projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
put iov_iter into msghdr
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
ff714119
JH		 427 /* Set default lock nesting level */
428 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
429
333055f2 430 write_lock(&chan_list_lock);
23691d75 431 list_add(&chan->global_l, &chan_list);
333055f2 432 write_unlock(&chan_list_lock);
23691d75 433
721c4181 434 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 435
89bc500e
GP		 436 chan->state = BT_OPEN;
437
144ad330 438 kref_init(&chan->kref);
71ba0e56 439
2827011f
MM		 440 /* This flag is cleared in l2cap_chan_ready() */
441 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
442
eef1d9b6 443 BT_DBG("chan %p", chan);
abc545b8 444
48454079
GP		 445 return chan;
446}
6b8d4a6a 447EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 448
144ad330 449static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 450{
144ad330
SS		 451 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
452
4af66c69
JK		 453 BT_DBG("chan %p", chan);
454
333055f2 455 write_lock(&chan_list_lock);
23691d75 456 list_del(&chan->global_l);
333055f2 457 write_unlock(&chan_list_lock);
23691d75 458
4af66c69 459 kfree(chan);
6ff5abbf
GP		 460}
461
30648372
JK		 462void l2cap_chan_hold(struct l2cap_chan *c)
463{
144ad330 464 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 465
144ad330 466 kref_get(&c->kref);
30648372
JK		 467}
468
469void l2cap_chan_put(struct l2cap_chan *c)
470{
144ad330 471 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 472
144ad330 473 kref_put(&c->kref, l2cap_chan_destroy);
30648372 474}
6b8d4a6a 475EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 476
bd4b1653
AE		 477void l2cap_chan_set_defaults(struct l2cap_chan *chan)
478{
479 chan->fcs = L2CAP_FCS_CRC16;
480 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
481 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
482 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 483 chan->remote_max_tx = chan->max_tx;
484 chan->remote_tx_win = chan->tx_win;
c20f8e35 485 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 486 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 487 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
488 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
489 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
490 chan->conf_state = 0;
bd4b1653
AE		 491
492 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
493}
6b8d4a6a 494EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 495
0ce43ce6 496static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 497{
0ce43ce6
JH		 498 chan->sdu = NULL;
499 chan->sdu_last_frag = NULL;
500 chan->sdu_len = 0;
0cd75f7e 501 chan->tx_credits = 0;
f15b8ecf 502 chan->rx_credits = le_max_credits;
d1d79413 503 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 504
505 skb_queue_head_init(&chan->tx_q);
38319713
JH		 506}
507
93c3e8f5 508void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 509{
af05b30b 510 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 511 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 512
9f5a0d7b 513 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 514
8c1d787b 515 chan->conn = conn;
0139418c 516
5491120e
AE		 517 switch (chan->chan_type) {
518 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 519 /* Alloc CID for connection-oriented socket */
520 chan->scid = l2cap_alloc_cid(conn);
521 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
525 case L2CAP_CHAN_CONN_LESS:
0139418c 526 /* Connectionless socket */
fe4128e0
GP		 527 chan->scid = L2CAP_CID_CONN_LESS;
528 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 529 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 530 break;
531
2338a7e0
JH		 532 case L2CAP_CHAN_FIXED:
533 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 534 break;
535
5491120e 536 default:
0139418c 537 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 538 chan->scid = L2CAP_CID_SIGNALING;
539 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 540 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 541 }
542
8f7975b1
AE		 543 chan->local_id = L2CAP_BESTEFFORT_ID;
544 chan->local_stype = L2CAP_SERV_BESTEFFORT;
545 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
546 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
547 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 548 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 549
371fd835 550 l2cap_chan_hold(chan);
baa7e1fa 551
c16900cf
JH		 552 /* Only keep a reference for fixed channels if they requested it */
553 if (chan->chan_type != L2CAP_CHAN_FIXED ||
554 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
555 hci_conn_hold(conn->hcon);
5ee9891d 556
3df91ea2 557 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 558}
559
466f8004 560void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 561{
562 mutex_lock(&conn->chan_lock);
563 __l2cap_chan_add(conn, chan);
3df91ea2 564 mutex_unlock(&conn->chan_lock);
0139418c
MH		 565}
566
466f8004 567void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 568{
8c1d787b 569 struct l2cap_conn *conn = chan->conn;
0139418c 570
c9b66675 571 __clear_chan_timer(chan);
0139418c 572
49d11741
JH		 573 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
574 state_to_string(chan->state));
0139418c 575
72847ce0
JH		 576 chan->ops->teardown(chan, err);
577
8e87d142 578 if (conn) {
56f60984 579 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 580 /* Delete from channel list */
3df91ea2 581 list_del(&chan->list);
3d57dc68 582
371fd835 583 l2cap_chan_put(chan);
baa7e1fa 584
8c1d787b 585 chan->conn = NULL;
3cabbfda 586
c16900cf
JH		 587 /* Reference was only held for non-fixed channels or
588 * fixed channels that explicitly requested it using the
589 * FLAG_HOLD_HCI_CONN flag.
590 */
591 if (chan->chan_type != L2CAP_CHAN_FIXED ||
592 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
76a68ba0 593 hci_conn_drop(conn->hcon);
56f60984
AE		 594
595 if (mgr && mgr->bredr_chan == chan)
596 mgr->bredr_chan = NULL;
0139418c
MH		 597 }
598
419e08c1
AE		 599 if (chan->hs_hchan) {
600 struct hci_chan *hs_hchan = chan->hs_hchan;
601
602 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
603 amp_disconnect_logical_link(hs_hchan);
604 }
605
2827011f 606 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 607 return;
2ead70b8 608
ee556f66
GP		 609 switch(chan->mode) {
610 case L2CAP_MODE_BASIC:
611 break;
c13ffa62 612
38319713 613 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 614 skb_queue_purge(&chan->tx_q);
38319713
JH		 615 break;
616
ee556f66 617 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 618 __clear_retrans_timer(chan);
619 __clear_monitor_timer(chan);
620 __clear_ack_timer(chan);
c13ffa62 621
f1c6775b 622 skb_queue_purge(&chan->srej_q);
c13ffa62 623
3c588192
MM		 624 l2cap_seq_list_free(&chan->srej_list);
625 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 626
627 /* fall through */
628
629 case L2CAP_MODE_STREAMING:
630 skb_queue_purge(&chan->tx_q);
631 break;
c13ffa62 632 }
ee556f66
GP		 633
634 return;
0139418c 635}
6b8d4a6a 636EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 637
f3d82d0c 638static void l2cap_conn_update_id_addr(struct work_struct *work)
387a33e3 639{
f3d82d0c
JH		 640 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
641 id_addr_update_work);
642 struct hci_conn *hcon = conn->hcon;
387a33e3
JH		 643 struct l2cap_chan *chan;
644
645 mutex_lock(&conn->chan_lock);
646
647 list_for_each_entry(chan, &conn->chan_l, list) {
648 l2cap_chan_lock(chan);
649 bacpy(&chan->dst, &hcon->dst);
650 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
651 l2cap_chan_unlock(chan);
652 }
653
654 mutex_unlock(&conn->chan_lock);
655}
656
27e2d4c8
JH		 657static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
658{
659 struct l2cap_conn *conn = chan->conn;
660 struct l2cap_le_conn_rsp rsp;
661 u16 result;
662
663 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
664 result = L2CAP_CR_AUTHORIZATION;
665 else
666 result = L2CAP_CR_BAD_PSM;
667
668 l2cap_state_change(chan, BT_DISCONN);
669
670 rsp.dcid = cpu_to_le16(chan->scid);
671 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 672 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 673 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 674 rsp.result = cpu_to_le16(result);
675
676 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
677 &rsp);
678}
679
791d60f7
JH		 680static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
681{
682 struct l2cap_conn *conn = chan->conn;
683 struct l2cap_conn_rsp rsp;
684 u16 result;
685
686 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
687 result = L2CAP_CR_SEC_BLOCK;
688 else
689 result = L2CAP_CR_BAD_PSM;
690
691 l2cap_state_change(chan, BT_DISCONN);
692
693 rsp.scid = cpu_to_le16(chan->dcid);
694 rsp.dcid = cpu_to_le16(chan->scid);
695 rsp.result = cpu_to_le16(result);
dcf4adbf 696 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 697
698 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
699}
700
0f852724 701void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 702{
703 struct l2cap_conn *conn = chan->conn;
4519de9a 704
7eafc59e 705 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 706
89bc500e 707 switch (chan->state) {
4519de9a 708 case BT_LISTEN:
b699ec0d 709 chan->ops->teardown(chan, 0);
4519de9a
GP		 710 break;
711
712 case BT_CONNECTED:
713 case BT_CONFIG:
7b25c9b3 714 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 715 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 716 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 717 } else
718 l2cap_chan_del(chan, reason);
719 break;
720
721 case BT_CONNECT2:
791d60f7
JH		 722 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
723 if (conn->hcon->type == ACL_LINK)
724 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 725 else if (conn->hcon->type == LE_LINK)
726 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 727 }
728
729 l2cap_chan_del(chan, reason);
730 break;
731
732 case BT_CONNECT:
733 case BT_DISCONN:
734 l2cap_chan_del(chan, reason);
735 break;
736
737 default:
b699ec0d 738 chan->ops->teardown(chan, 0);
4519de9a
GP		 739 break;
740 }
741}
6b8d4a6a 742EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 743
4343478f 744static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 745{
6a974b50
MH		 746 switch (chan->chan_type) {
747 case L2CAP_CHAN_RAW:
4343478f 748 switch (chan->sec_level) {
8556edd3 749 case BT_SECURITY_HIGH:
7d513e92 750 case BT_SECURITY_FIPS:
8556edd3
JH		 751 return HCI_AT_DEDICATED_BONDING_MITM;
752 case BT_SECURITY_MEDIUM:
753 return HCI_AT_DEDICATED_BONDING;
754 default:
755 return HCI_AT_NO_BONDING;
756 }
6a974b50 757 break;
3124b843 758 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 759 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 760 if (chan->sec_level == BT_SECURITY_LOW)
761 chan->sec_level = BT_SECURITY_SDP;
762 }
7d513e92
MH		 763 if (chan->sec_level == BT_SECURITY_HIGH ||
764 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 765 return HCI_AT_NO_BONDING_MITM;
766 else
767 return HCI_AT_NO_BONDING;
768 break;
6a974b50 769 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 770 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 771 if (chan->sec_level == BT_SECURITY_LOW)
772 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 773
7d513e92
MH		 774 if (chan->sec_level == BT_SECURITY_HIGH ||
775 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 776 return HCI_AT_NO_BONDING_MITM;
777 else
778 return HCI_AT_NO_BONDING;
779 }
780 /* fall through */
781 default:
4343478f 782 switch (chan->sec_level) {
00ae4af9 783 case BT_SECURITY_HIGH:
7d513e92 784 case BT_SECURITY_FIPS:
8556edd3 785 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 786 case BT_SECURITY_MEDIUM:
8556edd3 787 return HCI_AT_GENERAL_BONDING;
00ae4af9 788 default:
8556edd3 789 return HCI_AT_NO_BONDING;
00ae4af9 790 }
6a974b50 791 break;
0684e5f9 792 }
8556edd3
JH		 793}
794
795/* Service level security */
e7cafc45 796int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 797{
8c1d787b 798 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 799 __u8 auth_type;
800
a17de2fe
JH		 801 if (conn->hcon->type == LE_LINK)
802 return smp_conn_security(conn->hcon, chan->sec_level);
803
4343478f 804 auth_type = l2cap_get_auth_type(chan);
79d554a6 805
e7cafc45
JH		 806 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
807 initiator);
79d554a6
MH		 808}
809
b5ad8b7f 810static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 811{
812 u8 id;
813
814 /* Get next available identificator.
815 * 1 - 128 are used by kernel.
816 * 129 - 199 are reserved.
817 * 200 - 254 are used by utilities like l2ping, etc.
