projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Hold socket in defer callback in L2CAP socket
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
d1de6d46 44bool disable_ertm;
f0709e03 45
547d1032 46static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
d40bffbc 47static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
1da177e4 48
b5ad8b7f
JB		 49static LIST_HEAD(chan_list);
50static DEFINE_RWLOCK(chan_list_lock);
1da177e4 51
1da177e4 52static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 53 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 54static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 55 void *data);
710f9b0a 56static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 57static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
4f1654e0
MH		 62static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
63{
64 if (hcon->type == LE_LINK) {
65 if (type == ADDR_LE_DEV_PUBLIC)
66 return BDADDR_LE_PUBLIC;
67 else
68 return BDADDR_LE_RANDOM;
69 }
70
71 return BDADDR_BREDR;
72}
73
0139418c 74/* ---- L2CAP channels ---- */
71ba0e56 75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
2d792818
GP		 88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
89 u16 cid)
0139418c 90{
3df91ea2 91 struct l2cap_chan *c;
3d57dc68 92
3df91ea2
AE		 93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
0139418c 96 }
3df91ea2 97 return NULL;
0139418c
MH		 98}
99
100/* Find channel with given SCID.
ef191ade 101 * Returns locked channel. */
2d792818
GP		 102static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
0139418c 104{
48454079 105 struct l2cap_chan *c;
baa7e1fa 106
3df91ea2 107 mutex_lock(&conn->chan_lock);
baa7e1fa 108 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 109 if (c)
110 l2cap_chan_lock(c);
3df91ea2
AE		 111 mutex_unlock(&conn->chan_lock);
112
48454079 113 return c;
0139418c
MH		 114}
115
b1a130b7
MM		 116/* Find channel with given DCID.
117 * Returns locked channel.
118 */
119static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
120 u16 cid)
121{
122 struct l2cap_chan *c;
123
124 mutex_lock(&conn->chan_lock);
125 c = __l2cap_get_chan_by_dcid(conn, cid);
126 if (c)
127 l2cap_chan_lock(c);
128 mutex_unlock(&conn->chan_lock);
129
130 return c;
131}
132
2d792818
GP		 133static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
0139418c 135{
3df91ea2 136 struct l2cap_chan *c;
3d57dc68 137
3df91ea2
AE		 138 list_for_each_entry(c, &conn->chan_l, list) {
139 if (c->ident == ident)
140 return c;
0139418c 141 }
3df91ea2 142 return NULL;
0139418c
MH		 143}
144
5b155ef9
MM		 145static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
146 u8 ident)
147{
148 struct l2cap_chan *c;
149
150 mutex_lock(&conn->chan_lock);
151 c = __l2cap_get_chan_by_ident(conn, ident);
152 if (c)
153 l2cap_chan_lock(c);
154 mutex_unlock(&conn->chan_lock);
155
156 return c;
157}
158
23691d75 159static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 160{
23691d75 161 struct l2cap_chan *c;
9e4425ff 162
23691d75 163 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 164 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 165 return c;
9e4425ff 166 }
250938cb 167 return NULL;
9e4425ff
GP		 168}
169
170int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
171{
73b2ec18
GP		 172 int err;
173
333055f2 174 write_lock(&chan_list_lock);
9e4425ff 175
23691d75 176 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 177 err = -EADDRINUSE;
178 goto done;
9e4425ff
GP		 179 }
180
73b2ec18
GP		 181 if (psm) {
182 chan->psm = psm;
183 chan->sport = psm;
184 err = 0;
185 } else {
186 u16 p;
187
188 err = -EINVAL;
189 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 190 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 191 chan->psm = cpu_to_le16(p);
192 chan->sport = cpu_to_le16(p);
193 err = 0;
194 break;
195 }
196 }
9e4425ff 197
73b2ec18 198done:
333055f2 199 write_unlock(&chan_list_lock);
73b2ec18 200 return err;
9e4425ff
GP		 201}
202
203int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
204{
333055f2 205 write_lock(&chan_list_lock);
9e4425ff
GP		 206
207 chan->scid = scid;
208
333055f2 209 write_unlock(&chan_list_lock);
9e4425ff
GP		 210
211 return 0;
212}
213
baa7e1fa 214static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 215{
8db4dc46 216 u16 cid = L2CAP_CID_DYN_START;
0139418c 217
8db4dc46 218 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 219 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 220 return cid;
221 }
222
223 return 0;
224}
225
0e587be7 226static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 227{
42d2d87c 228 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 229 state_to_string(state));
badaaa00 230
89bc500e 231 chan->state = state;
53f52121 232 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 233}
234
0e587be7
AE		 235static void l2cap_state_change(struct l2cap_chan *chan, int state)
236{
237 struct sock *sk = chan->sk;
238
239 lock_sock(sk);
240 __l2cap_state_change(chan, state);
241 release_sock(sk);
242}
243
f8e73017
GP		 244static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
2e0052e4 246{
f8e73017
GP		 247 struct sock *sk = chan->sk;
248
249 lock_sock(sk);
250 chan->state = state;
53f52121 251 chan->ops->state_change(chan, chan->state, err);
f8e73017 252 release_sock(sk);
2e0052e4
AE		 253}
254
255static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
256{
257 struct sock *sk = chan->sk;
258
259 lock_sock(sk);
f8e73017 260 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 261 release_sock(sk);
262}
263
4239d16f
MM		 264static void __set_retrans_timer(struct l2cap_chan *chan)
265{
266 if (!delayed_work_pending(&chan->monitor_timer) &&
267 chan->retrans_timeout) {
268 l2cap_set_timer(chan, &chan->retrans_timer,
269 msecs_to_jiffies(chan->retrans_timeout));
270 }
271}
272
273static void __set_monitor_timer(struct l2cap_chan *chan)
274{
275 __clear_retrans_timer(chan);
276 if (chan->monitor_timeout) {
277 l2cap_set_timer(chan, &chan->monitor_timer,
278 msecs_to_jiffies(chan->monitor_timeout));
279 }
280}
281
608bcc6d
MM		 282static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
283 u16 seq)
284{
285 struct sk_buff *skb;
286
287 skb_queue_walk(head, skb) {
288 if (bt_cb(skb)->control.txseq == seq)
289 return skb;
290 }
291
292 return NULL;
293}
294
3c588192
MM		 295/* ---- L2CAP sequence number lists ---- */
296
297/* For ERTM, ordered lists of sequence numbers must be tracked for
298 * SREJ requests that are received and for frames that are to be
299 * retransmitted. These seq_list functions implement a singly-linked
300 * list in an array, where membership in the list can also be checked
301 * in constant time. Items can also be added to the tail of the list
302 * and removed from the head in constant time, without further memory
303 * allocs or frees.
304 */
305
306static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
307{
308 size_t alloc_size, i;
309
310 /* Allocated size is a power of 2 to map sequence numbers
311 * (which may be up to 14 bits) in to a smaller array that is
312 * sized for the negotiated ERTM transmit windows.
313 */
314 alloc_size = roundup_pow_of_two(size);
315
316 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
317 if (!seq_list->list)
318 return -ENOMEM;
319
320 seq_list->mask = alloc_size - 1;
321 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
322 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
323 for (i = 0; i < alloc_size; i++)
324 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
325
326 return 0;
327}
328
329static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
330{
331 kfree(seq_list->list);
332}
333
334static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
335 u16 seq)
336{
337 /* Constant-time check for list membership */
338 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
339}
340
341static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
342{
343 u16 mask = seq_list->mask;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
346 /* In case someone tries to pop the head of an empty list */
347 return L2CAP_SEQ_LIST_CLEAR;
348 } else if (seq_list->head == seq) {
349 /* Head can be removed in constant time */
350 seq_list->head = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352
353 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
354 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
355 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
356 }
357 } else {
358 /* Walk the list to find the sequence number */
359 u16 prev = seq_list->head;
360 while (seq_list->list[prev & mask] != seq) {
361 prev = seq_list->list[prev & mask];
362 if (prev == L2CAP_SEQ_LIST_TAIL)
363 return L2CAP_SEQ_LIST_CLEAR;
364 }
365
366 /* Unlink the number from the list and clear it */
367 seq_list->list[prev & mask] = seq_list->list[seq & mask];
368 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
369 if (seq_list->tail == seq)
370 seq_list->tail = prev;
371 }
372 return seq;
373}
374
375static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
376{
377 /* Remove the head in constant time */
378 return l2cap_seq_list_remove(seq_list, seq_list->head);
379}
380
381static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
382{
f522ae36 383 u16 i;
3c588192 384
f522ae36
GP		 385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
386 return;
387
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 393}
394
395static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396{
397 u16 mask = seq_list->mask;
398
399 /* All appends happen in constant time */
400
f522ae36
GP		 401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
402 return;
3c588192 403
f522ae36
GP		 404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
406 else
407 seq_list->list[seq_list->tail & mask] = seq;
408
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 411}
412
721c4181 413static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 414{
721c4181 415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 416 chan_timer.work);
3df91ea2 417 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 418 int reason;
419
e05dcc32 420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 421
3df91ea2 422 mutex_lock(&conn->chan_lock);
6be36555 423 l2cap_chan_lock(chan);
ab07801d 424
89bc500e 425 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 426 reason = ECONNREFUSED;
89bc500e 427 else if (chan->state == BT_CONNECT &&
2d792818 428 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 429 reason = ECONNREFUSED;
430 else
431 reason = ETIMEDOUT;
432
0f852724 433 l2cap_chan_close(chan, reason);
ab07801d 434
6be36555 435 l2cap_chan_unlock(chan);
ab07801d 436
80b98027 437 chan->ops->close(chan);
3df91ea2
AE		 438 mutex_unlock(&conn->chan_lock);
439
371fd835 440 l2cap_chan_put(chan);
ab07801d
GP		 441}
442
eef1d9b6 443struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 444{
445 struct l2cap_chan *chan;
446
447 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
448 if (!chan)
449 return NULL;
450
c03b355e
AE		 451 mutex_init(&chan->lock);
452
333055f2 453 write_lock(&chan_list_lock);
23691d75 454 list_add(&chan->global_l, &chan_list);
333055f2 455 write_unlock(&chan_list_lock);
23691d75 456
721c4181 457 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 458
89bc500e
GP		 459 chan->state = BT_OPEN;
460
144ad330 461 kref_init(&chan->kref);
71ba0e56 462
2827011f
MM		 463 /* This flag is cleared in l2cap_chan_ready() */
464 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
465
eef1d9b6 466 BT_DBG("chan %p", chan);
abc545b8 467
48454079
GP		 468 return chan;
469}
470
144ad330 471static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 472{
144ad330
SS		 473 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
474
4af66c69
JK		 475 BT_DBG("chan %p", chan);
476
333055f2 477 write_lock(&chan_list_lock);
23691d75 478 list_del(&chan->global_l);
333055f2 479 write_unlock(&chan_list_lock);
23691d75 480
4af66c69 481 kfree(chan);
6ff5abbf
GP		 482}
483
30648372
JK		 484void l2cap_chan_hold(struct l2cap_chan *c)
485{
144ad330 486 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 487
144ad330 488 kref_get(&c->kref);
30648372
JK		 489}
490
491void l2cap_chan_put(struct l2cap_chan *c)
492{
144ad330 493 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 494
144ad330 495 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 496}
497
bd4b1653
AE		 498void l2cap_chan_set_defaults(struct l2cap_chan *chan)
499{
500 chan->fcs = L2CAP_FCS_CRC16;
501 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
502 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
503 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 504 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 505 chan->sec_level = BT_SECURITY_LOW;
506
507 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
508}
509
93c3e8f5 510void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 511{
af05b30b 512 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 513 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 514
9f5a0d7b 515 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 516
8c1d787b 517 chan->conn = conn;
0139418c 518
5491120e
AE		 519 switch (chan->chan_type) {
520 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 521 if (conn->hcon->type == LE_LINK) {
522 /* LE connection */
6fcb06a2 523 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 524 if (chan->dcid == L2CAP_CID_ATT)
525 chan->scid = L2CAP_CID_ATT;
526 else
527 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 528 } else {
529 /* Alloc CID for connection-oriented socket */
fe4128e0 530 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 531 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 532 }
5491120e
AE		 533 break;
534
535 case L2CAP_CHAN_CONN_LESS:
0139418c 536 /* Connectionless socket */
fe4128e0
GP		 537 chan->scid = L2CAP_CID_CONN_LESS;
538 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 539 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 540 break;
541
416fa752
AE		 542 case L2CAP_CHAN_CONN_FIX_A2MP:
543 chan->scid = L2CAP_CID_A2MP;
544 chan->dcid = L2CAP_CID_A2MP;
545 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
546 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
547 break;
548
5491120e 549 default:
0139418c 550 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 551 chan->scid = L2CAP_CID_SIGNALING;
552 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 553 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 554 }
555
8f7975b1
AE		 556 chan->local_id = L2CAP_BESTEFFORT_ID;
557 chan->local_stype = L2CAP_SERV_BESTEFFORT;
558 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
559 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
560 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 561 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 562
371fd835 563 l2cap_chan_hold(chan);
baa7e1fa 564
5ee9891d
JH		 565 hci_conn_hold(conn->hcon);
566
3df91ea2 567 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 568}
569
466f8004 570void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 571{
572 mutex_lock(&conn->chan_lock);
573 __l2cap_chan_add(conn, chan);
3df91ea2 574 mutex_unlock(&conn->chan_lock);
0139418c
MH		 575}
576
466f8004 577void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 578{
8c1d787b 579 struct l2cap_conn *conn = chan->conn;
0139418c 580
c9b66675 581 __clear_chan_timer(chan);
0139418c 582
49208c9c 583 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 584
8e87d142 585 if (conn) {
56f60984 586 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 587 /* Delete from channel list */
3df91ea2 588 list_del(&chan->list);
3d57dc68 589
371fd835 590 l2cap_chan_put(chan);
baa7e1fa 591
8c1d787b 592 chan->conn = NULL;
3cabbfda
AE		 593
594 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 595 hci_conn_drop(conn->hcon);
56f60984
AE		 596
597 if (mgr && mgr->bredr_chan == chan)
598 mgr->bredr_chan = NULL;
0139418c
MH		 599 }
600
419e08c1
AE		 601 if (chan->hs_hchan) {
602 struct hci_chan *hs_hchan = chan->hs_hchan;
603
604 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
605 amp_disconnect_logical_link(hs_hchan);
606 }
607
b699ec0d 608 chan->ops->teardown(chan, err);
6be36555 609
2827011f 610 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 611 return;
2ead70b8 612
ee556f66
GP		 613 switch(chan->mode) {
614 case L2CAP_MODE_BASIC:
615 break;
c13ffa62 616
ee556f66 617 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 618 __clear_retrans_timer(chan);
619 __clear_monitor_timer(chan);
620 __clear_ack_timer(chan);
c13ffa62 621
f1c6775b 622 skb_queue_purge(&chan->srej_q);
c13ffa62 623
3c588192
MM		 624 l2cap_seq_list_free(&chan->srej_list);
625 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 626
627 /* fall through */
628
629 case L2CAP_MODE_STREAMING:
630 skb_queue_purge(&chan->tx_q);
631 break;
c13ffa62 632 }
ee556f66
GP		 633
634 return;
0139418c
MH		 635}
636
0f852724 637void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 638{
639 struct l2cap_conn *conn = chan->conn;
4519de9a 640
7eafc59e 641 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 642
89bc500e 643 switch (chan->state) {
4519de9a 644 case BT_LISTEN:
b699ec0d 645 chan->ops->teardown(chan, 0);
4519de9a
GP		 646 break;
647
648 case BT_CONNECTED:
649 case BT_CONFIG:
715ec005 650 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 651 conn->hcon->type == ACL_LINK) {
8d836d71 652 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 653 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 654 } else
655 l2cap_chan_del(chan, reason);
656 break;
657
658 case BT_CONNECT2:
715ec005 659 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 660 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 661 struct l2cap_conn_rsp rsp;
662 __u16 result;
663
bdc25783 664 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
4519de9a
GP		 665 result = L2CAP_CR_SEC_BLOCK;
666 else
667 result = L2CAP_CR_BAD_PSM;
bdc25783 668
89bc500e 669 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 670
671 rsp.scid = cpu_to_le16(chan->dcid);
672 rsp.dcid = cpu_to_le16(chan->scid);
673 rsp.result = cpu_to_le16(result);
ac73498c 674 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 675 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 676 sizeof(rsp), &rsp);
4519de9a
GP		 677 }
678
679 l2cap_chan_del(chan, reason);
680 break;
681
682 case BT_CONNECT:
683 case BT_DISCONN:
684 l2cap_chan_del(chan, reason);
685 break;
686
687 default:
b699ec0d 688 chan->ops->teardown(chan, 0);
4519de9a
GP		 689 break;
690 }
691}
692
4343478f 693static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 694{
6a974b50
MH		 695 switch (chan->chan_type) {
696 case L2CAP_CHAN_RAW:
4343478f 697 switch (chan->sec_level) {
8556edd3
JH		 698 case BT_SECURITY_HIGH:
699 return HCI_AT_DEDICATED_BONDING_MITM;
700 case BT_SECURITY_MEDIUM:
701 return HCI_AT_DEDICATED_BONDING;
702 default:
703 return HCI_AT_NO_BONDING;
704 }
6a974b50 705 break;
3124b843
MH		 706 case L2CAP_CHAN_CONN_LESS:
707 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
708 if (chan->sec_level == BT_SECURITY_LOW)
709 chan->sec_level = BT_SECURITY_SDP;
710 }
711 if (chan->sec_level == BT_SECURITY_HIGH)
712 return HCI_AT_NO_BONDING_MITM;
713 else
714 return HCI_AT_NO_BONDING;
715 break;
6a974b50
MH		 716 case L2CAP_CHAN_CONN_ORIENTED:
717 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
718 if (chan->sec_level == BT_SECURITY_LOW)
719 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 720
6a974b50
MH		 721 if (chan->sec_level == BT_SECURITY_HIGH)
722 return HCI_AT_NO_BONDING_MITM;
723 else
724 return HCI_AT_NO_BONDING;
725 }
726 /* fall through */
727 default:
4343478f 728 switch (chan->sec_level) {
00ae4af9 729 case BT_SECURITY_HIGH:
8556edd3 730 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 731 case BT_SECURITY_MEDIUM:
8556edd3 732 return HCI_AT_GENERAL_BONDING;
00ae4af9 733 default:
8556edd3 734 return HCI_AT_NO_BONDING;
00ae4af9 735 }
6a974b50 736 break;
0684e5f9 737 }
8556edd3
JH		 738}
739
740/* Service level security */
d45fc423 741int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 742{
8c1d787b 743 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 744 __u8 auth_type;
745
4343478f 746 auth_type = l2cap_get_auth_type(chan);
79d554a6 747
4343478f 748 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 749}
750
b5ad8b7f 751static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 752{
753 u8 id;
754
755 /* Get next available identificator.
756 * 1 - 128 are used by kernel.
757 * 129 - 199 are reserved.
758 * 200 - 254 are used by utilities like l2ping, etc.
