projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Move hci_amp_capable() function into L2CAP core
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
509 else
510 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 511 } else {
512 /* Alloc CID for connection-oriented socket */
fe4128e0 513 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 514 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 515 }
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
416fa752
AE		 525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
530 break;
531
5491120e 532 default:
0139418c 533 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 536 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 537 }
538
8f7975b1
AE		 539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 545
371fd835 546 l2cap_chan_hold(chan);
baa7e1fa 547
5ee9891d
JH		 548 hci_conn_hold(conn->hcon);
549
3df91ea2 550 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 551}
552
466f8004 553void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 554{
555 mutex_lock(&conn->chan_lock);
556 __l2cap_chan_add(conn, chan);
3df91ea2 557 mutex_unlock(&conn->chan_lock);
0139418c
MH		 558}
559
466f8004 560void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 561{
8c1d787b 562 struct l2cap_conn *conn = chan->conn;
0139418c 563
c9b66675 564 __clear_chan_timer(chan);
0139418c 565
49208c9c 566 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 567
8e87d142 568 if (conn) {
56f60984 569 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 570 /* Delete from channel list */
3df91ea2 571 list_del(&chan->list);
3d57dc68 572
371fd835 573 l2cap_chan_put(chan);
baa7e1fa 574
8c1d787b 575 chan->conn = NULL;
3cabbfda
AE		 576
577 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 578 hci_conn_drop(conn->hcon);
56f60984
AE		 579
580 if (mgr && mgr->bredr_chan == chan)
581 mgr->bredr_chan = NULL;
0139418c
MH		 582 }
583
419e08c1
AE		 584 if (chan->hs_hchan) {
585 struct hci_chan *hs_hchan = chan->hs_hchan;
586
587 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
588 amp_disconnect_logical_link(hs_hchan);
589 }
590
b699ec0d 591 chan->ops->teardown(chan, err);
6be36555 592
2827011f 593 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 594 return;
2ead70b8 595
ee556f66
GP		 596 switch(chan->mode) {
597 case L2CAP_MODE_BASIC:
598 break;
c13ffa62 599
ee556f66 600 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 601 __clear_retrans_timer(chan);
602 __clear_monitor_timer(chan);
603 __clear_ack_timer(chan);
c13ffa62 604
f1c6775b 605 skb_queue_purge(&chan->srej_q);
c13ffa62 606
3c588192
MM		 607 l2cap_seq_list_free(&chan->srej_list);
608 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 609
610 /* fall through */
611
612 case L2CAP_MODE_STREAMING:
613 skb_queue_purge(&chan->tx_q);
614 break;
c13ffa62 615 }
ee556f66
GP		 616
617 return;
0139418c
MH		 618}
619
0f852724 620void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 621{
622 struct l2cap_conn *conn = chan->conn;
623 struct sock *sk = chan->sk;
624
2d792818
GP		 625 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
626 sk);
4519de9a 627
89bc500e 628 switch (chan->state) {
4519de9a 629 case BT_LISTEN:
b699ec0d 630 chan->ops->teardown(chan, 0);
4519de9a
GP		 631 break;
632
633 case BT_CONNECTED:
634 case BT_CONFIG:
715ec005 635 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 636 conn->hcon->type == ACL_LINK) {
c9b66675 637 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 638 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 639 } else
640 l2cap_chan_del(chan, reason);
641 break;
642
643 case BT_CONNECT2:
715ec005 644 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 645 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 646 struct l2cap_conn_rsp rsp;
647 __u16 result;
648
c5daa683 649 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 650 result = L2CAP_CR_SEC_BLOCK;
651 else
652 result = L2CAP_CR_BAD_PSM;
89bc500e 653 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 654
655 rsp.scid = cpu_to_le16(chan->dcid);
656 rsp.dcid = cpu_to_le16(chan->scid);
657 rsp.result = cpu_to_le16(result);
ac73498c 658 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 659 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 660 sizeof(rsp), &rsp);
4519de9a
GP		 661 }
662
663 l2cap_chan_del(chan, reason);
664 break;
665
666 case BT_CONNECT:
667 case BT_DISCONN:
668 l2cap_chan_del(chan, reason);
669 break;
670
671 default:
b699ec0d 672 chan->ops->teardown(chan, 0);
4519de9a
GP		 673 break;
674 }
675}
676
4343478f 677static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 678{
715ec005 679 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 680 switch (chan->sec_level) {
8556edd3
JH		 681 case BT_SECURITY_HIGH:
682 return HCI_AT_DEDICATED_BONDING_MITM;
683 case BT_SECURITY_MEDIUM:
684 return HCI_AT_DEDICATED_BONDING;
685 default:
686 return HCI_AT_NO_BONDING;
687 }
2983fd68 688 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 689 if (chan->sec_level == BT_SECURITY_LOW)
690 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 691
4343478f 692 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 693 return HCI_AT_NO_BONDING_MITM;
00ae4af9 694 else
8556edd3 695 return HCI_AT_NO_BONDING;
00ae4af9 696 } else {
4343478f 697 switch (chan->sec_level) {
00ae4af9 698 case BT_SECURITY_HIGH:
8556edd3 699 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 700 case BT_SECURITY_MEDIUM:
8556edd3 701 return HCI_AT_GENERAL_BONDING;
00ae4af9 702 default:
8556edd3 703 return HCI_AT_NO_BONDING;
00ae4af9 704 }
0684e5f9 705 }
8556edd3
JH		 706}
707
708/* Service level security */
d45fc423 709int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 710{
8c1d787b 711 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 712 __u8 auth_type;
713
4343478f 714 auth_type = l2cap_get_auth_type(chan);
79d554a6 715
4343478f 716 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 717}
718
b5ad8b7f 719static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 720{
721 u8 id;
722
723 /* Get next available identificator.
724 * 1 - 128 are used by kernel.
725 * 129 - 199 are reserved.
726 * 200 - 254 are used by utilities like l2ping, etc.
727 */
728
333055f2 729 spin_lock(&conn->lock);
4e8402a3
MH		 730
731 if (++conn->tx_ident > 128)
732 conn->tx_ident = 1;
733
734 id = conn->tx_ident;
735
333055f2 736 spin_unlock(&conn->lock);
4e8402a3
MH		 737
738 return id;
739}
740
2d792818
GP		 741static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
742 void *data)
4e8402a3
MH		 743{
744 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 745 u8 flags;
4e8402a3
MH		 746
747 BT_DBG("code 0x%2.2x", code);
748
749 if (!skb)
9a9c6a34 750 return;
4e8402a3 751
e702112f
AE		 752 if (lmp_no_flush_capable(conn->hcon->hdev))
753 flags = ACL_START_NO_FLUSH;
754 else
755 flags = ACL_START;
756
14b12d0b 757 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 758 skb->priority = HCI_PRIO_MAX;
14b12d0b 759
73d80deb
LAD		 760 hci_send_acl(conn->hchan, skb, flags);
761}
762
02b0fbb9
MM		 763static bool __chan_is_moving(struct l2cap_chan *chan)
764{
765 return chan->move_state != L2CAP_MOVE_STABLE &&
766 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
767}
768
73d80deb
LAD		 769static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
770{
771 struct hci_conn *hcon = chan->conn->hcon;
772 u16 flags;
773
774 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 775 skb->priority);
73d80deb 776
d5f8a75d
MM		 777 if (chan->hs_hcon && !__chan_is_moving(chan)) {
778 if (chan->hs_hchan)
779 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
780 else
781 kfree_skb(skb);
782
783 return;
784 }
785
73d80deb 786 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 787 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 788 flags = ACL_START_NO_FLUSH;
789 else
790 flags = ACL_START;
14b12d0b 791
73d80deb
LAD		 792 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
793 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 794}
795
b76bbd66
MM		 796static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
797{
798 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
799 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
800
801 if (enh & L2CAP_CTRL_FRAME_TYPE) {
802 /* S-Frame */
803 control->sframe = 1;
804 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
805 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
806
807 control->sar = 0;
808 control->txseq = 0;
809 } else {
810 /* I-Frame */
811 control->sframe = 0;
812 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
813 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
814
815 control->poll = 0;
816 control->super = 0;
817 }
818}
819
b76bbd66
MM		 820static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
821{
822 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
823 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
824
825 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
826 /* S-Frame */
827 control->sframe = 1;
828 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
829 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
830
831 control->sar = 0;
832 control->txseq = 0;
833 } else {
834 /* I-Frame */
835 control->sframe = 0;
836 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
837 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
838
839 control->poll = 0;
840 control->super = 0;
841 }
842}
843
844static inline void __unpack_control(struct l2cap_chan *chan,
845 struct sk_buff *skb)
846{
847 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
848 __unpack_extended_control(get_unaligned_le32(skb->data),
849 &bt_cb(skb)->control);
cec8ab6e 850 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 851 } else {
852 __unpack_enhanced_control(get_unaligned_le16(skb->data),
853 &bt_cb(skb)->control);
cec8ab6e 854 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 855 }
856}
857
b5c6aaed
MM		 858static u32 __pack_extended_control(struct l2cap_ctrl *control)
859{
860 u32 packed;
861
862 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
863 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
864
865 if (control->sframe) {
866 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
867 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
868 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
869 } else {
870 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
871 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
872 }
873
874 return packed;
875}
876
877static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
878{
879 u16 packed;
880
881 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
882 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
883
884 if (control->sframe) {
885 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
886 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
887 packed |= L2CAP_CTRL_FRAME_TYPE;
888 } else {
889 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
890 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
891 }
892
893 return packed;
894}
895
b76bbd66
MM		 896static inline void __pack_control(struct l2cap_chan *chan,
897 struct l2cap_ctrl *control,
898 struct sk_buff *skb)
899{
900 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
901 put_unaligned_le32(__pack_extended_control(control),
902 skb->data + L2CAP_HDR_SIZE);
903 } else {
904 put_unaligned_le16(__pack_enhanced_control(control),
905 skb->data + L2CAP_HDR_SIZE);
906 }
907}
908
ba7aa64f
GP		 909static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
910{
911 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
912 return L2CAP_EXT_HDR_SIZE;
913 else
914 return L2CAP_ENH_HDR_SIZE;
915}
916
a67d7f6f
MM		 917static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
918 u32 control)
b5c6aaed
MM		 919{
920 struct sk_buff *skb;
921 struct l2cap_hdr *lh;
ba7aa64f 922 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 923
924 if (chan->fcs == L2CAP_FCS_CRC16)
925 hlen += L2CAP_FCS_SIZE;
926
a67d7f6f 927 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 928
b5c6aaed 929 if (!skb)
a67d7f6f 930 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 931
932 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
933 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
934 lh->cid = cpu_to_le16(chan->dcid);
935
a67d7f6f
MM		 936 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
937 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
938 else
939 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 940
941 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 942 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 943 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
944 }
945
946 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 947 return skb;
948}
949
950static void l2cap_send_sframe(struct l2cap_chan *chan,
951 struct l2cap_ctrl *control)
952{
953 struct sk_buff *skb;
954 u32 control_field;
955
956 BT_DBG("chan %p, control %p", chan, control);
957
958 if (!control->sframe)
959 return;
960
b99e13ad
MM		 961 if (__chan_is_moving(chan))
962 return;
963
a67d7f6f
MM		 964 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
965 !control->poll)
966 control->final = 1;
967
968 if (control->super == L2CAP_SUPER_RR)
969 clear_bit(CONN_RNR_SENT, &chan->conn_state);
970 else if (control->super == L2CAP_SUPER_RNR)
971 set_bit(CONN_RNR_SENT, &chan->conn_state);
972
973 if (control->super != L2CAP_SUPER_SREJ) {
974 chan->last_acked_seq = control->reqseq;
975 __clear_ack_timer(chan);
976 }
977
978 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
979 control->final, control->poll, control->super);
980
981 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
982 control_field = __pack_extended_control(control);
983 else
984 control_field = __pack_enhanced_control(control);
985
986 skb = l2cap_create_sframe_pdu(chan, control_field);
987 if (!IS_ERR(skb))
988 l2cap_do_send(chan, skb);
b5c6aaed
MM		 989}
990
c9e3d5e0 991static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 992{
c9e3d5e0
MM		 993 struct l2cap_ctrl control;
994
995 BT_DBG("chan %p, poll %d", chan, poll);
996
997 memset(&control, 0, sizeof(control));
998 control.sframe = 1;
999 control.poll = poll;
1000
1001 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1002 control.super = L2CAP_SUPER_RNR;
1003 else
1004 control.super = L2CAP_SUPER_RR;
b5c6aaed 1005
c9e3d5e0
MM		 1006 control.reqseq = chan->buffer_seq;
1007 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1008}
1009
b4450035 1010static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1011{
c1360a1c 1012 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1013}
1014
80d58d0b
MH		 1015/* returns true if at least one AMP active */
1016static inline bool hci_amp_capable(void)
1017{
1018 struct hci_dev *hdev;
1019 bool ret = false;
1020
1021 read_lock(&hci_dev_list_lock);
1022 list_for_each_entry(hdev, &hci_dev_list, list)
1023 if (hdev->amp_type != AMP_TYPE_BREDR &&
1024 test_bit(HCI_UP, &hdev->flags))
1025 ret = true;
1026 read_unlock(&hci_dev_list_lock);
1027
1028 return ret;
1029}
1030
93c3e8f5
AE		 1031static bool __amp_capable(struct l2cap_chan *chan)
1032{
1033 struct l2cap_conn *conn = chan->conn;
1034
848566b3 1035 if (conn->hs_enabled && hci_amp_capable() &&
93c3e8f5
AE		 1036 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1037 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1038 return true;
848566b3
MH		 1039
1040 return false;
93c3e8f5
AE		 1041}
1042
5ce66b59
AE		 1043static bool l2cap_check_efs(struct l2cap_chan *chan)
1044{
1045 /* Check EFS parameters */
1046 return true;
1047}
1048
2766be48 1049void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1050{
1051 struct l2cap_conn *conn = chan->conn;
1052 struct l2cap_conn_req req;
1053
1054 req.scid = cpu_to_le16(chan->scid);
1055 req.psm = chan->psm;
1056
1057 chan->ident = l2cap_get_ident(conn);
1058
1059 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1060
1061 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1062}
1063
8eb200bd
MM		 1064static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1065{
1066 struct l2cap_create_chan_req req;
1067 req.scid = cpu_to_le16(chan->scid);
1068 req.psm = chan->psm;
1069 req.amp_id = amp_id;
1070
1071 chan->ident = l2cap_get_ident(chan->conn);
1072
1073 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1074 sizeof(req), &req);
1075}
1076
02b0fbb9
MM		 1077static void l2cap_move_setup(struct l2cap_chan *chan)
1078{
1079 struct sk_buff *skb;
1080
1081 BT_DBG("chan %p", chan);
1082
1083 if (chan->mode != L2CAP_MODE_ERTM)
1084 return;
1085
1086 __clear_retrans_timer(chan);
1087 __clear_monitor_timer(chan);
1088 __clear_ack_timer(chan);
1089
1090 chan->retry_count = 0;
1091 skb_queue_walk(&chan->tx_q, skb) {
1092 if (bt_cb(skb)->control.retries)
1093 bt_cb(skb)->control.retries = 1;
1094 else
1095 break;
1096 }
1097
1098 chan->expected_tx_seq = chan->buffer_seq;
1099
1100 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1101 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1102 l2cap_seq_list_clear(&chan->retrans_list);
1103 l2cap_seq_list_clear(&chan->srej_list);
1104 skb_queue_purge(&chan->srej_q);
1105
1106 chan->tx_state = L2CAP_TX_STATE_XMIT;
1107 chan->rx_state = L2CAP_RX_STATE_MOVE;
1108
1109 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1110}
1111
5f3847a4
MM		 1112static void l2cap_move_done(struct l2cap_chan *chan)
1113{
1114 u8 move_role = chan->move_role;
1115 BT_DBG("chan %p", chan);
1116
1117 chan->move_state = L2CAP_MOVE_STABLE;
1118 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1119
1120 if (chan->mode != L2CAP_MODE_ERTM)
1121 return;
1122
1123 switch (move_role) {
1124 case L2CAP_MOVE_ROLE_INITIATOR:
1125 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1126 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1127 break;
1128 case L2CAP_MOVE_ROLE_RESPONDER:
1129 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1130 break;
1131 }
1132}
1133
9f0caeb1
VCG		 1134static void l2cap_chan_ready(struct l2cap_chan *chan)
1135{
2827011f 1136 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1137 chan->conf_state = 0;
1138 __clear_chan_timer(chan);
1139
54a59aa2 1140 chan->state = BT_CONNECTED;
9f0caeb1 1141
fd83e2c2 1142 chan->ops->ready(chan);
9f0caeb1
VCG		 1143}
1144
93c3e8f5
AE		 1145static void l2cap_start_connection(struct l2cap_chan *chan)
1146{
1147 if (__amp_capable(chan)) {
1148 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1149 a2mp_discover_amp(chan);
1150 } else {
1151 l2cap_send_conn_req(chan);
1152 }
1153}
1154
fc7f8a7e 1155static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1156{
8c1d787b 1157 struct l2cap_conn *conn = chan->conn;
79d554a6 1158
9f0caeb1
VCG		 1159 if (conn->hcon->type == LE_LINK) {
1160 l2cap_chan_ready(chan);
1161 return;
1162 }
1163
79d554a6 1164 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1165 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1166 return;
1167
d45fc423 1168 if (l2cap_chan_check_security(chan) &&
2d792818 1169 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1170 l2cap_start_connection(chan);
1171 }
79d554a6
MH		 1172 } else {
1173 struct l2cap_info_req req;
ac73498c 1174 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1175
1176 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1177 conn->info_ident = l2cap_get_ident(conn);
1178
ba13ccd9 1179 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1180
2d792818
GP		 1181 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1182 sizeof(req), &req);
79d554a6
MH		 1183 }
1184}
1185
cf6c2c0b
GP		 1186static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1187{
1188 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1189 if (!disable_ertm)
cf6c2c0b
GP		 1190 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1191
1192 switch (mode) {
1193 case L2CAP_MODE_ERTM:
1194 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1195 case L2CAP_MODE_STREAMING:
1196 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1197 default:
1198 return 0x00;
1199 }
1200}
1201
5e4e3972 1202static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1203{
6be36555 1204 struct sock *sk = chan->sk;
5e4e3972 1205 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1206 struct l2cap_disconn_req req;
1207
c13ffa62
GP		 1208 if (!conn)
1209 return;
1210
aad3d0e3 1211 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1212 __clear_retrans_timer(chan);
1213 __clear_monitor_timer(chan);
1214 __clear_ack_timer(chan);
c13ffa62
GP		 1215 }
1216
416fa752 1217 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1218 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1219 return;
1220 }
1221
fe4128e0
GP		 1222 req.dcid = cpu_to_le16(chan->dcid);
1223 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1224 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1225 sizeof(req), &req);
c13ffa62 1226
6be36555 1227 lock_sock(sk);
0e587be7 1228 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1229 __l2cap_chan_set_err(chan, err);
6be36555 1230 release_sock(sk);
22121fc9
GP		 1231}
1232
1da177e4 1233/* ---- L2CAP connections ---- */
4e8402a3
MH		 1234static void l2cap_conn_start(struct l2cap_conn *conn)
1235{
3df91ea2 1236 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1237
1238 BT_DBG("conn %p", conn);
1239
3df91ea2 1240 mutex_lock(&conn->chan_lock);
4e8402a3 1241
3df91ea2 1242 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1243 struct sock *sk = chan->sk;
baa7e1fa 1244
6be36555 1245 l2cap_chan_lock(chan);
4e8402a3 1246
715ec005 1247 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1248 l2cap_chan_unlock(chan);
79d554a6
MH		 1249 continue;
1250 }
1251
89bc500e 1252 if (chan->state == BT_CONNECT) {
d45fc423 1253 if (!l2cap_chan_check_security(chan) ||
2d792818 1254 !__l2cap_no_conn_pending(chan)) {
6be36555 1255 l2cap_chan_unlock(chan);
47731de7
GP		 1256 continue;
1257 }
79d554a6 1258
c1360a1c 1259 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1260 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1261 &chan->conf_state)) {
89bc500e 1262 l2cap_chan_close(chan, ECONNRESET);
6be36555 1263 l2cap_chan_unlock(chan);
47731de7 1264 continue;
b1235d79 1265 }
47731de7 1266
93c3e8f5 1267 l2cap_start_connection(chan);
47731de7 1268
89bc500e 1269 } else if (chan->state == BT_CONNECT2) {
79d554a6 1270 struct l2cap_conn_rsp rsp;
e9aeb2dd 1271 char buf[128];
fe4128e0
GP		 1272 rsp.scid = cpu_to_le16(chan->dcid);
1273 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1274
d45fc423 1275 if (l2cap_chan_check_security(chan)) {
6be36555 1276 lock_sock(sk);
c5daa683
GP		 1277 if (test_bit(BT_SK_DEFER_SETUP,
1278 &bt_sk(sk)->flags)) {
ac73498c
AE		 1279 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1280 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1281 chan->ops->defer(chan);
f66dc81f
MH		 1282
1283 } else {
0e587be7 1284 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1285 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1286 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1287 }
6be36555 1288 release_sock(sk);
79d554a6 1289 } else {
ac73498c
AE		 1290 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1291 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1292 }
1293
fc7f8a7e 1294 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1295 sizeof(rsp), &rsp);
e9aeb2dd 1296
c1360a1c 1297 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1298 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1299 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1300 continue;
1301 }
1302
c1360a1c 1303 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1304 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1305 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1306 chan->num_conf_req++;
4e8402a3
MH		 1307 }
1308
6be36555 1309 l2cap_chan_unlock(chan);
4e8402a3
MH		 1310 }
1311
3df91ea2 1312 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1313}
1314
c2287681 1315/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1316 * Returns closest match, locked.