818 */
819
5a54e7c8 820 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 821
822 if (++conn->tx_ident > 128)
823 conn->tx_ident = 1;
824
825 id = conn->tx_ident;
826
5a54e7c8 827 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 828
829 return id;
830}
831
2d792818
GP		 832static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
833 void *data)
4e8402a3
MH		 834{
835 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 836 u8 flags;
4e8402a3
MH		 837
838 BT_DBG("code 0x%2.2x", code);
839
840 if (!skb)
9a9c6a34 841 return;
4e8402a3 842
e702112f
AE		 843 if (lmp_no_flush_capable(conn->hcon->hdev))
844 flags = ACL_START_NO_FLUSH;
845 else
846 flags = ACL_START;
847
14b12d0b 848 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 849 skb->priority = HCI_PRIO_MAX;
14b12d0b 850
73d80deb
LAD		 851 hci_send_acl(conn->hchan, skb, flags);
852}
853
02b0fbb9
MM		 854static bool __chan_is_moving(struct l2cap_chan *chan)
855{
856 return chan->move_state != L2CAP_MOVE_STABLE &&
857 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
858}
859
73d80deb
LAD		 860static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
861{
862 struct hci_conn *hcon = chan->conn->hcon;
863 u16 flags;
864
865 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 866 skb->priority);
73d80deb 867
d5f8a75d
MM		 868 if (chan->hs_hcon && !__chan_is_moving(chan)) {
869 if (chan->hs_hchan)
870 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
871 else
872 kfree_skb(skb);
873
874 return;
875 }
876
73d80deb 877 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 878 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 879 flags = ACL_START_NO_FLUSH;
880 else
881 flags = ACL_START;
14b12d0b 882
73d80deb
LAD		 883 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
884 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 885}
886
b76bbd66
MM		 887static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
888{
889 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
890 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
891
892 if (enh & L2CAP_CTRL_FRAME_TYPE) {
893 /* S-Frame */
894 control->sframe = 1;
895 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
896 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
897
898 control->sar = 0;
899 control->txseq = 0;
900 } else {
901 /* I-Frame */
902 control->sframe = 0;
903 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
904 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
905
906 control->poll = 0;
907 control->super = 0;
908 }
909}
910
b76bbd66
MM		 911static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
912{
913 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
914 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
915
916 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
917 /* S-Frame */
918 control->sframe = 1;
919 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
920 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
921
922 control->sar = 0;
923 control->txseq = 0;
924 } else {
925 /* I-Frame */
926 control->sframe = 0;
927 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
928 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
929
930 control->poll = 0;
931 control->super = 0;
932 }
933}
934
935static inline void __unpack_control(struct l2cap_chan *chan,
936 struct sk_buff *skb)
937{
938 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
939 __unpack_extended_control(get_unaligned_le32(skb->data),
940 &bt_cb(skb)->control);
cec8ab6e 941 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 942 } else {
943 __unpack_enhanced_control(get_unaligned_le16(skb->data),
944 &bt_cb(skb)->control);
cec8ab6e 945 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 946 }
947}
948
b5c6aaed
MM		 949static u32 __pack_extended_control(struct l2cap_ctrl *control)
950{
951 u32 packed;
952
953 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
954 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
955
956 if (control->sframe) {
957 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
958 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
959 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
960 } else {
961 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
962 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
963 }
964
965 return packed;
966}
967
968static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
969{
970 u16 packed;
971
972 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
973 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
974
975 if (control->sframe) {
976 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
977 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
978 packed |= L2CAP_CTRL_FRAME_TYPE;
979 } else {
980 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
981 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
982 }
983
984 return packed;
985}
986
b76bbd66
MM		 987static inline void __pack_control(struct l2cap_chan *chan,
988 struct l2cap_ctrl *control,
989 struct sk_buff *skb)
990{
991 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
992 put_unaligned_le32(__pack_extended_control(control),
993 skb->data + L2CAP_HDR_SIZE);
994 } else {
995 put_unaligned_le16(__pack_enhanced_control(control),
996 skb->data + L2CAP_HDR_SIZE);
997 }
998}
999
ba7aa64f
GP		 1000static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1001{
1002 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1003 return L2CAP_EXT_HDR_SIZE;
1004 else
1005 return L2CAP_ENH_HDR_SIZE;
1006}
1007
a67d7f6f
MM		 1008static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1009 u32 control)
b5c6aaed
MM		 1010{
1011 struct sk_buff *skb;
1012 struct l2cap_hdr *lh;
ba7aa64f 1013 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1014
1015 if (chan->fcs == L2CAP_FCS_CRC16)
1016 hlen += L2CAP_FCS_SIZE;
1017
a67d7f6f 1018 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1019
b5c6aaed 1020 if (!skb)
a67d7f6f 1021 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1022
1023 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1024 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1025 lh->cid = cpu_to_le16(chan->dcid);
1026
a67d7f6f
MM		 1027 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1028 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1029 else
1030 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1031
1032 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1033 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1034 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1035 }
1036
1037 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1038 return skb;
1039}
1040
1041static void l2cap_send_sframe(struct l2cap_chan *chan,
1042 struct l2cap_ctrl *control)
1043{
1044 struct sk_buff *skb;
1045 u32 control_field;
1046
1047 BT_DBG("chan %p, control %p", chan, control);
1048
1049 if (!control->sframe)
1050 return;
1051
b99e13ad
MM		 1052 if (__chan_is_moving(chan))
1053 return;
1054
a67d7f6f
MM		 1055 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1056 !control->poll)
1057 control->final = 1;
1058
1059 if (control->super == L2CAP_SUPER_RR)
1060 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1061 else if (control->super == L2CAP_SUPER_RNR)
1062 set_bit(CONN_RNR_SENT, &chan->conn_state);
1063
1064 if (control->super != L2CAP_SUPER_SREJ) {
1065 chan->last_acked_seq = control->reqseq;
1066 __clear_ack_timer(chan);
1067 }
1068
1069 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1070 control->final, control->poll, control->super);
1071
1072 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1073 control_field = __pack_extended_control(control);
1074 else
1075 control_field = __pack_enhanced_control(control);
1076
1077 skb = l2cap_create_sframe_pdu(chan, control_field);
1078 if (!IS_ERR(skb))
1079 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1080}
1081
c9e3d5e0 1082static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1083{
c9e3d5e0
MM		 1084 struct l2cap_ctrl control;
1085
1086 BT_DBG("chan %p, poll %d", chan, poll);
1087
1088 memset(&control, 0, sizeof(control));
1089 control.sframe = 1;
1090 control.poll = poll;
1091
1092 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1093 control.super = L2CAP_SUPER_RNR;
1094 else
1095 control.super = L2CAP_SUPER_RR;
b5c6aaed 1096
c9e3d5e0
MM		 1097 control.reqseq = chan->buffer_seq;
1098 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1099}
1100
b4450035 1101static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1102{
5ff6f34d
JH		 1103 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1104 return true;
1105
c1360a1c 1106 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1107}
1108
1df7b17a 1109static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1110{
1df7b17a 1111 struct l2cap_conn *conn = chan->conn;
80d58d0b 1112 struct hci_dev *hdev;
1df7b17a
MH		 1113 bool amp_available = false;
1114
1115 if (!conn->hs_enabled)
1116 return false;
1117
1118 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1119 return false;
80d58d0b
MH		 1120
1121 read_lock(&hci_dev_list_lock);
1df7b17a 1122 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1123 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1124 test_bit(HCI_UP, &hdev->flags)) {
1125 amp_available = true;
1126 break;
1127 }
1128 }
80d58d0b
MH		 1129 read_unlock(&hci_dev_list_lock);
1130
1df7b17a
MH		 1131 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1132 return amp_available;
848566b3
MH		 1133
1134 return false;
93c3e8f5
AE		 1135}
1136
5ce66b59
AE		 1137static bool l2cap_check_efs(struct l2cap_chan *chan)
1138{
1139 /* Check EFS parameters */
1140 return true;
1141}
1142
2766be48 1143void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1144{
1145 struct l2cap_conn *conn = chan->conn;
1146 struct l2cap_conn_req req;
1147
1148 req.scid = cpu_to_le16(chan->scid);
1149 req.psm = chan->psm;
1150
1151 chan->ident = l2cap_get_ident(conn);
1152
1153 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1154
1155 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1156}
1157
8eb200bd
MM		 1158static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1159{
1160 struct l2cap_create_chan_req req;
1161 req.scid = cpu_to_le16(chan->scid);
1162 req.psm = chan->psm;
1163 req.amp_id = amp_id;
1164
1165 chan->ident = l2cap_get_ident(chan->conn);
1166
1167 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1168 sizeof(req), &req);
1169}
1170
02b0fbb9
MM		 1171static void l2cap_move_setup(struct l2cap_chan *chan)
1172{
1173 struct sk_buff *skb;
1174
1175 BT_DBG("chan %p", chan);
1176
1177 if (chan->mode != L2CAP_MODE_ERTM)
1178 return;
1179
1180 __clear_retrans_timer(chan);
1181 __clear_monitor_timer(chan);
1182 __clear_ack_timer(chan);
1183
1184 chan->retry_count = 0;
1185 skb_queue_walk(&chan->tx_q, skb) {
1186 if (bt_cb(skb)->control.retries)
1187 bt_cb(skb)->control.retries = 1;
1188 else
1189 break;
1190 }
1191
1192 chan->expected_tx_seq = chan->buffer_seq;
1193
1194 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1195 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1196 l2cap_seq_list_clear(&chan->retrans_list);
1197 l2cap_seq_list_clear(&chan->srej_list);
1198 skb_queue_purge(&chan->srej_q);
1199
1200 chan->tx_state = L2CAP_TX_STATE_XMIT;
1201 chan->rx_state = L2CAP_RX_STATE_MOVE;
1202
1203 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1204}
1205
5f3847a4
MM		 1206static void l2cap_move_done(struct l2cap_chan *chan)
1207{
1208 u8 move_role = chan->move_role;
1209 BT_DBG("chan %p", chan);
1210
1211 chan->move_state = L2CAP_MOVE_STABLE;
1212 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1213
1214 if (chan->mode != L2CAP_MODE_ERTM)
1215 return;
1216
1217 switch (move_role) {
1218 case L2CAP_MOVE_ROLE_INITIATOR:
1219 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1220 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1221 break;
1222 case L2CAP_MOVE_ROLE_RESPONDER:
1223 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1224 break;
1225 }
1226}
1227
9f0caeb1
VCG		 1228static void l2cap_chan_ready(struct l2cap_chan *chan)
1229{
2827011f 1230 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1231 chan->conf_state = 0;
1232 __clear_chan_timer(chan);
1233
0ce43ce6
JH		 1234 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1235 chan->ops->suspend(chan);
177f8f2b 1236
54a59aa2 1237 chan->state = BT_CONNECTED;
9f0caeb1 1238
fd83e2c2 1239 chan->ops->ready(chan);
9f0caeb1
VCG		 1240}
1241
f1496dee
JH		 1242static void l2cap_le_connect(struct l2cap_chan *chan)
1243{
1244 struct l2cap_conn *conn = chan->conn;
1245 struct l2cap_le_conn_req req;
1246
595177f3
JH		 1247 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1248 return;
1249
f1496dee
JH		 1250 req.psm = chan->psm;
1251 req.scid = cpu_to_le16(chan->scid);
1252 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1253 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1254 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1255
1256 chan->ident = l2cap_get_ident(conn);
1257
1258 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1259 sizeof(req), &req);
1260}
1261
1262static void l2cap_le_start(struct l2cap_chan *chan)
1263{
1264 struct l2cap_conn *conn = chan->conn;
1265
1266 if (!smp_conn_security(conn->hcon, chan->sec_level))
1267 return;
1268
1269 if (!chan->psm) {
1270 l2cap_chan_ready(chan);
1271 return;
1272 }
1273
1274 if (chan->state == BT_CONNECT)
1275 l2cap_le_connect(chan);
1276}
1277
93c3e8f5
AE		 1278static void l2cap_start_connection(struct l2cap_chan *chan)
1279{
1280 if (__amp_capable(chan)) {
1281 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1282 a2mp_discover_amp(chan);
f1496dee
JH		 1283 } else if (chan->conn->hcon->type == LE_LINK) {
1284 l2cap_le_start(chan);
93c3e8f5
AE		 1285 } else {
1286 l2cap_send_conn_req(chan);
1287 }
1288}
1289
aeaeb4bb
JH		 1290static void l2cap_request_info(struct l2cap_conn *conn)
1291{
1292 struct l2cap_info_req req;
1293
1294 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1295 return;
1296
1297 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1298
1299 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1300 conn->info_ident = l2cap_get_ident(conn);
1301
1302 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1303
1304 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1305 sizeof(req), &req);
1306}
1307
fc7f8a7e 1308static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1309{
8c1d787b 1310 struct l2cap_conn *conn = chan->conn;
79d554a6 1311
9f0caeb1 1312 if (conn->hcon->type == LE_LINK) {
96ac34fb 1313 l2cap_le_start(chan);
9f0caeb1
VCG		 1314 return;
1315 }
1316
aeaeb4bb
JH		 1317 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1318 l2cap_request_info(conn);
1319 return;
1320 }
79d554a6 1321
aeaeb4bb
JH		 1322 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1323 return;
79d554a6 1324
aeaeb4bb
JH		 1325 if (l2cap_chan_check_security(chan, true) &&
1326 __l2cap_no_conn_pending(chan))
1327 l2cap_start_connection(chan);
79d554a6
MH		 1328}
1329
cf6c2c0b
GP		 1330static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1331{
1332 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1333 if (!disable_ertm)
cf6c2c0b
GP		 1334 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1335
1336 switch (mode) {
1337 case L2CAP_MODE_ERTM:
1338 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1339 case L2CAP_MODE_STREAMING:
1340 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1341 default:
1342 return 0x00;
1343 }
1344}
1345
5e4e3972 1346static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1347{
5e4e3972 1348 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1349 struct l2cap_disconn_req req;
1350
c13ffa62
GP		 1351 if (!conn)
1352 return;
1353
aad3d0e3 1354 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1355 __clear_retrans_timer(chan);
1356 __clear_monitor_timer(chan);
1357 __clear_ack_timer(chan);
c13ffa62
GP		 1358 }
1359
2338a7e0 1360 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1361 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1362 return;
1363 }
1364
fe4128e0
GP		 1365 req.dcid = cpu_to_le16(chan->dcid);
1366 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1367 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1368 sizeof(req), &req);
c13ffa62 1369
f8e73017 1370 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1371}
1372
1da177e4 1373/* ---- L2CAP connections ---- */
4e8402a3
MH		 1374static void l2cap_conn_start(struct l2cap_conn *conn)
1375{
3df91ea2 1376 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1377
1378 BT_DBG("conn %p", conn);
1379
3df91ea2 1380 mutex_lock(&conn->chan_lock);
4e8402a3 1381
3df91ea2 1382 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1383 l2cap_chan_lock(chan);
4e8402a3 1384
715ec005 1385 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb 1386 l2cap_chan_ready(chan);
6be36555 1387 l2cap_chan_unlock(chan);
79d554a6
MH		 1388 continue;
1389 }
1390
89bc500e 1391 if (chan->state == BT_CONNECT) {
e7cafc45 1392 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1393 !__l2cap_no_conn_pending(chan)) {
6be36555 1394 l2cap_chan_unlock(chan);
47731de7
GP		 1395 continue;
1396 }
79d554a6 1397
c1360a1c 1398 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1399 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1400 &chan->conf_state)) {
89bc500e 1401 l2cap_chan_close(chan, ECONNRESET);
6be36555 1402 l2cap_chan_unlock(chan);
47731de7 1403 continue;
b1235d79 1404 }
47731de7 1405
93c3e8f5 1406 l2cap_start_connection(chan);
47731de7 1407
89bc500e 1408 } else if (chan->state == BT_CONNECT2) {
79d554a6 1409 struct l2cap_conn_rsp rsp;
e9aeb2dd 1410 char buf[128];
fe4128e0
GP		 1411 rsp.scid = cpu_to_le16(chan->dcid);
1412 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1413
e7cafc45 1414 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1415 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1416 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1417 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1418 chan->ops->defer(chan);
f66dc81f
MH		 1419
1420 } else {
acdcabf5 1421 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1422 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1423 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1424 }
79d554a6 1425 } else {
dcf4adbf
JP		 1426 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1427 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1428 }
1429
fc7f8a7e 1430 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1431 sizeof(rsp), &rsp);
e9aeb2dd 1432
c1360a1c 1433 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1434 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1435 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1436 continue;
1437 }
1438
c1360a1c 1439 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1440 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1441 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1442 chan->num_conf_req++;
4e8402a3
MH		 1443 }
1444
6be36555 1445 l2cap_chan_unlock(chan);
4e8402a3
MH		 1446 }
1447
3df91ea2 1448 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1449}
1450
b62f328b
VT		 1451static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1452{
cc8dba2b 1453 struct hci_conn *hcon = conn->hcon;
dcc36c16 1454 struct hci_dev *hdev = hcon->hdev;
b62f328b 1455
e760ec12 1456 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1457
e760ec12
JH		 1458 /* For outgoing pairing which doesn't necessarily have an
1459 * associated socket (e.g. mgmt_pair_device).
1460 */
1461 if (hcon->out)
1462 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1463
80afeb6c
MH		 1464 /* For LE slave connections, make sure the connection interval
1465 * is in the range of the minium and maximum interval that has
1466 * been configured for this connection. If not, then trigger
1467 * the connection update procedure.
1468 */
40bef302 1469 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1470 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1471 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1472 struct l2cap_conn_param_update_req req;
1473
1474 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1475 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1476 req.latency = cpu_to_le16(hcon->le_conn_latency);
1477 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1478
1479 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1480 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1481 }
b62f328b
VT		 1482}
1483
4e8402a3
MH		 1484static void l2cap_conn_ready(struct l2cap_conn *conn)
1485{
48454079 1486 struct l2cap_chan *chan;
cc110922 1487 struct hci_conn *hcon = conn->hcon;
4e8402a3 1488
79d554a6 1489 BT_DBG("conn %p", conn);
4e8402a3 1490
aeaeb4bb
JH		 1491 if (hcon->type == ACL_LINK)
1492 l2cap_request_info(conn);
1493
e760ec12
JH		 1494 mutex_lock(&conn->chan_lock);
1495
3df91ea2 1496 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1497
6be36555 1498 l2cap_chan_lock(chan);
4e8402a3 1499
2338a7e0 1500 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1501 l2cap_chan_unlock(chan);
1502 continue;
1503 }
1504
cc110922 1505 if (hcon->type == LE_LINK) {
f1496dee 1506 l2cap_le_start(chan);
63128451 1507 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb
JH		 1508 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1509 l2cap_chan_ready(chan);
1c244f79 1510 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1511 l2cap_do_start(chan);
1c244f79 1512 }
4e8402a3 1513
6be36555 1514 l2cap_chan_unlock(chan);
4e8402a3 1515 }
79d554a6 1516
3df91ea2 1517 mutex_unlock(&conn->chan_lock);
61a939c6 1518
79a05727
JH		 1519 if (hcon->type == LE_LINK)
1520 l2cap_le_conn_ready(conn);
1521
61a939c6 1522 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1523}
1524
1525/* Notify sockets that we cannot guaranty reliability anymore */
1526static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1527{
48454079 1528 struct l2cap_chan *chan;
4e8402a3
MH		 1529
1530 BT_DBG("conn %p", conn);
1531
3df91ea2 1532 mutex_lock(&conn->chan_lock);
4e8402a3 1533
3df91ea2 1534 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1535 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1536 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1537 }
1538
3df91ea2 1539 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1540}
1541
f878fcad 1542static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1543{
f878fcad 1544 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1545 info_timer.work);
4e8402a3 1546
984947dc 1547 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1548 conn->info_ident = 0;
984947dc 1549
4e8402a3
MH		 1550 l2cap_conn_start(conn);
1551}
1552
2c8e1411
DH		 1553/*
1554 * l2cap_user
1555 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1556 * callback is called during registration. The ->remove callback is called
1557 * during unregistration.
1558 * An l2cap_user object can either be explicitly unregistered or when the
1559 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1560 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1561 * External modules must own a reference to the l2cap_conn object if they intend
1562 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1563 * any time if they don't.
