case L2CAP_EV_RECV_REJ:
6189 l2cap_handle_rej(chan, control);
6190 break;
6191 case L2CAP_EV_RECV_SREJ:
6192 l2cap_handle_srej(chan, control);
6193 break;
6194 default:
6195 break;
6196 }
6197
6198 if (skb && !skb_in_use) {
6199 BT_DBG("Freeing %p", skb);
6200 kfree_skb(skb);
6201 }
6202
6203 return err;
6204}
6205
6206static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6207 struct l2cap_ctrl *control,
6208 struct sk_buff *skb, u8 event)
6209{
6210 int err = 0;
6211 u16 txseq = control->txseq;
941247f9 6212 bool skb_in_use = false;
d2a7ac5d
MM		 6213
6214 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6215 event);
6216
6217 switch (event) {
6218 case L2CAP_EV_RECV_IFRAME:
6219 switch (l2cap_classify_txseq(chan, txseq)) {
6220 case L2CAP_TXSEQ_EXPECTED:
6221 /* Keep frame for reassembly later */
6222 l2cap_pass_to_tx(chan, control);
6223 skb_queue_tail(&chan->srej_q, skb);
941247f9 6224 skb_in_use = true;
d2a7ac5d
MM		 6225 BT_DBG("Queued %p (queue len %d)", skb,
6226 skb_queue_len(&chan->srej_q));
6227
6228 chan->expected_tx_seq = __next_seq(chan, txseq);
6229 break;
6230 case L2CAP_TXSEQ_EXPECTED_SREJ:
6231 l2cap_seq_list_pop(&chan->srej_list);
6232
6233 l2cap_pass_to_tx(chan, control);
6234 skb_queue_tail(&chan->srej_q, skb);
941247f9 6235 skb_in_use = true;
d2a7ac5d
MM		 6236 BT_DBG("Queued %p (queue len %d)", skb,
6237 skb_queue_len(&chan->srej_q));
6238
6239 err = l2cap_rx_queued_iframes(chan);
6240 if (err)
6241 break;
6242
6243 break;
6244 case L2CAP_TXSEQ_UNEXPECTED:
6245 /* Got a frame that can't be reassembled yet.
6246 * Save it for later, and send SREJs to cover
6247 * the missing frames.
6248 */
6249 skb_queue_tail(&chan->srej_q, skb);
941247f9 6250 skb_in_use = true;
d2a7ac5d
MM		 6251 BT_DBG("Queued %p (queue len %d)", skb,
6252 skb_queue_len(&chan->srej_q));
6253
6254 l2cap_pass_to_tx(chan, control);
6255 l2cap_send_srej(chan, control->txseq);
6256 break;
6257 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6258 /* This frame was requested with an SREJ, but
6259 * some expected retransmitted frames are
6260 * missing. Request retransmission of missing
6261 * SREJ'd frames.
6262 */
6263 skb_queue_tail(&chan->srej_q, skb);
941247f9 6264 skb_in_use = true;
d2a7ac5d
MM		 6265 BT_DBG("Queued %p (queue len %d)", skb,
6266 skb_queue_len(&chan->srej_q));
6267
6268 l2cap_pass_to_tx(chan, control);
6269 l2cap_send_srej_list(chan, control->txseq);
6270 break;
6271 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6272 /* We've already queued this frame. Drop this copy. */
6273 l2cap_pass_to_tx(chan, control);
6274 break;
6275 case L2CAP_TXSEQ_DUPLICATE:
6276 /* Expecting a later sequence number, so this frame
6277 * was already received. Ignore it completely.
6278 */
6279 break;
6280 case L2CAP_TXSEQ_INVALID_IGNORE:
6281 break;
6282 case L2CAP_TXSEQ_INVALID:
6283 default:
5e4e3972 6284 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6285 break;
6286 }
6287 break;
6288 case L2CAP_EV_RECV_RR:
6289 l2cap_pass_to_tx(chan, control);
6290 if (control->final) {
6291 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6292
6293 if (!test_and_clear_bit(CONN_REJ_ACT,
6294 &chan->conn_state)) {
6295 control->final = 0;
6296 l2cap_retransmit_all(chan, control);
6297 }
6298
6299 l2cap_ertm_send(chan);
6300 } else if (control->poll) {
6301 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6302 &chan->conn_state) &&
6303 chan->unacked_frames) {
6304 __set_retrans_timer(chan);
6305 }
6306
6307 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6308 l2cap_send_srej_tail(chan);
6309 } else {
6310 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6311 &chan->conn_state) &&
6312 chan->unacked_frames)
6313 __set_retrans_timer(chan);
6314
6315 l2cap_send_ack(chan);
6316 }
6317 break;
6318 case L2CAP_EV_RECV_RNR:
6319 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6320 l2cap_pass_to_tx(chan, control);
6321 if (control->poll) {
6322 l2cap_send_srej_tail(chan);
6323 } else {
6324 struct l2cap_ctrl rr_control;
6325 memset(&rr_control, 0, sizeof(rr_control));
6326 rr_control.sframe = 1;
6327 rr_control.super = L2CAP_SUPER_RR;
6328 rr_control.reqseq = chan->buffer_seq;
6329 l2cap_send_sframe(chan, &rr_control);
6330 }
6331
6332 break;
6333 case L2CAP_EV_RECV_REJ:
6334 l2cap_handle_rej(chan, control);
6335 break;
6336 case L2CAP_EV_RECV_SREJ:
6337 l2cap_handle_srej(chan, control);
6338 break;
6339 }
6340
6341 if (skb && !skb_in_use) {
6342 BT_DBG("Freeing %p", skb);
6343 kfree_skb(skb);
6344 }
6345
6346 return err;
6347}
6348
32b32735
MM		 6349static int l2cap_finish_move(struct l2cap_chan *chan)
6350{
6351 BT_DBG("chan %p", chan);
6352
6353 chan->rx_state = L2CAP_RX_STATE_RECV;
6354
6355 if (chan->hs_hcon)
6356 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6357 else
6358 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6359
6360 return l2cap_resegment(chan);
6361}
6362
6363static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6364 struct l2cap_ctrl *control,
6365 struct sk_buff *skb, u8 event)
6366{
6367 int err;
6368
6369 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6370 event);
6371
6372 if (!control->poll)
6373 return -EPROTO;
6374
6375 l2cap_process_reqseq(chan, control->reqseq);
6376
6377 if (!skb_queue_empty(&chan->tx_q))
6378 chan->tx_send_head = skb_peek(&chan->tx_q);
6379 else
6380 chan->tx_send_head = NULL;
6381
6382 /* Rewind next_tx_seq to the point expected
6383 * by the receiver.
