projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove typedef bt3c_info_t
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
333055f2 427 write_lock(&chan_list_lock);
23691d75 428 list_add(&chan->global_l, &chan_list);
333055f2 429 write_unlock(&chan_list_lock);
23691d75 430
721c4181 431 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 432
89bc500e
GP		 433 chan->state = BT_OPEN;
434
144ad330 435 kref_init(&chan->kref);
71ba0e56 436
2827011f
MM		 437 /* This flag is cleared in l2cap_chan_ready() */
438 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
439
eef1d9b6 440 BT_DBG("chan %p", chan);
abc545b8 441
48454079
GP		 442 return chan;
443}
6b8d4a6a 444EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 445
144ad330 446static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 447{
144ad330
SS		 448 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
449
4af66c69
JK		 450 BT_DBG("chan %p", chan);
451
333055f2 452 write_lock(&chan_list_lock);
23691d75 453 list_del(&chan->global_l);
333055f2 454 write_unlock(&chan_list_lock);
23691d75 455
4af66c69 456 kfree(chan);
6ff5abbf
GP		 457}
458
30648372
JK		 459void l2cap_chan_hold(struct l2cap_chan *c)
460{
144ad330 461 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 462
144ad330 463 kref_get(&c->kref);
30648372
JK		 464}
465
466void l2cap_chan_put(struct l2cap_chan *c)
467{
144ad330 468 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 469
144ad330 470 kref_put(&c->kref, l2cap_chan_destroy);
30648372 471}
6b8d4a6a 472EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 473
bd4b1653
AE		 474void l2cap_chan_set_defaults(struct l2cap_chan *chan)
475{
476 chan->fcs = L2CAP_FCS_CRC16;
477 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
478 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
479 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 480 chan->remote_max_tx = chan->max_tx;
481 chan->remote_tx_win = chan->tx_win;
c20f8e35 482 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 483 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 484 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
485 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
486 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
487 chan->conf_state = 0;
bd4b1653
AE		 488
489 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
490}
6b8d4a6a 491EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 492
0ce43ce6 493static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 494{
0ce43ce6
JH		 495 chan->sdu = NULL;
496 chan->sdu_last_frag = NULL;
497 chan->sdu_len = 0;
0cd75f7e 498 chan->tx_credits = 0;
f15b8ecf 499 chan->rx_credits = le_max_credits;
d1d79413 500 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 501
502 skb_queue_head_init(&chan->tx_q);
38319713
JH		 503}
504
93c3e8f5 505void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 506{
af05b30b 507 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 508 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 509
9f5a0d7b 510 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 511
8c1d787b 512 chan->conn = conn;
0139418c 513
5491120e
AE		 514 switch (chan->chan_type) {
515 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 516 /* Alloc CID for connection-oriented socket */
517 chan->scid = l2cap_alloc_cid(conn);
518 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 519 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 520 break;
521
522 case L2CAP_CHAN_CONN_LESS:
0139418c 523 /* Connectionless socket */
fe4128e0
GP		 524 chan->scid = L2CAP_CID_CONN_LESS;
525 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 526 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 527 break;
528
2338a7e0
JH		 529 case L2CAP_CHAN_FIXED:
530 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 531 break;
532
5491120e 533 default:
0139418c 534 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 535 chan->scid = L2CAP_CID_SIGNALING;
536 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 537 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 538 }
539
8f7975b1
AE		 540 chan->local_id = L2CAP_BESTEFFORT_ID;
541 chan->local_stype = L2CAP_SERV_BESTEFFORT;
542 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
543 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
544 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 545 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 546
371fd835 547 l2cap_chan_hold(chan);
baa7e1fa 548
5ee9891d
JH		 549 hci_conn_hold(conn->hcon);
550
3df91ea2 551 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 552}
553
466f8004 554void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 555{
556 mutex_lock(&conn->chan_lock);
557 __l2cap_chan_add(conn, chan);
3df91ea2 558 mutex_unlock(&conn->chan_lock);
0139418c
MH		 559}
560
466f8004 561void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 562{
8c1d787b 563 struct l2cap_conn *conn = chan->conn;
0139418c 564
c9b66675 565 __clear_chan_timer(chan);
0139418c 566
49208c9c 567 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 568
72847ce0
JH		 569 chan->ops->teardown(chan, err);
570
8e87d142 571 if (conn) {
56f60984 572 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 573 /* Delete from channel list */
3df91ea2 574 list_del(&chan->list);
3d57dc68 575
371fd835 576 l2cap_chan_put(chan);
baa7e1fa 577
8c1d787b 578 chan->conn = NULL;
3cabbfda 579
2338a7e0 580 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 581 hci_conn_drop(conn->hcon);
56f60984
AE		 582
583 if (mgr && mgr->bredr_chan == chan)
584 mgr->bredr_chan = NULL;
0139418c
MH		 585 }
586
419e08c1
AE		 587 if (chan->hs_hchan) {
588 struct hci_chan *hs_hchan = chan->hs_hchan;
589
590 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
591 amp_disconnect_logical_link(hs_hchan);
592 }
593
2827011f 594 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 595 return;
2ead70b8 596
ee556f66
GP		 597 switch(chan->mode) {
598 case L2CAP_MODE_BASIC:
599 break;
c13ffa62 600
38319713 601 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 602 skb_queue_purge(&chan->tx_q);
38319713
JH		 603 break;
604
ee556f66 605 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 606 __clear_retrans_timer(chan);
607 __clear_monitor_timer(chan);
608 __clear_ack_timer(chan);
c13ffa62 609
f1c6775b 610 skb_queue_purge(&chan->srej_q);
c13ffa62 611
3c588192
MM		 612 l2cap_seq_list_free(&chan->srej_list);
613 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 614
615 /* fall through */
616
617 case L2CAP_MODE_STREAMING:
618 skb_queue_purge(&chan->tx_q);
619 break;
c13ffa62 620 }
ee556f66
GP		 621
622 return;
0139418c 623}
6b8d4a6a 624EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 625
387a33e3
JH		 626void l2cap_conn_update_id_addr(struct hci_conn *hcon)
627{
628 struct l2cap_conn *conn = hcon->l2cap_data;
629 struct l2cap_chan *chan;
630
631 mutex_lock(&conn->chan_lock);
632
633 list_for_each_entry(chan, &conn->chan_l, list) {
634 l2cap_chan_lock(chan);
635 bacpy(&chan->dst, &hcon->dst);
636 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
637 l2cap_chan_unlock(chan);
638 }
639
640 mutex_unlock(&conn->chan_lock);
641}
642
27e2d4c8
JH		 643static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
644{
645 struct l2cap_conn *conn = chan->conn;
646 struct l2cap_le_conn_rsp rsp;
647 u16 result;
648
649 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
650 result = L2CAP_CR_AUTHORIZATION;
651 else
652 result = L2CAP_CR_BAD_PSM;
653
654 l2cap_state_change(chan, BT_DISCONN);
655
656 rsp.dcid = cpu_to_le16(chan->scid);
657 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 658 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 659 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 660 rsp.result = cpu_to_le16(result);
661
662 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
663 &rsp);
664}
665
791d60f7
JH		 666static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
667{
668 struct l2cap_conn *conn = chan->conn;
669 struct l2cap_conn_rsp rsp;
670 u16 result;
671
672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
673 result = L2CAP_CR_SEC_BLOCK;
674 else
675 result = L2CAP_CR_BAD_PSM;
676
677 l2cap_state_change(chan, BT_DISCONN);
678
679 rsp.scid = cpu_to_le16(chan->dcid);
680 rsp.dcid = cpu_to_le16(chan->scid);
681 rsp.result = cpu_to_le16(result);
dcf4adbf 682 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 683
684 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
685}
686
0f852724 687void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 688{
689 struct l2cap_conn *conn = chan->conn;
4519de9a 690
7eafc59e 691 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 692
89bc500e 693 switch (chan->state) {
4519de9a 694 case BT_LISTEN:
b699ec0d 695 chan->ops->teardown(chan, 0);
4519de9a
GP		 696 break;
697
698 case BT_CONNECTED:
699 case BT_CONFIG:
7b25c9b3 700 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 701 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 702 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 703 } else
704 l2cap_chan_del(chan, reason);
705 break;
706
707 case BT_CONNECT2:
791d60f7
JH		 708 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
709 if (conn->hcon->type == ACL_LINK)
710 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 711 else if (conn->hcon->type == LE_LINK)
712 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 713 }
714
715 l2cap_chan_del(chan, reason);
716 break;
717
718 case BT_CONNECT:
719 case BT_DISCONN:
720 l2cap_chan_del(chan, reason);
721 break;
722
723 default:
b699ec0d 724 chan->ops->teardown(chan, 0);
4519de9a
GP		 725 break;
726 }
727}
6b8d4a6a 728EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 729
4343478f 730static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 731{
6a974b50
MH		 732 switch (chan->chan_type) {
733 case L2CAP_CHAN_RAW:
4343478f 734 switch (chan->sec_level) {
8556edd3 735 case BT_SECURITY_HIGH:
7d513e92 736 case BT_SECURITY_FIPS:
8556edd3
JH		 737 return HCI_AT_DEDICATED_BONDING_MITM;
738 case BT_SECURITY_MEDIUM:
739 return HCI_AT_DEDICATED_BONDING;
740 default:
741 return HCI_AT_NO_BONDING;
742 }
6a974b50 743 break;
3124b843 744 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 745 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 746 if (chan->sec_level == BT_SECURITY_LOW)
747 chan->sec_level = BT_SECURITY_SDP;
748 }
7d513e92
MH		 749 if (chan->sec_level == BT_SECURITY_HIGH ||
750 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 751 return HCI_AT_NO_BONDING_MITM;
752 else
753 return HCI_AT_NO_BONDING;
754 break;
6a974b50 755 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 756 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 757 if (chan->sec_level == BT_SECURITY_LOW)
758 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 759
7d513e92
MH		 760 if (chan->sec_level == BT_SECURITY_HIGH ||
761 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 762 return HCI_AT_NO_BONDING_MITM;
763 else
764 return HCI_AT_NO_BONDING;
765 }
766 /* fall through */
767 default:
4343478f 768 switch (chan->sec_level) {
00ae4af9 769 case BT_SECURITY_HIGH:
7d513e92 770 case BT_SECURITY_FIPS:
8556edd3 771 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 772 case BT_SECURITY_MEDIUM:
8556edd3 773 return HCI_AT_GENERAL_BONDING;
00ae4af9 774 default:
8556edd3 775 return HCI_AT_NO_BONDING;
00ae4af9 776 }
6a974b50 777 break;
0684e5f9 778 }
8556edd3
JH		 779}
780
781/* Service level security */
e7cafc45 782int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 783{
8c1d787b 784 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 785 __u8 auth_type;
786
a17de2fe
JH		 787 if (conn->hcon->type == LE_LINK)
788 return smp_conn_security(conn->hcon, chan->sec_level);
789
4343478f 790 auth_type = l2cap_get_auth_type(chan);
79d554a6 791
e7cafc45
JH		 792 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
793 initiator);
79d554a6
MH		 794}
795
b5ad8b7f 796static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 797{
798 u8 id;
799
800 /* Get next available identificator.
801 * 1 - 128 are used by kernel.
802 * 129 - 199 are reserved.
803 * 200 - 254 are used by utilities like l2ping, etc.
804 */
805
5a54e7c8 806 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 807
808 if (++conn->tx_ident > 128)
809 conn->tx_ident = 1;
810
811 id = conn->tx_ident;
812
5a54e7c8 813 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 814
815 return id;
816}
817
2d792818
GP		 818static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
819 void *data)
4e8402a3
MH		 820{
821 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 822 u8 flags;
4e8402a3
MH		 823
824 BT_DBG("code 0x%2.2x", code);
825
826 if (!skb)
9a9c6a34 827 return;
4e8402a3 828
e702112f
AE		 829 if (lmp_no_flush_capable(conn->hcon->hdev))
830 flags = ACL_START_NO_FLUSH;
831 else
832 flags = ACL_START;
833
14b12d0b 834 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 835 skb->priority = HCI_PRIO_MAX;
14b12d0b 836
73d80deb
LAD		 837 hci_send_acl(conn->hchan, skb, flags);
838}
839
02b0fbb9
MM		 840static bool __chan_is_moving(struct l2cap_chan *chan)
841{
842 return chan->move_state != L2CAP_MOVE_STABLE &&
843 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
844}
845
73d80deb
LAD		 846static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
847{
848 struct hci_conn *hcon = chan->conn->hcon;
849 u16 flags;
850
851 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 852 skb->priority);
73d80deb 853
d5f8a75d
MM		 854 if (chan->hs_hcon && !__chan_is_moving(chan)) {
855 if (chan->hs_hchan)
856 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
857 else
858 kfree_skb(skb);
859
860 return;
861 }
862
73d80deb 863 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 864 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 865 flags = ACL_START_NO_FLUSH;
866 else
867 flags = ACL_START;
14b12d0b 868
73d80deb
LAD		 869 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
870 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 871}
872
b76bbd66
MM		 873static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
874{
875 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
876 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
877
878 if (enh & L2CAP_CTRL_FRAME_TYPE) {
879 /* S-Frame */
880 control->sframe = 1;
881 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
882 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
883
884 control->sar = 0;
885 control->txseq = 0;
886 } else {
887 /* I-Frame */
888 control->sframe = 0;
889 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
890 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
891
892 control->poll = 0;
893 control->super = 0;
894 }
895}
896
b76bbd66
MM		 897static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
898{
899 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
900 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
901
902 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
903 /* S-Frame */
904 control->sframe = 1;
905 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
906 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
907
908 control->sar = 0;
909 control->txseq = 0;
910 } else {
911 /* I-Frame */
912 control->sframe = 0;
913 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
914 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
915
916 control->poll = 0;
917 control->super = 0;
918 }
919}
920
921static inline void __unpack_control(struct l2cap_chan *chan,
922 struct sk_buff *skb)
923{
924 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
925 __unpack_extended_control(get_unaligned_le32(skb->data),
926 &bt_cb(skb)->control);
cec8ab6e 927 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 928 } else {
929 __unpack_enhanced_control(get_unaligned_le16(skb->data),
930 &bt_cb(skb)->control);
cec8ab6e 931 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 932 }
933}
934
b5c6aaed
MM		 935static u32 __pack_extended_control(struct l2cap_ctrl *control)
936{
937 u32 packed;
938
939 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
940 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
941
942 if (control->sframe) {
943 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
944 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
945 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
946 } else {
947 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
948 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
949 }
950
951 return packed;
952}
953
954static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
955{
956 u16 packed;
957
958 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
959 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
960
961 if (control->sframe) {
962 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
963 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
964 packed |= L2CAP_CTRL_FRAME_TYPE;
965 } else {
966 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
967 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
968 }
969
970 return packed;
971}
972
b76bbd66
MM		 973static inline void __pack_control(struct l2cap_chan *chan,
974 struct l2cap_ctrl *control,
975 struct sk_buff *skb)
976{
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
978 put_unaligned_le32(__pack_extended_control(control),
979 skb->data + L2CAP_HDR_SIZE);
980 } else {
981 put_unaligned_le16(__pack_enhanced_control(control),
982 skb->data + L2CAP_HDR_SIZE);
983 }
984}
985
ba7aa64f
GP		 986static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
987{
988 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
989 return L2CAP_EXT_HDR_SIZE;
990 else
991 return L2CAP_ENH_HDR_SIZE;
992}
993
a67d7f6f
MM		 994static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
995 u32 control)
b5c6aaed
MM		 996{
997 struct sk_buff *skb;
998 struct l2cap_hdr *lh;
ba7aa64f 999 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1000
1001 if (chan->fcs == L2CAP_FCS_CRC16)
1002 hlen += L2CAP_FCS_SIZE;
1003
a67d7f6f 1004 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1005
b5c6aaed 1006 if (!skb)
a67d7f6f 1007 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1008
1009 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1010 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1011 lh->cid = cpu_to_le16(chan->dcid);
1012
a67d7f6f
MM		 1013 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1014 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1015 else
1016 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1017
1018 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1019 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1020 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1021 }
1022
1023 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1024 return skb;
1025}
1026
1027static void l2cap_send_sframe(struct l2cap_chan *chan,
1028 struct l2cap_ctrl *control)
1029{
1030 struct sk_buff *skb;
1031 u32 control_field;
1032
1033 BT_DBG("chan %p, control %p", chan, control);
1034
1035 if (!control->sframe)
1036 return;
1037
b99e13ad
MM		 1038 if (__chan_is_moving(chan))
1039 return;
1040
a67d7f6f
MM		 1041 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1042 !control->poll)
1043 control->final = 1;
1044
1045 if (control->super == L2CAP_SUPER_RR)
1046 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1047 else if (control->super == L2CAP_SUPER_RNR)
1048 set_bit(CONN_RNR_SENT, &chan->conn_state);
1049
1050 if (control->super != L2CAP_SUPER_SREJ) {
1051 chan->last_acked_seq = control->reqseq;
1052 __clear_ack_timer(chan);
1053 }
1054
1055 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1056 control->final, control->poll, control->super);
1057
1058 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1059 control_field = __pack_extended_control(control);
1060 else
1061 control_field = __pack_enhanced_control(control);
1062
1063 skb = l2cap_create_sframe_pdu(chan, control_field);
1064 if (!IS_ERR(skb))
1065 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1066}
1067
c9e3d5e0 1068static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1069{
c9e3d5e0
MM		 1070 struct l2cap_ctrl control;
1071
1072 BT_DBG("chan %p, poll %d", chan, poll);
1073
1074 memset(&control, 0, sizeof(control));
1075 control.sframe = 1;
1076 control.poll = poll;
1077
1078 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1079 control.super = L2CAP_SUPER_RNR;
1080 else
1081 control.super = L2CAP_SUPER_RR;
b5c6aaed 1082
c9e3d5e0
MM		 1083 control.reqseq = chan->buffer_seq;
1084 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1085}
1086
b4450035 1087static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1088{
5ff6f34d
JH		 1089 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1090 return true;
1091
c1360a1c 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1093}
1094
1df7b17a 1095static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1096{
1df7b17a 1097 struct l2cap_conn *conn = chan->conn;
80d58d0b 1098 struct hci_dev *hdev;
1df7b17a
MH		 1099 bool amp_available = false;
1100
1101 if (!conn->hs_enabled)
1102 return false;
1103
1104 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1105 return false;
80d58d0b
MH		 1106
1107 read_lock(&hci_dev_list_lock);
1df7b17a 1108 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1109 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1110 test_bit(HCI_UP, &hdev->flags)) {
1111 amp_available = true;
1112 break;
1113 }
1114 }
80d58d0b
MH		 1115 read_unlock(&hci_dev_list_lock);
1116
1df7b17a
MH		 1117 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1118 return amp_available;
848566b3
MH		 1119
1120 return false;
93c3e8f5
AE		 1121}
1122
5ce66b59
AE		 1123static bool l2cap_check_efs(struct l2cap_chan *chan)
1124{
1125 /* Check EFS parameters */
1126 return true;
1127}
1128
2766be48 1129void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1130{
1131 struct l2cap_conn *conn = chan->conn;
1132 struct l2cap_conn_req req;
1133
1134 req.scid = cpu_to_le16(chan->scid);
1135 req.psm = chan->psm;
1136
1137 chan->ident = l2cap_get_ident(conn);
1138
1139 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1140
1141 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1142}
1143
8eb200bd
MM		 1144static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1145{
1146 struct l2cap_create_chan_req req;
1147 req.scid = cpu_to_le16(chan->scid);
1148 req.psm = chan->psm;
1149 req.amp_id = amp_id;
1150
1151 chan->ident = l2cap_get_ident(chan->conn);
1152
1153 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1154 sizeof(req), &req);
1155}
1156
02b0fbb9
MM		 1157static void l2cap_move_setup(struct l2cap_chan *chan)
1158{
1159 struct sk_buff *skb;
1160
1161 BT_DBG("chan %p", chan);
1162
1163 if (chan->mode != L2CAP_MODE_ERTM)
1164 return;
1165
1166 __clear_retrans_timer(chan);
1167 __clear_monitor_timer(chan);
1168 __clear_ack_timer(chan);
1169
1170 chan->retry_count = 0;
1171 skb_queue_walk(&chan->tx_q, skb) {
1172 if (bt_cb(skb)->control.retries)
1173 bt_cb(skb)->control.retries = 1;
1174 else
1175 break;
1176 }
1177
1178 chan->expected_tx_seq = chan->buffer_seq;
1179
1180 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1181 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1182 l2cap_seq_list_clear(&chan->retrans_list);
1183 l2cap_seq_list_clear(&chan->srej_list);
1184 skb_queue_purge(&chan->srej_q);
1185
1186 chan->tx_state = L2CAP_TX_STATE_XMIT;
1187 chan->rx_state = L2CAP_RX_STATE_MOVE;
1188
1189 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1190}
1191
5f3847a4
MM		 1192static void l2cap_move_done(struct l2cap_chan *chan)
1193{
1194 u8 move_role = chan->move_role;
1195 BT_DBG("chan %p", chan);
1196
1197 chan->move_state = L2CAP_MOVE_STABLE;
1198 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1199
1200 if (chan->mode != L2CAP_MODE_ERTM)
1201 return;
1202
1203 switch (move_role) {
1204 case L2CAP_MOVE_ROLE_INITIATOR:
1205 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1206 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1207 break;
1208 case L2CAP_MOVE_ROLE_RESPONDER:
1209 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1210 break;
1211 }
1212}
1213
9f0caeb1
VCG		 1214static void l2cap_chan_ready(struct l2cap_chan *chan)
1215{
2827011f 1216 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1217 chan->conf_state = 0;
1218 __clear_chan_timer(chan);
1219
0ce43ce6
JH		 1220 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1221 chan->ops->suspend(chan);
177f8f2b 1222
54a59aa2 1223 chan->state = BT_CONNECTED;
9f0caeb1 1224
fd83e2c2 1225 chan->ops->ready(chan);
9f0caeb1
VCG		 1226}
1227
f1496dee
JH		 1228static void l2cap_le_connect(struct l2cap_chan *chan)
1229{
1230 struct l2cap_conn *conn = chan->conn;
1231 struct l2cap_le_conn_req req;
1232
595177f3
JH		 1233 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1234 return;
1235
f1496dee
JH		 1236 req.psm = chan->psm;
1237 req.scid = cpu_to_le16(chan->scid);
1238 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1239 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1240 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1241
1242 chan->ident = l2cap_get_ident(conn);
1243
1244 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1245 sizeof(req), &req);
1246}
1247
1248static void l2cap_le_start(struct l2cap_chan *chan)
1249{
1250 struct l2cap_conn *conn = chan->conn;
1251
1252 if (!smp_conn_security(conn->hcon, chan->sec_level))
1253 return;
1254
1255 if (!chan->psm) {
1256 l2cap_chan_ready(chan);
1257 return;
1258 }
1259
1260 if (chan->state == BT_CONNECT)
1261 l2cap_le_connect(chan);
1262}
1263
93c3e8f5
AE		 1264static void l2cap_start_connection(struct l2cap_chan *chan)
1265{
1266 if (__amp_capable(chan)) {
1267 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1268 a2mp_discover_amp(chan);
f1496dee
JH		 1269 } else if (chan->conn->hcon->type == LE_LINK) {
1270 l2cap_le_start(chan);
93c3e8f5
AE		 1271 } else {
1272 l2cap_send_conn_req(chan);
1273 }
1274}
1275
fc7f8a7e 1276static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1277{
8c1d787b 1278 struct l2cap_conn *conn = chan->conn;
79d554a6 1279
9f0caeb1 1280 if (conn->hcon->type == LE_LINK) {
96ac34fb 1281 l2cap_le_start(chan);
9f0caeb1
VCG		 1282 return;
1283 }
1284
79d554a6 1285 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1286 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1287 return;
1288
e7cafc45 1289 if (l2cap_chan_check_security(chan, true) &&
2d792818 1290 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1291 l2cap_start_connection(chan);
1292 }
79d554a6
MH		 1293 } else {
1294 struct l2cap_info_req req;
dcf4adbf 1295 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1296
1297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1298 conn->info_ident = l2cap_get_ident(conn);
1299
ba13ccd9 1300 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1301
2d792818
GP		 1302 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1303 sizeof(req), &req);
79d554a6
MH		 1304 }
1305}
1306
cf6c2c0b
GP		 1307static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1308{
1309 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1310 if (!disable_ertm)
cf6c2c0b
GP		 1311 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1312
1313 switch (mode) {
1314 case L2CAP_MODE_ERTM:
1315 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1316 case L2CAP_MODE_STREAMING:
1317 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1318 default:
1319 return 0x00;
1320 }
1321}
1322
5e4e3972 1323static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1324{
5e4e3972 1325 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1326 struct l2cap_disconn_req req;
1327
c13ffa62
GP		 1328 if (!conn)
1329 return;
1330
aad3d0e3 1331 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1332 __clear_retrans_timer(chan);
1333 __clear_monitor_timer(chan);
1334 __clear_ack_timer(chan);
c13ffa62
GP		 1335 }
1336
2338a7e0 1337 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1338 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1339 return;
1340 }
1341
fe4128e0
GP		 1342 req.dcid = cpu_to_le16(chan->dcid);
1343 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1344 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1345 sizeof(req), &req);
c13ffa62 1346
f8e73017 1347 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1348}
1349
1da177e4 1350/* ---- L2CAP connections ---- */
4e8402a3
MH		 1351static void l2cap_conn_start(struct l2cap_conn *conn)
1352{
3df91ea2 1353 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1354
1355 BT_DBG("conn %p", conn);
1356
3df91ea2 1357 mutex_lock(&conn->chan_lock);
4e8402a3 1358
3df91ea2 1359 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1360 l2cap_chan_lock(chan);
4e8402a3 1361
715ec005 1362 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1363 l2cap_chan_unlock(chan);
79d554a6
MH		 1364 continue;
1365 }
1366
89bc500e 1367 if (chan->state == BT_CONNECT) {
e7cafc45 1368 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1369 !__l2cap_no_conn_pending(chan)) {
6be36555 1370 l2cap_chan_unlock(chan);
47731de7
GP		 1371 continue;
1372 }
79d554a6 1373
c1360a1c 1374 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1375 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1376 &chan->conf_state)) {
89bc500e 1377 l2cap_chan_close(chan, ECONNRESET);
6be36555 1378 l2cap_chan_unlock(chan);
47731de7 1379 continue;
b1235d79 1380 }
47731de7 1381
93c3e8f5 1382 l2cap_start_connection(chan);
47731de7 1383
89bc500e 1384 } else if (chan->state == BT_CONNECT2) {
79d554a6 1385 struct l2cap_conn_rsp rsp;
e9aeb2dd 1386 char buf[128];
fe4128e0
GP		 1387 rsp.scid = cpu_to_le16(chan->dcid);
1388 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1389
e7cafc45 1390 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1391 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1392 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1393 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1394 chan->ops->defer(chan);
f66dc81f
MH		 1395
1396 } else {
acdcabf5 1397 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1398 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1399 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1400 }
79d554a6 1401 } else {
dcf4adbf
JP		 1402 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1403 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1404 }
1405
fc7f8a7e 1406 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1407 sizeof(rsp), &rsp);
e9aeb2dd 1408
c1360a1c 1409 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1410 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1411 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1412 continue;
1413 }
1414
c1360a1c 1415 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1416 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1417 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1418 chan->num_conf_req++;
4e8402a3
MH		 1419 }
1420
6be36555 1421 l2cap_chan_unlock(chan);
4e8402a3
MH		 1422 }
1423
3df91ea2 1424 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1425}
1426
b62f328b
VT		 1427static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1428{
cc8dba2b 1429 struct hci_conn *hcon = conn->hcon;
dcc36c16 1430 struct hci_dev *hdev = hcon->hdev;
b62f328b 1431
e760ec12 1432 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1433
e760ec12
JH		 1434 /* For outgoing pairing which doesn't necessarily have an
1435 * associated socket (e.g. mgmt_pair_device).
