projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove hci_conn_hold/drop from hci_chan
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
333055f2 427 write_lock(&chan_list_lock);
23691d75 428 list_add(&chan->global_l, &chan_list);
333055f2 429 write_unlock(&chan_list_lock);
23691d75 430
721c4181 431 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 432
89bc500e
GP		 433 chan->state = BT_OPEN;
434
144ad330 435 kref_init(&chan->kref);
71ba0e56 436
2827011f
MM		 437 /* This flag is cleared in l2cap_chan_ready() */
438 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
439
eef1d9b6 440 BT_DBG("chan %p", chan);
abc545b8 441
48454079
GP		 442 return chan;
443}
6b8d4a6a 444EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 445
144ad330 446static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 447{
144ad330
SS		 448 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
449
4af66c69
JK		 450 BT_DBG("chan %p", chan);
451
333055f2 452 write_lock(&chan_list_lock);
23691d75 453 list_del(&chan->global_l);
333055f2 454 write_unlock(&chan_list_lock);
23691d75 455
4af66c69 456 kfree(chan);
6ff5abbf
GP		 457}
458
30648372
JK		 459void l2cap_chan_hold(struct l2cap_chan *c)
460{
144ad330 461 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 462
144ad330 463 kref_get(&c->kref);
30648372
JK		 464}
465
466void l2cap_chan_put(struct l2cap_chan *c)
467{
144ad330 468 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 469
144ad330 470 kref_put(&c->kref, l2cap_chan_destroy);
30648372 471}
6b8d4a6a 472EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 473
bd4b1653
AE		 474void l2cap_chan_set_defaults(struct l2cap_chan *chan)
475{
476 chan->fcs = L2CAP_FCS_CRC16;
477 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
478 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
479 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 480 chan->remote_max_tx = chan->max_tx;
481 chan->remote_tx_win = chan->tx_win;
c20f8e35 482 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 483 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 484 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
485 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
486 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
487 chan->conf_state = 0;
bd4b1653
AE		 488
489 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
490}
6b8d4a6a 491EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 492
0ce43ce6 493static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 494{
0ce43ce6
JH		 495 chan->sdu = NULL;
496 chan->sdu_last_frag = NULL;
497 chan->sdu_len = 0;
0cd75f7e 498 chan->tx_credits = 0;
f15b8ecf 499 chan->rx_credits = le_max_credits;
d1d79413 500 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 501
502 skb_queue_head_init(&chan->tx_q);
38319713
JH		 503}
504
93c3e8f5 505void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 506{
af05b30b 507 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 508 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 509
9f5a0d7b 510 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 511
8c1d787b 512 chan->conn = conn;
0139418c 513
5491120e
AE		 514 switch (chan->chan_type) {
515 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 516 /* Alloc CID for connection-oriented socket */
517 chan->scid = l2cap_alloc_cid(conn);
518 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 519 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 520 break;
521
522 case L2CAP_CHAN_CONN_LESS:
0139418c 523 /* Connectionless socket */
fe4128e0
GP		 524 chan->scid = L2CAP_CID_CONN_LESS;
525 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 526 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 527 break;
528
2338a7e0
JH		 529 case L2CAP_CHAN_FIXED:
530 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 531 break;
532
5491120e 533 default:
0139418c 534 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 535 chan->scid = L2CAP_CID_SIGNALING;
536 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 537 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 538 }
539
8f7975b1
AE		 540 chan->local_id = L2CAP_BESTEFFORT_ID;
541 chan->local_stype = L2CAP_SERV_BESTEFFORT;
542 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
543 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
544 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 545 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 546
371fd835 547 l2cap_chan_hold(chan);
baa7e1fa 548
c16900cf
JH		 549 /* Only keep a reference for fixed channels if they requested it */
550 if (chan->chan_type != L2CAP_CHAN_FIXED ||
551 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
552 hci_conn_hold(conn->hcon);
5ee9891d 553
3df91ea2 554 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 555}
556
466f8004 557void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 558{
559 mutex_lock(&conn->chan_lock);
560 __l2cap_chan_add(conn, chan);
3df91ea2 561 mutex_unlock(&conn->chan_lock);
0139418c
MH		 562}
563
466f8004 564void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 565{
8c1d787b 566 struct l2cap_conn *conn = chan->conn;
0139418c 567
c9b66675 568 __clear_chan_timer(chan);
0139418c 569
49208c9c 570 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 571
72847ce0
JH		 572 chan->ops->teardown(chan, err);
573
8e87d142 574 if (conn) {
56f60984 575 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 576 /* Delete from channel list */
3df91ea2 577 list_del(&chan->list);
3d57dc68 578
371fd835 579 l2cap_chan_put(chan);
baa7e1fa 580
8c1d787b 581 chan->conn = NULL;
3cabbfda 582
c16900cf
JH		 583 /* Reference was only held for non-fixed channels or
584 * fixed channels that explicitly requested it using the
585 * FLAG_HOLD_HCI_CONN flag.
586 */
587 if (chan->chan_type != L2CAP_CHAN_FIXED ||
588 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
76a68ba0 589 hci_conn_drop(conn->hcon);
56f60984
AE		 590
591 if (mgr && mgr->bredr_chan == chan)
592 mgr->bredr_chan = NULL;
0139418c
MH		 593 }
594
419e08c1
AE		 595 if (chan->hs_hchan) {
596 struct hci_chan *hs_hchan = chan->hs_hchan;
597
598 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
599 amp_disconnect_logical_link(hs_hchan);
600 }
601
2827011f 602 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 603 return;
2ead70b8 604
ee556f66
GP		 605 switch(chan->mode) {
606 case L2CAP_MODE_BASIC:
607 break;
c13ffa62 608
38319713 609 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 610 skb_queue_purge(&chan->tx_q);
38319713
JH		 611 break;
612
ee556f66 613 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 614 __clear_retrans_timer(chan);
615 __clear_monitor_timer(chan);
616 __clear_ack_timer(chan);
c13ffa62 617
f1c6775b 618 skb_queue_purge(&chan->srej_q);
c13ffa62 619
3c588192
MM		 620 l2cap_seq_list_free(&chan->srej_list);
621 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 622
623 /* fall through */
624
625 case L2CAP_MODE_STREAMING:
626 skb_queue_purge(&chan->tx_q);
627 break;
c13ffa62 628 }
ee556f66
GP		 629
630 return;
0139418c 631}
6b8d4a6a 632EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 633
387a33e3
JH		 634void l2cap_conn_update_id_addr(struct hci_conn *hcon)
635{
636 struct l2cap_conn *conn = hcon->l2cap_data;
637 struct l2cap_chan *chan;
638
639 mutex_lock(&conn->chan_lock);
640
641 list_for_each_entry(chan, &conn->chan_l, list) {
642 l2cap_chan_lock(chan);
643 bacpy(&chan->dst, &hcon->dst);
644 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
645 l2cap_chan_unlock(chan);
646 }
647
648 mutex_unlock(&conn->chan_lock);
649}
650
27e2d4c8
JH		 651static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
652{
653 struct l2cap_conn *conn = chan->conn;
654 struct l2cap_le_conn_rsp rsp;
655 u16 result;
656
657 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
658 result = L2CAP_CR_AUTHORIZATION;
659 else
660 result = L2CAP_CR_BAD_PSM;
661
662 l2cap_state_change(chan, BT_DISCONN);
663
664 rsp.dcid = cpu_to_le16(chan->scid);
665 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 666 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 667 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 668 rsp.result = cpu_to_le16(result);
669
670 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
671 &rsp);
672}
673
791d60f7
JH		 674static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
675{
676 struct l2cap_conn *conn = chan->conn;
677 struct l2cap_conn_rsp rsp;
678 u16 result;
679
680 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
681 result = L2CAP_CR_SEC_BLOCK;
682 else
683 result = L2CAP_CR_BAD_PSM;
684
685 l2cap_state_change(chan, BT_DISCONN);
686
687 rsp.scid = cpu_to_le16(chan->dcid);
688 rsp.dcid = cpu_to_le16(chan->scid);
689 rsp.result = cpu_to_le16(result);
dcf4adbf 690 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 691
692 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
693}
694
0f852724 695void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 696{
697 struct l2cap_conn *conn = chan->conn;
4519de9a 698
7eafc59e 699 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 700
89bc500e 701 switch (chan->state) {
4519de9a 702 case BT_LISTEN:
b699ec0d 703 chan->ops->teardown(chan, 0);
4519de9a
GP		 704 break;
705
706 case BT_CONNECTED:
707 case BT_CONFIG:
7b25c9b3 708 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 709 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 710 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 711 } else
712 l2cap_chan_del(chan, reason);
713 break;
714
715 case BT_CONNECT2:
791d60f7
JH		 716 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
717 if (conn->hcon->type == ACL_LINK)
718 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 719 else if (conn->hcon->type == LE_LINK)
720 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 721 }
722
723 l2cap_chan_del(chan, reason);
724 break;
725
726 case BT_CONNECT:
727 case BT_DISCONN:
728 l2cap_chan_del(chan, reason);
729 break;
730
731 default:
b699ec0d 732 chan->ops->teardown(chan, 0);
4519de9a
GP		 733 break;
734 }
735}
6b8d4a6a 736EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 737
4343478f 738static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 739{
6a974b50
MH		 740 switch (chan->chan_type) {
741 case L2CAP_CHAN_RAW:
4343478f 742 switch (chan->sec_level) {
8556edd3 743 case BT_SECURITY_HIGH:
7d513e92 744 case BT_SECURITY_FIPS:
8556edd3
JH		 745 return HCI_AT_DEDICATED_BONDING_MITM;
746 case BT_SECURITY_MEDIUM:
747 return HCI_AT_DEDICATED_BONDING;
748 default:
749 return HCI_AT_NO_BONDING;
750 }
6a974b50 751 break;
3124b843 752 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 753 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 754 if (chan->sec_level == BT_SECURITY_LOW)
755 chan->sec_level = BT_SECURITY_SDP;
756 }
7d513e92
MH		 757 if (chan->sec_level == BT_SECURITY_HIGH ||
758 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 759 return HCI_AT_NO_BONDING_MITM;
760 else
761 return HCI_AT_NO_BONDING;
762 break;
6a974b50 763 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 764 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 765 if (chan->sec_level == BT_SECURITY_LOW)
766 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 767
7d513e92
MH		 768 if (chan->sec_level == BT_SECURITY_HIGH ||
769 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 770 return HCI_AT_NO_BONDING_MITM;
771 else
772 return HCI_AT_NO_BONDING;
773 }
774 /* fall through */
775 default:
4343478f 776 switch (chan->sec_level) {
00ae4af9 777 case BT_SECURITY_HIGH:
7d513e92 778 case BT_SECURITY_FIPS:
8556edd3 779 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 780 case BT_SECURITY_MEDIUM:
8556edd3 781 return HCI_AT_GENERAL_BONDING;
00ae4af9 782 default:
8556edd3 783 return HCI_AT_NO_BONDING;
00ae4af9 784 }
6a974b50 785 break;
0684e5f9 786 }
8556edd3
JH		 787}
788
789/* Service level security */
e7cafc45 790int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 791{
8c1d787b 792 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 793 __u8 auth_type;
794
a17de2fe
JH		 795 if (conn->hcon->type == LE_LINK)
796 return smp_conn_security(conn->hcon, chan->sec_level);
797
4343478f 798 auth_type = l2cap_get_auth_type(chan);
79d554a6 799
e7cafc45
JH		 800 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
801 initiator);
79d554a6
MH		 802}
803
b5ad8b7f 804static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 805{
806 u8 id;
807
808 /* Get next available identificator.
809 * 1 - 128 are used by kernel.
810 * 129 - 199 are reserved.
811 * 200 - 254 are used by utilities like l2ping, etc.
812 */
813
5a54e7c8 814 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 815
816 if (++conn->tx_ident > 128)
817 conn->tx_ident = 1;
818
819 id = conn->tx_ident;
820
5a54e7c8 821 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 822
823 return id;
824}
825
2d792818
GP		 826static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
827 void *data)
4e8402a3
MH		 828{
829 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 830 u8 flags;
4e8402a3
MH		 831
832 BT_DBG("code 0x%2.2x", code);
833
834 if (!skb)
9a9c6a34 835 return;
4e8402a3 836
e702112f
AE		 837 if (lmp_no_flush_capable(conn->hcon->hdev))
838 flags = ACL_START_NO_FLUSH;
839 else
840 flags = ACL_START;
841
14b12d0b 842 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 843 skb->priority = HCI_PRIO_MAX;
14b12d0b 844
73d80deb
LAD		 845 hci_send_acl(conn->hchan, skb, flags);
846}
847
02b0fbb9
MM		 848static bool __chan_is_moving(struct l2cap_chan *chan)
849{
850 return chan->move_state != L2CAP_MOVE_STABLE &&
851 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
852}
853
73d80deb
LAD		 854static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
855{
856 struct hci_conn *hcon = chan->conn->hcon;
857 u16 flags;
858
859 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 860 skb->priority);
73d80deb 861
d5f8a75d
MM		 862 if (chan->hs_hcon && !__chan_is_moving(chan)) {
863 if (chan->hs_hchan)
864 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
865 else
866 kfree_skb(skb);
867
868 return;
869 }
870
73d80deb 871 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 872 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 873 flags = ACL_START_NO_FLUSH;
874 else
875 flags = ACL_START;
14b12d0b 876
73d80deb
LAD		 877 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
878 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 879}
880
b76bbd66
MM		 881static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
882{
883 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
884 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
885
886 if (enh & L2CAP_CTRL_FRAME_TYPE) {
887 /* S-Frame */
888 control->sframe = 1;
889 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
890 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
891
892 control->sar = 0;
893 control->txseq = 0;
894 } else {
895 /* I-Frame */
896 control->sframe = 0;
897 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
898 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
899
900 control->poll = 0;
901 control->super = 0;
902 }
903}
904
b76bbd66
MM		 905static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
906{
907 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
908 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
909
910 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
911 /* S-Frame */
912 control->sframe = 1;
913 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
914 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
915
916 control->sar = 0;
917 control->txseq = 0;
918 } else {
919 /* I-Frame */
920 control->sframe = 0;
921 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
922 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
923
924 control->poll = 0;
925 control->super = 0;
926 }
927}
928
929static inline void __unpack_control(struct l2cap_chan *chan,
930 struct sk_buff *skb)
931{
932 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
933 __unpack_extended_control(get_unaligned_le32(skb->data),
934 &bt_cb(skb)->control);
cec8ab6e 935 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 936 } else {
937 __unpack_enhanced_control(get_unaligned_le16(skb->data),
938 &bt_cb(skb)->control);
cec8ab6e 939 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 940 }
941}
942
b5c6aaed
MM		 943static u32 __pack_extended_control(struct l2cap_ctrl *control)
944{
945 u32 packed;
946
947 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
948 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
949
950 if (control->sframe) {
951 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
952 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
953 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
954 } else {
955 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
956 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
957 }
958
959 return packed;
960}
961
962static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
963{
964 u16 packed;
965
966 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
967 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
968
969 if (control->sframe) {
970 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
971 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
972 packed |= L2CAP_CTRL_FRAME_TYPE;
973 } else {
974 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
975 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
976 }
977
978 return packed;
979}
980
b76bbd66
MM		 981static inline void __pack_control(struct l2cap_chan *chan,
982 struct l2cap_ctrl *control,
983 struct sk_buff *skb)
984{
985 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
986 put_unaligned_le32(__pack_extended_control(control),
987 skb->data + L2CAP_HDR_SIZE);
988 } else {
989 put_unaligned_le16(__pack_enhanced_control(control),
990 skb->data + L2CAP_HDR_SIZE);
991 }
992}
993
ba7aa64f
GP		 994static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
995{
996 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
997 return L2CAP_EXT_HDR_SIZE;
998 else
999 return L2CAP_ENH_HDR_SIZE;
1000}
1001
a67d7f6f
MM		 1002static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1003 u32 control)
b5c6aaed
MM		 1004{
1005 struct sk_buff *skb;
1006 struct l2cap_hdr *lh;
ba7aa64f 1007 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1008
1009 if (chan->fcs == L2CAP_FCS_CRC16)
1010 hlen += L2CAP_FCS_SIZE;
1011
a67d7f6f 1012 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1013
b5c6aaed 1014 if (!skb)
a67d7f6f 1015 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1016
1017 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1018 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1019 lh->cid = cpu_to_le16(chan->dcid);
1020
a67d7f6f
MM		 1021 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1022 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1023 else
1024 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1025
1026 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1027 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1028 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1029 }
1030
1031 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1032 return skb;
1033}
1034
1035static void l2cap_send_sframe(struct l2cap_chan *chan,
1036 struct l2cap_ctrl *control)
1037{
1038 struct sk_buff *skb;
1039 u32 control_field;
1040
1041 BT_DBG("chan %p, control %p", chan, control);
1042
1043 if (!control->sframe)
1044 return;
1045
b99e13ad
MM		 1046 if (__chan_is_moving(chan))
1047 return;
1048
a67d7f6f
MM		 1049 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1050 !control->poll)
1051 control->final = 1;
1052
1053 if (control->super == L2CAP_SUPER_RR)
1054 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1055 else if (control->super == L2CAP_SUPER_RNR)
1056 set_bit(CONN_RNR_SENT, &chan->conn_state);
1057
1058 if (control->super != L2CAP_SUPER_SREJ) {
1059 chan->last_acked_seq = control->reqseq;
1060 __clear_ack_timer(chan);
1061 }
1062
1063 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1064 control->final, control->poll, control->super);
1065
1066 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1067 control_field = __pack_extended_control(control);
1068 else
1069 control_field = __pack_enhanced_control(control);
1070
1071 skb = l2cap_create_sframe_pdu(chan, control_field);
1072 if (!IS_ERR(skb))
1073 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1074}
1075
c9e3d5e0 1076static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1077{
c9e3d5e0
MM		 1078 struct l2cap_ctrl control;
1079
1080 BT_DBG("chan %p, poll %d", chan, poll);
1081
1082 memset(&control, 0, sizeof(control));
1083 control.sframe = 1;
1084 control.poll = poll;
1085
1086 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1087 control.super = L2CAP_SUPER_RNR;
1088 else
1089 control.super = L2CAP_SUPER_RR;
b5c6aaed 1090
c9e3d5e0
MM		 1091 control.reqseq = chan->buffer_seq;
1092 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1093}
1094
b4450035 1095static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1096{
5ff6f34d
JH		 1097 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1098 return true;
1099
c1360a1c 1100 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1101}
1102
1df7b17a 1103static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1104{
1df7b17a 1105 struct l2cap_conn *conn = chan->conn;
80d58d0b 1106 struct hci_dev *hdev;
1df7b17a
MH		 1107 bool amp_available = false;
1108
1109 if (!conn->hs_enabled)
1110 return false;
1111
1112 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1113 return false;
80d58d0b
MH		 1114
1115 read_lock(&hci_dev_list_lock);
1df7b17a 1116 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1117 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1118 test_bit(HCI_UP, &hdev->flags)) {
1119 amp_available = true;
1120 break;
1121 }
1122 }
80d58d0b
MH		 1123 read_unlock(&hci_dev_list_lock);
1124
1df7b17a
MH		 1125 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1126 return amp_available;
848566b3
MH		 1127
1128 return false;
93c3e8f5
AE		 1129}
1130
5ce66b59
AE		 1131static bool l2cap_check_efs(struct l2cap_chan *chan)
1132{
1133 /* Check EFS parameters */
1134 return true;
1135}
1136
2766be48 1137void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1138{
1139 struct l2cap_conn *conn = chan->conn;
1140 struct l2cap_conn_req req;
1141
1142 req.scid = cpu_to_le16(chan->scid);
1143 req.psm = chan->psm;
1144
1145 chan->ident = l2cap_get_ident(conn);
1146
1147 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1148
1149 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1150}
1151
8eb200bd
MM		 1152static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1153{
1154 struct l2cap_create_chan_req req;
1155 req.scid = cpu_to_le16(chan->scid);
1156 req.psm = chan->psm;
1157 req.amp_id = amp_id;
1158
1159 chan->ident = l2cap_get_ident(chan->conn);
1160
1161 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1162 sizeof(req), &req);
1163}
1164
02b0fbb9
MM		 1165static void l2cap_move_setup(struct l2cap_chan *chan)
1166{
1167 struct sk_buff *skb;
1168
1169 BT_DBG("chan %p", chan);
1170
1171 if (chan->mode != L2CAP_MODE_ERTM)
1172 return;
1173
1174 __clear_retrans_timer(chan);
1175 __clear_monitor_timer(chan);
1176 __clear_ack_timer(chan);
1177
1178 chan->retry_count = 0;
1179 skb_queue_walk(&chan->tx_q, skb) {
1180 if (bt_cb(skb)->control.retries)
1181 bt_cb(skb)->control.retries = 1;
1182 else
1183 break;
1184 }
1185
1186 chan->expected_tx_seq = chan->buffer_seq;
1187
1188 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1189 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1190 l2cap_seq_list_clear(&chan->retrans_list);
1191 l2cap_seq_list_clear(&chan->srej_list);
1192 skb_queue_purge(&chan->srej_q);
1193
1194 chan->tx_state = L2CAP_TX_STATE_XMIT;
1195 chan->rx_state = L2CAP_RX_STATE_MOVE;
1196
1197 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1198}
1199
5f3847a4
MM		 1200static void l2cap_move_done(struct l2cap_chan *chan)
1201{
1202 u8 move_role = chan->move_role;
1203 BT_DBG("chan %p", chan);
1204
1205 chan->move_state = L2CAP_MOVE_STABLE;
1206 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1207
1208 if (chan->mode != L2CAP_MODE_ERTM)
1209 return;
1210
1211 switch (move_role) {
1212 case L2CAP_MOVE_ROLE_INITIATOR:
1213 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1214 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1215 break;
1216 case L2CAP_MOVE_ROLE_RESPONDER:
1217 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1218 break;
1219 }
1220}
1221
9f0caeb1
VCG		 1222static void l2cap_chan_ready(struct l2cap_chan *chan)
1223{
2827011f 1224 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1225 chan->conf_state = 0;
1226 __clear_chan_timer(chan);
1227
0ce43ce6
JH		 1228 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1229 chan->ops->suspend(chan);
177f8f2b 1230
54a59aa2 1231 chan->state = BT_CONNECTED;
9f0caeb1 1232
fd83e2c2 1233 chan->ops->ready(chan);
9f0caeb1
VCG		 1234}
1235
f1496dee
JH		 1236static void l2cap_le_connect(struct l2cap_chan *chan)
1237{
1238 struct l2cap_conn *conn = chan->conn;
1239 struct l2cap_le_conn_req req;
1240
595177f3
JH		 1241 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1242 return;
1243
f1496dee
JH		 1244 req.psm = chan->psm;
1245 req.scid = cpu_to_le16(chan->scid);
1246 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1247 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1248 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1249
1250 chan->ident = l2cap_get_ident(conn);
1251
1252 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1253 sizeof(req), &req);
1254}
1255
1256static void l2cap_le_start(struct l2cap_chan *chan)
1257{
1258 struct l2cap_conn *conn = chan->conn;
1259
1260 if (!smp_conn_security(conn->hcon, chan->sec_level))
1261 return;
1262
1263 if (!chan->psm) {
1264 l2cap_chan_ready(chan);
1265 return;
1266 }
1267
1268 if (chan->state == BT_CONNECT)
1269 l2cap_le_connect(chan);
1270}
1271
93c3e8f5
AE		 1272static void l2cap_start_connection(struct l2cap_chan *chan)
1273{
1274 if (__amp_capable(chan)) {
1275 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1276 a2mp_discover_amp(chan);
f1496dee
JH		 1277 } else if (chan->conn->hcon->type == LE_LINK) {
1278 l2cap_le_start(chan);
93c3e8f5
AE		 1279 } else {
1280 l2cap_send_conn_req(chan);
1281 }
1282}
1283
fc7f8a7e 1284static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1285{
8c1d787b 1286 struct l2cap_conn *conn = chan->conn;
79d554a6 1287
9f0caeb1 1288 if (conn->hcon->type == LE_LINK) {
96ac34fb 1289 l2cap_le_start(chan);
9f0caeb1
VCG		 1290 return;
1291 }
1292
79d554a6 1293 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1294 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1295 return;
1296
e7cafc45 1297 if (l2cap_chan_check_security(chan, true) &&
2d792818 1298 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1299 l2cap_start_connection(chan);
1300 }
79d554a6
MH		 1301 } else {
1302 struct l2cap_info_req req;
dcf4adbf 1303 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1304
1305 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1306 conn->info_ident = l2cap_get_ident(conn);
1307
ba13ccd9 1308 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1309
2d792818
GP		 1310 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1311 sizeof(req), &req);
79d554a6
MH		 1312 }
1313}
1314
cf6c2c0b
GP		 1315static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1316{
1317 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1318 if (!disable_ertm)
cf6c2c0b
GP		 1319 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1320
1321 switch (mode) {
1322 case L2CAP_MODE_ERTM:
1323 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1324 case L2CAP_MODE_STREAMING:
1325 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1326 default:
1327 return 0x00;
1328 }
1329}
1330
5e4e3972 1331static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1332{
5e4e3972 1333 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1334 struct l2cap_disconn_req req;
1335
c13ffa62
GP		 1336 if (!conn)
1337 return;
1338
aad3d0e3 1339 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1340 __clear_retrans_timer(chan);
1341 __clear_monitor_timer(chan);
1342 __clear_ack_timer(chan);
c13ffa62
GP		 1343 }
1344
2338a7e0 1345 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1346 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1347 return;
1348 }
1349
fe4128e0
GP		 1350 req.dcid = cpu_to_le16(chan->dcid);
1351 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1352 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1353 sizeof(req), &req);
c13ffa62 1354
f8e73017 1355 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1356}
1357
1da177e4 1358/* ---- L2CAP connections ---- */
4e8402a3
MH		 1359static void l2cap_conn_start(struct l2cap_conn *conn)
1360{
3df91ea2 1361 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1362
1363 BT_DBG("conn %p", conn);
1364
3df91ea2 1365 mutex_lock(&conn->chan_lock);
4e8402a3 1366
3df91ea2 1367 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1368 l2cap_chan_lock(chan);
4e8402a3 1369
715ec005 1370 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1371 l2cap_chan_unlock(chan);
79d554a6
MH		 1372 continue;
1373 }
1374
89bc500e 1375 if (chan->state == BT_CONNECT) {
e7cafc45 1376 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1377 !__l2cap_no_conn_pending(chan)) {
6be36555 1378 l2cap_chan_unlock(chan);
47731de7
GP		 1379 continue;
1380 }
79d554a6 1381
c1360a1c 1382 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1383 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1384 &chan->conf_state)) {
89bc500e 1385 l2cap_chan_close(chan, ECONNRESET);
6be36555 1386 l2cap_chan_unlock(chan);
47731de7 1387 continue;
b1235d79 1388 }
47731de7 1389
93c3e8f5 1390 l2cap_start_connection(chan);
47731de7 1391
89bc500e 1392 } else if (chan->state == BT_CONNECT2) {
79d554a6 1393 struct l2cap_conn_rsp rsp;
e9aeb2dd 1394 char buf[128];
fe4128e0
GP		 1395 rsp.scid = cpu_to_le16(chan->dcid);
1396 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1397
e7cafc45 1398 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1399 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1400 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1401 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1402 chan->ops->defer(chan);
f66dc81f
MH		 1403
1404 } else {
acdcabf5 1405 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1406 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1407 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1408 }
79d554a6 1409 } else {
dcf4adbf
JP		 1410 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1411 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1412 }
1413
fc7f8a7e 1414 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1415 sizeof(rsp), &rsp);
e9aeb2dd 1416
c1360a1c 1417 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1418 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1419 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1420 continue;
1421 }
1422
c1360a1c 1423 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1424 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1425 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1426 chan->num_conf_req++;
4e8402a3
MH		 1427 }
1428
6be36555 1429 l2cap_chan_unlock(chan);
4e8402a3
MH		 1430 }
1431
3df91ea2 1432 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1433}
1434
b62f328b
VT		 1435static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1436{
cc8dba2b 1437 struct hci_conn *hcon = conn->hcon;
dcc36c16 1438 struct hci_dev *hdev = hcon->hdev;
b62f328b 1439
e760ec12 1440 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1441
e760ec12
JH		 1442 /* For outgoing pairing which doesn't necessarily have an
1443 * associated socket (e.g. mgmt_pair_device).
