projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix duplicate call to l2cap_chan_ready()
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
509 else
510 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 511 } else {
512 /* Alloc CID for connection-oriented socket */
fe4128e0 513 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 514 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 515 }
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
416fa752
AE		 525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
530 break;
531
5491120e 532 default:
0139418c 533 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 536 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 537 }
538
8f7975b1
AE		 539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 545
371fd835 546 l2cap_chan_hold(chan);
baa7e1fa 547
3df91ea2 548 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 549}
550
466f8004 551void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 552{
553 mutex_lock(&conn->chan_lock);
554 __l2cap_chan_add(conn, chan);
3df91ea2 555 mutex_unlock(&conn->chan_lock);
0139418c
MH		 556}
557
466f8004 558void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 559{
8c1d787b 560 struct l2cap_conn *conn = chan->conn;
0139418c 561
c9b66675 562 __clear_chan_timer(chan);
0139418c 563
49208c9c 564 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 565
8e87d142 566 if (conn) {
56f60984 567 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 568 /* Delete from channel list */
3df91ea2 569 list_del(&chan->list);
3d57dc68 570
371fd835 571 l2cap_chan_put(chan);
baa7e1fa 572
8c1d787b 573 chan->conn = NULL;
3cabbfda
AE		 574
575 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 576 hci_conn_drop(conn->hcon);
56f60984
AE		 577
578 if (mgr && mgr->bredr_chan == chan)
579 mgr->bredr_chan = NULL;
0139418c
MH		 580 }
581
419e08c1
AE		 582 if (chan->hs_hchan) {
583 struct hci_chan *hs_hchan = chan->hs_hchan;
584
585 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
586 amp_disconnect_logical_link(hs_hchan);
587 }
588
b699ec0d 589 chan->ops->teardown(chan, err);
6be36555 590
2827011f 591 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 592 return;
2ead70b8 593
ee556f66
GP		 594 switch(chan->mode) {
595 case L2CAP_MODE_BASIC:
596 break;
c13ffa62 597
ee556f66 598 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 599 __clear_retrans_timer(chan);
600 __clear_monitor_timer(chan);
601 __clear_ack_timer(chan);
c13ffa62 602
f1c6775b 603 skb_queue_purge(&chan->srej_q);
c13ffa62 604
3c588192
MM		 605 l2cap_seq_list_free(&chan->srej_list);
606 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 607
608 /* fall through */
609
610 case L2CAP_MODE_STREAMING:
611 skb_queue_purge(&chan->tx_q);
612 break;
c13ffa62 613 }
ee556f66
GP		 614
615 return;
0139418c
MH		 616}
617
0f852724 618void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 619{
620 struct l2cap_conn *conn = chan->conn;
621 struct sock *sk = chan->sk;
622
2d792818
GP		 623 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
624 sk);
4519de9a 625
89bc500e 626 switch (chan->state) {
4519de9a 627 case BT_LISTEN:
b699ec0d 628 chan->ops->teardown(chan, 0);
4519de9a
GP		 629 break;
630
631 case BT_CONNECTED:
632 case BT_CONFIG:
715ec005 633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 634 conn->hcon->type == ACL_LINK) {
c9b66675 635 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 636 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 637 } else
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT2:
715ec005 642 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 643 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 644 struct l2cap_conn_rsp rsp;
645 __u16 result;
646
c5daa683 647 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 648 result = L2CAP_CR_SEC_BLOCK;
649 else
650 result = L2CAP_CR_BAD_PSM;
89bc500e 651 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 652
653 rsp.scid = cpu_to_le16(chan->dcid);
654 rsp.dcid = cpu_to_le16(chan->scid);
655 rsp.result = cpu_to_le16(result);
ac73498c 656 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 657 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 658 sizeof(rsp), &rsp);
4519de9a
GP		 659 }
660
661 l2cap_chan_del(chan, reason);
662 break;
663
664 case BT_CONNECT:
665 case BT_DISCONN:
666 l2cap_chan_del(chan, reason);
667 break;
668
669 default:
b699ec0d 670 chan->ops->teardown(chan, 0);
4519de9a
GP		 671 break;
672 }
673}
674
4343478f 675static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 676{
715ec005 677 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 678 switch (chan->sec_level) {
8556edd3
JH		 679 case BT_SECURITY_HIGH:
680 return HCI_AT_DEDICATED_BONDING_MITM;
681 case BT_SECURITY_MEDIUM:
682 return HCI_AT_DEDICATED_BONDING;
683 default:
684 return HCI_AT_NO_BONDING;
685 }
2983fd68 686 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 687 if (chan->sec_level == BT_SECURITY_LOW)
688 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 689
4343478f 690 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 691 return HCI_AT_NO_BONDING_MITM;
00ae4af9 692 else
8556edd3 693 return HCI_AT_NO_BONDING;
00ae4af9 694 } else {
4343478f 695 switch (chan->sec_level) {
00ae4af9 696 case BT_SECURITY_HIGH:
8556edd3 697 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 698 case BT_SECURITY_MEDIUM:
8556edd3 699 return HCI_AT_GENERAL_BONDING;
00ae4af9 700 default:
8556edd3 701 return HCI_AT_NO_BONDING;
00ae4af9 702 }
0684e5f9 703 }
8556edd3
JH		 704}
705
706/* Service level security */
d45fc423 707int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 708{
8c1d787b 709 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 710 __u8 auth_type;
711
4343478f 712 auth_type = l2cap_get_auth_type(chan);
79d554a6 713
4343478f 714 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 715}
716
b5ad8b7f 717static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 718{
719 u8 id;
720
721 /* Get next available identificator.
722 * 1 - 128 are used by kernel.
723 * 129 - 199 are reserved.
724 * 200 - 254 are used by utilities like l2ping, etc.
725 */
726
333055f2 727 spin_lock(&conn->lock);
4e8402a3
MH		 728
729 if (++conn->tx_ident > 128)
730 conn->tx_ident = 1;
731
732 id = conn->tx_ident;
733
333055f2 734 spin_unlock(&conn->lock);
4e8402a3
MH		 735
736 return id;
737}
738
2d792818
GP		 739static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
740 void *data)
4e8402a3
MH		 741{
742 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 743 u8 flags;
4e8402a3
MH		 744
745 BT_DBG("code 0x%2.2x", code);
746
747 if (!skb)
9a9c6a34 748 return;
4e8402a3 749
e702112f
AE		 750 if (lmp_no_flush_capable(conn->hcon->hdev))
751 flags = ACL_START_NO_FLUSH;
752 else
753 flags = ACL_START;
754
14b12d0b 755 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 756 skb->priority = HCI_PRIO_MAX;
14b12d0b 757
73d80deb
LAD		 758 hci_send_acl(conn->hchan, skb, flags);
759}
760
02b0fbb9
MM		 761static bool __chan_is_moving(struct l2cap_chan *chan)
762{
763 return chan->move_state != L2CAP_MOVE_STABLE &&
764 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
765}
766
73d80deb
LAD		 767static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
768{
769 struct hci_conn *hcon = chan->conn->hcon;
770 u16 flags;
771
772 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 773 skb->priority);
73d80deb 774
d5f8a75d
MM		 775 if (chan->hs_hcon && !__chan_is_moving(chan)) {
776 if (chan->hs_hchan)
777 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
778 else
779 kfree_skb(skb);
780
781 return;
782 }
783
73d80deb 784 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 785 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 786 flags = ACL_START_NO_FLUSH;
787 else
788 flags = ACL_START;
14b12d0b 789
73d80deb
LAD		 790 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
791 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 792}
793
b76bbd66
MM		 794static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
795{
796 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
797 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
798
799 if (enh & L2CAP_CTRL_FRAME_TYPE) {
800 /* S-Frame */
801 control->sframe = 1;
802 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
803 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
804
805 control->sar = 0;
806 control->txseq = 0;
807 } else {
808 /* I-Frame */
809 control->sframe = 0;
810 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
811 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
812
813 control->poll = 0;
814 control->super = 0;
815 }
816}
817
b76bbd66
MM		 818static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
819{
820 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
821 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
822
823 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
824 /* S-Frame */
825 control->sframe = 1;
826 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
827 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
828
829 control->sar = 0;
830 control->txseq = 0;
831 } else {
832 /* I-Frame */
833 control->sframe = 0;
834 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
835 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
836
837 control->poll = 0;
838 control->super = 0;
839 }
840}
841
842static inline void __unpack_control(struct l2cap_chan *chan,
843 struct sk_buff *skb)
844{
845 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
846 __unpack_extended_control(get_unaligned_le32(skb->data),
847 &bt_cb(skb)->control);
cec8ab6e 848 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 849 } else {
850 __unpack_enhanced_control(get_unaligned_le16(skb->data),
851 &bt_cb(skb)->control);
cec8ab6e 852 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 853 }
854}
855
b5c6aaed
MM		 856static u32 __pack_extended_control(struct l2cap_ctrl *control)
857{
858 u32 packed;
859
860 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
861 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
862
863 if (control->sframe) {
864 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
865 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
866 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
867 } else {
868 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
869 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
870 }
871
872 return packed;
873}
874
875static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
876{
877 u16 packed;
878
879 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
880 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
881
882 if (control->sframe) {
883 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
884 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
885 packed |= L2CAP_CTRL_FRAME_TYPE;
886 } else {
887 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
888 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
889 }
890
891 return packed;
892}
893
b76bbd66
MM		 894static inline void __pack_control(struct l2cap_chan *chan,
895 struct l2cap_ctrl *control,
896 struct sk_buff *skb)
897{
898 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
899 put_unaligned_le32(__pack_extended_control(control),
900 skb->data + L2CAP_HDR_SIZE);
901 } else {
902 put_unaligned_le16(__pack_enhanced_control(control),
903 skb->data + L2CAP_HDR_SIZE);
904 }
905}
906
ba7aa64f
GP		 907static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
908{
909 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
910 return L2CAP_EXT_HDR_SIZE;
911 else
912 return L2CAP_ENH_HDR_SIZE;
913}
914
a67d7f6f
MM		 915static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
916 u32 control)
b5c6aaed
MM		 917{
918 struct sk_buff *skb;
919 struct l2cap_hdr *lh;
ba7aa64f 920 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 921
922 if (chan->fcs == L2CAP_FCS_CRC16)
923 hlen += L2CAP_FCS_SIZE;
924
a67d7f6f 925 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 926
b5c6aaed 927 if (!skb)
a67d7f6f 928 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 929
930 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
931 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
932 lh->cid = cpu_to_le16(chan->dcid);
933
a67d7f6f
MM		 934 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
935 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
936 else
937 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 938
939 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 940 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 941 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
942 }
943
944 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 945 return skb;
946}
947
948static void l2cap_send_sframe(struct l2cap_chan *chan,
949 struct l2cap_ctrl *control)
950{
951 struct sk_buff *skb;
952 u32 control_field;
953
954 BT_DBG("chan %p, control %p", chan, control);
955
956 if (!control->sframe)
957 return;
958
b99e13ad
MM		 959 if (__chan_is_moving(chan))
960 return;
961
a67d7f6f
MM		 962 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
963 !control->poll)
964 control->final = 1;
965
966 if (control->super == L2CAP_SUPER_RR)
967 clear_bit(CONN_RNR_SENT, &chan->conn_state);
968 else if (control->super == L2CAP_SUPER_RNR)
969 set_bit(CONN_RNR_SENT, &chan->conn_state);
970
971 if (control->super != L2CAP_SUPER_SREJ) {
972 chan->last_acked_seq = control->reqseq;
973 __clear_ack_timer(chan);
974 }
975
976 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
977 control->final, control->poll, control->super);
978
979 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
980 control_field = __pack_extended_control(control);
981 else
982 control_field = __pack_enhanced_control(control);
983
984 skb = l2cap_create_sframe_pdu(chan, control_field);
985 if (!IS_ERR(skb))
986 l2cap_do_send(chan, skb);
b5c6aaed
MM		 987}
988
c9e3d5e0 989static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 990{
c9e3d5e0
MM		 991 struct l2cap_ctrl control;
992
993 BT_DBG("chan %p, poll %d", chan, poll);
994
995 memset(&control, 0, sizeof(control));
996 control.sframe = 1;
997 control.poll = poll;
998
999 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1000 control.super = L2CAP_SUPER_RNR;
1001 else
1002 control.super = L2CAP_SUPER_RR;
b5c6aaed 1003
c9e3d5e0
MM		 1004 control.reqseq = chan->buffer_seq;
1005 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1006}
1007
b4450035 1008static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1009{
c1360a1c 1010 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1011}
1012
93c3e8f5
AE		 1013static bool __amp_capable(struct l2cap_chan *chan)
1014{
1015 struct l2cap_conn *conn = chan->conn;
1016
1017 if (enable_hs &&
5d05416e 1018 hci_amp_capable() &&
93c3e8f5
AE		 1019 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1020 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1021 return true;
1022 else
1023 return false;
1024}
1025
5ce66b59
AE		 1026static bool l2cap_check_efs(struct l2cap_chan *chan)
1027{
1028 /* Check EFS parameters */
1029 return true;
1030}
1031
2766be48 1032void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1033{
1034 struct l2cap_conn *conn = chan->conn;
1035 struct l2cap_conn_req req;
1036
1037 req.scid = cpu_to_le16(chan->scid);
1038 req.psm = chan->psm;
1039
1040 chan->ident = l2cap_get_ident(conn);
1041
1042 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1043
1044 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1045}
1046
8eb200bd
MM		 1047static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1048{
1049 struct l2cap_create_chan_req req;
1050 req.scid = cpu_to_le16(chan->scid);
1051 req.psm = chan->psm;
1052 req.amp_id = amp_id;
1053
1054 chan->ident = l2cap_get_ident(chan->conn);
1055
1056 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1057 sizeof(req), &req);
1058}
1059
02b0fbb9
MM		 1060static void l2cap_move_setup(struct l2cap_chan *chan)
1061{
1062 struct sk_buff *skb;
1063
1064 BT_DBG("chan %p", chan);
1065
1066 if (chan->mode != L2CAP_MODE_ERTM)
1067 return;
1068
1069 __clear_retrans_timer(chan);
1070 __clear_monitor_timer(chan);
1071 __clear_ack_timer(chan);
1072
1073 chan->retry_count = 0;
1074 skb_queue_walk(&chan->tx_q, skb) {
1075 if (bt_cb(skb)->control.retries)
1076 bt_cb(skb)->control.retries = 1;
1077 else
1078 break;
1079 }
1080
1081 chan->expected_tx_seq = chan->buffer_seq;
1082
1083 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1084 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1085 l2cap_seq_list_clear(&chan->retrans_list);
1086 l2cap_seq_list_clear(&chan->srej_list);
1087 skb_queue_purge(&chan->srej_q);
1088
1089 chan->tx_state = L2CAP_TX_STATE_XMIT;
1090 chan->rx_state = L2CAP_RX_STATE_MOVE;
1091
1092 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1093}
1094
5f3847a4
MM		 1095static void l2cap_move_done(struct l2cap_chan *chan)
1096{
1097 u8 move_role = chan->move_role;
1098 BT_DBG("chan %p", chan);
1099
1100 chan->move_state = L2CAP_MOVE_STABLE;
1101 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1102
1103 if (chan->mode != L2CAP_MODE_ERTM)
1104 return;
1105
1106 switch (move_role) {
1107 case L2CAP_MOVE_ROLE_INITIATOR:
1108 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1109 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1110 break;
1111 case L2CAP_MOVE_ROLE_RESPONDER:
1112 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1113 break;
1114 }
1115}
1116
9f0caeb1
VCG		 1117static void l2cap_chan_ready(struct l2cap_chan *chan)
1118{
2827011f 1119 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1120 chan->conf_state = 0;
1121 __clear_chan_timer(chan);
1122
54a59aa2 1123 chan->state = BT_CONNECTED;
9f0caeb1 1124
fd83e2c2 1125 chan->ops->ready(chan);
9f0caeb1
VCG		 1126}
1127
93c3e8f5
AE		 1128static void l2cap_start_connection(struct l2cap_chan *chan)
1129{
1130 if (__amp_capable(chan)) {
1131 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1132 a2mp_discover_amp(chan);
1133 } else {
1134 l2cap_send_conn_req(chan);
1135 }
1136}
1137
fc7f8a7e 1138static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1139{
8c1d787b 1140 struct l2cap_conn *conn = chan->conn;
79d554a6 1141
9f0caeb1
VCG		 1142 if (conn->hcon->type == LE_LINK) {
1143 l2cap_chan_ready(chan);
1144 return;
1145 }
1146
79d554a6 1147 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1148 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1149 return;
1150
d45fc423 1151 if (l2cap_chan_check_security(chan) &&
2d792818 1152 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1153 l2cap_start_connection(chan);
1154 }
79d554a6
MH		 1155 } else {
1156 struct l2cap_info_req req;
ac73498c 1157 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1158
1159 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1160 conn->info_ident = l2cap_get_ident(conn);
1161
ba13ccd9 1162 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1163
2d792818
GP		 1164 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1165 sizeof(req), &req);
79d554a6
MH		 1166 }
1167}
1168
cf6c2c0b
GP		 1169static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1170{
1171 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1172 if (!disable_ertm)
cf6c2c0b
GP		 1173 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1174
1175 switch (mode) {
1176 case L2CAP_MODE_ERTM:
1177 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1178 case L2CAP_MODE_STREAMING:
1179 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1180 default:
1181 return 0x00;
1182 }
1183}
1184
5e4e3972 1185static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1186{
6be36555 1187 struct sock *sk = chan->sk;
5e4e3972 1188 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1189 struct l2cap_disconn_req req;
1190
c13ffa62
GP		 1191 if (!conn)
1192 return;
1193
aad3d0e3 1194 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1195 __clear_retrans_timer(chan);
1196 __clear_monitor_timer(chan);
1197 __clear_ack_timer(chan);
c13ffa62
GP		 1198 }
1199
416fa752 1200 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1201 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1202 return;
1203 }
1204
fe4128e0
GP		 1205 req.dcid = cpu_to_le16(chan->dcid);
1206 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1207 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1208 sizeof(req), &req);
c13ffa62 1209
6be36555 1210 lock_sock(sk);
0e587be7 1211 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1212 __l2cap_chan_set_err(chan, err);
6be36555 1213 release_sock(sk);
22121fc9
GP		 1214}
1215
1da177e4 1216/* ---- L2CAP connections ---- */
4e8402a3
MH		 1217static void l2cap_conn_start(struct l2cap_conn *conn)
1218{
3df91ea2 1219 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1220
1221 BT_DBG("conn %p", conn);
1222
3df91ea2 1223 mutex_lock(&conn->chan_lock);
4e8402a3 1224
3df91ea2 1225 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1226 struct sock *sk = chan->sk;
baa7e1fa 1227
6be36555 1228 l2cap_chan_lock(chan);
4e8402a3 1229
715ec005 1230 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1231 l2cap_chan_unlock(chan);
79d554a6
MH		 1232 continue;
1233 }
1234
89bc500e 1235 if (chan->state == BT_CONNECT) {
d45fc423 1236 if (!l2cap_chan_check_security(chan) ||
2d792818 1237 !__l2cap_no_conn_pending(chan)) {
6be36555 1238 l2cap_chan_unlock(chan);
47731de7
GP		 1239 continue;
1240 }
79d554a6 1241
c1360a1c 1242 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1243 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1244 &chan->conf_state)) {
89bc500e 1245 l2cap_chan_close(chan, ECONNRESET);
6be36555 1246 l2cap_chan_unlock(chan);
47731de7 1247 continue;
b1235d79 1248 }
47731de7 1249
93c3e8f5 1250 l2cap_start_connection(chan);
47731de7 1251
89bc500e 1252 } else if (chan->state == BT_CONNECT2) {
79d554a6 1253 struct l2cap_conn_rsp rsp;
e9aeb2dd 1254 char buf[128];
fe4128e0
GP		 1255 rsp.scid = cpu_to_le16(chan->dcid);
1256 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1257
d45fc423 1258 if (l2cap_chan_check_security(chan)) {
6be36555 1259 lock_sock(sk);
c5daa683
GP		 1260 if (test_bit(BT_SK_DEFER_SETUP,
1261 &bt_sk(sk)->flags)) {
ac73498c
AE		 1262 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1263 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1264 chan->ops->defer(chan);
f66dc81f
MH		 1265
1266 } else {
0e587be7 1267 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1268 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1269 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1270 }
6be36555 1271 release_sock(sk);
79d554a6 1272 } else {
ac73498c
AE		 1273 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1274 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1275 }
1276
fc7f8a7e 1277 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1278 sizeof(rsp), &rsp);
e9aeb2dd 1279
c1360a1c 1280 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1281 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1282 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1283 continue;
1284 }
1285
c1360a1c 1286 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1287 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1288 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1289 chan->num_conf_req++;
4e8402a3
MH		 1290 }
1291
6be36555 1292 l2cap_chan_unlock(chan);
4e8402a3
MH		 1293 }
1294
3df91ea2 1295 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1296}
1297
c2287681 1298/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1299 * Returns closest match, locked.
1300 */
d9b88702 1301static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1302 bdaddr_t *src,
1303 bdaddr_t *dst)
b62f328b 1304{
23691d75 1305 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1306
23691d75 1307 read_lock(&chan_list_lock);
b62f328b 1308
23691d75
GP		 1309 list_for_each_entry(c, &chan_list, global_l) {
1310 struct sock *sk = c->sk;
fe4128e0 1311
89bc500e 1312 if (state && c->state != state)
b62f328b
VT		 1313 continue;
1314
23691d75 1315 if (c->scid == cid) {
c2287681
IY		 1316 int src_match, dst_match;
1317 int src_any, dst_any;
1318
b62f328b 1319 /* Exact match. */
c2287681
IY		 1320 src_match = !bacmp(&bt_sk(sk)->src, src);
1321 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1322 if (src_match && dst_match) {
23691d75
GP		 1323 read_unlock(&chan_list_lock);
1324 return c;
1325 }
b62f328b
VT		 1326
1327 /* Closest match */
c2287681
IY		 1328 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1329 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1330 if ((src_match && dst_any) || (src_any && dst_match) ||
1331 (src_any && dst_any))
23691d75 1332 c1 = c;
b62f328b
VT		 1333 }
1334 }
280f294f 1335
23691d75 1336 read_unlock(&chan_list_lock);
b62f328b 1337
23691d75 1338 return c1;
b62f328b
VT		 1339}
1340
1341static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1342{
c916fbe4 1343 struct sock *parent, *sk;
23691d75 1344 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1345
1346 BT_DBG("");
1347
1348 /* Check if we have socket listening on cid */
073d1cf3 1349 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
c2287681 1350 conn->src, conn->dst);
23691d75 1351 if (!pchan)
b62f328b
VT		 1352 return;
1353
23691d75
GP		 1354 parent = pchan->sk;
1355
aa2ac881 1356 lock_sock(parent);
62f3a2cf 1357
80b98027 1358 chan = pchan->ops->new_connection(pchan);
80808e43 1359 if (!chan)
b62f328b
VT		 1360 goto clean;
1361
9f22398c
JH		 1362 chan->dcid = L2CAP_CID_ATT;
1363
80808e43 1364 sk = chan->sk;
5d41ce1d 1365
b62f328b 1366 hci_conn_hold(conn->hcon);
a9ea3ed9 1367 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1368
b62f328b
VT		 1369 bacpy(&bt_sk(sk)->src, conn->src);
1370 bacpy(&bt_sk(sk)->dst, conn->dst);
1371
3d57dc68 1372 l2cap_chan_add(conn, chan);
48454079 1373
b62f328b 1374clean:
aa2ac881 1375 release_sock(parent);
b62f328b
VT		 1376}
1377
4e8402a3
MH		 1378static void l2cap_conn_ready(struct l2cap_conn *conn)
1379{
48454079 1380 struct l2cap_chan *chan;
cc110922 1381 struct hci_conn *hcon = conn->hcon;
4e8402a3 1382
79d554a6 1383 BT_DBG("conn %p", conn);
4e8402a3 1384
cc110922 1385 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1386 l2cap_le_conn_ready(conn);
1387
d8729922
JH		 1388 /* For outgoing pairing which doesn't necessarily have an
1389 * associated socket (e.g. mgmt_pair_device).