1436 */
1437 if (hcon->out)
1438 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1439
80afeb6c
MH		 1440 /* For LE slave connections, make sure the connection interval
1441 * is in the range of the minium and maximum interval that has
1442 * been configured for this connection. If not, then trigger
1443 * the connection update procedure.
1444 */
40bef302 1445 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1446 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1447 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1448 struct l2cap_conn_param_update_req req;
1449
1450 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1451 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1452 req.latency = cpu_to_le16(hcon->le_conn_latency);
1453 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1454
1455 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1456 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1457 }
b62f328b
VT		 1458}
1459
4e8402a3
MH		 1460static void l2cap_conn_ready(struct l2cap_conn *conn)
1461{
48454079 1462 struct l2cap_chan *chan;
cc110922 1463 struct hci_conn *hcon = conn->hcon;
4e8402a3 1464
79d554a6 1465 BT_DBG("conn %p", conn);
4e8402a3 1466
e760ec12
JH		 1467 mutex_lock(&conn->chan_lock);
1468
3df91ea2 1469 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1470
6be36555 1471 l2cap_chan_lock(chan);
4e8402a3 1472
2338a7e0 1473 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1474 l2cap_chan_unlock(chan);
1475 continue;
1476 }
1477
cc110922 1478 if (hcon->type == LE_LINK) {
f1496dee 1479 l2cap_le_start(chan);
63128451 1480 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1481 l2cap_chan_ready(chan);
b501d6a1 1482
1c244f79 1483 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1484 l2cap_do_start(chan);
1c244f79 1485 }
4e8402a3 1486
6be36555 1487 l2cap_chan_unlock(chan);
4e8402a3 1488 }
79d554a6 1489
3df91ea2 1490 mutex_unlock(&conn->chan_lock);
61a939c6 1491
79a05727
JH		 1492 if (hcon->type == LE_LINK)
1493 l2cap_le_conn_ready(conn);
1494
61a939c6 1495 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1496}
1497
1498/* Notify sockets that we cannot guaranty reliability anymore */
1499static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1500{
48454079 1501 struct l2cap_chan *chan;
4e8402a3
MH		 1502
1503 BT_DBG("conn %p", conn);
1504
3df91ea2 1505 mutex_lock(&conn->chan_lock);
4e8402a3 1506
3df91ea2 1507 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1508 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1509 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1510 }
1511
3df91ea2 1512 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1513}
1514
f878fcad 1515static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1516{
f878fcad 1517 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1518 info_timer.work);
4e8402a3 1519
984947dc 1520 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1521 conn->info_ident = 0;
984947dc 1522
4e8402a3
MH		 1523 l2cap_conn_start(conn);
1524}
1525
2c8e1411
DH		 1526/*
1527 * l2cap_user
1528 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1529 * callback is called during registration. The ->remove callback is called
1530 * during unregistration.
1531 * An l2cap_user object can either be explicitly unregistered or when the
1532 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1533 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1534 * External modules must own a reference to the l2cap_conn object if they intend
1535 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1536 * any time if they don't.
1537 */
1538
1539int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1540{
1541 struct hci_dev *hdev = conn->hcon->hdev;
1542 int ret;
1543
1544 /* We need to check whether l2cap_conn is registered. If it is not, we
1545 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1546 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1547 * relies on the parent hci_conn object to be locked. This itself relies
1548 * on the hci_dev object to be locked. So we must lock the hci device
1549 * here, too. */
1550
1551 hci_dev_lock(hdev);
1552
1553 if (user->list.next || user->list.prev) {
1554 ret = -EINVAL;
1555 goto out_unlock;
1556 }
1557
1558 /* conn->hchan is NULL after l2cap_conn_del() was called */
1559 if (!conn->hchan) {
1560 ret = -ENODEV;
1561 goto out_unlock;
1562 }
1563
1564 ret = user->probe(conn, user);
1565 if (ret)
1566 goto out_unlock;
1567
1568 list_add(&user->list, &conn->users);
1569 ret = 0;
1570
1571out_unlock:
1572 hci_dev_unlock(hdev);
1573 return ret;
1574}
1575EXPORT_SYMBOL(l2cap_register_user);
1576
1577void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1578{
1579 struct hci_dev *hdev = conn->hcon->hdev;
1580
1581 hci_dev_lock(hdev);
1582
1583 if (!user->list.next || !user->list.prev)
1584 goto out_unlock;
1585
1586 list_del(&user->list);
1587 user->list.next = NULL;
1588 user->list.prev = NULL;
1589 user->remove(conn, user);
1590
1591out_unlock:
1592 hci_dev_unlock(hdev);
1593}
1594EXPORT_SYMBOL(l2cap_unregister_user);
1595
1596static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1597{
1598 struct l2cap_user *user;
1599
1600 while (!list_empty(&conn->users)) {
1601 user = list_first_entry(&conn->users, struct l2cap_user, list);
1602 list_del(&user->list);
1603 user->list.next = NULL;
1604 user->list.prev = NULL;
1605 user->remove(conn, user);
1606 }
1607}
1608
5d3de7df
VCG		 1609static void l2cap_conn_del(struct hci_conn *hcon, int err)
1610{
1611 struct l2cap_conn *conn = hcon->l2cap_data;
1612 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1613
1614 if (!conn)
1615 return;
1616
1617 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1618
1619 kfree_skb(conn->rx_skb);
1620
61a939c6 1621 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1622
1623 /* We can not call flush_work(&conn->pending_rx_work) here since we
1624 * might block if we are running on a worker from the same workqueue
1625 * pending_rx_work is waiting on.
1626 */
1627 if (work_pending(&conn->pending_rx_work))
1628 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1629
dec5b492
JH		 1630 if (work_pending(&conn->disconn_work))
1631 cancel_work_sync(&conn->disconn_work);
1632
2c8e1411
DH		 1633 l2cap_unregister_all_users(conn);
1634
3df91ea2
AE		 1635 mutex_lock(&conn->chan_lock);
1636
5d3de7df
VCG		 1637 /* Kill channels */
1638 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1639 l2cap_chan_hold(chan);
6be36555
AE		 1640 l2cap_chan_lock(chan);
1641
5d3de7df 1642 l2cap_chan_del(chan, err);
6be36555
AE		 1643
1644 l2cap_chan_unlock(chan);
1645
80b98027 1646 chan->ops->close(chan);
61d6ef3e 1647 l2cap_chan_put(chan);
5d3de7df
VCG		 1648 }
1649
3df91ea2
AE		 1650 mutex_unlock(&conn->chan_lock);
1651
73d80deb
LAD		 1652 hci_chan_del(conn->hchan);
1653
5d3de7df 1654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1655 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1656
5d3de7df 1657 hcon->l2cap_data = NULL;
9c903e37
DH		 1658 conn->hchan = NULL;
1659 l2cap_conn_put(conn);
5d3de7df
VCG		 1660}
1661
dec5b492
JH		 1662static void disconn_work(struct work_struct *work)
1663{
1664 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1665 disconn_work);
1666
1667 BT_DBG("conn %p", conn);
1668
1669 l2cap_conn_del(conn->hcon, conn->disconn_err);
1670}
1671
1672void l2cap_conn_shutdown(struct l2cap_conn *conn, int err)
1673{
1674 struct hci_dev *hdev = conn->hcon->hdev;
1675
1676 BT_DBG("conn %p err %d", conn, err);
1677
1678 conn->disconn_err = err;
1679 queue_work(hdev->workqueue, &conn->disconn_work);
1680}
1681
9c903e37
DH		 1682static void l2cap_conn_free(struct kref *ref)
1683{
1684 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1685
1686 hci_conn_put(conn->hcon);
1687 kfree(conn);
1688}
1689
1690void l2cap_conn_get(struct l2cap_conn *conn)
1691{
1692 kref_get(&conn->ref);
1693}
1694EXPORT_SYMBOL(l2cap_conn_get);
1695
1696void l2cap_conn_put(struct l2cap_conn *conn)
1697{
1698 kref_put(&conn->ref, l2cap_conn_free);
1699}
1700EXPORT_SYMBOL(l2cap_conn_put);
1701
1da177e4 1702/* ---- Socket interface ---- */
1da177e4 1703
c2287681 1704/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1705 * Returns closest match.
1706 */
c2287681
IY		 1707static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1708 bdaddr_t *src,
bf20fd4e
JH		 1709 bdaddr_t *dst,
1710 u8 link_type)
1da177e4 1711{
23691d75 1712 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1713
23691d75 1714 read_lock(&chan_list_lock);
e0f0cb56 1715
23691d75 1716 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1717 if (state && c->state != state)
1da177e4
LT		 1718 continue;
1719
bf20fd4e
JH		 1720 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1721 continue;
1722
1723 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1724 continue;
1725
23691d75 1726 if (c->psm == psm) {
c2287681
IY		 1727 int src_match, dst_match;
1728 int src_any, dst_any;
1729
1da177e4 1730 /* Exact match. */
7eafc59e
MH		 1731 src_match = !bacmp(&c->src, src);
1732 dst_match = !bacmp(&c->dst, dst);
c2287681 1733 if (src_match && dst_match) {
a24cce14 1734 l2cap_chan_hold(c);
a7567b20 1735 read_unlock(&chan_list_lock);
23691d75
GP		 1736 return c;
1737 }
1da177e4
LT		 1738
1739 /* Closest match */
7eafc59e
MH		 1740 src_any = !bacmp(&c->src, BDADDR_ANY);
1741 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1742 if ((src_match && dst_any) || (src_any && dst_match) ||
1743 (src_any && dst_any))
23691d75 1744 c1 = c;
1da177e4
LT		 1745 }
1746 }
1da177e4 1747
a24cce14
JH		 1748 if (c1)
1749 l2cap_chan_hold(c1);
1750
23691d75 1751 read_unlock(&chan_list_lock);
e0f0cb56 1752
23691d75 1753 return c1;
1da177e4
LT		 1754}
1755
721c4181 1756static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1757{
721c4181 1758 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1759 monitor_timer.work);
e90bac06 1760
525cd185 1761 BT_DBG("chan %p", chan);
0e98958d 1762
6be36555
AE		 1763 l2cap_chan_lock(chan);
1764
80909e04 1765 if (!chan->conn) {
6be36555 1766 l2cap_chan_unlock(chan);
8d7e1c7f 1767 l2cap_chan_put(chan);
e90bac06
GP		 1768 return;
1769 }
1770
401bb1f7 1771 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1772
6be36555 1773 l2cap_chan_unlock(chan);
8d7e1c7f 1774 l2cap_chan_put(chan);
e90bac06
GP		 1775}
1776
721c4181 1777static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1778{
721c4181 1779 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1780 retrans_timer.work);
e90bac06 1781
49208c9c 1782 BT_DBG("chan %p", chan);
0e98958d 1783
6be36555
AE		 1784 l2cap_chan_lock(chan);
1785
80909e04
MM		 1786 if (!chan->conn) {
1787 l2cap_chan_unlock(chan);
1788 l2cap_chan_put(chan);
1789 return;
1790 }
6be36555 1791
401bb1f7 1792 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1793 l2cap_chan_unlock(chan);
8d7e1c7f 1794 l2cap_chan_put(chan);
e90bac06
GP		 1795}
1796
d660366d
GP		 1797static void l2cap_streaming_send(struct l2cap_chan *chan,
1798 struct sk_buff_head *skbs)
6840ed07 1799{
ccbb84af 1800 struct sk_buff *skb;
3733937d 1801 struct l2cap_ctrl *control;
6840ed07 1802
3733937d
MM		 1803 BT_DBG("chan %p, skbs %p", chan, skbs);
1804
b99e13ad
MM		 1805 if (__chan_is_moving(chan))
1806 return;
1807
3733937d
MM		 1808 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1809
1810 while (!skb_queue_empty(&chan->tx_q)) {
1811
1812 skb = skb_dequeue(&chan->tx_q);
1813
1814 bt_cb(skb)->control.retries = 1;
1815 control = &bt_cb(skb)->control;
1816
1817 control->reqseq = 0;
1818 control->txseq = chan->next_tx_seq;
1819
1820 __pack_control(chan, control, skb);
6840ed07 1821
47d1ec61 1822 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1823 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1824 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1825 }
1826
4343478f 1827 l2cap_do_send(chan, skb);
6840ed07 1828
b4400672 1829 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1830
836be934 1831 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1832 chan->frames_sent++;
6840ed07 1833 }
6840ed07
GP		 1834}
1835
67c9e840 1836static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1837{
1838 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1839 struct l2cap_ctrl *control;
1840 int sent = 0;
1841
1842 BT_DBG("chan %p", chan);
1c2acffb 1843
89bc500e 1844 if (chan->state != BT_CONNECTED)
c13ffa62 1845 return -ENOTCONN;
e90bac06 1846
94122bbe
MM		 1847 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1848 return 0;
1849
b99e13ad
MM		 1850 if (__chan_is_moving(chan))
1851 return 0;
1852
18a48e76
MM		 1853 while (chan->tx_send_head &&
1854 chan->unacked_frames < chan->remote_tx_win &&
1855 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1856
18a48e76 1857 skb = chan->tx_send_head;
e90bac06 1858
18a48e76
MM		 1859 bt_cb(skb)->control.retries = 1;
1860 control = &bt_cb(skb)->control;
95ffa978 1861
e2ab4353 1862 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1863 control->final = 1;
e2ab4353 1864
18a48e76
MM		 1865 control->reqseq = chan->buffer_seq;
1866 chan->last_acked_seq = chan->buffer_seq;
1867 control->txseq = chan->next_tx_seq;
1c2acffb 1868
18a48e76 1869 __pack_control(chan, control, skb);
e90bac06 1870
47d1ec61 1871 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1872 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1873 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1874 }
1875
18a48e76
MM		 1876 /* Clone after data has been modified. Data is assumed to be
1877 read-only (for locking purposes) on cloned sk_buffs.
1878 */
1879 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1880
18a48e76
MM		 1881 if (!tx_skb)
1882 break;
1c2acffb 1883
18a48e76 1884 __set_retrans_timer(chan);
836be934
AE		 1885
1886 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1887 chan->unacked_frames++;
6a026610 1888 chan->frames_sent++;
18a48e76 1889 sent++;
1c2acffb 1890
58d35f87
GP		 1891 if (skb_queue_is_last(&chan->tx_q, skb))
1892 chan->tx_send_head = NULL;
1c2acffb 1893 else
58d35f87 1894 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1895
1896 l2cap_do_send(chan, tx_skb);
b4400672 1897 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1898 }
1899
b4400672
AE		 1900 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1901 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1902
1903 return sent;
9e917af1
GP		 1904}
1905
e1fbd4c1
MM		 1906static void l2cap_ertm_resend(struct l2cap_chan *chan)
1907{
1908 struct l2cap_ctrl control;
1909 struct sk_buff *skb;
1910 struct sk_buff *tx_skb;
1911 u16 seq;
1912
1913 BT_DBG("chan %p", chan);
1914
1915 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1916 return;
1917
b99e13ad
MM		 1918 if (__chan_is_moving(chan))
1919 return;
1920
e1fbd4c1
MM		 1921 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1922 seq = l2cap_seq_list_pop(&chan->retrans_list);
1923
1924 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1925 if (!skb) {
1926 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1927 seq);
e1fbd4c1
MM		 1928 continue;
1929 }
1930
1931 bt_cb(skb)->control.retries++;
1932 control = bt_cb(skb)->control;
1933
1934 if (chan->max_tx != 0 &&
1935 bt_cb(skb)->control.retries > chan->max_tx) {
1936 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1937 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1938 l2cap_seq_list_clear(&chan->retrans_list);
1939 break;
1940 }
1941
1942 control.reqseq = chan->buffer_seq;
1943 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1944 control.final = 1;
1945 else
1946 control.final = 0;
1947
1948 if (skb_cloned(skb)) {
1949 /* Cloned sk_buffs are read-only, so we need a
1950 * writeable copy
1951 */
8bcde1f2 1952 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1953 } else {
8bcde1f2 1954 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1955 }
1956
1957 if (!tx_skb) {
1958 l2cap_seq_list_clear(&chan->retrans_list);
1959 break;
1960 }
1961
1962 /* Update skb contents */
1963 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1964 put_unaligned_le32(__pack_extended_control(&control),
1965 tx_skb->data + L2CAP_HDR_SIZE);
1966 } else {
1967 put_unaligned_le16(__pack_enhanced_control(&control),
1968 tx_skb->data + L2CAP_HDR_SIZE);
1969 }
1970
1971 if (chan->fcs == L2CAP_FCS_CRC16) {
1972 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1973 put_unaligned_le16(fcs, skb_put(tx_skb,
1974 L2CAP_FCS_SIZE));
1975 }
1976
1977 l2cap_do_send(chan, tx_skb);
1978
1979 BT_DBG("Resent txseq %d", control.txseq);
1980
1981 chan->last_acked_seq = chan->buffer_seq;
1982 }
1983}
1984
f80842a8
MM		 1985static void l2cap_retransmit(struct l2cap_chan *chan,
1986 struct l2cap_ctrl *control)
1987{
1988 BT_DBG("chan %p, control %p", chan, control);
1989
1990 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1991 l2cap_ertm_resend(chan);
1992}
1993
d2a7ac5d
MM		 1994static void l2cap_retransmit_all(struct l2cap_chan *chan,
1995 struct l2cap_ctrl *control)
1996{
e1fbd4c1
MM		 1997 struct sk_buff *skb;
1998
1999 BT_DBG("chan %p, control %p", chan, control);
2000
2001 if (control->poll)
2002 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2003
2004 l2cap_seq_list_clear(&chan->retrans_list);
2005
2006 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2007 return;
2008
2009 if (chan->unacked_frames) {
2010 skb_queue_walk(&chan->tx_q, skb) {
2011 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2012 skb == chan->tx_send_head)
e1fbd4c1
MM		 2013 break;
2014 }
2015
2016 skb_queue_walk_from(&chan->tx_q, skb) {
2017 if (skb == chan->tx_send_head)
2018 break;
2019
2020 l2cap_seq_list_append(&chan->retrans_list,
2021 bt_cb(skb)->control.txseq);
2022 }
2023
2024 l2cap_ertm_resend(chan);
2025 }
d2a7ac5d
MM		 2026}
2027
0a0aba42 2028static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2029{
0a0aba42
MM		 2030 struct l2cap_ctrl control;
2031 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2032 chan->last_acked_seq);
2033 int threshold;
9e917af1 2034
0a0aba42
MM		 2035 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2036 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2037
0a0aba42
MM		 2038 memset(&control, 0, sizeof(control));
2039 control.sframe = 1;
dfc909be 2040
0a0aba42
MM		 2041 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2042 chan->rx_state == L2CAP_RX_STATE_RECV) {
2043 __clear_ack_timer(chan);
2044 control.super = L2CAP_SUPER_RNR;
2045 control.reqseq = chan->buffer_seq;
2046 l2cap_send_sframe(chan, &control);
2047 } else {
2048 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2049 l2cap_ertm_send(chan);
2050 /* If any i-frames were sent, they included an ack */
2051 if (chan->buffer_seq == chan->last_acked_seq)
2052 frames_to_ack = 0;
2053 }
dfc909be 2054
c20f8e35 2055 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2056 * Calculate without mul or div
2057 */
c20f8e35 2058 threshold = chan->ack_win;
0a0aba42
MM		 2059 threshold += threshold << 1;
2060 threshold >>= 2;
2061
b4400672 2062 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2063 threshold);
2064
2065 if (frames_to_ack >= threshold) {
2066 __clear_ack_timer(chan);
2067 control.super = L2CAP_SUPER_RR;
2068 control.reqseq = chan->buffer_seq;
2069 l2cap_send_sframe(chan, &control);
2070 frames_to_ack = 0;
2071 }
1c2acffb 2072
0a0aba42
MM		 2073 if (frames_to_ack)
2074 __set_ack_timer(chan);
2075 }
b17e73bb
SJ		 2076}
2077
04124681
GP		 2078static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2079 struct msghdr *msg, int len,
2080 int count, struct sk_buff *skb)
1c2acffb 2081{
0952a57a 2082 struct l2cap_conn *conn = chan->conn;
1c2acffb 2083 struct sk_buff **frag;
90338947 2084 int sent = 0;
1da177e4 2085
0498878b
JR		 2086 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2087 msg->msg_iov, count))
1c2acffb 2088 return -EFAULT;
1da177e4
LT		 2089
2090 sent += count;
2091 len -= count;
2092
2093 /* Continuation fragments (no L2CAP header) */
2094 frag = &skb_shinfo(skb)->frag_list;
2095 while (len) {
fbe00700
GP		 2096 struct sk_buff *tmp;
2097
1da177e4
LT		 2098 count = min_t(unsigned int, conn->mtu, len);
2099
d9fbd02b 2100 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2101 msg->msg_flags & MSG_DONTWAIT);
2102 if (IS_ERR(tmp))
2103 return PTR_ERR(tmp);
2104
2105 *frag = tmp;
2f7719ce 2106
0498878b
JR		 2107 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2108 msg->msg_iov, count))
1c2acffb 2109 return -EFAULT;
1da177e4
LT		 2110
2111 sent += count;
2112 len -= count;
2113
2d0ed3d5
GP		 2114 skb->len += (*frag)->len;
2115 skb->data_len += (*frag)->len;
2116
1da177e4
LT		 2117 frag = &(*frag)->next;
2118 }
1da177e4
LT		 2119
2120 return sent;
1c2acffb 2121}
1da177e4 2122
5e59b791 2123static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2124 struct msghdr *msg, size_t len)
1c2acffb 2125{
8c1d787b 2126 struct l2cap_conn *conn = chan->conn;
1c2acffb 2127 struct sk_buff *skb;
03a51213 2128 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2129 struct l2cap_hdr *lh;
2130
8d46321c
MH		 2131 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2132 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2133
2134 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2135
d9fbd02b 2136 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2137 msg->msg_flags & MSG_DONTWAIT);
2138 if (IS_ERR(skb))
2139 return skb;
1c2acffb
GP		 2140
2141 /* Create L2CAP header */
2142 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2143 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2144 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2145 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2146
0952a57a 2147 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2148 if (unlikely(err < 0)) {
2149 kfree_skb(skb);
2150 return ERR_PTR(err);
2151 }
2152 return skb;
2153}
2154
5e59b791 2155static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2156 struct msghdr *msg, size_t len)
1c2acffb 2157{
8c1d787b 2158 struct l2cap_conn *conn = chan->conn;
1c2acffb 2159 struct sk_buff *skb;
f2ba7fae 2160 int err, count;
1c2acffb
GP		 2161 struct l2cap_hdr *lh;
2162
b4400672 2163 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2164
f2ba7fae 2165 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2166
d9fbd02b 2167 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2168 msg->msg_flags & MSG_DONTWAIT);
2169 if (IS_ERR(skb))
2170 return skb;
1c2acffb
GP		 2171
2172 /* Create L2CAP header */
2173 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2174 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2175 lh->len = cpu_to_le16(len);
1c2acffb 2176
0952a57a 2177 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2178 if (unlikely(err < 0)) {
2179 kfree_skb(skb);
2180 return ERR_PTR(err);
2181 }
2182 return skb;
2183}
2184
ab0ff76d 2185static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2186 struct msghdr *msg, size_t len,
2187 u16 sdulen)
1c2acffb 2188{
8c1d787b 2189 struct l2cap_conn *conn = chan->conn;
1c2acffb 2190 struct sk_buff *skb;
e4ca6d98 2191 int err, count, hlen;
1c2acffb
GP		 2192 struct l2cap_hdr *lh;
2193
b4400672 2194 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2195
0ee0d208
GP		 2196 if (!conn)
2197 return ERR_PTR(-ENOTCONN);
2198
ba7aa64f 2199 hlen = __ertm_hdr_size(chan);
e4ca6d98 2200
c74e560c 2201 if (sdulen)
03a51213 2202 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2203
47d1ec61 2204 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2205 hlen += L2CAP_FCS_SIZE;
fcc203c3 2206
1c2acffb 2207 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2208
d9fbd02b 2209 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2210 msg->msg_flags & MSG_DONTWAIT);
2211 if (IS_ERR(skb))
2212 return skb;
1c2acffb
GP		 2213
2214 /* Create L2CAP header */
2215 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2216 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2217 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2218
18a48e76
MM		 2219 /* Control header is populated later */
2220 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2221 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2222 else
2223 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2224
c74e560c 2225 if (sdulen)
03a51213 2226 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2227
0952a57a 2228 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2229 if (unlikely(err < 0)) {
2230 kfree_skb(skb);
2231 return ERR_PTR(err);
2232 }
e90bac06 2233
18a48e76 2234 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2235 bt_cb(skb)->control.retries = 0;
1c2acffb 2236 return skb;
1da177e4
LT		 2237}
2238
94122bbe
MM		 2239static int l2cap_segment_sdu(struct l2cap_chan *chan,
2240 struct sk_buff_head *seg_queue,
2241 struct msghdr *msg, size_t len)
c74e560c 2242{
c74e560c 2243 struct sk_buff *skb;
94122bbe
MM		 2244 u16 sdu_len;
2245 size_t pdu_len;
94122bbe 2246 u8 sar;
c74e560c 2247
b4400672 2248 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2249
94122bbe
MM		 2250 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2251 * so fragmented skbs are not used. The HCI layer's handling
2252 * of fragmented skbs is not compatible with ERTM's queueing.