1444 */
1445 if (hcon->out)
1446 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1447
80afeb6c
MH		 1448 /* For LE slave connections, make sure the connection interval
1449 * is in the range of the minium and maximum interval that has
1450 * been configured for this connection. If not, then trigger
1451 * the connection update procedure.
1452 */
40bef302 1453 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1454 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1455 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1456 struct l2cap_conn_param_update_req req;
1457
1458 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1459 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1460 req.latency = cpu_to_le16(hcon->le_conn_latency);
1461 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1462
1463 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1464 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1465 }
b62f328b
VT		 1466}
1467
4e8402a3
MH		 1468static void l2cap_conn_ready(struct l2cap_conn *conn)
1469{
48454079 1470 struct l2cap_chan *chan;
cc110922 1471 struct hci_conn *hcon = conn->hcon;
4e8402a3 1472
79d554a6 1473 BT_DBG("conn %p", conn);
4e8402a3 1474
e760ec12
JH		 1475 mutex_lock(&conn->chan_lock);
1476
3df91ea2 1477 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1478
6be36555 1479 l2cap_chan_lock(chan);
4e8402a3 1480
2338a7e0 1481 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1482 l2cap_chan_unlock(chan);
1483 continue;
1484 }
1485
cc110922 1486 if (hcon->type == LE_LINK) {
f1496dee 1487 l2cap_le_start(chan);
63128451 1488 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1489 l2cap_chan_ready(chan);
b501d6a1 1490
1c244f79 1491 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1492 l2cap_do_start(chan);
1c244f79 1493 }
4e8402a3 1494
6be36555 1495 l2cap_chan_unlock(chan);
4e8402a3 1496 }
79d554a6 1497
3df91ea2 1498 mutex_unlock(&conn->chan_lock);
61a939c6 1499
79a05727
JH		 1500 if (hcon->type == LE_LINK)
1501 l2cap_le_conn_ready(conn);
1502
61a939c6 1503 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1504}
1505
1506/* Notify sockets that we cannot guaranty reliability anymore */
1507static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1508{
48454079 1509 struct l2cap_chan *chan;
4e8402a3
MH		 1510
1511 BT_DBG("conn %p", conn);
1512
3df91ea2 1513 mutex_lock(&conn->chan_lock);
4e8402a3 1514
3df91ea2 1515 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1516 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1517 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1518 }
1519
3df91ea2 1520 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1521}
1522
f878fcad 1523static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1524{
f878fcad 1525 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1526 info_timer.work);
4e8402a3 1527
984947dc 1528 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1529 conn->info_ident = 0;
984947dc 1530
4e8402a3
MH		 1531 l2cap_conn_start(conn);
1532}
1533
2c8e1411
DH		 1534/*
1535 * l2cap_user
1536 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1537 * callback is called during registration. The ->remove callback is called
1538 * during unregistration.
1539 * An l2cap_user object can either be explicitly unregistered or when the
1540 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1541 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1542 * External modules must own a reference to the l2cap_conn object if they intend
1543 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1544 * any time if they don't.
1545 */
1546
1547int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1548{
1549 struct hci_dev *hdev = conn->hcon->hdev;
1550 int ret;
1551
1552 /* We need to check whether l2cap_conn is registered. If it is not, we
1553 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1554 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1555 * relies on the parent hci_conn object to be locked. This itself relies
1556 * on the hci_dev object to be locked. So we must lock the hci device
1557 * here, too. */
1558
1559 hci_dev_lock(hdev);
1560
1561 if (user->list.next || user->list.prev) {
1562 ret = -EINVAL;
1563 goto out_unlock;
1564 }
1565
1566 /* conn->hchan is NULL after l2cap_conn_del() was called */
1567 if (!conn->hchan) {
1568 ret = -ENODEV;
1569 goto out_unlock;
1570 }
1571
1572 ret = user->probe(conn, user);
1573 if (ret)
1574 goto out_unlock;
1575
1576 list_add(&user->list, &conn->users);
1577 ret = 0;
1578
1579out_unlock:
1580 hci_dev_unlock(hdev);
1581 return ret;
1582}
1583EXPORT_SYMBOL(l2cap_register_user);
1584
1585void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1586{
1587 struct hci_dev *hdev = conn->hcon->hdev;
1588
1589 hci_dev_lock(hdev);
1590
1591 if (!user->list.next || !user->list.prev)
1592 goto out_unlock;
1593
1594 list_del(&user->list);
1595 user->list.next = NULL;
1596 user->list.prev = NULL;
1597 user->remove(conn, user);
1598
1599out_unlock:
1600 hci_dev_unlock(hdev);
1601}
1602EXPORT_SYMBOL(l2cap_unregister_user);
1603
1604static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1605{
1606 struct l2cap_user *user;
1607
1608 while (!list_empty(&conn->users)) {
1609 user = list_first_entry(&conn->users, struct l2cap_user, list);
1610 list_del(&user->list);
1611 user->list.next = NULL;
1612 user->list.prev = NULL;
1613 user->remove(conn, user);
1614 }
1615}
1616
5d3de7df
VCG		 1617static void l2cap_conn_del(struct hci_conn *hcon, int err)
1618{
1619 struct l2cap_conn *conn = hcon->l2cap_data;
1620 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1621
1622 if (!conn)
1623 return;
1624
1625 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1626
1627 kfree_skb(conn->rx_skb);
1628
61a939c6 1629 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1630
1631 /* We can not call flush_work(&conn->pending_rx_work) here since we
1632 * might block if we are running on a worker from the same workqueue
1633 * pending_rx_work is waiting on.
1634 */
1635 if (work_pending(&conn->pending_rx_work))
1636 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1637
dec5b492
JH		 1638 if (work_pending(&conn->disconn_work))
1639 cancel_work_sync(&conn->disconn_work);
1640
2c8e1411
DH		 1641 l2cap_unregister_all_users(conn);
1642
3df91ea2
AE		 1643 mutex_lock(&conn->chan_lock);
1644
5d3de7df
VCG		 1645 /* Kill channels */
1646 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1647 l2cap_chan_hold(chan);
6be36555
AE		 1648 l2cap_chan_lock(chan);
1649
5d3de7df 1650 l2cap_chan_del(chan, err);
6be36555
AE		 1651
1652 l2cap_chan_unlock(chan);
1653
80b98027 1654 chan->ops->close(chan);
61d6ef3e 1655 l2cap_chan_put(chan);
5d3de7df
VCG		 1656 }
1657
3df91ea2
AE		 1658 mutex_unlock(&conn->chan_lock);
1659
73d80deb
LAD		 1660 hci_chan_del(conn->hchan);
1661
5d3de7df 1662 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1663 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1664
5d3de7df 1665 hcon->l2cap_data = NULL;
9c903e37
DH		 1666 conn->hchan = NULL;
1667 l2cap_conn_put(conn);
5d3de7df
VCG		 1668}
1669
dec5b492
JH		 1670static void disconn_work(struct work_struct *work)
1671{
1672 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1673 disconn_work);
1674
1675 BT_DBG("conn %p", conn);
1676
1677 l2cap_conn_del(conn->hcon, conn->disconn_err);
1678}
1679
1680void l2cap_conn_shutdown(struct l2cap_conn *conn, int err)
1681{
1682 struct hci_dev *hdev = conn->hcon->hdev;
1683
1684 BT_DBG("conn %p err %d", conn, err);
1685
1686 conn->disconn_err = err;
1687 queue_work(hdev->workqueue, &conn->disconn_work);
1688}
1689
9c903e37
DH		 1690static void l2cap_conn_free(struct kref *ref)
1691{
1692 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1693
1694 hci_conn_put(conn->hcon);
1695 kfree(conn);
1696}
1697
51bb8457 1698struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
9c903e37
DH		 1699{
1700 kref_get(&conn->ref);
51bb8457 1701 return conn;
9c903e37
DH		 1702}
1703EXPORT_SYMBOL(l2cap_conn_get);
1704
1705void l2cap_conn_put(struct l2cap_conn *conn)
1706{
1707 kref_put(&conn->ref, l2cap_conn_free);
1708}
1709EXPORT_SYMBOL(l2cap_conn_put);
1710
1da177e4 1711/* ---- Socket interface ---- */
1da177e4 1712
c2287681 1713/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1714 * Returns closest match.
1715 */
c2287681
IY		 1716static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1717 bdaddr_t *src,
bf20fd4e
JH		 1718 bdaddr_t *dst,
1719 u8 link_type)
1da177e4 1720{
23691d75 1721 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1722
23691d75 1723 read_lock(&chan_list_lock);
e0f0cb56 1724
23691d75 1725 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1726 if (state && c->state != state)
1da177e4
LT		 1727 continue;
1728
bf20fd4e
JH		 1729 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1730 continue;
1731
1732 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1733 continue;
1734
23691d75 1735 if (c->psm == psm) {
c2287681
IY		 1736 int src_match, dst_match;
1737 int src_any, dst_any;
1738
1da177e4 1739 /* Exact match. */
7eafc59e
MH		 1740 src_match = !bacmp(&c->src, src);
1741 dst_match = !bacmp(&c->dst, dst);
c2287681 1742 if (src_match && dst_match) {
a24cce14 1743 l2cap_chan_hold(c);
a7567b20 1744 read_unlock(&chan_list_lock);
23691d75
GP		 1745 return c;
1746 }
1da177e4
LT		 1747
1748 /* Closest match */
7eafc59e
MH		 1749 src_any = !bacmp(&c->src, BDADDR_ANY);
1750 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1751 if ((src_match && dst_any) || (src_any && dst_match) ||
1752 (src_any && dst_any))
23691d75 1753 c1 = c;
1da177e4
LT		 1754 }
1755 }
1da177e4 1756
a24cce14
JH		 1757 if (c1)
1758 l2cap_chan_hold(c1);
1759
23691d75 1760 read_unlock(&chan_list_lock);
e0f0cb56 1761
23691d75 1762 return c1;
1da177e4
LT		 1763}
1764
721c4181 1765static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1766{
721c4181 1767 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1768 monitor_timer.work);
e90bac06 1769
525cd185 1770 BT_DBG("chan %p", chan);
0e98958d 1771
6be36555
AE		 1772 l2cap_chan_lock(chan);
1773
80909e04 1774 if (!chan->conn) {
6be36555 1775 l2cap_chan_unlock(chan);
8d7e1c7f 1776 l2cap_chan_put(chan);
e90bac06
GP		 1777 return;
1778 }
1779
401bb1f7 1780 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1781
6be36555 1782 l2cap_chan_unlock(chan);
8d7e1c7f 1783 l2cap_chan_put(chan);
e90bac06
GP		 1784}
1785
721c4181 1786static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1787{
721c4181 1788 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1789 retrans_timer.work);
e90bac06 1790
49208c9c 1791 BT_DBG("chan %p", chan);
0e98958d 1792
6be36555
AE		 1793 l2cap_chan_lock(chan);
1794
80909e04
MM		 1795 if (!chan->conn) {
1796 l2cap_chan_unlock(chan);
1797 l2cap_chan_put(chan);
1798 return;
1799 }
6be36555 1800
401bb1f7 1801 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1802 l2cap_chan_unlock(chan);
8d7e1c7f 1803 l2cap_chan_put(chan);
e90bac06
GP		 1804}
1805
d660366d
GP		 1806static void l2cap_streaming_send(struct l2cap_chan *chan,
1807 struct sk_buff_head *skbs)
6840ed07 1808{
ccbb84af 1809 struct sk_buff *skb;
3733937d 1810 struct l2cap_ctrl *control;
6840ed07 1811
3733937d
MM		 1812 BT_DBG("chan %p, skbs %p", chan, skbs);
1813
b99e13ad
MM		 1814 if (__chan_is_moving(chan))
1815 return;
1816
3733937d
MM		 1817 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1818
1819 while (!skb_queue_empty(&chan->tx_q)) {
1820
1821 skb = skb_dequeue(&chan->tx_q);
1822
1823 bt_cb(skb)->control.retries = 1;
1824 control = &bt_cb(skb)->control;
1825
1826 control->reqseq = 0;
1827 control->txseq = chan->next_tx_seq;
1828
1829 __pack_control(chan, control, skb);
6840ed07 1830
47d1ec61 1831 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1832 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1833 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1834 }
1835
4343478f 1836 l2cap_do_send(chan, skb);
6840ed07 1837
b4400672 1838 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1839
836be934 1840 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1841 chan->frames_sent++;
6840ed07 1842 }
6840ed07
GP		 1843}
1844
67c9e840 1845static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1846{
1847 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1848 struct l2cap_ctrl *control;
1849 int sent = 0;
1850
1851 BT_DBG("chan %p", chan);
1c2acffb 1852
89bc500e 1853 if (chan->state != BT_CONNECTED)
c13ffa62 1854 return -ENOTCONN;
e90bac06 1855
94122bbe
MM		 1856 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1857 return 0;
1858
b99e13ad
MM		 1859 if (__chan_is_moving(chan))
1860 return 0;
1861
18a48e76
MM		 1862 while (chan->tx_send_head &&
1863 chan->unacked_frames < chan->remote_tx_win &&
1864 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1865
18a48e76 1866 skb = chan->tx_send_head;
e90bac06 1867
18a48e76
MM		 1868 bt_cb(skb)->control.retries = 1;
1869 control = &bt_cb(skb)->control;
95ffa978 1870
e2ab4353 1871 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1872 control->final = 1;
e2ab4353 1873
18a48e76
MM		 1874 control->reqseq = chan->buffer_seq;
1875 chan->last_acked_seq = chan->buffer_seq;
1876 control->txseq = chan->next_tx_seq;
1c2acffb 1877
18a48e76 1878 __pack_control(chan, control, skb);
e90bac06 1879
47d1ec61 1880 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1881 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1882 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1883 }
1884
18a48e76
MM		 1885 /* Clone after data has been modified. Data is assumed to be
1886 read-only (for locking purposes) on cloned sk_buffs.
1887 */
1888 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1889
18a48e76
MM		 1890 if (!tx_skb)
1891 break;
1c2acffb 1892
18a48e76 1893 __set_retrans_timer(chan);
836be934
AE		 1894
1895 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1896 chan->unacked_frames++;
6a026610 1897 chan->frames_sent++;
18a48e76 1898 sent++;
1c2acffb 1899
58d35f87
GP		 1900 if (skb_queue_is_last(&chan->tx_q, skb))
1901 chan->tx_send_head = NULL;
1c2acffb 1902 else
58d35f87 1903 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1904
1905 l2cap_do_send(chan, tx_skb);
b4400672 1906 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1907 }
1908
b4400672
AE		 1909 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1910 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1911
1912 return sent;
9e917af1
GP		 1913}
1914
e1fbd4c1
MM		 1915static void l2cap_ertm_resend(struct l2cap_chan *chan)
1916{
1917 struct l2cap_ctrl control;
1918 struct sk_buff *skb;
1919 struct sk_buff *tx_skb;
1920 u16 seq;
1921
1922 BT_DBG("chan %p", chan);
1923
1924 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1925 return;
1926
b99e13ad
MM		 1927 if (__chan_is_moving(chan))
1928 return;
1929
e1fbd4c1
MM		 1930 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1931 seq = l2cap_seq_list_pop(&chan->retrans_list);
1932
1933 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1934 if (!skb) {
1935 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1936 seq);
e1fbd4c1
MM		 1937 continue;
1938 }
1939
1940 bt_cb(skb)->control.retries++;
1941 control = bt_cb(skb)->control;
1942
1943 if (chan->max_tx != 0 &&
1944 bt_cb(skb)->control.retries > chan->max_tx) {
1945 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1946 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1947 l2cap_seq_list_clear(&chan->retrans_list);
1948 break;
1949 }
1950
1951 control.reqseq = chan->buffer_seq;
1952 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1953 control.final = 1;
1954 else
1955 control.final = 0;
1956
1957 if (skb_cloned(skb)) {
1958 /* Cloned sk_buffs are read-only, so we need a
1959 * writeable copy
1960 */
8bcde1f2 1961 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1962 } else {
8bcde1f2 1963 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1964 }
1965
1966 if (!tx_skb) {
1967 l2cap_seq_list_clear(&chan->retrans_list);
1968 break;
1969 }
1970
1971 /* Update skb contents */
1972 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1973 put_unaligned_le32(__pack_extended_control(&control),
1974 tx_skb->data + L2CAP_HDR_SIZE);
1975 } else {
1976 put_unaligned_le16(__pack_enhanced_control(&control),
1977 tx_skb->data + L2CAP_HDR_SIZE);
1978 }
1979
13cac152 1980 /* Update FCS */
e1fbd4c1 1981 if (chan->fcs == L2CAP_FCS_CRC16) {
13cac152
LR		 1982 u16 fcs = crc16(0, (u8 *) tx_skb->data,
1983 tx_skb->len - L2CAP_FCS_SIZE);
1984 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1985 L2CAP_FCS_SIZE);
e1fbd4c1
MM		 1986 }
1987
1988 l2cap_do_send(chan, tx_skb);
1989
1990 BT_DBG("Resent txseq %d", control.txseq);
1991
1992 chan->last_acked_seq = chan->buffer_seq;
1993 }
1994}
1995
f80842a8
MM		 1996static void l2cap_retransmit(struct l2cap_chan *chan,
1997 struct l2cap_ctrl *control)
1998{
1999 BT_DBG("chan %p, control %p", chan, control);
2000
2001 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2002 l2cap_ertm_resend(chan);
2003}
2004
d2a7ac5d
MM		 2005static void l2cap_retransmit_all(struct l2cap_chan *chan,
2006 struct l2cap_ctrl *control)
2007{
e1fbd4c1
MM		 2008 struct sk_buff *skb;
2009
2010 BT_DBG("chan %p, control %p", chan, control);
2011
2012 if (control->poll)
2013 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2014
2015 l2cap_seq_list_clear(&chan->retrans_list);
2016
2017 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2018 return;
2019
2020 if (chan->unacked_frames) {
2021 skb_queue_walk(&chan->tx_q, skb) {
2022 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2023 skb == chan->tx_send_head)
e1fbd4c1
MM		 2024 break;
2025 }
2026
2027 skb_queue_walk_from(&chan->tx_q, skb) {
2028 if (skb == chan->tx_send_head)
2029 break;
2030
2031 l2cap_seq_list_append(&chan->retrans_list,
2032 bt_cb(skb)->control.txseq);
2033 }
2034
2035 l2cap_ertm_resend(chan);
2036 }
d2a7ac5d
MM		 2037}
2038
0a0aba42 2039static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2040{
0a0aba42
MM		 2041 struct l2cap_ctrl control;
2042 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2043 chan->last_acked_seq);
2044 int threshold;
9e917af1 2045
0a0aba42
MM		 2046 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2047 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2048
0a0aba42
MM		 2049 memset(&control, 0, sizeof(control));
2050 control.sframe = 1;
dfc909be 2051
0a0aba42
MM		 2052 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2053 chan->rx_state == L2CAP_RX_STATE_RECV) {
2054 __clear_ack_timer(chan);
2055 control.super = L2CAP_SUPER_RNR;
2056 control.reqseq = chan->buffer_seq;
2057 l2cap_send_sframe(chan, &control);
2058 } else {
2059 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2060 l2cap_ertm_send(chan);
2061 /* If any i-frames were sent, they included an ack */
2062 if (chan->buffer_seq == chan->last_acked_seq)
2063 frames_to_ack = 0;
2064 }
dfc909be 2065
c20f8e35 2066 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2067 * Calculate without mul or div
2068 */
c20f8e35 2069 threshold = chan->ack_win;
0a0aba42
MM		 2070 threshold += threshold << 1;
2071 threshold >>= 2;
2072
b4400672 2073 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2074 threshold);
2075
2076 if (frames_to_ack >= threshold) {
2077 __clear_ack_timer(chan);
2078 control.super = L2CAP_SUPER_RR;
2079 control.reqseq = chan->buffer_seq;
2080 l2cap_send_sframe(chan, &control);
2081 frames_to_ack = 0;
2082 }
1c2acffb 2083
0a0aba42
MM		 2084 if (frames_to_ack)
2085 __set_ack_timer(chan);
2086 }
b17e73bb
SJ		 2087}
2088
04124681
GP		 2089static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2090 struct msghdr *msg, int len,
2091 int count, struct sk_buff *skb)
1c2acffb 2092{
0952a57a 2093 struct l2cap_conn *conn = chan->conn;
1c2acffb 2094 struct sk_buff **frag;
90338947 2095 int sent = 0;
1da177e4 2096
0498878b
JR		 2097 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2098 msg->msg_iov, count))
1c2acffb 2099 return -EFAULT;
1da177e4
LT		 2100
2101 sent += count;
2102 len -= count;
2103
2104 /* Continuation fragments (no L2CAP header) */
2105 frag = &skb_shinfo(skb)->frag_list;
2106 while (len) {
fbe00700
GP		 2107 struct sk_buff *tmp;
2108
1da177e4
LT		 2109 count = min_t(unsigned int, conn->mtu, len);
2110
d9fbd02b 2111 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2112 msg->msg_flags & MSG_DONTWAIT);
2113 if (IS_ERR(tmp))
2114 return PTR_ERR(tmp);
2115
2116 *frag = tmp;
2f7719ce 2117
0498878b
JR		 2118 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2119 msg->msg_iov, count))
1c2acffb 2120 return -EFAULT;
1da177e4
LT		 2121
2122 sent += count;
2123 len -= count;
2124
2d0ed3d5
GP		 2125 skb->len += (*frag)->len;
2126 skb->data_len += (*frag)->len;
2127
1da177e4
LT		 2128 frag = &(*frag)->next;
2129 }
1da177e4
LT		 2130
2131 return sent;
1c2acffb 2132}
1da177e4 2133
5e59b791 2134static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2135 struct msghdr *msg, size_t len)
1c2acffb 2136{
8c1d787b 2137 struct l2cap_conn *conn = chan->conn;
1c2acffb 2138 struct sk_buff *skb;
03a51213 2139 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2140 struct l2cap_hdr *lh;
2141
8d46321c
MH		 2142 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2143 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2144
2145 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2146
d9fbd02b 2147 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2148 msg->msg_flags & MSG_DONTWAIT);
2149 if (IS_ERR(skb))
2150 return skb;
1c2acffb
GP		 2151
2152 /* Create L2CAP header */
2153 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2154 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2155 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2156 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2157
0952a57a 2158 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2159 if (unlikely(err < 0)) {
2160 kfree_skb(skb);
2161 return ERR_PTR(err);
2162 }
2163 return skb;
2164}
2165
5e59b791 2166static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2167 struct msghdr *msg, size_t len)
1c2acffb 2168{
8c1d787b 2169 struct l2cap_conn *conn = chan->conn;
1c2acffb 2170 struct sk_buff *skb;
f2ba7fae 2171 int err, count;
1c2acffb
GP		 2172 struct l2cap_hdr *lh;
2173
b4400672 2174 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2175
f2ba7fae 2176 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2177
d9fbd02b 2178 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2179 msg->msg_flags & MSG_DONTWAIT);
2180 if (IS_ERR(skb))
2181 return skb;
1c2acffb
GP		 2182
2183 /* Create L2CAP header */
2184 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2185 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2186 lh->len = cpu_to_le16(len);
1c2acffb 2187
0952a57a 2188 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2189 if (unlikely(err < 0)) {
2190 kfree_skb(skb);
2191 return ERR_PTR(err);
2192 }
2193 return skb;
2194}
2195
ab0ff76d 2196static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2197 struct msghdr *msg, size_t len,
2198 u16 sdulen)
1c2acffb 2199{
8c1d787b 2200 struct l2cap_conn *conn = chan->conn;
1c2acffb 2201 struct sk_buff *skb;
e4ca6d98 2202 int err, count, hlen;
1c2acffb
GP		 2203 struct l2cap_hdr *lh;
2204
b4400672 2205 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2206
0ee0d208
GP		 2207 if (!conn)
2208 return ERR_PTR(-ENOTCONN);
2209
ba7aa64f 2210 hlen = __ertm_hdr_size(chan);
e4ca6d98 2211
c74e560c 2212 if (sdulen)
03a51213 2213 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2214
47d1ec61 2215 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2216 hlen += L2CAP_FCS_SIZE;
fcc203c3 2217
1c2acffb 2218 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2219
d9fbd02b 2220 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2221 msg->msg_flags & MSG_DONTWAIT);
2222 if (IS_ERR(skb))
2223 return skb;
1c2acffb
GP		 2224
2225 /* Create L2CAP header */
2226 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2227 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2228 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2229
18a48e76
MM		 2230 /* Control header is populated later */
2231 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2232 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2233 else
2234 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2235
c74e560c 2236 if (sdulen)
03a51213 2237 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2238
0952a57a 2239 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2240 if (unlikely(err < 0)) {
2241 kfree_skb(skb);
2242 return ERR_PTR(err);
2243 }
e90bac06 2244
18a48e76 2245 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2246 bt_cb(skb)->control.retries = 0;
1c2acffb 2247 return skb;
1da177e4
LT		 2248}
2249
94122bbe
MM		 2250static int l2cap_segment_sdu(struct l2cap_chan *chan,
2251 struct sk_buff_head *seg_queue,
2252 struct msghdr *msg, size_t len)
c74e560c 2253{
c74e560c 2254 struct sk_buff *skb;
94122bbe
MM		 2255 u16 sdu_len;
2256 size_t pdu_len;
94122bbe 2257 u8 sar;
c74e560c 2258
b4400672 2259 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2260
94122bbe
MM		 2261 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2262 * so fragmented skbs are not used. The HCI layer's handling
2263 * of fragmented skbs is not compatible with ERTM's queueing.