759 */
760
333055f2 761 spin_lock(&conn->lock);
4e8402a3
MH		 762
763 if (++conn->tx_ident > 128)
764 conn->tx_ident = 1;
765
766 id = conn->tx_ident;
767
333055f2 768 spin_unlock(&conn->lock);
4e8402a3
MH		 769
770 return id;
771}
772
2d792818
GP		 773static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
774 void *data)
4e8402a3
MH		 775{
776 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 777 u8 flags;
4e8402a3
MH		 778
779 BT_DBG("code 0x%2.2x", code);
780
781 if (!skb)
9a9c6a34 782 return;
4e8402a3 783
e702112f
AE		 784 if (lmp_no_flush_capable(conn->hcon->hdev))
785 flags = ACL_START_NO_FLUSH;
786 else
787 flags = ACL_START;
788
14b12d0b 789 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 790 skb->priority = HCI_PRIO_MAX;
14b12d0b 791
73d80deb
LAD		 792 hci_send_acl(conn->hchan, skb, flags);
793}
794
02b0fbb9
MM		 795static bool __chan_is_moving(struct l2cap_chan *chan)
796{
797 return chan->move_state != L2CAP_MOVE_STABLE &&
798 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
799}
800
73d80deb
LAD		 801static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
802{
803 struct hci_conn *hcon = chan->conn->hcon;
804 u16 flags;
805
806 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 807 skb->priority);
73d80deb 808
d5f8a75d
MM		 809 if (chan->hs_hcon && !__chan_is_moving(chan)) {
810 if (chan->hs_hchan)
811 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
812 else
813 kfree_skb(skb);
814
815 return;
816 }
817
73d80deb 818 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 819 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 820 flags = ACL_START_NO_FLUSH;
821 else
822 flags = ACL_START;
14b12d0b 823
73d80deb
LAD		 824 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
825 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 826}
827
b76bbd66
MM		 828static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
829{
830 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
831 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
832
833 if (enh & L2CAP_CTRL_FRAME_TYPE) {
834 /* S-Frame */
835 control->sframe = 1;
836 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
837 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
838
839 control->sar = 0;
840 control->txseq = 0;
841 } else {
842 /* I-Frame */
843 control->sframe = 0;
844 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
845 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
846
847 control->poll = 0;
848 control->super = 0;
849 }
850}
851
b76bbd66
MM		 852static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
853{
854 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
855 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
856
857 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
858 /* S-Frame */
859 control->sframe = 1;
860 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
861 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
862
863 control->sar = 0;
864 control->txseq = 0;
865 } else {
866 /* I-Frame */
867 control->sframe = 0;
868 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
869 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
870
871 control->poll = 0;
872 control->super = 0;
873 }
874}
875
876static inline void __unpack_control(struct l2cap_chan *chan,
877 struct sk_buff *skb)
878{
879 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
880 __unpack_extended_control(get_unaligned_le32(skb->data),
881 &bt_cb(skb)->control);
cec8ab6e 882 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 883 } else {
884 __unpack_enhanced_control(get_unaligned_le16(skb->data),
885 &bt_cb(skb)->control);
cec8ab6e 886 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 887 }
888}
889
b5c6aaed
MM		 890static u32 __pack_extended_control(struct l2cap_ctrl *control)
891{
892 u32 packed;
893
894 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
895 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
896
897 if (control->sframe) {
898 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
899 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
900 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
901 } else {
902 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
903 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
904 }
905
906 return packed;
907}
908
909static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
910{
911 u16 packed;
912
913 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
914 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
915
916 if (control->sframe) {
917 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
918 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
919 packed |= L2CAP_CTRL_FRAME_TYPE;
920 } else {
921 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
922 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
923 }
924
925 return packed;
926}
927
b76bbd66
MM		 928static inline void __pack_control(struct l2cap_chan *chan,
929 struct l2cap_ctrl *control,
930 struct sk_buff *skb)
931{
932 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
933 put_unaligned_le32(__pack_extended_control(control),
934 skb->data + L2CAP_HDR_SIZE);
935 } else {
936 put_unaligned_le16(__pack_enhanced_control(control),
937 skb->data + L2CAP_HDR_SIZE);
938 }
939}
940
ba7aa64f
GP		 941static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
942{
943 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
944 return L2CAP_EXT_HDR_SIZE;
945 else
946 return L2CAP_ENH_HDR_SIZE;
947}
948
a67d7f6f
MM		 949static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
950 u32 control)
b5c6aaed
MM		 951{
952 struct sk_buff *skb;
953 struct l2cap_hdr *lh;
ba7aa64f 954 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 955
956 if (chan->fcs == L2CAP_FCS_CRC16)
957 hlen += L2CAP_FCS_SIZE;
958
a67d7f6f 959 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 960
b5c6aaed 961 if (!skb)
a67d7f6f 962 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 963
964 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
965 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
966 lh->cid = cpu_to_le16(chan->dcid);
967
a67d7f6f
MM		 968 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
969 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
970 else
971 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 972
973 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 974 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 975 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
976 }
977
978 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 979 return skb;
980}
981
982static void l2cap_send_sframe(struct l2cap_chan *chan,
983 struct l2cap_ctrl *control)
984{
985 struct sk_buff *skb;
986 u32 control_field;
987
988 BT_DBG("chan %p, control %p", chan, control);
989
990 if (!control->sframe)
991 return;
992
b99e13ad
MM		 993 if (__chan_is_moving(chan))
994 return;
995
a67d7f6f
MM		 996 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
997 !control->poll)
998 control->final = 1;
999
1000 if (control->super == L2CAP_SUPER_RR)
1001 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1002 else if (control->super == L2CAP_SUPER_RNR)
1003 set_bit(CONN_RNR_SENT, &chan->conn_state);
1004
1005 if (control->super != L2CAP_SUPER_SREJ) {
1006 chan->last_acked_seq = control->reqseq;
1007 __clear_ack_timer(chan);
1008 }
1009
1010 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1011 control->final, control->poll, control->super);
1012
1013 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1014 control_field = __pack_extended_control(control);
1015 else
1016 control_field = __pack_enhanced_control(control);
1017
1018 skb = l2cap_create_sframe_pdu(chan, control_field);
1019 if (!IS_ERR(skb))
1020 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1021}
1022
c9e3d5e0 1023static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1024{
c9e3d5e0
MM		 1025 struct l2cap_ctrl control;
1026
1027 BT_DBG("chan %p, poll %d", chan, poll);
1028
1029 memset(&control, 0, sizeof(control));
1030 control.sframe = 1;
1031 control.poll = poll;
1032
1033 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1034 control.super = L2CAP_SUPER_RNR;
1035 else
1036 control.super = L2CAP_SUPER_RR;
b5c6aaed 1037
c9e3d5e0
MM		 1038 control.reqseq = chan->buffer_seq;
1039 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1040}
1041
b4450035 1042static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1043{
c1360a1c 1044 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1045}
1046
1df7b17a 1047static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1048{
1df7b17a 1049 struct l2cap_conn *conn = chan->conn;
80d58d0b 1050 struct hci_dev *hdev;
1df7b17a
MH		 1051 bool amp_available = false;
1052
1053 if (!conn->hs_enabled)
1054 return false;
1055
1056 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1057 return false;
80d58d0b
MH		 1058
1059 read_lock(&hci_dev_list_lock);
1df7b17a 1060 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1061 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1062 test_bit(HCI_UP, &hdev->flags)) {
1063 amp_available = true;
1064 break;
1065 }
1066 }
80d58d0b
MH		 1067 read_unlock(&hci_dev_list_lock);
1068
1df7b17a
MH		 1069 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1070 return amp_available;
848566b3
MH		 1071
1072 return false;
93c3e8f5
AE		 1073}
1074
5ce66b59
AE		 1075static bool l2cap_check_efs(struct l2cap_chan *chan)
1076{
1077 /* Check EFS parameters */
1078 return true;
1079}
1080
2766be48 1081void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1082{
1083 struct l2cap_conn *conn = chan->conn;
1084 struct l2cap_conn_req req;
1085
1086 req.scid = cpu_to_le16(chan->scid);
1087 req.psm = chan->psm;
1088
1089 chan->ident = l2cap_get_ident(conn);
1090
1091 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1092
1093 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1094}
1095
8eb200bd
MM		 1096static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1097{
1098 struct l2cap_create_chan_req req;
1099 req.scid = cpu_to_le16(chan->scid);
1100 req.psm = chan->psm;
1101 req.amp_id = amp_id;
1102
1103 chan->ident = l2cap_get_ident(chan->conn);
1104
1105 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1106 sizeof(req), &req);
1107}
1108
02b0fbb9
MM		 1109static void l2cap_move_setup(struct l2cap_chan *chan)
1110{
1111 struct sk_buff *skb;
1112
1113 BT_DBG("chan %p", chan);
1114
1115 if (chan->mode != L2CAP_MODE_ERTM)
1116 return;
1117
1118 __clear_retrans_timer(chan);
1119 __clear_monitor_timer(chan);
1120 __clear_ack_timer(chan);
1121
1122 chan->retry_count = 0;
1123 skb_queue_walk(&chan->tx_q, skb) {
1124 if (bt_cb(skb)->control.retries)
1125 bt_cb(skb)->control.retries = 1;
1126 else
1127 break;
1128 }
1129
1130 chan->expected_tx_seq = chan->buffer_seq;
1131
1132 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1133 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1134 l2cap_seq_list_clear(&chan->retrans_list);
1135 l2cap_seq_list_clear(&chan->srej_list);
1136 skb_queue_purge(&chan->srej_q);
1137
1138 chan->tx_state = L2CAP_TX_STATE_XMIT;
1139 chan->rx_state = L2CAP_RX_STATE_MOVE;
1140
1141 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1142}
1143
5f3847a4
MM		 1144static void l2cap_move_done(struct l2cap_chan *chan)
1145{
1146 u8 move_role = chan->move_role;
1147 BT_DBG("chan %p", chan);
1148
1149 chan->move_state = L2CAP_MOVE_STABLE;
1150 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1151
1152 if (chan->mode != L2CAP_MODE_ERTM)
1153 return;
1154
1155 switch (move_role) {
1156 case L2CAP_MOVE_ROLE_INITIATOR:
1157 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1158 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1159 break;
1160 case L2CAP_MOVE_ROLE_RESPONDER:
1161 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1162 break;
1163 }
1164}
1165
9f0caeb1
VCG		 1166static void l2cap_chan_ready(struct l2cap_chan *chan)
1167{
2827011f 1168 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1169 chan->conf_state = 0;
1170 __clear_chan_timer(chan);
1171
54a59aa2 1172 chan->state = BT_CONNECTED;
9f0caeb1 1173
fd83e2c2 1174 chan->ops->ready(chan);
9f0caeb1
VCG		 1175}
1176
93c3e8f5
AE		 1177static void l2cap_start_connection(struct l2cap_chan *chan)
1178{
1179 if (__amp_capable(chan)) {
1180 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1181 a2mp_discover_amp(chan);
1182 } else {
1183 l2cap_send_conn_req(chan);
1184 }
1185}
1186
fc7f8a7e 1187static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1188{
8c1d787b 1189 struct l2cap_conn *conn = chan->conn;
79d554a6 1190
9f0caeb1
VCG		 1191 if (conn->hcon->type == LE_LINK) {
1192 l2cap_chan_ready(chan);
1193 return;
1194 }
1195
79d554a6 1196 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1197 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1198 return;
1199
d45fc423 1200 if (l2cap_chan_check_security(chan) &&
2d792818 1201 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1202 l2cap_start_connection(chan);
1203 }
79d554a6
MH		 1204 } else {
1205 struct l2cap_info_req req;
ac73498c 1206 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1207
1208 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1209 conn->info_ident = l2cap_get_ident(conn);
1210
ba13ccd9 1211 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1212
2d792818
GP		 1213 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1214 sizeof(req), &req);
79d554a6
MH		 1215 }
1216}
1217
cf6c2c0b
GP		 1218static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1219{
1220 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1221 if (!disable_ertm)
cf6c2c0b
GP		 1222 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1223
1224 switch (mode) {
1225 case L2CAP_MODE_ERTM:
1226 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1227 case L2CAP_MODE_STREAMING:
1228 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1229 default:
1230 return 0x00;
1231 }
1232}
1233
5e4e3972 1234static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1235{
5e4e3972 1236 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1237 struct l2cap_disconn_req req;
1238
c13ffa62
GP		 1239 if (!conn)
1240 return;
1241
aad3d0e3 1242 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1243 __clear_retrans_timer(chan);
1244 __clear_monitor_timer(chan);
1245 __clear_ack_timer(chan);
c13ffa62
GP		 1246 }
1247
416fa752 1248 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1249 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1250 return;
1251 }
1252
fe4128e0
GP		 1253 req.dcid = cpu_to_le16(chan->dcid);
1254 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1255 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1256 sizeof(req), &req);
c13ffa62 1257
f8e73017 1258 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1259}
1260
1da177e4 1261/* ---- L2CAP connections ---- */
4e8402a3
MH		 1262static void l2cap_conn_start(struct l2cap_conn *conn)
1263{
3df91ea2 1264 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1265
1266 BT_DBG("conn %p", conn);
1267
3df91ea2 1268 mutex_lock(&conn->chan_lock);
4e8402a3 1269
3df91ea2 1270 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1271 l2cap_chan_lock(chan);
4e8402a3 1272
715ec005 1273 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1274 l2cap_chan_unlock(chan);
79d554a6
MH		 1275 continue;
1276 }
1277
89bc500e 1278 if (chan->state == BT_CONNECT) {
d45fc423 1279 if (!l2cap_chan_check_security(chan) ||
2d792818 1280 !__l2cap_no_conn_pending(chan)) {
6be36555 1281 l2cap_chan_unlock(chan);
47731de7
GP		 1282 continue;
1283 }
79d554a6 1284
c1360a1c 1285 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1286 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1287 &chan->conf_state)) {
89bc500e 1288 l2cap_chan_close(chan, ECONNRESET);
6be36555 1289 l2cap_chan_unlock(chan);
47731de7 1290 continue;
b1235d79 1291 }
47731de7 1292
93c3e8f5 1293 l2cap_start_connection(chan);
47731de7 1294
89bc500e 1295 } else if (chan->state == BT_CONNECT2) {
79d554a6 1296 struct l2cap_conn_rsp rsp;
e9aeb2dd 1297 char buf[128];
fe4128e0
GP		 1298 rsp.scid = cpu_to_le16(chan->dcid);
1299 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1300
d45fc423 1301 if (l2cap_chan_check_security(chan)) {
bdc25783 1302 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
ac73498c
AE		 1303 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1304 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1305 chan->ops->defer(chan);
f66dc81f
MH		 1306
1307 } else {
acdcabf5 1308 l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1309 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1310 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1311 }
79d554a6 1312 } else {
ac73498c
AE		 1313 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1314 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1315 }
1316
fc7f8a7e 1317 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1318 sizeof(rsp), &rsp);
e9aeb2dd 1319
c1360a1c 1320 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1321 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1322 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1323 continue;
1324 }
1325
c1360a1c 1326 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1327 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1328 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1329 chan->num_conf_req++;
4e8402a3
MH		 1330 }
1331
6be36555 1332 l2cap_chan_unlock(chan);
4e8402a3
MH		 1333 }
1334
3df91ea2 1335 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1336}
1337
c2287681 1338/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1339 * Returns closest match, locked.
1340 */
d9b88702 1341static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1342 bdaddr_t *src,
1343 bdaddr_t *dst)
b62f328b 1344{
23691d75 1345 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1346
23691d75 1347 read_lock(&chan_list_lock);
b62f328b 1348
23691d75 1349 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1350 if (state && c->state != state)
b62f328b
VT		 1351 continue;
1352
23691d75 1353 if (c->scid == cid) {
c2287681
IY		 1354 int src_match, dst_match;
1355 int src_any, dst_any;
1356
b62f328b 1357 /* Exact match. */
7eafc59e
MH		 1358 src_match = !bacmp(&c->src, src);
1359 dst_match = !bacmp(&c->dst, dst);
c2287681 1360 if (src_match && dst_match) {
23691d75
GP		 1361 read_unlock(&chan_list_lock);
1362 return c;
1363 }
b62f328b
VT		 1364
1365 /* Closest match */
7eafc59e
MH		 1366 src_any = !bacmp(&c->src, BDADDR_ANY);
1367 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1368 if ((src_match && dst_any) || (src_any && dst_match) ||
1369 (src_any && dst_any))
23691d75 1370 c1 = c;
b62f328b
VT		 1371 }
1372 }
280f294f 1373
23691d75 1374 read_unlock(&chan_list_lock);
b62f328b 1375
23691d75 1376 return c1;
b62f328b
VT		 1377}
1378
1379static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1380{
cc8dba2b 1381 struct hci_conn *hcon = conn->hcon;
60bac184 1382 struct sock *parent;
23691d75 1383 struct l2cap_chan *chan, *pchan;
cc8dba2b 1384 u8 dst_type;
b62f328b
VT		 1385
1386 BT_DBG("");
1387
1388 /* Check if we have socket listening on cid */
073d1cf3 1389 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1390 &hcon->src, &hcon->dst);
23691d75 1391 if (!pchan)
b62f328b
VT		 1392 return;
1393
44f3b0fb
JH		 1394 /* Client ATT sockets should override the server one */
1395 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1396 return;
1397
cc8dba2b
MH		 1398 dst_type = bdaddr_type(hcon, hcon->dst_type);
1399
1400 /* If device is blocked, do not create a channel for it */
1401 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1402 return;
1403
23691d75
GP		 1404 parent = pchan->sk;
1405
aa2ac881 1406 lock_sock(parent);
62f3a2cf 1407
80b98027 1408 chan = pchan->ops->new_connection(pchan);
80808e43 1409 if (!chan)
b62f328b
VT		 1410 goto clean;
1411
9f22398c
JH		 1412 chan->dcid = L2CAP_CID_ATT;
1413
cc8dba2b
MH		 1414 bacpy(&chan->src, &hcon->src);
1415 bacpy(&chan->dst, &hcon->dst);
1416 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1417 chan->dst_type = dst_type;
b62f328b 1418
44f3b0fb 1419 __l2cap_chan_add(conn, chan);
48454079 1420
b62f328b 1421clean:
aa2ac881 1422 release_sock(parent);
b62f328b
VT		 1423}
1424
4e8402a3
MH		 1425static void l2cap_conn_ready(struct l2cap_conn *conn)
1426{
48454079 1427 struct l2cap_chan *chan;
cc110922 1428 struct hci_conn *hcon = conn->hcon;
4e8402a3 1429
79d554a6 1430 BT_DBG("conn %p", conn);
4e8402a3 1431
d8729922
JH		 1432 /* For outgoing pairing which doesn't necessarily have an
1433 * associated socket (e.g. mgmt_pair_device).
1434 */
cc110922
VCG		 1435 if (hcon->out && hcon->type == LE_LINK)
1436 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1437
3df91ea2 1438 mutex_lock(&conn->chan_lock);
4e8402a3 1439
44f3b0fb
JH		 1440 if (hcon->type == LE_LINK)
1441 l2cap_le_conn_ready(conn);
1442
3df91ea2 1443 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1444
6be36555 1445 l2cap_chan_lock(chan);
4e8402a3 1446
416fa752
AE		 1447 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1448 l2cap_chan_unlock(chan);
1449 continue;
1450 }
1451
cc110922
VCG		 1452 if (hcon->type == LE_LINK) {
1453 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1454 l2cap_chan_ready(chan);
acd7d370 1455
63128451 1456 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1457 l2cap_chan_ready(chan);
b501d6a1 1458
1c244f79 1459 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1460 l2cap_do_start(chan);
1c244f79 1461 }
4e8402a3 1462
6be36555 1463 l2cap_chan_unlock(chan);
4e8402a3 1464 }
79d554a6 1465
3df91ea2 1466 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1467}
1468
1469/* Notify sockets that we cannot guaranty reliability anymore */
1470static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1471{
48454079 1472 struct l2cap_chan *chan;
4e8402a3
MH		 1473
1474 BT_DBG("conn %p", conn);
1475
3df91ea2 1476 mutex_lock(&conn->chan_lock);
4e8402a3 1477
3df91ea2 1478 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1479 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1480 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1481 }
1482
3df91ea2 1483 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1484}
1485
f878fcad 1486static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1487{
f878fcad 1488 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1489 info_timer.work);
4e8402a3 1490
984947dc 1491 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1492 conn->info_ident = 0;
984947dc 1493
4e8402a3
MH		 1494 l2cap_conn_start(conn);
1495}
1496
2c8e1411
DH		 1497/*
1498 * l2cap_user
1499 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1500 * callback is called during registration. The ->remove callback is called
1501 * during unregistration.
1502 * An l2cap_user object can either be explicitly unregistered or when the
1503 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1504 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1505 * External modules must own a reference to the l2cap_conn object if they intend
1506 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1507 * any time if they don't.
1508 */
1509
1510int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1511{
1512 struct hci_dev *hdev = conn->hcon->hdev;
1513 int ret;
1514
1515 /* We need to check whether l2cap_conn is registered. If it is not, we
1516 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1517 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1518 * relies on the parent hci_conn object to be locked. This itself relies
1519 * on the hci_dev object to be locked. So we must lock the hci device
1520 * here, too. */
1521
1522 hci_dev_lock(hdev);
1523
1524 if (user->list.next || user->list.prev) {
1525 ret = -EINVAL;
1526 goto out_unlock;
1527 }
1528
1529 /* conn->hchan is NULL after l2cap_conn_del() was called */
1530 if (!conn->hchan) {
1531 ret = -ENODEV;
1532 goto out_unlock;
1533 }
1534
1535 ret = user->probe(conn, user);
1536 if (ret)
1537 goto out_unlock;
1538
1539 list_add(&user->list, &conn->users);
1540 ret = 0;
1541
1542out_unlock:
1543 hci_dev_unlock(hdev);
1544 return ret;
1545}
1546EXPORT_SYMBOL(l2cap_register_user);
1547
1548void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1549{
1550 struct hci_dev *hdev = conn->hcon->hdev;
1551
1552 hci_dev_lock(hdev);
1553
1554 if (!user->list.next || !user->list.prev)
1555 goto out_unlock;
1556
1557 list_del(&user->list);
1558 user->list.next = NULL;
1559 user->list.prev = NULL;
1560 user->remove(conn, user);
1561
1562out_unlock:
1563 hci_dev_unlock(hdev);
1564}
1565EXPORT_SYMBOL(l2cap_unregister_user);
1566
1567static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1568{
1569 struct l2cap_user *user;
1570
1571 while (!list_empty(&conn->users)) {
1572 user = list_first_entry(&conn->users, struct l2cap_user, list);
1573 list_del(&user->list);
1574 user->list.next = NULL;
1575 user->list.prev = NULL;
1576 user->remove(conn, user);
1577 }
1578}
1579
5d3de7df
VCG		 1580static void l2cap_conn_del(struct hci_conn *hcon, int err)
1581{
1582 struct l2cap_conn *conn = hcon->l2cap_data;
1583 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1584
1585 if (!conn)
1586 return;
1587
1588 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1589
1590 kfree_skb(conn->rx_skb);
1591
2c8e1411
DH		 1592 l2cap_unregister_all_users(conn);
1593
3df91ea2
AE		 1594 mutex_lock(&conn->chan_lock);
1595
5d3de7df
VCG		 1596 /* Kill channels */
1597 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1598 l2cap_chan_hold(chan);
6be36555
AE		 1599 l2cap_chan_lock(chan);
1600
5d3de7df 1601 l2cap_chan_del(chan, err);
6be36555
AE		 1602
1603 l2cap_chan_unlock(chan);
1604
80b98027 1605 chan->ops->close(chan);
61d6ef3e 1606 l2cap_chan_put(chan);
5d3de7df
VCG		 1607 }
1608
3df91ea2
AE		 1609 mutex_unlock(&conn->chan_lock);
1610
73d80deb
LAD		 1611 hci_chan_del(conn->hchan);
1612
5d3de7df 1613 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1614 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1615
51a8efd7 1616 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1617 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1618 smp_chan_destroy(conn);
d26a2345 1619 }
5d3de7df
VCG		 1620
1621 hcon->l2cap_data = NULL;
9c903e37
DH		 1622 conn->hchan = NULL;
1623 l2cap_conn_put(conn);
5d3de7df
VCG		 1624}
1625
6c9d42a1 1626static void security_timeout(struct work_struct *work)
5d3de7df 1627{
6c9d42a1 1628 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1629 security_timer.work);
5d3de7df 1630
d06cc416
JH		 1631 BT_DBG("conn %p", conn);
1632
1633 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1634 smp_chan_destroy(conn);
1635 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1636 }
5d3de7df
VCG		 1637}
1638
baf43251 1639static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1640{
0139418c 1641 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1642 struct hci_chan *hchan;
1da177e4 1643
baf43251 1644 if (conn)
1da177e4
LT		 1645 return conn;
1646
73d80deb
LAD		 1647 hchan = hci_chan_create(hcon);
1648 if (!hchan)
1649 return NULL;
1650
8bcde1f2 1651 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1652 if (!conn) {
1653 hci_chan_del(hchan);
1da177e4 1654 return NULL;
73d80deb 1655 }
1da177e4 1656
9c903e37 1657 kref_init(&conn->ref);
1da177e4
LT		 1658 hcon->l2cap_data = conn;
1659 conn->hcon = hcon;
9c903e37 1660 hci_conn_get(conn->hcon);
73d80deb 1661 conn->hchan = hchan;
1da177e4 1662
73d80deb 1663 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1664
dcc042d5 1665 switch (hcon->type) {
dcc042d5
AE		 1666 case LE_LINK:
1667 if (hcon->hdev->le_mtu) {
1668 conn->mtu = hcon->hdev->le_mtu;
1669 break;
1670 }
1671 /* fall through */
dcc042d5 1672 default:
acd7d370 1673 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1674 break;
1675 }
acd7d370 1676
4e8402a3
MH		 1677 conn->feat_mask = 0;
1678
848566b3
MH		 1679 if (hcon->type == ACL_LINK)
1680 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1681 &hcon->hdev->dev_flags);
1682
1da177e4 1683 spin_lock_init(&conn->lock);
3df91ea2 1684 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1685
1686 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1687 INIT_LIST_HEAD(&conn->users);
1da177e4 1688
5d3de7df 1689 if (hcon->type == LE_LINK)
6c9d42a1 1690 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1691 else
030013d8 1692 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1693
9f5a0d7b 1694 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1695
1da177e4
LT		 1696 return conn;
1697}
1698
9c903e37
DH		 1699static void l2cap_conn_free(struct kref *ref)
1700{
1701 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1702
1703 hci_conn_put(conn->hcon);
1704 kfree(conn);
1705}
1706
1707void l2cap_conn_get(struct l2cap_conn *conn)
1708{
1709 kref_get(&conn->ref);
1710}
1711EXPORT_SYMBOL(l2cap_conn_get);
1712
1713void l2cap_conn_put(struct l2cap_conn *conn)
1714{
1715 kref_put(&conn->ref, l2cap_conn_free);
1716}
1717EXPORT_SYMBOL(l2cap_conn_put);
1718
1da177e4 1719/* ---- Socket interface ---- */
1da177e4 1720
c2287681 1721/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1722 * Returns closest match.