2253 */
c74e560c 2254
94122bbe
MM		 2255 /* PDU size is derived from the HCI MTU */
2256 pdu_len = chan->conn->mtu;
c74e560c 2257
a549574d
MM		 2258 /* Constrain PDU size for BR/EDR connections */
2259 if (!chan->hs_hcon)
2260 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2261
2262 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2263 if (chan->fcs)
2264 pdu_len -= L2CAP_FCS_SIZE;
2265
ba7aa64f 2266 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2267
2268 /* Remote device may have requested smaller PDUs */
2269 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2270
2271 if (len <= pdu_len) {
2272 sar = L2CAP_SAR_UNSEGMENTED;
2273 sdu_len = 0;
2274 pdu_len = len;
2275 } else {
2276 sar = L2CAP_SAR_START;
2277 sdu_len = len;
2278 pdu_len -= L2CAP_SDULEN_SIZE;
2279 }
2280
2281 while (len > 0) {
2282 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2283
c74e560c 2284 if (IS_ERR(skb)) {
94122bbe 2285 __skb_queue_purge(seg_queue);
c74e560c
GP		 2286 return PTR_ERR(skb);
2287 }
2288
94122bbe
MM		 2289 bt_cb(skb)->control.sar = sar;
2290 __skb_queue_tail(seg_queue, skb);
2291
2292 len -= pdu_len;
2293 if (sdu_len) {
2294 sdu_len = 0;
2295 pdu_len += L2CAP_SDULEN_SIZE;
2296 }
2297
2298 if (len <= pdu_len) {
2299 sar = L2CAP_SAR_END;
2300 pdu_len = len;
2301 } else {
2302 sar = L2CAP_SAR_CONTINUE;
2303 }
c74e560c 2304 }
c74e560c 2305
f0f62799 2306 return 0;
c74e560c
GP		 2307}
2308
177f8f2b
JH		 2309static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2310 struct msghdr *msg,
2311 size_t len, u16 sdulen)
2312{
2313 struct l2cap_conn *conn = chan->conn;
2314 struct sk_buff *skb;
2315 int err, count, hlen;
2316 struct l2cap_hdr *lh;
2317
2318 BT_DBG("chan %p len %zu", chan, len);
2319
2320 if (!conn)
2321 return ERR_PTR(-ENOTCONN);
2322
2323 hlen = L2CAP_HDR_SIZE;
2324
2325 if (sdulen)
2326 hlen += L2CAP_SDULEN_SIZE;
2327
2328 count = min_t(unsigned int, (conn->mtu - hlen), len);
2329
d9fbd02b 2330 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2331 msg->msg_flags & MSG_DONTWAIT);
2332 if (IS_ERR(skb))
2333 return skb;
2334
2335 /* Create L2CAP header */
2336 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2337 lh->cid = cpu_to_le16(chan->dcid);
2338 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2339
2340 if (sdulen)
2341 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2342
2343 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2344 if (unlikely(err < 0)) {
2345 kfree_skb(skb);
2346 return ERR_PTR(err);
2347 }
2348
2349 return skb;
2350}
2351
2352static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2353 struct sk_buff_head *seg_queue,
2354 struct msghdr *msg, size_t len)
2355{
2356 struct sk_buff *skb;
2357 size_t pdu_len;
2358 u16 sdu_len;
2359
2360 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2361
2362 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2363
2364 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2365
2366 sdu_len = len;
2367 pdu_len -= L2CAP_SDULEN_SIZE;
2368
2369 while (len > 0) {
2370 if (len <= pdu_len)
2371 pdu_len = len;
2372
2373 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2374 if (IS_ERR(skb)) {
2375 __skb_queue_purge(seg_queue);
2376 return PTR_ERR(skb);
2377 }
2378
2379 __skb_queue_tail(seg_queue, skb);
2380
2381 len -= pdu_len;
2382
2383 if (sdu_len) {
2384 sdu_len = 0;
2385 pdu_len += L2CAP_SDULEN_SIZE;
2386 }
2387 }
2388
2389 return 0;
2390}
2391
8d46321c 2392int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2393{
9a91a04a 2394 struct sk_buff *skb;
9a91a04a 2395 int err;
94122bbe 2396 struct sk_buff_head seg_queue;
9a91a04a 2397
31e8ce80
SWK		 2398 if (!chan->conn)
2399 return -ENOTCONN;
2400
9a91a04a 2401 /* Connectionless channel */
715ec005 2402 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2403 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2404 if (IS_ERR(skb))
2405 return PTR_ERR(skb);
2406
ede81a2a
AK		 2407 /* Channel lock is released before requesting new skb and then
2408 * reacquired thus we need to recheck channel state.
2409 */
2410 if (chan->state != BT_CONNECTED) {
2411 kfree_skb(skb);
2412 return -ENOTCONN;
2413 }
2414
9a91a04a
GP		 2415 l2cap_do_send(chan, skb);
2416 return len;
2417 }
2418
2419 switch (chan->mode) {
38319713 2420 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2421 /* Check outgoing MTU */
2422 if (len > chan->omtu)
2423 return -EMSGSIZE;
2424
fad5fc89
JH		 2425 if (!chan->tx_credits)
2426 return -EAGAIN;
2427
177f8f2b
JH		 2428 __skb_queue_head_init(&seg_queue);
2429
2430 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2431
2432 if (chan->state != BT_CONNECTED) {
2433 __skb_queue_purge(&seg_queue);
2434 err = -ENOTCONN;
2435 }
2436
2437 if (err)
2438 return err;
2439
2440 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2441
2442 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2443 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2444 chan->tx_credits--;
2445 }
2446
2447 if (!chan->tx_credits)
2448 chan->ops->suspend(chan);
2449
2450 err = len;
2451
2452 break;
2453
fad5fc89 2454 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2455 /* Check outgoing MTU */
2456 if (len > chan->omtu)
2457 return -EMSGSIZE;
2458
2459 /* Create a basic PDU */
8d46321c 2460 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2461 if (IS_ERR(skb))
2462 return PTR_ERR(skb);
2463
ede81a2a
AK		 2464 /* Channel lock is released before requesting new skb and then
2465 * reacquired thus we need to recheck channel state.
2466 */
2467 if (chan->state != BT_CONNECTED) {
2468 kfree_skb(skb);
2469 return -ENOTCONN;
2470 }
2471
9a91a04a
GP		 2472 l2cap_do_send(chan, skb);
2473 err = len;
2474 break;
2475
2476 case L2CAP_MODE_ERTM:
2477 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2478 /* Check outgoing MTU */
2479 if (len > chan->omtu) {
2480 err = -EMSGSIZE;
2481 break;
2482 }
9a91a04a 2483
94122bbe 2484 __skb_queue_head_init(&seg_queue);
9a91a04a 2485
94122bbe
MM		 2486 /* Do segmentation before calling in to the state machine,
2487 * since it's possible to block while waiting for memory
2488 * allocation.
2489 */
2490 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2491
94122bbe
MM		 2492 /* The channel could have been closed while segmenting,
2493 * check that it is still connected.
2494 */
2495 if (chan->state != BT_CONNECTED) {
2496 __skb_queue_purge(&seg_queue);
2497 err = -ENOTCONN;
9a91a04a
GP		 2498 }
2499
94122bbe 2500 if (err)
9a91a04a 2501 break;
9a91a04a 2502
3733937d 2503 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2504 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2505 else
d660366d 2506 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2507
d660366d 2508 err = len;
9a91a04a 2509
94122bbe
MM		 2510 /* If the skbs were not queued for sending, they'll still be in
2511 * seg_queue and need to be purged.
2512 */
2513 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2514 break;
2515
2516 default:
2517 BT_DBG("bad state %1.1x", chan->mode);
2518 err = -EBADFD;
2519 }
2520
2521 return err;
2522}
6b8d4a6a 2523EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2524
d2a7ac5d
MM		 2525static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2526{
bed68bde
MM		 2527 struct l2cap_ctrl control;
2528 u16 seq;
2529
b4400672 2530 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2531
2532 memset(&control, 0, sizeof(control));
2533 control.sframe = 1;
2534 control.super = L2CAP_SUPER_SREJ;
2535
2536 for (seq = chan->expected_tx_seq; seq != txseq;
2537 seq = __next_seq(chan, seq)) {
2538 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2539 control.reqseq = seq;
2540 l2cap_send_sframe(chan, &control);
2541 l2cap_seq_list_append(&chan->srej_list, seq);
2542 }
2543 }
2544
2545 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2546}
2547
2548static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2549{
bed68bde
MM		 2550 struct l2cap_ctrl control;
2551
2552 BT_DBG("chan %p", chan);
2553
2554 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2555 return;
2556
2557 memset(&control, 0, sizeof(control));
2558 control.sframe = 1;
2559 control.super = L2CAP_SUPER_SREJ;
2560 control.reqseq = chan->srej_list.tail;
2561 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2562}
2563
2564static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2565{
bed68bde
MM		 2566 struct l2cap_ctrl control;
2567 u16 initial_head;
2568 u16 seq;
2569
b4400672 2570 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2571
2572 memset(&control, 0, sizeof(control));
2573 control.sframe = 1;
2574 control.super = L2CAP_SUPER_SREJ;
2575
2576 /* Capture initial list head to allow only one pass through the list. */
2577 initial_head = chan->srej_list.head;
2578
2579 do {
2580 seq = l2cap_seq_list_pop(&chan->srej_list);
2581 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2582 break;
2583
2584 control.reqseq = seq;
2585 l2cap_send_sframe(chan, &control);
2586 l2cap_seq_list_append(&chan->srej_list, seq);
2587 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2588}
2589
608bcc6d
MM		 2590static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2591{
2592 struct sk_buff *acked_skb;
2593 u16 ackseq;
2594
b4400672 2595 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2596
2597 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2598 return;
2599
b4400672 2600 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2601 chan->expected_ack_seq, chan->unacked_frames);
2602
2603 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2604 ackseq = __next_seq(chan, ackseq)) {
2605
2606 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2607 if (acked_skb) {
2608 skb_unlink(acked_skb, &chan->tx_q);
2609 kfree_skb(acked_skb);
2610 chan->unacked_frames--;
2611 }
2612 }
2613
2614 chan->expected_ack_seq = reqseq;
2615
2616 if (chan->unacked_frames == 0)
2617 __clear_retrans_timer(chan);
2618
b4400672 2619 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2620}
2621
2622static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2623{
2624 BT_DBG("chan %p", chan);
2625
2626 chan->expected_tx_seq = chan->buffer_seq;
2627 l2cap_seq_list_clear(&chan->srej_list);
2628 skb_queue_purge(&chan->srej_q);
2629 chan->rx_state = L2CAP_RX_STATE_RECV;
2630}
2631
d660366d
GP		 2632static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2633 struct l2cap_ctrl *control,
2634 struct sk_buff_head *skbs, u8 event)
608bcc6d 2635{
608bcc6d
MM		 2636 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2637 event);
2638
2639 switch (event) {
2640 case L2CAP_EV_DATA_REQUEST:
2641 if (chan->tx_send_head == NULL)
2642 chan->tx_send_head = skb_peek(skbs);
2643
2644 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2645 l2cap_ertm_send(chan);
2646 break;
2647 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2648 BT_DBG("Enter LOCAL_BUSY");
2649 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2650
2651 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2652 /* The SREJ_SENT state must be aborted if we are to
2653 * enter the LOCAL_BUSY state.
2654 */
2655 l2cap_abort_rx_srej_sent(chan);
2656 }
2657
2658 l2cap_send_ack(chan);
2659
2660 break;
2661 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2662 BT_DBG("Exit LOCAL_BUSY");
2663 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2664
2665 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2666 struct l2cap_ctrl local_control;
2667
2668 memset(&local_control, 0, sizeof(local_control));
2669 local_control.sframe = 1;
2670 local_control.super = L2CAP_SUPER_RR;
2671 local_control.poll = 1;
2672 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2673 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2674
2675 chan->retry_count = 1;
2676 __set_monitor_timer(chan);
2677 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2678 }
2679 break;
2680 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2681 l2cap_process_reqseq(chan, control->reqseq);
2682 break;
2683 case L2CAP_EV_EXPLICIT_POLL:
2684 l2cap_send_rr_or_rnr(chan, 1);
2685 chan->retry_count = 1;
2686 __set_monitor_timer(chan);
2687 __clear_ack_timer(chan);
2688 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2689 break;
2690 case L2CAP_EV_RETRANS_TO:
2691 l2cap_send_rr_or_rnr(chan, 1);
2692 chan->retry_count = 1;
2693 __set_monitor_timer(chan);
2694 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2695 break;
2696 case L2CAP_EV_RECV_FBIT:
2697 /* Nothing to process */
2698 break;
2699 default:
2700 break;
2701 }
608bcc6d
MM		 2702}
2703
d660366d
GP		 2704static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2705 struct l2cap_ctrl *control,
2706 struct sk_buff_head *skbs, u8 event)
608bcc6d 2707{
608bcc6d
MM		 2708 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2709 event);
2710
2711 switch (event) {
2712 case L2CAP_EV_DATA_REQUEST:
2713 if (chan->tx_send_head == NULL)
2714 chan->tx_send_head = skb_peek(skbs);
2715 /* Queue data, but don't send. */
2716 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2717 break;
2718 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2719 BT_DBG("Enter LOCAL_BUSY");
2720 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2721
2722 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2723 /* The SREJ_SENT state must be aborted if we are to
2724 * enter the LOCAL_BUSY state.
2725 */
2726 l2cap_abort_rx_srej_sent(chan);
2727 }
2728
2729 l2cap_send_ack(chan);
2730
2731 break;
2732 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2733 BT_DBG("Exit LOCAL_BUSY");
2734 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2735
2736 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2737 struct l2cap_ctrl local_control;
2738 memset(&local_control, 0, sizeof(local_control));
2739 local_control.sframe = 1;
2740 local_control.super = L2CAP_SUPER_RR;
2741 local_control.poll = 1;
2742 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2743 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2744
2745 chan->retry_count = 1;
2746 __set_monitor_timer(chan);
2747 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2748 }
2749 break;
2750 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2751 l2cap_process_reqseq(chan, control->reqseq);
2752
2753 /* Fall through */
2754
2755 case L2CAP_EV_RECV_FBIT:
2756 if (control && control->final) {
2757 __clear_monitor_timer(chan);
2758 if (chan->unacked_frames > 0)
2759 __set_retrans_timer(chan);
2760 chan->retry_count = 0;
2761 chan->tx_state = L2CAP_TX_STATE_XMIT;
2762 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2763 }
2764 break;
2765 case L2CAP_EV_EXPLICIT_POLL:
2766 /* Ignore */
2767 break;
2768 case L2CAP_EV_MONITOR_TO:
2769 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2770 l2cap_send_rr_or_rnr(chan, 1);
2771 __set_monitor_timer(chan);
2772 chan->retry_count++;
2773 } else {
5e4e3972 2774 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2775 }
2776 break;
2777 default:
2778 break;
2779 }
608bcc6d
MM		 2780}
2781
d660366d
GP		 2782static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2783 struct sk_buff_head *skbs, u8 event)
608bcc6d 2784{
608bcc6d
MM		 2785 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2786 chan, control, skbs, event, chan->tx_state);
2787
2788 switch (chan->tx_state) {
2789 case L2CAP_TX_STATE_XMIT:
d660366d 2790 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2791 break;
2792 case L2CAP_TX_STATE_WAIT_F:
d660366d 2793 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2794 break;
2795 default:
2796 /* Ignore event */
2797 break;
2798 }
608bcc6d
MM		 2799}
2800
4b51dae9
MM		 2801static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2802 struct l2cap_ctrl *control)
2803{
2804 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2805 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2806}
2807
f80842a8
MM		 2808static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2809 struct l2cap_ctrl *control)
2810{
2811 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2812 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2813}
2814
1da177e4
LT		 2815/* Copy frame to all raw sockets on that connection */
2816static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2817{
1da177e4 2818 struct sk_buff *nskb;
48454079 2819 struct l2cap_chan *chan;
1da177e4
LT		 2820
2821 BT_DBG("conn %p", conn);
2822
3df91ea2 2823 mutex_lock(&conn->chan_lock);
3d57dc68 2824
3df91ea2 2825 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2826 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2827 continue;
2828
7f5396a7
GP		 2829 /* Don't send frame to the channel it came from */
2830 if (bt_cb(skb)->chan == chan)
1da177e4 2831 continue;
7f5396a7 2832
8bcde1f2 2833 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2834 if (!nskb)
1da177e4 2835 continue;
80b98027 2836 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2837 kfree_skb(nskb);
2838 }
3d57dc68 2839
3df91ea2 2840 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2841}
2842
2843/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2844static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2845 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2846{
2847 struct sk_buff *skb, **frag;
2848 struct l2cap_cmd_hdr *cmd;
2849 struct l2cap_hdr *lh;
2850 int len, count;
2851
b4400672
AE		 2852 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2853 conn, code, ident, dlen);
1da177e4 2854
300b962e
AL		 2855 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2856 return NULL;
2857
1da177e4
LT		 2858 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2859 count = min_t(unsigned int, conn->mtu, len);
2860
8bcde1f2 2861 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2862 if (!skb)
2863 return NULL;
2864
2865 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2866 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2867
2868 if (conn->hcon->type == LE_LINK)
dcf4adbf 2869 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2870 else
dcf4adbf 2871 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2872
2873 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2874 cmd->code = code;
2875 cmd->ident = ident;
aca3192c 2876 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2877
2878 if (dlen) {
2879 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2880 memcpy(skb_put(skb, count), data, count);
2881 data += count;
2882 }
2883
2884 len -= skb->len;
2885
2886 /* Continuation fragments (no L2CAP header) */
2887 frag = &skb_shinfo(skb)->frag_list;
2888 while (len) {
2889 count = min_t(unsigned int, conn->mtu, len);
2890
8bcde1f2 2891 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2892 if (!*frag)
2893 goto fail;
2894
2895 memcpy(skb_put(*frag, count), data, count);
2896
2897 len -= count;
2898 data += count;
2899
2900 frag = &(*frag)->next;
2901 }
2902
2903 return skb;
2904
2905fail:
2906 kfree_skb(skb);
2907 return NULL;
2908}
2909
2d792818
GP		 2910static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2911 unsigned long *val)
1da177e4
LT		 2912{
2913 struct l2cap_conf_opt *opt = *ptr;
2914 int len;
2915
2916 len = L2CAP_CONF_OPT_SIZE + opt->len;
2917 *ptr += len;
2918
2919 *type = opt->type;
2920 *olen = opt->len;
2921
2922 switch (opt->len) {
2923 case 1:
2924 *val = *((u8 *) opt->val);
2925 break;
2926
2927 case 2:
bfaaeb3e 2928 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2929 break;
2930
2931 case 4:
bfaaeb3e 2932 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2933 break;
2934
2935 default:
2936 *val = (unsigned long) opt->val;
2937 break;
2938 }
2939
b4400672 2940 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2941 return len;
2942}
2943
1da177e4
LT		 2944static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2945{
2946 struct l2cap_conf_opt *opt = *ptr;
2947
b4400672 2948 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2949
2950 opt->type = type;
2951 opt->len = len;
2952
2953 switch (len) {
2954 case 1:
2955 *((u8 *) opt->val) = val;
2956 break;
2957
2958 case 2:
4f8b691c 2959 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2960 break;
2961
2962 case 4:
4f8b691c 2963 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2964 break;
2965
2966 default:
2967 memcpy(opt->val, (void *) val, len);
2968 break;
2969 }
2970
2971 *ptr += L2CAP_CONF_OPT_SIZE + len;
2972}
2973
f89cef09
AE		 2974static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2975{
2976 struct l2cap_conf_efs efs;
2977
1ec918ce 2978 switch (chan->mode) {
f89cef09
AE		 2979 case L2CAP_MODE_ERTM:
2980 efs.id = chan->local_id;
2981 efs.stype = chan->local_stype;
2982 efs.msdu = cpu_to_le16(chan->local_msdu);
2983 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2984 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2985 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2986 break;
2987
2988 case L2CAP_MODE_STREAMING:
2989 efs.id = 1;
2990 efs.stype = L2CAP_SERV_BESTEFFORT;
2991 efs.msdu = cpu_to_le16(chan->local_msdu);
2992 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2993 efs.acc_lat = 0;
2994 efs.flush_to = 0;
2995 break;
2996
2997 default:
2998 return;
2999 }
3000
3001 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3002 (unsigned long) &efs);
f89cef09
AE		 3003}
3004
721c4181 3005static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3006{
721c4181 3007 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3008 ack_timer.work);
3009 u16 frames_to_ack;
c1b4f43b 3010
2fb9b3d4
GP		 3011 BT_DBG("chan %p", chan);
3012
6be36555
AE		 3013 l2cap_chan_lock(chan);
3014
0362520b
MM		 3015 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3016 chan->last_acked_seq);
6be36555 3017
0362520b
MM		 3018 if (frames_to_ack)
3019 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3020
0362520b 3021 l2cap_chan_unlock(chan);
09bfb2ee 3022 l2cap_chan_put(chan);
c1b4f43b
GP		 3023}
3024
466f8004 3025int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3026{
3c588192
MM		 3027 int err;
3028
105bdf9e
MM		 3029 chan->next_tx_seq = 0;
3030 chan->expected_tx_seq = 0;
42e5c802 3031 chan->expected_ack_seq = 0;
6a026610 3032 chan->unacked_frames = 0;
42e5c802 3033 chan->buffer_seq = 0;
6a026610 3034 chan->frames_sent = 0;
105bdf9e
MM		 3035 chan->last_acked_seq = 0;
3036 chan->sdu = NULL;
3037 chan->sdu_last_frag = NULL;
3038 chan->sdu_len = 0;
3039
d34c34fb
MM		 3040 skb_queue_head_init(&chan->tx_q);
3041
6ed971ca
MH		 3042 chan->local_amp_id = AMP_ID_BREDR;
3043 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3044 chan->move_state = L2CAP_MOVE_STABLE;
3045 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3046
105bdf9e
MM		 3047 if (chan->mode != L2CAP_MODE_ERTM)
3048 return 0;
3049
3050 chan->rx_state = L2CAP_RX_STATE_RECV;
3051 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3052
721c4181
GP		 3053 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3054 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3055 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3056
f1c6775b 3057 skb_queue_head_init(&chan->srej_q);
1890d36b 3058
3c588192
MM		 3059 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3060 if (err < 0)
3061 return err;
3062
9dc9affc
MM		 3063 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3064 if (err < 0)
3065 l2cap_seq_list_free(&chan->srej_list);
3066
3067 return err;
0565c1c2
GP		 3068}
3069
f2fcfcd6
GP		 3070static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3071{
3072 switch (mode) {
3073 case L2CAP_MODE_STREAMING:
3074 case L2CAP_MODE_ERTM:
3075 if (l2cap_mode_supported(mode, remote_feat_mask))
3076 return mode;
3077 /* fall through */
3078 default:
3079 return L2CAP_MODE_BASIC;
3080 }
3081}
3082
848566b3 3083static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3084{
848566b3 3085 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3086}
3087
848566b3 3088static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3089{
848566b3 3090 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3091}
3092
36c86c85
MM		 3093static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3094 struct l2cap_conf_rfc *rfc)
3095{
6ed971ca 3096 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3097 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3098
3099 /* Class 1 devices have must have ERTM timeouts
3100 * exceeding the Link Supervision Timeout. The
3101 * default Link Supervision Timeout for AMP
3102 * controllers is 10 seconds.
3103 *
3104 * Class 1 devices use 0xffffffff for their
3105 * best-effort flush timeout, so the clamping logic
3106 * will result in a timeout that meets the above
3107 * requirement. ERTM timeouts are 16-bit values, so
3108 * the maximum timeout is 65.535 seconds.
3109 */
3110
3111 /* Convert timeout to milliseconds and round */
3112 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3113
3114 /* This is the recommended formula for class 2 devices
3115 * that start ERTM timers when packets are sent to the
3116 * controller.