2264 */
c74e560c 2265
94122bbe
MM		 2266 /* PDU size is derived from the HCI MTU */
2267 pdu_len = chan->conn->mtu;
c74e560c 2268
a549574d
MM		 2269 /* Constrain PDU size for BR/EDR connections */
2270 if (!chan->hs_hcon)
2271 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2272
2273 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2274 if (chan->fcs)
2275 pdu_len -= L2CAP_FCS_SIZE;
2276
ba7aa64f 2277 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2278
2279 /* Remote device may have requested smaller PDUs */
2280 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2281
2282 if (len <= pdu_len) {
2283 sar = L2CAP_SAR_UNSEGMENTED;
2284 sdu_len = 0;
2285 pdu_len = len;
2286 } else {
2287 sar = L2CAP_SAR_START;
2288 sdu_len = len;
94122bbe
MM		 2289 }
2290
2291 while (len > 0) {
2292 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2293
c74e560c 2294 if (IS_ERR(skb)) {
94122bbe 2295 __skb_queue_purge(seg_queue);
c74e560c
GP		 2296 return PTR_ERR(skb);
2297 }
2298
94122bbe
MM		 2299 bt_cb(skb)->control.sar = sar;
2300 __skb_queue_tail(seg_queue, skb);
2301
2302 len -= pdu_len;
069cb270 2303 if (sdu_len)
94122bbe 2304 sdu_len = 0;
94122bbe
MM		 2305
2306 if (len <= pdu_len) {
2307 sar = L2CAP_SAR_END;
2308 pdu_len = len;
2309 } else {
2310 sar = L2CAP_SAR_CONTINUE;
2311 }
c74e560c 2312 }
c74e560c 2313
f0f62799 2314 return 0;
c74e560c
GP		 2315}
2316
177f8f2b
JH		 2317static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2318 struct msghdr *msg,
2319 size_t len, u16 sdulen)
2320{
2321 struct l2cap_conn *conn = chan->conn;
2322 struct sk_buff *skb;
2323 int err, count, hlen;
2324 struct l2cap_hdr *lh;
2325
2326 BT_DBG("chan %p len %zu", chan, len);
2327
2328 if (!conn)
2329 return ERR_PTR(-ENOTCONN);
2330
2331 hlen = L2CAP_HDR_SIZE;
2332
2333 if (sdulen)
2334 hlen += L2CAP_SDULEN_SIZE;
2335
2336 count = min_t(unsigned int, (conn->mtu - hlen), len);
2337
d9fbd02b 2338 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2339 msg->msg_flags & MSG_DONTWAIT);
2340 if (IS_ERR(skb))
2341 return skb;
2342
2343 /* Create L2CAP header */
2344 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2345 lh->cid = cpu_to_le16(chan->dcid);
2346 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2347
2348 if (sdulen)
2349 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2350
2351 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2352 if (unlikely(err < 0)) {
2353 kfree_skb(skb);
2354 return ERR_PTR(err);
2355 }
2356
2357 return skb;
2358}
2359
2360static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2361 struct sk_buff_head *seg_queue,
2362 struct msghdr *msg, size_t len)
2363{
2364 struct sk_buff *skb;
2365 size_t pdu_len;
2366 u16 sdu_len;
2367
2368 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2369
177f8f2b 2370 sdu_len = len;
72c6fb91 2371 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
177f8f2b
JH		 2372
2373 while (len > 0) {
2374 if (len <= pdu_len)
2375 pdu_len = len;
2376
2377 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2378 if (IS_ERR(skb)) {
2379 __skb_queue_purge(seg_queue);
2380 return PTR_ERR(skb);
2381 }
2382
2383 __skb_queue_tail(seg_queue, skb);
2384
2385 len -= pdu_len;
2386
2387 if (sdu_len) {
2388 sdu_len = 0;
2389 pdu_len += L2CAP_SDULEN_SIZE;
2390 }
2391 }
2392
2393 return 0;
2394}
2395
8d46321c 2396int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2397{
9a91a04a 2398 struct sk_buff *skb;
9a91a04a 2399 int err;
94122bbe 2400 struct sk_buff_head seg_queue;
9a91a04a 2401
31e8ce80
SWK		 2402 if (!chan->conn)
2403 return -ENOTCONN;
2404
9a91a04a 2405 /* Connectionless channel */
715ec005 2406 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2407 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2408 if (IS_ERR(skb))
2409 return PTR_ERR(skb);
2410
ede81a2a
AK		 2411 /* Channel lock is released before requesting new skb and then
2412 * reacquired thus we need to recheck channel state.
2413 */
2414 if (chan->state != BT_CONNECTED) {
2415 kfree_skb(skb);
2416 return -ENOTCONN;
2417 }
2418
9a91a04a
GP		 2419 l2cap_do_send(chan, skb);
2420 return len;
2421 }
2422
2423 switch (chan->mode) {
38319713 2424 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2425 /* Check outgoing MTU */
2426 if (len > chan->omtu)
2427 return -EMSGSIZE;
2428
fad5fc89
JH		 2429 if (!chan->tx_credits)
2430 return -EAGAIN;
2431
177f8f2b
JH		 2432 __skb_queue_head_init(&seg_queue);
2433
2434 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2435
2436 if (chan->state != BT_CONNECTED) {
2437 __skb_queue_purge(&seg_queue);
2438 err = -ENOTCONN;
2439 }
2440
2441 if (err)
2442 return err;
2443
2444 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2445
2446 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2447 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2448 chan->tx_credits--;
2449 }
2450
2451 if (!chan->tx_credits)
2452 chan->ops->suspend(chan);
2453
2454 err = len;
2455
2456 break;
2457
fad5fc89 2458 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2459 /* Check outgoing MTU */
2460 if (len > chan->omtu)
2461 return -EMSGSIZE;
2462
2463 /* Create a basic PDU */
8d46321c 2464 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2465 if (IS_ERR(skb))
2466 return PTR_ERR(skb);
2467
ede81a2a
AK		 2468 /* Channel lock is released before requesting new skb and then
2469 * reacquired thus we need to recheck channel state.
2470 */
2471 if (chan->state != BT_CONNECTED) {
2472 kfree_skb(skb);
2473 return -ENOTCONN;
2474 }
2475
9a91a04a
GP		 2476 l2cap_do_send(chan, skb);
2477 err = len;
2478 break;
2479
2480 case L2CAP_MODE_ERTM:
2481 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2482 /* Check outgoing MTU */
2483 if (len > chan->omtu) {
2484 err = -EMSGSIZE;
2485 break;
2486 }
9a91a04a 2487
94122bbe 2488 __skb_queue_head_init(&seg_queue);
9a91a04a 2489
94122bbe
MM		 2490 /* Do segmentation before calling in to the state machine,
2491 * since it's possible to block while waiting for memory
2492 * allocation.
2493 */
2494 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2495
94122bbe
MM		 2496 /* The channel could have been closed while segmenting,
2497 * check that it is still connected.
2498 */
2499 if (chan->state != BT_CONNECTED) {
2500 __skb_queue_purge(&seg_queue);
2501 err = -ENOTCONN;
9a91a04a
GP		 2502 }
2503
94122bbe 2504 if (err)
9a91a04a 2505 break;
9a91a04a 2506
3733937d 2507 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2508 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2509 else
d660366d 2510 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2511
d660366d 2512 err = len;
9a91a04a 2513
94122bbe
MM		 2514 /* If the skbs were not queued for sending, they'll still be in
2515 * seg_queue and need to be purged.
2516 */
2517 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2518 break;
2519
2520 default:
2521 BT_DBG("bad state %1.1x", chan->mode);
2522 err = -EBADFD;
2523 }
2524
2525 return err;
2526}
6b8d4a6a 2527EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2528
d2a7ac5d
MM		 2529static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2530{
bed68bde
MM		 2531 struct l2cap_ctrl control;
2532 u16 seq;
2533
b4400672 2534 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2535
2536 memset(&control, 0, sizeof(control));
2537 control.sframe = 1;
2538 control.super = L2CAP_SUPER_SREJ;
2539
2540 for (seq = chan->expected_tx_seq; seq != txseq;
2541 seq = __next_seq(chan, seq)) {
2542 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2543 control.reqseq = seq;
2544 l2cap_send_sframe(chan, &control);
2545 l2cap_seq_list_append(&chan->srej_list, seq);
2546 }
2547 }
2548
2549 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2550}
2551
2552static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2553{
bed68bde
MM		 2554 struct l2cap_ctrl control;
2555
2556 BT_DBG("chan %p", chan);
2557
2558 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2559 return;
2560
2561 memset(&control, 0, sizeof(control));
2562 control.sframe = 1;
2563 control.super = L2CAP_SUPER_SREJ;
2564 control.reqseq = chan->srej_list.tail;
2565 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2566}
2567
2568static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2569{
bed68bde
MM		 2570 struct l2cap_ctrl control;
2571 u16 initial_head;
2572 u16 seq;
2573
b4400672 2574 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2575
2576 memset(&control, 0, sizeof(control));
2577 control.sframe = 1;
2578 control.super = L2CAP_SUPER_SREJ;
2579
2580 /* Capture initial list head to allow only one pass through the list. */
2581 initial_head = chan->srej_list.head;
2582
2583 do {
2584 seq = l2cap_seq_list_pop(&chan->srej_list);
2585 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2586 break;
2587
2588 control.reqseq = seq;
2589 l2cap_send_sframe(chan, &control);
2590 l2cap_seq_list_append(&chan->srej_list, seq);
2591 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2592}
2593
608bcc6d
MM		 2594static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2595{
2596 struct sk_buff *acked_skb;
2597 u16 ackseq;
2598
b4400672 2599 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2600
2601 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2602 return;
2603
b4400672 2604 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2605 chan->expected_ack_seq, chan->unacked_frames);
2606
2607 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2608 ackseq = __next_seq(chan, ackseq)) {
2609
2610 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2611 if (acked_skb) {
2612 skb_unlink(acked_skb, &chan->tx_q);
2613 kfree_skb(acked_skb);
2614 chan->unacked_frames--;
2615 }
2616 }
2617
2618 chan->expected_ack_seq = reqseq;
2619
2620 if (chan->unacked_frames == 0)
2621 __clear_retrans_timer(chan);
2622
b4400672 2623 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2624}
2625
2626static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2627{
2628 BT_DBG("chan %p", chan);
2629
2630 chan->expected_tx_seq = chan->buffer_seq;
2631 l2cap_seq_list_clear(&chan->srej_list);
2632 skb_queue_purge(&chan->srej_q);
2633 chan->rx_state = L2CAP_RX_STATE_RECV;
2634}
2635
d660366d
GP		 2636static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2637 struct l2cap_ctrl *control,
2638 struct sk_buff_head *skbs, u8 event)
608bcc6d 2639{
608bcc6d
MM		 2640 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2641 event);
2642
2643 switch (event) {
2644 case L2CAP_EV_DATA_REQUEST:
2645 if (chan->tx_send_head == NULL)
2646 chan->tx_send_head = skb_peek(skbs);
2647
2648 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2649 l2cap_ertm_send(chan);
2650 break;
2651 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2652 BT_DBG("Enter LOCAL_BUSY");
2653 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2654
2655 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2656 /* The SREJ_SENT state must be aborted if we are to
2657 * enter the LOCAL_BUSY state.
2658 */
2659 l2cap_abort_rx_srej_sent(chan);
2660 }
2661
2662 l2cap_send_ack(chan);
2663
2664 break;
2665 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2666 BT_DBG("Exit LOCAL_BUSY");
2667 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2668
2669 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2670 struct l2cap_ctrl local_control;
2671
2672 memset(&local_control, 0, sizeof(local_control));
2673 local_control.sframe = 1;
2674 local_control.super = L2CAP_SUPER_RR;
2675 local_control.poll = 1;
2676 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2677 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2678
2679 chan->retry_count = 1;
2680 __set_monitor_timer(chan);
2681 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2682 }
2683 break;
2684 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2685 l2cap_process_reqseq(chan, control->reqseq);
2686 break;
2687 case L2CAP_EV_EXPLICIT_POLL:
2688 l2cap_send_rr_or_rnr(chan, 1);
2689 chan->retry_count = 1;
2690 __set_monitor_timer(chan);
2691 __clear_ack_timer(chan);
2692 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2693 break;
2694 case L2CAP_EV_RETRANS_TO:
2695 l2cap_send_rr_or_rnr(chan, 1);
2696 chan->retry_count = 1;
2697 __set_monitor_timer(chan);
2698 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2699 break;
2700 case L2CAP_EV_RECV_FBIT:
2701 /* Nothing to process */
2702 break;
2703 default:
2704 break;
2705 }
608bcc6d
MM		 2706}
2707
d660366d
GP		 2708static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2709 struct l2cap_ctrl *control,
2710 struct sk_buff_head *skbs, u8 event)
608bcc6d 2711{
608bcc6d
MM		 2712 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2713 event);
2714
2715 switch (event) {
2716 case L2CAP_EV_DATA_REQUEST:
2717 if (chan->tx_send_head == NULL)
2718 chan->tx_send_head = skb_peek(skbs);
2719 /* Queue data, but don't send. */
2720 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2721 break;
2722 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2723 BT_DBG("Enter LOCAL_BUSY");
2724 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2725
2726 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2727 /* The SREJ_SENT state must be aborted if we are to
2728 * enter the LOCAL_BUSY state.
2729 */
2730 l2cap_abort_rx_srej_sent(chan);
2731 }
2732
2733 l2cap_send_ack(chan);
2734
2735 break;
2736 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2737 BT_DBG("Exit LOCAL_BUSY");
2738 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2739
2740 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2741 struct l2cap_ctrl local_control;
2742 memset(&local_control, 0, sizeof(local_control));
2743 local_control.sframe = 1;
2744 local_control.super = L2CAP_SUPER_RR;
2745 local_control.poll = 1;
2746 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2747 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2748
2749 chan->retry_count = 1;
2750 __set_monitor_timer(chan);
2751 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2752 }
2753 break;
2754 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2755 l2cap_process_reqseq(chan, control->reqseq);
2756
2757 /* Fall through */
2758
2759 case L2CAP_EV_RECV_FBIT:
2760 if (control && control->final) {
2761 __clear_monitor_timer(chan);
2762 if (chan->unacked_frames > 0)
2763 __set_retrans_timer(chan);
2764 chan->retry_count = 0;
2765 chan->tx_state = L2CAP_TX_STATE_XMIT;
2766 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2767 }
2768 break;
2769 case L2CAP_EV_EXPLICIT_POLL:
2770 /* Ignore */
2771 break;
2772 case L2CAP_EV_MONITOR_TO:
2773 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2774 l2cap_send_rr_or_rnr(chan, 1);
2775 __set_monitor_timer(chan);
2776 chan->retry_count++;
2777 } else {
5e4e3972 2778 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2779 }
2780 break;
2781 default:
2782 break;
2783 }
608bcc6d
MM		 2784}
2785
d660366d
GP		 2786static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2787 struct sk_buff_head *skbs, u8 event)
608bcc6d 2788{
608bcc6d
MM		 2789 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2790 chan, control, skbs, event, chan->tx_state);
2791
2792 switch (chan->tx_state) {
2793 case L2CAP_TX_STATE_XMIT:
d660366d 2794 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2795 break;
2796 case L2CAP_TX_STATE_WAIT_F:
d660366d 2797 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2798 break;
2799 default:
2800 /* Ignore event */
2801 break;
2802 }
608bcc6d
MM		 2803}
2804
4b51dae9
MM		 2805static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2806 struct l2cap_ctrl *control)
2807{
2808 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2809 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2810}
2811
f80842a8
MM		 2812static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2813 struct l2cap_ctrl *control)
2814{
2815 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2816 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2817}
2818
1da177e4
LT		 2819/* Copy frame to all raw sockets on that connection */
2820static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2821{
1da177e4 2822 struct sk_buff *nskb;
48454079 2823 struct l2cap_chan *chan;
1da177e4
LT		 2824
2825 BT_DBG("conn %p", conn);
2826
3df91ea2 2827 mutex_lock(&conn->chan_lock);
3d57dc68 2828
3df91ea2 2829 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2830 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2831 continue;
2832
7f5396a7
GP		 2833 /* Don't send frame to the channel it came from */
2834 if (bt_cb(skb)->chan == chan)
1da177e4 2835 continue;
7f5396a7 2836
8bcde1f2 2837 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2838 if (!nskb)
1da177e4 2839 continue;
80b98027 2840 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2841 kfree_skb(nskb);
2842 }
3d57dc68 2843
3df91ea2 2844 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2845}
2846
2847/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2848static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2849 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2850{
2851 struct sk_buff *skb, **frag;
2852 struct l2cap_cmd_hdr *cmd;
2853 struct l2cap_hdr *lh;
2854 int len, count;
2855
b4400672
AE		 2856 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2857 conn, code, ident, dlen);
1da177e4 2858
300b962e
AL		 2859 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2860 return NULL;
2861
1da177e4
LT		 2862 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2863 count = min_t(unsigned int, conn->mtu, len);
2864
8bcde1f2 2865 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2866 if (!skb)
2867 return NULL;
2868
2869 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2870 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2871
2872 if (conn->hcon->type == LE_LINK)
dcf4adbf 2873 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2874 else
dcf4adbf 2875 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2876
2877 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2878 cmd->code = code;
2879 cmd->ident = ident;
aca3192c 2880 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2881
2882 if (dlen) {
2883 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2884 memcpy(skb_put(skb, count), data, count);
2885 data += count;
2886 }
2887
2888 len -= skb->len;
2889
2890 /* Continuation fragments (no L2CAP header) */
2891 frag = &skb_shinfo(skb)->frag_list;
2892 while (len) {
2893 count = min_t(unsigned int, conn->mtu, len);
2894
8bcde1f2 2895 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2896 if (!*frag)
2897 goto fail;
2898
2899 memcpy(skb_put(*frag, count), data, count);
2900
2901 len -= count;
2902 data += count;
2903
2904 frag = &(*frag)->next;
2905 }
2906
2907 return skb;
2908
2909fail:
2910 kfree_skb(skb);
2911 return NULL;
2912}
2913
2d792818
GP		 2914static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2915 unsigned long *val)
1da177e4
LT		 2916{
2917 struct l2cap_conf_opt *opt = *ptr;
2918 int len;
2919
2920 len = L2CAP_CONF_OPT_SIZE + opt->len;
2921 *ptr += len;
2922
2923 *type = opt->type;
2924 *olen = opt->len;
2925
2926 switch (opt->len) {
2927 case 1:
2928 *val = *((u8 *) opt->val);
2929 break;
2930
2931 case 2:
bfaaeb3e 2932 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2933 break;
2934
2935 case 4:
bfaaeb3e 2936 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2937 break;
2938
2939 default:
2940 *val = (unsigned long) opt->val;
2941 break;
2942 }
2943
b4400672 2944 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2945 return len;
2946}
2947
1da177e4
LT		 2948static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2949{
2950 struct l2cap_conf_opt *opt = *ptr;
2951
b4400672 2952 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2953
2954 opt->type = type;
2955 opt->len = len;
2956
2957 switch (len) {
2958 case 1:
2959 *((u8 *) opt->val) = val;
2960 break;
2961
2962 case 2:
4f8b691c 2963 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2964 break;
2965
2966 case 4:
4f8b691c 2967 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2968 break;
2969
2970 default:
2971 memcpy(opt->val, (void *) val, len);
2972 break;
2973 }
2974
2975 *ptr += L2CAP_CONF_OPT_SIZE + len;
2976}
2977
f89cef09
AE		 2978static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2979{
2980 struct l2cap_conf_efs efs;
2981
1ec918ce 2982 switch (chan->mode) {
f89cef09
AE		 2983 case L2CAP_MODE_ERTM:
2984 efs.id = chan->local_id;
2985 efs.stype = chan->local_stype;
2986 efs.msdu = cpu_to_le16(chan->local_msdu);
2987 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2988 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2989 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2990 break;
2991
2992 case L2CAP_MODE_STREAMING:
2993 efs.id = 1;
2994 efs.stype = L2CAP_SERV_BESTEFFORT;
2995 efs.msdu = cpu_to_le16(chan->local_msdu);
2996 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2997 efs.acc_lat = 0;
2998 efs.flush_to = 0;
2999 break;
3000
3001 default:
3002 return;
3003 }
3004
3005 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3006 (unsigned long) &efs);
f89cef09
AE		 3007}
3008
721c4181 3009static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3010{
721c4181 3011 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3012 ack_timer.work);
3013 u16 frames_to_ack;
c1b4f43b 3014
2fb9b3d4
GP		 3015 BT_DBG("chan %p", chan);
3016
6be36555
AE		 3017 l2cap_chan_lock(chan);
3018
0362520b
MM		 3019 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3020 chan->last_acked_seq);
6be36555 3021
0362520b
MM		 3022 if (frames_to_ack)
3023 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3024
0362520b 3025 l2cap_chan_unlock(chan);
09bfb2ee 3026 l2cap_chan_put(chan);
c1b4f43b
GP		 3027}
3028
466f8004 3029int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3030{
3c588192
MM		 3031 int err;
3032
105bdf9e
MM		 3033 chan->next_tx_seq = 0;
3034 chan->expected_tx_seq = 0;
42e5c802 3035 chan->expected_ack_seq = 0;
6a026610 3036 chan->unacked_frames = 0;
42e5c802 3037 chan->buffer_seq = 0;
6a026610 3038 chan->frames_sent = 0;
105bdf9e
MM		 3039 chan->last_acked_seq = 0;
3040 chan->sdu = NULL;
3041 chan->sdu_last_frag = NULL;
3042 chan->sdu_len = 0;
3043
d34c34fb
MM		 3044 skb_queue_head_init(&chan->tx_q);
3045
6ed971ca
MH		 3046 chan->local_amp_id = AMP_ID_BREDR;
3047 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3048 chan->move_state = L2CAP_MOVE_STABLE;
3049 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3050
105bdf9e
MM		 3051 if (chan->mode != L2CAP_MODE_ERTM)
3052 return 0;
3053
3054 chan->rx_state = L2CAP_RX_STATE_RECV;
3055 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3056
721c4181
GP		 3057 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3058 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3059 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3060
f1c6775b 3061 skb_queue_head_init(&chan->srej_q);
1890d36b 3062
3c588192
MM		 3063 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3064 if (err < 0)
3065 return err;
3066
9dc9affc
MM		 3067 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3068 if (err < 0)
3069 l2cap_seq_list_free(&chan->srej_list);
3070
3071 return err;
0565c1c2
GP		 3072}
3073
f2fcfcd6
GP		 3074static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3075{
3076 switch (mode) {
3077 case L2CAP_MODE_STREAMING:
3078 case L2CAP_MODE_ERTM:
3079 if (l2cap_mode_supported(mode, remote_feat_mask))
3080 return mode;
3081 /* fall through */
3082 default:
3083 return L2CAP_MODE_BASIC;
3084 }
3085}
3086
848566b3 3087static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3088{
848566b3 3089 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3090}
3091
848566b3 3092static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3093{
848566b3 3094 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3095}
3096
36c86c85
MM		 3097static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3098 struct l2cap_conf_rfc *rfc)
3099{
6ed971ca 3100 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3101 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3102
3103 /* Class 1 devices have must have ERTM timeouts
3104 * exceeding the Link Supervision Timeout. The
3105 * default Link Supervision Timeout for AMP
3106 * controllers is 10 seconds.
3107 *
3108 * Class 1 devices use 0xffffffff for their
3109 * best-effort flush timeout, so the clamping logic
3110 * will result in a timeout that meets the above
3111 * requirement. ERTM timeouts are 16-bit values, so
3112 * the maximum timeout is 65.535 seconds.
