projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Queue incoming ACL data until BT_CONNECTED state is reached
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
18722c24 43#include "6lowpan.h"
1da177e4 44
d1de6d46 45bool disable_ertm;
f0709e03 46
547d1032 47static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 48static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 49
b5ad8b7f
JB		 50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
1da177e4 52
f15b8ecf
JH		 53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
1da177e4 56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 57 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 59 void *data);
710f9b0a 60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 62
d660366d 63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 64 struct sk_buff_head *skbs, u8 event);
608bcc6d 65
4f1654e0
MH		 66static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
67{
68 if (hcon->type == LE_LINK) {
69 if (type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56 79
2d792818
GP		 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
81 u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
2d792818
GP		 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
93 u16 cid)
0139418c 94{
3df91ea2 95 struct l2cap_chan *c;
3d57dc68 96
3df91ea2
AE		 97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->scid == cid)
99 return c;
0139418c 100 }
3df91ea2 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
ef191ade 105 * Returns locked channel. */
2d792818
GP		 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 u16 cid)
0139418c 108{
48454079 109 struct l2cap_chan *c;
baa7e1fa 110
3df91ea2 111 mutex_lock(&conn->chan_lock);
baa7e1fa 112 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 113 if (c)
114 l2cap_chan_lock(c);
3df91ea2
AE		 115 mutex_unlock(&conn->chan_lock);
116
48454079 117 return c;
0139418c
MH		 118}
119
b1a130b7
MM		 120/* Find channel with given DCID.
121 * Returns locked channel.
122 */
123static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
124 u16 cid)
125{
126 struct l2cap_chan *c;
127
128 mutex_lock(&conn->chan_lock);
129 c = __l2cap_get_chan_by_dcid(conn, cid);
130 if (c)
131 l2cap_chan_lock(c);
132 mutex_unlock(&conn->chan_lock);
133
134 return c;
135}
136
2d792818
GP		 137static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
138 u8 ident)
0139418c 139{
3df91ea2 140 struct l2cap_chan *c;
3d57dc68 141
3df91ea2
AE		 142 list_for_each_entry(c, &conn->chan_l, list) {
143 if (c->ident == ident)
144 return c;
0139418c 145 }
3df91ea2 146 return NULL;
0139418c
MH		 147}
148
5b155ef9
MM		 149static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151{
152 struct l2cap_chan *c;
153
154 mutex_lock(&conn->chan_lock);
155 c = __l2cap_get_chan_by_ident(conn, ident);
156 if (c)
157 l2cap_chan_lock(c);
158 mutex_unlock(&conn->chan_lock);
159
160 return c;
161}
162
23691d75 163static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 164{
23691d75 165 struct l2cap_chan *c;
9e4425ff 166
23691d75 167 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 168 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 169 return c;
9e4425ff 170 }
250938cb 171 return NULL;
9e4425ff
GP		 172}
173
174int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
175{
73b2ec18
GP		 176 int err;
177
333055f2 178 write_lock(&chan_list_lock);
9e4425ff 179
23691d75 180 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 181 err = -EADDRINUSE;
182 goto done;
9e4425ff
GP		 183 }
184
73b2ec18
GP		 185 if (psm) {
186 chan->psm = psm;
187 chan->sport = psm;
188 err = 0;
189 } else {
190 u16 p;
191
192 err = -EINVAL;
193 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 194 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 195 chan->psm = cpu_to_le16(p);
196 chan->sport = cpu_to_le16(p);
197 err = 0;
198 break;
199 }
200 }
9e4425ff 201
73b2ec18 202done:
333055f2 203 write_unlock(&chan_list_lock);
73b2ec18 204 return err;
9e4425ff
GP		 205}
206
207int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
208{
333055f2 209 write_lock(&chan_list_lock);
9e4425ff
GP		 210
211 chan->scid = scid;
212
333055f2 213 write_unlock(&chan_list_lock);
9e4425ff
GP		 214
215 return 0;
216}
217
baa7e1fa 218static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 219{
e77af755 220 u16 cid, dyn_end;
0139418c 221
e77af755
JH		 222 if (conn->hcon->type == LE_LINK)
223 dyn_end = L2CAP_CID_LE_DYN_END;
224 else
225 dyn_end = L2CAP_CID_DYN_END;
226
227 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 228 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 229 return cid;
230 }
231
232 return 0;
233}
234
f93fa273 235static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 236{
42d2d87c 237 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 238 state_to_string(state));
badaaa00 239
89bc500e 240 chan->state = state;
53f52121 241 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 242}
243
f8e73017
GP		 244static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
2e0052e4 246{
f8e73017 247 chan->state = state;
53f52121 248 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 249}
250
251static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
252{
f8e73017 253 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 254}
255
4239d16f
MM		 256static void __set_retrans_timer(struct l2cap_chan *chan)
257{
258 if (!delayed_work_pending(&chan->monitor_timer) &&
259 chan->retrans_timeout) {
260 l2cap_set_timer(chan, &chan->retrans_timer,
261 msecs_to_jiffies(chan->retrans_timeout));
262 }
263}
264
265static void __set_monitor_timer(struct l2cap_chan *chan)
266{
267 __clear_retrans_timer(chan);
268 if (chan->monitor_timeout) {
269 l2cap_set_timer(chan, &chan->monitor_timer,
270 msecs_to_jiffies(chan->monitor_timeout));
271 }
272}
273
608bcc6d
MM		 274static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
275 u16 seq)
276{
277 struct sk_buff *skb;
278
279 skb_queue_walk(head, skb) {
280 if (bt_cb(skb)->control.txseq == seq)
281 return skb;
282 }
283
284 return NULL;
285}
286
3c588192
MM		 287/* ---- L2CAP sequence number lists ---- */
288
289/* For ERTM, ordered lists of sequence numbers must be tracked for
290 * SREJ requests that are received and for frames that are to be
291 * retransmitted. These seq_list functions implement a singly-linked
292 * list in an array, where membership in the list can also be checked
293 * in constant time. Items can also be added to the tail of the list
294 * and removed from the head in constant time, without further memory
295 * allocs or frees.
296 */
297
298static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
299{
300 size_t alloc_size, i;
301
302 /* Allocated size is a power of 2 to map sequence numbers
303 * (which may be up to 14 bits) in to a smaller array that is
304 * sized for the negotiated ERTM transmit windows.
305 */
306 alloc_size = roundup_pow_of_two(size);
307
308 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
309 if (!seq_list->list)
310 return -ENOMEM;
311
312 seq_list->mask = alloc_size - 1;
313 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
314 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
315 for (i = 0; i < alloc_size; i++)
316 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
317
318 return 0;
319}
320
321static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
322{
323 kfree(seq_list->list);
324}
325
326static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
327 u16 seq)
328{
329 /* Constant-time check for list membership */
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331}
332
333static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
334{
335 u16 mask = seq_list->mask;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
338 /* In case someone tries to pop the head of an empty list */
339 return L2CAP_SEQ_LIST_CLEAR;
340 } else if (seq_list->head == seq) {
341 /* Head can be removed in constant time */
342 seq_list->head = seq_list->list[seq & mask];
343 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
346 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
347 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
348 }
349 } else {
350 /* Walk the list to find the sequence number */
351 u16 prev = seq_list->head;
352 while (seq_list->list[prev & mask] != seq) {
353 prev = seq_list->list[prev & mask];
354 if (prev == L2CAP_SEQ_LIST_TAIL)
355 return L2CAP_SEQ_LIST_CLEAR;
356 }
357
358 /* Unlink the number from the list and clear it */
359 seq_list->list[prev & mask] = seq_list->list[seq & mask];
360 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
361 if (seq_list->tail == seq)
362 seq_list->tail = prev;
363 }
364 return seq;
365}
366
367static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
368{
369 /* Remove the head in constant time */
370 return l2cap_seq_list_remove(seq_list, seq_list->head);
371}
372
373static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
374{
f522ae36 375 u16 i;
3c588192 376
f522ae36
GP		 377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
378 return;
379
380 for (i = 0; i <= seq_list->mask; i++)
381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382
383 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 385}
386
387static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388{
389 u16 mask = seq_list->mask;
390
391 /* All appends happen in constant time */
392
f522ae36
GP		 393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
394 return;
3c588192 395
f522ae36
GP		 396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
397 seq_list->head = seq;
398 else
399 seq_list->list[seq_list->tail & mask] = seq;
400
401 seq_list->tail = seq;
402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 403}
404
721c4181 405static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 406{
721c4181 407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 408 chan_timer.work);
3df91ea2 409 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 410 int reason;
411
e05dcc32 412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 413
3df91ea2 414 mutex_lock(&conn->chan_lock);
6be36555 415 l2cap_chan_lock(chan);
ab07801d 416
89bc500e 417 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 418 reason = ECONNREFUSED;
89bc500e 419 else if (chan->state == BT_CONNECT &&
2d792818 420 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 421 reason = ECONNREFUSED;
422 else
423 reason = ETIMEDOUT;
424
0f852724 425 l2cap_chan_close(chan, reason);
ab07801d 426
6be36555 427 l2cap_chan_unlock(chan);
ab07801d 428
80b98027 429 chan->ops->close(chan);
3df91ea2
AE		 430 mutex_unlock(&conn->chan_lock);
431
371fd835 432 l2cap_chan_put(chan);
ab07801d
GP		 433}
434
eef1d9b6 435struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 436{
437 struct l2cap_chan *chan;
438
439 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
440 if (!chan)
441 return NULL;
442
c03b355e
AE		 443 mutex_init(&chan->lock);
444
333055f2 445 write_lock(&chan_list_lock);
23691d75 446 list_add(&chan->global_l, &chan_list);
333055f2 447 write_unlock(&chan_list_lock);
23691d75 448
721c4181 449 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 450
89bc500e
GP		 451 chan->state = BT_OPEN;
452
144ad330 453 kref_init(&chan->kref);
71ba0e56 454
2827011f
MM		 455 /* This flag is cleared in l2cap_chan_ready() */
456 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
457
eef1d9b6 458 BT_DBG("chan %p", chan);
abc545b8 459
48454079
GP		 460 return chan;
461}
462
144ad330 463static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 464{
144ad330
SS		 465 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
466
4af66c69
JK		 467 BT_DBG("chan %p", chan);
468
333055f2 469 write_lock(&chan_list_lock);
23691d75 470 list_del(&chan->global_l);
333055f2 471 write_unlock(&chan_list_lock);
23691d75 472
4af66c69 473 kfree(chan);
6ff5abbf
GP		 474}
475
30648372
JK		 476void l2cap_chan_hold(struct l2cap_chan *c)
477{
144ad330 478 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 479
144ad330 480 kref_get(&c->kref);
30648372
JK		 481}
482
483void l2cap_chan_put(struct l2cap_chan *c)
484{
144ad330 485 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 486
144ad330 487 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 488}
489
bd4b1653
AE		 490void l2cap_chan_set_defaults(struct l2cap_chan *chan)
491{
492 chan->fcs = L2CAP_FCS_CRC16;
493 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
494 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 496 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 497 chan->sec_level = BT_SECURITY_LOW;
498
499 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
500}
501
0ce43ce6 502static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 503{
0ce43ce6
JH		 504 chan->sdu = NULL;
505 chan->sdu_last_frag = NULL;
506 chan->sdu_len = 0;
0cd75f7e 507 chan->tx_credits = 0;
f15b8ecf 508 chan->rx_credits = le_max_credits;
f1324ea5 509 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS);
0ce43ce6
JH		 510
511 skb_queue_head_init(&chan->tx_q);
38319713
JH		 512}
513
93c3e8f5 514void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 515{
af05b30b 516 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 517 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 518
9f5a0d7b 519 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 520
8c1d787b 521 chan->conn = conn;
0139418c 522
5491120e
AE		 523 switch (chan->chan_type) {
524 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b 525 if (conn->hcon->type == LE_LINK) {
aeddd075
JH		 526 if (chan->dcid == L2CAP_CID_ATT) {
527 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c 528 chan->scid = L2CAP_CID_ATT;
aeddd075 529 } else {
9f22398c 530 chan->scid = l2cap_alloc_cid(conn);
aeddd075 531 }
b62f328b
VT		 532 } else {
533 /* Alloc CID for connection-oriented socket */
fe4128e0 534 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 535 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 536 }
5491120e
AE		 537 break;
538
539 case L2CAP_CHAN_CONN_LESS:
0139418c 540 /* Connectionless socket */
fe4128e0
GP		 541 chan->scid = L2CAP_CID_CONN_LESS;
542 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 543 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 544 break;
545
416fa752
AE		 546 case L2CAP_CHAN_CONN_FIX_A2MP:
547 chan->scid = L2CAP_CID_A2MP;
548 chan->dcid = L2CAP_CID_A2MP;
549 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
550 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
551 break;
552
5491120e 553 default:
0139418c 554 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 555 chan->scid = L2CAP_CID_SIGNALING;
556 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 557 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 558 }
559
8f7975b1
AE		 560 chan->local_id = L2CAP_BESTEFFORT_ID;
561 chan->local_stype = L2CAP_SERV_BESTEFFORT;
562 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
563 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
564 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 565 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 566
371fd835 567 l2cap_chan_hold(chan);
baa7e1fa 568
5ee9891d
JH		 569 hci_conn_hold(conn->hcon);
570
3df91ea2 571 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 572}
573
466f8004 574void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 575{
576 mutex_lock(&conn->chan_lock);
577 __l2cap_chan_add(conn, chan);
3df91ea2 578 mutex_unlock(&conn->chan_lock);
0139418c
MH		 579}
580
466f8004 581void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 582{
8c1d787b 583 struct l2cap_conn *conn = chan->conn;
0139418c 584
c9b66675 585 __clear_chan_timer(chan);
0139418c 586
49208c9c 587 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 588
8e87d142 589 if (conn) {
56f60984 590 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 591 /* Delete from channel list */
3df91ea2 592 list_del(&chan->list);
3d57dc68 593
371fd835 594 l2cap_chan_put(chan);
baa7e1fa 595
8c1d787b 596 chan->conn = NULL;
3cabbfda
AE		 597
598 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 599 hci_conn_drop(conn->hcon);
56f60984
AE		 600
601 if (mgr && mgr->bredr_chan == chan)
602 mgr->bredr_chan = NULL;
0139418c
MH		 603 }
604
419e08c1
AE		 605 if (chan->hs_hchan) {
606 struct hci_chan *hs_hchan = chan->hs_hchan;
607
608 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
609 amp_disconnect_logical_link(hs_hchan);
610 }
611
b699ec0d 612 chan->ops->teardown(chan, err);
6be36555 613
2827011f 614 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 615 return;
2ead70b8 616
ee556f66
GP		 617 switch(chan->mode) {
618 case L2CAP_MODE_BASIC:
619 break;
c13ffa62 620
38319713 621 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 622 skb_queue_purge(&chan->tx_q);
38319713
JH		 623 break;
624
ee556f66 625 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 626 __clear_retrans_timer(chan);
627 __clear_monitor_timer(chan);
628 __clear_ack_timer(chan);
c13ffa62 629
f1c6775b 630 skb_queue_purge(&chan->srej_q);
c13ffa62 631
3c588192
MM		 632 l2cap_seq_list_free(&chan->srej_list);
633 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 634
635 /* fall through */
636
637 case L2CAP_MODE_STREAMING:
638 skb_queue_purge(&chan->tx_q);
639 break;
c13ffa62 640 }
ee556f66
GP		 641
642 return;
0139418c
MH		 643}
644
27e2d4c8
JH		 645static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
646{
647 struct l2cap_conn *conn = chan->conn;
648 struct l2cap_le_conn_rsp rsp;
649 u16 result;
650
651 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
652 result = L2CAP_CR_AUTHORIZATION;
653 else
654 result = L2CAP_CR_BAD_PSM;
655
656 l2cap_state_change(chan, BT_DISCONN);
657
658 rsp.dcid = cpu_to_le16(chan->scid);
659 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 660 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 661 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 662 rsp.result = cpu_to_le16(result);
663
664 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
665 &rsp);
666}
667
791d60f7
JH		 668static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
669{
670 struct l2cap_conn *conn = chan->conn;
671 struct l2cap_conn_rsp rsp;
672 u16 result;
673
674 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
675 result = L2CAP_CR_SEC_BLOCK;
676 else
677 result = L2CAP_CR_BAD_PSM;
678
679 l2cap_state_change(chan, BT_DISCONN);
680
681 rsp.scid = cpu_to_le16(chan->dcid);
682 rsp.dcid = cpu_to_le16(chan->scid);
683 rsp.result = cpu_to_le16(result);
684 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
685
686 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
687}
688
0f852724 689void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 690{
691 struct l2cap_conn *conn = chan->conn;
4519de9a 692
7eafc59e 693 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 694
89bc500e 695 switch (chan->state) {
4519de9a 696 case BT_LISTEN:
b699ec0d 697 chan->ops->teardown(chan, 0);
4519de9a
GP		 698 break;
699
700 case BT_CONNECTED:
701 case BT_CONFIG:
cea04ce3
JH		 702 /* ATT uses L2CAP_CHAN_CONN_ORIENTED so we must also
703 * check for chan->psm.
704 */
705 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
8d836d71 706 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 707 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 708 } else
709 l2cap_chan_del(chan, reason);
710 break;
711
712 case BT_CONNECT2:
791d60f7
JH		 713 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
714 if (conn->hcon->type == ACL_LINK)
715 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 716 else if (conn->hcon->type == LE_LINK)
717 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 718 }
719
720 l2cap_chan_del(chan, reason);
721 break;
722
723 case BT_CONNECT:
724 case BT_DISCONN:
725 l2cap_chan_del(chan, reason);
726 break;
727
728 default:
b699ec0d 729 chan->ops->teardown(chan, 0);
4519de9a
GP		 730 break;
731 }
732}
733
4343478f 734static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 735{
6a974b50
MH		 736 switch (chan->chan_type) {
737 case L2CAP_CHAN_RAW:
4343478f 738 switch (chan->sec_level) {
8556edd3 739 case BT_SECURITY_HIGH:
7d513e92 740 case BT_SECURITY_FIPS:
8556edd3
JH		 741 return HCI_AT_DEDICATED_BONDING_MITM;
742 case BT_SECURITY_MEDIUM:
743 return HCI_AT_DEDICATED_BONDING;
744 default:
745 return HCI_AT_NO_BONDING;
746 }
6a974b50 747 break;
3124b843
MH		 748 case L2CAP_CHAN_CONN_LESS:
749 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
750 if (chan->sec_level == BT_SECURITY_LOW)
751 chan->sec_level = BT_SECURITY_SDP;
752 }
7d513e92
MH		 753 if (chan->sec_level == BT_SECURITY_HIGH ||
754 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 755 return HCI_AT_NO_BONDING_MITM;
756 else
757 return HCI_AT_NO_BONDING;
758 break;
6a974b50
MH		 759 case L2CAP_CHAN_CONN_ORIENTED:
760 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
761 if (chan->sec_level == BT_SECURITY_LOW)
762 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 763
7d513e92
MH		 764 if (chan->sec_level == BT_SECURITY_HIGH ||
765 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 766 return HCI_AT_NO_BONDING_MITM;
767 else
768 return HCI_AT_NO_BONDING;
769 }
770 /* fall through */
771 default:
4343478f 772 switch (chan->sec_level) {
00ae4af9 773 case BT_SECURITY_HIGH:
7d513e92 774 case BT_SECURITY_FIPS:
8556edd3 775 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 776 case BT_SECURITY_MEDIUM:
8556edd3 777 return HCI_AT_GENERAL_BONDING;
00ae4af9 778 default:
8556edd3 779 return HCI_AT_NO_BONDING;
00ae4af9 780 }
6a974b50 781 break;
0684e5f9 782 }
8556edd3
JH		 783}
784
785/* Service level security */
d45fc423 786int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 787{
8c1d787b 788 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 789 __u8 auth_type;
790
a17de2fe
JH		 791 if (conn->hcon->type == LE_LINK)
792 return smp_conn_security(conn->hcon, chan->sec_level);
793
4343478f 794 auth_type = l2cap_get_auth_type(chan);
79d554a6 795
4343478f 796 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 797}
798
b5ad8b7f 799static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 800{
801 u8 id;
802
803 /* Get next available identificator.
804 * 1 - 128 are used by kernel.
805 * 129 - 199 are reserved.
806 * 200 - 254 are used by utilities like l2ping, etc.