3117 */
3118 ertm_to = 3 * ertm_to + 500;
3119
3120 if (ertm_to > 0xffff)
3121 ertm_to = 0xffff;
3122
3123 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3124 rfc->monitor_timeout = rfc->retrans_timeout;
3125 } else {
dcf4adbf
JP		 3126 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3127 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3128 }
3129}
3130
6327eb98
AE		 3131static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3132{
3133 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3134 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3135 /* use extended control field */
3136 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3137 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3138 } else {
6327eb98 3139 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3140 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3141 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3142 }
c20f8e35 3143 chan->ack_win = chan->tx_win;
6327eb98
AE		 3144}
3145
710f9b0a 3146static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3147{
1da177e4 3148 struct l2cap_conf_req *req = data;
0c1bc5c6 3149 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3150 void *ptr = req->data;
c8f79162 3151 u16 size;
1da177e4 3152
49208c9c 3153 BT_DBG("chan %p", chan);
1da177e4 3154
73ffa904 3155 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3156 goto done;
3157
0c1bc5c6 3158 switch (chan->mode) {
f2fcfcd6
GP		 3159 case L2CAP_MODE_STREAMING:
3160 case L2CAP_MODE_ERTM:
c1360a1c 3161 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3162 break;
85eb53c6 3163
848566b3 3164 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3165 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3166
2ba13ed6 3167 /* fall through */
f2fcfcd6 3168 default:
8c1d787b 3169 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3170 break;
3171 }
3172
3173done:
0c1bc5c6
GP		 3174 if (chan->imtu != L2CAP_DEFAULT_MTU)
3175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3176
0c1bc5c6 3177 switch (chan->mode) {
65c7c491 3178 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3179 if (disable_ertm)
3180 break;
3181
8c1d787b 3182 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3183 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3184 break;
3185
62547752
GP		 3186 rfc.mode = L2CAP_MODE_BASIC;
3187 rfc.txwin_size = 0;
3188 rfc.max_transmit = 0;
3189 rfc.retrans_timeout = 0;
3190 rfc.monitor_timeout = 0;
3191 rfc.max_pdu_size = 0;
3192
63406504 3193 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3194 (unsigned long) &rfc);
65c7c491
MH		 3195 break;
3196
3197 case L2CAP_MODE_ERTM:
3198 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3199 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3200
3201 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3202
3203 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3204 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3205 L2CAP_FCS_SIZE);
c8f79162 3206 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3207
6327eb98
AE		 3208 l2cap_txwin_setup(chan);
3209
3210 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3211 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3212
63406504 3213 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3214 (unsigned long) &rfc);
63406504 3215
f89cef09
AE		 3216 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3217 l2cap_add_opt_efs(&ptr, chan);
3218
6327eb98
AE		 3219 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3220 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3221 chan->tx_win);
60918918
AE		 3222
3223 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3224 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3225 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3226 chan->fcs = L2CAP_FCS_NONE;
3227 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3228 chan->fcs);
3229 }
f2fcfcd6
GP		 3230 break;
3231
3232 case L2CAP_MODE_STREAMING:
273759e2 3233 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3234 rfc.mode = L2CAP_MODE_STREAMING;
3235 rfc.txwin_size = 0;
3236 rfc.max_transmit = 0;
3237 rfc.retrans_timeout = 0;
3238 rfc.monitor_timeout = 0;
c8f79162
AE		 3239
3240 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3241 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3242 L2CAP_FCS_SIZE);
c8f79162 3243 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3244
63406504 3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3246 (unsigned long) &rfc);
63406504 3247
f89cef09
AE		 3248 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3249 l2cap_add_opt_efs(&ptr, chan);
3250
60918918
AE		 3251 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3252 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3253 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3254 chan->fcs = L2CAP_FCS_NONE;
3255 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3256 chan->fcs);
3257 }
65c7c491
MH		 3258 break;
3259 }
1da177e4 3260
fe4128e0 3261 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3262 req->flags = cpu_to_le16(0);
1da177e4
LT		 3263
3264 return ptr - data;
3265}
3266
73ffa904 3267static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3268{
5dee9e7c
MH		 3269 struct l2cap_conf_rsp *rsp = data;
3270 void *ptr = rsp->data;
73ffa904
GP		 3271 void *req = chan->conf_req;
3272 int len = chan->conf_len;
5dee9e7c
MH		 3273 int type, hint, olen;
3274 unsigned long val;
6464f35f 3275 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3276 struct l2cap_conf_efs efs;
3277 u8 remote_efs = 0;
861d6882 3278 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3279 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3280 u16 size;
1da177e4 3281
73ffa904 3282 BT_DBG("chan %p", chan);
820ae1b8 3283
5dee9e7c
MH		 3284 while (len >= L2CAP_CONF_OPT_SIZE) {
3285 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3286
589d2746 3287 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3288 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3289
3290 switch (type) {
3291 case L2CAP_CONF_MTU:
861d6882 3292 mtu = val;
5dee9e7c
MH		 3293 break;
3294
3295 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3296 chan->flush_to = val;
5dee9e7c
MH		 3297 break;
3298
3299 case L2CAP_CONF_QOS:
3300 break;
3301
6464f35f
MH		 3302 case L2CAP_CONF_RFC:
3303 if (olen == sizeof(rfc))
3304 memcpy(&rfc, (void *) val, olen);
3305 break;
3306
fcc203c3
GP		 3307 case L2CAP_CONF_FCS:
3308 if (val == L2CAP_FCS_NONE)
f2592d3e 3309 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3310 break;
fcc203c3 3311
42dceae2
AE		 3312 case L2CAP_CONF_EFS:
3313 remote_efs = 1;
3314 if (olen == sizeof(efs))
3315 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3316 break;
3317
6327eb98 3318 case L2CAP_CONF_EWS:
848566b3 3319 if (!chan->conn->hs_enabled)
6327eb98 3320 return -ECONNREFUSED;
fcc203c3 3321
6327eb98
AE		 3322 set_bit(FLAG_EXT_CTRL, &chan->flags);
3323 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3324 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3325 chan->remote_tx_win = val;
fcc203c3
GP		 3326 break;
3327
5dee9e7c
MH		 3328 default:
3329 if (hint)
3330 break;
3331
3332 result = L2CAP_CONF_UNKNOWN;
3333 *((u8 *) ptr++) = type;
3334 break;
3335 }
3336 }
3337
73ffa904 3338 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3339 goto done;
3340
0c1bc5c6 3341 switch (chan->mode) {
f2fcfcd6
GP		 3342 case L2CAP_MODE_STREAMING:
3343 case L2CAP_MODE_ERTM:
c1360a1c 3344 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3345 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3346 chan->conn->feat_mask);
85eb53c6
GP		 3347 break;
3348 }
3349
42dceae2 3350 if (remote_efs) {
848566b3 3351 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3352 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3353 else
3354 return -ECONNREFUSED;
3355 }
3356
0c1bc5c6 3357 if (chan->mode != rfc.mode)
f2fcfcd6 3358 return -ECONNREFUSED;
742e519b 3359
f2fcfcd6 3360 break;
f2fcfcd6
GP		 3361 }
3362
3363done:
0c1bc5c6 3364 if (chan->mode != rfc.mode) {
f2fcfcd6 3365 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3366 rfc.mode = chan->mode;
f2fcfcd6 3367
73ffa904 3368 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3369 return -ECONNREFUSED;
3370
2d792818
GP		 3371 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3372 (unsigned long) &rfc);
f2fcfcd6
GP		 3373 }
3374
5dee9e7c
MH		 3375 if (result == L2CAP_CONF_SUCCESS) {
3376 /* Configure output options and let the other side know
3377 * which ones we don't like. */
3378
f2fcfcd6
GP		 3379 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3380 result = L2CAP_CONF_UNACCEPT;
3381 else {
0c1bc5c6 3382 chan->omtu = mtu;
c1360a1c 3383 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3384 }
0c1bc5c6 3385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3386
42dceae2
AE		 3387 if (remote_efs) {
3388 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3389 efs.stype != L2CAP_SERV_NOTRAFIC &&
3390 efs.stype != chan->local_stype) {
42dceae2
AE		 3391
3392 result = L2CAP_CONF_UNACCEPT;
3393
3394 if (chan->num_conf_req >= 1)
3395 return -ECONNREFUSED;
3396
3397 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3398 sizeof(efs),
3399 (unsigned long) &efs);
0e8b207e 3400 } else {
3e6b3b95 3401 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3402 result = L2CAP_CONF_PENDING;
3403 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3404 }
3405 }
3406
f2fcfcd6
GP		 3407 switch (rfc.mode) {
3408 case L2CAP_MODE_BASIC:
47d1ec61 3409 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3410 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3411 break;
3412
3413 case L2CAP_MODE_ERTM:
6327eb98
AE		 3414 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3415 chan->remote_tx_win = rfc.txwin_size;
3416 else
3417 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3418
2c03a7a4 3419 chan->remote_max_tx = rfc.max_transmit;
1c762159 3420
c8f79162 3421 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3422 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3423 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3424 rfc.max_pdu_size = cpu_to_le16(size);
3425 chan->remote_mps = size;
f2fcfcd6 3426
36c86c85 3427 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3428
c1360a1c 3429 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3430
3431 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3432 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3433
42dceae2
AE		 3434 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3435 chan->remote_id = efs.id;
3436 chan->remote_stype = efs.stype;
3437 chan->remote_msdu = le16_to_cpu(efs.msdu);
3438 chan->remote_flush_to =
2d792818 3439 le32_to_cpu(efs.flush_to);
42dceae2 3440 chan->remote_acc_lat =
2d792818 3441 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3442 chan->remote_sdu_itime =
3443 le32_to_cpu(efs.sdu_itime);
3444 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3445 sizeof(efs),
3446 (unsigned long) &efs);
42dceae2 3447 }
f2fcfcd6
GP		 3448 break;
3449
3450 case L2CAP_MODE_STREAMING:
c8f79162 3451 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3452 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3453 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3454 rfc.max_pdu_size = cpu_to_le16(size);
3455 chan->remote_mps = size;
f2fcfcd6 3456
c1360a1c 3457 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3458
2d792818
GP		 3459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3460 (unsigned long) &rfc);
68ae6639 3461
f2fcfcd6
GP		 3462 break;
3463
3464 default:
5dee9e7c 3465 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3466
6464f35f 3467 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3468 rfc.mode = chan->mode;
f2fcfcd6 3469 }
6464f35f 3470
f2fcfcd6 3471 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3472 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3473 }
fe4128e0 3474 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3475 rsp->result = cpu_to_le16(result);
dcf4adbf 3476 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3477
3478 return ptr - data;
1da177e4
LT		 3479}
3480
2d792818
GP		 3481static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3482 void *data, u16 *result)
f2fcfcd6 3483{
f2fcfcd6
GP		 3484 struct l2cap_conf_req *req = data;
3485 void *ptr = req->data;
3486 int type, olen;
3487 unsigned long val;
36e999a8 3488 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3489 struct l2cap_conf_efs efs;
f2fcfcd6 3490
fe4128e0 3491 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3492
3493 while (len >= L2CAP_CONF_OPT_SIZE) {
3494 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3495
3496 switch (type) {
3497 case L2CAP_CONF_MTU:
3498 if (val < L2CAP_DEFAULT_MIN_MTU) {
3499 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3500 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3501 } else
0c1bc5c6
GP		 3502 chan->imtu = val;
3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3504 break;
3505
3506 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3507 chan->flush_to = val;
f2fcfcd6 3508 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3509 2, chan->flush_to);
f2fcfcd6
GP		 3510 break;
3511
3512 case L2CAP_CONF_RFC:
3513 if (olen == sizeof(rfc))
3514 memcpy(&rfc, (void *)val, olen);
3515
c1360a1c 3516 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3517 rfc.mode != chan->mode)
f2fcfcd6
GP		 3518 return -ECONNREFUSED;
3519
47d1ec61 3520 chan->fcs = 0;
f2fcfcd6
GP		 3521
3522 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3523 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3524 break;
6327eb98
AE		 3525
3526 case L2CAP_CONF_EWS:
c20f8e35 3527 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3529 chan->tx_win);
6327eb98 3530 break;
66af7aaf
AE		 3531
3532 case L2CAP_CONF_EFS:
3533 if (olen == sizeof(efs))
3534 memcpy(&efs, (void *)val, olen);
3535
3536 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3537 efs.stype != L2CAP_SERV_NOTRAFIC &&
3538 efs.stype != chan->local_stype)
66af7aaf
AE		 3539 return -ECONNREFUSED;
3540
2d792818
GP		 3541 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3542 (unsigned long) &efs);
66af7aaf 3543 break;
cbabee78
AE		 3544
3545 case L2CAP_CONF_FCS:
3546 if (*result == L2CAP_CONF_PENDING)
3547 if (val == L2CAP_FCS_NONE)
f2592d3e 3548 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3549 &chan->conf_state);
3550 break;
f2fcfcd6
GP		 3551 }
3552 }
3553
0c1bc5c6 3554 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3555 return -ECONNREFUSED;
3556
0c1bc5c6 3557 chan->mode = rfc.mode;
6c2ea7a8 3558
0e8b207e 3559 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3560 switch (rfc.mode) {
3561 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3562 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3563 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3564 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3565 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3566 chan->ack_win = min_t(u16, chan->ack_win,
3567 rfc.txwin_size);
66af7aaf
AE		 3568
3569 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3570 chan->local_msdu = le16_to_cpu(efs.msdu);
3571 chan->local_sdu_itime =
2d792818 3572 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3573 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3574 chan->local_flush_to =
2d792818 3575 le32_to_cpu(efs.flush_to);
66af7aaf 3576 }
f2fcfcd6 3577 break;
66af7aaf 3578
f2fcfcd6 3579 case L2CAP_MODE_STREAMING:
47d1ec61 3580 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3581 }
3582 }
3583
fe4128e0 3584 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3585 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3586
3587 return ptr - data;
3588}
3589
2d792818
GP		 3590static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3591 u16 result, u16 flags)
1da177e4
LT		 3592{
3593 struct l2cap_conf_rsp *rsp = data;
3594 void *ptr = rsp->data;
1da177e4 3595
fe4128e0 3596 BT_DBG("chan %p", chan);
1da177e4 3597
fe4128e0 3598 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3599 rsp->result = cpu_to_le16(result);
aca3192c 3600 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3601
3602 return ptr - data;
3603}
3604
27e2d4c8
JH		 3605void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3606{
3607 struct l2cap_le_conn_rsp rsp;
3608 struct l2cap_conn *conn = chan->conn;
3609
3610 BT_DBG("chan %p", chan);
3611
3612 rsp.dcid = cpu_to_le16(chan->scid);
3613 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3614 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3615 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3616 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3617
3618 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3619 &rsp);
3620}
3621
8c1d787b 3622void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3623{
3624 struct l2cap_conn_rsp rsp;
8c1d787b 3625 struct l2cap_conn *conn = chan->conn;
710f9b0a 3626 u8 buf[128];
439f34ac 3627 u8 rsp_code;
710f9b0a 3628
fe4128e0
GP		 3629 rsp.scid = cpu_to_le16(chan->dcid);
3630 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3631 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3632 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3633
3634 if (chan->hs_hcon)
3635 rsp_code = L2CAP_CREATE_CHAN_RSP;
3636 else
3637 rsp_code = L2CAP_CONN_RSP;
3638
3639 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3640
3641 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3642
c1360a1c 3643 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3644 return;
3645
710f9b0a 3646 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3647 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3648 chan->num_conf_req++;
3649}
3650
47d1ec61 3651static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3652{
7b1c0049
GP		 3653 int type, olen;
3654 unsigned long val;
c20f8e35
MM		 3655 /* Use sane default values in case a misbehaving remote device
3656 * did not send an RFC or extended window size option.
3657 */
3658 u16 txwin_ext = chan->ack_win;
3659 struct l2cap_conf_rfc rfc = {
3660 .mode = chan->mode,
dcf4adbf
JP		 3661 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3662 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3663 .max_pdu_size = cpu_to_le16(chan->imtu),
3664 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3665 };
7b1c0049 3666
47d1ec61 3667 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3668
0c1bc5c6 3669 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3670 return;
3671
3672 while (len >= L2CAP_CONF_OPT_SIZE) {
3673 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3674
c20f8e35
MM		 3675 switch (type) {
3676 case L2CAP_CONF_RFC:
3677 if (olen == sizeof(rfc))
3678 memcpy(&rfc, (void *)val, olen);
8f321f85 3679 break;
c20f8e35
MM		 3680 case L2CAP_CONF_EWS:
3681 txwin_ext = val;
3682 break;
3683 }
7b1c0049
GP		 3684 }
3685
7b1c0049
GP		 3686 switch (rfc.mode) {
3687 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3688 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3689 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3690 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3691 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3692 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3693 else
3694 chan->ack_win = min_t(u16, chan->ack_win,
3695 rfc.txwin_size);
7b1c0049
GP		 3696 break;
3697 case L2CAP_MODE_STREAMING:
47d1ec61 3698 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3699 }
3700}
3701
2d792818 3702static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3703 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3704 u8 *data)
4e8402a3 3705{
e2fd318e 3706 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3707
cb3b3152
JH		 3708 if (cmd_len < sizeof(*rej))
3709 return -EPROTO;
3710
e2fd318e 3711 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3712 return 0;
3713
3714 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3715 cmd->ident == conn->info_ident) {
17cd3f37 3716 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3717
3718 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3719 conn->info_ident = 0;
984947dc 3720
4e8402a3
MH		 3721 l2cap_conn_start(conn);
3722 }
3723
3724 return 0;
3725}
3726
1700915f
MM		 3727static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3728 struct l2cap_cmd_hdr *cmd,
3729 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3730{
1da177e4
LT		 3731 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3732 struct l2cap_conn_rsp rsp;
23691d75 3733 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3734 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3735
3736 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3737 __le16 psm = req->psm;
1da177e4 3738
097db76c 3739 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3740
3741 /* Check if we have socket listening on psm */
6f59b904 3742 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3743 &conn->hcon->dst, ACL_LINK);
23691d75 3744 if (!pchan) {
1da177e4
LT		 3745 result = L2CAP_CR_BAD_PSM;
3746 goto sendresp;
3747 }
3748
3df91ea2 3749 mutex_lock(&conn->chan_lock);
8ffb9290 3750 l2cap_chan_lock(pchan);
e0f0cb56 3751
e7c29cb1 3752 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3753 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3754 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3755 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3756 result = L2CAP_CR_SEC_BLOCK;
3757 goto response;
3758 }
3759
1da177e4
LT		 3760 result = L2CAP_CR_NO_MEM;
3761
2dfa1003
GP		 3762 /* Check if we already have channel with that dcid */
3763 if (__l2cap_get_chan_by_dcid(conn, scid))
3764 goto response;
3765
80b98027 3766 chan = pchan->ops->new_connection(pchan);
80808e43 3767 if (!chan)
1da177e4
LT		 3768 goto response;
3769
330b6c15
SS		 3770 /* For certain devices (ex: HID mouse), support for authentication,
3771 * pairing and bonding is optional. For such devices, inorder to avoid
3772 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3773 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3774 */
3775 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3776
7eafc59e
MH		 3777 bacpy(&chan->src, &conn->hcon->src);
3778 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3779 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3780 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3781 chan->psm = psm;
3782 chan->dcid = scid;
1700915f 3783 chan->local_amp_id = amp_id;
1da177e4 3784
6be36555 3785 __l2cap_chan_add(conn, chan);
48454079 3786
fe4128e0 3787 dcid = chan->scid;
1da177e4 3788
8d836d71 3789 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3790
fc7f8a7e 3791 chan->ident = cmd->ident;
1da177e4 3792
984947dc 3793 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3794 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3795 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3796 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3797 result = L2CAP_CR_PEND;
3798 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3799 chan->ops->defer(chan);
f66dc81f 3800 } else {
1700915f
MM		 3801 /* Force pending result for AMP controllers.
3802 * The connection will succeed after the
3803 * physical link is up.
3804 */
6ed971ca 3805 if (amp_id == AMP_ID_BREDR) {
f93fa273 3806 l2cap_state_change(chan, BT_CONFIG);
1700915f 3807 result = L2CAP_CR_SUCCESS;
6ed971ca 3808 } else {
f93fa273 3809 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3810 result = L2CAP_CR_PEND;
1700915f 3811 }
f66dc81f
MH		 3812 status = L2CAP_CS_NO_INFO;
3813 }
79d554a6 3814 } else {
f93fa273 3815 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3816 result = L2CAP_CR_PEND;
3817 status = L2CAP_CS_AUTHEN_PEND;
3818 }
3819 } else {
f93fa273 3820 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3821 result = L2CAP_CR_PEND;
3822 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3823 }
3824
1da177e4 3825response:
8ffb9290 3826 l2cap_chan_unlock(pchan);
3df91ea2 3827 mutex_unlock(&conn->chan_lock);
a24cce14 3828 l2cap_chan_put(pchan);
1da177e4
LT		 3829
3830sendresp:
aca3192c
YH		 3831 rsp.scid = cpu_to_le16(scid);
3832 rsp.dcid = cpu_to_le16(dcid);
3833 rsp.result = cpu_to_le16(result);
3834 rsp.status = cpu_to_le16(status);
4c89b6aa 3835 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3836
3837 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3838 struct l2cap_info_req info;
dcf4adbf 3839 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3840
3841 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3842 conn->info_ident = l2cap_get_ident(conn);
3843
ba13ccd9 3844 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3845
2d792818
GP		 3846 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3847 sizeof(info), &info);
79d554a6
MH		 3848 }
3849
c1360a1c 3850 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3851 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3852 u8 buf[128];
c1360a1c 3853 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3854 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3855 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3856 chan->num_conf_req++;
e9aeb2dd 3857 }
1700915f
MM		 3858
3859 return chan;
4c89b6aa 3860}
e9aeb2dd 3861
4c89b6aa 3862static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3863 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3864{
7b064eda
JK		 3865 struct hci_dev *hdev = conn->hcon->hdev;
3866 struct hci_conn *hcon = conn->hcon;
3867
cb3b3152
JH		 3868 if (cmd_len < sizeof(struct l2cap_conn_req))
3869 return -EPROTO;
3870
7b064eda
JK		 3871 hci_dev_lock(hdev);
3872 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3873 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3874 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3875 hcon->dst_type, 0, NULL, 0,
3876 hcon->dev_class);
3877 hci_dev_unlock(hdev);
3878
300229f9 3879 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3880 return 0;
3881}
3882
5909cf30 3883static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3884 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3885 u8 *data)
1da177e4
LT		 3886{
3887 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3888 u16 scid, dcid, result, status;
48454079 3889 struct l2cap_chan *chan;
1da177e4 3890 u8 req[128];
3df91ea2 3891 int err;
1da177e4 3892
cb3b3152
JH		 3893 if (cmd_len < sizeof(*rsp))
3894 return -EPROTO;
3895
1da177e4
LT		 3896 scid = __le16_to_cpu(rsp->scid);
3897 dcid = __le16_to_cpu(rsp->dcid);
3898 result = __le16_to_cpu(rsp->result);
3899 status = __le16_to_cpu(rsp->status);
3900
1b009c98 3901 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3902 dcid, scid, result, status);
1da177e4 3903
3df91ea2
AE		 3904 mutex_lock(&conn->chan_lock);
3905
1da177e4 3906 if (scid) {
3df91ea2
AE		 3907 chan = __l2cap_get_chan_by_scid(conn, scid);
3908 if (!chan) {
21870b52 3909 err = -EBADSLT;
3df91ea2
AE		 3910 goto unlock;
3911 }
1da177e4 3912 } else {
3df91ea2
AE		 3913 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3914 if (!chan) {
21870b52 3915 err = -EBADSLT;
3df91ea2
AE		 3916 goto unlock;
3917 }
1da177e4
LT		 3918 }
3919
3df91ea2
AE		 3920 err = 0;
3921
6be36555 3922 l2cap_chan_lock(chan);
48454079 3923
1da177e4
LT		 3924 switch (result) {
3925 case L2CAP_CR_SUCCESS:
89bc500e 3926 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3927 chan->ident = 0;
fe4128e0 3928 chan->dcid = dcid;
c1360a1c 3929 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3930
c1360a1c 3931 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3932 break;
3933
1da177e4 3934 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3935 l2cap_build_conf_req(chan, req), req);
73ffa904 3936 chan->num_conf_req++;
1da177e4
LT		 3937 break;
3938
3939 case L2CAP_CR_PEND:
c1360a1c 3940 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3941 break;
3942
3943 default:
48454079 3944 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3945 break;
3946 }
3947
6be36555 3948 l2cap_chan_unlock(chan);
3df91ea2
AE		 3949
3950unlock:
3951 mutex_unlock(&conn->chan_lock);
3952
3953 return err;
1da177e4
LT		 3954}
3955
47d1ec61 3956static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3957{
3958 /* FCS is enabled only in ERTM or streaming mode, if one or both
3959 * sides request it.
