projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix HCI init for 1st generation BlueFRITZ! devices
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
d1de6d46 44bool disable_ertm;
f0709e03 45
47ec1dcd 46static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 47static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 48
b5ad8b7f
JB		 49static LIST_HEAD(chan_list);
50static DEFINE_RWLOCK(chan_list_lock);
1da177e4 51
1da177e4 52static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 53 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 54static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 55 void *data);
710f9b0a 56static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 57static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
0139418c 62/* ---- L2CAP channels ---- */
71ba0e56 63
2d792818
GP		 64static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
65 u16 cid)
0139418c 66{
3df91ea2 67 struct l2cap_chan *c;
3d57dc68 68
3df91ea2
AE		 69 list_for_each_entry(c, &conn->chan_l, list) {
70 if (c->dcid == cid)
71 return c;
0139418c 72 }
3df91ea2 73 return NULL;
0139418c
MH		 74}
75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->scid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
88/* Find channel with given SCID.
ef191ade 89 * Returns locked channel. */
2d792818
GP		 90static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
91 u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa 94
3df91ea2 95 mutex_lock(&conn->chan_lock);
baa7e1fa 96 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 97 if (c)
98 l2cap_chan_lock(c);
3df91ea2
AE		 99 mutex_unlock(&conn->chan_lock);
100
48454079 101 return c;
0139418c
MH		 102}
103
b1a130b7
MM		 104/* Find channel with given DCID.
105 * Returns locked channel.
106 */
107static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
108 u16 cid)
109{
110 struct l2cap_chan *c;
111
112 mutex_lock(&conn->chan_lock);
113 c = __l2cap_get_chan_by_dcid(conn, cid);
114 if (c)
115 l2cap_chan_lock(c);
116 mutex_unlock(&conn->chan_lock);
117
118 return c;
119}
120
2d792818
GP		 121static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
122 u8 ident)
0139418c 123{
3df91ea2 124 struct l2cap_chan *c;
3d57dc68 125
3df91ea2
AE		 126 list_for_each_entry(c, &conn->chan_l, list) {
127 if (c->ident == ident)
128 return c;
0139418c 129 }
3df91ea2 130 return NULL;
0139418c
MH		 131}
132
5b155ef9
MM		 133static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
135{
136 struct l2cap_chan *c;
137
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_ident(conn, ident);
140 if (c)
141 l2cap_chan_lock(c);
142 mutex_unlock(&conn->chan_lock);
143
144 return c;
145}
146
23691d75 147static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 148{
23691d75 149 struct l2cap_chan *c;
9e4425ff 150
23691d75
GP		 151 list_for_each_entry(c, &chan_list, global_l) {
152 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 153 return c;
9e4425ff 154 }
250938cb 155 return NULL;
9e4425ff
GP		 156}
157
158int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
159{
73b2ec18
GP		 160 int err;
161
333055f2 162 write_lock(&chan_list_lock);
9e4425ff 163
23691d75 164 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 165 err = -EADDRINUSE;
166 goto done;
9e4425ff
GP		 167 }
168
73b2ec18
GP		 169 if (psm) {
170 chan->psm = psm;
171 chan->sport = psm;
172 err = 0;
173 } else {
174 u16 p;
175
176 err = -EINVAL;
177 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 178 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 179 chan->psm = cpu_to_le16(p);
180 chan->sport = cpu_to_le16(p);
181 err = 0;
182 break;
183 }
184 }
9e4425ff 185
73b2ec18 186done:
333055f2 187 write_unlock(&chan_list_lock);
73b2ec18 188 return err;
9e4425ff
GP		 189}
190
191int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
192{
333055f2 193 write_lock(&chan_list_lock);
9e4425ff
GP		 194
195 chan->scid = scid;
196
333055f2 197 write_unlock(&chan_list_lock);
9e4425ff
GP		 198
199 return 0;
200}
201
baa7e1fa 202static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 203{
8db4dc46 204 u16 cid = L2CAP_CID_DYN_START;
0139418c 205
8db4dc46 206 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 207 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 208 return cid;
209 }
210
211 return 0;
212}
213
0e587be7 214static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 215{
42d2d87c 216 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 217 state_to_string(state));
badaaa00 218
89bc500e 219 chan->state = state;
80b98027 220 chan->ops->state_change(chan, state);
89bc500e
GP		 221}
222
0e587be7
AE		 223static void l2cap_state_change(struct l2cap_chan *chan, int state)
224{
225 struct sock *sk = chan->sk;
226
227 lock_sock(sk);
228 __l2cap_state_change(chan, state);
229 release_sock(sk);
230}
231
2e0052e4
AE		 232static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
233{
234 struct sock *sk = chan->sk;
235
236 sk->sk_err = err;
237}
238
239static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
240{
241 struct sock *sk = chan->sk;
242
243 lock_sock(sk);
244 __l2cap_chan_set_err(chan, err);
245 release_sock(sk);
246}
247
4239d16f
MM		 248static void __set_retrans_timer(struct l2cap_chan *chan)
249{
250 if (!delayed_work_pending(&chan->monitor_timer) &&
251 chan->retrans_timeout) {
252 l2cap_set_timer(chan, &chan->retrans_timer,
253 msecs_to_jiffies(chan->retrans_timeout));
254 }
255}
256
257static void __set_monitor_timer(struct l2cap_chan *chan)
258{
259 __clear_retrans_timer(chan);
260 if (chan->monitor_timeout) {
261 l2cap_set_timer(chan, &chan->monitor_timer,
262 msecs_to_jiffies(chan->monitor_timeout));
263 }
264}
265
608bcc6d
MM		 266static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
267 u16 seq)
268{
269 struct sk_buff *skb;
270
271 skb_queue_walk(head, skb) {
272 if (bt_cb(skb)->control.txseq == seq)
273 return skb;
274 }
275
276 return NULL;
277}
278
3c588192
MM		 279/* ---- L2CAP sequence number lists ---- */
280
281/* For ERTM, ordered lists of sequence numbers must be tracked for
282 * SREJ requests that are received and for frames that are to be
283 * retransmitted. These seq_list functions implement a singly-linked
284 * list in an array, where membership in the list can also be checked
285 * in constant time. Items can also be added to the tail of the list
286 * and removed from the head in constant time, without further memory
287 * allocs or frees.
288 */
289
290static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
291{
292 size_t alloc_size, i;
293
294 /* Allocated size is a power of 2 to map sequence numbers
295 * (which may be up to 14 bits) in to a smaller array that is
296 * sized for the negotiated ERTM transmit windows.
297 */
298 alloc_size = roundup_pow_of_two(size);
299
300 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
301 if (!seq_list->list)
302 return -ENOMEM;
303
304 seq_list->mask = alloc_size - 1;
305 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
306 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
307 for (i = 0; i < alloc_size; i++)
308 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
309
310 return 0;
311}
312
313static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
314{
315 kfree(seq_list->list);
316}
317
318static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
319 u16 seq)
320{
321 /* Constant-time check for list membership */
322 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
323}
324
325static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
326{
327 u16 mask = seq_list->mask;
328
329 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
330 /* In case someone tries to pop the head of an empty list */
331 return L2CAP_SEQ_LIST_CLEAR;
332 } else if (seq_list->head == seq) {
333 /* Head can be removed in constant time */
334 seq_list->head = seq_list->list[seq & mask];
335 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
338 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
339 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
340 }
341 } else {
342 /* Walk the list to find the sequence number */
343 u16 prev = seq_list->head;
344 while (seq_list->list[prev & mask] != seq) {
345 prev = seq_list->list[prev & mask];
346 if (prev == L2CAP_SEQ_LIST_TAIL)
347 return L2CAP_SEQ_LIST_CLEAR;
348 }
349
350 /* Unlink the number from the list and clear it */
351 seq_list->list[prev & mask] = seq_list->list[seq & mask];
352 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
353 if (seq_list->tail == seq)
354 seq_list->tail = prev;
355 }
356 return seq;
357}
358
359static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360{
361 /* Remove the head in constant time */
362 return l2cap_seq_list_remove(seq_list, seq_list->head);
363}
364
365static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
366{
f522ae36 367 u16 i;
3c588192 368
f522ae36
GP		 369 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
370 return;
371
372 for (i = 0; i <= seq_list->mask; i++)
373 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
374
375 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
376 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 377}
378
379static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
380{
381 u16 mask = seq_list->mask;
382
383 /* All appends happen in constant time */
384
f522ae36
GP		 385 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
386 return;
3c588192 387
f522ae36
GP		 388 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
389 seq_list->head = seq;
390 else
391 seq_list->list[seq_list->tail & mask] = seq;
392
393 seq_list->tail = seq;
394 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 395}
396
721c4181 397static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 398{
721c4181 399 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 400 chan_timer.work);
3df91ea2 401 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 402 int reason;
403
e05dcc32 404 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 405
3df91ea2 406 mutex_lock(&conn->chan_lock);
6be36555 407 l2cap_chan_lock(chan);
ab07801d 408
89bc500e 409 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 410 reason = ECONNREFUSED;
89bc500e 411 else if (chan->state == BT_CONNECT &&
2d792818 412 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 413 reason = ECONNREFUSED;
414 else
415 reason = ETIMEDOUT;
416
0f852724 417 l2cap_chan_close(chan, reason);
ab07801d 418
6be36555 419 l2cap_chan_unlock(chan);
ab07801d 420
80b98027 421 chan->ops->close(chan);
3df91ea2
AE		 422 mutex_unlock(&conn->chan_lock);
423
371fd835 424 l2cap_chan_put(chan);
ab07801d
GP		 425}
426
eef1d9b6 427struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 428{
429 struct l2cap_chan *chan;
430
431 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
432 if (!chan)
433 return NULL;
434
c03b355e
AE		 435 mutex_init(&chan->lock);
436
333055f2 437 write_lock(&chan_list_lock);
23691d75 438 list_add(&chan->global_l, &chan_list);
333055f2 439 write_unlock(&chan_list_lock);
23691d75 440
721c4181 441 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 442
89bc500e
GP		 443 chan->state = BT_OPEN;
444
144ad330 445 kref_init(&chan->kref);
71ba0e56 446
2827011f
MM		 447 /* This flag is cleared in l2cap_chan_ready() */
448 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
449
eef1d9b6 450 BT_DBG("chan %p", chan);
abc545b8 451
48454079
GP		 452 return chan;
453}
454
144ad330 455static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 456{
144ad330
SS		 457 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
458
4af66c69
JK		 459 BT_DBG("chan %p", chan);
460
333055f2 461 write_lock(&chan_list_lock);
23691d75 462 list_del(&chan->global_l);
333055f2 463 write_unlock(&chan_list_lock);
23691d75 464
4af66c69 465 kfree(chan);
6ff5abbf
GP		 466}
467
30648372
JK		 468void l2cap_chan_hold(struct l2cap_chan *c)
469{
144ad330 470 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 471
144ad330 472 kref_get(&c->kref);
30648372
JK		 473}
474
475void l2cap_chan_put(struct l2cap_chan *c)
476{
144ad330 477 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 478
144ad330 479 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 480}
481
bd4b1653
AE		 482void l2cap_chan_set_defaults(struct l2cap_chan *chan)
483{
484 chan->fcs = L2CAP_FCS_CRC16;
485 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
486 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
487 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 488 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 489 chan->sec_level = BT_SECURITY_LOW;
490
491 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
492}
493
93c3e8f5 494void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 495{
af05b30b 496 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 497 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 498
9f5a0d7b 499 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 500
8c1d787b 501 chan->conn = conn;
0139418c 502
5491120e
AE		 503 switch (chan->chan_type) {
504 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 505 if (conn->hcon->type == LE_LINK) {
506 /* LE connection */
6fcb06a2 507 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 508 if (chan->dcid == L2CAP_CID_ATT)
509 chan->scid = L2CAP_CID_ATT;
510 else
511 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 512 } else {
513 /* Alloc CID for connection-oriented socket */
fe4128e0 514 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 515 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 516 }
5491120e
AE		 517 break;
518
519 case L2CAP_CHAN_CONN_LESS:
0139418c 520 /* Connectionless socket */
fe4128e0
GP		 521 chan->scid = L2CAP_CID_CONN_LESS;
522 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 523 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 524 break;
525
416fa752
AE		 526 case L2CAP_CHAN_CONN_FIX_A2MP:
527 chan->scid = L2CAP_CID_A2MP;
528 chan->dcid = L2CAP_CID_A2MP;
529 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
530 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
531 break;
532
5491120e 533 default:
0139418c 534 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 535 chan->scid = L2CAP_CID_SIGNALING;
536 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 537 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 538 }
539
8f7975b1
AE		 540 chan->local_id = L2CAP_BESTEFFORT_ID;
541 chan->local_stype = L2CAP_SERV_BESTEFFORT;
542 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
543 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
544 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 545 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 546
371fd835 547 l2cap_chan_hold(chan);
baa7e1fa 548
5ee9891d
JH		 549 hci_conn_hold(conn->hcon);
550
3df91ea2 551 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 552}
553
466f8004 554void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 555{
556 mutex_lock(&conn->chan_lock);
557 __l2cap_chan_add(conn, chan);
3df91ea2 558 mutex_unlock(&conn->chan_lock);
0139418c
MH		 559}
560
466f8004 561void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 562{
8c1d787b 563 struct l2cap_conn *conn = chan->conn;
0139418c 564
c9b66675 565 __clear_chan_timer(chan);
0139418c 566
49208c9c 567 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 568
8e87d142 569 if (conn) {
56f60984 570 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 571 /* Delete from channel list */
3df91ea2 572 list_del(&chan->list);
3d57dc68 573
371fd835 574 l2cap_chan_put(chan);
baa7e1fa 575
8c1d787b 576 chan->conn = NULL;
3cabbfda
AE		 577
578 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 579 hci_conn_drop(conn->hcon);
56f60984
AE		 580
581 if (mgr && mgr->bredr_chan == chan)
582 mgr->bredr_chan = NULL;
0139418c
MH		 583 }
584
419e08c1
AE		 585 if (chan->hs_hchan) {
586 struct hci_chan *hs_hchan = chan->hs_hchan;
587
588 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
589 amp_disconnect_logical_link(hs_hchan);
590 }
591
b699ec0d 592 chan->ops->teardown(chan, err);
6be36555 593
2827011f 594 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 595 return;
2ead70b8 596
ee556f66
GP		 597 switch(chan->mode) {
598 case L2CAP_MODE_BASIC:
599 break;
c13ffa62 600
ee556f66 601 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 602 __clear_retrans_timer(chan);
603 __clear_monitor_timer(chan);
604 __clear_ack_timer(chan);
c13ffa62 605
f1c6775b 606 skb_queue_purge(&chan->srej_q);
c13ffa62 607
3c588192
MM		 608 l2cap_seq_list_free(&chan->srej_list);
609 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 610
611 /* fall through */
612
613 case L2CAP_MODE_STREAMING:
614 skb_queue_purge(&chan->tx_q);
615 break;
c13ffa62 616 }
ee556f66
GP		 617
618 return;
0139418c
MH		 619}
620
0f852724 621void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 622{
623 struct l2cap_conn *conn = chan->conn;
624 struct sock *sk = chan->sk;
625
2d792818
GP		 626 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
627 sk);
4519de9a 628
89bc500e 629 switch (chan->state) {
4519de9a 630 case BT_LISTEN:
b699ec0d 631 chan->ops->teardown(chan, 0);
4519de9a
GP		 632 break;
633
634 case BT_CONNECTED:
635 case BT_CONFIG:
715ec005 636 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 637 conn->hcon->type == ACL_LINK) {
c9b66675 638 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 639 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 640 } else
641 l2cap_chan_del(chan, reason);
642 break;
643
644 case BT_CONNECT2:
715ec005 645 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 646 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 647 struct l2cap_conn_rsp rsp;
648 __u16 result;
649
c5daa683 650 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 651 result = L2CAP_CR_SEC_BLOCK;
652 else
653 result = L2CAP_CR_BAD_PSM;
89bc500e 654 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 655
656 rsp.scid = cpu_to_le16(chan->dcid);
657 rsp.dcid = cpu_to_le16(chan->scid);
658 rsp.result = cpu_to_le16(result);
ac73498c 659 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 660 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 661 sizeof(rsp), &rsp);
4519de9a
GP		 662 }
663
664 l2cap_chan_del(chan, reason);
665 break;
666
667 case BT_CONNECT:
668 case BT_DISCONN:
669 l2cap_chan_del(chan, reason);
670 break;
671
672 default:
b699ec0d 673 chan->ops->teardown(chan, 0);
4519de9a
GP		 674 break;
675 }
676}
677
4343478f 678static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 679{
715ec005 680 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 681 switch (chan->sec_level) {
8556edd3
JH		 682 case BT_SECURITY_HIGH:
683 return HCI_AT_DEDICATED_BONDING_MITM;
684 case BT_SECURITY_MEDIUM:
685 return HCI_AT_DEDICATED_BONDING;
686 default:
687 return HCI_AT_NO_BONDING;
688 }
2983fd68 689 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 690 if (chan->sec_level == BT_SECURITY_LOW)
691 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 692
4343478f 693 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 694 return HCI_AT_NO_BONDING_MITM;
00ae4af9 695 else
8556edd3 696 return HCI_AT_NO_BONDING;
00ae4af9 697 } else {
4343478f 698 switch (chan->sec_level) {
00ae4af9 699 case BT_SECURITY_HIGH:
8556edd3 700 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 701 case BT_SECURITY_MEDIUM:
8556edd3 702 return HCI_AT_GENERAL_BONDING;
00ae4af9 703 default:
8556edd3 704 return HCI_AT_NO_BONDING;
00ae4af9 705 }
0684e5f9 706 }
8556edd3
JH		 707}
708
709/* Service level security */
d45fc423 710int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 711{
8c1d787b 712 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 713 __u8 auth_type;
714
4343478f 715 auth_type = l2cap_get_auth_type(chan);
79d554a6 716
4343478f 717 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 718}
719
b5ad8b7f 720static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 721{
722 u8 id;
723
724 /* Get next available identificator.
725 * 1 - 128 are used by kernel.
726 * 129 - 199 are reserved.
727 * 200 - 254 are used by utilities like l2ping, etc.