1390 */
cc110922
VCG		 1391 if (hcon->out && hcon->type == LE_LINK)
1392 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1393
3df91ea2 1394 mutex_lock(&conn->chan_lock);
4e8402a3 1395
3df91ea2 1396 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1397
6be36555 1398 l2cap_chan_lock(chan);
4e8402a3 1399
416fa752
AE		 1400 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1401 l2cap_chan_unlock(chan);
1402 continue;
1403 }
1404
cc110922
VCG		 1405 if (hcon->type == LE_LINK) {
1406 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1407 l2cap_chan_ready(chan);
acd7d370 1408
63128451 1409 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1410 struct sock *sk = chan->sk;
c9b66675 1411 __clear_chan_timer(chan);
6be36555 1412 lock_sock(sk);
0e587be7 1413 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1414 sk->sk_state_change(sk);
6be36555 1415 release_sock(sk);
b501d6a1 1416
89bc500e 1417 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1418 l2cap_do_start(chan);
4e8402a3 1419
6be36555 1420 l2cap_chan_unlock(chan);
4e8402a3 1421 }
79d554a6 1422
3df91ea2 1423 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1424}
1425
1426/* Notify sockets that we cannot guaranty reliability anymore */
1427static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1428{
48454079 1429 struct l2cap_chan *chan;
4e8402a3
MH		 1430
1431 BT_DBG("conn %p", conn);
1432
3df91ea2 1433 mutex_lock(&conn->chan_lock);
4e8402a3 1434
3df91ea2 1435 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1436 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1437 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1438 }
1439
3df91ea2 1440 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1441}
1442
f878fcad 1443static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1444{
f878fcad 1445 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1446 info_timer.work);
4e8402a3 1447
984947dc 1448 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1449 conn->info_ident = 0;
984947dc 1450
4e8402a3
MH		 1451 l2cap_conn_start(conn);
1452}
1453
2c8e1411
DH		 1454/*
1455 * l2cap_user
1456 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1457 * callback is called during registration. The ->remove callback is called
1458 * during unregistration.
1459 * An l2cap_user object can either be explicitly unregistered or when the
1460 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1461 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1462 * External modules must own a reference to the l2cap_conn object if they intend
1463 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1464 * any time if they don't.
1465 */
1466
1467int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1468{
1469 struct hci_dev *hdev = conn->hcon->hdev;
1470 int ret;
1471
1472 /* We need to check whether l2cap_conn is registered. If it is not, we
1473 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1474 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1475 * relies on the parent hci_conn object to be locked. This itself relies
1476 * on the hci_dev object to be locked. So we must lock the hci device
1477 * here, too. */
1478
1479 hci_dev_lock(hdev);
1480
1481 if (user->list.next || user->list.prev) {
1482 ret = -EINVAL;
1483 goto out_unlock;
1484 }
1485
1486 /* conn->hchan is NULL after l2cap_conn_del() was called */
1487 if (!conn->hchan) {
1488 ret = -ENODEV;
1489 goto out_unlock;
1490 }
1491
1492 ret = user->probe(conn, user);
1493 if (ret)
1494 goto out_unlock;
1495
1496 list_add(&user->list, &conn->users);
1497 ret = 0;
1498
1499out_unlock:
1500 hci_dev_unlock(hdev);
1501 return ret;
1502}
1503EXPORT_SYMBOL(l2cap_register_user);
1504
1505void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1506{
1507 struct hci_dev *hdev = conn->hcon->hdev;
1508
1509 hci_dev_lock(hdev);
1510
1511 if (!user->list.next || !user->list.prev)
1512 goto out_unlock;
1513
1514 list_del(&user->list);
1515 user->list.next = NULL;
1516 user->list.prev = NULL;
1517 user->remove(conn, user);
1518
1519out_unlock:
1520 hci_dev_unlock(hdev);
1521}
1522EXPORT_SYMBOL(l2cap_unregister_user);
1523
1524static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1525{
1526 struct l2cap_user *user;
1527
1528 while (!list_empty(&conn->users)) {
1529 user = list_first_entry(&conn->users, struct l2cap_user, list);
1530 list_del(&user->list);
1531 user->list.next = NULL;
1532 user->list.prev = NULL;
1533 user->remove(conn, user);
1534 }
1535}
1536
5d3de7df
VCG		 1537static void l2cap_conn_del(struct hci_conn *hcon, int err)
1538{
1539 struct l2cap_conn *conn = hcon->l2cap_data;
1540 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1541
1542 if (!conn)
1543 return;
1544
1545 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1546
1547 kfree_skb(conn->rx_skb);
1548
2c8e1411
DH		 1549 l2cap_unregister_all_users(conn);
1550
3df91ea2
AE		 1551 mutex_lock(&conn->chan_lock);
1552
5d3de7df
VCG		 1553 /* Kill channels */
1554 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1555 l2cap_chan_hold(chan);
6be36555
AE		 1556 l2cap_chan_lock(chan);
1557
5d3de7df 1558 l2cap_chan_del(chan, err);
6be36555
AE		 1559
1560 l2cap_chan_unlock(chan);
1561
80b98027 1562 chan->ops->close(chan);
61d6ef3e 1563 l2cap_chan_put(chan);
5d3de7df
VCG		 1564 }
1565
3df91ea2
AE		 1566 mutex_unlock(&conn->chan_lock);
1567
73d80deb
LAD		 1568 hci_chan_del(conn->hchan);
1569
5d3de7df 1570 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1571 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1572
51a8efd7 1573 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1574 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1575 smp_chan_destroy(conn);
d26a2345 1576 }
5d3de7df
VCG		 1577
1578 hcon->l2cap_data = NULL;
9c903e37
DH		 1579 conn->hchan = NULL;
1580 l2cap_conn_put(conn);
5d3de7df
VCG		 1581}
1582
6c9d42a1 1583static void security_timeout(struct work_struct *work)
5d3de7df 1584{
6c9d42a1 1585 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1586 security_timer.work);
5d3de7df 1587
d06cc416
JH		 1588 BT_DBG("conn %p", conn);
1589
1590 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1591 smp_chan_destroy(conn);
1592 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1593 }
5d3de7df
VCG		 1594}
1595
baf43251 1596static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1597{
0139418c 1598 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1599 struct hci_chan *hchan;
1da177e4 1600
baf43251 1601 if (conn)
1da177e4
LT		 1602 return conn;
1603
73d80deb
LAD		 1604 hchan = hci_chan_create(hcon);
1605 if (!hchan)
1606 return NULL;
1607
8bcde1f2 1608 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1609 if (!conn) {
1610 hci_chan_del(hchan);
1da177e4 1611 return NULL;
73d80deb 1612 }
1da177e4 1613
9c903e37 1614 kref_init(&conn->ref);
1da177e4
LT		 1615 hcon->l2cap_data = conn;
1616 conn->hcon = hcon;
9c903e37 1617 hci_conn_get(conn->hcon);
73d80deb 1618 conn->hchan = hchan;
1da177e4 1619
73d80deb 1620 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1621
dcc042d5 1622 switch (hcon->type) {
dcc042d5
AE		 1623 case LE_LINK:
1624 if (hcon->hdev->le_mtu) {
1625 conn->mtu = hcon->hdev->le_mtu;
1626 break;
1627 }
1628 /* fall through */
dcc042d5 1629 default:
acd7d370 1630 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1631 break;
1632 }
acd7d370 1633
1da177e4
LT		 1634 conn->src = &hcon->hdev->bdaddr;
1635 conn->dst = &hcon->dst;
1636
4e8402a3
MH		 1637 conn->feat_mask = 0;
1638
1da177e4 1639 spin_lock_init(&conn->lock);
3df91ea2 1640 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1641
1642 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1643 INIT_LIST_HEAD(&conn->users);
1da177e4 1644
5d3de7df 1645 if (hcon->type == LE_LINK)
6c9d42a1 1646 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1647 else
030013d8 1648 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1649
9f5a0d7b 1650 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1651
1da177e4
LT		 1652 return conn;
1653}
1654
9c903e37
DH		 1655static void l2cap_conn_free(struct kref *ref)
1656{
1657 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1658
1659 hci_conn_put(conn->hcon);
1660 kfree(conn);
1661}
1662
1663void l2cap_conn_get(struct l2cap_conn *conn)
1664{
1665 kref_get(&conn->ref);
1666}
1667EXPORT_SYMBOL(l2cap_conn_get);
1668
1669void l2cap_conn_put(struct l2cap_conn *conn)
1670{
1671 kref_put(&conn->ref, l2cap_conn_free);
1672}
1673EXPORT_SYMBOL(l2cap_conn_put);
1674
1da177e4 1675/* ---- Socket interface ---- */
1da177e4 1676
c2287681 1677/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1678 * Returns closest match.
1679 */
c2287681
IY		 1680static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1681 bdaddr_t *src,
1682 bdaddr_t *dst)
1da177e4 1683{
23691d75 1684 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1685
23691d75 1686 read_lock(&chan_list_lock);
e0f0cb56 1687
23691d75
GP		 1688 list_for_each_entry(c, &chan_list, global_l) {
1689 struct sock *sk = c->sk;
fe4128e0 1690
89bc500e 1691 if (state && c->state != state)
1da177e4
LT		 1692 continue;
1693
23691d75 1694 if (c->psm == psm) {
c2287681
IY		 1695 int src_match, dst_match;
1696 int src_any, dst_any;
1697
1da177e4 1698 /* Exact match. */
c2287681
IY		 1699 src_match = !bacmp(&bt_sk(sk)->src, src);
1700 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1701 if (src_match && dst_match) {
a7567b20 1702 read_unlock(&chan_list_lock);
23691d75
GP		 1703 return c;
1704 }
1da177e4
LT		 1705
1706 /* Closest match */
c2287681
IY		 1707 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1708 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1709 if ((src_match && dst_any) || (src_any && dst_match) ||
1710 (src_any && dst_any))
23691d75 1711 c1 = c;
1da177e4
LT		 1712 }
1713 }
1da177e4 1714
23691d75 1715 read_unlock(&chan_list_lock);
e0f0cb56 1716
23691d75 1717 return c1;
1da177e4
LT		 1718}
1719
8e9f9892
AG		 1720int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1721 bdaddr_t *dst, u8 dst_type)
1da177e4 1722{
5d41ce1d 1723 struct sock *sk = chan->sk;
1da177e4 1724 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1725 struct l2cap_conn *conn;
1726 struct hci_conn *hcon;
1727 struct hci_dev *hdev;
09ab6f4c 1728 __u8 auth_type;
44d0e48e 1729 int err;
1da177e4 1730
6ed93dc6 1731 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1732 dst_type, __le16_to_cpu(psm));
1da177e4 1733
af05b30b
GP		 1734 hdev = hci_get_route(dst, src);
1735 if (!hdev)
1da177e4
LT		 1736 return -EHOSTUNREACH;
1737
09fd0de5 1738 hci_dev_lock(hdev);
1da177e4 1739
6be36555 1740 l2cap_chan_lock(chan);
03a00194
GP		 1741
1742 /* PSM must be odd and lsb of upper byte must be 0 */
1743 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1744 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1745 err = -EINVAL;
1746 goto done;
1747 }
1748
1749 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1750 err = -EINVAL;
1751 goto done;
1752 }
1753
1754 switch (chan->mode) {
1755 case L2CAP_MODE_BASIC:
1756 break;
1757 case L2CAP_MODE_ERTM:
1758 case L2CAP_MODE_STREAMING:
1759 if (!disable_ertm)
1760 break;
1761 /* fall through */
1762 default:
1763 err = -ENOTSUPP;
1764 goto done;
1765 }
1766
0797e01d 1767 switch (chan->state) {
03a00194
GP		 1768 case BT_CONNECT:
1769 case BT_CONNECT2:
1770 case BT_CONFIG:
1771 /* Already connecting */
1772 err = 0;
1773 goto done;
1774
1775 case BT_CONNECTED:
1776 /* Already connected */
1777 err = -EISCONN;
1778 goto done;
1779
1780 case BT_OPEN:
1781 case BT_BOUND:
1782 /* Can connect */
1783 break;
1784
1785 default:
1786 err = -EBADFD;
1787 goto done;
1788 }
1789
1790 /* Set destination address and psm */
0797e01d 1791 lock_sock(sk);
9219b2a0 1792 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1793 release_sock(sk);
1794
03a00194
GP		 1795 chan->psm = psm;
1796 chan->dcid = cid;
1da177e4 1797
4343478f 1798 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1799
f224ca5f 1800 if (bdaddr_type_is_le(dst_type))
8e9f9892 1801 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1802 chan->sec_level, auth_type);
acd7d370 1803 else
8e9f9892 1804 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1805 chan->sec_level, auth_type);
acd7d370 1806
30e76272
VT		 1807 if (IS_ERR(hcon)) {
1808 err = PTR_ERR(hcon);
1da177e4 1809 goto done;
30e76272 1810 }
1da177e4 1811
baf43251 1812 conn = l2cap_conn_add(hcon);
1da177e4 1813 if (!conn) {
76a68ba0 1814 hci_conn_drop(hcon);
30e76272 1815 err = -ENOMEM;
1da177e4
LT		 1816 goto done;
1817 }
1818
141d5706
JH		 1819 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1820 hci_conn_drop(hcon);
1821 err = -EBUSY;
1822 goto done;
9f0caeb1
VCG		 1823 }
1824
1da177e4
LT		 1825 /* Update source addr of the socket */
1826 bacpy(src, conn->src);
1827
6be36555 1828 l2cap_chan_unlock(chan);
48454079 1829 l2cap_chan_add(conn, chan);
6be36555 1830 l2cap_chan_lock(chan);
48454079 1831
6be36555 1832 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1833 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1834
1835 if (hcon->state == BT_CONNECTED) {
715ec005 1836 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1837 __clear_chan_timer(chan);
d45fc423 1838 if (l2cap_chan_check_security(chan))
6be36555 1839 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1840 } else
fc7f8a7e 1841 l2cap_do_start(chan);
1da177e4
LT		 1842 }
1843
30e76272
VT		 1844 err = 0;
1845
1da177e4 1846done:
6be36555 1847 l2cap_chan_unlock(chan);
09fd0de5 1848 hci_dev_unlock(hdev);
1da177e4
LT		 1849 hci_dev_put(hdev);
1850 return err;
1851}
1852
dcba0dba 1853int __l2cap_wait_ack(struct sock *sk)
6161c038 1854{
8c1d787b 1855 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1856 DECLARE_WAITQUEUE(wait, current);
1857 int err = 0;
1858 int timeo = HZ/5;
1859
2b0b05dd 1860 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1861 set_current_state(TASK_INTERRUPTIBLE);
1862 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1863 if (!timeo)
1864 timeo = HZ/5;
1865
1866 if (signal_pending(current)) {
1867 err = sock_intr_errno(timeo);
1868 break;
1869 }
1870
1871 release_sock(sk);
1872 timeo = schedule_timeout(timeo);
1873 lock_sock(sk);
a71a0cf4 1874 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1875
1876 err = sock_error(sk);
1877 if (err)
1878 break;
1879 }
1880 set_current_state(TASK_RUNNING);
2b0b05dd 1881 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1882 return err;
1883}
1884
721c4181 1885static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1886{
721c4181 1887 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1888 monitor_timer.work);
e90bac06 1889
525cd185 1890 BT_DBG("chan %p", chan);
0e98958d 1891
6be36555
AE		 1892 l2cap_chan_lock(chan);
1893
80909e04 1894 if (!chan->conn) {
6be36555 1895 l2cap_chan_unlock(chan);
8d7e1c7f 1896 l2cap_chan_put(chan);
e90bac06
GP		 1897 return;
1898 }
1899
401bb1f7 1900 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1901
6be36555 1902 l2cap_chan_unlock(chan);
8d7e1c7f 1903 l2cap_chan_put(chan);
e90bac06
GP		 1904}
1905
721c4181 1906static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1907{
721c4181 1908 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1909 retrans_timer.work);
e90bac06 1910
49208c9c 1911 BT_DBG("chan %p", chan);
0e98958d 1912
6be36555
AE		 1913 l2cap_chan_lock(chan);
1914
80909e04
MM		 1915 if (!chan->conn) {
1916 l2cap_chan_unlock(chan);
1917 l2cap_chan_put(chan);
1918 return;
1919 }
6be36555 1920
401bb1f7 1921 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1922 l2cap_chan_unlock(chan);
8d7e1c7f 1923 l2cap_chan_put(chan);
e90bac06
GP		 1924}
1925
d660366d
GP		 1926static void l2cap_streaming_send(struct l2cap_chan *chan,
1927 struct sk_buff_head *skbs)
6840ed07 1928{
ccbb84af 1929 struct sk_buff *skb;
3733937d 1930 struct l2cap_ctrl *control;
6840ed07 1931
3733937d
MM		 1932 BT_DBG("chan %p, skbs %p", chan, skbs);
1933
b99e13ad
MM		 1934 if (__chan_is_moving(chan))
1935 return;
1936
3733937d
MM		 1937 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1938
1939 while (!skb_queue_empty(&chan->tx_q)) {
1940
1941 skb = skb_dequeue(&chan->tx_q);
1942
1943 bt_cb(skb)->control.retries = 1;
1944 control = &bt_cb(skb)->control;
1945
1946 control->reqseq = 0;
1947 control->txseq = chan->next_tx_seq;
1948
1949 __pack_control(chan, control, skb);
6840ed07 1950
47d1ec61 1951 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1952 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1953 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1954 }
1955
4343478f 1956 l2cap_do_send(chan, skb);
6840ed07 1957
b4400672 1958 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1959
836be934 1960 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1961 chan->frames_sent++;
6840ed07 1962 }
6840ed07
GP		 1963}
1964
67c9e840 1965static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1966{
1967 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1968 struct l2cap_ctrl *control;
1969 int sent = 0;
1970
1971 BT_DBG("chan %p", chan);
1c2acffb 1972
89bc500e 1973 if (chan->state != BT_CONNECTED)
c13ffa62 1974 return -ENOTCONN;
e90bac06 1975
94122bbe
MM		 1976 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1977 return 0;
1978
b99e13ad
MM		 1979 if (__chan_is_moving(chan))
1980 return 0;
1981
18a48e76
MM		 1982 while (chan->tx_send_head &&
1983 chan->unacked_frames < chan->remote_tx_win &&
1984 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1985
18a48e76 1986 skb = chan->tx_send_head;
e90bac06 1987
18a48e76
MM		 1988 bt_cb(skb)->control.retries = 1;
1989 control = &bt_cb(skb)->control;
95ffa978 1990
e2ab4353 1991 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1992 control->final = 1;
e2ab4353 1993
18a48e76
MM		 1994 control->reqseq = chan->buffer_seq;
1995 chan->last_acked_seq = chan->buffer_seq;
1996 control->txseq = chan->next_tx_seq;
1c2acffb 1997
18a48e76 1998 __pack_control(chan, control, skb);
e90bac06 1999
47d1ec61 2000 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2001 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2002 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2003 }
2004
18a48e76
MM		 2005 /* Clone after data has been modified. Data is assumed to be
2006 read-only (for locking purposes) on cloned sk_buffs.