3960 */
0c1bc5c6 3961 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3962 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3963 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3964 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3965}
3966
29d8a590
AE		 3967static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3968 u8 ident, u16 flags)
3969{
3970 struct l2cap_conn *conn = chan->conn;
3971
3972 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3973 flags);
3974
3975 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3976 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3977
3978 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3979 l2cap_build_conf_rsp(chan, data,
3980 L2CAP_CONF_SUCCESS, flags), data);
3981}
3982
662d652d
JH		 3983static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3984 u16 scid, u16 dcid)
3985{
3986 struct l2cap_cmd_rej_cid rej;
3987
dcf4adbf 3988 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3989 rej.scid = __cpu_to_le16(scid);
3990 rej.dcid = __cpu_to_le16(dcid);
3991
3992 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3993}
3994
2d792818
GP		 3995static inline int l2cap_config_req(struct l2cap_conn *conn,
3996 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3997 u8 *data)
1da177e4
LT		 3998{
3999 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4000 u16 dcid, flags;
4001 u8 rsp[64];
48454079 4002 struct l2cap_chan *chan;
3c588192 4003 int len, err = 0;
1da177e4 4004
cb3b3152
JH		 4005 if (cmd_len < sizeof(*req))
4006 return -EPROTO;
4007
1da177e4
LT		 4008 dcid = __le16_to_cpu(req->dcid);
4009 flags = __le16_to_cpu(req->flags);
4010
4011 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4012
baa7e1fa 4013 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4014 if (!chan) {
4015 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4016 return 0;
4017 }
1da177e4 4018
033b1142 4019 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4020 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4021 chan->dcid);
354f60a9 4022 goto unlock;
df6bd743 4023 }
354f60a9 4024
5dee9e7c 4025 /* Reject if config buffer is too small. */
88219a0f 4026 len = cmd_len - sizeof(*req);
cb3b3152 4027 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4028 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4029 l2cap_build_conf_rsp(chan, rsp,
4030 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4031 goto unlock;
4032 }
4033
4034 /* Store config. */
73ffa904
GP		 4035 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4036 chan->conf_len += len;
1da177e4 4037
59e54bd1 4038 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4039 /* Incomplete config. Send empty response. */
4040 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4041 l2cap_build_conf_rsp(chan, rsp,
4042 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4043 goto unlock;
4044 }
4045
4046 /* Complete config. */
73ffa904 4047 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4048 if (len < 0) {
5e4e3972 4049 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4050 goto unlock;
f2fcfcd6 4051 }
1da177e4 4052
1500109b 4053 chan->ident = cmd->ident;
5dee9e7c 4054 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4055 chan->num_conf_rsp++;
5dee9e7c 4056
5dee9e7c 4057 /* Reset config buffer. */
73ffa904 4058 chan->conf_len = 0;
5dee9e7c 4059
c1360a1c 4060 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4061 goto unlock;
4062
c1360a1c 4063 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4064 set_default_fcs(chan);
fcc203c3 4065
105bdf9e
MM		 4066 if (chan->mode == L2CAP_MODE_ERTM ||
4067 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4068 err = l2cap_ertm_init(chan);
4069
4070 if (err < 0)
5e4e3972 4071 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4072 else
4073 l2cap_chan_ready(chan);
0565c1c2 4074
876d9484
MH		 4075 goto unlock;
4076 }
4077
c1360a1c 4078 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4079 u8 buf[64];
1da177e4 4080 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4081 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4082 chan->num_conf_req++;
1da177e4
LT		 4083 }
4084
0e8b207e
AE		 4085 /* Got Conf Rsp PENDING from remote side and asume we sent
4086 Conf Rsp PENDING in the code above */
4087 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4088 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4089
4090 /* check compatibility */
4091
79de886d 4092 /* Send rsp for BR/EDR channel */
f351bc72 4093 if (!chan->hs_hcon)
79de886d
AE		 4094 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4095 else
4096 chan->ident = cmd->ident;
0e8b207e
AE		 4097 }
4098
1da177e4 4099unlock:
6be36555 4100 l2cap_chan_unlock(chan);
3c588192 4101 return err;
1da177e4
LT		 4102}
4103
2d792818 4104static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4105 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4106 u8 *data)
1da177e4
LT		 4107{
4108 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4109 u16 scid, flags, result;
48454079 4110 struct l2cap_chan *chan;
cb3b3152 4111 int len = cmd_len - sizeof(*rsp);
3c588192 4112 int err = 0;
1da177e4 4113
cb3b3152
JH		 4114 if (cmd_len < sizeof(*rsp))
4115 return -EPROTO;
4116
1da177e4
LT		 4117 scid = __le16_to_cpu(rsp->scid);
4118 flags = __le16_to_cpu(rsp->flags);
4119 result = __le16_to_cpu(rsp->result);
4120
61386cba
AE		 4121 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4122 result, len);
1da177e4 4123
baa7e1fa 4124 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4125 if (!chan)
1da177e4
LT		 4126 return 0;
4127
4128 switch (result) {
4129 case L2CAP_CONF_SUCCESS:
47d1ec61 4130 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4131 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4132 break;
4133
0e8b207e
AE		 4134 case L2CAP_CONF_PENDING:
4135 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4136
4137 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4138 char buf[64];
4139
4140 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4141 buf, &result);
0e8b207e 4142 if (len < 0) {
5e4e3972 4143 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4144 goto done;
4145 }
4146
f351bc72 4147 if (!chan->hs_hcon) {
79de886d
AE		 4148 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4149 0);
5ce66b59
AE		 4150 } else {
4151 if (l2cap_check_efs(chan)) {
4152 amp_create_logical_link(chan);
4153 chan->ident = cmd->ident;
4154 }
4155 }
0e8b207e
AE		 4156 }
4157 goto done;
4158
1da177e4 4159 case L2CAP_CONF_UNACCEPT:
73ffa904 4160 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4161 char req[64];
4162
c2c77ec8 4163 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4164 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4165 goto done;
4166 }
4167
f2fcfcd6
GP		 4168 /* throw out any old stored conf requests */
4169 result = L2CAP_CONF_SUCCESS;
b4450035 4170 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4171 req, &result);
f2fcfcd6 4172 if (len < 0) {
5e4e3972 4173 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4174 goto done;
4175 }
4176
4177 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4178 L2CAP_CONF_REQ, len, req);
73ffa904 4179 chan->num_conf_req++;
f2fcfcd6
GP		 4180 if (result != L2CAP_CONF_SUCCESS)
4181 goto done;
4182 break;
1da177e4
LT		 4183 }
4184
8e87d142 4185 default:
6be36555 4186 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4187
ba13ccd9 4188 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4189 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4190 goto done;
4191 }
4192
59e54bd1 4193 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4194 goto done;
4195
c1360a1c 4196 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4197
c1360a1c 4198 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4199 set_default_fcs(chan);
fcc203c3 4200
105bdf9e
MM		 4201 if (chan->mode == L2CAP_MODE_ERTM ||
4202 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4203 err = l2cap_ertm_init(chan);
0565c1c2 4204
3c588192 4205 if (err < 0)
5e4e3972 4206 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4207 else
4208 l2cap_chan_ready(chan);
1da177e4
LT		 4209 }
4210
4211done:
6be36555 4212 l2cap_chan_unlock(chan);
3c588192 4213 return err;
1da177e4
LT		 4214}
4215
2d792818 4216static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4217 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4218 u8 *data)
1da177e4
LT		 4219{
4220 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4221 struct l2cap_disconn_rsp rsp;
4222 u16 dcid, scid;
48454079 4223 struct l2cap_chan *chan;
1da177e4 4224
cb3b3152
JH		 4225 if (cmd_len != sizeof(*req))
4226 return -EPROTO;
4227
1da177e4
LT		 4228 scid = __le16_to_cpu(req->scid);
4229 dcid = __le16_to_cpu(req->dcid);
4230
4231 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4232
3df91ea2
AE		 4233 mutex_lock(&conn->chan_lock);
4234
4235 chan = __l2cap_get_chan_by_scid(conn, dcid);
4236 if (!chan) {
4237 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4238 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4239 return 0;
3df91ea2 4240 }
1da177e4 4241
6be36555
AE		 4242 l2cap_chan_lock(chan);
4243
fe4128e0
GP		 4244 rsp.dcid = cpu_to_le16(chan->scid);
4245 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4246 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4247
5ec1bbe5 4248 chan->ops->set_shutdown(chan);
1da177e4 4249
61d6ef3e 4250 l2cap_chan_hold(chan);
48454079 4251 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4252
4253 l2cap_chan_unlock(chan);
1da177e4 4254
80b98027 4255 chan->ops->close(chan);
61d6ef3e 4256 l2cap_chan_put(chan);
3df91ea2
AE		 4257
4258 mutex_unlock(&conn->chan_lock);
4259
1da177e4
LT		 4260 return 0;
4261}
4262
2d792818 4263static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4264 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4265 u8 *data)
1da177e4
LT		 4266{
4267 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4268 u16 dcid, scid;
48454079 4269 struct l2cap_chan *chan;
1da177e4 4270
cb3b3152
JH		 4271 if (cmd_len != sizeof(*rsp))
4272 return -EPROTO;
4273
1da177e4
LT		 4274 scid = __le16_to_cpu(rsp->scid);
4275 dcid = __le16_to_cpu(rsp->dcid);
4276
4277 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4278
3df91ea2
AE		 4279 mutex_lock(&conn->chan_lock);
4280
4281 chan = __l2cap_get_chan_by_scid(conn, scid);
4282 if (!chan) {
4283 mutex_unlock(&conn->chan_lock);
1da177e4 4284 return 0;
3df91ea2 4285 }
1da177e4 4286
6be36555 4287 l2cap_chan_lock(chan);
48454079 4288
61d6ef3e 4289 l2cap_chan_hold(chan);
48454079 4290 l2cap_chan_del(chan, 0);
6be36555
AE		 4291
4292 l2cap_chan_unlock(chan);
1da177e4 4293
80b98027 4294 chan->ops->close(chan);
61d6ef3e 4295 l2cap_chan_put(chan);
3df91ea2
AE		 4296
4297 mutex_unlock(&conn->chan_lock);
4298
1da177e4
LT		 4299 return 0;
4300}
4301
2d792818 4302static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4303 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4304 u8 *data)
1da177e4
LT		 4305{
4306 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4307 u16 type;
4308
cb3b3152
JH		 4309 if (cmd_len != sizeof(*req))
4310 return -EPROTO;
4311
1da177e4
LT		 4312 type = __le16_to_cpu(req->type);
4313
4314 BT_DBG("type 0x%4.4x", type);
4315
f0709e03
MH		 4316 if (type == L2CAP_IT_FEAT_MASK) {
4317 u8 buf[8];
44dd46de 4318 u32 feat_mask = l2cap_feat_mask;
f0709e03 4319 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4320 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4321 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4322 if (!disable_ertm)
fcc203c3 4323 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4324 | L2CAP_FEAT_FCS;
848566b3 4325 if (conn->hs_enabled)
6327eb98 4326 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4327 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4328
1b7bf4ed 4329 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4330 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4331 buf);
e1027a7c
MH		 4332 } else if (type == L2CAP_IT_FIXED_CHAN) {
4333 u8 buf[12];
4334 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4335
848566b3 4336 if (conn->hs_enabled)
50a147cd
MM		 4337 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4338 else
4339 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4340
dcf4adbf
JP		 4341 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4342 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4343 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4344 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4345 buf);
f0709e03
MH		 4346 } else {
4347 struct l2cap_info_rsp rsp;
4348 rsp.type = cpu_to_le16(type);
dcf4adbf 4349 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4350 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4351 &rsp);
f0709e03 4352 }
1da177e4
LT		 4353
4354 return 0;
4355}
4356
2d792818 4357static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4358 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4359 u8 *data)
1da177e4
LT		 4360{
4361 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4362 u16 type, result;
4363
3f6fa3d4 4364 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4365 return -EPROTO;
4366
1da177e4
LT		 4367 type = __le16_to_cpu(rsp->type);
4368 result = __le16_to_cpu(rsp->result);
4369
4370 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4371
e90165be
AE		 4372 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4373 if (cmd->ident != conn->info_ident ||
2d792818 4374 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4375 return 0;
4376
17cd3f37 4377 cancel_delayed_work(&conn->info_timer);
4e8402a3 4378
adb08ede
VT		 4379 if (result != L2CAP_IR_SUCCESS) {
4380 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4381 conn->info_ident = 0;
4382
4383 l2cap_conn_start(conn);
4384
4385 return 0;
4386 }
4387
978c93b9
AE		 4388 switch (type) {
4389 case L2CAP_IT_FEAT_MASK:
83985319 4390 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4391
47ec1dcd 4392 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4393 struct l2cap_info_req req;
dcf4adbf 4394 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4395
4396 conn->info_ident = l2cap_get_ident(conn);
4397
4398 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4399 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4400 } else {
4401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4402 conn->info_ident = 0;
4403
4404 l2cap_conn_start(conn);
4405 }
978c93b9
AE		 4406 break;
4407
4408 case L2CAP_IT_FIXED_CHAN:
4409 conn->fixed_chan_mask = rsp->data[0];
984947dc 4410 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4411 conn->info_ident = 0;
984947dc
MH		 4412
4413 l2cap_conn_start(conn);
978c93b9 4414 break;
984947dc 4415 }
4e8402a3 4416
1da177e4
LT		 4417 return 0;
4418}
4419
1700915f
MM		 4420static int l2cap_create_channel_req(struct l2cap_conn *conn,
4421 struct l2cap_cmd_hdr *cmd,
4422 u16 cmd_len, void *data)
f94ff6ff
MM		 4423{
4424 struct l2cap_create_chan_req *req = data;
6e1df6a6 4425 struct l2cap_create_chan_rsp rsp;
1700915f 4426 struct l2cap_chan *chan;
6e1df6a6 4427 struct hci_dev *hdev;
f94ff6ff
MM		 4428 u16 psm, scid;
4429
4430 if (cmd_len != sizeof(*req))
4431 return -EPROTO;
4432
848566b3 4433 if (!conn->hs_enabled)
f94ff6ff
MM		 4434 return -EINVAL;
4435
4436 psm = le16_to_cpu(req->psm);
4437 scid = le16_to_cpu(req->scid);
4438
ad0ac6ca 4439 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4440
6e1df6a6 4441 /* For controller id 0 make BR/EDR connection */
6ed971ca 4442 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4443 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4444 req->amp_id);
4445 return 0;
4446 }
1700915f 4447
6e1df6a6
AE		 4448 /* Validate AMP controller id */
4449 hdev = hci_dev_get(req->amp_id);
4450 if (!hdev)
4451 goto error;
1700915f 4452
6e1df6a6
AE		 4453 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4454 hci_dev_put(hdev);
4455 goto error;
4456 }
1700915f 4457
6e1df6a6
AE		 4458 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4459 req->amp_id);
4460 if (chan) {
4461 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4462 struct hci_conn *hs_hcon;
1700915f 4463
98e0f7ea
MH		 4464 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4465 &conn->hcon->dst);
6e1df6a6
AE		 4466 if (!hs_hcon) {
4467 hci_dev_put(hdev);
662d652d
JH		 4468 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4469 chan->dcid);
4470 return 0;
1700915f
MM		 4471 }
4472
6e1df6a6
AE		 4473 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4474
6e1df6a6
AE		 4475 mgr->bredr_chan = chan;
4476 chan->hs_hcon = hs_hcon;
fd45bf4c 4477 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4478 conn->mtu = hdev->block_mtu;
1700915f 4479 }
f94ff6ff 4480
6e1df6a6 4481 hci_dev_put(hdev);
f94ff6ff
MM		 4482
4483 return 0;
6e1df6a6
AE		 4484
4485error:
4486 rsp.dcid = 0;
4487 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4488 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4489 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4490
4491 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4492 sizeof(rsp), &rsp);
4493
dc280801 4494 return 0;
f94ff6ff
MM		 4495}
4496
8eb200bd
MM		 4497static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4498{
4499 struct l2cap_move_chan_req req;
4500 u8 ident;
4501
4502 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4503
4504 ident = l2cap_get_ident(chan->conn);
4505 chan->ident = ident;
4506
4507 req.icid = cpu_to_le16(chan->scid);
4508 req.dest_amp_id = dest_amp_id;
4509
4510 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4511 &req);
4512
4513 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4514}
4515
1500109b 4516static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4517{
4518 struct l2cap_move_chan_rsp rsp;
4519
1500109b 4520 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4521
1500109b 4522 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4523 rsp.result = cpu_to_le16(result);
4524
1500109b
MM		 4525 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4526 sizeof(rsp), &rsp);
8d5a04a1
MM		 4527}
4528
5b155ef9 4529static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4530{
4531 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4532
5b155ef9 4533 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4534
5b155ef9 4535 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4536
5b155ef9 4537 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4538 cfm.result = cpu_to_le16(result);
4539
5b155ef9
MM		 4540 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4541 sizeof(cfm), &cfm);
4542
4543 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4544}
4545
4546static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4547{
4548 struct l2cap_move_chan_cfm cfm;
4549
4550 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4551
4552 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4553 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4554
4555 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4556 sizeof(cfm), &cfm);
8d5a04a1
MM		 4557}
4558
4559static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4560 u16 icid)
8d5a04a1
MM		 4561{
4562 struct l2cap_move_chan_cfm_rsp rsp;
4563
ad0ac6ca 4564 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4565
4566 rsp.icid = cpu_to_le16(icid);
4567 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4568}
4569
5f3847a4
MM		 4570static void __release_logical_link(struct l2cap_chan *chan)
4571{
4572 chan->hs_hchan = NULL;
4573 chan->hs_hcon = NULL;
4574
4575 /* Placeholder - release the logical link */
4576}
4577
1500109b
MM		 4578static void l2cap_logical_fail(struct l2cap_chan *chan)
4579{
4580 /* Logical link setup failed */
4581 if (chan->state != BT_CONNECTED) {
4582 /* Create channel failure, disconnect */
5e4e3972 4583 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4584 return;
4585 }
4586
4587 switch (chan->move_role) {
4588 case L2CAP_MOVE_ROLE_RESPONDER:
4589 l2cap_move_done(chan);
4590 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4591 break;
4592 case L2CAP_MOVE_ROLE_INITIATOR:
4593 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4594 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4595 /* Remote has only sent pending or
4596 * success responses, clean up
4597 */
4598 l2cap_move_done(chan);
4599 }
4600
4601 /* Other amp move states imply that the move
4602 * has already aborted
4603 */
4604 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4605 break;
4606 }
4607}
4608
4609static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4610 struct hci_chan *hchan)
4611{
4612 struct l2cap_conf_rsp rsp;
1500109b 4613
336178a3 4614 chan->hs_hchan = hchan;
1500109b
MM		 4615 chan->hs_hcon->l2cap_data = chan->conn;
4616
35ba9561 4617 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4618
4619 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4620 int err;
1500109b
MM		 4621
4622 set_default_fcs(chan);
4623
4624 err = l2cap_ertm_init(chan);
4625 if (err < 0)
5e4e3972 4626 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4627 else
4628 l2cap_chan_ready(chan);
4629 }
4630}
4631
4632static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4633 struct hci_chan *hchan)
4634{
4635 chan->hs_hcon = hchan->conn;
4636 chan->hs_hcon->l2cap_data = chan->conn;
4637
4638 BT_DBG("move_state %d", chan->move_state);
4639
4640 switch (chan->move_state) {
4641 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4642 /* Move confirm will be sent after a success
4643 * response is received
4644 */
4645 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4646 break;
4647 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4648 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4649 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4650 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4651 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4652 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4653 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4654 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4655 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4656 }
4657 break;
4658 default:
4659 /* Move was not in expected state, free the channel */
4660 __release_logical_link(chan);
4661
4662 chan->move_state = L2CAP_MOVE_STABLE;
4663 }
4664}
4665
4666/* Call with chan locked */
27695fb4
AE		 4667void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4668 u8 status)
5b155ef9 4669{
1500109b
MM		 4670 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4671
4672 if (status) {
4673 l2cap_logical_fail(chan);
4674 __release_logical_link(chan);
4675 return;
4676 }
4677
4678 if (chan->state != BT_CONNECTED) {
4679 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4680 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4681 l2cap_logical_finish_create(chan, hchan);
4682 } else {
4683 l2cap_logical_finish_move(chan, hchan);
4684 }
5b155ef9
MM		 4685}
4686
3f7a56c4
MM		 4687void l2cap_move_start(struct l2cap_chan *chan)
4688{
4689 BT_DBG("chan %p", chan);
4690
6ed971ca 4691 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4692 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4693 return;
4694 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4695 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4696 /* Placeholder - start physical link setup */
4697 } else {
4698 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4699 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4700 chan->move_id = 0;
4701 l2cap_move_setup(chan);
4702 l2cap_send_move_chan_req(chan, 0);
4703 }
4704}
4705
8eb200bd
MM		 4706static void l2cap_do_create(struct l2cap_chan *chan, int result,
4707 u8 local_amp_id, u8 remote_amp_id)
4708{
62748ca1
AE		 4709 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4710 local_amp_id, remote_amp_id);
4711
12d6cc60
AE		 4712 chan->fcs = L2CAP_FCS_NONE;
4713
62748ca1
AE		 4714 /* Outgoing channel on AMP */
4715 if (chan->state == BT_CONNECT) {
4716 if (result == L2CAP_CR_SUCCESS) {
4717 chan->local_amp_id = local_amp_id;
4718 l2cap_send_create_chan_req(chan, remote_amp_id);
4719 } else {
4720 /* Revert to BR/EDR connect */
4721 l2cap_send_conn_req(chan);
4722 }
4723
4724 return;
4725 }
4726
4727 /* Incoming channel on AMP */
4728 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4729 struct l2cap_conn_rsp rsp;
4730 char buf[128];
4731 rsp.scid = cpu_to_le16(chan->dcid);
4732 rsp.dcid = cpu_to_le16(chan->scid);
4733
8eb200bd
MM		 4734 if (result == L2CAP_CR_SUCCESS) {
4735 /* Send successful response */
dcf4adbf
JP		 4736 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4737 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4738 } else {
4739 /* Send negative response */
dcf4adbf
JP		 4740 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4741 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4742 }
4743
4744 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4745 sizeof(rsp), &rsp);
4746
4747 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4748 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4749 set_bit(CONF_REQ_SENT, &chan->conf_state);
4750 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4751 L2CAP_CONF_REQ,
4752 l2cap_build_conf_req(chan, buf), buf);
4753 chan->num_conf_req++;
4754 }
8eb200bd
MM		 4755 }
4756}
4757
4758static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4759 u8 remote_amp_id)
4760{
4761 l2cap_move_setup(chan);
4762 chan->move_id = local_amp_id;
4763 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4764
4765 l2cap_send_move_chan_req(chan, remote_amp_id);
4766}
4767
4768static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4769{
4770 struct hci_chan *hchan = NULL;
4771
4772 /* Placeholder - get hci_chan for logical link */
4773
4774 if (hchan) {
4775 if (hchan->state == BT_CONNECTED) {
4776 /* Logical link is ready to go */
4777 chan->hs_hcon = hchan->conn;
4778 chan->hs_hcon->l2cap_data = chan->conn;
4779 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4780 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4781
4782 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4783 } else {
4784 /* Wait for logical link to be ready */
4785 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4786 }
4787 } else {
4788 /* Logical link not available */
4789 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4790 }
4791}
4792
4793static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4794{
4795 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4796 u8 rsp_result;
4797 if (result == -EINVAL)
4798 rsp_result = L2CAP_MR_BAD_ID;
4799 else
4800 rsp_result = L2CAP_MR_NOT_ALLOWED;
4801
4802 l2cap_send_move_chan_rsp(chan, rsp_result);
4803 }
4804
4805 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4806 chan->move_state = L2CAP_MOVE_STABLE;
4807
4808 /* Restart data transmission */
4809 l2cap_ertm_send(chan);
4810}
4811
a514b17f
AE		 4812/* Invoke with locked chan */
4813void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4814{
770bfefa 4815 u8 local_amp_id = chan->local_amp_id;
fffadc08 4816 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4817
8eb200bd
MM		 4818 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4819 chan, result, local_amp_id, remote_amp_id);
4820
8eb200bd
MM		 4821 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4822 l2cap_chan_unlock(chan);
4823 return;
4824 }
4825
4826 if (chan->state != BT_CONNECTED) {
4827 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4828 } else if (result != L2CAP_MR_SUCCESS) {
4829 l2cap_do_move_cancel(chan, result);
4830 } else {
4831 switch (chan->move_role) {
4832 case L2CAP_MOVE_ROLE_INITIATOR:
4833 l2cap_do_move_initiate(chan, local_amp_id,
4834 remote_amp_id);
4835 break;
4836 case L2CAP_MOVE_ROLE_RESPONDER:
4837 l2cap_do_move_respond(chan, result);
4838 break;
4839 default:
4840 l2cap_do_move_cancel(chan, result);
4841 break;
4842 }
4843 }
8eb200bd
MM		 4844}
4845
8d5a04a1 4846static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4847 struct l2cap_cmd_hdr *cmd,
4848 u16 cmd_len, void *data)
8d5a04a1
MM		 4849{
4850 struct l2cap_move_chan_req *req = data;
1500109b 4851 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4852 struct l2cap_chan *chan;
8d5a04a1
MM		 4853 u16 icid = 0;
4854 u16 result = L2CAP_MR_NOT_ALLOWED;
4855
4856 if (cmd_len != sizeof(*req))
4857 return -EPROTO;
4858
4859 icid = le16_to_cpu(req->icid);
4860
ad0ac6ca 4861 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4862
848566b3 4863 if (!conn->hs_enabled)
8d5a04a1
MM		 4864 return -EINVAL;
4865
02b0fbb9
MM		 4866 chan = l2cap_get_chan_by_dcid(conn, icid);
4867 if (!chan) {
1500109b 4868 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4869 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4870 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4871 sizeof(rsp), &rsp);
02b0fbb9
MM		 4872 return 0;
4873 }
4874
1500109b
MM		 4875 chan->ident = cmd->ident;
4876
02b0fbb9
MM		 4877 if (chan->scid < L2CAP_CID_DYN_START ||
4878 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4879 (chan->mode != L2CAP_MODE_ERTM &&
4880 chan->mode != L2CAP_MODE_STREAMING)) {
4881 result = L2CAP_MR_NOT_ALLOWED;
4882 goto send_move_response;
4883 }
4884
4885 if (chan->local_amp_id == req->dest_amp_id) {
4886 result = L2CAP_MR_SAME_ID;
4887 goto send_move_response;
4888 }
4889
6ed971ca 4890 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4891 struct hci_dev *hdev;
4892 hdev = hci_dev_get(req->dest_amp_id);
4893 if (!hdev || hdev->dev_type != HCI_AMP ||
4894 !test_bit(HCI_UP, &hdev->flags)) {
4895 if (hdev)
4896 hci_dev_put(hdev);
4897
4898 result = L2CAP_MR_BAD_ID;
4899 goto send_move_response;
4900 }
4901 hci_dev_put(hdev);
4902 }
4903
4904 /* Detect a move collision. Only send a collision response
4905 * if this side has "lost", otherwise proceed with the move.