728 */
729
333055f2 730 spin_lock(&conn->lock);
4e8402a3
MH		 731
732 if (++conn->tx_ident > 128)
733 conn->tx_ident = 1;
734
735 id = conn->tx_ident;
736
333055f2 737 spin_unlock(&conn->lock);
4e8402a3
MH		 738
739 return id;
740}
741
2d792818
GP		 742static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
743 void *data)
4e8402a3
MH		 744{
745 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 746 u8 flags;
4e8402a3
MH		 747
748 BT_DBG("code 0x%2.2x", code);
749
750 if (!skb)
9a9c6a34 751 return;
4e8402a3 752
e702112f
AE		 753 if (lmp_no_flush_capable(conn->hcon->hdev))
754 flags = ACL_START_NO_FLUSH;
755 else
756 flags = ACL_START;
757
14b12d0b 758 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 759 skb->priority = HCI_PRIO_MAX;
14b12d0b 760
73d80deb
LAD		 761 hci_send_acl(conn->hchan, skb, flags);
762}
763
02b0fbb9
MM		 764static bool __chan_is_moving(struct l2cap_chan *chan)
765{
766 return chan->move_state != L2CAP_MOVE_STABLE &&
767 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
768}
769
73d80deb
LAD		 770static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
771{
772 struct hci_conn *hcon = chan->conn->hcon;
773 u16 flags;
774
775 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 776 skb->priority);
73d80deb 777
d5f8a75d
MM		 778 if (chan->hs_hcon && !__chan_is_moving(chan)) {
779 if (chan->hs_hchan)
780 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
781 else
782 kfree_skb(skb);
783
784 return;
785 }
786
73d80deb 787 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 788 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 789 flags = ACL_START_NO_FLUSH;
790 else
791 flags = ACL_START;
14b12d0b 792
73d80deb
LAD		 793 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
794 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 795}
796
b76bbd66
MM		 797static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
798{
799 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
800 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
801
802 if (enh & L2CAP_CTRL_FRAME_TYPE) {
803 /* S-Frame */
804 control->sframe = 1;
805 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
806 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
807
808 control->sar = 0;
809 control->txseq = 0;
810 } else {
811 /* I-Frame */
812 control->sframe = 0;
813 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
814 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
815
816 control->poll = 0;
817 control->super = 0;
818 }
819}
820
b76bbd66
MM		 821static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
822{
823 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
824 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
825
826 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
827 /* S-Frame */
828 control->sframe = 1;
829 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
830 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
831
832 control->sar = 0;
833 control->txseq = 0;
834 } else {
835 /* I-Frame */
836 control->sframe = 0;
837 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
838 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
839
840 control->poll = 0;
841 control->super = 0;
842 }
843}
844
845static inline void __unpack_control(struct l2cap_chan *chan,
846 struct sk_buff *skb)
847{
848 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
849 __unpack_extended_control(get_unaligned_le32(skb->data),
850 &bt_cb(skb)->control);
cec8ab6e 851 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 852 } else {
853 __unpack_enhanced_control(get_unaligned_le16(skb->data),
854 &bt_cb(skb)->control);
cec8ab6e 855 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 856 }
857}
858
b5c6aaed
MM		 859static u32 __pack_extended_control(struct l2cap_ctrl *control)
860{
861 u32 packed;
862
863 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
864 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
865
866 if (control->sframe) {
867 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
868 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
869 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
870 } else {
871 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
872 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
873 }
874
875 return packed;
876}
877
878static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
879{
880 u16 packed;
881
882 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
883 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
884
885 if (control->sframe) {
886 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
887 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
888 packed |= L2CAP_CTRL_FRAME_TYPE;
889 } else {
890 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
891 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
892 }
893
894 return packed;
895}
896
b76bbd66
MM		 897static inline void __pack_control(struct l2cap_chan *chan,
898 struct l2cap_ctrl *control,
899 struct sk_buff *skb)
900{
901 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
902 put_unaligned_le32(__pack_extended_control(control),
903 skb->data + L2CAP_HDR_SIZE);
904 } else {
905 put_unaligned_le16(__pack_enhanced_control(control),
906 skb->data + L2CAP_HDR_SIZE);
907 }
908}
909
ba7aa64f
GP		 910static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
911{
912 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
913 return L2CAP_EXT_HDR_SIZE;
914 else
915 return L2CAP_ENH_HDR_SIZE;
916}
917
a67d7f6f
MM		 918static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
919 u32 control)
b5c6aaed
MM		 920{
921 struct sk_buff *skb;
922 struct l2cap_hdr *lh;
ba7aa64f 923 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 924
925 if (chan->fcs == L2CAP_FCS_CRC16)
926 hlen += L2CAP_FCS_SIZE;
927
a67d7f6f 928 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 929
b5c6aaed 930 if (!skb)
a67d7f6f 931 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 932
933 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
934 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
935 lh->cid = cpu_to_le16(chan->dcid);
936
a67d7f6f
MM		 937 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
938 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
939 else
940 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 941
942 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 943 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 944 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
945 }
946
947 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 948 return skb;
949}
950
951static void l2cap_send_sframe(struct l2cap_chan *chan,
952 struct l2cap_ctrl *control)
953{
954 struct sk_buff *skb;
955 u32 control_field;
956
957 BT_DBG("chan %p, control %p", chan, control);
958
959 if (!control->sframe)
960 return;
961
b99e13ad
MM		 962 if (__chan_is_moving(chan))
963 return;
964
a67d7f6f
MM		 965 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
966 !control->poll)
967 control->final = 1;
968
969 if (control->super == L2CAP_SUPER_RR)
970 clear_bit(CONN_RNR_SENT, &chan->conn_state);
971 else if (control->super == L2CAP_SUPER_RNR)
972 set_bit(CONN_RNR_SENT, &chan->conn_state);
973
974 if (control->super != L2CAP_SUPER_SREJ) {
975 chan->last_acked_seq = control->reqseq;
976 __clear_ack_timer(chan);
977 }
978
979 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
980 control->final, control->poll, control->super);
981
982 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
983 control_field = __pack_extended_control(control);
984 else
985 control_field = __pack_enhanced_control(control);
986
987 skb = l2cap_create_sframe_pdu(chan, control_field);
988 if (!IS_ERR(skb))
989 l2cap_do_send(chan, skb);
b5c6aaed
MM		 990}
991
c9e3d5e0 992static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 993{
c9e3d5e0
MM		 994 struct l2cap_ctrl control;
995
996 BT_DBG("chan %p, poll %d", chan, poll);
997
998 memset(&control, 0, sizeof(control));
999 control.sframe = 1;
1000 control.poll = poll;
1001
1002 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1003 control.super = L2CAP_SUPER_RNR;
1004 else
1005 control.super = L2CAP_SUPER_RR;
b5c6aaed 1006
c9e3d5e0
MM		 1007 control.reqseq = chan->buffer_seq;
1008 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1009}
1010
b4450035 1011static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1012{
c1360a1c 1013 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1014}
1015
1df7b17a 1016static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1017{
1df7b17a 1018 struct l2cap_conn *conn = chan->conn;
80d58d0b 1019 struct hci_dev *hdev;
1df7b17a
MH		 1020 bool amp_available = false;
1021
1022 if (!conn->hs_enabled)
1023 return false;
1024
1025 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1026 return false;
80d58d0b
MH		 1027
1028 read_lock(&hci_dev_list_lock);
1df7b17a 1029 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1030 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1031 test_bit(HCI_UP, &hdev->flags)) {
1032 amp_available = true;
1033 break;
1034 }
1035 }
80d58d0b
MH		 1036 read_unlock(&hci_dev_list_lock);
1037
1df7b17a
MH		 1038 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1039 return amp_available;
848566b3
MH		 1040
1041 return false;
93c3e8f5
AE		 1042}
1043
5ce66b59
AE		 1044static bool l2cap_check_efs(struct l2cap_chan *chan)
1045{
1046 /* Check EFS parameters */
1047 return true;
1048}
1049
2766be48 1050void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1051{
1052 struct l2cap_conn *conn = chan->conn;
1053 struct l2cap_conn_req req;
1054
1055 req.scid = cpu_to_le16(chan->scid);
1056 req.psm = chan->psm;
1057
1058 chan->ident = l2cap_get_ident(conn);
1059
1060 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1061
1062 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1063}
1064
8eb200bd
MM		 1065static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1066{
1067 struct l2cap_create_chan_req req;
1068 req.scid = cpu_to_le16(chan->scid);
1069 req.psm = chan->psm;
1070 req.amp_id = amp_id;
1071
1072 chan->ident = l2cap_get_ident(chan->conn);
1073
1074 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1075 sizeof(req), &req);
1076}
1077
02b0fbb9
MM		 1078static void l2cap_move_setup(struct l2cap_chan *chan)
1079{
1080 struct sk_buff *skb;
1081
1082 BT_DBG("chan %p", chan);
1083
1084 if (chan->mode != L2CAP_MODE_ERTM)
1085 return;
1086
1087 __clear_retrans_timer(chan);
1088 __clear_monitor_timer(chan);
1089 __clear_ack_timer(chan);
1090
1091 chan->retry_count = 0;
1092 skb_queue_walk(&chan->tx_q, skb) {
1093 if (bt_cb(skb)->control.retries)
1094 bt_cb(skb)->control.retries = 1;
1095 else
1096 break;
1097 }
1098
1099 chan->expected_tx_seq = chan->buffer_seq;
1100
1101 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1102 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1103 l2cap_seq_list_clear(&chan->retrans_list);
1104 l2cap_seq_list_clear(&chan->srej_list);
1105 skb_queue_purge(&chan->srej_q);
1106
1107 chan->tx_state = L2CAP_TX_STATE_XMIT;
1108 chan->rx_state = L2CAP_RX_STATE_MOVE;
1109
1110 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1111}
1112
5f3847a4
MM		 1113static void l2cap_move_done(struct l2cap_chan *chan)
1114{
1115 u8 move_role = chan->move_role;
1116 BT_DBG("chan %p", chan);
1117
1118 chan->move_state = L2CAP_MOVE_STABLE;
1119 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1120
1121 if (chan->mode != L2CAP_MODE_ERTM)
1122 return;
1123
1124 switch (move_role) {
1125 case L2CAP_MOVE_ROLE_INITIATOR:
1126 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1127 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1128 break;
1129 case L2CAP_MOVE_ROLE_RESPONDER:
1130 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1131 break;
1132 }
1133}
1134
9f0caeb1
VCG		 1135static void l2cap_chan_ready(struct l2cap_chan *chan)
1136{
2827011f 1137 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1138 chan->conf_state = 0;
1139 __clear_chan_timer(chan);
1140
54a59aa2 1141 chan->state = BT_CONNECTED;
9f0caeb1 1142
fd83e2c2 1143 chan->ops->ready(chan);
9f0caeb1
VCG		 1144}
1145
93c3e8f5
AE		 1146static void l2cap_start_connection(struct l2cap_chan *chan)
1147{
1148 if (__amp_capable(chan)) {
1149 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1150 a2mp_discover_amp(chan);
1151 } else {
1152 l2cap_send_conn_req(chan);
1153 }
1154}
1155
fc7f8a7e 1156static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1157{
8c1d787b 1158 struct l2cap_conn *conn = chan->conn;
79d554a6 1159
9f0caeb1
VCG		 1160 if (conn->hcon->type == LE_LINK) {
1161 l2cap_chan_ready(chan);
1162 return;
1163 }
1164
79d554a6 1165 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1166 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1167 return;
1168
d45fc423 1169 if (l2cap_chan_check_security(chan) &&
2d792818 1170 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1171 l2cap_start_connection(chan);
1172 }
79d554a6
MH		 1173 } else {
1174 struct l2cap_info_req req;
ac73498c 1175 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1176
1177 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1178 conn->info_ident = l2cap_get_ident(conn);
1179
ba13ccd9 1180 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1181
2d792818
GP		 1182 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1183 sizeof(req), &req);
79d554a6
MH		 1184 }
1185}
1186
cf6c2c0b
GP		 1187static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1188{
1189 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1190 if (!disable_ertm)
cf6c2c0b
GP		 1191 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1192
1193 switch (mode) {
1194 case L2CAP_MODE_ERTM:
1195 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1196 case L2CAP_MODE_STREAMING:
1197 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1198 default:
1199 return 0x00;
1200 }
1201}
1202
5e4e3972 1203static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1204{
6be36555 1205 struct sock *sk = chan->sk;
5e4e3972 1206 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1207 struct l2cap_disconn_req req;
1208
c13ffa62
GP		 1209 if (!conn)
1210 return;
1211
aad3d0e3 1212 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1213 __clear_retrans_timer(chan);
1214 __clear_monitor_timer(chan);
1215 __clear_ack_timer(chan);
c13ffa62
GP		 1216 }
1217
416fa752 1218 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1219 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1220 return;
1221 }
1222
fe4128e0
GP		 1223 req.dcid = cpu_to_le16(chan->dcid);
1224 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1225 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1226 sizeof(req), &req);
c13ffa62 1227
6be36555 1228 lock_sock(sk);
0e587be7 1229 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1230 __l2cap_chan_set_err(chan, err);
6be36555 1231 release_sock(sk);
22121fc9
GP		 1232}
1233
1da177e4 1234/* ---- L2CAP connections ---- */
4e8402a3
MH		 1235static void l2cap_conn_start(struct l2cap_conn *conn)
1236{
3df91ea2 1237 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1238
1239 BT_DBG("conn %p", conn);
1240
3df91ea2 1241 mutex_lock(&conn->chan_lock);
4e8402a3 1242
3df91ea2 1243 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1244 struct sock *sk = chan->sk;
baa7e1fa 1245
6be36555 1246 l2cap_chan_lock(chan);
4e8402a3 1247
715ec005 1248 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1249 l2cap_chan_unlock(chan);
79d554a6
MH		 1250 continue;
1251 }
1252
89bc500e 1253 if (chan->state == BT_CONNECT) {
d45fc423 1254 if (!l2cap_chan_check_security(chan) ||
2d792818 1255 !__l2cap_no_conn_pending(chan)) {
6be36555 1256 l2cap_chan_unlock(chan);
47731de7
GP		 1257 continue;
1258 }
79d554a6 1259
c1360a1c 1260 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1261 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1262 &chan->conf_state)) {
89bc500e 1263 l2cap_chan_close(chan, ECONNRESET);
6be36555 1264 l2cap_chan_unlock(chan);
47731de7 1265 continue;
b1235d79 1266 }
47731de7 1267
93c3e8f5 1268 l2cap_start_connection(chan);
47731de7 1269
89bc500e 1270 } else if (chan->state == BT_CONNECT2) {
79d554a6 1271 struct l2cap_conn_rsp rsp;
e9aeb2dd 1272 char buf[128];
fe4128e0
GP		 1273 rsp.scid = cpu_to_le16(chan->dcid);
1274 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1275
d45fc423 1276 if (l2cap_chan_check_security(chan)) {
6be36555 1277 lock_sock(sk);
c5daa683
GP		 1278 if (test_bit(BT_SK_DEFER_SETUP,
1279 &bt_sk(sk)->flags)) {
ac73498c
AE		 1280 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1281 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1282 chan->ops->defer(chan);
f66dc81f
MH		 1283
1284 } else {
0e587be7 1285 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1286 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1287 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1288 }
6be36555 1289 release_sock(sk);
79d554a6 1290 } else {
ac73498c
AE		 1291 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1292 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1293 }
1294
fc7f8a7e 1295 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1296 sizeof(rsp), &rsp);
e9aeb2dd 1297
c1360a1c 1298 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1299 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1300 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1301 continue;
1302 }
1303
c1360a1c 1304 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1305 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1306 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1307 chan->num_conf_req++;
4e8402a3
MH		 1308 }
1309
6be36555 1310 l2cap_chan_unlock(chan);
4e8402a3
MH		 1311 }
1312
3df91ea2 1313 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1314}
1315
c2287681 1316/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1317 * Returns closest match, locked.
1318 */
d9b88702 1319static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1320 bdaddr_t *src,
1321 bdaddr_t *dst)
b62f328b 1322{
23691d75 1323 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1324
23691d75 1325 read_lock(&chan_list_lock);
b62f328b 1326
23691d75
GP		 1327 list_for_each_entry(c, &chan_list, global_l) {
1328 struct sock *sk = c->sk;
fe4128e0 1329
89bc500e 1330 if (state && c->state != state)
b62f328b
VT		 1331 continue;
1332
23691d75 1333 if (c->scid == cid) {
c2287681
IY		 1334 int src_match, dst_match;
1335 int src_any, dst_any;
1336
b62f328b 1337 /* Exact match. */
c2287681
IY		 1338 src_match = !bacmp(&bt_sk(sk)->src, src);
1339 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1340 if (src_match && dst_match) {
23691d75
GP		 1341 read_unlock(&chan_list_lock);
1342 return c;
1343 }
b62f328b
VT		 1344
1345 /* Closest match */
c2287681
IY		 1346 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1347 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1348 if ((src_match && dst_any) || (src_any && dst_match) ||
1349 (src_any && dst_any))
23691d75 1350 c1 = c;
b62f328b
VT		 1351 }
1352 }
280f294f 1353
23691d75 1354 read_unlock(&chan_list_lock);
b62f328b 1355
23691d75 1356 return c1;
b62f328b
VT		 1357}
1358
1359static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1360{
60bac184 1361 struct sock *parent;
23691d75 1362 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1363
1364 BT_DBG("");
1365
1366 /* Check if we have socket listening on cid */
073d1cf3 1367 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
c2287681 1368 conn->src, conn->dst);
23691d75 1369 if (!pchan)
b62f328b
VT		 1370 return;
1371
44f3b0fb
JH		 1372 /* Client ATT sockets should override the server one */
1373 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1374 return;
1375
23691d75
GP		 1376 parent = pchan->sk;
1377
aa2ac881 1378 lock_sock(parent);
62f3a2cf 1379
80b98027 1380 chan = pchan->ops->new_connection(pchan);
80808e43 1381 if (!chan)
b62f328b
VT		 1382 goto clean;
1383
9f22398c
JH		 1384 chan->dcid = L2CAP_CID_ATT;
1385
60bac184
JH		 1386 bacpy(&bt_sk(chan->sk)->src, conn->src);
1387 bacpy(&bt_sk(chan->sk)->dst, conn->dst);
b62f328b 1388
44f3b0fb 1389 __l2cap_chan_add(conn, chan);
48454079 1390
b62f328b 1391clean:
aa2ac881 1392 release_sock(parent);
b62f328b
VT		 1393}
1394
4e8402a3
MH		 1395static void l2cap_conn_ready(struct l2cap_conn *conn)
1396{
48454079 1397 struct l2cap_chan *chan;
cc110922 1398 struct hci_conn *hcon = conn->hcon;
4e8402a3 1399
79d554a6 1400 BT_DBG("conn %p", conn);
4e8402a3 1401
d8729922
JH		 1402 /* For outgoing pairing which doesn't necessarily have an
1403 * associated socket (e.g. mgmt_pair_device).
1404 */
cc110922
VCG		 1405 if (hcon->out && hcon->type == LE_LINK)
1406 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1407
3df91ea2 1408 mutex_lock(&conn->chan_lock);
4e8402a3 1409
44f3b0fb
JH		 1410 if (hcon->type == LE_LINK)
1411 l2cap_le_conn_ready(conn);
1412
3df91ea2 1413 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1414
6be36555 1415 l2cap_chan_lock(chan);
4e8402a3 1416
416fa752
AE		 1417 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1418 l2cap_chan_unlock(chan);
1419 continue;
1420 }
1421
cc110922
VCG		 1422 if (hcon->type == LE_LINK) {
1423 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1424 l2cap_chan_ready(chan);
acd7d370 1425
63128451 1426 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1427 struct sock *sk = chan->sk;
c9b66675 1428 __clear_chan_timer(chan);
6be36555 1429 lock_sock(sk);
0e587be7 1430 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1431 sk->sk_state_change(sk);
6be36555 1432 release_sock(sk);
b501d6a1 1433
1c244f79 1434 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1435 l2cap_do_start(chan);
1c244f79 1436 }
4e8402a3 1437
6be36555 1438 l2cap_chan_unlock(chan);
4e8402a3 1439 }
79d554a6 1440
3df91ea2 1441 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1442}
1443
1444/* Notify sockets that we cannot guaranty reliability anymore */
1445static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1446{
48454079 1447 struct l2cap_chan *chan;
4e8402a3
MH		 1448
1449 BT_DBG("conn %p", conn);
1450
3df91ea2 1451 mutex_lock(&conn->chan_lock);
4e8402a3 1452
3df91ea2 1453 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1454 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1455 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1456 }
1457
3df91ea2 1458 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1459}
1460
f878fcad 1461static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1462{
f878fcad 1463 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1464 info_timer.work);
4e8402a3 1465
984947dc 1466 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1467 conn->info_ident = 0;
984947dc 1468
4e8402a3
MH		 1469 l2cap_conn_start(conn);
1470}
1471
2c8e1411
DH		 1472/*
1473 * l2cap_user
1474 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1475 * callback is called during registration. The ->remove callback is called
1476 * during unregistration.
1477 * An l2cap_user object can either be explicitly unregistered or when the
1478 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1479 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1480 * External modules must own a reference to the l2cap_conn object if they intend
1481 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1482 * any time if they don't.
1483 */
1484
1485int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1486{
1487 struct hci_dev *hdev = conn->hcon->hdev;
1488 int ret;
1489
1490 /* We need to check whether l2cap_conn is registered. If it is not, we
1491 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1492 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1493 * relies on the parent hci_conn object to be locked. This itself relies
1494 * on the hci_dev object to be locked. So we must lock the hci device
1495 * here, too. */
1496
1497 hci_dev_lock(hdev);
1498
1499 if (user->list.next || user->list.prev) {
1500 ret = -EINVAL;
1501 goto out_unlock;
1502 }
1503
1504 /* conn->hchan is NULL after l2cap_conn_del() was called */
1505 if (!conn->hchan) {
1506 ret = -ENODEV;
1507 goto out_unlock;
1508 }
1509
1510 ret = user->probe(conn, user);
1511 if (ret)
1512 goto out_unlock;
1513
1514 list_add(&user->list, &conn->users);
1515 ret = 0;
1516
1517out_unlock:
1518 hci_dev_unlock(hdev);
1519 return ret;
1520}
1521EXPORT_SYMBOL(l2cap_register_user);
1522
1523void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1524{
1525 struct hci_dev *hdev = conn->hcon->hdev;
1526
1527 hci_dev_lock(hdev);
1528
1529 if (!user->list.next || !user->list.prev)
1530 goto out_unlock;
1531
1532 list_del(&user->list);
1533 user->list.next = NULL;
1534 user->list.prev = NULL;
1535 user->remove(conn, user);
1536
1537out_unlock:
1538 hci_dev_unlock(hdev);
1539}
1540EXPORT_SYMBOL(l2cap_unregister_user);
1541
1542static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1543{
1544 struct l2cap_user *user;
1545
1546 while (!list_empty(&conn->users)) {
1547 user = list_first_entry(&conn->users, struct l2cap_user, list);
1548 list_del(&user->list);
1549 user->list.next = NULL;
1550 user->list.prev = NULL;
1551 user->remove(conn, user);
1552 }
1553}
1554
5d3de7df
VCG		 1555static void l2cap_conn_del(struct hci_conn *hcon, int err)
1556{
1557 struct l2cap_conn *conn = hcon->l2cap_data;
1558 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1559
1560 if (!conn)
1561 return;
1562
1563 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1564
1565 kfree_skb(conn->rx_skb);
1566
2c8e1411
DH		 1567 l2cap_unregister_all_users(conn);
1568
3df91ea2
AE		 1569 mutex_lock(&conn->chan_lock);
1570
5d3de7df
VCG		 1571 /* Kill channels */
1572 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1573 l2cap_chan_hold(chan);
6be36555
AE		 1574 l2cap_chan_lock(chan);
1575
5d3de7df 1576 l2cap_chan_del(chan, err);
6be36555
AE		 1577
1578 l2cap_chan_unlock(chan);
1579
80b98027 1580 chan->ops->close(chan);
61d6ef3e 1581 l2cap_chan_put(chan);
5d3de7df
VCG		 1582 }
1583
3df91ea2
AE		 1584 mutex_unlock(&conn->chan_lock);
1585
73d80deb
LAD		 1586 hci_chan_del(conn->hchan);
1587
5d3de7df 1588 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1589 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1590
51a8efd7 1591 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1592 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1593 smp_chan_destroy(conn);
d26a2345 1594 }
5d3de7df
VCG		 1595
1596 hcon->l2cap_data = NULL;
9c903e37
DH		 1597 conn->hchan = NULL;
1598 l2cap_conn_put(conn);
5d3de7df
VCG		 1599}
1600
6c9d42a1 1601static void security_timeout(struct work_struct *work)
5d3de7df 1602{
6c9d42a1 1603 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1604 security_timer.work);
5d3de7df 1605
d06cc416
JH		 1606 BT_DBG("conn %p", conn);
1607
1608 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1609 smp_chan_destroy(conn);
1610 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1611 }
5d3de7df
VCG		 1612}
1613
baf43251 1614static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1615{
0139418c 1616 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1617 struct hci_chan *hchan;
1da177e4 1618
baf43251 1619 if (conn)
1da177e4
LT		 1620 return conn;
1621
73d80deb
LAD		 1622 hchan = hci_chan_create(hcon);
1623 if (!hchan)
1624 return NULL;
1625
8bcde1f2 1626 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1627 if (!conn) {
1628 hci_chan_del(hchan);
1da177e4 1629 return NULL;
73d80deb 1630 }
1da177e4 1631
9c903e37 1632 kref_init(&conn->ref);
1da177e4
LT		 1633 hcon->l2cap_data = conn;
1634 conn->hcon = hcon;
9c903e37 1635 hci_conn_get(conn->hcon);
73d80deb 1636 conn->hchan = hchan;
1da177e4 1637
73d80deb 1638 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1639
dcc042d5 1640 switch (hcon->type) {
dcc042d5
AE		 1641 case LE_LINK:
1642 if (hcon->hdev->le_mtu) {
1643 conn->mtu = hcon->hdev->le_mtu;
1644 break;
1645 }
1646 /* fall through */
dcc042d5 1647 default:
acd7d370 1648 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1649 break;
1650 }
acd7d370 1651
1da177e4
LT		 1652 conn->src = &hcon->hdev->bdaddr;
1653 conn->dst = &hcon->dst;
1654
4e8402a3
MH		 1655 conn->feat_mask = 0;
1656
848566b3
MH		 1657 if (hcon->type == ACL_LINK)
1658 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1659 &hcon->hdev->dev_flags);
1660
1da177e4 1661 spin_lock_init(&conn->lock);
3df91ea2 1662 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1663
1664 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1665 INIT_LIST_HEAD(&conn->users);
1da177e4 1666
5d3de7df 1667 if (hcon->type == LE_LINK)
6c9d42a1 1668 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1669 else
030013d8 1670 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1671
9f5a0d7b 1672 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1673
1da177e4
LT		 1674 return conn;
1675}
1676
9c903e37
DH		 1677static void l2cap_conn_free(struct kref *ref)
1678{
1679 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1680
1681 hci_conn_put(conn->hcon);
1682 kfree(conn);
1683}
1684
1685void l2cap_conn_get(struct l2cap_conn *conn)
1686{
1687 kref_get(&conn->ref);
1688}
1689EXPORT_SYMBOL(l2cap_conn_get);
1690
1691void l2cap_conn_put(struct l2cap_conn *conn)
1692{
1693 kref_put(&conn->ref, l2cap_conn_free);
1694}
1695EXPORT_SYMBOL(l2cap_conn_put);
1696
1da177e4 1697/* ---- Socket interface ---- */
1da177e4 1698
c2287681 1699/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1700 * Returns closest match.