6384 */
6385 chan->next_tx_seq = control->reqseq;
6386 chan->unacked_frames = 0;
6387
6388 err = l2cap_finish_move(chan);
6389 if (err)
6390 return err;
6391
6392 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6393 l2cap_send_i_or_rr_or_rnr(chan);
6394
6395 if (event == L2CAP_EV_RECV_IFRAME)
6396 return -EPROTO;
6397
6398 return l2cap_rx_state_recv(chan, control, NULL, event);
6399}
6400
6401static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6402 struct l2cap_ctrl *control,
6403 struct sk_buff *skb, u8 event)
6404{
6405 int err;
6406
6407 if (!control->final)
6408 return -EPROTO;
6409
6410 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6411
6412 chan->rx_state = L2CAP_RX_STATE_RECV;
6413 l2cap_process_reqseq(chan, control->reqseq);
6414
6415 if (!skb_queue_empty(&chan->tx_q))
6416 chan->tx_send_head = skb_peek(&chan->tx_q);
6417 else
6418 chan->tx_send_head = NULL;
6419
6420 /* Rewind next_tx_seq to the point expected
6421 * by the receiver.
6422 */
6423 chan->next_tx_seq = control->reqseq;
6424 chan->unacked_frames = 0;
6425
6426 if (chan->hs_hcon)
6427 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6428 else
6429 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6430
6431 err = l2cap_resegment(chan);
6432
6433 if (!err)
6434 err = l2cap_rx_state_recv(chan, control, skb, event);
6435
6436 return err;
6437}
6438
d2a7ac5d
MM		 6439static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6440{
6441 /* Make sure reqseq is for a packet that has been sent but not acked */
6442 u16 unacked;
6443
6444 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6445 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6446}
6447
cec8ab6e
MM		 6448static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6449 struct sk_buff *skb, u8 event)
218bb9df 6450{
d2a7ac5d
MM		 6451 int err = 0;
6452
6453 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6454 control, skb, event, chan->rx_state);
6455
6456 if (__valid_reqseq(chan, control->reqseq)) {
6457 switch (chan->rx_state) {
6458 case L2CAP_RX_STATE_RECV:
6459 err = l2cap_rx_state_recv(chan, control, skb, event);
6460 break;
6461 case L2CAP_RX_STATE_SREJ_SENT:
6462 err = l2cap_rx_state_srej_sent(chan, control, skb,
6463 event);
6464 break;
32b32735
MM		 6465 case L2CAP_RX_STATE_WAIT_P:
6466 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6467 break;
6468 case L2CAP_RX_STATE_WAIT_F:
6469 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6470 break;
d2a7ac5d
MM		 6471 default:
6472 /* shut it down */
6473 break;
6474 }
6475 } else {
6476 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6477 control->reqseq, chan->next_tx_seq,
6478 chan->expected_ack_seq);
5e4e3972 6479 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6480 }
6481
6482 return err;
cec8ab6e
MM		 6483}
6484
6485static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6486 struct sk_buff *skb)
6487{
4b51dae9
MM		 6488 int err = 0;
6489
6490 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6491 chan->rx_state);
6492
6493 if (l2cap_classify_txseq(chan, control->txseq) ==
6494 L2CAP_TXSEQ_EXPECTED) {
6495 l2cap_pass_to_tx(chan, control);
6496
6497 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6498 __next_seq(chan, chan->buffer_seq));
6499
6500 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6501
6502 l2cap_reassemble_sdu(chan, skb, control);
6503 } else {
6504 if (chan->sdu) {
6505 kfree_skb(chan->sdu);
6506 chan->sdu = NULL;
6507 }
6508 chan->sdu_last_frag = NULL;
6509 chan->sdu_len = 0;
6510
6511 if (skb) {
6512 BT_DBG("Freeing %p", skb);
6513 kfree_skb(skb);
6514 }
6515 }
6516
6517 chan->last_acked_seq = control->txseq;
6518 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6519
6520 return err;
cec8ab6e
MM		 6521}
6522
6523static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6524{
6525 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6526 u16 len;
6527 u8 event;
218bb9df 6528
b76bbd66
MM		 6529 __unpack_control(chan, skb);
6530
218bb9df
GP		 6531 len = skb->len;
6532
6533 /*
6534 * We can just drop the corrupted I-frame here.