1317 */
d9b88702 1318static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1319 bdaddr_t *src,
1320 bdaddr_t *dst)
b62f328b 1321{
23691d75 1322 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1323
23691d75 1324 read_lock(&chan_list_lock);
b62f328b 1325
23691d75
GP		 1326 list_for_each_entry(c, &chan_list, global_l) {
1327 struct sock *sk = c->sk;
fe4128e0 1328
89bc500e 1329 if (state && c->state != state)
b62f328b
VT		 1330 continue;
1331
23691d75 1332 if (c->scid == cid) {
c2287681
IY		 1333 int src_match, dst_match;
1334 int src_any, dst_any;
1335
b62f328b 1336 /* Exact match. */
c2287681
IY		 1337 src_match = !bacmp(&bt_sk(sk)->src, src);
1338 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1339 if (src_match && dst_match) {
23691d75
GP		 1340 read_unlock(&chan_list_lock);
1341 return c;
1342 }
b62f328b
VT		 1343
1344 /* Closest match */
c2287681
IY		 1345 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1346 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1347 if ((src_match && dst_any) || (src_any && dst_match) ||
1348 (src_any && dst_any))
23691d75 1349 c1 = c;
b62f328b
VT		 1350 }
1351 }
280f294f 1352
23691d75 1353 read_unlock(&chan_list_lock);
b62f328b 1354
23691d75 1355 return c1;
b62f328b
VT		 1356}
1357
1358static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1359{
60bac184 1360 struct sock *parent;
23691d75 1361 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1362
1363 BT_DBG("");
1364
1365 /* Check if we have socket listening on cid */
073d1cf3 1366 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
c2287681 1367 conn->src, conn->dst);
23691d75 1368 if (!pchan)
b62f328b
VT		 1369 return;
1370
44f3b0fb
JH		 1371 /* Client ATT sockets should override the server one */
1372 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1373 return;
1374
23691d75
GP		 1375 parent = pchan->sk;
1376
aa2ac881 1377 lock_sock(parent);
62f3a2cf 1378
80b98027 1379 chan = pchan->ops->new_connection(pchan);
80808e43 1380 if (!chan)
b62f328b
VT		 1381 goto clean;
1382
9f22398c
JH		 1383 chan->dcid = L2CAP_CID_ATT;
1384
60bac184
JH		 1385 bacpy(&bt_sk(chan->sk)->src, conn->src);
1386 bacpy(&bt_sk(chan->sk)->dst, conn->dst);
b62f328b 1387
44f3b0fb 1388 __l2cap_chan_add(conn, chan);
48454079 1389
b62f328b 1390clean:
aa2ac881 1391 release_sock(parent);
b62f328b
VT		 1392}
1393
4e8402a3
MH		 1394static void l2cap_conn_ready(struct l2cap_conn *conn)
1395{
48454079 1396 struct l2cap_chan *chan;
cc110922 1397 struct hci_conn *hcon = conn->hcon;
4e8402a3 1398
79d554a6 1399 BT_DBG("conn %p", conn);
4e8402a3 1400
d8729922
JH		 1401 /* For outgoing pairing which doesn't necessarily have an
1402 * associated socket (e.g. mgmt_pair_device).
1403 */
cc110922
VCG		 1404 if (hcon->out && hcon->type == LE_LINK)
1405 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1406
3df91ea2 1407 mutex_lock(&conn->chan_lock);
4e8402a3 1408
44f3b0fb
JH		 1409 if (hcon->type == LE_LINK)
1410 l2cap_le_conn_ready(conn);
1411
3df91ea2 1412 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1413
6be36555 1414 l2cap_chan_lock(chan);
4e8402a3 1415
416fa752
AE		 1416 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1417 l2cap_chan_unlock(chan);
1418 continue;
1419 }
1420
cc110922
VCG		 1421 if (hcon->type == LE_LINK) {
1422 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1423 l2cap_chan_ready(chan);
acd7d370 1424
63128451 1425 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1426 struct sock *sk = chan->sk;
c9b66675 1427 __clear_chan_timer(chan);
6be36555 1428 lock_sock(sk);
0e587be7 1429 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1430 sk->sk_state_change(sk);
6be36555 1431 release_sock(sk);
b501d6a1 1432
1c244f79 1433 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1434 l2cap_do_start(chan);
1c244f79 1435 }
4e8402a3 1436
6be36555 1437 l2cap_chan_unlock(chan);
4e8402a3 1438 }
79d554a6 1439
3df91ea2 1440 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1441}
1442
1443/* Notify sockets that we cannot guaranty reliability anymore */
1444static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1445{
48454079 1446 struct l2cap_chan *chan;
4e8402a3
MH		 1447
1448 BT_DBG("conn %p", conn);
1449
3df91ea2 1450 mutex_lock(&conn->chan_lock);
4e8402a3 1451
3df91ea2 1452 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1453 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1454 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1455 }
1456
3df91ea2 1457 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1458}
1459
f878fcad 1460static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1461{
f878fcad 1462 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1463 info_timer.work);
4e8402a3 1464
984947dc 1465 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1466 conn->info_ident = 0;
984947dc 1467
4e8402a3
MH		 1468 l2cap_conn_start(conn);
1469}
1470
2c8e1411
DH		 1471/*
1472 * l2cap_user
1473 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1474 * callback is called during registration. The ->remove callback is called
1475 * during unregistration.
1476 * An l2cap_user object can either be explicitly unregistered or when the
1477 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1478 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1479 * External modules must own a reference to the l2cap_conn object if they intend
1480 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1481 * any time if they don't.
1482 */
1483
1484int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1485{
1486 struct hci_dev *hdev = conn->hcon->hdev;
1487 int ret;
1488
1489 /* We need to check whether l2cap_conn is registered. If it is not, we
1490 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1491 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1492 * relies on the parent hci_conn object to be locked. This itself relies
1493 * on the hci_dev object to be locked. So we must lock the hci device
1494 * here, too. */
1495
1496 hci_dev_lock(hdev);
1497
1498 if (user->list.next || user->list.prev) {
1499 ret = -EINVAL;
1500 goto out_unlock;
1501 }
1502
1503 /* conn->hchan is NULL after l2cap_conn_del() was called */
1504 if (!conn->hchan) {
1505 ret = -ENODEV;
1506 goto out_unlock;
1507 }
1508
1509 ret = user->probe(conn, user);
1510 if (ret)
1511 goto out_unlock;
1512
1513 list_add(&user->list, &conn->users);
1514 ret = 0;
1515
1516out_unlock:
1517 hci_dev_unlock(hdev);
1518 return ret;
1519}
1520EXPORT_SYMBOL(l2cap_register_user);
1521
1522void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1523{
1524 struct hci_dev *hdev = conn->hcon->hdev;
1525
1526 hci_dev_lock(hdev);
1527
1528 if (!user->list.next || !user->list.prev)
1529 goto out_unlock;
1530
1531 list_del(&user->list);
1532 user->list.next = NULL;
1533 user->list.prev = NULL;
1534 user->remove(conn, user);
1535
1536out_unlock:
1537 hci_dev_unlock(hdev);
1538}
1539EXPORT_SYMBOL(l2cap_unregister_user);
1540
1541static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1542{
1543 struct l2cap_user *user;
1544
1545 while (!list_empty(&conn->users)) {
1546 user = list_first_entry(&conn->users, struct l2cap_user, list);
1547 list_del(&user->list);
1548 user->list.next = NULL;
1549 user->list.prev = NULL;
1550 user->remove(conn, user);
1551 }
1552}
1553
5d3de7df
VCG		 1554static void l2cap_conn_del(struct hci_conn *hcon, int err)
1555{
1556 struct l2cap_conn *conn = hcon->l2cap_data;
1557 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1558
1559 if (!conn)
1560 return;
1561
1562 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1563
1564 kfree_skb(conn->rx_skb);
1565
2c8e1411
DH		 1566 l2cap_unregister_all_users(conn);
1567
3df91ea2
AE		 1568 mutex_lock(&conn->chan_lock);
1569
5d3de7df
VCG		 1570 /* Kill channels */
1571 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1572 l2cap_chan_hold(chan);
6be36555
AE		 1573 l2cap_chan_lock(chan);
1574
5d3de7df 1575 l2cap_chan_del(chan, err);
6be36555
AE		 1576
1577 l2cap_chan_unlock(chan);
1578
80b98027 1579 chan->ops->close(chan);
61d6ef3e 1580 l2cap_chan_put(chan);
5d3de7df
VCG		 1581 }
1582
3df91ea2
AE		 1583 mutex_unlock(&conn->chan_lock);
1584
73d80deb
LAD		 1585 hci_chan_del(conn->hchan);
1586
5d3de7df 1587 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1588 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1589
51a8efd7 1590 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1591 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1592 smp_chan_destroy(conn);
d26a2345 1593 }
5d3de7df
VCG		 1594
1595 hcon->l2cap_data = NULL;
9c903e37
DH		 1596 conn->hchan = NULL;
1597 l2cap_conn_put(conn);
5d3de7df
VCG		 1598}
1599
6c9d42a1 1600static void security_timeout(struct work_struct *work)
5d3de7df 1601{
6c9d42a1 1602 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1603 security_timer.work);
5d3de7df 1604
d06cc416
JH		 1605 BT_DBG("conn %p", conn);
1606
1607 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1608 smp_chan_destroy(conn);
1609 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1610 }
5d3de7df
VCG		 1611}
1612
baf43251 1613static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1614{
0139418c 1615 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1616 struct hci_chan *hchan;
1da177e4 1617
baf43251 1618 if (conn)
1da177e4
LT		 1619 return conn;
1620
73d80deb
LAD		 1621 hchan = hci_chan_create(hcon);
1622 if (!hchan)
1623 return NULL;
1624
8bcde1f2 1625 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1626 if (!conn) {
1627 hci_chan_del(hchan);
1da177e4 1628 return NULL;
73d80deb 1629 }
1da177e4 1630
9c903e37 1631 kref_init(&conn->ref);
1da177e4
LT		 1632 hcon->l2cap_data = conn;
1633 conn->hcon = hcon;
9c903e37 1634 hci_conn_get(conn->hcon);
73d80deb 1635 conn->hchan = hchan;
1da177e4 1636
73d80deb 1637 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1638
dcc042d5 1639 switch (hcon->type) {
dcc042d5
AE		 1640 case LE_LINK:
1641 if (hcon->hdev->le_mtu) {
1642 conn->mtu = hcon->hdev->le_mtu;
1643 break;
1644 }
1645 /* fall through */
dcc042d5 1646 default:
acd7d370 1647 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1648 break;
1649 }
acd7d370 1650
1da177e4
LT		 1651 conn->src = &hcon->hdev->bdaddr;
1652 conn->dst = &hcon->dst;
1653
4e8402a3
MH		 1654 conn->feat_mask = 0;
1655
848566b3
MH		 1656 if (hcon->type == ACL_LINK)
1657 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1658 &hcon->hdev->dev_flags);
1659
1da177e4 1660 spin_lock_init(&conn->lock);
3df91ea2 1661 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1662
1663 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1664 INIT_LIST_HEAD(&conn->users);
1da177e4 1665
5d3de7df 1666 if (hcon->type == LE_LINK)
6c9d42a1 1667 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1668 else
030013d8 1669 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1670
9f5a0d7b 1671 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1672
1da177e4
LT		 1673 return conn;
1674}
1675
9c903e37
DH		 1676static void l2cap_conn_free(struct kref *ref)
1677{
1678 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1679
1680 hci_conn_put(conn->hcon);
1681 kfree(conn);
1682}
1683
1684void l2cap_conn_get(struct l2cap_conn *conn)
1685{
1686 kref_get(&conn->ref);
1687}
1688EXPORT_SYMBOL(l2cap_conn_get);
1689
1690void l2cap_conn_put(struct l2cap_conn *conn)
1691{
1692 kref_put(&conn->ref, l2cap_conn_free);
1693}
1694EXPORT_SYMBOL(l2cap_conn_put);
1695
1da177e4 1696/* ---- Socket interface ---- */
1da177e4 1697
c2287681 1698/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1699 * Returns closest match.
1700 */
c2287681
IY		 1701static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1702 bdaddr_t *src,
1703 bdaddr_t *dst)
1da177e4 1704{
23691d75 1705 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1706
23691d75 1707 read_lock(&chan_list_lock);
e0f0cb56 1708
23691d75
GP		 1709 list_for_each_entry(c, &chan_list, global_l) {
1710 struct sock *sk = c->sk;
fe4128e0 1711
89bc500e 1712 if (state && c->state != state)
1da177e4
LT		 1713 continue;
1714
23691d75 1715 if (c->psm == psm) {
c2287681
IY		 1716 int src_match, dst_match;
1717 int src_any, dst_any;
1718
1da177e4 1719 /* Exact match. */
c2287681
IY		 1720 src_match = !bacmp(&bt_sk(sk)->src, src);
1721 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1722 if (src_match && dst_match) {
a7567b20 1723 read_unlock(&chan_list_lock);
23691d75
GP		 1724 return c;
1725 }
1da177e4
LT		 1726
1727 /* Closest match */
c2287681
IY		 1728 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1729 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1730 if ((src_match && dst_any) || (src_any && dst_match) ||
1731 (src_any && dst_any))
23691d75 1732 c1 = c;
1da177e4
LT		 1733 }
1734 }
1da177e4 1735
23691d75 1736 read_unlock(&chan_list_lock);
e0f0cb56 1737
23691d75 1738 return c1;
1da177e4
LT		 1739}
1740
8e9f9892
AG		 1741int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1742 bdaddr_t *dst, u8 dst_type)
1da177e4 1743{
5d41ce1d 1744 struct sock *sk = chan->sk;
1da177e4 1745 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1746 struct l2cap_conn *conn;
1747 struct hci_conn *hcon;
1748 struct hci_dev *hdev;
09ab6f4c 1749 __u8 auth_type;
44d0e48e 1750 int err;
1da177e4 1751
6ed93dc6 1752 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1753 dst_type, __le16_to_cpu(psm));
1da177e4 1754
af05b30b
GP		 1755 hdev = hci_get_route(dst, src);
1756 if (!hdev)
1da177e4
LT		 1757 return -EHOSTUNREACH;
1758
09fd0de5 1759 hci_dev_lock(hdev);
1da177e4 1760
6be36555 1761 l2cap_chan_lock(chan);
03a00194
GP		 1762
1763 /* PSM must be odd and lsb of upper byte must be 0 */
1764 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1765 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1766 err = -EINVAL;
1767 goto done;
1768 }
1769
1770 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1771 err = -EINVAL;
1772 goto done;
1773 }
1774
1775 switch (chan->mode) {
1776 case L2CAP_MODE_BASIC:
1777 break;
1778 case L2CAP_MODE_ERTM:
1779 case L2CAP_MODE_STREAMING:
1780 if (!disable_ertm)
1781 break;
1782 /* fall through */
1783 default:
1784 err = -ENOTSUPP;
1785 goto done;
1786 }
1787
0797e01d 1788 switch (chan->state) {
03a00194
GP		 1789 case BT_CONNECT:
1790 case BT_CONNECT2:
1791 case BT_CONFIG:
1792 /* Already connecting */
1793 err = 0;
1794 goto done;
1795
1796 case BT_CONNECTED:
1797 /* Already connected */
1798 err = -EISCONN;
1799 goto done;
1800
1801 case BT_OPEN:
1802 case BT_BOUND:
1803 /* Can connect */
1804 break;
1805
1806 default:
1807 err = -EBADFD;
1808 goto done;
1809 }
1810
1811 /* Set destination address and psm */
0797e01d 1812 lock_sock(sk);
9219b2a0 1813 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1814 release_sock(sk);
1815
03a00194
GP		 1816 chan->psm = psm;
1817 chan->dcid = cid;
1da177e4 1818
4343478f 1819 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1820
f224ca5f 1821 if (bdaddr_type_is_le(dst_type))
8e9f9892 1822 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1823 chan->sec_level, auth_type);
acd7d370 1824 else
8e9f9892 1825 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1826 chan->sec_level, auth_type);
acd7d370 1827
30e76272
VT		 1828 if (IS_ERR(hcon)) {
1829 err = PTR_ERR(hcon);
1da177e4 1830 goto done;
30e76272 1831 }
1da177e4 1832
baf43251 1833 conn = l2cap_conn_add(hcon);
1da177e4 1834 if (!conn) {
76a68ba0 1835 hci_conn_drop(hcon);
30e76272 1836 err = -ENOMEM;
1da177e4
LT		 1837 goto done;
1838 }
1839
141d5706
JH		 1840 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1841 hci_conn_drop(hcon);
1842 err = -EBUSY;
1843 goto done;
9f0caeb1
VCG		 1844 }
1845
1da177e4
LT		 1846 /* Update source addr of the socket */
1847 bacpy(src, conn->src);
1848
6be36555 1849 l2cap_chan_unlock(chan);
48454079 1850 l2cap_chan_add(conn, chan);
6be36555 1851 l2cap_chan_lock(chan);
48454079 1852
5ee9891d
JH		 1853 /* l2cap_chan_add takes its own ref so we can drop this one */
1854 hci_conn_drop(hcon);
1855
6be36555 1856 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1857 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1858
1859 if (hcon->state == BT_CONNECTED) {
715ec005 1860 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1861 __clear_chan_timer(chan);
d45fc423 1862 if (l2cap_chan_check_security(chan))
6be36555 1863 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1864 } else
fc7f8a7e 1865 l2cap_do_start(chan);
1da177e4
LT		 1866 }
1867
30e76272
VT		 1868 err = 0;
1869
1da177e4 1870done:
6be36555 1871 l2cap_chan_unlock(chan);
09fd0de5 1872 hci_dev_unlock(hdev);
1da177e4
LT		 1873 hci_dev_put(hdev);
1874 return err;
1875}
1876
dcba0dba 1877int __l2cap_wait_ack(struct sock *sk)
6161c038 1878{
8c1d787b 1879 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1880 DECLARE_WAITQUEUE(wait, current);
1881 int err = 0;
1882 int timeo = HZ/5;
1883
2b0b05dd 1884 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1885 set_current_state(TASK_INTERRUPTIBLE);
1886 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1887 if (!timeo)
1888 timeo = HZ/5;
1889
1890 if (signal_pending(current)) {
1891 err = sock_intr_errno(timeo);
1892 break;
1893 }
1894
1895 release_sock(sk);
1896 timeo = schedule_timeout(timeo);
1897 lock_sock(sk);
a71a0cf4 1898 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1899
1900 err = sock_error(sk);
1901 if (err)
1902 break;
1903 }
1904 set_current_state(TASK_RUNNING);
2b0b05dd 1905 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1906 return err;
1907}
1908
721c4181 1909static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1910{
721c4181 1911 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1912 monitor_timer.work);
e90bac06 1913
525cd185 1914 BT_DBG("chan %p", chan);
0e98958d 1915
6be36555
AE		 1916 l2cap_chan_lock(chan);
1917
80909e04 1918 if (!chan->conn) {
6be36555 1919 l2cap_chan_unlock(chan);
8d7e1c7f 1920 l2cap_chan_put(chan);
e90bac06
GP		 1921 return;
1922 }
1923
401bb1f7 1924 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1925
6be36555 1926 l2cap_chan_unlock(chan);
8d7e1c7f 1927 l2cap_chan_put(chan);
e90bac06
GP		 1928}
1929
721c4181 1930static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1931{
721c4181 1932 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1933 retrans_timer.work);
e90bac06 1934
49208c9c 1935 BT_DBG("chan %p", chan);
0e98958d 1936
6be36555
AE		 1937 l2cap_chan_lock(chan);
1938
80909e04
MM		 1939 if (!chan->conn) {
1940 l2cap_chan_unlock(chan);
1941 l2cap_chan_put(chan);
1942 return;
1943 }
6be36555 1944
401bb1f7 1945 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1946 l2cap_chan_unlock(chan);
8d7e1c7f 1947 l2cap_chan_put(chan);
e90bac06
GP		 1948}
1949
d660366d
GP		 1950static void l2cap_streaming_send(struct l2cap_chan *chan,
1951 struct sk_buff_head *skbs)
6840ed07 1952{
ccbb84af 1953 struct sk_buff *skb;
3733937d 1954 struct l2cap_ctrl *control;
6840ed07 1955
3733937d
MM		 1956 BT_DBG("chan %p, skbs %p", chan, skbs);
1957
b99e13ad
MM		 1958 if (__chan_is_moving(chan))
1959 return;
1960
3733937d
MM		 1961 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1962
1963 while (!skb_queue_empty(&chan->tx_q)) {
1964
1965 skb = skb_dequeue(&chan->tx_q);
1966
1967 bt_cb(skb)->control.retries = 1;
1968 control = &bt_cb(skb)->control;
1969
1970 control->reqseq = 0;
1971 control->txseq = chan->next_tx_seq;
1972
1973 __pack_control(chan, control, skb);
6840ed07 1974
47d1ec61 1975 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1976 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1977 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1978 }
1979
4343478f 1980 l2cap_do_send(chan, skb);
6840ed07 1981
b4400672 1982 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1983
836be934 1984 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1985 chan->frames_sent++;
6840ed07 1986 }
6840ed07
GP		 1987}
1988
67c9e840 1989static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1990{
1991 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1992 struct l2cap_ctrl *control;
1993 int sent = 0;
1994
1995 BT_DBG("chan %p", chan);
1c2acffb 1996
89bc500e 1997 if (chan->state != BT_CONNECTED)
c13ffa62 1998 return -ENOTCONN;
e90bac06 1999
94122bbe
MM		 2000 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2001 return 0;
2002
b99e13ad
MM		 2003 if (__chan_is_moving(chan))
2004 return 0;
2005
18a48e76
MM		 2006 while (chan->tx_send_head &&
2007 chan->unacked_frames < chan->remote_tx_win &&
2008 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 2009
18a48e76 2010 skb = chan->tx_send_head;
e90bac06 2011
18a48e76
MM		 2012 bt_cb(skb)->control.retries = 1;
2013 control = &bt_cb(skb)->control;
95ffa978 2014
e2ab4353 2015 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 2016 control->final = 1;
e2ab4353 2017
18a48e76
MM		 2018 control->reqseq = chan->buffer_seq;
2019 chan->last_acked_seq = chan->buffer_seq;
2020 control->txseq = chan->next_tx_seq;
1c2acffb 2021
18a48e76 2022 __pack_control(chan, control, skb);
e90bac06 2023
47d1ec61 2024 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2025 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2026 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2027 }
2028
18a48e76
MM		 2029 /* Clone after data has been modified. Data is assumed to be
2030 read-only (for locking purposes) on cloned sk_buffs.