3113 */
3114
3115 /* Convert timeout to milliseconds and round */
3116 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3117
3118 /* This is the recommended formula for class 2 devices
3119 * that start ERTM timers when packets are sent to the
3120 * controller.
3121 */
3122 ertm_to = 3 * ertm_to + 500;
3123
3124 if (ertm_to > 0xffff)
3125 ertm_to = 0xffff;
3126
3127 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3128 rfc->monitor_timeout = rfc->retrans_timeout;
3129 } else {
dcf4adbf
JP		 3130 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3131 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3132 }
3133}
3134
6327eb98
AE		 3135static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3136{
3137 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3138 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3139 /* use extended control field */
3140 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3141 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3142 } else {
6327eb98 3143 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3144 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3145 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3146 }
c20f8e35 3147 chan->ack_win = chan->tx_win;
6327eb98
AE		 3148}
3149
710f9b0a 3150static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3151{
1da177e4 3152 struct l2cap_conf_req *req = data;
0c1bc5c6 3153 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3154 void *ptr = req->data;
c8f79162 3155 u16 size;
1da177e4 3156
49208c9c 3157 BT_DBG("chan %p", chan);
1da177e4 3158
73ffa904 3159 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3160 goto done;
3161
0c1bc5c6 3162 switch (chan->mode) {
f2fcfcd6
GP		 3163 case L2CAP_MODE_STREAMING:
3164 case L2CAP_MODE_ERTM:
c1360a1c 3165 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3166 break;
85eb53c6 3167
848566b3 3168 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3169 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3170
2ba13ed6 3171 /* fall through */
f2fcfcd6 3172 default:
8c1d787b 3173 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3174 break;
3175 }
3176
3177done:
0c1bc5c6
GP		 3178 if (chan->imtu != L2CAP_DEFAULT_MTU)
3179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3180
0c1bc5c6 3181 switch (chan->mode) {
65c7c491 3182 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3183 if (disable_ertm)
3184 break;
3185
8c1d787b 3186 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3187 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3188 break;
3189
62547752
GP		 3190 rfc.mode = L2CAP_MODE_BASIC;
3191 rfc.txwin_size = 0;
3192 rfc.max_transmit = 0;
3193 rfc.retrans_timeout = 0;
3194 rfc.monitor_timeout = 0;
3195 rfc.max_pdu_size = 0;
3196
63406504 3197 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3198 (unsigned long) &rfc);
65c7c491
MH		 3199 break;
3200
3201 case L2CAP_MODE_ERTM:
3202 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3203 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3204
3205 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3206
3207 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3208 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3209 L2CAP_FCS_SIZE);
c8f79162 3210 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3211
6327eb98
AE		 3212 l2cap_txwin_setup(chan);
3213
3214 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3215 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3216
63406504 3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3218 (unsigned long) &rfc);
63406504 3219
f89cef09
AE		 3220 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3221 l2cap_add_opt_efs(&ptr, chan);
3222
6327eb98
AE		 3223 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3225 chan->tx_win);
60918918
AE		 3226
3227 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3228 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3229 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3230 chan->fcs = L2CAP_FCS_NONE;
3231 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3232 chan->fcs);
3233 }
f2fcfcd6
GP		 3234 break;
3235
3236 case L2CAP_MODE_STREAMING:
273759e2 3237 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3238 rfc.mode = L2CAP_MODE_STREAMING;
3239 rfc.txwin_size = 0;
3240 rfc.max_transmit = 0;
3241 rfc.retrans_timeout = 0;
3242 rfc.monitor_timeout = 0;
c8f79162
AE		 3243
3244 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3245 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3246 L2CAP_FCS_SIZE);
c8f79162 3247 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3248
63406504 3249 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3250 (unsigned long) &rfc);
63406504 3251
f89cef09
AE		 3252 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3253 l2cap_add_opt_efs(&ptr, chan);
3254
60918918
AE		 3255 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3256 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3257 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3258 chan->fcs = L2CAP_FCS_NONE;
3259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3260 chan->fcs);
3261 }
65c7c491
MH		 3262 break;
3263 }
1da177e4 3264
fe4128e0 3265 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3266 req->flags = cpu_to_le16(0);
1da177e4
LT		 3267
3268 return ptr - data;
3269}
3270
73ffa904 3271static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3272{
5dee9e7c
MH		 3273 struct l2cap_conf_rsp *rsp = data;
3274 void *ptr = rsp->data;
73ffa904
GP		 3275 void *req = chan->conf_req;
3276 int len = chan->conf_len;
5dee9e7c
MH		 3277 int type, hint, olen;
3278 unsigned long val;
6464f35f 3279 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3280 struct l2cap_conf_efs efs;
3281 u8 remote_efs = 0;
861d6882 3282 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3283 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3284 u16 size;
1da177e4 3285
73ffa904 3286 BT_DBG("chan %p", chan);
820ae1b8 3287
5dee9e7c
MH		 3288 while (len >= L2CAP_CONF_OPT_SIZE) {
3289 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3290
589d2746 3291 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3292 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3293
3294 switch (type) {
3295 case L2CAP_CONF_MTU:
861d6882 3296 mtu = val;
5dee9e7c
MH		 3297 break;
3298
3299 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3300 chan->flush_to = val;
5dee9e7c
MH		 3301 break;
3302
3303 case L2CAP_CONF_QOS:
3304 break;
3305
6464f35f
MH		 3306 case L2CAP_CONF_RFC:
3307 if (olen == sizeof(rfc))
3308 memcpy(&rfc, (void *) val, olen);
3309 break;
3310
fcc203c3
GP		 3311 case L2CAP_CONF_FCS:
3312 if (val == L2CAP_FCS_NONE)
f2592d3e 3313 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3314 break;
fcc203c3 3315
42dceae2
AE		 3316 case L2CAP_CONF_EFS:
3317 remote_efs = 1;
3318 if (olen == sizeof(efs))
3319 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3320 break;
3321
6327eb98 3322 case L2CAP_CONF_EWS:
848566b3 3323 if (!chan->conn->hs_enabled)
6327eb98 3324 return -ECONNREFUSED;
fcc203c3 3325
6327eb98
AE		 3326 set_bit(FLAG_EXT_CTRL, &chan->flags);
3327 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3328 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3329 chan->remote_tx_win = val;
fcc203c3
GP		 3330 break;
3331
5dee9e7c
MH		 3332 default:
3333 if (hint)
3334 break;
3335
3336 result = L2CAP_CONF_UNKNOWN;
3337 *((u8 *) ptr++) = type;
3338 break;
3339 }
3340 }
3341
73ffa904 3342 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3343 goto done;
3344
0c1bc5c6 3345 switch (chan->mode) {
f2fcfcd6
GP		 3346 case L2CAP_MODE_STREAMING:
3347 case L2CAP_MODE_ERTM:
c1360a1c 3348 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3349 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3350 chan->conn->feat_mask);
85eb53c6
GP		 3351 break;
3352 }
3353
42dceae2 3354 if (remote_efs) {
848566b3 3355 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3356 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3357 else
3358 return -ECONNREFUSED;
3359 }
3360
0c1bc5c6 3361 if (chan->mode != rfc.mode)
f2fcfcd6 3362 return -ECONNREFUSED;
742e519b 3363
f2fcfcd6 3364 break;
f2fcfcd6
GP		 3365 }
3366
3367done:
0c1bc5c6 3368 if (chan->mode != rfc.mode) {
f2fcfcd6 3369 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3370 rfc.mode = chan->mode;
f2fcfcd6 3371
73ffa904 3372 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3373 return -ECONNREFUSED;
3374
2d792818
GP		 3375 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3376 (unsigned long) &rfc);
f2fcfcd6
GP		 3377 }
3378
5dee9e7c
MH		 3379 if (result == L2CAP_CONF_SUCCESS) {
3380 /* Configure output options and let the other side know
3381 * which ones we don't like. */
3382
f2fcfcd6
GP		 3383 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3384 result = L2CAP_CONF_UNACCEPT;
3385 else {
0c1bc5c6 3386 chan->omtu = mtu;
c1360a1c 3387 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3388 }
0c1bc5c6 3389 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3390
42dceae2
AE		 3391 if (remote_efs) {
3392 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3393 efs.stype != L2CAP_SERV_NOTRAFIC &&
3394 efs.stype != chan->local_stype) {
42dceae2
AE		 3395
3396 result = L2CAP_CONF_UNACCEPT;
3397
3398 if (chan->num_conf_req >= 1)
3399 return -ECONNREFUSED;
3400
3401 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3402 sizeof(efs),
3403 (unsigned long) &efs);
0e8b207e 3404 } else {
3e6b3b95 3405 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3406 result = L2CAP_CONF_PENDING;
3407 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3408 }
3409 }
3410
f2fcfcd6
GP		 3411 switch (rfc.mode) {
3412 case L2CAP_MODE_BASIC:
47d1ec61 3413 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3414 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3415 break;
3416
3417 case L2CAP_MODE_ERTM:
6327eb98
AE		 3418 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3419 chan->remote_tx_win = rfc.txwin_size;
3420 else
3421 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3422
2c03a7a4 3423 chan->remote_max_tx = rfc.max_transmit;
1c762159 3424
c8f79162 3425 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3426 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3427 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3428 rfc.max_pdu_size = cpu_to_le16(size);
3429 chan->remote_mps = size;
f2fcfcd6 3430
36c86c85 3431 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3432
c1360a1c 3433 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3434
3435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3436 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3437
42dceae2
AE		 3438 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3439 chan->remote_id = efs.id;
3440 chan->remote_stype = efs.stype;
3441 chan->remote_msdu = le16_to_cpu(efs.msdu);
3442 chan->remote_flush_to =
2d792818 3443 le32_to_cpu(efs.flush_to);
42dceae2 3444 chan->remote_acc_lat =
2d792818 3445 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3446 chan->remote_sdu_itime =
3447 le32_to_cpu(efs.sdu_itime);
3448 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3449 sizeof(efs),
3450 (unsigned long) &efs);
42dceae2 3451 }
f2fcfcd6
GP		 3452 break;
3453
3454 case L2CAP_MODE_STREAMING:
c8f79162 3455 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3456 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3457 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3458 rfc.max_pdu_size = cpu_to_le16(size);
3459 chan->remote_mps = size;
f2fcfcd6 3460
c1360a1c 3461 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3462
2d792818
GP		 3463 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3464 (unsigned long) &rfc);
68ae6639 3465
f2fcfcd6
GP		 3466 break;
3467
3468 default:
5dee9e7c 3469 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3470
6464f35f 3471 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3472 rfc.mode = chan->mode;
f2fcfcd6 3473 }
6464f35f 3474
f2fcfcd6 3475 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3476 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3477 }
fe4128e0 3478 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3479 rsp->result = cpu_to_le16(result);
dcf4adbf 3480 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3481
3482 return ptr - data;
1da177e4
LT		 3483}
3484
2d792818
GP		 3485static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3486 void *data, u16 *result)
f2fcfcd6 3487{
f2fcfcd6
GP		 3488 struct l2cap_conf_req *req = data;
3489 void *ptr = req->data;
3490 int type, olen;
3491 unsigned long val;
36e999a8 3492 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3493 struct l2cap_conf_efs efs;
f2fcfcd6 3494
fe4128e0 3495 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3496
3497 while (len >= L2CAP_CONF_OPT_SIZE) {
3498 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3499
3500 switch (type) {
3501 case L2CAP_CONF_MTU:
3502 if (val < L2CAP_DEFAULT_MIN_MTU) {
3503 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3504 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3505 } else
0c1bc5c6
GP		 3506 chan->imtu = val;
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3508 break;
3509
3510 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3511 chan->flush_to = val;
f2fcfcd6 3512 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3513 2, chan->flush_to);
f2fcfcd6
GP		 3514 break;
3515
3516 case L2CAP_CONF_RFC:
3517 if (olen == sizeof(rfc))
3518 memcpy(&rfc, (void *)val, olen);
3519
c1360a1c 3520 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3521 rfc.mode != chan->mode)
f2fcfcd6
GP		 3522 return -ECONNREFUSED;
3523
47d1ec61 3524 chan->fcs = 0;
f2fcfcd6
GP		 3525
3526 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3527 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3528 break;
6327eb98
AE		 3529
3530 case L2CAP_CONF_EWS:
c20f8e35 3531 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3533 chan->tx_win);
6327eb98 3534 break;
66af7aaf
AE		 3535
3536 case L2CAP_CONF_EFS:
3537 if (olen == sizeof(efs))
3538 memcpy(&efs, (void *)val, olen);
3539
3540 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3541 efs.stype != L2CAP_SERV_NOTRAFIC &&
3542 efs.stype != chan->local_stype)
66af7aaf
AE		 3543 return -ECONNREFUSED;
3544
2d792818
GP		 3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3546 (unsigned long) &efs);
66af7aaf 3547 break;
cbabee78
AE		 3548
3549 case L2CAP_CONF_FCS:
3550 if (*result == L2CAP_CONF_PENDING)
3551 if (val == L2CAP_FCS_NONE)
f2592d3e 3552 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3553 &chan->conf_state);
3554 break;
f2fcfcd6
GP		 3555 }
3556 }
3557
0c1bc5c6 3558 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3559 return -ECONNREFUSED;
3560
0c1bc5c6 3561 chan->mode = rfc.mode;
6c2ea7a8 3562
0e8b207e 3563 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3564 switch (rfc.mode) {
3565 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3566 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3567 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3568 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3569 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3570 chan->ack_win = min_t(u16, chan->ack_win,
3571 rfc.txwin_size);
66af7aaf
AE		 3572
3573 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3574 chan->local_msdu = le16_to_cpu(efs.msdu);
3575 chan->local_sdu_itime =
2d792818 3576 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3577 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3578 chan->local_flush_to =
2d792818 3579 le32_to_cpu(efs.flush_to);
66af7aaf 3580 }
f2fcfcd6 3581 break;
66af7aaf 3582
f2fcfcd6 3583 case L2CAP_MODE_STREAMING:
47d1ec61 3584 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3585 }
3586 }
3587
fe4128e0 3588 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3589 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3590
3591 return ptr - data;
3592}
3593
2d792818
GP		 3594static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3595 u16 result, u16 flags)
1da177e4
LT		 3596{
3597 struct l2cap_conf_rsp *rsp = data;
3598 void *ptr = rsp->data;
1da177e4 3599
fe4128e0 3600 BT_DBG("chan %p", chan);
1da177e4 3601
fe4128e0 3602 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3603 rsp->result = cpu_to_le16(result);
aca3192c 3604 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3605
3606 return ptr - data;
3607}
3608
27e2d4c8
JH		 3609void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3610{
3611 struct l2cap_le_conn_rsp rsp;
3612 struct l2cap_conn *conn = chan->conn;
3613
3614 BT_DBG("chan %p", chan);
3615
3616 rsp.dcid = cpu_to_le16(chan->scid);
3617 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3618 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3619 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3620 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3621
3622 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3623 &rsp);
3624}
3625
8c1d787b 3626void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3627{
3628 struct l2cap_conn_rsp rsp;
8c1d787b 3629 struct l2cap_conn *conn = chan->conn;
710f9b0a 3630 u8 buf[128];
439f34ac 3631 u8 rsp_code;
710f9b0a 3632
fe4128e0
GP		 3633 rsp.scid = cpu_to_le16(chan->dcid);
3634 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3635 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3636 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3637
3638 if (chan->hs_hcon)
3639 rsp_code = L2CAP_CREATE_CHAN_RSP;
3640 else
3641 rsp_code = L2CAP_CONN_RSP;
3642
3643 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3644
3645 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3646
c1360a1c 3647 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3648 return;
3649
710f9b0a 3650 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3651 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3652 chan->num_conf_req++;
3653}
3654
47d1ec61 3655static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3656{
7b1c0049
GP		 3657 int type, olen;
3658 unsigned long val;
c20f8e35
MM		 3659 /* Use sane default values in case a misbehaving remote device
3660 * did not send an RFC or extended window size option.
3661 */
3662 u16 txwin_ext = chan->ack_win;
3663 struct l2cap_conf_rfc rfc = {
3664 .mode = chan->mode,
dcf4adbf
JP		 3665 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3666 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3667 .max_pdu_size = cpu_to_le16(chan->imtu),
3668 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3669 };
7b1c0049 3670
47d1ec61 3671 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3672
0c1bc5c6 3673 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3674 return;
3675
3676 while (len >= L2CAP_CONF_OPT_SIZE) {
3677 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3678
c20f8e35
MM		 3679 switch (type) {
3680 case L2CAP_CONF_RFC:
3681 if (olen == sizeof(rfc))
3682 memcpy(&rfc, (void *)val, olen);
8f321f85 3683 break;
c20f8e35
MM		 3684 case L2CAP_CONF_EWS:
3685 txwin_ext = val;
3686 break;
3687 }
7b1c0049
GP		 3688 }
3689
7b1c0049
GP		 3690 switch (rfc.mode) {
3691 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3692 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3693 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3694 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3695 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3696 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3697 else
3698 chan->ack_win = min_t(u16, chan->ack_win,
3699 rfc.txwin_size);
7b1c0049
GP		 3700 break;
3701 case L2CAP_MODE_STREAMING:
47d1ec61 3702 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3703 }
3704}
3705
2d792818 3706static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3707 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3708 u8 *data)
4e8402a3 3709{
e2fd318e 3710 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3711
cb3b3152
JH		 3712 if (cmd_len < sizeof(*rej))
3713 return -EPROTO;
3714
e2fd318e 3715 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3716 return 0;
3717
3718 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3719 cmd->ident == conn->info_ident) {
17cd3f37 3720 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3721
3722 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3723 conn->info_ident = 0;
984947dc 3724
4e8402a3
MH		 3725 l2cap_conn_start(conn);
3726 }
3727
3728 return 0;
3729}
3730
1700915f
MM		 3731static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3732 struct l2cap_cmd_hdr *cmd,
3733 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3734{
1da177e4
LT		 3735 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3736 struct l2cap_conn_rsp rsp;
23691d75 3737 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3738 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3739
3740 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3741 __le16 psm = req->psm;
1da177e4 3742
097db76c 3743 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3744
3745 /* Check if we have socket listening on psm */
6f59b904 3746 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3747 &conn->hcon->dst, ACL_LINK);
23691d75 3748 if (!pchan) {
1da177e4
LT		 3749 result = L2CAP_CR_BAD_PSM;
3750 goto sendresp;
3751 }
3752
3df91ea2 3753 mutex_lock(&conn->chan_lock);
8ffb9290 3754 l2cap_chan_lock(pchan);
e0f0cb56 3755
e7c29cb1 3756 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3757 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3758 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3759 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3760 result = L2CAP_CR_SEC_BLOCK;
3761 goto response;
3762 }
3763
1da177e4
LT		 3764 result = L2CAP_CR_NO_MEM;
3765
2dfa1003
GP		 3766 /* Check if we already have channel with that dcid */
3767 if (__l2cap_get_chan_by_dcid(conn, scid))
3768 goto response;
3769
80b98027 3770 chan = pchan->ops->new_connection(pchan);
80808e43 3771 if (!chan)
1da177e4
LT		 3772 goto response;
3773
330b6c15
SS		 3774 /* For certain devices (ex: HID mouse), support for authentication,
3775 * pairing and bonding is optional. For such devices, inorder to avoid
3776 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3777 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3778 */
3779 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3780
7eafc59e
MH		 3781 bacpy(&chan->src, &conn->hcon->src);
3782 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3783 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3784 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3785 chan->psm = psm;
3786 chan->dcid = scid;
1700915f 3787 chan->local_amp_id = amp_id;
1da177e4 3788
6be36555 3789 __l2cap_chan_add(conn, chan);
48454079 3790
fe4128e0 3791 dcid = chan->scid;
1da177e4 3792
8d836d71 3793 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3794
fc7f8a7e 3795 chan->ident = cmd->ident;
1da177e4 3796
984947dc 3797 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3798 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3799 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3800 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3801 result = L2CAP_CR_PEND;
3802 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3803 chan->ops->defer(chan);
f66dc81f 3804 } else {
1700915f
MM		 3805 /* Force pending result for AMP controllers.
3806 * The connection will succeed after the
3807 * physical link is up.
3808 */
6ed971ca 3809 if (amp_id == AMP_ID_BREDR) {
f93fa273 3810 l2cap_state_change(chan, BT_CONFIG);
1700915f 3811 result = L2CAP_CR_SUCCESS;
6ed971ca 3812 } else {
f93fa273 3813 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3814 result = L2CAP_CR_PEND;
1700915f 3815 }
f66dc81f
MH		 3816 status = L2CAP_CS_NO_INFO;
3817 }
79d554a6 3818 } else {
f93fa273 3819 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3820 result = L2CAP_CR_PEND;
3821 status = L2CAP_CS_AUTHEN_PEND;
3822 }
3823 } else {
f93fa273 3824 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3825 result = L2CAP_CR_PEND;
3826 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3827 }
3828
1da177e4 3829response:
8ffb9290 3830 l2cap_chan_unlock(pchan);
3df91ea2 3831 mutex_unlock(&conn->chan_lock);
a24cce14 3832 l2cap_chan_put(pchan);
1da177e4
LT		 3833
3834sendresp:
aca3192c
YH		 3835 rsp.scid = cpu_to_le16(scid);
3836 rsp.dcid = cpu_to_le16(dcid);
3837 rsp.result = cpu_to_le16(result);
3838 rsp.status = cpu_to_le16(status);
4c89b6aa 3839 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3840
3841 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3842 struct l2cap_info_req info;
dcf4adbf 3843 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3844
3845 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3846 conn->info_ident = l2cap_get_ident(conn);
3847
ba13ccd9 3848 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3849
2d792818
GP		 3850 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3851 sizeof(info), &info);
79d554a6
MH		 3852 }
3853
c1360a1c 3854 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3855 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3856 u8 buf[128];
c1360a1c 3857 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3858 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3859 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3860 chan->num_conf_req++;
e9aeb2dd 3861 }
1700915f
MM		 3862
3863 return chan;
4c89b6aa 3864}
e9aeb2dd 3865
4c89b6aa 3866static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3867 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3868{
7b064eda
JK		 3869 struct hci_dev *hdev = conn->hcon->hdev;
3870 struct hci_conn *hcon = conn->hcon;
3871
cb3b3152
JH		 3872 if (cmd_len < sizeof(struct l2cap_conn_req))
3873 return -EPROTO;
3874
7b064eda
JK		 3875 hci_dev_lock(hdev);
3876 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3877 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3878 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3879 hcon->dst_type, 0, NULL, 0,
3880 hcon->dev_class);
3881 hci_dev_unlock(hdev);
3882
300229f9 3883 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3884 return 0;
3885}
3886
5909cf30 3887static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3888 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3889 u8 *data)
1da177e4
LT		 3890{
3891 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3892 u16 scid, dcid, result, status;
48454079 3893 struct l2cap_chan *chan;
1da177e4 3894 u8 req[128];
3df91ea2 3895 int err;
1da177e4 3896
cb3b3152
JH		 3897 if (cmd_len < sizeof(*rsp))
3898 return -EPROTO;
3899
1da177e4
LT		 3900 scid = __le16_to_cpu(rsp->scid);
3901 dcid = __le16_to_cpu(rsp->dcid);
3902 result = __le16_to_cpu(rsp->result);
3903 status = __le16_to_cpu(rsp->status);
3904
1b009c98 3905 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3906 dcid, scid, result, status);
1da177e4 3907
3df91ea2
AE		 3908 mutex_lock(&conn->chan_lock);
3909
1da177e4 3910 if (scid) {
3df91ea2
AE		 3911 chan = __l2cap_get_chan_by_scid(conn, scid);
3912 if (!chan) {
21870b52 3913 err = -EBADSLT;
3df91ea2
AE		 3914 goto unlock;
3915 }
1da177e4 3916 } else {
3df91ea2
AE		 3917 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3918 if (!chan) {
21870b52 3919 err = -EBADSLT;
3df91ea2
AE		 3920 goto unlock;
3921 }
1da177e4
LT		 3922 }
3923
3df91ea2
AE		 3924 err = 0;
3925
6be36555 3926 l2cap_chan_lock(chan);
48454079 3927
1da177e4
LT		 3928 switch (result) {
3929 case L2CAP_CR_SUCCESS:
89bc500e 3930 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3931 chan->ident = 0;
fe4128e0 3932 chan->dcid = dcid;
c1360a1c 3933 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3934
c1360a1c 3935 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3936 break;
3937
1da177e4 3938 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3939 l2cap_build_conf_req(chan, req), req);
73ffa904 3940 chan->num_conf_req++;
1da177e4
LT		 3941 break;
3942
3943 case L2CAP_CR_PEND:
c1360a1c 3944 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3945 break;
3946
3947 default:
48454079 3948 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3949 break;
3950 }
3951
6be36555 3952 l2cap_chan_unlock(chan);
3df91ea2
AE		 3953
3954unlock:
3955 mutex_unlock(&conn->chan_lock);
3956
3957 return err;
1da177e4
LT		 3958}
3959
47d1ec61 3960static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3961{
3962 /* FCS is enabled only in ERTM or streaming mode, if one or both
3963 * sides request it.