6535 * Receiver will miss it and start proper recovery
cec8ab6e 6536 * procedures and ask for retransmission.
218bb9df 6537 */
47d1ec61 6538 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6539 goto drop;
6540
cec8ab6e 6541 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6542 len -= L2CAP_SDULEN_SIZE;
218bb9df 6543
47d1ec61 6544 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6545 len -= L2CAP_FCS_SIZE;
218bb9df 6546
47d1ec61 6547 if (len > chan->mps) {
5e4e3972 6548 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6549 goto drop;
6550 }
6551
cec8ab6e
MM		 6552 if (!control->sframe) {
6553 int err;
218bb9df 6554
cec8ab6e
MM		 6555 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6556 control->sar, control->reqseq, control->final,
6557 control->txseq);
218bb9df 6558
cec8ab6e
MM		 6559 /* Validate F-bit - F=0 always valid, F=1 only
6560 * valid in TX WAIT_F
6561 */
6562 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6563 goto drop;
cec8ab6e
MM		 6564
6565 if (chan->mode != L2CAP_MODE_STREAMING) {
6566 event = L2CAP_EV_RECV_IFRAME;
6567 err = l2cap_rx(chan, control, skb, event);
6568 } else {
6569 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6570 }
6571
cec8ab6e 6572 if (err)
5e4e3972 6573 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6574 } else {
cec8ab6e
MM		 6575 const u8 rx_func_to_event[4] = {
6576 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6577 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6578 };
6579
6580 /* Only I-frames are expected in streaming mode */
6581 if (chan->mode == L2CAP_MODE_STREAMING)
6582 goto drop;
6583
6584 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6585 control->reqseq, control->final, control->poll,
6586 control->super);
6587
218bb9df 6588 if (len != 0) {
1bb166e6 6589 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6590 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6591 goto drop;
6592 }
6593
cec8ab6e
MM		 6594 /* Validate F and P bits */
6595 if (control->final && (control->poll ||
6596 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6597 goto drop;
6598
6599 event = rx_func_to_event[control->super];
6600 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6601 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6602 }
6603
6604 return 0;
6605
6606drop:
6607 kfree_skb(skb);
6608 return 0;
6609}
6610
b1c325c2
JH		 6611static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6612{
6613 struct l2cap_conn *conn = chan->conn;
6614 struct l2cap_le_credits pkt;
6615 u16 return_credits;
6616
6617 /* We return more credits to the sender only after the amount of
6618 * credits falls below half of the initial amount.
6619 */
f15b8ecf 6620 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6621 return;
6622
f15b8ecf 6623 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6624
6625 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6626
6627 chan->rx_credits += return_credits;
6628
6629 pkt.cid = cpu_to_le16(chan->scid);
6630 pkt.credits = cpu_to_le16(return_credits);
6631
6632 chan->ident = l2cap_get_ident(conn);
6633
6634 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6635}
6636
fad5fc89
JH		 6637static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6638{
aac23bf6
JH		 6639 int err;
6640
6641 if (!chan->rx_credits) {
6642 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6643 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6644 return -ENOBUFS;
aac23bf6 6645 }
fad5fc89 6646
aac23bf6
JH		 6647 if (chan->imtu < skb->len) {
6648 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6649 return -ENOBUFS;
aac23bf6 6650 }
fad5fc89
JH		 6651
6652 chan->rx_credits--;
6653 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6654
6655 l2cap_chan_le_send_credits(chan);
6656
aac23bf6
JH		 6657 err = 0;
6658
6659 if (!chan->sdu) {
6660 u16 sdu_len;
6661
6662 sdu_len = get_unaligned_le16(skb->data);
6663 skb_pull(skb, L2CAP_SDULEN_SIZE);
6664
6665 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6666 sdu_len, skb->len, chan->imtu);
6667
6668 if (sdu_len > chan->imtu) {
6669 BT_ERR("Too big LE L2CAP SDU length received");
6670 err = -EMSGSIZE;
6671 goto failed;
6672 }
6673
6674 if (skb->len > sdu_len) {
6675 BT_ERR("Too much LE L2CAP data received");
6676 err = -EINVAL;
6677 goto failed;
6678 }
6679
6680 if (skb->len == sdu_len)
6681 return chan->ops->recv(chan, skb);
6682
6683 chan->sdu = skb;
6684 chan->sdu_len = sdu_len;
6685 chan->sdu_last_frag = skb;
6686
6687 return 0;
6688 }
6689
6690 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6691 chan->sdu->len, skb->len, chan->sdu_len);
6692
6693 if (chan->sdu->len + skb->len > chan->sdu_len) {
6694 BT_ERR("Too much LE L2CAP data received");
6695 err = -EINVAL;
6696 goto failed;
6697 }
6698
6699 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6700 skb = NULL;
6701
6702 if (chan->sdu->len == chan->sdu_len) {
6703 err = chan->ops->recv(chan, chan->sdu);
6704 if (!err) {
6705 chan->sdu = NULL;
6706 chan->sdu_last_frag = NULL;
6707 chan->sdu_len = 0;
6708 }
6709 }
6710
6711failed:
6712 if (err) {
6713 kfree_skb(skb);
6714 kfree_skb(chan->sdu);
6715 chan->sdu = NULL;
6716 chan->sdu_last_frag = NULL;
6717 chan->sdu_len = 0;
6718 }
6719
6720 /* We can't return an error here since we took care of the skb
6721 * freeing internally. An error return would cause the caller to
6722 * do a double-free of the skb.