1723 */
c2287681
IY		 1724static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1725 bdaddr_t *src,
1726 bdaddr_t *dst)
1da177e4 1727{
23691d75 1728 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1729
23691d75 1730 read_lock(&chan_list_lock);
e0f0cb56 1731
23691d75 1732 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1733 if (state && c->state != state)
1da177e4
LT		 1734 continue;
1735
23691d75 1736 if (c->psm == psm) {
c2287681
IY		 1737 int src_match, dst_match;
1738 int src_any, dst_any;
1739
1da177e4 1740 /* Exact match. */
7eafc59e
MH		 1741 src_match = !bacmp(&c->src, src);
1742 dst_match = !bacmp(&c->dst, dst);
c2287681 1743 if (src_match && dst_match) {
a7567b20 1744 read_unlock(&chan_list_lock);
23691d75
GP		 1745 return c;
1746 }
1da177e4
LT		 1747
1748 /* Closest match */
7eafc59e
MH		 1749 src_any = !bacmp(&c->src, BDADDR_ANY);
1750 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1751 if ((src_match && dst_any) || (src_any && dst_match) ||
1752 (src_any && dst_any))
23691d75 1753 c1 = c;
1da177e4
LT		 1754 }
1755 }
1da177e4 1756
23691d75 1757 read_unlock(&chan_list_lock);
e0f0cb56 1758
23691d75 1759 return c1;
1da177e4
LT		 1760}
1761
8e9f9892
AG		 1762int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1763 bdaddr_t *dst, u8 dst_type)
1da177e4 1764{
1da177e4
LT		 1765 struct l2cap_conn *conn;
1766 struct hci_conn *hcon;
1767 struct hci_dev *hdev;
09ab6f4c 1768 __u8 auth_type;
44d0e48e 1769 int err;
1da177e4 1770
7eafc59e 1771 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
ab19516a 1772 dst_type, __le16_to_cpu(psm));
1da177e4 1773
7eafc59e 1774 hdev = hci_get_route(dst, &chan->src);
af05b30b 1775 if (!hdev)
1da177e4
LT		 1776 return -EHOSTUNREACH;
1777
09fd0de5 1778 hci_dev_lock(hdev);
1da177e4 1779
6be36555 1780 l2cap_chan_lock(chan);
03a00194
GP		 1781
1782 /* PSM must be odd and lsb of upper byte must be 0 */
1783 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1784 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1785 err = -EINVAL;
1786 goto done;
1787 }
1788
1789 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1790 err = -EINVAL;
1791 goto done;
1792 }
1793
1794 switch (chan->mode) {
1795 case L2CAP_MODE_BASIC:
1796 break;
1797 case L2CAP_MODE_ERTM:
1798 case L2CAP_MODE_STREAMING:
1799 if (!disable_ertm)
1800 break;
1801 /* fall through */
1802 default:
1803 err = -ENOTSUPP;
1804 goto done;
1805 }
1806
0797e01d 1807 switch (chan->state) {
03a00194
GP		 1808 case BT_CONNECT:
1809 case BT_CONNECT2:
1810 case BT_CONFIG:
1811 /* Already connecting */
1812 err = 0;
1813 goto done;
1814
1815 case BT_CONNECTED:
1816 /* Already connected */
1817 err = -EISCONN;
1818 goto done;
1819
1820 case BT_OPEN:
1821 case BT_BOUND:
1822 /* Can connect */
1823 break;
1824
1825 default:
1826 err = -EBADFD;
1827 goto done;
1828 }
1829
1830 /* Set destination address and psm */
7eafc59e 1831 bacpy(&chan->dst, dst);
4f1654e0 1832 chan->dst_type = dst_type;
6be36555 1833
03a00194
GP		 1834 chan->psm = psm;
1835 chan->dcid = cid;
1da177e4 1836
4343478f 1837 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1838
f224ca5f 1839 if (bdaddr_type_is_le(dst_type))
8e9f9892 1840 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1841 chan->sec_level, auth_type);
acd7d370 1842 else
8e9f9892 1843 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1844 chan->sec_level, auth_type);
acd7d370 1845
30e76272
VT		 1846 if (IS_ERR(hcon)) {
1847 err = PTR_ERR(hcon);
1da177e4 1848 goto done;
30e76272 1849 }
1da177e4 1850
baf43251 1851 conn = l2cap_conn_add(hcon);
1da177e4 1852 if (!conn) {
76a68ba0 1853 hci_conn_drop(hcon);
30e76272 1854 err = -ENOMEM;
1da177e4
LT		 1855 goto done;
1856 }
1857
141d5706
JH		 1858 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1859 hci_conn_drop(hcon);
1860 err = -EBUSY;
1861 goto done;
9f0caeb1
VCG		 1862 }
1863
1da177e4 1864 /* Update source addr of the socket */
7eafc59e 1865 bacpy(&chan->src, &hcon->src);
4f1654e0 1866 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1da177e4 1867
6be36555 1868 l2cap_chan_unlock(chan);
48454079 1869 l2cap_chan_add(conn, chan);
6be36555 1870 l2cap_chan_lock(chan);
48454079 1871
5ee9891d
JH		 1872 /* l2cap_chan_add takes its own ref so we can drop this one */
1873 hci_conn_drop(hcon);
1874
6be36555 1875 l2cap_state_change(chan, BT_CONNECT);
8d836d71 1876 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4
LT		 1877
1878 if (hcon->state == BT_CONNECTED) {
715ec005 1879 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1880 __clear_chan_timer(chan);
d45fc423 1881 if (l2cap_chan_check_security(chan))
6be36555 1882 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1883 } else
fc7f8a7e 1884 l2cap_do_start(chan);
1da177e4
LT		 1885 }
1886
30e76272
VT		 1887 err = 0;
1888
1da177e4 1889done:
6be36555 1890 l2cap_chan_unlock(chan);
09fd0de5 1891 hci_dev_unlock(hdev);
1da177e4
LT		 1892 hci_dev_put(hdev);
1893 return err;
1894}
1895
721c4181 1896static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1897{
721c4181 1898 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1899 monitor_timer.work);
e90bac06 1900
525cd185 1901 BT_DBG("chan %p", chan);
0e98958d 1902
6be36555
AE		 1903 l2cap_chan_lock(chan);
1904
80909e04 1905 if (!chan->conn) {
6be36555 1906 l2cap_chan_unlock(chan);
8d7e1c7f 1907 l2cap_chan_put(chan);
e90bac06
GP		 1908 return;
1909 }
1910
401bb1f7 1911 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1912
6be36555 1913 l2cap_chan_unlock(chan);
8d7e1c7f 1914 l2cap_chan_put(chan);
e90bac06
GP		 1915}
1916
721c4181 1917static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1918{
721c4181 1919 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1920 retrans_timer.work);
e90bac06 1921
49208c9c 1922 BT_DBG("chan %p", chan);
0e98958d 1923
6be36555
AE		 1924 l2cap_chan_lock(chan);
1925
80909e04
MM		 1926 if (!chan->conn) {
1927 l2cap_chan_unlock(chan);
1928 l2cap_chan_put(chan);
1929 return;
1930 }
6be36555 1931
401bb1f7 1932 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1933 l2cap_chan_unlock(chan);
8d7e1c7f 1934 l2cap_chan_put(chan);
e90bac06
GP		 1935}
1936
d660366d
GP		 1937static void l2cap_streaming_send(struct l2cap_chan *chan,
1938 struct sk_buff_head *skbs)
6840ed07 1939{
ccbb84af 1940 struct sk_buff *skb;
3733937d 1941 struct l2cap_ctrl *control;
6840ed07 1942
3733937d
MM		 1943 BT_DBG("chan %p, skbs %p", chan, skbs);
1944
b99e13ad
MM		 1945 if (__chan_is_moving(chan))
1946 return;
1947
3733937d
MM		 1948 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1949
1950 while (!skb_queue_empty(&chan->tx_q)) {
1951
1952 skb = skb_dequeue(&chan->tx_q);
1953
1954 bt_cb(skb)->control.retries = 1;
1955 control = &bt_cb(skb)->control;
1956
1957 control->reqseq = 0;
1958 control->txseq = chan->next_tx_seq;
1959
1960 __pack_control(chan, control, skb);
6840ed07 1961
47d1ec61 1962 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1963 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1964 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1965 }
1966
4343478f 1967 l2cap_do_send(chan, skb);
6840ed07 1968
b4400672 1969 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1970
836be934 1971 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1972 chan->frames_sent++;
6840ed07 1973 }
6840ed07
GP		 1974}
1975
67c9e840 1976static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1977{
1978 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1979 struct l2cap_ctrl *control;
1980 int sent = 0;
1981
1982 BT_DBG("chan %p", chan);
1c2acffb 1983
89bc500e 1984 if (chan->state != BT_CONNECTED)
c13ffa62 1985 return -ENOTCONN;
e90bac06 1986
94122bbe
MM		 1987 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1988 return 0;
1989
b99e13ad
MM		 1990 if (__chan_is_moving(chan))
1991 return 0;
1992
18a48e76
MM		 1993 while (chan->tx_send_head &&
1994 chan->unacked_frames < chan->remote_tx_win &&
1995 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1996
18a48e76 1997 skb = chan->tx_send_head;
e90bac06 1998
18a48e76
MM		 1999 bt_cb(skb)->control.retries = 1;
2000 control = &bt_cb(skb)->control;
95ffa978 2001
e2ab4353 2002 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 2003 control->final = 1;
e2ab4353 2004
18a48e76
MM		 2005 control->reqseq = chan->buffer_seq;
2006 chan->last_acked_seq = chan->buffer_seq;
2007 control->txseq = chan->next_tx_seq;
1c2acffb 2008
18a48e76 2009 __pack_control(chan, control, skb);
e90bac06 2010
47d1ec61 2011 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2012 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2013 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2014 }
2015
18a48e76
MM		 2016 /* Clone after data has been modified. Data is assumed to be
2017 read-only (for locking purposes) on cloned sk_buffs.
2018 */
2019 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2020
18a48e76
MM		 2021 if (!tx_skb)
2022 break;
1c2acffb 2023
18a48e76 2024 __set_retrans_timer(chan);
836be934
AE		 2025
2026 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2027 chan->unacked_frames++;
6a026610 2028 chan->frames_sent++;
18a48e76 2029 sent++;
1c2acffb 2030
58d35f87
GP		 2031 if (skb_queue_is_last(&chan->tx_q, skb))
2032 chan->tx_send_head = NULL;
1c2acffb 2033 else
58d35f87 2034 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2035
2036 l2cap_do_send(chan, tx_skb);
b4400672 2037 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2038 }
2039
b4400672
AE		 2040 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2041 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2042
2043 return sent;
9e917af1
GP		 2044}
2045
e1fbd4c1
MM		 2046static void l2cap_ertm_resend(struct l2cap_chan *chan)
2047{
2048 struct l2cap_ctrl control;
2049 struct sk_buff *skb;
2050 struct sk_buff *tx_skb;
2051 u16 seq;
2052
2053 BT_DBG("chan %p", chan);
2054
2055 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2056 return;
2057
b99e13ad
MM		 2058 if (__chan_is_moving(chan))
2059 return;
2060
e1fbd4c1
MM		 2061 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2062 seq = l2cap_seq_list_pop(&chan->retrans_list);
2063
2064 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2065 if (!skb) {
2066 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2067 seq);
e1fbd4c1
MM		 2068 continue;
2069 }
2070
2071 bt_cb(skb)->control.retries++;
2072 control = bt_cb(skb)->control;
2073
2074 if (chan->max_tx != 0 &&
2075 bt_cb(skb)->control.retries > chan->max_tx) {
2076 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2077 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2078 l2cap_seq_list_clear(&chan->retrans_list);
2079 break;
2080 }
2081
2082 control.reqseq = chan->buffer_seq;
2083 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2084 control.final = 1;
2085 else
2086 control.final = 0;
2087
2088 if (skb_cloned(skb)) {
2089 /* Cloned sk_buffs are read-only, so we need a
2090 * writeable copy
2091 */
8bcde1f2 2092 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2093 } else {
8bcde1f2 2094 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2095 }
2096
2097 if (!tx_skb) {
2098 l2cap_seq_list_clear(&chan->retrans_list);
2099 break;
2100 }
2101
2102 /* Update skb contents */
2103 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2104 put_unaligned_le32(__pack_extended_control(&control),
2105 tx_skb->data + L2CAP_HDR_SIZE);
2106 } else {
2107 put_unaligned_le16(__pack_enhanced_control(&control),
2108 tx_skb->data + L2CAP_HDR_SIZE);
2109 }
2110
2111 if (chan->fcs == L2CAP_FCS_CRC16) {
2112 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2113 put_unaligned_le16(fcs, skb_put(tx_skb,
2114 L2CAP_FCS_SIZE));
2115 }
2116
2117 l2cap_do_send(chan, tx_skb);
2118
2119 BT_DBG("Resent txseq %d", control.txseq);
2120
2121 chan->last_acked_seq = chan->buffer_seq;
2122 }
2123}
2124
f80842a8
MM		 2125static void l2cap_retransmit(struct l2cap_chan *chan,
2126 struct l2cap_ctrl *control)
2127{
2128 BT_DBG("chan %p, control %p", chan, control);
2129
2130 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2131 l2cap_ertm_resend(chan);
2132}
2133
d2a7ac5d
MM		 2134static void l2cap_retransmit_all(struct l2cap_chan *chan,
2135 struct l2cap_ctrl *control)
2136{
e1fbd4c1
MM		 2137 struct sk_buff *skb;
2138
2139 BT_DBG("chan %p, control %p", chan, control);
2140
2141 if (control->poll)
2142 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2143
2144 l2cap_seq_list_clear(&chan->retrans_list);
2145
2146 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2147 return;
2148
2149 if (chan->unacked_frames) {
2150 skb_queue_walk(&chan->tx_q, skb) {
2151 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2152 skb == chan->tx_send_head)
e1fbd4c1
MM		 2153 break;
2154 }
2155
2156 skb_queue_walk_from(&chan->tx_q, skb) {
2157 if (skb == chan->tx_send_head)
2158 break;
2159
2160 l2cap_seq_list_append(&chan->retrans_list,
2161 bt_cb(skb)->control.txseq);
2162 }
2163
2164 l2cap_ertm_resend(chan);
2165 }
d2a7ac5d
MM		 2166}
2167
0a0aba42 2168static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2169{
0a0aba42
MM		 2170 struct l2cap_ctrl control;
2171 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2172 chan->last_acked_seq);
2173 int threshold;
9e917af1 2174
0a0aba42
MM		 2175 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2176 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2177
0a0aba42
MM		 2178 memset(&control, 0, sizeof(control));
2179 control.sframe = 1;
dfc909be 2180
0a0aba42
MM		 2181 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2182 chan->rx_state == L2CAP_RX_STATE_RECV) {
2183 __clear_ack_timer(chan);
2184 control.super = L2CAP_SUPER_RNR;
2185 control.reqseq = chan->buffer_seq;
2186 l2cap_send_sframe(chan, &control);
2187 } else {
2188 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2189 l2cap_ertm_send(chan);
2190 /* If any i-frames were sent, they included an ack */
2191 if (chan->buffer_seq == chan->last_acked_seq)
2192 frames_to_ack = 0;
2193 }
dfc909be 2194
c20f8e35 2195 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2196 * Calculate without mul or div
2197 */
c20f8e35 2198 threshold = chan->ack_win;
0a0aba42
MM		 2199 threshold += threshold << 1;
2200 threshold >>= 2;
2201
b4400672 2202 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2203 threshold);
2204
2205 if (frames_to_ack >= threshold) {
2206 __clear_ack_timer(chan);
2207 control.super = L2CAP_SUPER_RR;
2208 control.reqseq = chan->buffer_seq;
2209 l2cap_send_sframe(chan, &control);
2210 frames_to_ack = 0;
2211 }
1c2acffb 2212
0a0aba42
MM		 2213 if (frames_to_ack)
2214 __set_ack_timer(chan);
2215 }
b17e73bb
SJ		 2216}
2217
04124681
GP		 2218static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2219 struct msghdr *msg, int len,
2220 int count, struct sk_buff *skb)
1c2acffb 2221{
0952a57a 2222 struct l2cap_conn *conn = chan->conn;
1c2acffb 2223 struct sk_buff **frag;
90338947 2224 int sent = 0;
1da177e4 2225
59203a21 2226 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2227 return -EFAULT;
1da177e4
LT		 2228
2229 sent += count;
2230 len -= count;
2231
2232 /* Continuation fragments (no L2CAP header) */
2233 frag = &skb_shinfo(skb)->frag_list;
2234 while (len) {
fbe00700
GP		 2235 struct sk_buff *tmp;
2236
1da177e4
LT		 2237 count = min_t(unsigned int, conn->mtu, len);
2238
fbe00700
GP		 2239 tmp = chan->ops->alloc_skb(chan, count,
2240 msg->msg_flags & MSG_DONTWAIT);
2241 if (IS_ERR(tmp))
2242 return PTR_ERR(tmp);
2243
2244 *frag = tmp;
2f7719ce 2245
1c2acffb
GP		 2246 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2247 return -EFAULT;
1da177e4 2248
5e59b791
LAD		 2249 (*frag)->priority = skb->priority;
2250
1da177e4
LT		 2251 sent += count;
2252 len -= count;
2253
2d0ed3d5
GP		 2254 skb->len += (*frag)->len;
2255 skb->data_len += (*frag)->len;
2256
1da177e4
LT		 2257 frag = &(*frag)->next;
2258 }
1da177e4
LT		 2259
2260 return sent;
1c2acffb 2261}
1da177e4 2262
5e59b791 2263static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2264 struct msghdr *msg, size_t len,
2265 u32 priority)
1c2acffb 2266{
8c1d787b 2267 struct l2cap_conn *conn = chan->conn;
1c2acffb 2268 struct sk_buff *skb;
03a51213 2269 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2270 struct l2cap_hdr *lh;
2271
43b1b8df
MH		 2272 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2273 __le16_to_cpu(chan->psm), len, priority);
1c2acffb
GP		 2274
2275 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2276
2277 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2278 msg->msg_flags & MSG_DONTWAIT);
2279 if (IS_ERR(skb))
2280 return skb;
1c2acffb 2281
5e59b791
LAD		 2282 skb->priority = priority;
2283
1c2acffb
GP		 2284 /* Create L2CAP header */
2285 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2286 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2287 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2288 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2289
0952a57a 2290 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2291 if (unlikely(err < 0)) {
2292 kfree_skb(skb);
2293 return ERR_PTR(err);
2294 }
2295 return skb;
2296}
2297
5e59b791 2298static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2299 struct msghdr *msg, size_t len,
2300 u32 priority)
1c2acffb 2301{
8c1d787b 2302 struct l2cap_conn *conn = chan->conn;
1c2acffb 2303 struct sk_buff *skb;
f2ba7fae 2304 int err, count;
1c2acffb
GP		 2305 struct l2cap_hdr *lh;
2306
b4400672 2307 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2308
f2ba7fae 2309 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2310
f2ba7fae 2311 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2312 msg->msg_flags & MSG_DONTWAIT);
2313 if (IS_ERR(skb))
2314 return skb;
1c2acffb 2315
5e59b791
LAD		 2316 skb->priority = priority;
2317
1c2acffb
GP		 2318 /* Create L2CAP header */
2319 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2320 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2321 lh->len = cpu_to_le16(len);
1c2acffb 2322
0952a57a 2323 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2324 if (unlikely(err < 0)) {
2325 kfree_skb(skb);
2326 return ERR_PTR(err);
2327 }
2328 return skb;
2329}
2330
ab0ff76d 2331static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2332 struct msghdr *msg, size_t len,
2333 u16 sdulen)
1c2acffb 2334{
8c1d787b 2335 struct l2cap_conn *conn = chan->conn;
1c2acffb 2336 struct sk_buff *skb;
e4ca6d98 2337 int err, count, hlen;
1c2acffb
GP		 2338 struct l2cap_hdr *lh;
2339
b4400672 2340 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2341
0ee0d208
GP		 2342 if (!conn)
2343 return ERR_PTR(-ENOTCONN);
2344
ba7aa64f 2345 hlen = __ertm_hdr_size(chan);
e4ca6d98 2346
c74e560c 2347 if (sdulen)
03a51213 2348 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2349
47d1ec61 2350 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2351 hlen += L2CAP_FCS_SIZE;
fcc203c3 2352
1c2acffb 2353 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2354
2355 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2356 msg->msg_flags & MSG_DONTWAIT);
2357 if (IS_ERR(skb))
2358 return skb;
1c2acffb
GP		 2359
2360 /* Create L2CAP header */
2361 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2362 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2363 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2364
18a48e76
MM		 2365 /* Control header is populated later */
2366 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2367 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2368 else
2369 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2370
c74e560c 2371 if (sdulen)
03a51213 2372 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2373
0952a57a 2374 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2375 if (unlikely(err < 0)) {
2376 kfree_skb(skb);
2377 return ERR_PTR(err);
2378 }
e90bac06 2379
18a48e76 2380 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2381 bt_cb(skb)->control.retries = 0;
1c2acffb 2382 return skb;
1da177e4
LT		 2383}
2384
94122bbe
MM		 2385static int l2cap_segment_sdu(struct l2cap_chan *chan,
2386 struct sk_buff_head *seg_queue,
2387 struct msghdr *msg, size_t len)
c74e560c 2388{
c74e560c 2389 struct sk_buff *skb;
94122bbe
MM		 2390 u16 sdu_len;
2391 size_t pdu_len;
94122bbe 2392 u8 sar;
c74e560c 2393
b4400672 2394 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2395
94122bbe
MM		 2396 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2397 * so fragmented skbs are not used. The HCI layer's handling
2398 * of fragmented skbs is not compatible with ERTM's queueing.
2399 */
c74e560c 2400
94122bbe
MM		 2401 /* PDU size is derived from the HCI MTU */
2402 pdu_len = chan->conn->mtu;
c74e560c 2403
a549574d
MM		 2404 /* Constrain PDU size for BR/EDR connections */
2405 if (!chan->hs_hcon)
2406 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2407
2408 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2409 if (chan->fcs)
2410 pdu_len -= L2CAP_FCS_SIZE;
2411
ba7aa64f 2412 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2413
2414 /* Remote device may have requested smaller PDUs */
2415 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2416
2417 if (len <= pdu_len) {
2418 sar = L2CAP_SAR_UNSEGMENTED;
2419 sdu_len = 0;
2420 pdu_len = len;
2421 } else {
2422 sar = L2CAP_SAR_START;
2423 sdu_len = len;
2424 pdu_len -= L2CAP_SDULEN_SIZE;
2425 }
2426
2427 while (len > 0) {
2428 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2429
c74e560c 2430 if (IS_ERR(skb)) {
94122bbe 2431 __skb_queue_purge(seg_queue);
c74e560c
GP		 2432 return PTR_ERR(skb);
2433 }
2434
94122bbe
MM		 2435 bt_cb(skb)->control.sar = sar;
2436 __skb_queue_tail(seg_queue, skb);
2437
2438 len -= pdu_len;
2439 if (sdu_len) {
2440 sdu_len = 0;
2441 pdu_len += L2CAP_SDULEN_SIZE;
2442 }
2443
2444 if (len <= pdu_len) {
2445 sar = L2CAP_SAR_END;
2446 pdu_len = len;
2447 } else {
2448 sar = L2CAP_SAR_CONTINUE;
2449 }
c74e560c 2450 }
c74e560c 2451
f0f62799 2452 return 0;
c74e560c
GP		 2453}
2454
5e59b791 2455int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2456 u32 priority)
9a91a04a 2457{
9a91a04a 2458 struct sk_buff *skb;
9a91a04a 2459 int err;
94122bbe 2460 struct sk_buff_head seg_queue;
9a91a04a
GP		 2461
2462 /* Connectionless channel */
715ec005 2463 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2464 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2465 if (IS_ERR(skb))
2466 return PTR_ERR(skb);
2467
2468 l2cap_do_send(chan, skb);
2469 return len;
2470 }
2471
2472 switch (chan->mode) {
2473 case L2CAP_MODE_BASIC:
2474 /* Check outgoing MTU */
2475 if (len > chan->omtu)
2476 return -EMSGSIZE;
2477
2478 /* Create a basic PDU */
5e59b791 2479 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2480 if (IS_ERR(skb))
2481 return PTR_ERR(skb);
2482
2483 l2cap_do_send(chan, skb);
2484 err = len;
2485 break;
2486
2487 case L2CAP_MODE_ERTM:
2488 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2489 /* Check outgoing MTU */
2490 if (len > chan->omtu) {
2491 err = -EMSGSIZE;
2492 break;
2493 }
9a91a04a 2494
94122bbe 2495 __skb_queue_head_init(&seg_queue);
9a91a04a 2496
94122bbe
MM		 2497 /* Do segmentation before calling in to the state machine,
2498 * since it's possible to block while waiting for memory
2499 * allocation.
2500 */
2501 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2502
94122bbe
MM		 2503 /* The channel could have been closed while segmenting,
2504 * check that it is still connected.
2505 */
2506 if (chan->state != BT_CONNECTED) {
2507 __skb_queue_purge(&seg_queue);
2508 err = -ENOTCONN;
9a91a04a
GP		 2509 }
2510
94122bbe 2511 if (err)
9a91a04a 2512 break;
9a91a04a 2513
3733937d 2514 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2515 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2516 else
d660366d 2517 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2518
d660366d 2519 err = len;
9a91a04a 2520
94122bbe
MM		 2521 /* If the skbs were not queued for sending, they'll still be in
2522 * seg_queue and need to be purged.
2523 */
2524 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2525 break;
2526
2527 default:
2528 BT_DBG("bad state %1.1x", chan->mode);
2529 err = -EBADFD;
2530 }
2531
2532 return err;
2533}
2534
d2a7ac5d
MM		 2535static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2536{
bed68bde
MM		 2537 struct l2cap_ctrl control;
2538 u16 seq;
2539
b4400672 2540 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2541
2542 memset(&control, 0, sizeof(control));
2543 control.sframe = 1;
2544 control.super = L2CAP_SUPER_SREJ;
2545
2546 for (seq = chan->expected_tx_seq; seq != txseq;
2547 seq = __next_seq(chan, seq)) {
2548 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2549 control.reqseq = seq;
2550 l2cap_send_sframe(chan, &control);
2551 l2cap_seq_list_append(&chan->srej_list, seq);
2552 }
2553 }
2554
2555 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2556}
2557
2558static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2559{
bed68bde
MM		 2560 struct l2cap_ctrl control;
2561
2562 BT_DBG("chan %p", chan);
2563
2564 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2565 return;
2566
2567 memset(&control, 0, sizeof(control));
2568 control.sframe = 1;
2569 control.super = L2CAP_SUPER_SREJ;
2570 control.reqseq = chan->srej_list.tail;
2571 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2572}
2573
2574static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2575{
bed68bde
MM		 2576 struct l2cap_ctrl control;
2577 u16 initial_head;
2578 u16 seq;
2579
b4400672 2580 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2581
2582 memset(&control, 0, sizeof(control));
2583 control.sframe = 1;
2584 control.super = L2CAP_SUPER_SREJ;
2585
2586 /* Capture initial list head to allow only one pass through the list. */
2587 initial_head = chan->srej_list.head;
2588
2589 do {
2590 seq = l2cap_seq_list_pop(&chan->srej_list);
2591 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2592 break;
2593
2594 control.reqseq = seq;
2595 l2cap_send_sframe(chan, &control);
2596 l2cap_seq_list_append(&chan->srej_list, seq);
2597 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2598}
2599
608bcc6d
MM		 2600static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2601{
2602 struct sk_buff *acked_skb;
2603 u16 ackseq;
2604
b4400672 2605 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2606
2607 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2608 return;
2609
b4400672 2610 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2611 chan->expected_ack_seq, chan->unacked_frames);
2612
2613 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2614 ackseq = __next_seq(chan, ackseq)) {
2615
2616 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2617 if (acked_skb) {
2618 skb_unlink(acked_skb, &chan->tx_q);
2619 kfree_skb(acked_skb);
2620 chan->unacked_frames--;
2621 }
2622 }
2623
2624 chan->expected_ack_seq = reqseq;
2625
2626 if (chan->unacked_frames == 0)
2627 __clear_retrans_timer(chan);
2628
b4400672 2629 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2630}
2631
2632static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2633{
2634 BT_DBG("chan %p", chan);
2635
2636 chan->expected_tx_seq = chan->buffer_seq;
2637 l2cap_seq_list_clear(&chan->srej_list);
2638 skb_queue_purge(&chan->srej_q);
2639 chan->rx_state = L2CAP_RX_STATE_RECV;
2640}
2641
d660366d
GP		 2642static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2643 struct l2cap_ctrl *control,
2644 struct sk_buff_head *skbs, u8 event)
608bcc6d 2645{
608bcc6d
MM		 2646 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2647 event);
2648
2649 switch (event) {
2650 case L2CAP_EV_DATA_REQUEST:
2651 if (chan->tx_send_head == NULL)
2652 chan->tx_send_head = skb_peek(skbs);
2653
2654 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2655 l2cap_ertm_send(chan);
2656 break;
2657 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2658 BT_DBG("Enter LOCAL_BUSY");
2659 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2660
2661 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2662 /* The SREJ_SENT state must be aborted if we are to
2663 * enter the LOCAL_BUSY state.