2007 */
2008 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2009
18a48e76
MM		 2010 if (!tx_skb)
2011 break;
1c2acffb 2012
18a48e76 2013 __set_retrans_timer(chan);
836be934
AE		 2014
2015 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2016 chan->unacked_frames++;
6a026610 2017 chan->frames_sent++;
18a48e76 2018 sent++;
1c2acffb 2019
58d35f87
GP		 2020 if (skb_queue_is_last(&chan->tx_q, skb))
2021 chan->tx_send_head = NULL;
1c2acffb 2022 else
58d35f87 2023 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2024
2025 l2cap_do_send(chan, tx_skb);
b4400672 2026 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2027 }
2028
b4400672
AE		 2029 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2030 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2031
2032 return sent;
9e917af1
GP		 2033}
2034
e1fbd4c1
MM		 2035static void l2cap_ertm_resend(struct l2cap_chan *chan)
2036{
2037 struct l2cap_ctrl control;
2038 struct sk_buff *skb;
2039 struct sk_buff *tx_skb;
2040 u16 seq;
2041
2042 BT_DBG("chan %p", chan);
2043
2044 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2045 return;
2046
b99e13ad
MM		 2047 if (__chan_is_moving(chan))
2048 return;
2049
e1fbd4c1
MM		 2050 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2051 seq = l2cap_seq_list_pop(&chan->retrans_list);
2052
2053 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2054 if (!skb) {
2055 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2056 seq);
e1fbd4c1
MM		 2057 continue;
2058 }
2059
2060 bt_cb(skb)->control.retries++;
2061 control = bt_cb(skb)->control;
2062
2063 if (chan->max_tx != 0 &&
2064 bt_cb(skb)->control.retries > chan->max_tx) {
2065 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2066 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2067 l2cap_seq_list_clear(&chan->retrans_list);
2068 break;
2069 }
2070
2071 control.reqseq = chan->buffer_seq;
2072 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2073 control.final = 1;
2074 else
2075 control.final = 0;
2076
2077 if (skb_cloned(skb)) {
2078 /* Cloned sk_buffs are read-only, so we need a
2079 * writeable copy
2080 */
8bcde1f2 2081 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2082 } else {
8bcde1f2 2083 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2084 }
2085
2086 if (!tx_skb) {
2087 l2cap_seq_list_clear(&chan->retrans_list);
2088 break;
2089 }
2090
2091 /* Update skb contents */
2092 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2093 put_unaligned_le32(__pack_extended_control(&control),
2094 tx_skb->data + L2CAP_HDR_SIZE);
2095 } else {
2096 put_unaligned_le16(__pack_enhanced_control(&control),
2097 tx_skb->data + L2CAP_HDR_SIZE);
2098 }
2099
2100 if (chan->fcs == L2CAP_FCS_CRC16) {
2101 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2102 put_unaligned_le16(fcs, skb_put(tx_skb,
2103 L2CAP_FCS_SIZE));
2104 }
2105
2106 l2cap_do_send(chan, tx_skb);
2107
2108 BT_DBG("Resent txseq %d", control.txseq);
2109
2110 chan->last_acked_seq = chan->buffer_seq;
2111 }
2112}
2113
f80842a8
MM		 2114static void l2cap_retransmit(struct l2cap_chan *chan,
2115 struct l2cap_ctrl *control)
2116{
2117 BT_DBG("chan %p, control %p", chan, control);
2118
2119 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2120 l2cap_ertm_resend(chan);
2121}
2122
d2a7ac5d
MM		 2123static void l2cap_retransmit_all(struct l2cap_chan *chan,
2124 struct l2cap_ctrl *control)
2125{
e1fbd4c1
MM		 2126 struct sk_buff *skb;
2127
2128 BT_DBG("chan %p, control %p", chan, control);
2129
2130 if (control->poll)
2131 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2132
2133 l2cap_seq_list_clear(&chan->retrans_list);
2134
2135 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2136 return;
2137
2138 if (chan->unacked_frames) {
2139 skb_queue_walk(&chan->tx_q, skb) {
2140 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2141 skb == chan->tx_send_head)
e1fbd4c1
MM		 2142 break;
2143 }
2144
2145 skb_queue_walk_from(&chan->tx_q, skb) {
2146 if (skb == chan->tx_send_head)
2147 break;
2148
2149 l2cap_seq_list_append(&chan->retrans_list,
2150 bt_cb(skb)->control.txseq);
2151 }
2152
2153 l2cap_ertm_resend(chan);
2154 }
d2a7ac5d
MM		 2155}
2156
0a0aba42 2157static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2158{
0a0aba42
MM		 2159 struct l2cap_ctrl control;
2160 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2161 chan->last_acked_seq);
2162 int threshold;
9e917af1 2163
0a0aba42
MM		 2164 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2165 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2166
0a0aba42
MM		 2167 memset(&control, 0, sizeof(control));
2168 control.sframe = 1;
dfc909be 2169
0a0aba42
MM		 2170 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2171 chan->rx_state == L2CAP_RX_STATE_RECV) {
2172 __clear_ack_timer(chan);
2173 control.super = L2CAP_SUPER_RNR;
2174 control.reqseq = chan->buffer_seq;
2175 l2cap_send_sframe(chan, &control);
2176 } else {
2177 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2178 l2cap_ertm_send(chan);
2179 /* If any i-frames were sent, they included an ack */
2180 if (chan->buffer_seq == chan->last_acked_seq)
2181 frames_to_ack = 0;
2182 }
dfc909be 2183
c20f8e35 2184 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2185 * Calculate without mul or div
2186 */
c20f8e35 2187 threshold = chan->ack_win;
0a0aba42
MM		 2188 threshold += threshold << 1;
2189 threshold >>= 2;
2190
b4400672 2191 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2192 threshold);
2193
2194 if (frames_to_ack >= threshold) {
2195 __clear_ack_timer(chan);
2196 control.super = L2CAP_SUPER_RR;
2197 control.reqseq = chan->buffer_seq;
2198 l2cap_send_sframe(chan, &control);
2199 frames_to_ack = 0;
2200 }
1c2acffb 2201
0a0aba42
MM		 2202 if (frames_to_ack)
2203 __set_ack_timer(chan);
2204 }
b17e73bb
SJ		 2205}
2206
04124681
GP		 2207static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2208 struct msghdr *msg, int len,
2209 int count, struct sk_buff *skb)
1c2acffb 2210{
0952a57a 2211 struct l2cap_conn *conn = chan->conn;
1c2acffb 2212 struct sk_buff **frag;
90338947 2213 int sent = 0;
1da177e4 2214
59203a21 2215 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2216 return -EFAULT;
1da177e4
LT		 2217
2218 sent += count;
2219 len -= count;
2220
2221 /* Continuation fragments (no L2CAP header) */
2222 frag = &skb_shinfo(skb)->frag_list;
2223 while (len) {
fbe00700
GP		 2224 struct sk_buff *tmp;
2225
1da177e4
LT		 2226 count = min_t(unsigned int, conn->mtu, len);
2227
fbe00700
GP		 2228 tmp = chan->ops->alloc_skb(chan, count,
2229 msg->msg_flags & MSG_DONTWAIT);
2230 if (IS_ERR(tmp))
2231 return PTR_ERR(tmp);
2232
2233 *frag = tmp;
2f7719ce 2234
1c2acffb
GP		 2235 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2236 return -EFAULT;
1da177e4 2237
5e59b791
LAD		 2238 (*frag)->priority = skb->priority;
2239
1da177e4
LT		 2240 sent += count;
2241 len -= count;
2242
2d0ed3d5
GP		 2243 skb->len += (*frag)->len;
2244 skb->data_len += (*frag)->len;
2245
1da177e4
LT		 2246 frag = &(*frag)->next;
2247 }
1da177e4
LT		 2248
2249 return sent;
1c2acffb 2250}
1da177e4 2251
5e59b791 2252static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2253 struct msghdr *msg, size_t len,
2254 u32 priority)
1c2acffb 2255{
8c1d787b 2256 struct l2cap_conn *conn = chan->conn;
1c2acffb 2257 struct sk_buff *skb;
03a51213 2258 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2259 struct l2cap_hdr *lh;
2260
b4400672 2261 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2262
2263 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2264
2265 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2266 msg->msg_flags & MSG_DONTWAIT);
2267 if (IS_ERR(skb))
2268 return skb;
1c2acffb 2269
5e59b791
LAD		 2270 skb->priority = priority;
2271
1c2acffb
GP		 2272 /* Create L2CAP header */
2273 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2274 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2275 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2276 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2277
0952a57a 2278 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2279 if (unlikely(err < 0)) {
2280 kfree_skb(skb);
2281 return ERR_PTR(err);
2282 }
2283 return skb;
2284}
2285
5e59b791 2286static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2287 struct msghdr *msg, size_t len,
2288 u32 priority)
1c2acffb 2289{
8c1d787b 2290 struct l2cap_conn *conn = chan->conn;
1c2acffb 2291 struct sk_buff *skb;
f2ba7fae 2292 int err, count;
1c2acffb
GP		 2293 struct l2cap_hdr *lh;
2294
b4400672 2295 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2296
f2ba7fae 2297 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2298
f2ba7fae 2299 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2300 msg->msg_flags & MSG_DONTWAIT);
2301 if (IS_ERR(skb))
2302 return skb;
1c2acffb 2303
5e59b791
LAD		 2304 skb->priority = priority;
2305
1c2acffb
GP		 2306 /* Create L2CAP header */
2307 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2308 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2309 lh->len = cpu_to_le16(len);
1c2acffb 2310
0952a57a 2311 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2312 if (unlikely(err < 0)) {
2313 kfree_skb(skb);
2314 return ERR_PTR(err);
2315 }
2316 return skb;
2317}
2318
ab0ff76d 2319static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2320 struct msghdr *msg, size_t len,
2321 u16 sdulen)
1c2acffb 2322{
8c1d787b 2323 struct l2cap_conn *conn = chan->conn;
1c2acffb 2324 struct sk_buff *skb;
e4ca6d98 2325 int err, count, hlen;
1c2acffb
GP		 2326 struct l2cap_hdr *lh;
2327
b4400672 2328 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2329
0ee0d208
GP		 2330 if (!conn)
2331 return ERR_PTR(-ENOTCONN);
2332
ba7aa64f 2333 hlen = __ertm_hdr_size(chan);
e4ca6d98 2334
c74e560c 2335 if (sdulen)
03a51213 2336 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2337
47d1ec61 2338 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2339 hlen += L2CAP_FCS_SIZE;
fcc203c3 2340
1c2acffb 2341 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2342
2343 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2344 msg->msg_flags & MSG_DONTWAIT);
2345 if (IS_ERR(skb))
2346 return skb;
1c2acffb
GP		 2347
2348 /* Create L2CAP header */
2349 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2350 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2351 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2352
18a48e76
MM		 2353 /* Control header is populated later */
2354 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2355 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2356 else
2357 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2358
c74e560c 2359 if (sdulen)
03a51213 2360 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2361
0952a57a 2362 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2363 if (unlikely(err < 0)) {
2364 kfree_skb(skb);
2365 return ERR_PTR(err);
2366 }
e90bac06 2367
18a48e76 2368 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2369 bt_cb(skb)->control.retries = 0;
1c2acffb 2370 return skb;
1da177e4
LT		 2371}
2372
94122bbe
MM		 2373static int l2cap_segment_sdu(struct l2cap_chan *chan,
2374 struct sk_buff_head *seg_queue,
2375 struct msghdr *msg, size_t len)
c74e560c 2376{
c74e560c 2377 struct sk_buff *skb;
94122bbe
MM		 2378 u16 sdu_len;
2379 size_t pdu_len;
94122bbe 2380 u8 sar;
c74e560c 2381
b4400672 2382 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2383
94122bbe
MM		 2384 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2385 * so fragmented skbs are not used. The HCI layer's handling
2386 * of fragmented skbs is not compatible with ERTM's queueing.
2387 */
c74e560c 2388
94122bbe
MM		 2389 /* PDU size is derived from the HCI MTU */
2390 pdu_len = chan->conn->mtu;
c74e560c 2391
a549574d
MM		 2392 /* Constrain PDU size for BR/EDR connections */
2393 if (!chan->hs_hcon)
2394 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2395
2396 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2397 if (chan->fcs)
2398 pdu_len -= L2CAP_FCS_SIZE;
2399
ba7aa64f 2400 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2401
2402 /* Remote device may have requested smaller PDUs */
2403 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2404
2405 if (len <= pdu_len) {
2406 sar = L2CAP_SAR_UNSEGMENTED;
2407 sdu_len = 0;
2408 pdu_len = len;
2409 } else {
2410 sar = L2CAP_SAR_START;
2411 sdu_len = len;
2412 pdu_len -= L2CAP_SDULEN_SIZE;
2413 }
2414
2415 while (len > 0) {
2416 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2417
c74e560c 2418 if (IS_ERR(skb)) {
94122bbe 2419 __skb_queue_purge(seg_queue);
c74e560c
GP		 2420 return PTR_ERR(skb);
2421 }
2422
94122bbe
MM		 2423 bt_cb(skb)->control.sar = sar;
2424 __skb_queue_tail(seg_queue, skb);
2425
2426 len -= pdu_len;
2427 if (sdu_len) {
2428 sdu_len = 0;
2429 pdu_len += L2CAP_SDULEN_SIZE;
2430 }
2431
2432 if (len <= pdu_len) {
2433 sar = L2CAP_SAR_END;
2434 pdu_len = len;
2435 } else {
2436 sar = L2CAP_SAR_CONTINUE;
2437 }
c74e560c 2438 }
c74e560c 2439
f0f62799 2440 return 0;
c74e560c
GP		 2441}
2442
5e59b791 2443int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2444 u32 priority)
9a91a04a 2445{
9a91a04a 2446 struct sk_buff *skb;
9a91a04a 2447 int err;
94122bbe 2448 struct sk_buff_head seg_queue;
9a91a04a
GP		 2449
2450 /* Connectionless channel */
715ec005 2451 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2452 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2453 if (IS_ERR(skb))
2454 return PTR_ERR(skb);
2455
2456 l2cap_do_send(chan, skb);
2457 return len;
2458 }
2459
2460 switch (chan->mode) {
2461 case L2CAP_MODE_BASIC:
2462 /* Check outgoing MTU */
2463 if (len > chan->omtu)
2464 return -EMSGSIZE;
2465
2466 /* Create a basic PDU */
5e59b791 2467 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2468 if (IS_ERR(skb))
2469 return PTR_ERR(skb);
2470
2471 l2cap_do_send(chan, skb);
2472 err = len;
2473 break;
2474
2475 case L2CAP_MODE_ERTM:
2476 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2477 /* Check outgoing MTU */
2478 if (len > chan->omtu) {
2479 err = -EMSGSIZE;
2480 break;
2481 }
9a91a04a 2482
94122bbe 2483 __skb_queue_head_init(&seg_queue);
9a91a04a 2484
94122bbe
MM		 2485 /* Do segmentation before calling in to the state machine,
2486 * since it's possible to block while waiting for memory
2487 * allocation.
2488 */
2489 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2490
94122bbe
MM		 2491 /* The channel could have been closed while segmenting,
2492 * check that it is still connected.
2493 */
2494 if (chan->state != BT_CONNECTED) {
2495 __skb_queue_purge(&seg_queue);
2496 err = -ENOTCONN;
9a91a04a
GP		 2497 }
2498
94122bbe 2499 if (err)
9a91a04a 2500 break;
9a91a04a 2501
3733937d 2502 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2503 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2504 else
d660366d 2505 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2506
d660366d 2507 err = len;
9a91a04a 2508
94122bbe
MM		 2509 /* If the skbs were not queued for sending, they'll still be in
2510 * seg_queue and need to be purged.
2511 */
2512 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2513 break;
2514
2515 default:
2516 BT_DBG("bad state %1.1x", chan->mode);
2517 err = -EBADFD;
2518 }
2519
2520 return err;
2521}
2522
d2a7ac5d
MM		 2523static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2524{
bed68bde
MM		 2525 struct l2cap_ctrl control;
2526 u16 seq;
2527
b4400672 2528 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2529
2530 memset(&control, 0, sizeof(control));
2531 control.sframe = 1;
2532 control.super = L2CAP_SUPER_SREJ;
2533
2534 for (seq = chan->expected_tx_seq; seq != txseq;
2535 seq = __next_seq(chan, seq)) {
2536 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2537 control.reqseq = seq;
2538 l2cap_send_sframe(chan, &control);
2539 l2cap_seq_list_append(&chan->srej_list, seq);
2540 }
2541 }
2542
2543 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2544}
2545
2546static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2547{
bed68bde
MM		 2548 struct l2cap_ctrl control;
2549
2550 BT_DBG("chan %p", chan);
2551
2552 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2553 return;
2554
2555 memset(&control, 0, sizeof(control));
2556 control.sframe = 1;
2557 control.super = L2CAP_SUPER_SREJ;
2558 control.reqseq = chan->srej_list.tail;
2559 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2560}
2561
2562static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2563{
bed68bde
MM		 2564 struct l2cap_ctrl control;
2565 u16 initial_head;
2566 u16 seq;
2567
b4400672 2568 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2569
2570 memset(&control, 0, sizeof(control));
2571 control.sframe = 1;
2572 control.super = L2CAP_SUPER_SREJ;
2573
2574 /* Capture initial list head to allow only one pass through the list. */
2575 initial_head = chan->srej_list.head;
2576
2577 do {
2578 seq = l2cap_seq_list_pop(&chan->srej_list);
2579 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2580 break;
2581
2582 control.reqseq = seq;
2583 l2cap_send_sframe(chan, &control);
2584 l2cap_seq_list_append(&chan->srej_list, seq);
2585 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2586}
2587
608bcc6d
MM		 2588static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2589{
2590 struct sk_buff *acked_skb;
2591 u16 ackseq;
2592
b4400672 2593 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2594
2595 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2596 return;
2597
b4400672 2598 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2599 chan->expected_ack_seq, chan->unacked_frames);
2600
2601 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2602 ackseq = __next_seq(chan, ackseq)) {
2603
2604 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2605 if (acked_skb) {
2606 skb_unlink(acked_skb, &chan->tx_q);
2607 kfree_skb(acked_skb);
2608 chan->unacked_frames--;
2609 }
2610 }
2611
2612 chan->expected_ack_seq = reqseq;
2613
2614 if (chan->unacked_frames == 0)
2615 __clear_retrans_timer(chan);
2616
b4400672 2617 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2618}
2619
2620static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2621{
2622 BT_DBG("chan %p", chan);
2623
2624 chan->expected_tx_seq = chan->buffer_seq;
2625 l2cap_seq_list_clear(&chan->srej_list);
2626 skb_queue_purge(&chan->srej_q);
2627 chan->rx_state = L2CAP_RX_STATE_RECV;
2628}
2629
d660366d
GP		 2630static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2631 struct l2cap_ctrl *control,
2632 struct sk_buff_head *skbs, u8 event)
608bcc6d 2633{
608bcc6d
MM		 2634 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2635 event);
2636
2637 switch (event) {
2638 case L2CAP_EV_DATA_REQUEST:
2639 if (chan->tx_send_head == NULL)
2640 chan->tx_send_head = skb_peek(skbs);
2641
2642 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2643 l2cap_ertm_send(chan);
2644 break;
2645 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2646 BT_DBG("Enter LOCAL_BUSY");
2647 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2648
2649 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2650 /* The SREJ_SENT state must be aborted if we are to
2651 * enter the LOCAL_BUSY state.
2652 */
2653 l2cap_abort_rx_srej_sent(chan);
2654 }
2655
2656 l2cap_send_ack(chan);
2657
2658 break;
2659 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2660 BT_DBG("Exit LOCAL_BUSY");
2661 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2662
2663 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2664 struct l2cap_ctrl local_control;
2665
2666 memset(&local_control, 0, sizeof(local_control));
2667 local_control.sframe = 1;
2668 local_control.super = L2CAP_SUPER_RR;
2669 local_control.poll = 1;
2670 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2671 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2672
2673 chan->retry_count = 1;
2674 __set_monitor_timer(chan);
2675 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2676 }
2677 break;
2678 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2679 l2cap_process_reqseq(chan, control->reqseq);
2680 break;
2681 case L2CAP_EV_EXPLICIT_POLL:
2682 l2cap_send_rr_or_rnr(chan, 1);
2683 chan->retry_count = 1;
2684 __set_monitor_timer(chan);
2685 __clear_ack_timer(chan);
2686 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2687 break;
2688 case L2CAP_EV_RETRANS_TO:
2689 l2cap_send_rr_or_rnr(chan, 1);
2690 chan->retry_count = 1;
2691 __set_monitor_timer(chan);
2692 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2693 break;
2694 case L2CAP_EV_RECV_FBIT:
2695 /* Nothing to process */
2696 break;
2697 default:
2698 break;
2699 }
608bcc6d
MM		 2700}
2701
d660366d
GP		 2702static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2703 struct l2cap_ctrl *control,
2704 struct sk_buff_head *skbs, u8 event)
608bcc6d 2705{
608bcc6d
MM		 2706 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2707 event);
2708
2709 switch (event) {
2710 case L2CAP_EV_DATA_REQUEST:
2711 if (chan->tx_send_head == NULL)
2712 chan->tx_send_head = skb_peek(skbs);
2713 /* Queue data, but don't send. */
2714 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2715 break;
2716 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2717 BT_DBG("Enter LOCAL_BUSY");
2718 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2719
2720 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2721 /* The SREJ_SENT state must be aborted if we are to
2722 * enter the LOCAL_BUSY state.