4906 * The winner has the larger bd_addr.
4907 */
4908 if ((__chan_is_moving(chan) ||
4909 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4910 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4911 result = L2CAP_MR_COLLISION;
4912 goto send_move_response;
4913 }
4914
02b0fbb9
MM		 4915 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4916 l2cap_move_setup(chan);
4917 chan->move_id = req->dest_amp_id;
4918 icid = chan->dcid;
4919
6ed971ca 4920 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4921 /* Moving to BR/EDR */
4922 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4923 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4924 result = L2CAP_MR_PEND;
4925 } else {
4926 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4927 result = L2CAP_MR_SUCCESS;
4928 }
4929 } else {
4930 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4931 /* Placeholder - uncomment when amp functions are available */
4932 /*amp_accept_physical(chan, req->dest_amp_id);*/
4933 result = L2CAP_MR_PEND;
4934 }
4935
4936send_move_response:
1500109b 4937 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4938
02b0fbb9
MM		 4939 l2cap_chan_unlock(chan);
4940
8d5a04a1
MM		 4941 return 0;
4942}
4943
5b155ef9
MM		 4944static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4945{
4946 struct l2cap_chan *chan;
4947 struct hci_chan *hchan = NULL;
4948
4949 chan = l2cap_get_chan_by_scid(conn, icid);
4950 if (!chan) {
4951 l2cap_send_move_chan_cfm_icid(conn, icid);
4952 return;
4953 }
4954
4955 __clear_chan_timer(chan);
4956 if (result == L2CAP_MR_PEND)
4957 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4958
4959 switch (chan->move_state) {
4960 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4961 /* Move confirm will be sent when logical link
4962 * is complete.
4963 */
4964 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4965 break;
4966 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4967 if (result == L2CAP_MR_PEND) {
4968 break;
4969 } else if (test_bit(CONN_LOCAL_BUSY,
4970 &chan->conn_state)) {
4971 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4972 } else {
4973 /* Logical link is up or moving to BR/EDR,
4974 * proceed with move
4975 */
4976 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4977 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4978 }
4979 break;
4980 case L2CAP_MOVE_WAIT_RSP:
4981 /* Moving to AMP */
4982 if (result == L2CAP_MR_SUCCESS) {
4983 /* Remote is ready, send confirm immediately
4984 * after logical link is ready
4985 */
4986 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4987 } else {
4988 /* Both logical link and move success
4989 * are required to confirm
4990 */
4991 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4992 }
4993
4994 /* Placeholder - get hci_chan for logical link */
4995 if (!hchan) {
4996 /* Logical link not available */
4997 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4998 break;
4999 }
5000
5001 /* If the logical link is not yet connected, do not
5002 * send confirmation.
5003 */
5004 if (hchan->state != BT_CONNECTED)
5005 break;
5006
5007 /* Logical link is already ready to go */
5008
5009 chan->hs_hcon = hchan->conn;
5010 chan->hs_hcon->l2cap_data = chan->conn;
5011
5012 if (result == L2CAP_MR_SUCCESS) {
5013 /* Can confirm now */
5014 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5015 } else {
5016 /* Now only need move success
5017 * to confirm
5018 */
5019 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5020 }
5021
5022 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5023 break;
5024 default:
5025 /* Any other amp move state means the move failed. */
5026 chan->move_id = chan->local_amp_id;
5027 l2cap_move_done(chan);
5028 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5029 }
5030
5031 l2cap_chan_unlock(chan);
5032}
5033
5034static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5035 u16 result)
5036{
5037 struct l2cap_chan *chan;
5038
5039 chan = l2cap_get_chan_by_ident(conn, ident);
5040 if (!chan) {
5041 /* Could not locate channel, icid is best guess */
5042 l2cap_send_move_chan_cfm_icid(conn, icid);
5043 return;
5044 }
5045
5046 __clear_chan_timer(chan);
5047
5048 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5049 if (result == L2CAP_MR_COLLISION) {
5050 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5051 } else {
5052 /* Cleanup - cancel move */
5053 chan->move_id = chan->local_amp_id;
5054 l2cap_move_done(chan);
5055 }
5056 }
5057
5058 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5059
5060 l2cap_chan_unlock(chan);
5061}
5062
5063static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5064 struct l2cap_cmd_hdr *cmd,
5065 u16 cmd_len, void *data)
8d5a04a1
MM		 5066{
5067 struct l2cap_move_chan_rsp *rsp = data;
5068 u16 icid, result;
5069
5070 if (cmd_len != sizeof(*rsp))
5071 return -EPROTO;
5072
5073 icid = le16_to_cpu(rsp->icid);
5074 result = le16_to_cpu(rsp->result);
5075
ad0ac6ca 5076 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5077
5b155ef9
MM		 5078 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5079 l2cap_move_continue(conn, icid, result);
5080 else
5081 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5082
5083 return 0;
5084}
5085
5f3847a4
MM		 5086static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5087 struct l2cap_cmd_hdr *cmd,
5088 u16 cmd_len, void *data)
8d5a04a1
MM		 5089{
5090 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5091 struct l2cap_chan *chan;
8d5a04a1
MM		 5092 u16 icid, result;
5093
5094 if (cmd_len != sizeof(*cfm))
5095 return -EPROTO;
5096
5097 icid = le16_to_cpu(cfm->icid);
5098 result = le16_to_cpu(cfm->result);
5099
ad0ac6ca 5100 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5101
5f3847a4
MM		 5102 chan = l2cap_get_chan_by_dcid(conn, icid);
5103 if (!chan) {
5104 /* Spec requires a response even if the icid was not found */
5105 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5106 return 0;
5107 }
5108
5109 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5110 if (result == L2CAP_MC_CONFIRMED) {
5111 chan->local_amp_id = chan->move_id;
6ed971ca 5112 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5113 __release_logical_link(chan);
5114 } else {
5115 chan->move_id = chan->local_amp_id;
5116 }
5117
5118 l2cap_move_done(chan);
5119 }
5120
8d5a04a1
MM		 5121 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5122
5f3847a4
MM		 5123 l2cap_chan_unlock(chan);
5124
8d5a04a1
MM		 5125 return 0;
5126}
5127
5128static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5129 struct l2cap_cmd_hdr *cmd,
5130 u16 cmd_len, void *data)
8d5a04a1
MM		 5131{
5132 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5133 struct l2cap_chan *chan;
8d5a04a1
MM		 5134 u16 icid;
5135
5136 if (cmd_len != sizeof(*rsp))
5137 return -EPROTO;
5138
5139 icid = le16_to_cpu(rsp->icid);
5140
ad0ac6ca 5141 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5142
3fd71a0a
MM		 5143 chan = l2cap_get_chan_by_scid(conn, icid);
5144 if (!chan)
5145 return 0;
5146
5147 __clear_chan_timer(chan);
5148
5149 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5150 chan->local_amp_id = chan->move_id;
5151
6ed971ca 5152 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5153 __release_logical_link(chan);
5154
5155 l2cap_move_done(chan);
5156 }
5157
5158 l2cap_chan_unlock(chan);
5159
8d5a04a1
MM		 5160 return 0;
5161}
5162
de73115a 5163static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5164 struct l2cap_cmd_hdr *cmd,
203e639e 5165 u16 cmd_len, u8 *data)
de73115a
CT		 5166{
5167 struct hci_conn *hcon = conn->hcon;
5168 struct l2cap_conn_param_update_req *req;
5169 struct l2cap_conn_param_update_rsp rsp;
203e639e 5170 u16 min, max, latency, to_multiplier;
2ce603eb 5171 int err;
de73115a 5172
40bef302 5173 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5174 return -EINVAL;
5175
de73115a
CT		 5176 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5177 return -EPROTO;
5178
5179 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5180 min = __le16_to_cpu(req->min);
5181 max = __le16_to_cpu(req->max);
de73115a
CT		 5182 latency = __le16_to_cpu(req->latency);
5183 to_multiplier = __le16_to_cpu(req->to_multiplier);
5184
5185 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5186 min, max, latency, to_multiplier);
de73115a
CT		 5187
5188 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5189
d4905f24 5190 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5191 if (err)
dcf4adbf 5192 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5193 else
dcf4adbf 5194 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5195
5196 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5197 sizeof(rsp), &rsp);
de73115a 5198
ffb5a827 5199 if (!err) {
f4869e2a
JH		 5200 u8 store_hint;
5201
5202 store_hint = hci_le_conn_update(hcon, min, max, latency,
5203 to_multiplier);
ffb5a827 5204 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5205 store_hint, min, max, latency,
5206 to_multiplier);
ffb5a827 5207
ffb5a827 5208 }
2ce603eb 5209
de73115a
CT		 5210 return 0;
5211}
5212
f1496dee
JH		 5213static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5214 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5215 u8 *data)
5216{
5217 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5218 u16 dcid, mtu, mps, credits, result;
5219 struct l2cap_chan *chan;
5220 int err;
5221
5222 if (cmd_len < sizeof(*rsp))
5223 return -EPROTO;
5224
5225 dcid = __le16_to_cpu(rsp->dcid);
5226 mtu = __le16_to_cpu(rsp->mtu);
5227 mps = __le16_to_cpu(rsp->mps);
5228 credits = __le16_to_cpu(rsp->credits);
5229 result = __le16_to_cpu(rsp->result);
5230
5231 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5232 return -EPROTO;
5233
5234 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5235 dcid, mtu, mps, credits, result);
5236
5237 mutex_lock(&conn->chan_lock);
5238
5239 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5240 if (!chan) {
5241 err = -EBADSLT;
5242 goto unlock;
5243 }
5244
5245 err = 0;
5246
5247 l2cap_chan_lock(chan);
5248
5249 switch (result) {
5250 case L2CAP_CR_SUCCESS:
5251 chan->ident = 0;
5252 chan->dcid = dcid;
5253 chan->omtu = mtu;
5254 chan->remote_mps = mps;
0cd75f7e 5255 chan->tx_credits = credits;
f1496dee
JH		 5256 l2cap_chan_ready(chan);
5257 break;
5258
5259 default:
5260 l2cap_chan_del(chan, ECONNREFUSED);
5261 break;
5262 }
5263
5264 l2cap_chan_unlock(chan);
5265
5266unlock:
5267 mutex_unlock(&conn->chan_lock);
5268
5269 return err;
5270}
5271
3300d9a9 5272static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5273 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5274 u8 *data)
3300d9a9
CT		 5275{
5276 int err = 0;
5277
5278 switch (cmd->code) {
5279 case L2CAP_COMMAND_REJ:
cb3b3152 5280 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5281 break;
5282
5283 case L2CAP_CONN_REQ:
cb3b3152 5284 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5285 break;
5286
5287 case L2CAP_CONN_RSP:
f5a2598d 5288 case L2CAP_CREATE_CHAN_RSP:
9245e737 5289 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5290 break;
5291
5292 case L2CAP_CONF_REQ:
5293 err = l2cap_config_req(conn, cmd, cmd_len, data);
5294 break;
5295
5296 case L2CAP_CONF_RSP:
9245e737 5297 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5298 break;
5299
5300 case L2CAP_DISCONN_REQ:
cb3b3152 5301 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5302 break;
5303
5304 case L2CAP_DISCONN_RSP:
9245e737 5305 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5306 break;
5307
5308 case L2CAP_ECHO_REQ:
5309 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5310 break;
5311
5312 case L2CAP_ECHO_RSP:
5313 break;
5314
5315 case L2CAP_INFO_REQ:
cb3b3152 5316 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5317 break;
5318
5319 case L2CAP_INFO_RSP:
9245e737 5320 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5321 break;
5322
f94ff6ff
MM		 5323 case L2CAP_CREATE_CHAN_REQ:
5324 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5325 break;
5326
8d5a04a1
MM		 5327 case L2CAP_MOVE_CHAN_REQ:
5328 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5329 break;
5330
5331 case L2CAP_MOVE_CHAN_RSP:
9245e737 5332 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5333 break;
5334
5335 case L2CAP_MOVE_CHAN_CFM:
5336 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5337 break;
5338
5339 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5340 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5341 break;
5342
3300d9a9
CT		 5343 default:
5344 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5345 err = -EINVAL;
5346 break;
5347 }
5348
5349 return err;
5350}
5351
27e2d4c8
JH		 5352static int l2cap_le_connect_req(struct l2cap_conn *conn,
5353 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5354 u8 *data)
5355{
5356 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5357 struct l2cap_le_conn_rsp rsp;
5358 struct l2cap_chan *chan, *pchan;
0cd75f7e 5359 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5360 __le16 psm;
5361 u8 result;
5362
5363 if (cmd_len != sizeof(*req))
5364 return -EPROTO;
5365
5366 scid = __le16_to_cpu(req->scid);
5367 mtu = __le16_to_cpu(req->mtu);
5368 mps = __le16_to_cpu(req->mps);
5369 psm = req->psm;
5370 dcid = 0;
0cd75f7e 5371 credits = 0;
27e2d4c8
JH		 5372
5373 if (mtu < 23 || mps < 23)
5374 return -EPROTO;
5375
5376 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5377 scid, mtu, mps);
5378
5379 /* Check if we have socket listening on psm */
5380 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5381 &conn->hcon->dst, LE_LINK);
5382 if (!pchan) {
5383 result = L2CAP_CR_BAD_PSM;
5384 chan = NULL;
5385 goto response;
5386 }
5387
5388 mutex_lock(&conn->chan_lock);
5389 l2cap_chan_lock(pchan);
5390
5391 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5392 result = L2CAP_CR_AUTHENTICATION;
5393 chan = NULL;
5394 goto response_unlock;
5395 }
5396
5397 /* Check if we already have channel with that dcid */
5398 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5399 result = L2CAP_CR_NO_MEM;
5400 chan = NULL;
5401 goto response_unlock;
5402 }
5403
5404 chan = pchan->ops->new_connection(pchan);
5405 if (!chan) {
5406 result = L2CAP_CR_NO_MEM;
5407 goto response_unlock;
5408 }
5409
0ce43ce6
JH		 5410 l2cap_le_flowctl_init(chan);
5411
27e2d4c8
JH		 5412 bacpy(&chan->src, &conn->hcon->src);
5413 bacpy(&chan->dst, &conn->hcon->dst);
5414 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5415 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5416 chan->psm = psm;
5417 chan->dcid = scid;
5418 chan->omtu = mtu;
5419 chan->remote_mps = mps;
0cd75f7e 5420 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5421
5422 __l2cap_chan_add(conn, chan);
5423 dcid = chan->scid;
0cd75f7e 5424 credits = chan->rx_credits;
27e2d4c8
JH		 5425
5426 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5427
5428 chan->ident = cmd->ident;
5429
5430 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5431 l2cap_state_change(chan, BT_CONNECT2);
5432 result = L2CAP_CR_PEND;
5433 chan->ops->defer(chan);
5434 } else {
5435 l2cap_chan_ready(chan);
5436 result = L2CAP_CR_SUCCESS;
5437 }
5438
5439response_unlock:
5440 l2cap_chan_unlock(pchan);
5441 mutex_unlock(&conn->chan_lock);
a24cce14 5442 l2cap_chan_put(pchan);
27e2d4c8
JH		 5443
5444 if (result == L2CAP_CR_PEND)
5445 return 0;
5446
5447response:
5448 if (chan) {
5449 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5450 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5451 } else {
5452 rsp.mtu = 0;
5453 rsp.mps = 0;
5454 }
5455
5456 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5457 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5458 rsp.result = cpu_to_le16(result);
5459
5460 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5461
5462 return 0;
5463}
5464
fad5fc89
JH		 5465static inline int l2cap_le_credits(struct l2cap_conn *conn,
5466 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5467 u8 *data)
5468{
5469 struct l2cap_le_credits *pkt;
5470 struct l2cap_chan *chan;
0f1bfe4e 5471 u16 cid, credits, max_credits;
fad5fc89
JH		 5472
5473 if (cmd_len != sizeof(*pkt))
5474 return -EPROTO;
5475
5476 pkt = (struct l2cap_le_credits *) data;
5477 cid = __le16_to_cpu(pkt->cid);
5478 credits = __le16_to_cpu(pkt->credits);
5479
5480 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5481
5482 chan = l2cap_get_chan_by_dcid(conn, cid);
5483 if (!chan)
5484 return -EBADSLT;
5485
0f1bfe4e
JH		 5486 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5487 if (credits > max_credits) {
5488 BT_ERR("LE credits overflow");
5489 l2cap_send_disconn_req(chan, ECONNRESET);
5490
5491 /* Return 0 so that we don't trigger an unnecessary
5492 * command reject packet.
5493 */
5494 return 0;
5495 }
5496
fad5fc89
JH		 5497 chan->tx_credits += credits;
5498
5499 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5500 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5501 chan->tx_credits--;
5502 }
5503
5504 if (chan->tx_credits)
5505 chan->ops->resume(chan);
5506
5507 l2cap_chan_unlock(chan);
5508
5509 return 0;
5510}
5511
71fb4197
JH		 5512static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5513 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5514 u8 *data)
5515{
5516 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5517 struct l2cap_chan *chan;
5518
5519 if (cmd_len < sizeof(*rej))
5520 return -EPROTO;
5521
5522 mutex_lock(&conn->chan_lock);
5523
5524 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5525 if (!chan)
5526 goto done;
5527
5528 l2cap_chan_lock(chan);
5529 l2cap_chan_del(chan, ECONNREFUSED);
5530 l2cap_chan_unlock(chan);
5531
5532done:
5533 mutex_unlock(&conn->chan_lock);
5534 return 0;
5535}
5536
3300d9a9 5537static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5538 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5539 u8 *data)
3300d9a9 5540{
b5ecba64
JH		 5541 int err = 0;
5542
3300d9a9
CT		 5543 switch (cmd->code) {
5544 case L2CAP_COMMAND_REJ:
71fb4197 5545 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5546 break;
3300d9a9
CT		 5547
5548 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5549 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5550 break;
3300d9a9
CT		 5551
5552 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5553 break;
3300d9a9 5554
f1496dee
JH		 5555 case L2CAP_LE_CONN_RSP:
5556 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5557 break;
f1496dee 5558
27e2d4c8 5559 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5560 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5561 break;
27e2d4c8 5562
fad5fc89
JH		 5563 case L2CAP_LE_CREDITS:
5564 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5565 break;
5566
3defe01a 5567 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5568 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5569 break;
3defe01a
JH		 5570
5571 case L2CAP_DISCONN_RSP:
5572 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5573 break;
3defe01a 5574
3300d9a9
CT		 5575 default:
5576 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5577 err = -EINVAL;
5578 break;
3300d9a9 5579 }
b5ecba64
JH		 5580
5581 return err;
3300d9a9
CT		 5582}
5583
c5623556
JH		 5584static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5585 struct sk_buff *skb)
5586{
69c4e4e8 5587 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5588 struct l2cap_cmd_hdr *cmd;
5589 u16 len;
c5623556
JH		 5590 int err;
5591
69c4e4e8 5592 if (hcon->type != LE_LINK)
3b166295 5593 goto drop;
69c4e4e8 5594
4f3e219d
MH		 5595 if (skb->len < L2CAP_CMD_HDR_SIZE)
5596 goto drop;
c5623556 5597
4f3e219d
MH		 5598 cmd = (void *) skb->data;
5599 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5600
4f3e219d 5601 len = le16_to_cpu(cmd->len);
c5623556 5602
4f3e219d 5603 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5604
4f3e219d
MH		 5605 if (len != skb->len || !cmd->ident) {
5606 BT_DBG("corrupted command");
5607 goto drop;
5608 }
c5623556 5609
203e639e 5610 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5611 if (err) {
5612 struct l2cap_cmd_rej_unk rej;
c5623556 5613
4f3e219d 5614 BT_ERR("Wrong link type (%d)", err);
c5623556 5615
dcf4adbf 5616 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5617 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5618 sizeof(rej), &rej);
c5623556
JH		 5619 }
5620
3b166295 5621drop:
c5623556
JH		 5622 kfree_skb(skb);
5623}
5624
3300d9a9 5625static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5626 struct sk_buff *skb)
1da177e4 5627{
69c4e4e8 5628 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5629 u8 *data = skb->data;
5630 int len = skb->len;
5631 struct l2cap_cmd_hdr cmd;
3300d9a9 5632 int err;
1da177e4
LT		 5633
5634 l2cap_raw_recv(conn, skb);
5635
69c4e4e8 5636 if (hcon->type != ACL_LINK)
3b166295 5637 goto drop;
69c4e4e8 5638
1da177e4 5639 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5640 u16 cmd_len;
1da177e4
LT		 5641 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5642 data += L2CAP_CMD_HDR_SIZE;
5643 len -= L2CAP_CMD_HDR_SIZE;
5644
88219a0f 5645 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5646
2d792818
GP		 5647 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5648 cmd.ident);
1da177e4 5649
88219a0f 5650 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5651 BT_DBG("corrupted command");
5652 break;
5653 }
5654
c5623556 5655 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5656 if (err) {
e2fd318e 5657 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5658
5659 BT_ERR("Wrong link type (%d)", err);
1da177e4 5660
dcf4adbf 5661 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5662 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5663 sizeof(rej), &rej);
1da177e4
LT		 5664 }
5665
88219a0f
AV		 5666 data += cmd_len;
5667 len -= cmd_len;
1da177e4
LT		 5668 }
5669
3b166295 5670drop:
1da177e4
LT		 5671 kfree_skb(skb);
5672}
5673
47d1ec61 5674static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5675{
5676 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5677 int hdr_size;
5678
5679 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5680 hdr_size = L2CAP_EXT_HDR_SIZE;
5681 else
5682 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5683
47d1ec61 5684 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5685 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5686 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5687 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5688
5689 if (our_fcs != rcv_fcs)
7a560e5c 5690 return -EBADMSG;
fcc203c3
GP		 5691 }
5692 return 0;
5693}
5694
6ea00485 5695static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5696{
e31f7633 5697 struct l2cap_ctrl control;
d5392c8f 5698
e31f7633 5699 BT_DBG("chan %p", chan);
d5392c8f 5700
e31f7633
MM		 5701 memset(&control, 0, sizeof(control));
5702 control.sframe = 1;
5703 control.final = 1;
5704 control.reqseq = chan->buffer_seq;
5705 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5706
e2ab4353 5707 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5708 control.super = L2CAP_SUPER_RNR;
5709 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5710 }
5711
e31f7633
MM		 5712 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5713 chan->unacked_frames > 0)
5714 __set_retrans_timer(chan);
d5392c8f 5715
e31f7633 5716 /* Send pending iframes */
525cd185 5717 l2cap_ertm_send(chan);
d5392c8f 5718
e2ab4353 5719 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5720 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5721 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5722 * send it now.
5723 */
5724 control.super = L2CAP_SUPER_RR;
5725 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5726 }
5727}
5728
2d792818
GP		 5729static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5730 struct sk_buff **last_frag)
18778a63 5731{
84084a31
MM		 5732 /* skb->len reflects data in skb as well as all fragments
5733 * skb->data_len reflects only data in fragments
5734 */
5735 if (!skb_has_frag_list(skb))
5736 skb_shinfo(skb)->frag_list = new_frag;
5737
5738 new_frag->next = NULL;
5739
5740 (*last_frag)->next = new_frag;
5741 *last_frag = new_frag;
5742
5743 skb->len += new_frag->len;
5744 skb->data_len += new_frag->len;
5745 skb->truesize += new_frag->truesize;
5746}
5747
4b51dae9
MM		 5748static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5749 struct l2cap_ctrl *control)
84084a31
MM		 5750{
5751 int err = -EINVAL;
18778a63 5752
4b51dae9 5753 switch (control->sar) {
7e0ef6ee 5754 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5755 if (chan->sdu)
5756 break;
18778a63 5757
80b98027 5758 err = chan->ops->recv(chan, skb);
84084a31 5759 break;
18778a63 5760
7e0ef6ee 5761 case L2CAP_SAR_START:
84084a31
MM		 5762 if (chan->sdu)
5763 break;
18778a63 5764
6f61fd47 5765 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5766 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5767
84084a31
MM		 5768 if (chan->sdu_len > chan->imtu) {
5769 err = -EMSGSIZE;
5770 break;
5771 }
1890d36b 5772
84084a31
MM		 5773 if (skb->len >= chan->sdu_len)
5774 break;
18778a63 5775
84084a31
MM		 5776 chan->sdu = skb;
5777 chan->sdu_last_frag = skb;
18778a63 5778
84084a31
MM		 5779 skb = NULL;
5780 err = 0;
18778a63
GP		 5781 break;
5782
7e0ef6ee 5783 case L2CAP_SAR_CONTINUE:
6f61fd47 5784 if (!chan->sdu)
84084a31 5785 break;
18778a63 5786
84084a31
MM		 5787 append_skb_frag(chan->sdu, skb,
5788 &chan->sdu_last_frag);
5789 skb = NULL;
18778a63 5790
84084a31
MM		 5791 if (chan->sdu->len >= chan->sdu_len)
5792 break;
4178ba46 5793
84084a31 5794 err = 0;
18778a63
GP		 5795 break;
5796
7e0ef6ee 5797 case L2CAP_SAR_END:
6f61fd47 5798 if (!chan->sdu)
84084a31 5799 break;
18778a63 5800
84084a31
MM		 5801 append_skb_frag(chan->sdu, skb,
5802 &chan->sdu_last_frag);
5803 skb = NULL;
4178ba46 5804
84084a31
MM		 5805 if (chan->sdu->len != chan->sdu_len)
5806 break;
18778a63 5807
80b98027 5808 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5809
84084a31
MM		 5810 if (!err) {
5811 /* Reassembly complete */
5812 chan->sdu = NULL;
5813 chan->sdu_last_frag = NULL;
5814 chan->sdu_len = 0;
1890d36b 5815 }
18778a63
GP		 5816 break;
5817 }
5818
84084a31
MM		 5819 if (err) {
5820 kfree_skb(skb);
5821 kfree_skb(chan->sdu);
5822 chan->sdu = NULL;
5823 chan->sdu_last_frag = NULL;
5824 chan->sdu_len = 0;
5825 }
18778a63 5826
84084a31 5827 return err;
18778a63
GP		 5828}
5829
32b32735
MM		 5830static int l2cap_resegment(struct l2cap_chan *chan)
5831{
5832 /* Placeholder */
5833 return 0;
5834}
5835
61aa4f5b 5836void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5837{
61aa4f5b 5838 u8 event;
712132eb 5839
61aa4f5b
MM		 5840 if (chan->mode != L2CAP_MODE_ERTM)
5841 return;
712132eb 5842
61aa4f5b 5843 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5844 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5845}
5846
d2a7ac5d
MM		 5847static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5848{
63838725
MM		 5849 int err = 0;
5850 /* Pass sequential frames to l2cap_reassemble_sdu()
5851 * until a gap is encountered.