2031 */
2032 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2033
18a48e76
MM		 2034 if (!tx_skb)
2035 break;
1c2acffb 2036
18a48e76 2037 __set_retrans_timer(chan);
836be934
AE		 2038
2039 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2040 chan->unacked_frames++;
6a026610 2041 chan->frames_sent++;
18a48e76 2042 sent++;
1c2acffb 2043
58d35f87
GP		 2044 if (skb_queue_is_last(&chan->tx_q, skb))
2045 chan->tx_send_head = NULL;
1c2acffb 2046 else
58d35f87 2047 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2048
2049 l2cap_do_send(chan, tx_skb);
b4400672 2050 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2051 }
2052
b4400672
AE		 2053 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2054 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2055
2056 return sent;
9e917af1
GP		 2057}
2058
e1fbd4c1
MM		 2059static void l2cap_ertm_resend(struct l2cap_chan *chan)
2060{
2061 struct l2cap_ctrl control;
2062 struct sk_buff *skb;
2063 struct sk_buff *tx_skb;
2064 u16 seq;
2065
2066 BT_DBG("chan %p", chan);
2067
2068 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2069 return;
2070
b99e13ad
MM		 2071 if (__chan_is_moving(chan))
2072 return;
2073
e1fbd4c1
MM		 2074 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2075 seq = l2cap_seq_list_pop(&chan->retrans_list);
2076
2077 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2078 if (!skb) {
2079 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2080 seq);
e1fbd4c1
MM		 2081 continue;
2082 }
2083
2084 bt_cb(skb)->control.retries++;
2085 control = bt_cb(skb)->control;
2086
2087 if (chan->max_tx != 0 &&
2088 bt_cb(skb)->control.retries > chan->max_tx) {
2089 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2090 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2091 l2cap_seq_list_clear(&chan->retrans_list);
2092 break;
2093 }
2094
2095 control.reqseq = chan->buffer_seq;
2096 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2097 control.final = 1;
2098 else
2099 control.final = 0;
2100
2101 if (skb_cloned(skb)) {
2102 /* Cloned sk_buffs are read-only, so we need a
2103 * writeable copy
2104 */
8bcde1f2 2105 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2106 } else {
8bcde1f2 2107 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2108 }
2109
2110 if (!tx_skb) {
2111 l2cap_seq_list_clear(&chan->retrans_list);
2112 break;
2113 }
2114
2115 /* Update skb contents */
2116 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2117 put_unaligned_le32(__pack_extended_control(&control),
2118 tx_skb->data + L2CAP_HDR_SIZE);
2119 } else {
2120 put_unaligned_le16(__pack_enhanced_control(&control),
2121 tx_skb->data + L2CAP_HDR_SIZE);
2122 }
2123
2124 if (chan->fcs == L2CAP_FCS_CRC16) {
2125 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2126 put_unaligned_le16(fcs, skb_put(tx_skb,
2127 L2CAP_FCS_SIZE));
2128 }
2129
2130 l2cap_do_send(chan, tx_skb);
2131
2132 BT_DBG("Resent txseq %d", control.txseq);
2133
2134 chan->last_acked_seq = chan->buffer_seq;
2135 }
2136}
2137
f80842a8
MM		 2138static void l2cap_retransmit(struct l2cap_chan *chan,
2139 struct l2cap_ctrl *control)
2140{
2141 BT_DBG("chan %p, control %p", chan, control);
2142
2143 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2144 l2cap_ertm_resend(chan);
2145}
2146
d2a7ac5d
MM		 2147static void l2cap_retransmit_all(struct l2cap_chan *chan,
2148 struct l2cap_ctrl *control)
2149{
e1fbd4c1
MM		 2150 struct sk_buff *skb;
2151
2152 BT_DBG("chan %p, control %p", chan, control);
2153
2154 if (control->poll)
2155 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2156
2157 l2cap_seq_list_clear(&chan->retrans_list);
2158
2159 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2160 return;
2161
2162 if (chan->unacked_frames) {
2163 skb_queue_walk(&chan->tx_q, skb) {
2164 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2165 skb == chan->tx_send_head)
e1fbd4c1
MM		 2166 break;
2167 }
2168
2169 skb_queue_walk_from(&chan->tx_q, skb) {
2170 if (skb == chan->tx_send_head)
2171 break;
2172
2173 l2cap_seq_list_append(&chan->retrans_list,
2174 bt_cb(skb)->control.txseq);
2175 }
2176
2177 l2cap_ertm_resend(chan);
2178 }
d2a7ac5d
MM		 2179}
2180
0a0aba42 2181static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2182{
0a0aba42
MM		 2183 struct l2cap_ctrl control;
2184 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2185 chan->last_acked_seq);
2186 int threshold;
9e917af1 2187
0a0aba42
MM		 2188 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2189 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2190
0a0aba42
MM		 2191 memset(&control, 0, sizeof(control));
2192 control.sframe = 1;
dfc909be 2193
0a0aba42
MM		 2194 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2195 chan->rx_state == L2CAP_RX_STATE_RECV) {
2196 __clear_ack_timer(chan);
2197 control.super = L2CAP_SUPER_RNR;
2198 control.reqseq = chan->buffer_seq;
2199 l2cap_send_sframe(chan, &control);
2200 } else {
2201 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2202 l2cap_ertm_send(chan);
2203 /* If any i-frames were sent, they included an ack */
2204 if (chan->buffer_seq == chan->last_acked_seq)
2205 frames_to_ack = 0;
2206 }
dfc909be 2207
c20f8e35 2208 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2209 * Calculate without mul or div
2210 */
c20f8e35 2211 threshold = chan->ack_win;
0a0aba42
MM		 2212 threshold += threshold << 1;
2213 threshold >>= 2;
2214
b4400672 2215 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2216 threshold);
2217
2218 if (frames_to_ack >= threshold) {
2219 __clear_ack_timer(chan);
2220 control.super = L2CAP_SUPER_RR;
2221 control.reqseq = chan->buffer_seq;
2222 l2cap_send_sframe(chan, &control);
2223 frames_to_ack = 0;
2224 }
1c2acffb 2225
0a0aba42
MM		 2226 if (frames_to_ack)
2227 __set_ack_timer(chan);
2228 }
b17e73bb
SJ		 2229}
2230
04124681
GP		 2231static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2232 struct msghdr *msg, int len,
2233 int count, struct sk_buff *skb)
1c2acffb 2234{
0952a57a 2235 struct l2cap_conn *conn = chan->conn;
1c2acffb 2236 struct sk_buff **frag;
90338947 2237 int sent = 0;
1da177e4 2238
59203a21 2239 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2240 return -EFAULT;
1da177e4
LT		 2241
2242 sent += count;
2243 len -= count;
2244
2245 /* Continuation fragments (no L2CAP header) */
2246 frag = &skb_shinfo(skb)->frag_list;
2247 while (len) {
fbe00700
GP		 2248 struct sk_buff *tmp;
2249
1da177e4
LT		 2250 count = min_t(unsigned int, conn->mtu, len);
2251
fbe00700
GP		 2252 tmp = chan->ops->alloc_skb(chan, count,
2253 msg->msg_flags & MSG_DONTWAIT);
2254 if (IS_ERR(tmp))
2255 return PTR_ERR(tmp);
2256
2257 *frag = tmp;
2f7719ce 2258
1c2acffb
GP		 2259 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2260 return -EFAULT;
1da177e4 2261
5e59b791
LAD		 2262 (*frag)->priority = skb->priority;
2263
1da177e4
LT		 2264 sent += count;
2265 len -= count;
2266
2d0ed3d5
GP		 2267 skb->len += (*frag)->len;
2268 skb->data_len += (*frag)->len;
2269
1da177e4
LT		 2270 frag = &(*frag)->next;
2271 }
1da177e4
LT		 2272
2273 return sent;
1c2acffb 2274}
1da177e4 2275
5e59b791 2276static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2277 struct msghdr *msg, size_t len,
2278 u32 priority)
1c2acffb 2279{
8c1d787b 2280 struct l2cap_conn *conn = chan->conn;
1c2acffb 2281 struct sk_buff *skb;
03a51213 2282 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2283 struct l2cap_hdr *lh;
2284
b4400672 2285 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2286
2287 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2288
2289 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2290 msg->msg_flags & MSG_DONTWAIT);
2291 if (IS_ERR(skb))
2292 return skb;
1c2acffb 2293
5e59b791
LAD		 2294 skb->priority = priority;
2295
1c2acffb
GP		 2296 /* Create L2CAP header */
2297 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2298 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2299 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2300 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2301
0952a57a 2302 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2303 if (unlikely(err < 0)) {
2304 kfree_skb(skb);
2305 return ERR_PTR(err);
2306 }
2307 return skb;
2308}
2309
5e59b791 2310static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2311 struct msghdr *msg, size_t len,
2312 u32 priority)
1c2acffb 2313{
8c1d787b 2314 struct l2cap_conn *conn = chan->conn;
1c2acffb 2315 struct sk_buff *skb;
f2ba7fae 2316 int err, count;
1c2acffb
GP		 2317 struct l2cap_hdr *lh;
2318
b4400672 2319 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2320
f2ba7fae 2321 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2322
f2ba7fae 2323 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2324 msg->msg_flags & MSG_DONTWAIT);
2325 if (IS_ERR(skb))
2326 return skb;
1c2acffb 2327
5e59b791
LAD		 2328 skb->priority = priority;
2329
1c2acffb
GP		 2330 /* Create L2CAP header */
2331 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2332 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2333 lh->len = cpu_to_le16(len);
1c2acffb 2334
0952a57a 2335 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2336 if (unlikely(err < 0)) {
2337 kfree_skb(skb);
2338 return ERR_PTR(err);
2339 }
2340 return skb;
2341}
2342
ab0ff76d 2343static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2344 struct msghdr *msg, size_t len,
2345 u16 sdulen)
1c2acffb 2346{
8c1d787b 2347 struct l2cap_conn *conn = chan->conn;
1c2acffb 2348 struct sk_buff *skb;
e4ca6d98 2349 int err, count, hlen;
1c2acffb
GP		 2350 struct l2cap_hdr *lh;
2351
b4400672 2352 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2353
0ee0d208
GP		 2354 if (!conn)
2355 return ERR_PTR(-ENOTCONN);
2356
ba7aa64f 2357 hlen = __ertm_hdr_size(chan);
e4ca6d98 2358
c74e560c 2359 if (sdulen)
03a51213 2360 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2361
47d1ec61 2362 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2363 hlen += L2CAP_FCS_SIZE;
fcc203c3 2364
1c2acffb 2365 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2366
2367 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2368 msg->msg_flags & MSG_DONTWAIT);
2369 if (IS_ERR(skb))
2370 return skb;
1c2acffb
GP		 2371
2372 /* Create L2CAP header */
2373 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2374 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2375 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2376
18a48e76
MM		 2377 /* Control header is populated later */
2378 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2379 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2380 else
2381 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2382
c74e560c 2383 if (sdulen)
03a51213 2384 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2385
0952a57a 2386 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2387 if (unlikely(err < 0)) {
2388 kfree_skb(skb);
2389 return ERR_PTR(err);
2390 }
e90bac06 2391
18a48e76 2392 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2393 bt_cb(skb)->control.retries = 0;
1c2acffb 2394 return skb;
1da177e4
LT		 2395}
2396
94122bbe
MM		 2397static int l2cap_segment_sdu(struct l2cap_chan *chan,
2398 struct sk_buff_head *seg_queue,
2399 struct msghdr *msg, size_t len)
c74e560c 2400{
c74e560c 2401 struct sk_buff *skb;
94122bbe
MM		 2402 u16 sdu_len;
2403 size_t pdu_len;
94122bbe 2404 u8 sar;
c74e560c 2405
b4400672 2406 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2407
94122bbe
MM		 2408 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2409 * so fragmented skbs are not used. The HCI layer's handling
2410 * of fragmented skbs is not compatible with ERTM's queueing.
2411 */
c74e560c 2412
94122bbe
MM		 2413 /* PDU size is derived from the HCI MTU */
2414 pdu_len = chan->conn->mtu;
c74e560c 2415
a549574d
MM		 2416 /* Constrain PDU size for BR/EDR connections */
2417 if (!chan->hs_hcon)
2418 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2419
2420 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2421 if (chan->fcs)
2422 pdu_len -= L2CAP_FCS_SIZE;
2423
ba7aa64f 2424 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2425
2426 /* Remote device may have requested smaller PDUs */
2427 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2428
2429 if (len <= pdu_len) {
2430 sar = L2CAP_SAR_UNSEGMENTED;
2431 sdu_len = 0;
2432 pdu_len = len;
2433 } else {
2434 sar = L2CAP_SAR_START;
2435 sdu_len = len;
2436 pdu_len -= L2CAP_SDULEN_SIZE;
2437 }
2438
2439 while (len > 0) {
2440 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2441
c74e560c 2442 if (IS_ERR(skb)) {
94122bbe 2443 __skb_queue_purge(seg_queue);
c74e560c
GP		 2444 return PTR_ERR(skb);
2445 }
2446
94122bbe
MM		 2447 bt_cb(skb)->control.sar = sar;
2448 __skb_queue_tail(seg_queue, skb);
2449
2450 len -= pdu_len;
2451 if (sdu_len) {
2452 sdu_len = 0;
2453 pdu_len += L2CAP_SDULEN_SIZE;
2454 }
2455
2456 if (len <= pdu_len) {
2457 sar = L2CAP_SAR_END;
2458 pdu_len = len;
2459 } else {
2460 sar = L2CAP_SAR_CONTINUE;
2461 }
c74e560c 2462 }
c74e560c 2463
f0f62799 2464 return 0;
c74e560c
GP		 2465}
2466
5e59b791 2467int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2468 u32 priority)
9a91a04a 2469{
9a91a04a 2470 struct sk_buff *skb;
9a91a04a 2471 int err;
94122bbe 2472 struct sk_buff_head seg_queue;
9a91a04a
GP		 2473
2474 /* Connectionless channel */
715ec005 2475 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2476 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2477 if (IS_ERR(skb))
2478 return PTR_ERR(skb);
2479
2480 l2cap_do_send(chan, skb);
2481 return len;
2482 }
2483
2484 switch (chan->mode) {
2485 case L2CAP_MODE_BASIC:
2486 /* Check outgoing MTU */
2487 if (len > chan->omtu)
2488 return -EMSGSIZE;
2489
2490 /* Create a basic PDU */
5e59b791 2491 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2492 if (IS_ERR(skb))
2493 return PTR_ERR(skb);
2494
2495 l2cap_do_send(chan, skb);
2496 err = len;
2497 break;
2498
2499 case L2CAP_MODE_ERTM:
2500 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2501 /* Check outgoing MTU */
2502 if (len > chan->omtu) {
2503 err = -EMSGSIZE;
2504 break;
2505 }
9a91a04a 2506
94122bbe 2507 __skb_queue_head_init(&seg_queue);
9a91a04a 2508
94122bbe
MM		 2509 /* Do segmentation before calling in to the state machine,
2510 * since it's possible to block while waiting for memory
2511 * allocation.
2512 */
2513 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2514
94122bbe
MM		 2515 /* The channel could have been closed while segmenting,
2516 * check that it is still connected.
2517 */
2518 if (chan->state != BT_CONNECTED) {
2519 __skb_queue_purge(&seg_queue);
2520 err = -ENOTCONN;
9a91a04a
GP		 2521 }
2522
94122bbe 2523 if (err)
9a91a04a 2524 break;
9a91a04a 2525
3733937d 2526 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2527 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2528 else
d660366d 2529 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2530
d660366d 2531 err = len;
9a91a04a 2532
94122bbe
MM		 2533 /* If the skbs were not queued for sending, they'll still be in
2534 * seg_queue and need to be purged.
2535 */
2536 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2537 break;
2538
2539 default:
2540 BT_DBG("bad state %1.1x", chan->mode);
2541 err = -EBADFD;
2542 }
2543
2544 return err;
2545}
2546
d2a7ac5d
MM		 2547static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2548{
bed68bde
MM		 2549 struct l2cap_ctrl control;
2550 u16 seq;
2551
b4400672 2552 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2553
2554 memset(&control, 0, sizeof(control));
2555 control.sframe = 1;
2556 control.super = L2CAP_SUPER_SREJ;
2557
2558 for (seq = chan->expected_tx_seq; seq != txseq;
2559 seq = __next_seq(chan, seq)) {
2560 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2561 control.reqseq = seq;
2562 l2cap_send_sframe(chan, &control);
2563 l2cap_seq_list_append(&chan->srej_list, seq);
2564 }
2565 }
2566
2567 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2568}
2569
2570static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2571{
bed68bde
MM		 2572 struct l2cap_ctrl control;
2573
2574 BT_DBG("chan %p", chan);
2575
2576 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2577 return;
2578
2579 memset(&control, 0, sizeof(control));
2580 control.sframe = 1;
2581 control.super = L2CAP_SUPER_SREJ;
2582 control.reqseq = chan->srej_list.tail;
2583 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2584}
2585
2586static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2587{
bed68bde
MM		 2588 struct l2cap_ctrl control;
2589 u16 initial_head;
2590 u16 seq;
2591
b4400672 2592 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2593
2594 memset(&control, 0, sizeof(control));
2595 control.sframe = 1;
2596 control.super = L2CAP_SUPER_SREJ;
2597
2598 /* Capture initial list head to allow only one pass through the list. */
2599 initial_head = chan->srej_list.head;
2600
2601 do {
2602 seq = l2cap_seq_list_pop(&chan->srej_list);
2603 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2604 break;
2605
2606 control.reqseq = seq;
2607 l2cap_send_sframe(chan, &control);
2608 l2cap_seq_list_append(&chan->srej_list, seq);
2609 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2610}
2611
608bcc6d
MM		 2612static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2613{
2614 struct sk_buff *acked_skb;
2615 u16 ackseq;
2616
b4400672 2617 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2618
2619 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2620 return;
2621
b4400672 2622 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2623 chan->expected_ack_seq, chan->unacked_frames);
2624
2625 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2626 ackseq = __next_seq(chan, ackseq)) {
2627
2628 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2629 if (acked_skb) {
2630 skb_unlink(acked_skb, &chan->tx_q);
2631 kfree_skb(acked_skb);
2632 chan->unacked_frames--;
2633 }
2634 }
2635
2636 chan->expected_ack_seq = reqseq;
2637
2638 if (chan->unacked_frames == 0)
2639 __clear_retrans_timer(chan);
2640
b4400672 2641 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2642}
2643
2644static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2645{
2646 BT_DBG("chan %p", chan);
2647
2648 chan->expected_tx_seq = chan->buffer_seq;
2649 l2cap_seq_list_clear(&chan->srej_list);
2650 skb_queue_purge(&chan->srej_q);
2651 chan->rx_state = L2CAP_RX_STATE_RECV;
2652}
2653
d660366d
GP		 2654static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2655 struct l2cap_ctrl *control,
2656 struct sk_buff_head *skbs, u8 event)
608bcc6d 2657{
608bcc6d
MM		 2658 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2659 event);
2660
2661 switch (event) {
2662 case L2CAP_EV_DATA_REQUEST:
2663 if (chan->tx_send_head == NULL)
2664 chan->tx_send_head = skb_peek(skbs);
2665
2666 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2667 l2cap_ertm_send(chan);
2668 break;
2669 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2670 BT_DBG("Enter LOCAL_BUSY");
2671 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2672
2673 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2674 /* The SREJ_SENT state must be aborted if we are to
2675 * enter the LOCAL_BUSY state.
2676 */
2677 l2cap_abort_rx_srej_sent(chan);
2678 }
2679
2680 l2cap_send_ack(chan);
2681
2682 break;
2683 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2684 BT_DBG("Exit LOCAL_BUSY");
2685 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2686
2687 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2688 struct l2cap_ctrl local_control;
2689
2690 memset(&local_control, 0, sizeof(local_control));
2691 local_control.sframe = 1;
2692 local_control.super = L2CAP_SUPER_RR;
2693 local_control.poll = 1;
2694 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2695 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2696
2697 chan->retry_count = 1;
2698 __set_monitor_timer(chan);
2699 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2700 }
2701 break;
2702 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2703 l2cap_process_reqseq(chan, control->reqseq);
2704 break;
2705 case L2CAP_EV_EXPLICIT_POLL:
2706 l2cap_send_rr_or_rnr(chan, 1);
2707 chan->retry_count = 1;
2708 __set_monitor_timer(chan);
2709 __clear_ack_timer(chan);
2710 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2711 break;
2712 case L2CAP_EV_RETRANS_TO:
2713 l2cap_send_rr_or_rnr(chan, 1);
2714 chan->retry_count = 1;
2715 __set_monitor_timer(chan);
2716 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2717 break;
2718 case L2CAP_EV_RECV_FBIT:
2719 /* Nothing to process */
2720 break;
2721 default:
2722 break;
2723 }
608bcc6d
MM		 2724}
2725
d660366d
GP		 2726static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2727 struct l2cap_ctrl *control,
2728 struct sk_buff_head *skbs, u8 event)
608bcc6d 2729{
608bcc6d
MM		 2730 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2731 event);
2732
2733 switch (event) {
2734 case L2CAP_EV_DATA_REQUEST:
2735 if (chan->tx_send_head == NULL)
2736 chan->tx_send_head = skb_peek(skbs);
2737 /* Queue data, but don't send. */
2738 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2739 break;
2740 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2741 BT_DBG("Enter LOCAL_BUSY");
2742 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2743
2744 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2745 /* The SREJ_SENT state must be aborted if we are to
2746 * enter the LOCAL_BUSY state.