807 */
808
333055f2 809 spin_lock(&conn->lock);
4e8402a3
MH		 810
811 if (++conn->tx_ident > 128)
812 conn->tx_ident = 1;
813
814 id = conn->tx_ident;
815
333055f2 816 spin_unlock(&conn->lock);
4e8402a3
MH		 817
818 return id;
819}
820
2d792818
GP		 821static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
822 void *data)
4e8402a3
MH		 823{
824 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 825 u8 flags;
4e8402a3
MH		 826
827 BT_DBG("code 0x%2.2x", code);
828
829 if (!skb)
9a9c6a34 830 return;
4e8402a3 831
e702112f
AE		 832 if (lmp_no_flush_capable(conn->hcon->hdev))
833 flags = ACL_START_NO_FLUSH;
834 else
835 flags = ACL_START;
836
14b12d0b 837 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 838 skb->priority = HCI_PRIO_MAX;
14b12d0b 839
73d80deb
LAD		 840 hci_send_acl(conn->hchan, skb, flags);
841}
842
02b0fbb9
MM		 843static bool __chan_is_moving(struct l2cap_chan *chan)
844{
845 return chan->move_state != L2CAP_MOVE_STABLE &&
846 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
847}
848
73d80deb
LAD		 849static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
850{
851 struct hci_conn *hcon = chan->conn->hcon;
852 u16 flags;
853
854 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 855 skb->priority);
73d80deb 856
d5f8a75d
MM		 857 if (chan->hs_hcon && !__chan_is_moving(chan)) {
858 if (chan->hs_hchan)
859 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
860 else
861 kfree_skb(skb);
862
863 return;
864 }
865
73d80deb 866 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 867 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 868 flags = ACL_START_NO_FLUSH;
869 else
870 flags = ACL_START;
14b12d0b 871
73d80deb
LAD		 872 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
873 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 874}
875
b76bbd66
MM		 876static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
877{
878 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
879 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
880
881 if (enh & L2CAP_CTRL_FRAME_TYPE) {
882 /* S-Frame */
883 control->sframe = 1;
884 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
885 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
886
887 control->sar = 0;
888 control->txseq = 0;
889 } else {
890 /* I-Frame */
891 control->sframe = 0;
892 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
893 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
894
895 control->poll = 0;
896 control->super = 0;
897 }
898}
899
b76bbd66
MM		 900static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
901{
902 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
903 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
904
905 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
906 /* S-Frame */
907 control->sframe = 1;
908 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
909 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
910
911 control->sar = 0;
912 control->txseq = 0;
913 } else {
914 /* I-Frame */
915 control->sframe = 0;
916 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
917 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
918
919 control->poll = 0;
920 control->super = 0;
921 }
922}
923
924static inline void __unpack_control(struct l2cap_chan *chan,
925 struct sk_buff *skb)
926{
927 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
928 __unpack_extended_control(get_unaligned_le32(skb->data),
929 &bt_cb(skb)->control);
cec8ab6e 930 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 931 } else {
932 __unpack_enhanced_control(get_unaligned_le16(skb->data),
933 &bt_cb(skb)->control);
cec8ab6e 934 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 935 }
936}
937
b5c6aaed
MM		 938static u32 __pack_extended_control(struct l2cap_ctrl *control)
939{
940 u32 packed;
941
942 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
943 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
944
945 if (control->sframe) {
946 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
947 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
948 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
949 } else {
950 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
951 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
952 }
953
954 return packed;
955}
956
957static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
958{
959 u16 packed;
960
961 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
962 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
963
964 if (control->sframe) {
965 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
966 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
967 packed |= L2CAP_CTRL_FRAME_TYPE;
968 } else {
969 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
970 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
971 }
972
973 return packed;
974}
975
b76bbd66
MM		 976static inline void __pack_control(struct l2cap_chan *chan,
977 struct l2cap_ctrl *control,
978 struct sk_buff *skb)
979{
980 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
981 put_unaligned_le32(__pack_extended_control(control),
982 skb->data + L2CAP_HDR_SIZE);
983 } else {
984 put_unaligned_le16(__pack_enhanced_control(control),
985 skb->data + L2CAP_HDR_SIZE);
986 }
987}
988
ba7aa64f
GP		 989static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
990{
991 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
992 return L2CAP_EXT_HDR_SIZE;
993 else
994 return L2CAP_ENH_HDR_SIZE;
995}
996
a67d7f6f
MM		 997static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
998 u32 control)
b5c6aaed
MM		 999{
1000 struct sk_buff *skb;
1001 struct l2cap_hdr *lh;
ba7aa64f 1002 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1003
1004 if (chan->fcs == L2CAP_FCS_CRC16)
1005 hlen += L2CAP_FCS_SIZE;
1006
a67d7f6f 1007 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1008
b5c6aaed 1009 if (!skb)
a67d7f6f 1010 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1011
1012 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1013 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1014 lh->cid = cpu_to_le16(chan->dcid);
1015
a67d7f6f
MM		 1016 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1017 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1018 else
1019 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1020
1021 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1022 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1023 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1024 }
1025
1026 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1027 return skb;
1028}
1029
1030static void l2cap_send_sframe(struct l2cap_chan *chan,
1031 struct l2cap_ctrl *control)
1032{
1033 struct sk_buff *skb;
1034 u32 control_field;
1035
1036 BT_DBG("chan %p, control %p", chan, control);
1037
1038 if (!control->sframe)
1039 return;
1040
b99e13ad
MM		 1041 if (__chan_is_moving(chan))
1042 return;
1043
a67d7f6f
MM		 1044 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1045 !control->poll)
1046 control->final = 1;
1047
1048 if (control->super == L2CAP_SUPER_RR)
1049 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1050 else if (control->super == L2CAP_SUPER_RNR)
1051 set_bit(CONN_RNR_SENT, &chan->conn_state);
1052
1053 if (control->super != L2CAP_SUPER_SREJ) {
1054 chan->last_acked_seq = control->reqseq;
1055 __clear_ack_timer(chan);
1056 }
1057
1058 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1059 control->final, control->poll, control->super);
1060
1061 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1062 control_field = __pack_extended_control(control);
1063 else
1064 control_field = __pack_enhanced_control(control);
1065
1066 skb = l2cap_create_sframe_pdu(chan, control_field);
1067 if (!IS_ERR(skb))
1068 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1069}
1070
c9e3d5e0 1071static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1072{
c9e3d5e0
MM		 1073 struct l2cap_ctrl control;
1074
1075 BT_DBG("chan %p, poll %d", chan, poll);
1076
1077 memset(&control, 0, sizeof(control));
1078 control.sframe = 1;
1079 control.poll = poll;
1080
1081 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1082 control.super = L2CAP_SUPER_RNR;
1083 else
1084 control.super = L2CAP_SUPER_RR;
b5c6aaed 1085
c9e3d5e0
MM		 1086 control.reqseq = chan->buffer_seq;
1087 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1088}
1089
b4450035 1090static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1091{
c1360a1c 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1093}
1094
1df7b17a 1095static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1096{
1df7b17a 1097 struct l2cap_conn *conn = chan->conn;
80d58d0b 1098 struct hci_dev *hdev;
1df7b17a
MH		 1099 bool amp_available = false;
1100
1101 if (!conn->hs_enabled)
1102 return false;
1103
1104 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1105 return false;
80d58d0b
MH		 1106
1107 read_lock(&hci_dev_list_lock);
1df7b17a 1108 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1109 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1110 test_bit(HCI_UP, &hdev->flags)) {
1111 amp_available = true;
1112 break;
1113 }
1114 }
80d58d0b
MH		 1115 read_unlock(&hci_dev_list_lock);
1116
1df7b17a
MH		 1117 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1118 return amp_available;
848566b3
MH		 1119
1120 return false;
93c3e8f5
AE		 1121}
1122
5ce66b59
AE		 1123static bool l2cap_check_efs(struct l2cap_chan *chan)
1124{
1125 /* Check EFS parameters */
1126 return true;
1127}
1128
2766be48 1129void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1130{
1131 struct l2cap_conn *conn = chan->conn;
1132 struct l2cap_conn_req req;
1133
1134 req.scid = cpu_to_le16(chan->scid);
1135 req.psm = chan->psm;
1136
1137 chan->ident = l2cap_get_ident(conn);
1138
1139 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1140
1141 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1142}
1143
8eb200bd
MM		 1144static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1145{
1146 struct l2cap_create_chan_req req;
1147 req.scid = cpu_to_le16(chan->scid);
1148 req.psm = chan->psm;
1149 req.amp_id = amp_id;
1150
1151 chan->ident = l2cap_get_ident(chan->conn);
1152
1153 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1154 sizeof(req), &req);
1155}
1156
02b0fbb9
MM		 1157static void l2cap_move_setup(struct l2cap_chan *chan)
1158{
1159 struct sk_buff *skb;
1160
1161 BT_DBG("chan %p", chan);
1162
1163 if (chan->mode != L2CAP_MODE_ERTM)
1164 return;
1165
1166 __clear_retrans_timer(chan);
1167 __clear_monitor_timer(chan);
1168 __clear_ack_timer(chan);
1169
1170 chan->retry_count = 0;
1171 skb_queue_walk(&chan->tx_q, skb) {
1172 if (bt_cb(skb)->control.retries)
1173 bt_cb(skb)->control.retries = 1;
1174 else
1175 break;
1176 }
1177
1178 chan->expected_tx_seq = chan->buffer_seq;
1179
1180 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1181 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1182 l2cap_seq_list_clear(&chan->retrans_list);
1183 l2cap_seq_list_clear(&chan->srej_list);
1184 skb_queue_purge(&chan->srej_q);
1185
1186 chan->tx_state = L2CAP_TX_STATE_XMIT;
1187 chan->rx_state = L2CAP_RX_STATE_MOVE;
1188
1189 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1190}
1191
5f3847a4
MM		 1192static void l2cap_move_done(struct l2cap_chan *chan)
1193{
1194 u8 move_role = chan->move_role;
1195 BT_DBG("chan %p", chan);
1196
1197 chan->move_state = L2CAP_MOVE_STABLE;
1198 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1199
1200 if (chan->mode != L2CAP_MODE_ERTM)
1201 return;
1202
1203 switch (move_role) {
1204 case L2CAP_MOVE_ROLE_INITIATOR:
1205 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1206 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1207 break;
1208 case L2CAP_MOVE_ROLE_RESPONDER:
1209 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1210 break;
1211 }
1212}
1213
9f0caeb1
VCG		 1214static void l2cap_chan_ready(struct l2cap_chan *chan)
1215{
2827011f 1216 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1217 chan->conf_state = 0;
1218 __clear_chan_timer(chan);
1219
0ce43ce6
JH		 1220 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1221 chan->ops->suspend(chan);
177f8f2b 1222
54a59aa2 1223 chan->state = BT_CONNECTED;
9f0caeb1 1224
fd83e2c2 1225 chan->ops->ready(chan);
9f0caeb1
VCG		 1226}
1227
f1496dee
JH		 1228static void l2cap_le_connect(struct l2cap_chan *chan)
1229{
1230 struct l2cap_conn *conn = chan->conn;
1231 struct l2cap_le_conn_req req;
1232
595177f3
JH		 1233 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1234 return;
1235
f1496dee
JH		 1236 req.psm = chan->psm;
1237 req.scid = cpu_to_le16(chan->scid);
1238 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1239 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1240 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1241
1242 chan->ident = l2cap_get_ident(conn);
1243
1244 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1245 sizeof(req), &req);
1246}
1247
1248static void l2cap_le_start(struct l2cap_chan *chan)
1249{
1250 struct l2cap_conn *conn = chan->conn;
1251
1252 if (!smp_conn_security(conn->hcon, chan->sec_level))
1253 return;
1254
1255 if (!chan->psm) {
1256 l2cap_chan_ready(chan);
1257 return;
1258 }
1259
1260 if (chan->state == BT_CONNECT)
1261 l2cap_le_connect(chan);
1262}
1263
93c3e8f5
AE		 1264static void l2cap_start_connection(struct l2cap_chan *chan)
1265{
1266 if (__amp_capable(chan)) {
1267 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1268 a2mp_discover_amp(chan);
f1496dee
JH		 1269 } else if (chan->conn->hcon->type == LE_LINK) {
1270 l2cap_le_start(chan);
93c3e8f5
AE		 1271 } else {
1272 l2cap_send_conn_req(chan);
1273 }
1274}
1275
fc7f8a7e 1276static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1277{
8c1d787b 1278 struct l2cap_conn *conn = chan->conn;
79d554a6 1279
9f0caeb1 1280 if (conn->hcon->type == LE_LINK) {
96ac34fb 1281 l2cap_le_start(chan);
9f0caeb1
VCG		 1282 return;
1283 }
1284
79d554a6 1285 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1286 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1287 return;
1288
d45fc423 1289 if (l2cap_chan_check_security(chan) &&
2d792818 1290 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1291 l2cap_start_connection(chan);
1292 }
79d554a6
MH		 1293 } else {
1294 struct l2cap_info_req req;
ac73498c 1295 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1296
1297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1298 conn->info_ident = l2cap_get_ident(conn);
1299
ba13ccd9 1300 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1301
2d792818
GP		 1302 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1303 sizeof(req), &req);
79d554a6
MH		 1304 }
1305}
1306
cf6c2c0b
GP		 1307static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1308{
1309 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1310 if (!disable_ertm)
cf6c2c0b
GP		 1311 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1312
1313 switch (mode) {
1314 case L2CAP_MODE_ERTM:
1315 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1316 case L2CAP_MODE_STREAMING:
1317 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1318 default:
1319 return 0x00;
1320 }
1321}
1322
5e4e3972 1323static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1324{
5e4e3972 1325 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1326 struct l2cap_disconn_req req;
1327
c13ffa62
GP		 1328 if (!conn)
1329 return;
1330
aad3d0e3 1331 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1332 __clear_retrans_timer(chan);
1333 __clear_monitor_timer(chan);
1334 __clear_ack_timer(chan);
c13ffa62
GP		 1335 }
1336
416fa752 1337 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1338 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1339 return;
1340 }
1341
fe4128e0
GP		 1342 req.dcid = cpu_to_le16(chan->dcid);
1343 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1344 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1345 sizeof(req), &req);
c13ffa62 1346
f8e73017 1347 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1348}
1349
1da177e4 1350/* ---- L2CAP connections ---- */
4e8402a3
MH		 1351static void l2cap_conn_start(struct l2cap_conn *conn)
1352{
3df91ea2 1353 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1354
1355 BT_DBG("conn %p", conn);
1356
3df91ea2 1357 mutex_lock(&conn->chan_lock);
4e8402a3 1358
3df91ea2 1359 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1360 l2cap_chan_lock(chan);
4e8402a3 1361
715ec005 1362 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1363 l2cap_chan_unlock(chan);
79d554a6
MH		 1364 continue;
1365 }
1366
89bc500e 1367 if (chan->state == BT_CONNECT) {
d45fc423 1368 if (!l2cap_chan_check_security(chan) ||
2d792818 1369 !__l2cap_no_conn_pending(chan)) {
6be36555 1370 l2cap_chan_unlock(chan);
47731de7
GP		 1371 continue;
1372 }
79d554a6 1373
c1360a1c 1374 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1375 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1376 &chan->conf_state)) {
89bc500e 1377 l2cap_chan_close(chan, ECONNRESET);
6be36555 1378 l2cap_chan_unlock(chan);
47731de7 1379 continue;
b1235d79 1380 }
47731de7 1381
93c3e8f5 1382 l2cap_start_connection(chan);
47731de7 1383
89bc500e 1384 } else if (chan->state == BT_CONNECT2) {
79d554a6 1385 struct l2cap_conn_rsp rsp;
e9aeb2dd 1386 char buf[128];
fe4128e0
GP		 1387 rsp.scid = cpu_to_le16(chan->dcid);
1388 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1389
d45fc423 1390 if (l2cap_chan_check_security(chan)) {
bdc25783 1391 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1392 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1393 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1394 chan->ops->defer(chan);
f66dc81f
MH		 1395
1396 } else {
acdcabf5 1397 l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1398 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1399 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1400 }
79d554a6 1401 } else {
ac73498c
AE		 1402 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1403 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1404 }
1405
fc7f8a7e 1406 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1407 sizeof(rsp), &rsp);
e9aeb2dd 1408
c1360a1c 1409 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1410 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1411 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1412 continue;
1413 }
1414
c1360a1c 1415 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1416 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1417 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1418 chan->num_conf_req++;
4e8402a3
MH		 1419 }
1420
6be36555 1421 l2cap_chan_unlock(chan);
4e8402a3
MH		 1422 }
1423
3df91ea2 1424 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1425}
1426
c2287681 1427/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1428 * Returns closest match, locked.
1429 */
d9b88702 1430static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1431 bdaddr_t *src,
1432 bdaddr_t *dst)
b62f328b 1433{
23691d75 1434 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1435
23691d75 1436 read_lock(&chan_list_lock);
b62f328b 1437
23691d75 1438 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1439 if (state && c->state != state)
b62f328b
VT		 1440 continue;
1441
23691d75 1442 if (c->scid == cid) {
c2287681
IY		 1443 int src_match, dst_match;
1444 int src_any, dst_any;
1445
b62f328b 1446 /* Exact match. */
7eafc59e
MH		 1447 src_match = !bacmp(&c->src, src);
1448 dst_match = !bacmp(&c->dst, dst);
c2287681 1449 if (src_match && dst_match) {
23691d75
GP		 1450 read_unlock(&chan_list_lock);
1451 return c;
1452 }
b62f328b
VT		 1453
1454 /* Closest match */
7eafc59e
MH		 1455 src_any = !bacmp(&c->src, BDADDR_ANY);
1456 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1457 if ((src_match && dst_any) || (src_any && dst_match) ||
1458 (src_any && dst_any))
23691d75 1459 c1 = c;
b62f328b
VT		 1460 }
1461 }
280f294f 1462
23691d75 1463 read_unlock(&chan_list_lock);
b62f328b 1464
23691d75 1465 return c1;
b62f328b
VT		 1466}
1467
1468static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1469{
cc8dba2b 1470 struct hci_conn *hcon = conn->hcon;
23691d75 1471 struct l2cap_chan *chan, *pchan;
cc8dba2b 1472 u8 dst_type;
b62f328b
VT		 1473
1474 BT_DBG("");
1475
18722c24
JR		 1476 bt_6lowpan_add_conn(conn);
1477
b62f328b 1478 /* Check if we have socket listening on cid */
073d1cf3 1479 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1480 &hcon->src, &hcon->dst);
23691d75 1481 if (!pchan)
b62f328b
VT		 1482 return;
1483
44f3b0fb
JH		 1484 /* Client ATT sockets should override the server one */
1485 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1486 return;
1487
cc8dba2b
MH		 1488 dst_type = bdaddr_type(hcon, hcon->dst_type);
1489
1490 /* If device is blocked, do not create a channel for it */
1491 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1492 return;
1493
8ffb9290 1494 l2cap_chan_lock(pchan);
62f3a2cf 1495
80b98027 1496 chan = pchan->ops->new_connection(pchan);
80808e43 1497 if (!chan)
b62f328b
VT		 1498 goto clean;
1499
9f22398c
JH		 1500 chan->dcid = L2CAP_CID_ATT;
1501
cc8dba2b
MH		 1502 bacpy(&chan->src, &hcon->src);
1503 bacpy(&chan->dst, &hcon->dst);
1504 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1505 chan->dst_type = dst_type;
b62f328b 1506
44f3b0fb 1507 __l2cap_chan_add(conn, chan);
48454079 1508
b62f328b 1509clean:
8ffb9290 1510 l2cap_chan_unlock(pchan);
b62f328b
VT		 1511}
1512
4e8402a3
MH		 1513static void l2cap_conn_ready(struct l2cap_conn *conn)
1514{
48454079 1515 struct l2cap_chan *chan;
cc110922 1516 struct hci_conn *hcon = conn->hcon;
4e8402a3 1517
79d554a6 1518 BT_DBG("conn %p", conn);
4e8402a3 1519
d8729922
JH		 1520 /* For outgoing pairing which doesn't necessarily have an
1521 * associated socket (e.g. mgmt_pair_device).
1522 */
cc110922
VCG		 1523 if (hcon->out && hcon->type == LE_LINK)
1524 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1525
3df91ea2 1526 mutex_lock(&conn->chan_lock);
4e8402a3 1527
44f3b0fb
JH		 1528 if (hcon->type == LE_LINK)
1529 l2cap_le_conn_ready(conn);
1530
3df91ea2 1531 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1532
6be36555 1533 l2cap_chan_lock(chan);
4e8402a3 1534
416fa752
AE		 1535 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1536 l2cap_chan_unlock(chan);
1537 continue;
1538 }
1539
cc110922 1540 if (hcon->type == LE_LINK) {
f1496dee 1541 l2cap_le_start(chan);
63128451 1542 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1543 l2cap_chan_ready(chan);
b501d6a1 1544
1c244f79 1545 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1546 l2cap_do_start(chan);
1c244f79 1547 }
4e8402a3 1548
6be36555 1549 l2cap_chan_unlock(chan);
4e8402a3 1550 }
79d554a6 1551
3df91ea2 1552 mutex_unlock(&conn->chan_lock);
61a939c6
JH		 1553
1554 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1555}
1556
1557/* Notify sockets that we cannot guaranty reliability anymore */
1558static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1559{
48454079 1560 struct l2cap_chan *chan;
4e8402a3
MH		 1561
1562 BT_DBG("conn %p", conn);
1563
3df91ea2 1564 mutex_lock(&conn->chan_lock);
4e8402a3 1565
3df91ea2 1566 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1567 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1568 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1569 }
1570
3df91ea2 1571 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1572}
1573
f878fcad 1574static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1575{
f878fcad 1576 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1577 info_timer.work);
4e8402a3 1578
984947dc 1579 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1580 conn->info_ident = 0;
984947dc 1581
4e8402a3
MH		 1582 l2cap_conn_start(conn);
1583}
1584
2c8e1411
DH		 1585/*
1586 * l2cap_user
1587 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1588 * callback is called during registration. The ->remove callback is called
1589 * during unregistration.
1590 * An l2cap_user object can either be explicitly unregistered or when the
1591 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1592 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1593 * External modules must own a reference to the l2cap_conn object if they intend
1594 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1595 * any time if they don't.
1596 */
1597
1598int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1599{
1600 struct hci_dev *hdev = conn->hcon->hdev;
1601 int ret;
1602
1603 /* We need to check whether l2cap_conn is registered. If it is not, we
1604 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1605 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1606 * relies on the parent hci_conn object to be locked. This itself relies
1607 * on the hci_dev object to be locked. So we must lock the hci device
1608 * here, too. */
1609
1610 hci_dev_lock(hdev);
1611
1612 if (user->list.next || user->list.prev) {
1613 ret = -EINVAL;
1614 goto out_unlock;
1615 }
1616
1617 /* conn->hchan is NULL after l2cap_conn_del() was called */
1618 if (!conn->hchan) {
1619 ret = -ENODEV;
1620 goto out_unlock;
1621 }
1622
1623 ret = user->probe(conn, user);
1624 if (ret)
1625 goto out_unlock;
1626
1627 list_add(&user->list, &conn->users);
1628 ret = 0;
1629
1630out_unlock:
1631 hci_dev_unlock(hdev);
1632 return ret;
1633}
1634EXPORT_SYMBOL(l2cap_register_user);
1635
1636void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1637{
1638 struct hci_dev *hdev = conn->hcon->hdev;
1639
1640 hci_dev_lock(hdev);
1641
1642 if (!user->list.next || !user->list.prev)
1643 goto out_unlock;
1644
1645 list_del(&user->list);
1646 user->list.next = NULL;
1647 user->list.prev = NULL;
1648 user->remove(conn, user);
1649
1650out_unlock:
1651 hci_dev_unlock(hdev);
1652}
1653EXPORT_SYMBOL(l2cap_unregister_user);
1654
1655static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1656{
1657 struct l2cap_user *user;
1658
1659 while (!list_empty(&conn->users)) {
1660 user = list_first_entry(&conn->users, struct l2cap_user, list);
1661 list_del(&user->list);
1662 user->list.next = NULL;
1663 user->list.prev = NULL;
1664 user->remove(conn, user);
1665 }
1666}
1667
5d3de7df
VCG		 1668static void l2cap_conn_del(struct hci_conn *hcon, int err)
1669{
1670 struct l2cap_conn *conn = hcon->l2cap_data;
1671 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1672
1673 if (!conn)
1674 return;
1675
1676 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1677
1678 kfree_skb(conn->rx_skb);
1679
61a939c6
JH		 1680 skb_queue_purge(&conn->pending_rx);
1681 flush_work(&conn->pending_rx_work);
1682
2c8e1411
DH		 1683 l2cap_unregister_all_users(conn);
1684
3df91ea2
AE		 1685 mutex_lock(&conn->chan_lock);
1686
5d3de7df
VCG		 1687 /* Kill channels */
1688 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1689 l2cap_chan_hold(chan);
6be36555
AE		 1690 l2cap_chan_lock(chan);
1691
5d3de7df 1692 l2cap_chan_del(chan, err);
6be36555
AE		 1693
1694 l2cap_chan_unlock(chan);
1695
80b98027 1696 chan->ops->close(chan);
61d6ef3e 1697 l2cap_chan_put(chan);
5d3de7df
VCG		 1698 }
1699
3df91ea2
AE		 1700 mutex_unlock(&conn->chan_lock);
1701
73d80deb
LAD		 1702 hci_chan_del(conn->hchan);
1703
5d3de7df 1704 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1705 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1706
51a8efd7 1707 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1708 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1709 smp_chan_destroy(conn);
d26a2345 1710 }
5d3de7df
VCG		 1711
1712 hcon->l2cap_data = NULL;
9c903e37
DH		 1713 conn->hchan = NULL;
1714 l2cap_conn_put(conn);
5d3de7df
VCG		 1715}
1716
6c9d42a1 1717static void security_timeout(struct work_struct *work)
5d3de7df 1718{
6c9d42a1 1719 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1720 security_timer.work);
5d3de7df 1721
d06cc416
JH		 1722 BT_DBG("conn %p", conn);
1723
1724 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1725 smp_chan_destroy(conn);
1726 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1727 }
5d3de7df
VCG		 1728}
1729
9c903e37
DH		 1730static void l2cap_conn_free(struct kref *ref)
1731{
1732 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1733
1734 hci_conn_put(conn->hcon);
1735 kfree(conn);
1736}
1737
1738void l2cap_conn_get(struct l2cap_conn *conn)
1739{
1740 kref_get(&conn->ref);
1741}
1742EXPORT_SYMBOL(l2cap_conn_get);
1743
1744void l2cap_conn_put(struct l2cap_conn *conn)
1745{
1746 kref_put(&conn->ref, l2cap_conn_free);
1747}
1748EXPORT_SYMBOL(l2cap_conn_put);
1749
1da177e4 1750/* ---- Socket interface ---- */
1da177e4 1751
c2287681 1752/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1753 * Returns closest match.
1754 */
c2287681
IY		 1755static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1756 bdaddr_t *src,
bf20fd4e
JH		 1757 bdaddr_t *dst,
1758 u8 link_type)
1da177e4 1759{
23691d75 1760 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1761
23691d75 1762 read_lock(&chan_list_lock);
e0f0cb56 1763
23691d75 1764 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1765 if (state && c->state != state)
1da177e4
LT		 1766 continue;
1767
bf20fd4e
JH		 1768 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1769 continue;
1770
1771 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1772 continue;
1773
23691d75 1774 if (c->psm == psm) {
c2287681
IY		 1775 int src_match, dst_match;
1776 int src_any, dst_any;
1777
1da177e4 1778 /* Exact match. */
7eafc59e
MH		 1779 src_match = !bacmp(&c->src, src);
1780 dst_match = !bacmp(&c->dst, dst);
c2287681 1781 if (src_match && dst_match) {
a7567b20 1782 read_unlock(&chan_list_lock);
23691d75
GP		 1783 return c;
1784 }
1da177e4
LT		 1785
1786 /* Closest match */
7eafc59e
MH		 1787 src_any = !bacmp(&c->src, BDADDR_ANY);
1788 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1789 if ((src_match && dst_any) || (src_any && dst_match) ||
1790 (src_any && dst_any))
23691d75 1791 c1 = c;
1da177e4
LT		 1792 }
1793 }
1da177e4 1794
23691d75 1795 read_unlock(&chan_list_lock);
e0f0cb56 1796
23691d75 1797 return c1;
1da177e4
LT		 1798}
1799
721c4181 1800static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1801{
721c4181 1802 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1803 monitor_timer.work);
e90bac06 1804
525cd185 1805 BT_DBG("chan %p", chan);
0e98958d 1806
6be36555
AE		 1807 l2cap_chan_lock(chan);
1808
80909e04 1809 if (!chan->conn) {
6be36555 1810 l2cap_chan_unlock(chan);
8d7e1c7f 1811 l2cap_chan_put(chan);
e90bac06
GP		 1812 return;
1813 }
1814
401bb1f7 1815 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1816
6be36555 1817 l2cap_chan_unlock(chan);
8d7e1c7f 1818 l2cap_chan_put(chan);
e90bac06
GP		 1819}
1820
721c4181 1821static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1822{
721c4181 1823 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1824 retrans_timer.work);
e90bac06 1825
49208c9c 1826 BT_DBG("chan %p", chan);
0e98958d 1827
6be36555
AE		 1828 l2cap_chan_lock(chan);
1829
80909e04
MM		 1830 if (!chan->conn) {
1831 l2cap_chan_unlock(chan);
1832 l2cap_chan_put(chan);
1833 return;
1834 }
6be36555 1835
401bb1f7 1836 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1837 l2cap_chan_unlock(chan);
8d7e1c7f 1838 l2cap_chan_put(chan);
e90bac06
GP		 1839}
1840
d660366d
GP		 1841static void l2cap_streaming_send(struct l2cap_chan *chan,
1842 struct sk_buff_head *skbs)
6840ed07 1843{
ccbb84af 1844 struct sk_buff *skb;
3733937d 1845 struct l2cap_ctrl *control;
6840ed07 1846
3733937d
MM		 1847 BT_DBG("chan %p, skbs %p", chan, skbs);
1848
b99e13ad
MM		 1849 if (__chan_is_moving(chan))
1850 return;
1851
3733937d
MM		 1852 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1853
1854 while (!skb_queue_empty(&chan->tx_q)) {
1855
1856 skb = skb_dequeue(&chan->tx_q);
1857
1858 bt_cb(skb)->control.retries = 1;
1859 control = &bt_cb(skb)->control;
1860
1861 control->reqseq = 0;
1862 control->txseq = chan->next_tx_seq;
1863
1864 __pack_control(chan, control, skb);
6840ed07 1865
47d1ec61 1866 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1867 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1868 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1869 }
1870
4343478f 1871 l2cap_do_send(chan, skb);
6840ed07 1872
b4400672 1873 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1874
836be934 1875 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1876 chan->frames_sent++;
6840ed07 1877 }
6840ed07
GP		 1878}
1879
67c9e840 1880static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1881{
1882 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1883 struct l2cap_ctrl *control;
1884 int sent = 0;
1885
1886 BT_DBG("chan %p", chan);
1c2acffb 1887
89bc500e 1888 if (chan->state != BT_CONNECTED)
c13ffa62 1889 return -ENOTCONN;
e90bac06 1890
94122bbe
MM		 1891 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1892 return 0;
1893
b99e13ad
MM		 1894 if (__chan_is_moving(chan))
1895 return 0;
1896
18a48e76
MM		 1897 while (chan->tx_send_head &&
1898 chan->unacked_frames < chan->remote_tx_win &&
1899 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1900
18a48e76 1901 skb = chan->tx_send_head;
e90bac06 1902
18a48e76
MM		 1903 bt_cb(skb)->control.retries = 1;
1904 control = &bt_cb(skb)->control;
95ffa978 1905
e2ab4353 1906 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1907 control->final = 1;
e2ab4353 1908
18a48e76
MM		 1909 control->reqseq = chan->buffer_seq;
1910 chan->last_acked_seq = chan->buffer_seq;
1911 control->txseq = chan->next_tx_seq;
1c2acffb 1912
18a48e76 1913 __pack_control(chan, control, skb);
e90bac06 1914
47d1ec61 1915 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1916 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1917 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1918 }
1919
18a48e76
MM		 1920 /* Clone after data has been modified. Data is assumed to be
1921 read-only (for locking purposes) on cloned sk_buffs.