1701 */
c2287681
IY		 1702static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1703 bdaddr_t *src,
1704 bdaddr_t *dst)
1da177e4 1705{
23691d75 1706 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1707
23691d75 1708 read_lock(&chan_list_lock);
e0f0cb56 1709
23691d75
GP		 1710 list_for_each_entry(c, &chan_list, global_l) {
1711 struct sock *sk = c->sk;
fe4128e0 1712
89bc500e 1713 if (state && c->state != state)
1da177e4
LT		 1714 continue;
1715
23691d75 1716 if (c->psm == psm) {
c2287681
IY		 1717 int src_match, dst_match;
1718 int src_any, dst_any;
1719
1da177e4 1720 /* Exact match. */
c2287681
IY		 1721 src_match = !bacmp(&bt_sk(sk)->src, src);
1722 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1723 if (src_match && dst_match) {
a7567b20 1724 read_unlock(&chan_list_lock);
23691d75
GP		 1725 return c;
1726 }
1da177e4
LT		 1727
1728 /* Closest match */
c2287681
IY		 1729 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1730 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1731 if ((src_match && dst_any) || (src_any && dst_match) ||
1732 (src_any && dst_any))
23691d75 1733 c1 = c;
1da177e4
LT		 1734 }
1735 }
1da177e4 1736
23691d75 1737 read_unlock(&chan_list_lock);
e0f0cb56 1738
23691d75 1739 return c1;
1da177e4
LT		 1740}
1741
8e9f9892
AG		 1742int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1743 bdaddr_t *dst, u8 dst_type)
1da177e4 1744{
5d41ce1d 1745 struct sock *sk = chan->sk;
1da177e4 1746 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1747 struct l2cap_conn *conn;
1748 struct hci_conn *hcon;
1749 struct hci_dev *hdev;
09ab6f4c 1750 __u8 auth_type;
44d0e48e 1751 int err;
1da177e4 1752
6ed93dc6 1753 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1754 dst_type, __le16_to_cpu(psm));
1da177e4 1755
af05b30b
GP		 1756 hdev = hci_get_route(dst, src);
1757 if (!hdev)
1da177e4
LT		 1758 return -EHOSTUNREACH;
1759
09fd0de5 1760 hci_dev_lock(hdev);
1da177e4 1761
6be36555 1762 l2cap_chan_lock(chan);
03a00194
GP		 1763
1764 /* PSM must be odd and lsb of upper byte must be 0 */
1765 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1766 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1767 err = -EINVAL;
1768 goto done;
1769 }
1770
1771 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1772 err = -EINVAL;
1773 goto done;
1774 }
1775
1776 switch (chan->mode) {
1777 case L2CAP_MODE_BASIC:
1778 break;
1779 case L2CAP_MODE_ERTM:
1780 case L2CAP_MODE_STREAMING:
1781 if (!disable_ertm)
1782 break;
1783 /* fall through */
1784 default:
1785 err = -ENOTSUPP;
1786 goto done;
1787 }
1788
0797e01d 1789 switch (chan->state) {
03a00194
GP		 1790 case BT_CONNECT:
1791 case BT_CONNECT2:
1792 case BT_CONFIG:
1793 /* Already connecting */
1794 err = 0;
1795 goto done;
1796
1797 case BT_CONNECTED:
1798 /* Already connected */
1799 err = -EISCONN;
1800 goto done;
1801
1802 case BT_OPEN:
1803 case BT_BOUND:
1804 /* Can connect */
1805 break;
1806
1807 default:
1808 err = -EBADFD;
1809 goto done;
1810 }
1811
1812 /* Set destination address and psm */
0797e01d 1813 lock_sock(sk);
9219b2a0 1814 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1815 release_sock(sk);
1816
03a00194
GP		 1817 chan->psm = psm;
1818 chan->dcid = cid;
1da177e4 1819
4343478f 1820 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1821
f224ca5f 1822 if (bdaddr_type_is_le(dst_type))
8e9f9892 1823 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1824 chan->sec_level, auth_type);
acd7d370 1825 else
8e9f9892 1826 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1827 chan->sec_level, auth_type);
acd7d370 1828
30e76272
VT		 1829 if (IS_ERR(hcon)) {
1830 err = PTR_ERR(hcon);
1da177e4 1831 goto done;
30e76272 1832 }
1da177e4 1833
baf43251 1834 conn = l2cap_conn_add(hcon);
1da177e4 1835 if (!conn) {
76a68ba0 1836 hci_conn_drop(hcon);
30e76272 1837 err = -ENOMEM;
1da177e4
LT		 1838 goto done;
1839 }
1840
141d5706
JH		 1841 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1842 hci_conn_drop(hcon);
1843 err = -EBUSY;
1844 goto done;
9f0caeb1
VCG		 1845 }
1846
1da177e4
LT		 1847 /* Update source addr of the socket */
1848 bacpy(src, conn->src);
1849
6be36555 1850 l2cap_chan_unlock(chan);
48454079 1851 l2cap_chan_add(conn, chan);
6be36555 1852 l2cap_chan_lock(chan);
48454079 1853
5ee9891d
JH		 1854 /* l2cap_chan_add takes its own ref so we can drop this one */
1855 hci_conn_drop(hcon);
1856
6be36555 1857 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1858 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1859
1860 if (hcon->state == BT_CONNECTED) {
715ec005 1861 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1862 __clear_chan_timer(chan);
d45fc423 1863 if (l2cap_chan_check_security(chan))
6be36555 1864 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1865 } else
fc7f8a7e 1866 l2cap_do_start(chan);
1da177e4
LT		 1867 }
1868
30e76272
VT		 1869 err = 0;
1870
1da177e4 1871done:
6be36555 1872 l2cap_chan_unlock(chan);
09fd0de5 1873 hci_dev_unlock(hdev);
1da177e4
LT		 1874 hci_dev_put(hdev);
1875 return err;
1876}
1877
dcba0dba 1878int __l2cap_wait_ack(struct sock *sk)
6161c038 1879{
8c1d787b 1880 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1881 DECLARE_WAITQUEUE(wait, current);
1882 int err = 0;
1883 int timeo = HZ/5;
1884
2b0b05dd 1885 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1886 set_current_state(TASK_INTERRUPTIBLE);
1887 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1888 if (!timeo)
1889 timeo = HZ/5;
1890
1891 if (signal_pending(current)) {
1892 err = sock_intr_errno(timeo);
1893 break;
1894 }
1895
1896 release_sock(sk);
1897 timeo = schedule_timeout(timeo);
1898 lock_sock(sk);
a71a0cf4 1899 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1900
1901 err = sock_error(sk);
1902 if (err)
1903 break;
1904 }
1905 set_current_state(TASK_RUNNING);
2b0b05dd 1906 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1907 return err;
1908}
1909
721c4181 1910static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1911{
721c4181 1912 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1913 monitor_timer.work);
e90bac06 1914
525cd185 1915 BT_DBG("chan %p", chan);
0e98958d 1916
6be36555
AE		 1917 l2cap_chan_lock(chan);
1918
80909e04 1919 if (!chan->conn) {
6be36555 1920 l2cap_chan_unlock(chan);
8d7e1c7f 1921 l2cap_chan_put(chan);
e90bac06
GP		 1922 return;
1923 }
1924
401bb1f7 1925 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1926
6be36555 1927 l2cap_chan_unlock(chan);
8d7e1c7f 1928 l2cap_chan_put(chan);
e90bac06
GP		 1929}
1930
721c4181 1931static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1932{
721c4181 1933 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1934 retrans_timer.work);
e90bac06 1935
49208c9c 1936 BT_DBG("chan %p", chan);
0e98958d 1937
6be36555
AE		 1938 l2cap_chan_lock(chan);
1939
80909e04
MM		 1940 if (!chan->conn) {
1941 l2cap_chan_unlock(chan);
1942 l2cap_chan_put(chan);
1943 return;
1944 }
6be36555 1945
401bb1f7 1946 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1947 l2cap_chan_unlock(chan);
8d7e1c7f 1948 l2cap_chan_put(chan);
e90bac06
GP		 1949}
1950
d660366d
GP		 1951static void l2cap_streaming_send(struct l2cap_chan *chan,
1952 struct sk_buff_head *skbs)
6840ed07 1953{
ccbb84af 1954 struct sk_buff *skb;
3733937d 1955 struct l2cap_ctrl *control;
6840ed07 1956
3733937d
MM		 1957 BT_DBG("chan %p, skbs %p", chan, skbs);
1958
b99e13ad
MM		 1959 if (__chan_is_moving(chan))
1960 return;
1961
3733937d
MM		 1962 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1963
1964 while (!skb_queue_empty(&chan->tx_q)) {
1965
1966 skb = skb_dequeue(&chan->tx_q);
1967
1968 bt_cb(skb)->control.retries = 1;
1969 control = &bt_cb(skb)->control;
1970
1971 control->reqseq = 0;
1972 control->txseq = chan->next_tx_seq;
1973
1974 __pack_control(chan, control, skb);
6840ed07 1975
47d1ec61 1976 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1977 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1978 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1979 }
1980
4343478f 1981 l2cap_do_send(chan, skb);
6840ed07 1982
b4400672 1983 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1984
836be934 1985 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1986 chan->frames_sent++;
6840ed07 1987 }
6840ed07
GP		 1988}
1989
67c9e840 1990static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1991{
1992 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1993 struct l2cap_ctrl *control;
1994 int sent = 0;
1995
1996 BT_DBG("chan %p", chan);
1c2acffb 1997
89bc500e 1998 if (chan->state != BT_CONNECTED)
c13ffa62 1999 return -ENOTCONN;
e90bac06 2000
94122bbe
MM		 2001 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2002 return 0;
2003
b99e13ad
MM		 2004 if (__chan_is_moving(chan))
2005 return 0;
2006
18a48e76
MM		 2007 while (chan->tx_send_head &&
2008 chan->unacked_frames < chan->remote_tx_win &&
2009 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 2010
18a48e76 2011 skb = chan->tx_send_head;
e90bac06 2012
18a48e76
MM		 2013 bt_cb(skb)->control.retries = 1;
2014 control = &bt_cb(skb)->control;
95ffa978 2015
e2ab4353 2016 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 2017 control->final = 1;
e2ab4353 2018
18a48e76
MM		 2019 control->reqseq = chan->buffer_seq;
2020 chan->last_acked_seq = chan->buffer_seq;
2021 control->txseq = chan->next_tx_seq;
1c2acffb 2022
18a48e76 2023 __pack_control(chan, control, skb);
e90bac06 2024
47d1ec61 2025 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2026 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2027 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2028 }
2029
18a48e76
MM		 2030 /* Clone after data has been modified. Data is assumed to be
2031 read-only (for locking purposes) on cloned sk_buffs.
2032 */
2033 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2034
18a48e76
MM		 2035 if (!tx_skb)
2036 break;
1c2acffb 2037
18a48e76 2038 __set_retrans_timer(chan);
836be934
AE		 2039
2040 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2041 chan->unacked_frames++;
6a026610 2042 chan->frames_sent++;
18a48e76 2043 sent++;
1c2acffb 2044
58d35f87
GP		 2045 if (skb_queue_is_last(&chan->tx_q, skb))
2046 chan->tx_send_head = NULL;
1c2acffb 2047 else
58d35f87 2048 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2049
2050 l2cap_do_send(chan, tx_skb);
b4400672 2051 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2052 }
2053
b4400672
AE		 2054 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2055 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2056
2057 return sent;
9e917af1
GP		 2058}
2059
e1fbd4c1
MM		 2060static void l2cap_ertm_resend(struct l2cap_chan *chan)
2061{
2062 struct l2cap_ctrl control;
2063 struct sk_buff *skb;
2064 struct sk_buff *tx_skb;
2065 u16 seq;
2066
2067 BT_DBG("chan %p", chan);
2068
2069 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2070 return;
2071
b99e13ad
MM		 2072 if (__chan_is_moving(chan))
2073 return;
2074
e1fbd4c1
MM		 2075 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2076 seq = l2cap_seq_list_pop(&chan->retrans_list);
2077
2078 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2079 if (!skb) {
2080 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2081 seq);
e1fbd4c1
MM		 2082 continue;
2083 }
2084
2085 bt_cb(skb)->control.retries++;
2086 control = bt_cb(skb)->control;
2087
2088 if (chan->max_tx != 0 &&
2089 bt_cb(skb)->control.retries > chan->max_tx) {
2090 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2091 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2092 l2cap_seq_list_clear(&chan->retrans_list);
2093 break;
2094 }
2095
2096 control.reqseq = chan->buffer_seq;
2097 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2098 control.final = 1;
2099 else
2100 control.final = 0;
2101
2102 if (skb_cloned(skb)) {
2103 /* Cloned sk_buffs are read-only, so we need a
2104 * writeable copy
2105 */
8bcde1f2 2106 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2107 } else {
8bcde1f2 2108 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2109 }
2110
2111 if (!tx_skb) {
2112 l2cap_seq_list_clear(&chan->retrans_list);
2113 break;
2114 }
2115
2116 /* Update skb contents */
2117 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2118 put_unaligned_le32(__pack_extended_control(&control),
2119 tx_skb->data + L2CAP_HDR_SIZE);
2120 } else {
2121 put_unaligned_le16(__pack_enhanced_control(&control),
2122 tx_skb->data + L2CAP_HDR_SIZE);
2123 }
2124
2125 if (chan->fcs == L2CAP_FCS_CRC16) {
2126 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2127 put_unaligned_le16(fcs, skb_put(tx_skb,
2128 L2CAP_FCS_SIZE));
2129 }
2130
2131 l2cap_do_send(chan, tx_skb);
2132
2133 BT_DBG("Resent txseq %d", control.txseq);
2134
2135 chan->last_acked_seq = chan->buffer_seq;
2136 }
2137}
2138
f80842a8
MM		 2139static void l2cap_retransmit(struct l2cap_chan *chan,
2140 struct l2cap_ctrl *control)
2141{
2142 BT_DBG("chan %p, control %p", chan, control);
2143
2144 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2145 l2cap_ertm_resend(chan);
2146}
2147
d2a7ac5d
MM		 2148static void l2cap_retransmit_all(struct l2cap_chan *chan,
2149 struct l2cap_ctrl *control)
2150{
e1fbd4c1
MM		 2151 struct sk_buff *skb;
2152
2153 BT_DBG("chan %p, control %p", chan, control);
2154
2155 if (control->poll)
2156 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2157
2158 l2cap_seq_list_clear(&chan->retrans_list);
2159
2160 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2161 return;
2162
2163 if (chan->unacked_frames) {
2164 skb_queue_walk(&chan->tx_q, skb) {
2165 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2166 skb == chan->tx_send_head)
e1fbd4c1
MM		 2167 break;
2168 }
2169
2170 skb_queue_walk_from(&chan->tx_q, skb) {
2171 if (skb == chan->tx_send_head)
2172 break;
2173
2174 l2cap_seq_list_append(&chan->retrans_list,
2175 bt_cb(skb)->control.txseq);
2176 }
2177
2178 l2cap_ertm_resend(chan);
2179 }
d2a7ac5d
MM		 2180}
2181
0a0aba42 2182static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2183{
0a0aba42
MM		 2184 struct l2cap_ctrl control;
2185 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2186 chan->last_acked_seq);
2187 int threshold;
9e917af1 2188
0a0aba42
MM		 2189 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2190 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2191
0a0aba42
MM		 2192 memset(&control, 0, sizeof(control));
2193 control.sframe = 1;
dfc909be 2194
0a0aba42
MM		 2195 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2196 chan->rx_state == L2CAP_RX_STATE_RECV) {
2197 __clear_ack_timer(chan);
2198 control.super = L2CAP_SUPER_RNR;
2199 control.reqseq = chan->buffer_seq;
2200 l2cap_send_sframe(chan, &control);
2201 } else {
2202 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2203 l2cap_ertm_send(chan);
2204 /* If any i-frames were sent, they included an ack */
2205 if (chan->buffer_seq == chan->last_acked_seq)
2206 frames_to_ack = 0;
2207 }
dfc909be 2208
c20f8e35 2209 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2210 * Calculate without mul or div
2211 */
c20f8e35 2212 threshold = chan->ack_win;
0a0aba42
MM		 2213 threshold += threshold << 1;
2214 threshold >>= 2;
2215
b4400672 2216 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2217 threshold);
2218
2219 if (frames_to_ack >= threshold) {
2220 __clear_ack_timer(chan);
2221 control.super = L2CAP_SUPER_RR;
2222 control.reqseq = chan->buffer_seq;
2223 l2cap_send_sframe(chan, &control);
2224 frames_to_ack = 0;
2225 }
1c2acffb 2226
0a0aba42
MM		 2227 if (frames_to_ack)
2228 __set_ack_timer(chan);
2229 }
b17e73bb
SJ		 2230}
2231
04124681
GP		 2232static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2233 struct msghdr *msg, int len,
2234 int count, struct sk_buff *skb)
1c2acffb 2235{
0952a57a 2236 struct l2cap_conn *conn = chan->conn;
1c2acffb 2237 struct sk_buff **frag;
90338947 2238 int sent = 0;
1da177e4 2239
59203a21 2240 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2241 return -EFAULT;
1da177e4
LT		 2242
2243 sent += count;
2244 len -= count;
2245
2246 /* Continuation fragments (no L2CAP header) */
2247 frag = &skb_shinfo(skb)->frag_list;
2248 while (len) {
fbe00700
GP		 2249 struct sk_buff *tmp;
2250
1da177e4
LT		 2251 count = min_t(unsigned int, conn->mtu, len);
2252
fbe00700
GP		 2253 tmp = chan->ops->alloc_skb(chan, count,
2254 msg->msg_flags & MSG_DONTWAIT);
2255 if (IS_ERR(tmp))
2256 return PTR_ERR(tmp);
2257
2258 *frag = tmp;
2f7719ce 2259
1c2acffb
GP		 2260 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2261 return -EFAULT;
1da177e4 2262
5e59b791
LAD		 2263 (*frag)->priority = skb->priority;
2264
1da177e4
LT		 2265 sent += count;
2266 len -= count;
2267
2d0ed3d5
GP		 2268 skb->len += (*frag)->len;
2269 skb->data_len += (*frag)->len;
2270
1da177e4
LT		 2271 frag = &(*frag)->next;
2272 }
1da177e4
LT		 2273
2274 return sent;
1c2acffb 2275}
1da177e4 2276
5e59b791 2277static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2278 struct msghdr *msg, size_t len,
2279 u32 priority)
1c2acffb 2280{
8c1d787b 2281 struct l2cap_conn *conn = chan->conn;
1c2acffb 2282 struct sk_buff *skb;
03a51213 2283 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2284 struct l2cap_hdr *lh;
2285
b4400672 2286 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2287
2288 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2289
2290 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2291 msg->msg_flags & MSG_DONTWAIT);
2292 if (IS_ERR(skb))
2293 return skb;
1c2acffb 2294
5e59b791
LAD		 2295 skb->priority = priority;
2296
1c2acffb
GP		 2297 /* Create L2CAP header */
2298 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2299 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2300 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2301 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2302
0952a57a 2303 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2304 if (unlikely(err < 0)) {
2305 kfree_skb(skb);
2306 return ERR_PTR(err);
2307 }
2308 return skb;
2309}
2310
5e59b791 2311static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2312 struct msghdr *msg, size_t len,
2313 u32 priority)
1c2acffb 2314{
8c1d787b 2315 struct l2cap_conn *conn = chan->conn;
1c2acffb 2316 struct sk_buff *skb;
f2ba7fae 2317 int err, count;
1c2acffb
GP		 2318 struct l2cap_hdr *lh;
2319
b4400672 2320 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2321
f2ba7fae 2322 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2323
f2ba7fae 2324 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2325 msg->msg_flags & MSG_DONTWAIT);
2326 if (IS_ERR(skb))
2327 return skb;
1c2acffb 2328
5e59b791
LAD		 2329 skb->priority = priority;
2330
1c2acffb
GP		 2331 /* Create L2CAP header */
2332 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2333 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2334 lh->len = cpu_to_le16(len);
1c2acffb 2335
0952a57a 2336 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2337 if (unlikely(err < 0)) {
2338 kfree_skb(skb);
2339 return ERR_PTR(err);
2340 }
2341 return skb;
2342}
2343
ab0ff76d 2344static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2345 struct msghdr *msg, size_t len,
2346 u16 sdulen)
1c2acffb 2347{
8c1d787b 2348 struct l2cap_conn *conn = chan->conn;
1c2acffb 2349 struct sk_buff *skb;
e4ca6d98 2350 int err, count, hlen;
1c2acffb
GP		 2351 struct l2cap_hdr *lh;
2352
b4400672 2353 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2354
0ee0d208
GP		 2355 if (!conn)
2356 return ERR_PTR(-ENOTCONN);
2357
ba7aa64f 2358 hlen = __ertm_hdr_size(chan);
e4ca6d98 2359
c74e560c 2360 if (sdulen)
03a51213 2361 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2362
47d1ec61 2363 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2364 hlen += L2CAP_FCS_SIZE;
fcc203c3 2365
1c2acffb 2366 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2367
2368 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2369 msg->msg_flags & MSG_DONTWAIT);
2370 if (IS_ERR(skb))
2371 return skb;
1c2acffb
GP		 2372
2373 /* Create L2CAP header */
2374 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2375 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2376 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2377
18a48e76
MM		 2378 /* Control header is populated later */
2379 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2380 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2381 else
2382 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2383
c74e560c 2384 if (sdulen)
03a51213 2385 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2386
0952a57a 2387 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2388 if (unlikely(err < 0)) {
2389 kfree_skb(skb);
2390 return ERR_PTR(err);
2391 }
e90bac06 2392
18a48e76 2393 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2394 bt_cb(skb)->control.retries = 0;
1c2acffb 2395 return skb;
1da177e4
LT		 2396}
2397
94122bbe
MM		 2398static int l2cap_segment_sdu(struct l2cap_chan *chan,
2399 struct sk_buff_head *seg_queue,
2400 struct msghdr *msg, size_t len)
c74e560c 2401{
c74e560c 2402 struct sk_buff *skb;
94122bbe
MM		 2403 u16 sdu_len;
2404 size_t pdu_len;
94122bbe 2405 u8 sar;
c74e560c 2406
b4400672 2407 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2408
94122bbe
MM		 2409 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2410 * so fragmented skbs are not used. The HCI layer's handling
2411 * of fragmented skbs is not compatible with ERTM's queueing.
2412 */
c74e560c 2413
94122bbe
MM		 2414 /* PDU size is derived from the HCI MTU */
2415 pdu_len = chan->conn->mtu;
c74e560c 2416
a549574d
MM		 2417 /* Constrain PDU size for BR/EDR connections */
2418 if (!chan->hs_hcon)
2419 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2420
2421 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2422 if (chan->fcs)
2423 pdu_len -= L2CAP_FCS_SIZE;
2424
ba7aa64f 2425 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2426
2427 /* Remote device may have requested smaller PDUs */
2428 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2429
2430 if (len <= pdu_len) {
2431 sar = L2CAP_SAR_UNSEGMENTED;
2432 sdu_len = 0;
2433 pdu_len = len;
2434 } else {
2435 sar = L2CAP_SAR_START;
2436 sdu_len = len;
2437 pdu_len -= L2CAP_SDULEN_SIZE;
2438 }
2439
2440 while (len > 0) {
2441 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2442
c74e560c 2443 if (IS_ERR(skb)) {
94122bbe 2444 __skb_queue_purge(seg_queue);
c74e560c
GP		 2445 return PTR_ERR(skb);
2446 }
2447
94122bbe
MM		 2448 bt_cb(skb)->control.sar = sar;
2449 __skb_queue_tail(seg_queue, skb);
2450
2451 len -= pdu_len;
2452 if (sdu_len) {
2453 sdu_len = 0;
2454 pdu_len += L2CAP_SDULEN_SIZE;
2455 }
2456
2457 if (len <= pdu_len) {
2458 sar = L2CAP_SAR_END;
2459 pdu_len = len;
2460 } else {
2461 sar = L2CAP_SAR_CONTINUE;
2462 }
c74e560c 2463 }
c74e560c 2464
f0f62799 2465 return 0;
c74e560c
GP		 2466}
2467
5e59b791 2468int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2469 u32 priority)
9a91a04a 2470{
9a91a04a 2471 struct sk_buff *skb;
9a91a04a 2472 int err;
94122bbe 2473 struct sk_buff_head seg_queue;
9a91a04a
GP		 2474
2475 /* Connectionless channel */
715ec005 2476 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2477 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2478 if (IS_ERR(skb))
2479 return PTR_ERR(skb);
2480
2481 l2cap_do_send(chan, skb);
2482 return len;
2483 }
2484
2485 switch (chan->mode) {
2486 case L2CAP_MODE_BASIC:
2487 /* Check outgoing MTU */
2488 if (len > chan->omtu)
2489 return -EMSGSIZE;
2490
2491 /* Create a basic PDU */
5e59b791 2492 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2493 if (IS_ERR(skb))
2494 return PTR_ERR(skb);
2495
2496 l2cap_do_send(chan, skb);
2497 err = len;
2498 break;
2499
2500 case L2CAP_MODE_ERTM:
2501 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2502 /* Check outgoing MTU */
2503 if (len > chan->omtu) {
2504 err = -EMSGSIZE;
2505 break;
2506 }
9a91a04a 2507
94122bbe 2508 __skb_queue_head_init(&seg_queue);
9a91a04a 2509
94122bbe
MM		 2510 /* Do segmentation before calling in to the state machine,
2511 * since it's possible to block while waiting for memory
2512 * allocation.
2513 */
2514 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2515
94122bbe
MM		 2516 /* The channel could have been closed while segmenting,
2517 * check that it is still connected.
2518 */
2519 if (chan->state != BT_CONNECTED) {
2520 __skb_queue_purge(&seg_queue);
2521 err = -ENOTCONN;
9a91a04a
GP		 2522 }
2523
94122bbe 2524 if (err)
9a91a04a 2525 break;
9a91a04a 2526
3733937d 2527 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2528 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2529 else
d660366d 2530 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2531
d660366d 2532 err = len;
9a91a04a 2533
94122bbe
MM		 2534 /* If the skbs were not queued for sending, they'll still be in
2535 * seg_queue and need to be purged.
2536 */
2537 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2538 break;
2539
2540 default:
2541 BT_DBG("bad state %1.1x", chan->mode);
2542 err = -EBADFD;
2543 }
2544
2545 return err;
2546}
2547
d2a7ac5d
MM		 2548static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2549{
bed68bde
MM		 2550 struct l2cap_ctrl control;
2551 u16 seq;
2552
b4400672 2553 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2554
2555 memset(&control, 0, sizeof(control));
2556 control.sframe = 1;
2557 control.super = L2CAP_SUPER_SREJ;
2558
2559 for (seq = chan->expected_tx_seq; seq != txseq;
2560 seq = __next_seq(chan, seq)) {
2561 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2562 control.reqseq = seq;
2563 l2cap_send_sframe(chan, &control);
2564 l2cap_seq_list_append(&chan->srej_list, seq);
2565 }
2566 }
2567
2568 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2569}
2570
2571static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2572{
bed68bde
MM		 2573 struct l2cap_ctrl control;
2574
2575 BT_DBG("chan %p", chan);
2576
2577 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2578 return;
2579
2580 memset(&control, 0, sizeof(control));
2581 control.sframe = 1;
2582 control.super = L2CAP_SUPER_SREJ;
2583 control.reqseq = chan->srej_list.tail;
2584 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2585}
2586
2587static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2588{
bed68bde
MM		 2589 struct l2cap_ctrl control;
2590 u16 initial_head;
2591 u16 seq;
2592
b4400672 2593 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2594
2595 memset(&control, 0, sizeof(control));
2596 control.sframe = 1;
2597 control.super = L2CAP_SUPER_SREJ;
2598
2599 /* Capture initial list head to allow only one pass through the list. */
2600 initial_head = chan->srej_list.head;
2601
2602 do {
2603 seq = l2cap_seq_list_pop(&chan->srej_list);
2604 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2605 break;
2606
2607 control.reqseq = seq;
2608 l2cap_send_sframe(chan, &control);
2609 l2cap_seq_list_append(&chan->srej_list, seq);
2610 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2611}
2612
608bcc6d
MM		 2613static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2614{
2615 struct sk_buff *acked_skb;
2616 u16 ackseq;
2617
b4400672 2618 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2619
2620 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2621 return;
2622
b4400672 2623 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2624 chan->expected_ack_seq, chan->unacked_frames);
2625
2626 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2627 ackseq = __next_seq(chan, ackseq)) {
2628
2629 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2630 if (acked_skb) {
2631 skb_unlink(acked_skb, &chan->tx_q);
2632 kfree_skb(acked_skb);
2633 chan->unacked_frames--;
2634 }
2635 }
2636
2637 chan->expected_ack_seq = reqseq;
2638
2639 if (chan->unacked_frames == 0)
2640 __clear_retrans_timer(chan);
2641
b4400672 2642 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2643}
2644
2645static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2646{
2647 BT_DBG("chan %p", chan);
2648
2649 chan->expected_tx_seq = chan->buffer_seq;
2650 l2cap_seq_list_clear(&chan->srej_list);
2651 skb_queue_purge(&chan->srej_q);
2652 chan->rx_state = L2CAP_RX_STATE_RECV;
2653}
2654
d660366d
GP		 2655static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2656 struct l2cap_ctrl *control,
2657 struct sk_buff_head *skbs, u8 event)
608bcc6d 2658{
608bcc6d
MM		 2659 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2660 event);
2661
2662 switch (event) {
2663 case L2CAP_EV_DATA_REQUEST:
2664 if (chan->tx_send_head == NULL)
2665 chan->tx_send_head = skb_peek(skbs);
2666
2667 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2668 l2cap_ertm_send(chan);
2669 break;
2670 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2671 BT_DBG("Enter LOCAL_BUSY");
2672 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2673
2674 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2675 /* The SREJ_SENT state must be aborted if we are to
2676 * enter the LOCAL_BUSY state.