1564 */
1565
1566int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1567{
1568 struct hci_dev *hdev = conn->hcon->hdev;
1569 int ret;
1570
1571 /* We need to check whether l2cap_conn is registered. If it is not, we
1572 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1573 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1574 * relies on the parent hci_conn object to be locked. This itself relies
1575 * on the hci_dev object to be locked. So we must lock the hci device
1576 * here, too. */
1577
1578 hci_dev_lock(hdev);
1579
1580 if (user->list.next || user->list.prev) {
1581 ret = -EINVAL;
1582 goto out_unlock;
1583 }
1584
1585 /* conn->hchan is NULL after l2cap_conn_del() was called */
1586 if (!conn->hchan) {
1587 ret = -ENODEV;
1588 goto out_unlock;
1589 }
1590
1591 ret = user->probe(conn, user);
1592 if (ret)
1593 goto out_unlock;
1594
1595 list_add(&user->list, &conn->users);
1596 ret = 0;
1597
1598out_unlock:
1599 hci_dev_unlock(hdev);
1600 return ret;
1601}
1602EXPORT_SYMBOL(l2cap_register_user);
1603
1604void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1605{
1606 struct hci_dev *hdev = conn->hcon->hdev;
1607
1608 hci_dev_lock(hdev);
1609
1610 if (!user->list.next || !user->list.prev)
1611 goto out_unlock;
1612
1613 list_del(&user->list);
1614 user->list.next = NULL;
1615 user->list.prev = NULL;
1616 user->remove(conn, user);
1617
1618out_unlock:
1619 hci_dev_unlock(hdev);
1620}
1621EXPORT_SYMBOL(l2cap_unregister_user);
1622
1623static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1624{
1625 struct l2cap_user *user;
1626
1627 while (!list_empty(&conn->users)) {
1628 user = list_first_entry(&conn->users, struct l2cap_user, list);
1629 list_del(&user->list);
1630 user->list.next = NULL;
1631 user->list.prev = NULL;
1632 user->remove(conn, user);
1633 }
1634}
1635
5d3de7df
VCG		 1636static void l2cap_conn_del(struct hci_conn *hcon, int err)
1637{
1638 struct l2cap_conn *conn = hcon->l2cap_data;
1639 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1640
1641 if (!conn)
1642 return;
1643
1644 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1645
1646 kfree_skb(conn->rx_skb);
1647
61a939c6 1648 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1649
1650 /* We can not call flush_work(&conn->pending_rx_work) here since we
1651 * might block if we are running on a worker from the same workqueue
1652 * pending_rx_work is waiting on.
1653 */
1654 if (work_pending(&conn->pending_rx_work))
1655 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1656
f3d82d0c
JH		 1657 if (work_pending(&conn->id_addr_update_work))
1658 cancel_work_sync(&conn->id_addr_update_work);
1659
2c8e1411
DH		 1660 l2cap_unregister_all_users(conn);
1661
e31fb860
JH		 1662 /* Force the connection to be immediately dropped */
1663 hcon->disc_timeout = 0;
1664
3df91ea2
AE		 1665 mutex_lock(&conn->chan_lock);
1666
5d3de7df
VCG		 1667 /* Kill channels */
1668 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1669 l2cap_chan_hold(chan);
6be36555
AE		 1670 l2cap_chan_lock(chan);
1671
5d3de7df 1672 l2cap_chan_del(chan, err);
6be36555
AE		 1673
1674 l2cap_chan_unlock(chan);
1675
80b98027 1676 chan->ops->close(chan);
61d6ef3e 1677 l2cap_chan_put(chan);
5d3de7df
VCG		 1678 }
1679
3df91ea2
AE		 1680 mutex_unlock(&conn->chan_lock);
1681
73d80deb
LAD		 1682 hci_chan_del(conn->hchan);
1683
5d3de7df 1684 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1685 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1686
5d3de7df 1687 hcon->l2cap_data = NULL;
9c903e37
DH		 1688 conn->hchan = NULL;
1689 l2cap_conn_put(conn);
5d3de7df
VCG		 1690}
1691
9c903e37
DH		 1692static void l2cap_conn_free(struct kref *ref)
1693{
1694 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1695
1696 hci_conn_put(conn->hcon);
1697 kfree(conn);
1698}
1699
51bb8457 1700struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
9c903e37
DH		 1701{
1702 kref_get(&conn->ref);
51bb8457 1703 return conn;
9c903e37
DH		 1704}
1705EXPORT_SYMBOL(l2cap_conn_get);
1706
1707void l2cap_conn_put(struct l2cap_conn *conn)
1708{
1709 kref_put(&conn->ref, l2cap_conn_free);
1710}
1711EXPORT_SYMBOL(l2cap_conn_put);
1712
1da177e4 1713/* ---- Socket interface ---- */
1da177e4 1714
c2287681 1715/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1716 * Returns closest match.
1717 */
c2287681
IY		 1718static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1719 bdaddr_t *src,
bf20fd4e
JH		 1720 bdaddr_t *dst,
1721 u8 link_type)
1da177e4 1722{
23691d75 1723 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1724
23691d75 1725 read_lock(&chan_list_lock);
e0f0cb56 1726
23691d75 1727 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1728 if (state && c->state != state)
1da177e4
LT		 1729 continue;
1730
bf20fd4e
JH		 1731 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1732 continue;
1733
1734 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1735 continue;
1736
23691d75 1737 if (c->psm == psm) {
c2287681
IY		 1738 int src_match, dst_match;
1739 int src_any, dst_any;
1740
1da177e4 1741 /* Exact match. */
7eafc59e
MH		 1742 src_match = !bacmp(&c->src, src);
1743 dst_match = !bacmp(&c->dst, dst);
c2287681 1744 if (src_match && dst_match) {
a24cce14 1745 l2cap_chan_hold(c);
a7567b20 1746 read_unlock(&chan_list_lock);
23691d75
GP		 1747 return c;
1748 }
1da177e4
LT		 1749
1750 /* Closest match */
7eafc59e
MH		 1751 src_any = !bacmp(&c->src, BDADDR_ANY);
1752 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1753 if ((src_match && dst_any) || (src_any && dst_match) ||
1754 (src_any && dst_any))
23691d75 1755 c1 = c;
1da177e4
LT		 1756 }
1757 }
1da177e4 1758
a24cce14
JH		 1759 if (c1)
1760 l2cap_chan_hold(c1);
1761
23691d75 1762 read_unlock(&chan_list_lock);
e0f0cb56 1763
23691d75 1764 return c1;
1da177e4
LT		 1765}
1766
721c4181 1767static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1768{
721c4181 1769 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1770 monitor_timer.work);
e90bac06 1771
525cd185 1772 BT_DBG("chan %p", chan);
0e98958d 1773
6be36555
AE		 1774 l2cap_chan_lock(chan);
1775
80909e04 1776 if (!chan->conn) {
6be36555 1777 l2cap_chan_unlock(chan);
8d7e1c7f 1778 l2cap_chan_put(chan);
e90bac06
GP		 1779 return;
1780 }
1781
401bb1f7 1782 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1783
6be36555 1784 l2cap_chan_unlock(chan);
8d7e1c7f 1785 l2cap_chan_put(chan);
e90bac06
GP		 1786}
1787
721c4181 1788static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1789{
721c4181 1790 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1791 retrans_timer.work);
e90bac06 1792
49208c9c 1793 BT_DBG("chan %p", chan);
0e98958d 1794
6be36555
AE		 1795 l2cap_chan_lock(chan);
1796
80909e04
MM		 1797 if (!chan->conn) {
1798 l2cap_chan_unlock(chan);
1799 l2cap_chan_put(chan);
1800 return;
1801 }
6be36555 1802
401bb1f7 1803 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1804 l2cap_chan_unlock(chan);
8d7e1c7f 1805 l2cap_chan_put(chan);
e90bac06
GP		 1806}
1807
d660366d
GP		 1808static void l2cap_streaming_send(struct l2cap_chan *chan,
1809 struct sk_buff_head *skbs)
6840ed07 1810{
ccbb84af 1811 struct sk_buff *skb;
3733937d 1812 struct l2cap_ctrl *control;
6840ed07 1813
3733937d
MM		 1814 BT_DBG("chan %p, skbs %p", chan, skbs);
1815
b99e13ad
MM		 1816 if (__chan_is_moving(chan))
1817 return;
1818
3733937d
MM		 1819 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1820
1821 while (!skb_queue_empty(&chan->tx_q)) {
1822
1823 skb = skb_dequeue(&chan->tx_q);
1824
1825 bt_cb(skb)->control.retries = 1;
1826 control = &bt_cb(skb)->control;
1827
1828 control->reqseq = 0;
1829 control->txseq = chan->next_tx_seq;
1830
1831 __pack_control(chan, control, skb);
6840ed07 1832
47d1ec61 1833 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1834 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1835 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1836 }
1837
4343478f 1838 l2cap_do_send(chan, skb);
6840ed07 1839
b4400672 1840 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1841
836be934 1842 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1843 chan->frames_sent++;
6840ed07 1844 }
6840ed07
GP		 1845}
1846
67c9e840 1847static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1848{
1849 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1850 struct l2cap_ctrl *control;
1851 int sent = 0;
1852
1853 BT_DBG("chan %p", chan);
1c2acffb 1854
89bc500e 1855 if (chan->state != BT_CONNECTED)
c13ffa62 1856 return -ENOTCONN;
e90bac06 1857
94122bbe
MM		 1858 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1859 return 0;
1860
b99e13ad
MM		 1861 if (__chan_is_moving(chan))
1862 return 0;
1863
18a48e76
MM		 1864 while (chan->tx_send_head &&
1865 chan->unacked_frames < chan->remote_tx_win &&
1866 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1867
18a48e76 1868 skb = chan->tx_send_head;
e90bac06 1869
18a48e76
MM		 1870 bt_cb(skb)->control.retries = 1;
1871 control = &bt_cb(skb)->control;
95ffa978 1872
e2ab4353 1873 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1874 control->final = 1;
e2ab4353 1875
18a48e76
MM		 1876 control->reqseq = chan->buffer_seq;
1877 chan->last_acked_seq = chan->buffer_seq;
1878 control->txseq = chan->next_tx_seq;
1c2acffb 1879
18a48e76 1880 __pack_control(chan, control, skb);
e90bac06 1881
47d1ec61 1882 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1883 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1884 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1885 }
1886
18a48e76
MM		 1887 /* Clone after data has been modified. Data is assumed to be
1888 read-only (for locking purposes) on cloned sk_buffs.
1889 */
1890 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1891
18a48e76
MM		 1892 if (!tx_skb)
1893 break;
1c2acffb 1894
18a48e76 1895 __set_retrans_timer(chan);
836be934
AE		 1896
1897 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1898 chan->unacked_frames++;
6a026610 1899 chan->frames_sent++;
18a48e76 1900 sent++;
1c2acffb 1901
58d35f87
GP		 1902 if (skb_queue_is_last(&chan->tx_q, skb))
1903 chan->tx_send_head = NULL;
1c2acffb 1904 else
58d35f87 1905 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1906
1907 l2cap_do_send(chan, tx_skb);
b4400672 1908 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1909 }
1910
b4400672
AE		 1911 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1912 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1913
1914 return sent;
9e917af1
GP		 1915}
1916
e1fbd4c1
MM		 1917static void l2cap_ertm_resend(struct l2cap_chan *chan)
1918{
1919 struct l2cap_ctrl control;
1920 struct sk_buff *skb;
1921 struct sk_buff *tx_skb;
1922 u16 seq;
1923
1924 BT_DBG("chan %p", chan);
1925
1926 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1927 return;
1928
b99e13ad
MM		 1929 if (__chan_is_moving(chan))
1930 return;
1931
e1fbd4c1
MM		 1932 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1933 seq = l2cap_seq_list_pop(&chan->retrans_list);
1934
1935 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1936 if (!skb) {
1937 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1938 seq);
e1fbd4c1
MM		 1939 continue;
1940 }
1941
1942 bt_cb(skb)->control.retries++;
1943 control = bt_cb(skb)->control;
1944
1945 if (chan->max_tx != 0 &&
1946 bt_cb(skb)->control.retries > chan->max_tx) {
1947 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1948 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1949 l2cap_seq_list_clear(&chan->retrans_list);
1950 break;
1951 }
1952
1953 control.reqseq = chan->buffer_seq;
1954 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1955 control.final = 1;
1956 else
1957 control.final = 0;
1958
1959 if (skb_cloned(skb)) {
1960 /* Cloned sk_buffs are read-only, so we need a
1961 * writeable copy
1962 */
8bcde1f2 1963 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1964 } else {
8bcde1f2 1965 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1966 }
1967
1968 if (!tx_skb) {
1969 l2cap_seq_list_clear(&chan->retrans_list);
1970 break;
1971 }
1972
1973 /* Update skb contents */
1974 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1975 put_unaligned_le32(__pack_extended_control(&control),
1976 tx_skb->data + L2CAP_HDR_SIZE);
1977 } else {
1978 put_unaligned_le16(__pack_enhanced_control(&control),
1979 tx_skb->data + L2CAP_HDR_SIZE);
1980 }
1981
13cac152 1982 /* Update FCS */
e1fbd4c1 1983 if (chan->fcs == L2CAP_FCS_CRC16) {
13cac152
LR		 1984 u16 fcs = crc16(0, (u8 *) tx_skb->data,
1985 tx_skb->len - L2CAP_FCS_SIZE);
1986 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1987 L2CAP_FCS_SIZE);
e1fbd4c1
MM		 1988 }
1989
1990 l2cap_do_send(chan, tx_skb);
1991
1992 BT_DBG("Resent txseq %d", control.txseq);
1993
1994 chan->last_acked_seq = chan->buffer_seq;
1995 }
1996}
1997
f80842a8
MM		 1998static void l2cap_retransmit(struct l2cap_chan *chan,
1999 struct l2cap_ctrl *control)
2000{
2001 BT_DBG("chan %p, control %p", chan, control);
2002
2003 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2004 l2cap_ertm_resend(chan);
2005}
2006
d2a7ac5d
MM		 2007static void l2cap_retransmit_all(struct l2cap_chan *chan,
2008 struct l2cap_ctrl *control)
2009{
e1fbd4c1
MM		 2010 struct sk_buff *skb;
2011
2012 BT_DBG("chan %p, control %p", chan, control);
2013
2014 if (control->poll)
2015 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2016
2017 l2cap_seq_list_clear(&chan->retrans_list);
2018
2019 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2020 return;
2021
2022 if (chan->unacked_frames) {
2023 skb_queue_walk(&chan->tx_q, skb) {
2024 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2025 skb == chan->tx_send_head)
e1fbd4c1
MM		 2026 break;
2027 }
2028
2029 skb_queue_walk_from(&chan->tx_q, skb) {
2030 if (skb == chan->tx_send_head)
2031 break;
2032
2033 l2cap_seq_list_append(&chan->retrans_list,
2034 bt_cb(skb)->control.txseq);
2035 }
2036
2037 l2cap_ertm_resend(chan);
2038 }
d2a7ac5d
MM		 2039}
2040
0a0aba42 2041static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2042{
0a0aba42
MM		 2043 struct l2cap_ctrl control;
2044 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2045 chan->last_acked_seq);
2046 int threshold;
9e917af1 2047
0a0aba42
MM		 2048 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2049 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2050
0a0aba42
MM		 2051 memset(&control, 0, sizeof(control));
2052 control.sframe = 1;
dfc909be 2053
0a0aba42
MM		 2054 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2055 chan->rx_state == L2CAP_RX_STATE_RECV) {
2056 __clear_ack_timer(chan);
2057 control.super = L2CAP_SUPER_RNR;
2058 control.reqseq = chan->buffer_seq;
2059 l2cap_send_sframe(chan, &control);
2060 } else {
2061 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2062 l2cap_ertm_send(chan);
2063 /* If any i-frames were sent, they included an ack */
2064 if (chan->buffer_seq == chan->last_acked_seq)
2065 frames_to_ack = 0;
2066 }
dfc909be 2067
c20f8e35 2068 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2069 * Calculate without mul or div
2070 */
c20f8e35 2071 threshold = chan->ack_win;
0a0aba42
MM		 2072 threshold += threshold << 1;
2073 threshold >>= 2;
2074
b4400672 2075 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2076 threshold);
2077
2078 if (frames_to_ack >= threshold) {
2079 __clear_ack_timer(chan);
2080 control.super = L2CAP_SUPER_RR;
2081 control.reqseq = chan->buffer_seq;
2082 l2cap_send_sframe(chan, &control);
2083 frames_to_ack = 0;
2084 }
1c2acffb 2085
0a0aba42
MM		 2086 if (frames_to_ack)
2087 __set_ack_timer(chan);
2088 }
b17e73bb
SJ		 2089}
2090
04124681
GP		 2091static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2092 struct msghdr *msg, int len,
2093 int count, struct sk_buff *skb)
1c2acffb 2094{
0952a57a 2095 struct l2cap_conn *conn = chan->conn;
1c2acffb 2096 struct sk_buff **frag;
90338947 2097 int sent = 0;
1da177e4 2098
0498878b 2099 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
56c39fb6 2100 msg, count))
1c2acffb 2101 return -EFAULT;
1da177e4
LT		 2102
2103 sent += count;
2104 len -= count;
2105
2106 /* Continuation fragments (no L2CAP header) */
2107 frag = &skb_shinfo(skb)->frag_list;