6723 */
6724 return 0;
fad5fc89
JH		 6725}
6726
13ca56e0
AE		 6727static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6728 struct sk_buff *skb)
1da177e4 6729{
48454079 6730 struct l2cap_chan *chan;
1da177e4 6731
baa7e1fa 6732 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6733 if (!chan) {
97e8e89d
AE		 6734 if (cid == L2CAP_CID_A2MP) {
6735 chan = a2mp_channel_create(conn, skb);
6736 if (!chan) {
6737 kfree_skb(skb);
13ca56e0 6738 return;
97e8e89d
AE		 6739 }
6740
6741 l2cap_chan_lock(chan);
6742 } else {
6743 BT_DBG("unknown cid 0x%4.4x", cid);
6744 /* Drop packet and return */
6745 kfree_skb(skb);
13ca56e0 6746 return;
97e8e89d 6747 }
1da177e4
LT		 6748 }
6749
49208c9c 6750 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6751
89bc500e 6752 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6753 goto drop;
6754
0c1bc5c6 6755 switch (chan->mode) {
38319713 6756 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6757 if (l2cap_le_data_rcv(chan, skb) < 0)
6758 goto drop;
6759
6760 goto done;
6761
1c2acffb
GP		 6762 case L2CAP_MODE_BASIC:
6763 /* If socket recv buffers overflows we drop data here
6764 * which is *bad* because L2CAP has to be reliable.
6765 * But we don't have any other choice. L2CAP doesn't
6766 * provide flow control mechanism. */
1da177e4 6767
2c96e03d
SJ		 6768 if (chan->imtu < skb->len) {
6769 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6770 goto drop;
2c96e03d 6771 }
1da177e4 6772
80b98027 6773 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6774 goto done;
6775 break;
6776
6777 case L2CAP_MODE_ERTM:
6840ed07 6778 case L2CAP_MODE_STREAMING:
cec8ab6e 6779 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6780 goto done;
6781
1c2acffb 6782 default:
0c1bc5c6 6783 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6784 break;
6785 }
1da177e4
LT		 6786
6787drop:
6788 kfree_skb(skb);
6789
6790done:
6be36555 6791 l2cap_chan_unlock(chan);
1da177e4
LT		 6792}
6793
84104b24
AE		 6794static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6795 struct sk_buff *skb)
1da177e4 6796{
ae4fd2d3 6797 struct hci_conn *hcon = conn->hcon;
23691d75 6798 struct l2cap_chan *chan;
1da177e4 6799
ae4fd2d3 6800 if (hcon->type != ACL_LINK)
a24cce14 6801 goto free_skb;
ae4fd2d3 6802
bf20fd4e
JH		 6803 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6804 ACL_LINK);
23691d75 6805 if (!chan)
a24cce14 6806 goto free_skb;
1da177e4 6807
5b4cedaa 6808 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6809
89bc500e 6810 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6811 goto drop;
6812
e13e21dc 6813 if (chan->imtu < skb->len)
1da177e4
LT		 6814 goto drop;
6815
2edf870d 6816 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6817 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6818 bt_cb(skb)->psm = psm;
6819
a24cce14
JH		 6820 if (!chan->ops->recv(chan, skb)) {
6821 l2cap_chan_put(chan);
84104b24 6822 return;
a24cce14 6823 }
1da177e4
LT		 6824
6825drop:
a24cce14
JH		 6826 l2cap_chan_put(chan);
6827free_skb:
1da177e4 6828 kfree_skb(skb);
1da177e4
LT		 6829}
6830
6831static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6832{
6833 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6834 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6835 u16 cid, len;
6836 __le16 psm;
1da177e4 6837
61a939c6
JH		 6838 if (hcon->state != BT_CONNECTED) {
6839 BT_DBG("queueing pending rx skb");
6840 skb_queue_tail(&conn->pending_rx, skb);
6841 return;
6842 }
6843
1da177e4
LT		 6844 skb_pull(skb, L2CAP_HDR_SIZE);
6845 cid = __le16_to_cpu(lh->cid);
6846 len = __le16_to_cpu(lh->len);
6847
1c2acffb
GP		 6848 if (len != skb->len) {
6849 kfree_skb(skb);
6850 return;
6851 }
6852
9e1d7e15
JH		 6853 /* Since we can't actively block incoming LE connections we must
6854 * at least ensure that we ignore incoming data from them.