3964 */
0c1bc5c6 3965 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3966 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3967 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3968 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3969}
3970
29d8a590
AE		 3971static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3972 u8 ident, u16 flags)
3973{
3974 struct l2cap_conn *conn = chan->conn;
3975
3976 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3977 flags);
3978
3979 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3980 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3981
3982 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3983 l2cap_build_conf_rsp(chan, data,
3984 L2CAP_CONF_SUCCESS, flags), data);
3985}
3986
662d652d
JH		 3987static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3988 u16 scid, u16 dcid)
3989{
3990 struct l2cap_cmd_rej_cid rej;
3991
dcf4adbf 3992 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3993 rej.scid = __cpu_to_le16(scid);
3994 rej.dcid = __cpu_to_le16(dcid);
3995
3996 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3997}
3998
2d792818
GP		 3999static inline int l2cap_config_req(struct l2cap_conn *conn,
4000 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4001 u8 *data)
1da177e4
LT		 4002{
4003 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4004 u16 dcid, flags;
4005 u8 rsp[64];
48454079 4006 struct l2cap_chan *chan;
3c588192 4007 int len, err = 0;
1da177e4 4008
cb3b3152
JH		 4009 if (cmd_len < sizeof(*req))
4010 return -EPROTO;
4011
1da177e4
LT		 4012 dcid = __le16_to_cpu(req->dcid);
4013 flags = __le16_to_cpu(req->flags);
4014
4015 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4016
baa7e1fa 4017 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4018 if (!chan) {
4019 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4020 return 0;
4021 }
1da177e4 4022
033b1142 4023 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4024 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4025 chan->dcid);
354f60a9 4026 goto unlock;
df6bd743 4027 }
354f60a9 4028
5dee9e7c 4029 /* Reject if config buffer is too small. */
88219a0f 4030 len = cmd_len - sizeof(*req);
cb3b3152 4031 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4032 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4033 l2cap_build_conf_rsp(chan, rsp,
4034 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4035 goto unlock;
4036 }
4037
4038 /* Store config. */
73ffa904
GP		 4039 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4040 chan->conf_len += len;
1da177e4 4041
59e54bd1 4042 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4043 /* Incomplete config. Send empty response. */
4044 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4045 l2cap_build_conf_rsp(chan, rsp,
4046 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4047 goto unlock;
4048 }
4049
4050 /* Complete config. */
73ffa904 4051 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4052 if (len < 0) {
5e4e3972 4053 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4054 goto unlock;
f2fcfcd6 4055 }
1da177e4 4056
1500109b 4057 chan->ident = cmd->ident;
5dee9e7c 4058 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4059 chan->num_conf_rsp++;
5dee9e7c 4060
5dee9e7c 4061 /* Reset config buffer. */
73ffa904 4062 chan->conf_len = 0;
5dee9e7c 4063
c1360a1c 4064 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4065 goto unlock;
4066
c1360a1c 4067 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4068 set_default_fcs(chan);
fcc203c3 4069
105bdf9e
MM		 4070 if (chan->mode == L2CAP_MODE_ERTM ||
4071 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4072 err = l2cap_ertm_init(chan);
4073
4074 if (err < 0)
5e4e3972 4075 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4076 else
4077 l2cap_chan_ready(chan);
0565c1c2 4078
876d9484
MH		 4079 goto unlock;
4080 }
4081
c1360a1c 4082 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4083 u8 buf[64];
1da177e4 4084 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4085 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4086 chan->num_conf_req++;
1da177e4
LT		 4087 }
4088
0e8b207e
AE		 4089 /* Got Conf Rsp PENDING from remote side and asume we sent
4090 Conf Rsp PENDING in the code above */
4091 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4092 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4093
4094 /* check compatibility */
4095
79de886d 4096 /* Send rsp for BR/EDR channel */
f351bc72 4097 if (!chan->hs_hcon)
79de886d
AE		 4098 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4099 else
4100 chan->ident = cmd->ident;
0e8b207e
AE		 4101 }
4102
1da177e4 4103unlock:
6be36555 4104 l2cap_chan_unlock(chan);
3c588192 4105 return err;
1da177e4
LT		 4106}
4107
2d792818 4108static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4109 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4110 u8 *data)
1da177e4
LT		 4111{
4112 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4113 u16 scid, flags, result;
48454079 4114 struct l2cap_chan *chan;
cb3b3152 4115 int len = cmd_len - sizeof(*rsp);
3c588192 4116 int err = 0;
1da177e4 4117
cb3b3152
JH		 4118 if (cmd_len < sizeof(*rsp))
4119 return -EPROTO;
4120
1da177e4
LT		 4121 scid = __le16_to_cpu(rsp->scid);
4122 flags = __le16_to_cpu(rsp->flags);
4123 result = __le16_to_cpu(rsp->result);
4124
61386cba
AE		 4125 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4126 result, len);
1da177e4 4127
baa7e1fa 4128 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4129 if (!chan)
1da177e4
LT		 4130 return 0;
4131
4132 switch (result) {
4133 case L2CAP_CONF_SUCCESS:
47d1ec61 4134 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4135 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4136 break;
4137
0e8b207e
AE		 4138 case L2CAP_CONF_PENDING:
4139 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4140
4141 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4142 char buf[64];
4143
4144 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4145 buf, &result);
0e8b207e 4146 if (len < 0) {
5e4e3972 4147 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4148 goto done;
4149 }
4150
f351bc72 4151 if (!chan->hs_hcon) {
79de886d
AE		 4152 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4153 0);
5ce66b59
AE		 4154 } else {
4155 if (l2cap_check_efs(chan)) {
4156 amp_create_logical_link(chan);
4157 chan->ident = cmd->ident;
4158 }
4159 }
0e8b207e
AE		 4160 }
4161 goto done;
4162
1da177e4 4163 case L2CAP_CONF_UNACCEPT:
73ffa904 4164 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4165 char req[64];
4166
c2c77ec8 4167 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4168 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4169 goto done;
4170 }
4171
f2fcfcd6
GP		 4172 /* throw out any old stored conf requests */
4173 result = L2CAP_CONF_SUCCESS;
b4450035 4174 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4175 req, &result);
f2fcfcd6 4176 if (len < 0) {
5e4e3972 4177 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4178 goto done;
4179 }
4180
4181 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4182 L2CAP_CONF_REQ, len, req);
73ffa904 4183 chan->num_conf_req++;
f2fcfcd6
GP		 4184 if (result != L2CAP_CONF_SUCCESS)
4185 goto done;
4186 break;
1da177e4
LT		 4187 }
4188
8e87d142 4189 default:
6be36555 4190 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4191
ba13ccd9 4192 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4193 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4194 goto done;
4195 }
4196
59e54bd1 4197 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4198 goto done;
4199
c1360a1c 4200 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4201
c1360a1c 4202 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4203 set_default_fcs(chan);
fcc203c3 4204
105bdf9e
MM		 4205 if (chan->mode == L2CAP_MODE_ERTM ||
4206 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4207 err = l2cap_ertm_init(chan);
0565c1c2 4208
3c588192 4209 if (err < 0)
5e4e3972 4210 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4211 else
4212 l2cap_chan_ready(chan);
1da177e4
LT		 4213 }
4214
4215done:
6be36555 4216 l2cap_chan_unlock(chan);
3c588192 4217 return err;
1da177e4
LT		 4218}
4219
2d792818 4220static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4221 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4222 u8 *data)
1da177e4
LT		 4223{
4224 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4225 struct l2cap_disconn_rsp rsp;
4226 u16 dcid, scid;
48454079 4227 struct l2cap_chan *chan;
1da177e4 4228
cb3b3152
JH		 4229 if (cmd_len != sizeof(*req))
4230 return -EPROTO;
4231
1da177e4
LT		 4232 scid = __le16_to_cpu(req->scid);
4233 dcid = __le16_to_cpu(req->dcid);
4234
4235 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4236
3df91ea2
AE		 4237 mutex_lock(&conn->chan_lock);
4238
4239 chan = __l2cap_get_chan_by_scid(conn, dcid);
4240 if (!chan) {
4241 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4242 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4243 return 0;
3df91ea2 4244 }
1da177e4 4245
6be36555
AE		 4246 l2cap_chan_lock(chan);
4247
fe4128e0
GP		 4248 rsp.dcid = cpu_to_le16(chan->scid);
4249 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4250 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4251
5ec1bbe5 4252 chan->ops->set_shutdown(chan);
1da177e4 4253
61d6ef3e 4254 l2cap_chan_hold(chan);
48454079 4255 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4256
4257 l2cap_chan_unlock(chan);
1da177e4 4258
80b98027 4259 chan->ops->close(chan);
61d6ef3e 4260 l2cap_chan_put(chan);
3df91ea2
AE		 4261
4262 mutex_unlock(&conn->chan_lock);
4263
1da177e4
LT		 4264 return 0;
4265}
4266
2d792818 4267static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4268 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4269 u8 *data)
1da177e4
LT		 4270{
4271 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4272 u16 dcid, scid;
48454079 4273 struct l2cap_chan *chan;
1da177e4 4274
cb3b3152
JH		 4275 if (cmd_len != sizeof(*rsp))
4276 return -EPROTO;
4277
1da177e4
LT		 4278 scid = __le16_to_cpu(rsp->scid);
4279 dcid = __le16_to_cpu(rsp->dcid);
4280
4281 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4282
3df91ea2
AE		 4283 mutex_lock(&conn->chan_lock);
4284
4285 chan = __l2cap_get_chan_by_scid(conn, scid);
4286 if (!chan) {
4287 mutex_unlock(&conn->chan_lock);
1da177e4 4288 return 0;
3df91ea2 4289 }
1da177e4 4290
6be36555 4291 l2cap_chan_lock(chan);
48454079 4292
61d6ef3e 4293 l2cap_chan_hold(chan);
48454079 4294 l2cap_chan_del(chan, 0);
6be36555
AE		 4295
4296 l2cap_chan_unlock(chan);
1da177e4 4297
80b98027 4298 chan->ops->close(chan);
61d6ef3e 4299 l2cap_chan_put(chan);
3df91ea2
AE		 4300
4301 mutex_unlock(&conn->chan_lock);
4302
1da177e4
LT		 4303 return 0;
4304}
4305
2d792818 4306static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4307 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4308 u8 *data)
1da177e4
LT		 4309{
4310 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4311 u16 type;
4312
cb3b3152
JH		 4313 if (cmd_len != sizeof(*req))
4314 return -EPROTO;
4315
1da177e4
LT		 4316 type = __le16_to_cpu(req->type);
4317
4318 BT_DBG("type 0x%4.4x", type);
4319
f0709e03
MH		 4320 if (type == L2CAP_IT_FEAT_MASK) {
4321 u8 buf[8];
44dd46de 4322 u32 feat_mask = l2cap_feat_mask;
f0709e03 4323 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4324 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4325 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4326 if (!disable_ertm)
fcc203c3 4327 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4328 | L2CAP_FEAT_FCS;
848566b3 4329 if (conn->hs_enabled)
6327eb98 4330 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4331 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4332
1b7bf4ed 4333 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4334 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4335 buf);
e1027a7c
MH		 4336 } else if (type == L2CAP_IT_FIXED_CHAN) {
4337 u8 buf[12];
4338 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4339
848566b3 4340 if (conn->hs_enabled)
50a147cd
MM		 4341 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4342 else
4343 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4344
dcf4adbf
JP		 4345 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4346 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4347 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4348 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4349 buf);
f0709e03
MH		 4350 } else {
4351 struct l2cap_info_rsp rsp;
4352 rsp.type = cpu_to_le16(type);
dcf4adbf 4353 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4354 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4355 &rsp);
f0709e03 4356 }
1da177e4
LT		 4357
4358 return 0;
4359}
4360
2d792818 4361static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4362 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4363 u8 *data)
1da177e4
LT		 4364{
4365 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4366 u16 type, result;
4367
3f6fa3d4 4368 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4369 return -EPROTO;
4370
1da177e4
LT		 4371 type = __le16_to_cpu(rsp->type);
4372 result = __le16_to_cpu(rsp->result);
4373
4374 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4375
e90165be
AE		 4376 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4377 if (cmd->ident != conn->info_ident ||
2d792818 4378 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4379 return 0;
4380
17cd3f37 4381 cancel_delayed_work(&conn->info_timer);
4e8402a3 4382
adb08ede
VT		 4383 if (result != L2CAP_IR_SUCCESS) {
4384 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4385 conn->info_ident = 0;
4386
4387 l2cap_conn_start(conn);
4388
4389 return 0;
4390 }
4391
978c93b9
AE		 4392 switch (type) {
4393 case L2CAP_IT_FEAT_MASK:
83985319 4394 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4395
47ec1dcd 4396 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4397 struct l2cap_info_req req;
dcf4adbf 4398 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4399
4400 conn->info_ident = l2cap_get_ident(conn);
4401
4402 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4403 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4404 } else {
4405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4406 conn->info_ident = 0;
4407
4408 l2cap_conn_start(conn);
4409 }
978c93b9
AE		 4410 break;
4411
4412 case L2CAP_IT_FIXED_CHAN:
4413 conn->fixed_chan_mask = rsp->data[0];
984947dc 4414 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4415 conn->info_ident = 0;
984947dc
MH		 4416
4417 l2cap_conn_start(conn);
978c93b9 4418 break;
984947dc 4419 }
4e8402a3 4420
1da177e4
LT		 4421 return 0;
4422}
4423
1700915f
MM		 4424static int l2cap_create_channel_req(struct l2cap_conn *conn,
4425 struct l2cap_cmd_hdr *cmd,
4426 u16 cmd_len, void *data)
f94ff6ff
MM		 4427{
4428 struct l2cap_create_chan_req *req = data;
6e1df6a6 4429 struct l2cap_create_chan_rsp rsp;
1700915f 4430 struct l2cap_chan *chan;
6e1df6a6 4431 struct hci_dev *hdev;
f94ff6ff
MM		 4432 u16 psm, scid;
4433
4434 if (cmd_len != sizeof(*req))
4435 return -EPROTO;
4436
848566b3 4437 if (!conn->hs_enabled)
f94ff6ff
MM		 4438 return -EINVAL;
4439
4440 psm = le16_to_cpu(req->psm);
4441 scid = le16_to_cpu(req->scid);
4442
ad0ac6ca 4443 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4444
6e1df6a6 4445 /* For controller id 0 make BR/EDR connection */
6ed971ca 4446 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4447 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4448 req->amp_id);
4449 return 0;
4450 }
1700915f 4451
6e1df6a6
AE		 4452 /* Validate AMP controller id */
4453 hdev = hci_dev_get(req->amp_id);
4454 if (!hdev)
4455 goto error;
1700915f 4456
6e1df6a6
AE		 4457 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4458 hci_dev_put(hdev);
4459 goto error;
4460 }
1700915f 4461
6e1df6a6
AE		 4462 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4463 req->amp_id);
4464 if (chan) {
4465 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4466 struct hci_conn *hs_hcon;
1700915f 4467
98e0f7ea
MH		 4468 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4469 &conn->hcon->dst);
6e1df6a6
AE		 4470 if (!hs_hcon) {
4471 hci_dev_put(hdev);
662d652d
JH		 4472 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4473 chan->dcid);
4474 return 0;
1700915f
MM		 4475 }
4476
6e1df6a6
AE		 4477 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4478
6e1df6a6
AE		 4479 mgr->bredr_chan = chan;
4480 chan->hs_hcon = hs_hcon;
fd45bf4c 4481 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4482 conn->mtu = hdev->block_mtu;
1700915f 4483 }
f94ff6ff 4484
6e1df6a6 4485 hci_dev_put(hdev);
f94ff6ff
MM		 4486
4487 return 0;
6e1df6a6
AE		 4488
4489error:
4490 rsp.dcid = 0;
4491 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4492 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4493 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4494
4495 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4496 sizeof(rsp), &rsp);
4497
dc280801 4498 return 0;
f94ff6ff
MM		 4499}
4500
8eb200bd
MM		 4501static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4502{
4503 struct l2cap_move_chan_req req;
4504 u8 ident;
4505
4506 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4507
4508 ident = l2cap_get_ident(chan->conn);
4509 chan->ident = ident;
4510
4511 req.icid = cpu_to_le16(chan->scid);
4512 req.dest_amp_id = dest_amp_id;
4513
4514 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4515 &req);
4516
4517 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4518}
4519
1500109b 4520static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4521{
4522 struct l2cap_move_chan_rsp rsp;
4523
1500109b 4524 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4525
1500109b 4526 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4527 rsp.result = cpu_to_le16(result);
4528
1500109b
MM		 4529 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4530 sizeof(rsp), &rsp);
8d5a04a1
MM		 4531}
4532
5b155ef9 4533static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4534{
4535 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4536
5b155ef9 4537 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4538
5b155ef9 4539 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4540
5b155ef9 4541 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4542 cfm.result = cpu_to_le16(result);
4543
5b155ef9
MM		 4544 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4545 sizeof(cfm), &cfm);
4546
4547 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4548}
4549
4550static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4551{
4552 struct l2cap_move_chan_cfm cfm;
4553
4554 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4555
4556 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4557 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4558
4559 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4560 sizeof(cfm), &cfm);
8d5a04a1
MM		 4561}
4562
4563static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4564 u16 icid)
8d5a04a1
MM		 4565{
4566 struct l2cap_move_chan_cfm_rsp rsp;
4567
ad0ac6ca 4568 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4569
4570 rsp.icid = cpu_to_le16(icid);
4571 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4572}
4573
5f3847a4
MM		 4574static void __release_logical_link(struct l2cap_chan *chan)
4575{
4576 chan->hs_hchan = NULL;
4577 chan->hs_hcon = NULL;
4578
4579 /* Placeholder - release the logical link */
4580}
4581
1500109b
MM		 4582static void l2cap_logical_fail(struct l2cap_chan *chan)
4583{
4584 /* Logical link setup failed */
4585 if (chan->state != BT_CONNECTED) {
4586 /* Create channel failure, disconnect */
5e4e3972 4587 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4588 return;
4589 }
4590
4591 switch (chan->move_role) {
4592 case L2CAP_MOVE_ROLE_RESPONDER:
4593 l2cap_move_done(chan);
4594 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4595 break;
4596 case L2CAP_MOVE_ROLE_INITIATOR:
4597 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4598 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4599 /* Remote has only sent pending or
4600 * success responses, clean up
4601 */
4602 l2cap_move_done(chan);
4603 }
4604
4605 /* Other amp move states imply that the move
4606 * has already aborted
4607 */
4608 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4609 break;
4610 }
4611}
4612
4613static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4614 struct hci_chan *hchan)
4615{
4616 struct l2cap_conf_rsp rsp;
1500109b 4617
336178a3 4618 chan->hs_hchan = hchan;
1500109b
MM		 4619 chan->hs_hcon->l2cap_data = chan->conn;
4620
35ba9561 4621 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4622
4623 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4624 int err;
1500109b
MM		 4625
4626 set_default_fcs(chan);
4627
4628 err = l2cap_ertm_init(chan);
4629 if (err < 0)
5e4e3972 4630 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4631 else
4632 l2cap_chan_ready(chan);
4633 }
4634}
4635
4636static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4637 struct hci_chan *hchan)
4638{
4639 chan->hs_hcon = hchan->conn;
4640 chan->hs_hcon->l2cap_data = chan->conn;
4641
4642 BT_DBG("move_state %d", chan->move_state);
4643
4644 switch (chan->move_state) {
4645 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4646 /* Move confirm will be sent after a success
4647 * response is received
4648 */
4649 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4650 break;
4651 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4652 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4653 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4654 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4655 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4656 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4657 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4658 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4659 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4660 }
4661 break;
4662 default:
4663 /* Move was not in expected state, free the channel */
4664 __release_logical_link(chan);
4665
4666 chan->move_state = L2CAP_MOVE_STABLE;
4667 }
4668}
4669
4670/* Call with chan locked */
27695fb4
AE		 4671void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4672 u8 status)
5b155ef9 4673{
1500109b
MM		 4674 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4675
4676 if (status) {
4677 l2cap_logical_fail(chan);
4678 __release_logical_link(chan);
4679 return;
4680 }
4681
4682 if (chan->state != BT_CONNECTED) {
4683 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4684 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4685 l2cap_logical_finish_create(chan, hchan);
4686 } else {
4687 l2cap_logical_finish_move(chan, hchan);
4688 }
5b155ef9
MM		 4689}
4690
3f7a56c4
MM		 4691void l2cap_move_start(struct l2cap_chan *chan)
4692{
4693 BT_DBG("chan %p", chan);
4694
6ed971ca 4695 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4696 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4697 return;
4698 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4699 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4700 /* Placeholder - start physical link setup */
4701 } else {
4702 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4703 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4704 chan->move_id = 0;
4705 l2cap_move_setup(chan);
4706 l2cap_send_move_chan_req(chan, 0);
4707 }
4708}
4709
8eb200bd
MM		 4710static void l2cap_do_create(struct l2cap_chan *chan, int result,
4711 u8 local_amp_id, u8 remote_amp_id)
4712{
62748ca1
AE		 4713 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4714 local_amp_id, remote_amp_id);
4715
12d6cc60
AE		 4716 chan->fcs = L2CAP_FCS_NONE;
4717
62748ca1
AE		 4718 /* Outgoing channel on AMP */
4719 if (chan->state == BT_CONNECT) {
4720 if (result == L2CAP_CR_SUCCESS) {
4721 chan->local_amp_id = local_amp_id;
4722 l2cap_send_create_chan_req(chan, remote_amp_id);
4723 } else {
4724 /* Revert to BR/EDR connect */
4725 l2cap_send_conn_req(chan);
4726 }
4727
4728 return;
4729 }
4730
4731 /* Incoming channel on AMP */
4732 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4733 struct l2cap_conn_rsp rsp;
4734 char buf[128];
4735 rsp.scid = cpu_to_le16(chan->dcid);
4736 rsp.dcid = cpu_to_le16(chan->scid);
4737
8eb200bd
MM		 4738 if (result == L2CAP_CR_SUCCESS) {
4739 /* Send successful response */
dcf4adbf
JP		 4740 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4741 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4742 } else {
4743 /* Send negative response */
dcf4adbf
JP		 4744 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4745 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4746 }
4747
4748 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4749 sizeof(rsp), &rsp);
4750
4751 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4752 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4753 set_bit(CONF_REQ_SENT, &chan->conf_state);
4754 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4755 L2CAP_CONF_REQ,
4756 l2cap_build_conf_req(chan, buf), buf);
4757 chan->num_conf_req++;
4758 }
8eb200bd
MM		 4759 }
4760}
4761
4762static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4763 u8 remote_amp_id)
4764{
4765 l2cap_move_setup(chan);
4766 chan->move_id = local_amp_id;
4767 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4768
4769 l2cap_send_move_chan_req(chan, remote_amp_id);
4770}
4771
4772static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4773{
4774 struct hci_chan *hchan = NULL;
4775
4776 /* Placeholder - get hci_chan for logical link */
4777
4778 if (hchan) {
4779 if (hchan->state == BT_CONNECTED) {
4780 /* Logical link is ready to go */
4781 chan->hs_hcon = hchan->conn;
4782 chan->hs_hcon->l2cap_data = chan->conn;
4783 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4784 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4785
4786 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4787 } else {
4788 /* Wait for logical link to be ready */
4789 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4790 }
4791 } else {
4792 /* Logical link not available */
4793 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4794 }
4795}
4796
4797static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4798{
4799 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4800 u8 rsp_result;
4801 if (result == -EINVAL)
4802 rsp_result = L2CAP_MR_BAD_ID;
4803 else
4804 rsp_result = L2CAP_MR_NOT_ALLOWED;
4805
4806 l2cap_send_move_chan_rsp(chan, rsp_result);
4807 }
4808
4809 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4810 chan->move_state = L2CAP_MOVE_STABLE;
4811
4812 /* Restart data transmission */
4813 l2cap_ertm_send(chan);
4814}
4815
a514b17f
AE		 4816/* Invoke with locked chan */
4817void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4818{
770bfefa 4819 u8 local_amp_id = chan->local_amp_id;
fffadc08 4820 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4821
8eb200bd
MM		 4822 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4823 chan, result, local_amp_id, remote_amp_id);
4824
8eb200bd
MM		 4825 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4826 l2cap_chan_unlock(chan);
4827 return;
4828 }
4829
4830 if (chan->state != BT_CONNECTED) {
4831 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4832 } else if (result != L2CAP_MR_SUCCESS) {
4833 l2cap_do_move_cancel(chan, result);
4834 } else {
4835 switch (chan->move_role) {
4836 case L2CAP_MOVE_ROLE_INITIATOR:
4837 l2cap_do_move_initiate(chan, local_amp_id,
4838 remote_amp_id);
4839 break;
4840 case L2CAP_MOVE_ROLE_RESPONDER:
4841 l2cap_do_move_respond(chan, result);
4842 break;
4843 default:
4844 l2cap_do_move_cancel(chan, result);
4845 break;
4846 }
4847 }
8eb200bd
MM		 4848}
4849
8d5a04a1 4850static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4851 struct l2cap_cmd_hdr *cmd,
4852 u16 cmd_len, void *data)
8d5a04a1
MM		 4853{
4854 struct l2cap_move_chan_req *req = data;
1500109b 4855 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4856 struct l2cap_chan *chan;
8d5a04a1
MM		 4857 u16 icid = 0;
4858 u16 result = L2CAP_MR_NOT_ALLOWED;
4859
4860 if (cmd_len != sizeof(*req))
4861 return -EPROTO;
4862
4863 icid = le16_to_cpu(req->icid);
4864
ad0ac6ca 4865 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4866
848566b3 4867 if (!conn->hs_enabled)
8d5a04a1
MM		 4868 return -EINVAL;
4869
02b0fbb9
MM		 4870 chan = l2cap_get_chan_by_dcid(conn, icid);
4871 if (!chan) {
1500109b 4872 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4873 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4874 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4875 sizeof(rsp), &rsp);
02b0fbb9
MM		 4876 return 0;
4877 }
4878
1500109b
MM		 4879 chan->ident = cmd->ident;
4880
02b0fbb9
MM		 4881 if (chan->scid < L2CAP_CID_DYN_START ||
4882 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4883 (chan->mode != L2CAP_MODE_ERTM &&
4884 chan->mode != L2CAP_MODE_STREAMING)) {
4885 result = L2CAP_MR_NOT_ALLOWED;
4886 goto send_move_response;
4887 }
4888
4889 if (chan->local_amp_id == req->dest_amp_id) {
4890 result = L2CAP_MR_SAME_ID;
4891 goto send_move_response;
4892 }
4893
6ed971ca 4894 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4895 struct hci_dev *hdev;
4896 hdev = hci_dev_get(req->dest_amp_id);
4897 if (!hdev || hdev->dev_type != HCI_AMP ||
4898 !test_bit(HCI_UP, &hdev->flags)) {
4899 if (hdev)
4900 hci_dev_put(hdev);
4901
4902 result = L2CAP_MR_BAD_ID;
4903 goto send_move_response;
4904 }
4905 hci_dev_put(hdev);
4906 }
4907
4908 /* Detect a move collision. Only send a collision response
4909 * if this side has "lost", otherwise proceed with the move.