2108 while (len) {
fbe00700
GP		 2109 struct sk_buff *tmp;
2110
1da177e4
LT		 2111 count = min_t(unsigned int, conn->mtu, len);
2112
d9fbd02b 2113 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2114 msg->msg_flags & MSG_DONTWAIT);
2115 if (IS_ERR(tmp))
2116 return PTR_ERR(tmp);
2117
2118 *frag = tmp;
2f7719ce 2119
0498878b 2120 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
56c39fb6 2121 msg, count))
1c2acffb 2122 return -EFAULT;
1da177e4
LT		 2123
2124 sent += count;
2125 len -= count;
2126
2d0ed3d5
GP		 2127 skb->len += (*frag)->len;
2128 skb->data_len += (*frag)->len;
2129
1da177e4
LT		 2130 frag = &(*frag)->next;
2131 }
1da177e4
LT		 2132
2133 return sent;
1c2acffb 2134}
1da177e4 2135
5e59b791 2136static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2137 struct msghdr *msg, size_t len)
1c2acffb 2138{
8c1d787b 2139 struct l2cap_conn *conn = chan->conn;
1c2acffb 2140 struct sk_buff *skb;
03a51213 2141 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2142 struct l2cap_hdr *lh;
2143
8d46321c
MH		 2144 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2145 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2146
2147 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2148
d9fbd02b 2149 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2150 msg->msg_flags & MSG_DONTWAIT);
2151 if (IS_ERR(skb))
2152 return skb;
1c2acffb
GP		 2153
2154 /* Create L2CAP header */
2155 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2156 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2157 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2158 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2159
0952a57a 2160 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2161 if (unlikely(err < 0)) {
2162 kfree_skb(skb);
2163 return ERR_PTR(err);
2164 }
2165 return skb;
2166}
2167
5e59b791 2168static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2169 struct msghdr *msg, size_t len)
1c2acffb 2170{
8c1d787b 2171 struct l2cap_conn *conn = chan->conn;
1c2acffb 2172 struct sk_buff *skb;
f2ba7fae 2173 int err, count;
1c2acffb
GP		 2174 struct l2cap_hdr *lh;
2175
b4400672 2176 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2177
f2ba7fae 2178 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2179
d9fbd02b 2180 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2181 msg->msg_flags & MSG_DONTWAIT);
2182 if (IS_ERR(skb))
2183 return skb;
1c2acffb
GP		 2184
2185 /* Create L2CAP header */
2186 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2187 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2188 lh->len = cpu_to_le16(len);
1c2acffb 2189
0952a57a 2190 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2191 if (unlikely(err < 0)) {
2192 kfree_skb(skb);
2193 return ERR_PTR(err);
2194 }
2195 return skb;
2196}
2197
ab0ff76d 2198static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2199 struct msghdr *msg, size_t len,
2200 u16 sdulen)
1c2acffb 2201{
8c1d787b 2202 struct l2cap_conn *conn = chan->conn;
1c2acffb 2203 struct sk_buff *skb;
e4ca6d98 2204 int err, count, hlen;
1c2acffb
GP		 2205 struct l2cap_hdr *lh;
2206
b4400672 2207 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2208
0ee0d208
GP		 2209 if (!conn)
2210 return ERR_PTR(-ENOTCONN);
2211
ba7aa64f 2212 hlen = __ertm_hdr_size(chan);
e4ca6d98 2213
c74e560c 2214 if (sdulen)
03a51213 2215 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2216
47d1ec61 2217 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2218 hlen += L2CAP_FCS_SIZE;
fcc203c3 2219
1c2acffb 2220 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2221
d9fbd02b 2222 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2223 msg->msg_flags & MSG_DONTWAIT);
2224 if (IS_ERR(skb))
2225 return skb;
1c2acffb
GP		 2226
2227 /* Create L2CAP header */
2228 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2229 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2230 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2231
18a48e76
MM		 2232 /* Control header is populated later */
2233 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2234 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2235 else
2236 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2237
c74e560c 2238 if (sdulen)
03a51213 2239 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2240
0952a57a 2241 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2242 if (unlikely(err < 0)) {
2243 kfree_skb(skb);
2244 return ERR_PTR(err);
2245 }
e90bac06 2246
18a48e76 2247 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2248 bt_cb(skb)->control.retries = 0;
1c2acffb 2249 return skb;
1da177e4
LT		 2250}
2251
94122bbe
MM		 2252static int l2cap_segment_sdu(struct l2cap_chan *chan,
2253 struct sk_buff_head *seg_queue,
2254 struct msghdr *msg, size_t len)
c74e560c 2255{
c74e560c 2256 struct sk_buff *skb;
94122bbe
MM		 2257 u16 sdu_len;
2258 size_t pdu_len;
94122bbe 2259 u8 sar;
c74e560c 2260
b4400672 2261 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2262
94122bbe
MM		 2263 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2264 * so fragmented skbs are not used. The HCI layer's handling
2265 * of fragmented skbs is not compatible with ERTM's queueing.
2266 */
c74e560c 2267
94122bbe
MM		 2268 /* PDU size is derived from the HCI MTU */
2269 pdu_len = chan->conn->mtu;
c74e560c 2270
a549574d
MM		 2271 /* Constrain PDU size for BR/EDR connections */
2272 if (!chan->hs_hcon)
2273 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2274
2275 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2276 if (chan->fcs)
2277 pdu_len -= L2CAP_FCS_SIZE;
2278
ba7aa64f 2279 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2280
2281 /* Remote device may have requested smaller PDUs */
2282 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2283
2284 if (len <= pdu_len) {
2285 sar = L2CAP_SAR_UNSEGMENTED;
2286 sdu_len = 0;
2287 pdu_len = len;
2288 } else {
2289 sar = L2CAP_SAR_START;
2290 sdu_len = len;
94122bbe
MM		 2291 }
2292
2293 while (len > 0) {
2294 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2295
c74e560c 2296 if (IS_ERR(skb)) {
94122bbe 2297 __skb_queue_purge(seg_queue);
c74e560c
GP		 2298 return PTR_ERR(skb);
2299 }
2300
94122bbe
MM		 2301 bt_cb(skb)->control.sar = sar;
2302 __skb_queue_tail(seg_queue, skb);
2303
2304 len -= pdu_len;
069cb270 2305 if (sdu_len)
94122bbe 2306 sdu_len = 0;
94122bbe
MM		 2307
2308 if (len <= pdu_len) {
2309 sar = L2CAP_SAR_END;
2310 pdu_len = len;
2311 } else {
2312 sar = L2CAP_SAR_CONTINUE;
2313 }
c74e560c 2314 }
c74e560c 2315
f0f62799 2316 return 0;
c74e560c
GP		 2317}
2318
177f8f2b
JH		 2319static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2320 struct msghdr *msg,
2321 size_t len, u16 sdulen)
2322{
2323 struct l2cap_conn *conn = chan->conn;
2324 struct sk_buff *skb;
2325 int err, count, hlen;
2326 struct l2cap_hdr *lh;
2327
2328 BT_DBG("chan %p len %zu", chan, len);
2329
2330 if (!conn)
2331 return ERR_PTR(-ENOTCONN);
2332
2333 hlen = L2CAP_HDR_SIZE;
2334
2335 if (sdulen)
2336 hlen += L2CAP_SDULEN_SIZE;
2337
2338 count = min_t(unsigned int, (conn->mtu - hlen), len);
2339
d9fbd02b 2340 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2341 msg->msg_flags & MSG_DONTWAIT);
2342 if (IS_ERR(skb))
2343 return skb;
2344
2345 /* Create L2CAP header */
2346 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2347 lh->cid = cpu_to_le16(chan->dcid);
2348 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2349
2350 if (sdulen)
2351 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2352
2353 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2354 if (unlikely(err < 0)) {
2355 kfree_skb(skb);
2356 return ERR_PTR(err);
2357 }
2358
2359 return skb;
2360}
2361
2362static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2363 struct sk_buff_head *seg_queue,
2364 struct msghdr *msg, size_t len)
2365{
2366 struct sk_buff *skb;
2367 size_t pdu_len;
2368 u16 sdu_len;
2369
2370 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2371
177f8f2b 2372 sdu_len = len;
72c6fb91 2373 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
177f8f2b
JH		 2374
2375 while (len > 0) {
2376 if (len <= pdu_len)
2377 pdu_len = len;
2378
2379 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2380 if (IS_ERR(skb)) {
2381 __skb_queue_purge(seg_queue);
2382 return PTR_ERR(skb);
2383 }
2384
2385 __skb_queue_tail(seg_queue, skb);
2386
2387 len -= pdu_len;
2388
2389 if (sdu_len) {
2390 sdu_len = 0;
2391 pdu_len += L2CAP_SDULEN_SIZE;
2392 }
2393 }
2394
2395 return 0;
2396}
2397
8d46321c 2398int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2399{
9a91a04a 2400 struct sk_buff *skb;
9a91a04a 2401 int err;
94122bbe 2402 struct sk_buff_head seg_queue;
9a91a04a 2403
31e8ce80
SWK		 2404 if (!chan->conn)
2405 return -ENOTCONN;
2406
9a91a04a 2407 /* Connectionless channel */
715ec005 2408 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2409 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2410 if (IS_ERR(skb))
2411 return PTR_ERR(skb);
2412
ede81a2a
AK		 2413 /* Channel lock is released before requesting new skb and then
2414 * reacquired thus we need to recheck channel state.
2415 */
2416 if (chan->state != BT_CONNECTED) {
2417 kfree_skb(skb);
2418 return -ENOTCONN;
2419 }
2420
9a91a04a
GP		 2421 l2cap_do_send(chan, skb);
2422 return len;
2423 }
2424
2425 switch (chan->mode) {
38319713 2426 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2427 /* Check outgoing MTU */
2428 if (len > chan->omtu)
2429 return -EMSGSIZE;
2430
fad5fc89
JH		 2431 if (!chan->tx_credits)
2432 return -EAGAIN;
2433
177f8f2b
JH		 2434 __skb_queue_head_init(&seg_queue);
2435
2436 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2437
2438 if (chan->state != BT_CONNECTED) {
2439 __skb_queue_purge(&seg_queue);
2440 err = -ENOTCONN;
2441 }
2442
2443 if (err)
2444 return err;
2445
2446 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2447
2448 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2449 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2450 chan->tx_credits--;
2451 }
2452
2453 if (!chan->tx_credits)
2454 chan->ops->suspend(chan);
2455
2456 err = len;
2457
2458 break;
2459
fad5fc89 2460 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2461 /* Check outgoing MTU */
2462 if (len > chan->omtu)
2463 return -EMSGSIZE;
2464
2465 /* Create a basic PDU */
8d46321c 2466 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2467 if (IS_ERR(skb))
2468 return PTR_ERR(skb);
2469
ede81a2a
AK		 2470 /* Channel lock is released before requesting new skb and then
2471 * reacquired thus we need to recheck channel state.
2472 */
2473 if (chan->state != BT_CONNECTED) {
2474 kfree_skb(skb);
2475 return -ENOTCONN;
2476 }
2477
9a91a04a
GP		 2478 l2cap_do_send(chan, skb);
2479 err = len;
2480 break;
2481
2482 case L2CAP_MODE_ERTM:
2483 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2484 /* Check outgoing MTU */
2485 if (len > chan->omtu) {
2486 err = -EMSGSIZE;
2487 break;
2488 }
9a91a04a 2489
94122bbe 2490 __skb_queue_head_init(&seg_queue);
9a91a04a 2491
94122bbe
MM		 2492 /* Do segmentation before calling in to the state machine,
2493 * since it's possible to block while waiting for memory
2494 * allocation.
2495 */
2496 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2497
94122bbe
MM		 2498 /* The channel could have been closed while segmenting,
2499 * check that it is still connected.
2500 */
2501 if (chan->state != BT_CONNECTED) {
2502 __skb_queue_purge(&seg_queue);
2503 err = -ENOTCONN;
9a91a04a
GP		 2504 }
2505
94122bbe 2506 if (err)
9a91a04a 2507 break;
9a91a04a 2508
3733937d 2509 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2510 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2511 else
d660366d 2512 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2513
d660366d 2514 err = len;
9a91a04a 2515
94122bbe
MM		 2516 /* If the skbs were not queued for sending, they'll still be in
2517 * seg_queue and need to be purged.
2518 */
2519 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2520 break;
2521
2522 default:
2523 BT_DBG("bad state %1.1x", chan->mode);
2524 err = -EBADFD;
2525 }
2526
2527 return err;
2528}
6b8d4a6a 2529EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2530
d2a7ac5d
MM		 2531static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2532{
bed68bde
MM		 2533 struct l2cap_ctrl control;
2534 u16 seq;
2535
b4400672 2536 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2537
2538 memset(&control, 0, sizeof(control));
2539 control.sframe = 1;
2540 control.super = L2CAP_SUPER_SREJ;
2541
2542 for (seq = chan->expected_tx_seq; seq != txseq;
2543 seq = __next_seq(chan, seq)) {
2544 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2545 control.reqseq = seq;
2546 l2cap_send_sframe(chan, &control);
2547 l2cap_seq_list_append(&chan->srej_list, seq);
2548 }
2549 }
2550
2551 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2552}
2553
2554static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2555{
bed68bde
MM		 2556 struct l2cap_ctrl control;
2557
2558 BT_DBG("chan %p", chan);
2559
2560 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2561 return;
2562
2563 memset(&control, 0, sizeof(control));
2564 control.sframe = 1;
2565 control.super = L2CAP_SUPER_SREJ;
2566 control.reqseq = chan->srej_list.tail;
2567 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2568}
2569
2570static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2571{
bed68bde
MM		 2572 struct l2cap_ctrl control;
2573 u16 initial_head;
2574 u16 seq;
2575
b4400672 2576 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2577
2578 memset(&control, 0, sizeof(control));
2579 control.sframe = 1;
2580 control.super = L2CAP_SUPER_SREJ;
2581
2582 /* Capture initial list head to allow only one pass through the list. */
2583 initial_head = chan->srej_list.head;
2584
2585 do {
2586 seq = l2cap_seq_list_pop(&chan->srej_list);
2587 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2588 break;
2589
2590 control.reqseq = seq;
2591 l2cap_send_sframe(chan, &control);
2592 l2cap_seq_list_append(&chan->srej_list, seq);
2593 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2594}
2595
608bcc6d
MM		 2596static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2597{
2598 struct sk_buff *acked_skb;
2599 u16 ackseq;
2600
b4400672 2601 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2602
2603 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2604 return;
2605
b4400672 2606 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2607 chan->expected_ack_seq, chan->unacked_frames);
2608
2609 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2610 ackseq = __next_seq(chan, ackseq)) {
2611
2612 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2613 if (acked_skb) {
2614 skb_unlink(acked_skb, &chan->tx_q);
2615 kfree_skb(acked_skb);
2616 chan->unacked_frames--;
2617 }
2618 }
2619
2620 chan->expected_ack_seq = reqseq;
2621
2622 if (chan->unacked_frames == 0)
2623 __clear_retrans_timer(chan);
2624
b4400672 2625 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2626}
2627
2628static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2629{
2630 BT_DBG("chan %p", chan);
2631
2632 chan->expected_tx_seq = chan->buffer_seq;
2633 l2cap_seq_list_clear(&chan->srej_list);
2634 skb_queue_purge(&chan->srej_q);
2635 chan->rx_state = L2CAP_RX_STATE_RECV;
2636}
2637
d660366d
GP		 2638static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2639 struct l2cap_ctrl *control,
2640 struct sk_buff_head *skbs, u8 event)
608bcc6d 2641{
608bcc6d
MM		 2642 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2643 event);
2644
2645 switch (event) {
2646 case L2CAP_EV_DATA_REQUEST:
2647 if (chan->tx_send_head == NULL)
2648 chan->tx_send_head = skb_peek(skbs);
2649
2650 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2651 l2cap_ertm_send(chan);
2652 break;
2653 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2654 BT_DBG("Enter LOCAL_BUSY");
2655 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2656
2657 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2658 /* The SREJ_SENT state must be aborted if we are to
2659 * enter the LOCAL_BUSY state.