5852 */
5853
5854 BT_DBG("chan %p", chan);
5855
5856 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5857 struct sk_buff *skb;
5858 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5859 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5860
5861 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5862
5863 if (!skb)
5864 break;
5865
5866 skb_unlink(skb, &chan->srej_q);
5867 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5868 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5869 if (err)
5870 break;
5871 }
5872
5873 if (skb_queue_empty(&chan->srej_q)) {
5874 chan->rx_state = L2CAP_RX_STATE_RECV;
5875 l2cap_send_ack(chan);
5876 }
5877
5878 return err;
d2a7ac5d
MM		 5879}
5880
5881static void l2cap_handle_srej(struct l2cap_chan *chan,
5882 struct l2cap_ctrl *control)
5883{
f80842a8
MM		 5884 struct sk_buff *skb;
5885
5886 BT_DBG("chan %p, control %p", chan, control);
5887
5888 if (control->reqseq == chan->next_tx_seq) {
5889 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5890 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5891 return;
5892 }
5893
5894 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5895
5896 if (skb == NULL) {
5897 BT_DBG("Seq %d not available for retransmission",
5898 control->reqseq);
5899 return;
5900 }
5901
5902 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5903 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5904 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5905 return;
5906 }
5907
5908 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5909
5910 if (control->poll) {
5911 l2cap_pass_to_tx(chan, control);
5912
5913 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5914 l2cap_retransmit(chan, control);
5915 l2cap_ertm_send(chan);
5916
5917 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5918 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5919 chan->srej_save_reqseq = control->reqseq;
5920 }
5921 } else {
5922 l2cap_pass_to_tx_fbit(chan, control);
5923
5924 if (control->final) {
5925 if (chan->srej_save_reqseq != control->reqseq ||
5926 !test_and_clear_bit(CONN_SREJ_ACT,
5927 &chan->conn_state))
5928 l2cap_retransmit(chan, control);
5929 } else {
5930 l2cap_retransmit(chan, control);
5931 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5932 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5933 chan->srej_save_reqseq = control->reqseq;
5934 }
5935 }
5936 }
d2a7ac5d
MM		 5937}
5938
5939static void l2cap_handle_rej(struct l2cap_chan *chan,
5940 struct l2cap_ctrl *control)
5941{
fcd289df
MM		 5942 struct sk_buff *skb;
5943
5944 BT_DBG("chan %p, control %p", chan, control);
5945
5946 if (control->reqseq == chan->next_tx_seq) {
5947 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5948 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5949 return;
5950 }
5951
5952 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5953
5954 if (chan->max_tx && skb &&
5955 bt_cb(skb)->control.retries >= chan->max_tx) {
5956 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5957 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5958 return;
5959 }
5960
5961 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5962
5963 l2cap_pass_to_tx(chan, control);
5964
5965 if (control->final) {
5966 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5967 l2cap_retransmit_all(chan, control);
5968 } else {
5969 l2cap_retransmit_all(chan, control);
5970 l2cap_ertm_send(chan);
5971 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5972 set_bit(CONN_REJ_ACT, &chan->conn_state);
5973 }
d2a7ac5d
MM		 5974}
5975
4b51dae9
MM		 5976static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5977{
5978 BT_DBG("chan %p, txseq %d", chan, txseq);
5979
5980 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5981 chan->expected_tx_seq);
5982
5983 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5984 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5985 chan->tx_win) {
4b51dae9
MM		 5986 /* See notes below regarding "double poll" and
5987 * invalid packets.
5988 */
5989 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5990 BT_DBG("Invalid/Ignore - after SREJ");
5991 return L2CAP_TXSEQ_INVALID_IGNORE;
5992 } else {
5993 BT_DBG("Invalid - in window after SREJ sent");
5994 return L2CAP_TXSEQ_INVALID;
5995 }
5996 }
5997
5998 if (chan->srej_list.head == txseq) {
5999 BT_DBG("Expected SREJ");
6000 return L2CAP_TXSEQ_EXPECTED_SREJ;
6001 }
6002
6003 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6004 BT_DBG("Duplicate SREJ - txseq already stored");
6005 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6006 }
6007
6008 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6009 BT_DBG("Unexpected SREJ - not requested");
6010 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6011 }
6012 }
6013
6014 if (chan->expected_tx_seq == txseq) {
6015 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6016 chan->tx_win) {
6017 BT_DBG("Invalid - txseq outside tx window");
6018 return L2CAP_TXSEQ_INVALID;
6019 } else {
6020 BT_DBG("Expected");
6021 return L2CAP_TXSEQ_EXPECTED;
6022 }
6023 }
6024
6025 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6026 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6027 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6028 return L2CAP_TXSEQ_DUPLICATE;
6029 }
6030
6031 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6032 /* A source of invalid packets is a "double poll" condition,
6033 * where delays cause us to send multiple poll packets. If
6034 * the remote stack receives and processes both polls,
6035 * sequence numbers can wrap around in such a way that a
6036 * resent frame has a sequence number that looks like new data
6037 * with a sequence gap. This would trigger an erroneous SREJ
6038 * request.
6039 *
6040 * Fortunately, this is impossible with a tx window that's
6041 * less than half of the maximum sequence number, which allows
6042 * invalid frames to be safely ignored.
6043 *
6044 * With tx window sizes greater than half of the tx window
6045 * maximum, the frame is invalid and cannot be ignored. This
6046 * causes a disconnect.
6047 */
6048
6049 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6050 BT_DBG("Invalid/Ignore - txseq outside tx window");
6051 return L2CAP_TXSEQ_INVALID_IGNORE;
6052 } else {
6053 BT_DBG("Invalid - txseq outside tx window");
6054 return L2CAP_TXSEQ_INVALID;
6055 }
6056 } else {
6057 BT_DBG("Unexpected - txseq indicates missing frames");
6058 return L2CAP_TXSEQ_UNEXPECTED;
6059 }
6060}
6061
d2a7ac5d
MM		 6062static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6063 struct l2cap_ctrl *control,
6064 struct sk_buff *skb, u8 event)
6065{
6066 int err = 0;
941247f9 6067 bool skb_in_use = false;
d2a7ac5d
MM		 6068
6069 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6070 event);
6071
6072 switch (event) {
6073 case L2CAP_EV_RECV_IFRAME:
6074 switch (l2cap_classify_txseq(chan, control->txseq)) {
6075 case L2CAP_TXSEQ_EXPECTED:
6076 l2cap_pass_to_tx(chan, control);
6077
6078 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6079 BT_DBG("Busy, discarding expected seq %d",
6080 control->txseq);
6081 break;
6082 }
6083
6084 chan->expected_tx_seq = __next_seq(chan,
6085 control->txseq);
6086
6087 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6088 skb_in_use = true;
d2a7ac5d
MM		 6089
6090 err = l2cap_reassemble_sdu(chan, skb, control);
6091 if (err)
6092 break;
6093
6094 if (control->final) {
6095 if (!test_and_clear_bit(CONN_REJ_ACT,
6096 &chan->conn_state)) {
6097 control->final = 0;
6098 l2cap_retransmit_all(chan, control);
6099 l2cap_ertm_send(chan);
6100 }
6101 }
6102
6103 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6104 l2cap_send_ack(chan);
6105 break;
6106 case L2CAP_TXSEQ_UNEXPECTED:
6107 l2cap_pass_to_tx(chan, control);
6108
6109 /* Can't issue SREJ frames in the local busy state.
6110 * Drop this frame, it will be seen as missing
6111 * when local busy is exited.
6112 */
6113 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6114 BT_DBG("Busy, discarding unexpected seq %d",
6115 control->txseq);
6116 break;
6117 }
6118
6119 /* There was a gap in the sequence, so an SREJ
6120 * must be sent for each missing frame. The
6121 * current frame is stored for later use.
6122 */
6123 skb_queue_tail(&chan->srej_q, skb);
941247f9 6124 skb_in_use = true;
d2a7ac5d
MM		 6125 BT_DBG("Queued %p (queue len %d)", skb,
6126 skb_queue_len(&chan->srej_q));
6127
6128 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6129 l2cap_seq_list_clear(&chan->srej_list);
6130 l2cap_send_srej(chan, control->txseq);
6131
6132 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6133 break;
6134 case L2CAP_TXSEQ_DUPLICATE:
6135 l2cap_pass_to_tx(chan, control);
6136 break;
6137 case L2CAP_TXSEQ_INVALID_IGNORE:
6138 break;
6139 case L2CAP_TXSEQ_INVALID:
6140 default:
5e4e3972 6141 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6142 break;
6143 }
6144 break;
6145 case L2CAP_EV_RECV_RR:
6146 l2cap_pass_to_tx(chan, control);
6147 if (control->final) {
6148 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6149
e6a3ee6e
MM		 6150 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6151 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6152 control->final = 0;
6153 l2cap_retransmit_all(chan, control);
6154 }
6155
6156 l2cap_ertm_send(chan);
6157 } else if (control->poll) {
6158 l2cap_send_i_or_rr_or_rnr(chan);
6159 } else {
6160 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6161 &chan->conn_state) &&
6162 chan->unacked_frames)
6163 __set_retrans_timer(chan);
6164
6165 l2cap_ertm_send(chan);
6166 }
6167 break;
6168 case L2CAP_EV_RECV_RNR:
6169 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6170 l2cap_pass_to_tx(chan, control);
6171 if (control && control->poll) {
6172 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6173 l2cap_send_rr_or_rnr(chan, 0);
6174 }
6175 __clear_retrans_timer(chan);
6176 l2cap_seq_list_clear(&chan->retrans_list);
6177 break;
6178 case L2CAP_EV_RECV_REJ:
6179 l2cap_handle_rej(chan, control);
6180 break;
6181 case L2CAP_EV_RECV_SREJ:
6182 l2cap_handle_srej(chan, control);
6183 break;
6184 default:
6185 break;
6186 }
6187
6188 if (skb && !skb_in_use) {
6189 BT_DBG("Freeing %p", skb);
6190 kfree_skb(skb);
6191 }
6192
6193 return err;
6194}
6195
6196static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6197 struct l2cap_ctrl *control,
6198 struct sk_buff *skb, u8 event)
6199{
6200 int err = 0;
6201 u16 txseq = control->txseq;
941247f9 6202 bool skb_in_use = false;
d2a7ac5d
MM		 6203
6204 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6205 event);
6206
6207 switch (event) {
6208 case L2CAP_EV_RECV_IFRAME:
6209 switch (l2cap_classify_txseq(chan, txseq)) {
6210 case L2CAP_TXSEQ_EXPECTED:
6211 /* Keep frame for reassembly later */
6212 l2cap_pass_to_tx(chan, control);
6213 skb_queue_tail(&chan->srej_q, skb);
941247f9 6214 skb_in_use = true;
d2a7ac5d
MM		 6215 BT_DBG("Queued %p (queue len %d)", skb,
6216 skb_queue_len(&chan->srej_q));
6217
6218 chan->expected_tx_seq = __next_seq(chan, txseq);
6219 break;
6220 case L2CAP_TXSEQ_EXPECTED_SREJ:
6221 l2cap_seq_list_pop(&chan->srej_list);
6222
6223 l2cap_pass_to_tx(chan, control);
6224 skb_queue_tail(&chan->srej_q, skb);
941247f9 6225 skb_in_use = true;
d2a7ac5d
MM		 6226 BT_DBG("Queued %p (queue len %d)", skb,
6227 skb_queue_len(&chan->srej_q));
6228
6229 err = l2cap_rx_queued_iframes(chan);
6230 if (err)
6231 break;
6232
6233 break;
6234 case L2CAP_TXSEQ_UNEXPECTED:
6235 /* Got a frame that can't be reassembled yet.
6236 * Save it for later, and send SREJs to cover
6237 * the missing frames.
6238 */
6239 skb_queue_tail(&chan->srej_q, skb);
941247f9 6240 skb_in_use = true;
d2a7ac5d
MM		 6241 BT_DBG("Queued %p (queue len %d)", skb,
6242 skb_queue_len(&chan->srej_q));
6243
6244 l2cap_pass_to_tx(chan, control);
6245 l2cap_send_srej(chan, control->txseq);
6246 break;
6247 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6248 /* This frame was requested with an SREJ, but
6249 * some expected retransmitted frames are
6250 * missing. Request retransmission of missing
6251 * SREJ'd frames.
6252 */
6253 skb_queue_tail(&chan->srej_q, skb);
941247f9 6254 skb_in_use = true;
d2a7ac5d
MM		 6255 BT_DBG("Queued %p (queue len %d)", skb,
6256 skb_queue_len(&chan->srej_q));
6257
6258 l2cap_pass_to_tx(chan, control);
6259 l2cap_send_srej_list(chan, control->txseq);
6260 break;
6261 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6262 /* We've already queued this frame. Drop this copy. */
6263 l2cap_pass_to_tx(chan, control);
6264 break;
6265 case L2CAP_TXSEQ_DUPLICATE:
6266 /* Expecting a later sequence number, so this frame
6267 * was already received. Ignore it completely.
6268 */
6269 break;
6270 case L2CAP_TXSEQ_INVALID_IGNORE:
6271 break;
6272 case L2CAP_TXSEQ_INVALID:
6273 default:
5e4e3972 6274 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6275 break;
6276 }
6277 break;
6278 case L2CAP_EV_RECV_RR:
6279 l2cap_pass_to_tx(chan, control);
6280 if (control->final) {
6281 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6282
6283 if (!test_and_clear_bit(CONN_REJ_ACT,
6284 &chan->conn_state)) {
6285 control->final = 0;
6286 l2cap_retransmit_all(chan, control);
6287 }
6288
6289 l2cap_ertm_send(chan);
6290 } else if (control->poll) {
6291 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6292 &chan->conn_state) &&
6293 chan->unacked_frames) {
6294 __set_retrans_timer(chan);
6295 }
6296
6297 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6298 l2cap_send_srej_tail(chan);
6299 } else {
6300 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6301 &chan->conn_state) &&
6302 chan->unacked_frames)
6303 __set_retrans_timer(chan);
6304
6305 l2cap_send_ack(chan);
6306 }
6307 break;
6308 case L2CAP_EV_RECV_RNR:
6309 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6310 l2cap_pass_to_tx(chan, control);
6311 if (control->poll) {
6312 l2cap_send_srej_tail(chan);
6313 } else {
6314 struct l2cap_ctrl rr_control;
6315 memset(&rr_control, 0, sizeof(rr_control));
6316 rr_control.sframe = 1;
6317 rr_control.super = L2CAP_SUPER_RR;
6318 rr_control.reqseq = chan->buffer_seq;
6319 l2cap_send_sframe(chan, &rr_control);
6320 }
6321
6322 break;
6323 case L2CAP_EV_RECV_REJ:
6324 l2cap_handle_rej(chan, control);
6325 break;
6326 case L2CAP_EV_RECV_SREJ:
6327 l2cap_handle_srej(chan, control);
6328 break;
6329 }
6330
6331 if (skb && !skb_in_use) {
6332 BT_DBG("Freeing %p", skb);
6333 kfree_skb(skb);
6334 }
6335
6336 return err;
6337}
6338
32b32735
MM		 6339static int l2cap_finish_move(struct l2cap_chan *chan)
6340{
6341 BT_DBG("chan %p", chan);
6342
6343 chan->rx_state = L2CAP_RX_STATE_RECV;
6344
6345 if (chan->hs_hcon)
6346 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6347 else
6348 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6349
6350 return l2cap_resegment(chan);
6351}
6352
6353static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6354 struct l2cap_ctrl *control,
6355 struct sk_buff *skb, u8 event)
6356{
6357 int err;
6358
6359 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6360 event);
6361
6362 if (!control->poll)
6363 return -EPROTO;
6364
6365 l2cap_process_reqseq(chan, control->reqseq);
6366
6367 if (!skb_queue_empty(&chan->tx_q))
6368 chan->tx_send_head = skb_peek(&chan->tx_q);
6369 else
6370 chan->tx_send_head = NULL;
6371
6372 /* Rewind next_tx_seq to the point expected
6373 * by the receiver.
6374 */
6375 chan->next_tx_seq = control->reqseq;
6376 chan->unacked_frames = 0;
6377
6378 err = l2cap_finish_move(chan);
6379 if (err)
6380 return err;
6381
6382 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6383 l2cap_send_i_or_rr_or_rnr(chan);
6384
6385 if (event == L2CAP_EV_RECV_IFRAME)
6386 return -EPROTO;
6387
6388 return l2cap_rx_state_recv(chan, control, NULL, event);
6389}
6390
6391static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6392 struct l2cap_ctrl *control,
6393 struct sk_buff *skb, u8 event)
6394{
6395 int err;
6396
6397 if (!control->final)
6398 return -EPROTO;
6399
6400 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6401
6402 chan->rx_state = L2CAP_RX_STATE_RECV;
6403 l2cap_process_reqseq(chan, control->reqseq);
6404
6405 if (!skb_queue_empty(&chan->tx_q))
6406 chan->tx_send_head = skb_peek(&chan->tx_q);
6407 else
6408 chan->tx_send_head = NULL;
6409
6410 /* Rewind next_tx_seq to the point expected
6411 * by the receiver.
6412 */
6413 chan->next_tx_seq = control->reqseq;
6414 chan->unacked_frames = 0;
6415
6416 if (chan->hs_hcon)
6417 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6418 else
6419 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6420
6421 err = l2cap_resegment(chan);
6422
6423 if (!err)
6424 err = l2cap_rx_state_recv(chan, control, skb, event);
6425
6426 return err;
6427}
6428
d2a7ac5d
MM		 6429static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6430{
6431 /* Make sure reqseq is for a packet that has been sent but not acked */
6432 u16 unacked;
6433
6434 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6435 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6436}
6437
cec8ab6e
MM		 6438static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6439 struct sk_buff *skb, u8 event)
218bb9df 6440{
d2a7ac5d
MM		 6441 int err = 0;
6442
6443 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6444 control, skb, event, chan->rx_state);
6445
6446 if (__valid_reqseq(chan, control->reqseq)) {
6447 switch (chan->rx_state) {
6448 case L2CAP_RX_STATE_RECV:
6449 err = l2cap_rx_state_recv(chan, control, skb, event);
6450 break;
6451 case L2CAP_RX_STATE_SREJ_SENT:
6452 err = l2cap_rx_state_srej_sent(chan, control, skb,
6453 event);
6454 break;
32b32735
MM		 6455 case L2CAP_RX_STATE_WAIT_P:
6456 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6457 break;
6458 case L2CAP_RX_STATE_WAIT_F:
6459 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6460 break;
d2a7ac5d
MM		 6461 default:
6462 /* shut it down */
6463 break;
6464 }
6465 } else {
6466 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6467 control->reqseq, chan->next_tx_seq,
6468 chan->expected_ack_seq);
5e4e3972 6469 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6470 }
6471
6472 return err;
cec8ab6e
MM		 6473}
6474
6475static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6476 struct sk_buff *skb)
6477{
4b51dae9
MM		 6478 int err = 0;
6479
6480 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6481 chan->rx_state);
6482
6483 if (l2cap_classify_txseq(chan, control->txseq) ==
6484 L2CAP_TXSEQ_EXPECTED) {
6485 l2cap_pass_to_tx(chan, control);
6486
6487 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6488 __next_seq(chan, chan->buffer_seq));
6489
6490 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6491
6492 l2cap_reassemble_sdu(chan, skb, control);
6493 } else {
6494 if (chan->sdu) {
6495 kfree_skb(chan->sdu);
6496 chan->sdu = NULL;
6497 }
6498 chan->sdu_last_frag = NULL;
6499 chan->sdu_len = 0;
6500
6501 if (skb) {
6502 BT_DBG("Freeing %p", skb);
6503 kfree_skb(skb);
6504 }
6505 }
6506
6507 chan->last_acked_seq = control->txseq;
6508 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6509
6510 return err;
cec8ab6e
MM		 6511}
6512
6513static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6514{
6515 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6516 u16 len;
6517 u8 event;
218bb9df 6518
b76bbd66
MM		 6519 __unpack_control(chan, skb);
6520
218bb9df
GP		 6521 len = skb->len;
6522
6523 /*
6524 * We can just drop the corrupted I-frame here.
6525 * Receiver will miss it and start proper recovery
cec8ab6e 6526 * procedures and ask for retransmission.
218bb9df 6527 */
47d1ec61 6528 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6529 goto drop;
6530
cec8ab6e 6531 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6532 len -= L2CAP_SDULEN_SIZE;
218bb9df 6533
47d1ec61 6534 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6535 len -= L2CAP_FCS_SIZE;
218bb9df 6536
47d1ec61 6537 if (len > chan->mps) {
5e4e3972 6538 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6539 goto drop;
6540 }
6541
cec8ab6e
MM		 6542 if (!control->sframe) {
6543 int err;
218bb9df 6544
cec8ab6e
MM		 6545 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6546 control->sar, control->reqseq, control->final,
6547 control->txseq);
218bb9df 6548
cec8ab6e
MM		 6549 /* Validate F-bit - F=0 always valid, F=1 only
6550 * valid in TX WAIT_F
6551 */
6552 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6553 goto drop;
cec8ab6e
MM		 6554
6555 if (chan->mode != L2CAP_MODE_STREAMING) {
6556 event = L2CAP_EV_RECV_IFRAME;
6557 err = l2cap_rx(chan, control, skb, event);
6558 } else {
6559 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6560 }
6561
cec8ab6e 6562 if (err)
5e4e3972 6563 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6564 } else {
cec8ab6e
MM		 6565 const u8 rx_func_to_event[4] = {
6566 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6567 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6568 };
6569
6570 /* Only I-frames are expected in streaming mode */
6571 if (chan->mode == L2CAP_MODE_STREAMING)
6572 goto drop;
6573
6574 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6575 control->reqseq, control->final, control->poll,
6576 control->super);
6577
218bb9df 6578 if (len != 0) {
1bb166e6 6579 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6580 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6581 goto drop;
6582 }
6583
cec8ab6e
MM		 6584 /* Validate F and P bits */
6585 if (control->final && (control->poll ||
6586 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6587 goto drop;
6588
6589 event = rx_func_to_event[control->super];
6590 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6591 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6592 }
6593
6594 return 0;
6595
6596drop:
6597 kfree_skb(skb);
6598 return 0;
6599}
6600
b1c325c2
JH		 6601static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6602{
6603 struct l2cap_conn *conn = chan->conn;
6604 struct l2cap_le_credits pkt;
6605 u16 return_credits;
6606
6607 /* We return more credits to the sender only after the amount of
6608 * credits falls below half of the initial amount.
6609 */
f15b8ecf 6610 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6611 return;
6612
f15b8ecf 6613 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6614
6615 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6616
6617 chan->rx_credits += return_credits;
6618
6619 pkt.cid = cpu_to_le16(chan->scid);
6620 pkt.credits = cpu_to_le16(return_credits);
6621
6622 chan->ident = l2cap_get_ident(conn);
6623
6624 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6625}
6626
fad5fc89
JH		 6627static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6628{
aac23bf6
JH		 6629 int err;
6630
6631 if (!chan->rx_credits) {
6632 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6633 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6634 return -ENOBUFS;
aac23bf6 6635 }
fad5fc89 6636
aac23bf6
JH		 6637 if (chan->imtu < skb->len) {
6638 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6639 return -ENOBUFS;
aac23bf6 6640 }
fad5fc89
JH		 6641
6642 chan->rx_credits--;
6643 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6644
6645 l2cap_chan_le_send_credits(chan);
6646
aac23bf6
JH		 6647 err = 0;
6648
6649 if (!chan->sdu) {
6650 u16 sdu_len;
6651
6652 sdu_len = get_unaligned_le16(skb->data);
6653 skb_pull(skb, L2CAP_SDULEN_SIZE);
6654
6655 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6656 sdu_len, skb->len, chan->imtu);
6657
6658 if (sdu_len > chan->imtu) {
6659 BT_ERR("Too big LE L2CAP SDU length received");
6660 err = -EMSGSIZE;
6661 goto failed;
6662 }
6663
6664 if (skb->len > sdu_len) {
6665 BT_ERR("Too much LE L2CAP data received");
6666 err = -EINVAL;
6667 goto failed;
6668 }
6669
6670 if (skb->len == sdu_len)
6671 return chan->ops->recv(chan, skb);
6672
6673 chan->sdu = skb;
6674 chan->sdu_len = sdu_len;
6675 chan->sdu_last_frag = skb;
6676
6677 return 0;
6678 }
6679
6680 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6681 chan->sdu->len, skb->len, chan->sdu_len);
6682
6683 if (chan->sdu->len + skb->len > chan->sdu_len) {
6684 BT_ERR("Too much LE L2CAP data received");
6685 err = -EINVAL;
6686 goto failed;
6687 }
6688
6689 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6690 skb = NULL;
6691
6692 if (chan->sdu->len == chan->sdu_len) {
6693 err = chan->ops->recv(chan, chan->sdu);
6694 if (!err) {
6695 chan->sdu = NULL;
6696 chan->sdu_last_frag = NULL;
6697 chan->sdu_len = 0;
6698 }
6699 }
6700
6701failed:
6702 if (err) {
6703 kfree_skb(skb);
6704 kfree_skb(chan->sdu);
6705 chan->sdu = NULL;
6706 chan->sdu_last_frag = NULL;
6707 chan->sdu_len = 0;
6708 }
6709
6710 /* We can't return an error here since we took care of the skb
6711 * freeing internally. An error return would cause the caller to
6712 * do a double-free of the skb.