1922 */
1923 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1924
18a48e76
MM		 1925 if (!tx_skb)
1926 break;
1c2acffb 1927
18a48e76 1928 __set_retrans_timer(chan);
836be934
AE		 1929
1930 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1931 chan->unacked_frames++;
6a026610 1932 chan->frames_sent++;
18a48e76 1933 sent++;
1c2acffb 1934
58d35f87
GP		 1935 if (skb_queue_is_last(&chan->tx_q, skb))
1936 chan->tx_send_head = NULL;
1c2acffb 1937 else
58d35f87 1938 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1939
1940 l2cap_do_send(chan, tx_skb);
b4400672 1941 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1942 }
1943
b4400672
AE		 1944 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1945 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1946
1947 return sent;
9e917af1
GP		 1948}
1949
e1fbd4c1
MM		 1950static void l2cap_ertm_resend(struct l2cap_chan *chan)
1951{
1952 struct l2cap_ctrl control;
1953 struct sk_buff *skb;
1954 struct sk_buff *tx_skb;
1955 u16 seq;
1956
1957 BT_DBG("chan %p", chan);
1958
1959 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1960 return;
1961
b99e13ad
MM		 1962 if (__chan_is_moving(chan))
1963 return;
1964
e1fbd4c1
MM		 1965 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1966 seq = l2cap_seq_list_pop(&chan->retrans_list);
1967
1968 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1969 if (!skb) {
1970 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1971 seq);
e1fbd4c1
MM		 1972 continue;
1973 }
1974
1975 bt_cb(skb)->control.retries++;
1976 control = bt_cb(skb)->control;
1977
1978 if (chan->max_tx != 0 &&
1979 bt_cb(skb)->control.retries > chan->max_tx) {
1980 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1981 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1982 l2cap_seq_list_clear(&chan->retrans_list);
1983 break;
1984 }
1985
1986 control.reqseq = chan->buffer_seq;
1987 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1988 control.final = 1;
1989 else
1990 control.final = 0;
1991
1992 if (skb_cloned(skb)) {
1993 /* Cloned sk_buffs are read-only, so we need a
1994 * writeable copy
1995 */
8bcde1f2 1996 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1997 } else {
8bcde1f2 1998 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1999 }
2000
2001 if (!tx_skb) {
2002 l2cap_seq_list_clear(&chan->retrans_list);
2003 break;
2004 }
2005
2006 /* Update skb contents */
2007 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2008 put_unaligned_le32(__pack_extended_control(&control),
2009 tx_skb->data + L2CAP_HDR_SIZE);
2010 } else {
2011 put_unaligned_le16(__pack_enhanced_control(&control),
2012 tx_skb->data + L2CAP_HDR_SIZE);
2013 }
2014
2015 if (chan->fcs == L2CAP_FCS_CRC16) {
2016 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2017 put_unaligned_le16(fcs, skb_put(tx_skb,
2018 L2CAP_FCS_SIZE));
2019 }
2020
2021 l2cap_do_send(chan, tx_skb);
2022
2023 BT_DBG("Resent txseq %d", control.txseq);
2024
2025 chan->last_acked_seq = chan->buffer_seq;
2026 }
2027}
2028
f80842a8
MM		 2029static void l2cap_retransmit(struct l2cap_chan *chan,
2030 struct l2cap_ctrl *control)
2031{
2032 BT_DBG("chan %p, control %p", chan, control);
2033
2034 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2035 l2cap_ertm_resend(chan);
2036}
2037
d2a7ac5d
MM		 2038static void l2cap_retransmit_all(struct l2cap_chan *chan,
2039 struct l2cap_ctrl *control)
2040{
e1fbd4c1
MM		 2041 struct sk_buff *skb;
2042
2043 BT_DBG("chan %p, control %p", chan, control);
2044
2045 if (control->poll)
2046 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2047
2048 l2cap_seq_list_clear(&chan->retrans_list);
2049
2050 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2051 return;
2052
2053 if (chan->unacked_frames) {
2054 skb_queue_walk(&chan->tx_q, skb) {
2055 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2056 skb == chan->tx_send_head)
e1fbd4c1
MM		 2057 break;
2058 }
2059
2060 skb_queue_walk_from(&chan->tx_q, skb) {
2061 if (skb == chan->tx_send_head)
2062 break;
2063
2064 l2cap_seq_list_append(&chan->retrans_list,
2065 bt_cb(skb)->control.txseq);
2066 }
2067
2068 l2cap_ertm_resend(chan);
2069 }
d2a7ac5d
MM		 2070}
2071
0a0aba42 2072static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2073{
0a0aba42
MM		 2074 struct l2cap_ctrl control;
2075 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2076 chan->last_acked_seq);
2077 int threshold;
9e917af1 2078
0a0aba42
MM		 2079 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2080 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2081
0a0aba42
MM		 2082 memset(&control, 0, sizeof(control));
2083 control.sframe = 1;
dfc909be 2084
0a0aba42
MM		 2085 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2086 chan->rx_state == L2CAP_RX_STATE_RECV) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RNR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2091 } else {
2092 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2093 l2cap_ertm_send(chan);
2094 /* If any i-frames were sent, they included an ack */
2095 if (chan->buffer_seq == chan->last_acked_seq)
2096 frames_to_ack = 0;
2097 }
dfc909be 2098
c20f8e35 2099 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2100 * Calculate without mul or div
2101 */
c20f8e35 2102 threshold = chan->ack_win;
0a0aba42
MM		 2103 threshold += threshold << 1;
2104 threshold >>= 2;
2105
b4400672 2106 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2107 threshold);
2108
2109 if (frames_to_ack >= threshold) {
2110 __clear_ack_timer(chan);
2111 control.super = L2CAP_SUPER_RR;
2112 control.reqseq = chan->buffer_seq;
2113 l2cap_send_sframe(chan, &control);
2114 frames_to_ack = 0;
2115 }
1c2acffb 2116
0a0aba42
MM		 2117 if (frames_to_ack)
2118 __set_ack_timer(chan);
2119 }
b17e73bb
SJ		 2120}
2121
04124681
GP		 2122static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2123 struct msghdr *msg, int len,
2124 int count, struct sk_buff *skb)
1c2acffb 2125{
0952a57a 2126 struct l2cap_conn *conn = chan->conn;
1c2acffb 2127 struct sk_buff **frag;
90338947 2128 int sent = 0;
1da177e4 2129
59203a21 2130 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2131 return -EFAULT;
1da177e4
LT		 2132
2133 sent += count;
2134 len -= count;
2135
2136 /* Continuation fragments (no L2CAP header) */
2137 frag = &skb_shinfo(skb)->frag_list;
2138 while (len) {
fbe00700
GP		 2139 struct sk_buff *tmp;
2140
1da177e4
LT		 2141 count = min_t(unsigned int, conn->mtu, len);
2142
fbe00700
GP		 2143 tmp = chan->ops->alloc_skb(chan, count,
2144 msg->msg_flags & MSG_DONTWAIT);
2145 if (IS_ERR(tmp))
2146 return PTR_ERR(tmp);
2147
2148 *frag = tmp;
2f7719ce 2149
1c2acffb
GP		 2150 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2151 return -EFAULT;
1da177e4 2152
5e59b791
LAD		 2153 (*frag)->priority = skb->priority;
2154
1da177e4
LT		 2155 sent += count;
2156 len -= count;
2157
2d0ed3d5
GP		 2158 skb->len += (*frag)->len;
2159 skb->data_len += (*frag)->len;
2160
1da177e4
LT		 2161 frag = &(*frag)->next;
2162 }
1da177e4
LT		 2163
2164 return sent;
1c2acffb 2165}
1da177e4 2166
5e59b791 2167static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2168 struct msghdr *msg, size_t len,
2169 u32 priority)
1c2acffb 2170{
8c1d787b 2171 struct l2cap_conn *conn = chan->conn;
1c2acffb 2172 struct sk_buff *skb;
03a51213 2173 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2174 struct l2cap_hdr *lh;
2175
43b1b8df
MH		 2176 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2177 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2178
2179 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2180
2181 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2182 msg->msg_flags & MSG_DONTWAIT);
2183 if (IS_ERR(skb))
2184 return skb;
1c2acffb 2185
5e59b791
LAD		 2186 skb->priority = priority;
2187
1c2acffb
GP		 2188 /* Create L2CAP header */
2189 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2190 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2191 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2192 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2193
0952a57a 2194 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2195 if (unlikely(err < 0)) {
2196 kfree_skb(skb);
2197 return ERR_PTR(err);
2198 }
2199 return skb;
2200}
2201
5e59b791 2202static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2203 struct msghdr *msg, size_t len,
2204 u32 priority)
1c2acffb 2205{
8c1d787b 2206 struct l2cap_conn *conn = chan->conn;
1c2acffb 2207 struct sk_buff *skb;
f2ba7fae 2208 int err, count;
1c2acffb
GP		 2209 struct l2cap_hdr *lh;
2210
b4400672 2211 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2212
f2ba7fae 2213 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2214
f2ba7fae 2215 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2216 msg->msg_flags & MSG_DONTWAIT);
2217 if (IS_ERR(skb))
2218 return skb;
1c2acffb 2219
5e59b791
LAD		 2220 skb->priority = priority;
2221
1c2acffb
GP		 2222 /* Create L2CAP header */
2223 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2224 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2225 lh->len = cpu_to_le16(len);
1c2acffb 2226
0952a57a 2227 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2228 if (unlikely(err < 0)) {
2229 kfree_skb(skb);
2230 return ERR_PTR(err);
2231 }
2232 return skb;
2233}
2234
ab0ff76d 2235static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2236 struct msghdr *msg, size_t len,
2237 u16 sdulen)
1c2acffb 2238{
8c1d787b 2239 struct l2cap_conn *conn = chan->conn;
1c2acffb 2240 struct sk_buff *skb;
e4ca6d98 2241 int err, count, hlen;
1c2acffb
GP		 2242 struct l2cap_hdr *lh;
2243
b4400672 2244 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2245
0ee0d208
GP		 2246 if (!conn)
2247 return ERR_PTR(-ENOTCONN);
2248
ba7aa64f 2249 hlen = __ertm_hdr_size(chan);
e4ca6d98 2250
c74e560c 2251 if (sdulen)
03a51213 2252 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2253
47d1ec61 2254 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2255 hlen += L2CAP_FCS_SIZE;
fcc203c3 2256
1c2acffb 2257 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2258
2259 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2260 msg->msg_flags & MSG_DONTWAIT);
2261 if (IS_ERR(skb))
2262 return skb;
1c2acffb
GP		 2263
2264 /* Create L2CAP header */
2265 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2266 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2267 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2268
18a48e76
MM		 2269 /* Control header is populated later */
2270 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2271 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2272 else
2273 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2274
c74e560c 2275 if (sdulen)
03a51213 2276 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2277
0952a57a 2278 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2279 if (unlikely(err < 0)) {
2280 kfree_skb(skb);
2281 return ERR_PTR(err);
2282 }
e90bac06 2283
18a48e76 2284 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2285 bt_cb(skb)->control.retries = 0;
1c2acffb 2286 return skb;
1da177e4
LT		 2287}
2288
94122bbe
MM		 2289static int l2cap_segment_sdu(struct l2cap_chan *chan,
2290 struct sk_buff_head *seg_queue,
2291 struct msghdr *msg, size_t len)
c74e560c 2292{
c74e560c 2293 struct sk_buff *skb;
94122bbe
MM		 2294 u16 sdu_len;
2295 size_t pdu_len;
94122bbe 2296 u8 sar;
c74e560c 2297
b4400672 2298 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2299
94122bbe
MM		 2300 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2301 * so fragmented skbs are not used. The HCI layer's handling
2302 * of fragmented skbs is not compatible with ERTM's queueing.
2303 */
c74e560c 2304
94122bbe
MM		 2305 /* PDU size is derived from the HCI MTU */
2306 pdu_len = chan->conn->mtu;
c74e560c 2307
a549574d
MM		 2308 /* Constrain PDU size for BR/EDR connections */
2309 if (!chan->hs_hcon)
2310 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2311
2312 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2313 if (chan->fcs)
2314 pdu_len -= L2CAP_FCS_SIZE;
2315
ba7aa64f 2316 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2317
2318 /* Remote device may have requested smaller PDUs */
2319 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2320
2321 if (len <= pdu_len) {
2322 sar = L2CAP_SAR_UNSEGMENTED;
2323 sdu_len = 0;
2324 pdu_len = len;
2325 } else {
2326 sar = L2CAP_SAR_START;
2327 sdu_len = len;
2328 pdu_len -= L2CAP_SDULEN_SIZE;
2329 }
2330
2331 while (len > 0) {
2332 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2333
c74e560c 2334 if (IS_ERR(skb)) {
94122bbe 2335 __skb_queue_purge(seg_queue);
c74e560c
GP		 2336 return PTR_ERR(skb);
2337 }
2338
94122bbe
MM		 2339 bt_cb(skb)->control.sar = sar;
2340 __skb_queue_tail(seg_queue, skb);
2341
2342 len -= pdu_len;
2343 if (sdu_len) {
2344 sdu_len = 0;
2345 pdu_len += L2CAP_SDULEN_SIZE;
2346 }
2347
2348 if (len <= pdu_len) {
2349 sar = L2CAP_SAR_END;
2350 pdu_len = len;
2351 } else {
2352 sar = L2CAP_SAR_CONTINUE;
2353 }
c74e560c 2354 }
c74e560c 2355
f0f62799 2356 return 0;
c74e560c
GP		 2357}
2358
177f8f2b
JH		 2359static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2360 struct msghdr *msg,
2361 size_t len, u16 sdulen)
2362{
2363 struct l2cap_conn *conn = chan->conn;
2364 struct sk_buff *skb;
2365 int err, count, hlen;
2366 struct l2cap_hdr *lh;
2367
2368 BT_DBG("chan %p len %zu", chan, len);
2369
2370 if (!conn)
2371 return ERR_PTR(-ENOTCONN);
2372
2373 hlen = L2CAP_HDR_SIZE;
2374
2375 if (sdulen)
2376 hlen += L2CAP_SDULEN_SIZE;
2377
2378 count = min_t(unsigned int, (conn->mtu - hlen), len);
2379
2380 skb = chan->ops->alloc_skb(chan, count + hlen,
2381 msg->msg_flags & MSG_DONTWAIT);
2382 if (IS_ERR(skb))
2383 return skb;
2384
2385 /* Create L2CAP header */
2386 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2387 lh->cid = cpu_to_le16(chan->dcid);
2388 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2389
2390 if (sdulen)
2391 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2392
2393 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2394 if (unlikely(err < 0)) {
2395 kfree_skb(skb);
2396 return ERR_PTR(err);
2397 }
2398
2399 return skb;
2400}
2401
2402static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2403 struct sk_buff_head *seg_queue,
2404 struct msghdr *msg, size_t len)
2405{
2406 struct sk_buff *skb;
2407 size_t pdu_len;
2408 u16 sdu_len;
2409
2410 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2411
2412 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2413
2414 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2415
2416 sdu_len = len;
2417 pdu_len -= L2CAP_SDULEN_SIZE;
2418
2419 while (len > 0) {
2420 if (len <= pdu_len)
2421 pdu_len = len;
2422
2423 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2424 if (IS_ERR(skb)) {
2425 __skb_queue_purge(seg_queue);
2426 return PTR_ERR(skb);
2427 }
2428
2429 __skb_queue_tail(seg_queue, skb);
2430
2431 len -= pdu_len;
2432
2433 if (sdu_len) {
2434 sdu_len = 0;
2435 pdu_len += L2CAP_SDULEN_SIZE;
2436 }
2437 }
2438
2439 return 0;
2440}
2441
5e59b791 2442int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2443 u32 priority)
9a91a04a 2444{
9a91a04a 2445 struct sk_buff *skb;
9a91a04a 2446 int err;
94122bbe 2447 struct sk_buff_head seg_queue;
9a91a04a 2448
31e8ce80
SWK		 2449 if (!chan->conn)
2450 return -ENOTCONN;
2451
9a91a04a 2452 /* Connectionless channel */
715ec005 2453 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2454 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2455 if (IS_ERR(skb))
2456 return PTR_ERR(skb);
2457
2458 l2cap_do_send(chan, skb);
2459 return len;
2460 }
2461
2462 switch (chan->mode) {
38319713 2463 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2464 /* Check outgoing MTU */
2465 if (len > chan->omtu)
2466 return -EMSGSIZE;
2467
fad5fc89
JH		 2468 if (!chan->tx_credits)
2469 return -EAGAIN;
2470
177f8f2b
JH		 2471 __skb_queue_head_init(&seg_queue);
2472
2473 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2474
2475 if (chan->state != BT_CONNECTED) {
2476 __skb_queue_purge(&seg_queue);
2477 err = -ENOTCONN;
2478 }
2479
2480 if (err)
2481 return err;
2482
2483 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2484
2485 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2486 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2487 chan->tx_credits--;
2488 }
2489
2490 if (!chan->tx_credits)
2491 chan->ops->suspend(chan);
2492
2493 err = len;
2494
2495 break;
2496
fad5fc89 2497 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2498 /* Check outgoing MTU */
2499 if (len > chan->omtu)
2500 return -EMSGSIZE;
2501
2502 /* Create a basic PDU */
5e59b791 2503 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2504 if (IS_ERR(skb))
2505 return PTR_ERR(skb);
2506
2507 l2cap_do_send(chan, skb);
2508 err = len;
2509 break;
2510
2511 case L2CAP_MODE_ERTM:
2512 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2513 /* Check outgoing MTU */
2514 if (len > chan->omtu) {
2515 err = -EMSGSIZE;
2516 break;
2517 }
9a91a04a 2518
94122bbe 2519 __skb_queue_head_init(&seg_queue);
9a91a04a 2520
94122bbe
MM		 2521 /* Do segmentation before calling in to the state machine,
2522 * since it's possible to block while waiting for memory
2523 * allocation.
2524 */
2525 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2526
94122bbe
MM		 2527 /* The channel could have been closed while segmenting,
2528 * check that it is still connected.
2529 */
2530 if (chan->state != BT_CONNECTED) {
2531 __skb_queue_purge(&seg_queue);
2532 err = -ENOTCONN;
9a91a04a
GP		 2533 }
2534
94122bbe 2535 if (err)
9a91a04a 2536 break;
9a91a04a 2537
3733937d 2538 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2539 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2540 else
d660366d 2541 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2542
d660366d 2543 err = len;
9a91a04a 2544
94122bbe
MM		 2545 /* If the skbs were not queued for sending, they'll still be in
2546 * seg_queue and need to be purged.
2547 */
2548 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2549 break;
2550
2551 default:
2552 BT_DBG("bad state %1.1x", chan->mode);
2553 err = -EBADFD;
2554 }
2555
2556 return err;
2557}
2558
d2a7ac5d
MM		 2559static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2560{
bed68bde
MM		 2561 struct l2cap_ctrl control;
2562 u16 seq;
2563
b4400672 2564 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2565
2566 memset(&control, 0, sizeof(control));
2567 control.sframe = 1;
2568 control.super = L2CAP_SUPER_SREJ;
2569
2570 for (seq = chan->expected_tx_seq; seq != txseq;
2571 seq = __next_seq(chan, seq)) {
2572 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2573 control.reqseq = seq;
2574 l2cap_send_sframe(chan, &control);
2575 l2cap_seq_list_append(&chan->srej_list, seq);
2576 }
2577 }
2578
2579 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2580}
2581
2582static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2583{
bed68bde
MM		 2584 struct l2cap_ctrl control;
2585
2586 BT_DBG("chan %p", chan);
2587
2588 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2589 return;
2590
2591 memset(&control, 0, sizeof(control));
2592 control.sframe = 1;
2593 control.super = L2CAP_SUPER_SREJ;
2594 control.reqseq = chan->srej_list.tail;
2595 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2596}
2597
2598static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2599{
bed68bde
MM		 2600 struct l2cap_ctrl control;
2601 u16 initial_head;
2602 u16 seq;
2603
b4400672 2604 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2605
2606 memset(&control, 0, sizeof(control));
2607 control.sframe = 1;
2608 control.super = L2CAP_SUPER_SREJ;
2609
2610 /* Capture initial list head to allow only one pass through the list. */
2611 initial_head = chan->srej_list.head;
2612
2613 do {
2614 seq = l2cap_seq_list_pop(&chan->srej_list);
2615 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2616 break;
2617
2618 control.reqseq = seq;
2619 l2cap_send_sframe(chan, &control);
2620 l2cap_seq_list_append(&chan->srej_list, seq);
2621 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2622}
2623
608bcc6d
MM		 2624static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2625{
2626 struct sk_buff *acked_skb;
2627 u16 ackseq;
2628
b4400672 2629 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2630
2631 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2632 return;
2633
b4400672 2634 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2635 chan->expected_ack_seq, chan->unacked_frames);
2636
2637 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2638 ackseq = __next_seq(chan, ackseq)) {
2639
2640 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2641 if (acked_skb) {
2642 skb_unlink(acked_skb, &chan->tx_q);
2643 kfree_skb(acked_skb);
2644 chan->unacked_frames--;
2645 }
2646 }
2647
2648 chan->expected_ack_seq = reqseq;
2649
2650 if (chan->unacked_frames == 0)
2651 __clear_retrans_timer(chan);
2652
b4400672 2653 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2654}
2655
2656static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2657{
2658 BT_DBG("chan %p", chan);
2659
2660 chan->expected_tx_seq = chan->buffer_seq;
2661 l2cap_seq_list_clear(&chan->srej_list);
2662 skb_queue_purge(&chan->srej_q);
2663 chan->rx_state = L2CAP_RX_STATE_RECV;
2664}
2665
d660366d
GP		 2666static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2667 struct l2cap_ctrl *control,
2668 struct sk_buff_head *skbs, u8 event)
608bcc6d 2669{
608bcc6d
MM		 2670 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2671 event);
2672
2673 switch (event) {
2674 case L2CAP_EV_DATA_REQUEST:
2675 if (chan->tx_send_head == NULL)
2676 chan->tx_send_head = skb_peek(skbs);
2677
2678 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2679 l2cap_ertm_send(chan);
2680 break;
2681 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2682 BT_DBG("Enter LOCAL_BUSY");
2683 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2684
2685 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2686 /* The SREJ_SENT state must be aborted if we are to
2687 * enter the LOCAL_BUSY state.
2688 */
2689 l2cap_abort_rx_srej_sent(chan);
2690 }
2691
2692 l2cap_send_ack(chan);
2693
2694 break;
2695 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2696 BT_DBG("Exit LOCAL_BUSY");
2697 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2698
2699 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2700 struct l2cap_ctrl local_control;
2701
2702 memset(&local_control, 0, sizeof(local_control));
2703 local_control.sframe = 1;
2704 local_control.super = L2CAP_SUPER_RR;
2705 local_control.poll = 1;
2706 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2707 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2708
2709 chan->retry_count = 1;
2710 __set_monitor_timer(chan);
2711 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2712 }
2713 break;
2714 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2715 l2cap_process_reqseq(chan, control->reqseq);
2716 break;
2717 case L2CAP_EV_EXPLICIT_POLL:
2718 l2cap_send_rr_or_rnr(chan, 1);
2719 chan->retry_count = 1;
2720 __set_monitor_timer(chan);
2721 __clear_ack_timer(chan);
2722 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2723 break;
2724 case L2CAP_EV_RETRANS_TO:
2725 l2cap_send_rr_or_rnr(chan, 1);
2726 chan->retry_count = 1;
2727 __set_monitor_timer(chan);
2728 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2729 break;
2730 case L2CAP_EV_RECV_FBIT:
2731 /* Nothing to process */
2732 break;
2733 default:
2734 break;
2735 }
608bcc6d
MM		 2736}
2737
d660366d
GP		 2738static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2739 struct l2cap_ctrl *control,
2740 struct sk_buff_head *skbs, u8 event)
608bcc6d 2741{
608bcc6d
MM		 2742 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2743 event);
2744
2745 switch (event) {
2746 case L2CAP_EV_DATA_REQUEST:
2747 if (chan->tx_send_head == NULL)
2748 chan->tx_send_head = skb_peek(skbs);
2749 /* Queue data, but don't send. */
2750 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2751 break;
2752 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2753 BT_DBG("Enter LOCAL_BUSY");
2754 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2755
2756 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2757 /* The SREJ_SENT state must be aborted if we are to
2758 * enter the LOCAL_BUSY state.