6855 */
6856 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6857 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6858 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6859 kfree_skb(skb);
6860 return;
6861 }
6862
1da177e4
LT		 6863 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6864
6865 switch (cid) {
8db4dc46 6866 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6867 l2cap_sig_channel(conn, skb);
6868 break;
6869
8db4dc46 6870 case L2CAP_CID_CONN_LESS:
097db76c 6871 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6872 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6873 l2cap_conless_channel(conn, psm, skb);
6874 break;
6875
a2877629
MH		 6876 case L2CAP_CID_LE_SIGNALING:
6877 l2cap_le_sig_channel(conn, skb);
6878 break;
6879
1da177e4
LT		 6880 default:
6881 l2cap_data_channel(conn, cid, skb);
6882 break;
6883 }
6884}
6885
61a939c6
JH		 6886static void process_pending_rx(struct work_struct *work)
6887{
6888 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6889 pending_rx_work);
6890 struct sk_buff *skb;
6891
6892 BT_DBG("");
6893
6894 while ((skb = skb_dequeue(&conn->pending_rx)))
6895 l2cap_recv_frame(conn, skb);
6896}
6897
162b49e7
JH		 6898static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6899{
6900 struct l2cap_conn *conn = hcon->l2cap_data;
6901 struct hci_chan *hchan;
6902
6903 if (conn)
6904 return conn;
6905
6906 hchan = hci_chan_create(hcon);
6907 if (!hchan)
6908 return NULL;
6909
27f70f3e 6910 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6911 if (!conn) {
6912 hci_chan_del(hchan);
6913 return NULL;
6914 }
6915
6916 kref_init(&conn->ref);
6917 hcon->l2cap_data = conn;
51bb8457 6918 conn->hcon = hci_conn_get(hcon);
162b49e7
JH		 6919 conn->hchan = hchan;
6920
6921 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6922
6923 switch (hcon->type) {
6924 case LE_LINK:
6925 if (hcon->hdev->le_mtu) {
6926 conn->mtu = hcon->hdev->le_mtu;
6927 break;
6928 }
6929 /* fall through */
6930 default:
6931 conn->mtu = hcon->hdev->acl_mtu;
6932 break;
6933 }
6934
6935 conn->feat_mask = 0;
6936
6937 if (hcon->type == ACL_LINK)
6938 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6939 &hcon->hdev->dev_flags);
6940
5a54e7c8 6941 mutex_init(&conn->ident_lock);
162b49e7
JH		 6942 mutex_init(&conn->chan_lock);
6943
6944 INIT_LIST_HEAD(&conn->chan_l);
6945 INIT_LIST_HEAD(&conn->users);
6946
276d8073 6947 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6948
61a939c6
JH		 6949 skb_queue_head_init(&conn->pending_rx);
6950 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
f3d82d0c 6951 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
61a939c6 6952
162b49e7
JH		 6953 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6954
6955 return conn;
6956}
6957
6958static bool is_valid_psm(u16 psm, u8 dst_type) {
6959 if (!psm)
6960 return false;
6961
6962 if (bdaddr_type_is_le(dst_type))
6963 return (psm <= 0x00ff);
6964
6965 /* PSM must be odd and lsb of upper byte must be 0 */
6966 return ((psm & 0x0101) == 0x0001);
6967}
6968
6969int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6970 bdaddr_t *dst, u8 dst_type)
6971{
6972 struct l2cap_conn *conn;
6973 struct hci_conn *hcon;
6974 struct hci_dev *hdev;
162b49e7
JH		 6975 int err;
6976
6977 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6978 dst_type, __le16_to_cpu(psm));
6979
6980 hdev = hci_get_route(dst, &chan->src);
6981 if (!hdev)
6982 return -EHOSTUNREACH;
6983
6984 hci_dev_lock(hdev);
6985
162b49e7
JH		 6986 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6987 chan->chan_type != L2CAP_CHAN_RAW) {
6988 err = -EINVAL;
6989 goto done;
6990 }
6991
21626e62
JH		 6992 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6993 err = -EINVAL;
6994 goto done;
6995 }
6996
6997 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6998 err = -EINVAL;
6999 goto done;
7000 }
7001
7002 switch (chan->mode) {
7003 case L2CAP_MODE_BASIC:
7004 break;
7005 case L2CAP_MODE_LE_FLOWCTL:
7006 l2cap_le_flowctl_init(chan);
7007 break;
7008 case L2CAP_MODE_ERTM:
7009 case L2CAP_MODE_STREAMING:
7010 if (!disable_ertm)
7011 break;
7012 /* fall through */
7013 default:
beb19e4c 7014 err = -EOPNOTSUPP;
162b49e7
JH		 7015 goto done;
7016 }
7017
7018 switch (chan->state) {
7019 case BT_CONNECT:
7020 case BT_CONNECT2:
7021 case BT_CONFIG:
7022 /* Already connecting */
7023 err = 0;
7024 goto done;
7025
7026 case BT_CONNECTED:
7027 /* Already connected */
7028 err = -EISCONN;
7029 goto done;
7030
7031 case BT_OPEN:
7032 case BT_BOUND:
7033 /* Can connect */
7034 break;
7035
7036 default:
7037 err = -EBADFD;
7038 goto done;
7039 }
7040
7041 /* Set destination address and psm */
7042 bacpy(&chan->dst, dst);
7043 chan->dst_type = dst_type;
7044
7045 chan->psm = psm;
7046 chan->dcid = cid;
7047
6f77d8c7 7048 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7049 u8 role;
cdd6275e 7050
6f77d8c7
AG		 7051 /* Convert from L2CAP channel address type to HCI address type
7052 */
7053 if (dst_type == BDADDR_LE_PUBLIC)
7054 dst_type = ADDR_LE_DEV_PUBLIC;
7055 else
7056 dst_type = ADDR_LE_DEV_RANDOM;
7057
e804d25d
JH		 7058 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7059 role = HCI_ROLE_SLAVE;
7060 else
7061 role = HCI_ROLE_MASTER;