2664 */
2665 l2cap_abort_rx_srej_sent(chan);
2666 }
2667
2668 l2cap_send_ack(chan);
2669
2670 break;
2671 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2672 BT_DBG("Exit LOCAL_BUSY");
2673 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2674
2675 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2676 struct l2cap_ctrl local_control;
2677
2678 memset(&local_control, 0, sizeof(local_control));
2679 local_control.sframe = 1;
2680 local_control.super = L2CAP_SUPER_RR;
2681 local_control.poll = 1;
2682 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2683 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2684
2685 chan->retry_count = 1;
2686 __set_monitor_timer(chan);
2687 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2688 }
2689 break;
2690 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2691 l2cap_process_reqseq(chan, control->reqseq);
2692 break;
2693 case L2CAP_EV_EXPLICIT_POLL:
2694 l2cap_send_rr_or_rnr(chan, 1);
2695 chan->retry_count = 1;
2696 __set_monitor_timer(chan);
2697 __clear_ack_timer(chan);
2698 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2699 break;
2700 case L2CAP_EV_RETRANS_TO:
2701 l2cap_send_rr_or_rnr(chan, 1);
2702 chan->retry_count = 1;
2703 __set_monitor_timer(chan);
2704 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2705 break;
2706 case L2CAP_EV_RECV_FBIT:
2707 /* Nothing to process */
2708 break;
2709 default:
2710 break;
2711 }
608bcc6d
MM		 2712}
2713
d660366d
GP		 2714static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2715 struct l2cap_ctrl *control,
2716 struct sk_buff_head *skbs, u8 event)
608bcc6d 2717{
608bcc6d
MM		 2718 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2719 event);
2720
2721 switch (event) {
2722 case L2CAP_EV_DATA_REQUEST:
2723 if (chan->tx_send_head == NULL)
2724 chan->tx_send_head = skb_peek(skbs);
2725 /* Queue data, but don't send. */
2726 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2727 break;
2728 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2729 BT_DBG("Enter LOCAL_BUSY");
2730 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2731
2732 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2733 /* The SREJ_SENT state must be aborted if we are to
2734 * enter the LOCAL_BUSY state.
2735 */
2736 l2cap_abort_rx_srej_sent(chan);
2737 }
2738
2739 l2cap_send_ack(chan);
2740
2741 break;
2742 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2743 BT_DBG("Exit LOCAL_BUSY");
2744 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2745
2746 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2747 struct l2cap_ctrl local_control;
2748 memset(&local_control, 0, sizeof(local_control));
2749 local_control.sframe = 1;
2750 local_control.super = L2CAP_SUPER_RR;
2751 local_control.poll = 1;
2752 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2753 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2754
2755 chan->retry_count = 1;
2756 __set_monitor_timer(chan);
2757 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2758 }
2759 break;
2760 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2761 l2cap_process_reqseq(chan, control->reqseq);
2762
2763 /* Fall through */
2764
2765 case L2CAP_EV_RECV_FBIT:
2766 if (control && control->final) {
2767 __clear_monitor_timer(chan);
2768 if (chan->unacked_frames > 0)
2769 __set_retrans_timer(chan);
2770 chan->retry_count = 0;
2771 chan->tx_state = L2CAP_TX_STATE_XMIT;
2772 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2773 }
2774 break;
2775 case L2CAP_EV_EXPLICIT_POLL:
2776 /* Ignore */
2777 break;
2778 case L2CAP_EV_MONITOR_TO:
2779 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2780 l2cap_send_rr_or_rnr(chan, 1);
2781 __set_monitor_timer(chan);
2782 chan->retry_count++;
2783 } else {
5e4e3972 2784 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2785 }
2786 break;
2787 default:
2788 break;
2789 }
608bcc6d
MM		 2790}
2791
d660366d
GP		 2792static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2793 struct sk_buff_head *skbs, u8 event)
608bcc6d 2794{
608bcc6d
MM		 2795 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2796 chan, control, skbs, event, chan->tx_state);
2797
2798 switch (chan->tx_state) {
2799 case L2CAP_TX_STATE_XMIT:
d660366d 2800 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2801 break;
2802 case L2CAP_TX_STATE_WAIT_F:
d660366d 2803 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2804 break;
2805 default:
2806 /* Ignore event */
2807 break;
2808 }
608bcc6d
MM		 2809}
2810
4b51dae9
MM		 2811static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2812 struct l2cap_ctrl *control)
2813{
2814 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2815 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2816}
2817
f80842a8
MM		 2818static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2819 struct l2cap_ctrl *control)
2820{
2821 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2822 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2823}
2824
1da177e4
LT		 2825/* Copy frame to all raw sockets on that connection */
2826static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2827{
1da177e4 2828 struct sk_buff *nskb;
48454079 2829 struct l2cap_chan *chan;
1da177e4
LT		 2830
2831 BT_DBG("conn %p", conn);
2832
3df91ea2 2833 mutex_lock(&conn->chan_lock);
3d57dc68 2834
3df91ea2 2835 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2836 struct sock *sk = chan->sk;
715ec005 2837 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2838 continue;
2839
2840 /* Don't send frame to the socket it came from */
2841 if (skb->sk == sk)
2842 continue;
8bcde1f2 2843 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2844 if (!nskb)
1da177e4
LT		 2845 continue;
2846
80b98027 2847 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2848 kfree_skb(nskb);
2849 }
3d57dc68 2850
3df91ea2 2851 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2852}
2853
2854/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2855static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2856 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2857{
2858 struct sk_buff *skb, **frag;
2859 struct l2cap_cmd_hdr *cmd;
2860 struct l2cap_hdr *lh;
2861 int len, count;
2862
b4400672
AE		 2863 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2864 conn, code, ident, dlen);
1da177e4 2865
300b962e
AL		 2866 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2867 return NULL;
2868
1da177e4
LT		 2869 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2870 count = min_t(unsigned int, conn->mtu, len);
2871
8bcde1f2 2872 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2873 if (!skb)
2874 return NULL;
2875
2876 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2877 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2878
2879 if (conn->hcon->type == LE_LINK)
ac73498c 2880 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2881 else
ac73498c 2882 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2883
2884 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2885 cmd->code = code;
2886 cmd->ident = ident;
aca3192c 2887 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2888
2889 if (dlen) {
2890 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2891 memcpy(skb_put(skb, count), data, count);
2892 data += count;
2893 }
2894
2895 len -= skb->len;
2896
2897 /* Continuation fragments (no L2CAP header) */
2898 frag = &skb_shinfo(skb)->frag_list;
2899 while (len) {
2900 count = min_t(unsigned int, conn->mtu, len);
2901
8bcde1f2 2902 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2903 if (!*frag)
2904 goto fail;
2905
2906 memcpy(skb_put(*frag, count), data, count);
2907
2908 len -= count;
2909 data += count;
2910
2911 frag = &(*frag)->next;
2912 }
2913
2914 return skb;
2915
2916fail:
2917 kfree_skb(skb);
2918 return NULL;
2919}
2920
2d792818
GP		 2921static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2922 unsigned long *val)
1da177e4
LT		 2923{
2924 struct l2cap_conf_opt *opt = *ptr;
2925 int len;
2926
2927 len = L2CAP_CONF_OPT_SIZE + opt->len;
2928 *ptr += len;
2929
2930 *type = opt->type;
2931 *olen = opt->len;
2932
2933 switch (opt->len) {
2934 case 1:
2935 *val = *((u8 *) opt->val);
2936 break;
2937
2938 case 2:
bfaaeb3e 2939 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2940 break;
2941
2942 case 4:
bfaaeb3e 2943 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2944 break;
2945
2946 default:
2947 *val = (unsigned long) opt->val;
2948 break;
2949 }
2950
b4400672 2951 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2952 return len;
2953}
2954
1da177e4
LT		 2955static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2956{
2957 struct l2cap_conf_opt *opt = *ptr;
2958
b4400672 2959 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2960
2961 opt->type = type;
2962 opt->len = len;
2963
2964 switch (len) {
2965 case 1:
2966 *((u8 *) opt->val) = val;
2967 break;
2968
2969 case 2:
4f8b691c 2970 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2971 break;
2972
2973 case 4:
4f8b691c 2974 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2975 break;
2976
2977 default:
2978 memcpy(opt->val, (void *) val, len);
2979 break;
2980 }
2981
2982 *ptr += L2CAP_CONF_OPT_SIZE + len;
2983}
2984
f89cef09
AE		 2985static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2986{
2987 struct l2cap_conf_efs efs;
2988
1ec918ce 2989 switch (chan->mode) {
f89cef09
AE		 2990 case L2CAP_MODE_ERTM:
2991 efs.id = chan->local_id;
2992 efs.stype = chan->local_stype;
2993 efs.msdu = cpu_to_le16(chan->local_msdu);
2994 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2995 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2996 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2997 break;
2998
2999 case L2CAP_MODE_STREAMING:
3000 efs.id = 1;
3001 efs.stype = L2CAP_SERV_BESTEFFORT;
3002 efs.msdu = cpu_to_le16(chan->local_msdu);
3003 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3004 efs.acc_lat = 0;
3005 efs.flush_to = 0;
3006 break;
3007
3008 default:
3009 return;
3010 }
3011
3012 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3013 (unsigned long) &efs);
f89cef09
AE		 3014}
3015
721c4181 3016static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3017{
721c4181 3018 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3019 ack_timer.work);
3020 u16 frames_to_ack;
c1b4f43b 3021
2fb9b3d4
GP		 3022 BT_DBG("chan %p", chan);
3023
6be36555
AE		 3024 l2cap_chan_lock(chan);
3025
0362520b
MM		 3026 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3027 chan->last_acked_seq);
6be36555 3028
0362520b
MM		 3029 if (frames_to_ack)
3030 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3031
0362520b 3032 l2cap_chan_unlock(chan);
09bfb2ee 3033 l2cap_chan_put(chan);
c1b4f43b
GP		 3034}
3035
466f8004 3036int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3037{
3c588192
MM		 3038 int err;
3039
105bdf9e
MM		 3040 chan->next_tx_seq = 0;
3041 chan->expected_tx_seq = 0;
42e5c802 3042 chan->expected_ack_seq = 0;
6a026610 3043 chan->unacked_frames = 0;
42e5c802 3044 chan->buffer_seq = 0;
6a026610 3045 chan->frames_sent = 0;
105bdf9e
MM		 3046 chan->last_acked_seq = 0;
3047 chan->sdu = NULL;
3048 chan->sdu_last_frag = NULL;
3049 chan->sdu_len = 0;
3050
d34c34fb
MM		 3051 skb_queue_head_init(&chan->tx_q);
3052
6ed971ca
MH		 3053 chan->local_amp_id = AMP_ID_BREDR;
3054 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3055 chan->move_state = L2CAP_MOVE_STABLE;
3056 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3057
105bdf9e
MM		 3058 if (chan->mode != L2CAP_MODE_ERTM)
3059 return 0;
3060
3061 chan->rx_state = L2CAP_RX_STATE_RECV;
3062 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3063
721c4181
GP		 3064 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3065 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3066 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3067
f1c6775b 3068 skb_queue_head_init(&chan->srej_q);
1890d36b 3069
3c588192
MM		 3070 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3071 if (err < 0)
3072 return err;
3073
9dc9affc
MM		 3074 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3075 if (err < 0)
3076 l2cap_seq_list_free(&chan->srej_list);
3077
3078 return err;
0565c1c2
GP		 3079}
3080
f2fcfcd6
GP		 3081static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3082{
3083 switch (mode) {
3084 case L2CAP_MODE_STREAMING:
3085 case L2CAP_MODE_ERTM:
3086 if (l2cap_mode_supported(mode, remote_feat_mask))
3087 return mode;
3088 /* fall through */
3089 default:
3090 return L2CAP_MODE_BASIC;
3091 }
3092}
3093
848566b3 3094static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3095{
848566b3 3096 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3097}
3098
848566b3 3099static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3100{
848566b3 3101 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3102}
3103
36c86c85
MM		 3104static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3105 struct l2cap_conf_rfc *rfc)
3106{
6ed971ca 3107 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3108 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3109
3110 /* Class 1 devices have must have ERTM timeouts
3111 * exceeding the Link Supervision Timeout. The
3112 * default Link Supervision Timeout for AMP
3113 * controllers is 10 seconds.
3114 *
3115 * Class 1 devices use 0xffffffff for their
3116 * best-effort flush timeout, so the clamping logic
3117 * will result in a timeout that meets the above
3118 * requirement. ERTM timeouts are 16-bit values, so
3119 * the maximum timeout is 65.535 seconds.
3120 */
3121
3122 /* Convert timeout to milliseconds and round */
3123 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3124
3125 /* This is the recommended formula for class 2 devices
3126 * that start ERTM timers when packets are sent to the
3127 * controller.
3128 */
3129 ertm_to = 3 * ertm_to + 500;
3130
3131 if (ertm_to > 0xffff)
3132 ertm_to = 0xffff;
3133
3134 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3135 rfc->monitor_timeout = rfc->retrans_timeout;
3136 } else {
3137 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3138 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3139 }
3140}
3141
6327eb98
AE		 3142static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3143{
3144 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3145 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3146 /* use extended control field */
3147 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3148 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3149 } else {
6327eb98 3150 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3151 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3152 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3153 }
c20f8e35 3154 chan->ack_win = chan->tx_win;
6327eb98
AE		 3155}
3156
710f9b0a 3157static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3158{
1da177e4 3159 struct l2cap_conf_req *req = data;
0c1bc5c6 3160 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3161 void *ptr = req->data;
c8f79162 3162 u16 size;
1da177e4 3163
49208c9c 3164 BT_DBG("chan %p", chan);
1da177e4 3165
73ffa904 3166 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3167 goto done;
3168
0c1bc5c6 3169 switch (chan->mode) {
f2fcfcd6
GP		 3170 case L2CAP_MODE_STREAMING:
3171 case L2CAP_MODE_ERTM:
c1360a1c 3172 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3173 break;
85eb53c6 3174
848566b3 3175 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3176 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3177
2ba13ed6 3178 /* fall through */
f2fcfcd6 3179 default:
8c1d787b 3180 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3181 break;
3182 }
3183
3184done:
0c1bc5c6
GP		 3185 if (chan->imtu != L2CAP_DEFAULT_MTU)
3186 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3187
0c1bc5c6 3188 switch (chan->mode) {
65c7c491 3189 case L2CAP_MODE_BASIC:
8c1d787b 3190 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3191 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3192 break;
3193
62547752
GP		 3194 rfc.mode = L2CAP_MODE_BASIC;
3195 rfc.txwin_size = 0;
3196 rfc.max_transmit = 0;
3197 rfc.retrans_timeout = 0;
3198 rfc.monitor_timeout = 0;
3199 rfc.max_pdu_size = 0;
3200
63406504 3201 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3202 (unsigned long) &rfc);
65c7c491
MH		 3203 break;
3204
3205 case L2CAP_MODE_ERTM:
3206 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3207 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3208
3209 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3210
3211 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3212 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3213 L2CAP_FCS_SIZE);
c8f79162 3214 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3215
6327eb98
AE		 3216 l2cap_txwin_setup(chan);
3217
3218 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3219 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3220
63406504 3221 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3222 (unsigned long) &rfc);
63406504 3223
f89cef09
AE		 3224 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3225 l2cap_add_opt_efs(&ptr, chan);
3226
6327eb98
AE		 3227 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3229 chan->tx_win);
60918918
AE		 3230
3231 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3232 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3233 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3234 chan->fcs = L2CAP_FCS_NONE;
3235 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3236 chan->fcs);
3237 }
f2fcfcd6
GP		 3238 break;
3239
3240 case L2CAP_MODE_STREAMING:
273759e2 3241 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3242 rfc.mode = L2CAP_MODE_STREAMING;
3243 rfc.txwin_size = 0;
3244 rfc.max_transmit = 0;
3245 rfc.retrans_timeout = 0;
3246 rfc.monitor_timeout = 0;
c8f79162
AE		 3247
3248 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3249 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3250 L2CAP_FCS_SIZE);
c8f79162 3251 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3252
63406504 3253 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3254 (unsigned long) &rfc);
63406504 3255
f89cef09
AE		 3256 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3257 l2cap_add_opt_efs(&ptr, chan);
3258
60918918
AE		 3259 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3260 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3261 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3262 chan->fcs = L2CAP_FCS_NONE;
3263 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3264 chan->fcs);
3265 }
65c7c491
MH		 3266 break;
3267 }
1da177e4 3268
fe4128e0 3269 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3270 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3271
3272 return ptr - data;
3273}
3274
73ffa904 3275static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3276{
5dee9e7c
MH		 3277 struct l2cap_conf_rsp *rsp = data;
3278 void *ptr = rsp->data;
73ffa904
GP		 3279 void *req = chan->conf_req;
3280 int len = chan->conf_len;
5dee9e7c
MH		 3281 int type, hint, olen;
3282 unsigned long val;
6464f35f 3283 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3284 struct l2cap_conf_efs efs;
3285 u8 remote_efs = 0;
861d6882 3286 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3287 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3288 u16 size;
1da177e4 3289
73ffa904 3290 BT_DBG("chan %p", chan);
820ae1b8 3291
5dee9e7c
MH		 3292 while (len >= L2CAP_CONF_OPT_SIZE) {
3293 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3294
589d2746 3295 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3296 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3297
3298 switch (type) {
3299 case L2CAP_CONF_MTU:
861d6882 3300 mtu = val;
5dee9e7c
MH		 3301 break;
3302
3303 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3304 chan->flush_to = val;
5dee9e7c
MH		 3305 break;
3306
3307 case L2CAP_CONF_QOS:
3308 break;
3309
6464f35f
MH		 3310 case L2CAP_CONF_RFC:
3311 if (olen == sizeof(rfc))
3312 memcpy(&rfc, (void *) val, olen);
3313 break;
3314
fcc203c3
GP		 3315 case L2CAP_CONF_FCS:
3316 if (val == L2CAP_FCS_NONE)
f2592d3e 3317 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3318 break;
fcc203c3 3319
42dceae2
AE		 3320 case L2CAP_CONF_EFS:
3321 remote_efs = 1;
3322 if (olen == sizeof(efs))
3323 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3324 break;
3325
6327eb98 3326 case L2CAP_CONF_EWS:
848566b3 3327 if (!chan->conn->hs_enabled)
6327eb98 3328 return -ECONNREFUSED;
fcc203c3 3329
6327eb98
AE		 3330 set_bit(FLAG_EXT_CTRL, &chan->flags);
3331 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3332 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3333 chan->remote_tx_win = val;
fcc203c3
GP		 3334 break;
3335
5dee9e7c
MH		 3336 default:
3337 if (hint)
3338 break;
3339
3340 result = L2CAP_CONF_UNKNOWN;
3341 *((u8 *) ptr++) = type;
3342 break;
3343 }
3344 }
3345
73ffa904 3346 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3347 goto done;
3348
0c1bc5c6 3349 switch (chan->mode) {
f2fcfcd6
GP		 3350 case L2CAP_MODE_STREAMING:
3351 case L2CAP_MODE_ERTM:
c1360a1c 3352 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3353 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3354 chan->conn->feat_mask);
85eb53c6
GP		 3355 break;
3356 }
3357
42dceae2 3358 if (remote_efs) {
848566b3 3359 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3360 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3361 else
3362 return -ECONNREFUSED;
3363 }
3364
0c1bc5c6 3365 if (chan->mode != rfc.mode)
f2fcfcd6 3366 return -ECONNREFUSED;
742e519b 3367
f2fcfcd6 3368 break;
f2fcfcd6
GP		 3369 }
3370
3371done:
0c1bc5c6 3372 if (chan->mode != rfc.mode) {
f2fcfcd6 3373 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3374 rfc.mode = chan->mode;
f2fcfcd6 3375
73ffa904 3376 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3377 return -ECONNREFUSED;
3378
2d792818
GP		 3379 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3380 (unsigned long) &rfc);
f2fcfcd6
GP		 3381 }
3382
5dee9e7c
MH		 3383 if (result == L2CAP_CONF_SUCCESS) {
3384 /* Configure output options and let the other side know
3385 * which ones we don't like. */
3386
f2fcfcd6
GP		 3387 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3388 result = L2CAP_CONF_UNACCEPT;
3389 else {
0c1bc5c6 3390 chan->omtu = mtu;
c1360a1c 3391 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3392 }
0c1bc5c6 3393 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3394
42dceae2
AE		 3395 if (remote_efs) {
3396 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3397 efs.stype != L2CAP_SERV_NOTRAFIC &&
3398 efs.stype != chan->local_stype) {
42dceae2
AE		 3399
3400 result = L2CAP_CONF_UNACCEPT;
3401
3402 if (chan->num_conf_req >= 1)
3403 return -ECONNREFUSED;
3404
3405 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3406 sizeof(efs),
3407 (unsigned long) &efs);
0e8b207e 3408 } else {
3e6b3b95 3409 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3410 result = L2CAP_CONF_PENDING;
3411 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3412 }
3413 }
3414
f2fcfcd6
GP		 3415 switch (rfc.mode) {
3416 case L2CAP_MODE_BASIC:
47d1ec61 3417 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3418 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3419 break;
3420
3421 case L2CAP_MODE_ERTM:
6327eb98
AE		 3422 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3423 chan->remote_tx_win = rfc.txwin_size;
3424 else
3425 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3426
2c03a7a4 3427 chan->remote_max_tx = rfc.max_transmit;
1c762159 3428
c8f79162 3429 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3430 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3431 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3432 rfc.max_pdu_size = cpu_to_le16(size);
3433 chan->remote_mps = size;
f2fcfcd6 3434
36c86c85 3435 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3436
c1360a1c 3437 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3438
3439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3440 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3441
42dceae2
AE		 3442 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3443 chan->remote_id = efs.id;
3444 chan->remote_stype = efs.stype;
3445 chan->remote_msdu = le16_to_cpu(efs.msdu);
3446 chan->remote_flush_to =
2d792818 3447 le32_to_cpu(efs.flush_to);
42dceae2 3448 chan->remote_acc_lat =
2d792818 3449 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3450 chan->remote_sdu_itime =
3451 le32_to_cpu(efs.sdu_itime);
3452 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3453 sizeof(efs),
3454 (unsigned long) &efs);
42dceae2 3455 }
f2fcfcd6
GP		 3456 break;
3457
3458 case L2CAP_MODE_STREAMING:
c8f79162 3459 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3460 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3461 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3462 rfc.max_pdu_size = cpu_to_le16(size);
3463 chan->remote_mps = size;
f2fcfcd6 3464
c1360a1c 3465 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3466
2d792818
GP		 3467 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3468 (unsigned long) &rfc);
68ae6639 3469
f2fcfcd6
GP		 3470 break;
3471
3472 default:
5dee9e7c 3473 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3474
6464f35f 3475 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3476 rfc.mode = chan->mode;
f2fcfcd6 3477 }
6464f35f 3478
f2fcfcd6 3479 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3480 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3481 }
fe4128e0 3482 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3483 rsp->result = cpu_to_le16(result);
59e54bd1 3484 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3485
3486 return ptr - data;
1da177e4
LT		 3487}
3488
2d792818
GP		 3489static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3490 void *data, u16 *result)
f2fcfcd6 3491{
f2fcfcd6
GP		 3492 struct l2cap_conf_req *req = data;
3493 void *ptr = req->data;
3494 int type, olen;
3495 unsigned long val;
36e999a8 3496 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3497 struct l2cap_conf_efs efs;
f2fcfcd6 3498
fe4128e0 3499 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3500
3501 while (len >= L2CAP_CONF_OPT_SIZE) {
3502 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3503
3504 switch (type) {
3505 case L2CAP_CONF_MTU:
3506 if (val < L2CAP_DEFAULT_MIN_MTU) {
3507 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3508 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3509 } else
0c1bc5c6
GP		 3510 chan->imtu = val;
3511 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3512 break;
3513
3514 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3515 chan->flush_to = val;
f2fcfcd6 3516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3517 2, chan->flush_to);
f2fcfcd6
GP		 3518 break;
3519
3520 case L2CAP_CONF_RFC:
3521 if (olen == sizeof(rfc))
3522 memcpy(&rfc, (void *)val, olen);
3523
c1360a1c 3524 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3525 rfc.mode != chan->mode)
f2fcfcd6
GP		 3526 return -ECONNREFUSED;
3527
47d1ec61 3528 chan->fcs = 0;
f2fcfcd6
GP		 3529
3530 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3531 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3532 break;
6327eb98
AE		 3533
3534 case L2CAP_CONF_EWS:
c20f8e35 3535 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3536 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3537 chan->tx_win);
6327eb98 3538 break;
66af7aaf
AE		 3539
3540 case L2CAP_CONF_EFS:
3541 if (olen == sizeof(efs))
3542 memcpy(&efs, (void *)val, olen);
3543
3544 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3545 efs.stype != L2CAP_SERV_NOTRAFIC &&
3546 efs.stype != chan->local_stype)
66af7aaf
AE		 3547 return -ECONNREFUSED;
3548
2d792818
GP		 3549 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3550 (unsigned long) &efs);
66af7aaf 3551 break;
cbabee78
AE		 3552
3553 case L2CAP_CONF_FCS:
3554 if (*result == L2CAP_CONF_PENDING)
3555 if (val == L2CAP_FCS_NONE)
f2592d3e 3556 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3557 &chan->conf_state);
3558 break;
f2fcfcd6
GP		 3559 }
3560 }
3561
0c1bc5c6 3562 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3563 return -ECONNREFUSED;
3564
0c1bc5c6 3565 chan->mode = rfc.mode;
6c2ea7a8 3566
0e8b207e 3567 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3568 switch (rfc.mode) {
3569 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3570 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3571 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3572 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3573 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3574 chan->ack_win = min_t(u16, chan->ack_win,
3575 rfc.txwin_size);
66af7aaf
AE		 3576
3577 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3578 chan->local_msdu = le16_to_cpu(efs.msdu);
3579 chan->local_sdu_itime =
2d792818 3580 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3581 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3582 chan->local_flush_to =
2d792818 3583 le32_to_cpu(efs.flush_to);
66af7aaf 3584 }
f2fcfcd6 3585 break;
66af7aaf 3586
f2fcfcd6 3587 case L2CAP_MODE_STREAMING:
47d1ec61 3588 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3589 }
3590 }
3591
fe4128e0 3592 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3593 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3594
3595 return ptr - data;
3596}
3597
2d792818
GP		 3598static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3599 u16 result, u16 flags)
1da177e4
LT		 3600{
3601 struct l2cap_conf_rsp *rsp = data;
3602 void *ptr = rsp->data;
1da177e4 3603
fe4128e0 3604 BT_DBG("chan %p", chan);
1da177e4 3605
fe4128e0 3606 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3607 rsp->result = cpu_to_le16(result);
aca3192c 3608 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3609
3610 return ptr - data;
3611}
3612
8c1d787b 3613void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3614{
3615 struct l2cap_conn_rsp rsp;
8c1d787b 3616 struct l2cap_conn *conn = chan->conn;
710f9b0a 3617 u8 buf[128];
439f34ac 3618 u8 rsp_code;
710f9b0a 3619
fe4128e0
GP		 3620 rsp.scid = cpu_to_le16(chan->dcid);
3621 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3622 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3623 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3624
3625 if (chan->hs_hcon)
3626 rsp_code = L2CAP_CREATE_CHAN_RSP;
3627 else
3628 rsp_code = L2CAP_CONN_RSP;
3629
3630 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3631
3632 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3633
c1360a1c 3634 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3635 return;
3636
710f9b0a 3637 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3638 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3639 chan->num_conf_req++;
3640}
3641
47d1ec61 3642static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3643{
7b1c0049
GP		 3644 int type, olen;
3645 unsigned long val;
c20f8e35
MM		 3646 /* Use sane default values in case a misbehaving remote device
3647 * did not send an RFC or extended window size option.