2747 */
2748 l2cap_abort_rx_srej_sent(chan);
2749 }
2750
2751 l2cap_send_ack(chan);
2752
2753 break;
2754 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2755 BT_DBG("Exit LOCAL_BUSY");
2756 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2757
2758 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2759 struct l2cap_ctrl local_control;
2760 memset(&local_control, 0, sizeof(local_control));
2761 local_control.sframe = 1;
2762 local_control.super = L2CAP_SUPER_RR;
2763 local_control.poll = 1;
2764 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2765 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2766
2767 chan->retry_count = 1;
2768 __set_monitor_timer(chan);
2769 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2770 }
2771 break;
2772 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2773 l2cap_process_reqseq(chan, control->reqseq);
2774
2775 /* Fall through */
2776
2777 case L2CAP_EV_RECV_FBIT:
2778 if (control && control->final) {
2779 __clear_monitor_timer(chan);
2780 if (chan->unacked_frames > 0)
2781 __set_retrans_timer(chan);
2782 chan->retry_count = 0;
2783 chan->tx_state = L2CAP_TX_STATE_XMIT;
2784 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2785 }
2786 break;
2787 case L2CAP_EV_EXPLICIT_POLL:
2788 /* Ignore */
2789 break;
2790 case L2CAP_EV_MONITOR_TO:
2791 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2792 l2cap_send_rr_or_rnr(chan, 1);
2793 __set_monitor_timer(chan);
2794 chan->retry_count++;
2795 } else {
5e4e3972 2796 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2797 }
2798 break;
2799 default:
2800 break;
2801 }
608bcc6d
MM		 2802}
2803
d660366d
GP		 2804static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2805 struct sk_buff_head *skbs, u8 event)
608bcc6d 2806{
608bcc6d
MM		 2807 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2808 chan, control, skbs, event, chan->tx_state);
2809
2810 switch (chan->tx_state) {
2811 case L2CAP_TX_STATE_XMIT:
d660366d 2812 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2813 break;
2814 case L2CAP_TX_STATE_WAIT_F:
d660366d 2815 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2816 break;
2817 default:
2818 /* Ignore event */
2819 break;
2820 }
608bcc6d
MM		 2821}
2822
4b51dae9
MM		 2823static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2824 struct l2cap_ctrl *control)
2825{
2826 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2827 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2828}
2829
f80842a8
MM		 2830static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2831 struct l2cap_ctrl *control)
2832{
2833 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2834 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2835}
2836
1da177e4
LT		 2837/* Copy frame to all raw sockets on that connection */
2838static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2839{
1da177e4 2840 struct sk_buff *nskb;
48454079 2841 struct l2cap_chan *chan;
1da177e4
LT		 2842
2843 BT_DBG("conn %p", conn);
2844
3df91ea2 2845 mutex_lock(&conn->chan_lock);
3d57dc68 2846
3df91ea2 2847 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2848 struct sock *sk = chan->sk;
715ec005 2849 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2850 continue;
2851
2852 /* Don't send frame to the socket it came from */
2853 if (skb->sk == sk)
2854 continue;
8bcde1f2 2855 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2856 if (!nskb)
1da177e4
LT		 2857 continue;
2858
80b98027 2859 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2860 kfree_skb(nskb);
2861 }
3d57dc68 2862
3df91ea2 2863 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2864}
2865
2866/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2867static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2868 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2869{
2870 struct sk_buff *skb, **frag;
2871 struct l2cap_cmd_hdr *cmd;
2872 struct l2cap_hdr *lh;
2873 int len, count;
2874
b4400672
AE		 2875 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2876 conn, code, ident, dlen);
1da177e4 2877
300b962e
AL		 2878 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2879 return NULL;
2880
1da177e4
LT		 2881 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2882 count = min_t(unsigned int, conn->mtu, len);
2883
8bcde1f2 2884 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2885 if (!skb)
2886 return NULL;
2887
2888 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2889 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2890
2891 if (conn->hcon->type == LE_LINK)
ac73498c 2892 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2893 else
ac73498c 2894 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2895
2896 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2897 cmd->code = code;
2898 cmd->ident = ident;
aca3192c 2899 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2900
2901 if (dlen) {
2902 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2903 memcpy(skb_put(skb, count), data, count);
2904 data += count;
2905 }
2906
2907 len -= skb->len;
2908
2909 /* Continuation fragments (no L2CAP header) */
2910 frag = &skb_shinfo(skb)->frag_list;
2911 while (len) {
2912 count = min_t(unsigned int, conn->mtu, len);
2913
8bcde1f2 2914 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2915 if (!*frag)
2916 goto fail;
2917
2918 memcpy(skb_put(*frag, count), data, count);
2919
2920 len -= count;
2921 data += count;
2922
2923 frag = &(*frag)->next;
2924 }
2925
2926 return skb;
2927
2928fail:
2929 kfree_skb(skb);
2930 return NULL;
2931}
2932
2d792818
GP		 2933static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2934 unsigned long *val)
1da177e4
LT		 2935{
2936 struct l2cap_conf_opt *opt = *ptr;
2937 int len;
2938
2939 len = L2CAP_CONF_OPT_SIZE + opt->len;
2940 *ptr += len;
2941
2942 *type = opt->type;
2943 *olen = opt->len;
2944
2945 switch (opt->len) {
2946 case 1:
2947 *val = *((u8 *) opt->val);
2948 break;
2949
2950 case 2:
bfaaeb3e 2951 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2952 break;
2953
2954 case 4:
bfaaeb3e 2955 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2956 break;
2957
2958 default:
2959 *val = (unsigned long) opt->val;
2960 break;
2961 }
2962
b4400672 2963 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2964 return len;
2965}
2966
1da177e4
LT		 2967static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2968{
2969 struct l2cap_conf_opt *opt = *ptr;
2970
b4400672 2971 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2972
2973 opt->type = type;
2974 opt->len = len;
2975
2976 switch (len) {
2977 case 1:
2978 *((u8 *) opt->val) = val;
2979 break;
2980
2981 case 2:
4f8b691c 2982 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2983 break;
2984
2985 case 4:
4f8b691c 2986 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2987 break;
2988
2989 default:
2990 memcpy(opt->val, (void *) val, len);
2991 break;
2992 }
2993
2994 *ptr += L2CAP_CONF_OPT_SIZE + len;
2995}
2996
f89cef09
AE		 2997static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2998{
2999 struct l2cap_conf_efs efs;
3000
1ec918ce 3001 switch (chan->mode) {
f89cef09
AE		 3002 case L2CAP_MODE_ERTM:
3003 efs.id = chan->local_id;
3004 efs.stype = chan->local_stype;
3005 efs.msdu = cpu_to_le16(chan->local_msdu);
3006 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 3007 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 3008 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3009 break;
3010
3011 case L2CAP_MODE_STREAMING:
3012 efs.id = 1;
3013 efs.stype = L2CAP_SERV_BESTEFFORT;
3014 efs.msdu = cpu_to_le16(chan->local_msdu);
3015 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3016 efs.acc_lat = 0;
3017 efs.flush_to = 0;
3018 break;
3019
3020 default:
3021 return;
3022 }
3023
3024 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3025 (unsigned long) &efs);
f89cef09
AE		 3026}
3027
721c4181 3028static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3029{
721c4181 3030 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3031 ack_timer.work);
3032 u16 frames_to_ack;
c1b4f43b 3033
2fb9b3d4
GP		 3034 BT_DBG("chan %p", chan);
3035
6be36555
AE		 3036 l2cap_chan_lock(chan);
3037
0362520b
MM		 3038 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3039 chan->last_acked_seq);
6be36555 3040
0362520b
MM		 3041 if (frames_to_ack)
3042 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3043
0362520b 3044 l2cap_chan_unlock(chan);
09bfb2ee 3045 l2cap_chan_put(chan);
c1b4f43b
GP		 3046}
3047
466f8004 3048int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3049{
3c588192
MM		 3050 int err;
3051
105bdf9e
MM		 3052 chan->next_tx_seq = 0;
3053 chan->expected_tx_seq = 0;
42e5c802 3054 chan->expected_ack_seq = 0;
6a026610 3055 chan->unacked_frames = 0;
42e5c802 3056 chan->buffer_seq = 0;
6a026610 3057 chan->frames_sent = 0;
105bdf9e
MM		 3058 chan->last_acked_seq = 0;
3059 chan->sdu = NULL;
3060 chan->sdu_last_frag = NULL;
3061 chan->sdu_len = 0;
3062
d34c34fb
MM		 3063 skb_queue_head_init(&chan->tx_q);
3064
6ed971ca
MH		 3065 chan->local_amp_id = AMP_ID_BREDR;
3066 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3067 chan->move_state = L2CAP_MOVE_STABLE;
3068 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3069
105bdf9e
MM		 3070 if (chan->mode != L2CAP_MODE_ERTM)
3071 return 0;
3072
3073 chan->rx_state = L2CAP_RX_STATE_RECV;
3074 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3075
721c4181
GP		 3076 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3077 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3078 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3079
f1c6775b 3080 skb_queue_head_init(&chan->srej_q);
1890d36b 3081
3c588192
MM		 3082 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3083 if (err < 0)
3084 return err;
3085
9dc9affc
MM		 3086 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3087 if (err < 0)
3088 l2cap_seq_list_free(&chan->srej_list);
3089
3090 return err;
0565c1c2
GP		 3091}
3092
f2fcfcd6
GP		 3093static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3094{
3095 switch (mode) {
3096 case L2CAP_MODE_STREAMING:
3097 case L2CAP_MODE_ERTM:
3098 if (l2cap_mode_supported(mode, remote_feat_mask))
3099 return mode;
3100 /* fall through */
3101 default:
3102 return L2CAP_MODE_BASIC;
3103 }
3104}
3105
848566b3 3106static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3107{
848566b3 3108 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3109}
3110
848566b3 3111static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3112{
848566b3 3113 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3114}
3115
36c86c85
MM		 3116static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3117 struct l2cap_conf_rfc *rfc)
3118{
6ed971ca 3119 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3120 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3121
3122 /* Class 1 devices have must have ERTM timeouts
3123 * exceeding the Link Supervision Timeout. The
3124 * default Link Supervision Timeout for AMP
3125 * controllers is 10 seconds.
3126 *
3127 * Class 1 devices use 0xffffffff for their
3128 * best-effort flush timeout, so the clamping logic
3129 * will result in a timeout that meets the above
3130 * requirement. ERTM timeouts are 16-bit values, so
3131 * the maximum timeout is 65.535 seconds.
3132 */
3133
3134 /* Convert timeout to milliseconds and round */
3135 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3136
3137 /* This is the recommended formula for class 2 devices
3138 * that start ERTM timers when packets are sent to the
3139 * controller.
3140 */
3141 ertm_to = 3 * ertm_to + 500;
3142
3143 if (ertm_to > 0xffff)
3144 ertm_to = 0xffff;
3145
3146 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3147 rfc->monitor_timeout = rfc->retrans_timeout;
3148 } else {
3149 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3150 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3151 }
3152}
3153
6327eb98
AE		 3154static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3155{
3156 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3157 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3158 /* use extended control field */
3159 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3160 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3161 } else {
6327eb98 3162 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3163 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3164 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3165 }
c20f8e35 3166 chan->ack_win = chan->tx_win;
6327eb98
AE		 3167}
3168
710f9b0a 3169static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3170{
1da177e4 3171 struct l2cap_conf_req *req = data;
0c1bc5c6 3172 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3173 void *ptr = req->data;
c8f79162 3174 u16 size;
1da177e4 3175
49208c9c 3176 BT_DBG("chan %p", chan);
1da177e4 3177
73ffa904 3178 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3179 goto done;
3180
0c1bc5c6 3181 switch (chan->mode) {
f2fcfcd6
GP		 3182 case L2CAP_MODE_STREAMING:
3183 case L2CAP_MODE_ERTM:
c1360a1c 3184 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3185 break;
85eb53c6 3186
848566b3 3187 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3188 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3189
2ba13ed6 3190 /* fall through */
f2fcfcd6 3191 default:
8c1d787b 3192 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3193 break;
3194 }
3195
3196done:
0c1bc5c6
GP		 3197 if (chan->imtu != L2CAP_DEFAULT_MTU)
3198 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3199
0c1bc5c6 3200 switch (chan->mode) {
65c7c491 3201 case L2CAP_MODE_BASIC:
8c1d787b 3202 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3203 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3204 break;
3205
62547752
GP		 3206 rfc.mode = L2CAP_MODE_BASIC;
3207 rfc.txwin_size = 0;
3208 rfc.max_transmit = 0;
3209 rfc.retrans_timeout = 0;
3210 rfc.monitor_timeout = 0;
3211 rfc.max_pdu_size = 0;
3212
63406504 3213 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3214 (unsigned long) &rfc);
65c7c491
MH		 3215 break;
3216
3217 case L2CAP_MODE_ERTM:
3218 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3219 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3220
3221 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3222
3223 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3224 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3225 L2CAP_FCS_SIZE);
c8f79162 3226 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3227
6327eb98
AE		 3228 l2cap_txwin_setup(chan);
3229
3230 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3231 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3232
63406504 3233 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3234 (unsigned long) &rfc);
63406504 3235
f89cef09
AE		 3236 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3237 l2cap_add_opt_efs(&ptr, chan);
3238
6327eb98
AE		 3239 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3240 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3241 chan->tx_win);
60918918
AE		 3242
3243 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3244 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3245 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3246 chan->fcs = L2CAP_FCS_NONE;
3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3248 chan->fcs);
3249 }
f2fcfcd6
GP		 3250 break;
3251
3252 case L2CAP_MODE_STREAMING:
273759e2 3253 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3254 rfc.mode = L2CAP_MODE_STREAMING;
3255 rfc.txwin_size = 0;
3256 rfc.max_transmit = 0;
3257 rfc.retrans_timeout = 0;
3258 rfc.monitor_timeout = 0;
c8f79162
AE		 3259
3260 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3261 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3262 L2CAP_FCS_SIZE);
c8f79162 3263 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3264
63406504 3265 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3266 (unsigned long) &rfc);
63406504 3267
f89cef09
AE		 3268 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3269 l2cap_add_opt_efs(&ptr, chan);
3270
60918918
AE		 3271 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3272 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3273 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3274 chan->fcs = L2CAP_FCS_NONE;
3275 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3276 chan->fcs);
3277 }
65c7c491
MH		 3278 break;
3279 }
1da177e4 3280
fe4128e0 3281 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3282 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3283
3284 return ptr - data;
3285}
3286
73ffa904 3287static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3288{
5dee9e7c
MH		 3289 struct l2cap_conf_rsp *rsp = data;
3290 void *ptr = rsp->data;
73ffa904
GP		 3291 void *req = chan->conf_req;
3292 int len = chan->conf_len;
5dee9e7c
MH		 3293 int type, hint, olen;
3294 unsigned long val;
6464f35f 3295 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3296 struct l2cap_conf_efs efs;
3297 u8 remote_efs = 0;
861d6882 3298 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3299 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3300 u16 size;
1da177e4 3301
73ffa904 3302 BT_DBG("chan %p", chan);
820ae1b8 3303
5dee9e7c
MH		 3304 while (len >= L2CAP_CONF_OPT_SIZE) {
3305 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3306
589d2746 3307 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3308 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3309
3310 switch (type) {
3311 case L2CAP_CONF_MTU:
861d6882 3312 mtu = val;
5dee9e7c
MH		 3313 break;
3314
3315 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3316 chan->flush_to = val;
5dee9e7c
MH		 3317 break;
3318
3319 case L2CAP_CONF_QOS:
3320 break;
3321
6464f35f
MH		 3322 case L2CAP_CONF_RFC:
3323 if (olen == sizeof(rfc))
3324 memcpy(&rfc, (void *) val, olen);
3325 break;
3326
fcc203c3
GP		 3327 case L2CAP_CONF_FCS:
3328 if (val == L2CAP_FCS_NONE)
f2592d3e 3329 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3330 break;
fcc203c3 3331
42dceae2
AE		 3332 case L2CAP_CONF_EFS:
3333 remote_efs = 1;
3334 if (olen == sizeof(efs))
3335 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3336 break;
3337
6327eb98 3338 case L2CAP_CONF_EWS:
848566b3 3339 if (!chan->conn->hs_enabled)
6327eb98 3340 return -ECONNREFUSED;
fcc203c3 3341
6327eb98
AE		 3342 set_bit(FLAG_EXT_CTRL, &chan->flags);
3343 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3344 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3345 chan->remote_tx_win = val;
fcc203c3
GP		 3346 break;
3347
5dee9e7c
MH		 3348 default:
3349 if (hint)
3350 break;
3351
3352 result = L2CAP_CONF_UNKNOWN;
3353 *((u8 *) ptr++) = type;
3354 break;
3355 }
3356 }
3357
73ffa904 3358 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3359 goto done;
3360
0c1bc5c6 3361 switch (chan->mode) {
f2fcfcd6
GP		 3362 case L2CAP_MODE_STREAMING:
3363 case L2CAP_MODE_ERTM:
c1360a1c 3364 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3365 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3366 chan->conn->feat_mask);
85eb53c6
GP		 3367 break;
3368 }
3369
42dceae2 3370 if (remote_efs) {
848566b3 3371 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3372 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3373 else
3374 return -ECONNREFUSED;
3375 }
3376
0c1bc5c6 3377 if (chan->mode != rfc.mode)
f2fcfcd6 3378 return -ECONNREFUSED;
742e519b 3379
f2fcfcd6 3380 break;
f2fcfcd6
GP		 3381 }
3382
3383done:
0c1bc5c6 3384 if (chan->mode != rfc.mode) {
f2fcfcd6 3385 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3386 rfc.mode = chan->mode;
f2fcfcd6 3387
73ffa904 3388 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3389 return -ECONNREFUSED;
3390
2d792818
GP		 3391 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3392 (unsigned long) &rfc);
f2fcfcd6
GP		 3393 }
3394
5dee9e7c
MH		 3395 if (result == L2CAP_CONF_SUCCESS) {
3396 /* Configure output options and let the other side know
3397 * which ones we don't like. */
3398
f2fcfcd6
GP		 3399 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3400 result = L2CAP_CONF_UNACCEPT;
3401 else {
0c1bc5c6 3402 chan->omtu = mtu;
c1360a1c 3403 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3404 }
0c1bc5c6 3405 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3406
42dceae2
AE		 3407 if (remote_efs) {
3408 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3409 efs.stype != L2CAP_SERV_NOTRAFIC &&
3410 efs.stype != chan->local_stype) {
42dceae2
AE		 3411
3412 result = L2CAP_CONF_UNACCEPT;
3413
3414 if (chan->num_conf_req >= 1)
3415 return -ECONNREFUSED;
3416
3417 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3418 sizeof(efs),
3419 (unsigned long) &efs);
0e8b207e 3420 } else {
3e6b3b95 3421 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3422 result = L2CAP_CONF_PENDING;
3423 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3424 }
3425 }
3426
f2fcfcd6
GP		 3427 switch (rfc.mode) {
3428 case L2CAP_MODE_BASIC:
47d1ec61 3429 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3430 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3431 break;
3432
3433 case L2CAP_MODE_ERTM:
6327eb98
AE		 3434 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3435 chan->remote_tx_win = rfc.txwin_size;
3436 else
3437 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3438
2c03a7a4 3439 chan->remote_max_tx = rfc.max_transmit;
1c762159 3440
c8f79162 3441 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3442 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3443 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3444 rfc.max_pdu_size = cpu_to_le16(size);
3445 chan->remote_mps = size;
f2fcfcd6 3446
36c86c85 3447 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3448
c1360a1c 3449 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3450
3451 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3452 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3453
42dceae2
AE		 3454 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3455 chan->remote_id = efs.id;
3456 chan->remote_stype = efs.stype;
3457 chan->remote_msdu = le16_to_cpu(efs.msdu);
3458 chan->remote_flush_to =
2d792818 3459 le32_to_cpu(efs.flush_to);
42dceae2 3460 chan->remote_acc_lat =
2d792818 3461 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3462 chan->remote_sdu_itime =
3463 le32_to_cpu(efs.sdu_itime);
3464 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3465 sizeof(efs),
3466 (unsigned long) &efs);
42dceae2 3467 }
f2fcfcd6
GP		 3468 break;
3469
3470 case L2CAP_MODE_STREAMING:
c8f79162 3471 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3472 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3473 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3474 rfc.max_pdu_size = cpu_to_le16(size);
3475 chan->remote_mps = size;
f2fcfcd6 3476
c1360a1c 3477 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3478
2d792818
GP		 3479 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3480 (unsigned long) &rfc);
68ae6639 3481
f2fcfcd6
GP		 3482 break;
3483
3484 default:
5dee9e7c 3485 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3486
6464f35f 3487 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3488 rfc.mode = chan->mode;
f2fcfcd6 3489 }
6464f35f 3490
f2fcfcd6 3491 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3492 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3493 }
fe4128e0 3494 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3495 rsp->result = cpu_to_le16(result);
59e54bd1 3496 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3497
3498 return ptr - data;
1da177e4
LT		 3499}
3500
2d792818
GP		 3501static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3502 void *data, u16 *result)
f2fcfcd6 3503{
f2fcfcd6
GP		 3504 struct l2cap_conf_req *req = data;
3505 void *ptr = req->data;
3506 int type, olen;
3507 unsigned long val;
36e999a8 3508 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3509 struct l2cap_conf_efs efs;
f2fcfcd6 3510
fe4128e0 3511 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3512
3513 while (len >= L2CAP_CONF_OPT_SIZE) {
3514 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3515
3516 switch (type) {
3517 case L2CAP_CONF_MTU:
3518 if (val < L2CAP_DEFAULT_MIN_MTU) {
3519 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3520 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3521 } else
0c1bc5c6
GP		 3522 chan->imtu = val;
3523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3524 break;
3525
3526 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3527 chan->flush_to = val;
f2fcfcd6 3528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3529 2, chan->flush_to);
f2fcfcd6
GP		 3530 break;
3531
3532 case L2CAP_CONF_RFC:
3533 if (olen == sizeof(rfc))
3534 memcpy(&rfc, (void *)val, olen);
3535
c1360a1c 3536 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3537 rfc.mode != chan->mode)
f2fcfcd6
GP		 3538 return -ECONNREFUSED;
3539
47d1ec61 3540 chan->fcs = 0;
f2fcfcd6
GP		 3541
3542 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3543 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3544 break;
6327eb98
AE		 3545
3546 case L2CAP_CONF_EWS:
c20f8e35 3547 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3548 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3549 chan->tx_win);
6327eb98 3550 break;
66af7aaf
AE		 3551
3552 case L2CAP_CONF_EFS:
3553 if (olen == sizeof(efs))
3554 memcpy(&efs, (void *)val, olen);
3555
3556 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3557 efs.stype != L2CAP_SERV_NOTRAFIC &&
3558 efs.stype != chan->local_stype)
66af7aaf
AE		 3559 return -ECONNREFUSED;
3560
2d792818
GP		 3561 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3562 (unsigned long) &efs);
66af7aaf 3563 break;
cbabee78
AE		 3564
3565 case L2CAP_CONF_FCS:
3566 if (*result == L2CAP_CONF_PENDING)
3567 if (val == L2CAP_FCS_NONE)
f2592d3e 3568 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3569 &chan->conf_state);
3570 break;
f2fcfcd6
GP		 3571 }
3572 }
3573
0c1bc5c6 3574 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3575 return -ECONNREFUSED;
3576
0c1bc5c6 3577 chan->mode = rfc.mode;
6c2ea7a8 3578
0e8b207e 3579 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3580 switch (rfc.mode) {
3581 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3582 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3583 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3584 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3585 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3586 chan->ack_win = min_t(u16, chan->ack_win,
3587 rfc.txwin_size);
66af7aaf
AE		 3588
3589 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3590 chan->local_msdu = le16_to_cpu(efs.msdu);
3591 chan->local_sdu_itime =
2d792818 3592 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3593 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3594 chan->local_flush_to =
2d792818 3595 le32_to_cpu(efs.flush_to);
66af7aaf 3596 }
f2fcfcd6 3597 break;
66af7aaf 3598
f2fcfcd6 3599 case L2CAP_MODE_STREAMING:
47d1ec61 3600 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3601 }
3602 }
3603
fe4128e0 3604 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3605 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3606
3607 return ptr - data;
3608}
3609
2d792818
GP		 3610static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3611 u16 result, u16 flags)
1da177e4
LT		 3612{
3613 struct l2cap_conf_rsp *rsp = data;
3614 void *ptr = rsp->data;
1da177e4 3615
fe4128e0 3616 BT_DBG("chan %p", chan);
1da177e4 3617
fe4128e0 3618 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3619 rsp->result = cpu_to_le16(result);
aca3192c 3620 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3621
3622 return ptr - data;
3623}
3624
8c1d787b 3625void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3626{
3627 struct l2cap_conn_rsp rsp;
8c1d787b 3628 struct l2cap_conn *conn = chan->conn;
710f9b0a 3629 u8 buf[128];
439f34ac 3630 u8 rsp_code;
710f9b0a 3631
fe4128e0
GP		 3632 rsp.scid = cpu_to_le16(chan->dcid);
3633 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3634 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3635 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3636
3637 if (chan->hs_hcon)
3638 rsp_code = L2CAP_CREATE_CHAN_RSP;
3639 else
3640 rsp_code = L2CAP_CONN_RSP;
3641
3642 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3643
3644 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3645
c1360a1c 3646 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3647 return;
3648
710f9b0a 3649 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3650 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3651 chan->num_conf_req++;
3652}
3653
47d1ec61 3654static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3655{
7b1c0049
GP		 3656 int type, olen;
3657 unsigned long val;
c20f8e35
MM		 3658 /* Use sane default values in case a misbehaving remote device
3659 * did not send an RFC or extended window size option.