2723 */
2724 l2cap_abort_rx_srej_sent(chan);
2725 }
2726
2727 l2cap_send_ack(chan);
2728
2729 break;
2730 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2731 BT_DBG("Exit LOCAL_BUSY");
2732 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2733
2734 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2735 struct l2cap_ctrl local_control;
2736 memset(&local_control, 0, sizeof(local_control));
2737 local_control.sframe = 1;
2738 local_control.super = L2CAP_SUPER_RR;
2739 local_control.poll = 1;
2740 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2741 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2742
2743 chan->retry_count = 1;
2744 __set_monitor_timer(chan);
2745 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2746 }
2747 break;
2748 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2749 l2cap_process_reqseq(chan, control->reqseq);
2750
2751 /* Fall through */
2752
2753 case L2CAP_EV_RECV_FBIT:
2754 if (control && control->final) {
2755 __clear_monitor_timer(chan);
2756 if (chan->unacked_frames > 0)
2757 __set_retrans_timer(chan);
2758 chan->retry_count = 0;
2759 chan->tx_state = L2CAP_TX_STATE_XMIT;
2760 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2761 }
2762 break;
2763 case L2CAP_EV_EXPLICIT_POLL:
2764 /* Ignore */
2765 break;
2766 case L2CAP_EV_MONITOR_TO:
2767 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2768 l2cap_send_rr_or_rnr(chan, 1);
2769 __set_monitor_timer(chan);
2770 chan->retry_count++;
2771 } else {
5e4e3972 2772 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2773 }
2774 break;
2775 default:
2776 break;
2777 }
608bcc6d
MM		 2778}
2779
d660366d
GP		 2780static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2781 struct sk_buff_head *skbs, u8 event)
608bcc6d 2782{
608bcc6d
MM		 2783 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2784 chan, control, skbs, event, chan->tx_state);
2785
2786 switch (chan->tx_state) {
2787 case L2CAP_TX_STATE_XMIT:
d660366d 2788 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2789 break;
2790 case L2CAP_TX_STATE_WAIT_F:
d660366d 2791 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2792 break;
2793 default:
2794 /* Ignore event */
2795 break;
2796 }
608bcc6d
MM		 2797}
2798
4b51dae9
MM		 2799static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2800 struct l2cap_ctrl *control)
2801{
2802 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2803 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2804}
2805
f80842a8
MM		 2806static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2807 struct l2cap_ctrl *control)
2808{
2809 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2810 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2811}
2812
1da177e4
LT		 2813/* Copy frame to all raw sockets on that connection */
2814static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2815{
1da177e4 2816 struct sk_buff *nskb;
48454079 2817 struct l2cap_chan *chan;
1da177e4
LT		 2818
2819 BT_DBG("conn %p", conn);
2820
3df91ea2 2821 mutex_lock(&conn->chan_lock);
3d57dc68 2822
3df91ea2 2823 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2824 struct sock *sk = chan->sk;
715ec005 2825 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2826 continue;
2827
2828 /* Don't send frame to the socket it came from */
2829 if (skb->sk == sk)
2830 continue;
8bcde1f2 2831 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2832 if (!nskb)
1da177e4
LT		 2833 continue;
2834
80b98027 2835 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2836 kfree_skb(nskb);
2837 }
3d57dc68 2838
3df91ea2 2839 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2840}
2841
2842/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2843static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2844 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2845{
2846 struct sk_buff *skb, **frag;
2847 struct l2cap_cmd_hdr *cmd;
2848 struct l2cap_hdr *lh;
2849 int len, count;
2850
b4400672
AE		 2851 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2852 conn, code, ident, dlen);
1da177e4 2853
300b962e
AL		 2854 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2855 return NULL;
2856
1da177e4
LT		 2857 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2858 count = min_t(unsigned int, conn->mtu, len);
2859
8bcde1f2 2860 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2861 if (!skb)
2862 return NULL;
2863
2864 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2865 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2866
2867 if (conn->hcon->type == LE_LINK)
ac73498c 2868 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2869 else
ac73498c 2870 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2871
2872 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2873 cmd->code = code;
2874 cmd->ident = ident;
aca3192c 2875 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2876
2877 if (dlen) {
2878 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2879 memcpy(skb_put(skb, count), data, count);
2880 data += count;
2881 }
2882
2883 len -= skb->len;
2884
2885 /* Continuation fragments (no L2CAP header) */
2886 frag = &skb_shinfo(skb)->frag_list;
2887 while (len) {
2888 count = min_t(unsigned int, conn->mtu, len);
2889
8bcde1f2 2890 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2891 if (!*frag)
2892 goto fail;
2893
2894 memcpy(skb_put(*frag, count), data, count);
2895
2896 len -= count;
2897 data += count;
2898
2899 frag = &(*frag)->next;
2900 }
2901
2902 return skb;
2903
2904fail:
2905 kfree_skb(skb);
2906 return NULL;
2907}
2908
2d792818
GP		 2909static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2910 unsigned long *val)
1da177e4
LT		 2911{
2912 struct l2cap_conf_opt *opt = *ptr;
2913 int len;
2914
2915 len = L2CAP_CONF_OPT_SIZE + opt->len;
2916 *ptr += len;
2917
2918 *type = opt->type;
2919 *olen = opt->len;
2920
2921 switch (opt->len) {
2922 case 1:
2923 *val = *((u8 *) opt->val);
2924 break;
2925
2926 case 2:
bfaaeb3e 2927 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2928 break;
2929
2930 case 4:
bfaaeb3e 2931 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2932 break;
2933
2934 default:
2935 *val = (unsigned long) opt->val;
2936 break;
2937 }
2938
b4400672 2939 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2940 return len;
2941}
2942
1da177e4
LT		 2943static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2944{
2945 struct l2cap_conf_opt *opt = *ptr;
2946
b4400672 2947 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2948
2949 opt->type = type;
2950 opt->len = len;
2951
2952 switch (len) {
2953 case 1:
2954 *((u8 *) opt->val) = val;
2955 break;
2956
2957 case 2:
4f8b691c 2958 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2959 break;
2960
2961 case 4:
4f8b691c 2962 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2963 break;
2964
2965 default:
2966 memcpy(opt->val, (void *) val, len);
2967 break;
2968 }
2969
2970 *ptr += L2CAP_CONF_OPT_SIZE + len;
2971}
2972
f89cef09
AE		 2973static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2974{
2975 struct l2cap_conf_efs efs;
2976
1ec918ce 2977 switch (chan->mode) {
f89cef09
AE		 2978 case L2CAP_MODE_ERTM:
2979 efs.id = chan->local_id;
2980 efs.stype = chan->local_stype;
2981 efs.msdu = cpu_to_le16(chan->local_msdu);
2982 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2983 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2984 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2985 break;
2986
2987 case L2CAP_MODE_STREAMING:
2988 efs.id = 1;
2989 efs.stype = L2CAP_SERV_BESTEFFORT;
2990 efs.msdu = cpu_to_le16(chan->local_msdu);
2991 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2992 efs.acc_lat = 0;
2993 efs.flush_to = 0;
2994 break;
2995
2996 default:
2997 return;
2998 }
2999
3000 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3001 (unsigned long) &efs);
f89cef09
AE		 3002}
3003
721c4181 3004static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3005{
721c4181 3006 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3007 ack_timer.work);
3008 u16 frames_to_ack;
c1b4f43b 3009
2fb9b3d4
GP		 3010 BT_DBG("chan %p", chan);
3011
6be36555
AE		 3012 l2cap_chan_lock(chan);
3013
0362520b
MM		 3014 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3015 chan->last_acked_seq);
6be36555 3016
0362520b
MM		 3017 if (frames_to_ack)
3018 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3019
0362520b 3020 l2cap_chan_unlock(chan);
09bfb2ee 3021 l2cap_chan_put(chan);
c1b4f43b
GP		 3022}
3023
466f8004 3024int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3025{
3c588192
MM		 3026 int err;
3027
105bdf9e
MM		 3028 chan->next_tx_seq = 0;
3029 chan->expected_tx_seq = 0;
42e5c802 3030 chan->expected_ack_seq = 0;
6a026610 3031 chan->unacked_frames = 0;
42e5c802 3032 chan->buffer_seq = 0;
6a026610 3033 chan->frames_sent = 0;
105bdf9e
MM		 3034 chan->last_acked_seq = 0;
3035 chan->sdu = NULL;
3036 chan->sdu_last_frag = NULL;
3037 chan->sdu_len = 0;
3038
d34c34fb
MM		 3039 skb_queue_head_init(&chan->tx_q);
3040
08333283
MM		 3041 chan->local_amp_id = 0;
3042 chan->move_id = 0;
3043 chan->move_state = L2CAP_MOVE_STABLE;
3044 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3045
105bdf9e
MM		 3046 if (chan->mode != L2CAP_MODE_ERTM)
3047 return 0;
3048
3049 chan->rx_state = L2CAP_RX_STATE_RECV;
3050 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3051
721c4181
GP		 3052 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3053 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3054 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3055
f1c6775b 3056 skb_queue_head_init(&chan->srej_q);
1890d36b 3057
3c588192
MM		 3058 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3059 if (err < 0)
3060 return err;
3061
9dc9affc
MM		 3062 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3063 if (err < 0)
3064 l2cap_seq_list_free(&chan->srej_list);
3065
3066 return err;
0565c1c2
GP		 3067}
3068
f2fcfcd6
GP		 3069static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3070{
3071 switch (mode) {
3072 case L2CAP_MODE_STREAMING:
3073 case L2CAP_MODE_ERTM:
3074 if (l2cap_mode_supported(mode, remote_feat_mask))
3075 return mode;
3076 /* fall through */
3077 default:
3078 return L2CAP_MODE_BASIC;
3079 }
3080}
3081
6327eb98
AE		 3082static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
3083{
3084 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3085}
3086
f89cef09
AE		 3087static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
3088{
3089 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3090}
3091
36c86c85
MM		 3092static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3093 struct l2cap_conf_rfc *rfc)
3094{
3095 if (chan->local_amp_id && chan->hs_hcon) {
3096 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3097
3098 /* Class 1 devices have must have ERTM timeouts
3099 * exceeding the Link Supervision Timeout. The
3100 * default Link Supervision Timeout for AMP
3101 * controllers is 10 seconds.
3102 *
3103 * Class 1 devices use 0xffffffff for their
3104 * best-effort flush timeout, so the clamping logic
3105 * will result in a timeout that meets the above
3106 * requirement. ERTM timeouts are 16-bit values, so
3107 * the maximum timeout is 65.535 seconds.
3108 */
3109
3110 /* Convert timeout to milliseconds and round */
3111 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3112
3113 /* This is the recommended formula for class 2 devices
3114 * that start ERTM timers when packets are sent to the
3115 * controller.
3116 */
3117 ertm_to = 3 * ertm_to + 500;
3118
3119 if (ertm_to > 0xffff)
3120 ertm_to = 0xffff;
3121
3122 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3123 rfc->monitor_timeout = rfc->retrans_timeout;
3124 } else {
3125 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3126 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3127 }
3128}
3129
6327eb98
AE		 3130static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3131{
3132 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3133 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3134 /* use extended control field */
3135 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3136 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3137 } else {
6327eb98 3138 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3139 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3140 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3141 }
c20f8e35 3142 chan->ack_win = chan->tx_win;
6327eb98
AE		 3143}
3144
710f9b0a 3145static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3146{
1da177e4 3147 struct l2cap_conf_req *req = data;
0c1bc5c6 3148 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3149 void *ptr = req->data;
c8f79162 3150 u16 size;
1da177e4 3151
49208c9c 3152 BT_DBG("chan %p", chan);
1da177e4 3153
73ffa904 3154 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3155 goto done;
3156
0c1bc5c6 3157 switch (chan->mode) {
f2fcfcd6
GP		 3158 case L2CAP_MODE_STREAMING:
3159 case L2CAP_MODE_ERTM:
c1360a1c 3160 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3161 break;
85eb53c6 3162
f89cef09
AE		 3163 if (__l2cap_efs_supported(chan))
3164 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3165
2ba13ed6 3166 /* fall through */
f2fcfcd6 3167 default:
8c1d787b 3168 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3169 break;
3170 }
3171
3172done:
0c1bc5c6
GP		 3173 if (chan->imtu != L2CAP_DEFAULT_MTU)
3174 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3175
0c1bc5c6 3176 switch (chan->mode) {
65c7c491 3177 case L2CAP_MODE_BASIC:
8c1d787b 3178 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3179 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3180 break;
3181
62547752
GP		 3182 rfc.mode = L2CAP_MODE_BASIC;
3183 rfc.txwin_size = 0;
3184 rfc.max_transmit = 0;
3185 rfc.retrans_timeout = 0;
3186 rfc.monitor_timeout = 0;
3187 rfc.max_pdu_size = 0;
3188
63406504 3189 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3190 (unsigned long) &rfc);
65c7c491
MH		 3191 break;
3192
3193 case L2CAP_MODE_ERTM:
3194 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3195 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3196
3197 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3198
3199 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3200 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3201 L2CAP_FCS_SIZE);
c8f79162 3202 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3203
6327eb98
AE		 3204 l2cap_txwin_setup(chan);
3205
3206 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3207 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3208
63406504 3209 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3210 (unsigned long) &rfc);
63406504 3211
f89cef09
AE		 3212 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3213 l2cap_add_opt_efs(&ptr, chan);
3214
6327eb98
AE		 3215 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3216 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3217 chan->tx_win);
60918918
AE		 3218
3219 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3220 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3221 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3222 chan->fcs = L2CAP_FCS_NONE;
3223 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3224 chan->fcs);
3225 }
f2fcfcd6
GP		 3226 break;
3227
3228 case L2CAP_MODE_STREAMING:
273759e2 3229 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3230 rfc.mode = L2CAP_MODE_STREAMING;
3231 rfc.txwin_size = 0;
3232 rfc.max_transmit = 0;
3233 rfc.retrans_timeout = 0;
3234 rfc.monitor_timeout = 0;
c8f79162
AE		 3235
3236 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3237 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3238 L2CAP_FCS_SIZE);
c8f79162 3239 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3240
63406504 3241 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3242 (unsigned long) &rfc);
63406504 3243
f89cef09
AE		 3244 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3245 l2cap_add_opt_efs(&ptr, chan);
3246
60918918
AE		 3247 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3248 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3249 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3250 chan->fcs = L2CAP_FCS_NONE;
3251 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3252 chan->fcs);
3253 }
65c7c491
MH		 3254 break;
3255 }
1da177e4 3256
fe4128e0 3257 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3258 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3259
3260 return ptr - data;
3261}
3262
73ffa904 3263static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3264{
5dee9e7c
MH		 3265 struct l2cap_conf_rsp *rsp = data;
3266 void *ptr = rsp->data;
73ffa904
GP		 3267 void *req = chan->conf_req;
3268 int len = chan->conf_len;
5dee9e7c
MH		 3269 int type, hint, olen;
3270 unsigned long val;
6464f35f 3271 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3272 struct l2cap_conf_efs efs;
3273 u8 remote_efs = 0;
861d6882 3274 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3275 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3276 u16 size;
1da177e4 3277
73ffa904 3278 BT_DBG("chan %p", chan);
820ae1b8 3279
5dee9e7c
MH		 3280 while (len >= L2CAP_CONF_OPT_SIZE) {
3281 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3282
589d2746 3283 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3284 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3285
3286 switch (type) {
3287 case L2CAP_CONF_MTU:
861d6882 3288 mtu = val;
5dee9e7c
MH		 3289 break;
3290
3291 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3292 chan->flush_to = val;
5dee9e7c
MH		 3293 break;
3294
3295 case L2CAP_CONF_QOS:
3296 break;
3297
6464f35f
MH		 3298 case L2CAP_CONF_RFC:
3299 if (olen == sizeof(rfc))
3300 memcpy(&rfc, (void *) val, olen);
3301 break;
3302
fcc203c3
GP		 3303 case L2CAP_CONF_FCS:
3304 if (val == L2CAP_FCS_NONE)
f2592d3e 3305 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3306 break;
fcc203c3 3307
42dceae2
AE		 3308 case L2CAP_CONF_EFS:
3309 remote_efs = 1;
3310 if (olen == sizeof(efs))
3311 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3312 break;
3313
6327eb98
AE		 3314 case L2CAP_CONF_EWS:
3315 if (!enable_hs)
3316 return -ECONNREFUSED;
fcc203c3 3317
6327eb98
AE		 3318 set_bit(FLAG_EXT_CTRL, &chan->flags);
3319 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3320 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3321 chan->remote_tx_win = val;
fcc203c3
GP		 3322 break;
3323
5dee9e7c
MH		 3324 default:
3325 if (hint)
3326 break;
3327
3328 result = L2CAP_CONF_UNKNOWN;
3329 *((u8 *) ptr++) = type;
3330 break;
3331 }
3332 }
3333
73ffa904 3334 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3335 goto done;
3336
0c1bc5c6 3337 switch (chan->mode) {
f2fcfcd6
GP		 3338 case L2CAP_MODE_STREAMING:
3339 case L2CAP_MODE_ERTM:
c1360a1c 3340 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3341 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3342 chan->conn->feat_mask);
85eb53c6
GP		 3343 break;
3344 }
3345
42dceae2
AE		 3346 if (remote_efs) {
3347 if (__l2cap_efs_supported(chan))
3348 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3349 else
3350 return -ECONNREFUSED;
3351 }
3352
0c1bc5c6 3353 if (chan->mode != rfc.mode)
f2fcfcd6 3354 return -ECONNREFUSED;
742e519b 3355
f2fcfcd6 3356 break;
f2fcfcd6
GP		 3357 }
3358
3359done:
0c1bc5c6 3360 if (chan->mode != rfc.mode) {
f2fcfcd6 3361 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3362 rfc.mode = chan->mode;
f2fcfcd6 3363
73ffa904 3364 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3365 return -ECONNREFUSED;
3366
2d792818
GP		 3367 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3368 (unsigned long) &rfc);
f2fcfcd6
GP		 3369 }
3370
5dee9e7c
MH		 3371 if (result == L2CAP_CONF_SUCCESS) {
3372 /* Configure output options and let the other side know
3373 * which ones we don't like. */
3374
f2fcfcd6
GP		 3375 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3376 result = L2CAP_CONF_UNACCEPT;
3377 else {
0c1bc5c6 3378 chan->omtu = mtu;
c1360a1c 3379 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3380 }
0c1bc5c6 3381 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3382
42dceae2
AE		 3383 if (remote_efs) {
3384 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3385 efs.stype != L2CAP_SERV_NOTRAFIC &&
3386 efs.stype != chan->local_stype) {
42dceae2
AE		 3387
3388 result = L2CAP_CONF_UNACCEPT;
3389
3390 if (chan->num_conf_req >= 1)
3391 return -ECONNREFUSED;
3392
3393 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3394 sizeof(efs),
3395 (unsigned long) &efs);
0e8b207e 3396 } else {
3e6b3b95 3397 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3398 result = L2CAP_CONF_PENDING;
3399 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3400 }
3401 }
3402
f2fcfcd6
GP		 3403 switch (rfc.mode) {
3404 case L2CAP_MODE_BASIC:
47d1ec61 3405 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3406 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3407 break;
3408
3409 case L2CAP_MODE_ERTM:
6327eb98
AE		 3410 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3411 chan->remote_tx_win = rfc.txwin_size;
3412 else
3413 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3414
2c03a7a4 3415 chan->remote_max_tx = rfc.max_transmit;
1c762159 3416
c8f79162 3417 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3418 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3419 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3420 rfc.max_pdu_size = cpu_to_le16(size);
3421 chan->remote_mps = size;
f2fcfcd6 3422
36c86c85 3423 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3424
c1360a1c 3425 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3426
3427 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3428 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3429
42dceae2
AE		 3430 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3431 chan->remote_id = efs.id;
3432 chan->remote_stype = efs.stype;
3433 chan->remote_msdu = le16_to_cpu(efs.msdu);
3434 chan->remote_flush_to =
2d792818 3435 le32_to_cpu(efs.flush_to);
42dceae2 3436 chan->remote_acc_lat =
2d792818 3437 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3438 chan->remote_sdu_itime =
3439 le32_to_cpu(efs.sdu_itime);
3440 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3441 sizeof(efs),
3442 (unsigned long) &efs);
42dceae2 3443 }
f2fcfcd6
GP		 3444 break;
3445
3446 case L2CAP_MODE_STREAMING:
c8f79162 3447 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3448 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3449 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3450 rfc.max_pdu_size = cpu_to_le16(size);
3451 chan->remote_mps = size;
f2fcfcd6 3452
c1360a1c 3453 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3454
2d792818
GP		 3455 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3456 (unsigned long) &rfc);
68ae6639 3457
f2fcfcd6
GP		 3458 break;
3459
3460 default:
5dee9e7c 3461 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3462
6464f35f 3463 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3464 rfc.mode = chan->mode;
f2fcfcd6 3465 }
6464f35f 3466
f2fcfcd6 3467 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3468 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3469 }
fe4128e0 3470 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3471 rsp->result = cpu_to_le16(result);
59e54bd1 3472 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3473
3474 return ptr - data;
1da177e4
LT		 3475}
3476
2d792818
GP		 3477static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3478 void *data, u16 *result)
f2fcfcd6 3479{
f2fcfcd6
GP		 3480 struct l2cap_conf_req *req = data;
3481 void *ptr = req->data;
3482 int type, olen;
3483 unsigned long val;
36e999a8 3484 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3485 struct l2cap_conf_efs efs;
f2fcfcd6 3486
fe4128e0 3487 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3488
3489 while (len >= L2CAP_CONF_OPT_SIZE) {
3490 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3491
3492 switch (type) {
3493 case L2CAP_CONF_MTU:
3494 if (val < L2CAP_DEFAULT_MIN_MTU) {
3495 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3496 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3497 } else
0c1bc5c6
GP		 3498 chan->imtu = val;
3499 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3500 break;
3501
3502 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3503 chan->flush_to = val;
f2fcfcd6 3504 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3505 2, chan->flush_to);
f2fcfcd6
GP		 3506 break;
3507
3508 case L2CAP_CONF_RFC:
3509 if (olen == sizeof(rfc))
3510 memcpy(&rfc, (void *)val, olen);
3511
c1360a1c 3512 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3513 rfc.mode != chan->mode)
f2fcfcd6
GP		 3514 return -ECONNREFUSED;
3515
47d1ec61 3516 chan->fcs = 0;
f2fcfcd6
GP		 3517
3518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3519 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3520 break;
6327eb98
AE		 3521
3522 case L2CAP_CONF_EWS:
c20f8e35 3523 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3524 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3525 chan->tx_win);
6327eb98 3526 break;
66af7aaf
AE		 3527
3528 case L2CAP_CONF_EFS:
3529 if (olen == sizeof(efs))
3530 memcpy(&efs, (void *)val, olen);
3531
3532 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3533 efs.stype != L2CAP_SERV_NOTRAFIC &&
3534 efs.stype != chan->local_stype)
66af7aaf
AE		 3535 return -ECONNREFUSED;
3536
2d792818
GP		 3537 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3538 (unsigned long) &efs);
66af7aaf 3539 break;
cbabee78
AE		 3540
3541 case L2CAP_CONF_FCS:
3542 if (*result == L2CAP_CONF_PENDING)
3543 if (val == L2CAP_FCS_NONE)
f2592d3e 3544 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3545 &chan->conf_state);
3546 break;
f2fcfcd6
GP		 3547 }
3548 }
3549
0c1bc5c6 3550 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3551 return -ECONNREFUSED;
3552
0c1bc5c6 3553 chan->mode = rfc.mode;
6c2ea7a8 3554
0e8b207e 3555 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3556 switch (rfc.mode) {
3557 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3558 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3559 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3560 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3561 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3562 chan->ack_win = min_t(u16, chan->ack_win,
3563 rfc.txwin_size);
66af7aaf
AE		 3564
3565 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3566 chan->local_msdu = le16_to_cpu(efs.msdu);
3567 chan->local_sdu_itime =
2d792818 3568 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3569 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3570 chan->local_flush_to =
2d792818 3571 le32_to_cpu(efs.flush_to);
66af7aaf 3572 }
f2fcfcd6 3573 break;
66af7aaf 3574
f2fcfcd6 3575 case L2CAP_MODE_STREAMING:
47d1ec61 3576 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3577 }
3578 }
3579
fe4128e0 3580 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3581 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3582
3583 return ptr - data;
3584}
3585
2d792818
GP		 3586static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3587 u16 result, u16 flags)
1da177e4
LT		 3588{
3589 struct l2cap_conf_rsp *rsp = data;
3590 void *ptr = rsp->data;
1da177e4 3591
fe4128e0 3592 BT_DBG("chan %p", chan);
1da177e4 3593
fe4128e0 3594 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3595 rsp->result = cpu_to_le16(result);
aca3192c 3596 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3597
3598 return ptr - data;
3599}
3600
8c1d787b 3601void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3602{
3603 struct l2cap_conn_rsp rsp;
8c1d787b 3604 struct l2cap_conn *conn = chan->conn;
710f9b0a 3605 u8 buf[128];
439f34ac 3606 u8 rsp_code;
710f9b0a 3607
fe4128e0
GP		 3608 rsp.scid = cpu_to_le16(chan->dcid);
3609 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3610 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3611 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3612
3613 if (chan->hs_hcon)
3614 rsp_code = L2CAP_CREATE_CHAN_RSP;
3615 else
3616 rsp_code = L2CAP_CONN_RSP;
3617
3618 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3619
3620 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3621
c1360a1c 3622 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3623 return;
3624
710f9b0a 3625 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3626 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3627 chan->num_conf_req++;
3628}
3629
47d1ec61 3630static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3631{
7b1c0049
GP		 3632 int type, olen;
3633 unsigned long val;
c20f8e35
MM		 3634 /* Use sane default values in case a misbehaving remote device
3635 * did not send an RFC or extended window size option.