2759 */
2760 l2cap_abort_rx_srej_sent(chan);
2761 }
2762
2763 l2cap_send_ack(chan);
2764
2765 break;
2766 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2767 BT_DBG("Exit LOCAL_BUSY");
2768 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2769
2770 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2771 struct l2cap_ctrl local_control;
2772 memset(&local_control, 0, sizeof(local_control));
2773 local_control.sframe = 1;
2774 local_control.super = L2CAP_SUPER_RR;
2775 local_control.poll = 1;
2776 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2777 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2778
2779 chan->retry_count = 1;
2780 __set_monitor_timer(chan);
2781 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2782 }
2783 break;
2784 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2785 l2cap_process_reqseq(chan, control->reqseq);
2786
2787 /* Fall through */
2788
2789 case L2CAP_EV_RECV_FBIT:
2790 if (control && control->final) {
2791 __clear_monitor_timer(chan);
2792 if (chan->unacked_frames > 0)
2793 __set_retrans_timer(chan);
2794 chan->retry_count = 0;
2795 chan->tx_state = L2CAP_TX_STATE_XMIT;
2796 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2797 }
2798 break;
2799 case L2CAP_EV_EXPLICIT_POLL:
2800 /* Ignore */
2801 break;
2802 case L2CAP_EV_MONITOR_TO:
2803 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2804 l2cap_send_rr_or_rnr(chan, 1);
2805 __set_monitor_timer(chan);
2806 chan->retry_count++;
2807 } else {
5e4e3972 2808 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2809 }
2810 break;
2811 default:
2812 break;
2813 }
608bcc6d
MM		 2814}
2815
d660366d
GP		 2816static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2817 struct sk_buff_head *skbs, u8 event)
608bcc6d 2818{
608bcc6d
MM		 2819 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2820 chan, control, skbs, event, chan->tx_state);
2821
2822 switch (chan->tx_state) {
2823 case L2CAP_TX_STATE_XMIT:
d660366d 2824 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2825 break;
2826 case L2CAP_TX_STATE_WAIT_F:
d660366d 2827 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2828 break;
2829 default:
2830 /* Ignore event */
2831 break;
2832 }
608bcc6d
MM		 2833}
2834
4b51dae9
MM		 2835static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2836 struct l2cap_ctrl *control)
2837{
2838 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2839 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2840}
2841
f80842a8
MM		 2842static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2843 struct l2cap_ctrl *control)
2844{
2845 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2846 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2847}
2848
1da177e4
LT		 2849/* Copy frame to all raw sockets on that connection */
2850static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2851{
1da177e4 2852 struct sk_buff *nskb;
48454079 2853 struct l2cap_chan *chan;
1da177e4
LT		 2854
2855 BT_DBG("conn %p", conn);
2856
3df91ea2 2857 mutex_lock(&conn->chan_lock);
3d57dc68 2858
3df91ea2 2859 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2860 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2861 continue;
2862
7f5396a7
GP		 2863 /* Don't send frame to the channel it came from */
2864 if (bt_cb(skb)->chan == chan)
1da177e4 2865 continue;
7f5396a7 2866
8bcde1f2 2867 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2868 if (!nskb)
1da177e4 2869 continue;
80b98027 2870 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2871 kfree_skb(nskb);
2872 }
3d57dc68 2873
3df91ea2 2874 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2875}
2876
2877/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2878static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2879 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2880{
2881 struct sk_buff *skb, **frag;
2882 struct l2cap_cmd_hdr *cmd;
2883 struct l2cap_hdr *lh;
2884 int len, count;
2885
b4400672
AE		 2886 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2887 conn, code, ident, dlen);
1da177e4 2888
300b962e
AL		 2889 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2890 return NULL;
2891
1da177e4
LT		 2892 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2893 count = min_t(unsigned int, conn->mtu, len);
2894
8bcde1f2 2895 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2896 if (!skb)
2897 return NULL;
2898
2899 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2900 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2901
2902 if (conn->hcon->type == LE_LINK)
ac73498c 2903 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2904 else
ac73498c 2905 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2906
2907 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2908 cmd->code = code;
2909 cmd->ident = ident;
aca3192c 2910 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2911
2912 if (dlen) {
2913 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2914 memcpy(skb_put(skb, count), data, count);
2915 data += count;
2916 }
2917
2918 len -= skb->len;
2919
2920 /* Continuation fragments (no L2CAP header) */
2921 frag = &skb_shinfo(skb)->frag_list;
2922 while (len) {
2923 count = min_t(unsigned int, conn->mtu, len);
2924
8bcde1f2 2925 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2926 if (!*frag)
2927 goto fail;
2928
2929 memcpy(skb_put(*frag, count), data, count);
2930
2931 len -= count;
2932 data += count;
2933
2934 frag = &(*frag)->next;
2935 }
2936
2937 return skb;
2938
2939fail:
2940 kfree_skb(skb);
2941 return NULL;
2942}
2943
2d792818
GP		 2944static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2945 unsigned long *val)
1da177e4
LT		 2946{
2947 struct l2cap_conf_opt *opt = *ptr;
2948 int len;
2949
2950 len = L2CAP_CONF_OPT_SIZE + opt->len;
2951 *ptr += len;
2952
2953 *type = opt->type;
2954 *olen = opt->len;
2955
2956 switch (opt->len) {
2957 case 1:
2958 *val = *((u8 *) opt->val);
2959 break;
2960
2961 case 2:
bfaaeb3e 2962 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2963 break;
2964
2965 case 4:
bfaaeb3e 2966 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2967 break;
2968
2969 default:
2970 *val = (unsigned long) opt->val;
2971 break;
2972 }
2973
b4400672 2974 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2975 return len;
2976}
2977
1da177e4
LT		 2978static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2979{
2980 struct l2cap_conf_opt *opt = *ptr;
2981
b4400672 2982 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2983
2984 opt->type = type;
2985 opt->len = len;
2986
2987 switch (len) {
2988 case 1:
2989 *((u8 *) opt->val) = val;
2990 break;
2991
2992 case 2:
4f8b691c 2993 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2994 break;
2995
2996 case 4:
4f8b691c 2997 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2998 break;
2999
3000 default:
3001 memcpy(opt->val, (void *) val, len);
3002 break;
3003 }
3004
3005 *ptr += L2CAP_CONF_OPT_SIZE + len;
3006}
3007
f89cef09
AE		 3008static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3009{
3010 struct l2cap_conf_efs efs;
3011
1ec918ce 3012 switch (chan->mode) {
f89cef09
AE		 3013 case L2CAP_MODE_ERTM:
3014 efs.id = chan->local_id;
3015 efs.stype = chan->local_stype;
3016 efs.msdu = cpu_to_le16(chan->local_msdu);
3017 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 3018 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 3019 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3020 break;
3021
3022 case L2CAP_MODE_STREAMING:
3023 efs.id = 1;
3024 efs.stype = L2CAP_SERV_BESTEFFORT;
3025 efs.msdu = cpu_to_le16(chan->local_msdu);
3026 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3027 efs.acc_lat = 0;
3028 efs.flush_to = 0;
3029 break;
3030
3031 default:
3032 return;
3033 }
3034
3035 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3036 (unsigned long) &efs);
f89cef09
AE		 3037}
3038
721c4181 3039static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3040{
721c4181 3041 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3042 ack_timer.work);
3043 u16 frames_to_ack;
c1b4f43b 3044
2fb9b3d4
GP		 3045 BT_DBG("chan %p", chan);
3046
6be36555
AE		 3047 l2cap_chan_lock(chan);
3048
0362520b
MM		 3049 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3050 chan->last_acked_seq);
6be36555 3051
0362520b
MM		 3052 if (frames_to_ack)
3053 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3054
0362520b 3055 l2cap_chan_unlock(chan);
09bfb2ee 3056 l2cap_chan_put(chan);
c1b4f43b
GP		 3057}
3058
466f8004 3059int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3060{
3c588192
MM		 3061 int err;
3062
105bdf9e
MM		 3063 chan->next_tx_seq = 0;
3064 chan->expected_tx_seq = 0;
42e5c802 3065 chan->expected_ack_seq = 0;
6a026610 3066 chan->unacked_frames = 0;
42e5c802 3067 chan->buffer_seq = 0;
6a026610 3068 chan->frames_sent = 0;
105bdf9e
MM		 3069 chan->last_acked_seq = 0;
3070 chan->sdu = NULL;
3071 chan->sdu_last_frag = NULL;
3072 chan->sdu_len = 0;
3073
d34c34fb
MM		 3074 skb_queue_head_init(&chan->tx_q);
3075
6ed971ca
MH		 3076 chan->local_amp_id = AMP_ID_BREDR;
3077 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3078 chan->move_state = L2CAP_MOVE_STABLE;
3079 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3080
105bdf9e
MM		 3081 if (chan->mode != L2CAP_MODE_ERTM)
3082 return 0;
3083
3084 chan->rx_state = L2CAP_RX_STATE_RECV;
3085 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3086
721c4181
GP		 3087 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3088 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3089 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3090
f1c6775b 3091 skb_queue_head_init(&chan->srej_q);
1890d36b 3092
3c588192
MM		 3093 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3094 if (err < 0)
3095 return err;
3096
9dc9affc
MM		 3097 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3098 if (err < 0)
3099 l2cap_seq_list_free(&chan->srej_list);
3100
3101 return err;
0565c1c2
GP		 3102}
3103
f2fcfcd6
GP		 3104static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3105{
3106 switch (mode) {
3107 case L2CAP_MODE_STREAMING:
3108 case L2CAP_MODE_ERTM:
3109 if (l2cap_mode_supported(mode, remote_feat_mask))
3110 return mode;
3111 /* fall through */
3112 default:
3113 return L2CAP_MODE_BASIC;
3114 }
3115}
3116
848566b3 3117static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3118{
848566b3 3119 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3120}
3121
848566b3 3122static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3123{
848566b3 3124 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3125}
3126
36c86c85
MM		 3127static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3128 struct l2cap_conf_rfc *rfc)
3129{
6ed971ca 3130 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3131 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3132
3133 /* Class 1 devices have must have ERTM timeouts
3134 * exceeding the Link Supervision Timeout. The
3135 * default Link Supervision Timeout for AMP
3136 * controllers is 10 seconds.
3137 *
3138 * Class 1 devices use 0xffffffff for their
3139 * best-effort flush timeout, so the clamping logic
3140 * will result in a timeout that meets the above
3141 * requirement. ERTM timeouts are 16-bit values, so
3142 * the maximum timeout is 65.535 seconds.
3143 */
3144
3145 /* Convert timeout to milliseconds and round */
3146 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3147
3148 /* This is the recommended formula for class 2 devices
3149 * that start ERTM timers when packets are sent to the
3150 * controller.
3151 */
3152 ertm_to = 3 * ertm_to + 500;
3153
3154 if (ertm_to > 0xffff)
3155 ertm_to = 0xffff;
3156
3157 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3158 rfc->monitor_timeout = rfc->retrans_timeout;
3159 } else {
3160 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3161 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3162 }
3163}
3164
6327eb98
AE		 3165static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3166{
3167 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3168 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3169 /* use extended control field */
3170 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3171 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3172 } else {
6327eb98 3173 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3174 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3175 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3176 }
c20f8e35 3177 chan->ack_win = chan->tx_win;
6327eb98
AE		 3178}
3179
710f9b0a 3180static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3181{
1da177e4 3182 struct l2cap_conf_req *req = data;
0c1bc5c6 3183 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3184 void *ptr = req->data;
c8f79162 3185 u16 size;
1da177e4 3186
49208c9c 3187 BT_DBG("chan %p", chan);
1da177e4 3188
73ffa904 3189 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3190 goto done;
3191
0c1bc5c6 3192 switch (chan->mode) {
f2fcfcd6
GP		 3193 case L2CAP_MODE_STREAMING:
3194 case L2CAP_MODE_ERTM:
c1360a1c 3195 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3196 break;
85eb53c6 3197
848566b3 3198 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3199 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3200
2ba13ed6 3201 /* fall through */
f2fcfcd6 3202 default:
8c1d787b 3203 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3204 break;
3205 }
3206
3207done:
0c1bc5c6
GP		 3208 if (chan->imtu != L2CAP_DEFAULT_MTU)
3209 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3210
0c1bc5c6 3211 switch (chan->mode) {
65c7c491 3212 case L2CAP_MODE_BASIC:
8c1d787b 3213 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3214 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3215 break;
3216
62547752
GP		 3217 rfc.mode = L2CAP_MODE_BASIC;
3218 rfc.txwin_size = 0;
3219 rfc.max_transmit = 0;
3220 rfc.retrans_timeout = 0;
3221 rfc.monitor_timeout = 0;
3222 rfc.max_pdu_size = 0;
3223
63406504 3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3225 (unsigned long) &rfc);
65c7c491
MH		 3226 break;
3227
3228 case L2CAP_MODE_ERTM:
3229 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3230 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3231
3232 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3233
3234 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3235 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3236 L2CAP_FCS_SIZE);
c8f79162 3237 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3238
6327eb98
AE		 3239 l2cap_txwin_setup(chan);
3240
3241 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3242 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3243
63406504 3244 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3245 (unsigned long) &rfc);
63406504 3246
f89cef09
AE		 3247 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3248 l2cap_add_opt_efs(&ptr, chan);
3249
6327eb98
AE		 3250 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3251 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3252 chan->tx_win);
60918918
AE		 3253
3254 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3255 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3256 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3257 chan->fcs = L2CAP_FCS_NONE;
3258 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3259 chan->fcs);
3260 }
f2fcfcd6
GP		 3261 break;
3262
3263 case L2CAP_MODE_STREAMING:
273759e2 3264 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3265 rfc.mode = L2CAP_MODE_STREAMING;
3266 rfc.txwin_size = 0;
3267 rfc.max_transmit = 0;
3268 rfc.retrans_timeout = 0;
3269 rfc.monitor_timeout = 0;
c8f79162
AE		 3270
3271 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3272 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3273 L2CAP_FCS_SIZE);
c8f79162 3274 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3275
63406504 3276 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3277 (unsigned long) &rfc);
63406504 3278
f89cef09
AE		 3279 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3280 l2cap_add_opt_efs(&ptr, chan);
3281
60918918
AE		 3282 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3283 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3284 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3285 chan->fcs = L2CAP_FCS_NONE;
3286 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3287 chan->fcs);
3288 }
65c7c491
MH		 3289 break;
3290 }
1da177e4 3291
fe4128e0 3292 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3293 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3294
3295 return ptr - data;
3296}
3297
73ffa904 3298static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3299{
5dee9e7c
MH		 3300 struct l2cap_conf_rsp *rsp = data;
3301 void *ptr = rsp->data;
73ffa904
GP		 3302 void *req = chan->conf_req;
3303 int len = chan->conf_len;
5dee9e7c
MH		 3304 int type, hint, olen;
3305 unsigned long val;
6464f35f 3306 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3307 struct l2cap_conf_efs efs;
3308 u8 remote_efs = 0;
861d6882 3309 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3310 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3311 u16 size;
1da177e4 3312
73ffa904 3313 BT_DBG("chan %p", chan);
820ae1b8 3314
5dee9e7c
MH		 3315 while (len >= L2CAP_CONF_OPT_SIZE) {
3316 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3317
589d2746 3318 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3319 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3320
3321 switch (type) {
3322 case L2CAP_CONF_MTU:
861d6882 3323 mtu = val;
5dee9e7c
MH		 3324 break;
3325
3326 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3327 chan->flush_to = val;
5dee9e7c
MH		 3328 break;
3329
3330 case L2CAP_CONF_QOS:
3331 break;
3332
6464f35f
MH		 3333 case L2CAP_CONF_RFC:
3334 if (olen == sizeof(rfc))
3335 memcpy(&rfc, (void *) val, olen);
3336 break;
3337
fcc203c3
GP		 3338 case L2CAP_CONF_FCS:
3339 if (val == L2CAP_FCS_NONE)
f2592d3e 3340 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3341 break;
fcc203c3 3342
42dceae2
AE		 3343 case L2CAP_CONF_EFS:
3344 remote_efs = 1;
3345 if (olen == sizeof(efs))
3346 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3347 break;
3348
6327eb98 3349 case L2CAP_CONF_EWS:
848566b3 3350 if (!chan->conn->hs_enabled)
6327eb98 3351 return -ECONNREFUSED;
fcc203c3 3352
6327eb98
AE		 3353 set_bit(FLAG_EXT_CTRL, &chan->flags);
3354 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3355 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3356 chan->remote_tx_win = val;
fcc203c3
GP		 3357 break;
3358
5dee9e7c
MH		 3359 default:
3360 if (hint)
3361 break;
3362
3363 result = L2CAP_CONF_UNKNOWN;
3364 *((u8 *) ptr++) = type;
3365 break;
3366 }
3367 }
3368
73ffa904 3369 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3370 goto done;
3371
0c1bc5c6 3372 switch (chan->mode) {
f2fcfcd6
GP		 3373 case L2CAP_MODE_STREAMING:
3374 case L2CAP_MODE_ERTM:
c1360a1c 3375 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3376 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3377 chan->conn->feat_mask);
85eb53c6
GP		 3378 break;
3379 }
3380
42dceae2 3381 if (remote_efs) {
848566b3 3382 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3383 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3384 else
3385 return -ECONNREFUSED;
3386 }
3387
0c1bc5c6 3388 if (chan->mode != rfc.mode)
f2fcfcd6 3389 return -ECONNREFUSED;
742e519b 3390
f2fcfcd6 3391 break;
f2fcfcd6
GP		 3392 }
3393
3394done:
0c1bc5c6 3395 if (chan->mode != rfc.mode) {
f2fcfcd6 3396 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3397 rfc.mode = chan->mode;
f2fcfcd6 3398
73ffa904 3399 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3400 return -ECONNREFUSED;
3401
2d792818
GP		 3402 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3403 (unsigned long) &rfc);
f2fcfcd6
GP		 3404 }
3405
5dee9e7c
MH		 3406 if (result == L2CAP_CONF_SUCCESS) {
3407 /* Configure output options and let the other side know
3408 * which ones we don't like. */
3409
f2fcfcd6
GP		 3410 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3411 result = L2CAP_CONF_UNACCEPT;
3412 else {
0c1bc5c6 3413 chan->omtu = mtu;
c1360a1c 3414 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3415 }
0c1bc5c6 3416 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3417
42dceae2
AE		 3418 if (remote_efs) {
3419 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3420 efs.stype != L2CAP_SERV_NOTRAFIC &&
3421 efs.stype != chan->local_stype) {
42dceae2
AE		 3422
3423 result = L2CAP_CONF_UNACCEPT;
3424
3425 if (chan->num_conf_req >= 1)
3426 return -ECONNREFUSED;
3427
3428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3429 sizeof(efs),
3430 (unsigned long) &efs);
0e8b207e 3431 } else {
3e6b3b95 3432 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3433 result = L2CAP_CONF_PENDING;
3434 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3435 }
3436 }
3437
f2fcfcd6
GP		 3438 switch (rfc.mode) {
3439 case L2CAP_MODE_BASIC:
47d1ec61 3440 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3441 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3442 break;
3443
3444 case L2CAP_MODE_ERTM:
6327eb98
AE		 3445 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3446 chan->remote_tx_win = rfc.txwin_size;
3447 else
3448 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3449
2c03a7a4 3450 chan->remote_max_tx = rfc.max_transmit;
1c762159 3451
c8f79162 3452 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3453 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3454 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3455 rfc.max_pdu_size = cpu_to_le16(size);
3456 chan->remote_mps = size;
f2fcfcd6 3457
36c86c85 3458 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3459
c1360a1c 3460 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3461
3462 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3463 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3464
42dceae2
AE		 3465 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3466 chan->remote_id = efs.id;
3467 chan->remote_stype = efs.stype;
3468 chan->remote_msdu = le16_to_cpu(efs.msdu);
3469 chan->remote_flush_to =
2d792818 3470 le32_to_cpu(efs.flush_to);
42dceae2 3471 chan->remote_acc_lat =
2d792818 3472 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3473 chan->remote_sdu_itime =
3474 le32_to_cpu(efs.sdu_itime);
3475 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3476 sizeof(efs),
3477 (unsigned long) &efs);
42dceae2 3478 }
f2fcfcd6
GP		 3479 break;
3480
3481 case L2CAP_MODE_STREAMING:
c8f79162 3482 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3483 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3484 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3485 rfc.max_pdu_size = cpu_to_le16(size);
3486 chan->remote_mps = size;
f2fcfcd6 3487
c1360a1c 3488 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3489
2d792818
GP		 3490 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3491 (unsigned long) &rfc);
68ae6639 3492
f2fcfcd6
GP		 3493 break;
3494
3495 default:
5dee9e7c 3496 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3497
6464f35f 3498 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3499 rfc.mode = chan->mode;
f2fcfcd6 3500 }
6464f35f 3501
f2fcfcd6 3502 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3503 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3504 }
fe4128e0 3505 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3506 rsp->result = cpu_to_le16(result);
59e54bd1 3507 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3508
3509 return ptr - data;
1da177e4
LT		 3510}
3511
2d792818
GP		 3512static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3513 void *data, u16 *result)
f2fcfcd6 3514{
f2fcfcd6
GP		 3515 struct l2cap_conf_req *req = data;
3516 void *ptr = req->data;
3517 int type, olen;
3518 unsigned long val;
36e999a8 3519 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3520 struct l2cap_conf_efs efs;
f2fcfcd6 3521
fe4128e0 3522 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3523
3524 while (len >= L2CAP_CONF_OPT_SIZE) {
3525 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3526
3527 switch (type) {
3528 case L2CAP_CONF_MTU:
3529 if (val < L2CAP_DEFAULT_MIN_MTU) {
3530 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3531 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3532 } else
0c1bc5c6
GP		 3533 chan->imtu = val;
3534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3535 break;
3536
3537 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3538 chan->flush_to = val;
f2fcfcd6 3539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3540 2, chan->flush_to);
f2fcfcd6
GP		 3541 break;
3542
3543 case L2CAP_CONF_RFC:
3544 if (olen == sizeof(rfc))
3545 memcpy(&rfc, (void *)val, olen);
3546
c1360a1c 3547 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3548 rfc.mode != chan->mode)
f2fcfcd6
GP		 3549 return -ECONNREFUSED;
3550
47d1ec61 3551 chan->fcs = 0;
f2fcfcd6
GP		 3552
3553 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3554 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3555 break;
6327eb98
AE		 3556
3557 case L2CAP_CONF_EWS:
c20f8e35 3558 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3559 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3560 chan->tx_win);
6327eb98 3561 break;
66af7aaf
AE		 3562
3563 case L2CAP_CONF_EFS:
3564 if (olen == sizeof(efs))
3565 memcpy(&efs, (void *)val, olen);
3566
3567 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3568 efs.stype != L2CAP_SERV_NOTRAFIC &&
3569 efs.stype != chan->local_stype)
66af7aaf
AE		 3570 return -ECONNREFUSED;
3571
2d792818
GP		 3572 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3573 (unsigned long) &efs);
66af7aaf 3574 break;
cbabee78
AE		 3575
3576 case L2CAP_CONF_FCS:
3577 if (*result == L2CAP_CONF_PENDING)
3578 if (val == L2CAP_FCS_NONE)
f2592d3e 3579 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3580 &chan->conf_state);
3581 break;
f2fcfcd6
GP		 3582 }
3583 }
3584
0c1bc5c6 3585 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3586 return -ECONNREFUSED;
3587
0c1bc5c6 3588 chan->mode = rfc.mode;
6c2ea7a8 3589
0e8b207e 3590 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3591 switch (rfc.mode) {
3592 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3593 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3594 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3595 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3596 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3597 chan->ack_win = min_t(u16, chan->ack_win,
3598 rfc.txwin_size);
66af7aaf
AE		 3599
3600 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3601 chan->local_msdu = le16_to_cpu(efs.msdu);
3602 chan->local_sdu_itime =
2d792818 3603 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3604 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3605 chan->local_flush_to =
2d792818 3606 le32_to_cpu(efs.flush_to);
66af7aaf 3607 }
f2fcfcd6 3608 break;
66af7aaf 3609
f2fcfcd6 3610 case L2CAP_MODE_STREAMING:
47d1ec61 3611 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3612 }
3613 }
3614
fe4128e0 3615 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3616 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3617
3618 return ptr - data;
3619}
3620
2d792818
GP		 3621static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3622 u16 result, u16 flags)
1da177e4
LT		 3623{
3624 struct l2cap_conf_rsp *rsp = data;
3625 void *ptr = rsp->data;
1da177e4 3626
fe4128e0 3627 BT_DBG("chan %p", chan);
1da177e4 3628
fe4128e0 3629 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3630 rsp->result = cpu_to_le16(result);
aca3192c 3631 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3632
3633 return ptr - data;
3634}
3635
27e2d4c8
JH		 3636void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3637{
3638 struct l2cap_le_conn_rsp rsp;
3639 struct l2cap_conn *conn = chan->conn;
3640
3641 BT_DBG("chan %p", chan);
3642
3643 rsp.dcid = cpu_to_le16(chan->scid);
3644 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3645 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3646 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 3647 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3648
3649 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3650 &rsp);
3651}
3652
8c1d787b 3653void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3654{
3655 struct l2cap_conn_rsp rsp;
8c1d787b 3656 struct l2cap_conn *conn = chan->conn;
710f9b0a 3657 u8 buf[128];
439f34ac 3658 u8 rsp_code;
710f9b0a 3659
fe4128e0
GP		 3660 rsp.scid = cpu_to_le16(chan->dcid);
3661 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3662 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3663 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3664
3665 if (chan->hs_hcon)
3666 rsp_code = L2CAP_CREATE_CHAN_RSP;
3667 else
3668 rsp_code = L2CAP_CONN_RSP;
3669
3670 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3671
3672 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3673
c1360a1c 3674 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3675 return;
3676
710f9b0a 3677 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3678 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3679 chan->num_conf_req++;
3680}
3681
47d1ec61 3682static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3683{
7b1c0049
GP		 3684 int type, olen;
3685 unsigned long val;
c20f8e35
MM		 3686 /* Use sane default values in case a misbehaving remote device
3687 * did not send an RFC or extended window size option.
3688 */
3689 u16 txwin_ext = chan->ack_win;
3690 struct l2cap_conf_rfc rfc = {
3691 .mode = chan->mode,
3692 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3693 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3694 .max_pdu_size = cpu_to_le16(chan->imtu),
3695 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3696 };
7b1c0049 3697
47d1ec61 3698 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3699
0c1bc5c6 3700 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3701 return;
3702
3703 while (len >= L2CAP_CONF_OPT_SIZE) {
3704 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3705
c20f8e35
MM		 3706 switch (type) {
3707 case L2CAP_CONF_RFC:
3708 if (olen == sizeof(rfc))
3709 memcpy(&rfc, (void *)val, olen);
8f321f85 3710 break;
c20f8e35
MM		 3711 case L2CAP_CONF_EWS:
3712 txwin_ext = val;
3713 break;
3714 }
7b1c0049
GP		 3715 }
3716
7b1c0049
GP		 3717 switch (rfc.mode) {
3718 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3719 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3720 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3721 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3722 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3723 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3724 else
3725 chan->ack_win = min_t(u16, chan->ack_win,
3726 rfc.txwin_size);
7b1c0049
GP		 3727 break;
3728 case L2CAP_MODE_STREAMING:
47d1ec61 3729 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3730 }
3731}
3732
2d792818 3733static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3734 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3735 u8 *data)
4e8402a3 3736{
e2fd318e 3737 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3738
cb3b3152
JH		 3739 if (cmd_len < sizeof(*rej))
3740 return -EPROTO;
3741
e2fd318e 3742 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3743 return 0;
3744
3745 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3746 cmd->ident == conn->info_ident) {
17cd3f37 3747 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3748
3749 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3750 conn->info_ident = 0;
984947dc 3751
4e8402a3
MH		 3752 l2cap_conn_start(conn);
3753 }
3754
3755 return 0;
3756}
3757
1700915f
MM		 3758static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3759 struct l2cap_cmd_hdr *cmd,
3760 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3761{
1da177e4
LT		 3762 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3763 struct l2cap_conn_rsp rsp;
23691d75 3764 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3765 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3766
3767 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3768 __le16 psm = req->psm;
1da177e4 3769
097db76c 3770 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3771
3772 /* Check if we have socket listening on psm */
6f59b904 3773 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3774 &conn->hcon->dst, ACL_LINK);
23691d75 3775 if (!pchan) {
1da177e4
LT		 3776 result = L2CAP_CR_BAD_PSM;
3777 goto sendresp;
3778 }
3779
3df91ea2 3780 mutex_lock(&conn->chan_lock);
8ffb9290 3781 l2cap_chan_lock(pchan);
e0f0cb56 3782
e7c29cb1 3783 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3784 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3785 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3786 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3787 result = L2CAP_CR_SEC_BLOCK;
3788 goto response;
3789 }
3790
1da177e4
LT		 3791 result = L2CAP_CR_NO_MEM;
3792
2dfa1003
GP		 3793 /* Check if we already have channel with that dcid */
3794 if (__l2cap_get_chan_by_dcid(conn, scid))
3795 goto response;
3796
80b98027 3797 chan = pchan->ops->new_connection(pchan);
80808e43 3798 if (!chan)
1da177e4
LT		 3799 goto response;
3800
330b6c15
SS		 3801 /* For certain devices (ex: HID mouse), support for authentication,
3802 * pairing and bonding is optional. For such devices, inorder to avoid
3803 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3804 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3805 */
3806 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3807
7eafc59e
MH		 3808 bacpy(&chan->src, &conn->hcon->src);
3809 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3810 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3811 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3812 chan->psm = psm;
3813 chan->dcid = scid;
1700915f 3814 chan->local_amp_id = amp_id;
1da177e4 3815
6be36555 3816 __l2cap_chan_add(conn, chan);
48454079 3817
fe4128e0 3818 dcid = chan->scid;
1da177e4 3819
8d836d71 3820 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3821
fc7f8a7e 3822 chan->ident = cmd->ident;
1da177e4 3823
984947dc 3824 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3825 if (l2cap_chan_check_security(chan)) {
bdc25783 3826 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3827 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3828 result = L2CAP_CR_PEND;
3829 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3830 chan->ops->defer(chan);
f66dc81f 3831 } else {
1700915f
MM		 3832 /* Force pending result for AMP controllers.
3833 * The connection will succeed after the
3834 * physical link is up.