3660 */
3661 u16 txwin_ext = chan->ack_win;
3662 struct l2cap_conf_rfc rfc = {
3663 .mode = chan->mode,
3664 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3665 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3666 .max_pdu_size = cpu_to_le16(chan->imtu),
3667 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3668 };
7b1c0049 3669
47d1ec61 3670 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3671
0c1bc5c6 3672 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3673 return;
3674
3675 while (len >= L2CAP_CONF_OPT_SIZE) {
3676 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3677
c20f8e35
MM		 3678 switch (type) {
3679 case L2CAP_CONF_RFC:
3680 if (olen == sizeof(rfc))
3681 memcpy(&rfc, (void *)val, olen);
8f321f85 3682 break;
c20f8e35
MM		 3683 case L2CAP_CONF_EWS:
3684 txwin_ext = val;
3685 break;
3686 }
7b1c0049
GP		 3687 }
3688
7b1c0049
GP		 3689 switch (rfc.mode) {
3690 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3691 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3692 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3693 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3694 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3695 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3696 else
3697 chan->ack_win = min_t(u16, chan->ack_win,
3698 rfc.txwin_size);
7b1c0049
GP		 3699 break;
3700 case L2CAP_MODE_STREAMING:
47d1ec61 3701 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3702 }
3703}
3704
2d792818 3705static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3706 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3707 u8 *data)
4e8402a3 3708{
e2fd318e 3709 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3710
cb3b3152
JH		 3711 if (cmd_len < sizeof(*rej))
3712 return -EPROTO;
3713
e2fd318e 3714 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3715 return 0;
3716
3717 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3718 cmd->ident == conn->info_ident) {
17cd3f37 3719 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3720
3721 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3722 conn->info_ident = 0;
984947dc 3723
4e8402a3
MH		 3724 l2cap_conn_start(conn);
3725 }
3726
3727 return 0;
3728}
3729
1700915f
MM		 3730static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3731 struct l2cap_cmd_hdr *cmd,
3732 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3733{
1da177e4
LT		 3734 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3735 struct l2cap_conn_rsp rsp;
23691d75 3736 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3737 struct sock *parent, *sk = NULL;
e7c29cb1 3738 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3739
3740 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3741 __le16 psm = req->psm;
1da177e4 3742
097db76c 3743 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3744
3745 /* Check if we have socket listening on psm */
c2287681 3746 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3747 if (!pchan) {
1da177e4
LT		 3748 result = L2CAP_CR_BAD_PSM;
3749 goto sendresp;
3750 }
3751
23691d75
GP		 3752 parent = pchan->sk;
3753
3df91ea2 3754 mutex_lock(&conn->chan_lock);
aa2ac881 3755 lock_sock(parent);
e0f0cb56 3756
e7c29cb1 3757 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3758 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3759 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3760 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3761 result = L2CAP_CR_SEC_BLOCK;
3762 goto response;
3763 }
3764
1da177e4
LT		 3765 result = L2CAP_CR_NO_MEM;
3766
2dfa1003
GP		 3767 /* Check if we already have channel with that dcid */
3768 if (__l2cap_get_chan_by_dcid(conn, scid))
3769 goto response;
3770
80b98027 3771 chan = pchan->ops->new_connection(pchan);
80808e43 3772 if (!chan)
1da177e4
LT		 3773 goto response;
3774
80808e43
GP		 3775 sk = chan->sk;
3776
330b6c15
SS		 3777 /* For certain devices (ex: HID mouse), support for authentication,
3778 * pairing and bonding is optional. For such devices, inorder to avoid
3779 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3780 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3781 */
3782 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3783
1da177e4
LT		 3784 bacpy(&bt_sk(sk)->src, conn->src);
3785 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3786 chan->psm = psm;
3787 chan->dcid = scid;
1700915f 3788 chan->local_amp_id = amp_id;
1da177e4 3789
6be36555 3790 __l2cap_chan_add(conn, chan);
48454079 3791
fe4128e0 3792 dcid = chan->scid;
1da177e4 3793
c9b66675 3794 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3795
fc7f8a7e 3796 chan->ident = cmd->ident;
1da177e4 3797
984947dc 3798 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3799 if (l2cap_chan_check_security(chan)) {
c5daa683 3800 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3801 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3802 result = L2CAP_CR_PEND;
3803 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3804 chan->ops->defer(chan);
f66dc81f 3805 } else {
1700915f
MM		 3806 /* Force pending result for AMP controllers.
3807 * The connection will succeed after the
3808 * physical link is up.
3809 */
6ed971ca 3810 if (amp_id == AMP_ID_BREDR) {
1700915f
MM		 3811 __l2cap_state_change(chan, BT_CONFIG);
3812 result = L2CAP_CR_SUCCESS;
6ed971ca
MH		 3813 } else {
3814 __l2cap_state_change(chan, BT_CONNECT2);
3815 result = L2CAP_CR_PEND;
1700915f 3816 }
f66dc81f
MH		 3817 status = L2CAP_CS_NO_INFO;
3818 }
79d554a6 3819 } else {
0e587be7 3820 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3821 result = L2CAP_CR_PEND;
3822 status = L2CAP_CS_AUTHEN_PEND;
3823 }
3824 } else {
0e587be7 3825 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3826 result = L2CAP_CR_PEND;
3827 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3828 }
3829
1da177e4 3830response:
aa2ac881 3831 release_sock(parent);
3df91ea2 3832 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3833
3834sendresp:
aca3192c
YH		 3835 rsp.scid = cpu_to_le16(scid);
3836 rsp.dcid = cpu_to_le16(dcid);
3837 rsp.result = cpu_to_le16(result);
3838 rsp.status = cpu_to_le16(status);
4c89b6aa 3839 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3840
3841 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3842 struct l2cap_info_req info;
ac73498c 3843 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3844
3845 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3846 conn->info_ident = l2cap_get_ident(conn);
3847
ba13ccd9 3848 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3849
2d792818
GP		 3850 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3851 sizeof(info), &info);
79d554a6
MH		 3852 }
3853
c1360a1c 3854 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3855 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3856 u8 buf[128];
c1360a1c 3857 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3858 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3859 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3860 chan->num_conf_req++;
e9aeb2dd 3861 }
1700915f
MM		 3862
3863 return chan;
4c89b6aa 3864}
e9aeb2dd 3865
4c89b6aa 3866static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3867 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3868{
7b064eda
JK		 3869 struct hci_dev *hdev = conn->hcon->hdev;
3870 struct hci_conn *hcon = conn->hcon;
3871
cb3b3152
JH		 3872 if (cmd_len < sizeof(struct l2cap_conn_req))
3873 return -EPROTO;
3874
7b064eda
JK		 3875 hci_dev_lock(hdev);
3876 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3877 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3878 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3879 hcon->dst_type, 0, NULL, 0,
3880 hcon->dev_class);
3881 hci_dev_unlock(hdev);
3882
300229f9 3883 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3884 return 0;
3885}
3886
5909cf30 3887static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3888 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3889 u8 *data)
1da177e4
LT		 3890{
3891 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3892 u16 scid, dcid, result, status;
48454079 3893 struct l2cap_chan *chan;
1da177e4 3894 u8 req[128];
3df91ea2 3895 int err;
1da177e4 3896
cb3b3152
JH		 3897 if (cmd_len < sizeof(*rsp))
3898 return -EPROTO;
3899
1da177e4
LT		 3900 scid = __le16_to_cpu(rsp->scid);
3901 dcid = __le16_to_cpu(rsp->dcid);
3902 result = __le16_to_cpu(rsp->result);
3903 status = __le16_to_cpu(rsp->status);
3904
1b009c98 3905 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3906 dcid, scid, result, status);
1da177e4 3907
3df91ea2
AE		 3908 mutex_lock(&conn->chan_lock);
3909
1da177e4 3910 if (scid) {
3df91ea2
AE		 3911 chan = __l2cap_get_chan_by_scid(conn, scid);
3912 if (!chan) {
21870b52 3913 err = -EBADSLT;
3df91ea2
AE		 3914 goto unlock;
3915 }
1da177e4 3916 } else {
3df91ea2
AE		 3917 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3918 if (!chan) {
21870b52 3919 err = -EBADSLT;
3df91ea2
AE		 3920 goto unlock;
3921 }
1da177e4
LT		 3922 }
3923
3df91ea2
AE		 3924 err = 0;
3925
6be36555 3926 l2cap_chan_lock(chan);
48454079 3927
1da177e4
LT		 3928 switch (result) {
3929 case L2CAP_CR_SUCCESS:
89bc500e 3930 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3931 chan->ident = 0;
fe4128e0 3932 chan->dcid = dcid;
c1360a1c 3933 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3934
c1360a1c 3935 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3936 break;
3937
1da177e4 3938 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3939 l2cap_build_conf_req(chan, req), req);
73ffa904 3940 chan->num_conf_req++;
1da177e4
LT		 3941 break;
3942
3943 case L2CAP_CR_PEND:
c1360a1c 3944 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3945 break;
3946
3947 default:
48454079 3948 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3949 break;
3950 }
3951
6be36555 3952 l2cap_chan_unlock(chan);
3df91ea2
AE		 3953
3954unlock:
3955 mutex_unlock(&conn->chan_lock);
3956
3957 return err;
1da177e4
LT		 3958}
3959
47d1ec61 3960static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3961{
3962 /* FCS is enabled only in ERTM or streaming mode, if one or both
3963 * sides request it.
3964 */
0c1bc5c6 3965 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3966 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3967 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3968 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3969}
3970
29d8a590
AE		 3971static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3972 u8 ident, u16 flags)
3973{
3974 struct l2cap_conn *conn = chan->conn;
3975
3976 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3977 flags);
3978
3979 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3980 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3981
3982 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3983 l2cap_build_conf_rsp(chan, data,
3984 L2CAP_CONF_SUCCESS, flags), data);
3985}
3986
2d792818
GP		 3987static inline int l2cap_config_req(struct l2cap_conn *conn,
3988 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3989 u8 *data)
1da177e4
LT		 3990{
3991 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3992 u16 dcid, flags;
3993 u8 rsp[64];
48454079 3994 struct l2cap_chan *chan;
3c588192 3995 int len, err = 0;
1da177e4 3996
cb3b3152
JH		 3997 if (cmd_len < sizeof(*req))
3998 return -EPROTO;
3999
1da177e4
LT		 4000 dcid = __le16_to_cpu(req->dcid);
4001 flags = __le16_to_cpu(req->flags);
4002
4003 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4004
baa7e1fa 4005 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 4006 if (!chan)
21870b52 4007 return -EBADSLT;
1da177e4 4008
033b1142 4009 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 4010 struct l2cap_cmd_rej_cid rej;
4011
ac73498c 4012 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 4013 rej.scid = cpu_to_le16(chan->scid);
4014 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 4015
df6bd743 4016 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 4017 sizeof(rej), &rej);
354f60a9 4018 goto unlock;
df6bd743 4019 }
354f60a9 4020
5dee9e7c 4021 /* Reject if config buffer is too small. */
88219a0f 4022 len = cmd_len - sizeof(*req);
cb3b3152 4023 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4024 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4025 l2cap_build_conf_rsp(chan, rsp,
4026 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4027 goto unlock;
4028 }
4029
4030 /* Store config. */
73ffa904
GP		 4031 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4032 chan->conf_len += len;
1da177e4 4033
59e54bd1 4034 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4035 /* Incomplete config. Send empty response. */
4036 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4037 l2cap_build_conf_rsp(chan, rsp,
4038 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4039 goto unlock;
4040 }
4041
4042 /* Complete config. */
73ffa904 4043 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4044 if (len < 0) {
5e4e3972 4045 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4046 goto unlock;
f2fcfcd6 4047 }
1da177e4 4048
1500109b 4049 chan->ident = cmd->ident;
5dee9e7c 4050 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4051 chan->num_conf_rsp++;
5dee9e7c 4052
5dee9e7c 4053 /* Reset config buffer. */
73ffa904 4054 chan->conf_len = 0;
5dee9e7c 4055
c1360a1c 4056 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4057 goto unlock;
4058
c1360a1c 4059 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4060 set_default_fcs(chan);
fcc203c3 4061
105bdf9e
MM		 4062 if (chan->mode == L2CAP_MODE_ERTM ||
4063 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4064 err = l2cap_ertm_init(chan);
4065
4066 if (err < 0)
5e4e3972 4067 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4068 else
4069 l2cap_chan_ready(chan);
0565c1c2 4070
876d9484
MH		 4071 goto unlock;
4072 }
4073
c1360a1c 4074 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4075 u8 buf[64];
1da177e4 4076 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4077 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4078 chan->num_conf_req++;
1da177e4
LT		 4079 }
4080
0e8b207e
AE		 4081 /* Got Conf Rsp PENDING from remote side and asume we sent
4082 Conf Rsp PENDING in the code above */
4083 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4084 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4085
4086 /* check compatibility */
4087
79de886d 4088 /* Send rsp for BR/EDR channel */
f351bc72 4089 if (!chan->hs_hcon)
79de886d
AE		 4090 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4091 else
4092 chan->ident = cmd->ident;
0e8b207e
AE		 4093 }
4094
1da177e4 4095unlock:
6be36555 4096 l2cap_chan_unlock(chan);
3c588192 4097 return err;
1da177e4
LT		 4098}
4099
2d792818 4100static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4101 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4102 u8 *data)
1da177e4
LT		 4103{
4104 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4105 u16 scid, flags, result;
48454079 4106 struct l2cap_chan *chan;
cb3b3152 4107 int len = cmd_len - sizeof(*rsp);
3c588192 4108 int err = 0;
1da177e4 4109
cb3b3152
JH		 4110 if (cmd_len < sizeof(*rsp))
4111 return -EPROTO;
4112
1da177e4
LT		 4113 scid = __le16_to_cpu(rsp->scid);
4114 flags = __le16_to_cpu(rsp->flags);
4115 result = __le16_to_cpu(rsp->result);
4116
61386cba
AE		 4117 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4118 result, len);
1da177e4 4119
baa7e1fa 4120 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4121 if (!chan)
1da177e4
LT		 4122 return 0;
4123
4124 switch (result) {
4125 case L2CAP_CONF_SUCCESS:
47d1ec61 4126 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4127 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4128 break;
4129
0e8b207e
AE		 4130 case L2CAP_CONF_PENDING:
4131 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4132
4133 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4134 char buf[64];
4135
4136 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4137 buf, &result);
0e8b207e 4138 if (len < 0) {
5e4e3972 4139 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4140 goto done;
4141 }
4142
f351bc72 4143 if (!chan->hs_hcon) {
79de886d
AE		 4144 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4145 0);
5ce66b59
AE		 4146 } else {
4147 if (l2cap_check_efs(chan)) {
4148 amp_create_logical_link(chan);
4149 chan->ident = cmd->ident;
4150 }
4151 }
0e8b207e
AE		 4152 }
4153 goto done;
4154
1da177e4 4155 case L2CAP_CONF_UNACCEPT:
73ffa904 4156 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4157 char req[64];
4158
c2c77ec8 4159 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4160 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4161 goto done;
4162 }
4163
f2fcfcd6
GP		 4164 /* throw out any old stored conf requests */
4165 result = L2CAP_CONF_SUCCESS;
b4450035 4166 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4167 req, &result);
f2fcfcd6 4168 if (len < 0) {
5e4e3972 4169 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4170 goto done;
4171 }
4172
4173 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4174 L2CAP_CONF_REQ, len, req);
73ffa904 4175 chan->num_conf_req++;
f2fcfcd6
GP		 4176 if (result != L2CAP_CONF_SUCCESS)
4177 goto done;
4178 break;
1da177e4
LT		 4179 }
4180
8e87d142 4181 default:
6be36555 4182 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4183
ba13ccd9 4184 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4185 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4186 goto done;
4187 }
4188
59e54bd1 4189 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4190 goto done;
4191
c1360a1c 4192 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4193
c1360a1c 4194 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4195 set_default_fcs(chan);
fcc203c3 4196
105bdf9e
MM		 4197 if (chan->mode == L2CAP_MODE_ERTM ||
4198 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4199 err = l2cap_ertm_init(chan);
0565c1c2 4200
3c588192 4201 if (err < 0)
5e4e3972 4202 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4203 else
4204 l2cap_chan_ready(chan);
1da177e4
LT		 4205 }
4206
4207done:
6be36555 4208 l2cap_chan_unlock(chan);
3c588192 4209 return err;
1da177e4
LT		 4210}
4211
2d792818 4212static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4213 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4214 u8 *data)
1da177e4
LT		 4215{
4216 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4217 struct l2cap_disconn_rsp rsp;
4218 u16 dcid, scid;
48454079 4219 struct l2cap_chan *chan;
1da177e4
LT		 4220 struct sock *sk;
4221
cb3b3152
JH		 4222 if (cmd_len != sizeof(*req))
4223 return -EPROTO;
4224
1da177e4
LT		 4225 scid = __le16_to_cpu(req->scid);
4226 dcid = __le16_to_cpu(req->dcid);
4227
4228 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4229
3df91ea2
AE		 4230 mutex_lock(&conn->chan_lock);
4231
4232 chan = __l2cap_get_chan_by_scid(conn, dcid);
4233 if (!chan) {
4234 mutex_unlock(&conn->chan_lock);
c4ea249f 4235 return -EBADSLT;
3df91ea2 4236 }
1da177e4 4237
6be36555
AE		 4238 l2cap_chan_lock(chan);
4239
48454079
GP		 4240 sk = chan->sk;
4241
fe4128e0
GP		 4242 rsp.dcid = cpu_to_le16(chan->scid);
4243 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4244 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4245
6be36555 4246 lock_sock(sk);
1da177e4 4247 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4248 release_sock(sk);
1da177e4 4249
61d6ef3e 4250 l2cap_chan_hold(chan);
48454079 4251 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4252
4253 l2cap_chan_unlock(chan);
1da177e4 4254
80b98027 4255 chan->ops->close(chan);
61d6ef3e 4256 l2cap_chan_put(chan);
3df91ea2
AE		 4257
4258 mutex_unlock(&conn->chan_lock);
4259
1da177e4
LT		 4260 return 0;
4261}
4262
2d792818 4263static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4264 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4265 u8 *data)
1da177e4
LT		 4266{
4267 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4268 u16 dcid, scid;
48454079 4269 struct l2cap_chan *chan;
1da177e4 4270
cb3b3152
JH		 4271 if (cmd_len != sizeof(*rsp))
4272 return -EPROTO;
4273
1da177e4
LT		 4274 scid = __le16_to_cpu(rsp->scid);
4275 dcid = __le16_to_cpu(rsp->dcid);
4276
4277 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4278
3df91ea2
AE		 4279 mutex_lock(&conn->chan_lock);
4280
4281 chan = __l2cap_get_chan_by_scid(conn, scid);
4282 if (!chan) {
4283 mutex_unlock(&conn->chan_lock);
1da177e4 4284 return 0;
3df91ea2 4285 }
1da177e4 4286
6be36555 4287 l2cap_chan_lock(chan);
48454079 4288
61d6ef3e 4289 l2cap_chan_hold(chan);
48454079 4290 l2cap_chan_del(chan, 0);
6be36555
AE		 4291
4292 l2cap_chan_unlock(chan);
1da177e4 4293
80b98027 4294 chan->ops->close(chan);
61d6ef3e 4295 l2cap_chan_put(chan);
3df91ea2
AE		 4296
4297 mutex_unlock(&conn->chan_lock);
4298
1da177e4
LT		 4299 return 0;
4300}
4301
2d792818 4302static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4303 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4304 u8 *data)
1da177e4
LT		 4305{
4306 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4307 u16 type;
4308
cb3b3152
JH		 4309 if (cmd_len != sizeof(*req))
4310 return -EPROTO;
4311
1da177e4
LT		 4312 type = __le16_to_cpu(req->type);
4313
4314 BT_DBG("type 0x%4.4x", type);
4315
f0709e03
MH		 4316 if (type == L2CAP_IT_FEAT_MASK) {
4317 u8 buf[8];
44dd46de 4318 u32 feat_mask = l2cap_feat_mask;
f0709e03 4319 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4320 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4321 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4322 if (!disable_ertm)
fcc203c3 4323 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4324 | L2CAP_FEAT_FCS;
848566b3 4325 if (conn->hs_enabled)
6327eb98 4326 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4327 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4328
1b7bf4ed 4329 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4330 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4331 buf);
e1027a7c
MH		 4332 } else if (type == L2CAP_IT_FIXED_CHAN) {
4333 u8 buf[12];
4334 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4335
848566b3 4336 if (conn->hs_enabled)
50a147cd
MM		 4337 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4338 else
4339 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4340
ac73498c
AE		 4341 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4342 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4343 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4344 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4345 buf);
f0709e03
MH		 4346 } else {
4347 struct l2cap_info_rsp rsp;
4348 rsp.type = cpu_to_le16(type);
ac73498c 4349 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4350 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4351 &rsp);
f0709e03 4352 }
1da177e4
LT		 4353
4354 return 0;
4355}
4356
2d792818 4357static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4358 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4359 u8 *data)
1da177e4
LT		 4360{
4361 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4362 u16 type, result;
4363
3f6fa3d4 4364 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4365 return -EPROTO;
4366
1da177e4
LT		 4367 type = __le16_to_cpu(rsp->type);
4368 result = __le16_to_cpu(rsp->result);
4369
4370 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4371
e90165be
AE		 4372 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4373 if (cmd->ident != conn->info_ident ||
2d792818 4374 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4375 return 0;
4376
17cd3f37 4377 cancel_delayed_work(&conn->info_timer);
4e8402a3 4378
adb08ede
VT		 4379 if (result != L2CAP_IR_SUCCESS) {
4380 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4381 conn->info_ident = 0;
4382
4383 l2cap_conn_start(conn);
4384
4385 return 0;
4386 }
4387
978c93b9
AE		 4388 switch (type) {
4389 case L2CAP_IT_FEAT_MASK:
83985319 4390 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4391
47ec1dcd 4392 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4393 struct l2cap_info_req req;
ac73498c 4394 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4395
4396 conn->info_ident = l2cap_get_ident(conn);
4397
4398 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4399 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4400 } else {
4401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4402 conn->info_ident = 0;
4403
4404 l2cap_conn_start(conn);
4405 }
978c93b9
AE		 4406 break;
4407
4408 case L2CAP_IT_FIXED_CHAN:
4409 conn->fixed_chan_mask = rsp->data[0];
984947dc 4410 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4411 conn->info_ident = 0;
984947dc
MH		 4412
4413 l2cap_conn_start(conn);
978c93b9 4414 break;
984947dc 4415 }
4e8402a3 4416
1da177e4
LT		 4417 return 0;
4418}
4419
1700915f
MM		 4420static int l2cap_create_channel_req(struct l2cap_conn *conn,
4421 struct l2cap_cmd_hdr *cmd,
4422 u16 cmd_len, void *data)
f94ff6ff
MM		 4423{
4424 struct l2cap_create_chan_req *req = data;
6e1df6a6 4425 struct l2cap_create_chan_rsp rsp;
1700915f 4426 struct l2cap_chan *chan;
6e1df6a6 4427 struct hci_dev *hdev;
f94ff6ff
MM		 4428 u16 psm, scid;
4429
4430 if (cmd_len != sizeof(*req))
4431 return -EPROTO;
4432
848566b3 4433 if (!conn->hs_enabled)
f94ff6ff
MM		 4434 return -EINVAL;
4435
4436 psm = le16_to_cpu(req->psm);
4437 scid = le16_to_cpu(req->scid);
4438
ad0ac6ca 4439 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4440
6e1df6a6 4441 /* For controller id 0 make BR/EDR connection */
6ed971ca 4442 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4443 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4444 req->amp_id);
4445 return 0;
4446 }
1700915f 4447
6e1df6a6
AE		 4448 /* Validate AMP controller id */
4449 hdev = hci_dev_get(req->amp_id);
4450 if (!hdev)
4451 goto error;
1700915f 4452
6e1df6a6
AE		 4453 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4454 hci_dev_put(hdev);
4455 goto error;
4456 }
1700915f 4457
6e1df6a6
AE		 4458 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4459 req->amp_id);
4460 if (chan) {
4461 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4462 struct hci_conn *hs_hcon;
1700915f 4463
6e1df6a6
AE		 4464 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4465 if (!hs_hcon) {
4466 hci_dev_put(hdev);
21870b52 4467 return -EBADSLT;
1700915f
MM		 4468 }
4469
6e1df6a6
AE		 4470 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4471
6e1df6a6
AE		 4472 mgr->bredr_chan = chan;
4473 chan->hs_hcon = hs_hcon;
fd45bf4c 4474 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4475 conn->mtu = hdev->block_mtu;
1700915f 4476 }
f94ff6ff 4477
6e1df6a6 4478 hci_dev_put(hdev);
f94ff6ff
MM		 4479
4480 return 0;
6e1df6a6
AE		 4481
4482error:
4483 rsp.dcid = 0;
4484 rsp.scid = cpu_to_le16(scid);
4485 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4486 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4487
4488 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4489 sizeof(rsp), &rsp);
4490
dc280801 4491 return 0;
f94ff6ff
MM		 4492}
4493
8eb200bd
MM		 4494static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4495{
4496 struct l2cap_move_chan_req req;
4497 u8 ident;
4498
4499 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4500
4501 ident = l2cap_get_ident(chan->conn);
4502 chan->ident = ident;
4503
4504 req.icid = cpu_to_le16(chan->scid);
4505 req.dest_amp_id = dest_amp_id;
4506
4507 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4508 &req);
4509
4510 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4511}
4512
1500109b 4513static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4514{
4515 struct l2cap_move_chan_rsp rsp;
4516
1500109b 4517 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4518
1500109b 4519 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4520 rsp.result = cpu_to_le16(result);
4521
1500109b
MM		 4522 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4523 sizeof(rsp), &rsp);
8d5a04a1
MM		 4524}
4525
5b155ef9 4526static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4527{
4528 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4529
5b155ef9 4530 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4531