4910 * The winner has the larger bd_addr.
4911 */
4912 if ((__chan_is_moving(chan) ||
4913 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4914 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4915 result = L2CAP_MR_COLLISION;
4916 goto send_move_response;
4917 }
4918
02b0fbb9
MM		 4919 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4920 l2cap_move_setup(chan);
4921 chan->move_id = req->dest_amp_id;
4922 icid = chan->dcid;
4923
6ed971ca 4924 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4925 /* Moving to BR/EDR */
4926 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4927 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4928 result = L2CAP_MR_PEND;
4929 } else {
4930 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4931 result = L2CAP_MR_SUCCESS;
4932 }
4933 } else {
4934 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4935 /* Placeholder - uncomment when amp functions are available */
4936 /*amp_accept_physical(chan, req->dest_amp_id);*/
4937 result = L2CAP_MR_PEND;
4938 }
4939
4940send_move_response:
1500109b 4941 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4942
02b0fbb9
MM		 4943 l2cap_chan_unlock(chan);
4944
8d5a04a1
MM		 4945 return 0;
4946}
4947
5b155ef9
MM		 4948static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4949{
4950 struct l2cap_chan *chan;
4951 struct hci_chan *hchan = NULL;
4952
4953 chan = l2cap_get_chan_by_scid(conn, icid);
4954 if (!chan) {
4955 l2cap_send_move_chan_cfm_icid(conn, icid);
4956 return;
4957 }
4958
4959 __clear_chan_timer(chan);
4960 if (result == L2CAP_MR_PEND)
4961 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4962
4963 switch (chan->move_state) {
4964 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4965 /* Move confirm will be sent when logical link
4966 * is complete.
4967 */
4968 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4969 break;
4970 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4971 if (result == L2CAP_MR_PEND) {
4972 break;
4973 } else if (test_bit(CONN_LOCAL_BUSY,
4974 &chan->conn_state)) {
4975 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4976 } else {
4977 /* Logical link is up or moving to BR/EDR,
4978 * proceed with move
4979 */
4980 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4981 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4982 }
4983 break;
4984 case L2CAP_MOVE_WAIT_RSP:
4985 /* Moving to AMP */
4986 if (result == L2CAP_MR_SUCCESS) {
4987 /* Remote is ready, send confirm immediately
4988 * after logical link is ready
4989 */
4990 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4991 } else {
4992 /* Both logical link and move success
4993 * are required to confirm
4994 */
4995 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4996 }
4997
4998 /* Placeholder - get hci_chan for logical link */
4999 if (!hchan) {
5000 /* Logical link not available */
5001 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5002 break;
5003 }
5004
5005 /* If the logical link is not yet connected, do not
5006 * send confirmation.
5007 */
5008 if (hchan->state != BT_CONNECTED)
5009 break;
5010
5011 /* Logical link is already ready to go */
5012
5013 chan->hs_hcon = hchan->conn;
5014 chan->hs_hcon->l2cap_data = chan->conn;
5015
5016 if (result == L2CAP_MR_SUCCESS) {
5017 /* Can confirm now */
5018 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5019 } else {
5020 /* Now only need move success
5021 * to confirm
5022 */
5023 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5024 }
5025
5026 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5027 break;
5028 default:
5029 /* Any other amp move state means the move failed. */
5030 chan->move_id = chan->local_amp_id;
5031 l2cap_move_done(chan);
5032 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5033 }
5034
5035 l2cap_chan_unlock(chan);
5036}
5037
5038static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5039 u16 result)
5040{
5041 struct l2cap_chan *chan;
5042
5043 chan = l2cap_get_chan_by_ident(conn, ident);
5044 if (!chan) {
5045 /* Could not locate channel, icid is best guess */
5046 l2cap_send_move_chan_cfm_icid(conn, icid);
5047 return;
5048 }
5049
5050 __clear_chan_timer(chan);
5051
5052 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5053 if (result == L2CAP_MR_COLLISION) {
5054 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5055 } else {
5056 /* Cleanup - cancel move */
5057 chan->move_id = chan->local_amp_id;
5058 l2cap_move_done(chan);
5059 }
5060 }
5061
5062 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5063
5064 l2cap_chan_unlock(chan);
5065}
5066
5067static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5068 struct l2cap_cmd_hdr *cmd,
5069 u16 cmd_len, void *data)
8d5a04a1
MM		 5070{
5071 struct l2cap_move_chan_rsp *rsp = data;
5072 u16 icid, result;
5073
5074 if (cmd_len != sizeof(*rsp))
5075 return -EPROTO;
5076
5077 icid = le16_to_cpu(rsp->icid);
5078 result = le16_to_cpu(rsp->result);
5079
ad0ac6ca 5080 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5081
5b155ef9
MM		 5082 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5083 l2cap_move_continue(conn, icid, result);
5084 else
5085 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5086
5087 return 0;
5088}
5089
5f3847a4
MM		 5090static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5091 struct l2cap_cmd_hdr *cmd,
5092 u16 cmd_len, void *data)
8d5a04a1
MM		 5093{
5094 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5095 struct l2cap_chan *chan;
8d5a04a1
MM		 5096 u16 icid, result;
5097
5098 if (cmd_len != sizeof(*cfm))
5099 return -EPROTO;
5100
5101 icid = le16_to_cpu(cfm->icid);
5102 result = le16_to_cpu(cfm->result);
5103
ad0ac6ca 5104 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5105
5f3847a4
MM		 5106 chan = l2cap_get_chan_by_dcid(conn, icid);
5107 if (!chan) {
5108 /* Spec requires a response even if the icid was not found */
5109 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5110 return 0;
5111 }
5112
5113 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5114 if (result == L2CAP_MC_CONFIRMED) {
5115 chan->local_amp_id = chan->move_id;
6ed971ca 5116 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5117 __release_logical_link(chan);
5118 } else {
5119 chan->move_id = chan->local_amp_id;
5120 }
5121
5122 l2cap_move_done(chan);
5123 }
5124
8d5a04a1
MM		 5125 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5126
5f3847a4
MM		 5127 l2cap_chan_unlock(chan);
5128
8d5a04a1
MM		 5129 return 0;
5130}
5131
5132static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5133 struct l2cap_cmd_hdr *cmd,
5134 u16 cmd_len, void *data)
8d5a04a1
MM		 5135{
5136 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5137 struct l2cap_chan *chan;
8d5a04a1
MM		 5138 u16 icid;
5139
5140 if (cmd_len != sizeof(*rsp))
5141 return -EPROTO;
5142
5143 icid = le16_to_cpu(rsp->icid);
5144
ad0ac6ca 5145 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5146
3fd71a0a
MM		 5147 chan = l2cap_get_chan_by_scid(conn, icid);
5148 if (!chan)
5149 return 0;
5150
5151 __clear_chan_timer(chan);
5152
5153 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5154 chan->local_amp_id = chan->move_id;
5155
6ed971ca 5156 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5157 __release_logical_link(chan);
5158
5159 l2cap_move_done(chan);
5160 }
5161
5162 l2cap_chan_unlock(chan);
5163
8d5a04a1
MM		 5164 return 0;
5165}
5166
de73115a 5167static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5168 struct l2cap_cmd_hdr *cmd,
203e639e 5169 u16 cmd_len, u8 *data)
de73115a
CT		 5170{
5171 struct hci_conn *hcon = conn->hcon;
5172 struct l2cap_conn_param_update_req *req;
5173 struct l2cap_conn_param_update_rsp rsp;
203e639e 5174 u16 min, max, latency, to_multiplier;
2ce603eb 5175 int err;
de73115a 5176
40bef302 5177 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5178 return -EINVAL;
5179
de73115a
CT		 5180 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5181 return -EPROTO;
5182
5183 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5184 min = __le16_to_cpu(req->min);
5185 max = __le16_to_cpu(req->max);
de73115a
CT		 5186 latency = __le16_to_cpu(req->latency);
5187 to_multiplier = __le16_to_cpu(req->to_multiplier);
5188
5189 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5190 min, max, latency, to_multiplier);
de73115a
CT		 5191
5192 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5193
d4905f24 5194 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5195 if (err)
dcf4adbf 5196 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5197 else
dcf4adbf 5198 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5199
5200 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5201 sizeof(rsp), &rsp);
de73115a 5202
ffb5a827 5203 if (!err) {
f4869e2a
JH		 5204 u8 store_hint;
5205
5206 store_hint = hci_le_conn_update(hcon, min, max, latency,
5207 to_multiplier);
ffb5a827 5208 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5209 store_hint, min, max, latency,
5210 to_multiplier);
ffb5a827 5211
ffb5a827 5212 }
2ce603eb 5213
de73115a
CT		 5214 return 0;
5215}
5216
f1496dee
JH		 5217static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5218 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5219 u8 *data)
5220{
5221 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5222 u16 dcid, mtu, mps, credits, result;
5223 struct l2cap_chan *chan;
5224 int err;
5225
5226 if (cmd_len < sizeof(*rsp))
5227 return -EPROTO;
5228
5229 dcid = __le16_to_cpu(rsp->dcid);
5230 mtu = __le16_to_cpu(rsp->mtu);
5231 mps = __le16_to_cpu(rsp->mps);
5232 credits = __le16_to_cpu(rsp->credits);
5233 result = __le16_to_cpu(rsp->result);
5234
5235 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5236 return -EPROTO;
5237
5238 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5239 dcid, mtu, mps, credits, result);
5240
5241 mutex_lock(&conn->chan_lock);
5242
5243 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5244 if (!chan) {
5245 err = -EBADSLT;
5246 goto unlock;
5247 }
5248
5249 err = 0;
5250
5251 l2cap_chan_lock(chan);
5252
5253 switch (result) {
5254 case L2CAP_CR_SUCCESS:
5255 chan->ident = 0;
5256 chan->dcid = dcid;
5257 chan->omtu = mtu;
5258 chan->remote_mps = mps;
0cd75f7e 5259 chan->tx_credits = credits;
f1496dee
JH		 5260 l2cap_chan_ready(chan);
5261 break;
5262
5263 default:
5264 l2cap_chan_del(chan, ECONNREFUSED);
5265 break;
5266 }
5267
5268 l2cap_chan_unlock(chan);
5269
5270unlock:
5271 mutex_unlock(&conn->chan_lock);
5272
5273 return err;
5274}
5275
3300d9a9 5276static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5277 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5278 u8 *data)
3300d9a9
CT		 5279{
5280 int err = 0;
5281
5282 switch (cmd->code) {
5283 case L2CAP_COMMAND_REJ:
cb3b3152 5284 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5285 break;
5286
5287 case L2CAP_CONN_REQ:
cb3b3152 5288 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5289 break;
5290
5291 case L2CAP_CONN_RSP:
f5a2598d 5292 case L2CAP_CREATE_CHAN_RSP:
9245e737 5293 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5294 break;
5295
5296 case L2CAP_CONF_REQ:
5297 err = l2cap_config_req(conn, cmd, cmd_len, data);
5298 break;
5299
5300 case L2CAP_CONF_RSP:
9245e737 5301 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5302 break;
5303
5304 case L2CAP_DISCONN_REQ:
cb3b3152 5305 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5306 break;
5307
5308 case L2CAP_DISCONN_RSP:
9245e737 5309 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5310 break;
5311
5312 case L2CAP_ECHO_REQ:
5313 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5314 break;
5315
5316 case L2CAP_ECHO_RSP:
5317 break;
5318
5319 case L2CAP_INFO_REQ:
cb3b3152 5320 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5321 break;
5322
5323 case L2CAP_INFO_RSP:
9245e737 5324 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5325 break;
5326
f94ff6ff
MM		 5327 case L2CAP_CREATE_CHAN_REQ:
5328 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5329 break;
5330
8d5a04a1
MM		 5331 case L2CAP_MOVE_CHAN_REQ:
5332 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5333 break;
5334
5335 case L2CAP_MOVE_CHAN_RSP:
9245e737 5336 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5337 break;
5338
5339 case L2CAP_MOVE_CHAN_CFM:
5340 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5341 break;
5342
5343 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5344 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5345 break;
5346
3300d9a9
CT		 5347 default:
5348 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5349 err = -EINVAL;
5350 break;
5351 }
5352
5353 return err;
5354}
5355
27e2d4c8
JH		 5356static int l2cap_le_connect_req(struct l2cap_conn *conn,
5357 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5358 u8 *data)
5359{
5360 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5361 struct l2cap_le_conn_rsp rsp;
5362 struct l2cap_chan *chan, *pchan;
0cd75f7e 5363 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5364 __le16 psm;
5365 u8 result;
5366
5367 if (cmd_len != sizeof(*req))
5368 return -EPROTO;
5369
5370 scid = __le16_to_cpu(req->scid);
5371 mtu = __le16_to_cpu(req->mtu);
5372 mps = __le16_to_cpu(req->mps);
5373 psm = req->psm;
5374 dcid = 0;
0cd75f7e 5375 credits = 0;
27e2d4c8
JH		 5376
5377 if (mtu < 23 || mps < 23)
5378 return -EPROTO;
5379
5380 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5381 scid, mtu, mps);
5382
5383 /* Check if we have socket listening on psm */
5384 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5385 &conn->hcon->dst, LE_LINK);
5386 if (!pchan) {
5387 result = L2CAP_CR_BAD_PSM;
5388 chan = NULL;
5389 goto response;
5390 }
5391
5392 mutex_lock(&conn->chan_lock);
5393 l2cap_chan_lock(pchan);
5394
5395 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5396 result = L2CAP_CR_AUTHENTICATION;
5397 chan = NULL;
5398 goto response_unlock;
5399 }
5400
5401 /* Check if we already have channel with that dcid */
5402 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5403 result = L2CAP_CR_NO_MEM;
5404 chan = NULL;
5405 goto response_unlock;
5406 }
5407
5408 chan = pchan->ops->new_connection(pchan);
5409 if (!chan) {
5410 result = L2CAP_CR_NO_MEM;
5411 goto response_unlock;
5412 }
5413
0ce43ce6
JH		 5414 l2cap_le_flowctl_init(chan);
5415
27e2d4c8
JH		 5416 bacpy(&chan->src, &conn->hcon->src);
5417 bacpy(&chan->dst, &conn->hcon->dst);
5418 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5419 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5420 chan->psm = psm;
5421 chan->dcid = scid;
5422 chan->omtu = mtu;
5423 chan->remote_mps = mps;
0cd75f7e 5424 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5425
5426 __l2cap_chan_add(conn, chan);
5427 dcid = chan->scid;
0cd75f7e 5428 credits = chan->rx_credits;
27e2d4c8
JH		 5429
5430 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5431
5432 chan->ident = cmd->ident;
5433
5434 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5435 l2cap_state_change(chan, BT_CONNECT2);
5436 result = L2CAP_CR_PEND;
5437 chan->ops->defer(chan);
5438 } else {
5439 l2cap_chan_ready(chan);
5440 result = L2CAP_CR_SUCCESS;
5441 }
5442
5443response_unlock:
5444 l2cap_chan_unlock(pchan);
5445 mutex_unlock(&conn->chan_lock);
a24cce14 5446 l2cap_chan_put(pchan);
27e2d4c8
JH		 5447
5448 if (result == L2CAP_CR_PEND)
5449 return 0;
5450
5451response:
5452 if (chan) {
5453 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5454 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5455 } else {
5456 rsp.mtu = 0;
5457 rsp.mps = 0;
5458 }
5459
5460 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5461 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5462 rsp.result = cpu_to_le16(result);
5463
5464 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5465
5466 return 0;
5467}
5468
fad5fc89
JH		 5469static inline int l2cap_le_credits(struct l2cap_conn *conn,
5470 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5471 u8 *data)
5472{
5473 struct l2cap_le_credits *pkt;
5474 struct l2cap_chan *chan;
0f1bfe4e 5475 u16 cid, credits, max_credits;
fad5fc89
JH		 5476
5477 if (cmd_len != sizeof(*pkt))
5478 return -EPROTO;
5479
5480 pkt = (struct l2cap_le_credits *) data;
5481 cid = __le16_to_cpu(pkt->cid);
5482 credits = __le16_to_cpu(pkt->credits);
5483
5484 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5485
5486 chan = l2cap_get_chan_by_dcid(conn, cid);
5487 if (!chan)
5488 return -EBADSLT;
5489
0f1bfe4e
JH		 5490 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5491 if (credits > max_credits) {
5492 BT_ERR("LE credits overflow");
5493 l2cap_send_disconn_req(chan, ECONNRESET);
5494
5495 /* Return 0 so that we don't trigger an unnecessary
5496 * command reject packet.
5497 */
5498 return 0;
5499 }
5500
fad5fc89
JH		 5501 chan->tx_credits += credits;
5502
5503 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5504 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5505 chan->tx_credits--;
5506 }
5507
5508 if (chan->tx_credits)
5509 chan->ops->resume(chan);
5510
5511 l2cap_chan_unlock(chan);
5512
5513 return 0;
5514}
5515
71fb4197
JH		 5516static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5517 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5518 u8 *data)
5519{
5520 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5521 struct l2cap_chan *chan;
5522
5523 if (cmd_len < sizeof(*rej))
5524 return -EPROTO;
5525
5526 mutex_lock(&conn->chan_lock);
5527
5528 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5529 if (!chan)
5530 goto done;
5531
5532 l2cap_chan_lock(chan);
5533 l2cap_chan_del(chan, ECONNREFUSED);
5534 l2cap_chan_unlock(chan);
5535
5536done:
5537 mutex_unlock(&conn->chan_lock);
5538 return 0;
5539}
5540
3300d9a9 5541static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5542 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5543 u8 *data)
3300d9a9 5544{
b5ecba64
JH		 5545 int err = 0;
5546
3300d9a9
CT		 5547 switch (cmd->code) {
5548 case L2CAP_COMMAND_REJ:
71fb4197 5549 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5550 break;
3300d9a9
CT		 5551
5552 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5553 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5554 break;
3300d9a9
CT		 5555
5556 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5557 break;
3300d9a9 5558
f1496dee
JH		 5559 case L2CAP_LE_CONN_RSP:
5560 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5561 break;
f1496dee 5562
27e2d4c8 5563 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5564 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5565 break;
27e2d4c8 5566
fad5fc89
JH		 5567 case L2CAP_LE_CREDITS:
5568 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5569 break;
5570
3defe01a 5571 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5572 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5573 break;
3defe01a
JH		 5574
5575 case L2CAP_DISCONN_RSP:
5576 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5577 break;
3defe01a 5578
3300d9a9
CT		 5579 default:
5580 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5581 err = -EINVAL;
5582 break;
3300d9a9 5583 }
b5ecba64
JH		 5584
5585 return err;
3300d9a9
CT		 5586}
5587
c5623556
JH		 5588static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5589 struct sk_buff *skb)
5590{
69c4e4e8 5591 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5592 struct l2cap_cmd_hdr *cmd;
5593 u16 len;
c5623556
JH		 5594 int err;
5595
69c4e4e8 5596 if (hcon->type != LE_LINK)
3b166295 5597 goto drop;
69c4e4e8 5598
4f3e219d
MH		 5599 if (skb->len < L2CAP_CMD_HDR_SIZE)
5600 goto drop;
c5623556 5601
4f3e219d
MH		 5602 cmd = (void *) skb->data;
5603 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5604
4f3e219d 5605 len = le16_to_cpu(cmd->len);
c5623556 5606
4f3e219d 5607 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5608
4f3e219d
MH		 5609 if (len != skb->len || !cmd->ident) {
5610 BT_DBG("corrupted command");
5611 goto drop;
5612 }
c5623556 5613
203e639e 5614 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5615 if (err) {
5616 struct l2cap_cmd_rej_unk rej;
c5623556 5617
4f3e219d 5618 BT_ERR("Wrong link type (%d)", err);
c5623556 5619
dcf4adbf 5620 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5621 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5622 sizeof(rej), &rej);
c5623556
JH		 5623 }
5624
3b166295 5625drop:
c5623556
JH		 5626 kfree_skb(skb);
5627}
5628
3300d9a9 5629static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5630 struct sk_buff *skb)
1da177e4 5631{
69c4e4e8 5632 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5633 u8 *data = skb->data;
5634 int len = skb->len;
5635 struct l2cap_cmd_hdr cmd;
3300d9a9 5636 int err;
1da177e4
LT		 5637
5638 l2cap_raw_recv(conn, skb);
5639
69c4e4e8 5640 if (hcon->type != ACL_LINK)
3b166295 5641 goto drop;
69c4e4e8 5642
1da177e4 5643 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5644 u16 cmd_len;
1da177e4
LT		 5645 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5646 data += L2CAP_CMD_HDR_SIZE;
5647 len -= L2CAP_CMD_HDR_SIZE;
5648
88219a0f 5649 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5650
2d792818
GP		 5651 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5652 cmd.ident);
1da177e4 5653
88219a0f 5654 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5655 BT_DBG("corrupted command");
5656 break;
5657 }
5658
c5623556 5659 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5660 if (err) {
e2fd318e 5661 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5662
5663 BT_ERR("Wrong link type (%d)", err);
1da177e4 5664
dcf4adbf 5665 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5666 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5667 sizeof(rej), &rej);
1da177e4
LT		 5668 }
5669
88219a0f
AV		 5670 data += cmd_len;
5671 len -= cmd_len;
1da177e4
LT		 5672 }
5673
3b166295 5674drop:
1da177e4
LT		 5675 kfree_skb(skb);
5676}
5677
47d1ec61 5678static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5679{
5680 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5681 int hdr_size;
5682
5683 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5684 hdr_size = L2CAP_EXT_HDR_SIZE;
5685 else
5686 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5687
47d1ec61 5688 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5689 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5690 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5691 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5692
5693 if (our_fcs != rcv_fcs)
7a560e5c 5694 return -EBADMSG;
fcc203c3
GP		 5695 }
5696 return 0;
5697}
5698
6ea00485 5699static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5700{
e31f7633 5701 struct l2cap_ctrl control;
d5392c8f 5702
e31f7633 5703 BT_DBG("chan %p", chan);
d5392c8f 5704
e31f7633
MM		 5705 memset(&control, 0, sizeof(control));
5706 control.sframe = 1;
5707 control.final = 1;
5708 control.reqseq = chan->buffer_seq;
5709 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5710
e2ab4353 5711 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5712 control.super = L2CAP_SUPER_RNR;
5713 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5714 }
5715
e31f7633
MM		 5716 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5717 chan->unacked_frames > 0)
5718 __set_retrans_timer(chan);
d5392c8f 5719
e31f7633 5720 /* Send pending iframes */
525cd185 5721 l2cap_ertm_send(chan);
d5392c8f 5722
e2ab4353 5723 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5724 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5725 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5726 * send it now.
5727 */
5728 control.super = L2CAP_SUPER_RR;
5729 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5730 }
5731}
5732
2d792818
GP		 5733static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5734 struct sk_buff **last_frag)
18778a63 5735{
84084a31
MM		 5736 /* skb->len reflects data in skb as well as all fragments
5737 * skb->data_len reflects only data in fragments
5738 */
5739 if (!skb_has_frag_list(skb))
5740 skb_shinfo(skb)->frag_list = new_frag;
5741
5742 new_frag->next = NULL;
5743
5744 (*last_frag)->next = new_frag;
5745 *last_frag = new_frag;
5746
5747 skb->len += new_frag->len;
5748 skb->data_len += new_frag->len;
5749 skb->truesize += new_frag->truesize;
5750}
5751
4b51dae9
MM		 5752static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5753 struct l2cap_ctrl *control)
84084a31
MM		 5754{
5755 int err = -EINVAL;
18778a63 5756
4b51dae9 5757 switch (control->sar) {
7e0ef6ee 5758 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5759 if (chan->sdu)
5760 break;
18778a63 5761
80b98027 5762 err = chan->ops->recv(chan, skb);
84084a31 5763 break;
18778a63 5764
7e0ef6ee 5765 case L2CAP_SAR_START:
84084a31
MM		 5766 if (chan->sdu)
5767 break;
18778a63 5768
6f61fd47 5769 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5770 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5771
84084a31
MM		 5772 if (chan->sdu_len > chan->imtu) {
5773 err = -EMSGSIZE;
5774 break;
5775 }
1890d36b 5776
84084a31
MM		 5777 if (skb->len >= chan->sdu_len)
5778 break;
18778a63 5779
84084a31
MM		 5780 chan->sdu = skb;
5781 chan->sdu_last_frag = skb;
18778a63 5782
84084a31
MM		 5783 skb = NULL;
5784 err = 0;
18778a63
GP		 5785 break;
5786
7e0ef6ee 5787 case L2CAP_SAR_CONTINUE:
6f61fd47 5788 if (!chan->sdu)
84084a31 5789 break;
18778a63 5790
84084a31
MM		 5791 append_skb_frag(chan->sdu, skb,
5792 &chan->sdu_last_frag);
5793 skb = NULL;
18778a63 5794
84084a31
MM		 5795 if (chan->sdu->len >= chan->sdu_len)
5796 break;
4178ba46 5797
84084a31 5798 err = 0;
18778a63
GP		 5799 break;
5800
7e0ef6ee 5801 case L2CAP_SAR_END:
6f61fd47 5802 if (!chan->sdu)
84084a31 5803 break;
18778a63 5804
84084a31
MM		 5805 append_skb_frag(chan->sdu, skb,
5806 &chan->sdu_last_frag);
5807 skb = NULL;
4178ba46 5808
84084a31
MM		 5809 if (chan->sdu->len != chan->sdu_len)
5810 break;
18778a63 5811
80b98027 5812 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5813
84084a31
MM		 5814 if (!err) {
5815 /* Reassembly complete */
5816 chan->sdu = NULL;
5817 chan->sdu_last_frag = NULL;
5818 chan->sdu_len = 0;
1890d36b 5819 }
18778a63
GP		 5820 break;
5821 }
5822
84084a31
MM		 5823 if (err) {
5824 kfree_skb(skb);
5825 kfree_skb(chan->sdu);
5826 chan->sdu = NULL;
5827 chan->sdu_last_frag = NULL;
5828 chan->sdu_len = 0;
5829 }
18778a63 5830
84084a31 5831 return err;
18778a63
GP		 5832}
5833
32b32735
MM		 5834static int l2cap_resegment(struct l2cap_chan *chan)
5835{
5836 /* Placeholder */
5837 return 0;
5838}
5839
61aa4f5b 5840void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5841{
61aa4f5b 5842 u8 event;
712132eb 5843
61aa4f5b
MM		 5844 if (chan->mode != L2CAP_MODE_ERTM)
5845 return;
712132eb 5846
61aa4f5b 5847 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5848 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5849}
5850
d2a7ac5d
MM		 5851static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5852{
63838725
MM		 5853 int err = 0;
5854 /* Pass sequential frames to l2cap_reassemble_sdu()
5855 * until a gap is encountered.