3636 */
3637 u16 txwin_ext = chan->ack_win;
3638 struct l2cap_conf_rfc rfc = {
3639 .mode = chan->mode,
3640 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3641 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3642 .max_pdu_size = cpu_to_le16(chan->imtu),
3643 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3644 };
7b1c0049 3645
47d1ec61 3646 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3647
0c1bc5c6 3648 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3649 return;
3650
3651 while (len >= L2CAP_CONF_OPT_SIZE) {
3652 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3653
c20f8e35
MM		 3654 switch (type) {
3655 case L2CAP_CONF_RFC:
3656 if (olen == sizeof(rfc))
3657 memcpy(&rfc, (void *)val, olen);
8f321f85 3658 break;
c20f8e35
MM		 3659 case L2CAP_CONF_EWS:
3660 txwin_ext = val;
3661 break;
3662 }
7b1c0049
GP		 3663 }
3664
7b1c0049
GP		 3665 switch (rfc.mode) {
3666 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3667 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3668 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3669 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3670 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3671 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3672 else
3673 chan->ack_win = min_t(u16, chan->ack_win,
3674 rfc.txwin_size);
7b1c0049
GP		 3675 break;
3676 case L2CAP_MODE_STREAMING:
47d1ec61 3677 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3678 }
3679}
3680
2d792818 3681static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3682 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3683 u8 *data)
4e8402a3 3684{
e2fd318e 3685 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3686
cb3b3152
JH		 3687 if (cmd_len < sizeof(*rej))
3688 return -EPROTO;
3689
e2fd318e 3690 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3691 return 0;
3692
3693 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3694 cmd->ident == conn->info_ident) {
17cd3f37 3695 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3696
3697 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3698 conn->info_ident = 0;
984947dc 3699
4e8402a3
MH		 3700 l2cap_conn_start(conn);
3701 }
3702
3703 return 0;
3704}
3705
1700915f
MM		 3706static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3707 struct l2cap_cmd_hdr *cmd,
3708 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3709{
1da177e4
LT		 3710 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3711 struct l2cap_conn_rsp rsp;
23691d75 3712 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3713 struct sock *parent, *sk = NULL;
e7c29cb1 3714 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3715
3716 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3717 __le16 psm = req->psm;
1da177e4 3718
097db76c 3719 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3720
3721 /* Check if we have socket listening on psm */
c2287681 3722 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3723 if (!pchan) {
1da177e4
LT		 3724 result = L2CAP_CR_BAD_PSM;
3725 goto sendresp;
3726 }
3727
23691d75
GP		 3728 parent = pchan->sk;
3729
3df91ea2 3730 mutex_lock(&conn->chan_lock);
aa2ac881 3731 lock_sock(parent);
e0f0cb56 3732
e7c29cb1 3733 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3734 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3735 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3736 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3737 result = L2CAP_CR_SEC_BLOCK;
3738 goto response;
3739 }
3740
1da177e4
LT		 3741 result = L2CAP_CR_NO_MEM;
3742
2dfa1003
GP		 3743 /* Check if we already have channel with that dcid */
3744 if (__l2cap_get_chan_by_dcid(conn, scid))
3745 goto response;
3746
80b98027 3747 chan = pchan->ops->new_connection(pchan);
80808e43 3748 if (!chan)
1da177e4
LT		 3749 goto response;
3750
80808e43
GP		 3751 sk = chan->sk;
3752
1da177e4
LT		 3753 hci_conn_hold(conn->hcon);
3754
1da177e4
LT		 3755 bacpy(&bt_sk(sk)->src, conn->src);
3756 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3757 chan->psm = psm;
3758 chan->dcid = scid;
1700915f 3759 chan->local_amp_id = amp_id;
1da177e4 3760
6be36555 3761 __l2cap_chan_add(conn, chan);
48454079 3762
fe4128e0 3763 dcid = chan->scid;
1da177e4 3764
c9b66675 3765 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3766
fc7f8a7e 3767 chan->ident = cmd->ident;
1da177e4 3768
984947dc 3769 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3770 if (l2cap_chan_check_security(chan)) {
c5daa683 3771 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3772 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3773 result = L2CAP_CR_PEND;
3774 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3775 chan->ops->defer(chan);
f66dc81f 3776 } else {
1700915f
MM		 3777 /* Force pending result for AMP controllers.
3778 * The connection will succeed after the
3779 * physical link is up.
3780 */
3781 if (amp_id) {
3782 __l2cap_state_change(chan, BT_CONNECT2);
3783 result = L2CAP_CR_PEND;
3784 } else {
3785 __l2cap_state_change(chan, BT_CONFIG);
3786 result = L2CAP_CR_SUCCESS;
3787 }
f66dc81f
MH		 3788 status = L2CAP_CS_NO_INFO;
3789 }
79d554a6 3790 } else {
0e587be7 3791 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3792 result = L2CAP_CR_PEND;
3793 status = L2CAP_CS_AUTHEN_PEND;
3794 }
3795 } else {
0e587be7 3796 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3797 result = L2CAP_CR_PEND;
3798 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3799 }
3800
1da177e4 3801response:
aa2ac881 3802 release_sock(parent);
3df91ea2 3803 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3804
3805sendresp:
aca3192c
YH		 3806 rsp.scid = cpu_to_le16(scid);
3807 rsp.dcid = cpu_to_le16(dcid);
3808 rsp.result = cpu_to_le16(result);
3809 rsp.status = cpu_to_le16(status);
4c89b6aa 3810 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3811
3812 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3813 struct l2cap_info_req info;
ac73498c 3814 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3815
3816 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3817 conn->info_ident = l2cap_get_ident(conn);
3818
ba13ccd9 3819 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3820
2d792818
GP		 3821 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3822 sizeof(info), &info);
79d554a6
MH		 3823 }
3824
c1360a1c 3825 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3826 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3827 u8 buf[128];
c1360a1c 3828 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3829 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3830 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3831 chan->num_conf_req++;
e9aeb2dd 3832 }
1700915f
MM		 3833
3834 return chan;
4c89b6aa 3835}
e9aeb2dd 3836
4c89b6aa 3837static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3838 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3839{
7b064eda
JK		 3840 struct hci_dev *hdev = conn->hcon->hdev;
3841 struct hci_conn *hcon = conn->hcon;
3842
cb3b3152
JH		 3843 if (cmd_len < sizeof(struct l2cap_conn_req))
3844 return -EPROTO;
3845
7b064eda
JK		 3846 hci_dev_lock(hdev);
3847 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3848 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3849 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3850 hcon->dst_type, 0, NULL, 0,
3851 hcon->dev_class);
3852 hci_dev_unlock(hdev);
3853
300229f9 3854 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3855 return 0;
3856}
3857
5909cf30 3858static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3859 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3860 u8 *data)
1da177e4
LT		 3861{
3862 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3863 u16 scid, dcid, result, status;
48454079 3864 struct l2cap_chan *chan;
1da177e4 3865 u8 req[128];
3df91ea2 3866 int err;
1da177e4 3867
cb3b3152
JH		 3868 if (cmd_len < sizeof(*rsp))
3869 return -EPROTO;
3870
1da177e4
LT		 3871 scid = __le16_to_cpu(rsp->scid);
3872 dcid = __le16_to_cpu(rsp->dcid);
3873 result = __le16_to_cpu(rsp->result);
3874 status = __le16_to_cpu(rsp->status);
3875
1b009c98 3876 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3877 dcid, scid, result, status);
1da177e4 3878
3df91ea2
AE		 3879 mutex_lock(&conn->chan_lock);
3880
1da177e4 3881 if (scid) {
3df91ea2
AE		 3882 chan = __l2cap_get_chan_by_scid(conn, scid);
3883 if (!chan) {
3884 err = -EFAULT;
3885 goto unlock;
3886 }
1da177e4 3887 } else {
3df91ea2
AE		 3888 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3889 if (!chan) {
3890 err = -EFAULT;
3891 goto unlock;
3892 }
1da177e4
LT		 3893 }
3894
3df91ea2
AE		 3895 err = 0;
3896
6be36555 3897 l2cap_chan_lock(chan);
48454079 3898
1da177e4
LT		 3899 switch (result) {
3900 case L2CAP_CR_SUCCESS:
89bc500e 3901 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3902 chan->ident = 0;
fe4128e0 3903 chan->dcid = dcid;
c1360a1c 3904 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3905
c1360a1c 3906 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3907 break;
3908
1da177e4 3909 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3910 l2cap_build_conf_req(chan, req), req);
73ffa904 3911 chan->num_conf_req++;
1da177e4
LT		 3912 break;
3913
3914 case L2CAP_CR_PEND:
c1360a1c 3915 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3916 break;
3917
3918 default:
48454079 3919 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3920 break;
3921 }
3922
6be36555 3923 l2cap_chan_unlock(chan);
3df91ea2
AE		 3924
3925unlock:
3926 mutex_unlock(&conn->chan_lock);
3927
3928 return err;
1da177e4
LT		 3929}
3930
47d1ec61 3931static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3932{
3933 /* FCS is enabled only in ERTM or streaming mode, if one or both
3934 * sides request it.
3935 */
0c1bc5c6 3936 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3937 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3938 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3939 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3940}
3941
29d8a590
AE		 3942static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3943 u8 ident, u16 flags)
3944{
3945 struct l2cap_conn *conn = chan->conn;
3946
3947 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3948 flags);
3949
3950 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3951 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3952
3953 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3954 l2cap_build_conf_rsp(chan, data,
3955 L2CAP_CONF_SUCCESS, flags), data);
3956}
3957
2d792818
GP		 3958static inline int l2cap_config_req(struct l2cap_conn *conn,
3959 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3960 u8 *data)
1da177e4
LT		 3961{
3962 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3963 u16 dcid, flags;
3964 u8 rsp[64];
48454079 3965 struct l2cap_chan *chan;
3c588192 3966 int len, err = 0;
1da177e4 3967
cb3b3152
JH		 3968 if (cmd_len < sizeof(*req))
3969 return -EPROTO;
3970
1da177e4
LT		 3971 dcid = __le16_to_cpu(req->dcid);
3972 flags = __le16_to_cpu(req->flags);
3973
3974 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3975
baa7e1fa 3976 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3977 if (!chan)
1da177e4
LT		 3978 return -ENOENT;
3979
033b1142 3980 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3981 struct l2cap_cmd_rej_cid rej;
3982
ac73498c 3983 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3984 rej.scid = cpu_to_le16(chan->scid);
3985 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3986
df6bd743 3987 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3988 sizeof(rej), &rej);
354f60a9 3989 goto unlock;
df6bd743 3990 }
354f60a9 3991
5dee9e7c 3992 /* Reject if config buffer is too small. */
88219a0f 3993 len = cmd_len - sizeof(*req);
cb3b3152 3994 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3995 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3996 l2cap_build_conf_rsp(chan, rsp,
3997 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3998 goto unlock;
3999 }
4000
4001 /* Store config. */
73ffa904
GP		 4002 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4003 chan->conf_len += len;
1da177e4 4004
59e54bd1 4005 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4006 /* Incomplete config. Send empty response. */
4007 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4008 l2cap_build_conf_rsp(chan, rsp,
4009 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4010 goto unlock;
4011 }
4012
4013 /* Complete config. */
73ffa904 4014 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4015 if (len < 0) {
5e4e3972 4016 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4017 goto unlock;
f2fcfcd6 4018 }
1da177e4 4019
1500109b 4020 chan->ident = cmd->ident;
5dee9e7c 4021 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4022 chan->num_conf_rsp++;
5dee9e7c 4023
5dee9e7c 4024 /* Reset config buffer. */
73ffa904 4025 chan->conf_len = 0;
5dee9e7c 4026
c1360a1c 4027 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4028 goto unlock;
4029
c1360a1c 4030 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4031 set_default_fcs(chan);
fcc203c3 4032
105bdf9e
MM		 4033 if (chan->mode == L2CAP_MODE_ERTM ||
4034 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4035 err = l2cap_ertm_init(chan);
4036
4037 if (err < 0)
5e4e3972 4038 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4039 else
4040 l2cap_chan_ready(chan);
0565c1c2 4041
876d9484
MH		 4042 goto unlock;
4043 }
4044
c1360a1c 4045 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4046 u8 buf[64];
1da177e4 4047 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4048 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4049 chan->num_conf_req++;
1da177e4
LT		 4050 }
4051
0e8b207e
AE		 4052 /* Got Conf Rsp PENDING from remote side and asume we sent
4053 Conf Rsp PENDING in the code above */
4054 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4055 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4056
4057 /* check compatibility */
4058
79de886d 4059 /* Send rsp for BR/EDR channel */
f351bc72 4060 if (!chan->hs_hcon)
79de886d
AE		 4061 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4062 else
4063 chan->ident = cmd->ident;
0e8b207e
AE		 4064 }
4065
1da177e4 4066unlock:
6be36555 4067 l2cap_chan_unlock(chan);
3c588192 4068 return err;
1da177e4
LT		 4069}
4070
2d792818 4071static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4072 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4073 u8 *data)
1da177e4
LT		 4074{
4075 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4076 u16 scid, flags, result;
48454079 4077 struct l2cap_chan *chan;
cb3b3152 4078 int len = cmd_len - sizeof(*rsp);
3c588192 4079 int err = 0;
1da177e4 4080
cb3b3152
JH		 4081 if (cmd_len < sizeof(*rsp))
4082 return -EPROTO;
4083
1da177e4
LT		 4084 scid = __le16_to_cpu(rsp->scid);
4085 flags = __le16_to_cpu(rsp->flags);
4086 result = __le16_to_cpu(rsp->result);
4087
61386cba
AE		 4088 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4089 result, len);
1da177e4 4090
baa7e1fa 4091 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4092 if (!chan)
1da177e4
LT		 4093 return 0;
4094
4095 switch (result) {
4096 case L2CAP_CONF_SUCCESS:
47d1ec61 4097 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4098 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4099 break;
4100
0e8b207e
AE		 4101 case L2CAP_CONF_PENDING:
4102 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4103
4104 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4105 char buf[64];
4106
4107 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4108 buf, &result);
0e8b207e 4109 if (len < 0) {
5e4e3972 4110 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4111 goto done;
4112 }
4113
f351bc72 4114 if (!chan->hs_hcon) {
79de886d
AE		 4115 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4116 0);
5ce66b59
AE		 4117 } else {
4118 if (l2cap_check_efs(chan)) {
4119 amp_create_logical_link(chan);
4120 chan->ident = cmd->ident;
4121 }
4122 }
0e8b207e
AE		 4123 }
4124 goto done;
4125
1da177e4 4126 case L2CAP_CONF_UNACCEPT:
73ffa904 4127 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4128 char req[64];
4129
c2c77ec8 4130 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4131 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4132 goto done;
4133 }
4134
f2fcfcd6
GP		 4135 /* throw out any old stored conf requests */
4136 result = L2CAP_CONF_SUCCESS;
b4450035 4137 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4138 req, &result);
f2fcfcd6 4139 if (len < 0) {
5e4e3972 4140 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4141 goto done;
4142 }
4143
4144 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4145 L2CAP_CONF_REQ, len, req);
73ffa904 4146 chan->num_conf_req++;
f2fcfcd6
GP		 4147 if (result != L2CAP_CONF_SUCCESS)
4148 goto done;
4149 break;
1da177e4
LT		 4150 }
4151
8e87d142 4152 default:
6be36555 4153 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4154
ba13ccd9 4155 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4156 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4157 goto done;
4158 }
4159
59e54bd1 4160 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4161 goto done;
4162
c1360a1c 4163 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4164
c1360a1c 4165 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4166 set_default_fcs(chan);
fcc203c3 4167
105bdf9e
MM		 4168 if (chan->mode == L2CAP_MODE_ERTM ||
4169 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4170 err = l2cap_ertm_init(chan);
0565c1c2 4171
3c588192 4172 if (err < 0)
5e4e3972 4173 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4174 else
4175 l2cap_chan_ready(chan);
1da177e4
LT		 4176 }
4177
4178done:
6be36555 4179 l2cap_chan_unlock(chan);
3c588192 4180 return err;
1da177e4
LT		 4181}
4182
2d792818 4183static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4184 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4185 u8 *data)
1da177e4
LT		 4186{
4187 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4188 struct l2cap_disconn_rsp rsp;
4189 u16 dcid, scid;
48454079 4190 struct l2cap_chan *chan;
1da177e4
LT		 4191 struct sock *sk;
4192
cb3b3152
JH		 4193 if (cmd_len != sizeof(*req))
4194 return -EPROTO;
4195
1da177e4
LT		 4196 scid = __le16_to_cpu(req->scid);
4197 dcid = __le16_to_cpu(req->dcid);
4198
4199 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4200
3df91ea2
AE		 4201 mutex_lock(&conn->chan_lock);
4202
4203 chan = __l2cap_get_chan_by_scid(conn, dcid);
4204 if (!chan) {
4205 mutex_unlock(&conn->chan_lock);
1da177e4 4206 return 0;
3df91ea2 4207 }
1da177e4 4208
6be36555
AE		 4209 l2cap_chan_lock(chan);
4210
48454079
GP		 4211 sk = chan->sk;
4212
fe4128e0
GP		 4213 rsp.dcid = cpu_to_le16(chan->scid);
4214 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4215 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4216
6be36555 4217 lock_sock(sk);
1da177e4 4218 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4219 release_sock(sk);
1da177e4 4220
61d6ef3e 4221 l2cap_chan_hold(chan);
48454079 4222 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4223
4224 l2cap_chan_unlock(chan);
1da177e4 4225
80b98027 4226 chan->ops->close(chan);
61d6ef3e 4227 l2cap_chan_put(chan);
3df91ea2
AE		 4228
4229 mutex_unlock(&conn->chan_lock);
4230
1da177e4
LT		 4231 return 0;
4232}
4233
2d792818 4234static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4235 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4236 u8 *data)
1da177e4
LT		 4237{
4238 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4239 u16 dcid, scid;
48454079 4240 struct l2cap_chan *chan;
1da177e4 4241
cb3b3152
JH		 4242 if (cmd_len != sizeof(*rsp))
4243 return -EPROTO;
4244
1da177e4
LT		 4245 scid = __le16_to_cpu(rsp->scid);
4246 dcid = __le16_to_cpu(rsp->dcid);
4247
4248 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4249
3df91ea2
AE		 4250 mutex_lock(&conn->chan_lock);
4251
4252 chan = __l2cap_get_chan_by_scid(conn, scid);
4253 if (!chan) {
4254 mutex_unlock(&conn->chan_lock);
1da177e4 4255 return 0;
3df91ea2 4256 }
1da177e4 4257
6be36555 4258 l2cap_chan_lock(chan);
48454079 4259
61d6ef3e 4260 l2cap_chan_hold(chan);
48454079 4261 l2cap_chan_del(chan, 0);
6be36555
AE		 4262
4263 l2cap_chan_unlock(chan);
1da177e4 4264
80b98027 4265 chan->ops->close(chan);
61d6ef3e 4266 l2cap_chan_put(chan);
3df91ea2
AE		 4267
4268 mutex_unlock(&conn->chan_lock);
4269
1da177e4
LT		 4270 return 0;
4271}
4272
2d792818 4273static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4274 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4275 u8 *data)
1da177e4
LT		 4276{
4277 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4278 u16 type;
4279
cb3b3152
JH		 4280 if (cmd_len != sizeof(*req))
4281 return -EPROTO;
4282
1da177e4
LT		 4283 type = __le16_to_cpu(req->type);
4284
4285 BT_DBG("type 0x%4.4x", type);
4286
f0709e03
MH		 4287 if (type == L2CAP_IT_FEAT_MASK) {
4288 u8 buf[8];
44dd46de 4289 u32 feat_mask = l2cap_feat_mask;
f0709e03 4290 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4291 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4292 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4293 if (!disable_ertm)
fcc203c3 4294 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4295 | L2CAP_FEAT_FCS;
a5fd6f30 4296 if (enable_hs)
6327eb98 4297 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4298 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4299
1b7bf4ed 4300 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4301 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4302 buf);
e1027a7c
MH		 4303 } else if (type == L2CAP_IT_FIXED_CHAN) {
4304 u8 buf[12];
4305 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4306
4307 if (enable_hs)
4308 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4309 else
4310 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4311
ac73498c
AE		 4312 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4313 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4314 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4315 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4316 buf);
f0709e03
MH		 4317 } else {
4318 struct l2cap_info_rsp rsp;
4319 rsp.type = cpu_to_le16(type);
ac73498c 4320 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4321 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4322 &rsp);
f0709e03 4323 }
1da177e4
LT		 4324
4325 return 0;
4326}
4327
2d792818 4328static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4329 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4330 u8 *data)
1da177e4
LT		 4331{
4332 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4333 u16 type, result;
4334
cb3b3152
JH		 4335 if (cmd_len != sizeof(*rsp))
4336 return -EPROTO;
4337
1da177e4
LT		 4338 type = __le16_to_cpu(rsp->type);
4339 result = __le16_to_cpu(rsp->result);
4340
4341 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4342
e90165be
AE		 4343 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4344 if (cmd->ident != conn->info_ident ||
2d792818 4345 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4346 return 0;
4347
17cd3f37 4348 cancel_delayed_work(&conn->info_timer);
4e8402a3 4349
adb08ede
VT		 4350 if (result != L2CAP_IR_SUCCESS) {
4351 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4352 conn->info_ident = 0;
4353
4354 l2cap_conn_start(conn);
4355
4356 return 0;
4357 }
4358
978c93b9
AE		 4359 switch (type) {
4360 case L2CAP_IT_FEAT_MASK:
83985319 4361 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4362
47ec1dcd 4363 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4364 struct l2cap_info_req req;
ac73498c 4365 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4366
4367 conn->info_ident = l2cap_get_ident(conn);
4368
4369 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4370 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4371 } else {
4372 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4373 conn->info_ident = 0;
4374
4375 l2cap_conn_start(conn);
4376 }
978c93b9
AE		 4377 break;
4378
4379 case L2CAP_IT_FIXED_CHAN:
4380 conn->fixed_chan_mask = rsp->data[0];
984947dc 4381 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4382 conn->info_ident = 0;
984947dc
MH		 4383
4384 l2cap_conn_start(conn);
978c93b9 4385 break;
984947dc 4386 }
4e8402a3 4387
1da177e4
LT		 4388 return 0;
4389}
4390
1700915f
MM		 4391static int l2cap_create_channel_req(struct l2cap_conn *conn,
4392 struct l2cap_cmd_hdr *cmd,
4393 u16 cmd_len, void *data)
f94ff6ff
MM		 4394{
4395 struct l2cap_create_chan_req *req = data;
6e1df6a6 4396 struct l2cap_create_chan_rsp rsp;
1700915f 4397 struct l2cap_chan *chan;
6e1df6a6 4398 struct hci_dev *hdev;
f94ff6ff
MM		 4399 u16 psm, scid;
4400
4401 if (cmd_len != sizeof(*req))
4402 return -EPROTO;
4403
4404 if (!enable_hs)
4405 return -EINVAL;
4406
4407 psm = le16_to_cpu(req->psm);
4408 scid = le16_to_cpu(req->scid);
4409
ad0ac6ca 4410 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4411
6e1df6a6
AE		 4412 /* For controller id 0 make BR/EDR connection */
4413 if (req->amp_id == HCI_BREDR_ID) {
4414 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4415 req->amp_id);
4416 return 0;
4417 }
1700915f 4418
6e1df6a6
AE		 4419 /* Validate AMP controller id */
4420 hdev = hci_dev_get(req->amp_id);
4421 if (!hdev)
4422 goto error;
1700915f 4423
6e1df6a6
AE		 4424 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4425 hci_dev_put(hdev);
4426 goto error;
4427 }
1700915f 4428
6e1df6a6
AE		 4429 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4430 req->amp_id);
4431 if (chan) {
4432 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4433 struct hci_conn *hs_hcon;
1700915f 4434
6e1df6a6
AE		 4435 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4436 if (!hs_hcon) {
4437 hci_dev_put(hdev);
4438 return -EFAULT;
1700915f
MM		 4439 }
4440
6e1df6a6
AE		 4441 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4442
6e1df6a6
AE		 4443 mgr->bredr_chan = chan;
4444 chan->hs_hcon = hs_hcon;
fd45bf4c 4445 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4446 conn->mtu = hdev->block_mtu;
1700915f 4447 }
f94ff6ff 4448
6e1df6a6 4449 hci_dev_put(hdev);
f94ff6ff
MM		 4450
4451 return 0;
6e1df6a6
AE		 4452
4453error:
4454 rsp.dcid = 0;
4455 rsp.scid = cpu_to_le16(scid);
4456 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4457 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4458
4459 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4460 sizeof(rsp), &rsp);
4461
4462 return -EFAULT;
f94ff6ff
MM		 4463}
4464
8eb200bd
MM		 4465static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4466{
4467 struct l2cap_move_chan_req req;
4468 u8 ident;
4469
4470 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4471
4472 ident = l2cap_get_ident(chan->conn);
4473 chan->ident = ident;
4474
4475 req.icid = cpu_to_le16(chan->scid);
4476 req.dest_amp_id = dest_amp_id;
4477
4478 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4479 &req);
4480
4481 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4482}
4483
1500109b 4484static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4485{
4486 struct l2cap_move_chan_rsp rsp;
4487
1500109b 4488 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4489
1500109b 4490 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4491 rsp.result = cpu_to_le16(result);
4492
1500109b
MM		 4493 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4494 sizeof(rsp), &rsp);
8d5a04a1
MM		 4495}
4496
5b155ef9 4497static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4498{