2677 */
2678 l2cap_abort_rx_srej_sent(chan);
2679 }
2680
2681 l2cap_send_ack(chan);
2682
2683 break;
2684 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2685 BT_DBG("Exit LOCAL_BUSY");
2686 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2687
2688 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2689 struct l2cap_ctrl local_control;
2690
2691 memset(&local_control, 0, sizeof(local_control));
2692 local_control.sframe = 1;
2693 local_control.super = L2CAP_SUPER_RR;
2694 local_control.poll = 1;
2695 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2696 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2697
2698 chan->retry_count = 1;
2699 __set_monitor_timer(chan);
2700 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2701 }
2702 break;
2703 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2704 l2cap_process_reqseq(chan, control->reqseq);
2705 break;
2706 case L2CAP_EV_EXPLICIT_POLL:
2707 l2cap_send_rr_or_rnr(chan, 1);
2708 chan->retry_count = 1;
2709 __set_monitor_timer(chan);
2710 __clear_ack_timer(chan);
2711 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2712 break;
2713 case L2CAP_EV_RETRANS_TO:
2714 l2cap_send_rr_or_rnr(chan, 1);
2715 chan->retry_count = 1;
2716 __set_monitor_timer(chan);
2717 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2718 break;
2719 case L2CAP_EV_RECV_FBIT:
2720 /* Nothing to process */
2721 break;
2722 default:
2723 break;
2724 }
608bcc6d
MM		 2725}
2726
d660366d
GP		 2727static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2728 struct l2cap_ctrl *control,
2729 struct sk_buff_head *skbs, u8 event)
608bcc6d 2730{
608bcc6d
MM		 2731 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2732 event);
2733
2734 switch (event) {
2735 case L2CAP_EV_DATA_REQUEST:
2736 if (chan->tx_send_head == NULL)
2737 chan->tx_send_head = skb_peek(skbs);
2738 /* Queue data, but don't send. */
2739 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2740 break;
2741 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2742 BT_DBG("Enter LOCAL_BUSY");
2743 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2744
2745 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2746 /* The SREJ_SENT state must be aborted if we are to
2747 * enter the LOCAL_BUSY state.
2748 */
2749 l2cap_abort_rx_srej_sent(chan);
2750 }
2751
2752 l2cap_send_ack(chan);
2753
2754 break;
2755 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2756 BT_DBG("Exit LOCAL_BUSY");
2757 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2758
2759 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2760 struct l2cap_ctrl local_control;
2761 memset(&local_control, 0, sizeof(local_control));
2762 local_control.sframe = 1;
2763 local_control.super = L2CAP_SUPER_RR;
2764 local_control.poll = 1;
2765 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2766 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2767
2768 chan->retry_count = 1;
2769 __set_monitor_timer(chan);
2770 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2771 }
2772 break;
2773 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2774 l2cap_process_reqseq(chan, control->reqseq);
2775
2776 /* Fall through */
2777
2778 case L2CAP_EV_RECV_FBIT:
2779 if (control && control->final) {
2780 __clear_monitor_timer(chan);
2781 if (chan->unacked_frames > 0)
2782 __set_retrans_timer(chan);
2783 chan->retry_count = 0;
2784 chan->tx_state = L2CAP_TX_STATE_XMIT;
2785 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2786 }
2787 break;
2788 case L2CAP_EV_EXPLICIT_POLL:
2789 /* Ignore */
2790 break;
2791 case L2CAP_EV_MONITOR_TO:
2792 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2793 l2cap_send_rr_or_rnr(chan, 1);
2794 __set_monitor_timer(chan);
2795 chan->retry_count++;
2796 } else {
5e4e3972 2797 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2798 }
2799 break;
2800 default:
2801 break;
2802 }
608bcc6d
MM		 2803}
2804
d660366d
GP		 2805static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2806 struct sk_buff_head *skbs, u8 event)
608bcc6d 2807{
608bcc6d
MM		 2808 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2809 chan, control, skbs, event, chan->tx_state);
2810
2811 switch (chan->tx_state) {
2812 case L2CAP_TX_STATE_XMIT:
d660366d 2813 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2814 break;
2815 case L2CAP_TX_STATE_WAIT_F:
d660366d 2816 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2817 break;
2818 default:
2819 /* Ignore event */
2820 break;
2821 }
608bcc6d
MM		 2822}
2823
4b51dae9
MM		 2824static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2825 struct l2cap_ctrl *control)
2826{
2827 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2828 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2829}
2830
f80842a8
MM		 2831static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2832 struct l2cap_ctrl *control)
2833{
2834 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2835 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2836}
2837
1da177e4
LT		 2838/* Copy frame to all raw sockets on that connection */
2839static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2840{
1da177e4 2841 struct sk_buff *nskb;
48454079 2842 struct l2cap_chan *chan;
1da177e4
LT		 2843
2844 BT_DBG("conn %p", conn);
2845
3df91ea2 2846 mutex_lock(&conn->chan_lock);
3d57dc68 2847
3df91ea2 2848 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2849 struct sock *sk = chan->sk;
715ec005 2850 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2851 continue;
2852
2853 /* Don't send frame to the socket it came from */
2854 if (skb->sk == sk)
2855 continue;
8bcde1f2 2856 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2857 if (!nskb)
1da177e4
LT		 2858 continue;
2859
80b98027 2860 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2861 kfree_skb(nskb);
2862 }
3d57dc68 2863
3df91ea2 2864 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2865}
2866
2867/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2868static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2869 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2870{
2871 struct sk_buff *skb, **frag;
2872 struct l2cap_cmd_hdr *cmd;
2873 struct l2cap_hdr *lh;
2874 int len, count;
2875
b4400672
AE		 2876 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2877 conn, code, ident, dlen);
1da177e4 2878
300b962e
AL		 2879 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2880 return NULL;
2881
1da177e4
LT		 2882 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2883 count = min_t(unsigned int, conn->mtu, len);
2884
8bcde1f2 2885 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2886 if (!skb)
2887 return NULL;
2888
2889 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2890 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2891
2892 if (conn->hcon->type == LE_LINK)
ac73498c 2893 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2894 else
ac73498c 2895 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2896
2897 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2898 cmd->code = code;
2899 cmd->ident = ident;
aca3192c 2900 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2901
2902 if (dlen) {
2903 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2904 memcpy(skb_put(skb, count), data, count);
2905 data += count;
2906 }
2907
2908 len -= skb->len;
2909
2910 /* Continuation fragments (no L2CAP header) */
2911 frag = &skb_shinfo(skb)->frag_list;
2912 while (len) {
2913 count = min_t(unsigned int, conn->mtu, len);
2914
8bcde1f2 2915 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2916 if (!*frag)
2917 goto fail;
2918
2919 memcpy(skb_put(*frag, count), data, count);
2920
2921 len -= count;
2922 data += count;
2923
2924 frag = &(*frag)->next;
2925 }
2926
2927 return skb;
2928
2929fail:
2930 kfree_skb(skb);
2931 return NULL;
2932}
2933
2d792818
GP		 2934static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2935 unsigned long *val)
1da177e4
LT		 2936{
2937 struct l2cap_conf_opt *opt = *ptr;
2938 int len;
2939
2940 len = L2CAP_CONF_OPT_SIZE + opt->len;
2941 *ptr += len;
2942
2943 *type = opt->type;
2944 *olen = opt->len;
2945
2946 switch (opt->len) {
2947 case 1:
2948 *val = *((u8 *) opt->val);
2949 break;
2950
2951 case 2:
bfaaeb3e 2952 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2953 break;
2954
2955 case 4:
bfaaeb3e 2956 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2957 break;
2958
2959 default:
2960 *val = (unsigned long) opt->val;
2961 break;
2962 }
2963
b4400672 2964 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2965 return len;
2966}
2967
1da177e4
LT		 2968static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2969{
2970 struct l2cap_conf_opt *opt = *ptr;
2971
b4400672 2972 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2973
2974 opt->type = type;
2975 opt->len = len;
2976
2977 switch (len) {
2978 case 1:
2979 *((u8 *) opt->val) = val;
2980 break;
2981
2982 case 2:
4f8b691c 2983 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2984 break;
2985
2986 case 4:
4f8b691c 2987 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2988 break;
2989
2990 default:
2991 memcpy(opt->val, (void *) val, len);
2992 break;
2993 }
2994
2995 *ptr += L2CAP_CONF_OPT_SIZE + len;
2996}
2997
f89cef09
AE		 2998static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2999{
3000 struct l2cap_conf_efs efs;
3001
1ec918ce 3002 switch (chan->mode) {
f89cef09
AE		 3003 case L2CAP_MODE_ERTM:
3004 efs.id = chan->local_id;
3005 efs.stype = chan->local_stype;
3006 efs.msdu = cpu_to_le16(chan->local_msdu);
3007 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 3008 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 3009 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3010 break;
3011
3012 case L2CAP_MODE_STREAMING:
3013 efs.id = 1;
3014 efs.stype = L2CAP_SERV_BESTEFFORT;
3015 efs.msdu = cpu_to_le16(chan->local_msdu);
3016 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3017 efs.acc_lat = 0;
3018 efs.flush_to = 0;
3019 break;
3020
3021 default:
3022 return;
3023 }
3024
3025 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3026 (unsigned long) &efs);
f89cef09
AE		 3027}
3028
721c4181 3029static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3030{
721c4181 3031 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3032 ack_timer.work);
3033 u16 frames_to_ack;
c1b4f43b 3034
2fb9b3d4
GP		 3035 BT_DBG("chan %p", chan);
3036
6be36555
AE		 3037 l2cap_chan_lock(chan);
3038
0362520b
MM		 3039 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3040 chan->last_acked_seq);
6be36555 3041
0362520b
MM		 3042 if (frames_to_ack)
3043 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3044
0362520b 3045 l2cap_chan_unlock(chan);
09bfb2ee 3046 l2cap_chan_put(chan);
c1b4f43b
GP		 3047}
3048
466f8004 3049int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3050{
3c588192
MM		 3051 int err;
3052
105bdf9e
MM		 3053 chan->next_tx_seq = 0;
3054 chan->expected_tx_seq = 0;
42e5c802 3055 chan->expected_ack_seq = 0;
6a026610 3056 chan->unacked_frames = 0;
42e5c802 3057 chan->buffer_seq = 0;
6a026610 3058 chan->frames_sent = 0;
105bdf9e
MM		 3059 chan->last_acked_seq = 0;
3060 chan->sdu = NULL;
3061 chan->sdu_last_frag = NULL;
3062 chan->sdu_len = 0;
3063
d34c34fb
MM		 3064 skb_queue_head_init(&chan->tx_q);
3065
6ed971ca
MH		 3066 chan->local_amp_id = AMP_ID_BREDR;
3067 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3068 chan->move_state = L2CAP_MOVE_STABLE;
3069 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3070
105bdf9e
MM		 3071 if (chan->mode != L2CAP_MODE_ERTM)
3072 return 0;
3073
3074 chan->rx_state = L2CAP_RX_STATE_RECV;
3075 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3076
721c4181
GP		 3077 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3078 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3079 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3080
f1c6775b 3081 skb_queue_head_init(&chan->srej_q);
1890d36b 3082
3c588192
MM		 3083 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3084 if (err < 0)
3085 return err;
3086
9dc9affc
MM		 3087 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3088 if (err < 0)
3089 l2cap_seq_list_free(&chan->srej_list);
3090
3091 return err;
0565c1c2
GP		 3092}
3093
f2fcfcd6
GP		 3094static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3095{
3096 switch (mode) {
3097 case L2CAP_MODE_STREAMING:
3098 case L2CAP_MODE_ERTM:
3099 if (l2cap_mode_supported(mode, remote_feat_mask))
3100 return mode;
3101 /* fall through */
3102 default:
3103 return L2CAP_MODE_BASIC;
3104 }
3105}
3106
848566b3 3107static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3108{
848566b3 3109 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3110}
3111
848566b3 3112static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3113{
848566b3 3114 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3115}
3116
36c86c85
MM		 3117static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3118 struct l2cap_conf_rfc *rfc)
3119{
6ed971ca 3120 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3121 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3122
3123 /* Class 1 devices have must have ERTM timeouts
3124 * exceeding the Link Supervision Timeout. The
3125 * default Link Supervision Timeout for AMP
3126 * controllers is 10 seconds.
3127 *
3128 * Class 1 devices use 0xffffffff for their
3129 * best-effort flush timeout, so the clamping logic
3130 * will result in a timeout that meets the above
3131 * requirement. ERTM timeouts are 16-bit values, so
3132 * the maximum timeout is 65.535 seconds.
3133 */
3134
3135 /* Convert timeout to milliseconds and round */
3136 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3137
3138 /* This is the recommended formula for class 2 devices
3139 * that start ERTM timers when packets are sent to the
3140 * controller.
3141 */
3142 ertm_to = 3 * ertm_to + 500;
3143
3144 if (ertm_to > 0xffff)
3145 ertm_to = 0xffff;
3146
3147 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3148 rfc->monitor_timeout = rfc->retrans_timeout;
3149 } else {
3150 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3151 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3152 }
3153}
3154
6327eb98
AE		 3155static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3156{
3157 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3158 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3159 /* use extended control field */
3160 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3161 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3162 } else {
6327eb98 3163 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3164 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3165 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3166 }
c20f8e35 3167 chan->ack_win = chan->tx_win;
6327eb98
AE		 3168}
3169
710f9b0a 3170static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3171{
1da177e4 3172 struct l2cap_conf_req *req = data;
0c1bc5c6 3173 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3174 void *ptr = req->data;
c8f79162 3175 u16 size;
1da177e4 3176
49208c9c 3177 BT_DBG("chan %p", chan);
1da177e4 3178
73ffa904 3179 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3180 goto done;
3181
0c1bc5c6 3182 switch (chan->mode) {
f2fcfcd6
GP		 3183 case L2CAP_MODE_STREAMING:
3184 case L2CAP_MODE_ERTM:
c1360a1c 3185 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3186 break;
85eb53c6 3187
848566b3 3188 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3189 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3190
2ba13ed6 3191 /* fall through */
f2fcfcd6 3192 default:
8c1d787b 3193 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3194 break;
3195 }
3196
3197done:
0c1bc5c6
GP		 3198 if (chan->imtu != L2CAP_DEFAULT_MTU)
3199 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3200
0c1bc5c6 3201 switch (chan->mode) {
65c7c491 3202 case L2CAP_MODE_BASIC:
8c1d787b 3203 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3204 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3205 break;
3206
62547752
GP		 3207 rfc.mode = L2CAP_MODE_BASIC;
3208 rfc.txwin_size = 0;
3209 rfc.max_transmit = 0;
3210 rfc.retrans_timeout = 0;
3211 rfc.monitor_timeout = 0;
3212 rfc.max_pdu_size = 0;
3213
63406504 3214 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3215 (unsigned long) &rfc);
65c7c491
MH		 3216 break;
3217
3218 case L2CAP_MODE_ERTM:
3219 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3220 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3221
3222 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3223
3224 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3225 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3226 L2CAP_FCS_SIZE);
c8f79162 3227 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3228
6327eb98
AE		 3229 l2cap_txwin_setup(chan);
3230
3231 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3232 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3233
63406504 3234 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3235 (unsigned long) &rfc);
63406504 3236
f89cef09
AE		 3237 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3238 l2cap_add_opt_efs(&ptr, chan);
3239
6327eb98
AE		 3240 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3241 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3242 chan->tx_win);
60918918
AE		 3243
3244 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3245 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3246 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3247 chan->fcs = L2CAP_FCS_NONE;
3248 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3249 chan->fcs);
3250 }
f2fcfcd6
GP		 3251 break;
3252
3253 case L2CAP_MODE_STREAMING:
273759e2 3254 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3255 rfc.mode = L2CAP_MODE_STREAMING;
3256 rfc.txwin_size = 0;
3257 rfc.max_transmit = 0;
3258 rfc.retrans_timeout = 0;
3259 rfc.monitor_timeout = 0;
c8f79162
AE		 3260
3261 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3262 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3263 L2CAP_FCS_SIZE);
c8f79162 3264 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3265
63406504 3266 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3267 (unsigned long) &rfc);
63406504 3268
f89cef09
AE		 3269 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3270 l2cap_add_opt_efs(&ptr, chan);
3271
60918918
AE		 3272 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3273 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3274 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3275 chan->fcs = L2CAP_FCS_NONE;
3276 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3277 chan->fcs);
3278 }
65c7c491
MH		 3279 break;
3280 }
1da177e4 3281
fe4128e0 3282 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3283 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3284
3285 return ptr - data;
3286}
3287
73ffa904 3288static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3289{
5dee9e7c
MH		 3290 struct l2cap_conf_rsp *rsp = data;
3291 void *ptr = rsp->data;
73ffa904
GP		 3292 void *req = chan->conf_req;
3293 int len = chan->conf_len;
5dee9e7c
MH		 3294 int type, hint, olen;
3295 unsigned long val;
6464f35f 3296 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3297 struct l2cap_conf_efs efs;
3298 u8 remote_efs = 0;
861d6882 3299 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3300 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3301 u16 size;
1da177e4 3302
73ffa904 3303 BT_DBG("chan %p", chan);
820ae1b8 3304
5dee9e7c
MH		 3305 while (len >= L2CAP_CONF_OPT_SIZE) {
3306 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3307
589d2746 3308 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3309 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3310
3311 switch (type) {
3312 case L2CAP_CONF_MTU:
861d6882 3313 mtu = val;
5dee9e7c
MH		 3314 break;
3315
3316 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3317 chan->flush_to = val;
5dee9e7c
MH		 3318 break;
3319
3320 case L2CAP_CONF_QOS:
3321 break;
3322
6464f35f
MH		 3323 case L2CAP_CONF_RFC:
3324 if (olen == sizeof(rfc))
3325 memcpy(&rfc, (void *) val, olen);
3326 break;
3327
fcc203c3
GP		 3328 case L2CAP_CONF_FCS:
3329 if (val == L2CAP_FCS_NONE)
f2592d3e 3330 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3331 break;
fcc203c3 3332
42dceae2
AE		 3333 case L2CAP_CONF_EFS:
3334 remote_efs = 1;
3335 if (olen == sizeof(efs))
3336 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3337 break;
3338
6327eb98 3339 case L2CAP_CONF_EWS:
848566b3 3340 if (!chan->conn->hs_enabled)
6327eb98 3341 return -ECONNREFUSED;
fcc203c3 3342
6327eb98
AE		 3343 set_bit(FLAG_EXT_CTRL, &chan->flags);
3344 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3345 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3346 chan->remote_tx_win = val;
fcc203c3
GP		 3347 break;
3348
5dee9e7c
MH		 3349 default:
3350 if (hint)
3351 break;
3352
3353 result = L2CAP_CONF_UNKNOWN;
3354 *((u8 *) ptr++) = type;
3355 break;
3356 }
3357 }
3358
73ffa904 3359 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3360 goto done;
3361
0c1bc5c6 3362 switch (chan->mode) {
f2fcfcd6
GP		 3363 case L2CAP_MODE_STREAMING:
3364 case L2CAP_MODE_ERTM:
c1360a1c 3365 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3366 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3367 chan->conn->feat_mask);
85eb53c6
GP		 3368 break;
3369 }
3370
42dceae2 3371 if (remote_efs) {
848566b3 3372 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3373 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3374 else
3375 return -ECONNREFUSED;
3376 }
3377
0c1bc5c6 3378 if (chan->mode != rfc.mode)
f2fcfcd6 3379 return -ECONNREFUSED;
742e519b 3380
f2fcfcd6 3381 break;
f2fcfcd6
GP		 3382 }
3383
3384done:
0c1bc5c6 3385 if (chan->mode != rfc.mode) {
f2fcfcd6 3386 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3387 rfc.mode = chan->mode;
f2fcfcd6 3388
73ffa904 3389 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3390 return -ECONNREFUSED;
3391
2d792818
GP		 3392 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3393 (unsigned long) &rfc);
f2fcfcd6
GP		 3394 }
3395
5dee9e7c
MH		 3396 if (result == L2CAP_CONF_SUCCESS) {
3397 /* Configure output options and let the other side know
3398 * which ones we don't like. */
3399
f2fcfcd6
GP		 3400 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3401 result = L2CAP_CONF_UNACCEPT;
3402 else {
0c1bc5c6 3403 chan->omtu = mtu;
c1360a1c 3404 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3405 }
0c1bc5c6 3406 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3407
42dceae2
AE		 3408 if (remote_efs) {
3409 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3410 efs.stype != L2CAP_SERV_NOTRAFIC &&
3411 efs.stype != chan->local_stype) {
42dceae2
AE		 3412
3413 result = L2CAP_CONF_UNACCEPT;
3414
3415 if (chan->num_conf_req >= 1)
3416 return -ECONNREFUSED;
3417
3418 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3419 sizeof(efs),
3420 (unsigned long) &efs);
0e8b207e 3421 } else {
3e6b3b95 3422 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3423 result = L2CAP_CONF_PENDING;
3424 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3425 }
3426 }
3427
f2fcfcd6
GP		 3428 switch (rfc.mode) {
3429 case L2CAP_MODE_BASIC:
47d1ec61 3430 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3431 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3432 break;
3433
3434 case L2CAP_MODE_ERTM:
6327eb98
AE		 3435 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3436 chan->remote_tx_win = rfc.txwin_size;
3437 else
3438 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3439
2c03a7a4 3440 chan->remote_max_tx = rfc.max_transmit;
1c762159 3441
c8f79162 3442 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3443 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3444 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3445 rfc.max_pdu_size = cpu_to_le16(size);
3446 chan->remote_mps = size;
f2fcfcd6 3447
36c86c85 3448 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3449
c1360a1c 3450 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3451
3452 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3453 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3454
42dceae2
AE		 3455 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3456 chan->remote_id = efs.id;
3457 chan->remote_stype = efs.stype;
3458 chan->remote_msdu = le16_to_cpu(efs.msdu);
3459 chan->remote_flush_to =
2d792818 3460 le32_to_cpu(efs.flush_to);
42dceae2 3461 chan->remote_acc_lat =
2d792818 3462 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3463 chan->remote_sdu_itime =
3464 le32_to_cpu(efs.sdu_itime);
3465 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3466 sizeof(efs),
3467 (unsigned long) &efs);
42dceae2 3468 }
f2fcfcd6
GP		 3469 break;
3470
3471 case L2CAP_MODE_STREAMING:
c8f79162 3472 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3473 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3474 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3475 rfc.max_pdu_size = cpu_to_le16(size);
3476 chan->remote_mps = size;
f2fcfcd6 3477
c1360a1c 3478 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3479
2d792818
GP		 3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3481 (unsigned long) &rfc);
68ae6639 3482
f2fcfcd6
GP		 3483 break;
3484
3485 default:
5dee9e7c 3486 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3487
6464f35f 3488 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3489 rfc.mode = chan->mode;
f2fcfcd6 3490 }
6464f35f 3491
f2fcfcd6 3492 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3493 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3494 }
fe4128e0 3495 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3496 rsp->result = cpu_to_le16(result);
59e54bd1 3497 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3498
3499 return ptr - data;
1da177e4
LT		 3500}
3501
2d792818
GP		 3502static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3503 void *data, u16 *result)
f2fcfcd6 3504{
f2fcfcd6
GP		 3505 struct l2cap_conf_req *req = data;
3506 void *ptr = req->data;
3507 int type, olen;
3508 unsigned long val;
36e999a8 3509 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3510 struct l2cap_conf_efs efs;
f2fcfcd6 3511
fe4128e0 3512 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3513
3514 while (len >= L2CAP_CONF_OPT_SIZE) {
3515 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3516
3517 switch (type) {
3518 case L2CAP_CONF_MTU:
3519 if (val < L2CAP_DEFAULT_MIN_MTU) {
3520 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3521 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3522 } else
0c1bc5c6
GP		 3523 chan->imtu = val;
3524 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3525 break;
3526
3527 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3528 chan->flush_to = val;
f2fcfcd6 3529 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3530 2, chan->flush_to);
f2fcfcd6
GP		 3531 break;
3532
3533 case L2CAP_CONF_RFC:
3534 if (olen == sizeof(rfc))
3535 memcpy(&rfc, (void *)val, olen);
3536
c1360a1c 3537 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3538 rfc.mode != chan->mode)
f2fcfcd6
GP		 3539 return -ECONNREFUSED;
3540
47d1ec61 3541 chan->fcs = 0;
f2fcfcd6
GP		 3542
3543 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3544 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3545 break;
6327eb98
AE		 3546
3547 case L2CAP_CONF_EWS:
c20f8e35 3548 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3549 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3550 chan->tx_win);
6327eb98 3551 break;
66af7aaf
AE		 3552
3553 case L2CAP_CONF_EFS:
3554 if (olen == sizeof(efs))
3555 memcpy(&efs, (void *)val, olen);
3556
3557 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3558 efs.stype != L2CAP_SERV_NOTRAFIC &&
3559 efs.stype != chan->local_stype)
66af7aaf
AE		 3560 return -ECONNREFUSED;
3561
2d792818
GP		 3562 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3563 (unsigned long) &efs);
66af7aaf 3564 break;
cbabee78
AE		 3565
3566 case L2CAP_CONF_FCS:
3567 if (*result == L2CAP_CONF_PENDING)
3568 if (val == L2CAP_FCS_NONE)
f2592d3e 3569 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3570 &chan->conf_state);
3571 break;
f2fcfcd6
GP		 3572 }
3573 }
3574
0c1bc5c6 3575 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3576 return -ECONNREFUSED;
3577
0c1bc5c6 3578 chan->mode = rfc.mode;
6c2ea7a8 3579
0e8b207e 3580 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3581 switch (rfc.mode) {
3582 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3583 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3584 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3585 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3586 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3587 chan->ack_win = min_t(u16, chan->ack_win,
3588 rfc.txwin_size);
66af7aaf
AE		 3589
3590 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3591 chan->local_msdu = le16_to_cpu(efs.msdu);
3592 chan->local_sdu_itime =
2d792818 3593 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3594 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3595 chan->local_flush_to =
2d792818 3596 le32_to_cpu(efs.flush_to);
66af7aaf 3597 }
f2fcfcd6 3598 break;
66af7aaf 3599
f2fcfcd6 3600 case L2CAP_MODE_STREAMING:
47d1ec61 3601 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3602 }
3603 }
3604
fe4128e0 3605 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3606 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3607
3608 return ptr - data;
3609}
3610
2d792818
GP		 3611static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3612 u16 result, u16 flags)
1da177e4
LT		 3613{
3614 struct l2cap_conf_rsp *rsp = data;
3615 void *ptr = rsp->data;
1da177e4 3616
fe4128e0 3617 BT_DBG("chan %p", chan);
1da177e4 3618
fe4128e0 3619 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3620 rsp->result = cpu_to_le16(result);
aca3192c 3621 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3622
3623 return ptr - data;
3624}
3625
8c1d787b 3626void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3627{
3628 struct l2cap_conn_rsp rsp;
8c1d787b 3629 struct l2cap_conn *conn = chan->conn;
710f9b0a 3630 u8 buf[128];
439f34ac 3631 u8 rsp_code;
710f9b0a 3632
fe4128e0
GP		 3633 rsp.scid = cpu_to_le16(chan->dcid);
3634 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3635 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3636 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3637
3638 if (chan->hs_hcon)
3639 rsp_code = L2CAP_CREATE_CHAN_RSP;
3640 else
3641 rsp_code = L2CAP_CONN_RSP;
3642
3643 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3644
3645 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3646
c1360a1c 3647 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3648 return;
3649
710f9b0a 3650 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3651 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3652 chan->num_conf_req++;
3653}
3654
47d1ec61 3655static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3656{
7b1c0049
GP		 3657 int type, olen;
3658 unsigned long val;
c20f8e35
MM		 3659 /* Use sane default values in case a misbehaving remote device
3660 * did not send an RFC or extended window size option.