3648 */
3649 u16 txwin_ext = chan->ack_win;
3650 struct l2cap_conf_rfc rfc = {
3651 .mode = chan->mode,
3652 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3653 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3654 .max_pdu_size = cpu_to_le16(chan->imtu),
3655 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3656 };
7b1c0049 3657
47d1ec61 3658 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3659
0c1bc5c6 3660 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3661 return;
3662
3663 while (len >= L2CAP_CONF_OPT_SIZE) {
3664 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3665
c20f8e35
MM		 3666 switch (type) {
3667 case L2CAP_CONF_RFC:
3668 if (olen == sizeof(rfc))
3669 memcpy(&rfc, (void *)val, olen);
8f321f85 3670 break;
c20f8e35
MM		 3671 case L2CAP_CONF_EWS:
3672 txwin_ext = val;
3673 break;
3674 }
7b1c0049
GP		 3675 }
3676
7b1c0049
GP		 3677 switch (rfc.mode) {
3678 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3679 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3680 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3681 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3682 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3683 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3684 else
3685 chan->ack_win = min_t(u16, chan->ack_win,
3686 rfc.txwin_size);
7b1c0049
GP		 3687 break;
3688 case L2CAP_MODE_STREAMING:
47d1ec61 3689 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3690 }
3691}
3692
2d792818 3693static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3694 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3695 u8 *data)
4e8402a3 3696{
e2fd318e 3697 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3698
cb3b3152
JH		 3699 if (cmd_len < sizeof(*rej))
3700 return -EPROTO;
3701
e2fd318e 3702 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3703 return 0;
3704
3705 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3706 cmd->ident == conn->info_ident) {
17cd3f37 3707 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3708
3709 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3710 conn->info_ident = 0;
984947dc 3711
4e8402a3
MH		 3712 l2cap_conn_start(conn);
3713 }
3714
3715 return 0;
3716}
3717
1700915f
MM		 3718static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3719 struct l2cap_cmd_hdr *cmd,
3720 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3721{
1da177e4
LT		 3722 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3723 struct l2cap_conn_rsp rsp;
23691d75 3724 struct l2cap_chan *chan = NULL, *pchan;
d42970f3 3725 struct sock *parent;
e7c29cb1 3726 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3727
3728 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3729 __le16 psm = req->psm;
1da177e4 3730
097db76c 3731 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3732
3733 /* Check if we have socket listening on psm */
6f59b904 3734 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
98e0f7ea 3735 &conn->hcon->dst);
23691d75 3736 if (!pchan) {
1da177e4
LT		 3737 result = L2CAP_CR_BAD_PSM;
3738 goto sendresp;
3739 }
3740
23691d75
GP		 3741 parent = pchan->sk;
3742
3df91ea2 3743 mutex_lock(&conn->chan_lock);
aa2ac881 3744 lock_sock(parent);
e0f0cb56 3745
e7c29cb1 3746 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3747 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3748 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3749 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3750 result = L2CAP_CR_SEC_BLOCK;
3751 goto response;
3752 }
3753
1da177e4
LT		 3754 result = L2CAP_CR_NO_MEM;
3755
2dfa1003
GP		 3756 /* Check if we already have channel with that dcid */
3757 if (__l2cap_get_chan_by_dcid(conn, scid))
3758 goto response;
3759
80b98027 3760 chan = pchan->ops->new_connection(pchan);
80808e43 3761 if (!chan)
1da177e4
LT		 3762 goto response;
3763
330b6c15
SS		 3764 /* For certain devices (ex: HID mouse), support for authentication,
3765 * pairing and bonding is optional. For such devices, inorder to avoid
3766 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3767 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3768 */
3769 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3770
7eafc59e
MH		 3771 bacpy(&chan->src, &conn->hcon->src);
3772 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3773 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3774 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3775 chan->psm = psm;
3776 chan->dcid = scid;
1700915f 3777 chan->local_amp_id = amp_id;
1da177e4 3778
6be36555 3779 __l2cap_chan_add(conn, chan);
48454079 3780
fe4128e0 3781 dcid = chan->scid;
1da177e4 3782
8d836d71 3783 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3784
fc7f8a7e 3785 chan->ident = cmd->ident;
1da177e4 3786
984947dc 3787 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3788 if (l2cap_chan_check_security(chan)) {
bdc25783 3789 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
0e587be7 3790 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3791 result = L2CAP_CR_PEND;
3792 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3793 chan->ops->defer(chan);
f66dc81f 3794 } else {
1700915f
MM		 3795 /* Force pending result for AMP controllers.
3796 * The connection will succeed after the
3797 * physical link is up.
3798 */
6ed971ca 3799 if (amp_id == AMP_ID_BREDR) {
1700915f
MM		 3800 __l2cap_state_change(chan, BT_CONFIG);
3801 result = L2CAP_CR_SUCCESS;
6ed971ca
MH		 3802 } else {
3803 __l2cap_state_change(chan, BT_CONNECT2);
3804 result = L2CAP_CR_PEND;
1700915f 3805 }
f66dc81f
MH		 3806 status = L2CAP_CS_NO_INFO;
3807 }
79d554a6 3808 } else {
0e587be7 3809 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3810 result = L2CAP_CR_PEND;
3811 status = L2CAP_CS_AUTHEN_PEND;
3812 }
3813 } else {
0e587be7 3814 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3815 result = L2CAP_CR_PEND;
3816 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3817 }
3818
1da177e4 3819response:
aa2ac881 3820 release_sock(parent);
3df91ea2 3821 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3822
3823sendresp:
aca3192c
YH		 3824 rsp.scid = cpu_to_le16(scid);
3825 rsp.dcid = cpu_to_le16(dcid);
3826 rsp.result = cpu_to_le16(result);
3827 rsp.status = cpu_to_le16(status);
4c89b6aa 3828 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3829
3830 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3831 struct l2cap_info_req info;
ac73498c 3832 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3833
3834 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3835 conn->info_ident = l2cap_get_ident(conn);
3836
ba13ccd9 3837 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3838
2d792818
GP		 3839 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3840 sizeof(info), &info);
79d554a6
MH		 3841 }
3842
c1360a1c 3843 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3844 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3845 u8 buf[128];
c1360a1c 3846 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3847 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3848 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3849 chan->num_conf_req++;
e9aeb2dd 3850 }
1700915f
MM		 3851
3852 return chan;
4c89b6aa 3853}
e9aeb2dd 3854
4c89b6aa 3855static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3856 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3857{
7b064eda
JK		 3858 struct hci_dev *hdev = conn->hcon->hdev;
3859 struct hci_conn *hcon = conn->hcon;
3860
cb3b3152
JH		 3861 if (cmd_len < sizeof(struct l2cap_conn_req))
3862 return -EPROTO;
3863
7b064eda
JK		 3864 hci_dev_lock(hdev);
3865 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3866 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3867 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3868 hcon->dst_type, 0, NULL, 0,
3869 hcon->dev_class);
3870 hci_dev_unlock(hdev);
3871
300229f9 3872 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3873 return 0;
3874}
3875
5909cf30 3876static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3877 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3878 u8 *data)
1da177e4
LT		 3879{
3880 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3881 u16 scid, dcid, result, status;
48454079 3882 struct l2cap_chan *chan;
1da177e4 3883 u8 req[128];
3df91ea2 3884 int err;
1da177e4 3885
cb3b3152
JH		 3886 if (cmd_len < sizeof(*rsp))
3887 return -EPROTO;
3888
1da177e4
LT		 3889 scid = __le16_to_cpu(rsp->scid);
3890 dcid = __le16_to_cpu(rsp->dcid);
3891 result = __le16_to_cpu(rsp->result);
3892 status = __le16_to_cpu(rsp->status);
3893
1b009c98 3894 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3895 dcid, scid, result, status);
1da177e4 3896
3df91ea2
AE		 3897 mutex_lock(&conn->chan_lock);
3898
1da177e4 3899 if (scid) {
3df91ea2
AE		 3900 chan = __l2cap_get_chan_by_scid(conn, scid);
3901 if (!chan) {
21870b52 3902 err = -EBADSLT;
3df91ea2
AE		 3903 goto unlock;
3904 }
1da177e4 3905 } else {
3df91ea2
AE		 3906 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3907 if (!chan) {
21870b52 3908 err = -EBADSLT;
3df91ea2
AE		 3909 goto unlock;
3910 }
1da177e4
LT		 3911 }
3912
3df91ea2
AE		 3913 err = 0;
3914
6be36555 3915 l2cap_chan_lock(chan);
48454079 3916
1da177e4
LT		 3917 switch (result) {
3918 case L2CAP_CR_SUCCESS:
89bc500e 3919 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3920 chan->ident = 0;
fe4128e0 3921 chan->dcid = dcid;
c1360a1c 3922 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3923
c1360a1c 3924 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3925 break;
3926
1da177e4 3927 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3928 l2cap_build_conf_req(chan, req), req);
73ffa904 3929 chan->num_conf_req++;
1da177e4
LT		 3930 break;
3931
3932 case L2CAP_CR_PEND:
c1360a1c 3933 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3934 break;
3935
3936 default:
48454079 3937 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3938 break;
3939 }
3940
6be36555 3941 l2cap_chan_unlock(chan);
3df91ea2
AE		 3942
3943unlock:
3944 mutex_unlock(&conn->chan_lock);
3945
3946 return err;
1da177e4
LT		 3947}
3948
47d1ec61 3949static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3950{
3951 /* FCS is enabled only in ERTM or streaming mode, if one or both
3952 * sides request it.
3953 */
0c1bc5c6 3954 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3955 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3956 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3957 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3958}
3959
29d8a590
AE		 3960static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3961 u8 ident, u16 flags)
3962{
3963 struct l2cap_conn *conn = chan->conn;
3964
3965 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3966 flags);
3967
3968 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3969 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3970
3971 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3972 l2cap_build_conf_rsp(chan, data,
3973 L2CAP_CONF_SUCCESS, flags), data);
3974}
3975
662d652d
JH		 3976static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3977 u16 scid, u16 dcid)
3978{
3979 struct l2cap_cmd_rej_cid rej;
3980
3981 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3982 rej.scid = __cpu_to_le16(scid);
3983 rej.dcid = __cpu_to_le16(dcid);
3984
3985 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3986}
3987
2d792818
GP		 3988static inline int l2cap_config_req(struct l2cap_conn *conn,
3989 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3990 u8 *data)
1da177e4
LT		 3991{
3992 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3993 u16 dcid, flags;
3994 u8 rsp[64];
48454079 3995 struct l2cap_chan *chan;
3c588192 3996 int len, err = 0;
1da177e4 3997
cb3b3152
JH		 3998 if (cmd_len < sizeof(*req))
3999 return -EPROTO;
4000
1da177e4
LT		 4001 dcid = __le16_to_cpu(req->dcid);
4002 flags = __le16_to_cpu(req->flags);
4003
4004 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4005
baa7e1fa 4006 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4007 if (!chan) {
4008 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4009 return 0;
4010 }
1da177e4 4011
033b1142 4012 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4013 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4014 chan->dcid);
354f60a9 4015 goto unlock;
df6bd743 4016 }
354f60a9 4017
5dee9e7c 4018 /* Reject if config buffer is too small. */
88219a0f 4019 len = cmd_len - sizeof(*req);
cb3b3152 4020 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4021 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4022 l2cap_build_conf_rsp(chan, rsp,
4023 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4024 goto unlock;
4025 }
4026
4027 /* Store config. */
73ffa904
GP		 4028 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4029 chan->conf_len += len;
1da177e4 4030
59e54bd1 4031 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4032 /* Incomplete config. Send empty response. */
4033 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4034 l2cap_build_conf_rsp(chan, rsp,
4035 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4036 goto unlock;
4037 }
4038
4039 /* Complete config. */
73ffa904 4040 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4041 if (len < 0) {
5e4e3972 4042 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4043 goto unlock;
f2fcfcd6 4044 }
1da177e4 4045
1500109b 4046 chan->ident = cmd->ident;
5dee9e7c 4047 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4048 chan->num_conf_rsp++;
5dee9e7c 4049
5dee9e7c 4050 /* Reset config buffer. */
73ffa904 4051 chan->conf_len = 0;
5dee9e7c 4052
c1360a1c 4053 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4054 goto unlock;
4055
c1360a1c 4056 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4057 set_default_fcs(chan);
fcc203c3 4058
105bdf9e
MM		 4059 if (chan->mode == L2CAP_MODE_ERTM ||
4060 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4061 err = l2cap_ertm_init(chan);
4062
4063 if (err < 0)
5e4e3972 4064 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4065 else
4066 l2cap_chan_ready(chan);
0565c1c2 4067
876d9484
MH		 4068 goto unlock;
4069 }
4070
c1360a1c 4071 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4072 u8 buf[64];
1da177e4 4073 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4074 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4075 chan->num_conf_req++;
1da177e4
LT		 4076 }
4077
0e8b207e
AE		 4078 /* Got Conf Rsp PENDING from remote side and asume we sent
4079 Conf Rsp PENDING in the code above */
4080 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4081 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4082
4083 /* check compatibility */
4084
79de886d 4085 /* Send rsp for BR/EDR channel */
f351bc72 4086 if (!chan->hs_hcon)
79de886d
AE		 4087 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4088 else
4089 chan->ident = cmd->ident;
0e8b207e
AE		 4090 }
4091
1da177e4 4092unlock:
6be36555 4093 l2cap_chan_unlock(chan);
3c588192 4094 return err;
1da177e4
LT		 4095}
4096
2d792818 4097static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4098 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4099 u8 *data)
1da177e4
LT		 4100{
4101 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4102 u16 scid, flags, result;
48454079 4103 struct l2cap_chan *chan;
cb3b3152 4104 int len = cmd_len - sizeof(*rsp);
3c588192 4105 int err = 0;
1da177e4 4106
cb3b3152
JH		 4107 if (cmd_len < sizeof(*rsp))
4108 return -EPROTO;
4109
1da177e4
LT		 4110 scid = __le16_to_cpu(rsp->scid);
4111 flags = __le16_to_cpu(rsp->flags);
4112 result = __le16_to_cpu(rsp->result);
4113
61386cba
AE		 4114 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4115 result, len);
1da177e4 4116
baa7e1fa 4117 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4118 if (!chan)
1da177e4
LT		 4119 return 0;
4120
4121 switch (result) {
4122 case L2CAP_CONF_SUCCESS:
47d1ec61 4123 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4124 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4125 break;
4126
0e8b207e
AE		 4127 case L2CAP_CONF_PENDING:
4128 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4129
4130 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4131 char buf[64];
4132
4133 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4134 buf, &result);
0e8b207e 4135 if (len < 0) {
5e4e3972 4136 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4137 goto done;
4138 }
4139
f351bc72 4140 if (!chan->hs_hcon) {
79de886d
AE		 4141 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4142 0);
5ce66b59
AE		 4143 } else {
4144 if (l2cap_check_efs(chan)) {
4145 amp_create_logical_link(chan);
4146 chan->ident = cmd->ident;
4147 }
4148 }
0e8b207e
AE		 4149 }
4150 goto done;
4151
1da177e4 4152 case L2CAP_CONF_UNACCEPT:
73ffa904 4153 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4154 char req[64];
4155
c2c77ec8 4156 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4157 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4158 goto done;
4159 }
4160
f2fcfcd6
GP		 4161 /* throw out any old stored conf requests */
4162 result = L2CAP_CONF_SUCCESS;
b4450035 4163 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4164 req, &result);
f2fcfcd6 4165 if (len < 0) {
5e4e3972 4166 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4167 goto done;
4168 }
4169
4170 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4171 L2CAP_CONF_REQ, len, req);
73ffa904 4172 chan->num_conf_req++;
f2fcfcd6
GP		 4173 if (result != L2CAP_CONF_SUCCESS)
4174 goto done;
4175 break;
1da177e4
LT		 4176 }
4177
8e87d142 4178 default:
6be36555 4179 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4180
ba13ccd9 4181 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4182 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4183 goto done;
4184 }
4185
59e54bd1 4186 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4187 goto done;
4188
c1360a1c 4189 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4190
c1360a1c 4191 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4192 set_default_fcs(chan);
fcc203c3 4193
105bdf9e
MM		 4194 if (chan->mode == L2CAP_MODE_ERTM ||
4195 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4196 err = l2cap_ertm_init(chan);
0565c1c2 4197
3c588192 4198 if (err < 0)
5e4e3972 4199 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4200 else
4201 l2cap_chan_ready(chan);
1da177e4
LT		 4202 }
4203
4204done:
6be36555 4205 l2cap_chan_unlock(chan);
3c588192 4206 return err;
1da177e4
LT		 4207}
4208
2d792818 4209static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4210 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4211 u8 *data)
1da177e4
LT		 4212{
4213 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4214 struct l2cap_disconn_rsp rsp;
4215 u16 dcid, scid;
48454079 4216 struct l2cap_chan *chan;
1da177e4 4217
cb3b3152
JH		 4218 if (cmd_len != sizeof(*req))
4219 return -EPROTO;
4220
1da177e4
LT		 4221 scid = __le16_to_cpu(req->scid);
4222 dcid = __le16_to_cpu(req->dcid);
4223
4224 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4225
3df91ea2
AE		 4226 mutex_lock(&conn->chan_lock);
4227
4228 chan = __l2cap_get_chan_by_scid(conn, dcid);
4229 if (!chan) {
4230 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4231 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4232 return 0;
3df91ea2 4233 }
1da177e4 4234
6be36555
AE		 4235 l2cap_chan_lock(chan);
4236
fe4128e0
GP		 4237 rsp.dcid = cpu_to_le16(chan->scid);
4238 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4239 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4240
5ec1bbe5 4241 chan->ops->set_shutdown(chan);
1da177e4 4242
61d6ef3e 4243 l2cap_chan_hold(chan);
48454079 4244 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4245
4246 l2cap_chan_unlock(chan);
1da177e4 4247
80b98027 4248 chan->ops->close(chan);
61d6ef3e 4249 l2cap_chan_put(chan);
3df91ea2
AE		 4250
4251 mutex_unlock(&conn->chan_lock);
4252
1da177e4
LT		 4253 return 0;
4254}
4255
2d792818 4256static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4257 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4258 u8 *data)
1da177e4
LT		 4259{
4260 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4261 u16 dcid, scid;
48454079 4262 struct l2cap_chan *chan;
1da177e4 4263
cb3b3152
JH		 4264 if (cmd_len != sizeof(*rsp))
4265 return -EPROTO;
4266
1da177e4
LT		 4267 scid = __le16_to_cpu(rsp->scid);
4268 dcid = __le16_to_cpu(rsp->dcid);
4269
4270 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4271
3df91ea2
AE		 4272 mutex_lock(&conn->chan_lock);
4273
4274 chan = __l2cap_get_chan_by_scid(conn, scid);
4275 if (!chan) {
4276 mutex_unlock(&conn->chan_lock);
1da177e4 4277 return 0;
3df91ea2 4278 }
1da177e4 4279
6be36555 4280 l2cap_chan_lock(chan);
48454079 4281
61d6ef3e 4282 l2cap_chan_hold(chan);
48454079 4283 l2cap_chan_del(chan, 0);
6be36555
AE		 4284
4285 l2cap_chan_unlock(chan);
1da177e4 4286
80b98027 4287 chan->ops->close(chan);
61d6ef3e 4288 l2cap_chan_put(chan);
3df91ea2
AE		 4289
4290 mutex_unlock(&conn->chan_lock);
4291
1da177e4
LT		 4292 return 0;
4293}
4294
2d792818 4295static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4296 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4297 u8 *data)
1da177e4
LT		 4298{
4299 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4300 u16 type;
4301
cb3b3152
JH		 4302 if (cmd_len != sizeof(*req))
4303 return -EPROTO;
4304
1da177e4
LT		 4305 type = __le16_to_cpu(req->type);
4306
4307 BT_DBG("type 0x%4.4x", type);
4308
f0709e03