2660 */
2661 l2cap_abort_rx_srej_sent(chan);
2662 }
2663
2664 l2cap_send_ack(chan);
2665
2666 break;
2667 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2668 BT_DBG("Exit LOCAL_BUSY");
2669 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2670
2671 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2672 struct l2cap_ctrl local_control;
2673
2674 memset(&local_control, 0, sizeof(local_control));
2675 local_control.sframe = 1;
2676 local_control.super = L2CAP_SUPER_RR;
2677 local_control.poll = 1;
2678 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2679 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2680
2681 chan->retry_count = 1;
2682 __set_monitor_timer(chan);
2683 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2684 }
2685 break;
2686 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2687 l2cap_process_reqseq(chan, control->reqseq);
2688 break;
2689 case L2CAP_EV_EXPLICIT_POLL:
2690 l2cap_send_rr_or_rnr(chan, 1);
2691 chan->retry_count = 1;
2692 __set_monitor_timer(chan);
2693 __clear_ack_timer(chan);
2694 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2695 break;
2696 case L2CAP_EV_RETRANS_TO:
2697 l2cap_send_rr_or_rnr(chan, 1);
2698 chan->retry_count = 1;
2699 __set_monitor_timer(chan);
2700 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2701 break;
2702 case L2CAP_EV_RECV_FBIT:
2703 /* Nothing to process */
2704 break;
2705 default:
2706 break;
2707 }
608bcc6d
MM		 2708}
2709
d660366d
GP		 2710static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2711 struct l2cap_ctrl *control,
2712 struct sk_buff_head *skbs, u8 event)
608bcc6d 2713{
608bcc6d
MM		 2714 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2715 event);
2716
2717 switch (event) {
2718 case L2CAP_EV_DATA_REQUEST:
2719 if (chan->tx_send_head == NULL)
2720 chan->tx_send_head = skb_peek(skbs);
2721 /* Queue data, but don't send. */
2722 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2723 break;
2724 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2725 BT_DBG("Enter LOCAL_BUSY");
2726 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2727
2728 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2729 /* The SREJ_SENT state must be aborted if we are to
2730 * enter the LOCAL_BUSY state.
2731 */
2732 l2cap_abort_rx_srej_sent(chan);
2733 }
2734
2735 l2cap_send_ack(chan);
2736
2737 break;
2738 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2739 BT_DBG("Exit LOCAL_BUSY");
2740 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2741
2742 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2743 struct l2cap_ctrl local_control;
2744 memset(&local_control, 0, sizeof(local_control));
2745 local_control.sframe = 1;
2746 local_control.super = L2CAP_SUPER_RR;
2747 local_control.poll = 1;
2748 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2749 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2750
2751 chan->retry_count = 1;
2752 __set_monitor_timer(chan);
2753 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2754 }
2755 break;
2756 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2757 l2cap_process_reqseq(chan, control->reqseq);
2758
2759 /* Fall through */
2760
2761 case L2CAP_EV_RECV_FBIT:
2762 if (control && control->final) {
2763 __clear_monitor_timer(chan);
2764 if (chan->unacked_frames > 0)
2765 __set_retrans_timer(chan);
2766 chan->retry_count = 0;
2767 chan->tx_state = L2CAP_TX_STATE_XMIT;
2768 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2769 }
2770 break;
2771 case L2CAP_EV_EXPLICIT_POLL:
2772 /* Ignore */
2773 break;
2774 case L2CAP_EV_MONITOR_TO:
2775 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2776 l2cap_send_rr_or_rnr(chan, 1);
2777 __set_monitor_timer(chan);
2778 chan->retry_count++;
2779 } else {
5e4e3972 2780 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2781 }
2782 break;
2783 default:
2784 break;
2785 }
608bcc6d
MM		 2786}
2787
d660366d
GP		 2788static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2789 struct sk_buff_head *skbs, u8 event)
608bcc6d 2790{
608bcc6d
MM		 2791 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2792 chan, control, skbs, event, chan->tx_state);
2793
2794 switch (chan->tx_state) {
2795 case L2CAP_TX_STATE_XMIT:
d660366d 2796 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2797 break;
2798 case L2CAP_TX_STATE_WAIT_F:
d660366d 2799 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2800 break;
2801 default:
2802 /* Ignore event */
2803 break;
2804 }
608bcc6d
MM		 2805}
2806
4b51dae9
MM		 2807static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2808 struct l2cap_ctrl *control)
2809{
2810 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2811 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2812}
2813
f80842a8
MM		 2814static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2815 struct l2cap_ctrl *control)
2816{
2817 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2818 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2819}
2820
1da177e4
LT		 2821/* Copy frame to all raw sockets on that connection */
2822static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2823{
1da177e4 2824 struct sk_buff *nskb;
48454079 2825 struct l2cap_chan *chan;
1da177e4
LT		 2826
2827 BT_DBG("conn %p", conn);
2828
3df91ea2 2829 mutex_lock(&conn->chan_lock);
3d57dc68 2830
3df91ea2 2831 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2832 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2833 continue;
2834
7f5396a7
GP		 2835 /* Don't send frame to the channel it came from */
2836 if (bt_cb(skb)->chan == chan)
1da177e4 2837 continue;
7f5396a7 2838
8bcde1f2 2839 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2840 if (!nskb)
1da177e4 2841 continue;
80b98027 2842 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2843 kfree_skb(nskb);
2844 }
3d57dc68 2845
3df91ea2 2846 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2847}
2848
2849/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2850static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2851 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2852{
2853 struct sk_buff *skb, **frag;
2854 struct l2cap_cmd_hdr *cmd;
2855 struct l2cap_hdr *lh;
2856 int len, count;
2857
b4400672
AE		 2858 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2859 conn, code, ident, dlen);
1da177e4 2860
300b962e
AL		 2861 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2862 return NULL;
2863
1da177e4
LT		 2864 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2865 count = min_t(unsigned int, conn->mtu, len);
2866
8bcde1f2 2867 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2868 if (!skb)
2869 return NULL;
2870
2871 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2872 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2873
2874 if (conn->hcon->type == LE_LINK)
dcf4adbf 2875 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2876 else
dcf4adbf 2877 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2878
2879 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2880 cmd->code = code;
2881 cmd->ident = ident;
aca3192c 2882 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2883
2884 if (dlen) {
2885 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2886 memcpy(skb_put(skb, count), data, count);
2887 data += count;
2888 }
2889
2890 len -= skb->len;
2891
2892 /* Continuation fragments (no L2CAP header) */
2893 frag = &skb_shinfo(skb)->frag_list;
2894 while (len) {
2895 count = min_t(unsigned int, conn->mtu, len);
2896
8bcde1f2 2897 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2898 if (!*frag)
2899 goto fail;
2900
2901 memcpy(skb_put(*frag, count), data, count);
2902
2903 len -= count;
2904 data += count;
2905
2906 frag = &(*frag)->next;
2907 }
2908
2909 return skb;
2910
2911fail:
2912 kfree_skb(skb);
2913 return NULL;
2914}
2915
2d792818
GP		 2916static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2917 unsigned long *val)
1da177e4
LT		 2918{
2919 struct l2cap_conf_opt *opt = *ptr;
2920 int len;
2921
2922 len = L2CAP_CONF_OPT_SIZE + opt->len;
2923 *ptr += len;
2924
2925 *type = opt->type;
2926 *olen = opt->len;
2927
2928 switch (opt->len) {
2929 case 1:
2930 *val = *((u8 *) opt->val);
2931 break;
2932
2933 case 2:
bfaaeb3e 2934 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2935 break;
2936
2937 case 4:
bfaaeb3e 2938 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2939 break;
2940
2941 default:
2942 *val = (unsigned long) opt->val;
2943 break;
2944 }
2945
b4400672 2946 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2947 return len;
2948}
2949
1da177e4
LT		 2950static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2951{
2952 struct l2cap_conf_opt *opt = *ptr;
2953
b4400672 2954 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2955
2956 opt->type = type;
2957 opt->len = len;
2958
2959 switch (len) {
2960 case 1:
2961 *((u8 *) opt->val) = val;
2962 break;
2963
2964 case 2:
4f8b691c 2965 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2966 break;
2967
2968 case 4:
4f8b691c 2969 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2970 break;
2971
2972 default:
2973 memcpy(opt->val, (void *) val, len);
2974 break;
2975 }
2976
2977 *ptr += L2CAP_CONF_OPT_SIZE + len;
2978}
2979
f89cef09
AE		 2980static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2981{
2982 struct l2cap_conf_efs efs;
2983
1ec918ce 2984 switch (chan->mode) {
f89cef09
AE		 2985 case L2CAP_MODE_ERTM:
2986 efs.id = chan->local_id;
2987 efs.stype = chan->local_stype;
2988 efs.msdu = cpu_to_le16(chan->local_msdu);
2989 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2990 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2991 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2992 break;
2993
2994 case L2CAP_MODE_STREAMING:
2995 efs.id = 1;
2996 efs.stype = L2CAP_SERV_BESTEFFORT;
2997 efs.msdu = cpu_to_le16(chan->local_msdu);
2998 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2999 efs.acc_lat = 0;
3000 efs.flush_to = 0;
3001 break;
3002
3003 default:
3004 return;
3005 }
3006
3007 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3008 (unsigned long) &efs);
f89cef09
AE		 3009}
3010
721c4181 3011static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3012{
721c4181 3013 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3014 ack_timer.work);
3015 u16 frames_to_ack;
c1b4f43b 3016
2fb9b3d4
GP		 3017 BT_DBG("chan %p", chan);
3018
6be36555
AE		 3019 l2cap_chan_lock(chan);
3020
0362520b
MM		 3021 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3022 chan->last_acked_seq);
6be36555 3023
0362520b
MM		 3024 if (frames_to_ack)
3025 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3026
0362520b 3027 l2cap_chan_unlock(chan);
09bfb2ee 3028 l2cap_chan_put(chan);
c1b4f43b
GP		 3029}
3030
466f8004 3031int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3032{
3c588192
MM		 3033 int err;
3034
105bdf9e
MM		 3035 chan->next_tx_seq = 0;
3036 chan->expected_tx_seq = 0;
42e5c802 3037 chan->expected_ack_seq = 0;
6a026610 3038 chan->unacked_frames = 0;
42e5c802 3039 chan->buffer_seq = 0;
6a026610 3040 chan->frames_sent = 0;
105bdf9e
MM		 3041 chan->last_acked_seq = 0;
3042 chan->sdu = NULL;
3043 chan->sdu_last_frag = NULL;
3044 chan->sdu_len = 0;
3045
d34c34fb
MM		 3046 skb_queue_head_init(&chan->tx_q);
3047
6ed971ca
MH		 3048 chan->local_amp_id = AMP_ID_BREDR;
3049 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3050 chan->move_state = L2CAP_MOVE_STABLE;
3051 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3052
105bdf9e
MM		 3053 if (chan->mode != L2CAP_MODE_ERTM)
3054 return 0;
3055
3056 chan->rx_state = L2CAP_RX_STATE_RECV;
3057 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3058
721c4181
GP		 3059 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3060 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3061 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3062
f1c6775b 3063 skb_queue_head_init(&chan->srej_q);
1890d36b 3064
3c588192
MM		 3065 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3066 if (err < 0)
3067 return err;
3068
9dc9affc
MM		 3069 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3070 if (err < 0)
3071 l2cap_seq_list_free(&chan->srej_list);
3072
3073 return err;
0565c1c2
GP		 3074}
3075
f2fcfcd6
GP		 3076static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3077{
3078 switch (mode) {
3079 case L2CAP_MODE_STREAMING:
3080 case L2CAP_MODE_ERTM:
3081 if (l2cap_mode_supported(mode, remote_feat_mask))
3082 return mode;
3083 /* fall through */
3084 default:
3085 return L2CAP_MODE_BASIC;
3086 }
3087}
3088
848566b3 3089static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3090{
848566b3 3091 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3092}
3093
848566b3 3094static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3095{
848566b3 3096 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3097}
3098
36c86c85
MM		 3099static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3100 struct l2cap_conf_rfc *rfc)
3101{
6ed971ca 3102 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3103 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3104
3105 /* Class 1 devices have must have ERTM timeouts
3106 * exceeding the Link Supervision Timeout. The
3107 * default Link Supervision Timeout for AMP
3108 * controllers is 10 seconds.
3109 *
3110 * Class 1 devices use 0xffffffff for their
3111 * best-effort flush timeout, so the clamping logic
3112 * will result in a timeout that meets the above
3113 * requirement. ERTM timeouts are 16-bit values, so
3114 * the maximum timeout is 65.535 seconds.
3115 */
3116
3117 /* Convert timeout to milliseconds and round */
3118 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3119
3120 /* This is the recommended formula for class 2 devices
3121 * that start ERTM timers when packets are sent to the
3122 * controller.