3835 */
6ed971ca 3836 if (amp_id == AMP_ID_BREDR) {
f93fa273 3837 l2cap_state_change(chan, BT_CONFIG);
1700915f 3838 result = L2CAP_CR_SUCCESS;
6ed971ca 3839 } else {
f93fa273 3840 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3841 result = L2CAP_CR_PEND;
1700915f 3842 }
f66dc81f
MH		 3843 status = L2CAP_CS_NO_INFO;
3844 }
79d554a6 3845 } else {
f93fa273 3846 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3847 result = L2CAP_CR_PEND;
3848 status = L2CAP_CS_AUTHEN_PEND;
3849 }
3850 } else {
f93fa273 3851 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3852 result = L2CAP_CR_PEND;
3853 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3854 }
3855
1da177e4 3856response:
8ffb9290 3857 l2cap_chan_unlock(pchan);
3df91ea2 3858 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3859
3860sendresp:
aca3192c
YH		 3861 rsp.scid = cpu_to_le16(scid);
3862 rsp.dcid = cpu_to_le16(dcid);
3863 rsp.result = cpu_to_le16(result);
3864 rsp.status = cpu_to_le16(status);
4c89b6aa 3865 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3866
3867 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3868 struct l2cap_info_req info;
ac73498c 3869 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3870
3871 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3872 conn->info_ident = l2cap_get_ident(conn);
3873
ba13ccd9 3874 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3875
2d792818
GP		 3876 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3877 sizeof(info), &info);
79d554a6
MH		 3878 }
3879
c1360a1c 3880 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3881 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3882 u8 buf[128];
c1360a1c 3883 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3884 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3885 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3886 chan->num_conf_req++;
e9aeb2dd 3887 }
1700915f
MM		 3888
3889 return chan;
4c89b6aa 3890}
e9aeb2dd 3891
4c89b6aa 3892static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3893 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3894{
7b064eda
JK		 3895 struct hci_dev *hdev = conn->hcon->hdev;
3896 struct hci_conn *hcon = conn->hcon;
3897
cb3b3152
JH		 3898 if (cmd_len < sizeof(struct l2cap_conn_req))
3899 return -EPROTO;
3900
7b064eda
JK		 3901 hci_dev_lock(hdev);
3902 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3903 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3904 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3905 hcon->dst_type, 0, NULL, 0,
3906 hcon->dev_class);
3907 hci_dev_unlock(hdev);
3908
300229f9 3909 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3910 return 0;
3911}
3912
5909cf30 3913static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3914 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3915 u8 *data)
1da177e4
LT		 3916{
3917 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3918 u16 scid, dcid, result, status;
48454079 3919 struct l2cap_chan *chan;
1da177e4 3920 u8 req[128];
3df91ea2 3921 int err;
1da177e4 3922
cb3b3152
JH		 3923 if (cmd_len < sizeof(*rsp))
3924 return -EPROTO;
3925
1da177e4
LT		 3926 scid = __le16_to_cpu(rsp->scid);
3927 dcid = __le16_to_cpu(rsp->dcid);
3928 result = __le16_to_cpu(rsp->result);
3929 status = __le16_to_cpu(rsp->status);
3930
1b009c98 3931 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3932 dcid, scid, result, status);
1da177e4 3933
3df91ea2
AE		 3934 mutex_lock(&conn->chan_lock);
3935
1da177e4 3936 if (scid) {
3df91ea2
AE		 3937 chan = __l2cap_get_chan_by_scid(conn, scid);
3938 if (!chan) {
21870b52 3939 err = -EBADSLT;
3df91ea2
AE		 3940 goto unlock;
3941 }
1da177e4 3942 } else {
3df91ea2
AE		 3943 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3944 if (!chan) {
21870b52 3945 err = -EBADSLT;
3df91ea2
AE		 3946 goto unlock;
3947 }
1da177e4
LT		 3948 }
3949
3df91ea2
AE		 3950 err = 0;
3951
6be36555 3952 l2cap_chan_lock(chan);
48454079 3953
1da177e4
LT		 3954 switch (result) {
3955 case L2CAP_CR_SUCCESS:
89bc500e 3956 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3957 chan->ident = 0;
fe4128e0 3958 chan->dcid = dcid;
c1360a1c 3959 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3960
c1360a1c 3961 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3962 break;
3963
1da177e4 3964 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3965 l2cap_build_conf_req(chan, req), req);
73ffa904 3966 chan->num_conf_req++;
1da177e4
LT		 3967 break;
3968
3969 case L2CAP_CR_PEND:
c1360a1c 3970 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3971 break;
3972
3973 default:
48454079 3974 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3975 break;
3976 }
3977
6be36555 3978 l2cap_chan_unlock(chan);
3df91ea2
AE		 3979
3980unlock:
3981 mutex_unlock(&conn->chan_lock);
3982
3983 return err;
1da177e4
LT		 3984}
3985
47d1ec61 3986static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3987{
3988 /* FCS is enabled only in ERTM or streaming mode, if one or both
3989 * sides request it.
3990 */
0c1bc5c6 3991 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3992 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3993 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3994 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3995}
3996
29d8a590
AE		 3997static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3998 u8 ident, u16 flags)
3999{
4000 struct l2cap_conn *conn = chan->conn;
4001
4002 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4003 flags);
4004
4005 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4006 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4007
4008 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4009 l2cap_build_conf_rsp(chan, data,
4010 L2CAP_CONF_SUCCESS, flags), data);
4011}
4012
662d652d
JH		 4013static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4014 u16 scid, u16 dcid)
4015{
4016 struct l2cap_cmd_rej_cid rej;
4017
4018 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
4019 rej.scid = __cpu_to_le16(scid);
4020 rej.dcid = __cpu_to_le16(dcid);
4021
4022 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4023}
4024
2d792818
GP		 4025static inline int l2cap_config_req(struct l2cap_conn *conn,
4026 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4027 u8 *data)
1da177e4
LT		 4028{
4029 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4030 u16 dcid, flags;
4031 u8 rsp[64];
48454079 4032 struct l2cap_chan *chan;
3c588192 4033 int len, err = 0;
1da177e4 4034
cb3b3152
JH		 4035 if (cmd_len < sizeof(*req))
4036 return -EPROTO;
4037
1da177e4
LT		 4038 dcid = __le16_to_cpu(req->dcid);
4039 flags = __le16_to_cpu(req->flags);
4040
4041 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4042
baa7e1fa 4043 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4044 if (!chan) {
4045 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4046 return 0;
4047 }
1da177e4 4048
033b1142 4049 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4050 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4051 chan->dcid);
354f60a9 4052 goto unlock;
df6bd743 4053 }
354f60a9 4054
5dee9e7c 4055 /* Reject if config buffer is too small. */
88219a0f 4056 len = cmd_len - sizeof(*req);
cb3b3152 4057 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4058 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4059 l2cap_build_conf_rsp(chan, rsp,
4060 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4061 goto unlock;
4062 }
4063
4064 /* Store config. */
73ffa904
GP		 4065 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4066 chan->conf_len += len;
1da177e4 4067
59e54bd1 4068 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4069 /* Incomplete config. Send empty response. */
4070 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4071 l2cap_build_conf_rsp(chan, rsp,
4072 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4073 goto unlock;
4074 }
4075
4076 /* Complete config. */
73ffa904 4077 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4078 if (len < 0) {
5e4e3972 4079 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4080 goto unlock;
f2fcfcd6 4081 }
1da177e4 4082
1500109b 4083 chan->ident = cmd->ident;
5dee9e7c 4084 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4085 chan->num_conf_rsp++;
5dee9e7c 4086
5dee9e7c 4087 /* Reset config buffer. */
73ffa904 4088 chan->conf_len = 0;
5dee9e7c 4089
c1360a1c 4090 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4091 goto unlock;
4092
c1360a1c 4093 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4094 set_default_fcs(chan);
fcc203c3 4095
105bdf9e
MM		 4096 if (chan->mode == L2CAP_MODE_ERTM ||
4097 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4098 err = l2cap_ertm_init(chan);
4099
4100 if (err < 0)
5e4e3972 4101 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4102 else
4103 l2cap_chan_ready(chan);
0565c1c2 4104
876d9484
MH		 4105 goto unlock;
4106 }
4107
c1360a1c 4108 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4109 u8 buf[64];
1da177e4 4110 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4111 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4112 chan->num_conf_req++;
1da177e4
LT		 4113 }
4114
0e8b207e
AE		 4115 /* Got Conf Rsp PENDING from remote side and asume we sent
4116 Conf Rsp PENDING in the code above */
4117 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4118 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4119
4120 /* check compatibility */
4121
79de886d 4122 /* Send rsp for BR/EDR channel */
f351bc72 4123 if (!chan->hs_hcon)
79de886d
AE		 4124 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4125 else
4126 chan->ident = cmd->ident;
0e8b207e
AE		 4127 }
4128
1da177e4 4129unlock:
6be36555 4130 l2cap_chan_unlock(chan);
3c588192 4131 return err;
1da177e4
LT		 4132}
4133
2d792818 4134static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4135 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4136 u8 *data)
1da177e4
LT		 4137{
4138 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4139 u16 scid, flags, result;
48454079 4140 struct l2cap_chan *chan;
cb3b3152 4141 int len = cmd_len - sizeof(*rsp);
3c588192 4142 int err = 0;
1da177e4 4143
cb3b3152
JH		 4144 if (cmd_len < sizeof(*rsp))
4145 return -EPROTO;
4146
1da177e4
LT		 4147 scid = __le16_to_cpu(rsp->scid);
4148 flags = __le16_to_cpu(rsp->flags);
4149 result = __le16_to_cpu(rsp->result);
4150
61386cba
AE		 4151 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4152 result, len);
1da177e4 4153
baa7e1fa 4154 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4155 if (!chan)
1da177e4
LT		 4156 return 0;
4157
4158 switch (result) {
4159 case L2CAP_CONF_SUCCESS:
47d1ec61 4160 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4161 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4162 break;
4163
0e8b207e
AE		 4164 case L2CAP_CONF_PENDING:
4165 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4166
4167 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4168 char buf[64];
4169
4170 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4171 buf, &result);
0e8b207e 4172 if (len < 0) {
5e4e3972 4173 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4174 goto done;
4175 }
4176
f351bc72 4177 if (!chan->hs_hcon) {
79de886d
AE		 4178 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4179 0);
5ce66b59
AE		 4180 } else {
4181 if (l2cap_check_efs(chan)) {
4182 amp_create_logical_link(chan);
4183 chan->ident = cmd->ident;
4184 }
4185 }
0e8b207e
AE		 4186 }
4187 goto done;
4188
1da177e4 4189 case L2CAP_CONF_UNACCEPT:
73ffa904 4190 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4191 char req[64];
4192
c2c77ec8 4193 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4194 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4195 goto done;
4196 }
4197
f2fcfcd6
GP		 4198 /* throw out any old stored conf requests */
4199 result = L2CAP_CONF_SUCCESS;
b4450035 4200 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4201 req, &result);
f2fcfcd6 4202 if (len < 0) {
5e4e3972 4203 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4204 goto done;
4205 }
4206
4207 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4208 L2CAP_CONF_REQ, len, req);
73ffa904 4209 chan->num_conf_req++;
f2fcfcd6
GP		 4210 if (result != L2CAP_CONF_SUCCESS)
4211 goto done;
4212 break;
1da177e4
LT		 4213 }
4214
8e87d142 4215 default:
6be36555 4216 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4217
ba13ccd9 4218 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4219 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4220 goto done;
4221 }
4222
59e54bd1 4223 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4224 goto done;
4225
c1360a1c 4226 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4227
c1360a1c 4228 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4229 set_default_fcs(chan);
fcc203c3 4230
105bdf9e
MM		 4231 if (chan->mode == L2CAP_MODE_ERTM ||
4232 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4233 err = l2cap_ertm_init(chan);
0565c1c2 4234
3c588192 4235 if (err < 0)
5e4e3972 4236 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4237 else
4238 l2cap_chan_ready(chan);
1da177e4
LT		 4239 }
4240
4241done:
6be36555 4242 l2cap_chan_unlock(chan);
3c588192 4243 return err;
1da177e4
LT		 4244}
4245
2d792818 4246static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4247 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4248 u8 *data)
1da177e4
LT		 4249{
4250 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4251 struct l2cap_disconn_rsp rsp;
4252 u16 dcid, scid;
48454079 4253 struct l2cap_chan *chan;
1da177e4 4254
cb3b3152
JH		 4255 if (cmd_len != sizeof(*req))
4256 return -EPROTO;
4257
1da177e4
LT		 4258 scid = __le16_to_cpu(req->scid);
4259 dcid = __le16_to_cpu(req->dcid);
4260
4261 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4262
3df91ea2
AE		 4263 mutex_lock(&conn->chan_lock);
4264
4265 chan = __l2cap_get_chan_by_scid(conn, dcid);
4266 if (!chan) {
4267 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4268 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4269 return 0;
3df91ea2 4270 }
1da177e4 4271
6be36555
AE		 4272 l2cap_chan_lock(chan);
4273
fe4128e0
GP		 4274 rsp.dcid = cpu_to_le16(chan->scid);
4275 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4276 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4277
5ec1bbe5 4278 chan->ops->set_shutdown(chan);
1da177e4 4279
61d6ef3e 4280 l2cap_chan_hold(chan);
48454079 4281 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4282
4283 l2cap_chan_unlock(chan);
1da177e4 4284
80b98027 4285 chan->ops->close(chan);
61d6ef3e 4286 l2cap_chan_put(chan);
3df91ea2
AE		 4287
4288 mutex_unlock(&conn->chan_lock);
4289
1da177e4
LT		 4290 return 0;
4291}
4292
2d792818 4293static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4294 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4295 u8 *data)
1da177e4
LT		 4296{
4297 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4298 u16 dcid, scid;
48454079 4299 struct l2cap_chan *chan;
1da177e4 4300
cb3b3152
JH		 4301 if (cmd_len != sizeof(*rsp))
4302 return -EPROTO;
4303
1da177e4
LT		 4304 scid = __le16_to_cpu(rsp->scid);
4305 dcid = __le16_to_cpu(rsp->dcid);
4306
4307 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4308
3df91ea2
AE		 4309 mutex_lock(&conn->chan_lock);
4310
4311 chan = __l2cap_get_chan_by_scid(conn, scid);
4312 if (!chan) {
4313 mutex_unlock(&conn->chan_lock);
1da177e4 4314 return 0;
3df91ea2 4315 }
1da177e4 4316
6be36555 4317 l2cap_chan_lock(chan);
48454079 4318
61d6ef3e 4319 l2cap_chan_hold(chan);
48454079 4320 l2cap_chan_del(chan, 0);
6be36555
AE		 4321
4322 l2cap_chan_unlock(chan);
1da177e4 4323
80b98027 4324 chan->ops->close(chan);
61d6ef3e 4325 l2cap_chan_put(chan);
3df91ea2
AE		 4326
4327 mutex_unlock(&conn->chan_lock);
4328
1da177e4
LT		 4329 return 0;
4330}
4331
2d792818 4332static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4333 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4334 u8 *data)
1da177e4
LT		 4335{
4336 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4337 u16 type;
4338
cb3b3152
JH		 4339 if (cmd_len != sizeof(*req))
4340 return -EPROTO;
4341
1da177e4
LT		 4342 type = __le16_to_cpu(req->type);
4343
4344 BT_DBG("type 0x%4.4x", type);
4345
f0709e03
MH		 4346 if (type == L2CAP_IT_FEAT_MASK) {
4347 u8 buf[8];
44dd46de 4348 u32 feat_mask = l2cap_feat_mask;
f0709e03 4349 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4350 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4351 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4352 if (!disable_ertm)
fcc203c3 4353 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4354 | L2CAP_FEAT_FCS;
848566b3 4355 if (conn->hs_enabled)
6327eb98 4356 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4357 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4358
1b7bf4ed 4359 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4360 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4361 buf);
e1027a7c
MH		 4362 } else if (type == L2CAP_IT_FIXED_CHAN) {
4363 u8 buf[12];
4364 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4365
848566b3 4366 if (conn->hs_enabled)
50a147cd
MM		 4367 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4368 else
4369 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4370
ac73498c
AE		 4371 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4372 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4373 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4374 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4375 buf);
f0709e03
MH		 4376 } else {
4377 struct l2cap_info_rsp rsp;
4378 rsp.type = cpu_to_le16(type);
ac73498c 4379 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4380 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4381 &rsp);
f0709e03 4382 }
1da177e4
LT		 4383
4384 return 0;
4385}
4386
2d792818 4387static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4388 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4389 u8 *data)
1da177e4
LT		 4390{
4391 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4392 u16 type, result;
4393
3f6fa3d4 4394 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4395 return -EPROTO;
4396
1da177e4
LT		 4397 type = __le16_to_cpu(rsp->type);
4398 result = __le16_to_cpu(rsp->result);
4399
4400 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4401
e90165be
AE		 4402 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4403 if (cmd->ident != conn->info_ident ||
2d792818 4404 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4405 return 0;
4406
17cd3f37 4407 cancel_delayed_work(&conn->info_timer);
4e8402a3 4408
adb08ede
VT		 4409 if (result != L2CAP_IR_SUCCESS) {
4410 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4411 conn->info_ident = 0;
4412
4413 l2cap_conn_start(conn);
4414
4415 return 0;
4416 }
4417
978c93b9
AE		 4418 switch (type) {
4419 case L2CAP_IT_FEAT_MASK:
83985319 4420 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4421
47ec1dcd 4422 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4423 struct l2cap_info_req req;
ac73498c 4424 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4425
4426 conn->info_ident = l2cap_get_ident(conn);
4427
4428 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4429 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4430 } else {
4431 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4432 conn->info_ident = 0;
4433
4434 l2cap_conn_start(conn);
4435 }
978c93b9
AE		 4436 break;
4437
4438 case L2CAP_IT_FIXED_CHAN:
4439 conn->fixed_chan_mask = rsp->data[0];
984947dc 4440 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4441 conn->info_ident = 0;
984947dc
MH		 4442
4443 l2cap_conn_start(conn);
978c93b9 4444 break;
984947dc 4445 }
4e8402a3 4446
1da177e4
LT		 4447 return 0;
4448}
4449
1700915f
MM		 4450static int l2cap_create_channel_req(struct l2cap_conn *conn,
4451 struct l2cap_cmd_hdr *cmd,
4452 u16 cmd_len, void *data)
f94ff6ff
MM		 4453{
4454 struct l2cap_create_chan_req *req = data;
6e1df6a6 4455 struct l2cap_create_chan_rsp rsp;
1700915f 4456 struct l2cap_chan *chan;
6e1df6a6 4457 struct hci_dev *hdev;
f94ff6ff
MM		 4458 u16 psm, scid;
4459
4460 if (cmd_len != sizeof(*req))
4461 return -EPROTO;
4462
848566b3 4463 if (!conn->hs_enabled)
f94ff6ff
MM		 4464 return -EINVAL;
4465
4466 psm = le16_to_cpu(req->psm);
4467 scid = le16_to_cpu(req->scid);
4468
ad0ac6ca 4469 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4470
6e1df6a6 4471 /* For controller id 0 make BR/EDR connection */
6ed971ca 4472 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4473 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4474 req->amp_id);
4475 return 0;
4476 }
1700915f 4477
6e1df6a6
AE		 4478 /* Validate AMP controller id */
4479 hdev = hci_dev_get(req->amp_id);
4480 if (!hdev)
4481 goto error;
1700915f 4482
6e1df6a6
AE		 4483 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4484 hci_dev_put(hdev);
4485 goto error;
4486 }
1700915f 4487
6e1df6a6
AE		 4488 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4489 req->amp_id);
4490 if (chan) {
4491 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4492 struct hci_conn *hs_hcon;
1700915f 4493
98e0f7ea
MH		 4494 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4495 &conn->hcon->dst);
6e1df6a6
AE		 4496 if (!hs_hcon) {
4497 hci_dev_put(hdev);
662d652d
JH		 4498 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4499 chan->dcid);
4500 return 0;
1700915f
MM		 4501 }
4502
6e1df6a6
AE		 4503 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4504
6e1df6a6
AE		 4505 mgr->bredr_chan = chan;
4506 chan->hs_hcon = hs_hcon;
fd45bf4c 4507 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4508 conn->mtu = hdev->block_mtu;
1700915f 4509 }
f94ff6ff 4510
6e1df6a6 4511 hci_dev_put(hdev);
f94ff6ff
MM		 4512
4513 return 0;
6e1df6a6
AE		 4514
4515error:
4516 rsp.dcid = 0;
4517 rsp.scid = cpu_to_le16(scid);
4518 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4519 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4520
4521 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4522 sizeof(rsp), &rsp);
4523
dc280801 4524 return 0;
f94ff6ff
MM		 4525}
4526
8eb200bd
MM		 4527static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4528{
4529 struct l2cap_move_chan_req req;
4530 u8 ident;
4531
4532 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4533
4534 ident = l2cap_get_ident(chan->conn);
4535 chan->ident = ident;
4536
4537 req.icid = cpu_to_le16(chan->scid);
4538 req.dest_amp_id = dest_amp_id;
4539
4540 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4541 &req);
4542
4543 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4544}
4545
1500109b 4546static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4547{
4548 struct l2cap_move_chan_rsp rsp;
4549
1500109b 4550 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4551
1500109b 4552 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4553 rsp.result = cpu_to_le16(result);
4554
1500109b
MM		 4555 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4556 sizeof(rsp), &rsp);
8d5a04a1
MM		 4557}
4558
5b155ef9 4559static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4560{
4561 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4562
5b155ef9 4563 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4564
5b155ef9 4565 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4566
5b155ef9 4567 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4568 cfm.result = cpu_to_le16(result);
4569
5b155ef9
MM		 4570 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4571 sizeof(cfm), &cfm);
4572
4573 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4574}
4575
4576static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4577{
4578 struct l2cap_move_chan_cfm cfm;
4579
4580 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4581
4582 cfm.icid = cpu_to_le16(icid);
4583 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4584
4585 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4586 sizeof(cfm), &cfm);
8d5a04a1
MM		 4587}
4588
4589static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4590 u16 icid)
8d5a04a1
MM		 4591{
4592 struct l2cap_move_chan_cfm_rsp rsp;
4593
ad0ac6ca 4594 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4595
4596 rsp.icid = cpu_to_le16(icid);
4597 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4598}
4599
5f3847a4
MM		 4600static void __release_logical_link(struct l2cap_chan *chan)
4601{
4602 chan->hs_hchan = NULL;
4603 chan->hs_hcon = NULL;
4604
4605 /* Placeholder - release the logical link */
4606}
4607
1500109b
MM		 4608static void l2cap_logical_fail(struct l2cap_chan *chan)
4609{
4610 /* Logical link setup failed */
4611 if (chan->state != BT_CONNECTED) {
4612 /* Create channel failure, disconnect */
5e4e3972 4613 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4614 return;
4615 }
4616
4617 switch (chan->move_role) {
4618 case L2CAP_MOVE_ROLE_RESPONDER:
4619 l2cap_move_done(chan);
4620 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4621 break;
4622 case L2CAP_MOVE_ROLE_INITIATOR:
4623 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4624 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4625 /* Remote has only sent pending or
4626 * success responses, clean up
4627 */
4628 l2cap_move_done(chan);
4629 }
4630
4631 /* Other amp move states imply that the move
4632 * has already aborted
4633 */
4634 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4635 break;
4636 }
4637}
4638
4639static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4640 struct hci_chan *hchan)
4641{
4642 struct l2cap_conf_rsp rsp;
1500109b 4643
336178a3 4644 chan->hs_hchan = hchan;
1500109b
MM		 4645 chan->hs_hcon->l2cap_data = chan->conn;
4646
35ba9561 4647 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4648
4649 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4650 int err;
1500109b
MM		 4651
4652 set_default_fcs(chan);
4653
4654 err = l2cap_ertm_init(chan);
4655 if (err < 0)
5e4e3972 4656 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4657 else
4658 l2cap_chan_ready(chan);
4659 }
4660}
4661
4662static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4663 struct hci_chan *hchan)
4664{
4665 chan->hs_hcon = hchan->conn;
4666 chan->hs_hcon->l2cap_data = chan->conn;
4667
4668 BT_DBG("move_state %d", chan->move_state);
4669
4670 switch (chan->move_state) {
4671 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4672 /* Move confirm will be sent after a success
4673 * response is received
4674 */
4675 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4676 break;
4677 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4678 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4679 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4680 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4681 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4682 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4683 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4684 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4685 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4686 }
4687 break;
4688 default:
4689 /* Move was not in expected state, free the channel */
4690 __release_logical_link(chan);
4691
4692 chan->move_state = L2CAP_MOVE_STABLE;
4693 }
4694}
4695
4696/* Call with chan locked */
27695fb4
AE		 4697void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4698 u8 status)
5b155ef9 4699{
1500109b
MM		 4700 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4701
4702 if (status) {
4703 l2cap_logical_fail(chan);
4704 __release_logical_link(chan);
4705 return;
4706 }
4707
4708 if (chan->state != BT_CONNECTED) {
4709 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4710 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4711 l2cap_logical_finish_create(chan, hchan);
4712 } else {
4713 l2cap_logical_finish_move(chan, hchan);
4714 }
5b155ef9
MM		 4715}
4716
3f7a56c4
MM		 4717void l2cap_move_start(struct l2cap_chan *chan)
4718{
4719 BT_DBG("chan %p", chan);
4720
6ed971ca 4721 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4722 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4723 return;
4724 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4725 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4726 /* Placeholder - start physical link setup */
4727 } else {
4728 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4729 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4730 chan->move_id = 0;
4731 l2cap_move_setup(chan);
4732 l2cap_send_move_chan_req(chan, 0);
4733 }
4734}
4735
8eb200bd
MM		 4736static void l2cap_do_create(struct l2cap_chan *chan, int result,
4737 u8 local_amp_id, u8 remote_amp_id)
4738{
62748ca1
AE		 4739 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4740 local_amp_id, remote_amp_id);
4741
12d6cc60
AE		 4742 chan->fcs = L2CAP_FCS_NONE;
4743
62748ca1
AE		 4744 /* Outgoing channel on AMP */
4745 if (chan->state == BT_CONNECT) {
4746 if (result == L2CAP_CR_SUCCESS) {
4747 chan->local_amp_id = local_amp_id;
4748 l2cap_send_create_chan_req(chan, remote_amp_id);
4749 } else {
4750 /* Revert to BR/EDR connect */
4751 l2cap_send_conn_req(chan);
4752 }
4753
4754 return;
4755 }
4756
4757 /* Incoming channel on AMP */
4758 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4759 struct l2cap_conn_rsp rsp;
4760 char buf[128];
4761 rsp.scid = cpu_to_le16(chan->dcid);
4762 rsp.dcid = cpu_to_le16(chan->scid);
4763
8eb200bd
MM		 4764 if (result == L2CAP_CR_SUCCESS) {
4765 /* Send successful response */
62cd50e2
AE		 4766 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4767 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4768 } else {
4769 /* Send negative response */
62cd50e2
AE		 4770 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4771 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4772 }
4773
4774 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4775 sizeof(rsp), &rsp);
4776
4777 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4778 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4779 set_bit(CONF_REQ_SENT, &chan->conf_state);
4780 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4781 L2CAP_CONF_REQ,
4782 l2cap_build_conf_req(chan, buf), buf);
4783 chan->num_conf_req++;
4784 }
8eb200bd
MM		 4785 }
4786}
4787
4788static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4789 u8 remote_amp_id)
4790{
4791 l2cap_move_setup(chan);
4792 chan->move_id = local_amp_id;
4793 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4794
4795 l2cap_send_move_chan_req(chan, remote_amp_id);
4796}
4797
4798static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4799{
4800 struct hci_chan *hchan = NULL;
4801
4802 /* Placeholder - get hci_chan for logical link */
4803
4804 if (hchan) {
4805 if (hchan->state == BT_CONNECTED) {
4806 /* Logical link is ready to go */
4807 chan->hs_hcon = hchan->conn;
4808 chan->hs_hcon->l2cap_data = chan->conn;
4809 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4810 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4811
4812 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4813 } else {
4814 /* Wait for logical link to be ready */
4815 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4816 }
4817 } else {
4818 /* Logical link not available */
4819 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4820 }
4821}
4822
4823static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4824{
4825 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4826 u8 rsp_result;
4827 if (result == -EINVAL)
4828 rsp_result = L2CAP_MR_BAD_ID;
4829 else
4830 rsp_result = L2CAP_MR_NOT_ALLOWED;
4831
4832 l2cap_send_move_chan_rsp(chan, rsp_result);
4833 }
4834
4835 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4836 chan->move_state = L2CAP_MOVE_STABLE;
4837
4838 /* Restart data transmission */
4839 l2cap_ertm_send(chan);
4840}
4841
a514b17f
AE		 4842/* Invoke with locked chan */
4843void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4844{
770bfefa 4845 u8 local_amp_id = chan->local_amp_id;
fffadc08 4846 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4847
8eb200bd
MM		 4848 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4849 chan, result, local_amp_id, remote_amp_id);
4850
8eb200bd
MM		 4851 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4852 l2cap_chan_unlock(chan);
4853 return;
4854 }
4855
4856 if (chan->state != BT_CONNECTED) {
4857 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4858 } else if (result != L2CAP_MR_SUCCESS) {
4859 l2cap_do_move_cancel(chan, result);
4860 } else {
4861 switch (chan->move_role) {
4862 case L2CAP_MOVE_ROLE_INITIATOR:
4863 l2cap_do_move_initiate(chan, local_amp_id,
4864 remote_amp_id);
4865 break;
4866 case L2CAP_MOVE_ROLE_RESPONDER:
4867 l2cap_do_move_respond(chan, result);
4868 break;
4869 default:
4870 l2cap_do_move_cancel(chan, result);
4871 break;
4872 }
4873 }
8eb200bd
MM		 4874}
4875
8d5a04a1 4876static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4877 struct l2cap_cmd_hdr *cmd,
4878 u16 cmd_len, void *data)
8d5a04a1
MM		 4879{
4880 struct l2cap_move_chan_req *req = data;
1500109b 4881 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4882 struct l2cap_chan *chan;
8d5a04a1
MM		 4883 u16 icid = 0;
4884 u16 result = L2CAP_MR_NOT_ALLOWED;
4885
4886 if (cmd_len != sizeof(*req))
4887 return -EPROTO;
4888
4889 icid = le16_to_cpu(req->icid);
4890
ad0ac6ca 4891 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4892
848566b3 4893 if (!conn->hs_enabled)
8d5a04a1
MM		 4894 return -EINVAL;
4895
02b0fbb9
MM		 4896 chan = l2cap_get_chan_by_dcid(conn, icid);
4897 if (!chan) {
1500109b
MM		 4898 rsp.icid = cpu_to_le16(icid);
4899 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4900 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4901 sizeof(rsp), &rsp);
02b0fbb9
MM		 4902 return 0;
4903 }
4904
1500109b
MM		 4905 chan->ident = cmd->ident;
4906
02b0fbb9
MM		 4907 if (chan->scid < L2CAP_CID_DYN_START ||
4908 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4909 (chan->mode != L2CAP_MODE_ERTM &&
4910 chan->mode != L2CAP_MODE_STREAMING)) {
4911 result = L2CAP_MR_NOT_ALLOWED;
4912 goto send_move_response;
4913 }
4914
4915 if (chan->local_amp_id == req->dest_amp_id) {
4916 result = L2CAP_MR_SAME_ID;
4917 goto send_move_response;
4918 }
4919
6ed971ca 4920 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4921 struct hci_dev *hdev;
4922 hdev = hci_dev_get(req->dest_amp_id);
4923 if (!hdev || hdev->dev_type != HCI_AMP ||
4924 !test_bit(HCI_UP, &hdev->flags)) {
4925 if (hdev)
4926 hci_dev_put(hdev);
4927
4928 result = L2CAP_MR_BAD_ID;
4929 goto send_move_response;
4930 }
4931 hci_dev_put(hdev);
4932 }
4933
4934 /* Detect a move collision. Only send a collision response
4935 * if this side has "lost", otherwise proceed with the move.