5b155ef9 4532 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4533
5b155ef9 4534 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4535 cfm.result = cpu_to_le16(result);
4536
5b155ef9
MM		 4537 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4538 sizeof(cfm), &cfm);
4539
4540 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4541}
4542
4543static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4544{
4545 struct l2cap_move_chan_cfm cfm;
4546
4547 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4548
4549 cfm.icid = cpu_to_le16(icid);
4550 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4551
4552 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4553 sizeof(cfm), &cfm);
8d5a04a1
MM		 4554}
4555
4556static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4557 u16 icid)
8d5a04a1
MM		 4558{
4559 struct l2cap_move_chan_cfm_rsp rsp;
4560
ad0ac6ca 4561 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4562
4563 rsp.icid = cpu_to_le16(icid);
4564 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4565}
4566
5f3847a4
MM		 4567static void __release_logical_link(struct l2cap_chan *chan)
4568{
4569 chan->hs_hchan = NULL;
4570 chan->hs_hcon = NULL;
4571
4572 /* Placeholder - release the logical link */
4573}
4574
1500109b
MM		 4575static void l2cap_logical_fail(struct l2cap_chan *chan)
4576{
4577 /* Logical link setup failed */
4578 if (chan->state != BT_CONNECTED) {
4579 /* Create channel failure, disconnect */
5e4e3972 4580 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4581 return;
4582 }
4583
4584 switch (chan->move_role) {
4585 case L2CAP_MOVE_ROLE_RESPONDER:
4586 l2cap_move_done(chan);
4587 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4588 break;
4589 case L2CAP_MOVE_ROLE_INITIATOR:
4590 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4591 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4592 /* Remote has only sent pending or
4593 * success responses, clean up
4594 */
4595 l2cap_move_done(chan);
4596 }
4597
4598 /* Other amp move states imply that the move
4599 * has already aborted
4600 */
4601 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4602 break;
4603 }
4604}
4605
4606static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4607 struct hci_chan *hchan)
4608{
4609 struct l2cap_conf_rsp rsp;
1500109b 4610
336178a3 4611 chan->hs_hchan = hchan;
1500109b
MM		 4612 chan->hs_hcon->l2cap_data = chan->conn;
4613
35ba9561 4614 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4615
4616 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4617 int err;
1500109b
MM		 4618
4619 set_default_fcs(chan);
4620
4621 err = l2cap_ertm_init(chan);
4622 if (err < 0)
5e4e3972 4623 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4624 else
4625 l2cap_chan_ready(chan);
4626 }
4627}
4628
4629static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4630 struct hci_chan *hchan)
4631{
4632 chan->hs_hcon = hchan->conn;
4633 chan->hs_hcon->l2cap_data = chan->conn;
4634
4635 BT_DBG("move_state %d", chan->move_state);
4636
4637 switch (chan->move_state) {
4638 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4639 /* Move confirm will be sent after a success
4640 * response is received
4641 */
4642 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4643 break;
4644 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4645 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4646 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4647 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4648 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4649 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4650 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4651 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4652 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4653 }
4654 break;
4655 default:
4656 /* Move was not in expected state, free the channel */
4657 __release_logical_link(chan);
4658
4659 chan->move_state = L2CAP_MOVE_STABLE;
4660 }
4661}
4662
4663/* Call with chan locked */
27695fb4
AE		 4664void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4665 u8 status)
5b155ef9 4666{
1500109b
MM		 4667 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4668
4669 if (status) {
4670 l2cap_logical_fail(chan);
4671 __release_logical_link(chan);
4672 return;
4673 }
4674
4675 if (chan->state != BT_CONNECTED) {
4676 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4677 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4678 l2cap_logical_finish_create(chan, hchan);
4679 } else {
4680 l2cap_logical_finish_move(chan, hchan);
4681 }
5b155ef9
MM		 4682}
4683
3f7a56c4
MM		 4684void l2cap_move_start(struct l2cap_chan *chan)
4685{
4686 BT_DBG("chan %p", chan);
4687
6ed971ca 4688 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4689 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4690 return;
4691 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4692 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4693 /* Placeholder - start physical link setup */
4694 } else {
4695 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4696 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4697 chan->move_id = 0;
4698 l2cap_move_setup(chan);
4699 l2cap_send_move_chan_req(chan, 0);
4700 }
4701}
4702
8eb200bd
MM		 4703static void l2cap_do_create(struct l2cap_chan *chan, int result,
4704 u8 local_amp_id, u8 remote_amp_id)
4705{
62748ca1
AE		 4706 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4707 local_amp_id, remote_amp_id);
4708
12d6cc60
AE		 4709 chan->fcs = L2CAP_FCS_NONE;
4710
62748ca1
AE		 4711 /* Outgoing channel on AMP */
4712 if (chan->state == BT_CONNECT) {
4713 if (result == L2CAP_CR_SUCCESS) {
4714 chan->local_amp_id = local_amp_id;
4715 l2cap_send_create_chan_req(chan, remote_amp_id);
4716 } else {
4717 /* Revert to BR/EDR connect */
4718 l2cap_send_conn_req(chan);
4719 }
4720
4721 return;
4722 }
4723
4724 /* Incoming channel on AMP */
4725 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4726 struct l2cap_conn_rsp rsp;
4727 char buf[128];
4728 rsp.scid = cpu_to_le16(chan->dcid);
4729 rsp.dcid = cpu_to_le16(chan->scid);
4730
8eb200bd
MM		 4731 if (result == L2CAP_CR_SUCCESS) {
4732 /* Send successful response */
62cd50e2
AE		 4733 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4734 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4735 } else {
4736 /* Send negative response */
62cd50e2
AE		 4737 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4738 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4739 }
4740
4741 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4742 sizeof(rsp), &rsp);
4743
4744 if (result == L2CAP_CR_SUCCESS) {
4745 __l2cap_state_change(chan, BT_CONFIG);
4746 set_bit(CONF_REQ_SENT, &chan->conf_state);
4747 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4748 L2CAP_CONF_REQ,
4749 l2cap_build_conf_req(chan, buf), buf);
4750 chan->num_conf_req++;
4751 }
8eb200bd
MM		 4752 }
4753}
4754
4755static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4756 u8 remote_amp_id)
4757{
4758 l2cap_move_setup(chan);
4759 chan->move_id = local_amp_id;
4760 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4761
4762 l2cap_send_move_chan_req(chan, remote_amp_id);
4763}
4764
4765static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4766{
4767 struct hci_chan *hchan = NULL;
4768
4769 /* Placeholder - get hci_chan for logical link */
4770
4771 if (hchan) {
4772 if (hchan->state == BT_CONNECTED) {
4773 /* Logical link is ready to go */
4774 chan->hs_hcon = hchan->conn;
4775 chan->hs_hcon->l2cap_data = chan->conn;
4776 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4777 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4778
4779 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4780 } else {
4781 /* Wait for logical link to be ready */
4782 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4783 }
4784 } else {
4785 /* Logical link not available */
4786 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4787 }
4788}
4789
4790static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4791{
4792 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4793 u8 rsp_result;
4794 if (result == -EINVAL)
4795 rsp_result = L2CAP_MR_BAD_ID;
4796 else
4797 rsp_result = L2CAP_MR_NOT_ALLOWED;
4798
4799 l2cap_send_move_chan_rsp(chan, rsp_result);
4800 }
4801
4802 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4803 chan->move_state = L2CAP_MOVE_STABLE;
4804
4805 /* Restart data transmission */
4806 l2cap_ertm_send(chan);
4807}
4808
a514b17f
AE		 4809/* Invoke with locked chan */
4810void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4811{
770bfefa 4812 u8 local_amp_id = chan->local_amp_id;
fffadc08 4813 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4814
8eb200bd
MM		 4815 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4816 chan, result, local_amp_id, remote_amp_id);
4817
8eb200bd
MM		 4818 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4819 l2cap_chan_unlock(chan);
4820 return;
4821 }
4822
4823 if (chan->state != BT_CONNECTED) {
4824 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4825 } else if (result != L2CAP_MR_SUCCESS) {
4826 l2cap_do_move_cancel(chan, result);
4827 } else {
4828 switch (chan->move_role) {
4829 case L2CAP_MOVE_ROLE_INITIATOR:
4830 l2cap_do_move_initiate(chan, local_amp_id,
4831 remote_amp_id);
4832 break;
4833 case L2CAP_MOVE_ROLE_RESPONDER:
4834 l2cap_do_move_respond(chan, result);
4835 break;
4836 default:
4837 l2cap_do_move_cancel(chan, result);
4838 break;
4839 }
4840 }
8eb200bd
MM		 4841}
4842
8d5a04a1 4843static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4844 struct l2cap_cmd_hdr *cmd,
4845 u16 cmd_len, void *data)
8d5a04a1
MM		 4846{
4847 struct l2cap_move_chan_req *req = data;
1500109b 4848 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4849 struct l2cap_chan *chan;
8d5a04a1
MM		 4850 u16 icid = 0;
4851 u16 result = L2CAP_MR_NOT_ALLOWED;
4852
4853 if (cmd_len != sizeof(*req))
4854 return -EPROTO;
4855
4856 icid = le16_to_cpu(req->icid);
4857
ad0ac6ca 4858 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4859
848566b3 4860 if (!conn->hs_enabled)
8d5a04a1
MM		 4861 return -EINVAL;
4862
02b0fbb9
MM		 4863 chan = l2cap_get_chan_by_dcid(conn, icid);
4864 if (!chan) {
1500109b
MM		 4865 rsp.icid = cpu_to_le16(icid);
4866 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4867 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4868 sizeof(rsp), &rsp);
02b0fbb9
MM		 4869 return 0;
4870 }
4871
1500109b
MM		 4872 chan->ident = cmd->ident;
4873
02b0fbb9
MM		 4874 if (chan->scid < L2CAP_CID_DYN_START ||
4875 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4876 (chan->mode != L2CAP_MODE_ERTM &&
4877 chan->mode != L2CAP_MODE_STREAMING)) {
4878 result = L2CAP_MR_NOT_ALLOWED;
4879 goto send_move_response;
4880 }
4881
4882 if (chan->local_amp_id == req->dest_amp_id) {
4883 result = L2CAP_MR_SAME_ID;
4884 goto send_move_response;
4885 }
4886
6ed971ca 4887 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4888 struct hci_dev *hdev;
4889 hdev = hci_dev_get(req->dest_amp_id);
4890 if (!hdev || hdev->dev_type != HCI_AMP ||
4891 !test_bit(HCI_UP, &hdev->flags)) {
4892 if (hdev)
4893 hci_dev_put(hdev);
4894
4895 result = L2CAP_MR_BAD_ID;
4896 goto send_move_response;
4897 }
4898 hci_dev_put(hdev);
4899 }
4900
4901 /* Detect a move collision. Only send a collision response
4902 * if this side has "lost", otherwise proceed with the move.
4903 * The winner has the larger bd_addr.
4904 */
4905 if ((__chan_is_moving(chan) ||
4906 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4907 bacmp(conn->src, conn->dst) > 0) {
4908 result = L2CAP_MR_COLLISION;
4909 goto send_move_response;
4910 }
4911
02b0fbb9
MM		 4912 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4913 l2cap_move_setup(chan);
4914 chan->move_id = req->dest_amp_id;
4915 icid = chan->dcid;
4916
6ed971ca 4917 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4918 /* Moving to BR/EDR */
4919 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4920 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4921 result = L2CAP_MR_PEND;
4922 } else {
4923 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4924 result = L2CAP_MR_SUCCESS;
4925 }
4926 } else {
4927 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4928 /* Placeholder - uncomment when amp functions are available */
4929 /*amp_accept_physical(chan, req->dest_amp_id);*/
4930 result = L2CAP_MR_PEND;
4931 }
4932
4933send_move_response:
1500109b 4934 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4935
02b0fbb9
MM		 4936 l2cap_chan_unlock(chan);
4937
8d5a04a1
MM		 4938 return 0;
4939}
4940
5b155ef9
MM		 4941static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4942{
4943 struct l2cap_chan *chan;
4944 struct hci_chan *hchan = NULL;
4945
4946 chan = l2cap_get_chan_by_scid(conn, icid);
4947 if (!chan) {
4948 l2cap_send_move_chan_cfm_icid(conn, icid);
4949 return;
4950 }
4951
4952 __clear_chan_timer(chan);
4953 if (result == L2CAP_MR_PEND)
4954 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4955
4956 switch (chan->move_state) {
4957 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4958 /* Move confirm will be sent when logical link
4959 * is complete.
4960 */
4961 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4962 break;
4963 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4964 if (result == L2CAP_MR_PEND) {
4965 break;
4966 } else if (test_bit(CONN_LOCAL_BUSY,
4967 &chan->conn_state)) {
4968 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4969 } else {
4970 /* Logical link is up or moving to BR/EDR,
4971 * proceed with move
4972 */
4973 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4974 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4975 }
4976 break;
4977 case L2CAP_MOVE_WAIT_RSP:
4978 /* Moving to AMP */
4979 if (result == L2CAP_MR_SUCCESS) {
4980 /* Remote is ready, send confirm immediately
4981 * after logical link is ready
4982 */
4983 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4984 } else {
4985 /* Both logical link and move success
4986 * are required to confirm
4987 */
4988 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4989 }
4990
4991 /* Placeholder - get hci_chan for logical link */
4992 if (!hchan) {
4993 /* Logical link not available */
4994 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4995 break;
4996 }
4997
4998 /* If the logical link is not yet connected, do not
4999 * send confirmation.
5000 */
5001 if (hchan->state != BT_CONNECTED)
5002 break;
5003
5004 /* Logical link is already ready to go */
5005
5006 chan->hs_hcon = hchan->conn;
5007 chan->hs_hcon->l2cap_data = chan->conn;
5008
5009 if (result == L2CAP_MR_SUCCESS) {
5010 /* Can confirm now */
5011 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5012 } else {
5013 /* Now only need move success
5014 * to confirm
5015 */
5016 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5017 }
5018
5019 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5020 break;
5021 default:
5022 /* Any other amp move state means the move failed. */
5023 chan->move_id = chan->local_amp_id;
5024 l2cap_move_done(chan);
5025 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5026 }
5027
5028 l2cap_chan_unlock(chan);
5029}
5030
5031static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5032 u16 result)
5033{
5034 struct l2cap_chan *chan;
5035
5036 chan = l2cap_get_chan_by_ident(conn, ident);
5037 if (!chan) {
5038 /* Could not locate channel, icid is best guess */
5039 l2cap_send_move_chan_cfm_icid(conn, icid);
5040 return;
5041 }
5042
5043 __clear_chan_timer(chan);
5044
5045 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5046 if (result == L2CAP_MR_COLLISION) {
5047 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5048 } else {
5049 /* Cleanup - cancel move */
5050 chan->move_id = chan->local_amp_id;
5051 l2cap_move_done(chan);
5052 }
5053 }
5054
5055 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5056
5057 l2cap_chan_unlock(chan);
5058}
5059
5060static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5061 struct l2cap_cmd_hdr *cmd,
5062 u16 cmd_len, void *data)
8d5a04a1
MM		 5063{
5064 struct l2cap_move_chan_rsp *rsp = data;
5065 u16 icid, result;
5066
5067 if (cmd_len != sizeof(*rsp))
5068 return -EPROTO;
5069
5070 icid = le16_to_cpu(rsp->icid);
5071 result = le16_to_cpu(rsp->result);
5072
ad0ac6ca 5073 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5074
5b155ef9
MM		 5075 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5076 l2cap_move_continue(conn, icid, result);
5077 else
5078 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5079
5080 return 0;
5081}
5082
5f3847a4
MM		 5083static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5084 struct l2cap_cmd_hdr *cmd,
5085 u16 cmd_len, void *data)
8d5a04a1
MM		 5086{
5087 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5088 struct l2cap_chan *chan;
8d5a04a1
MM		 5089 u16 icid, result;
5090
5091 if (cmd_len != sizeof(*cfm))
5092 return -EPROTO;
5093
5094 icid = le16_to_cpu(cfm->icid);
5095 result = le16_to_cpu(cfm->result);
5096
ad0ac6ca 5097 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5098
5f3847a4
MM		 5099 chan = l2cap_get_chan_by_dcid(conn, icid);
5100 if (!chan) {
5101 /* Spec requires a response even if the icid was not found */
5102 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5103 return 0;
5104 }
5105
5106 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5107 if (result == L2CAP_MC_CONFIRMED) {
5108 chan->local_amp_id = chan->move_id;
6ed971ca 5109 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5110 __release_logical_link(chan);
5111 } else {
5112 chan->move_id = chan->local_amp_id;
5113 }
5114
5115 l2cap_move_done(chan);
5116 }
5117
8d5a04a1
MM		 5118 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5119
5f3847a4
MM		 5120 l2cap_chan_unlock(chan);
5121
8d5a04a1
MM		 5122 return 0;
5123}
5124
5125static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5126 struct l2cap_cmd_hdr *cmd,
5127 u16 cmd_len, void *data)
8d5a04a1
MM		 5128{
5129 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5130 struct l2cap_chan *chan;
8d5a04a1
MM		 5131 u16 icid;
5132
5133 if (cmd_len != sizeof(*rsp))
5134 return -EPROTO;
5135
5136 icid = le16_to_cpu(rsp->icid);
5137
ad0ac6ca 5138 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5139
3fd71a0a
MM		 5140 chan = l2cap_get_chan_by_scid(conn, icid);
5141 if (!chan)
5142 return 0;
5143
5144 __clear_chan_timer(chan);
5145
5146 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5147 chan->local_amp_id = chan->move_id;
5148
6ed971ca 5149 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5150 __release_logical_link(chan);
5151
5152 l2cap_move_done(chan);
5153 }
5154
5155 l2cap_chan_unlock(chan);
5156
8d5a04a1
MM		 5157 return 0;
5158}
5159
e2174ca4 5160static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5161 u16 to_multiplier)
de73115a
CT		 5162{
5163 u16 max_latency;
5164
5165 if (min > max || min < 6 || max > 3200)
5166 return -EINVAL;
5167
5168 if (to_multiplier < 10 || to_multiplier > 3200)
5169 return -EINVAL;
5170
5171 if (max >= to_multiplier * 8)
5172 return -EINVAL;
5173
5174 max_latency = (to_multiplier * 8 / max) - 1;
5175 if (latency > 499 || latency > max_latency)
5176 return -EINVAL;
5177
5178 return 0;
5179}
5180
5181static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5182 struct l2cap_cmd_hdr *cmd,
5183 u8 *data)
de73115a
CT		 5184{
5185 struct hci_conn *hcon = conn->hcon;
5186 struct l2cap_conn_param_update_req *req;
5187 struct l2cap_conn_param_update_rsp rsp;
5188 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5189 int err;
de73115a
CT		 5190
5191 if (!(hcon->link_mode & HCI_LM_MASTER))
5192 return -EINVAL;
5193
5194 cmd_len = __le16_to_cpu(cmd->len);
5195 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5196 return -EPROTO;
5197
5198 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5199 min = __le16_to_cpu(req->min);
5200 max = __le16_to_cpu(req->max);
de73115a
CT		 5201 latency = __le16_to_cpu(req->latency);
5202 to_multiplier = __le16_to_cpu(req->to_multiplier);
5203
5204 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5205 min, max, latency, to_multiplier);
de73115a
CT		 5206
5207 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5208
5209 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5210 if (err)
ac73498c 5211 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5212 else
ac73498c 5213 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5214
5215 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5216 sizeof(rsp), &rsp);
de73115a 5217
2ce603eb
CT		 5218 if (!err)
5219 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5220
de73115a
CT		 5221 return 0;
5222}
5223
3300d9a9 5224static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5225 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5226 u8 *data)
3300d9a9
CT		 5227{
5228 int err = 0;
5229
5230 switch (cmd->code) {
5231 case L2CAP_COMMAND_REJ:
cb3b3152 5232 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5233 break;
5234
5235 case L2CAP_CONN_REQ:
cb3b3152 5236 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5237 break;
5238
5239 case L2CAP_CONN_RSP:
f5a2598d 5240 case L2CAP_CREATE_CHAN_RSP:
9245e737 5241 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5242 break;
5243
5244 case L2CAP_CONF_REQ:
5245 err = l2cap_config_req(conn, cmd, cmd_len, data);
5246 break;
5247
5248 case L2CAP_CONF_RSP:
9245e737 5249 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5250 break;
5251
5252 case L2CAP_DISCONN_REQ:
cb3b3152 5253 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5254 break;
5255
5256 case L2CAP_DISCONN_RSP:
9245e737 5257 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5258 break;
5259
5260 case L2CAP_ECHO_REQ:
5261 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5262 break;
5263
5264 case L2CAP_ECHO_RSP:
5265 break;
5266
5267 case L2CAP_INFO_REQ:
cb3b3152 5268 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5269 break;
5270
5271 case L2CAP_INFO_RSP:
9245e737 5272 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5273 break;
5274
f94ff6ff
MM		 5275 case L2CAP_CREATE_CHAN_REQ:
5276 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5277 break;
5278
8d5a04a1
MM		 5279 case L2CAP_MOVE_CHAN_REQ:
5280 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5281 break;
5282
5283 case L2CAP_MOVE_CHAN_RSP:
9245e737 5284 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5285 break;
5286
5287 case L2CAP_MOVE_CHAN_CFM:
5288 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5289 break;
5290
5291 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5292 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5293 break;
5294
3300d9a9
CT		 5295 default:
5296 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5297 err = -EINVAL;
5298 break;
5299 }
5300
5301 return err;
5302}
5303
5304static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5305 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5306{
5307 switch (cmd->code) {
5308 case L2CAP_COMMAND_REJ:
5309 return 0;
5310
5311 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5312 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5313
5314 case L2CAP_CONN_PARAM_UPDATE_RSP:
5315 return 0;
5316
5317 default:
5318 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5319 return -EINVAL;
5320 }
5321}
5322
7c2005d6
JH		 5323static __le16 l2cap_err_to_reason(int err)
5324{
5325 switch (err) {
5326 case -EBADSLT:
5327 return __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
5328 case -EMSGSIZE:
5329 return __constant_cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
5330 case -EINVAL:
5331 case -EPROTO:
5332 default:
5333 return __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5334 }
5335}
5336
c5623556
JH		 5337static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5338 struct sk_buff *skb)
5339{
69c4e4e8 5340 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5341 struct l2cap_cmd_hdr *cmd;
5342 u16 len;
c5623556
JH		 5343 int err;
5344
69c4e4e8 5345 if (hcon->type != LE_LINK)
3b166295 5346 goto drop;
69c4e4e8 5347
4f3e219d
MH		 5348 if (skb->len < L2CAP_CMD_HDR_SIZE)
5349 goto drop;
c5623556 5350
4f3e219d
MH		 5351 cmd = (void *) skb->data;
5352 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5353
4f3e219d 5354 len = le16_to_cpu(cmd->len);
c5623556 5355
4f3e219d 5356 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5357
4f3e219d
MH		 5358 if (len != skb->len || !cmd->ident) {
5359 BT_DBG("corrupted command");
5360 goto drop;
5361 }
c5623556 5362
4f3e219d
MH		 5363 err = l2cap_le_sig_cmd(conn, cmd, skb->data);
5364 if (err) {
5365 struct l2cap_cmd_rej_unk rej;
c5623556 5366
4f3e219d 5367 BT_ERR("Wrong link type (%d)", err);
c5623556 5368
4f3e219d
MH		 5369 rej.reason = l2cap_err_to_reason(err);
5370 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5371 sizeof(rej), &rej);
c5623556
JH		 5372 }
5373
3b166295 5374drop:
c5623556
JH		 5375 kfree_skb(skb);
5376}
5377
3300d9a9 5378static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5379 struct sk_buff *skb)
1da177e4 5380{
69c4e4e8 5381 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5382 u8 *data = skb->data;
5383 int len = skb->len;
5384 struct l2cap_cmd_hdr cmd;
3300d9a9 5385 int err;
1da177e4
LT		 5386
5387 l2cap_raw_recv(conn, skb);
5388
69c4e4e8 5389 if (hcon->type != ACL_LINK)
3b166295 5390 goto drop;
69c4e4e8 5391
1da177e4 5392 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5393 u16 cmd_len;
1da177e4
LT		 5394 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5395 data += L2CAP_CMD_HDR_SIZE;
5396 len -= L2CAP_CMD_HDR_SIZE;
5397
88219a0f 5398 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5399
2d792818
GP		 5400 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5401 cmd.ident);
1da177e4 5402
88219a0f 5403 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5404 BT_DBG("corrupted command");
5405 break;
5406 }
5407
c5623556 5408 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5409 if (err) {
e2fd318e 5410 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5411
5412 BT_ERR("Wrong link type (%d)", err);
1da177e4 5413
7c2005d6 5414 rej.reason = l2cap_err_to_reason(err);
2d792818
GP		 5415 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5416 sizeof(rej), &rej);
1da177e4
LT		 5417 }
5418
88219a0f
AV		 5419 data += cmd_len;
5420 len -= cmd_len;
1da177e4
LT		 5421 }
5422
3b166295 5423drop:
1da177e4
LT		 5424 kfree_skb(skb);
5425}
5426
47d1ec61 5427static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5428{
5429 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5430 int hdr_size;
5431
5432 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5433 hdr_size = L2CAP_EXT_HDR_SIZE;
5434 else
5435 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5436
47d1ec61 5437 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5438 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5439 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5440 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5441
5442 if (our_fcs != rcv_fcs)
7a560e5c 5443 return -EBADMSG;
fcc203c3
GP		 5444 }
5445 return 0;
5446}
5447
6ea00485 5448static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5449{
e31f7633 5450 struct l2cap_ctrl control;
d5392c8f 5451
e31f7633 5452 BT_DBG("chan %p", chan);
d5392c8f 5453
e31f7633
MM		 5454 memset(&control, 0, sizeof(control));
5455 control.sframe = 1;
5456 control.final = 1;
5457 control.reqseq = chan->buffer_seq;
5458 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5459
e2ab4353 5460 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5461 control.super = L2CAP_SUPER_RNR;
5462 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5463 }
5464
e31f7633
MM		 5465 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5466 chan->unacked_frames > 0)
5467 __set_retrans_timer(chan);
d5392c8f 5468
e31f7633 5469 /* Send pending iframes */
525cd185 5470 l2cap_ertm_send(chan);
d5392c8f 5471
e2ab4353 5472 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5473 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5474 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5475 * send it now.