MH		 4309 if (type == L2CAP_IT_FEAT_MASK) {
4310 u8 buf[8];
44dd46de 4311 u32 feat_mask = l2cap_feat_mask;
f0709e03 4312 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4313 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4314 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4315 if (!disable_ertm)
fcc203c3 4316 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4317 | L2CAP_FEAT_FCS;
848566b3 4318 if (conn->hs_enabled)
6327eb98 4319 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4320 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4321
1b7bf4ed 4322 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4323 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4324 buf);
e1027a7c
MH		 4325 } else if (type == L2CAP_IT_FIXED_CHAN) {
4326 u8 buf[12];
4327 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4328
848566b3 4329 if (conn->hs_enabled)
50a147cd
MM		 4330 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4331 else
4332 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4333
ac73498c
AE		 4334 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4335 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4336 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4337 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4338 buf);
f0709e03
MH		 4339 } else {
4340 struct l2cap_info_rsp rsp;
4341 rsp.type = cpu_to_le16(type);
ac73498c 4342 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4343 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4344 &rsp);
f0709e03 4345 }
1da177e4
LT		 4346
4347 return 0;
4348}
4349
2d792818 4350static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4351 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4352 u8 *data)
1da177e4
LT		 4353{
4354 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4355 u16 type, result;
4356
3f6fa3d4 4357 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4358 return -EPROTO;
4359
1da177e4
LT		 4360 type = __le16_to_cpu(rsp->type);
4361 result = __le16_to_cpu(rsp->result);
4362
4363 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4364
e90165be
AE		 4365 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4366 if (cmd->ident != conn->info_ident ||
2d792818 4367 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4368 return 0;
4369
17cd3f37 4370 cancel_delayed_work(&conn->info_timer);
4e8402a3 4371
adb08ede
VT		 4372 if (result != L2CAP_IR_SUCCESS) {
4373 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4374 conn->info_ident = 0;
4375
4376 l2cap_conn_start(conn);
4377
4378 return 0;
4379 }
4380
978c93b9
AE		 4381 switch (type) {
4382 case L2CAP_IT_FEAT_MASK:
83985319 4383 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4384
47ec1dcd 4385 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4386 struct l2cap_info_req req;
ac73498c 4387 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4388
4389 conn->info_ident = l2cap_get_ident(conn);
4390
4391 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4392 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4393 } else {
4394 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4395 conn->info_ident = 0;
4396
4397 l2cap_conn_start(conn);
4398 }
978c93b9
AE		 4399 break;
4400
4401 case L2CAP_IT_FIXED_CHAN:
4402 conn->fixed_chan_mask = rsp->data[0];
984947dc 4403 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4404 conn->info_ident = 0;
984947dc
MH		 4405
4406 l2cap_conn_start(conn);
978c93b9 4407 break;
984947dc 4408 }
4e8402a3 4409
1da177e4
LT		 4410 return 0;
4411}
4412
1700915f
MM		 4413static int l2cap_create_channel_req(struct l2cap_conn *conn,
4414 struct l2cap_cmd_hdr *cmd,
4415 u16 cmd_len, void *data)
f94ff6ff
MM		 4416{
4417 struct l2cap_create_chan_req *req = data;
6e1df6a6 4418 struct l2cap_create_chan_rsp rsp;
1700915f 4419 struct l2cap_chan *chan;
6e1df6a6 4420 struct hci_dev *hdev;
f94ff6ff
MM		 4421 u16 psm, scid;
4422
4423 if (cmd_len != sizeof(*req))
4424 return -EPROTO;
4425
848566b3 4426 if (!conn->hs_enabled)
f94ff6ff
MM		 4427 return -EINVAL;
4428
4429 psm = le16_to_cpu(req->psm);
4430 scid = le16_to_cpu(req->scid);
4431
ad0ac6ca 4432 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4433
6e1df6a6 4434 /* For controller id 0 make BR/EDR connection */
6ed971ca 4435 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4436 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4437 req->amp_id);
4438 return 0;
4439 }
1700915f 4440
6e1df6a6
AE		 4441 /* Validate AMP controller id */
4442 hdev = hci_dev_get(req->amp_id);
4443 if (!hdev)
4444 goto error;
1700915f 4445
6e1df6a6
AE		 4446 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4447 hci_dev_put(hdev);
4448 goto error;
4449 }
1700915f 4450
6e1df6a6
AE		 4451 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4452 req->amp_id);
4453 if (chan) {
4454 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4455 struct hci_conn *hs_hcon;
1700915f 4456
98e0f7ea
MH		 4457 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4458 &conn->hcon->dst);
6e1df6a6
AE		 4459 if (!hs_hcon) {
4460 hci_dev_put(hdev);
662d652d
JH		 4461 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4462 chan->dcid);
4463 return 0;
1700915f
MM		 4464 }
4465
6e1df6a6
AE		 4466 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4467
6e1df6a6
AE		 4468 mgr->bredr_chan = chan;
4469 chan->hs_hcon = hs_hcon;
fd45bf4c 4470 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4471 conn->mtu = hdev->block_mtu;
1700915f 4472 }
f94ff6ff 4473
6e1df6a6 4474 hci_dev_put(hdev);
f94ff6ff
MM		 4475
4476 return 0;
6e1df6a6
AE		 4477
4478error:
4479 rsp.dcid = 0;
4480 rsp.scid = cpu_to_le16(scid);
4481 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4482 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4483
4484 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4485 sizeof(rsp), &rsp);
4486
dc280801 4487 return 0;
f94ff6ff
MM		 4488}
4489
8eb200bd
MM		 4490static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4491{
4492 struct l2cap_move_chan_req req;
4493 u8 ident;
4494
4495 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4496
4497 ident = l2cap_get_ident(chan->conn);
4498 chan->ident = ident;
4499
4500 req.icid = cpu_to_le16(chan->scid);
4501 req.dest_amp_id = dest_amp_id;
4502
4503 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4504 &req);
4505
4506 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4507}
4508
1500109b 4509static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4510{
4511 struct l2cap_move_chan_rsp rsp;
4512
1500109b 4513 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4514
1500109b 4515 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4516 rsp.result = cpu_to_le16(result);
4517
1500109b
MM		 4518 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4519 sizeof(rsp), &rsp);
8d5a04a1
MM		 4520}
4521
5b155ef9 4522static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4523{
4524 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4525
5b155ef9 4526 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4527
5b155ef9 4528 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4529
5b155ef9 4530 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4531 cfm.result = cpu_to_le16(result);
4532
5b155ef9
MM		 4533 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4534 sizeof(cfm), &cfm);
4535
4536 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4537}
4538
4539static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4540{
4541 struct l2cap_move_chan_cfm cfm;
4542
4543 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4544
4545 cfm.icid = cpu_to_le16(icid);
4546 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4547
4548 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4549 sizeof(cfm), &cfm);
8d5a04a1
MM		 4550}
4551
4552static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4553 u16 icid)
8d5a04a1
MM		 4554{
4555 struct l2cap_move_chan_cfm_rsp rsp;
4556
ad0ac6ca 4557 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4558
4559 rsp.icid = cpu_to_le16(icid);
4560 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4561}
4562
5f3847a4
MM		 4563static void __release_logical_link(struct l2cap_chan *chan)
4564{
4565 chan->hs_hchan = NULL;
4566 chan->hs_hcon = NULL;
4567
4568 /* Placeholder - release the logical link */
4569}
4570
1500109b
MM		 4571static void l2cap_logical_fail(struct l2cap_chan *chan)
4572{
4573 /* Logical link setup failed */
4574 if (chan->state != BT_CONNECTED) {
4575 /* Create channel failure, disconnect */
5e4e3972 4576 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4577 return;
4578 }
4579
4580 switch (chan->move_role) {
4581 case L2CAP_MOVE_ROLE_RESPONDER:
4582 l2cap_move_done(chan);
4583 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4584 break;
4585 case L2CAP_MOVE_ROLE_INITIATOR:
4586 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4587 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4588 /* Remote has only sent pending or
4589 * success responses, clean up
4590 */
4591 l2cap_move_done(chan);
4592 }
4593
4594 /* Other amp move states imply that the move
4595 * has already aborted
4596 */
4597 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4598 break;
4599 }
4600}
4601
4602static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4603 struct hci_chan *hchan)
4604{
4605 struct l2cap_conf_rsp rsp;
1500109b 4606
336178a3 4607 chan->hs_hchan = hchan;
1500109b
MM		 4608 chan->hs_hcon->l2cap_data = chan->conn;
4609
35ba9561 4610 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4611
4612 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4613 int err;
1500109b
MM		 4614
4615 set_default_fcs(chan);
4616
4617 err = l2cap_ertm_init(chan);
4618 if (err < 0)
5e4e3972 4619 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4620 else
4621 l2cap_chan_ready(chan);
4622 }
4623}
4624
4625static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4626 struct hci_chan *hchan)
4627{
4628 chan->hs_hcon = hchan->conn;
4629 chan->hs_hcon->l2cap_data = chan->conn;
4630
4631 BT_DBG("move_state %d", chan->move_state);
4632
4633 switch (chan->move_state) {
4634 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4635 /* Move confirm will be sent after a success
4636 * response is received
4637 */
4638 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4639 break;
4640 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4641 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4642 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4643 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4644 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4645 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4646 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4647 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4648 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4649 }
4650 break;
4651 default:
4652 /* Move was not in expected state, free the channel */
4653 __release_logical_link(chan);
4654
4655 chan->move_state = L2CAP_MOVE_STABLE;
4656 }
4657}
4658
4659/* Call with chan locked */
27695fb4
AE		 4660void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4661 u8 status)
5b155ef9 4662{
1500109b
MM		 4663 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4664
4665 if (status) {
4666 l2cap_logical_fail(chan);
4667 __release_logical_link(chan);
4668 return;
4669 }
4670
4671 if (chan->state != BT_CONNECTED) {
4672 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4673 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4674 l2cap_logical_finish_create(chan, hchan);
4675 } else {
4676 l2cap_logical_finish_move(chan, hchan);
4677 }
5b155ef9
MM		 4678}
4679
3f7a56c4
MM		 4680void l2cap_move_start(struct l2cap_chan *chan)
4681{
4682 BT_DBG("chan %p", chan);
4683
6ed971ca 4684 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4685 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4686 return;
4687 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4688 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4689 /* Placeholder - start physical link setup */
4690 } else {
4691 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4692 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4693 chan->move_id = 0;
4694 l2cap_move_setup(chan);
4695 l2cap_send_move_chan_req(chan, 0);
4696 }
4697}
4698
8eb200bd
MM		 4699static void l2cap_do_create(struct l2cap_chan *chan, int result,
4700 u8 local_amp_id, u8 remote_amp_id)
4701{
62748ca1
AE		 4702 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4703 local_amp_id, remote_amp_id);
4704
12d6cc60
AE		 4705 chan->fcs = L2CAP_FCS_NONE;
4706
62748ca1
AE		 4707 /* Outgoing channel on AMP */
4708 if (chan->state == BT_CONNECT) {
4709 if (result == L2CAP_CR_SUCCESS) {
4710 chan->local_amp_id = local_amp_id;
4711 l2cap_send_create_chan_req(chan, remote_amp_id);
4712 } else {
4713 /* Revert to BR/EDR connect */
4714 l2cap_send_conn_req(chan);
4715 }
4716
4717 return;
4718 }
4719
4720 /* Incoming channel on AMP */
4721 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4722 struct l2cap_conn_rsp rsp;
4723 char buf[128];
4724 rsp.scid = cpu_to_le16(chan->dcid);
4725 rsp.dcid = cpu_to_le16(chan->scid);
4726
8eb200bd
MM		 4727 if (result == L2CAP_CR_SUCCESS) {
4728 /* Send successful response */
62cd50e2
AE		 4729 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4730 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4731 } else {
4732 /* Send negative response */
62cd50e2
AE		 4733 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4734 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4735 }
4736
4737 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4738 sizeof(rsp), &rsp);
4739
4740 if (result == L2CAP_CR_SUCCESS) {
4741 __l2cap_state_change(chan, BT_CONFIG);
4742 set_bit(CONF_REQ_SENT, &chan->conf_state);
4743 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4744 L2CAP_CONF_REQ,
4745 l2cap_build_conf_req(chan, buf), buf);
4746 chan->num_conf_req++;
4747 }
8eb200bd
MM		 4748 }
4749}
4750
4751static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4752 u8 remote_amp_id)
4753{
4754 l2cap_move_setup(chan);
4755 chan->move_id = local_amp_id;
4756 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4757
4758 l2cap_send_move_chan_req(chan, remote_amp_id);
4759}
4760
4761static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4762{
4763 struct hci_chan *hchan = NULL;
4764
4765 /* Placeholder - get hci_chan for logical link */
4766
4767 if (hchan) {
4768 if (hchan->state == BT_CONNECTED) {
4769 /* Logical link is ready to go */
4770 chan->hs_hcon = hchan->conn;
4771 chan->hs_hcon->l2cap_data = chan->conn;
4772 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4773 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4774
4775 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4776 } else {
4777 /* Wait for logical link to be ready */
4778 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4779 }
4780 } else {
4781 /* Logical link not available */
4782 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4783 }
4784}
4785
4786static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4787{
4788 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4789 u8 rsp_result;
4790 if (result == -EINVAL)
4791 rsp_result = L2CAP_MR_BAD_ID;
4792 else
4793 rsp_result = L2CAP_MR_NOT_ALLOWED;
4794
4795 l2cap_send_move_chan_rsp(chan, rsp_result);
4796 }
4797
4798 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4799 chan->move_state = L2CAP_MOVE_STABLE;
4800
4801 /* Restart data transmission */
4802 l2cap_ertm_send(chan);
4803}
4804
a514b17f
AE		 4805/* Invoke with locked chan */
4806void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4807{
770bfefa 4808 u8 local_amp_id = chan->local_amp_id;
fffadc08 4809 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4810
8eb200bd
MM		 4811 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4812 chan, result, local_amp_id, remote_amp_id);
4813
8eb200bd
MM		 4814 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4815 l2cap_chan_unlock(chan);
4816 return;
4817 }
4818
4819 if (chan->state != BT_CONNECTED) {
4820 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4821 } else if (result != L2CAP_MR_SUCCESS) {
4822 l2cap_do_move_cancel(chan, result);
4823 } else {
4824 switch (chan->move_role) {
4825 case L2CAP_MOVE_ROLE_INITIATOR:
4826 l2cap_do_move_initiate(chan, local_amp_id,
4827 remote_amp_id);
4828 break;
4829 case L2CAP_MOVE_ROLE_RESPONDER:
4830 l2cap_do_move_respond(chan, result);
4831 break;
4832 default:
4833 l2cap_do_move_cancel(chan, result);
4834 break;
4835 }
4836 }
8eb200bd
MM		 4837}
4838
8d5a04a1 4839static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4840 struct l2cap_cmd_hdr *cmd,
4841 u16 cmd_len, void *data)
8d5a04a1
MM		 4842{
4843 struct l2cap_move_chan_req *req = data;
1500109b 4844 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4845 struct l2cap_chan *chan;
8d5a04a1
MM		 4846 u16 icid = 0;
4847 u16 result = L2CAP_MR_NOT_ALLOWED;
4848
4849 if (cmd_len != sizeof(*req))
4850 return -EPROTO;
4851
4852 icid = le16_to_cpu(req->icid);
4853
ad0ac6ca 4854 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4855
848566b3 4856 if (!conn->hs_enabled)
8d5a04a1
MM		 4857 return -EINVAL;
4858
02b0fbb9
MM		 4859 chan = l2cap_get_chan_by_dcid(conn, icid);
4860 if (!chan) {
1500109b
MM		 4861 rsp.icid = cpu_to_le16(icid);
4862 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4863 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4864 sizeof(rsp), &rsp);
02b0fbb9
MM		 4865 return 0;
4866 }
4867
1500109b
MM		 4868 chan->ident = cmd->ident;
4869
02b0fbb9
MM		 4870 if (chan->scid < L2CAP_CID_DYN_START ||
4871 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4872 (chan->mode != L2CAP_MODE_ERTM &&
4873 chan->mode != L2CAP_MODE_STREAMING)) {
4874 result = L2CAP_MR_NOT_ALLOWED;
4875 goto send_move_response;
4876 }
4877
4878 if (chan->local_amp_id == req->dest_amp_id) {
4879 result = L2CAP_MR_SAME_ID;
4880 goto send_move_response;
4881 }
4882
6ed971ca 4883 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4884 struct hci_dev *hdev;
4885 hdev = hci_dev_get(req->dest_amp_id);
4886 if (!hdev || hdev->dev_type != HCI_AMP ||
4887 !test_bit(HCI_UP, &hdev->flags)) {
4888 if (hdev)
4889 hci_dev_put(hdev);
4890
4891 result = L2CAP_MR_BAD_ID;
4892 goto send_move_response;
4893 }
4894 hci_dev_put(hdev);
4895 }
4896
4897 /* Detect a move collision. Only send a collision response
4898 * if this side has "lost", otherwise proceed with the move.
4899 * The winner has the larger bd_addr.
4900 */
4901 if ((__chan_is_moving(chan) ||
4902 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4903 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4904 result = L2CAP_MR_COLLISION;
4905 goto send_move_response;
4906 }
4907
02b0fbb9
MM		 4908 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4909 l2cap_move_setup(chan);
4910 chan->move_id = req->dest_amp_id;
4911 icid = chan->dcid;
4912
6ed971ca 4913 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4914 /* Moving to BR/EDR */
4915 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4916 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4917 result = L2CAP_MR_PEND;
4918 } else {
4919 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4920 result = L2CAP_MR_SUCCESS;
4921 }
4922 } else {
4923 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4924 /* Placeholder - uncomment when amp functions are available */
4925 /*amp_accept_physical(chan, req->dest_amp_id);*/
4926 result = L2CAP_MR_PEND;
4927 }
4928
4929send_move_response:
1500109b 4930 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4931
02b0fbb9
MM		 4932 l2cap_chan_unlock(chan);
4933
8d5a04a1
MM		 4934 return 0;
4935}
4936
5b155ef9
MM		 4937static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4938{
4939 struct l2cap_chan *chan;
4940 struct hci_chan *hchan = NULL;
4941
4942 chan = l2cap_get_chan_by_scid(conn, icid);
4943 if (!chan) {
4944 l2cap_send_move_chan_cfm_icid(conn, icid);
4945 return;
4946 }
4947
4948 __clear_chan_timer(chan);
4949 if (result == L2CAP_MR_PEND)
4950 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4951
4952 switch (chan->move_state) {
4953 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4954 /* Move confirm will be sent when logical link
4955 * is complete.
4956 */
4957 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4958 break;
4959 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4960 if (result == L2CAP_MR_PEND) {
4961 break;
4962 } else if (test_bit(CONN_LOCAL_BUSY,
4963 &chan->conn_state)) {
4964 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4965 } else {
4966 /* Logical link is up or moving to BR/EDR,
4967 * proceed with move
4968 */
4969 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4970 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4971 }
4972 break;
4973 case L2CAP_MOVE_WAIT_RSP:
4974 /* Moving to AMP */
4975 if (result == L2CAP_MR_SUCCESS) {
4976 /* Remote is ready, send confirm immediately
4977 * after logical link is ready
4978 */
4979 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4980 } else {
4981 /* Both logical link and move success
4982 * are required to confirm
4983 */
4984 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4985 }
4986
4987 /* Placeholder - get hci_chan for logical link */
4988 if (!hchan) {
4989 /* Logical link not available */
4990 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4991 break;
4992 }
4993
4994 /* If the logical link is not yet connected, do not
4995 * send confirmation.