4936 * The winner has the larger bd_addr.
4937 */
4938 if ((__chan_is_moving(chan) ||
4939 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4940 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4941 result = L2CAP_MR_COLLISION;
4942 goto send_move_response;
4943 }
4944
02b0fbb9
MM		 4945 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4946 l2cap_move_setup(chan);
4947 chan->move_id = req->dest_amp_id;
4948 icid = chan->dcid;
4949
6ed971ca 4950 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4951 /* Moving to BR/EDR */
4952 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4953 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4954 result = L2CAP_MR_PEND;
4955 } else {
4956 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4957 result = L2CAP_MR_SUCCESS;
4958 }
4959 } else {
4960 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4961 /* Placeholder - uncomment when amp functions are available */
4962 /*amp_accept_physical(chan, req->dest_amp_id);*/
4963 result = L2CAP_MR_PEND;
4964 }
4965
4966send_move_response:
1500109b 4967 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4968
02b0fbb9
MM		 4969 l2cap_chan_unlock(chan);
4970
8d5a04a1
MM		 4971 return 0;
4972}
4973
5b155ef9
MM		 4974static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4975{
4976 struct l2cap_chan *chan;
4977 struct hci_chan *hchan = NULL;
4978
4979 chan = l2cap_get_chan_by_scid(conn, icid);
4980 if (!chan) {
4981 l2cap_send_move_chan_cfm_icid(conn, icid);
4982 return;
4983 }
4984
4985 __clear_chan_timer(chan);
4986 if (result == L2CAP_MR_PEND)
4987 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4988
4989 switch (chan->move_state) {
4990 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4991 /* Move confirm will be sent when logical link
4992 * is complete.
4993 */
4994 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4995 break;
4996 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4997 if (result == L2CAP_MR_PEND) {
4998 break;
4999 } else if (test_bit(CONN_LOCAL_BUSY,
5000 &chan->conn_state)) {
5001 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5002 } else {
5003 /* Logical link is up or moving to BR/EDR,
5004 * proceed with move
5005 */
5006 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5007 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5008 }
5009 break;
5010 case L2CAP_MOVE_WAIT_RSP:
5011 /* Moving to AMP */
5012 if (result == L2CAP_MR_SUCCESS) {
5013 /* Remote is ready, send confirm immediately
5014 * after logical link is ready
5015 */
5016 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5017 } else {
5018 /* Both logical link and move success
5019 * are required to confirm
5020 */
5021 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5022 }
5023
5024 /* Placeholder - get hci_chan for logical link */
5025 if (!hchan) {
5026 /* Logical link not available */
5027 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5028 break;
5029 }
5030
5031 /* If the logical link is not yet connected, do not
5032 * send confirmation.
5033 */
5034 if (hchan->state != BT_CONNECTED)
5035 break;
5036
5037 /* Logical link is already ready to go */
5038
5039 chan->hs_hcon = hchan->conn;
5040 chan->hs_hcon->l2cap_data = chan->conn;
5041
5042 if (result == L2CAP_MR_SUCCESS) {
5043 /* Can confirm now */
5044 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5045 } else {
5046 /* Now only need move success
5047 * to confirm
5048 */
5049 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5050 }
5051
5052 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5053 break;
5054 default:
5055 /* Any other amp move state means the move failed. */
5056 chan->move_id = chan->local_amp_id;
5057 l2cap_move_done(chan);
5058 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5059 }
5060
5061 l2cap_chan_unlock(chan);
5062}
5063
5064static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5065 u16 result)
5066{
5067 struct l2cap_chan *chan;
5068
5069 chan = l2cap_get_chan_by_ident(conn, ident);
5070 if (!chan) {
5071 /* Could not locate channel, icid is best guess */
5072 l2cap_send_move_chan_cfm_icid(conn, icid);
5073 return;
5074 }
5075
5076 __clear_chan_timer(chan);
5077
5078 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5079 if (result == L2CAP_MR_COLLISION) {
5080 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5081 } else {
5082 /* Cleanup - cancel move */
5083 chan->move_id = chan->local_amp_id;
5084 l2cap_move_done(chan);
5085 }
5086 }
5087
5088 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5089
5090 l2cap_chan_unlock(chan);
5091}
5092
5093static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5094 struct l2cap_cmd_hdr *cmd,
5095 u16 cmd_len, void *data)
8d5a04a1
MM		 5096{
5097 struct l2cap_move_chan_rsp *rsp = data;
5098 u16 icid, result;
5099
5100 if (cmd_len != sizeof(*rsp))
5101 return -EPROTO;
5102
5103 icid = le16_to_cpu(rsp->icid);
5104 result = le16_to_cpu(rsp->result);
5105
ad0ac6ca 5106 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5107
5b155ef9
MM		 5108 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5109 l2cap_move_continue(conn, icid, result);
5110 else
5111 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5112
5113 return 0;
5114}
5115
5f3847a4
MM		 5116static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5117 struct l2cap_cmd_hdr *cmd,
5118 u16 cmd_len, void *data)
8d5a04a1
MM		 5119{
5120 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5121 struct l2cap_chan *chan;
8d5a04a1
MM		 5122 u16 icid, result;
5123
5124 if (cmd_len != sizeof(*cfm))
5125 return -EPROTO;
5126
5127 icid = le16_to_cpu(cfm->icid);
5128 result = le16_to_cpu(cfm->result);
5129
ad0ac6ca 5130 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5131
5f3847a4
MM		 5132 chan = l2cap_get_chan_by_dcid(conn, icid);
5133 if (!chan) {
5134 /* Spec requires a response even if the icid was not found */
5135 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5136 return 0;
5137 }
5138
5139 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5140 if (result == L2CAP_MC_CONFIRMED) {
5141 chan->local_amp_id = chan->move_id;
6ed971ca 5142 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5143 __release_logical_link(chan);
5144 } else {
5145 chan->move_id = chan->local_amp_id;
5146 }
5147
5148 l2cap_move_done(chan);
5149 }
5150
8d5a04a1
MM		 5151 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5152
5f3847a4
MM		 5153 l2cap_chan_unlock(chan);
5154
8d5a04a1
MM		 5155 return 0;
5156}
5157
5158static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5159 struct l2cap_cmd_hdr *cmd,
5160 u16 cmd_len, void *data)
8d5a04a1
MM		 5161{
5162 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5163 struct l2cap_chan *chan;
8d5a04a1
MM		 5164 u16 icid;
5165
5166 if (cmd_len != sizeof(*rsp))
5167 return -EPROTO;
5168
5169 icid = le16_to_cpu(rsp->icid);
5170
ad0ac6ca 5171 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5172
3fd71a0a
MM		 5173 chan = l2cap_get_chan_by_scid(conn, icid);
5174 if (!chan)
5175 return 0;
5176
5177 __clear_chan_timer(chan);
5178
5179 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5180 chan->local_amp_id = chan->move_id;
5181
6ed971ca 5182 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5183 __release_logical_link(chan);
5184
5185 l2cap_move_done(chan);
5186 }
5187
5188 l2cap_chan_unlock(chan);
5189
8d5a04a1
MM		 5190 return 0;
5191}
5192
e2174ca4 5193static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5194 u16 to_multiplier)
de73115a
CT		 5195{
5196 u16 max_latency;
5197
5198 if (min > max || min < 6 || max > 3200)
5199 return -EINVAL;
5200
5201 if (to_multiplier < 10 || to_multiplier > 3200)
5202 return -EINVAL;
5203
5204 if (max >= to_multiplier * 8)
5205 return -EINVAL;
5206
5207 max_latency = (to_multiplier * 8 / max) - 1;
5208 if (latency > 499 || latency > max_latency)
5209 return -EINVAL;
5210
5211 return 0;
5212}
5213
5214static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5215 struct l2cap_cmd_hdr *cmd,
203e639e 5216 u16 cmd_len, u8 *data)
de73115a
CT		 5217{
5218 struct hci_conn *hcon = conn->hcon;
5219 struct l2cap_conn_param_update_req *req;
5220 struct l2cap_conn_param_update_rsp rsp;
203e639e 5221 u16 min, max, latency, to_multiplier;
2ce603eb 5222 int err;
de73115a
CT		 5223
5224 if (!(hcon->link_mode & HCI_LM_MASTER))
5225 return -EINVAL;
5226
de73115a
CT		 5227 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5228 return -EPROTO;
5229
5230 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5231 min = __le16_to_cpu(req->min);
5232 max = __le16_to_cpu(req->max);
de73115a
CT		 5233 latency = __le16_to_cpu(req->latency);
5234 to_multiplier = __le16_to_cpu(req->to_multiplier);
5235
5236 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5237 min, max, latency, to_multiplier);
de73115a
CT		 5238
5239 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5240
5241 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5242 if (err)
ac73498c 5243 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5244 else
ac73498c 5245 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5246
5247 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5248 sizeof(rsp), &rsp);
de73115a 5249
2ce603eb
CT		 5250 if (!err)
5251 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5252
de73115a
CT		 5253 return 0;
5254}
5255
f1496dee
JH		 5256static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5257 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5258 u8 *data)
5259{
5260 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5261 u16 dcid, mtu, mps, credits, result;
5262 struct l2cap_chan *chan;
5263 int err;
5264
5265 if (cmd_len < sizeof(*rsp))
5266 return -EPROTO;
5267
5268 dcid = __le16_to_cpu(rsp->dcid);
5269 mtu = __le16_to_cpu(rsp->mtu);
5270 mps = __le16_to_cpu(rsp->mps);
5271 credits = __le16_to_cpu(rsp->credits);
5272 result = __le16_to_cpu(rsp->result);
5273
5274 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5275 return -EPROTO;
5276
5277 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5278 dcid, mtu, mps, credits, result);
5279
5280 mutex_lock(&conn->chan_lock);
5281
5282 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5283 if (!chan) {
5284 err = -EBADSLT;
5285 goto unlock;
5286 }
5287
5288 err = 0;
5289
5290 l2cap_chan_lock(chan);
5291
5292 switch (result) {
5293 case L2CAP_CR_SUCCESS:
5294 chan->ident = 0;
5295 chan->dcid = dcid;
5296 chan->omtu = mtu;
5297 chan->remote_mps = mps;
0cd75f7e 5298 chan->tx_credits = credits;
f1496dee
JH		 5299 l2cap_chan_ready(chan);
5300 break;
5301
5302 default:
5303 l2cap_chan_del(chan, ECONNREFUSED);
5304 break;
5305 }
5306
5307 l2cap_chan_unlock(chan);
5308
5309unlock:
5310 mutex_unlock(&conn->chan_lock);
5311
5312 return err;
5313}
5314
3300d9a9 5315static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5316 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5317 u8 *data)
3300d9a9
CT		 5318{
5319 int err = 0;
5320
5321 switch (cmd->code) {
5322 case L2CAP_COMMAND_REJ:
cb3b3152 5323 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5324 break;
5325
5326 case L2CAP_CONN_REQ:
cb3b3152 5327 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5328 break;
5329
5330 case L2CAP_CONN_RSP:
f5a2598d 5331 case L2CAP_CREATE_CHAN_RSP:
9245e737 5332 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5333 break;
5334
5335 case L2CAP_CONF_REQ:
5336 err = l2cap_config_req(conn, cmd, cmd_len, data);
5337 break;
5338
5339 case L2CAP_CONF_RSP:
9245e737 5340 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5341 break;
5342
5343 case L2CAP_DISCONN_REQ:
cb3b3152 5344 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5345 break;
5346
5347 case L2CAP_DISCONN_RSP:
9245e737 5348 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5349 break;
5350
5351 case L2CAP_ECHO_REQ:
5352 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5353 break;
5354
5355 case L2CAP_ECHO_RSP:
5356 break;
5357
5358 case L2CAP_INFO_REQ:
cb3b3152 5359 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5360 break;
5361
5362 case L2CAP_INFO_RSP:
9245e737 5363 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5364 break;
5365
f94ff6ff
MM		 5366 case L2CAP_CREATE_CHAN_REQ:
5367 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5368 break;
5369
8d5a04a1
MM		 5370 case L2CAP_MOVE_CHAN_REQ:
5371 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5372 break;
5373
5374 case L2CAP_MOVE_CHAN_RSP:
9245e737 5375 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5376 break;
5377
5378 case L2CAP_MOVE_CHAN_CFM:
5379 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5380 break;
5381
5382 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5383 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5384 break;
5385
3300d9a9
CT		 5386 default:
5387 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5388 err = -EINVAL;
5389 break;
5390 }
5391
5392 return err;
5393}
5394
27e2d4c8
JH		 5395static int l2cap_le_connect_req(struct l2cap_conn *conn,
5396 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5397 u8 *data)
5398{
5399 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5400 struct l2cap_le_conn_rsp rsp;
5401 struct l2cap_chan *chan, *pchan;
0cd75f7e 5402 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5403 __le16 psm;
5404 u8 result;
5405
5406 if (cmd_len != sizeof(*req))
5407 return -EPROTO;
5408
5409 scid = __le16_to_cpu(req->scid);
5410 mtu = __le16_to_cpu(req->mtu);
5411 mps = __le16_to_cpu(req->mps);
5412 psm = req->psm;
5413 dcid = 0;
0cd75f7e 5414 credits = 0;
27e2d4c8
JH		 5415
5416 if (mtu < 23 || mps < 23)
5417 return -EPROTO;
5418
5419 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5420 scid, mtu, mps);
5421
5422 /* Check if we have socket listening on psm */
5423 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5424 &conn->hcon->dst, LE_LINK);
5425 if (!pchan) {
5426 result = L2CAP_CR_BAD_PSM;
5427 chan = NULL;
5428 goto response;
5429 }
5430
5431 mutex_lock(&conn->chan_lock);
5432 l2cap_chan_lock(pchan);
5433
5434 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5435 result = L2CAP_CR_AUTHENTICATION;
5436 chan = NULL;
5437 goto response_unlock;
5438 }
5439
5440 /* Check if we already have channel with that dcid */
5441 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5442 result = L2CAP_CR_NO_MEM;
5443 chan = NULL;
5444 goto response_unlock;
5445 }
5446
5447 chan = pchan->ops->new_connection(pchan);
5448 if (!chan) {
5449 result = L2CAP_CR_NO_MEM;
5450 goto response_unlock;
5451 }
5452
0ce43ce6
JH		 5453 l2cap_le_flowctl_init(chan);
5454
27e2d4c8
JH		 5455 bacpy(&chan->src, &conn->hcon->src);
5456 bacpy(&chan->dst, &conn->hcon->dst);
5457 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5458 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5459 chan->psm = psm;
5460 chan->dcid = scid;
5461 chan->omtu = mtu;
5462 chan->remote_mps = mps;
0cd75f7e 5463 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5464
5465 __l2cap_chan_add(conn, chan);
5466 dcid = chan->scid;
0cd75f7e 5467 credits = chan->rx_credits;
27e2d4c8
JH		 5468
5469 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5470
5471 chan->ident = cmd->ident;
5472
5473 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5474 l2cap_state_change(chan, BT_CONNECT2);
5475 result = L2CAP_CR_PEND;
5476 chan->ops->defer(chan);
5477 } else {
5478 l2cap_chan_ready(chan);
5479 result = L2CAP_CR_SUCCESS;
5480 }
5481
5482response_unlock:
5483 l2cap_chan_unlock(pchan);
5484 mutex_unlock(&conn->chan_lock);
5485
5486 if (result == L2CAP_CR_PEND)
5487 return 0;
5488
5489response:
5490 if (chan) {
5491 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5492 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5493 } else {
5494 rsp.mtu = 0;
5495 rsp.mps = 0;
5496 }
5497
5498 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5499 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5500 rsp.result = cpu_to_le16(result);
5501
5502 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5503
5504 return 0;
5505}
5506
fad5fc89
JH		 5507static inline int l2cap_le_credits(struct l2cap_conn *conn,
5508 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5509 u8 *data)
5510{
5511 struct l2cap_le_credits *pkt;
5512 struct l2cap_chan *chan;
5513 u16 cid, credits;
5514
5515 if (cmd_len != sizeof(*pkt))
5516 return -EPROTO;
5517
5518 pkt = (struct l2cap_le_credits *) data;
5519 cid = __le16_to_cpu(pkt->cid);
5520 credits = __le16_to_cpu(pkt->credits);
5521
5522 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5523
5524 chan = l2cap_get_chan_by_dcid(conn, cid);
5525 if (!chan)
5526 return -EBADSLT;
5527
5528 chan->tx_credits += credits;
5529
5530 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5531 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5532 chan->tx_credits--;
5533 }
5534
5535 if (chan->tx_credits)
5536 chan->ops->resume(chan);
5537
5538 l2cap_chan_unlock(chan);
5539
5540 return 0;
5541}
5542
71fb4197
JH		 5543static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5544 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5545 u8 *data)
5546{
5547 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5548 struct l2cap_chan *chan;
5549
5550 if (cmd_len < sizeof(*rej))
5551 return -EPROTO;
5552
5553 mutex_lock(&conn->chan_lock);
5554
5555 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5556 if (!chan)
5557 goto done;
5558
5559 l2cap_chan_lock(chan);
5560 l2cap_chan_del(chan, ECONNREFUSED);
5561 l2cap_chan_unlock(chan);
5562
5563done:
5564 mutex_unlock(&conn->chan_lock);
5565 return 0;
5566}
5567
3300d9a9 5568static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5569 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5570 u8 *data)
3300d9a9 5571{
b5ecba64
JH		 5572 int err = 0;
5573
3af8ace6
JH		 5574 if (!enable_lecoc) {
5575 switch (cmd->code) {
5576 case L2CAP_LE_CONN_REQ:
5577 case L2CAP_LE_CONN_RSP:
5578 case L2CAP_LE_CREDITS:
5579 case L2CAP_DISCONN_REQ:
5580 case L2CAP_DISCONN_RSP:
5581 return -EINVAL;
5582 }
5583 }
5584
3300d9a9
CT		 5585 switch (cmd->code) {
5586 case L2CAP_COMMAND_REJ:
71fb4197 5587 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5588 break;
3300d9a9
CT		 5589
5590 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5591 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5592 break;
3300d9a9
CT		 5593
5594 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5595 break;
3300d9a9 5596
f1496dee
JH		 5597 case L2CAP_LE_CONN_RSP:
5598 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5599 break;
f1496dee 5600
27e2d4c8 5601 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5602 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5603 break;
27e2d4c8 5604
fad5fc89
JH		 5605 case L2CAP_LE_CREDITS:
5606 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5607 break;
5608
3defe01a 5609 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5610 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5611 break;
3defe01a
JH		 5612
5613 case L2CAP_DISCONN_RSP:
5614 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5615 break;
3defe01a 5616
3300d9a9
CT		 5617 default:
5618 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5619 err = -EINVAL;
5620 break;
3300d9a9 5621 }
b5ecba64
JH		 5622
5623 return err;
3300d9a9
CT		 5624}
5625
c5623556
JH		 5626static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5627 struct sk_buff *skb)
5628{
69c4e4e8 5629 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5630 struct l2cap_cmd_hdr *cmd;
5631 u16 len;
c5623556
JH		 5632 int err;
5633
69c4e4e8 5634 if (hcon->type != LE_LINK)
3b166295 5635 goto drop;
69c4e4e8 5636
4f3e219d
MH		 5637 if (skb->len < L2CAP_CMD_HDR_SIZE)
5638 goto drop;
c5623556 5639
4f3e219d
MH		 5640 cmd = (void *) skb->data;
5641 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5642
4f3e219d 5643 len = le16_to_cpu(cmd->len);
c5623556 5644
4f3e219d 5645 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5646
4f3e219d
MH		 5647 if (len != skb->len || !cmd->ident) {
5648 BT_DBG("corrupted command");
5649 goto drop;
5650 }
c5623556 5651
203e639e 5652 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5653 if (err) {
5654 struct l2cap_cmd_rej_unk rej;
c5623556 5655
4f3e219d 5656 BT_ERR("Wrong link type (%d)", err);
c5623556 5657
a521149a 5658 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5659 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5660 sizeof(rej), &rej);
c5623556
JH		 5661 }
5662
3b166295 5663drop:
c5623556
JH		 5664 kfree_skb(skb);
5665}
5666
3300d9a9 5667static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5668 struct sk_buff *skb)
1da177e4 5669{
69c4e4e8 5670 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5671 u8 *data = skb->data;
5672 int len = skb->len;
5673 struct l2cap_cmd_hdr cmd;
3300d9a9 5674 int err;
1da177e4
LT		 5675
5676 l2cap_raw_recv(conn, skb);
5677
69c4e4e8 5678 if (hcon->type != ACL_LINK)
3b166295 5679 goto drop;
69c4e4e8 5680
1da177e4 5681 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5682 u16 cmd_len;
1da177e4
LT		 5683 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5684 data += L2CAP_CMD_HDR_SIZE;
5685 len -= L2CAP_CMD_HDR_SIZE;
5686
88219a0f 5687 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5688
2d792818
GP		 5689 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5690 cmd.ident);
1da177e4 5691
88219a0f 5692 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5693 BT_DBG("corrupted command");
5694 break;
5695 }
5696
c5623556 5697 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5698 if (err) {
e2fd318e 5699 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5700
5701 BT_ERR("Wrong link type (%d)", err);
1da177e4 5702
a521149a 5703 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5704 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5705 sizeof(rej), &rej);
1da177e4
LT		 5706 }
5707
88219a0f
AV		 5708 data += cmd_len;
5709 len -= cmd_len;
1da177e4
LT		 5710 }
5711
3b166295 5712drop:
1da177e4
LT		 5713 kfree_skb(skb);
5714}
5715
47d1ec61 5716static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5717{
5718 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5719 int hdr_size;
5720
5721 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5722 hdr_size = L2CAP_EXT_HDR_SIZE;
5723 else
5724 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5725
47d1ec61 5726 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5727 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5728 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5729 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5730
5731 if (our_fcs != rcv_fcs)
7a560e5c 5732 return -EBADMSG;
fcc203c3
GP		 5733 }
5734 return 0;
5735}
5736
6ea00485 5737static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5738{
e31f7633 5739 struct l2cap_ctrl control;
d5392c8f 5740
e31f7633 5741 BT_DBG("chan %p", chan);
d5392c8f 5742
e31f7633
MM		 5743 memset(&control, 0, sizeof(control));
5744 control.sframe = 1;
5745 control.final = 1;
5746 control.reqseq = chan->buffer_seq;
5747 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5748
e2ab4353 5749 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5750 control.super = L2CAP_SUPER_RNR;
5751 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5752 }
5753
e31f7633
MM		 5754 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5755 chan->unacked_frames > 0)
5756 __set_retrans_timer(chan);
d5392c8f 5757
e31f7633 5758 /* Send pending iframes */
525cd185 5759 l2cap_ertm_send(chan);
d5392c8f 5760
e2ab4353 5761 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5762 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5763 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5764 * send it now.