3661 */
3662 u16 txwin_ext = chan->ack_win;
3663 struct l2cap_conf_rfc rfc = {
3664 .mode = chan->mode,
3665 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3666 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3667 .max_pdu_size = cpu_to_le16(chan->imtu),
3668 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3669 };
7b1c0049 3670
47d1ec61 3671 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3672
0c1bc5c6 3673 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3674 return;
3675
3676 while (len >= L2CAP_CONF_OPT_SIZE) {
3677 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3678
c20f8e35
MM		 3679 switch (type) {
3680 case L2CAP_CONF_RFC:
3681 if (olen == sizeof(rfc))
3682 memcpy(&rfc, (void *)val, olen);
8f321f85 3683 break;
c20f8e35
MM		 3684 case L2CAP_CONF_EWS:
3685 txwin_ext = val;
3686 break;
3687 }
7b1c0049
GP		 3688 }
3689
7b1c0049
GP		 3690 switch (rfc.mode) {
3691 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3692 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3693 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3694 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3695 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3696 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3697 else
3698 chan->ack_win = min_t(u16, chan->ack_win,
3699 rfc.txwin_size);
7b1c0049
GP		 3700 break;
3701 case L2CAP_MODE_STREAMING:
47d1ec61 3702 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3703 }
3704}
3705
2d792818 3706static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3707 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3708 u8 *data)
4e8402a3 3709{
e2fd318e 3710 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3711
cb3b3152
JH		 3712 if (cmd_len < sizeof(*rej))
3713 return -EPROTO;
3714
e2fd318e 3715 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3716 return 0;
3717
3718 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3719 cmd->ident == conn->info_ident) {
17cd3f37 3720 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3721
3722 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3723 conn->info_ident = 0;
984947dc 3724
4e8402a3
MH		 3725 l2cap_conn_start(conn);
3726 }
3727
3728 return 0;
3729}
3730
1700915f
MM		 3731static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3732 struct l2cap_cmd_hdr *cmd,
3733 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3734{
1da177e4
LT		 3735 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3736 struct l2cap_conn_rsp rsp;
23691d75 3737 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3738 struct sock *parent, *sk = NULL;
e7c29cb1 3739 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3740
3741 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3742 __le16 psm = req->psm;
1da177e4 3743
097db76c 3744 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3745
3746 /* Check if we have socket listening on psm */
c2287681 3747 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3748 if (!pchan) {
1da177e4
LT		 3749 result = L2CAP_CR_BAD_PSM;
3750 goto sendresp;
3751 }
3752
23691d75
GP		 3753 parent = pchan->sk;
3754
3df91ea2 3755 mutex_lock(&conn->chan_lock);
aa2ac881 3756 lock_sock(parent);
e0f0cb56 3757
e7c29cb1 3758 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3759 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3760 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3761 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3762 result = L2CAP_CR_SEC_BLOCK;
3763 goto response;
3764 }
3765
1da177e4
LT		 3766 result = L2CAP_CR_NO_MEM;
3767
2dfa1003
GP		 3768 /* Check if we already have channel with that dcid */
3769 if (__l2cap_get_chan_by_dcid(conn, scid))
3770 goto response;
3771
80b98027 3772 chan = pchan->ops->new_connection(pchan);
80808e43 3773 if (!chan)
1da177e4
LT		 3774 goto response;
3775
80808e43
GP		 3776 sk = chan->sk;
3777
330b6c15
SS		 3778 /* For certain devices (ex: HID mouse), support for authentication,
3779 * pairing and bonding is optional. For such devices, inorder to avoid
3780 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3781 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3782 */
3783 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3784
1da177e4
LT		 3785 bacpy(&bt_sk(sk)->src, conn->src);
3786 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3787 chan->psm = psm;
3788 chan->dcid = scid;
1700915f 3789 chan->local_amp_id = amp_id;
1da177e4 3790
6be36555 3791 __l2cap_chan_add(conn, chan);
48454079 3792
fe4128e0 3793 dcid = chan->scid;
1da177e4 3794
c9b66675 3795 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3796
fc7f8a7e 3797 chan->ident = cmd->ident;
1da177e4 3798
984947dc 3799 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3800 if (l2cap_chan_check_security(chan)) {
c5daa683 3801 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3802 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3803 result = L2CAP_CR_PEND;
3804 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3805 chan->ops->defer(chan);
f66dc81f 3806 } else {
1700915f
MM		 3807 /* Force pending result for AMP controllers.
3808 * The connection will succeed after the
3809 * physical link is up.
3810 */
6ed971ca 3811 if (amp_id == AMP_ID_BREDR) {
1700915f
MM		 3812 __l2cap_state_change(chan, BT_CONFIG);
3813 result = L2CAP_CR_SUCCESS;
6ed971ca
MH		 3814 } else {
3815 __l2cap_state_change(chan, BT_CONNECT2);
3816 result = L2CAP_CR_PEND;
1700915f 3817 }
f66dc81f
MH		 3818 status = L2CAP_CS_NO_INFO;
3819 }
79d554a6 3820 } else {
0e587be7 3821 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3822 result = L2CAP_CR_PEND;
3823 status = L2CAP_CS_AUTHEN_PEND;
3824 }
3825 } else {
0e587be7 3826 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3827 result = L2CAP_CR_PEND;
3828 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3829 }
3830
1da177e4 3831response:
aa2ac881 3832 release_sock(parent);
3df91ea2 3833 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3834
3835sendresp:
aca3192c
YH		 3836 rsp.scid = cpu_to_le16(scid);
3837 rsp.dcid = cpu_to_le16(dcid);
3838 rsp.result = cpu_to_le16(result);
3839 rsp.status = cpu_to_le16(status);
4c89b6aa 3840 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3841
3842 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3843 struct l2cap_info_req info;
ac73498c 3844 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3845
3846 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3847 conn->info_ident = l2cap_get_ident(conn);
3848
ba13ccd9 3849 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3850
2d792818
GP		 3851 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3852 sizeof(info), &info);
79d554a6
MH		 3853 }
3854
c1360a1c 3855 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3856 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3857 u8 buf[128];
c1360a1c 3858 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3859 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3860 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3861 chan->num_conf_req++;
e9aeb2dd 3862 }
1700915f
MM		 3863
3864 return chan;
4c89b6aa 3865}
e9aeb2dd 3866
4c89b6aa 3867static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3868 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3869{
7b064eda
JK		 3870 struct hci_dev *hdev = conn->hcon->hdev;
3871 struct hci_conn *hcon = conn->hcon;
3872
cb3b3152
JH		 3873 if (cmd_len < sizeof(struct l2cap_conn_req))
3874 return -EPROTO;
3875
7b064eda
JK		 3876 hci_dev_lock(hdev);
3877 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3878 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3879 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3880 hcon->dst_type, 0, NULL, 0,
3881 hcon->dev_class);
3882 hci_dev_unlock(hdev);
3883
300229f9 3884 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3885 return 0;
3886}
3887
5909cf30 3888static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3889 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3890 u8 *data)
1da177e4
LT		 3891{
3892 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3893 u16 scid, dcid, result, status;
48454079 3894 struct l2cap_chan *chan;
1da177e4 3895 u8 req[128];
3df91ea2 3896 int err;
1da177e4 3897
cb3b3152
JH		 3898 if (cmd_len < sizeof(*rsp))
3899 return -EPROTO;
3900
1da177e4
LT		 3901 scid = __le16_to_cpu(rsp->scid);
3902 dcid = __le16_to_cpu(rsp->dcid);
3903 result = __le16_to_cpu(rsp->result);
3904 status = __le16_to_cpu(rsp->status);
3905
1b009c98 3906 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3907 dcid, scid, result, status);
1da177e4 3908
3df91ea2
AE		 3909 mutex_lock(&conn->chan_lock);
3910
1da177e4 3911 if (scid) {
3df91ea2
AE		 3912 chan = __l2cap_get_chan_by_scid(conn, scid);
3913 if (!chan) {
21870b52 3914 err = -EBADSLT;
3df91ea2
AE		 3915 goto unlock;
3916 }
1da177e4 3917 } else {
3df91ea2
AE		 3918 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3919 if (!chan) {
21870b52 3920 err = -EBADSLT;
3df91ea2
AE		 3921 goto unlock;
3922 }
1da177e4
LT		 3923 }
3924
3df91ea2
AE		 3925 err = 0;
3926
6be36555 3927 l2cap_chan_lock(chan);
48454079 3928
1da177e4
LT		 3929 switch (result) {
3930 case L2CAP_CR_SUCCESS:
89bc500e 3931 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3932 chan->ident = 0;
fe4128e0 3933 chan->dcid = dcid;
c1360a1c 3934 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3935
c1360a1c 3936 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3937 break;
3938
1da177e4 3939 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3940 l2cap_build_conf_req(chan, req), req);
73ffa904 3941 chan->num_conf_req++;
1da177e4
LT		 3942 break;
3943
3944 case L2CAP_CR_PEND:
c1360a1c 3945 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3946 break;
3947
3948 default:
48454079 3949 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3950 break;
3951 }
3952
6be36555 3953 l2cap_chan_unlock(chan);
3df91ea2
AE		 3954
3955unlock:
3956 mutex_unlock(&conn->chan_lock);
3957
3958 return err;
1da177e4
LT		 3959}
3960
47d1ec61 3961static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3962{
3963 /* FCS is enabled only in ERTM or streaming mode, if one or both
3964 * sides request it.
3965 */
0c1bc5c6 3966 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3967 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3968 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3969 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3970}
3971
29d8a590
AE		 3972static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3973 u8 ident, u16 flags)
3974{
3975 struct l2cap_conn *conn = chan->conn;
3976
3977 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3978 flags);
3979
3980 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3981 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3982
3983 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3984 l2cap_build_conf_rsp(chan, data,
3985 L2CAP_CONF_SUCCESS, flags), data);
3986}
3987
2d792818
GP		 3988static inline int l2cap_config_req(struct l2cap_conn *conn,
3989 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3990 u8 *data)
1da177e4
LT		 3991{
3992 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3993 u16 dcid, flags;
3994 u8 rsp[64];
48454079 3995 struct l2cap_chan *chan;
3c588192 3996 int len, err = 0;
1da177e4 3997
cb3b3152
JH		 3998 if (cmd_len < sizeof(*req))
3999 return -EPROTO;
4000
1da177e4
LT		 4001 dcid = __le16_to_cpu(req->dcid);
4002 flags = __le16_to_cpu(req->flags);
4003
4004 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4005
baa7e1fa 4006 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 4007 if (!chan)
21870b52 4008 return -EBADSLT;
1da177e4 4009
033b1142 4010 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 4011 struct l2cap_cmd_rej_cid rej;
4012
ac73498c 4013 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 4014 rej.scid = cpu_to_le16(chan->scid);
4015 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 4016
df6bd743 4017 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 4018 sizeof(rej), &rej);
354f60a9 4019 goto unlock;
df6bd743 4020 }
354f60a9 4021
5dee9e7c 4022 /* Reject if config buffer is too small. */
88219a0f 4023 len = cmd_len - sizeof(*req);
cb3b3152 4024 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4025 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4026 l2cap_build_conf_rsp(chan, rsp,
4027 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4028 goto unlock;
4029 }
4030
4031 /* Store config. */
73ffa904
GP		 4032 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4033 chan->conf_len += len;
1da177e4 4034
59e54bd1 4035 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4036 /* Incomplete config. Send empty response. */
4037 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4038 l2cap_build_conf_rsp(chan, rsp,
4039 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4040 goto unlock;
4041 }
4042
4043 /* Complete config. */
73ffa904 4044 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4045 if (len < 0) {
5e4e3972 4046 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4047 goto unlock;
f2fcfcd6 4048 }
1da177e4 4049
1500109b 4050 chan->ident = cmd->ident;
5dee9e7c 4051 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4052 chan->num_conf_rsp++;
5dee9e7c 4053
5dee9e7c 4054 /* Reset config buffer. */
73ffa904 4055 chan->conf_len = 0;
5dee9e7c 4056
c1360a1c 4057 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4058 goto unlock;
4059
c1360a1c 4060 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4061 set_default_fcs(chan);
fcc203c3 4062
105bdf9e
MM		 4063 if (chan->mode == L2CAP_MODE_ERTM ||
4064 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4065 err = l2cap_ertm_init(chan);
4066
4067 if (err < 0)
5e4e3972 4068 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4069 else
4070 l2cap_chan_ready(chan);
0565c1c2 4071
876d9484
MH		 4072 goto unlock;
4073 }
4074
c1360a1c 4075 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4076 u8 buf[64];
1da177e4 4077 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4078 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4079 chan->num_conf_req++;
1da177e4
LT		 4080 }
4081
0e8b207e
AE		 4082 /* Got Conf Rsp PENDING from remote side and asume we sent
4083 Conf Rsp PENDING in the code above */
4084 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4085 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4086
4087 /* check compatibility */
4088
79de886d 4089 /* Send rsp for BR/EDR channel */
f351bc72 4090 if (!chan->hs_hcon)
79de886d
AE		 4091 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4092 else
4093 chan->ident = cmd->ident;
0e8b207e
AE		 4094 }
4095
1da177e4 4096unlock:
6be36555 4097 l2cap_chan_unlock(chan);
3c588192 4098 return err;
1da177e4
LT		 4099}
4100
2d792818 4101static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4102 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4103 u8 *data)
1da177e4
LT		 4104{
4105 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4106 u16 scid, flags, result;
48454079 4107 struct l2cap_chan *chan;
cb3b3152 4108 int len = cmd_len - sizeof(*rsp);
3c588192 4109 int err = 0;
1da177e4 4110
cb3b3152
JH		 4111 if (cmd_len < sizeof(*rsp))
4112 return -EPROTO;
4113
1da177e4
LT		 4114 scid = __le16_to_cpu(rsp->scid);
4115 flags = __le16_to_cpu(rsp->flags);
4116 result = __le16_to_cpu(rsp->result);
4117
61386cba
AE		 4118 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4119 result, len);
1da177e4 4120
baa7e1fa 4121 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4122 if (!chan)
1da177e4
LT		 4123 return 0;
4124
4125 switch (result) {
4126 case L2CAP_CONF_SUCCESS:
47d1ec61 4127 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4128 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4129 break;
4130
0e8b207e
AE		 4131 case L2CAP_CONF_PENDING:
4132 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4133
4134 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4135 char buf[64];
4136
4137 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4138 buf, &result);
0e8b207e 4139 if (len < 0) {
5e4e3972 4140 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4141 goto done;
4142 }
4143
f351bc72 4144 if (!chan->hs_hcon) {
79de886d
AE		 4145 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4146 0);
5ce66b59
AE		 4147 } else {
4148 if (l2cap_check_efs(chan)) {
4149 amp_create_logical_link(chan);
4150 chan->ident = cmd->ident;
4151 }
4152 }
0e8b207e
AE		 4153 }
4154 goto done;
4155
1da177e4 4156 case L2CAP_CONF_UNACCEPT:
73ffa904 4157 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4158 char req[64];
4159
c2c77ec8 4160 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4161 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4162 goto done;
4163 }
4164
f2fcfcd6
GP		 4165 /* throw out any old stored conf requests */
4166 result = L2CAP_CONF_SUCCESS;
b4450035 4167 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4168 req, &result);
f2fcfcd6 4169 if (len < 0) {
5e4e3972 4170 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4171 goto done;
4172 }
4173
4174 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4175 L2CAP_CONF_REQ, len, req);
73ffa904 4176 chan->num_conf_req++;
f2fcfcd6
GP		 4177 if (result != L2CAP_CONF_SUCCESS)
4178 goto done;
4179 break;
1da177e4
LT		 4180 }
4181
8e87d142 4182 default:
6be36555 4183 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4184
ba13ccd9 4185 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4186 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4187 goto done;
4188 }
4189
59e54bd1 4190 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4191 goto done;
4192
c1360a1c 4193 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4194
c1360a1c 4195 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4196 set_default_fcs(chan);
fcc203c3 4197
105bdf9e
MM		 4198 if (chan->mode == L2CAP_MODE_ERTM ||
4199 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4200 err = l2cap_ertm_init(chan);
0565c1c2 4201
3c588192 4202 if (err < 0)
5e4e3972 4203 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4204 else
4205 l2cap_chan_ready(chan);
1da177e4
LT		 4206 }
4207
4208done:
6be36555 4209 l2cap_chan_unlock(chan);
3c588192 4210 return err;
1da177e4
LT		 4211}
4212
2d792818 4213static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4214 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4215 u8 *data)
1da177e4
LT		 4216{
4217 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4218 struct l2cap_disconn_rsp rsp;
4219 u16 dcid, scid;
48454079 4220 struct l2cap_chan *chan;
1da177e4
LT		 4221 struct sock *sk;
4222
cb3b3152
JH		 4223 if (cmd_len != sizeof(*req))
4224 return -EPROTO;
4225
1da177e4
LT		 4226 scid = __le16_to_cpu(req->scid);
4227 dcid = __le16_to_cpu(req->dcid);
4228
4229 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4230
3df91ea2
AE		 4231 mutex_lock(&conn->chan_lock);
4232
4233 chan = __l2cap_get_chan_by_scid(conn, dcid);
4234 if (!chan) {
4235 mutex_unlock(&conn->chan_lock);
c4ea249f 4236 return -EBADSLT;
3df91ea2 4237 }
1da177e4 4238
6be36555
AE		 4239 l2cap_chan_lock(chan);
4240
48454079
GP		 4241 sk = chan->sk;
4242
fe4128e0
GP		 4243 rsp.dcid = cpu_to_le16(chan->scid);
4244 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4245 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4246
6be36555 4247 lock_sock(sk);
1da177e4 4248 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4249 release_sock(sk);
1da177e4 4250
61d6ef3e 4251 l2cap_chan_hold(chan);
48454079 4252 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4253
4254 l2cap_chan_unlock(chan);
1da177e4 4255
80b98027 4256 chan->ops->close(chan);
61d6ef3e 4257 l2cap_chan_put(chan);
3df91ea2
AE		 4258
4259 mutex_unlock(&conn->chan_lock);
4260
1da177e4
LT		 4261 return 0;
4262}
4263
2d792818 4264static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4265 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4266 u8 *data)
1da177e4
LT		 4267{
4268 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4269 u16 dcid, scid;
48454079 4270 struct l2cap_chan *chan;
1da177e4 4271
cb3b3152
JH		 4272 if (cmd_len != sizeof(*rsp))
4273 return -EPROTO;
4274
1da177e4
LT		 4275 scid = __le16_to_cpu(rsp->scid);
4276 dcid = __le16_to_cpu(rsp->dcid);
4277
4278 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4279
3df91ea2
AE		 4280 mutex_lock(&conn->chan_lock);
4281
4282 chan = __l2cap_get_chan_by_scid(conn, scid);
4283 if (!chan) {
4284 mutex_unlock(&conn->chan_lock);
1da177e4 4285 return 0;
3df91ea2 4286 }
1da177e4 4287
6be36555 4288 l2cap_chan_lock(chan);
48454079 4289
61d6ef3e 4290 l2cap_chan_hold(chan);
48454079 4291 l2cap_chan_del(chan, 0);
6be36555
AE		 4292
4293 l2cap_chan_unlock(chan);
1da177e4 4294
80b98027 4295 chan->ops->close(chan);
61d6ef3e 4296 l2cap_chan_put(chan);
3df91ea2
AE		 4297
4298 mutex_unlock(&conn->chan_lock);
4299
1da177e4
LT		 4300 return 0;
4301}
4302
2d792818 4303static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4304 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4305 u8 *data)
1da177e4
LT		 4306{
4307 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4308 u16 type;
4309
cb3b3152
JH		 4310 if (cmd_len != sizeof(*req))
4311 return -EPROTO;
4312
1da177e4
LT		 4313 type = __le16_to_cpu(req->type);
4314
4315 BT_DBG("type 0x%4.4x", type);
4316
f0709e03
MH		 4317 if (type == L2CAP_IT_FEAT_MASK) {