5856 */
5857
5858 BT_DBG("chan %p", chan);
5859
5860 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5861 struct sk_buff *skb;
5862 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5863 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5864
5865 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5866
5867 if (!skb)
5868 break;
5869
5870 skb_unlink(skb, &chan->srej_q);
5871 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5872 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5873 if (err)
5874 break;
5875 }
5876
5877 if (skb_queue_empty(&chan->srej_q)) {
5878 chan->rx_state = L2CAP_RX_STATE_RECV;
5879 l2cap_send_ack(chan);
5880 }
5881
5882 return err;
d2a7ac5d
MM		 5883}
5884
5885static void l2cap_handle_srej(struct l2cap_chan *chan,
5886 struct l2cap_ctrl *control)
5887{
f80842a8
MM		 5888 struct sk_buff *skb;
5889
5890 BT_DBG("chan %p, control %p", chan, control);
5891
5892 if (control->reqseq == chan->next_tx_seq) {
5893 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5894 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5895 return;
5896 }
5897
5898 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5899
5900 if (skb == NULL) {
5901 BT_DBG("Seq %d not available for retransmission",
5902 control->reqseq);
5903 return;
5904 }
5905
5906 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5907 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5908 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5909 return;
5910 }
5911
5912 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5913
5914 if (control->poll) {
5915 l2cap_pass_to_tx(chan, control);
5916
5917 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5918 l2cap_retransmit(chan, control);
5919 l2cap_ertm_send(chan);
5920
5921 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5922 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5923 chan->srej_save_reqseq = control->reqseq;
5924 }
5925 } else {
5926 l2cap_pass_to_tx_fbit(chan, control);
5927
5928 if (control->final) {
5929 if (chan->srej_save_reqseq != control->reqseq ||
5930 !test_and_clear_bit(CONN_SREJ_ACT,
5931 &chan->conn_state))
5932 l2cap_retransmit(chan, control);
5933 } else {
5934 l2cap_retransmit(chan, control);
5935 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5936 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5937 chan->srej_save_reqseq = control->reqseq;
5938 }
5939 }
5940 }
d2a7ac5d
MM		 5941}
5942
5943static void l2cap_handle_rej(struct l2cap_chan *chan,
5944 struct l2cap_ctrl *control)
5945{
fcd289df
MM		 5946 struct sk_buff *skb;
5947
5948 BT_DBG("chan %p, control %p", chan, control);
5949
5950 if (control->reqseq == chan->next_tx_seq) {
5951 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5952 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5953 return;
5954 }
5955
5956 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5957
5958 if (chan->max_tx && skb &&
5959 bt_cb(skb)->control.retries >= chan->max_tx) {
5960 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5961 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5962 return;
5963 }
5964
5965 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5966
5967 l2cap_pass_to_tx(chan, control);
5968
5969 if (control->final) {
5970 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5971 l2cap_retransmit_all(chan, control);
5972 } else {
5973 l2cap_retransmit_all(chan, control);
5974 l2cap_ertm_send(chan);
5975 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5976 set_bit(CONN_REJ_ACT, &chan->conn_state);
5977 }
d2a7ac5d
MM		 5978}
5979
4b51dae9
MM		 5980static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5981{
5982 BT_DBG("chan %p, txseq %d", chan, txseq);
5983
5984 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5985 chan->expected_tx_seq);
5986
5987 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5988 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5989 chan->tx_win) {
4b51dae9
MM		 5990 /* See notes below regarding "double poll" and
5991 * invalid packets.
5992 */
5993 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5994 BT_DBG("Invalid/Ignore - after SREJ");
5995 return L2CAP_TXSEQ_INVALID_IGNORE;
5996 } else {
5997 BT_DBG("Invalid - in window after SREJ sent");
5998 return L2CAP_TXSEQ_INVALID;
5999 }
6000 }
6001
6002 if (chan->srej_list.head == txseq) {
6003 BT_DBG("Expected SREJ");
6004 return L2CAP_TXSEQ_EXPECTED_SREJ;
6005 }
6006
6007 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6008 BT_DBG("Duplicate SREJ - txseq already stored");
6009 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6010 }
6011
6012 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6013 BT_DBG("Unexpected SREJ - not requested");
6014 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6015 }
6016 }
6017
6018 if (chan->expected_tx_seq == txseq) {
6019 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6020 chan->tx_win) {
6021 BT_DBG("Invalid - txseq outside tx window");
6022 return L2CAP_TXSEQ_INVALID;
6023 } else {
6024 BT_DBG("Expected");
6025 return L2CAP_TXSEQ_EXPECTED;
6026 }
6027 }
6028
6029 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6030 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6031 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6032 return L2CAP_TXSEQ_DUPLICATE;
6033 }
6034
6035 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6036 /* A source of invalid packets is a "double poll" condition,
6037 * where delays cause us to send multiple poll packets. If
6038 * the remote stack receives and processes both polls,
6039 * sequence numbers can wrap around in such a way that a
6040 * resent frame has a sequence number that looks like new data
6041 * with a sequence gap. This would trigger an erroneous SREJ
6042 * request.
6043 *
6044 * Fortunately, this is impossible with a tx window that's
6045 * less than half of the maximum sequence number, which allows
6046 * invalid frames to be safely ignored.
6047 *
6048 * With tx window sizes greater than half of the tx window
6049 * maximum, the frame is invalid and cannot be ignored. This
6050 * causes a disconnect.
6051 */
6052
6053 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6054 BT_DBG("Invalid/Ignore - txseq outside tx window");
6055 return L2CAP_TXSEQ_INVALID_IGNORE;
6056 } else {
6057 BT_DBG("Invalid - txseq outside tx window");
6058 return L2CAP_TXSEQ_INVALID;
6059 }
6060 } else {
6061 BT_DBG("Unexpected - txseq indicates missing frames");
6062 return L2CAP_TXSEQ_UNEXPECTED;
6063 }
6064}
6065
d2a7ac5d
MM		 6066static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6067 struct l2cap_ctrl *control,
6068 struct sk_buff *skb, u8 event)
6069{
6070 int err = 0;
941247f9 6071 bool skb_in_use = false;
d2a7ac5d
MM		 6072
6073 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6074 event);
6075
6076 switch (event) {
6077 case L2CAP_EV_RECV_IFRAME:
6078 switch (l2cap_classify_txseq(chan, control->txseq)) {
6079 case L2CAP_TXSEQ_EXPECTED:
6080 l2cap_pass_to_tx(chan, control);
6081
6082 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6083 BT_DBG("Busy, discarding expected seq %d",
6084 control->txseq);
6085 break;
6086 }
6087
6088 chan->expected_tx_seq = __next_seq(chan,
6089 control->txseq);
6090
6091 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6092 skb_in_use = true;
d2a7ac5d
MM		 6093
6094 err = l2cap_reassemble_sdu(chan, skb, control);
6095 if (err)
6096 break;
6097
6098 if (control->final) {
6099 if (!test_and_clear_bit(CONN_REJ_ACT,
6100 &chan->conn_state)) {
6101 control->final = 0;
6102 l2cap_retransmit_all(chan, control);
6103 l2cap_ertm_send(chan);
6104 }
6105 }
6106
6107 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6108 l2cap_send_ack(chan);
6109 break;
6110 case L2CAP_TXSEQ_UNEXPECTED:
6111 l2cap_pass_to_tx(chan, control);
6112
6113 /* Can't issue SREJ frames in the local busy state.
6114 * Drop this frame, it will be seen as missing
6115 * when local busy is exited.
6116 */
6117 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6118 BT_DBG("Busy, discarding unexpected seq %d",
6119 control->txseq);
6120 break;
6121 }
6122
6123 /* There was a gap in the sequence, so an SREJ
6124 * must be sent for each missing frame. The
6125 * current frame is stored for later use.
6126 */
6127 skb_queue_tail(&chan->srej_q, skb);
941247f9 6128 skb_in_use = true;
d2a7ac5d
MM		 6129 BT_DBG("Queued %p (queue len %d)", skb,
6130 skb_queue_len(&chan->srej_q));
6131
6132 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6133 l2cap_seq_list_clear(&chan->srej_list);
6134 l2cap_send_srej(chan, control->txseq);
6135
6136 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6137 break;
6138 case L2CAP_TXSEQ_DUPLICATE:
6139 l2cap_pass_to_tx(chan, control);
6140 break;
6141 case L2CAP_TXSEQ_INVALID_IGNORE:
6142 break;
6143 case L2CAP_TXSEQ_INVALID:
6144 default:
5e4e3972 6145 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6146 break;
6147 }
6148 break;
6149 case L2CAP_EV_RECV_RR:
6150 l2cap_pass_to_tx(chan, control);
6151 if (control->final) {
6152 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6153
e6a3ee6e
MM		 6154 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6155 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6156 control->final = 0;
6157 l2cap_retransmit_all(chan, control);
6158 }
6159
6160 l2cap_ertm_send(chan);
6161 } else if (control->poll) {
6162 l2cap_send_i_or_rr_or_rnr(chan);
6163 } else {
6164 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6165 &chan->conn_state) &&
6166 chan->unacked_frames)
6167 __set_retrans_timer(chan);
6168
6169 l2cap_ertm_send(chan);
6170 }
6171 break;
6172 case L2CAP_EV_RECV_RNR:
6173 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6174 l2cap_pass_to_tx(chan, control);
6175 if (control && control->poll) {
6176 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6177 l2cap_send_rr_or_rnr(chan, 0);
6178 }
6179 __clear_retrans_timer(chan);
6180 l2cap_seq_list_clear(&chan->retrans_list);
6181 break;
6182 case L2CAP_EV_RECV_REJ:
6183 l2cap_handle_rej(chan, control);
6184 break;
6185 case L2CAP_EV_RECV_SREJ:
6186 l2cap_handle_srej(chan, control);
6187 break;
6188 default:
6189 break;
6190 }
6191
6192 if (skb && !skb_in_use) {
6193 BT_DBG("Freeing %p", skb);
6194 kfree_skb(skb);
6195 }
6196
6197 return err;
6198}
6199
6200static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6201 struct l2cap_ctrl *control,
6202 struct sk_buff *skb, u8 event)
6203{
6204 int err = 0;
6205 u16 txseq = control->txseq;
941247f9 6206 bool skb_in_use = false;
d2a7ac5d
MM		 6207
6208 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6209 event);
6210
6211 switch (event) {
6212 case L2CAP_EV_RECV_IFRAME:
6213 switch (l2cap_classify_txseq(chan, txseq)) {
6214 case L2CAP_TXSEQ_EXPECTED:
6215 /* Keep frame for reassembly later */
6216 l2cap_pass_to_tx(chan, control);
6217 skb_queue_tail(&chan->srej_q, skb);
941247f9 6218 skb_in_use = true;
d2a7ac5d
MM		 6219 BT_DBG("Queued %p (queue len %d)", skb,
6220 skb_queue_len(&chan->srej_q));
6221
6222 chan->expected_tx_seq = __next_seq(chan, txseq);
6223 break;
6224 case L2CAP_TXSEQ_EXPECTED_SREJ:
6225 l2cap_seq_list_pop(&chan->srej_list);
6226
6227 l2cap_pass_to_tx(chan, control);
6228 skb_queue_tail(&chan->srej_q, skb);
941247f9 6229 skb_in_use = true;
d2a7ac5d
MM		 6230 BT_DBG("Queued %p (queue len %d)", skb,
6231 skb_queue_len(&chan->srej_q));
6232
6233 err = l2cap_rx_queued_iframes(chan);
6234 if (err)
6235 break;
6236
6237 break;
6238 case L2CAP_TXSEQ_UNEXPECTED:
6239 /* Got a frame that can't be reassembled yet.
6240 * Save it for later, and send SREJs to cover
6241 * the missing frames.
6242 */
6243 skb_queue_tail(&chan->srej_q, skb);
941247f9 6244 skb_in_use = true;
d2a7ac5d
MM		 6245 BT_DBG("Queued %p (queue len %d)", skb,
6246 skb_queue_len(&chan->srej_q));
6247
6248 l2cap_pass_to_tx(chan, control);
6249 l2cap_send_srej(chan, control->txseq);
6250 break;
6251 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6252 /* This frame was requested with an SREJ, but
6253 * some expected retransmitted frames are
6254 * missing. Request retransmission of missing
6255 * SREJ'd frames.
6256 */
6257 skb_queue_tail(&chan->srej_q, skb);
941247f9 6258 skb_in_use = true;
d2a7ac5d
MM		 6259 BT_DBG("Queued %p (queue len %d)", skb,
6260 skb_queue_len(&chan->srej_q));
6261
6262 l2cap_pass_to_tx(chan, control);
6263 l2cap_send_srej_list(chan, control->txseq);
6264 break;
6265 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6266 /* We've already queued this frame. Drop this copy. */
6267 l2cap_pass_to_tx(chan, control);
6268 break;
6269 case L2CAP_TXSEQ_DUPLICATE:
6270 /* Expecting a later sequence number, so this frame
6271 * was already received. Ignore it completely.
6272 */
6273 break;
6274 case L2CAP_TXSEQ_INVALID_IGNORE:
6275 break;
6276 case L2CAP_TXSEQ_INVALID:
6277 default:
5e4e3972 6278 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6279 break;
6280 }
6281 break;
6282 case L2CAP_EV_RECV_RR:
6283 l2cap_pass_to_tx(chan, control);
6284 if (control->final) {
6285 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6286
6287 if (!test_and_clear_bit(CONN_REJ_ACT,
6288 &chan->conn_state)) {
6289 control->final = 0;
6290 l2cap_retransmit_all(chan, control);
6291 }
6292
6293 l2cap_ertm_send(chan);
6294 } else if (control->poll) {
6295 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6296 &chan->conn_state) &&
6297 chan->unacked_frames) {
6298 __set_retrans_timer(chan);
6299 }
6300
6301 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6302 l2cap_send_srej_tail(chan);
6303 } else {
6304 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6305 &chan->conn_state) &&
6306 chan->unacked_frames)
6307 __set_retrans_timer(chan);
6308
6309 l2cap_send_ack(chan);
6310 }
6311 break;
6312 case L2CAP_EV_RECV_RNR:
6313 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6314 l2cap_pass_to_tx(chan, control);
6315 if (control->poll) {
6316 l2cap_send_srej_tail(chan);
6317 } else {
6318 struct l2cap_ctrl rr_control;
6319 memset(&rr_control, 0, sizeof(rr_control));
6320 rr_control.sframe = 1;
6321 rr_control.super = L2CAP_SUPER_RR;
6322 rr_control.reqseq = chan->buffer_seq;
6323 l2cap_send_sframe(chan, &rr_control);
6324 }
6325
6326 break;
6327 case L2CAP_EV_RECV_REJ:
6328 l2cap_handle_rej(chan, control);
6329 break;
6330 case L2CAP_EV_RECV_SREJ:
6331 l2cap_handle_srej(chan, control);
6332 break;
6333 }
6334
6335 if (skb && !skb_in_use) {
6336 BT_DBG("Freeing %p", skb);
6337 kfree_skb(skb);
6338 }
6339
6340 return err;
6341}
6342
32b32735
MM		 6343static int l2cap_finish_move(struct l2cap_chan *chan)
6344{
6345 BT_DBG("chan %p", chan);
6346
6347 chan->rx_state = L2CAP_RX_STATE_RECV;
6348
6349 if (chan->hs_hcon)
6350 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6351 else
6352 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6353
6354 return l2cap_resegment(chan);
6355}
6356
6357static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6358 struct l2cap_ctrl *control,
6359 struct sk_buff *skb, u8 event)
6360{
6361 int err;
6362
6363 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6364 event);
6365
6366 if (!control->poll)
6367 return -EPROTO;
6368
6369 l2cap_process_reqseq(chan, control->reqseq);
6370
6371 if (!skb_queue_empty(&chan->tx_q))
6372 chan->tx_send_head = skb_peek(&chan->tx_q);
6373 else
6374 chan->tx_send_head = NULL;
6375
6376 /* Rewind next_tx_seq to the point expected
6377 * by the receiver.
6378 */
6379 chan->next_tx_seq = control->reqseq;
6380 chan->unacked_frames = 0;
6381
6382 err = l2cap_finish_move(chan);
6383 if (err)
6384 return err;
6385
6386 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6387 l2cap_send_i_or_rr_or_rnr(chan);
6388
6389 if (event == L2CAP_EV_RECV_IFRAME)
6390 return -EPROTO;
6391
6392 return l2cap_rx_state_recv(chan, control, NULL, event);
6393}
6394
6395static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6396 struct l2cap_ctrl *control,
6397 struct sk_buff *skb, u8 event)
6398{
6399 int err;
6400
6401 if (!control->final)
6402 return -EPROTO;
6403
6404 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6405
6406 chan->rx_state = L2CAP_RX_STATE_RECV;
6407 l2cap_process_reqseq(chan, control->reqseq);
6408
6409 if (!skb_queue_empty(&chan->tx_q))
6410 chan->tx_send_head = skb_peek(&chan->tx_q);
6411 else
6412 chan->tx_send_head = NULL;
6413
6414 /* Rewind next_tx_seq to the point expected
6415 * by the receiver.
6416 */
6417 chan->next_tx_seq = control->reqseq;
6418 chan->unacked_frames = 0;
6419
6420 if (chan->hs_hcon)
6421 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6422 else
6423 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6424
6425 err = l2cap_resegment(chan);
6426
6427 if (!err)
6428 err = l2cap_rx_state_recv(chan, control, skb, event);
6429
6430 return err;
6431}
6432
d2a7ac5d
MM		 6433static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6434{
6435 /* Make sure reqseq is for a packet that has been sent but not acked */
6436 u16 unacked;
6437
6438 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6439 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6440}
6441
cec8ab6e
MM		 6442static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6443 struct sk_buff *skb, u8 event)
218bb9df 6444{
d2a7ac5d
MM		 6445 int err = 0;
6446
6447 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6448 control, skb, event, chan->rx_state);
6449
6450 if (__valid_reqseq(chan, control->reqseq)) {
6451 switch (chan->rx_state) {
6452 case L2CAP_RX_STATE_RECV:
6453 err = l2cap_rx_state_recv(chan, control, skb, event);
6454 break;
6455 case L2CAP_RX_STATE_SREJ_SENT:
6456 err = l2cap_rx_state_srej_sent(chan, control, skb,
6457 event);
6458 break;
32b32735
MM		 6459 case L2CAP_RX_STATE_WAIT_P:
6460 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6461 break;
6462 case L2CAP_RX_STATE_WAIT_F:
6463 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6464 break;
d2a7ac5d
MM		 6465 default:
6466 /* shut it down */
6467 break;
6468 }
6469 } else {
6470 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6471 control->reqseq, chan->next_tx_seq,
6472 chan->expected_ack_seq);
5e4e3972 6473 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6474 }
6475
6476 return err;
cec8ab6e
MM		 6477}
6478
6479static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6480 struct sk_buff *skb)
6481{
4b51dae9
MM		 6482 int err = 0;
6483
6484 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6485 chan->rx_state);
6486
6487 if (l2cap_classify_txseq(chan, control->txseq) ==
6488 L2CAP_TXSEQ_EXPECTED) {
6489 l2cap_pass_to_tx(chan, control);
6490
6491 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6492 __next_seq(chan, chan->buffer_seq));
6493
6494 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6495
6496 l2cap_reassemble_sdu(chan, skb, control);
6497 } else {
6498 if (chan->sdu) {
6499 kfree_skb(chan->sdu);
6500 chan->sdu = NULL;
6501 }
6502 chan->sdu_last_frag = NULL;
6503 chan->sdu_len = 0;
6504
6505 if (skb) {
6506 BT_DBG("Freeing %p", skb);
6507 kfree_skb(skb);
6508 }
6509 }
6510
6511 chan->last_acked_seq = control->txseq;
6512 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6513
6514 return err;
cec8ab6e
MM		 6515}
6516
6517static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6518{
6519 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6520 u16 len;
6521 u8 event;
218bb9df 6522
b76bbd66
MM		 6523 __unpack_control(chan, skb);
6524
218bb9df
GP		 6525 len = skb->len;
6526
6527 /*
6528 * We can just drop the corrupted I-frame here.
6529 * Receiver will miss it and start proper recovery
cec8ab6e 6530 * procedures and ask for retransmission.
218bb9df 6531 */
47d1ec61 6532 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6533 goto drop;
6534
cec8ab6e 6535 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6536 len -= L2CAP_SDULEN_SIZE;
218bb9df 6537
47d1ec61 6538 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6539 len -= L2CAP_FCS_SIZE;
218bb9df 6540
47d1ec61 6541 if (len > chan->mps) {
5e4e3972 6542 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6543 goto drop;
6544 }
6545
cec8ab6e
MM		 6546 if (!control->sframe) {
6547 int err;
218bb9df 6548
cec8ab6e
MM		 6549 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6550 control->sar, control->reqseq, control->final,
6551 control->txseq);
218bb9df 6552
cec8ab6e
MM		 6553 /* Validate F-bit - F=0 always valid, F=1 only
6554 * valid in TX WAIT_F
6555 */
6556 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6557 goto drop;
cec8ab6e
MM		 6558
6559 if (chan->mode != L2CAP_MODE_STREAMING) {
6560 event = L2CAP_EV_RECV_IFRAME;
6561 err = l2cap_rx(chan, control, skb, event);
6562 } else {
6563 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6564 }
6565
cec8ab6e 6566 if (err)
5e4e3972 6567 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6568 } else {
cec8ab6e
MM		 6569 const u8 rx_func_to_event[4] = {
6570 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6571 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6572 };
6573
6574 /* Only I-frames are expected in streaming mode */
6575 if (chan->mode == L2CAP_MODE_STREAMING)
6576 goto drop;
6577
6578 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6579 control->reqseq, control->final, control->poll,
6580 control->super);
6581
218bb9df 6582 if (len != 0) {
1bb166e6 6583 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6584 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6585 goto drop;
6586 }
6587
cec8ab6e
MM		 6588 /* Validate F and P bits */
6589 if (control->final && (control->poll ||
6590 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6591 goto drop;
6592
6593 event = rx_func_to_event[control->super];
6594 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6595 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6596 }
6597
6598 return 0;
6599
6600drop:
6601 kfree_skb(skb);
6602 return 0;
6603}
6604
b1c325c2
JH		 6605static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6606{
6607 struct l2cap_conn *conn = chan->conn;
6608 struct l2cap_le_credits pkt;
6609 u16 return_credits;
6610
6611 /* We return more credits to the sender only after the amount of
6612 * credits falls below half of the initial amount.
6613 */
f15b8ecf 6614 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6615 return;
6616
f15b8ecf 6617 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6618
6619 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6620
6621 chan->rx_credits += return_credits;
6622
6623 pkt.cid = cpu_to_le16(chan->scid);
6624 pkt.credits = cpu_to_le16(return_credits);
6625
6626 chan->ident = l2cap_get_ident(conn);
6627
6628 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6629}
6630
fad5fc89
JH		 6631static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6632{
aac23bf6
JH		 6633 int err;
6634
6635 if (!chan->rx_credits) {
6636 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6637 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6638 return -ENOBUFS;
aac23bf6 6639 }
fad5fc89 6640
aac23bf6
JH		 6641 if (chan->imtu < skb->len) {
6642 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6643 return -ENOBUFS;
aac23bf6 6644 }
fad5fc89
JH		 6645
6646 chan->rx_credits--;
6647 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6648
6649 l2cap_chan_le_send_credits(chan);
6650
aac23bf6
JH		 6651 err = 0;
6652
6653 if (!chan->sdu) {
6654 u16 sdu_len;
6655
6656 sdu_len = get_unaligned_le16(skb->data);
6657 skb_pull(skb, L2CAP_SDULEN_SIZE);
6658
6659 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6660 sdu_len, skb->len, chan->imtu);
6661
6662 if (sdu_len > chan->imtu) {
6663 BT_ERR("Too big LE L2CAP SDU length received");
6664 err = -EMSGSIZE;
6665 goto failed;
6666 }
6667
6668 if (skb->len > sdu_len) {
6669 BT_ERR("Too much LE L2CAP data received");
6670 err = -EINVAL;
6671 goto failed;
6672 }
6673
6674 if (skb->len == sdu_len)
6675 return chan->ops->recv(chan, skb);
6676
6677 chan->sdu = skb;
6678 chan->sdu_len = sdu_len;
6679 chan->sdu_last_frag = skb;
6680
6681 return 0;
6682 }
6683
6684 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6685 chan->sdu->len, skb->len, chan->sdu_len);
6686
6687 if (chan->sdu->len + skb->len > chan->sdu_len) {
6688 BT_ERR("Too much LE L2CAP data received");
6689 err = -EINVAL;
6690 goto failed;
6691 }
6692
6693 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6694 skb = NULL;
6695
6696 if (chan->sdu->len == chan->sdu_len) {
6697 err = chan->ops->recv(chan, chan->sdu);
6698 if (!err) {
6699 chan->sdu = NULL;
6700 chan->sdu_last_frag = NULL;
6701 chan->sdu_len = 0;
6702 }
6703 }
6704
6705failed:
6706 if (err) {
6707 kfree_skb(skb);
6708 kfree_skb(chan->sdu);
6709 chan->sdu = NULL;
6710 chan->sdu_last_frag = NULL;
6711 chan->sdu_len = 0;
6712 }
6713
6714 /* We can't return an error here since we took care of the skb
6715 * freeing internally. An error return would cause the caller to
6716 * do a double-free of the skb.