5476 */
5477 control.super = L2CAP_SUPER_RR;
5478 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5479 }
5480}
5481
2d792818
GP		 5482static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5483 struct sk_buff **last_frag)
18778a63 5484{
84084a31
MM		 5485 /* skb->len reflects data in skb as well as all fragments
5486 * skb->data_len reflects only data in fragments
5487 */
5488 if (!skb_has_frag_list(skb))
5489 skb_shinfo(skb)->frag_list = new_frag;
5490
5491 new_frag->next = NULL;
5492
5493 (*last_frag)->next = new_frag;
5494 *last_frag = new_frag;
5495
5496 skb->len += new_frag->len;
5497 skb->data_len += new_frag->len;
5498 skb->truesize += new_frag->truesize;
5499}
5500
4b51dae9
MM		 5501static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5502 struct l2cap_ctrl *control)
84084a31
MM		 5503{
5504 int err = -EINVAL;
18778a63 5505
4b51dae9 5506 switch (control->sar) {
7e0ef6ee 5507 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5508 if (chan->sdu)
5509 break;
18778a63 5510
80b98027 5511 err = chan->ops->recv(chan, skb);
84084a31 5512 break;
18778a63 5513
7e0ef6ee 5514 case L2CAP_SAR_START:
84084a31
MM		 5515 if (chan->sdu)
5516 break;
18778a63 5517
6f61fd47 5518 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5519 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5520
84084a31
MM		 5521 if (chan->sdu_len > chan->imtu) {
5522 err = -EMSGSIZE;
5523 break;
5524 }
1890d36b 5525
84084a31
MM		 5526 if (skb->len >= chan->sdu_len)
5527 break;
18778a63 5528
84084a31
MM		 5529 chan->sdu = skb;
5530 chan->sdu_last_frag = skb;
18778a63 5531
84084a31
MM		 5532 skb = NULL;
5533 err = 0;
18778a63
GP		 5534 break;
5535
7e0ef6ee 5536 case L2CAP_SAR_CONTINUE:
6f61fd47 5537 if (!chan->sdu)
84084a31 5538 break;
18778a63 5539
84084a31
MM		 5540 append_skb_frag(chan->sdu, skb,
5541 &chan->sdu_last_frag);
5542 skb = NULL;
18778a63 5543
84084a31
MM		 5544 if (chan->sdu->len >= chan->sdu_len)
5545 break;
4178ba46 5546
84084a31 5547 err = 0;
18778a63
GP		 5548 break;
5549
7e0ef6ee 5550 case L2CAP_SAR_END:
6f61fd47 5551 if (!chan->sdu)
84084a31 5552 break;
18778a63 5553
84084a31
MM		 5554 append_skb_frag(chan->sdu, skb,
5555 &chan->sdu_last_frag);
5556 skb = NULL;
4178ba46 5557
84084a31
MM		 5558 if (chan->sdu->len != chan->sdu_len)
5559 break;
18778a63 5560
80b98027 5561 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5562
84084a31
MM		 5563 if (!err) {
5564 /* Reassembly complete */
5565 chan->sdu = NULL;
5566 chan->sdu_last_frag = NULL;
5567 chan->sdu_len = 0;
1890d36b 5568 }
18778a63
GP		 5569 break;
5570 }
5571
84084a31
MM		 5572 if (err) {
5573 kfree_skb(skb);
5574 kfree_skb(chan->sdu);
5575 chan->sdu = NULL;
5576 chan->sdu_last_frag = NULL;
5577 chan->sdu_len = 0;
5578 }
18778a63 5579
84084a31 5580 return err;
18778a63
GP		 5581}
5582
32b32735
MM		 5583static int l2cap_resegment(struct l2cap_chan *chan)
5584{
5585 /* Placeholder */
5586 return 0;
5587}
5588
61aa4f5b 5589void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5590{
61aa4f5b 5591 u8 event;
712132eb 5592
61aa4f5b
MM		 5593 if (chan->mode != L2CAP_MODE_ERTM)
5594 return;
712132eb 5595
61aa4f5b 5596 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5597 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5598}
5599
d2a7ac5d
MM		 5600static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5601{
63838725
MM		 5602 int err = 0;
5603 /* Pass sequential frames to l2cap_reassemble_sdu()
5604 * until a gap is encountered.
5605 */
5606
5607 BT_DBG("chan %p", chan);
5608
5609 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5610 struct sk_buff *skb;
5611 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5612 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5613
5614 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5615
5616 if (!skb)
5617 break;
5618
5619 skb_unlink(skb, &chan->srej_q);
5620 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5621 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5622 if (err)
5623 break;
5624 }
5625
5626 if (skb_queue_empty(&chan->srej_q)) {
5627 chan->rx_state = L2CAP_RX_STATE_RECV;
5628 l2cap_send_ack(chan);
5629 }
5630
5631 return err;
d2a7ac5d
MM		 5632}
5633
5634static void l2cap_handle_srej(struct l2cap_chan *chan,
5635 struct l2cap_ctrl *control)
5636{
f80842a8
MM		 5637 struct sk_buff *skb;
5638
5639 BT_DBG("chan %p, control %p", chan, control);
5640
5641 if (control->reqseq == chan->next_tx_seq) {
5642 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5643 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5644 return;
5645 }
5646
5647 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5648
5649 if (skb == NULL) {
5650 BT_DBG("Seq %d not available for retransmission",
5651 control->reqseq);
5652 return;
5653 }
5654
5655 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5656 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5657 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5658 return;
5659 }
5660
5661 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5662
5663 if (control->poll) {
5664 l2cap_pass_to_tx(chan, control);
5665
5666 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5667 l2cap_retransmit(chan, control);
5668 l2cap_ertm_send(chan);
5669
5670 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5671 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5672 chan->srej_save_reqseq = control->reqseq;
5673 }
5674 } else {
5675 l2cap_pass_to_tx_fbit(chan, control);
5676
5677 if (control->final) {
5678 if (chan->srej_save_reqseq != control->reqseq ||
5679 !test_and_clear_bit(CONN_SREJ_ACT,
5680 &chan->conn_state))
5681 l2cap_retransmit(chan, control);
5682 } else {
5683 l2cap_retransmit(chan, control);
5684 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5685 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5686 chan->srej_save_reqseq = control->reqseq;
5687 }
5688 }
5689 }
d2a7ac5d
MM		 5690}
5691
5692static void l2cap_handle_rej(struct l2cap_chan *chan,
5693 struct l2cap_ctrl *control)
5694{
fcd289df
MM		 5695 struct sk_buff *skb;
5696
5697 BT_DBG("chan %p, control %p", chan, control);
5698
5699 if (control->reqseq == chan->next_tx_seq) {
5700 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5701 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5702 return;
5703 }
5704
5705 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5706
5707 if (chan->max_tx && skb &&
5708 bt_cb(skb)->control.retries >= chan->max_tx) {
5709 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5710 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5711 return;
5712 }
5713
5714 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5715
5716 l2cap_pass_to_tx(chan, control);
5717
5718 if (control->final) {
5719 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5720 l2cap_retransmit_all(chan, control);
5721 } else {
5722 l2cap_retransmit_all(chan, control);
5723 l2cap_ertm_send(chan);
5724 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5725 set_bit(CONN_REJ_ACT, &chan->conn_state);
5726 }
d2a7ac5d
MM		 5727}
5728
4b51dae9
MM		 5729static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5730{
5731 BT_DBG("chan %p, txseq %d", chan, txseq);
5732
5733 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5734 chan->expected_tx_seq);
5735
5736 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5737 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5738 chan->tx_win) {
4b51dae9
MM		 5739 /* See notes below regarding "double poll" and
5740 * invalid packets.
5741 */
5742 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5743 BT_DBG("Invalid/Ignore - after SREJ");
5744 return L2CAP_TXSEQ_INVALID_IGNORE;
5745 } else {
5746 BT_DBG("Invalid - in window after SREJ sent");
5747 return L2CAP_TXSEQ_INVALID;
5748 }
5749 }
5750
5751 if (chan->srej_list.head == txseq) {
5752 BT_DBG("Expected SREJ");
5753 return L2CAP_TXSEQ_EXPECTED_SREJ;
5754 }
5755
5756 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5757 BT_DBG("Duplicate SREJ - txseq already stored");
5758 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5759 }
5760
5761 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5762 BT_DBG("Unexpected SREJ - not requested");
5763 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5764 }
5765 }
5766
5767 if (chan->expected_tx_seq == txseq) {
5768 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5769 chan->tx_win) {
5770 BT_DBG("Invalid - txseq outside tx window");
5771 return L2CAP_TXSEQ_INVALID;
5772 } else {
5773 BT_DBG("Expected");
5774 return L2CAP_TXSEQ_EXPECTED;
5775 }
5776 }
5777
5778 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5779 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5780 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5781 return L2CAP_TXSEQ_DUPLICATE;
5782 }
5783
5784 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5785 /* A source of invalid packets is a "double poll" condition,
5786 * where delays cause us to send multiple poll packets. If
5787 * the remote stack receives and processes both polls,
5788 * sequence numbers can wrap around in such a way that a
5789 * resent frame has a sequence number that looks like new data
5790 * with a sequence gap. This would trigger an erroneous SREJ
5791 * request.
5792 *
5793 * Fortunately, this is impossible with a tx window that's
5794 * less than half of the maximum sequence number, which allows
5795 * invalid frames to be safely ignored.
5796 *
5797 * With tx window sizes greater than half of the tx window
5798 * maximum, the frame is invalid and cannot be ignored. This
5799 * causes a disconnect.
5800 */
5801
5802 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5803 BT_DBG("Invalid/Ignore - txseq outside tx window");
5804 return L2CAP_TXSEQ_INVALID_IGNORE;
5805 } else {
5806 BT_DBG("Invalid - txseq outside tx window");
5807 return L2CAP_TXSEQ_INVALID;
5808 }
5809 } else {
5810 BT_DBG("Unexpected - txseq indicates missing frames");
5811 return L2CAP_TXSEQ_UNEXPECTED;
5812 }
5813}
5814
d2a7ac5d
MM		 5815static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5816 struct l2cap_ctrl *control,
5817 struct sk_buff *skb, u8 event)
5818{
5819 int err = 0;
941247f9 5820 bool skb_in_use = false;
d2a7ac5d
MM		 5821
5822 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5823 event);
5824
5825 switch (event) {
5826 case L2CAP_EV_RECV_IFRAME:
5827 switch (l2cap_classify_txseq(chan, control->txseq)) {
5828 case L2CAP_TXSEQ_EXPECTED:
5829 l2cap_pass_to_tx(chan, control);
5830
5831 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5832 BT_DBG("Busy, discarding expected seq %d",
5833 control->txseq);
5834 break;
5835 }
5836
5837 chan->expected_tx_seq = __next_seq(chan,
5838 control->txseq);
5839
5840 chan->buffer_seq = chan->expected_tx_seq;
941247f9 5841 skb_in_use = true;
d2a7ac5d
MM		 5842
5843 err = l2cap_reassemble_sdu(chan, skb, control);
5844 if (err)
5845 break;
5846
5847 if (control->final) {
5848 if (!test_and_clear_bit(CONN_REJ_ACT,
5849 &chan->conn_state)) {
5850 control->final = 0;
5851 l2cap_retransmit_all(chan, control);
5852 l2cap_ertm_send(chan);
5853 }
5854 }
5855
5856 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5857 l2cap_send_ack(chan);
5858 break;
5859 case L2CAP_TXSEQ_UNEXPECTED:
5860 l2cap_pass_to_tx(chan, control);
5861
5862 /* Can't issue SREJ frames in the local busy state.
5863 * Drop this frame, it will be seen as missing
5864 * when local busy is exited.
5865 */
5866 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5867 BT_DBG("Busy, discarding unexpected seq %d",
5868 control->txseq);
5869 break;
5870 }
5871
5872 /* There was a gap in the sequence, so an SREJ
5873 * must be sent for each missing frame. The
5874 * current frame is stored for later use.
5875 */
5876 skb_queue_tail(&chan->srej_q, skb);
941247f9 5877 skb_in_use = true;
d2a7ac5d
MM		 5878 BT_DBG("Queued %p (queue len %d)", skb,
5879 skb_queue_len(&chan->srej_q));
5880
5881 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5882 l2cap_seq_list_clear(&chan->srej_list);
5883 l2cap_send_srej(chan, control->txseq);
5884
5885 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5886 break;
5887 case L2CAP_TXSEQ_DUPLICATE:
5888 l2cap_pass_to_tx(chan, control);
5889 break;
5890 case L2CAP_TXSEQ_INVALID_IGNORE:
5891 break;
5892 case L2CAP_TXSEQ_INVALID:
5893 default:
5e4e3972 5894 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5895 break;
5896 }
5897 break;
5898 case L2CAP_EV_RECV_RR:
5899 l2cap_pass_to_tx(chan, control);
5900 if (control->final) {
5901 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5902
e6a3ee6e
MM		 5903 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5904 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5905 control->final = 0;
5906 l2cap_retransmit_all(chan, control);
5907 }
5908
5909 l2cap_ertm_send(chan);
5910 } else if (control->poll) {
5911 l2cap_send_i_or_rr_or_rnr(chan);
5912 } else {
5913 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5914 &chan->conn_state) &&
5915 chan->unacked_frames)
5916 __set_retrans_timer(chan);
5917
5918 l2cap_ertm_send(chan);
5919 }
5920 break;
5921 case L2CAP_EV_RECV_RNR:
5922 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5923 l2cap_pass_to_tx(chan, control);
5924 if (control && control->poll) {
5925 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5926 l2cap_send_rr_or_rnr(chan, 0);
5927 }
5928 __clear_retrans_timer(chan);
5929 l2cap_seq_list_clear(&chan->retrans_list);
5930 break;
5931 case L2CAP_EV_RECV_REJ:
5932 l2cap_handle_rej(chan, control);
5933 break;
5934 case L2CAP_EV_RECV_SREJ:
5935 l2cap_handle_srej(chan, control);
5936 break;
5937 default:
5938 break;
5939 }
5940
5941 if (skb && !skb_in_use) {
5942 BT_DBG("Freeing %p", skb);
5943 kfree_skb(skb);
5944 }
5945
5946 return err;
5947}
5948
5949static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5950 struct l2cap_ctrl *control,
5951 struct sk_buff *skb, u8 event)
5952{
5953 int err = 0;
5954 u16 txseq = control->txseq;
941247f9 5955 bool skb_in_use = false;
d2a7ac5d
MM		 5956
5957 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5958 event);
5959
5960 switch (event) {
5961 case L2CAP_EV_RECV_IFRAME:
5962 switch (l2cap_classify_txseq(chan, txseq)) {
5963 case L2CAP_TXSEQ_EXPECTED:
5964 /* Keep frame for reassembly later */
5965 l2cap_pass_to_tx(chan, control);
5966 skb_queue_tail(&chan->srej_q, skb);
941247f9 5967 skb_in_use = true;
d2a7ac5d
MM		 5968 BT_DBG("Queued %p (queue len %d)", skb,
5969 skb_queue_len(&chan->srej_q));
5970
5971 chan->expected_tx_seq = __next_seq(chan, txseq);
5972 break;
5973 case L2CAP_TXSEQ_EXPECTED_SREJ:
5974 l2cap_seq_list_pop(&chan->srej_list);
5975
5976 l2cap_pass_to_tx(chan, control);
5977 skb_queue_tail(&chan->srej_q, skb);
941247f9 5978 skb_in_use = true;
d2a7ac5d
MM		 5979 BT_DBG("Queued %p (queue len %d)", skb,
5980 skb_queue_len(&chan->srej_q));
5981
5982 err = l2cap_rx_queued_iframes(chan);
5983 if (err)
5984 break;
5985
5986 break;
5987 case L2CAP_TXSEQ_UNEXPECTED:
5988 /* Got a frame that can't be reassembled yet.
5989 * Save it for later, and send SREJs to cover
5990 * the missing frames.
5991 */
5992 skb_queue_tail(&chan->srej_q, skb);
941247f9 5993 skb_in_use = true;
d2a7ac5d
MM		 5994 BT_DBG("Queued %p (queue len %d)", skb,
5995 skb_queue_len(&chan->srej_q));
5996
5997 l2cap_pass_to_tx(chan, control);
5998 l2cap_send_srej(chan, control->txseq);
5999 break;
6000 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6001 /* This frame was requested with an SREJ, but
6002 * some expected retransmitted frames are
6003 * missing. Request retransmission of missing
6004 * SREJ'd frames.
6005 */
6006 skb_queue_tail(&chan->srej_q, skb);
941247f9 6007 skb_in_use = true;
d2a7ac5d
MM		 6008 BT_DBG("Queued %p (queue len %d)", skb,
6009 skb_queue_len(&chan->srej_q));
6010
6011 l2cap_pass_to_tx(chan, control);
6012 l2cap_send_srej_list(chan, control->txseq);
6013 break;
6014 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6015 /* We've already queued this frame. Drop this copy. */
6016 l2cap_pass_to_tx(chan, control);
6017 break;
6018 case L2CAP_TXSEQ_DUPLICATE:
6019 /* Expecting a later sequence number, so this frame
6020 * was already received. Ignore it completely.
6021 */
6022 break;
6023 case L2CAP_TXSEQ_INVALID_IGNORE:
6024 break;
6025 case L2CAP_TXSEQ_INVALID:
6026 default:
5e4e3972 6027 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6028 break;
6029 }
6030 break;
6031 case L2CAP_EV_RECV_RR:
6032 l2cap_pass_to_tx(chan, control);
6033 if (control->final) {
6034 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6035
6036 if (!test_and_clear_bit(CONN_REJ_ACT,
6037 &chan->conn_state)) {
6038 control->final = 0;
6039 l2cap_retransmit_all(chan, control);
6040 }
6041
6042 l2cap_ertm_send(chan);
6043 } else if (control->poll) {
6044 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6045 &chan->conn_state) &&
6046 chan->unacked_frames) {
6047 __set_retrans_timer(chan);
6048 }
6049
6050 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6051 l2cap_send_srej_tail(chan);
6052 } else {
6053 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6054 &chan->conn_state) &&
6055 chan->unacked_frames)
6056 __set_retrans_timer(chan);
6057
6058 l2cap_send_ack(chan);
6059 }
6060 break;
6061 case L2CAP_EV_RECV_RNR:
6062 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6063 l2cap_pass_to_tx(chan, control);
6064 if (control->poll) {
6065 l2cap_send_srej_tail(chan);
6066 } else {
6067 struct l2cap_ctrl rr_control;
6068 memset(&rr_control, 0, sizeof(rr_control));
6069 rr_control.sframe = 1;
6070 rr_control.super = L2CAP_SUPER_RR;
6071 rr_control.reqseq = chan->buffer_seq;
6072 l2cap_send_sframe(chan, &rr_control);
6073 }
6074
6075 break;
6076 case L2CAP_EV_RECV_REJ:
6077 l2cap_handle_rej(chan, control);
6078 break;
6079 case L2CAP_EV_RECV_SREJ:
6080 l2cap_handle_srej(chan, control);
6081 break;
6082 }
6083
6084 if (skb && !skb_in_use) {
6085 BT_DBG("Freeing %p", skb);
6086 kfree_skb(skb);
6087 }
6088
6089 return err;
6090}
6091
32b32735
MM		 6092static int l2cap_finish_move(struct l2cap_chan *chan)
6093{
6094 BT_DBG("chan %p", chan);
6095
6096 chan->rx_state = L2CAP_RX_STATE_RECV;
6097
6098 if (chan->hs_hcon)
6099 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6100 else
6101 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6102
6103 return l2cap_resegment(chan);
6104}
6105
6106static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6107 struct l2cap_ctrl *control,
6108 struct sk_buff *skb, u8 event)
6109{
6110 int err;
6111
6112 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6113 event);
6114
6115 if (!control->poll)
6116 return -EPROTO;
6117
6118 l2cap_process_reqseq(chan, control->reqseq);
6119
6120 if (!skb_queue_empty(&chan->tx_q))
6121 chan->tx_send_head = skb_peek(&chan->tx_q);
6122 else
6123 chan->tx_send_head = NULL;
6124
6125 /* Rewind next_tx_seq to the point expected
6126 * by the receiver.