cdd6275e 7062
04a6c589 7063 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7064 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7065 } else {
d93375a8 7066 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7067 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7068 }
162b49e7
JH		 7069
7070 if (IS_ERR(hcon)) {
7071 err = PTR_ERR(hcon);
7072 goto done;
7073 }
7074
7075 conn = l2cap_conn_add(hcon);
7076 if (!conn) {
7077 hci_conn_drop(hcon);
7078 err = -ENOMEM;
7079 goto done;
7080 }
7081
02e246ae
JH		 7082 mutex_lock(&conn->chan_lock);
7083 l2cap_chan_lock(chan);
7084
162b49e7
JH		 7085 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7086 hci_conn_drop(hcon);
7087 err = -EBUSY;
02e246ae 7088 goto chan_unlock;
162b49e7
JH		 7089 }
7090
7091 /* Update source addr of the socket */
7092 bacpy(&chan->src, &hcon->src);
7093 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7094
02e246ae 7095 __l2cap_chan_add(conn, chan);
162b49e7
JH		 7096
7097 /* l2cap_chan_add takes its own ref so we can drop this one */
7098 hci_conn_drop(hcon);
7099
7100 l2cap_state_change(chan, BT_CONNECT);
7101 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7102
61202e4d
JH		 7103 /* Release chan->sport so that it can be reused by other
7104 * sockets (as it's only used for listening sockets).
7105 */
7106 write_lock(&chan_list_lock);
7107 chan->sport = 0;
7108 write_unlock(&chan_list_lock);
7109
162b49e7
JH		 7110 if (hcon->state == BT_CONNECTED) {
7111 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7112 __clear_chan_timer(chan);
e7cafc45 7113 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7114 l2cap_state_change(chan, BT_CONNECTED);
7115 } else
7116 l2cap_do_start(chan);
7117 }
7118
7119 err = 0;
7120
02e246ae 7121chan_unlock:
162b49e7 7122 l2cap_chan_unlock(chan);
02e246ae
JH		 7123 mutex_unlock(&conn->chan_lock);
7124done:
162b49e7
JH		 7125 hci_dev_unlock(hdev);
7126 hci_dev_put(hdev);
7127 return err;
7128}
6b8d4a6a 7129EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7130
1da177e4
LT		 7131/* ---- L2CAP interface with lower layer (HCI) ---- */
7132
686ebf28 7133int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7134{
7135 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7136 struct l2cap_chan *c;
1da177e4 7137
6ed93dc6 7138 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7139
7140 /* Find listening sockets and check their link_mode */
23691d75
GP		 7141 read_lock(&chan_list_lock);
7142 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7143 if (c->state != BT_LISTEN)
1da177e4
LT		 7144 continue;
7145
7eafc59e 7146 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7147 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7148 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7149 lm1 |= HCI_LM_MASTER;
1da177e4 7150 exact++;
7eafc59e 7151 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7152 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7153 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7154 lm2 |= HCI_LM_MASTER;
7155 }
1da177e4 7156 }
23691d75 7157 read_unlock(&chan_list_lock);
1da177e4
LT		 7158
7159 return exact ? lm1 : lm2;
7160}
7161
e760ec12
JH		 7162/* Find the next fixed channel in BT_LISTEN state, continue iteration
7163 * from an existing channel in the list or from the beginning of the
7164 * global list (by passing NULL as first parameter).
7165 */
7166static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7167 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7168{
7169 read_lock(&chan_list_lock);
7170
7171 if (c)
7172 c = list_next_entry(c, global_l);
7173 else
7174 c = list_entry(chan_list.next, typeof(*c), global_l);
7175
7176 list_for_each_entry_from(c, &chan_list, global_l) {
7177 if (c->chan_type != L2CAP_CHAN_FIXED)
7178 continue;
7179 if (c->state != BT_LISTEN)
7180 continue;
7181 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7182 continue;
54a1b626
JH		 7183 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7184 continue;
7185 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7186 continue;
e760ec12
JH		 7187
7188 l2cap_chan_hold(c);
7189 read_unlock(&chan_list_lock);
7190 return c;
7191 }
7192
7193 read_unlock(&chan_list_lock);
7194
7195 return NULL;
7196}
7197
9e664631 7198void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7199{
e760ec12 7200 struct hci_dev *hdev = hcon->hdev;
0139418c 7201 struct l2cap_conn *conn;
e760ec12
JH		 7202 struct l2cap_chan *pchan;
7203 u8 dst_type;
0139418c 7204
6ed93dc6 7205 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7206
dc0f5088 7207 if (status) {
e175072f 7208 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7209 return;
ba6fc317 7210 }
dc0f5088
JH		 7211
7212 conn = l2cap_conn_add(hcon);
7213 if (!conn)
7214 return;
7215
e760ec12
JH		 7216 dst_type = bdaddr_type(hcon, hcon->dst_type);
7217
7218 /* If device is blocked, do not create channels for it */
7219 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7220 return;
7221
7222 /* Find fixed channels and notify them of the new connection. We
7223 * use multiple individual lookups, continuing each time where
7224 * we left off, because the list lock would prevent calling the
7225 * potentially sleeping l2cap_chan_lock() function.