4318 u8 buf[8];
44dd46de 4319 u32 feat_mask = l2cap_feat_mask;
f0709e03 4320 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4321 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4322 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4323 if (!disable_ertm)
fcc203c3 4324 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4325 | L2CAP_FEAT_FCS;
848566b3 4326 if (conn->hs_enabled)
6327eb98 4327 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4328 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4329
1b7bf4ed 4330 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4331 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4332 buf);
e1027a7c
MH		 4333 } else if (type == L2CAP_IT_FIXED_CHAN) {
4334 u8 buf[12];
4335 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4336
848566b3 4337 if (conn->hs_enabled)
50a147cd
MM		 4338 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4339 else
4340 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4341
ac73498c
AE		 4342 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4343 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4344 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4345 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4346 buf);
f0709e03
MH		 4347 } else {
4348 struct l2cap_info_rsp rsp;
4349 rsp.type = cpu_to_le16(type);
ac73498c 4350 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4351 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4352 &rsp);
f0709e03 4353 }
1da177e4
LT		 4354
4355 return 0;
4356}
4357
2d792818 4358static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4359 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4360 u8 *data)
1da177e4
LT		 4361{
4362 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4363 u16 type, result;
4364
3f6fa3d4 4365 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4366 return -EPROTO;
4367
1da177e4
LT		 4368 type = __le16_to_cpu(rsp->type);
4369 result = __le16_to_cpu(rsp->result);
4370
4371 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4372
e90165be
AE		 4373 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4374 if (cmd->ident != conn->info_ident ||
2d792818 4375 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4376 return 0;
4377
17cd3f37 4378 cancel_delayed_work(&conn->info_timer);
4e8402a3 4379
adb08ede
VT		 4380 if (result != L2CAP_IR_SUCCESS) {
4381 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4382 conn->info_ident = 0;
4383
4384 l2cap_conn_start(conn);
4385
4386 return 0;
4387 }
4388
978c93b9
AE		 4389 switch (type) {
4390 case L2CAP_IT_FEAT_MASK:
83985319 4391 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4392
47ec1dcd 4393 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4394 struct l2cap_info_req req;
ac73498c 4395 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4396
4397 conn->info_ident = l2cap_get_ident(conn);
4398
4399 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4400 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4401 } else {
4402 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4403 conn->info_ident = 0;
4404
4405 l2cap_conn_start(conn);
4406 }
978c93b9
AE		 4407 break;
4408
4409 case L2CAP_IT_FIXED_CHAN:
4410 conn->fixed_chan_mask = rsp->data[0];
984947dc 4411 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4412 conn->info_ident = 0;
984947dc
MH		 4413
4414 l2cap_conn_start(conn);
978c93b9 4415 break;
984947dc 4416 }
4e8402a3 4417
1da177e4
LT		 4418 return 0;
4419}
4420
1700915f
MM		 4421static int l2cap_create_channel_req(struct l2cap_conn *conn,
4422 struct l2cap_cmd_hdr *cmd,
4423 u16 cmd_len, void *data)
f94ff6ff
MM		 4424{
4425 struct l2cap_create_chan_req *req = data;
6e1df6a6 4426 struct l2cap_create_chan_rsp rsp;
1700915f 4427 struct l2cap_chan *chan;
6e1df6a6 4428 struct hci_dev *hdev;
f94ff6ff
MM		 4429 u16 psm, scid;
4430
4431 if (cmd_len != sizeof(*req))
4432 return -EPROTO;
4433
848566b3 4434 if (!conn->hs_enabled)
f94ff6ff
MM		 4435 return -EINVAL;
4436
4437 psm = le16_to_cpu(req->psm);
4438 scid = le16_to_cpu(req->scid);
4439
ad0ac6ca 4440 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4441
6e1df6a6 4442 /* For controller id 0 make BR/EDR connection */
6ed971ca 4443 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4444 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4445 req->amp_id);
4446 return 0;
4447 }
1700915f 4448
6e1df6a6
AE		 4449 /* Validate AMP controller id */
4450 hdev = hci_dev_get(req->amp_id);
4451 if (!hdev)
4452 goto error;
1700915f 4453
6e1df6a6
AE		 4454 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4455 hci_dev_put(hdev);
4456 goto error;
4457 }
1700915f 4458
6e1df6a6
AE		 4459 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4460 req->amp_id);
4461 if (chan) {
4462 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4463 struct hci_conn *hs_hcon;
1700915f 4464
6e1df6a6
AE		 4465 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4466 if (!hs_hcon) {
4467 hci_dev_put(hdev);
21870b52 4468 return -EBADSLT;
1700915f
MM		 4469 }
4470
6e1df6a6
AE		 4471 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4472
6e1df6a6
AE		 4473 mgr->bredr_chan = chan;
4474 chan->hs_hcon = hs_hcon;
fd45bf4c 4475 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4476 conn->mtu = hdev->block_mtu;
1700915f 4477 }
f94ff6ff 4478
6e1df6a6 4479 hci_dev_put(hdev);
f94ff6ff
MM		 4480
4481 return 0;
6e1df6a6
AE		 4482
4483error:
4484 rsp.dcid = 0;
4485 rsp.scid = cpu_to_le16(scid);
4486 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4487 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4488
4489 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4490 sizeof(rsp), &rsp);
4491
dc280801 4492 return 0;
f94ff6ff
MM		 4493}
4494
8eb200bd
MM		 4495static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4496{
4497 struct l2cap_move_chan_req req;
4498 u8 ident;
4499
4500 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4501
4502 ident = l2cap_get_ident(chan->conn);
4503 chan->ident = ident;
4504
4505 req.icid = cpu_to_le16(chan->scid);
4506 req.dest_amp_id = dest_amp_id;
4507
4508 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4509 &req);
4510
4511 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4512}
4513
1500109b 4514static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4515{
4516 struct l2cap_move_chan_rsp rsp;
4517
1500109b 4518 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4519
1500109b 4520 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4521 rsp.result = cpu_to_le16(result);
4522
1500109b
MM		 4523 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4524 sizeof(rsp), &rsp);
8d5a04a1
MM		 4525}
4526
5b155ef9 4527static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4528{
4529 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4530
5b155ef9 4531 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4532
5b155ef9 4533 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4534
5b155ef9 4535 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4536 cfm.result = cpu_to_le16(result);
4537
5b155ef9
MM		 4538 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4539 sizeof(cfm), &cfm);
4540
4541 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4542}
4543
4544static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4545{
4546 struct l2cap_move_chan_cfm cfm;
4547
4548 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4549
4550 cfm.icid = cpu_to_le16(icid);
4551 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4552
4553 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4554 sizeof(cfm), &cfm);
8d5a04a1
MM		 4555}
4556
4557static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4558 u16 icid)
8d5a04a1
MM		 4559{
4560 struct l2cap_move_chan_cfm_rsp rsp;
4561
ad0ac6ca 4562 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4563
4564 rsp.icid = cpu_to_le16(icid);
4565 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4566}
4567
5f3847a4
MM		 4568static void __release_logical_link(struct l2cap_chan *chan)
4569{
4570 chan->hs_hchan = NULL;
4571 chan->hs_hcon = NULL;
4572
4573 /* Placeholder - release the logical link */
4574}
4575
1500109b
MM		 4576static void l2cap_logical_fail(struct l2cap_chan *chan)
4577{
4578 /* Logical link setup failed */
4579 if (chan->state != BT_CONNECTED) {
4580 /* Create channel failure, disconnect */
5e4e3972 4581 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4582 return;
4583 }
4584
4585 switch (chan->move_role) {
4586 case L2CAP_MOVE_ROLE_RESPONDER:
4587 l2cap_move_done(chan);
4588 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4589 break;
4590 case L2CAP_MOVE_ROLE_INITIATOR:
4591 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4592 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4593 /* Remote has only sent pending or
4594 * success responses, clean up
4595 */
4596 l2cap_move_done(chan);
4597 }
4598
4599 /* Other amp move states imply that the move
4600 * has already aborted
4601 */
4602 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4603 break;
4604 }
4605}
4606
4607static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4608 struct hci_chan *hchan)
4609{
4610 struct l2cap_conf_rsp rsp;
1500109b 4611
336178a3 4612 chan->hs_hchan = hchan;
1500109b
MM		 4613 chan->hs_hcon->l2cap_data = chan->conn;
4614
35ba9561 4615 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4616
4617 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4618 int err;
1500109b
MM		 4619
4620 set_default_fcs(chan);
4621
4622 err = l2cap_ertm_init(chan);
4623 if (err < 0)
5e4e3972 4624 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4625 else
4626 l2cap_chan_ready(chan);
4627 }
4628}
4629
4630static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4631 struct hci_chan *hchan)
4632{
4633 chan->hs_hcon = hchan->conn;
4634 chan->hs_hcon->l2cap_data = chan->conn;
4635
4636 BT_DBG("move_state %d", chan->move_state);
4637
4638 switch (chan->move_state) {
4639 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4640 /* Move confirm will be sent after a success
4641 * response is received
4642 */
4643 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4644 break;
4645 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4646 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4647 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4648 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4649 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4650 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4651 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4652 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4653 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4654 }
4655 break;
4656 default:
4657 /* Move was not in expected state, free the channel */
4658 __release_logical_link(chan);
4659
4660 chan->move_state = L2CAP_MOVE_STABLE;
4661 }
4662}
4663
4664/* Call with chan locked */
27695fb4
AE		 4665void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4666 u8 status)
5b155ef9 4667{
1500109b
MM		 4668 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4669
4670 if (status) {
4671 l2cap_logical_fail(chan);
4672 __release_logical_link(chan);
4673 return;
4674 }
4675
4676 if (chan->state != BT_CONNECTED) {
4677 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4678 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4679 l2cap_logical_finish_create(chan, hchan);
4680 } else {
4681 l2cap_logical_finish_move(chan, hchan);
4682 }
5b155ef9
MM		 4683}
4684
3f7a56c4
MM		 4685void l2cap_move_start(struct l2cap_chan *chan)
4686{
4687 BT_DBG("chan %p", chan);
4688
6ed971ca 4689 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4690 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4691 return;
4692 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4693 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4694 /* Placeholder - start physical link setup */
4695 } else {
4696 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4697 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4698 chan->move_id = 0;
4699 l2cap_move_setup(chan);
4700 l2cap_send_move_chan_req(chan, 0);
4701 }
4702}
4703
8eb200bd
MM		 4704static void l2cap_do_create(struct l2cap_chan *chan, int result,
4705 u8 local_amp_id, u8 remote_amp_id)
4706{
62748ca1
AE		 4707 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4708 local_amp_id, remote_amp_id);
4709
12d6cc60
AE		 4710 chan->fcs = L2CAP_FCS_NONE;
4711
62748ca1
AE		 4712 /* Outgoing channel on AMP */
4713 if (chan->state == BT_CONNECT) {
4714 if (result == L2CAP_CR_SUCCESS) {
4715 chan->local_amp_id = local_amp_id;
4716 l2cap_send_create_chan_req(chan, remote_amp_id);
4717 } else {
4718 /* Revert to BR/EDR connect */
4719 l2cap_send_conn_req(chan);
4720 }
4721
4722 return;
4723 }
4724
4725 /* Incoming channel on AMP */
4726 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4727 struct l2cap_conn_rsp rsp;
4728 char buf[128];
4729 rsp.scid = cpu_to_le16(chan->dcid);
4730 rsp.dcid = cpu_to_le16(chan->scid);
4731
8eb200bd
MM		 4732 if (result == L2CAP_CR_SUCCESS) {
4733 /* Send successful response */
62cd50e2
AE		 4734 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4735 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4736 } else {
4737 /* Send negative response */
62cd50e2
AE		 4738 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4739 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4740 }
4741
4742 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4743 sizeof(rsp), &rsp);
4744
4745 if (result == L2CAP_CR_SUCCESS) {
4746 __l2cap_state_change(chan, BT_CONFIG);
4747 set_bit(CONF_REQ_SENT, &chan->conf_state);
4748 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4749 L2CAP_CONF_REQ,
4750 l2cap_build_conf_req(chan, buf), buf);
4751 chan->num_conf_req++;
4752 }
8eb200bd
MM		 4753 }
4754}
4755
4756static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4757 u8 remote_amp_id)
4758{
4759 l2cap_move_setup(chan);
4760 chan->move_id = local_amp_id;
4761 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4762
4763 l2cap_send_move_chan_req(chan, remote_amp_id);
4764}
4765
4766static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4767{
4768 struct hci_chan *hchan = NULL;
4769
4770 /* Placeholder - get hci_chan for logical link */
4771
4772 if (hchan) {
4773 if (hchan->state == BT_CONNECTED) {
4774 /* Logical link is ready to go */
4775 chan->hs_hcon = hchan->conn;
4776 chan->hs_hcon->l2cap_data = chan->conn;
4777 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4778 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4779
4780 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4781 } else {
4782 /* Wait for logical link to be ready */
4783 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4784 }
4785 } else {
4786 /* Logical link not available */
4787 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4788 }
4789}
4790
4791static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4792{
4793 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4794 u8 rsp_result;
4795 if (result == -EINVAL)
4796 rsp_result = L2CAP_MR_BAD_ID;
4797 else
4798 rsp_result = L2CAP_MR_NOT_ALLOWED;
4799
4800 l2cap_send_move_chan_rsp(chan, rsp_result);
4801 }
4802
4803 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4804 chan->move_state = L2CAP_MOVE_STABLE;
4805
4806 /* Restart data transmission */
4807 l2cap_ertm_send(chan);
4808}
4809
a514b17f
AE		 4810/* Invoke with locked chan */
4811void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4812{
770bfefa 4813 u8 local_amp_id = chan->local_amp_id;
fffadc08 4814 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4815
8eb200bd
MM		 4816 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4817 chan, result, local_amp_id, remote_amp_id);
4818
8eb200bd
MM		 4819 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4820 l2cap_chan_unlock(chan);
4821 return;
4822 }
4823
4824 if (chan->state != BT_CONNECTED) {
4825 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4826 } else if (result != L2CAP_MR_SUCCESS) {
4827 l2cap_do_move_cancel(chan, result);
4828 } else {
4829 switch (chan->move_role) {
4830 case L2CAP_MOVE_ROLE_INITIATOR:
4831 l2cap_do_move_initiate(chan, local_amp_id,
4832 remote_amp_id);
4833 break;
4834 case L2CAP_MOVE_ROLE_RESPONDER:
4835 l2cap_do_move_respond(chan, result);
4836 break;
4837 default:
4838 l2cap_do_move_cancel(chan, result);
4839 break;
4840 }
4841 }
8eb200bd
MM		 4842}
4843
8d5a04a1 4844static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4845 struct l2cap_cmd_hdr *cmd,
4846 u16 cmd_len, void *data)
8d5a04a1
MM		 4847{
4848 struct l2cap_move_chan_req *req = data;
1500109b 4849 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4850 struct l2cap_chan *chan;
8d5a04a1
MM		 4851 u16 icid = 0;
4852 u16 result = L2CAP_MR_NOT_ALLOWED;
4853
4854 if (cmd_len != sizeof(*req))
4855 return -EPROTO;
4856
4857 icid = le16_to_cpu(req->icid);
4858
ad0ac6ca 4859 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4860
848566b3 4861 if (!conn->hs_enabled)
8d5a04a1
MM		 4862 return -EINVAL;
4863
02b0fbb9
MM		 4864 chan = l2cap_get_chan_by_dcid(conn, icid);
4865 if (!chan) {
1500109b
MM		 4866 rsp.icid = cpu_to_le16(icid);
4867 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4868 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4869 sizeof(rsp), &rsp);
02b0fbb9
MM		 4870 return 0;
4871 }
4872
1500109b
MM		 4873 chan->ident = cmd->ident;
4874
02b0fbb9
MM		 4875 if (chan->scid < L2CAP_CID_DYN_START ||
4876 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4877 (chan->mode != L2CAP_MODE_ERTM &&
4878 chan->mode != L2CAP_MODE_STREAMING)) {
4879 result = L2CAP_MR_NOT_ALLOWED;
4880 goto send_move_response;
4881 }
4882
4883 if (chan->local_amp_id == req->dest_amp_id) {
4884 result = L2CAP_MR_SAME_ID;
4885 goto send_move_response;
4886 }
4887
6ed971ca 4888 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4889 struct hci_dev *hdev;
4890 hdev = hci_dev_get(req->dest_amp_id);
4891 if (!hdev || hdev->dev_type != HCI_AMP ||
4892 !test_bit(HCI_UP, &hdev->flags)) {
4893 if (hdev)
4894 hci_dev_put(hdev);
4895
4896 result = L2CAP_MR_BAD_ID;
4897 goto send_move_response;
4898 }
4899 hci_dev_put(hdev);
4900 }
4901
4902 /* Detect a move collision. Only send a collision response
4903 * if this side has "lost", otherwise proceed with the move.
4904 * The winner has the larger bd_addr.
4905 */
4906 if ((__chan_is_moving(chan) ||
4907 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4908 bacmp(conn->src, conn->dst) > 0) {
4909 result = L2CAP_MR_COLLISION;
4910 goto send_move_response;
4911 }
4912
02b0fbb9
MM		 4913 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4914 l2cap_move_setup(chan);
4915 chan->move_id = req->dest_amp_id;
4916 icid = chan->dcid;
4917
6ed971ca 4918 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4919 /* Moving to BR/EDR */
4920 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4921 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4922 result = L2CAP_MR_PEND;
4923 } else {
4924 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4925 result = L2CAP_MR_SUCCESS;
4926 }
4927 } else {
4928 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4929 /* Placeholder - uncomment when amp functions are available */
4930 /*amp_accept_physical(chan, req->dest_amp_id);*/
4931 result = L2CAP_MR_PEND;
4932 }
4933
4934send_move_response:
1500109b 4935 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4936
02b0fbb9
MM		 4937 l2cap_chan_unlock(chan);
4938
8d5a04a1
MM		 4939 return 0;
4940}
4941
5b155ef9
MM		 4942static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4943{
4944 struct l2cap_chan *chan;
4945 struct hci_chan *hchan = NULL;
4946
4947 chan = l2cap_get_chan_by_scid(conn, icid);
4948 if (!chan) {
4949 l2cap_send_move_chan_cfm_icid(conn, icid);
4950 return;
4951 }
4952
4953 __clear_chan_timer(chan);
4954 if (result == L2CAP_MR_PEND)
4955 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4956
4957 switch (chan->move_state) {
4958 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4959 /* Move confirm will be sent when logical link
4960 * is complete.
4961 */
4962 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4963 break;
4964 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4965 if (result == L2CAP_MR_PEND) {
4966 break;
4967 } else if (test_bit(CONN_LOCAL_BUSY,
4968 &chan->conn_state)) {
4969 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4970 } else {
4971 /* Logical link is up or moving to BR/EDR,
4972 * proceed with move
4973 */
4974 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4975 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4976 }
4977 break;
4978 case L2CAP_MOVE_WAIT_RSP:
4979 /* Moving to AMP */
4980 if (result == L2CAP_MR_SUCCESS) {
4981 /* Remote is ready, send confirm immediately
4982 * after logical link is ready
4983 */
4984 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4985 } else {
4986 /* Both logical link and move success
4987 * are required to confirm
4988 */
4989 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4990 }
4991
4992 /* Placeholder - get hci_chan for logical link */
4993 if (!hchan) {
4994 /* Logical link not available */
4995 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4996 break;
4997 }
4998
4999 /* If the logical link is not yet connected, do not
5000 * send confirmation.