6127 */
6128 chan->next_tx_seq = control->reqseq;
6129 chan->unacked_frames = 0;
6130
6131 err = l2cap_finish_move(chan);
6132 if (err)
6133 return err;
6134
6135 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6136 l2cap_send_i_or_rr_or_rnr(chan);
6137
6138 if (event == L2CAP_EV_RECV_IFRAME)
6139 return -EPROTO;
6140
6141 return l2cap_rx_state_recv(chan, control, NULL, event);
6142}
6143
6144static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6145 struct l2cap_ctrl *control,
6146 struct sk_buff *skb, u8 event)
6147{
6148 int err;
6149
6150 if (!control->final)
6151 return -EPROTO;
6152
6153 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6154
6155 chan->rx_state = L2CAP_RX_STATE_RECV;
6156 l2cap_process_reqseq(chan, control->reqseq);
6157
6158 if (!skb_queue_empty(&chan->tx_q))
6159 chan->tx_send_head = skb_peek(&chan->tx_q);
6160 else
6161 chan->tx_send_head = NULL;
6162
6163 /* Rewind next_tx_seq to the point expected
6164 * by the receiver.
6165 */
6166 chan->next_tx_seq = control->reqseq;
6167 chan->unacked_frames = 0;
6168
6169 if (chan->hs_hcon)
6170 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6171 else
6172 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6173
6174 err = l2cap_resegment(chan);
6175
6176 if (!err)
6177 err = l2cap_rx_state_recv(chan, control, skb, event);
6178
6179 return err;
6180}
6181
d2a7ac5d
MM		 6182static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6183{
6184 /* Make sure reqseq is for a packet that has been sent but not acked */
6185 u16 unacked;
6186
6187 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6188 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6189}
6190
cec8ab6e
MM		 6191static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6192 struct sk_buff *skb, u8 event)
218bb9df 6193{
d2a7ac5d
MM		 6194 int err = 0;
6195
6196 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6197 control, skb, event, chan->rx_state);
6198
6199 if (__valid_reqseq(chan, control->reqseq)) {
6200 switch (chan->rx_state) {
6201 case L2CAP_RX_STATE_RECV:
6202 err = l2cap_rx_state_recv(chan, control, skb, event);
6203 break;
6204 case L2CAP_RX_STATE_SREJ_SENT:
6205 err = l2cap_rx_state_srej_sent(chan, control, skb,
6206 event);
6207 break;
32b32735
MM		 6208 case L2CAP_RX_STATE_WAIT_P:
6209 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6210 break;
6211 case L2CAP_RX_STATE_WAIT_F:
6212 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6213 break;
d2a7ac5d
MM		 6214 default:
6215 /* shut it down */
6216 break;
6217 }
6218 } else {
6219 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6220 control->reqseq, chan->next_tx_seq,
6221 chan->expected_ack_seq);
5e4e3972 6222 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6223 }
6224
6225 return err;
cec8ab6e
MM		 6226}
6227
6228static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6229 struct sk_buff *skb)
6230{
4b51dae9
MM		 6231 int err = 0;
6232
6233 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6234 chan->rx_state);
6235
6236 if (l2cap_classify_txseq(chan, control->txseq) ==
6237 L2CAP_TXSEQ_EXPECTED) {
6238 l2cap_pass_to_tx(chan, control);
6239
6240 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6241 __next_seq(chan, chan->buffer_seq));
6242
6243 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6244
6245 l2cap_reassemble_sdu(chan, skb, control);
6246 } else {
6247 if (chan->sdu) {
6248 kfree_skb(chan->sdu);
6249 chan->sdu = NULL;
6250 }
6251 chan->sdu_last_frag = NULL;
6252 chan->sdu_len = 0;
6253
6254 if (skb) {
6255 BT_DBG("Freeing %p", skb);
6256 kfree_skb(skb);
6257 }
6258 }
6259
6260 chan->last_acked_seq = control->txseq;
6261 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6262
6263 return err;
cec8ab6e
MM		 6264}
6265
6266static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6267{
6268 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6269 u16 len;
6270 u8 event;
218bb9df 6271
b76bbd66
MM		 6272 __unpack_control(chan, skb);
6273
218bb9df
GP		 6274 len = skb->len;
6275
6276 /*
6277 * We can just drop the corrupted I-frame here.
6278 * Receiver will miss it and start proper recovery
cec8ab6e 6279 * procedures and ask for retransmission.
218bb9df 6280 */
47d1ec61 6281 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6282 goto drop;
6283
cec8ab6e 6284 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6285 len -= L2CAP_SDULEN_SIZE;
218bb9df 6286
47d1ec61 6287 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6288 len -= L2CAP_FCS_SIZE;
218bb9df 6289
47d1ec61 6290 if (len > chan->mps) {
5e4e3972 6291 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6292 goto drop;
6293 }
6294
cec8ab6e
MM		 6295 if (!control->sframe) {
6296 int err;
218bb9df 6297
cec8ab6e
MM		 6298 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6299 control->sar, control->reqseq, control->final,
6300 control->txseq);
218bb9df 6301
cec8ab6e
MM		 6302 /* Validate F-bit - F=0 always valid, F=1 only
6303 * valid in TX WAIT_F
6304 */
6305 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6306 goto drop;
cec8ab6e
MM		 6307
6308 if (chan->mode != L2CAP_MODE_STREAMING) {
6309 event = L2CAP_EV_RECV_IFRAME;
6310 err = l2cap_rx(chan, control, skb, event);
6311 } else {
6312 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6313 }
6314
cec8ab6e 6315 if (err)
5e4e3972 6316 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6317 } else {
cec8ab6e
MM		 6318 const u8 rx_func_to_event[4] = {
6319 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6320 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6321 };
6322
6323 /* Only I-frames are expected in streaming mode */
6324 if (chan->mode == L2CAP_MODE_STREAMING)
6325 goto drop;
6326
6327 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6328 control->reqseq, control->final, control->poll,
6329 control->super);
6330
218bb9df 6331 if (len != 0) {
1bb166e6 6332 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6333 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6334 goto drop;
6335 }
6336
cec8ab6e
MM		 6337 /* Validate F and P bits */
6338 if (control->final && (control->poll ||
6339 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6340 goto drop;
6341
6342 event = rx_func_to_event[control->super];
6343 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6344 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6345 }
6346
6347 return 0;
6348
6349drop:
6350 kfree_skb(skb);
6351 return 0;
6352}
6353
13ca56e0
AE		 6354static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6355 struct sk_buff *skb)
1da177e4 6356{
48454079 6357 struct l2cap_chan *chan;
1da177e4 6358
baa7e1fa 6359 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6360 if (!chan) {
97e8e89d
AE		 6361 if (cid == L2CAP_CID_A2MP) {
6362 chan = a2mp_channel_create(conn, skb);
6363 if (!chan) {
6364 kfree_skb(skb);
13ca56e0 6365 return;
97e8e89d
AE		 6366 }
6367
6368 l2cap_chan_lock(chan);
6369 } else {
6370 BT_DBG("unknown cid 0x%4.4x", cid);
6371 /* Drop packet and return */
6372 kfree_skb(skb);
13ca56e0 6373 return;
97e8e89d 6374 }
1da177e4
LT		 6375 }
6376
49208c9c 6377 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6378
89bc500e 6379 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6380 goto drop;
6381
0c1bc5c6 6382 switch (chan->mode) {
1c2acffb
GP		 6383 case L2CAP_MODE_BASIC:
6384 /* If socket recv buffers overflows we drop data here
6385 * which is *bad* because L2CAP has to be reliable.
6386 * But we don't have any other choice. L2CAP doesn't
6387 * provide flow control mechanism. */
1da177e4 6388
0c1bc5c6 6389 if (chan->imtu < skb->len)
1c2acffb 6390 goto drop;
1da177e4 6391
80b98027 6392 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6393 goto done;
6394 break;
6395
6396 case L2CAP_MODE_ERTM:
6840ed07 6397 case L2CAP_MODE_STREAMING:
cec8ab6e 6398 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6399 goto done;
6400
1c2acffb 6401 default:
0c1bc5c6 6402 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6403 break;
6404 }
1da177e4
LT		 6405
6406drop:
6407 kfree_skb(skb);
6408
6409done:
6be36555 6410 l2cap_chan_unlock(chan);
1da177e4
LT		 6411}
6412
84104b24
AE		 6413static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6414 struct sk_buff *skb)
1da177e4 6415{
ae4fd2d3 6416 struct hci_conn *hcon = conn->hcon;
23691d75 6417 struct l2cap_chan *chan;
1da177e4 6418
ae4fd2d3
MH		 6419 if (hcon->type != ACL_LINK)
6420 goto drop;
6421
c2287681 6422 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6423 if (!chan)
1da177e4
LT		 6424 goto drop;
6425
5b4cedaa 6426 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6427
89bc500e 6428 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6429 goto drop;
6430
e13e21dc 6431 if (chan->imtu < skb->len)
1da177e4
LT		 6432 goto drop;
6433
80b98027 6434 if (!chan->ops->recv(chan, skb))
84104b24 6435 return;
1da177e4
LT		 6436
6437drop:
6438 kfree_skb(skb);
1da177e4
LT		 6439}
6440
72f78356 6441static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6442 struct sk_buff *skb)
9f69bda6 6443{
b99707d7 6444 struct hci_conn *hcon = conn->hcon;
23691d75 6445 struct l2cap_chan *chan;
9f69bda6 6446
b99707d7
MH		 6447 if (hcon->type != LE_LINK)
6448 goto drop;
6449
af1c0134 6450 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
72f78356 6451 conn->src, conn->dst);
23691d75 6452 if (!chan)
9f69bda6
GP		 6453 goto drop;
6454
5b4cedaa 6455 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6456
e13e21dc 6457 if (chan->imtu < skb->len)
9f69bda6
GP		 6458 goto drop;
6459
80b98027 6460 if (!chan->ops->recv(chan, skb))
6810fca7 6461 return;
9f69bda6
GP		 6462
6463drop:
6464 kfree_skb(skb);
9f69bda6
GP		 6465}
6466
1da177e4
LT		 6467static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6468{
6469 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6470 u16 cid, len;
6471 __le16 psm;
1da177e4
LT		 6472
6473 skb_pull(skb, L2CAP_HDR_SIZE);
6474 cid = __le16_to_cpu(lh->cid);
6475 len = __le16_to_cpu(lh->len);
6476
1c2acffb
GP		 6477 if (len != skb->len) {
6478 kfree_skb(skb);
6479 return;
6480 }
6481
1da177e4
LT		 6482 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6483
6484 switch (cid) {
8db4dc46 6485 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6486 l2cap_sig_channel(conn, skb);
6487 break;
6488
8db4dc46 6489 case L2CAP_CID_CONN_LESS:
097db76c 6490 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6491 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6492 l2cap_conless_channel(conn, psm, skb);
6493 break;
6494
073d1cf3 6495 case L2CAP_CID_ATT:
72f78356 6496 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6497 break;
6498
a2877629
MH		 6499 case L2CAP_CID_LE_SIGNALING:
6500 l2cap_le_sig_channel(conn, skb);
6501 break;
6502
b501d6a1
AB		 6503 case L2CAP_CID_SMP:
6504 if (smp_sig_channel(conn, skb))
6505 l2cap_conn_del(conn->hcon, EACCES);
6506 break;
6507
1da177e4
LT		 6508 default:
6509 l2cap_data_channel(conn, cid, skb);
6510 break;
6511 }
6512}
6513
6514/* ---- L2CAP interface with lower layer (HCI) ---- */
6515
686ebf28 6516int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6517{
6518 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6519 struct l2cap_chan *c;
1da177e4 6520
6ed93dc6 6521 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6522
6523 /* Find listening sockets and check their link_mode */
23691d75
GP		 6524 read_lock(&chan_list_lock);
6525 list_for_each_entry(c, &chan_list, global_l) {
6526 struct sock *sk = c->sk;
4343478f 6527
89bc500e 6528 if (c->state != BT_LISTEN)
1da177e4
LT		 6529 continue;
6530
6531 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6532 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6533 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6534 lm1 |= HCI_LM_MASTER;
1da177e4 6535 exact++;
2af6b9d5
MH		 6536 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6537 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6538 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6539 lm2 |= HCI_LM_MASTER;
6540 }
1da177e4 6541 }
23691d75 6542 read_unlock(&chan_list_lock);
1da177e4
LT		 6543
6544 return exact ? lm1 : lm2;
6545}
6546
9e664631 6547void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6548{
0139418c
MH		 6549 struct l2cap_conn *conn;
6550
6ed93dc6 6551 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6552
1da177e4 6553 if (!status) {
baf43251 6554 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6555 if (conn)
6556 l2cap_conn_ready(conn);
ba6fc317 6557 } else {
e175072f 6558 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6559 }
1da177e4
LT		 6560}
6561
686ebf28 6562int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6563{
6564 struct l2cap_conn *conn = hcon->l2cap_data;
6565
6566 BT_DBG("hcon %p", hcon);
6567
686ebf28 6568 if (!conn)
9f5a0d7b 6569 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6570 return conn->disc_reason;
6571}
6572
9e664631 6573void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6574{
6575 BT_DBG("hcon %p reason %d", hcon, reason);
6576
e175072f 6577 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6578}
6579
4343478f 6580static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6581{
715ec005 6582 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6583 return;
6584
f62e4323 6585 if (encrypt == 0x00) {
4343478f 6586 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6587 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6588 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6589 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6590 } else {
4343478f 6591 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6592 __clear_chan_timer(chan);
f62e4323
MH		 6593 }
6594}
6595
686ebf28 6596int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6597{
0139418c 6598 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6599 struct l2cap_chan *chan;
1da177e4 6600
0139418c 6601 if (!conn)
1da177e4 6602 return 0;
0139418c 6603
89d8b407 6604 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6605
160dc6ac 6606 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6607 if (!status && encrypt)
6608 smp_distribute_keys(conn, 0);
17cd3f37 6609 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6610 }
6611
3df91ea2 6612 mutex_lock(&conn->chan_lock);
1da177e4 6613
3df91ea2 6614 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6615 l2cap_chan_lock(chan);
1da177e4 6616
89d8b407
AE		 6617 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6618 state_to_string(chan->state));
f1cb9af5 6619
78eb2f98
AE		 6620 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6621 l2cap_chan_unlock(chan);
6622 continue;
6623 }
6624
073d1cf3 6625 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6626 if (!status && encrypt) {
6627 chan->sec_level = hcon->sec_level;
cf4cd009 6628 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6629 }
6630
6be36555 6631 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6632 continue;
6633 }
6634
96eff46e 6635 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6636 l2cap_chan_unlock(chan);
6a8d3010
MH		 6637 continue;
6638 }
6639
89bc500e 6640 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6641 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6642 struct sock *sk = chan->sk;
6643
c5daa683 6644 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6645 sk->sk_state_change(sk);
6646
4343478f 6647 l2cap_check_encryption(chan, encrypt);
6be36555 6648 l2cap_chan_unlock(chan);
9719f8af
MH		 6649 continue;
6650 }
6651
89bc500e 6652 if (chan->state == BT_CONNECT) {
b1235d79 6653 if (!status) {
93c3e8f5 6654 l2cap_start_connection(chan);
b1235d79 6655 } else {
ba13ccd9 6656 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6657 }
89bc500e 6658 } else if (chan->state == BT_CONNECT2) {
6be36555 6659 struct sock *sk = chan->sk;
b1235d79 6660 struct l2cap_conn_rsp rsp;
df3c3931 6661 __u16 res, stat;
1da177e4 6662
6be36555
AE		 6663 lock_sock(sk);
6664
b1235d79 6665 if (!status) {
c5daa683
GP		 6666 if (test_bit(BT_SK_DEFER_SETUP,
6667 &bt_sk(sk)->flags)) {
df3c3931
JH		 6668 res = L2CAP_CR_PEND;
6669 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6670 chan->ops->defer(chan);
df3c3931 6671 } else {
0e587be7 6672 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6673 res = L2CAP_CR_SUCCESS;
6674 stat = L2CAP_CS_NO_INFO;
6675 }
b1235d79 6676 } else {
0e587be7 6677 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6678 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6679 res = L2CAP_CR_SEC_BLOCK;
6680 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6681 }
6682
6be36555
AE		 6683 release_sock(sk);
6684
fe4128e0
GP		 6685 rsp.scid = cpu_to_le16(chan->dcid);
6686 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6687 rsp.result = cpu_to_le16(res);
6688 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6689 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6690 sizeof(rsp), &rsp);
2d369359
MM		 6691
6692 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6693 res == L2CAP_CR_SUCCESS) {
6694 char buf[128];
6695 set_bit(CONF_REQ_SENT, &chan->conf_state);
6696 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6697 L2CAP_CONF_REQ,
6698 l2cap_build_conf_req(chan, buf),
6699 buf);
6700 chan->num_conf_req++;
6701 }
b1235d79 6702 }
1da177e4 6703
6be36555 6704 l2cap_chan_unlock(chan);
1da177e4
LT		 6705 }
6706
3df91ea2 6707 mutex_unlock(&conn->chan_lock);
b1235d79 6708
1da177e4
LT		 6709 return 0;
6710}
6711
686ebf28 6712int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6713{
6714 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6715 struct l2cap_hdr *hdr;
6716 int len;
1da177e4 6717
1d13a254
AE		 6718 /* For AMP controller do not create l2cap conn */
6719 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6720 goto drop;
1da177e4 6721
5a08ecce 6722 if (!conn)
baf43251 6723 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6724
6725 if (!conn)
1da177e4
LT		 6726 goto drop;
6727
6728 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6729
d73a0988
AE		 6730 switch (flags) {
6731 case ACL_START:
6732 case ACL_START_NO_FLUSH:
6733 case ACL_COMPLETE:
1da177e4
LT		 6734 if (conn->rx_len) {
6735 BT_ERR("Unexpected start frame (len %d)", skb->len);
6736 kfree_skb(conn->rx_skb);
6737 conn->rx_skb = NULL;
6738 conn->rx_len = 0;
6739 l2cap_conn_unreliable(conn, ECOMM);
6740 }
6741
aae7fe22
AE		 6742 /* Start fragment always begin with Basic L2CAP header */
6743 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6744 BT_ERR("Frame is too short (len %d)", skb->len);
6745 l2cap_conn_unreliable(conn, ECOMM);
6746 goto drop;
6747 }
6748
6749 hdr = (struct l2cap_hdr *) skb->data;
6750 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6751
6752 if (len == skb->len) {
6753 /* Complete frame received */
6754 l2cap_recv_frame(conn, skb);
6755 return 0;
6756 }
6757
6758 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6759
6760 if (skb->len > len) {
6761 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6762 skb->len, len);
1da177e4
LT		 6763 l2cap_conn_unreliable(conn, ECOMM);
6764 goto drop;
6765 }
6766
6767 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6768 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6769 if (!conn->rx_skb)
1da177e4
LT		 6770 goto drop;
6771
d626f62b 6772 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6773 skb->len);
1da177e4 6774 conn->rx_len = len - skb->len;
d73a0988
AE		 6775 break;
6776
6777 case ACL_CONT:
1da177e4
LT		 6778 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6779
6780 if (!conn->rx_len) {
6781 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6782 l2cap_conn_unreliable(conn, ECOMM);
6783 goto drop;
6784 }
6785
6786 if (skb->len > conn->rx_len) {
6787 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6788 skb->len, conn->rx_len);
1da177e4
LT		 6789 kfree_skb(conn->rx_skb);
6790 conn->rx_skb = NULL;
6791 conn->rx_len = 0;
6792 l2cap_conn_unreliable(conn, ECOMM);
6793 goto drop;
6794 }
6795
d626f62b 6796 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6797 skb->len);
1da177e4
LT		 6798 conn->rx_len -= skb->len;
6799
6800 if (!conn->rx_len) {
6801 /* Complete frame received */
6802 l2cap_recv_frame(conn, conn->rx_skb);
6803 conn->rx_skb = NULL;
6804 }
d73a0988 6805 break;
1da177e4
LT		 6806 }
6807
6808drop:
6809 kfree_skb(skb);
6810 return 0;
6811}
6812
aef7d97c 6813static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6814{
23691d75 6815 struct l2cap_chan *c;
1da177e4 6816
333055f2 6817 read_lock(&chan_list_lock);
1da177e4 6818
23691d75
GP		 6819 list_for_each_entry(c, &chan_list, global_l) {
6820 struct sock *sk = c->sk;
101545f6 6821
fcb73338
AE		 6822 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6823 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6824 c->state, __le16_to_cpu(c->psm),
6825 c->scid, c->dcid, c->imtu, c->omtu,
6826 c->sec_level, c->mode);
61e1b4b7 6827 }
1da177e4 6828
333055f2 6829 read_unlock(&chan_list_lock);
1da177e4 6830
aef7d97c 6831 return 0;
1da177e4
LT		 6832}
6833
aef7d97c
MH		 6834static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6835{
6836 return single_open(file, l2cap_debugfs_show, inode->i_private);
6837}
6838
6839static const struct file_operations l2cap_debugfs_fops = {
6840 .open = l2cap_debugfs_open,
6841 .read = seq_read,
6842 .llseek = seq_lseek,
6843 .release = single_release,
6844};
6845
6846static struct dentry *l2cap_debugfs;
1da177e4 6847
64274518 6848int __init l2cap_init(void)
1da177e4
LT		 6849{
6850 int err;
be9d1227 6851
bb58f747 6852 err = l2cap_init_sockets();
1da177e4
LT		 6853 if (err < 0)
6854 return err;
6855
aef7d97c 6856 if (bt_debugfs) {
2d792818
GP		 6857 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6858 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6859 if (!l2cap_debugfs)
6860 BT_ERR("Failed to create L2CAP debug file");
6861 }
1da177e4 6862
1da177e4 6863 return 0;
1da177e4
LT		 6864}
6865
64274518 6866void l2cap_exit(void)
1da177e4 6867{
aef7d97c 6868 debugfs_remove(l2cap_debugfs);
bb58f747 6869 l2cap_cleanup_sockets();
1da177e4
LT		 6870}
6871
d1c4a17d
GP		 6872module_param(disable_ertm, bool, 0644);
6873MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.279036 seconds and 5 git commands to generate.