3123 */
3124 ertm_to = 3 * ertm_to + 500;
3125
3126 if (ertm_to > 0xffff)
3127 ertm_to = 0xffff;
3128
3129 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3130 rfc->monitor_timeout = rfc->retrans_timeout;
3131 } else {
dcf4adbf
JP		 3132 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3133 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3134 }
3135}
3136
6327eb98
AE		 3137static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3138{
3139 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3140 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3141 /* use extended control field */
3142 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3143 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3144 } else {
6327eb98 3145 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3146 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3147 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3148 }
c20f8e35 3149 chan->ack_win = chan->tx_win;
6327eb98
AE		 3150}
3151
710f9b0a 3152static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3153{
1da177e4 3154 struct l2cap_conf_req *req = data;
0c1bc5c6 3155 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3156 void *ptr = req->data;
c8f79162 3157 u16 size;
1da177e4 3158
49208c9c 3159 BT_DBG("chan %p", chan);
1da177e4 3160
73ffa904 3161 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3162 goto done;
3163
0c1bc5c6 3164 switch (chan->mode) {
f2fcfcd6
GP		 3165 case L2CAP_MODE_STREAMING:
3166 case L2CAP_MODE_ERTM:
c1360a1c 3167 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3168 break;
85eb53c6 3169
848566b3 3170 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3171 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3172
2ba13ed6 3173 /* fall through */
f2fcfcd6 3174 default:
8c1d787b 3175 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3176 break;
3177 }
3178
3179done:
0c1bc5c6
GP		 3180 if (chan->imtu != L2CAP_DEFAULT_MTU)
3181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3182
0c1bc5c6 3183 switch (chan->mode) {
65c7c491 3184 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3185 if (disable_ertm)
3186 break;
3187
8c1d787b 3188 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3189 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3190 break;
3191
62547752
GP		 3192 rfc.mode = L2CAP_MODE_BASIC;
3193 rfc.txwin_size = 0;
3194 rfc.max_transmit = 0;
3195 rfc.retrans_timeout = 0;
3196 rfc.monitor_timeout = 0;
3197 rfc.max_pdu_size = 0;
3198
63406504 3199 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3200 (unsigned long) &rfc);
65c7c491
MH		 3201 break;
3202
3203 case L2CAP_MODE_ERTM:
3204 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3205 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3206
3207 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3208
3209 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3210 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3211 L2CAP_FCS_SIZE);
c8f79162 3212 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3213
6327eb98
AE		 3214 l2cap_txwin_setup(chan);
3215
3216 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3217 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3218
63406504 3219 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3220 (unsigned long) &rfc);
63406504 3221
f89cef09
AE		 3222 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3223 l2cap_add_opt_efs(&ptr, chan);
3224
6327eb98
AE		 3225 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3226 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3227 chan->tx_win);
60918918
AE		 3228
3229 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3230 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3231 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3232 chan->fcs = L2CAP_FCS_NONE;
3233 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3234 chan->fcs);
3235 }
f2fcfcd6
GP		 3236 break;
3237
3238 case L2CAP_MODE_STREAMING:
273759e2 3239 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3240 rfc.mode = L2CAP_MODE_STREAMING;
3241 rfc.txwin_size = 0;
3242 rfc.max_transmit = 0;
3243 rfc.retrans_timeout = 0;
3244 rfc.monitor_timeout = 0;
c8f79162
AE		 3245
3246 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3247 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3248 L2CAP_FCS_SIZE);
c8f79162 3249 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3250
63406504 3251 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3252 (unsigned long) &rfc);
63406504 3253
f89cef09
AE		 3254 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3255 l2cap_add_opt_efs(&ptr, chan);
3256
60918918
AE		 3257 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3258 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3259 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3260 chan->fcs = L2CAP_FCS_NONE;
3261 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3262 chan->fcs);
3263 }
65c7c491
MH		 3264 break;
3265 }
1da177e4 3266
fe4128e0 3267 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3268 req->flags = cpu_to_le16(0);
1da177e4
LT		 3269
3270 return ptr - data;
3271}
3272
73ffa904 3273static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3274{
5dee9e7c
MH		 3275 struct l2cap_conf_rsp *rsp = data;
3276 void *ptr = rsp->data;
73ffa904
GP		 3277 void *req = chan->conf_req;
3278 int len = chan->conf_len;
5dee9e7c
MH		 3279 int type, hint, olen;
3280 unsigned long val;
6464f35f 3281 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3282 struct l2cap_conf_efs efs;
3283 u8 remote_efs = 0;
861d6882 3284 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3285 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3286 u16 size;
1da177e4 3287
73ffa904 3288 BT_DBG("chan %p", chan);
820ae1b8 3289
5dee9e7c
MH		 3290 while (len >= L2CAP_CONF_OPT_SIZE) {
3291 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3292
589d2746 3293 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3294 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3295
3296 switch (type) {
3297 case L2CAP_CONF_MTU:
861d6882 3298 mtu = val;
5dee9e7c
MH		 3299 break;
3300
3301 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3302 chan->flush_to = val;
5dee9e7c
MH		 3303 break;
3304
3305 case L2CAP_CONF_QOS:
3306 break;
3307
6464f35f
MH		 3308 case L2CAP_CONF_RFC:
3309 if (olen == sizeof(rfc))
3310 memcpy(&rfc, (void *) val, olen);
3311 break;
3312
fcc203c3
GP		 3313 case L2CAP_CONF_FCS:
3314 if (val == L2CAP_FCS_NONE)
f2592d3e 3315 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3316 break;
fcc203c3 3317
42dceae2
AE		 3318 case L2CAP_CONF_EFS:
3319 remote_efs = 1;
3320 if (olen == sizeof(efs))
3321 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3322 break;
3323
6327eb98 3324 case L2CAP_CONF_EWS:
848566b3 3325 if (!chan->conn->hs_enabled)
6327eb98 3326 return -ECONNREFUSED;
fcc203c3 3327
6327eb98
AE		 3328 set_bit(FLAG_EXT_CTRL, &chan->flags);
3329 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3330 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3331 chan->remote_tx_win = val;
fcc203c3
GP		 3332 break;
3333
5dee9e7c
MH		 3334 default:
3335 if (hint)
3336 break;
3337
3338 result = L2CAP_CONF_UNKNOWN;
3339 *((u8 *) ptr++) = type;
3340 break;
3341 }
3342 }
3343
73ffa904 3344 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3345 goto done;
3346
0c1bc5c6 3347 switch (chan->mode) {
f2fcfcd6
GP		 3348 case L2CAP_MODE_STREAMING:
3349 case L2CAP_MODE_ERTM:
c1360a1c 3350 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3351 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3352 chan->conn->feat_mask);
85eb53c6
GP		 3353 break;
3354 }
3355
42dceae2 3356 if (remote_efs) {
848566b3 3357 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3358 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3359 else
3360 return -ECONNREFUSED;
3361 }
3362
0c1bc5c6 3363 if (chan->mode != rfc.mode)
f2fcfcd6 3364 return -ECONNREFUSED;
742e519b 3365
f2fcfcd6 3366 break;
f2fcfcd6
GP		 3367 }
3368
3369done:
0c1bc5c6 3370 if (chan->mode != rfc.mode) {
f2fcfcd6 3371 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3372 rfc.mode = chan->mode;
f2fcfcd6 3373
73ffa904 3374 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3375 return -ECONNREFUSED;
3376
2d792818
GP		 3377 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3378 (unsigned long) &rfc);
f2fcfcd6
GP		 3379 }
3380
5dee9e7c
MH		 3381 if (result == L2CAP_CONF_SUCCESS) {
3382 /* Configure output options and let the other side know
3383 * which ones we don't like. */
3384
f2fcfcd6
GP		 3385 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3386 result = L2CAP_CONF_UNACCEPT;
3387 else {
0c1bc5c6 3388 chan->omtu = mtu;
c1360a1c 3389 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3390 }
0c1bc5c6 3391 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3392
42dceae2
AE		 3393 if (remote_efs) {
3394 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3395 efs.stype != L2CAP_SERV_NOTRAFIC &&
3396 efs.stype != chan->local_stype) {
42dceae2
AE		 3397
3398 result = L2CAP_CONF_UNACCEPT;
3399
3400 if (chan->num_conf_req >= 1)
3401 return -ECONNREFUSED;
3402
3403 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3404 sizeof(efs),
3405 (unsigned long) &efs);
0e8b207e 3406 } else {
3e6b3b95 3407 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3408 result = L2CAP_CONF_PENDING;
3409 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3410 }
3411 }
3412
f2fcfcd6
GP		 3413 switch (rfc.mode) {
3414 case L2CAP_MODE_BASIC:
47d1ec61 3415 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3416 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3417 break;
3418
3419 case L2CAP_MODE_ERTM:
6327eb98
AE		 3420 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3421 chan->remote_tx_win = rfc.txwin_size;
3422 else
3423 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3424
2c03a7a4 3425 chan->remote_max_tx = rfc.max_transmit;
1c762159 3426
c8f79162 3427 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3428 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3429 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3430 rfc.max_pdu_size = cpu_to_le16(size);
3431 chan->remote_mps = size;
f2fcfcd6 3432
36c86c85 3433 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3434
c1360a1c 3435 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3436
3437 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3438 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3439
42dceae2
AE		 3440 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3441 chan->remote_id = efs.id;
3442 chan->remote_stype = efs.stype;
3443 chan->remote_msdu = le16_to_cpu(efs.msdu);
3444 chan->remote_flush_to =
2d792818 3445 le32_to_cpu(efs.flush_to);
42dceae2 3446 chan->remote_acc_lat =
2d792818 3447 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3448 chan->remote_sdu_itime =
3449 le32_to_cpu(efs.sdu_itime);
3450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3451 sizeof(efs),
3452 (unsigned long) &efs);
42dceae2 3453 }
f2fcfcd6
GP		 3454 break;
3455
3456 case L2CAP_MODE_STREAMING:
c8f79162 3457 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3458 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3459 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3460 rfc.max_pdu_size = cpu_to_le16(size);
3461 chan->remote_mps = size;
f2fcfcd6 3462
c1360a1c 3463 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3464
2d792818
GP		 3465 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3466 (unsigned long) &rfc);
68ae6639 3467
f2fcfcd6
GP		 3468 break;
3469
3470 default:
5dee9e7c 3471 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3472
6464f35f 3473 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3474 rfc.mode = chan->mode;
f2fcfcd6 3475 }
6464f35f 3476
f2fcfcd6 3477 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3478 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3479 }
fe4128e0 3480 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3481 rsp->result = cpu_to_le16(result);
dcf4adbf 3482 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3483
3484 return ptr - data;
1da177e4
LT		 3485}
3486
2d792818
GP		 3487static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3488 void *data, u16 *result)
f2fcfcd6 3489{
f2fcfcd6
GP		 3490 struct l2cap_conf_req *req = data;
3491 void *ptr = req->data;
3492 int type, olen;
3493 unsigned long val;
36e999a8 3494 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3495 struct l2cap_conf_efs efs;
f2fcfcd6 3496
fe4128e0 3497 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3498
3499 while (len >= L2CAP_CONF_OPT_SIZE) {
3500 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3501
3502 switch (type) {
3503 case L2CAP_CONF_MTU:
3504 if (val < L2CAP_DEFAULT_MIN_MTU) {
3505 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3506 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3507 } else
0c1bc5c6
GP		 3508 chan->imtu = val;
3509 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3510 break;
3511
3512 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3513 chan->flush_to = val;
f2fcfcd6 3514 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3515 2, chan->flush_to);
f2fcfcd6
GP		 3516 break;
3517
3518 case L2CAP_CONF_RFC:
3519 if (olen == sizeof(rfc))
3520 memcpy(&rfc, (void *)val, olen);
3521
c1360a1c 3522 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3523 rfc.mode != chan->mode)
f2fcfcd6
GP		 3524 return -ECONNREFUSED;
3525
47d1ec61 3526 chan->fcs = 0;
f2fcfcd6
GP		 3527
3528 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3529 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3530 break;
6327eb98
AE		 3531
3532 case L2CAP_CONF_EWS:
c20f8e35 3533 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3535 chan->tx_win);
6327eb98 3536 break;
66af7aaf
AE		 3537
3538 case L2CAP_CONF_EFS:
3539 if (olen == sizeof(efs))
3540 memcpy(&efs, (void *)val, olen);
3541
3542 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3543 efs.stype != L2CAP_SERV_NOTRAFIC &&
3544 efs.stype != chan->local_stype)
66af7aaf
AE		 3545 return -ECONNREFUSED;
3546
2d792818
GP		 3547 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3548 (unsigned long) &efs);
66af7aaf 3549 break;
cbabee78
AE		 3550
3551 case L2CAP_CONF_FCS:
3552 if (*result == L2CAP_CONF_PENDING)
3553 if (val == L2CAP_FCS_NONE)
f2592d3e 3554 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3555 &chan->conf_state);
3556 break;
f2fcfcd6
GP		 3557 }
3558 }
3559
0c1bc5c6 3560 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3561 return -ECONNREFUSED;
3562
0c1bc5c6 3563 chan->mode = rfc.mode;
6c2ea7a8 3564
0e8b207e 3565 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3566 switch (rfc.mode) {
3567 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3568 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3569 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3570 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3571 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3572 chan->ack_win = min_t(u16, chan->ack_win,
3573 rfc.txwin_size);
66af7aaf
AE		 3574
3575 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3576 chan->local_msdu = le16_to_cpu(efs.msdu);
3577 chan->local_sdu_itime =
2d792818 3578 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3579 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3580 chan->local_flush_to =
2d792818 3581 le32_to_cpu(efs.flush_to);
66af7aaf 3582 }
f2fcfcd6 3583 break;
66af7aaf 3584
f2fcfcd6 3585 case L2CAP_MODE_STREAMING:
47d1ec61 3586 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3587 }
3588 }
3589
fe4128e0 3590 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3591 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3592
3593 return ptr - data;
3594}
3595
2d792818
GP		 3596static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3597 u16 result, u16 flags)
1da177e4
LT		 3598{
3599 struct l2cap_conf_rsp *rsp = data;
3600 void *ptr = rsp->data;
1da177e4 3601
fe4128e0 3602 BT_DBG("chan %p", chan);
1da177e4 3603
fe4128e0 3604 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3605 rsp->result = cpu_to_le16(result);
aca3192c 3606 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3607
3608 return ptr - data;
3609}
3610
27e2d4c8
JH		 3611void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3612{
3613 struct l2cap_le_conn_rsp rsp;
3614 struct l2cap_conn *conn = chan->conn;
3615
3616 BT_DBG("chan %p", chan);
3617
3618 rsp.dcid = cpu_to_le16(chan->scid);
3619 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3620 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3621 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3622 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3623
3624 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3625 &rsp);
3626}
3627
8c1d787b 3628void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3629{
3630 struct l2cap_conn_rsp rsp;
8c1d787b 3631 struct l2cap_conn *conn = chan->conn;
710f9b0a 3632 u8 buf[128];
439f34ac 3633 u8 rsp_code;
710f9b0a 3634
fe4128e0
GP		 3635 rsp.scid = cpu_to_le16(chan->dcid);
3636 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3637 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3638 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3639
3640 if (chan->hs_hcon)
3641 rsp_code = L2CAP_CREATE_CHAN_RSP;
3642 else
3643 rsp_code = L2CAP_CONN_RSP;
3644
3645 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3646
3647 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3648
c1360a1c 3649 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3650 return;
3651
710f9b0a 3652 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3653 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3654 chan->num_conf_req++;
3655}
3656
47d1ec61 3657static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3658{
7b1c0049
GP		 3659 int type, olen;
3660 unsigned long val;
c20f8e35
MM		 3661 /* Use sane default values in case a misbehaving remote device
3662 * did not send an RFC or extended window size option.
3663 */
3664 u16 txwin_ext = chan->ack_win;
3665 struct l2cap_conf_rfc rfc = {
3666 .mode = chan->mode,
dcf4adbf
JP		 3667 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3668 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3669 .max_pdu_size = cpu_to_le16(chan->imtu),
3670 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3671 };
7b1c0049 3672
47d1ec61 3673 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3674
0c1bc5c6 3675 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3676 return;
3677
3678 while (len >= L2CAP_CONF_OPT_SIZE) {
3679 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3680
c20f8e35
MM		 3681 switch (type) {
3682 case L2CAP_CONF_RFC:
3683 if (olen == sizeof(rfc))
3684 memcpy(&rfc, (void *)val, olen);
8f321f85 3685 break;
c20f8e35
MM		 3686 case L2CAP_CONF_EWS:
3687 txwin_ext = val;
3688 break;
3689 }
7b1c0049
GP		 3690 }
3691
7b1c0049
GP		 3692 switch (rfc.mode) {
3693 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3694 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3695 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3696 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3697 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3698 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3699 else
3700 chan->ack_win = min_t(u16, chan->ack_win,
3701 rfc.txwin_size);
7b1c0049
GP		 3702 break;
3703 case L2CAP_MODE_STREAMING:
47d1ec61 3704 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3705 }
3706}
3707
2d792818 3708static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3709 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3710 u8 *data)
4e8402a3 3711{
e2fd318e 3712 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3713
cb3b3152
JH		 3714 if (cmd_len < sizeof(*rej))
3715 return -EPROTO;
3716
e2fd318e 3717 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3718 return 0;
3719
3720 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3721 cmd->ident == conn->info_ident) {
17cd3f37 3722 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3723
3724 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3725 conn->info_ident = 0;
984947dc 3726
4e8402a3
MH		 3727 l2cap_conn_start(conn);
3728 }
3729
3730 return 0;
3731}
3732
1700915f
MM		 3733static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3734 struct l2cap_cmd_hdr *cmd,
3735 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3736{
1da177e4
LT		 3737 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3738 struct l2cap_conn_rsp rsp;
23691d75 3739 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3740 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3741
3742 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3743 __le16 psm = req->psm;
1da177e4 3744
097db76c 3745 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3746
3747 /* Check if we have socket listening on psm */
6f59b904 3748 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3749 &conn->hcon->dst, ACL_LINK);
23691d75 3750 if (!pchan) {
1da177e4
LT		 3751 result = L2CAP_CR_BAD_PSM;
3752 goto sendresp;
3753 }
3754
3df91ea2 3755 mutex_lock(&conn->chan_lock);
8ffb9290 3756 l2cap_chan_lock(pchan);
e0f0cb56 3757
e7c29cb1 3758 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3759 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3760 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3761 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3762 result = L2CAP_CR_SEC_BLOCK;
3763 goto response;
3764 }
3765
1da177e4
LT		 3766 result = L2CAP_CR_NO_MEM;
3767
2dfa1003
GP		 3768 /* Check if we already have channel with that dcid */
3769 if (__l2cap_get_chan_by_dcid(conn, scid))
3770 goto response;
3771
80b98027 3772 chan = pchan->ops->new_connection(pchan);
80808e43 3773 if (!chan)
1da177e4
LT		 3774 goto response;
3775
330b6c15
SS		 3776 /* For certain devices (ex: HID mouse), support for authentication,
3777 * pairing and bonding is optional. For such devices, inorder to avoid
3778 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3779 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3780 */
3781 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3782
7eafc59e
MH		 3783 bacpy(&chan->src, &conn->hcon->src);
3784 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3785 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3786 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3787 chan->psm = psm;
3788 chan->dcid = scid;
1700915f 3789 chan->local_amp_id = amp_id;
1da177e4 3790
6be36555 3791 __l2cap_chan_add(conn, chan);
48454079 3792
fe4128e0 3793 dcid = chan->scid;
1da177e4 3794
8d836d71 3795 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3796
fc7f8a7e 3797 chan->ident = cmd->ident;
1da177e4 3798
984947dc 3799 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3800 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3801 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3802 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3803 result = L2CAP_CR_PEND;
3804 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3805 chan->ops->defer(chan);
f66dc81f 3806 } else {
1700915f
MM		 3807 /* Force pending result for AMP controllers.