4499 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4500
5b155ef9 4501 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4502
5b155ef9 4503 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4504
5b155ef9 4505 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4506 cfm.result = cpu_to_le16(result);
4507
5b155ef9
MM		 4508 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4509 sizeof(cfm), &cfm);
4510
4511 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4512}
4513
4514static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4515{
4516 struct l2cap_move_chan_cfm cfm;
4517
4518 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4519
4520 cfm.icid = cpu_to_le16(icid);
4521 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4522
4523 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4524 sizeof(cfm), &cfm);
8d5a04a1
MM		 4525}
4526
4527static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4528 u16 icid)
8d5a04a1
MM		 4529{
4530 struct l2cap_move_chan_cfm_rsp rsp;
4531
ad0ac6ca 4532 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4533
4534 rsp.icid = cpu_to_le16(icid);
4535 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4536}
4537
5f3847a4
MM		 4538static void __release_logical_link(struct l2cap_chan *chan)
4539{
4540 chan->hs_hchan = NULL;
4541 chan->hs_hcon = NULL;
4542
4543 /* Placeholder - release the logical link */
4544}
4545
1500109b
MM		 4546static void l2cap_logical_fail(struct l2cap_chan *chan)
4547{
4548 /* Logical link setup failed */
4549 if (chan->state != BT_CONNECTED) {
4550 /* Create channel failure, disconnect */
5e4e3972 4551 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4552 return;
4553 }
4554
4555 switch (chan->move_role) {
4556 case L2CAP_MOVE_ROLE_RESPONDER:
4557 l2cap_move_done(chan);
4558 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4559 break;
4560 case L2CAP_MOVE_ROLE_INITIATOR:
4561 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4562 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4563 /* Remote has only sent pending or
4564 * success responses, clean up
4565 */
4566 l2cap_move_done(chan);
4567 }
4568
4569 /* Other amp move states imply that the move
4570 * has already aborted
4571 */
4572 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4573 break;
4574 }
4575}
4576
4577static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4578 struct hci_chan *hchan)
4579{
4580 struct l2cap_conf_rsp rsp;
1500109b 4581
336178a3 4582 chan->hs_hchan = hchan;
1500109b
MM		 4583 chan->hs_hcon->l2cap_data = chan->conn;
4584
35ba9561 4585 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4586
4587 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4588 int err;
1500109b
MM		 4589
4590 set_default_fcs(chan);
4591
4592 err = l2cap_ertm_init(chan);
4593 if (err < 0)
5e4e3972 4594 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4595 else
4596 l2cap_chan_ready(chan);
4597 }
4598}
4599
4600static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4601 struct hci_chan *hchan)
4602{
4603 chan->hs_hcon = hchan->conn;
4604 chan->hs_hcon->l2cap_data = chan->conn;
4605
4606 BT_DBG("move_state %d", chan->move_state);
4607
4608 switch (chan->move_state) {
4609 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4610 /* Move confirm will be sent after a success
4611 * response is received
4612 */
4613 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4614 break;
4615 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4616 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4617 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4618 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4619 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4620 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4621 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4622 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4623 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4624 }
4625 break;
4626 default:
4627 /* Move was not in expected state, free the channel */
4628 __release_logical_link(chan);
4629
4630 chan->move_state = L2CAP_MOVE_STABLE;
4631 }
4632}
4633
4634/* Call with chan locked */
27695fb4
AE		 4635void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4636 u8 status)
5b155ef9 4637{
1500109b
MM		 4638 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4639
4640 if (status) {
4641 l2cap_logical_fail(chan);
4642 __release_logical_link(chan);
4643 return;
4644 }
4645
4646 if (chan->state != BT_CONNECTED) {
4647 /* Ignore logical link if channel is on BR/EDR */
4648 if (chan->local_amp_id)
4649 l2cap_logical_finish_create(chan, hchan);
4650 } else {
4651 l2cap_logical_finish_move(chan, hchan);
4652 }
5b155ef9
MM		 4653}
4654
3f7a56c4
MM		 4655void l2cap_move_start(struct l2cap_chan *chan)
4656{
4657 BT_DBG("chan %p", chan);
4658
4659 if (chan->local_amp_id == HCI_BREDR_ID) {
4660 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4661 return;
4662 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4663 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4664 /* Placeholder - start physical link setup */
4665 } else {
4666 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4667 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4668 chan->move_id = 0;
4669 l2cap_move_setup(chan);
4670 l2cap_send_move_chan_req(chan, 0);
4671 }
4672}
4673
8eb200bd
MM		 4674static void l2cap_do_create(struct l2cap_chan *chan, int result,
4675 u8 local_amp_id, u8 remote_amp_id)
4676{
62748ca1
AE		 4677 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4678 local_amp_id, remote_amp_id);
4679
12d6cc60
AE		 4680 chan->fcs = L2CAP_FCS_NONE;
4681
62748ca1
AE		 4682 /* Outgoing channel on AMP */
4683 if (chan->state == BT_CONNECT) {
4684 if (result == L2CAP_CR_SUCCESS) {
4685 chan->local_amp_id = local_amp_id;
4686 l2cap_send_create_chan_req(chan, remote_amp_id);
4687 } else {
4688 /* Revert to BR/EDR connect */
4689 l2cap_send_conn_req(chan);
4690 }
4691
4692 return;
4693 }
4694
4695 /* Incoming channel on AMP */
4696 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4697 struct l2cap_conn_rsp rsp;
4698 char buf[128];
4699 rsp.scid = cpu_to_le16(chan->dcid);
4700 rsp.dcid = cpu_to_le16(chan->scid);
4701
8eb200bd
MM		 4702 if (result == L2CAP_CR_SUCCESS) {
4703 /* Send successful response */
62cd50e2
AE		 4704 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4705 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4706 } else {
4707 /* Send negative response */
62cd50e2
AE		 4708 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4709 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4710 }
4711
4712 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4713 sizeof(rsp), &rsp);
4714
4715 if (result == L2CAP_CR_SUCCESS) {
4716 __l2cap_state_change(chan, BT_CONFIG);
4717 set_bit(CONF_REQ_SENT, &chan->conf_state);
4718 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4719 L2CAP_CONF_REQ,
4720 l2cap_build_conf_req(chan, buf), buf);
4721 chan->num_conf_req++;
4722 }
8eb200bd
MM		 4723 }
4724}
4725
4726static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4727 u8 remote_amp_id)
4728{
4729 l2cap_move_setup(chan);
4730 chan->move_id = local_amp_id;
4731 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4732
4733 l2cap_send_move_chan_req(chan, remote_amp_id);
4734}
4735
4736static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4737{
4738 struct hci_chan *hchan = NULL;
4739
4740 /* Placeholder - get hci_chan for logical link */
4741
4742 if (hchan) {
4743 if (hchan->state == BT_CONNECTED) {
4744 /* Logical link is ready to go */
4745 chan->hs_hcon = hchan->conn;
4746 chan->hs_hcon->l2cap_data = chan->conn;
4747 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4748 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4749
4750 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4751 } else {
4752 /* Wait for logical link to be ready */
4753 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4754 }
4755 } else {
4756 /* Logical link not available */
4757 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4758 }
4759}
4760
4761static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4762{
4763 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4764 u8 rsp_result;
4765 if (result == -EINVAL)
4766 rsp_result = L2CAP_MR_BAD_ID;
4767 else
4768 rsp_result = L2CAP_MR_NOT_ALLOWED;
4769
4770 l2cap_send_move_chan_rsp(chan, rsp_result);
4771 }
4772
4773 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4774 chan->move_state = L2CAP_MOVE_STABLE;
4775
4776 /* Restart data transmission */
4777 l2cap_ertm_send(chan);
4778}
4779
a514b17f
AE		 4780/* Invoke with locked chan */
4781void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4782{
770bfefa 4783 u8 local_amp_id = chan->local_amp_id;
fffadc08 4784 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4785
8eb200bd
MM		 4786 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4787 chan, result, local_amp_id, remote_amp_id);
4788
8eb200bd
MM		 4789 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4790 l2cap_chan_unlock(chan);
4791 return;
4792 }
4793
4794 if (chan->state != BT_CONNECTED) {
4795 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4796 } else if (result != L2CAP_MR_SUCCESS) {
4797 l2cap_do_move_cancel(chan, result);
4798 } else {
4799 switch (chan->move_role) {
4800 case L2CAP_MOVE_ROLE_INITIATOR:
4801 l2cap_do_move_initiate(chan, local_amp_id,
4802 remote_amp_id);
4803 break;
4804 case L2CAP_MOVE_ROLE_RESPONDER:
4805 l2cap_do_move_respond(chan, result);
4806 break;
4807 default:
4808 l2cap_do_move_cancel(chan, result);
4809 break;
4810 }
4811 }
8eb200bd
MM		 4812}
4813
8d5a04a1 4814static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4815 struct l2cap_cmd_hdr *cmd,
4816 u16 cmd_len, void *data)
8d5a04a1
MM		 4817{
4818 struct l2cap_move_chan_req *req = data;
1500109b 4819 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4820 struct l2cap_chan *chan;
8d5a04a1
MM		 4821 u16 icid = 0;
4822 u16 result = L2CAP_MR_NOT_ALLOWED;
4823
4824 if (cmd_len != sizeof(*req))
4825 return -EPROTO;
4826
4827 icid = le16_to_cpu(req->icid);
4828
ad0ac6ca 4829 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4830
4831 if (!enable_hs)
4832 return -EINVAL;
4833
02b0fbb9
MM		 4834 chan = l2cap_get_chan_by_dcid(conn, icid);
4835 if (!chan) {
1500109b
MM		 4836 rsp.icid = cpu_to_le16(icid);
4837 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4838 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4839 sizeof(rsp), &rsp);
02b0fbb9
MM		 4840 return 0;
4841 }
4842
1500109b
MM		 4843 chan->ident = cmd->ident;
4844
02b0fbb9
MM		 4845 if (chan->scid < L2CAP_CID_DYN_START ||
4846 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4847 (chan->mode != L2CAP_MODE_ERTM &&
4848 chan->mode != L2CAP_MODE_STREAMING)) {
4849 result = L2CAP_MR_NOT_ALLOWED;
4850 goto send_move_response;
4851 }
4852
4853 if (chan->local_amp_id == req->dest_amp_id) {
4854 result = L2CAP_MR_SAME_ID;
4855 goto send_move_response;
4856 }
4857
4858 if (req->dest_amp_id) {
4859 struct hci_dev *hdev;
4860 hdev = hci_dev_get(req->dest_amp_id);
4861 if (!hdev || hdev->dev_type != HCI_AMP ||
4862 !test_bit(HCI_UP, &hdev->flags)) {
4863 if (hdev)
4864 hci_dev_put(hdev);
4865
4866 result = L2CAP_MR_BAD_ID;
4867 goto send_move_response;
4868 }
4869 hci_dev_put(hdev);
4870 }
4871
4872 /* Detect a move collision. Only send a collision response
4873 * if this side has "lost", otherwise proceed with the move.
4874 * The winner has the larger bd_addr.
4875 */
4876 if ((__chan_is_moving(chan) ||
4877 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4878 bacmp(conn->src, conn->dst) > 0) {
4879 result = L2CAP_MR_COLLISION;
4880 goto send_move_response;
4881 }
4882
02b0fbb9
MM		 4883 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4884 l2cap_move_setup(chan);
4885 chan->move_id = req->dest_amp_id;
4886 icid = chan->dcid;
4887
4888 if (!req->dest_amp_id) {
4889 /* Moving to BR/EDR */
4890 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4891 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4892 result = L2CAP_MR_PEND;
4893 } else {
4894 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4895 result = L2CAP_MR_SUCCESS;
4896 }
4897 } else {
4898 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4899 /* Placeholder - uncomment when amp functions are available */
4900 /*amp_accept_physical(chan, req->dest_amp_id);*/
4901 result = L2CAP_MR_PEND;
4902 }
4903
4904send_move_response:
1500109b 4905 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4906
02b0fbb9
MM		 4907 l2cap_chan_unlock(chan);
4908
8d5a04a1
MM		 4909 return 0;
4910}
4911
5b155ef9
MM		 4912static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4913{
4914 struct l2cap_chan *chan;
4915 struct hci_chan *hchan = NULL;
4916
4917 chan = l2cap_get_chan_by_scid(conn, icid);
4918 if (!chan) {
4919 l2cap_send_move_chan_cfm_icid(conn, icid);
4920 return;
4921 }
4922
4923 __clear_chan_timer(chan);
4924 if (result == L2CAP_MR_PEND)
4925 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4926
4927 switch (chan->move_state) {
4928 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4929 /* Move confirm will be sent when logical link
4930 * is complete.
4931 */
4932 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4933 break;
4934 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4935 if (result == L2CAP_MR_PEND) {
4936 break;
4937 } else if (test_bit(CONN_LOCAL_BUSY,
4938 &chan->conn_state)) {
4939 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4940 } else {
4941 /* Logical link is up or moving to BR/EDR,
4942 * proceed with move
4943 */
4944 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4945 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4946 }
4947 break;
4948 case L2CAP_MOVE_WAIT_RSP:
4949 /* Moving to AMP */
4950 if (result == L2CAP_MR_SUCCESS) {
4951 /* Remote is ready, send confirm immediately
4952 * after logical link is ready
4953 */
4954 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4955 } else {
4956 /* Both logical link and move success
4957 * are required to confirm
4958 */
4959 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4960 }
4961
4962 /* Placeholder - get hci_chan for logical link */
4963 if (!hchan) {
4964 /* Logical link not available */
4965 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4966 break;
4967 }
4968
4969 /* If the logical link is not yet connected, do not
4970 * send confirmation.
4971 */
4972 if (hchan->state != BT_CONNECTED)
4973 break;
4974
4975 /* Logical link is already ready to go */
4976
4977 chan->hs_hcon = hchan->conn;
4978 chan->hs_hcon->l2cap_data = chan->conn;
4979
4980 if (result == L2CAP_MR_SUCCESS) {
4981 /* Can confirm now */
4982 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4983 } else {
4984 /* Now only need move success
4985 * to confirm
4986 */
4987 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4988 }
4989
4990 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4991 break;
4992 default:
4993 /* Any other amp move state means the move failed. */
4994 chan->move_id = chan->local_amp_id;
4995 l2cap_move_done(chan);
4996 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4997 }
4998
4999 l2cap_chan_unlock(chan);
5000}
5001
5002static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5003 u16 result)
5004{
5005 struct l2cap_chan *chan;
5006
5007 chan = l2cap_get_chan_by_ident(conn, ident);
5008 if (!chan) {
5009 /* Could not locate channel, icid is best guess */
5010 l2cap_send_move_chan_cfm_icid(conn, icid);
5011 return;
5012 }
5013
5014 __clear_chan_timer(chan);
5015
5016 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5017 if (result == L2CAP_MR_COLLISION) {
5018 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5019 } else {
5020 /* Cleanup - cancel move */
5021 chan->move_id = chan->local_amp_id;
5022 l2cap_move_done(chan);
5023 }
5024 }
5025
5026 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5027
5028 l2cap_chan_unlock(chan);
5029}
5030
5031static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5032 struct l2cap_cmd_hdr *cmd,
5033 u16 cmd_len, void *data)
8d5a04a1
MM		 5034{
5035 struct l2cap_move_chan_rsp *rsp = data;
5036 u16 icid, result;
5037
5038 if (cmd_len != sizeof(*rsp))
5039 return -EPROTO;
5040
5041 icid = le16_to_cpu(rsp->icid);
5042 result = le16_to_cpu(rsp->result);
5043
ad0ac6ca 5044 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5045
5b155ef9
MM		 5046 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5047 l2cap_move_continue(conn, icid, result);
5048 else
5049 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5050
5051 return 0;
5052}
5053
5f3847a4
MM		 5054static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5055 struct l2cap_cmd_hdr *cmd,
5056 u16 cmd_len, void *data)
8d5a04a1
MM		 5057{
5058 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5059 struct l2cap_chan *chan;
8d5a04a1
MM		 5060 u16 icid, result;
5061
5062 if (cmd_len != sizeof(*cfm))
5063 return -EPROTO;
5064
5065 icid = le16_to_cpu(cfm->icid);
5066 result = le16_to_cpu(cfm->result);
5067
ad0ac6ca 5068 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5069
5f3847a4
MM		 5070 chan = l2cap_get_chan_by_dcid(conn, icid);
5071 if (!chan) {
5072 /* Spec requires a response even if the icid was not found */
5073 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5074 return 0;
5075 }
5076
5077 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5078 if (result == L2CAP_MC_CONFIRMED) {
5079 chan->local_amp_id = chan->move_id;
5080 if (!chan->local_amp_id)
5081 __release_logical_link(chan);
5082 } else {
5083 chan->move_id = chan->local_amp_id;
5084 }
5085
5086 l2cap_move_done(chan);
5087 }
5088
8d5a04a1
MM		 5089 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5090
5f3847a4
MM		 5091 l2cap_chan_unlock(chan);
5092
8d5a04a1
MM		 5093 return 0;
5094}
5095
5096static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5097 struct l2cap_cmd_hdr *cmd,
5098 u16 cmd_len, void *data)
8d5a04a1
MM		 5099{
5100 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5101 struct l2cap_chan *chan;
8d5a04a1
MM		 5102 u16 icid;
5103
5104 if (cmd_len != sizeof(*rsp))
5105 return -EPROTO;
5106
5107 icid = le16_to_cpu(rsp->icid);
5108
ad0ac6ca 5109 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5110
3fd71a0a
MM		 5111 chan = l2cap_get_chan_by_scid(conn, icid);
5112 if (!chan)
5113 return 0;
5114
5115 __clear_chan_timer(chan);
5116
5117 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5118 chan->local_amp_id = chan->move_id;
5119
5120 if (!chan->local_amp_id && chan->hs_hchan)
5121 __release_logical_link(chan);
5122
5123 l2cap_move_done(chan);
5124 }
5125
5126 l2cap_chan_unlock(chan);
5127
8d5a04a1
MM		 5128 return 0;
5129}
5130
e2174ca4 5131static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5132 u16 to_multiplier)
de73115a
CT		 5133{
5134 u16 max_latency;
5135
5136 if (min > max || min < 6 || max > 3200)
5137 return -EINVAL;
5138
5139 if (to_multiplier < 10 || to_multiplier > 3200)
5140 return -EINVAL;
5141
5142 if (max >= to_multiplier * 8)
5143 return -EINVAL;
5144
5145 max_latency = (to_multiplier * 8 / max) - 1;
5146 if (latency > 499 || latency > max_latency)
5147 return -EINVAL;
5148
5149 return 0;
5150}
5151
5152static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5153 struct l2cap_cmd_hdr *cmd,
5154 u8 *data)
de73115a
CT		 5155{
5156 struct hci_conn *hcon = conn->hcon;
5157 struct l2cap_conn_param_update_req *req;
5158 struct l2cap_conn_param_update_rsp rsp;
5159 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5160 int err;
de73115a
CT		 5161
5162 if (!(hcon->link_mode & HCI_LM_MASTER))
5163 return -EINVAL;
5164
5165 cmd_len = __le16_to_cpu(cmd->len);
5166 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5167 return -EPROTO;
5168
5169 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5170 min = __le16_to_cpu(req->min);
5171 max = __le16_to_cpu(req->max);
de73115a
CT		 5172 latency = __le16_to_cpu(req->latency);
5173 to_multiplier = __le16_to_cpu(req->to_multiplier);
5174
5175 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5176 min, max, latency, to_multiplier);
de73115a
CT		 5177
5178 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5179
5180 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5181 if (err)
ac73498c 5182 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5183 else
ac73498c 5184 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5185
5186 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5187 sizeof(rsp), &rsp);
de73115a 5188
2ce603eb
CT		 5189 if (!err)
5190 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5191
de73115a
CT		 5192 return 0;
5193}
5194
3300d9a9 5195static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5196 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5197 u8 *data)
3300d9a9
CT		 5198{
5199 int err = 0;
5200
5201 switch (cmd->code) {
5202 case L2CAP_COMMAND_REJ:
cb3b3152 5203 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5204 break;
5205
5206 case L2CAP_CONN_REQ:
cb3b3152 5207 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5208 break;
5209
5210 case L2CAP_CONN_RSP:
f5a2598d 5211 case L2CAP_CREATE_CHAN_RSP:
cb3b3152 5212 err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5213 break;
5214
5215 case L2CAP_CONF_REQ:
5216 err = l2cap_config_req(conn, cmd, cmd_len, data);
5217 break;
5218
5219 case L2CAP_CONF_RSP:
cb3b3152 5220 err = l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5221 break;
5222
5223 case L2CAP_DISCONN_REQ:
cb3b3152 5224 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5225 break;
5226
5227 case L2CAP_DISCONN_RSP:
cb3b3152 5228 err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5229 break;
5230
5231 case L2CAP_ECHO_REQ:
5232 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5233 break;
5234
5235 case L2CAP_ECHO_RSP:
5236 break;
5237
5238 case L2CAP_INFO_REQ:
cb3b3152 5239 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5240 break;
5241
5242 case L2CAP_INFO_RSP:
cb3b3152 5243 err = l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5244 break;
5245
f94ff6ff
MM		 5246 case L2CAP_CREATE_CHAN_REQ:
5247 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5248 break;
5249
8d5a04a1
MM		 5250 case L2CAP_MOVE_CHAN_REQ:
5251 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5252 break;
5253
5254 case L2CAP_MOVE_CHAN_RSP:
5255 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5256 break;
5257
5258 case L2CAP_MOVE_CHAN_CFM:
5259 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5260 break;
5261
5262 case L2CAP_MOVE_CHAN_CFM_RSP:
5263 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5264 break;
5265
3300d9a9
CT		 5266 default:
5267 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5268 err = -EINVAL;
5269 break;
5270 }
5271
5272 return err;
5273}
5274
5275static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5276 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5277{
5278 switch (cmd->code) {
5279 case L2CAP_COMMAND_REJ:
5280 return 0;
5281
5282 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5283 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5284
5285 case L2CAP_CONN_PARAM_UPDATE_RSP:
5286 return 0;
5287
5288 default:
5289 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5290 return -EINVAL;
5291 }
5292}
5293
c5623556
JH		 5294static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5295 struct sk_buff *skb)
5296{
5297 u8 *data = skb->data;
5298 int len = skb->len;
5299 struct l2cap_cmd_hdr cmd;
5300 int err;
5301
5302 l2cap_raw_recv(conn, skb);
5303
5304 while (len >= L2CAP_CMD_HDR_SIZE) {
5305 u16 cmd_len;
5306 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5307 data += L2CAP_CMD_HDR_SIZE;
5308 len -= L2CAP_CMD_HDR_SIZE;
5309
5310 cmd_len = le16_to_cpu(cmd.len);
5311
5312 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5313 cmd.ident);
5314
5315 if (cmd_len > len || !cmd.ident) {
5316 BT_DBG("corrupted command");
5317 break;
5318 }
5319
5320 err = l2cap_le_sig_cmd(conn, &cmd, data);
5321 if (err) {
5322 struct l2cap_cmd_rej_unk rej;
5323
5324 BT_ERR("Wrong link type (%d)", err);
5325
5326 /* FIXME: Map err to a valid reason */
5327 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5328 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5329 sizeof(rej), &rej);
5330 }
5331
5332 data += cmd_len;
5333 len -= cmd_len;
5334 }
5335
5336 kfree_skb(skb);
5337}
5338
3300d9a9 5339static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5340 struct sk_buff *skb)
1da177e4
LT		 5341{
5342 u8 *data = skb->data;
5343 int len = skb->len;
5344 struct l2cap_cmd_hdr cmd;
3300d9a9 5345 int err;
1da177e4
LT		 5346
5347 l2cap_raw_recv(conn, skb);
5348
5349 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5350 u16 cmd_len;
1da177e4
LT		 5351 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5352 data += L2CAP_CMD_HDR_SIZE;
5353 len -= L2CAP_CMD_HDR_SIZE;
5354
88219a0f 5355 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5356
2d792818
GP		 5357 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5358 cmd.ident);
1da177e4 5359
88219a0f 5360 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5361 BT_DBG("corrupted command");
5362 break;
5363 }
5364
c5623556 5365 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5366 if (err) {
e2fd318e 5367 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5368
5369 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5370
5371 /* FIXME: Map err to a valid reason */
ac73498c 5372 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5373 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5374 sizeof(rej), &rej);
1da177e4
LT		 5375 }
5376
88219a0f
AV		 5377 data += cmd_len;
5378 len -= cmd_len;
1da177e4
LT		 5379 }
5380
5381 kfree_skb(skb);
5382}
5383
47d1ec61 5384static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5385{
5386 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5387 int hdr_size;
5388
5389 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5390 hdr_size = L2CAP_EXT_HDR_SIZE;
5391 else
5392 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5393
47d1ec61 5394 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5395 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5396 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5397 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5398
5399 if (our_fcs != rcv_fcs)
7a560e5c 5400 return -EBADMSG;
fcc203c3
GP		 5401 }
5402 return 0;
5403}
5404
6ea00485 5405static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5406{
e31f7633 5407 struct l2cap_ctrl control;
d5392c8f 5408
e31f7633 5409 BT_DBG("chan %p", chan);
d5392c8f 5410
e31f7633
MM		 5411 memset(&control, 0, sizeof(control));
5412 control.sframe = 1;
5413 control.final = 1;
5414 control.reqseq = chan->buffer_seq;
5415 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5416
e2ab4353 5417 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5418 control.super = L2CAP_SUPER_RNR;
5419 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5420 }
5421
e31f7633
MM		 5422 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5423 chan->unacked_frames > 0)
5424 __set_retrans_timer(chan);
d5392c8f 5425
e31f7633 5426 /* Send pending iframes */
525cd185 5427 l2cap_ertm_send(chan);
d5392c8f 5428
e2ab4353 5429 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5430 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5431 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5432 * send it now.