5001 */
5002 if (hchan->state != BT_CONNECTED)
5003 break;
5004
5005 /* Logical link is already ready to go */
5006
5007 chan->hs_hcon = hchan->conn;
5008 chan->hs_hcon->l2cap_data = chan->conn;
5009
5010 if (result == L2CAP_MR_SUCCESS) {
5011 /* Can confirm now */
5012 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5013 } else {
5014 /* Now only need move success
5015 * to confirm
5016 */
5017 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5018 }
5019
5020 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5021 break;
5022 default:
5023 /* Any other amp move state means the move failed. */
5024 chan->move_id = chan->local_amp_id;
5025 l2cap_move_done(chan);
5026 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5027 }
5028
5029 l2cap_chan_unlock(chan);
5030}
5031
5032static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5033 u16 result)
5034{
5035 struct l2cap_chan *chan;
5036
5037 chan = l2cap_get_chan_by_ident(conn, ident);
5038 if (!chan) {
5039 /* Could not locate channel, icid is best guess */
5040 l2cap_send_move_chan_cfm_icid(conn, icid);
5041 return;
5042 }
5043
5044 __clear_chan_timer(chan);
5045
5046 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5047 if (result == L2CAP_MR_COLLISION) {
5048 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5049 } else {
5050 /* Cleanup - cancel move */
5051 chan->move_id = chan->local_amp_id;
5052 l2cap_move_done(chan);
5053 }
5054 }
5055
5056 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5057
5058 l2cap_chan_unlock(chan);
5059}
5060
5061static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5062 struct l2cap_cmd_hdr *cmd,
5063 u16 cmd_len, void *data)
8d5a04a1
MM		 5064{
5065 struct l2cap_move_chan_rsp *rsp = data;
5066 u16 icid, result;
5067
5068 if (cmd_len != sizeof(*rsp))
5069 return -EPROTO;
5070
5071 icid = le16_to_cpu(rsp->icid);
5072 result = le16_to_cpu(rsp->result);
5073
ad0ac6ca 5074 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5075
5b155ef9
MM		 5076 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5077 l2cap_move_continue(conn, icid, result);
5078 else
5079 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5080
5081 return 0;
5082}
5083
5f3847a4
MM		 5084static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5085 struct l2cap_cmd_hdr *cmd,
5086 u16 cmd_len, void *data)
8d5a04a1
MM		 5087{
5088 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5089 struct l2cap_chan *chan;
8d5a04a1
MM		 5090 u16 icid, result;
5091
5092 if (cmd_len != sizeof(*cfm))
5093 return -EPROTO;
5094
5095 icid = le16_to_cpu(cfm->icid);
5096 result = le16_to_cpu(cfm->result);
5097
ad0ac6ca 5098 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5099
5f3847a4
MM		 5100 chan = l2cap_get_chan_by_dcid(conn, icid);
5101 if (!chan) {
5102 /* Spec requires a response even if the icid was not found */
5103 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5104 return 0;
5105 }
5106
5107 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5108 if (result == L2CAP_MC_CONFIRMED) {
5109 chan->local_amp_id = chan->move_id;
6ed971ca 5110 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5111 __release_logical_link(chan);
5112 } else {
5113 chan->move_id = chan->local_amp_id;
5114 }
5115
5116 l2cap_move_done(chan);
5117 }
5118
8d5a04a1
MM		 5119 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5120
5f3847a4
MM		 5121 l2cap_chan_unlock(chan);
5122
8d5a04a1
MM		 5123 return 0;
5124}
5125
5126static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5127 struct l2cap_cmd_hdr *cmd,
5128 u16 cmd_len, void *data)
8d5a04a1
MM		 5129{
5130 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5131 struct l2cap_chan *chan;
8d5a04a1
MM		 5132 u16 icid;
5133
5134 if (cmd_len != sizeof(*rsp))
5135 return -EPROTO;
5136
5137 icid = le16_to_cpu(rsp->icid);
5138
ad0ac6ca 5139 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5140
3fd71a0a
MM		 5141 chan = l2cap_get_chan_by_scid(conn, icid);
5142 if (!chan)
5143 return 0;
5144
5145 __clear_chan_timer(chan);
5146
5147 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5148 chan->local_amp_id = chan->move_id;
5149
6ed971ca 5150 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5151 __release_logical_link(chan);
5152
5153 l2cap_move_done(chan);
5154 }
5155
5156 l2cap_chan_unlock(chan);
5157
8d5a04a1
MM		 5158 return 0;
5159}
5160
e2174ca4 5161static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5162 u16 to_multiplier)
de73115a
CT		 5163{
5164 u16 max_latency;
5165
5166 if (min > max || min < 6 || max > 3200)
5167 return -EINVAL;
5168
5169 if (to_multiplier < 10 || to_multiplier > 3200)
5170 return -EINVAL;
5171
5172 if (max >= to_multiplier * 8)
5173 return -EINVAL;
5174
5175 max_latency = (to_multiplier * 8 / max) - 1;
5176 if (latency > 499 || latency > max_latency)
5177 return -EINVAL;
5178
5179 return 0;
5180}
5181
5182static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5183 struct l2cap_cmd_hdr *cmd,
5184 u8 *data)
de73115a
CT		 5185{
5186 struct hci_conn *hcon = conn->hcon;
5187 struct l2cap_conn_param_update_req *req;
5188 struct l2cap_conn_param_update_rsp rsp;
5189 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5190 int err;
de73115a
CT		 5191
5192 if (!(hcon->link_mode & HCI_LM_MASTER))
5193 return -EINVAL;
5194
5195 cmd_len = __le16_to_cpu(cmd->len);
5196 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5197 return -EPROTO;
5198
5199 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5200 min = __le16_to_cpu(req->min);
5201 max = __le16_to_cpu(req->max);
de73115a
CT		 5202 latency = __le16_to_cpu(req->latency);
5203 to_multiplier = __le16_to_cpu(req->to_multiplier);
5204
5205 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5206 min, max, latency, to_multiplier);
de73115a
CT		 5207
5208 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5209
5210 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5211 if (err)
ac73498c 5212 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5213 else
ac73498c 5214 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5215
5216 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5217 sizeof(rsp), &rsp);
de73115a 5218
2ce603eb
CT		 5219 if (!err)
5220 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5221
de73115a
CT		 5222 return 0;
5223}
5224
3300d9a9 5225static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5226 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5227 u8 *data)
3300d9a9
CT		 5228{
5229 int err = 0;
5230
5231 switch (cmd->code) {
5232 case L2CAP_COMMAND_REJ:
cb3b3152 5233 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5234 break;
5235
5236 case L2CAP_CONN_REQ:
cb3b3152 5237 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5238 break;
5239
5240 case L2CAP_CONN_RSP:
f5a2598d 5241 case L2CAP_CREATE_CHAN_RSP:
9245e737 5242 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5243 break;
5244
5245 case L2CAP_CONF_REQ:
5246 err = l2cap_config_req(conn, cmd, cmd_len, data);
5247 break;
5248
5249 case L2CAP_CONF_RSP:
9245e737 5250 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5251 break;
5252
5253 case L2CAP_DISCONN_REQ:
cb3b3152 5254 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5255 break;
5256
5257 case L2CAP_DISCONN_RSP:
9245e737 5258 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5259 break;
5260
5261 case L2CAP_ECHO_REQ:
5262 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5263 break;
5264
5265 case L2CAP_ECHO_RSP:
5266 break;
5267
5268 case L2CAP_INFO_REQ:
cb3b3152 5269 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5270 break;
5271
5272 case L2CAP_INFO_RSP:
9245e737 5273 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5274 break;
5275
f94ff6ff
MM		 5276 case L2CAP_CREATE_CHAN_REQ:
5277 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5278 break;
5279
8d5a04a1
MM		 5280 case L2CAP_MOVE_CHAN_REQ:
5281 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5282 break;
5283
5284 case L2CAP_MOVE_CHAN_RSP:
9245e737 5285 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5286 break;
5287
5288 case L2CAP_MOVE_CHAN_CFM:
5289 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5290 break;
5291
5292 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5293 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5294 break;
5295
3300d9a9
CT		 5296 default:
5297 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5298 err = -EINVAL;
5299 break;
5300 }
5301
5302 return err;
5303}
5304
5305static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5306 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5307{
5308 switch (cmd->code) {
5309 case L2CAP_COMMAND_REJ:
5310 return 0;
5311
5312 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5313 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5314
5315 case L2CAP_CONN_PARAM_UPDATE_RSP:
5316 return 0;
5317
5318 default:
5319 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5320 return -EINVAL;
5321 }
5322}
5323
7c2005d6
JH		 5324static __le16 l2cap_err_to_reason(int err)
5325{
5326 switch (err) {
5327 case -EBADSLT:
5328 return __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
5329 case -EMSGSIZE:
5330 return __constant_cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
5331 case -EINVAL:
5332 case -EPROTO:
5333 default:
5334 return __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5335 }
5336}
5337
c5623556
JH		 5338static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5339 struct sk_buff *skb)
5340{
69c4e4e8 5341 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5342 struct l2cap_cmd_hdr *cmd;
5343 u16 len;
c5623556
JH		 5344 int err;
5345
69c4e4e8 5346 if (hcon->type != LE_LINK)
3b166295 5347 goto drop;
69c4e4e8 5348
4f3e219d
MH		 5349 if (skb->len < L2CAP_CMD_HDR_SIZE)
5350 goto drop;
c5623556 5351
4f3e219d
MH		 5352 cmd = (void *) skb->data;
5353 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5354
4f3e219d 5355 len = le16_to_cpu(cmd->len);
c5623556 5356
4f3e219d 5357 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5358
4f3e219d
MH		 5359 if (len != skb->len || !cmd->ident) {
5360 BT_DBG("corrupted command");
5361 goto drop;
5362 }
c5623556 5363
4f3e219d
MH		 5364 err = l2cap_le_sig_cmd(conn, cmd, skb->data);
5365 if (err) {
5366 struct l2cap_cmd_rej_unk rej;
c5623556 5367
4f3e219d 5368 BT_ERR("Wrong link type (%d)", err);
c5623556 5369
4f3e219d
MH		 5370 rej.reason = l2cap_err_to_reason(err);
5371 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5372 sizeof(rej), &rej);
c5623556
JH		 5373 }
5374
3b166295 5375drop:
c5623556
JH		 5376 kfree_skb(skb);
5377}
5378
3300d9a9 5379static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5380 struct sk_buff *skb)
1da177e4 5381{
69c4e4e8 5382 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5383 u8 *data = skb->data;
5384 int len = skb->len;
5385 struct l2cap_cmd_hdr cmd;
3300d9a9 5386 int err;
1da177e4
LT		 5387
5388 l2cap_raw_recv(conn, skb);
5389
69c4e4e8 5390 if (hcon->type != ACL_LINK)
3b166295 5391 goto drop;
69c4e4e8 5392
1da177e4 5393 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5394 u16 cmd_len;
1da177e4
LT		 5395 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5396 data += L2CAP_CMD_HDR_SIZE;
5397 len -= L2CAP_CMD_HDR_SIZE;
5398
88219a0f 5399 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5400
2d792818
GP		 5401 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5402 cmd.ident);
1da177e4 5403
88219a0f 5404 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5405 BT_DBG("corrupted command");
5406 break;
5407 }
5408
c5623556 5409 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5410 if (err) {
e2fd318e 5411 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5412
5413 BT_ERR("Wrong link type (%d)", err);
1da177e4 5414
7c2005d6 5415 rej.reason = l2cap_err_to_reason(err);
2d792818
GP		 5416 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5417 sizeof(rej), &rej);
1da177e4
LT		 5418 }
5419
88219a0f
AV		 5420 data += cmd_len;
5421 len -= cmd_len;
1da177e4
LT		 5422 }
5423
3b166295 5424drop:
1da177e4
LT		 5425 kfree_skb(skb);
5426}
5427
47d1ec61 5428static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5429{
5430 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5431 int hdr_size;
5432
5433 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5434 hdr_size = L2CAP_EXT_HDR_SIZE;
5435 else
5436 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5437
47d1ec61 5438 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5439 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5440 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5441 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5442
5443 if (our_fcs != rcv_fcs)
7a560e5c 5444 return -EBADMSG;
fcc203c3
GP		 5445 }
5446 return 0;
5447}
5448
6ea00485 5449static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5450{
e31f7633 5451 struct l2cap_ctrl control;
d5392c8f 5452
e31f7633 5453 BT_DBG("chan %p", chan);
d5392c8f 5454
e31f7633
MM		 5455 memset(&control, 0, sizeof(control));
5456 control.sframe = 1;
5457 control.final = 1;
5458 control.reqseq = chan->buffer_seq;
5459 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5460
e2ab4353 5461 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5462 control.super = L2CAP_SUPER_RNR;
5463 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5464 }
5465
e31f7633
MM		 5466 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5467 chan->unacked_frames > 0)
5468 __set_retrans_timer(chan);
d5392c8f 5469
e31f7633 5470 /* Send pending iframes */
525cd185 5471 l2cap_ertm_send(chan);
d5392c8f 5472
e2ab4353 5473 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5474 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5475 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5476 * send it now.
5477 */
5478 control.super = L2CAP_SUPER_RR;
5479 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5480 }
5481}
5482
2d792818
GP		 5483static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5484 struct sk_buff **last_frag)
18778a63 5485{
84084a31
MM		 5486 /* skb->len reflects data in skb as well as all fragments
5487 * skb->data_len reflects only data in fragments
5488 */
5489 if (!skb_has_frag_list(skb))
5490 skb_shinfo(skb)->frag_list = new_frag;
5491
5492 new_frag->next = NULL;
5493
5494 (*last_frag)->next = new_frag;
5495 *last_frag = new_frag;
5496
5497 skb->len += new_frag->len;
5498 skb->data_len += new_frag->len;
5499 skb->truesize += new_frag->truesize;
5500}
5501
4b51dae9
MM		 5502static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5503 struct l2cap_ctrl *control)
84084a31
MM		 5504{
5505 int err = -EINVAL;
18778a63 5506
4b51dae9 5507 switch (control->sar) {
7e0ef6ee 5508 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5509 if (chan->sdu)
5510 break;
18778a63 5511
80b98027 5512 err = chan->ops->recv(chan, skb);
84084a31 5513 break;
18778a63 5514
7e0ef6ee 5515 case L2CAP_SAR_START:
84084a31
MM		 5516 if (chan->sdu)
5517 break;
18778a63 5518
6f61fd47 5519 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5520 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5521
84084a31
MM		 5522 if (chan->sdu_len > chan->imtu) {
5523 err = -EMSGSIZE;
5524 break;
5525 }
1890d36b 5526
84084a31
MM		 5527 if (skb->len >= chan->sdu_len)
5528 break;
18778a63 5529
84084a31
MM		 5530 chan->sdu = skb;
5531 chan->sdu_last_frag = skb;
18778a63 5532
84084a31
MM		 5533 skb = NULL;
5534 err = 0;
18778a63
GP		 5535 break;
5536
7e0ef6ee 5537 case L2CAP_SAR_CONTINUE:
6f61fd47 5538 if (!chan->sdu)
84084a31 5539 break;
18778a63 5540
84084a31
MM		 5541 append_skb_frag(chan->sdu, skb,
5542 &chan->sdu_last_frag);
5543 skb = NULL;
18778a63 5544
84084a31
MM		 5545 if (chan->sdu->len >= chan->sdu_len)
5546 break;
4178ba46 5547
84084a31 5548 err = 0;
18778a63
GP		 5549 break;
5550
7e0ef6ee 5551 case L2CAP_SAR_END:
6f61fd47 5552 if (!chan->sdu)
84084a31 5553 break;
18778a63 5554
84084a31
MM		 5555 append_skb_frag(chan->sdu, skb,
5556 &chan->sdu_last_frag);
5557 skb = NULL;
4178ba46 5558
84084a31
MM		 5559 if (chan->sdu->len != chan->sdu_len)
5560 break;
18778a63 5561
80b98027 5562 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5563
84084a31
MM		 5564 if (!err) {
5565 /* Reassembly complete */
5566 chan->sdu = NULL;
5567 chan->sdu_last_frag = NULL;
5568 chan->sdu_len = 0;
1890d36b 5569 }
18778a63
GP		 5570 break;
5571 }
5572
84084a31
MM		 5573 if (err) {
5574 kfree_skb(skb);
5575 kfree_skb(chan->sdu);
5576 chan->sdu = NULL;
5577 chan->sdu_last_frag = NULL;
5578 chan->sdu_len = 0;
5579 }
18778a63 5580
84084a31 5581 return err;
18778a63
GP		 5582}
5583
32b32735
MM		 5584static int l2cap_resegment(struct l2cap_chan *chan)
5585{
5586 /* Placeholder */
5587 return 0;
5588}
5589
61aa4f5b 5590void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5591{
61aa4f5b 5592 u8 event;
712132eb 5593
61aa4f5b
MM		 5594 if (chan->mode != L2CAP_MODE_ERTM)
5595 return;
712132eb 5596
61aa4f5b 5597 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5598 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5599}
5600
d2a7ac5d
MM		 5601static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5602{
63838725
MM		 5603 int err = 0;
5604 /* Pass sequential frames to l2cap_reassemble_sdu()
5605 * until a gap is encountered.
5606 */
5607
5608 BT_DBG("chan %p", chan);
5609
5610 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5611 struct sk_buff *skb;
5612 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5613 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5614
5615 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5616
5617 if (!skb)
5618 break;
5619
5620 skb_unlink(skb, &chan->srej_q);
5621 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5622 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5623 if (err)
5624 break;
5625 }
5626
5627 if (skb_queue_empty(&chan->srej_q)) {
5628 chan->rx_state = L2CAP_RX_STATE_RECV;
5629 l2cap_send_ack(chan);
5630 }
5631
5632 return err;
d2a7ac5d
MM		 5633}
5634
5635static void l2cap_handle_srej(struct l2cap_chan *chan,
5636 struct l2cap_ctrl *control)
5637{
f80842a8
MM		 5638 struct sk_buff *skb;
5639
5640 BT_DBG("chan %p, control %p", chan, control);
5641
5642 if (control->reqseq == chan->next_tx_seq) {
5643 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5644 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5645 return;
5646 }
5647
5648 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5649
5650 if (skb == NULL) {
5651 BT_DBG("Seq %d not available for retransmission",
5652 control->reqseq);
5653 return;
5654 }
5655
5656 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5657 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5658 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5659 return;
5660 }
5661
5662 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5663
5664 if (control->poll) {
5665 l2cap_pass_to_tx(chan, control);
5666
5667 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5668 l2cap_retransmit(chan, control);
5669 l2cap_ertm_send(chan);
5670
5671 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5672 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5673 chan->srej_save_reqseq = control->reqseq;
5674 }
5675 } else {
5676 l2cap_pass_to_tx_fbit(chan, control);
5677
5678 if (control->final) {
5679 if (chan->srej_save_reqseq != control->reqseq ||
5680 !test_and_clear_bit(CONN_SREJ_ACT,
5681 &chan->conn_state))
5682 l2cap_retransmit(chan, control);
5683 } else {
5684 l2cap_retransmit(chan, control);
5685 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5686 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5687 chan->srej_save_reqseq = control->reqseq;
5688 }
5689 }
5690 }
d2a7ac5d
MM		 5691}
5692
5693static void l2cap_handle_rej(struct l2cap_chan *chan,
5694 struct l2cap_ctrl *control)
5695{
fcd289df
MM		 5696 struct sk_buff *skb;
5697
5698 BT_DBG("chan %p, control %p", chan, control);
5699
5700 if (control->reqseq == chan->next_tx_seq) {
5701 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5702 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5703 return;
5704 }
5705
5706 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5707
5708 if (chan->max_tx && skb &&
5709 bt_cb(skb)->control.retries >= chan->max_tx) {
5710 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5711 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5712 return;
5713 }
5714
5715 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5716
5717 l2cap_pass_to_tx(chan, control);
5718
5719 if (control->final) {
5720 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5721 l2cap_retransmit_all(chan, control);
5722 } else {
5723 l2cap_retransmit_all(chan, control);
5724 l2cap_ertm_send(chan);
5725 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5726 set_bit(CONN_REJ_ACT, &chan->conn_state);
5727 }
d2a7ac5d
MM		 5728}
5729
4b51dae9
MM		 5730static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5731{
5732 BT_DBG("chan %p, txseq %d", chan, txseq);
5733
5734 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5735 chan->expected_tx_seq);
5736
5737 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5738 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5739 chan->tx_win) {
4b51dae9
MM		 5740 /* See notes below regarding "double poll" and
5741 * invalid packets.
5742 */
5743 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5744 BT_DBG("Invalid/Ignore - after SREJ");
5745 return L2CAP_TXSEQ_INVALID_IGNORE;
5746 } else {
5747 BT_DBG("Invalid - in window after SREJ sent");
5748 return L2CAP_TXSEQ_INVALID;
5749 }
5750 }
5751
5752 if (chan->srej_list.head == txseq) {
5753 BT_DBG("Expected SREJ");
5754 return L2CAP_TXSEQ_EXPECTED_SREJ;
5755 }
5756
5757 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5758 BT_DBG("Duplicate SREJ - txseq already stored");
5759 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5760 }
5761
5762 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5763 BT_DBG("Unexpected SREJ - not requested");
5764 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5765 }
5766 }
5767
5768 if (chan->expected_tx_seq == txseq) {
5769 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5770 chan->tx_win) {
5771 BT_DBG("Invalid - txseq outside tx window");
5772 return L2CAP_TXSEQ_INVALID;
5773 } else {
5774 BT_DBG("Expected");
5775 return L2CAP_TXSEQ_EXPECTED;
5776 }
5777 }
5778
5779 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5780 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5781 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5782 return L2CAP_TXSEQ_DUPLICATE;
5783 }
5784
5785 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5786 /* A source of invalid packets is a "double poll" condition,
5787 * where delays cause us to send multiple poll packets. If
5788 * the remote stack receives and processes both polls,
5789 * sequence numbers can wrap around in such a way that a
5790 * resent frame has a sequence number that looks like new data
5791 * with a sequence gap. This would trigger an erroneous SREJ
5792 * request.
5793 *
5794 * Fortunately, this is impossible with a tx window that's
5795 * less than half of the maximum sequence number, which allows
5796 * invalid frames to be safely ignored.
5797 *
5798 * With tx window sizes greater than half of the tx window
5799 * maximum, the frame is invalid and cannot be ignored. This
5800 * causes a disconnect.
5801 */
5802
5803 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5804 BT_DBG("Invalid/Ignore - txseq outside tx window");
5805 return L2CAP_TXSEQ_INVALID_IGNORE;
5806 } else {
5807 BT_DBG("Invalid - txseq outside tx window");
5808 return L2CAP_TXSEQ_INVALID;
5809 }
5810 } else {
5811 BT_DBG("Unexpected - txseq indicates missing frames");
5812 return L2CAP_TXSEQ_UNEXPECTED;
5813 }
5814}
5815
d2a7ac5d
MM		 5816static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5817 struct l2cap_ctrl *control,
5818 struct sk_buff *skb, u8 event)
5819{
5820 int err = 0;
941247f9 5821 bool skb_in_use = false;
d2a7ac5d
MM		 5822
5823 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5824 event);
5825
5826 switch (event) {
5827 case L2CAP_EV_RECV_IFRAME:
5828 switch (l2cap_classify_txseq(chan, control->txseq)) {
5829 case L2CAP_TXSEQ_EXPECTED:
5830 l2cap_pass_to_tx(chan, control);
5831
5832 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5833 BT_DBG("Busy, discarding expected seq %d",
5834 control->txseq);
5835 break;
5836 }
5837
5838 chan->expected_tx_seq = __next_seq(chan,
5839 control->txseq);
5840
5841 chan->buffer_seq = chan->expected_tx_seq;
941247f9 5842 skb_in_use = true;
d2a7ac5d
MM		 5843
5844 err = l2cap_reassemble_sdu(chan, skb, control);
5845 if (err)
5846 break;
5847
5848 if (control->final) {
5849 if (!test_and_clear_bit(CONN_REJ_ACT,
5850 &chan->conn_state)) {
5851 control->final = 0;
5852 l2cap_retransmit_all(chan, control);
5853 l2cap_ertm_send(chan);
5854 }
5855 }
5856
5857 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5858 l2cap_send_ack(chan);
5859 break;
5860 case L2CAP_TXSEQ_UNEXPECTED:
5861 l2cap_pass_to_tx(chan, control);
5862
5863 /* Can't issue SREJ frames in the local busy state.
5864 * Drop this frame, it will be seen as missing
5865 * when local busy is exited.
5866 */
5867 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5868 BT_DBG("Busy, discarding unexpected seq %d",
5869 control->txseq);
5870 break;
5871 }
5872
5873 /* There was a gap in the sequence, so an SREJ
5874 * must be sent for each missing frame. The
5875 * current frame is stored for later use.
5876 */
5877 skb_queue_tail(&chan->srej_q, skb);
941247f9 5878 skb_in_use = true;
d2a7ac5d
MM		 5879 BT_DBG("Queued %p (queue len %d)", skb,
5880 skb_queue_len(&chan->srej_q));
5881
5882 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5883 l2cap_seq_list_clear(&chan->srej_list);
5884 l2cap_send_srej(chan, control->txseq);
5885
5886 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5887 break;
5888 case L2CAP_TXSEQ_DUPLICATE:
5889 l2cap_pass_to_tx(chan, control);
5890 break;
5891 case L2CAP_TXSEQ_INVALID_IGNORE:
5892 break;
5893 case L2CAP_TXSEQ_INVALID:
5894 default:
5e4e3972 5895 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5896 break;
5897 }
5898 break;
5899 case L2CAP_EV_RECV_RR:
5900 l2cap_pass_to_tx(chan, control);
5901 if (control->final) {
5902 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5903
e6a3ee6e
MM		 5904 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5905 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5906 control->final = 0;
5907 l2cap_retransmit_all(chan, control);
5908 }
5909
5910 l2cap_ertm_send(chan);
5911 } else if (control->poll) {
5912 l2cap_send_i_or_rr_or_rnr(chan);
5913 } else {
5914 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5915 &chan->conn_state) &&
5916 chan->unacked_frames)
5917 __set_retrans_timer(chan);
5918
5919 l2cap_ertm_send(chan);
5920 }
5921 break;
5922 case L2CAP_EV_RECV_RNR:
5923 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5924 l2cap_pass_to_tx(chan, control);
5925 if (control && control->poll) {
5926 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5927 l2cap_send_rr_or_rnr(chan, 0);
5928 }
5929 __clear_retrans_timer(chan);
5930 l2cap_seq_list_clear(&chan->retrans_list);
5931 break;
5932 case L2CAP_EV_RECV_REJ:
5933 l2cap_handle_rej(chan, control);
5934 break;
5935 case L2CAP_EV_RECV_SREJ:
5936 l2cap_handle_srej(chan, control);
5937 break;
5938 default:
5939 break;
5940 }
5941
5942 if (skb && !skb_in_use) {
5943 BT_DBG("Freeing %p", skb);
5944 kfree_skb(skb);
5945 }
5946
5947 return err;
5948}
5949
5950static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5951 struct l2cap_ctrl *control,
5952 struct sk_buff *skb, u8 event)
5953{
5954 int err = 0;
5955 u16 txseq = control->txseq;
941247f9 5956 bool skb_in_use = false;
d2a7ac5d
MM		 5957
5958 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5959 event);
5960
5961 switch (event) {
5962 case L2CAP_EV_RECV_IFRAME:
5963 switch (l2cap_classify_txseq(chan, txseq)) {
5964 case L2CAP_TXSEQ_EXPECTED:
5965 /* Keep frame for reassembly later */
5966 l2cap_pass_to_tx(chan, control);
5967 skb_queue_tail(&chan->srej_q, skb);
941247f9 5968 skb_in_use = true;
d2a7ac5d
MM		 5969 BT_DBG("Queued %p (queue len %d)", skb,
5970 skb_queue_len(&chan->srej_q));
5971
5972 chan->expected_tx_seq = __next_seq(chan, txseq);
5973 break;
5974 case L2CAP_TXSEQ_EXPECTED_SREJ:
5975 l2cap_seq_list_pop(&chan->srej_list);
5976
5977 l2cap_pass_to_tx(chan, control);
5978 skb_queue_tail(&chan->srej_q, skb);
941247f9 5979 skb_in_use = true;
d2a7ac5d
MM		 5980 BT_DBG("Queued %p (queue len %d)", skb,
5981 skb_queue_len(&chan->srej_q));
5982
5983 err = l2cap_rx_queued_iframes(chan);
5984 if (err)
5985 break;
5986
5987 break;
5988 case L2CAP_TXSEQ_UNEXPECTED:
5989 /* Got a frame that can't be reassembled yet.
5990 * Save it for later, and send SREJs to cover
5991 * the missing frames.
5992 */
5993 skb_queue_tail(&chan->srej_q, skb);
941247f9 5994 skb_in_use = true;
d2a7ac5d
MM		 5995 BT_DBG("Queued %p (queue len %d)", skb,
5996 skb_queue_len(&chan->srej_q));
5997
5998 l2cap_pass_to_tx(chan, control);
5999 l2cap_send_srej(chan, control->txseq);
6000 break;
6001 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6002 /* This frame was requested with an SREJ, but
6003 * some expected retransmitted frames are
6004 * missing. Request retransmission of missing
6005 * SREJ'd frames.
6006 */
6007 skb_queue_tail(&chan->srej_q, skb);
941247f9 6008 skb_in_use = true;
d2a7ac5d
MM		 6009 BT_DBG("Queued %p (queue len %d)", skb,
6010 skb_queue_len(&chan->srej_q));
6011
6012 l2cap_pass_to_tx(chan, control);
6013 l2cap_send_srej_list(chan, control->txseq);
6014 break;
6015 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6016 /* We've already queued this frame. Drop this copy. */
6017 l2cap_pass_to_tx(chan, control);
6018 break;
6019 case L2CAP_TXSEQ_DUPLICATE:
6020 /* Expecting a later sequence number, so this frame
6021 * was already received. Ignore it completely.