5765 */
5766 control.super = L2CAP_SUPER_RR;
5767 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5768 }
5769}
5770
2d792818
GP		 5771static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5772 struct sk_buff **last_frag)
18778a63 5773{
84084a31
MM		 5774 /* skb->len reflects data in skb as well as all fragments
5775 * skb->data_len reflects only data in fragments
5776 */
5777 if (!skb_has_frag_list(skb))
5778 skb_shinfo(skb)->frag_list = new_frag;
5779
5780 new_frag->next = NULL;
5781
5782 (*last_frag)->next = new_frag;
5783 *last_frag = new_frag;
5784
5785 skb->len += new_frag->len;
5786 skb->data_len += new_frag->len;
5787 skb->truesize += new_frag->truesize;
5788}
5789
4b51dae9
MM		 5790static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5791 struct l2cap_ctrl *control)
84084a31
MM		 5792{
5793 int err = -EINVAL;
18778a63 5794
4b51dae9 5795 switch (control->sar) {
7e0ef6ee 5796 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5797 if (chan->sdu)
5798 break;
18778a63 5799
80b98027 5800 err = chan->ops->recv(chan, skb);
84084a31 5801 break;
18778a63 5802
7e0ef6ee 5803 case L2CAP_SAR_START:
84084a31
MM		 5804 if (chan->sdu)
5805 break;
18778a63 5806
6f61fd47 5807 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5808 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5809
84084a31
MM		 5810 if (chan->sdu_len > chan->imtu) {
5811 err = -EMSGSIZE;
5812 break;
5813 }
1890d36b 5814
84084a31
MM		 5815 if (skb->len >= chan->sdu_len)
5816 break;
18778a63 5817
84084a31
MM		 5818 chan->sdu = skb;
5819 chan->sdu_last_frag = skb;
18778a63 5820
84084a31
MM		 5821 skb = NULL;
5822 err = 0;
18778a63
GP		 5823 break;
5824
7e0ef6ee 5825 case L2CAP_SAR_CONTINUE:
6f61fd47 5826 if (!chan->sdu)
84084a31 5827 break;
18778a63 5828
84084a31
MM		 5829 append_skb_frag(chan->sdu, skb,
5830 &chan->sdu_last_frag);
5831 skb = NULL;
18778a63 5832
84084a31
MM		 5833 if (chan->sdu->len >= chan->sdu_len)
5834 break;
4178ba46 5835
84084a31 5836 err = 0;
18778a63
GP		 5837 break;
5838
7e0ef6ee 5839 case L2CAP_SAR_END:
6f61fd47 5840 if (!chan->sdu)
84084a31 5841 break;
18778a63 5842
84084a31
MM		 5843 append_skb_frag(chan->sdu, skb,
5844 &chan->sdu_last_frag);
5845 skb = NULL;
4178ba46 5846
84084a31
MM		 5847 if (chan->sdu->len != chan->sdu_len)
5848 break;
18778a63 5849
80b98027 5850 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5851
84084a31
MM		 5852 if (!err) {
5853 /* Reassembly complete */
5854 chan->sdu = NULL;
5855 chan->sdu_last_frag = NULL;
5856 chan->sdu_len = 0;
1890d36b 5857 }
18778a63
GP		 5858 break;
5859 }
5860
84084a31
MM		 5861 if (err) {
5862 kfree_skb(skb);
5863 kfree_skb(chan->sdu);
5864 chan->sdu = NULL;
5865 chan->sdu_last_frag = NULL;
5866 chan->sdu_len = 0;
5867 }
18778a63 5868
84084a31 5869 return err;
18778a63
GP		 5870}
5871
32b32735
MM		 5872static int l2cap_resegment(struct l2cap_chan *chan)
5873{
5874 /* Placeholder */
5875 return 0;
5876}
5877
61aa4f5b 5878void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5879{
61aa4f5b 5880 u8 event;
712132eb 5881
61aa4f5b
MM		 5882 if (chan->mode != L2CAP_MODE_ERTM)
5883 return;
712132eb 5884
61aa4f5b 5885 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5886 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5887}
5888
d2a7ac5d
MM		 5889static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5890{
63838725
MM		 5891 int err = 0;
5892 /* Pass sequential frames to l2cap_reassemble_sdu()
5893 * until a gap is encountered.
5894 */
5895
5896 BT_DBG("chan %p", chan);
5897
5898 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5899 struct sk_buff *skb;
5900 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5901 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5902
5903 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5904
5905 if (!skb)
5906 break;
5907
5908 skb_unlink(skb, &chan->srej_q);
5909 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5910 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5911 if (err)
5912 break;
5913 }
5914
5915 if (skb_queue_empty(&chan->srej_q)) {
5916 chan->rx_state = L2CAP_RX_STATE_RECV;
5917 l2cap_send_ack(chan);
5918 }
5919
5920 return err;
d2a7ac5d
MM		 5921}
5922
5923static void l2cap_handle_srej(struct l2cap_chan *chan,
5924 struct l2cap_ctrl *control)
5925{
f80842a8
MM		 5926 struct sk_buff *skb;
5927
5928 BT_DBG("chan %p, control %p", chan, control);
5929
5930 if (control->reqseq == chan->next_tx_seq) {
5931 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5932 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5933 return;
5934 }
5935
5936 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5937
5938 if (skb == NULL) {
5939 BT_DBG("Seq %d not available for retransmission",
5940 control->reqseq);
5941 return;
5942 }
5943
5944 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5945 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5946 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5947 return;
5948 }
5949
5950 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5951
5952 if (control->poll) {
5953 l2cap_pass_to_tx(chan, control);
5954
5955 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5956 l2cap_retransmit(chan, control);
5957 l2cap_ertm_send(chan);
5958
5959 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5960 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5961 chan->srej_save_reqseq = control->reqseq;
5962 }
5963 } else {
5964 l2cap_pass_to_tx_fbit(chan, control);
5965
5966 if (control->final) {
5967 if (chan->srej_save_reqseq != control->reqseq ||
5968 !test_and_clear_bit(CONN_SREJ_ACT,
5969 &chan->conn_state))
5970 l2cap_retransmit(chan, control);
5971 } else {
5972 l2cap_retransmit(chan, control);
5973 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5974 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5975 chan->srej_save_reqseq = control->reqseq;
5976 }
5977 }
5978 }
d2a7ac5d
MM		 5979}
5980
5981static void l2cap_handle_rej(struct l2cap_chan *chan,
5982 struct l2cap_ctrl *control)
5983{
fcd289df
MM		 5984 struct sk_buff *skb;
5985
5986 BT_DBG("chan %p, control %p", chan, control);
5987
5988 if (control->reqseq == chan->next_tx_seq) {
5989 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5990 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5991 return;
5992 }
5993
5994 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5995
5996 if (chan->max_tx && skb &&
5997 bt_cb(skb)->control.retries >= chan->max_tx) {
5998 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5999 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6000 return;
6001 }
6002
6003 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6004
6005 l2cap_pass_to_tx(chan, control);
6006
6007 if (control->final) {
6008 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6009 l2cap_retransmit_all(chan, control);
6010 } else {
6011 l2cap_retransmit_all(chan, control);
6012 l2cap_ertm_send(chan);
6013 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6014 set_bit(CONN_REJ_ACT, &chan->conn_state);
6015 }
d2a7ac5d
MM		 6016}
6017
4b51dae9
MM		 6018static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6019{
6020 BT_DBG("chan %p, txseq %d", chan, txseq);
6021
6022 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6023 chan->expected_tx_seq);
6024
6025 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6026 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6027 chan->tx_win) {
4b51dae9
MM		 6028 /* See notes below regarding "double poll" and
6029 * invalid packets.
6030 */
6031 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6032 BT_DBG("Invalid/Ignore - after SREJ");
6033 return L2CAP_TXSEQ_INVALID_IGNORE;
6034 } else {
6035 BT_DBG("Invalid - in window after SREJ sent");
6036 return L2CAP_TXSEQ_INVALID;
6037 }
6038 }
6039
6040 if (chan->srej_list.head == txseq) {
6041 BT_DBG("Expected SREJ");
6042 return L2CAP_TXSEQ_EXPECTED_SREJ;
6043 }
6044
6045 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6046 BT_DBG("Duplicate SREJ - txseq already stored");
6047 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6048 }
6049
6050 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6051 BT_DBG("Unexpected SREJ - not requested");
6052 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6053 }
6054 }
6055
6056 if (chan->expected_tx_seq == txseq) {
6057 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6058 chan->tx_win) {
6059 BT_DBG("Invalid - txseq outside tx window");
6060 return L2CAP_TXSEQ_INVALID;
6061 } else {
6062 BT_DBG("Expected");
6063 return L2CAP_TXSEQ_EXPECTED;
6064 }
6065 }
6066
6067 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6068 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6069 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6070 return L2CAP_TXSEQ_DUPLICATE;
6071 }
6072
6073 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6074 /* A source of invalid packets is a "double poll" condition,
6075 * where delays cause us to send multiple poll packets. If
6076 * the remote stack receives and processes both polls,
6077 * sequence numbers can wrap around in such a way that a
6078 * resent frame has a sequence number that looks like new data
6079 * with a sequence gap. This would trigger an erroneous SREJ
6080 * request.
6081 *
6082 * Fortunately, this is impossible with a tx window that's
6083 * less than half of the maximum sequence number, which allows
6084 * invalid frames to be safely ignored.
6085 *
6086 * With tx window sizes greater than half of the tx window
6087 * maximum, the frame is invalid and cannot be ignored. This
6088 * causes a disconnect.
6089 */
6090
6091 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6092 BT_DBG("Invalid/Ignore - txseq outside tx window");
6093 return L2CAP_TXSEQ_INVALID_IGNORE;
6094 } else {
6095 BT_DBG("Invalid - txseq outside tx window");
6096 return L2CAP_TXSEQ_INVALID;
6097 }
6098 } else {
6099 BT_DBG("Unexpected - txseq indicates missing frames");
6100 return L2CAP_TXSEQ_UNEXPECTED;
6101 }
6102}
6103
d2a7ac5d
MM		 6104static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6105 struct l2cap_ctrl *control,
6106 struct sk_buff *skb, u8 event)
6107{
6108 int err = 0;
941247f9 6109 bool skb_in_use = false;
d2a7ac5d
MM		 6110
6111 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6112 event);
6113
6114 switch (event) {
6115 case L2CAP_EV_RECV_IFRAME:
6116 switch (l2cap_classify_txseq(chan, control->txseq)) {
6117 case L2CAP_TXSEQ_EXPECTED:
6118 l2cap_pass_to_tx(chan, control);
6119
6120 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6121 BT_DBG("Busy, discarding expected seq %d",
6122 control->txseq);
6123 break;
6124 }
6125
6126 chan->expected_tx_seq = __next_seq(chan,
6127 control->txseq);
6128
6129 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6130 skb_in_use = true;
d2a7ac5d
MM		 6131
6132 err = l2cap_reassemble_sdu(chan, skb, control);
6133 if (err)
6134 break;
6135
6136 if (control->final) {
6137 if (!test_and_clear_bit(CONN_REJ_ACT,
6138 &chan->conn_state)) {
6139 control->final = 0;
6140 l2cap_retransmit_all(chan, control);
6141 l2cap_ertm_send(chan);
6142 }
6143 }
6144
6145 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6146 l2cap_send_ack(chan);
6147 break;
6148 case L2CAP_TXSEQ_UNEXPECTED:
6149 l2cap_pass_to_tx(chan, control);
6150
6151 /* Can't issue SREJ frames in the local busy state.
6152 * Drop this frame, it will be seen as missing
6153 * when local busy is exited.
6154 */
6155 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6156 BT_DBG("Busy, discarding unexpected seq %d",
6157 control->txseq);
6158 break;
6159 }
6160
6161 /* There was a gap in the sequence, so an SREJ
6162 * must be sent for each missing frame. The
6163 * current frame is stored for later use.
6164 */
6165 skb_queue_tail(&chan->srej_q, skb);
941247f9 6166 skb_in_use = true;
d2a7ac5d
MM		 6167 BT_DBG("Queued %p (queue len %d)", skb,
6168 skb_queue_len(&chan->srej_q));
6169
6170 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6171 l2cap_seq_list_clear(&chan->srej_list);
6172 l2cap_send_srej(chan, control->txseq);
6173
6174 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6175 break;
6176 case L2CAP_TXSEQ_DUPLICATE:
6177 l2cap_pass_to_tx(chan, control);
6178 break;
6179 case L2CAP_TXSEQ_INVALID_IGNORE:
6180 break;
6181 case L2CAP_TXSEQ_INVALID:
6182 default:
5e4e3972 6183 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6184 break;
6185 }
6186 break;
6187 case L2CAP_EV_RECV_RR:
6188 l2cap_pass_to_tx(chan, control);
6189 if (control->final) {
6190 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6191
e6a3ee6e
MM		 6192 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6193 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6194 control->final = 0;
6195 l2cap_retransmit_all(chan, control);
6196 }
6197
6198 l2cap_ertm_send(chan);
6199 } else if (control->poll) {
6200 l2cap_send_i_or_rr_or_rnr(chan);
6201 } else {
6202 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6203 &chan->conn_state) &&
6204 chan->unacked_frames)
6205 __set_retrans_timer(chan);
6206
6207 l2cap_ertm_send(chan);
6208 }
6209 break;
6210 case L2CAP_EV_RECV_RNR:
6211 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6212 l2cap_pass_to_tx(chan, control);
6213 if (control && control->poll) {
6214 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6215 l2cap_send_rr_or_rnr(chan, 0);
6216 }
6217 __clear_retrans_timer(chan);
6218 l2cap_seq_list_clear(&chan->retrans_list);
6219 break;
6220 case L2CAP_EV_RECV_REJ:
6221 l2cap_handle_rej(chan, control);
6222 break;
6223 case L2CAP_EV_RECV_SREJ:
6224 l2cap_handle_srej(chan, control);
6225 break;
6226 default:
6227 break;
6228 }
6229
6230 if (skb && !skb_in_use) {
6231 BT_DBG("Freeing %p", skb);
6232 kfree_skb(skb);
6233 }
6234
6235 return err;
6236}
6237
6238static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6239 struct l2cap_ctrl *control,
6240 struct sk_buff *skb, u8 event)
6241{
6242 int err = 0;
6243 u16 txseq = control->txseq;
941247f9 6244 bool skb_in_use = false;
d2a7ac5d
MM		 6245
6246 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6247 event);
6248
6249 switch (event) {
6250 case L2CAP_EV_RECV_IFRAME:
6251 switch (l2cap_classify_txseq(chan, txseq)) {
6252 case L2CAP_TXSEQ_EXPECTED:
6253 /* Keep frame for reassembly later */
6254 l2cap_pass_to_tx(chan, control);
6255 skb_queue_tail(&chan->srej_q, skb);
941247f9 6256 skb_in_use = true;
d2a7ac5d
MM		 6257 BT_DBG("Queued %p (queue len %d)", skb,
6258 skb_queue_len(&chan->srej_q));
6259
6260 chan->expected_tx_seq = __next_seq(chan, txseq);
6261 break;
6262 case L2CAP_TXSEQ_EXPECTED_SREJ:
6263 l2cap_seq_list_pop(&chan->srej_list);
6264
6265 l2cap_pass_to_tx(chan, control);
6266 skb_queue_tail(&chan->srej_q, skb);
941247f9 6267 skb_in_use = true;
d2a7ac5d
MM		 6268 BT_DBG("Queued %p (queue len %d)", skb,
6269 skb_queue_len(&chan->srej_q));
6270
6271 err = l2cap_rx_queued_iframes(chan);
6272 if (err)
6273 break;
6274
6275 break;
6276 case L2CAP_TXSEQ_UNEXPECTED:
6277 /* Got a frame that can't be reassembled yet.
6278 * Save it for later, and send SREJs to cover
6279 * the missing frames.
6280 */
6281 skb_queue_tail(&chan->srej_q, skb);
941247f9 6282 skb_in_use = true;
d2a7ac5d
MM		 6283 BT_DBG("Queued %p (queue len %d)", skb,
6284 skb_queue_len(&chan->srej_q));
6285
6286 l2cap_pass_to_tx(chan, control);
6287 l2cap_send_srej(chan, control->txseq);
6288 break;
6289 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6290 /* This frame was requested with an SREJ, but
6291 * some expected retransmitted frames are
6292 * missing. Request retransmission of missing
6293 * SREJ'd frames.
6294 */
6295 skb_queue_tail(&chan->srej_q, skb);
941247f9 6296 skb_in_use = true;
d2a7ac5d
MM		 6297 BT_DBG("Queued %p (queue len %d)", skb,
6298 skb_queue_len(&chan->srej_q));
6299
6300 l2cap_pass_to_tx(chan, control);
6301 l2cap_send_srej_list(chan, control->txseq);
6302 break;
6303 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6304 /* We've already queued this frame. Drop this copy. */
6305 l2cap_pass_to_tx(chan, control);
6306 break;
6307 case L2CAP_TXSEQ_DUPLICATE:
6308 /* Expecting a later sequence number, so this frame
6309 * was already received. Ignore it completely.
6310 */
6311 break;
6312 case L2CAP_TXSEQ_INVALID_IGNORE:
6313 break;
6314 case L2CAP_TXSEQ_INVALID:
6315 default:
5e4e3972 6316 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6317 break;
6318 }
6319 break;
6320 case L2CAP_EV_RECV_RR:
6321 l2cap_pass_to_tx(chan, control);
6322 if (control->final) {
6323 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6324
6325 if (!test_and_clear_bit(CONN_REJ_ACT,
6326 &chan->conn_state)) {
6327 control->final = 0;
6328 l2cap_retransmit_all(chan, control);
6329 }
6330
6331 l2cap_ertm_send(chan);
6332 } else if (control->poll) {
6333 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6334 &chan->conn_state) &&
6335 chan->unacked_frames) {
6336 __set_retrans_timer(chan);
6337 }
6338
6339 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6340 l2cap_send_srej_tail(chan);
6341 } else {
6342 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6343 &chan->conn_state) &&
6344 chan->unacked_frames)
6345 __set_retrans_timer(chan);
6346
6347 l2cap_send_ack(chan);
6348 }
6349 break;
6350 case L2CAP_EV_RECV_RNR:
6351 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6352 l2cap_pass_to_tx(chan, control);
6353 if (control->poll) {
6354 l2cap_send_srej_tail(chan);
6355 } else {
6356 struct l2cap_ctrl rr_control;
6357 memset(&rr_control, 0, sizeof(rr_control));
6358 rr_control.sframe = 1;
6359 rr_control.super = L2CAP_SUPER_RR;
6360 rr_control.reqseq = chan->buffer_seq;
6361 l2cap_send_sframe(chan, &rr_control);
6362 }
6363
6364 break;
6365 case L2CAP_EV_RECV_REJ:
6366 l2cap_handle_rej(chan, control);
6367 break;
6368 case L2CAP_EV_RECV_SREJ:
6369 l2cap_handle_srej(chan, control);
6370 break;
6371 }
6372
6373 if (skb && !skb_in_use) {
6374 BT_DBG("Freeing %p", skb);
6375 kfree_skb(skb);
6376 }
6377
6378 return err;
6379}
6380
32b32735
MM		 6381static int l2cap_finish_move(struct l2cap_chan *chan)
6382{
6383 BT_DBG("chan %p", chan);
6384
6385 chan->rx_state = L2CAP_RX_STATE_RECV;
6386
6387 if (chan->hs_hcon)
6388 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6389 else
6390 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6391
6392 return l2cap_resegment(chan);
6393}
6394
6395static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6396 struct l2cap_ctrl *control,
6397 struct sk_buff *skb, u8 event)
6398{
6399 int err;
6400
6401 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6402 event);
6403
6404 if (!control->poll)
6405 return -EPROTO;
6406
6407 l2cap_process_reqseq(chan, control->reqseq);
6408
6409 if (!skb_queue_empty(&chan->tx_q))
6410 chan->tx_send_head = skb_peek(&chan->tx_q);
6411 else
6412 chan->tx_send_head = NULL;
6413
6414 /* Rewind next_tx_seq to the point expected
6415 * by the receiver.
6416 */
6417 chan->next_tx_seq = control->reqseq;
6418 chan->unacked_frames = 0;
6419
6420 err = l2cap_finish_move(chan);
6421 if (err)
6422 return err;
6423
6424 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6425 l2cap_send_i_or_rr_or_rnr(chan);
6426
6427 if (event == L2CAP_EV_RECV_IFRAME)
6428 return -EPROTO;
6429
6430 return l2cap_rx_state_recv(chan, control, NULL, event);
6431}
6432
6433static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6434 struct l2cap_ctrl *control,
6435 struct sk_buff *skb, u8 event)
6436{
6437 int err;
6438
6439 if (!control->final)
6440 return -EPROTO;
6441
6442 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6443
6444 chan->rx_state = L2CAP_RX_STATE_RECV;
6445 l2cap_process_reqseq(chan, control->reqseq);
6446
6447 if (!skb_queue_empty(&chan->tx_q))
6448 chan->tx_send_head = skb_peek(&chan->tx_q);
6449 else
6450 chan->tx_send_head = NULL;
6451
6452 /* Rewind next_tx_seq to the point expected
6453 * by the receiver.
6454 */
6455 chan->next_tx_seq = control->reqseq;
6456 chan->unacked_frames = 0;
6457
6458 if (chan->hs_hcon)
6459 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6460 else
6461 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6462
6463 err = l2cap_resegment(chan);
6464
6465 if (!err)
6466 err = l2cap_rx_state_recv(chan, control, skb, event);
6467
6468 return err;
6469}
6470
d2a7ac5d
MM		 6471static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6472{
6473 /* Make sure reqseq is for a packet that has been sent but not acked */
6474 u16 unacked;
6475
6476 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6477 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6478}
6479
cec8ab6e
MM		 6480static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6481 struct sk_buff *skb, u8 event)
218bb9df 6482{
d2a7ac5d
MM		 6483 int err = 0;
6484
6485 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6486 control, skb, event, chan->rx_state);
6487
6488 if (__valid_reqseq(chan, control->reqseq)) {
6489 switch (chan->rx_state) {
6490 case L2CAP_RX_STATE_RECV:
6491 err = l2cap_rx_state_recv(chan, control, skb, event);
6492 break;
6493 case L2CAP_RX_STATE_SREJ_SENT:
6494 err = l2cap_rx_state_srej_sent(chan, control, skb,
6495 event);
6496 break;
32b32735
MM		 6497 case L2CAP_RX_STATE_WAIT_P:
6498 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6499 break;
6500 case L2CAP_RX_STATE_WAIT_F:
6501 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6502 break;
d2a7ac5d
MM		 6503 default:
6504 /* shut it down */
6505 break;
6506 }
6507 } else {
6508 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6509 control->reqseq, chan->next_tx_seq,
6510 chan->expected_ack_seq);
5e4e3972 6511 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6512 }
6513
6514 return err;
cec8ab6e
MM		 6515}
6516
6517static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6518 struct sk_buff *skb)
6519{
4b51dae9
MM		 6520 int err = 0;
6521
6522 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6523 chan->rx_state);
6524
6525 if (l2cap_classify_txseq(chan, control->txseq) ==
6526 L2CAP_TXSEQ_EXPECTED) {
6527 l2cap_pass_to_tx(chan, control);
6528
6529 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6530 __next_seq(chan, chan->buffer_seq));
6531
6532 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6533
6534 l2cap_reassemble_sdu(chan, skb, control);
6535 } else {
6536 if (chan->sdu) {
6537 kfree_skb(chan->sdu);
6538 chan->sdu = NULL;
6539 }
6540 chan->sdu_last_frag = NULL;
6541 chan->sdu_len = 0;
6542
6543 if (skb) {
6544 BT_DBG("Freeing %p", skb);
6545 kfree_skb(skb);
6546 }
6547 }
6548
6549 chan->last_acked_seq = control->txseq;
6550 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6551
6552 return err;
cec8ab6e
MM		 6553}
6554
6555static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6556{
6557 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6558 u16 len;
6559 u8 event;
218bb9df 6560
b76bbd66
MM		 6561 __unpack_control(chan, skb);
6562
218bb9df
GP		 6563 len = skb->len;
6564
6565 /*
6566 * We can just drop the corrupted I-frame here.
6567 * Receiver will miss it and start proper recovery
cec8ab6e 6568 * procedures and ask for retransmission.
218bb9df 6569 */
47d1ec61 6570 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6571 goto drop;
6572
cec8ab6e 6573 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6574 len -= L2CAP_SDULEN_SIZE;
218bb9df 6575
47d1ec61 6576 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6577 len -= L2CAP_FCS_SIZE;
218bb9df 6578
47d1ec61 6579 if (len > chan->mps) {
5e4e3972 6580 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6581 goto drop;
6582 }
6583
cec8ab6e
MM		 6584 if (!control->sframe) {
6585 int err;
218bb9df 6586
cec8ab6e
MM		 6587 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6588 control->sar, control->reqseq, control->final,
6589 control->txseq);
218bb9df 6590
cec8ab6e
MM		 6591 /* Validate F-bit - F=0 always valid, F=1 only
6592 * valid in TX WAIT_F
6593 */
6594 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6595 goto drop;
cec8ab6e
MM		 6596
6597 if (chan->mode != L2CAP_MODE_STREAMING) {
6598 event = L2CAP_EV_RECV_IFRAME;
6599 err = l2cap_rx(chan, control, skb, event);
6600 } else {
6601 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6602 }
6603
cec8ab6e 6604 if (err)
5e4e3972 6605 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6606 } else {
cec8ab6e
MM		 6607 const u8 rx_func_to_event[4] = {
6608 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6609 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6610 };
6611
6612 /* Only I-frames are expected in streaming mode */
6613 if (chan->mode == L2CAP_MODE_STREAMING)
6614 goto drop;
6615
6616 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6617 control->reqseq, control->final, control->poll,
6618 control->super);
6619
218bb9df 6620 if (len != 0) {
1bb166e6 6621 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6622 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6623 goto drop;
6624 }
6625
cec8ab6e
MM		 6626 /* Validate F and P bits */
6627 if (control->final && (control->poll ||
6628 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6629 goto drop;
6630
6631 event = rx_func_to_event[control->super];
6632 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6633 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6634 }
6635
6636 return 0;
6637
6638drop:
6639 kfree_skb(skb);
6640 return 0;
6641}
6642
b1c325c2
JH		 6643static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6644{
6645 struct l2cap_conn *conn = chan->conn;
6646 struct l2cap_le_credits pkt;
6647 u16 return_credits;
6648
6649 /* We return more credits to the sender only after the amount of
6650 * credits falls below half of the initial amount.