3808 * The connection will succeed after the
3809 * physical link is up.
3810 */
6ed971ca 3811 if (amp_id == AMP_ID_BREDR) {
f93fa273 3812 l2cap_state_change(chan, BT_CONFIG);
1700915f 3813 result = L2CAP_CR_SUCCESS;
6ed971ca 3814 } else {
f93fa273 3815 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3816 result = L2CAP_CR_PEND;
1700915f 3817 }
f66dc81f
MH		 3818 status = L2CAP_CS_NO_INFO;
3819 }
79d554a6 3820 } else {
f93fa273 3821 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3822 result = L2CAP_CR_PEND;
3823 status = L2CAP_CS_AUTHEN_PEND;
3824 }
3825 } else {
f93fa273 3826 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3827 result = L2CAP_CR_PEND;
3828 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3829 }
3830
1da177e4 3831response:
8ffb9290 3832 l2cap_chan_unlock(pchan);
3df91ea2 3833 mutex_unlock(&conn->chan_lock);
a24cce14 3834 l2cap_chan_put(pchan);
1da177e4
LT		 3835
3836sendresp:
aca3192c
YH		 3837 rsp.scid = cpu_to_le16(scid);
3838 rsp.dcid = cpu_to_le16(dcid);
3839 rsp.result = cpu_to_le16(result);
3840 rsp.status = cpu_to_le16(status);
4c89b6aa 3841 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3842
3843 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3844 struct l2cap_info_req info;
dcf4adbf 3845 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3846
3847 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3848 conn->info_ident = l2cap_get_ident(conn);
3849
ba13ccd9 3850 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3851
2d792818
GP		 3852 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3853 sizeof(info), &info);
79d554a6
MH		 3854 }
3855
c1360a1c 3856 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3857 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3858 u8 buf[128];
c1360a1c 3859 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3860 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3861 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3862 chan->num_conf_req++;
e9aeb2dd 3863 }
1700915f
MM		 3864
3865 return chan;
4c89b6aa 3866}
e9aeb2dd 3867
4c89b6aa 3868static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3869 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3870{
7b064eda
JK		 3871 struct hci_dev *hdev = conn->hcon->hdev;
3872 struct hci_conn *hcon = conn->hcon;
3873
cb3b3152
JH		 3874 if (cmd_len < sizeof(struct l2cap_conn_req))
3875 return -EPROTO;
3876
7b064eda
JK		 3877 hci_dev_lock(hdev);
3878 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3879 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
48ec92fa 3880 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
7b064eda
JK		 3881 hci_dev_unlock(hdev);
3882
300229f9 3883 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3884 return 0;
3885}
3886
5909cf30 3887static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3888 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3889 u8 *data)
1da177e4
LT		 3890{
3891 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3892 u16 scid, dcid, result, status;
48454079 3893 struct l2cap_chan *chan;
1da177e4 3894 u8 req[128];
3df91ea2 3895 int err;
1da177e4 3896
cb3b3152
JH		 3897 if (cmd_len < sizeof(*rsp))
3898 return -EPROTO;
3899
1da177e4
LT		 3900 scid = __le16_to_cpu(rsp->scid);
3901 dcid = __le16_to_cpu(rsp->dcid);
3902 result = __le16_to_cpu(rsp->result);
3903 status = __le16_to_cpu(rsp->status);
3904
1b009c98 3905 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3906 dcid, scid, result, status);
1da177e4 3907
3df91ea2
AE		 3908 mutex_lock(&conn->chan_lock);
3909
1da177e4 3910 if (scid) {
3df91ea2
AE		 3911 chan = __l2cap_get_chan_by_scid(conn, scid);
3912 if (!chan) {
21870b52 3913 err = -EBADSLT;
3df91ea2
AE		 3914 goto unlock;
3915 }
1da177e4 3916 } else {
3df91ea2
AE		 3917 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3918 if (!chan) {
21870b52 3919 err = -EBADSLT;
3df91ea2
AE		 3920 goto unlock;
3921 }
1da177e4
LT		 3922 }
3923
3df91ea2
AE		 3924 err = 0;
3925
6be36555 3926 l2cap_chan_lock(chan);
48454079 3927
1da177e4
LT		 3928 switch (result) {
3929 case L2CAP_CR_SUCCESS:
89bc500e 3930 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3931 chan->ident = 0;
fe4128e0 3932 chan->dcid = dcid;
c1360a1c 3933 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3934
c1360a1c 3935 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3936 break;
3937
1da177e4 3938 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3939 l2cap_build_conf_req(chan, req), req);
73ffa904 3940 chan->num_conf_req++;
1da177e4
LT		 3941 break;
3942
3943 case L2CAP_CR_PEND:
c1360a1c 3944 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3945 break;
3946
3947 default:
48454079 3948 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3949 break;
3950 }
3951
6be36555 3952 l2cap_chan_unlock(chan);
3df91ea2
AE		 3953
3954unlock:
3955 mutex_unlock(&conn->chan_lock);
3956
3957 return err;
1da177e4
LT		 3958}
3959
47d1ec61 3960static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3961{
3962 /* FCS is enabled only in ERTM or streaming mode, if one or both
3963 * sides request it.
3964 */
0c1bc5c6 3965 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3966 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3967 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3968 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3969}
3970
29d8a590
AE		 3971static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3972 u8 ident, u16 flags)
3973{
3974 struct l2cap_conn *conn = chan->conn;
3975
3976 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3977 flags);
3978
3979 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3980 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3981
3982 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3983 l2cap_build_conf_rsp(chan, data,
3984 L2CAP_CONF_SUCCESS, flags), data);
3985}
3986
662d652d
JH		 3987static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3988 u16 scid, u16 dcid)
3989{
3990 struct l2cap_cmd_rej_cid rej;
3991
dcf4adbf 3992 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3993 rej.scid = __cpu_to_le16(scid);
3994 rej.dcid = __cpu_to_le16(dcid);
3995
3996 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3997}
3998
2d792818
GP		 3999static inline int l2cap_config_req(struct l2cap_conn *conn,
4000 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4001 u8 *data)
1da177e4
LT		 4002{
4003 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4004 u16 dcid, flags;
4005 u8 rsp[64];
48454079 4006 struct l2cap_chan *chan;
3c588192 4007 int len, err = 0;
1da177e4 4008
cb3b3152
JH		 4009 if (cmd_len < sizeof(*req))
4010 return -EPROTO;
4011
1da177e4
LT		 4012 dcid = __le16_to_cpu(req->dcid);
4013 flags = __le16_to_cpu(req->flags);
4014
4015 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4016
baa7e1fa 4017 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4018 if (!chan) {
4019 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4020 return 0;
4021 }
1da177e4 4022
033b1142 4023 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4024 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4025 chan->dcid);
354f60a9 4026 goto unlock;
df6bd743 4027 }
354f60a9 4028
5dee9e7c 4029 /* Reject if config buffer is too small. */
88219a0f 4030 len = cmd_len - sizeof(*req);
cb3b3152 4031 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4032 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4033 l2cap_build_conf_rsp(chan, rsp,
4034 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4035 goto unlock;
4036 }
4037
4038 /* Store config. */
73ffa904
GP		 4039 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4040 chan->conf_len += len;
1da177e4 4041
59e54bd1 4042 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4043 /* Incomplete config. Send empty response. */
4044 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4045 l2cap_build_conf_rsp(chan, rsp,
4046 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4047 goto unlock;
4048 }
4049
4050 /* Complete config. */
73ffa904 4051 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4052 if (len < 0) {
5e4e3972 4053 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4054 goto unlock;
f2fcfcd6 4055 }
1da177e4 4056
1500109b 4057 chan->ident = cmd->ident;
5dee9e7c 4058 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4059 chan->num_conf_rsp++;
5dee9e7c 4060
5dee9e7c 4061 /* Reset config buffer. */
73ffa904 4062 chan->conf_len = 0;
5dee9e7c 4063
c1360a1c 4064 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4065 goto unlock;
4066
c1360a1c 4067 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4068 set_default_fcs(chan);
fcc203c3 4069
105bdf9e
MM		 4070 if (chan->mode == L2CAP_MODE_ERTM ||
4071 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4072 err = l2cap_ertm_init(chan);
4073
4074 if (err < 0)
5e4e3972 4075 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4076 else
4077 l2cap_chan_ready(chan);
0565c1c2 4078
876d9484
MH		 4079 goto unlock;
4080 }
4081
c1360a1c 4082 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4083 u8 buf[64];
1da177e4 4084 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4085 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4086 chan->num_conf_req++;
1da177e4
LT		 4087 }
4088
49c922bb 4089 /* Got Conf Rsp PENDING from remote side and assume we sent
0e8b207e
AE		 4090 Conf Rsp PENDING in the code above */
4091 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4092 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4093
4094 /* check compatibility */
4095
79de886d 4096 /* Send rsp for BR/EDR channel */
f351bc72 4097 if (!chan->hs_hcon)
79de886d
AE		 4098 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4099 else
4100 chan->ident = cmd->ident;
0e8b207e
AE		 4101 }
4102
1da177e4 4103unlock:
6be36555 4104 l2cap_chan_unlock(chan);
3c588192 4105 return err;
1da177e4
LT		 4106}
4107
2d792818 4108static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4109 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4110 u8 *data)
1da177e4
LT		 4111{
4112 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4113 u16 scid, flags, result;
48454079 4114 struct l2cap_chan *chan;
cb3b3152 4115 int len = cmd_len - sizeof(*rsp);
3c588192 4116 int err = 0;
1da177e4 4117
cb3b3152
JH		 4118 if (cmd_len < sizeof(*rsp))
4119 return -EPROTO;
4120
1da177e4
LT		 4121 scid = __le16_to_cpu(rsp->scid);
4122 flags = __le16_to_cpu(rsp->flags);
4123 result = __le16_to_cpu(rsp->result);
4124
61386cba
AE		 4125 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4126 result, len);
1da177e4 4127
baa7e1fa 4128 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4129 if (!chan)
1da177e4
LT		 4130 return 0;
4131
4132 switch (result) {
4133 case L2CAP_CONF_SUCCESS:
47d1ec61 4134 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4135 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4136 break;
4137
0e8b207e
AE		 4138 case L2CAP_CONF_PENDING:
4139 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4140
4141 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4142 char buf[64];
4143
4144 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4145 buf, &result);
0e8b207e 4146 if (len < 0) {
5e4e3972 4147 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4148 goto done;
4149 }
4150
f351bc72 4151 if (!chan->hs_hcon) {
79de886d
AE		 4152 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4153 0);
5ce66b59
AE		 4154 } else {
4155 if (l2cap_check_efs(chan)) {
4156 amp_create_logical_link(chan);
4157 chan->ident = cmd->ident;
4158 }
4159 }
0e8b207e
AE		 4160 }
4161 goto done;
4162
1da177e4 4163 case L2CAP_CONF_UNACCEPT:
73ffa904 4164 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4165 char req[64];
4166
c2c77ec8 4167 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4168 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4169 goto done;
4170 }
4171
f2fcfcd6
GP		 4172 /* throw out any old stored conf requests */
4173 result = L2CAP_CONF_SUCCESS;
b4450035 4174 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4175 req, &result);
f2fcfcd6 4176 if (len < 0) {
5e4e3972 4177 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4178 goto done;
4179 }
4180
4181 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4182 L2CAP_CONF_REQ, len, req);
73ffa904 4183 chan->num_conf_req++;
f2fcfcd6
GP		 4184 if (result != L2CAP_CONF_SUCCESS)
4185 goto done;
4186 break;
1da177e4
LT		 4187 }
4188
8e87d142 4189 default:
6be36555 4190 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4191
ba13ccd9 4192 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4193 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4194 goto done;
4195 }
4196
59e54bd1 4197 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4198 goto done;
4199
c1360a1c 4200 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4201
c1360a1c 4202 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4203 set_default_fcs(chan);
fcc203c3 4204
105bdf9e
MM		 4205 if (chan->mode == L2CAP_MODE_ERTM ||
4206 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4207 err = l2cap_ertm_init(chan);
0565c1c2 4208
3c588192 4209 if (err < 0)
5e4e3972 4210 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4211 else
4212 l2cap_chan_ready(chan);
1da177e4
LT		 4213 }
4214
4215done:
6be36555 4216 l2cap_chan_unlock(chan);
3c588192 4217 return err;
1da177e4
LT		 4218}
4219
2d792818 4220static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4221 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4222 u8 *data)
1da177e4
LT		 4223{
4224 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4225 struct l2cap_disconn_rsp rsp;
4226 u16 dcid, scid;
48454079 4227 struct l2cap_chan *chan;
1da177e4 4228
cb3b3152
JH		 4229 if (cmd_len != sizeof(*req))
4230 return -EPROTO;
4231
1da177e4
LT		 4232 scid = __le16_to_cpu(req->scid);
4233 dcid = __le16_to_cpu(req->dcid);
4234
4235 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4236
3df91ea2
AE		 4237 mutex_lock(&conn->chan_lock);
4238
4239 chan = __l2cap_get_chan_by_scid(conn, dcid);
4240 if (!chan) {
4241 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4242 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4243 return 0;
3df91ea2 4244 }
1da177e4 4245
6be36555
AE		 4246 l2cap_chan_lock(chan);
4247
fe4128e0
GP		 4248 rsp.dcid = cpu_to_le16(chan->scid);
4249 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4250 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4251
5ec1bbe5 4252 chan->ops->set_shutdown(chan);
1da177e4 4253
61d6ef3e 4254 l2cap_chan_hold(chan);
48454079 4255 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4256
4257 l2cap_chan_unlock(chan);
1da177e4 4258
80b98027 4259 chan->ops->close(chan);
61d6ef3e 4260 l2cap_chan_put(chan);
3df91ea2
AE		 4261
4262 mutex_unlock(&conn->chan_lock);
4263
1da177e4
LT		 4264 return 0;
4265}
4266
2d792818 4267static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4268 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4269 u8 *data)
1da177e4
LT		 4270{
4271 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4272 u16 dcid, scid;
48454079 4273 struct l2cap_chan *chan;
1da177e4 4274
cb3b3152
JH		 4275 if (cmd_len != sizeof(*rsp))
4276 return -EPROTO;
4277
1da177e4
LT		 4278 scid = __le16_to_cpu(rsp->scid);
4279 dcid = __le16_to_cpu(rsp->dcid);
4280
4281 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4282
3df91ea2
AE		 4283 mutex_lock(&conn->chan_lock);
4284
4285 chan = __l2cap_get_chan_by_scid(conn, scid);
4286 if (!chan) {
4287 mutex_unlock(&conn->chan_lock);
1da177e4 4288 return 0;
3df91ea2 4289 }
1da177e4 4290
6be36555 4291 l2cap_chan_lock(chan);
48454079 4292
61d6ef3e 4293 l2cap_chan_hold(chan);
48454079 4294 l2cap_chan_del(chan, 0);
6be36555
AE		 4295
4296 l2cap_chan_unlock(chan);
1da177e4 4297
80b98027 4298 chan->ops->close(chan);
61d6ef3e 4299 l2cap_chan_put(chan);
3df91ea2
AE		 4300
4301 mutex_unlock(&conn->chan_lock);
4302
1da177e4
LT		 4303 return 0;
4304}
4305
2d792818 4306static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4307 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4308 u8 *data)
1da177e4
LT		 4309{
4310 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4311 u16 type;
4312
cb3b3152
JH		 4313 if (cmd_len != sizeof(*req))
4314 return -EPROTO;
4315
1da177e4
LT		 4316 type = __le16_to_cpu(req->type);
4317
4318 BT_DBG("type 0x%4.4x", type);
4319
f0709e03
MH		 4320 if (type == L2CAP_IT_FEAT_MASK) {
4321 u8 buf[8];
44dd46de 4322 u32 feat_mask = l2cap_feat_mask;
f0709e03 4323 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4324 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4325 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4326 if (!disable_ertm)