4996 */
4997 if (hchan->state != BT_CONNECTED)
4998 break;
4999
5000 /* Logical link is already ready to go */
5001
5002 chan->hs_hcon = hchan->conn;
5003 chan->hs_hcon->l2cap_data = chan->conn;
5004
5005 if (result == L2CAP_MR_SUCCESS) {
5006 /* Can confirm now */
5007 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5008 } else {
5009 /* Now only need move success
5010 * to confirm
5011 */
5012 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5013 }
5014
5015 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5016 break;
5017 default:
5018 /* Any other amp move state means the move failed. */
5019 chan->move_id = chan->local_amp_id;
5020 l2cap_move_done(chan);
5021 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5022 }
5023
5024 l2cap_chan_unlock(chan);
5025}
5026
5027static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5028 u16 result)
5029{
5030 struct l2cap_chan *chan;
5031
5032 chan = l2cap_get_chan_by_ident(conn, ident);
5033 if (!chan) {
5034 /* Could not locate channel, icid is best guess */
5035 l2cap_send_move_chan_cfm_icid(conn, icid);
5036 return;
5037 }
5038
5039 __clear_chan_timer(chan);
5040
5041 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5042 if (result == L2CAP_MR_COLLISION) {
5043 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5044 } else {
5045 /* Cleanup - cancel move */
5046 chan->move_id = chan->local_amp_id;
5047 l2cap_move_done(chan);
5048 }
5049 }
5050
5051 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5052
5053 l2cap_chan_unlock(chan);
5054}
5055
5056static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5057 struct l2cap_cmd_hdr *cmd,
5058 u16 cmd_len, void *data)
8d5a04a1
MM		 5059{
5060 struct l2cap_move_chan_rsp *rsp = data;
5061 u16 icid, result;
5062
5063 if (cmd_len != sizeof(*rsp))
5064 return -EPROTO;
5065
5066 icid = le16_to_cpu(rsp->icid);
5067 result = le16_to_cpu(rsp->result);
5068
ad0ac6ca 5069 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5070
5b155ef9
MM		 5071 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5072 l2cap_move_continue(conn, icid, result);
5073 else
5074 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5075
5076 return 0;
5077}
5078
5f3847a4
MM		 5079static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5080 struct l2cap_cmd_hdr *cmd,
5081 u16 cmd_len, void *data)
8d5a04a1
MM		 5082{
5083 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5084 struct l2cap_chan *chan;
8d5a04a1
MM		 5085 u16 icid, result;
5086
5087 if (cmd_len != sizeof(*cfm))
5088 return -EPROTO;
5089
5090 icid = le16_to_cpu(cfm->icid);
5091 result = le16_to_cpu(cfm->result);
5092
ad0ac6ca 5093 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5094
5f3847a4
MM		 5095 chan = l2cap_get_chan_by_dcid(conn, icid);
5096 if (!chan) {
5097 /* Spec requires a response even if the icid was not found */
5098 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5099 return 0;
5100 }
5101
5102 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5103 if (result == L2CAP_MC_CONFIRMED) {
5104 chan->local_amp_id = chan->move_id;
6ed971ca 5105 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5106 __release_logical_link(chan);
5107 } else {
5108 chan->move_id = chan->local_amp_id;
5109 }
5110
5111 l2cap_move_done(chan);
5112 }
5113
8d5a04a1
MM		 5114 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5115
5f3847a4
MM		 5116 l2cap_chan_unlock(chan);
5117
8d5a04a1
MM		 5118 return 0;
5119}
5120
5121static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5122 struct l2cap_cmd_hdr *cmd,
5123 u16 cmd_len, void *data)
8d5a04a1
MM		 5124{
5125 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5126 struct l2cap_chan *chan;
8d5a04a1
MM		 5127 u16 icid;
5128
5129 if (cmd_len != sizeof(*rsp))
5130 return -EPROTO;
5131
5132 icid = le16_to_cpu(rsp->icid);
5133
ad0ac6ca 5134 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5135
3fd71a0a
MM		 5136 chan = l2cap_get_chan_by_scid(conn, icid);
5137 if (!chan)
5138 return 0;
5139
5140 __clear_chan_timer(chan);
5141
5142 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5143 chan->local_amp_id = chan->move_id;
5144
6ed971ca 5145 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5146 __release_logical_link(chan);
5147
5148 l2cap_move_done(chan);
5149 }
5150
5151 l2cap_chan_unlock(chan);
5152
8d5a04a1
MM		 5153 return 0;
5154}
5155
e2174ca4 5156static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5157 u16 to_multiplier)
de73115a
CT		 5158{
5159 u16 max_latency;
5160
5161 if (min > max || min < 6 || max > 3200)
5162 return -EINVAL;
5163
5164 if (to_multiplier < 10 || to_multiplier > 3200)
5165 return -EINVAL;
5166
5167 if (max >= to_multiplier * 8)
5168 return -EINVAL;
5169
5170 max_latency = (to_multiplier * 8 / max) - 1;
5171 if (latency > 499 || latency > max_latency)
5172 return -EINVAL;
5173
5174 return 0;
5175}
5176
5177static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5178 struct l2cap_cmd_hdr *cmd,
5179 u8 *data)
de73115a
CT		 5180{
5181 struct hci_conn *hcon = conn->hcon;
5182 struct l2cap_conn_param_update_req *req;
5183 struct l2cap_conn_param_update_rsp rsp;
5184 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5185 int err;
de73115a
CT		 5186
5187 if (!(hcon->link_mode & HCI_LM_MASTER))
5188 return -EINVAL;
5189
5190 cmd_len = __le16_to_cpu(cmd->len);
5191 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5192 return -EPROTO;
5193
5194 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5195 min = __le16_to_cpu(req->min);
5196 max = __le16_to_cpu(req->max);
de73115a
CT		 5197 latency = __le16_to_cpu(req->latency);
5198 to_multiplier = __le16_to_cpu(req->to_multiplier);
5199
5200 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5201 min, max, latency, to_multiplier);
de73115a
CT		 5202
5203 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5204
5205 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5206 if (err)
ac73498c 5207 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5208 else
ac73498c 5209 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5210
5211 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5212 sizeof(rsp), &rsp);
de73115a 5213
2ce603eb
CT		 5214 if (!err)
5215 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5216
de73115a
CT		 5217 return 0;
5218}
5219
3300d9a9 5220static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5221 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5222 u8 *data)
3300d9a9
CT		 5223{
5224 int err = 0;
5225
5226 switch (cmd->code) {
5227 case L2CAP_COMMAND_REJ:
cb3b3152 5228 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5229 break;
5230
5231 case L2CAP_CONN_REQ:
cb3b3152 5232 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5233 break;
5234
5235 case L2CAP_CONN_RSP:
f5a2598d 5236 case L2CAP_CREATE_CHAN_RSP:
9245e737 5237 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5238 break;
5239
5240 case L2CAP_CONF_REQ:
5241 err = l2cap_config_req(conn, cmd, cmd_len, data);
5242 break;
5243
5244 case L2CAP_CONF_RSP:
9245e737 5245 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5246 break;
5247
5248 case L2CAP_DISCONN_REQ:
cb3b3152 5249 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5250 break;
5251
5252 case L2CAP_DISCONN_RSP:
9245e737 5253 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5254 break;
5255
5256 case L2CAP_ECHO_REQ:
5257 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5258 break;
5259
5260 case L2CAP_ECHO_RSP:
5261 break;
5262
5263 case L2CAP_INFO_REQ:
cb3b3152 5264 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5265 break;
5266
5267 case L2CAP_INFO_RSP:
9245e737 5268 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5269 break;
5270
f94ff6ff
MM		 5271 case L2CAP_CREATE_CHAN_REQ:
5272 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5273 break;
5274
8d5a04a1
MM		 5275 case L2CAP_MOVE_CHAN_REQ:
5276 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5277 break;
5278
5279 case L2CAP_MOVE_CHAN_RSP:
9245e737 5280 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5281 break;
5282
5283 case L2CAP_MOVE_CHAN_CFM:
5284 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5285 break;
5286
5287 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5288 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5289 break;
5290
3300d9a9
CT		 5291 default:
5292 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5293 err = -EINVAL;
5294 break;
5295 }
5296
5297 return err;
5298}
5299
5300static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5301 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5302{
5303 switch (cmd->code) {
5304 case L2CAP_COMMAND_REJ:
5305 return 0;
5306
5307 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5308 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5309
5310 case L2CAP_CONN_PARAM_UPDATE_RSP:
5311 return 0;
5312
5313 default:
5314 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5315 return -EINVAL;
5316 }
5317}
5318
c5623556
JH		 5319static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5320 struct sk_buff *skb)
5321{
69c4e4e8 5322 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5323 struct l2cap_cmd_hdr *cmd;
5324 u16 len;
c5623556
JH		 5325 int err;
5326
69c4e4e8 5327 if (hcon->type != LE_LINK)
3b166295 5328 goto drop;
69c4e4e8 5329
4f3e219d
MH		 5330 if (skb->len < L2CAP_CMD_HDR_SIZE)
5331 goto drop;
c5623556 5332
4f3e219d
MH		 5333 cmd = (void *) skb->data;
5334 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5335
4f3e219d 5336 len = le16_to_cpu(cmd->len);
c5623556 5337
4f3e219d 5338 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5339
4f3e219d
MH		 5340 if (len != skb->len || !cmd->ident) {
5341 BT_DBG("corrupted command");
5342 goto drop;
5343 }
c5623556 5344
4f3e219d
MH		 5345 err = l2cap_le_sig_cmd(conn, cmd, skb->data);
5346 if (err) {
5347 struct l2cap_cmd_rej_unk rej;
c5623556 5348
4f3e219d 5349 BT_ERR("Wrong link type (%d)", err);
c5623556 5350
a521149a 5351 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5352 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5353 sizeof(rej), &rej);
c5623556
JH		 5354 }
5355
3b166295 5356drop:
c5623556
JH		 5357 kfree_skb(skb);
5358}
5359
3300d9a9 5360static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5361 struct sk_buff *skb)
1da177e4 5362{
69c4e4e8 5363 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5364 u8 *data = skb->data;
5365 int len = skb->len;
5366 struct l2cap_cmd_hdr cmd;
3300d9a9 5367 int err;
1da177e4
LT		 5368
5369 l2cap_raw_recv(conn, skb);
5370
69c4e4e8 5371 if (hcon->type != ACL_LINK)
3b166295 5372 goto drop;
69c4e4e8 5373
1da177e4 5374 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5375 u16 cmd_len;
1da177e4
LT		 5376 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5377 data += L2CAP_CMD_HDR_SIZE;
5378 len -= L2CAP_CMD_HDR_SIZE;
5379
88219a0f 5380 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5381
2d792818
GP		 5382 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5383 cmd.ident);
1da177e4 5384
88219a0f 5385 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5386 BT_DBG("corrupted command");
5387 break;
5388 }
5389
c5623556 5390 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5391 if (err) {
e2fd318e 5392 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5393
5394 BT_ERR("Wrong link type (%d)", err);
1da177e4 5395
a521149a 5396 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5397 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5398 sizeof(rej), &rej);
1da177e4
LT		 5399 }
5400
88219a0f
AV		 5401 data += cmd_len;
5402 len -= cmd_len;
1da177e4
LT		 5403 }
5404
3b166295 5405drop:
1da177e4
LT		 5406 kfree_skb(skb);
5407}
5408
47d1ec61 5409static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5410{
5411 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5412 int hdr_size;
5413
5414 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5415 hdr_size = L2CAP_EXT_HDR_SIZE;
5416 else
5417 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5418
47d1ec61 5419 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5420 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5421 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5422 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5423
5424 if (our_fcs != rcv_fcs)
7a560e5c 5425 return -EBADMSG;
fcc203c3
GP		 5426 }
5427 return 0;
5428}
5429
6ea00485 5430static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5431{
e31f7633 5432 struct l2cap_ctrl control;
d5392c8f 5433
e31f7633 5434 BT_DBG("chan %p", chan);
d5392c8f 5435
e31f7633
MM		 5436 memset(&control, 0, sizeof(control));
5437 control.sframe = 1;
5438 control.final = 1;
5439 control.reqseq = chan->buffer_seq;
5440 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5441
e2ab4353 5442 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5443 control.super = L2CAP_SUPER_RNR;
5444 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5445 }
5446
e31f7633
MM		 5447 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5448 chan->unacked_frames > 0)
5449 __set_retrans_timer(chan);
d5392c8f 5450
e31f7633 5451 /* Send pending iframes */
525cd185 5452 l2cap_ertm_send(chan);
d5392c8f 5453
e2ab4353 5454 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5455 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5456 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5457 * send it now.
5458 */
5459 control.super = L2CAP_SUPER_RR;
5460 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5461 }
5462}
5463
2d792818
GP		 5464static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5465 struct sk_buff **last_frag)
18778a63 5466{
84084a31
MM		 5467 /* skb->len reflects data in skb as well as all fragments
5468 * skb->data_len reflects only data in fragments
5469 */
5470 if (!skb_has_frag_list(skb))
5471 skb_shinfo(skb)->frag_list = new_frag;
5472
5473 new_frag->next = NULL;
5474
5475 (*last_frag)->next = new_frag;
5476 *last_frag = new_frag;
5477
5478 skb->len += new_frag->len;
5479 skb->data_len += new_frag->len;
5480 skb->truesize += new_frag->truesize;
5481}
5482
4b51dae9
MM		 5483static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5484 struct l2cap_ctrl *control)
84084a31
MM		 5485{
5486 int err = -EINVAL;
18778a63 5487
4b51dae9 5488 switch (control->sar) {
7e0ef6ee 5489 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5490 if (chan->sdu)
5491 break;
18778a63 5492
80b98027 5493 err = chan->ops->recv(chan, skb);
84084a31 5494 break;
18778a63 5495
7e0ef6ee 5496 case L2CAP_SAR_START:
84084a31
MM		 5497 if (chan->sdu)
5498 break;
18778a63 5499
6f61fd47 5500 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5501 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5502
84084a31
MM		 5503 if (chan->sdu_len > chan->imtu) {
5504 err = -EMSGSIZE;
5505 break;
5506 }
1890d36b 5507
84084a31
MM		 5508 if (skb->len >= chan->sdu_len)
5509 break;
18778a63 5510
84084a31
MM		 5511 chan->sdu = skb;
5512 chan->sdu_last_frag = skb;
18778a63 5513
84084a31
MM		 5514 skb = NULL;
5515 err = 0;
18778a63
GP		 5516 break;
5517
7e0ef6ee 5518 case L2CAP_SAR_CONTINUE:
6f61fd47 5519 if (!chan->sdu)
84084a31 5520 break;
18778a63 5521
84084a31
MM		 5522 append_skb_frag(chan->sdu, skb,
5523 &chan->sdu_last_frag);
5524 skb = NULL;
18778a63 5525
84084a31
MM		 5526 if (chan->sdu->len >= chan->sdu_len)
5527 break;
4178ba46 5528
84084a31 5529 err = 0;
18778a63
GP		 5530 break;
5531
7e0ef6ee 5532 case L2CAP_SAR_END:
6f61fd47 5533 if (!chan->sdu)
84084a31 5534 break;
18778a63 5535
84084a31
MM		 5536 append_skb_frag(chan->sdu, skb,
5537 &chan->sdu_last_frag);
5538 skb = NULL;
4178ba46 5539
84084a31
MM		 5540 if (chan->sdu->len != chan->sdu_len)
5541 break;
18778a63 5542
80b98027 5543 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5544
84084a31
MM		 5545 if (!err) {
5546 /* Reassembly complete */
5547 chan->sdu = NULL;
5548 chan->sdu_last_frag = NULL;
5549 chan->sdu_len = 0;
1890d36b 5550 }
18778a63
GP		 5551 break;
5552 }
5553
84084a31
MM		 5554 if (err) {
5555 kfree_skb(skb);
5556 kfree_skb(chan->sdu);
5557 chan->sdu = NULL;
5558 chan->sdu_last_frag = NULL;
5559 chan->sdu_len = 0;
5560 }
18778a63 5561
84084a31 5562 return err;
18778a63
GP		 5563}
5564
32b32735
MM		 5565static int l2cap_resegment(struct l2cap_chan *chan)
5566{
5567 /* Placeholder */
5568 return 0;
5569}
5570
61aa4f5b 5571void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5572{
61aa4f5b 5573 u8 event;
712132eb 5574
61aa4f5b
MM		 5575 if (chan->mode != L2CAP_MODE_ERTM)
5576 return;
712132eb 5577
61aa4f5b 5578 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5579 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5580}
5581
d2a7ac5d
MM		 5582static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5583{
63838725
MM		 5584 int err = 0;
5585 /* Pass sequential frames to l2cap_reassemble_sdu()
5586 * until a gap is encountered.
5587 */
5588
5589 BT_DBG("chan %p", chan);
5590
5591 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5592 struct sk_buff *skb;
5593 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5594 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5595
5596 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5597
5598 if (!skb)
5599 break;
5600
5601 skb_unlink(skb, &chan->srej_q);
5602 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5603 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5604 if (err)
5605 break;
5606 }
5607
5608 if (skb_queue_empty(&chan->srej_q)) {
5609 chan->rx_state = L2CAP_RX_STATE_RECV;
5610 l2cap_send_ack(chan);
5611 }
5612
5613 return err;
d2a7ac5d
MM		 5614}
5615
5616static void l2cap_handle_srej(struct l2cap_chan *chan,
5617 struct l2cap_ctrl *control)
5618{
f80842a8
MM		 5619 struct sk_buff *skb;
5620
5621 BT_DBG("chan %p, control %p", chan, control);
5622
5623 if (control->reqseq == chan->next_tx_seq) {
5624 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5625 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5626 return;
5627 }
5628
5629 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5630
5631 if (skb == NULL) {
5632 BT_DBG("Seq %d not available for retransmission",
5633 control->reqseq);
5634 return;
5635 }
5636
5637 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5638 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5639 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5640 return;
5641 }
5642
5643 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5644
5645 if (control->poll) {
5646 l2cap_pass_to_tx(chan, control);
5647
5648 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5649 l2cap_retransmit(chan, control);
5650 l2cap_ertm_send(chan);
5651
5652 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5653 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5654 chan->srej_save_reqseq = control->reqseq;
5655 }
5656 } else {
5657 l2cap_pass_to_tx_fbit(chan, control);
5658
5659 if (control->final) {
5660 if (chan->srej_save_reqseq != control->reqseq ||
5661 !test_and_clear_bit(CONN_SREJ_ACT,
5662 &chan->conn_state))
5663 l2cap_retransmit(chan, control);
5664 } else {
5665 l2cap_retransmit(chan, control);
5666 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5667 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5668 chan->srej_save_reqseq = control->reqseq;
5669 }
5670 }
5671 }
d2a7ac5d
MM		 5672}
5673
5674static void l2cap_handle_rej(struct l2cap_chan *chan,
5675 struct l2cap_ctrl *control)
5676{
fcd289df
MM		 5677 struct sk_buff *skb;
5678
5679 BT_DBG("chan %p, control %p", chan, control);
5680
5681 if (control->reqseq == chan->next_tx_seq) {
5682 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5683 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5684 return;
5685 }
5686
5687 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5688
5689 if (chan->max_tx && skb &&
5690 bt_cb(skb)->control.retries >= chan->max_tx) {
5691 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5692 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5693 return;
5694 }
5695
5696 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5697
5698 l2cap_pass_to_tx(chan, control);
5699
5700 if (control->final) {
5701 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5702 l2cap_retransmit_all(chan, control);
5703 } else {
5704 l2cap_retransmit_all(chan, control);
5705 l2cap_ertm_send(chan);
5706 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5707 set_bit(CONN_REJ_ACT, &chan->conn_state);
5708 }
d2a7ac5d
MM		 5709}
5710
4b51dae9
MM		 5711static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5712{
5713 BT_DBG("chan %p, txseq %d", chan, txseq);
5714
5715 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5716 chan->expected_tx_seq);
5717
5718 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5719 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5720 chan->tx_win) {
4b51dae9
MM		 5721 /* See notes below regarding "double poll" and
5722 * invalid packets.
5723 */
5724 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5725 BT_DBG("Invalid/Ignore - after SREJ");
5726 return L2CAP_TXSEQ_INVALID_IGNORE;
5727 } else {
5728 BT_DBG("Invalid - in window after SREJ sent");
5729 return L2CAP_TXSEQ_INVALID;
5730 }
5731 }
5732
5733 if (chan->srej_list.head == txseq) {
5734 BT_DBG("Expected SREJ");
5735 return L2CAP_TXSEQ_EXPECTED_SREJ;
5736 }
5737
5738 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5739 BT_DBG("Duplicate SREJ - txseq already stored");
5740 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5741 }
5742
5743 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5744 BT_DBG("Unexpected SREJ - not requested");
5745 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5746 }
5747 }
5748
5749 if (chan->expected_tx_seq == txseq) {
5750 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5751 chan->tx_win) {
5752 BT_DBG("Invalid - txseq outside tx window");
5753 return L2CAP_TXSEQ_INVALID;
5754 } else {
5755 BT_DBG("Expected");
5756 return L2CAP_TXSEQ_EXPECTED;
5757 }
5758 }
5759
5760 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5761 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5762 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5763 return L2CAP_TXSEQ_DUPLICATE;
5764 }
5765
5766 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5767 /* A source of invalid packets is a "double poll" condition,
5768 * where delays cause us to send multiple poll packets. If
5769 * the remote stack receives and processes both polls,
5770 * sequence numbers can wrap around in such a way that a
5771 * resent frame has a sequence number that looks like new data
5772 * with a sequence gap. This would trigger an erroneous SREJ
5773 * request.
5774 *
5775 * Fortunately, this is impossible with a tx window that's
5776 * less than half of the maximum sequence number, which allows
5777 * invalid frames to be safely ignored.
5778 *
5779 * With tx window sizes greater than half of the tx window
5780 * maximum, the frame is invalid and cannot be ignored. This
5781 * causes a disconnect.
5782 */
5783
5784 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5785 BT_DBG("Invalid/Ignore - txseq outside tx window");
5786 return L2CAP_TXSEQ_INVALID_IGNORE;
5787 } else {
5788 BT_DBG("Invalid - txseq outside tx window");
5789 return L2CAP_TXSEQ_INVALID;
5790 }
5791 } else {
5792 BT_DBG("Unexpected - txseq indicates missing frames");
5793 return L2CAP_TXSEQ_UNEXPECTED;
5794 }
5795}
5796
d2a7ac5d
MM		 5797static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5798 struct l2cap_ctrl *control,
5799 struct sk_buff *skb, u8 event)
5800{
5801 int err = 0;
941247f9 5802 bool skb_in_use = false;
d2a7ac5d
MM		 5803
5804 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5805 event);
5806
5807 switch (event) {
5808 case L2CAP_EV_RECV_IFRAME:
5809 switch (l2cap_classify_txseq(chan, control->txseq)) {
5810 case L2CAP_TXSEQ_EXPECTED:
5811 l2cap_pass_to_tx(chan, control);
5812
5813 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5814 BT_DBG("Busy, discarding expected seq %d",
5815 control->txseq);
5816 break;
5817 }
5818
5819 chan->expected_tx_seq = __next_seq(chan,
5820 control->txseq);
5821
5822 chan->buffer_seq = chan->expected_tx_seq;
941247f9 5823 skb_in_use = true;
d2a7ac5d
MM		 5824
5825 err = l2cap_reassemble_sdu(chan, skb, control);
5826 if (err)
5827 break;
5828
5829 if (control->final) {
5830 if (!test_and_clear_bit(CONN_REJ_ACT,
5831 &chan->conn_state)) {
5832 control->final = 0;
5833 l2cap_retransmit_all(chan, control);
5834 l2cap_ertm_send(chan);
5835 }
5836 }
5837
5838 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5839 l2cap_send_ack(chan);
5840 break;
5841 case L2CAP_TXSEQ_UNEXPECTED:
5842 l2cap_pass_to_tx(chan, control);
5843
5844 /* Can't issue SREJ frames in the local busy state.
5845 * Drop this frame, it will be seen as missing
5846 * when local busy is exited.
5847 */
5848 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5849 BT_DBG("Busy, discarding unexpected seq %d",
5850 control->txseq);
5851 break;
5852 }
5853
5854 /* There was a gap in the sequence, so an SREJ
5855 * must be sent for each missing frame. The
5856 * current frame is stored for later use.
5857 */
5858 skb_queue_tail(&chan->srej_q, skb);
941247f9 5859 skb_in_use = true;
d2a7ac5d
MM		 5860 BT_DBG("Queued %p (queue len %d)", skb,
5861 skb_queue_len(&chan->srej_q));
5862
5863 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5864 l2cap_seq_list_clear(&chan->srej_list);
5865 l2cap_send_srej(chan, control->txseq);
5866
5867 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5868 break;
5869 case L2CAP_TXSEQ_DUPLICATE:
5870 l2cap_pass_to_tx(chan, control);
5871 break;
5872 case L2CAP_TXSEQ_INVALID_IGNORE:
5873 break;
5874 case L2CAP_TXSEQ_INVALID:
5875 default:
5e4e3972 5876 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5877 break;
5878 }
5879 break;
5880 case L2CAP_EV_RECV_RR:
5881 l2cap_pass_to_tx(chan, control);
5882 if (control->final) {
5883 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5884
e6a3ee6e
MM		 5885 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5886 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5887 control->final = 0;
5888 l2cap_retransmit_all(chan, control);
5889 }
5890
5891 l2cap_ertm_send(chan);
5892 } else if (control->poll) {
5893 l2cap_send_i_or_rr_or_rnr(chan);
5894 } else {
5895 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5896 &chan->conn_state) &&
5897 chan->unacked_frames)
5898 __set_retrans_timer(chan);
5899
5900 l2cap_ertm_send(chan);
5901 }
5902 break;
5903 case L2CAP_EV_RECV_RNR:
5904 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5905 l2cap_pass_to_tx(chan, control);
5906 if (control && control->poll) {
5907 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5908 l2cap_send_rr_or_rnr(chan, 0);
5909 }
5910 __clear_retrans_timer(chan);
5911 l2cap_seq_list_clear(&chan->retrans_list);
5912 break;
5913 case L2CAP_EV_RECV_REJ:
5914 l2cap_handle_rej(chan, control);
5915 break;
5916 case L2CAP_EV_RECV_SREJ:
5917 l2cap_handle_srej(chan, control);
5918 break;
5919 default:
5920 break;
5921 }
5922
5923 if (skb && !skb_in_use) {
5924 BT_DBG("Freeing %p", skb);
5925 kfree_skb(skb);
5926 }
5927
5928 return err;
5929}
5930
5931static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5932 struct l2cap_ctrl *control,
5933 struct sk_buff *skb, u8 event)
5934{
5935 int err = 0;
5936 u16 txseq = control->txseq;
941247f9 5937 bool skb_in_use = false;
d2a7ac5d
MM		 5938
5939 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5940 event);
5941
5942 switch (event) {
5943 case L2CAP_EV_RECV_IFRAME:
5944 switch (l2cap_classify_txseq(chan, txseq)) {
5945 case L2CAP_TXSEQ_EXPECTED:
5946 /* Keep frame for reassembly later */
5947 l2cap_pass_to_tx(chan, control);
5948 skb_queue_tail(&chan->srej_q, skb);
941247f9 5949 skb_in_use = true;
d2a7ac5d
MM		 5950 BT_DBG("Queued %p (queue len %d)", skb,
5951 skb_queue_len(&chan->srej_q));
5952
5953 chan->expected_tx_seq = __next_seq(chan, txseq);
5954 break;
5955 case L2CAP_TXSEQ_EXPECTED_SREJ:
5956 l2cap_seq_list_pop(&chan->srej_list);
5957
5958 l2cap_pass_to_tx(chan, control);
5959 skb_queue_tail(&chan->srej_q, skb);
941247f9 5960 skb_in_use = true;
d2a7ac5d
MM		 5961 BT_DBG("Queued %p (queue len %d)", skb,
5962 skb_queue_len(&chan->srej_q));
5963
5964 err = l2cap_rx_queued_iframes(chan);
5965 if (err)
5966 break;
5967
5968 break;
5969 case L2CAP_TXSEQ_UNEXPECTED:
5970 /* Got a frame that can't be reassembled yet.
5971 * Save it for later, and send SREJs to cover
5972 * the missing frames.
5973 */
5974 skb_queue_tail(&chan->srej_q, skb);
941247f9 5975 skb_in_use = true;
d2a7ac5d
MM		 5976 BT_DBG("Queued %p (queue len %d)", skb,
5977 skb_queue_len(&chan->srej_q));
5978
5979 l2cap_pass_to_tx(chan, control);
5980 l2cap_send_srej(chan, control->txseq);
5981 break;
5982 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5983 /* This frame was requested with an SREJ, but
5984 * some expected retransmitted frames are
5985 * missing. Request retransmission of missing
5986 * SREJ'd frames.
5987 */
5988 skb_queue_tail(&chan->srej_q, skb);
941247f9 5989 skb_in_use = true;
d2a7ac5d
MM		 5990 BT_DBG("Queued %p (queue len %d)", skb,
5991 skb_queue_len(&chan->srej_q));
5992
5993 l2cap_pass_to_tx(chan, control);
5994 l2cap_send_srej_list(chan, control->txseq);
5995 break;
5996 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5997 /* We've already queued this frame. Drop this copy. */
5998 l2cap_pass_to_tx(chan, control);
5999 break;
6000 case L2CAP_TXSEQ_DUPLICATE:
6001 /* Expecting a later sequence number, so this frame
6002 * was already received. Ignore it completely.