7226 */
54a1b626 7227 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7228 while (pchan) {
7229 struct l2cap_chan *chan, *next;
7230
7231 /* Client fixed channels should override server ones */
7232 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7233 goto next;
7234
7235 l2cap_chan_lock(pchan);
7236 chan = pchan->ops->new_connection(pchan);
7237 if (chan) {
7238 bacpy(&chan->src, &hcon->src);
7239 bacpy(&chan->dst, &hcon->dst);
7240 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7241 chan->dst_type = dst_type;
7242
7243 __l2cap_chan_add(conn, chan);
7244 }
7245
7246 l2cap_chan_unlock(pchan);
7247next:
54a1b626
JH		 7248 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7249 hcon->type);
e760ec12
JH		 7250 l2cap_chan_put(pchan);
7251 pchan = next;
7252 }
7253
dc0f5088 7254 l2cap_conn_ready(conn);
1da177e4
LT		 7255}
7256
686ebf28 7257int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7258{
7259 struct l2cap_conn *conn = hcon->l2cap_data;
7260
7261 BT_DBG("hcon %p", hcon);
7262
686ebf28 7263 if (!conn)
9f5a0d7b 7264 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7265 return conn->disc_reason;
7266}
7267
9e664631 7268void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7269{
7270 BT_DBG("hcon %p reason %d", hcon, reason);
7271
e175072f 7272 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7273}
7274
4343478f 7275static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7276{
715ec005 7277 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7278 return;
7279
f62e4323 7280 if (encrypt == 0x00) {
4343478f 7281 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7282 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7283 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7284 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7285 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7286 } else {
4343478f 7287 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7288 __clear_chan_timer(chan);
f62e4323
MH		 7289 }
7290}
7291
686ebf28 7292int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7293{
0139418c 7294 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7295 struct l2cap_chan *chan;
1da177e4 7296
0139418c 7297 if (!conn)
1da177e4 7298 return 0;
0139418c 7299
89d8b407 7300 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7301
3df91ea2 7302 mutex_lock(&conn->chan_lock);
1da177e4 7303
3df91ea2 7304 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7305 l2cap_chan_lock(chan);
1da177e4 7306
89d8b407
AE		 7307 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7308 state_to_string(chan->state));
f1cb9af5 7309
2338a7e0 7310 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7311 l2cap_chan_unlock(chan);
7312 continue;
7313 }
7314
191eb398
JH		 7315 if (!status && encrypt)
7316 chan->sec_level = hcon->sec_level;
f1cb9af5 7317
96eff46e 7318 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7319 l2cap_chan_unlock(chan);
6a8d3010
MH		 7320 continue;
7321 }
7322
89bc500e 7323 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7324 chan->state == BT_CONFIG)) {
d97c899b 7325 chan->ops->resume(chan);
4343478f 7326 l2cap_check_encryption(chan, encrypt);
6be36555 7327 l2cap_chan_unlock(chan);
9719f8af
MH		 7328 continue;
7329 }
7330
89bc500e 7331 if (chan->state == BT_CONNECT) {
6d3c15da 7332 if (!status)
93c3e8f5 7333 l2cap_start_connection(chan);
6d3c15da 7334 else
ba13ccd9 7335 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
fa37c1aa
JH		 7336 } else if (chan->state == BT_CONNECT2 &&
7337 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
b1235d79 7338 struct l2cap_conn_rsp rsp;
df3c3931 7339 __u16 res, stat;
1da177e4 7340
b1235d79 7341 if (!status) {
bdc25783 7342 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7343 res = L2CAP_CR_PEND;
7344 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7345 chan->ops->defer(chan);
df3c3931 7346 } else {
acdcabf5 7347 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7348 res = L2CAP_CR_SUCCESS;
7349 stat = L2CAP_CS_NO_INFO;
7350 }
b1235d79 7351 } else {
acdcabf5 7352 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7353 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7354 res = L2CAP_CR_SEC_BLOCK;
7355 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7356 }
7357
fe4128e0
GP		 7358 rsp.scid = cpu_to_le16(chan->dcid);
7359 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7360 rsp.result = cpu_to_le16(res);
7361 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7362 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7363 sizeof(rsp), &rsp);
2d369359
MM		 7364
7365 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7366 res == L2CAP_CR_SUCCESS) {
7367 char buf[128];
7368 set_bit(CONF_REQ_SENT, &chan->conf_state);
7369 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7370 L2CAP_CONF_REQ,
7371 l2cap_build_conf_req(chan, buf),
7372 buf);
7373 chan->num_conf_req++;
7374 }
b1235d79 7375 }
1da177e4 7376
6be36555 7377 l2cap_chan_unlock(chan);
1da177e4
LT		 7378 }
7379
3df91ea2 7380 mutex_unlock(&conn->chan_lock);