6713 */
6714 return 0;
fad5fc89
JH		 6715}
6716
13ca56e0
AE		 6717static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6718 struct sk_buff *skb)
1da177e4 6719{
48454079 6720 struct l2cap_chan *chan;
1da177e4 6721
baa7e1fa 6722 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6723 if (!chan) {
97e8e89d
AE		 6724 if (cid == L2CAP_CID_A2MP) {
6725 chan = a2mp_channel_create(conn, skb);
6726 if (!chan) {
6727 kfree_skb(skb);
13ca56e0 6728 return;
97e8e89d
AE		 6729 }
6730
6731 l2cap_chan_lock(chan);
6732 } else {
6733 BT_DBG("unknown cid 0x%4.4x", cid);
6734 /* Drop packet and return */
6735 kfree_skb(skb);
13ca56e0 6736 return;
97e8e89d 6737 }
1da177e4
LT		 6738 }
6739
49208c9c 6740 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6741
89bc500e 6742 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6743 goto drop;
6744
0c1bc5c6 6745 switch (chan->mode) {
38319713 6746 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6747 if (l2cap_le_data_rcv(chan, skb) < 0)
6748 goto drop;
6749
6750 goto done;
6751
1c2acffb
GP		 6752 case L2CAP_MODE_BASIC:
6753 /* If socket recv buffers overflows we drop data here
6754 * which is *bad* because L2CAP has to be reliable.
6755 * But we don't have any other choice. L2CAP doesn't
6756 * provide flow control mechanism. */
1da177e4 6757
2c96e03d
SJ		 6758 if (chan->imtu < skb->len) {
6759 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6760 goto drop;
2c96e03d 6761 }
1da177e4 6762
80b98027 6763 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6764 goto done;
6765 break;
6766
6767 case L2CAP_MODE_ERTM:
6840ed07 6768 case L2CAP_MODE_STREAMING:
cec8ab6e 6769 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6770 goto done;
6771
1c2acffb 6772 default:
0c1bc5c6 6773 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6774 break;
6775 }
1da177e4
LT		 6776
6777drop:
6778 kfree_skb(skb);
6779
6780done:
6be36555 6781 l2cap_chan_unlock(chan);
1da177e4
LT		 6782}
6783
84104b24
AE		 6784static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6785 struct sk_buff *skb)
1da177e4 6786{
ae4fd2d3 6787 struct hci_conn *hcon = conn->hcon;
23691d75 6788 struct l2cap_chan *chan;
1da177e4 6789
ae4fd2d3 6790 if (hcon->type != ACL_LINK)
a24cce14 6791 goto free_skb;
ae4fd2d3 6792
bf20fd4e
JH		 6793 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6794 ACL_LINK);
23691d75 6795 if (!chan)
a24cce14 6796 goto free_skb;
1da177e4 6797
5b4cedaa 6798 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6799
89bc500e 6800 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6801 goto drop;
6802
e13e21dc 6803 if (chan->imtu < skb->len)
1da177e4
LT		 6804 goto drop;
6805
2edf870d 6806 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6807 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6808 bt_cb(skb)->psm = psm;
6809
a24cce14
JH		 6810 if (!chan->ops->recv(chan, skb)) {
6811 l2cap_chan_put(chan);
84104b24 6812 return;
a24cce14 6813 }
1da177e4
LT		 6814
6815drop:
a24cce14
JH		 6816 l2cap_chan_put(chan);
6817free_skb:
1da177e4 6818 kfree_skb(skb);
1da177e4
LT		 6819}
6820
6821static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6822{
6823 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6824 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6825 u16 cid, len;
6826 __le16 psm;
1da177e4 6827
61a939c6
JH		 6828 if (hcon->state != BT_CONNECTED) {
6829 BT_DBG("queueing pending rx skb");
6830 skb_queue_tail(&conn->pending_rx, skb);
6831 return;
6832 }
6833
1da177e4
LT		 6834 skb_pull(skb, L2CAP_HDR_SIZE);
6835 cid = __le16_to_cpu(lh->cid);
6836 len = __le16_to_cpu(lh->len);
6837
1c2acffb
GP		 6838 if (len != skb->len) {
6839 kfree_skb(skb);
6840 return;
6841 }
6842
9e1d7e15
JH		 6843 /* Since we can't actively block incoming LE connections we must
6844 * at least ensure that we ignore incoming data from them.
6845 */
6846 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6847 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6848 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6849 kfree_skb(skb);
6850 return;
6851 }
6852
1da177e4
LT		 6853 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6854
6855 switch (cid) {
8db4dc46 6856 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6857 l2cap_sig_channel(conn, skb);
6858 break;
6859
8db4dc46 6860 case L2CAP_CID_CONN_LESS:
097db76c 6861 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6862 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6863 l2cap_conless_channel(conn, psm, skb);
6864 break;
6865
a2877629
MH		 6866 case L2CAP_CID_LE_SIGNALING:
6867 l2cap_le_sig_channel(conn, skb);
6868 break;
6869
1da177e4
LT		 6870 default:
6871 l2cap_data_channel(conn, cid, skb);
6872 break;
6873 }
6874}
6875
61a939c6
JH		 6876static void process_pending_rx(struct work_struct *work)
6877{
6878 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6879 pending_rx_work);
6880 struct sk_buff *skb;
6881
6882 BT_DBG("");
6883
6884 while ((skb = skb_dequeue(&conn->pending_rx)))
6885 l2cap_recv_frame(conn, skb);
6886}
6887
162b49e7
JH		 6888static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6889{
6890 struct l2cap_conn *conn = hcon->l2cap_data;
6891 struct hci_chan *hchan;
6892
6893 if (conn)
6894 return conn;
6895
6896 hchan = hci_chan_create(hcon);
6897 if (!hchan)
6898 return NULL;
6899
27f70f3e 6900 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6901 if (!conn) {
6902 hci_chan_del(hchan);
6903 return NULL;
6904 }
6905
6906 kref_init(&conn->ref);
6907 hcon->l2cap_data = conn;
6908 conn->hcon = hcon;
6909 hci_conn_get(conn->hcon);
6910 conn->hchan = hchan;
6911
6912 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6913
6914 switch (hcon->type) {
6915 case LE_LINK:
6916 if (hcon->hdev->le_mtu) {
6917 conn->mtu = hcon->hdev->le_mtu;
6918 break;
6919 }
6920 /* fall through */
6921 default:
6922 conn->mtu = hcon->hdev->acl_mtu;
6923 break;
6924 }
6925
6926 conn->feat_mask = 0;
6927
6928 if (hcon->type == ACL_LINK)
6929 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6930 &hcon->hdev->dev_flags);
6931
5a54e7c8 6932 mutex_init(&conn->ident_lock);
162b49e7
JH		 6933 mutex_init(&conn->chan_lock);
6934
6935 INIT_LIST_HEAD(&conn->chan_l);
6936 INIT_LIST_HEAD(&conn->users);
6937
276d8073 6938 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6939
dec5b492
JH		 6940 INIT_WORK(&conn->disconn_work, disconn_work);
6941
61a939c6
JH		 6942 skb_queue_head_init(&conn->pending_rx);
6943 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6944
162b49e7
JH		 6945 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6946
6947 return conn;
6948}
6949
6950static bool is_valid_psm(u16 psm, u8 dst_type) {
6951 if (!psm)
6952 return false;
6953
6954 if (bdaddr_type_is_le(dst_type))
6955 return (psm <= 0x00ff);
6956
6957 /* PSM must be odd and lsb of upper byte must be 0 */
6958 return ((psm & 0x0101) == 0x0001);
6959}
6960
6961int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6962 bdaddr_t *dst, u8 dst_type)
6963{
6964 struct l2cap_conn *conn;
6965 struct hci_conn *hcon;
6966 struct hci_dev *hdev;
162b49e7
JH		 6967 int err;
6968
6969 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6970 dst_type, __le16_to_cpu(psm));
6971
6972 hdev = hci_get_route(dst, &chan->src);
6973 if (!hdev)
6974 return -EHOSTUNREACH;
6975
6976 hci_dev_lock(hdev);
6977
6978 l2cap_chan_lock(chan);
6979
6980 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6981 chan->chan_type != L2CAP_CHAN_RAW) {
6982 err = -EINVAL;
6983 goto done;
6984 }
6985
21626e62
JH		 6986 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6987 err = -EINVAL;
6988 goto done;
6989 }
6990
6991 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6992 err = -EINVAL;
6993 goto done;
6994 }
6995
6996 switch (chan->mode) {
6997 case L2CAP_MODE_BASIC:
6998 break;
6999 case L2CAP_MODE_LE_FLOWCTL:
7000 l2cap_le_flowctl_init(chan);
7001 break;
7002 case L2CAP_MODE_ERTM:
7003 case L2CAP_MODE_STREAMING:
7004 if (!disable_ertm)
7005 break;
7006 /* fall through */
7007 default:
beb19e4c 7008 err = -EOPNOTSUPP;
162b49e7
JH		 7009 goto done;
7010 }
7011
7012 switch (chan->state) {
7013 case BT_CONNECT:
7014 case BT_CONNECT2:
7015 case BT_CONFIG:
7016 /* Already connecting */
7017 err = 0;
7018 goto done;
7019
7020 case BT_CONNECTED:
7021 /* Already connected */
7022 err = -EISCONN;
7023 goto done;
7024
7025 case BT_OPEN:
7026 case BT_BOUND:
7027 /* Can connect */
7028 break;
7029
7030 default:
7031 err = -EBADFD;
7032 goto done;
7033 }
7034
7035 /* Set destination address and psm */
7036 bacpy(&chan->dst, dst);
7037 chan->dst_type = dst_type;
7038
7039 chan->psm = psm;
7040 chan->dcid = cid;
7041
6f77d8c7 7042 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7043 u8 role;
cdd6275e 7044
6f77d8c7
AG		 7045 /* Convert from L2CAP channel address type to HCI address type
7046 */
7047 if (dst_type == BDADDR_LE_PUBLIC)
7048 dst_type = ADDR_LE_DEV_PUBLIC;
7049 else
7050 dst_type = ADDR_LE_DEV_RANDOM;
7051
e804d25d
JH		 7052 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7053 role = HCI_ROLE_SLAVE;
7054 else
7055 role = HCI_ROLE_MASTER;
cdd6275e 7056
04a6c589 7057 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7058 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7059 } else {
d93375a8 7060 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7061 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7062 }
162b49e7
JH		 7063
7064 if (IS_ERR(hcon)) {
7065 err = PTR_ERR(hcon);
7066 goto done;
7067 }
7068
7069 conn = l2cap_conn_add(hcon);
7070 if (!conn) {
7071 hci_conn_drop(hcon);
7072 err = -ENOMEM;
7073 goto done;
7074 }
7075
7076 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7077 hci_conn_drop(hcon);
7078 err = -EBUSY;
7079 goto done;
7080 }
7081
7082 /* Update source addr of the socket */
7083 bacpy(&chan->src, &hcon->src);
7084 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7085
7086 l2cap_chan_unlock(chan);
7087 l2cap_chan_add(conn, chan);
7088 l2cap_chan_lock(chan);
7089
7090 /* l2cap_chan_add takes its own ref so we can drop this one */
7091 hci_conn_drop(hcon);
7092
7093 l2cap_state_change(chan, BT_CONNECT);
7094 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7095
61202e4d
JH		 7096 /* Release chan->sport so that it can be reused by other
7097 * sockets (as it's only used for listening sockets).
7098 */
7099 write_lock(&chan_list_lock);
7100 chan->sport = 0;
7101 write_unlock(&chan_list_lock);
7102
162b49e7
JH		 7103 if (hcon->state == BT_CONNECTED) {
7104 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7105 __clear_chan_timer(chan);
e7cafc45 7106 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7107 l2cap_state_change(chan, BT_CONNECTED);
7108 } else
7109 l2cap_do_start(chan);
7110 }
7111
7112 err = 0;
7113
7114done:
7115 l2cap_chan_unlock(chan);
7116 hci_dev_unlock(hdev);
7117 hci_dev_put(hdev);
7118 return err;
7119}
6b8d4a6a 7120EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7121
1da177e4
LT		 7122/* ---- L2CAP interface with lower layer (HCI) ---- */
7123
686ebf28 7124int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7125{
7126 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7127 struct l2cap_chan *c;
1da177e4 7128
6ed93dc6 7129 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7130
7131 /* Find listening sockets and check their link_mode */
23691d75
GP		 7132 read_lock(&chan_list_lock);
7133 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7134 if (c->state != BT_LISTEN)
1da177e4
LT		 7135 continue;
7136
7eafc59e 7137 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7138 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7139 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7140 lm1 |= HCI_LM_MASTER;
1da177e4 7141 exact++;
7eafc59e 7142 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7143 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7144 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7145 lm2 |= HCI_LM_MASTER;
7146 }
1da177e4 7147 }
23691d75 7148 read_unlock(&chan_list_lock);
1da177e4
LT		 7149
7150 return exact ? lm1 : lm2;
7151}
7152
e760ec12
JH		 7153/* Find the next fixed channel in BT_LISTEN state, continue iteration
7154 * from an existing channel in the list or from the beginning of the
7155 * global list (by passing NULL as first parameter).
7156 */
7157static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7158 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7159{
7160 read_lock(&chan_list_lock);
7161
7162 if (c)
7163 c = list_next_entry(c, global_l);
7164 else
7165 c = list_entry(chan_list.next, typeof(*c), global_l);
7166
7167 list_for_each_entry_from(c, &chan_list, global_l) {
7168 if (c->chan_type != L2CAP_CHAN_FIXED)
7169 continue;
7170 if (c->state != BT_LISTEN)
7171 continue;
7172 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7173 continue;
54a1b626
JH		 7174 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7175 continue;
7176 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7177 continue;
e760ec12
JH		 7178
7179 l2cap_chan_hold(c);
7180 read_unlock(&chan_list_lock);
7181 return c;
7182 }
7183
7184 read_unlock(&chan_list_lock);
7185
7186 return NULL;
7187}
7188
9e664631 7189void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7190{
e760ec12 7191 struct hci_dev *hdev = hcon->hdev;
0139418c 7192 struct l2cap_conn *conn;
e760ec12
JH		 7193 struct l2cap_chan *pchan;
7194 u8 dst_type;
0139418c 7195
6ed93dc6 7196 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7197
dc0f5088 7198 if (status) {
e175072f 7199 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7200 return;
ba6fc317 7201 }
dc0f5088
JH		 7202
7203 conn = l2cap_conn_add(hcon);
7204 if (!conn)
7205 return;
7206
e760ec12
JH		 7207 dst_type = bdaddr_type(hcon, hcon->dst_type);
7208
7209 /* If device is blocked, do not create channels for it */
7210 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7211 return;
7212
7213 /* Find fixed channels and notify them of the new connection. We
7214 * use multiple individual lookups, continuing each time where
7215 * we left off, because the list lock would prevent calling the
7216 * potentially sleeping l2cap_chan_lock() function.
7217 */
54a1b626 7218 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7219 while (pchan) {
7220 struct l2cap_chan *chan, *next;
7221
7222 /* Client fixed channels should override server ones */
7223 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7224 goto next;
7225
7226 l2cap_chan_lock(pchan);
7227 chan = pchan->ops->new_connection(pchan);
7228 if (chan) {
7229 bacpy(&chan->src, &hcon->src);
7230 bacpy(&chan->dst, &hcon->dst);
7231 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7232 chan->dst_type = dst_type;
7233
7234 __l2cap_chan_add(conn, chan);
7235 }
7236
7237 l2cap_chan_unlock(pchan);
7238next:
54a1b626
JH		 7239 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7240 hcon->type);
e760ec12
JH		 7241 l2cap_chan_put(pchan);
7242 pchan = next;
7243 }
7244
dc0f5088 7245 l2cap_conn_ready(conn);
1da177e4
LT		 7246}
7247
686ebf28 7248int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7249{
7250 struct l2cap_conn *conn = hcon->l2cap_data;
7251
7252 BT_DBG("hcon %p", hcon);
7253
686ebf28 7254 if (!conn)
9f5a0d7b 7255 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7256 return conn->disc_reason;
7257}
7258
9e664631 7259void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7260{
7261 BT_DBG("hcon %p reason %d", hcon, reason);
7262
e175072f 7263 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7264}
7265
4343478f 7266static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7267{
715ec005 7268 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7269 return;
7270
f62e4323 7271 if (encrypt == 0x00) {
4343478f 7272 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7273 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7274 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7275 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7276 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7277 } else {
4343478f 7278 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7279 __clear_chan_timer(chan);
f62e4323
MH		 7280 }
7281}
7282
686ebf28 7283int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7284{
0139418c 7285 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7286 struct l2cap_chan *chan;
1da177e4 7287
0139418c 7288 if (!conn)
1da177e4 7289 return 0;
0139418c 7290
89d8b407 7291 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7292
3df91ea2 7293 mutex_lock(&conn->chan_lock);
1da177e4 7294
3df91ea2 7295 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7296 l2cap_chan_lock(chan);
1da177e4 7297
89d8b407
AE		 7298 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7299 state_to_string(chan->state));
f1cb9af5 7300
2338a7e0 7301 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7302 l2cap_chan_unlock(chan);
7303 continue;
7304 }
7305
191eb398
JH		 7306 if (!status && encrypt)
7307 chan->sec_level = hcon->sec_level;
f1cb9af5 7308
96eff46e 7309 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7310 l2cap_chan_unlock(chan);
6a8d3010
MH		 7311 continue;
7312 }
7313
89bc500e 7314 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7315 chan->state == BT_CONFIG)) {
d97c899b 7316 chan->ops->resume(chan);
4343478f 7317 l2cap_check_encryption(chan, encrypt);
6be36555 7318 l2cap_chan_unlock(chan);
9719f8af
MH		 7319 continue;
7320 }
7321
89bc500e 7322 if (chan->state == BT_CONNECT) {
6d3c15da 7323 if (!status)
93c3e8f5 7324 l2cap_start_connection(chan);
6d3c15da 7325 else
ba13ccd9 7326 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7327 } else if (chan->state == BT_CONNECT2) {
b1235d79 7328 struct l2cap_conn_rsp rsp;
df3c3931 7329 __u16 res, stat;
1da177e4 7330
b1235d79 7331 if (!status) {
bdc25783 7332 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7333 res = L2CAP_CR_PEND;
7334 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7335 chan->ops->defer(chan);
df3c3931 7336 } else {
acdcabf5 7337 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7338 res = L2CAP_CR_SUCCESS;
7339 stat = L2CAP_CS_NO_INFO;
7340 }
b1235d79 7341 } else {
acdcabf5 7342 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7343 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7344 res = L2CAP_CR_SEC_BLOCK;
7345 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7346 }
7347
fe4128e0
GP		 7348 rsp.scid = cpu_to_le16(chan->dcid);
7349 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7350 rsp.result = cpu_to_le16(res);
7351 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7352 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7353 sizeof(rsp), &rsp);
2d369359
MM		 7354
7355 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7356 res == L2CAP_CR_SUCCESS) {
7357 char buf[128];
7358 set_bit(CONF_REQ_SENT, &chan->conf_state);
7359 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7360 L2CAP_CONF_REQ,
7361 l2cap_build_conf_req(chan, buf),
7362 buf);
7363 chan->num_conf_req++;
7364 }
b1235d79 7365 }
1da177e4 7366
6be36555 7367 l2cap_chan_unlock(chan);
1da177e4
LT		 7368 }
7369
3df91ea2 7370 mutex_unlock(&conn->chan_lock);
b1235d79 7371
1da177e4
LT		 7372 return 0;
7373}
7374
686ebf28 7375int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7376{
7377 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7378 struct l2cap_hdr *hdr;
7379 int len;
1da177e4 7380
1d13a254
AE		 7381 /* For AMP controller do not create l2cap conn */
7382 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7383 goto drop;
1da177e4 7384
5a08ecce 7385 if (!conn)
baf43251 7386 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7387
7388 if (!conn)
1da177e4
LT		 7389 goto drop;
7390
7391 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7392
d73a0988
AE		 7393 switch (flags) {
7394 case ACL_START:
7395 case ACL_START_NO_FLUSH:
7396 case ACL_COMPLETE:
1da177e4
LT		 7397 if (conn->rx_len) {
7398 BT_ERR("Unexpected start frame (len %d)", skb->len);
7399 kfree_skb(conn->rx_skb);
7400 conn->rx_skb = NULL;
7401 conn->rx_len = 0;
7402 l2cap_conn_unreliable(conn, ECOMM);
7403 }
7404
aae7fe22
AE		 7405 /* Start fragment always begin with Basic L2CAP header */
7406 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7407 BT_ERR("Frame is too short (len %d)", skb->len);
7408 l2cap_conn_unreliable(conn, ECOMM);
7409 goto drop;
7410 }
7411
7412 hdr = (struct l2cap_hdr *) skb->data;
7413 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7414
7415 if (len == skb->len) {
7416 /* Complete frame received */
7417 l2cap_recv_frame(conn, skb);
7418 return 0;
7419 }
7420
7421 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7422
7423 if (skb->len > len) {
7424 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7425 skb->len, len);
1da177e4
LT		 7426 l2cap_conn_unreliable(conn, ECOMM);
7427 goto drop;
7428 }
7429
7430 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7431 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7432 if (!conn->rx_skb)
1da177e4
LT		 7433 goto drop;
7434
d626f62b 7435 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7436 skb->len);
1da177e4 7437 conn->rx_len = len - skb->len;
d73a0988
AE		 7438 break;
7439
7440 case ACL_CONT:
1da177e4
LT		 7441 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7442
7443 if (!conn->rx_len) {
7444 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7445 l2cap_conn_unreliable(conn, ECOMM);
7446 goto drop;
7447 }
7448
7449 if (skb->len > conn->rx_len) {
7450 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7451 skb->len, conn->rx_len);
1da177e4
LT		 7452 kfree_skb(conn->rx_skb);
7453 conn->rx_skb = NULL;
7454 conn->rx_len = 0;
7455 l2cap_conn_unreliable(conn, ECOMM);
7456 goto drop;
7457 }
7458
d626f62b 7459 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7460 skb->len);
1da177e4
LT		 7461 conn->rx_len -= skb->len;
7462
7463 if (!conn->rx_len) {
c4e5bafa
JH		 7464 /* Complete frame received. l2cap_recv_frame
7465 * takes ownership of the skb so set the global
7466 * rx_skb pointer to NULL first.
7467 */
7468 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7469 conn->rx_skb = NULL;
c4e5bafa 7470 l2cap_recv_frame(conn, rx_skb);
1da177e4 7471 }
d73a0988 7472 break;
1da177e4
LT		 7473 }
7474
7475drop:
7476 kfree_skb(skb);
7477 return 0;
7478}
7479
aef7d97c 7480static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7481{
23691d75 7482 struct l2cap_chan *c;
1da177e4 7483
333055f2 7484 read_lock(&chan_list_lock);
1da177e4 7485
23691d75 7486 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7487 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7488 &c->src, &c->dst,
fcb73338
AE		 7489 c->state, __le16_to_cpu(c->psm),
7490 c->scid, c->dcid, c->imtu, c->omtu,
7491 c->sec_level, c->mode);
61e1b4b7 7492 }
1da177e4 7493
333055f2 7494 read_unlock(&chan_list_lock);
1da177e4 7495
aef7d97c 7496 return 0;
1da177e4
LT		 7497}
7498
aef7d97c
MH		 7499static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7500{
7501 return single_open(file, l2cap_debugfs_show, inode->i_private);
7502}
7503
7504static const struct file_operations l2cap_debugfs_fops = {
7505 .open = l2cap_debugfs_open,
7506 .read = seq_read,
7507 .llseek = seq_lseek,
7508 .release = single_release,
7509};
7510
7511static struct dentry *l2cap_debugfs;
1da177e4 7512
64274518 7513int __init l2cap_init(void)
1da177e4
LT		 7514{
7515 int err;
be9d1227 7516
bb58f747 7517 err = l2cap_init_sockets();
1da177e4
LT		 7518 if (err < 0)
7519 return err;
7520
1120e4bf
MH		 7521 if (IS_ERR_OR_NULL(bt_debugfs))
7522 return 0;
7523
7524 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7525 NULL, &l2cap_debugfs_fops);
1da177e4 7526
40b9397a 7527 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7528 &le_max_credits);
40b9397a 7529 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7530 &le_default_mps);
7531
1da177e4 7532 return 0;
1da177e4
LT		 7533}
7534
64274518 7535void l2cap_exit(void)
1da177e4 7536{
aef7d97c 7537 debugfs_remove(l2cap_debugfs);
bb58f747 7538 l2cap_cleanup_sockets();
1da177e4
LT		 7539}
7540
d1c4a17d
GP		 7541module_param(disable_ertm, bool, 0644);
7542MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.778806 seconds and 5 git commands to generate.