6003 */
6004 break;
6005 case L2CAP_TXSEQ_INVALID_IGNORE:
6006 break;
6007 case L2CAP_TXSEQ_INVALID:
6008 default:
5e4e3972 6009 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6010 break;
6011 }
6012 break;
6013 case L2CAP_EV_RECV_RR:
6014 l2cap_pass_to_tx(chan, control);
6015 if (control->final) {
6016 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6017
6018 if (!test_and_clear_bit(CONN_REJ_ACT,
6019 &chan->conn_state)) {
6020 control->final = 0;
6021 l2cap_retransmit_all(chan, control);
6022 }
6023
6024 l2cap_ertm_send(chan);
6025 } else if (control->poll) {
6026 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6027 &chan->conn_state) &&
6028 chan->unacked_frames) {
6029 __set_retrans_timer(chan);
6030 }
6031
6032 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6033 l2cap_send_srej_tail(chan);
6034 } else {
6035 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6036 &chan->conn_state) &&
6037 chan->unacked_frames)
6038 __set_retrans_timer(chan);
6039
6040 l2cap_send_ack(chan);
6041 }
6042 break;
6043 case L2CAP_EV_RECV_RNR:
6044 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6045 l2cap_pass_to_tx(chan, control);
6046 if (control->poll) {
6047 l2cap_send_srej_tail(chan);
6048 } else {
6049 struct l2cap_ctrl rr_control;
6050 memset(&rr_control, 0, sizeof(rr_control));
6051 rr_control.sframe = 1;
6052 rr_control.super = L2CAP_SUPER_RR;
6053 rr_control.reqseq = chan->buffer_seq;
6054 l2cap_send_sframe(chan, &rr_control);
6055 }
6056
6057 break;
6058 case L2CAP_EV_RECV_REJ:
6059 l2cap_handle_rej(chan, control);
6060 break;
6061 case L2CAP_EV_RECV_SREJ:
6062 l2cap_handle_srej(chan, control);
6063 break;
6064 }
6065
6066 if (skb && !skb_in_use) {
6067 BT_DBG("Freeing %p", skb);
6068 kfree_skb(skb);
6069 }
6070
6071 return err;
6072}
6073
32b32735
MM		 6074static int l2cap_finish_move(struct l2cap_chan *chan)
6075{
6076 BT_DBG("chan %p", chan);
6077
6078 chan->rx_state = L2CAP_RX_STATE_RECV;
6079
6080 if (chan->hs_hcon)
6081 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6082 else
6083 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6084
6085 return l2cap_resegment(chan);
6086}
6087
6088static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6089 struct l2cap_ctrl *control,
6090 struct sk_buff *skb, u8 event)
6091{
6092 int err;
6093
6094 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6095 event);
6096
6097 if (!control->poll)
6098 return -EPROTO;
6099
6100 l2cap_process_reqseq(chan, control->reqseq);
6101
6102 if (!skb_queue_empty(&chan->tx_q))
6103 chan->tx_send_head = skb_peek(&chan->tx_q);
6104 else
6105 chan->tx_send_head = NULL;
6106
6107 /* Rewind next_tx_seq to the point expected
6108 * by the receiver.
6109 */
6110 chan->next_tx_seq = control->reqseq;
6111 chan->unacked_frames = 0;
6112
6113 err = l2cap_finish_move(chan);
6114 if (err)
6115 return err;
6116
6117 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6118 l2cap_send_i_or_rr_or_rnr(chan);
6119
6120 if (event == L2CAP_EV_RECV_IFRAME)
6121 return -EPROTO;
6122
6123 return l2cap_rx_state_recv(chan, control, NULL, event);
6124}
6125
6126static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6127 struct l2cap_ctrl *control,
6128 struct sk_buff *skb, u8 event)
6129{
6130 int err;
6131
6132 if (!control->final)
6133 return -EPROTO;
6134
6135 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6136
6137 chan->rx_state = L2CAP_RX_STATE_RECV;
6138 l2cap_process_reqseq(chan, control->reqseq);
6139
6140 if (!skb_queue_empty(&chan->tx_q))
6141 chan->tx_send_head = skb_peek(&chan->tx_q);
6142 else
6143 chan->tx_send_head = NULL;
6144
6145 /* Rewind next_tx_seq to the point expected
6146 * by the receiver.
6147 */
6148 chan->next_tx_seq = control->reqseq;
6149 chan->unacked_frames = 0;
6150
6151 if (chan->hs_hcon)
6152 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6153 else
6154 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6155
6156 err = l2cap_resegment(chan);
6157
6158 if (!err)
6159 err = l2cap_rx_state_recv(chan, control, skb, event);
6160
6161 return err;
6162}
6163
d2a7ac5d
MM		 6164static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6165{
6166 /* Make sure reqseq is for a packet that has been sent but not acked */
6167 u16 unacked;
6168
6169 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6170 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6171}
6172
cec8ab6e
MM		 6173static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6174 struct sk_buff *skb, u8 event)
218bb9df 6175{
d2a7ac5d
MM		 6176 int err = 0;
6177
6178 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6179 control, skb, event, chan->rx_state);
6180
6181 if (__valid_reqseq(chan, control->reqseq)) {
6182 switch (chan->rx_state) {
6183 case L2CAP_RX_STATE_RECV:
6184 err = l2cap_rx_state_recv(chan, control, skb, event);
6185 break;
6186 case L2CAP_RX_STATE_SREJ_SENT:
6187 err = l2cap_rx_state_srej_sent(chan, control, skb,
6188 event);
6189 break;
32b32735
MM		 6190 case L2CAP_RX_STATE_WAIT_P:
6191 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6192 break;
6193 case L2CAP_RX_STATE_WAIT_F:
6194 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6195 break;
d2a7ac5d
MM		 6196 default:
6197 /* shut it down */
6198 break;
6199 }
6200 } else {
6201 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6202 control->reqseq, chan->next_tx_seq,
6203 chan->expected_ack_seq);
5e4e3972 6204 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6205 }
6206
6207 return err;
cec8ab6e
MM		 6208}
6209
6210static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6211 struct sk_buff *skb)
6212{
4b51dae9
MM		 6213 int err = 0;
6214
6215 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6216 chan->rx_state);
6217
6218 if (l2cap_classify_txseq(chan, control->txseq) ==
6219 L2CAP_TXSEQ_EXPECTED) {
6220 l2cap_pass_to_tx(chan, control);
6221
6222 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6223 __next_seq(chan, chan->buffer_seq));
6224
6225 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6226
6227 l2cap_reassemble_sdu(chan, skb, control);
6228 } else {
6229 if (chan->sdu) {
6230 kfree_skb(chan->sdu);
6231 chan->sdu = NULL;
6232 }
6233 chan->sdu_last_frag = NULL;
6234 chan->sdu_len = 0;
6235
6236 if (skb) {
6237 BT_DBG("Freeing %p", skb);
6238 kfree_skb(skb);
6239 }
6240 }
6241
6242 chan->last_acked_seq = control->txseq;
6243 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6244
6245 return err;
cec8ab6e
MM		 6246}
6247
6248static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6249{
6250 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6251 u16 len;
6252 u8 event;
218bb9df 6253
b76bbd66
MM		 6254 __unpack_control(chan, skb);
6255
218bb9df
GP		 6256 len = skb->len;
6257
6258 /*
6259 * We can just drop the corrupted I-frame here.
6260 * Receiver will miss it and start proper recovery
cec8ab6e 6261 * procedures and ask for retransmission.
218bb9df 6262 */
47d1ec61 6263 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6264 goto drop;
6265
cec8ab6e 6266 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6267 len -= L2CAP_SDULEN_SIZE;
218bb9df 6268
47d1ec61 6269 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6270 len -= L2CAP_FCS_SIZE;
218bb9df 6271
47d1ec61 6272 if (len > chan->mps) {
5e4e3972 6273 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6274 goto drop;
6275 }
6276
cec8ab6e
MM		 6277 if (!control->sframe) {
6278 int err;
218bb9df 6279
cec8ab6e
MM		 6280 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6281 control->sar, control->reqseq, control->final,
6282 control->txseq);
218bb9df 6283
cec8ab6e
MM		 6284 /* Validate F-bit - F=0 always valid, F=1 only
6285 * valid in TX WAIT_F
6286 */
6287 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6288 goto drop;
cec8ab6e
MM		 6289
6290 if (chan->mode != L2CAP_MODE_STREAMING) {
6291 event = L2CAP_EV_RECV_IFRAME;
6292 err = l2cap_rx(chan, control, skb, event);
6293 } else {
6294 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6295 }
6296
cec8ab6e 6297 if (err)
5e4e3972 6298 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6299 } else {
cec8ab6e
MM		 6300 const u8 rx_func_to_event[4] = {
6301 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6302 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6303 };
6304
6305 /* Only I-frames are expected in streaming mode */
6306 if (chan->mode == L2CAP_MODE_STREAMING)
6307 goto drop;
6308
6309 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6310 control->reqseq, control->final, control->poll,
6311 control->super);
6312
218bb9df 6313 if (len != 0) {
1bb166e6 6314 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6315 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6316 goto drop;
6317 }
6318
cec8ab6e
MM		 6319 /* Validate F and P bits */
6320 if (control->final && (control->poll ||
6321 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6322 goto drop;
6323
6324 event = rx_func_to_event[control->super];
6325 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6326 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6327 }
6328
6329 return 0;
6330
6331drop:
6332 kfree_skb(skb);
6333 return 0;
6334}
6335
13ca56e0
AE		 6336static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6337 struct sk_buff *skb)
1da177e4 6338{
48454079 6339 struct l2cap_chan *chan;
1da177e4 6340
baa7e1fa 6341 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6342 if (!chan) {
97e8e89d
AE		 6343 if (cid == L2CAP_CID_A2MP) {
6344 chan = a2mp_channel_create(conn, skb);
6345 if (!chan) {
6346 kfree_skb(skb);
13ca56e0 6347 return;
97e8e89d
AE		 6348 }
6349
6350 l2cap_chan_lock(chan);
6351 } else {
6352 BT_DBG("unknown cid 0x%4.4x", cid);
6353 /* Drop packet and return */
6354 kfree_skb(skb);
13ca56e0 6355 return;
97e8e89d 6356 }
1da177e4
LT		 6357 }
6358
49208c9c 6359 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6360
89bc500e 6361 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6362 goto drop;
6363
0c1bc5c6 6364 switch (chan->mode) {
1c2acffb
GP		 6365 case L2CAP_MODE_BASIC:
6366 /* If socket recv buffers overflows we drop data here
6367 * which is *bad* because L2CAP has to be reliable.
6368 * But we don't have any other choice. L2CAP doesn't
6369 * provide flow control mechanism. */
1da177e4 6370
0c1bc5c6 6371 if (chan->imtu < skb->len)
1c2acffb 6372 goto drop;
1da177e4 6373
80b98027 6374 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6375 goto done;
6376 break;
6377
6378 case L2CAP_MODE_ERTM:
6840ed07 6379 case L2CAP_MODE_STREAMING:
cec8ab6e 6380 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6381 goto done;
6382
1c2acffb 6383 default:
0c1bc5c6 6384 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6385 break;
6386 }
1da177e4
LT		 6387
6388drop:
6389 kfree_skb(skb);
6390
6391done:
6be36555 6392 l2cap_chan_unlock(chan);
1da177e4
LT		 6393}
6394
84104b24
AE		 6395static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6396 struct sk_buff *skb)
1da177e4 6397{
ae4fd2d3 6398 struct hci_conn *hcon = conn->hcon;
23691d75 6399 struct l2cap_chan *chan;
1da177e4 6400
ae4fd2d3
MH		 6401 if (hcon->type != ACL_LINK)
6402 goto drop;
6403
06ae3314 6404 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst);
23691d75 6405 if (!chan)
1da177e4
LT		 6406 goto drop;
6407
5b4cedaa 6408 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6409
89bc500e 6410 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6411 goto drop;
6412
e13e21dc 6413 if (chan->imtu < skb->len)
1da177e4
LT		 6414 goto drop;
6415
2edf870d 6416 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6417 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6418 bt_cb(skb)->psm = psm;
6419
80b98027 6420 if (!chan->ops->recv(chan, skb))
84104b24 6421 return;
1da177e4
LT		 6422
6423drop:
6424 kfree_skb(skb);
1da177e4
LT		 6425}
6426
72f78356 6427static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6428 struct sk_buff *skb)
9f69bda6 6429{
b99707d7 6430 struct hci_conn *hcon = conn->hcon;
23691d75 6431 struct l2cap_chan *chan;
9f69bda6 6432
b99707d7
MH		 6433 if (hcon->type != LE_LINK)
6434 goto drop;
6435
af1c0134 6436 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6437 &hcon->src, &hcon->dst);
23691d75 6438 if (!chan)
9f69bda6
GP		 6439 goto drop;
6440
5b4cedaa 6441 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6442
cc8dba2b
MH		 6443 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6444 goto drop;
6445
e13e21dc 6446 if (chan->imtu < skb->len)
9f69bda6
GP		 6447 goto drop;
6448
80b98027 6449 if (!chan->ops->recv(chan, skb))
6810fca7 6450 return;
9f69bda6
GP		 6451
6452drop:
6453 kfree_skb(skb);
9f69bda6
GP		 6454}
6455
1da177e4
LT		 6456static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6457{
6458 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6459 u16 cid, len;
6460 __le16 psm;
1da177e4
LT		 6461
6462 skb_pull(skb, L2CAP_HDR_SIZE);
6463 cid = __le16_to_cpu(lh->cid);
6464 len = __le16_to_cpu(lh->len);
6465
1c2acffb
GP		 6466 if (len != skb->len) {
6467 kfree_skb(skb);
6468 return;
6469 }
6470
1da177e4
LT		 6471 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6472
6473 switch (cid) {
8db4dc46 6474 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6475 l2cap_sig_channel(conn, skb);
6476 break;
6477
8db4dc46 6478 case L2CAP_CID_CONN_LESS:
097db76c 6479 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6480 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6481 l2cap_conless_channel(conn, psm, skb);
6482 break;
6483
073d1cf3 6484 case L2CAP_CID_ATT:
72f78356 6485 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6486 break;
6487
a2877629
MH		 6488 case L2CAP_CID_LE_SIGNALING:
6489 l2cap_le_sig_channel(conn, skb);
6490 break;
6491
b501d6a1
AB		 6492 case L2CAP_CID_SMP:
6493 if (smp_sig_channel(conn, skb))
6494 l2cap_conn_del(conn->hcon, EACCES);
6495 break;
6496
1da177e4
LT		 6497 default:
6498 l2cap_data_channel(conn, cid, skb);
6499 break;
6500 }
6501}
6502
6503/* ---- L2CAP interface with lower layer (HCI) ---- */
6504
686ebf28 6505int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6506{
6507 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6508 struct l2cap_chan *c;
1da177e4 6509
6ed93dc6 6510 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6511
6512 /* Find listening sockets and check their link_mode */
23691d75
GP		 6513 read_lock(&chan_list_lock);
6514 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 6515 if (c->state != BT_LISTEN)
1da177e4
LT		 6516 continue;
6517
7eafc59e 6518 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 6519 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6520 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6521 lm1 |= HCI_LM_MASTER;
1da177e4 6522 exact++;
7eafc59e 6523 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 6524 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6525 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6526 lm2 |= HCI_LM_MASTER;
6527 }
1da177e4 6528 }
23691d75 6529 read_unlock(&chan_list_lock);
1da177e4
LT		 6530
6531 return exact ? lm1 : lm2;
6532}
6533
9e664631 6534void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6535{
0139418c
MH		 6536 struct l2cap_conn *conn;
6537
6ed93dc6 6538 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6539
1da177e4 6540 if (!status) {
baf43251 6541 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6542 if (conn)
6543 l2cap_conn_ready(conn);
ba6fc317 6544 } else {
e175072f 6545 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6546 }
1da177e4
LT		 6547}
6548
686ebf28 6549int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6550{
6551 struct l2cap_conn *conn = hcon->l2cap_data;
6552
6553 BT_DBG("hcon %p", hcon);
6554
686ebf28 6555 if (!conn)
9f5a0d7b 6556 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6557 return conn->disc_reason;
6558}
6559
9e664631 6560void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6561{
6562 BT_DBG("hcon %p reason %d", hcon, reason);
6563
e175072f 6564 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6565}
6566
4343478f 6567static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6568{
715ec005 6569 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6570 return;
6571
f62e4323 6572 if (encrypt == 0x00) {
4343478f 6573 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6574 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6575 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6576 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6577 } else {
4343478f 6578 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6579 __clear_chan_timer(chan);
f62e4323
MH		 6580 }
6581}
6582
686ebf28 6583int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6584{
0139418c 6585 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6586 struct l2cap_chan *chan;
1da177e4 6587
0139418c 6588 if (!conn)
1da177e4 6589 return 0;
0139418c 6590
89d8b407 6591 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6592
160dc6ac 6593 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6594 if (!status && encrypt)
6595 smp_distribute_keys(conn, 0);
17cd3f37 6596 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6597 }
6598
3df91ea2 6599 mutex_lock(&conn->chan_lock);
1da177e4 6600
3df91ea2 6601 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6602 l2cap_chan_lock(chan);
1da177e4 6603
89d8b407
AE		 6604 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6605 state_to_string(chan->state));
f1cb9af5 6606
78eb2f98
AE		 6607 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6608 l2cap_chan_unlock(chan);
6609 continue;
6610 }
6611
073d1cf3 6612 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6613 if (!status && encrypt) {
6614 chan->sec_level = hcon->sec_level;
cf4cd009 6615 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6616 }
6617
6be36555 6618 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6619 continue;
6620 }
6621
96eff46e 6622 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6623 l2cap_chan_unlock(chan);
6a8d3010
MH		 6624 continue;
6625 }
6626
89bc500e 6627 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6628 chan->state == BT_CONFIG)) {
d97c899b 6629 chan->ops->resume(chan);
4343478f 6630 l2cap_check_encryption(chan, encrypt);
6be36555 6631 l2cap_chan_unlock(chan);
9719f8af
MH		 6632 continue;
6633 }
6634
89bc500e 6635 if (chan->state == BT_CONNECT) {
b1235d79 6636 if (!status) {
93c3e8f5 6637 l2cap_start_connection(chan);
b1235d79 6638 } else {
ba13ccd9 6639 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6640 }
89bc500e 6641 } else if (chan->state == BT_CONNECT2) {
b1235d79 6642 struct l2cap_conn_rsp rsp;
df3c3931 6643 __u16 res, stat;
1da177e4 6644
b1235d79 6645 if (!status) {
bdc25783 6646 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 6647 res = L2CAP_CR_PEND;
6648 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6649 chan->ops->defer(chan);
df3c3931 6650 } else {
acdcabf5 6651 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6652 res = L2CAP_CR_SUCCESS;
6653 stat = L2CAP_CS_NO_INFO;
6654 }
b1235d79 6655 } else {
acdcabf5 6656 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6657 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6658 res = L2CAP_CR_SEC_BLOCK;
6659 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6660 }
6661
fe4128e0
GP		 6662 rsp.scid = cpu_to_le16(chan->dcid);
6663 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6664 rsp.result = cpu_to_le16(res);
6665 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6666 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6667 sizeof(rsp), &rsp);
2d369359
MM		 6668
6669 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6670 res == L2CAP_CR_SUCCESS) {
6671 char buf[128];
6672 set_bit(CONF_REQ_SENT, &chan->conf_state);
6673 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6674 L2CAP_CONF_REQ,
6675 l2cap_build_conf_req(chan, buf),
6676 buf);
6677 chan->num_conf_req++;
6678 }
b1235d79 6679 }
1da177e4 6680
6be36555 6681 l2cap_chan_unlock(chan);
1da177e4
LT		 6682 }
6683
3df91ea2 6684 mutex_unlock(&conn->chan_lock);
b1235d79 6685
1da177e4
LT		 6686 return 0;
6687}
6688
686ebf28 6689int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6690{
6691 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6692 struct l2cap_hdr *hdr;
6693 int len;
1da177e4 6694
1d13a254
AE		 6695 /* For AMP controller do not create l2cap conn */
6696 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6697 goto drop;
1da177e4 6698
5a08ecce 6699 if (!conn)
baf43251 6700 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6701
6702 if (!conn)
1da177e4
LT		 6703 goto drop;
6704
6705 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6706
d73a0988
AE		 6707 switch (flags) {
6708 case ACL_START:
6709 case ACL_START_NO_FLUSH:
6710 case ACL_COMPLETE:
1da177e4
LT		 6711 if (conn->rx_len) {
6712 BT_ERR("Unexpected start frame (len %d)", skb->len);
6713 kfree_skb(conn->rx_skb);
6714 conn->rx_skb = NULL;
6715 conn->rx_len = 0;
6716 l2cap_conn_unreliable(conn, ECOMM);
6717 }
6718
aae7fe22
AE		 6719 /* Start fragment always begin with Basic L2CAP header */
6720 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6721 BT_ERR("Frame is too short (len %d)", skb->len);
6722 l2cap_conn_unreliable(conn, ECOMM);
6723 goto drop;
6724 }
6725
6726 hdr = (struct l2cap_hdr *) skb->data;
6727 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6728
6729 if (len == skb->len) {
6730 /* Complete frame received */
6731 l2cap_recv_frame(conn, skb);
6732 return 0;
6733 }
6734
6735 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6736
6737 if (skb->len > len) {
6738 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6739 skb->len, len);
1da177e4
LT		 6740 l2cap_conn_unreliable(conn, ECOMM);
6741 goto drop;
6742 }
6743
6744 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6745 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6746 if (!conn->rx_skb)
1da177e4
LT		 6747 goto drop;
6748
d626f62b 6749 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6750 skb->len);
1da177e4 6751 conn->rx_len = len - skb->len;
d73a0988
AE		 6752 break;
6753
6754 case ACL_CONT:
1da177e4
LT		 6755 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6756
6757 if (!conn->rx_len) {
6758 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6759 l2cap_conn_unreliable(conn, ECOMM);
6760 goto drop;
6761 }
6762
6763 if (skb->len > conn->rx_len) {
6764 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6765 skb->len, conn->rx_len);
1da177e4
LT		 6766 kfree_skb(conn->rx_skb);
6767 conn->rx_skb = NULL;
6768 conn->rx_len = 0;
6769 l2cap_conn_unreliable(conn, ECOMM);
6770 goto drop;
6771 }
6772
d626f62b 6773 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6774 skb->len);
1da177e4
LT		 6775 conn->rx_len -= skb->len;
6776
6777 if (!conn->rx_len) {
c4e5bafa
JH		 6778 /* Complete frame received. l2cap_recv_frame
6779 * takes ownership of the skb so set the global
6780 * rx_skb pointer to NULL first.
6781 */
6782 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 6783 conn->rx_skb = NULL;
c4e5bafa 6784 l2cap_recv_frame(conn, rx_skb);
1da177e4 6785 }
d73a0988 6786 break;
1da177e4
LT		 6787 }
6788
6789drop:
6790 kfree_skb(skb);
6791 return 0;
6792}
6793
aef7d97c 6794static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6795{
23691d75 6796 struct l2cap_chan *c;
1da177e4 6797
333055f2 6798 read_lock(&chan_list_lock);
1da177e4 6799
23691d75 6800 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 6801 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 6802 &c->src, &c->dst,
fcb73338
AE		 6803 c->state, __le16_to_cpu(c->psm),
6804 c->scid, c->dcid, c->imtu, c->omtu,
6805 c->sec_level, c->mode);
61e1b4b7 6806 }
1da177e4 6807
333055f2 6808 read_unlock(&chan_list_lock);
1da177e4 6809
aef7d97c 6810 return 0;
1da177e4
LT		 6811}
6812
aef7d97c
MH		 6813static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6814{
6815 return single_open(file, l2cap_debugfs_show, inode->i_private);
6816}
6817
6818static const struct file_operations l2cap_debugfs_fops = {
6819 .open = l2cap_debugfs_open,
6820 .read = seq_read,
6821 .llseek = seq_lseek,
6822 .release = single_release,
6823};
6824
6825static struct dentry *l2cap_debugfs;
1da177e4 6826
64274518 6827int __init l2cap_init(void)
1da177e4
LT		 6828{
6829 int err;
be9d1227 6830
bb58f747 6831 err = l2cap_init_sockets();
1da177e4
LT		 6832 if (err < 0)
6833 return err;
6834
1120e4bf
MH		 6835 if (IS_ERR_OR_NULL(bt_debugfs))
6836 return 0;
6837
6838 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6839 NULL, &l2cap_debugfs_fops);
1da177e4 6840
1da177e4 6841 return 0;
1da177e4
LT		 6842}
6843
64274518 6844void l2cap_exit(void)
1da177e4 6845{
aef7d97c 6846 debugfs_remove(l2cap_debugfs);
bb58f747 6847 l2cap_cleanup_sockets();
1da177e4
LT		 6848}
6849
d1c4a17d
GP		 6850module_param(disable_ertm, bool, 0644);
6851MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 2.053664 seconds and 5 git commands to generate.