6651 */
f15b8ecf 6652 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6653 return;
6654
f15b8ecf 6655 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6656
6657 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6658
6659 chan->rx_credits += return_credits;
6660
6661 pkt.cid = cpu_to_le16(chan->scid);
6662 pkt.credits = cpu_to_le16(return_credits);
6663
6664 chan->ident = l2cap_get_ident(conn);
6665
6666 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6667}
6668
fad5fc89
JH		 6669static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6670{
aac23bf6
JH		 6671 int err;
6672
6673 if (!chan->rx_credits) {
6674 BT_ERR("No credits to receive LE L2CAP data");
fad5fc89 6675 return -ENOBUFS;
aac23bf6 6676 }
fad5fc89 6677
aac23bf6
JH		 6678 if (chan->imtu < skb->len) {
6679 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6680 return -ENOBUFS;
aac23bf6 6681 }
fad5fc89
JH		 6682
6683 chan->rx_credits--;
6684 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6685
6686 l2cap_chan_le_send_credits(chan);
6687
aac23bf6
JH		 6688 err = 0;
6689
6690 if (!chan->sdu) {
6691 u16 sdu_len;
6692
6693 sdu_len = get_unaligned_le16(skb->data);
6694 skb_pull(skb, L2CAP_SDULEN_SIZE);
6695
6696 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6697 sdu_len, skb->len, chan->imtu);
6698
6699 if (sdu_len > chan->imtu) {
6700 BT_ERR("Too big LE L2CAP SDU length received");
6701 err = -EMSGSIZE;
6702 goto failed;
6703 }
6704
6705 if (skb->len > sdu_len) {
6706 BT_ERR("Too much LE L2CAP data received");
6707 err = -EINVAL;
6708 goto failed;
6709 }
6710
6711 if (skb->len == sdu_len)
6712 return chan->ops->recv(chan, skb);
6713
6714 chan->sdu = skb;
6715 chan->sdu_len = sdu_len;
6716 chan->sdu_last_frag = skb;
6717
6718 return 0;
6719 }
6720
6721 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6722 chan->sdu->len, skb->len, chan->sdu_len);
6723
6724 if (chan->sdu->len + skb->len > chan->sdu_len) {
6725 BT_ERR("Too much LE L2CAP data received");
6726 err = -EINVAL;
6727 goto failed;
6728 }
6729
6730 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6731 skb = NULL;
6732
6733 if (chan->sdu->len == chan->sdu_len) {
6734 err = chan->ops->recv(chan, chan->sdu);
6735 if (!err) {
6736 chan->sdu = NULL;
6737 chan->sdu_last_frag = NULL;
6738 chan->sdu_len = 0;
6739 }
6740 }
6741
6742failed:
6743 if (err) {
6744 kfree_skb(skb);
6745 kfree_skb(chan->sdu);
6746 chan->sdu = NULL;
6747 chan->sdu_last_frag = NULL;
6748 chan->sdu_len = 0;
6749 }
6750
6751 /* We can't return an error here since we took care of the skb
6752 * freeing internally. An error return would cause the caller to
6753 * do a double-free of the skb.
6754 */
6755 return 0;
fad5fc89
JH		 6756}
6757
13ca56e0
AE		 6758static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6759 struct sk_buff *skb)
1da177e4 6760{
48454079 6761 struct l2cap_chan *chan;
1da177e4 6762
baa7e1fa 6763 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6764 if (!chan) {
97e8e89d
AE		 6765 if (cid == L2CAP_CID_A2MP) {
6766 chan = a2mp_channel_create(conn, skb);
6767 if (!chan) {
6768 kfree_skb(skb);
13ca56e0 6769 return;
97e8e89d
AE		 6770 }
6771
6772 l2cap_chan_lock(chan);
6773 } else {
6774 BT_DBG("unknown cid 0x%4.4x", cid);
6775 /* Drop packet and return */
6776 kfree_skb(skb);
13ca56e0 6777 return;
97e8e89d 6778 }
1da177e4
LT		 6779 }
6780
49208c9c 6781 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6782
89bc500e 6783 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6784 goto drop;
6785
0c1bc5c6 6786 switch (chan->mode) {
38319713 6787 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6788 if (l2cap_le_data_rcv(chan, skb) < 0)
6789 goto drop;
6790
6791 goto done;
6792
1c2acffb
GP		 6793 case L2CAP_MODE_BASIC:
6794 /* If socket recv buffers overflows we drop data here
6795 * which is *bad* because L2CAP has to be reliable.
6796 * But we don't have any other choice. L2CAP doesn't
6797 * provide flow control mechanism. */
1da177e4 6798
0c1bc5c6 6799 if (chan->imtu < skb->len)
1c2acffb 6800 goto drop;
1da177e4 6801
80b98027 6802 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6803 goto done;
6804 break;
6805
6806 case L2CAP_MODE_ERTM:
6840ed07 6807 case L2CAP_MODE_STREAMING:
cec8ab6e 6808 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6809 goto done;
6810
1c2acffb 6811 default:
0c1bc5c6 6812 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6813 break;
6814 }
1da177e4
LT		 6815
6816drop:
6817 kfree_skb(skb);
6818
6819done:
6be36555 6820 l2cap_chan_unlock(chan);
1da177e4
LT		 6821}
6822
84104b24
AE		 6823static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6824 struct sk_buff *skb)
1da177e4 6825{
ae4fd2d3 6826 struct hci_conn *hcon = conn->hcon;
23691d75 6827 struct l2cap_chan *chan;
1da177e4 6828
ae4fd2d3
MH		 6829 if (hcon->type != ACL_LINK)
6830 goto drop;
6831
bf20fd4e
JH		 6832 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6833 ACL_LINK);
23691d75 6834 if (!chan)
1da177e4
LT		 6835 goto drop;
6836
5b4cedaa 6837 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6838
89bc500e 6839 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6840 goto drop;
6841
e13e21dc 6842 if (chan->imtu < skb->len)
1da177e4
LT		 6843 goto drop;
6844
2edf870d 6845 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6846 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6847 bt_cb(skb)->psm = psm;
6848
80b98027 6849 if (!chan->ops->recv(chan, skb))
84104b24 6850 return;
1da177e4
LT		 6851
6852drop:
6853 kfree_skb(skb);
1da177e4
LT		 6854}
6855
72f78356 6856static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6857 struct sk_buff *skb)
9f69bda6 6858{
b99707d7 6859 struct hci_conn *hcon = conn->hcon;
23691d75 6860 struct l2cap_chan *chan;
9f69bda6 6861
b99707d7
MH		 6862 if (hcon->type != LE_LINK)
6863 goto drop;
6864
af1c0134 6865 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6866 &hcon->src, &hcon->dst);
23691d75 6867 if (!chan)
9f69bda6
GP		 6868 goto drop;
6869
5b4cedaa 6870 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6871
cc8dba2b
MH		 6872 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6873 goto drop;
6874
e13e21dc 6875 if (chan->imtu < skb->len)
9f69bda6
GP		 6876 goto drop;
6877
80b98027 6878 if (!chan->ops->recv(chan, skb))
6810fca7 6879 return;
9f69bda6
GP		 6880
6881drop:
6882 kfree_skb(skb);
9f69bda6
GP		 6883}
6884
1da177e4
LT		 6885static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6886{
6887 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6888 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6889 u16 cid, len;
6890 __le16 psm;
1da177e4 6891
61a939c6
JH		 6892 if (hcon->state != BT_CONNECTED) {
6893 BT_DBG("queueing pending rx skb");
6894 skb_queue_tail(&conn->pending_rx, skb);
6895 return;
6896 }
6897
1da177e4
LT		 6898 skb_pull(skb, L2CAP_HDR_SIZE);
6899 cid = __le16_to_cpu(lh->cid);
6900 len = __le16_to_cpu(lh->len);
6901
1c2acffb
GP		 6902 if (len != skb->len) {
6903 kfree_skb(skb);
6904 return;
6905 }
6906
1da177e4
LT		 6907 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6908
6909 switch (cid) {
8db4dc46 6910 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6911 l2cap_sig_channel(conn, skb);
6912 break;
6913
8db4dc46 6914 case L2CAP_CID_CONN_LESS:
097db76c 6915 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6916 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6917 l2cap_conless_channel(conn, psm, skb);
6918 break;
6919
073d1cf3 6920 case L2CAP_CID_ATT:
72f78356 6921 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6922 break;
6923
a2877629
MH		 6924 case L2CAP_CID_LE_SIGNALING:
6925 l2cap_le_sig_channel(conn, skb);
6926 break;
6927
b501d6a1
AB		 6928 case L2CAP_CID_SMP:
6929 if (smp_sig_channel(conn, skb))
6930 l2cap_conn_del(conn->hcon, EACCES);
6931 break;
6932
18722c24
JR		 6933 case L2CAP_FC_6LOWPAN:
6934 bt_6lowpan_recv(conn, skb);
6935 break;
6936
1da177e4
LT		 6937 default:
6938 l2cap_data_channel(conn, cid, skb);
6939 break;
6940 }
6941}
6942
61a939c6
JH		 6943static void process_pending_rx(struct work_struct *work)
6944{
6945 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6946 pending_rx_work);
6947 struct sk_buff *skb;
6948
6949 BT_DBG("");
6950
6951 while ((skb = skb_dequeue(&conn->pending_rx)))
6952 l2cap_recv_frame(conn, skb);
6953}
6954
162b49e7
JH		 6955static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6956{
6957 struct l2cap_conn *conn = hcon->l2cap_data;
6958 struct hci_chan *hchan;
6959
6960 if (conn)
6961 return conn;
6962
6963 hchan = hci_chan_create(hcon);
6964 if (!hchan)
6965 return NULL;
6966
6967 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6968 if (!conn) {
6969 hci_chan_del(hchan);
6970 return NULL;
6971 }
6972
6973 kref_init(&conn->ref);
6974 hcon->l2cap_data = conn;
6975 conn->hcon = hcon;
6976 hci_conn_get(conn->hcon);
6977 conn->hchan = hchan;
6978
6979 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6980
6981 switch (hcon->type) {
6982 case LE_LINK:
6983 if (hcon->hdev->le_mtu) {
6984 conn->mtu = hcon->hdev->le_mtu;
6985 break;
6986 }
6987 /* fall through */
6988 default:
6989 conn->mtu = hcon->hdev->acl_mtu;
6990 break;
6991 }
6992
6993 conn->feat_mask = 0;
6994
6995 if (hcon->type == ACL_LINK)
6996 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6997 &hcon->hdev->dev_flags);
6998
6999 spin_lock_init(&conn->lock);
7000 mutex_init(&conn->chan_lock);
7001
7002 INIT_LIST_HEAD(&conn->chan_l);
7003 INIT_LIST_HEAD(&conn->users);
7004
7005 if (hcon->type == LE_LINK)
7006 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
7007 else
7008 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7009
61a939c6
JH		 7010 skb_queue_head_init(&conn->pending_rx);
7011 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7012
162b49e7
JH		 7013 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7014
7015 return conn;
7016}
7017
7018static bool is_valid_psm(u16 psm, u8 dst_type) {
7019 if (!psm)
7020 return false;
7021
7022 if (bdaddr_type_is_le(dst_type))
7023 return (psm <= 0x00ff);
7024
7025 /* PSM must be odd and lsb of upper byte must be 0 */
7026 return ((psm & 0x0101) == 0x0001);
7027}
7028
7029int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7030 bdaddr_t *dst, u8 dst_type)
7031{
7032 struct l2cap_conn *conn;
7033 struct hci_conn *hcon;
7034 struct hci_dev *hdev;
7035 __u8 auth_type;
7036 int err;
7037
7038 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7039 dst_type, __le16_to_cpu(psm));
7040
7041 hdev = hci_get_route(dst, &chan->src);
7042 if (!hdev)
7043 return -EHOSTUNREACH;
7044
7045 hci_dev_lock(hdev);
7046
7047 l2cap_chan_lock(chan);
7048
7049 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7050 chan->chan_type != L2CAP_CHAN_RAW) {
7051 err = -EINVAL;
7052 goto done;
7053 }
7054
7055 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
7056 err = -EINVAL;
7057 goto done;
7058 }
7059
7060 switch (chan->mode) {
7061 case L2CAP_MODE_BASIC:
7062 break;
7063 case L2CAP_MODE_LE_FLOWCTL:
7064 l2cap_le_flowctl_init(chan);
7065 break;
7066 case L2CAP_MODE_ERTM:
7067 case L2CAP_MODE_STREAMING:
7068 if (!disable_ertm)
7069 break;
7070 /* fall through */
7071 default:
7072 err = -ENOTSUPP;
7073 goto done;
7074 }
7075
7076 switch (chan->state) {
7077 case BT_CONNECT:
7078 case BT_CONNECT2:
7079 case BT_CONFIG:
7080 /* Already connecting */
7081 err = 0;
7082 goto done;
7083
7084 case BT_CONNECTED:
7085 /* Already connected */
7086 err = -EISCONN;
7087 goto done;
7088
7089 case BT_OPEN:
7090 case BT_BOUND:
7091 /* Can connect */
7092 break;
7093
7094 default:
7095 err = -EBADFD;
7096 goto done;
7097 }
7098
7099 /* Set destination address and psm */
7100 bacpy(&chan->dst, dst);
7101 chan->dst_type = dst_type;
7102
7103 chan->psm = psm;
7104 chan->dcid = cid;
7105
7106 auth_type = l2cap_get_auth_type(chan);
7107
7108 if (bdaddr_type_is_le(dst_type))
7109 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
7110 chan->sec_level, auth_type);
7111 else
7112 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
7113 chan->sec_level, auth_type);
7114
7115 if (IS_ERR(hcon)) {
7116 err = PTR_ERR(hcon);
7117 goto done;
7118 }
7119
7120 conn = l2cap_conn_add(hcon);
7121 if (!conn) {
7122 hci_conn_drop(hcon);
7123 err = -ENOMEM;
7124 goto done;
7125 }
7126
7127 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7128 hci_conn_drop(hcon);
7129 err = -EBUSY;
7130 goto done;
7131 }
7132
7133 /* Update source addr of the socket */
7134 bacpy(&chan->src, &hcon->src);
7135 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7136
7137 l2cap_chan_unlock(chan);
7138 l2cap_chan_add(conn, chan);
7139 l2cap_chan_lock(chan);
7140
7141 /* l2cap_chan_add takes its own ref so we can drop this one */
7142 hci_conn_drop(hcon);
7143
7144 l2cap_state_change(chan, BT_CONNECT);
7145 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7146
7147 if (hcon->state == BT_CONNECTED) {
7148 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7149 __clear_chan_timer(chan);
7150 if (l2cap_chan_check_security(chan))
7151 l2cap_state_change(chan, BT_CONNECTED);
7152 } else
7153 l2cap_do_start(chan);
7154 }
7155
7156 err = 0;
7157
7158done:
7159 l2cap_chan_unlock(chan);
7160 hci_dev_unlock(hdev);
7161 hci_dev_put(hdev);
7162 return err;
7163}
7164
1da177e4
LT		 7165/* ---- L2CAP interface with lower layer (HCI) ---- */
7166
686ebf28 7167int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7168{
7169 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7170 struct l2cap_chan *c;
1da177e4 7171
6ed93dc6 7172 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7173
7174 /* Find listening sockets and check their link_mode */
23691d75
GP		 7175 read_lock(&chan_list_lock);
7176 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7177 if (c->state != BT_LISTEN)
1da177e4
LT		 7178 continue;
7179
7eafc59e 7180 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7181 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7182 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7183 lm1 |= HCI_LM_MASTER;
1da177e4 7184 exact++;
7eafc59e 7185 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7186 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7187 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7188 lm2 |= HCI_LM_MASTER;
7189 }
1da177e4 7190 }
23691d75 7191 read_unlock(&chan_list_lock);
1da177e4
LT		 7192
7193 return exact ? lm1 : lm2;
7194}
7195
9e664631 7196void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7197{
0139418c
MH		 7198 struct l2cap_conn *conn;
7199
6ed93dc6 7200 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7201
1da177e4 7202 if (!status) {
baf43251 7203 conn = l2cap_conn_add(hcon);
1da177e4
LT		 7204 if (conn)
7205 l2cap_conn_ready(conn);
ba6fc317 7206 } else {
e175072f 7207 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 7208 }
1da177e4
LT		 7209}
7210
686ebf28 7211int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7212{
7213 struct l2cap_conn *conn = hcon->l2cap_data;
7214
7215 BT_DBG("hcon %p", hcon);
7216
686ebf28 7217 if (!conn)
9f5a0d7b 7218 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7219 return conn->disc_reason;
7220}
7221
9e664631 7222void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7223{
7224 BT_DBG("hcon %p reason %d", hcon, reason);
7225
18722c24
JR		 7226 bt_6lowpan_del_conn(hcon->l2cap_data);
7227
e175072f 7228 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7229}
7230
4343478f 7231static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7232{
715ec005 7233 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7234 return;
7235
f62e4323 7236 if (encrypt == 0x00) {
4343478f 7237 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7238 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7239 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7240 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7241 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7242 } else {
4343478f 7243 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7244 __clear_chan_timer(chan);
f62e4323
MH		 7245 }
7246}
7247
686ebf28 7248int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7249{
0139418c 7250 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7251 struct l2cap_chan *chan;
1da177e4 7252
0139418c 7253 if (!conn)
1da177e4 7254 return 0;
0139418c 7255
89d8b407 7256 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7257
160dc6ac 7258 if (hcon->type == LE_LINK) {
35d4adcc
HG		 7259 if (!status && encrypt)
7260 smp_distribute_keys(conn, 0);
17cd3f37 7261 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7262 }
7263
3df91ea2 7264 mutex_lock(&conn->chan_lock);
1da177e4 7265
3df91ea2 7266 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7267 l2cap_chan_lock(chan);
1da177e4 7268
89d8b407
AE		 7269 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7270 state_to_string(chan->state));
f1cb9af5 7271
78eb2f98
AE		 7272 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
7273 l2cap_chan_unlock(chan);
7274 continue;
7275 }
7276
073d1cf3 7277 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 7278 if (!status && encrypt) {
7279 chan->sec_level = hcon->sec_level;
cf4cd009 7280 l2cap_chan_ready(chan);
f1cb9af5
VCG		 7281 }
7282
6be36555 7283 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 7284 continue;
7285 }
7286
96eff46e 7287 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7288 l2cap_chan_unlock(chan);
6a8d3010
MH		 7289 continue;
7290 }
7291
89bc500e 7292 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7293 chan->state == BT_CONFIG)) {
d97c899b 7294 chan->ops->resume(chan);
4343478f 7295 l2cap_check_encryption(chan, encrypt);
6be36555 7296 l2cap_chan_unlock(chan);
9719f8af
MH		 7297 continue;
7298 }
7299
89bc500e 7300 if (chan->state == BT_CONNECT) {
6d3c15da 7301 if (!status)
93c3e8f5 7302 l2cap_start_connection(chan);
6d3c15da 7303 else
ba13ccd9 7304 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7305 } else if (chan->state == BT_CONNECT2) {
b1235d79 7306 struct l2cap_conn_rsp rsp;
df3c3931 7307 __u16 res, stat;
1da177e4 7308
b1235d79 7309 if (!status) {
bdc25783 7310 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7311 res = L2CAP_CR_PEND;
7312 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7313 chan->ops->defer(chan);
df3c3931 7314 } else {
acdcabf5 7315 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7316 res = L2CAP_CR_SUCCESS;
7317 stat = L2CAP_CS_NO_INFO;
7318 }
b1235d79 7319 } else {
acdcabf5 7320 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7321 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7322 res = L2CAP_CR_SEC_BLOCK;
7323 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7324 }
7325
fe4128e0
GP		 7326 rsp.scid = cpu_to_le16(chan->dcid);
7327 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7328 rsp.result = cpu_to_le16(res);
7329 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7330 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7331 sizeof(rsp), &rsp);
2d369359
MM		 7332
7333 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7334 res == L2CAP_CR_SUCCESS) {
7335 char buf[128];
7336 set_bit(CONF_REQ_SENT, &chan->conf_state);
7337 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7338 L2CAP_CONF_REQ,
7339 l2cap_build_conf_req(chan, buf),
7340 buf);
7341 chan->num_conf_req++;
7342 }
b1235d79 7343 }
1da177e4 7344
6be36555 7345 l2cap_chan_unlock(chan);
1da177e4
LT		 7346 }
7347
3df91ea2 7348 mutex_unlock(&conn->chan_lock);
b1235d79 7349
1da177e4
LT		 7350 return 0;
7351}
7352
686ebf28 7353int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7354{
7355 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7356 struct l2cap_hdr *hdr;
7357 int len;
1da177e4 7358
1d13a254
AE		 7359 /* For AMP controller do not create l2cap conn */
7360 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7361 goto drop;
1da177e4 7362
5a08ecce 7363 if (!conn)
baf43251 7364 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7365
7366 if (!conn)
1da177e4
LT		 7367 goto drop;
7368
7369 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7370
d73a0988
AE		 7371 switch (flags) {
7372 case ACL_START:
7373 case ACL_START_NO_FLUSH:
7374 case ACL_COMPLETE:
1da177e4
LT		 7375 if (conn->rx_len) {
7376 BT_ERR("Unexpected start frame (len %d)", skb->len);
7377 kfree_skb(conn->rx_skb);
7378 conn->rx_skb = NULL;
7379 conn->rx_len = 0;
7380 l2cap_conn_unreliable(conn, ECOMM);
7381 }
7382
aae7fe22
AE		 7383 /* Start fragment always begin with Basic L2CAP header */
7384 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7385 BT_ERR("Frame is too short (len %d)", skb->len);
7386 l2cap_conn_unreliable(conn, ECOMM);
7387 goto drop;
7388 }
7389
7390 hdr = (struct l2cap_hdr *) skb->data;
7391 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7392
7393 if (len == skb->len) {
7394 /* Complete frame received */
7395 l2cap_recv_frame(conn, skb);
7396 return 0;
7397 }
7398
7399 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7400
7401 if (skb->len > len) {
7402 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7403 skb->len, len);
1da177e4
LT		 7404 l2cap_conn_unreliable(conn, ECOMM);
7405 goto drop;
7406 }
7407
7408 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7409 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7410 if (!conn->rx_skb)
1da177e4
LT		 7411 goto drop;
7412
d626f62b 7413 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7414 skb->len);
1da177e4 7415 conn->rx_len = len - skb->len;
d73a0988
AE		 7416 break;
7417
7418 case ACL_CONT:
1da177e4
LT		 7419 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7420
7421 if (!conn->rx_len) {
7422 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7423 l2cap_conn_unreliable(conn, ECOMM);
7424 goto drop;
7425 }
7426
7427 if (skb->len > conn->rx_len) {
7428 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7429 skb->len, conn->rx_len);
1da177e4
LT		 7430 kfree_skb(conn->rx_skb);
7431 conn->rx_skb = NULL;
7432 conn->rx_len = 0;
7433 l2cap_conn_unreliable(conn, ECOMM);
7434 goto drop;
7435 }
7436
d626f62b 7437 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7438 skb->len);
1da177e4
LT		 7439 conn->rx_len -= skb->len;
7440
7441 if (!conn->rx_len) {
c4e5bafa
JH		 7442 /* Complete frame received. l2cap_recv_frame
7443 * takes ownership of the skb so set the global
7444 * rx_skb pointer to NULL first.
7445 */
7446 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7447 conn->rx_skb = NULL;
c4e5bafa 7448 l2cap_recv_frame(conn, rx_skb);
1da177e4 7449 }
d73a0988 7450 break;
1da177e4
LT		 7451 }
7452
7453drop:
7454 kfree_skb(skb);
7455 return 0;
7456}
7457
aef7d97c 7458static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7459{
23691d75 7460 struct l2cap_chan *c;
1da177e4 7461
333055f2 7462 read_lock(&chan_list_lock);
1da177e4 7463
23691d75 7464 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7465 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7466 &c->src, &c->dst,
fcb73338
AE		 7467 c->state, __le16_to_cpu(c->psm),
7468 c->scid, c->dcid, c->imtu, c->omtu,
7469 c->sec_level, c->mode);
61e1b4b7 7470 }
1da177e4 7471
333055f2 7472 read_unlock(&chan_list_lock);
1da177e4 7473
aef7d97c 7474 return 0;
1da177e4
LT		 7475}
7476
aef7d97c
MH		 7477static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7478{
7479 return single_open(file, l2cap_debugfs_show, inode->i_private);
7480}
7481
7482static const struct file_operations l2cap_debugfs_fops = {
7483 .open = l2cap_debugfs_open,
7484 .read = seq_read,
7485 .llseek = seq_lseek,
7486 .release = single_release,
7487};
7488
7489static struct dentry *l2cap_debugfs;
1da177e4 7490
64274518 7491int __init l2cap_init(void)
1da177e4
LT		 7492{
7493 int err;
be9d1227 7494
bb58f747 7495 err = l2cap_init_sockets();
1da177e4
LT		 7496 if (err < 0)
7497 return err;
7498
1120e4bf
MH		 7499 if (IS_ERR_OR_NULL(bt_debugfs))
7500 return 0;
7501
7502 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7503 NULL, &l2cap_debugfs_fops);
1da177e4 7504
f15b8ecf
JH		 7505 debugfs_create_u16("l2cap_le_max_credits", 0466, bt_debugfs,
7506 &le_max_credits);
7507 debugfs_create_u16("l2cap_le_default_mps", 0466, bt_debugfs,
7508 &le_default_mps);
7509
18722c24
JR		 7510 bt_6lowpan_init();
7511
1da177e4 7512 return 0;
1da177e4
LT		 7513}
7514
64274518 7515void l2cap_exit(void)
1da177e4 7516{
18722c24 7517 bt_6lowpan_cleanup();
aef7d97c 7518 debugfs_remove(l2cap_debugfs);
bb58f747 7519 l2cap_cleanup_sockets();
1da177e4
LT		 7520}
7521
d1c4a17d
GP		 7522module_param(disable_ertm, bool, 0644);
7523MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.909416 seconds and 5 git commands to generate.