5433 */
5434 control.super = L2CAP_SUPER_RR;
5435 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5436 }
5437}
5438
2d792818
GP		 5439static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5440 struct sk_buff **last_frag)
18778a63 5441{
84084a31
MM		 5442 /* skb->len reflects data in skb as well as all fragments
5443 * skb->data_len reflects only data in fragments
5444 */
5445 if (!skb_has_frag_list(skb))
5446 skb_shinfo(skb)->frag_list = new_frag;
5447
5448 new_frag->next = NULL;
5449
5450 (*last_frag)->next = new_frag;
5451 *last_frag = new_frag;
5452
5453 skb->len += new_frag->len;
5454 skb->data_len += new_frag->len;
5455 skb->truesize += new_frag->truesize;
5456}
5457
4b51dae9
MM		 5458static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5459 struct l2cap_ctrl *control)
84084a31
MM		 5460{
5461 int err = -EINVAL;
18778a63 5462
4b51dae9 5463 switch (control->sar) {
7e0ef6ee 5464 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5465 if (chan->sdu)
5466 break;
18778a63 5467
80b98027 5468 err = chan->ops->recv(chan, skb);
84084a31 5469 break;
18778a63 5470
7e0ef6ee 5471 case L2CAP_SAR_START:
84084a31
MM		 5472 if (chan->sdu)
5473 break;
18778a63 5474
6f61fd47 5475 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5476 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5477
84084a31
MM		 5478 if (chan->sdu_len > chan->imtu) {
5479 err = -EMSGSIZE;
5480 break;
5481 }
1890d36b 5482
84084a31
MM		 5483 if (skb->len >= chan->sdu_len)
5484 break;
18778a63 5485
84084a31
MM		 5486 chan->sdu = skb;
5487 chan->sdu_last_frag = skb;
18778a63 5488
84084a31
MM		 5489 skb = NULL;
5490 err = 0;
18778a63
GP		 5491 break;
5492
7e0ef6ee 5493 case L2CAP_SAR_CONTINUE:
6f61fd47 5494 if (!chan->sdu)
84084a31 5495 break;
18778a63 5496
84084a31
MM		 5497 append_skb_frag(chan->sdu, skb,
5498 &chan->sdu_last_frag);
5499 skb = NULL;
18778a63 5500
84084a31
MM		 5501 if (chan->sdu->len >= chan->sdu_len)
5502 break;
4178ba46 5503
84084a31 5504 err = 0;
18778a63
GP		 5505 break;
5506
7e0ef6ee 5507 case L2CAP_SAR_END:
6f61fd47 5508 if (!chan->sdu)
84084a31 5509 break;
18778a63 5510
84084a31
MM		 5511 append_skb_frag(chan->sdu, skb,
5512 &chan->sdu_last_frag);
5513 skb = NULL;
4178ba46 5514
84084a31
MM		 5515 if (chan->sdu->len != chan->sdu_len)
5516 break;
18778a63 5517
80b98027 5518 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5519
84084a31
MM		 5520 if (!err) {
5521 /* Reassembly complete */
5522 chan->sdu = NULL;
5523 chan->sdu_last_frag = NULL;
5524 chan->sdu_len = 0;
1890d36b 5525 }
18778a63
GP		 5526 break;
5527 }
5528
84084a31
MM		 5529 if (err) {
5530 kfree_skb(skb);
5531 kfree_skb(chan->sdu);
5532 chan->sdu = NULL;
5533 chan->sdu_last_frag = NULL;
5534 chan->sdu_len = 0;
5535 }
18778a63 5536
84084a31 5537 return err;
18778a63
GP		 5538}
5539
32b32735
MM		 5540static int l2cap_resegment(struct l2cap_chan *chan)
5541{
5542 /* Placeholder */
5543 return 0;
5544}
5545
61aa4f5b 5546void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5547{
61aa4f5b 5548 u8 event;
712132eb 5549
61aa4f5b
MM		 5550 if (chan->mode != L2CAP_MODE_ERTM)
5551 return;
712132eb 5552
61aa4f5b 5553 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5554 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5555}
5556
d2a7ac5d
MM		 5557static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5558{
63838725
MM		 5559 int err = 0;
5560 /* Pass sequential frames to l2cap_reassemble_sdu()
5561 * until a gap is encountered.
5562 */
5563
5564 BT_DBG("chan %p", chan);
5565
5566 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5567 struct sk_buff *skb;
5568 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5569 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5570
5571 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5572
5573 if (!skb)
5574 break;
5575
5576 skb_unlink(skb, &chan->srej_q);
5577 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5578 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5579 if (err)
5580 break;
5581 }
5582
5583 if (skb_queue_empty(&chan->srej_q)) {
5584 chan->rx_state = L2CAP_RX_STATE_RECV;
5585 l2cap_send_ack(chan);
5586 }
5587
5588 return err;
d2a7ac5d
MM		 5589}
5590
5591static void l2cap_handle_srej(struct l2cap_chan *chan,
5592 struct l2cap_ctrl *control)
5593{
f80842a8
MM		 5594 struct sk_buff *skb;
5595
5596 BT_DBG("chan %p, control %p", chan, control);
5597
5598 if (control->reqseq == chan->next_tx_seq) {
5599 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5600 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5601 return;
5602 }
5603
5604 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5605
5606 if (skb == NULL) {
5607 BT_DBG("Seq %d not available for retransmission",
5608 control->reqseq);
5609 return;
5610 }
5611
5612 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5613 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5614 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5615 return;
5616 }
5617
5618 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5619
5620 if (control->poll) {
5621 l2cap_pass_to_tx(chan, control);
5622
5623 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5624 l2cap_retransmit(chan, control);
5625 l2cap_ertm_send(chan);
5626
5627 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5628 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5629 chan->srej_save_reqseq = control->reqseq;
5630 }
5631 } else {
5632 l2cap_pass_to_tx_fbit(chan, control);
5633
5634 if (control->final) {
5635 if (chan->srej_save_reqseq != control->reqseq ||
5636 !test_and_clear_bit(CONN_SREJ_ACT,
5637 &chan->conn_state))
5638 l2cap_retransmit(chan, control);
5639 } else {
5640 l2cap_retransmit(chan, control);
5641 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5642 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5643 chan->srej_save_reqseq = control->reqseq;
5644 }
5645 }
5646 }
d2a7ac5d
MM		 5647}
5648
5649static void l2cap_handle_rej(struct l2cap_chan *chan,
5650 struct l2cap_ctrl *control)
5651{
fcd289df
MM		 5652 struct sk_buff *skb;
5653
5654 BT_DBG("chan %p, control %p", chan, control);
5655
5656 if (control->reqseq == chan->next_tx_seq) {
5657 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5658 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5659 return;
5660 }
5661
5662 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5663
5664 if (chan->max_tx && skb &&
5665 bt_cb(skb)->control.retries >= chan->max_tx) {
5666 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5667 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5668 return;
5669 }
5670
5671 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5672
5673 l2cap_pass_to_tx(chan, control);
5674
5675 if (control->final) {
5676 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5677 l2cap_retransmit_all(chan, control);
5678 } else {
5679 l2cap_retransmit_all(chan, control);
5680 l2cap_ertm_send(chan);
5681 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5682 set_bit(CONN_REJ_ACT, &chan->conn_state);
5683 }
d2a7ac5d
MM		 5684}
5685
4b51dae9
MM		 5686static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5687{
5688 BT_DBG("chan %p, txseq %d", chan, txseq);
5689
5690 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5691 chan->expected_tx_seq);
5692
5693 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5694 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5695 chan->tx_win) {
4b51dae9
MM		 5696 /* See notes below regarding "double poll" and
5697 * invalid packets.
5698 */
5699 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5700 BT_DBG("Invalid/Ignore - after SREJ");
5701 return L2CAP_TXSEQ_INVALID_IGNORE;
5702 } else {
5703 BT_DBG("Invalid - in window after SREJ sent");
5704 return L2CAP_TXSEQ_INVALID;
5705 }
5706 }
5707
5708 if (chan->srej_list.head == txseq) {
5709 BT_DBG("Expected SREJ");
5710 return L2CAP_TXSEQ_EXPECTED_SREJ;
5711 }
5712
5713 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5714 BT_DBG("Duplicate SREJ - txseq already stored");
5715 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5716 }
5717
5718 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5719 BT_DBG("Unexpected SREJ - not requested");
5720 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5721 }
5722 }
5723
5724 if (chan->expected_tx_seq == txseq) {
5725 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5726 chan->tx_win) {
5727 BT_DBG("Invalid - txseq outside tx window");
5728 return L2CAP_TXSEQ_INVALID;
5729 } else {
5730 BT_DBG("Expected");
5731 return L2CAP_TXSEQ_EXPECTED;
5732 }
5733 }
5734
5735 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5736 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5737 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5738 return L2CAP_TXSEQ_DUPLICATE;
5739 }
5740
5741 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5742 /* A source of invalid packets is a "double poll" condition,
5743 * where delays cause us to send multiple poll packets. If
5744 * the remote stack receives and processes both polls,
5745 * sequence numbers can wrap around in such a way that a
5746 * resent frame has a sequence number that looks like new data
5747 * with a sequence gap. This would trigger an erroneous SREJ
5748 * request.
5749 *
5750 * Fortunately, this is impossible with a tx window that's
5751 * less than half of the maximum sequence number, which allows
5752 * invalid frames to be safely ignored.
5753 *
5754 * With tx window sizes greater than half of the tx window
5755 * maximum, the frame is invalid and cannot be ignored. This
5756 * causes a disconnect.
5757 */
5758
5759 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5760 BT_DBG("Invalid/Ignore - txseq outside tx window");
5761 return L2CAP_TXSEQ_INVALID_IGNORE;
5762 } else {
5763 BT_DBG("Invalid - txseq outside tx window");
5764 return L2CAP_TXSEQ_INVALID;
5765 }
5766 } else {
5767 BT_DBG("Unexpected - txseq indicates missing frames");
5768 return L2CAP_TXSEQ_UNEXPECTED;
5769 }
5770}
5771
d2a7ac5d
MM		 5772static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5773 struct l2cap_ctrl *control,
5774 struct sk_buff *skb, u8 event)
5775{
5776 int err = 0;
5777 bool skb_in_use = 0;
5778
5779 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5780 event);
5781
5782 switch (event) {
5783 case L2CAP_EV_RECV_IFRAME:
5784 switch (l2cap_classify_txseq(chan, control->txseq)) {
5785 case L2CAP_TXSEQ_EXPECTED:
5786 l2cap_pass_to_tx(chan, control);
5787
5788 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5789 BT_DBG("Busy, discarding expected seq %d",
5790 control->txseq);
5791 break;
5792 }
5793
5794 chan->expected_tx_seq = __next_seq(chan,
5795 control->txseq);
5796
5797 chan->buffer_seq = chan->expected_tx_seq;
5798 skb_in_use = 1;
5799
5800 err = l2cap_reassemble_sdu(chan, skb, control);
5801 if (err)
5802 break;
5803
5804 if (control->final) {
5805 if (!test_and_clear_bit(CONN_REJ_ACT,
5806 &chan->conn_state)) {
5807 control->final = 0;
5808 l2cap_retransmit_all(chan, control);
5809 l2cap_ertm_send(chan);
5810 }
5811 }
5812
5813 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5814 l2cap_send_ack(chan);
5815 break;
5816 case L2CAP_TXSEQ_UNEXPECTED:
5817 l2cap_pass_to_tx(chan, control);
5818
5819 /* Can't issue SREJ frames in the local busy state.
5820 * Drop this frame, it will be seen as missing
5821 * when local busy is exited.
5822 */
5823 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5824 BT_DBG("Busy, discarding unexpected seq %d",
5825 control->txseq);
5826 break;
5827 }
5828
5829 /* There was a gap in the sequence, so an SREJ
5830 * must be sent for each missing frame. The
5831 * current frame is stored for later use.
5832 */
5833 skb_queue_tail(&chan->srej_q, skb);
5834 skb_in_use = 1;
5835 BT_DBG("Queued %p (queue len %d)", skb,
5836 skb_queue_len(&chan->srej_q));
5837
5838 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5839 l2cap_seq_list_clear(&chan->srej_list);
5840 l2cap_send_srej(chan, control->txseq);
5841
5842 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5843 break;
5844 case L2CAP_TXSEQ_DUPLICATE:
5845 l2cap_pass_to_tx(chan, control);
5846 break;
5847 case L2CAP_TXSEQ_INVALID_IGNORE:
5848 break;
5849 case L2CAP_TXSEQ_INVALID:
5850 default:
5e4e3972 5851 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5852 break;
5853 }
5854 break;
5855 case L2CAP_EV_RECV_RR:
5856 l2cap_pass_to_tx(chan, control);
5857 if (control->final) {
5858 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5859
e6a3ee6e
MM		 5860 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5861 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5862 control->final = 0;
5863 l2cap_retransmit_all(chan, control);
5864 }
5865
5866 l2cap_ertm_send(chan);
5867 } else if (control->poll) {
5868 l2cap_send_i_or_rr_or_rnr(chan);
5869 } else {
5870 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5871 &chan->conn_state) &&
5872 chan->unacked_frames)
5873 __set_retrans_timer(chan);
5874
5875 l2cap_ertm_send(chan);
5876 }
5877 break;
5878 case L2CAP_EV_RECV_RNR:
5879 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5880 l2cap_pass_to_tx(chan, control);
5881 if (control && control->poll) {
5882 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5883 l2cap_send_rr_or_rnr(chan, 0);
5884 }
5885 __clear_retrans_timer(chan);
5886 l2cap_seq_list_clear(&chan->retrans_list);
5887 break;
5888 case L2CAP_EV_RECV_REJ:
5889 l2cap_handle_rej(chan, control);
5890 break;
5891 case L2CAP_EV_RECV_SREJ:
5892 l2cap_handle_srej(chan, control);
5893 break;
5894 default:
5895 break;
5896 }
5897
5898 if (skb && !skb_in_use) {
5899 BT_DBG("Freeing %p", skb);
5900 kfree_skb(skb);
5901 }
5902
5903 return err;
5904}
5905
5906static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5907 struct l2cap_ctrl *control,
5908 struct sk_buff *skb, u8 event)
5909{
5910 int err = 0;
5911 u16 txseq = control->txseq;
5912 bool skb_in_use = 0;
5913
5914 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5915 event);
5916
5917 switch (event) {
5918 case L2CAP_EV_RECV_IFRAME:
5919 switch (l2cap_classify_txseq(chan, txseq)) {
5920 case L2CAP_TXSEQ_EXPECTED:
5921 /* Keep frame for reassembly later */
5922 l2cap_pass_to_tx(chan, control);
5923 skb_queue_tail(&chan->srej_q, skb);
5924 skb_in_use = 1;
5925 BT_DBG("Queued %p (queue len %d)", skb,
5926 skb_queue_len(&chan->srej_q));
5927
5928 chan->expected_tx_seq = __next_seq(chan, txseq);
5929 break;
5930 case L2CAP_TXSEQ_EXPECTED_SREJ:
5931 l2cap_seq_list_pop(&chan->srej_list);
5932
5933 l2cap_pass_to_tx(chan, control);
5934 skb_queue_tail(&chan->srej_q, skb);
5935 skb_in_use = 1;
5936 BT_DBG("Queued %p (queue len %d)", skb,
5937 skb_queue_len(&chan->srej_q));
5938
5939 err = l2cap_rx_queued_iframes(chan);
5940 if (err)
5941 break;
5942
5943 break;
5944 case L2CAP_TXSEQ_UNEXPECTED:
5945 /* Got a frame that can't be reassembled yet.
5946 * Save it for later, and send SREJs to cover
5947 * the missing frames.
5948 */
5949 skb_queue_tail(&chan->srej_q, skb);
5950 skb_in_use = 1;
5951 BT_DBG("Queued %p (queue len %d)", skb,
5952 skb_queue_len(&chan->srej_q));
5953
5954 l2cap_pass_to_tx(chan, control);
5955 l2cap_send_srej(chan, control->txseq);
5956 break;
5957 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5958 /* This frame was requested with an SREJ, but
5959 * some expected retransmitted frames are
5960 * missing. Request retransmission of missing
5961 * SREJ'd frames.
5962 */
5963 skb_queue_tail(&chan->srej_q, skb);
5964 skb_in_use = 1;
5965 BT_DBG("Queued %p (queue len %d)", skb,
5966 skb_queue_len(&chan->srej_q));
5967
5968 l2cap_pass_to_tx(chan, control);
5969 l2cap_send_srej_list(chan, control->txseq);
5970 break;
5971 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5972 /* We've already queued this frame. Drop this copy. */
5973 l2cap_pass_to_tx(chan, control);
5974 break;
5975 case L2CAP_TXSEQ_DUPLICATE:
5976 /* Expecting a later sequence number, so this frame
5977 * was already received. Ignore it completely.
5978 */
5979 break;
5980 case L2CAP_TXSEQ_INVALID_IGNORE:
5981 break;
5982 case L2CAP_TXSEQ_INVALID:
5983 default:
5e4e3972 5984 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5985 break;
5986 }
5987 break;
5988 case L2CAP_EV_RECV_RR:
5989 l2cap_pass_to_tx(chan, control);
5990 if (control->final) {
5991 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5992
5993 if (!test_and_clear_bit(CONN_REJ_ACT,
5994 &chan->conn_state)) {
5995 control->final = 0;
5996 l2cap_retransmit_all(chan, control);
5997 }
5998
5999 l2cap_ertm_send(chan);
6000 } else if (control->poll) {
6001 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6002 &chan->conn_state) &&
6003 chan->unacked_frames) {
6004 __set_retrans_timer(chan);
6005 }
6006
6007 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6008 l2cap_send_srej_tail(chan);
6009 } else {
6010 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6011 &chan->conn_state) &&
6012 chan->unacked_frames)
6013 __set_retrans_timer(chan);
6014
6015 l2cap_send_ack(chan);
6016 }
6017 break;
6018 case L2CAP_EV_RECV_RNR:
6019 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6020 l2cap_pass_to_tx(chan, control);
6021 if (control->poll) {
6022 l2cap_send_srej_tail(chan);
6023 } else {
6024 struct l2cap_ctrl rr_control;
6025 memset(&rr_control, 0, sizeof(rr_control));
6026 rr_control.sframe = 1;
6027 rr_control.super = L2CAP_SUPER_RR;
6028 rr_control.reqseq = chan->buffer_seq;
6029 l2cap_send_sframe(chan, &rr_control);
6030 }
6031
6032 break;
6033 case L2CAP_EV_RECV_REJ:
6034 l2cap_handle_rej(chan, control);
6035 break;
6036 case L2CAP_EV_RECV_SREJ:
6037 l2cap_handle_srej(chan, control);
6038 break;
6039 }
6040
6041 if (skb && !skb_in_use) {
6042 BT_DBG("Freeing %p", skb);
6043 kfree_skb(skb);
6044 }
6045
6046 return err;
6047}
6048
32b32735
MM		 6049static int l2cap_finish_move(struct l2cap_chan *chan)
6050{
6051 BT_DBG("chan %p", chan);
6052
6053 chan->rx_state = L2CAP_RX_STATE_RECV;
6054
6055 if (chan->hs_hcon)
6056 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6057 else
6058 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6059
6060 return l2cap_resegment(chan);
6061}
6062
6063static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6064 struct l2cap_ctrl *control,
6065 struct sk_buff *skb, u8 event)
6066{
6067 int err;
6068
6069 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6070 event);
6071
6072 if (!control->poll)
6073 return -EPROTO;
6074
6075 l2cap_process_reqseq(chan, control->reqseq);
6076
6077 if (!skb_queue_empty(&chan->tx_q))
6078 chan->tx_send_head = skb_peek(&chan->tx_q);
6079 else
6080 chan->tx_send_head = NULL;
6081
6082 /* Rewind next_tx_seq to the point expected
6083 * by the receiver.