b1235d79 7381
1da177e4
LT		 7382 return 0;
7383}
7384
686ebf28 7385int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7386{
7387 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7388 struct l2cap_hdr *hdr;
7389 int len;
1da177e4 7390
1d13a254
AE		 7391 /* For AMP controller do not create l2cap conn */
7392 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7393 goto drop;
1da177e4 7394
5a08ecce 7395 if (!conn)
baf43251 7396 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7397
7398 if (!conn)
1da177e4
LT		 7399 goto drop;
7400
7401 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7402
d73a0988
AE		 7403 switch (flags) {
7404 case ACL_START:
7405 case ACL_START_NO_FLUSH:
7406 case ACL_COMPLETE:
1da177e4
LT		 7407 if (conn->rx_len) {
7408 BT_ERR("Unexpected start frame (len %d)", skb->len);
7409 kfree_skb(conn->rx_skb);
7410 conn->rx_skb = NULL;
7411 conn->rx_len = 0;
7412 l2cap_conn_unreliable(conn, ECOMM);
7413 }
7414
aae7fe22
AE		 7415 /* Start fragment always begin with Basic L2CAP header */
7416 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7417 BT_ERR("Frame is too short (len %d)", skb->len);
7418 l2cap_conn_unreliable(conn, ECOMM);
7419 goto drop;
7420 }
7421
7422 hdr = (struct l2cap_hdr *) skb->data;
7423 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7424
7425 if (len == skb->len) {
7426 /* Complete frame received */
7427 l2cap_recv_frame(conn, skb);
7428 return 0;
7429 }
7430
7431 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7432
7433 if (skb->len > len) {
7434 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7435 skb->len, len);
1da177e4
LT		 7436 l2cap_conn_unreliable(conn, ECOMM);
7437 goto drop;
7438 }
7439
7440 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7441 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7442 if (!conn->rx_skb)
1da177e4
LT		 7443 goto drop;
7444
d626f62b 7445 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7446 skb->len);
1da177e4 7447 conn->rx_len = len - skb->len;
d73a0988
AE		 7448 break;
7449
7450 case ACL_CONT:
1da177e4
LT		 7451 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7452
7453 if (!conn->rx_len) {
7454 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7455 l2cap_conn_unreliable(conn, ECOMM);
7456 goto drop;
7457 }
7458
7459 if (skb->len > conn->rx_len) {
7460 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7461 skb->len, conn->rx_len);
1da177e4
LT		 7462 kfree_skb(conn->rx_skb);
7463 conn->rx_skb = NULL;
7464 conn->rx_len = 0;
7465 l2cap_conn_unreliable(conn, ECOMM);
7466 goto drop;
7467 }
7468
d626f62b 7469 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7470 skb->len);
1da177e4
LT		 7471 conn->rx_len -= skb->len;
7472
7473 if (!conn->rx_len) {
c4e5bafa
JH		 7474 /* Complete frame received. l2cap_recv_frame
7475 * takes ownership of the skb so set the global
7476 * rx_skb pointer to NULL first.
7477 */
7478 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7479 conn->rx_skb = NULL;
c4e5bafa 7480 l2cap_recv_frame(conn, rx_skb);
1da177e4 7481 }
d73a0988 7482 break;
1da177e4
LT		 7483 }
7484
7485drop:
7486 kfree_skb(skb);
7487 return 0;
7488}
7489
aef7d97c 7490static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7491{
23691d75 7492 struct l2cap_chan *c;
1da177e4 7493
333055f2 7494 read_lock(&chan_list_lock);
1da177e4 7495
23691d75 7496 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7497 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7498 &c->src, &c->dst,
fcb73338
AE		 7499 c->state, __le16_to_cpu(c->psm),
7500 c->scid, c->dcid, c->imtu, c->omtu,
7501 c->sec_level, c->mode);
61e1b4b7 7502 }
1da177e4 7503
333055f2 7504 read_unlock(&chan_list_lock);
1da177e4 7505
aef7d97c 7506 return 0;
1da177e4
LT		 7507}
7508
aef7d97c
MH		 7509static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7510{
7511 return single_open(file, l2cap_debugfs_show, inode->i_private);
7512}
7513
7514static const struct file_operations l2cap_debugfs_fops = {
7515 .open = l2cap_debugfs_open,
7516 .read = seq_read,
7517 .llseek = seq_lseek,
7518 .release = single_release,
7519};
7520
7521static struct dentry *l2cap_debugfs;
1da177e4 7522
64274518 7523int __init l2cap_init(void)
1da177e4
LT		 7524{
7525 int err;
be9d1227 7526
bb58f747 7527 err = l2cap_init_sockets();
1da177e4
LT		 7528 if (err < 0)
7529 return err;
7530
1120e4bf
MH		 7531 if (IS_ERR_OR_NULL(bt_debugfs))
7532 return 0;
7533
7534 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7535 NULL, &l2cap_debugfs_fops);
1da177e4 7536
40b9397a 7537 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7538 &le_max_credits);
40b9397a 7539 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7540 &le_default_mps);
7541
1da177e4 7542 return 0;
1da177e4
LT		 7543}
7544
64274518 7545void l2cap_exit(void)
1da177e4 7546{
aef7d97c 7547 debugfs_remove(l2cap_debugfs);
bb58f747 7548 l2cap_cleanup_sockets();
1da177e4
LT		 7549}
7550
d1c4a17d
GP		 7551module_param(disable_ertm, bool, 0644);
7552MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.605093 seconds and 5 git commands to generate.