6022 */
6023 break;
6024 case L2CAP_TXSEQ_INVALID_IGNORE:
6025 break;
6026 case L2CAP_TXSEQ_INVALID:
6027 default:
5e4e3972 6028 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6029 break;
6030 }
6031 break;
6032 case L2CAP_EV_RECV_RR:
6033 l2cap_pass_to_tx(chan, control);
6034 if (control->final) {
6035 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6036
6037 if (!test_and_clear_bit(CONN_REJ_ACT,
6038 &chan->conn_state)) {
6039 control->final = 0;
6040 l2cap_retransmit_all(chan, control);
6041 }
6042
6043 l2cap_ertm_send(chan);
6044 } else if (control->poll) {
6045 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6046 &chan->conn_state) &&
6047 chan->unacked_frames) {
6048 __set_retrans_timer(chan);
6049 }
6050
6051 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6052 l2cap_send_srej_tail(chan);
6053 } else {
6054 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6055 &chan->conn_state) &&
6056 chan->unacked_frames)
6057 __set_retrans_timer(chan);
6058
6059 l2cap_send_ack(chan);
6060 }
6061 break;
6062 case L2CAP_EV_RECV_RNR:
6063 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6064 l2cap_pass_to_tx(chan, control);
6065 if (control->poll) {
6066 l2cap_send_srej_tail(chan);
6067 } else {
6068 struct l2cap_ctrl rr_control;
6069 memset(&rr_control, 0, sizeof(rr_control));
6070 rr_control.sframe = 1;
6071 rr_control.super = L2CAP_SUPER_RR;
6072 rr_control.reqseq = chan->buffer_seq;
6073 l2cap_send_sframe(chan, &rr_control);
6074 }
6075
6076 break;
6077 case L2CAP_EV_RECV_REJ:
6078 l2cap_handle_rej(chan, control);
6079 break;
6080 case L2CAP_EV_RECV_SREJ:
6081 l2cap_handle_srej(chan, control);
6082 break;
6083 }
6084
6085 if (skb && !skb_in_use) {
6086 BT_DBG("Freeing %p", skb);
6087 kfree_skb(skb);
6088 }
6089
6090 return err;
6091}
6092
32b32735
MM		 6093static int l2cap_finish_move(struct l2cap_chan *chan)
6094{
6095 BT_DBG("chan %p", chan);
6096
6097 chan->rx_state = L2CAP_RX_STATE_RECV;
6098
6099 if (chan->hs_hcon)
6100 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6101 else
6102 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6103
6104 return l2cap_resegment(chan);
6105}
6106
6107static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6108 struct l2cap_ctrl *control,
6109 struct sk_buff *skb, u8 event)
6110{
6111 int err;
6112
6113 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6114 event);
6115
6116 if (!control->poll)
6117 return -EPROTO;
6118
6119 l2cap_process_reqseq(chan, control->reqseq);
6120
6121 if (!skb_queue_empty(&chan->tx_q))
6122 chan->tx_send_head = skb_peek(&chan->tx_q);
6123 else
6124 chan->tx_send_head = NULL;
6125
6126 /* Rewind next_tx_seq to the point expected
6127 * by the receiver.
6128 */
6129 chan->next_tx_seq = control->reqseq;
6130 chan->unacked_frames = 0;
6131
6132 err = l2cap_finish_move(chan);
6133 if (err)
6134 return err;
6135
6136 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6137 l2cap_send_i_or_rr_or_rnr(chan);
6138
6139 if (event == L2CAP_EV_RECV_IFRAME)
6140 return -EPROTO;
6141
6142 return l2cap_rx_state_recv(chan, control, NULL, event);
6143}
6144
6145static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6146 struct l2cap_ctrl *control,
6147 struct sk_buff *skb, u8 event)
6148{
6149 int err;
6150
6151 if (!control->final)
6152 return -EPROTO;
6153
6154 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6155
6156 chan->rx_state = L2CAP_RX_STATE_RECV;
6157 l2cap_process_reqseq(chan, control->reqseq);
6158
6159 if (!skb_queue_empty(&chan->tx_q))
6160 chan->tx_send_head = skb_peek(&chan->tx_q);
6161 else
6162 chan->tx_send_head = NULL;
6163
6164 /* Rewind next_tx_seq to the point expected
6165 * by the receiver.
6166 */
6167 chan->next_tx_seq = control->reqseq;
6168 chan->unacked_frames = 0;
6169
6170 if (chan->hs_hcon)
6171 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6172 else
6173 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6174
6175 err = l2cap_resegment(chan);
6176
6177 if (!err)
6178 err = l2cap_rx_state_recv(chan, control, skb, event);
6179
6180 return err;
6181}
6182
d2a7ac5d
MM		 6183static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6184{
6185 /* Make sure reqseq is for a packet that has been sent but not acked */
6186 u16 unacked;
6187
6188 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6189 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6190}
6191
cec8ab6e
MM		 6192static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6193 struct sk_buff *skb, u8 event)
218bb9df 6194{
d2a7ac5d
MM		 6195 int err = 0;
6196
6197 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6198 control, skb, event, chan->rx_state);
6199
6200 if (__valid_reqseq(chan, control->reqseq)) {
6201 switch (chan->rx_state) {
6202 case L2CAP_RX_STATE_RECV:
6203 err = l2cap_rx_state_recv(chan, control, skb, event);
6204 break;
6205 case L2CAP_RX_STATE_SREJ_SENT:
6206 err = l2cap_rx_state_srej_sent(chan, control, skb,
6207 event);
6208 break;
32b32735
MM		 6209 case L2CAP_RX_STATE_WAIT_P:
6210 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6211 break;
6212 case L2CAP_RX_STATE_WAIT_F:
6213 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6214 break;
d2a7ac5d
MM		 6215 default:
6216 /* shut it down */
6217 break;
6218 }
6219 } else {
6220 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6221 control->reqseq, chan->next_tx_seq,
6222 chan->expected_ack_seq);
5e4e3972 6223 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6224 }
6225
6226 return err;
cec8ab6e
MM		 6227}
6228
6229static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6230 struct sk_buff *skb)
6231{
4b51dae9
MM		 6232 int err = 0;
6233
6234 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6235 chan->rx_state);
6236
6237 if (l2cap_classify_txseq(chan, control->txseq) ==
6238 L2CAP_TXSEQ_EXPECTED) {
6239 l2cap_pass_to_tx(chan, control);
6240
6241 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6242 __next_seq(chan, chan->buffer_seq));
6243
6244 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6245
6246 l2cap_reassemble_sdu(chan, skb, control);
6247 } else {
6248 if (chan->sdu) {
6249 kfree_skb(chan->sdu);
6250 chan->sdu = NULL;
6251 }
6252 chan->sdu_last_frag = NULL;
6253 chan->sdu_len = 0;
6254
6255 if (skb) {
6256 BT_DBG("Freeing %p", skb);
6257 kfree_skb(skb);
6258 }
6259 }
6260
6261 chan->last_acked_seq = control->txseq;
6262 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6263
6264 return err;
cec8ab6e
MM		 6265}
6266
6267static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6268{
6269 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6270 u16 len;
6271 u8 event;
218bb9df 6272
b76bbd66
MM		 6273 __unpack_control(chan, skb);
6274
218bb9df
GP		 6275 len = skb->len;
6276
6277 /*
6278 * We can just drop the corrupted I-frame here.
6279 * Receiver will miss it and start proper recovery
cec8ab6e 6280 * procedures and ask for retransmission.
218bb9df 6281 */
47d1ec61 6282 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6283 goto drop;
6284
cec8ab6e 6285 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6286 len -= L2CAP_SDULEN_SIZE;
218bb9df 6287
47d1ec61 6288 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6289 len -= L2CAP_FCS_SIZE;
218bb9df 6290
47d1ec61 6291 if (len > chan->mps) {
5e4e3972 6292 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6293 goto drop;
6294 }
6295
cec8ab6e
MM		 6296 if (!control->sframe) {
6297 int err;
218bb9df 6298
cec8ab6e
MM		 6299 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6300 control->sar, control->reqseq, control->final,
6301 control->txseq);
218bb9df 6302
cec8ab6e
MM		 6303 /* Validate F-bit - F=0 always valid, F=1 only
6304 * valid in TX WAIT_F
6305 */
6306 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6307 goto drop;
cec8ab6e
MM		 6308
6309 if (chan->mode != L2CAP_MODE_STREAMING) {
6310 event = L2CAP_EV_RECV_IFRAME;
6311 err = l2cap_rx(chan, control, skb, event);
6312 } else {
6313 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6314 }
6315
cec8ab6e 6316 if (err)
5e4e3972 6317 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6318 } else {
cec8ab6e
MM		 6319 const u8 rx_func_to_event[4] = {
6320 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6321 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6322 };
6323
6324 /* Only I-frames are expected in streaming mode */
6325 if (chan->mode == L2CAP_MODE_STREAMING)
6326 goto drop;
6327
6328 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6329 control->reqseq, control->final, control->poll,
6330 control->super);
6331
218bb9df 6332 if (len != 0) {
1bb166e6 6333 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6334 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6335 goto drop;
6336 }
6337
cec8ab6e
MM		 6338 /* Validate F and P bits */
6339 if (control->final && (control->poll ||
6340 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6341 goto drop;
6342
6343 event = rx_func_to_event[control->super];
6344 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6345 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6346 }
6347
6348 return 0;
6349
6350drop:
6351 kfree_skb(skb);
6352 return 0;
6353}
6354
13ca56e0
AE		 6355static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6356 struct sk_buff *skb)
1da177e4 6357{
48454079 6358 struct l2cap_chan *chan;
1da177e4 6359
baa7e1fa 6360 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6361 if (!chan) {
97e8e89d
AE		 6362 if (cid == L2CAP_CID_A2MP) {
6363 chan = a2mp_channel_create(conn, skb);
6364 if (!chan) {
6365 kfree_skb(skb);
13ca56e0 6366 return;
97e8e89d
AE		 6367 }
6368
6369 l2cap_chan_lock(chan);
6370 } else {
6371 BT_DBG("unknown cid 0x%4.4x", cid);
6372 /* Drop packet and return */
6373 kfree_skb(skb);
13ca56e0 6374 return;
97e8e89d 6375 }
1da177e4
LT		 6376 }
6377
49208c9c 6378 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6379
89bc500e 6380 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6381 goto drop;
6382
0c1bc5c6 6383 switch (chan->mode) {
1c2acffb
GP		 6384 case L2CAP_MODE_BASIC:
6385 /* If socket recv buffers overflows we drop data here
6386 * which is *bad* because L2CAP has to be reliable.
6387 * But we don't have any other choice. L2CAP doesn't
6388 * provide flow control mechanism. */
1da177e4 6389
0c1bc5c6 6390 if (chan->imtu < skb->len)
1c2acffb 6391 goto drop;
1da177e4 6392
80b98027 6393 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6394 goto done;
6395 break;
6396
6397 case L2CAP_MODE_ERTM:
6840ed07 6398 case L2CAP_MODE_STREAMING:
cec8ab6e 6399 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6400 goto done;
6401
1c2acffb 6402 default:
0c1bc5c6 6403 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6404 break;
6405 }
1da177e4
LT		 6406
6407drop:
6408 kfree_skb(skb);
6409
6410done:
6be36555 6411 l2cap_chan_unlock(chan);
1da177e4
LT		 6412}
6413
84104b24
AE		 6414static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6415 struct sk_buff *skb)
1da177e4 6416{
ae4fd2d3 6417 struct hci_conn *hcon = conn->hcon;
23691d75 6418 struct l2cap_chan *chan;
1da177e4 6419
ae4fd2d3
MH		 6420 if (hcon->type != ACL_LINK)
6421 goto drop;
6422
c2287681 6423 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6424 if (!chan)
1da177e4
LT		 6425 goto drop;
6426
5b4cedaa 6427 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6428
89bc500e 6429 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6430 goto drop;
6431
e13e21dc 6432 if (chan->imtu < skb->len)
1da177e4
LT		 6433 goto drop;
6434
80b98027 6435 if (!chan->ops->recv(chan, skb))
84104b24 6436 return;
1da177e4
LT		 6437
6438drop:
6439 kfree_skb(skb);
1da177e4
LT		 6440}
6441
72f78356 6442static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6443 struct sk_buff *skb)
9f69bda6 6444{
b99707d7 6445 struct hci_conn *hcon = conn->hcon;
23691d75 6446 struct l2cap_chan *chan;
9f69bda6 6447
b99707d7
MH		 6448 if (hcon->type != LE_LINK)
6449 goto drop;
6450
af1c0134 6451 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
72f78356 6452 conn->src, conn->dst);
23691d75 6453 if (!chan)
9f69bda6
GP		 6454 goto drop;
6455
5b4cedaa 6456 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6457
e13e21dc 6458 if (chan->imtu < skb->len)
9f69bda6
GP		 6459 goto drop;
6460
80b98027 6461 if (!chan->ops->recv(chan, skb))
6810fca7 6462 return;
9f69bda6
GP		 6463
6464drop:
6465 kfree_skb(skb);
9f69bda6
GP		 6466}
6467
1da177e4
LT		 6468static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6469{
6470 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6471 u16 cid, len;
6472 __le16 psm;
1da177e4
LT		 6473
6474 skb_pull(skb, L2CAP_HDR_SIZE);
6475 cid = __le16_to_cpu(lh->cid);
6476 len = __le16_to_cpu(lh->len);
6477
1c2acffb
GP		 6478 if (len != skb->len) {
6479 kfree_skb(skb);
6480 return;
6481 }
6482
1da177e4
LT		 6483 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6484
6485 switch (cid) {
8db4dc46 6486 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6487 l2cap_sig_channel(conn, skb);
6488 break;
6489
8db4dc46 6490 case L2CAP_CID_CONN_LESS:
097db76c 6491 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6492 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6493 l2cap_conless_channel(conn, psm, skb);
6494 break;
6495
073d1cf3 6496 case L2CAP_CID_ATT:
72f78356 6497 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6498 break;
6499
a2877629
MH		 6500 case L2CAP_CID_LE_SIGNALING:
6501 l2cap_le_sig_channel(conn, skb);
6502 break;
6503
b501d6a1
AB		 6504 case L2CAP_CID_SMP:
6505 if (smp_sig_channel(conn, skb))
6506 l2cap_conn_del(conn->hcon, EACCES);
6507 break;
6508
1da177e4
LT		 6509 default:
6510 l2cap_data_channel(conn, cid, skb);
6511 break;
6512 }
6513}
6514
6515/* ---- L2CAP interface with lower layer (HCI) ---- */
6516
686ebf28 6517int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6518{
6519 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6520 struct l2cap_chan *c;
1da177e4 6521
6ed93dc6 6522 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6523
6524 /* Find listening sockets and check their link_mode */
23691d75
GP		 6525 read_lock(&chan_list_lock);
6526 list_for_each_entry(c, &chan_list, global_l) {
6527 struct sock *sk = c->sk;
4343478f 6528
89bc500e 6529 if (c->state != BT_LISTEN)
1da177e4
LT		 6530 continue;
6531
6532 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6533 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6534 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6535 lm1 |= HCI_LM_MASTER;
1da177e4 6536 exact++;
2af6b9d5
MH		 6537 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6538 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6539 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6540 lm2 |= HCI_LM_MASTER;
6541 }
1da177e4 6542 }
23691d75 6543 read_unlock(&chan_list_lock);
1da177e4
LT		 6544
6545 return exact ? lm1 : lm2;
6546}
6547
9e664631 6548void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6549{
0139418c
MH		 6550 struct l2cap_conn *conn;
6551
6ed93dc6 6552 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6553
1da177e4 6554 if (!status) {
baf43251 6555 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6556 if (conn)
6557 l2cap_conn_ready(conn);
ba6fc317 6558 } else {
e175072f 6559 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6560 }
1da177e4
LT		 6561}
6562
686ebf28 6563int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6564{
6565 struct l2cap_conn *conn = hcon->l2cap_data;
6566
6567 BT_DBG("hcon %p", hcon);
6568
686ebf28 6569 if (!conn)
9f5a0d7b 6570 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6571 return conn->disc_reason;
6572}
6573
9e664631 6574void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6575{
6576 BT_DBG("hcon %p reason %d", hcon, reason);
6577
e175072f 6578 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6579}
6580
4343478f 6581static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6582{
715ec005 6583 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6584 return;
6585
f62e4323 6586 if (encrypt == 0x00) {
4343478f 6587 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6588 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6589 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6590 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6591 } else {
4343478f 6592 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6593 __clear_chan_timer(chan);
f62e4323
MH		 6594 }
6595}
6596
686ebf28 6597int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6598{
0139418c 6599 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6600 struct l2cap_chan *chan;
1da177e4 6601
0139418c 6602 if (!conn)
1da177e4 6603 return 0;
0139418c 6604
89d8b407 6605 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6606
160dc6ac 6607 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6608 if (!status && encrypt)
6609 smp_distribute_keys(conn, 0);
17cd3f37 6610 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6611 }
6612
3df91ea2 6613 mutex_lock(&conn->chan_lock);
1da177e4 6614
3df91ea2 6615 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6616 l2cap_chan_lock(chan);
1da177e4 6617
89d8b407
AE		 6618 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6619 state_to_string(chan->state));
f1cb9af5 6620
78eb2f98
AE		 6621 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6622 l2cap_chan_unlock(chan);
6623 continue;
6624 }
6625
073d1cf3 6626 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6627 if (!status && encrypt) {
6628 chan->sec_level = hcon->sec_level;
cf4cd009 6629 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6630 }
6631
6be36555 6632 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6633 continue;
6634 }
6635
96eff46e 6636 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6637 l2cap_chan_unlock(chan);
6a8d3010
MH		 6638 continue;
6639 }
6640
89bc500e 6641 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6642 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6643 struct sock *sk = chan->sk;
6644
c5daa683 6645 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6646 sk->sk_state_change(sk);
6647
4343478f 6648 l2cap_check_encryption(chan, encrypt);
6be36555 6649 l2cap_chan_unlock(chan);
9719f8af
MH		 6650 continue;
6651 }
6652
89bc500e 6653 if (chan->state == BT_CONNECT) {
b1235d79 6654 if (!status) {
93c3e8f5 6655 l2cap_start_connection(chan);
b1235d79 6656 } else {
ba13ccd9 6657 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6658 }
89bc500e 6659 } else if (chan->state == BT_CONNECT2) {
6be36555 6660 struct sock *sk = chan->sk;
b1235d79 6661 struct l2cap_conn_rsp rsp;
df3c3931 6662 __u16 res, stat;
1da177e4 6663
6be36555
AE		 6664 lock_sock(sk);
6665
b1235d79 6666 if (!status) {
c5daa683
GP		 6667 if (test_bit(BT_SK_DEFER_SETUP,
6668 &bt_sk(sk)->flags)) {
df3c3931
JH		 6669 res = L2CAP_CR_PEND;
6670 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6671 chan->ops->defer(chan);
df3c3931 6672 } else {
0e587be7 6673 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6674 res = L2CAP_CR_SUCCESS;
6675 stat = L2CAP_CS_NO_INFO;
6676 }
b1235d79 6677 } else {
0e587be7 6678 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6679 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6680 res = L2CAP_CR_SEC_BLOCK;
6681 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6682 }
6683
6be36555
AE		 6684 release_sock(sk);
6685
fe4128e0
GP		 6686 rsp.scid = cpu_to_le16(chan->dcid);
6687 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6688 rsp.result = cpu_to_le16(res);
6689 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6690 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6691 sizeof(rsp), &rsp);
2d369359
MM		 6692
6693 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6694 res == L2CAP_CR_SUCCESS) {
6695 char buf[128];
6696 set_bit(CONF_REQ_SENT, &chan->conf_state);
6697 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6698 L2CAP_CONF_REQ,
6699 l2cap_build_conf_req(chan, buf),
6700 buf);
6701 chan->num_conf_req++;
6702 }
b1235d79 6703 }
1da177e4 6704
6be36555 6705 l2cap_chan_unlock(chan);
1da177e4
LT		 6706 }
6707
3df91ea2 6708 mutex_unlock(&conn->chan_lock);
b1235d79 6709
1da177e4
LT		 6710 return 0;
6711}
6712
686ebf28 6713int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6714{
6715 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6716 struct l2cap_hdr *hdr;
6717 int len;
1da177e4 6718
1d13a254
AE		 6719 /* For AMP controller do not create l2cap conn */
6720 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6721 goto drop;
1da177e4 6722
5a08ecce 6723 if (!conn)
baf43251 6724 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6725
6726 if (!conn)
1da177e4
LT		 6727 goto drop;
6728
6729 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6730
d73a0988
AE		 6731 switch (flags) {
6732 case ACL_START:
6733 case ACL_START_NO_FLUSH:
6734 case ACL_COMPLETE:
1da177e4
LT		 6735 if (conn->rx_len) {
6736 BT_ERR("Unexpected start frame (len %d)", skb->len);
6737 kfree_skb(conn->rx_skb);
6738 conn->rx_skb = NULL;
6739 conn->rx_len = 0;
6740 l2cap_conn_unreliable(conn, ECOMM);
6741 }
6742
aae7fe22
AE		 6743 /* Start fragment always begin with Basic L2CAP header */
6744 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6745 BT_ERR("Frame is too short (len %d)", skb->len);
6746 l2cap_conn_unreliable(conn, ECOMM);
6747 goto drop;
6748 }
6749
6750 hdr = (struct l2cap_hdr *) skb->data;
6751 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6752
6753 if (len == skb->len) {
6754 /* Complete frame received */
6755 l2cap_recv_frame(conn, skb);
6756 return 0;
6757 }
6758
6759 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6760
6761 if (skb->len > len) {
6762 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6763 skb->len, len);
1da177e4
LT		 6764 l2cap_conn_unreliable(conn, ECOMM);
6765 goto drop;
6766 }
6767
6768 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6769 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6770 if (!conn->rx_skb)
1da177e4
LT		 6771 goto drop;
6772
d626f62b 6773 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6774 skb->len);
1da177e4 6775 conn->rx_len = len - skb->len;
d73a0988
AE		 6776 break;
6777
6778 case ACL_CONT:
1da177e4
LT		 6779 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6780
6781 if (!conn->rx_len) {
6782 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6783 l2cap_conn_unreliable(conn, ECOMM);
6784 goto drop;
6785 }
6786
6787 if (skb->len > conn->rx_len) {
6788 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6789 skb->len, conn->rx_len);
1da177e4
LT		 6790 kfree_skb(conn->rx_skb);
6791 conn->rx_skb = NULL;
6792 conn->rx_len = 0;
6793 l2cap_conn_unreliable(conn, ECOMM);
6794 goto drop;
6795 }
6796
d626f62b 6797 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6798 skb->len);
1da177e4
LT		 6799 conn->rx_len -= skb->len;
6800
6801 if (!conn->rx_len) {
c4e5bafa
JH		 6802 /* Complete frame received. l2cap_recv_frame
6803 * takes ownership of the skb so set the global
6804 * rx_skb pointer to NULL first.
6805 */
6806 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 6807 conn->rx_skb = NULL;
c4e5bafa 6808 l2cap_recv_frame(conn, rx_skb);
1da177e4 6809 }
d73a0988 6810 break;
1da177e4
LT		 6811 }
6812
6813drop:
6814 kfree_skb(skb);
6815 return 0;
6816}
6817
aef7d97c 6818static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6819{
23691d75 6820 struct l2cap_chan *c;
1da177e4 6821
333055f2 6822 read_lock(&chan_list_lock);
1da177e4 6823
23691d75
GP		 6824 list_for_each_entry(c, &chan_list, global_l) {
6825 struct sock *sk = c->sk;
101545f6 6826
fcb73338
AE		 6827 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6828 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6829 c->state, __le16_to_cpu(c->psm),
6830 c->scid, c->dcid, c->imtu, c->omtu,
6831 c->sec_level, c->mode);
61e1b4b7 6832 }
1da177e4 6833
333055f2 6834 read_unlock(&chan_list_lock);
1da177e4 6835
aef7d97c 6836 return 0;
1da177e4
LT		 6837}
6838
aef7d97c
MH		 6839static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6840{
6841 return single_open(file, l2cap_debugfs_show, inode->i_private);
6842}
6843
6844static const struct file_operations l2cap_debugfs_fops = {
6845 .open = l2cap_debugfs_open,
6846 .read = seq_read,
6847 .llseek = seq_lseek,
6848 .release = single_release,
6849};
6850
6851static struct dentry *l2cap_debugfs;
1da177e4 6852
64274518 6853int __init l2cap_init(void)
1da177e4
LT		 6854{
6855 int err;
be9d1227 6856
bb58f747 6857 err = l2cap_init_sockets();
1da177e4
LT		 6858 if (err < 0)
6859 return err;
6860
aef7d97c 6861 if (bt_debugfs) {
2d792818
GP		 6862 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6863 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6864 if (!l2cap_debugfs)
6865 BT_ERR("Failed to create L2CAP debug file");
6866 }
1da177e4 6867
1da177e4 6868 return 0;
1da177e4
LT		 6869}
6870
64274518 6871void l2cap_exit(void)
1da177e4 6872{
aef7d97c 6873 debugfs_remove(l2cap_debugfs);
bb58f747 6874 l2cap_cleanup_sockets();
1da177e4
LT		 6875}
6876
d1c4a17d
GP		 6877module_param(disable_ertm, bool, 0644);
6878MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.995007 seconds and 5 git commands to generate.