6084 */
6085 chan->next_tx_seq = control->reqseq;
6086 chan->unacked_frames = 0;
6087
6088 err = l2cap_finish_move(chan);
6089 if (err)
6090 return err;
6091
6092 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6093 l2cap_send_i_or_rr_or_rnr(chan);
6094
6095 if (event == L2CAP_EV_RECV_IFRAME)
6096 return -EPROTO;
6097
6098 return l2cap_rx_state_recv(chan, control, NULL, event);
6099}
6100
6101static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6102 struct l2cap_ctrl *control,
6103 struct sk_buff *skb, u8 event)
6104{
6105 int err;
6106
6107 if (!control->final)
6108 return -EPROTO;
6109
6110 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6111
6112 chan->rx_state = L2CAP_RX_STATE_RECV;
6113 l2cap_process_reqseq(chan, control->reqseq);
6114
6115 if (!skb_queue_empty(&chan->tx_q))
6116 chan->tx_send_head = skb_peek(&chan->tx_q);
6117 else
6118 chan->tx_send_head = NULL;
6119
6120 /* Rewind next_tx_seq to the point expected
6121 * by the receiver.
6122 */
6123 chan->next_tx_seq = control->reqseq;
6124 chan->unacked_frames = 0;
6125
6126 if (chan->hs_hcon)
6127 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6128 else
6129 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6130
6131 err = l2cap_resegment(chan);
6132
6133 if (!err)
6134 err = l2cap_rx_state_recv(chan, control, skb, event);
6135
6136 return err;
6137}
6138
d2a7ac5d
MM		 6139static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6140{
6141 /* Make sure reqseq is for a packet that has been sent but not acked */
6142 u16 unacked;
6143
6144 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6145 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6146}
6147
cec8ab6e
MM		 6148static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6149 struct sk_buff *skb, u8 event)
218bb9df 6150{
d2a7ac5d
MM		 6151 int err = 0;
6152
6153 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6154 control, skb, event, chan->rx_state);
6155
6156 if (__valid_reqseq(chan, control->reqseq)) {
6157 switch (chan->rx_state) {
6158 case L2CAP_RX_STATE_RECV:
6159 err = l2cap_rx_state_recv(chan, control, skb, event);
6160 break;
6161 case L2CAP_RX_STATE_SREJ_SENT:
6162 err = l2cap_rx_state_srej_sent(chan, control, skb,
6163 event);
6164 break;
32b32735
MM		 6165 case L2CAP_RX_STATE_WAIT_P:
6166 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6167 break;
6168 case L2CAP_RX_STATE_WAIT_F:
6169 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6170 break;
d2a7ac5d
MM		 6171 default:
6172 /* shut it down */
6173 break;
6174 }
6175 } else {
6176 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6177 control->reqseq, chan->next_tx_seq,
6178 chan->expected_ack_seq);
5e4e3972 6179 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6180 }
6181
6182 return err;
cec8ab6e
MM		 6183}
6184
6185static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6186 struct sk_buff *skb)
6187{
4b51dae9
MM		 6188 int err = 0;
6189
6190 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6191 chan->rx_state);
6192
6193 if (l2cap_classify_txseq(chan, control->txseq) ==
6194 L2CAP_TXSEQ_EXPECTED) {
6195 l2cap_pass_to_tx(chan, control);
6196
6197 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6198 __next_seq(chan, chan->buffer_seq));
6199
6200 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6201
6202 l2cap_reassemble_sdu(chan, skb, control);
6203 } else {
6204 if (chan->sdu) {
6205 kfree_skb(chan->sdu);
6206 chan->sdu = NULL;
6207 }
6208 chan->sdu_last_frag = NULL;
6209 chan->sdu_len = 0;
6210
6211 if (skb) {
6212 BT_DBG("Freeing %p", skb);
6213 kfree_skb(skb);
6214 }
6215 }
6216
6217 chan->last_acked_seq = control->txseq;
6218 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6219
6220 return err;
cec8ab6e
MM		 6221}
6222
6223static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6224{
6225 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6226 u16 len;
6227 u8 event;
218bb9df 6228
b76bbd66
MM		 6229 __unpack_control(chan, skb);
6230
218bb9df
GP		 6231 len = skb->len;
6232
6233 /*
6234 * We can just drop the corrupted I-frame here.
6235 * Receiver will miss it and start proper recovery
cec8ab6e 6236 * procedures and ask for retransmission.
218bb9df 6237 */
47d1ec61 6238 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6239 goto drop;
6240
cec8ab6e 6241 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6242 len -= L2CAP_SDULEN_SIZE;
218bb9df 6243
47d1ec61 6244 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6245 len -= L2CAP_FCS_SIZE;
218bb9df 6246
47d1ec61 6247 if (len > chan->mps) {
5e4e3972 6248 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6249 goto drop;
6250 }
6251
cec8ab6e
MM		 6252 if (!control->sframe) {
6253 int err;
218bb9df 6254
cec8ab6e
MM		 6255 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6256 control->sar, control->reqseq, control->final,
6257 control->txseq);
218bb9df 6258
cec8ab6e
MM		 6259 /* Validate F-bit - F=0 always valid, F=1 only
6260 * valid in TX WAIT_F
6261 */
6262 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6263 goto drop;
cec8ab6e
MM		 6264
6265 if (chan->mode != L2CAP_MODE_STREAMING) {
6266 event = L2CAP_EV_RECV_IFRAME;
6267 err = l2cap_rx(chan, control, skb, event);
6268 } else {
6269 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6270 }
6271
cec8ab6e 6272 if (err)
5e4e3972 6273 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6274 } else {
cec8ab6e
MM		 6275 const u8 rx_func_to_event[4] = {
6276 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6277 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6278 };
6279
6280 /* Only I-frames are expected in streaming mode */
6281 if (chan->mode == L2CAP_MODE_STREAMING)
6282 goto drop;
6283
6284 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6285 control->reqseq, control->final, control->poll,
6286 control->super);
6287
218bb9df 6288 if (len != 0) {
1bb166e6 6289 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6290 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6291 goto drop;
6292 }
6293
cec8ab6e
MM		 6294 /* Validate F and P bits */
6295 if (control->final && (control->poll ||
6296 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6297 goto drop;
6298
6299 event = rx_func_to_event[control->super];
6300 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6301 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6302 }
6303
6304 return 0;
6305
6306drop:
6307 kfree_skb(skb);
6308 return 0;
6309}
6310
13ca56e0
AE		 6311static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6312 struct sk_buff *skb)
1da177e4 6313{
48454079 6314 struct l2cap_chan *chan;
1da177e4 6315
baa7e1fa 6316 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6317 if (!chan) {
97e8e89d
AE		 6318 if (cid == L2CAP_CID_A2MP) {
6319 chan = a2mp_channel_create(conn, skb);
6320 if (!chan) {
6321 kfree_skb(skb);
13ca56e0 6322 return;
97e8e89d
AE		 6323 }
6324
6325 l2cap_chan_lock(chan);
6326 } else {
6327 BT_DBG("unknown cid 0x%4.4x", cid);
6328 /* Drop packet and return */
6329 kfree_skb(skb);
13ca56e0 6330 return;
97e8e89d 6331 }
1da177e4
LT		 6332 }
6333
49208c9c 6334 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6335
89bc500e 6336 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6337 goto drop;
6338
0c1bc5c6 6339 switch (chan->mode) {
1c2acffb
GP		 6340 case L2CAP_MODE_BASIC:
6341 /* If socket recv buffers overflows we drop data here
6342 * which is *bad* because L2CAP has to be reliable.
6343 * But we don't have any other choice. L2CAP doesn't
6344 * provide flow control mechanism. */
1da177e4 6345
0c1bc5c6 6346 if (chan->imtu < skb->len)
1c2acffb 6347 goto drop;
1da177e4 6348
80b98027 6349 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6350 goto done;
6351 break;
6352
6353 case L2CAP_MODE_ERTM:
6840ed07 6354 case L2CAP_MODE_STREAMING:
cec8ab6e 6355 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6356 goto done;
6357
1c2acffb 6358 default:
0c1bc5c6 6359 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6360 break;
6361 }
1da177e4
LT		 6362
6363drop:
6364 kfree_skb(skb);
6365
6366done:
6be36555 6367 l2cap_chan_unlock(chan);
1da177e4
LT		 6368}
6369
84104b24
AE		 6370static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6371 struct sk_buff *skb)
1da177e4 6372{
23691d75 6373 struct l2cap_chan *chan;
1da177e4 6374
c2287681 6375 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6376 if (!chan)
1da177e4
LT		 6377 goto drop;
6378
5b4cedaa 6379 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6380
89bc500e 6381 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6382 goto drop;
6383
e13e21dc 6384 if (chan->imtu < skb->len)
1da177e4
LT		 6385 goto drop;
6386
80b98027 6387 if (!chan->ops->recv(chan, skb))
84104b24 6388 return;
1da177e4
LT		 6389
6390drop:
6391 kfree_skb(skb);
1da177e4
LT		 6392}
6393
72f78356 6394static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6395 struct sk_buff *skb)
9f69bda6 6396{
23691d75 6397 struct l2cap_chan *chan;
9f69bda6 6398
073d1cf3 6399 chan = l2cap_global_chan_by_scid(0, L2CAP_CID_ATT,
72f78356 6400 conn->src, conn->dst);
23691d75 6401 if (!chan)
9f69bda6
GP		 6402 goto drop;
6403
5b4cedaa 6404 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6405
89bc500e 6406 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6407 goto drop;
6408
e13e21dc 6409 if (chan->imtu < skb->len)
9f69bda6
GP		 6410 goto drop;
6411
80b98027 6412 if (!chan->ops->recv(chan, skb))
6810fca7 6413 return;
9f69bda6
GP		 6414
6415drop:
6416 kfree_skb(skb);
9f69bda6
GP		 6417}
6418
1da177e4
LT		 6419static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6420{
6421 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6422 u16 cid, len;
6423 __le16 psm;
1da177e4
LT		 6424
6425 skb_pull(skb, L2CAP_HDR_SIZE);
6426 cid = __le16_to_cpu(lh->cid);
6427 len = __le16_to_cpu(lh->len);
6428
1c2acffb
GP		 6429 if (len != skb->len) {
6430 kfree_skb(skb);
6431 return;
6432 }
6433
1da177e4
LT		 6434 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6435
6436 switch (cid) {
3300d9a9 6437 case L2CAP_CID_LE_SIGNALING:
c5623556
JH		 6438 l2cap_le_sig_channel(conn, skb);
6439 break;
8db4dc46 6440 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6441 l2cap_sig_channel(conn, skb);
6442 break;
6443
8db4dc46 6444 case L2CAP_CID_CONN_LESS:
097db76c 6445 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6446 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6447 l2cap_conless_channel(conn, psm, skb);
6448 break;
6449
073d1cf3 6450 case L2CAP_CID_ATT:
72f78356 6451 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6452 break;
6453
b501d6a1
AB		 6454 case L2CAP_CID_SMP:
6455 if (smp_sig_channel(conn, skb))
6456 l2cap_conn_del(conn->hcon, EACCES);
6457 break;
6458
1da177e4
LT		 6459 default:
6460 l2cap_data_channel(conn, cid, skb);
6461 break;
6462 }
6463}
6464
6465/* ---- L2CAP interface with lower layer (HCI) ---- */
6466
686ebf28 6467int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6468{
6469 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6470 struct l2cap_chan *c;
1da177e4 6471
6ed93dc6 6472 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6473
6474 /* Find listening sockets and check their link_mode */
23691d75
GP		 6475 read_lock(&chan_list_lock);
6476 list_for_each_entry(c, &chan_list, global_l) {
6477 struct sock *sk = c->sk;
4343478f 6478
89bc500e 6479 if (c->state != BT_LISTEN)
1da177e4
LT		 6480 continue;
6481
6482 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6483 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6484 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6485 lm1 |= HCI_LM_MASTER;
1da177e4 6486 exact++;
2af6b9d5
MH		 6487 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6488 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6489 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6490 lm2 |= HCI_LM_MASTER;
6491 }
1da177e4 6492 }
23691d75 6493 read_unlock(&chan_list_lock);
1da177e4
LT		 6494
6495 return exact ? lm1 : lm2;
6496}
6497
9e664631 6498void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6499{
0139418c
MH		 6500 struct l2cap_conn *conn;
6501
6ed93dc6 6502 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6503
1da177e4 6504 if (!status) {
baf43251 6505 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6506 if (conn)
6507 l2cap_conn_ready(conn);
ba6fc317 6508 } else {
e175072f 6509 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6510 }
1da177e4
LT		 6511}
6512
686ebf28 6513int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6514{
6515 struct l2cap_conn *conn = hcon->l2cap_data;
6516
6517 BT_DBG("hcon %p", hcon);
6518
686ebf28 6519 if (!conn)
9f5a0d7b 6520 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6521 return conn->disc_reason;
6522}
6523
9e664631 6524void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6525{
6526 BT_DBG("hcon %p reason %d", hcon, reason);
6527
e175072f 6528 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6529}
6530
4343478f 6531static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6532{
715ec005 6533 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6534 return;
6535
f62e4323 6536 if (encrypt == 0x00) {
4343478f 6537 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6538 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6539 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6540 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6541 } else {
4343478f 6542 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6543 __clear_chan_timer(chan);
f62e4323
MH		 6544 }
6545}
6546
686ebf28 6547int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6548{
0139418c 6549 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6550 struct l2cap_chan *chan;
1da177e4 6551
0139418c 6552 if (!conn)
1da177e4 6553 return 0;
0139418c 6554
89d8b407 6555 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6556
160dc6ac 6557 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6558 if (!status && encrypt)
6559 smp_distribute_keys(conn, 0);
17cd3f37 6560 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6561 }
6562
3df91ea2 6563 mutex_lock(&conn->chan_lock);
1da177e4 6564
3df91ea2 6565 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6566 l2cap_chan_lock(chan);
1da177e4 6567
89d8b407
AE		 6568 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6569 state_to_string(chan->state));
f1cb9af5 6570
78eb2f98
AE		 6571 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6572 l2cap_chan_unlock(chan);
6573 continue;
6574 }
6575
073d1cf3 6576 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6577 if (!status && encrypt) {
6578 chan->sec_level = hcon->sec_level;
cf4cd009 6579 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6580 }
6581
6be36555 6582 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6583 continue;
6584 }
6585
96eff46e 6586 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6587 l2cap_chan_unlock(chan);
6a8d3010
MH		 6588 continue;
6589 }
6590
89bc500e 6591 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6592 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6593 struct sock *sk = chan->sk;
6594
c5daa683 6595 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6596 sk->sk_state_change(sk);
6597
4343478f 6598 l2cap_check_encryption(chan, encrypt);
6be36555 6599 l2cap_chan_unlock(chan);
9719f8af
MH		 6600 continue;
6601 }
6602
89bc500e 6603 if (chan->state == BT_CONNECT) {
b1235d79 6604 if (!status) {
93c3e8f5 6605 l2cap_start_connection(chan);
b1235d79 6606 } else {
ba13ccd9 6607 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6608 }
89bc500e 6609 } else if (chan->state == BT_CONNECT2) {
6be36555 6610 struct sock *sk = chan->sk;
b1235d79 6611 struct l2cap_conn_rsp rsp;
df3c3931 6612 __u16 res, stat;
1da177e4 6613
6be36555
AE		 6614 lock_sock(sk);
6615
b1235d79 6616 if (!status) {
c5daa683
GP		 6617 if (test_bit(BT_SK_DEFER_SETUP,
6618 &bt_sk(sk)->flags)) {
df3c3931
JH		 6619 res = L2CAP_CR_PEND;
6620 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6621 chan->ops->defer(chan);
df3c3931 6622 } else {
0e587be7 6623 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6624 res = L2CAP_CR_SUCCESS;
6625 stat = L2CAP_CS_NO_INFO;
6626 }
b1235d79 6627 } else {
0e587be7 6628 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6629 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6630 res = L2CAP_CR_SEC_BLOCK;
6631 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6632 }
6633
6be36555
AE		 6634 release_sock(sk);
6635
fe4128e0
GP		 6636 rsp.scid = cpu_to_le16(chan->dcid);
6637 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6638 rsp.result = cpu_to_le16(res);
6639 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6640 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6641 sizeof(rsp), &rsp);
2d369359
MM		 6642
6643 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6644 res == L2CAP_CR_SUCCESS) {
6645 char buf[128];
6646 set_bit(CONF_REQ_SENT, &chan->conf_state);
6647 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6648 L2CAP_CONF_REQ,
6649 l2cap_build_conf_req(chan, buf),
6650 buf);
6651 chan->num_conf_req++;
6652 }
b1235d79 6653 }
1da177e4 6654
6be36555 6655 l2cap_chan_unlock(chan);
1da177e4
LT		 6656 }
6657
3df91ea2 6658 mutex_unlock(&conn->chan_lock);
b1235d79 6659
1da177e4
LT		 6660 return 0;
6661}
6662
686ebf28 6663int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6664{
6665 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6666 struct l2cap_hdr *hdr;
6667 int len;
1da177e4 6668
1d13a254
AE		 6669 /* For AMP controller do not create l2cap conn */
6670 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6671 goto drop;
1da177e4 6672
5a08ecce 6673 if (!conn)
baf43251 6674 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6675
6676 if (!conn)
1da177e4
LT		 6677 goto drop;
6678
6679 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6680
d73a0988
AE		 6681 switch (flags) {
6682 case ACL_START:
6683 case ACL_START_NO_FLUSH:
6684 case ACL_COMPLETE:
1da177e4
LT		 6685 if (conn->rx_len) {
6686 BT_ERR("Unexpected start frame (len %d)", skb->len);
6687 kfree_skb(conn->rx_skb);
6688 conn->rx_skb = NULL;
6689 conn->rx_len = 0;
6690 l2cap_conn_unreliable(conn, ECOMM);
6691 }
6692
aae7fe22
AE		 6693 /* Start fragment always begin with Basic L2CAP header */
6694 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6695 BT_ERR("Frame is too short (len %d)", skb->len);
6696 l2cap_conn_unreliable(conn, ECOMM);
6697 goto drop;
6698 }
6699
6700 hdr = (struct l2cap_hdr *) skb->data;
6701 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6702
6703 if (len == skb->len) {
6704 /* Complete frame received */
6705 l2cap_recv_frame(conn, skb);
6706 return 0;
6707 }
6708
6709 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6710
6711 if (skb->len > len) {
6712 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6713 skb->len, len);
1da177e4
LT		 6714 l2cap_conn_unreliable(conn, ECOMM);
6715 goto drop;
6716 }
6717
6718 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6719 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6720 if (!conn->rx_skb)
1da177e4
LT		 6721 goto drop;
6722
d626f62b 6723 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6724 skb->len);
1da177e4 6725 conn->rx_len = len - skb->len;
d73a0988
AE		 6726 break;
6727
6728 case ACL_CONT:
1da177e4
LT		 6729 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6730
6731 if (!conn->rx_len) {
6732 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6733 l2cap_conn_unreliable(conn, ECOMM);
6734 goto drop;
6735 }
6736
6737 if (skb->len > conn->rx_len) {
6738 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6739 skb->len, conn->rx_len);
1da177e4
LT		 6740 kfree_skb(conn->rx_skb);
6741 conn->rx_skb = NULL;
6742 conn->rx_len = 0;
6743 l2cap_conn_unreliable(conn, ECOMM);
6744 goto drop;
6745 }
6746
d626f62b 6747 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6748 skb->len);
1da177e4
LT		 6749 conn->rx_len -= skb->len;
6750
6751 if (!conn->rx_len) {
6752 /* Complete frame received */
6753 l2cap_recv_frame(conn, conn->rx_skb);
6754 conn->rx_skb = NULL;
6755 }
d73a0988 6756 break;
1da177e4
LT		 6757 }
6758
6759drop:
6760 kfree_skb(skb);
6761 return 0;
6762}
6763
aef7d97c 6764static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6765{
23691d75 6766 struct l2cap_chan *c;
1da177e4 6767
333055f2 6768 read_lock(&chan_list_lock);
1da177e4 6769
23691d75
GP		 6770 list_for_each_entry(c, &chan_list, global_l) {
6771 struct sock *sk = c->sk;
101545f6 6772
fcb73338
AE		 6773 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6774 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6775 c->state, __le16_to_cpu(c->psm),
6776 c->scid, c->dcid, c->imtu, c->omtu,
6777 c->sec_level, c->mode);
61e1b4b7 6778 }
1da177e4 6779
333055f2 6780 read_unlock(&chan_list_lock);
1da177e4 6781
aef7d97c 6782 return 0;
1da177e4
LT		 6783}
6784
aef7d97c
MH		 6785static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6786{
6787 return single_open(file, l2cap_debugfs_show, inode->i_private);
6788}
6789
6790static const struct file_operations l2cap_debugfs_fops = {
6791 .open = l2cap_debugfs_open,
6792 .read = seq_read,
6793 .llseek = seq_lseek,
6794 .release = single_release,
6795};
6796
6797static struct dentry *l2cap_debugfs;
1da177e4 6798
64274518 6799int __init l2cap_init(void)
1da177e4
LT		 6800{
6801 int err;
be9d1227 6802
bb58f747 6803 err = l2cap_init_sockets();
1da177e4
LT		 6804 if (err < 0)
6805 return err;
6806
aef7d97c 6807 if (bt_debugfs) {
2d792818
GP		 6808 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6809 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6810 if (!l2cap_debugfs)
6811 BT_ERR("Failed to create L2CAP debug file");
6812 }
1da177e4 6813
1da177e4 6814 return 0;
1da177e4
LT		 6815}
6816
64274518 6817void l2cap_exit(void)
1da177e4 6818{
aef7d97c 6819 debugfs_remove(l2cap_debugfs);
bb58f747 6820 l2cap_cleanup_sockets();
1da177e4
LT		 6821}
6822
d1c4a17d
GP		 6823module_param(disable_ertm, bool, 0644);
6824MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.591197 seconds and 5 git commands to generate.