6717 */
6718 return 0;
fad5fc89
JH		 6719}
6720
13ca56e0
AE		 6721static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6722 struct sk_buff *skb)
1da177e4 6723{
48454079 6724 struct l2cap_chan *chan;
1da177e4 6725
baa7e1fa 6726 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6727 if (!chan) {
97e8e89d
AE		 6728 if (cid == L2CAP_CID_A2MP) {
6729 chan = a2mp_channel_create(conn, skb);
6730 if (!chan) {
6731 kfree_skb(skb);
13ca56e0 6732 return;
97e8e89d
AE		 6733 }
6734
6735 l2cap_chan_lock(chan);
6736 } else {
6737 BT_DBG("unknown cid 0x%4.4x", cid);
6738 /* Drop packet and return */
6739 kfree_skb(skb);
13ca56e0 6740 return;
97e8e89d 6741 }
1da177e4
LT		 6742 }
6743
49208c9c 6744 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6745
89bc500e 6746 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6747 goto drop;
6748
0c1bc5c6 6749 switch (chan->mode) {
38319713 6750 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6751 if (l2cap_le_data_rcv(chan, skb) < 0)
6752 goto drop;
6753
6754 goto done;
6755
1c2acffb
GP		 6756 case L2CAP_MODE_BASIC:
6757 /* If socket recv buffers overflows we drop data here
6758 * which is *bad* because L2CAP has to be reliable.
6759 * But we don't have any other choice. L2CAP doesn't
6760 * provide flow control mechanism. */
1da177e4 6761
2c96e03d
SJ		 6762 if (chan->imtu < skb->len) {
6763 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6764 goto drop;
2c96e03d 6765 }
1da177e4 6766
80b98027 6767 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6768 goto done;
6769 break;
6770
6771 case L2CAP_MODE_ERTM:
6840ed07 6772 case L2CAP_MODE_STREAMING:
cec8ab6e 6773 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6774 goto done;
6775
1c2acffb 6776 default:
0c1bc5c6 6777 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6778 break;
6779 }
1da177e4
LT		 6780
6781drop:
6782 kfree_skb(skb);
6783
6784done:
6be36555 6785 l2cap_chan_unlock(chan);
1da177e4
LT		 6786}
6787
84104b24
AE		 6788static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6789 struct sk_buff *skb)
1da177e4 6790{
ae4fd2d3 6791 struct hci_conn *hcon = conn->hcon;
23691d75 6792 struct l2cap_chan *chan;
1da177e4 6793
ae4fd2d3 6794 if (hcon->type != ACL_LINK)
a24cce14 6795 goto free_skb;
ae4fd2d3 6796
bf20fd4e
JH		 6797 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6798 ACL_LINK);
23691d75 6799 if (!chan)
a24cce14 6800 goto free_skb;
1da177e4 6801
5b4cedaa 6802 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6803
89bc500e 6804 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6805 goto drop;
6806
e13e21dc 6807 if (chan->imtu < skb->len)
1da177e4
LT		 6808 goto drop;
6809
2edf870d 6810 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6811 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6812 bt_cb(skb)->psm = psm;
6813
a24cce14
JH		 6814 if (!chan->ops->recv(chan, skb)) {
6815 l2cap_chan_put(chan);
84104b24 6816 return;
a24cce14 6817 }
1da177e4
LT		 6818
6819drop:
a24cce14
JH		 6820 l2cap_chan_put(chan);
6821free_skb:
1da177e4 6822 kfree_skb(skb);
1da177e4
LT		 6823}
6824
6825static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6826{
6827 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6828 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6829 u16 cid, len;
6830 __le16 psm;
1da177e4 6831
61a939c6
JH		 6832 if (hcon->state != BT_CONNECTED) {
6833 BT_DBG("queueing pending rx skb");
6834 skb_queue_tail(&conn->pending_rx, skb);
6835 return;
6836 }
6837
1da177e4
LT		 6838 skb_pull(skb, L2CAP_HDR_SIZE);
6839 cid = __le16_to_cpu(lh->cid);
6840 len = __le16_to_cpu(lh->len);
6841
1c2acffb
GP		 6842 if (len != skb->len) {
6843 kfree_skb(skb);
6844 return;
6845 }
6846
9e1d7e15
JH		 6847 /* Since we can't actively block incoming LE connections we must
6848 * at least ensure that we ignore incoming data from them.
6849 */
6850 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6851 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6852 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6853 kfree_skb(skb);
6854 return;
6855 }
6856
1da177e4
LT		 6857 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6858
6859 switch (cid) {
8db4dc46 6860 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6861 l2cap_sig_channel(conn, skb);
6862 break;
6863
8db4dc46 6864 case L2CAP_CID_CONN_LESS:
097db76c 6865 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6866 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6867 l2cap_conless_channel(conn, psm, skb);
6868 break;
6869
a2877629
MH		 6870 case L2CAP_CID_LE_SIGNALING:
6871 l2cap_le_sig_channel(conn, skb);
6872 break;
6873
1da177e4
LT		 6874 default:
6875 l2cap_data_channel(conn, cid, skb);
6876 break;
6877 }
6878}
6879
61a939c6
JH		 6880static void process_pending_rx(struct work_struct *work)
6881{
6882 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6883 pending_rx_work);
6884 struct sk_buff *skb;
6885
6886 BT_DBG("");
6887
6888 while ((skb = skb_dequeue(&conn->pending_rx)))
6889 l2cap_recv_frame(conn, skb);
6890}
6891
162b49e7
JH		 6892static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6893{
6894 struct l2cap_conn *conn = hcon->l2cap_data;
6895 struct hci_chan *hchan;
6896
6897 if (conn)
6898 return conn;
6899
6900 hchan = hci_chan_create(hcon);
6901 if (!hchan)
6902 return NULL;
6903
27f70f3e 6904 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6905 if (!conn) {
6906 hci_chan_del(hchan);
6907 return NULL;
6908 }
6909
6910 kref_init(&conn->ref);
6911 hcon->l2cap_data = conn;
51bb8457 6912 conn->hcon = hci_conn_get(hcon);
162b49e7
JH		 6913 conn->hchan = hchan;
6914
6915 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6916
6917 switch (hcon->type) {
6918 case LE_LINK:
6919 if (hcon->hdev->le_mtu) {
6920 conn->mtu = hcon->hdev->le_mtu;
6921 break;
6922 }
6923 /* fall through */
6924 default:
6925 conn->mtu = hcon->hdev->acl_mtu;
6926 break;
6927 }
6928
6929 conn->feat_mask = 0;
6930
6931 if (hcon->type == ACL_LINK)
6932 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6933 &hcon->hdev->dev_flags);
6934
5a54e7c8 6935 mutex_init(&conn->ident_lock);
162b49e7
JH		 6936 mutex_init(&conn->chan_lock);
6937
6938 INIT_LIST_HEAD(&conn->chan_l);
6939 INIT_LIST_HEAD(&conn->users);
6940
276d8073 6941 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6942
dec5b492
JH		 6943 INIT_WORK(&conn->disconn_work, disconn_work);
6944
61a939c6
JH		 6945 skb_queue_head_init(&conn->pending_rx);
6946 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6947
162b49e7
JH		 6948 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6949
6950 return conn;
6951}
6952
6953static bool is_valid_psm(u16 psm, u8 dst_type) {
6954 if (!psm)
6955 return false;
6956
6957 if (bdaddr_type_is_le(dst_type))
6958 return (psm <= 0x00ff);
6959
6960 /* PSM must be odd and lsb of upper byte must be 0 */
6961 return ((psm & 0x0101) == 0x0001);
6962}
6963
6964int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6965 bdaddr_t *dst, u8 dst_type)
6966{
6967 struct l2cap_conn *conn;
6968 struct hci_conn *hcon;
6969 struct hci_dev *hdev;
162b49e7
JH		 6970 int err;
6971
6972 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6973 dst_type, __le16_to_cpu(psm));
6974
6975 hdev = hci_get_route(dst, &chan->src);
6976 if (!hdev)
6977 return -EHOSTUNREACH;
6978
6979 hci_dev_lock(hdev);
6980
6981 l2cap_chan_lock(chan);
6982
6983 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6984 chan->chan_type != L2CAP_CHAN_RAW) {
6985 err = -EINVAL;
6986 goto done;
6987 }
6988
21626e62
JH		 6989 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6990 err = -EINVAL;
6991 goto done;
6992 }
6993
6994 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6995 err = -EINVAL;
6996 goto done;
6997 }
6998
6999 switch (chan->mode) {
7000 case L2CAP_MODE_BASIC:
7001 break;
7002 case L2CAP_MODE_LE_FLOWCTL:
7003 l2cap_le_flowctl_init(chan);
7004 break;
7005 case L2CAP_MODE_ERTM:
7006 case L2CAP_MODE_STREAMING:
7007 if (!disable_ertm)
7008 break;
7009 /* fall through */
7010 default:
beb19e4c 7011 err = -EOPNOTSUPP;
162b49e7
JH		 7012 goto done;
7013 }
7014
7015 switch (chan->state) {
7016 case BT_CONNECT:
7017 case BT_CONNECT2:
7018 case BT_CONFIG:
7019 /* Already connecting */
7020 err = 0;
7021 goto done;
7022
7023 case BT_CONNECTED:
7024 /* Already connected */
7025 err = -EISCONN;
7026 goto done;
7027
7028 case BT_OPEN:
7029 case BT_BOUND:
7030 /* Can connect */
7031 break;
7032
7033 default:
7034 err = -EBADFD;
7035 goto done;
7036 }
7037
7038 /* Set destination address and psm */
7039 bacpy(&chan->dst, dst);
7040 chan->dst_type = dst_type;
7041
7042 chan->psm = psm;
7043 chan->dcid = cid;
7044
6f77d8c7 7045 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7046 u8 role;
cdd6275e 7047
6f77d8c7
AG		 7048 /* Convert from L2CAP channel address type to HCI address type
7049 */
7050 if (dst_type == BDADDR_LE_PUBLIC)
7051 dst_type = ADDR_LE_DEV_PUBLIC;
7052 else
7053 dst_type = ADDR_LE_DEV_RANDOM;
7054
e804d25d
JH		 7055 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7056 role = HCI_ROLE_SLAVE;
7057 else
7058 role = HCI_ROLE_MASTER;
cdd6275e 7059
04a6c589 7060 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7061 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7062 } else {
d93375a8 7063 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7064 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7065 }
162b49e7
JH		 7066
7067 if (IS_ERR(hcon)) {
7068 err = PTR_ERR(hcon);
7069 goto done;
7070 }
7071
7072 conn = l2cap_conn_add(hcon);
7073 if (!conn) {
7074 hci_conn_drop(hcon);
7075 err = -ENOMEM;
7076 goto done;
7077 }
7078
7079 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7080 hci_conn_drop(hcon);
7081 err = -EBUSY;
7082 goto done;
7083 }
7084
7085 /* Update source addr of the socket */
7086 bacpy(&chan->src, &hcon->src);
7087 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7088
162b49e7 7089 l2cap_chan_add(conn, chan);
162b49e7
JH		 7090
7091 /* l2cap_chan_add takes its own ref so we can drop this one */
7092 hci_conn_drop(hcon);
7093
7094 l2cap_state_change(chan, BT_CONNECT);
7095 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7096
61202e4d
JH		 7097 /* Release chan->sport so that it can be reused by other
7098 * sockets (as it's only used for listening sockets).
7099 */
7100 write_lock(&chan_list_lock);
7101 chan->sport = 0;
7102 write_unlock(&chan_list_lock);
7103
162b49e7
JH		 7104 if (hcon->state == BT_CONNECTED) {
7105 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7106 __clear_chan_timer(chan);
e7cafc45 7107 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7108 l2cap_state_change(chan, BT_CONNECTED);
7109 } else
7110 l2cap_do_start(chan);
7111 }
7112
7113 err = 0;
7114
7115done:
7116 l2cap_chan_unlock(chan);
7117 hci_dev_unlock(hdev);
7118 hci_dev_put(hdev);
7119 return err;
7120}
6b8d4a6a 7121EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7122
1da177e4
LT		 7123/* ---- L2CAP interface with lower layer (HCI) ---- */
7124
686ebf28 7125int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7126{
7127 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7128 struct l2cap_chan *c;
1da177e4 7129
6ed93dc6 7130 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7131
7132 /* Find listening sockets and check their link_mode */
23691d75
GP		 7133 read_lock(&chan_list_lock);
7134 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7135 if (c->state != BT_LISTEN)
1da177e4
LT		 7136 continue;
7137
7eafc59e 7138 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7139 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7140 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7141 lm1 |= HCI_LM_MASTER;
1da177e4 7142 exact++;
7eafc59e 7143 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7144 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7145 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7146 lm2 |= HCI_LM_MASTER;
7147 }
1da177e4 7148 }
23691d75 7149 read_unlock(&chan_list_lock);
1da177e4
LT		 7150
7151 return exact ? lm1 : lm2;
7152}
7153
e760ec12
JH		 7154/* Find the next fixed channel in BT_LISTEN state, continue iteration
7155 * from an existing channel in the list or from the beginning of the
7156 * global list (by passing NULL as first parameter).
7157 */
7158static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7159 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7160{
7161 read_lock(&chan_list_lock);
7162
7163 if (c)
7164 c = list_next_entry(c, global_l);
7165 else
7166 c = list_entry(chan_list.next, typeof(*c), global_l);
7167
7168 list_for_each_entry_from(c, &chan_list, global_l) {
7169 if (c->chan_type != L2CAP_CHAN_FIXED)
7170 continue;
7171 if (c->state != BT_LISTEN)
7172 continue;
7173 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7174 continue;
54a1b626
JH		 7175 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7176 continue;
7177 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7178 continue;
e760ec12
JH		 7179
7180 l2cap_chan_hold(c);
7181 read_unlock(&chan_list_lock);
7182 return c;
7183 }
7184
7185 read_unlock(&chan_list_lock);
7186
7187 return NULL;
7188}
7189
9e664631 7190void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7191{
e760ec12 7192 struct hci_dev *hdev = hcon->hdev;
0139418c 7193 struct l2cap_conn *conn;
e760ec12
JH		 7194 struct l2cap_chan *pchan;
7195 u8 dst_type;
0139418c 7196
6ed93dc6 7197 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7198
dc0f5088 7199 if (status) {
e175072f 7200 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7201 return;
ba6fc317 7202 }
dc0f5088
JH		 7203
7204 conn = l2cap_conn_add(hcon);
7205 if (!conn)
7206 return;
7207
e760ec12
JH		 7208 dst_type = bdaddr_type(hcon, hcon->dst_type);
7209
7210 /* If device is blocked, do not create channels for it */
7211 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7212 return;
7213
7214 /* Find fixed channels and notify them of the new connection. We
7215 * use multiple individual lookups, continuing each time where
7216 * we left off, because the list lock would prevent calling the
7217 * potentially sleeping l2cap_chan_lock() function.
7218 */
54a1b626 7219 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7220 while (pchan) {
7221 struct l2cap_chan *chan, *next;
7222
7223 /* Client fixed channels should override server ones */
7224 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7225 goto next;
7226
7227 l2cap_chan_lock(pchan);
7228 chan = pchan->ops->new_connection(pchan);
7229 if (chan) {
7230 bacpy(&chan->src, &hcon->src);
7231 bacpy(&chan->dst, &hcon->dst);
7232 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7233 chan->dst_type = dst_type;
7234
7235 __l2cap_chan_add(conn, chan);
7236 }
7237
7238 l2cap_chan_unlock(pchan);
7239next:
54a1b626
JH		 7240 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7241 hcon->type);
e760ec12
JH		 7242 l2cap_chan_put(pchan);
7243 pchan = next;
7244 }
7245
dc0f5088 7246 l2cap_conn_ready(conn);
1da177e4
LT		 7247}
7248
686ebf28 7249int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7250{
7251 struct l2cap_conn *conn = hcon->l2cap_data;
7252
7253 BT_DBG("hcon %p", hcon);
7254
686ebf28 7255 if (!conn)
9f5a0d7b 7256 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7257 return conn->disc_reason;
7258}
7259
9e664631 7260void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7261{
7262 BT_DBG("hcon %p reason %d", hcon, reason);
7263
e175072f 7264 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7265}
7266
4343478f 7267static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7268{
715ec005 7269 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7270 return;
7271
f62e4323 7272 if (encrypt == 0x00) {
4343478f 7273 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7274 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7275 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7276 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7277 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7278 } else {
4343478f 7279 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7280 __clear_chan_timer(chan);
f62e4323
MH		 7281 }
7282}
7283
686ebf28 7284int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7285{
0139418c 7286 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7287 struct l2cap_chan *chan;
1da177e4 7288
0139418c 7289 if (!conn)
1da177e4 7290 return 0;
0139418c 7291
89d8b407 7292 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7293
3df91ea2 7294 mutex_lock(&conn->chan_lock);
1da177e4 7295
3df91ea2 7296 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7297 l2cap_chan_lock(chan);
1da177e4 7298
89d8b407
AE		 7299 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7300 state_to_string(chan->state));
f1cb9af5 7301
2338a7e0 7302 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7303 l2cap_chan_unlock(chan);
7304 continue;
7305 }
7306
191eb398
JH		 7307 if (!status && encrypt)
7308 chan->sec_level = hcon->sec_level;
f1cb9af5 7309
96eff46e 7310 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7311 l2cap_chan_unlock(chan);
6a8d3010
MH		 7312 continue;
7313 }
7314
89bc500e 7315 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7316 chan->state == BT_CONFIG)) {
d97c899b 7317 chan->ops->resume(chan);
4343478f 7318 l2cap_check_encryption(chan, encrypt);
6be36555 7319 l2cap_chan_unlock(chan);
9719f8af
MH		 7320 continue;
7321 }
7322
89bc500e 7323 if (chan->state == BT_CONNECT) {
6d3c15da 7324 if (!status)
93c3e8f5 7325 l2cap_start_connection(chan);
6d3c15da 7326 else
ba13ccd9 7327 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7328 } else if (chan->state == BT_CONNECT2) {
b1235d79 7329 struct l2cap_conn_rsp rsp;
df3c3931 7330 __u16 res, stat;
1da177e4 7331
b1235d79 7332 if (!status) {
bdc25783 7333 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7334 res = L2CAP_CR_PEND;
7335 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7336 chan->ops->defer(chan);
df3c3931 7337 } else {
acdcabf5 7338 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7339 res = L2CAP_CR_SUCCESS;
7340 stat = L2CAP_CS_NO_INFO;
7341 }
b1235d79 7342 } else {
acdcabf5 7343 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7344 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7345 res = L2CAP_CR_SEC_BLOCK;
7346 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7347 }
7348
fe4128e0
GP		 7349 rsp.scid = cpu_to_le16(chan->dcid);
7350 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7351 rsp.result = cpu_to_le16(res);
7352 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7353 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7354 sizeof(rsp), &rsp);
2d369359
MM		 7355
7356 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7357 res == L2CAP_CR_SUCCESS) {
7358 char buf[128];
7359 set_bit(CONF_REQ_SENT, &chan->conf_state);
7360 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7361 L2CAP_CONF_REQ,
7362 l2cap_build_conf_req(chan, buf),
7363 buf);
7364 chan->num_conf_req++;
7365 }
b1235d79 7366 }
1da177e4 7367
6be36555 7368 l2cap_chan_unlock(chan);
1da177e4
LT		 7369 }
7370
3df91ea2 7371 mutex_unlock(&conn->chan_lock);
b1235d79 7372
1da177e4
LT		 7373 return 0;
7374}
7375
686ebf28 7376int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7377{
7378 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7379 struct l2cap_hdr *hdr;
7380 int len;
1da177e4 7381
1d13a254
AE		 7382 /* For AMP controller do not create l2cap conn */
7383 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7384 goto drop;
1da177e4 7385
5a08ecce 7386 if (!conn)
baf43251 7387 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7388
7389 if (!conn)
1da177e4
LT		 7390 goto drop;
7391
7392 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7393
d73a0988
AE		 7394 switch (flags) {
7395 case ACL_START:
7396 case ACL_START_NO_FLUSH:
7397 case ACL_COMPLETE:
1da177e4
LT		 7398 if (conn->rx_len) {
7399 BT_ERR("Unexpected start frame (len %d)", skb->len);
7400 kfree_skb(conn->rx_skb);
7401 conn->rx_skb = NULL;
7402 conn->rx_len = 0;
7403 l2cap_conn_unreliable(conn, ECOMM);
7404 }
7405
aae7fe22
AE		 7406 /* Start fragment always begin with Basic L2CAP header */
7407 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7408 BT_ERR("Frame is too short (len %d)", skb->len);
7409 l2cap_conn_unreliable(conn, ECOMM);
7410 goto drop;
7411 }
7412
7413 hdr = (struct l2cap_hdr *) skb->data;
7414 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7415
7416 if (len == skb->len) {
7417 /* Complete frame received */
7418 l2cap_recv_frame(conn, skb);
7419 return 0;
7420 }
7421
7422 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7423
7424 if (skb->len > len) {
7425 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7426 skb->len, len);
1da177e4
LT		 7427 l2cap_conn_unreliable(conn, ECOMM);
7428 goto drop;
7429 }
7430
7431 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7432 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7433 if (!conn->rx_skb)
1da177e4
LT		 7434 goto drop;
7435
d626f62b 7436 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7437 skb->len);
1da177e4 7438 conn->rx_len = len - skb->len;
d73a0988
AE		 7439 break;
7440
7441 case ACL_CONT:
1da177e4
LT		 7442 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7443
7444 if (!conn->rx_len) {
7445 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7446 l2cap_conn_unreliable(conn, ECOMM);
7447 goto drop;
7448 }
7449
7450 if (skb->len > conn->rx_len) {
7451 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7452 skb->len, conn->rx_len);
1da177e4
LT		 7453 kfree_skb(conn->rx_skb);
7454 conn->rx_skb = NULL;
7455 conn->rx_len = 0;
7456 l2cap_conn_unreliable(conn, ECOMM);
7457 goto drop;
7458 }
7459
d626f62b 7460 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7461 skb->len);
1da177e4
LT		 7462 conn->rx_len -= skb->len;
7463
7464 if (!conn->rx_len) {
c4e5bafa
JH		 7465 /* Complete frame received. l2cap_recv_frame
7466 * takes ownership of the skb so set the global
7467 * rx_skb pointer to NULL first.
7468 */
7469 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7470 conn->rx_skb = NULL;
c4e5bafa 7471 l2cap_recv_frame(conn, rx_skb);
1da177e4 7472 }
d73a0988 7473 break;
1da177e4
LT		 7474 }
7475
7476drop:
7477 kfree_skb(skb);
7478 return 0;
7479}
7480
aef7d97c 7481static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7482{
23691d75 7483 struct l2cap_chan *c;
1da177e4 7484
333055f2 7485 read_lock(&chan_list_lock);
1da177e4 7486
23691d75 7487 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7488 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7489 &c->src, &c->dst,
fcb73338
AE		 7490 c->state, __le16_to_cpu(c->psm),
7491 c->scid, c->dcid, c->imtu, c->omtu,
7492 c->sec_level, c->mode);
61e1b4b7 7493 }
1da177e4 7494
333055f2 7495 read_unlock(&chan_list_lock);
1da177e4 7496
aef7d97c 7497 return 0;
1da177e4
LT		 7498}
7499
aef7d97c
MH		 7500static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7501{
7502 return single_open(file, l2cap_debugfs_show, inode->i_private);
7503}
7504
7505static const struct file_operations l2cap_debugfs_fops = {
7506 .open = l2cap_debugfs_open,
7507 .read = seq_read,
7508 .llseek = seq_lseek,
7509 .release = single_release,
7510};
7511
7512static struct dentry *l2cap_debugfs;
1da177e4 7513
64274518 7514int __init l2cap_init(void)
1da177e4
LT		 7515{
7516 int err;
be9d1227 7517
bb58f747 7518 err = l2cap_init_sockets();
1da177e4
LT		 7519 if (err < 0)
7520 return err;
7521
1120e4bf
MH		 7522 if (IS_ERR_OR_NULL(bt_debugfs))
7523 return 0;
7524
7525 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7526 NULL, &l2cap_debugfs_fops);
1da177e4 7527
40b9397a 7528 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7529 &le_max_credits);
40b9397a 7530 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7531 &le_default_mps);
7532
1da177e4 7533 return 0;
1da177e4
LT		 7534}
7535
64274518 7536void l2cap_exit(void)
1da177e4 7537{
aef7d97c 7538 debugfs_remove(l2cap_debugfs);
bb58f747 7539 l2cap_cleanup_sockets();
1da177e4
LT		 7540}
7541
d1c4a17d
GP		 7542module_param(disable_ertm, bool, 0644);
7543MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 2.387858 seconds and 5 git commands to generate.