fcc203c3 4327 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4328 | L2CAP_FEAT_FCS;
848566b3 4329 if (conn->hs_enabled)
6327eb98 4330 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4331 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4332
1b7bf4ed 4333 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4334 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4335 buf);
e1027a7c
MH		 4336 } else if (type == L2CAP_IT_FIXED_CHAN) {
4337 u8 buf[12];
4338 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4339
848566b3 4340 if (conn->hs_enabled)
50a147cd
MM		 4341 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4342 else
4343 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4344
dcf4adbf
JP		 4345 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4346 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4347 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4348 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4349 buf);
f0709e03
MH		 4350 } else {
4351 struct l2cap_info_rsp rsp;
4352 rsp.type = cpu_to_le16(type);
dcf4adbf 4353 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4354 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4355 &rsp);
f0709e03 4356 }
1da177e4
LT		 4357
4358 return 0;
4359}
4360
2d792818 4361static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4362 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4363 u8 *data)
1da177e4
LT		 4364{
4365 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4366 u16 type, result;
4367
3f6fa3d4 4368 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4369 return -EPROTO;
4370
1da177e4
LT		 4371 type = __le16_to_cpu(rsp->type);
4372 result = __le16_to_cpu(rsp->result);
4373
4374 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4375
e90165be
AE		 4376 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4377 if (cmd->ident != conn->info_ident ||
2d792818 4378 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4379 return 0;
4380
17cd3f37 4381 cancel_delayed_work(&conn->info_timer);
4e8402a3 4382
adb08ede
VT		 4383 if (result != L2CAP_IR_SUCCESS) {
4384 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4385 conn->info_ident = 0;
4386
4387 l2cap_conn_start(conn);
4388
4389 return 0;
4390 }
4391
978c93b9
AE		 4392 switch (type) {
4393 case L2CAP_IT_FEAT_MASK:
83985319 4394 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4395
47ec1dcd 4396 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4397 struct l2cap_info_req req;
dcf4adbf 4398 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4399
4400 conn->info_ident = l2cap_get_ident(conn);
4401
4402 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4403 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4404 } else {
4405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4406 conn->info_ident = 0;
4407
4408 l2cap_conn_start(conn);
4409 }
978c93b9
AE		 4410 break;
4411
4412 case L2CAP_IT_FIXED_CHAN:
4413 conn->fixed_chan_mask = rsp->data[0];
984947dc 4414 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4415 conn->info_ident = 0;
984947dc
MH		 4416
4417 l2cap_conn_start(conn);
978c93b9 4418 break;
984947dc 4419 }
4e8402a3 4420
1da177e4
LT		 4421 return 0;
4422}
4423
1700915f
MM		 4424static int l2cap_create_channel_req(struct l2cap_conn *conn,
4425 struct l2cap_cmd_hdr *cmd,
4426 u16 cmd_len, void *data)
f94ff6ff
MM		 4427{
4428 struct l2cap_create_chan_req *req = data;
6e1df6a6 4429 struct l2cap_create_chan_rsp rsp;
1700915f 4430 struct l2cap_chan *chan;
6e1df6a6 4431 struct hci_dev *hdev;
f94ff6ff
MM		 4432 u16 psm, scid;
4433
4434 if (cmd_len != sizeof(*req))
4435 return -EPROTO;
4436
848566b3 4437 if (!conn->hs_enabled)
f94ff6ff
MM		 4438 return -EINVAL;
4439
4440 psm = le16_to_cpu(req->psm);
4441 scid = le16_to_cpu(req->scid);
4442
ad0ac6ca 4443 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4444
6e1df6a6 4445 /* For controller id 0 make BR/EDR connection */
6ed971ca 4446 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4447 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4448 req->amp_id);
4449 return 0;
4450 }
1700915f 4451
6e1df6a6
AE		 4452 /* Validate AMP controller id */
4453 hdev = hci_dev_get(req->amp_id);
4454 if (!hdev)
4455 goto error;
1700915f 4456
6e1df6a6
AE		 4457 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4458 hci_dev_put(hdev);
4459 goto error;
4460 }
1700915f 4461
6e1df6a6
AE		 4462 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4463 req->amp_id);
4464 if (chan) {
4465 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4466 struct hci_conn *hs_hcon;
1700915f 4467
98e0f7ea
MH		 4468 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4469 &conn->hcon->dst);
6e1df6a6
AE		 4470 if (!hs_hcon) {
4471 hci_dev_put(hdev);
662d652d
JH		 4472 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4473 chan->dcid);
4474 return 0;
1700915f
MM		 4475 }
4476
6e1df6a6
AE		 4477 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4478
6e1df6a6
AE		 4479 mgr->bredr_chan = chan;
4480 chan->hs_hcon = hs_hcon;
fd45bf4c 4481 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4482 conn->mtu = hdev->block_mtu;
1700915f 4483 }
f94ff6ff 4484
6e1df6a6 4485 hci_dev_put(hdev);
f94ff6ff
MM		 4486
4487 return 0;
6e1df6a6
AE		 4488
4489error:
4490 rsp.dcid = 0;
4491 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4492 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4493 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4494
4495 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4496 sizeof(rsp), &rsp);
4497
dc280801 4498 return 0;
f94ff6ff
MM		 4499}
4500
8eb200bd
MM		 4501static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4502{
4503 struct l2cap_move_chan_req req;
4504 u8 ident;
4505
4506 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4507
4508 ident = l2cap_get_ident(chan->conn);
4509 chan->ident = ident;
4510
4511 req.icid = cpu_to_le16(chan->scid);
4512 req.dest_amp_id = dest_amp_id;
4513
4514 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4515 &req);
4516
4517 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4518}
4519
1500109b 4520static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4521{
4522 struct l2cap_move_chan_rsp rsp;
4523
1500109b 4524 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4525
1500109b 4526 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4527 rsp.result = cpu_to_le16(result);
4528
1500109b
MM		 4529 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4530 sizeof(rsp), &rsp);
8d5a04a1
MM		 4531}
4532
5b155ef9 4533static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4534{
4535 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4536
5b155ef9 4537 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4538
5b155ef9 4539 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4540
5b155ef9 4541 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4542 cfm.result = cpu_to_le16(result);
4543
5b155ef9
MM		 4544 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4545 sizeof(cfm), &cfm);
4546
4547 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4548}
4549
4550static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4551{
4552 struct l2cap_move_chan_cfm cfm;
4553
4554 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4555
4556 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4557 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4558
4559 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4560 sizeof(cfm), &cfm);
8d5a04a1
MM		 4561}
4562
4563static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4564 u16 icid)
8d5a04a1
MM		 4565{
4566 struct l2cap_move_chan_cfm_rsp rsp;
4567
ad0ac6ca 4568 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4569
4570 rsp.icid = cpu_to_le16(icid);
4571 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4572}
4573
5f3847a4
MM		 4574static void __release_logical_link(struct l2cap_chan *chan)
4575{
4576 chan->hs_hchan = NULL;
4577 chan->hs_hcon = NULL;
4578
4579 /* Placeholder - release the logical link */
4580}
4581
1500109b
MM		 4582static void l2cap_logical_fail(struct l2cap_chan *chan)
4583{
4584 /* Logical link setup failed */
4585 if (chan->state != BT_CONNECTED) {
4586 /* Create channel failure, disconnect */
5e4e3972 4587 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4588 return;
4589 }
4590
4591 switch (chan->move_role) {
4592 case L2CAP_MOVE_ROLE_RESPONDER:
4593 l2cap_move_done(chan);
4594 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4595 break;
4596 case L2CAP_MOVE_ROLE_INITIATOR:
4597 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4598 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4599 /* Remote has only sent pending or
4600 * success responses, clean up
4601 */
4602 l2cap_move_done(chan);
4603 }
4604
4605 /* Other amp move states imply that the move
4606 * has already aborted
4607 */
4608 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4609 break;
4610 }
4611}
4612
4613static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4614 struct hci_chan *hchan)
4615{
4616 struct l2cap_conf_rsp rsp;
1500109b 4617
336178a3 4618 chan->hs_hchan = hchan;
1500109b
MM		 4619 chan->hs_hcon->l2cap_data = chan->conn;
4620
35ba9561 4621 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4622
4623 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4624 int err;
1500109b
MM		 4625
4626 set_default_fcs(chan);
4627
4628 err = l2cap_ertm_init(chan);
4629 if (err < 0)
5e4e3972 4630 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4631 else
4632 l2cap_chan_ready(chan);
4633 }
4634}
4635
4636static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4637 struct hci_chan *hchan)
4638{
4639 chan->hs_hcon = hchan->conn;
4640 chan->hs_hcon->l2cap_data = chan->conn;
4641
4642 BT_DBG("move_state %d", chan->move_state);
4643
4644 switch (chan->move_state) {
4645 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4646 /* Move confirm will be sent after a success
4647 * response is received
4648 */
4649 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4650 break;
4651 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4652 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4653 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4654 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4655 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4656 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4657 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4658 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4659 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4660 }
4661 break;
4662 default:
4663 /* Move was not in expected state, free the channel */
4664 __release_logical_link(chan);
4665
4666 chan->move_state = L2CAP_MOVE_STABLE;
4667 }
4668}
4669
4670/* Call with chan locked */
27695fb4
AE		 4671void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4672 u8 status)
5b155ef9 4673{
1500109b
MM		 4674 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4675
4676 if (status) {
4677 l2cap_logical_fail(chan);
4678 __release_logical_link(chan);
4679 return;
4680 }
4681
4682 if (chan->state != BT_CONNECTED) {
4683 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4684 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4685 l2cap_logical_finish_create(chan, hchan);
4686 } else {
4687 l2cap_logical_finish_move(chan, hchan);
4688 }
5b155ef9
MM		 4689}
4690
3f7a56c4
MM		 4691void l2cap_move_start(struct l2cap_chan *chan)
4692{
4693 BT_DBG("chan %p", chan);
4694
6ed971ca 4695 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4696 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4697 return;
4698 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4699 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4700 /* Placeholder - start physical link setup */
4701 } else {
4702 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4703 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4704 chan->move_id = 0;
4705 l2cap_move_setup(chan);
4706 l2cap_send_move_chan_req(chan, 0);
4707 }
4708}
4709
8eb200bd
MM		 4710static void l2cap_do_create(struct l2cap_chan *chan, int result,
4711 u8 local_amp_id, u8 remote_amp_id)
4712{
62748ca1
AE		 4713 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4714 local_amp_id, remote_amp_id);
4715
12d6cc60
AE		 4716 chan->fcs = L2CAP_FCS_NONE;
4717
62748ca1
AE		 4718 /* Outgoing channel on AMP */
4719 if (chan->state == BT_CONNECT) {
4720 if (result == L2CAP_CR_SUCCESS) {
4721 chan->local_amp_id = local_amp_id;
4722 l2cap_send_create_chan_req(chan, remote_amp_id);
4723 } else {
4724 /* Revert to BR/EDR connect */
4725 l2cap_send_conn_req(chan);
4726 }
4727
4728 return;
4729 }
4730
4731 /* Incoming channel on AMP */
4732 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4733 struct l2cap_conn_rsp rsp;
4734 char buf[128];
4735 rsp.scid = cpu_to_le16(chan->dcid);
4736 rsp.dcid = cpu_to_le16(chan->scid);
4737
8eb200bd
MM		 4738 if (result == L2CAP_CR_SUCCESS) {
4739 /* Send successful response */
dcf4adbf
JP		 4740 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4741 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4742 } else {
4743 /* Send negative response */
dcf4adbf
JP		 4744 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4745 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4746 }
4747
4748 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4749 sizeof(rsp), &rsp);
4750
4751 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4752 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4753 set_bit(CONF_REQ_SENT, &chan->conf_state);
4754 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4755 L2CAP_CONF_REQ,
4756 l2cap_build_conf_req(chan, buf), buf);
4757 chan->num_conf_req++;
4758 }
8eb200bd
MM		 4759 }
4760}
4761
4762static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4763 u8 remote_amp_id)
4764{
4765 l2cap_move_setup(chan);
4766 chan->move_id = local_amp_id;
4767 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4768
4769 l2cap_send_move_chan_req(chan, remote_amp_id);
4770}
4771
4772static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4773{
4774 struct hci_chan *hchan = NULL;
4775
4776 /* Placeholder - get hci_chan for logical link */
4777
4778 if (hchan) {
4779 if (hchan->state == BT_CONNECTED) {
4780 /* Logical link is ready to go */
4781 chan->hs_hcon = hchan->conn;
4782 chan->hs_hcon->l2cap_data = chan->conn;
4783 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4784 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4785
4786 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4787 } else {
4788 /* Wait for logical link to be ready */
4789 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4790 }
4791 } else {
4792 /* Logical link not available */
4793 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4794 }
4795}
4796
4797static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4798{
4799 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4800 u8 rsp_result;
4801 if (result == -EINVAL)
4802 rsp_result = L2CAP_MR_BAD_ID;
4803 else
4804 rsp_result = L2CAP_MR_NOT_ALLOWED;
4805
4806 l2cap_send_move_chan_rsp(chan, rsp_result);
4807 }
4808
4809 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4810 chan->move_state = L2CAP_MOVE_STABLE;
4811
4812 /* Restart data transmission */
4813 l2cap_ertm_send(chan);
4814}
4815
a514b17f
AE		 4816/* Invoke with locked chan */
4817void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4818{
770bfefa 4819 u8 local_amp_id = chan->local_amp_id;
fffadc08 4820 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4821
8eb200bd
MM		 4822 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4823 chan, result, local_amp_id, remote_amp_id);
4824
8eb200bd
MM		 4825 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4826 l2cap_chan_unlock(chan);
4827 return;
4828 }
4829
4830 if (chan->state != BT_CONNECTED) {
4831 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4832 } else if (result != L2CAP_MR_SUCCESS) {
4833 l2cap_do_move_cancel(chan, result);
4834 } else {
4835 switch (chan->move_role) {
4836 case L2CAP_MOVE_ROLE_INITIATOR:
4837 l2cap_do_move_initiate(chan, local_amp_id,
4838 remote_amp_id);
4839 break;
4840 case L2CAP_MOVE_ROLE_RESPONDER:
4841 l2cap_do_move_respond(chan, result);
4842 break;
4843 default:
4844 l2cap_do_move_cancel(chan, result);
4845 break;
4846 }
4847 }
8eb200bd
MM		 4848}
4849
8d5a04a1 4850static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4851 struct l2cap_cmd_hdr *cmd,
4852 u16 cmd_len, void *data)
8d5a04a1
MM		 4853{
4854 struct l2cap_move_chan_req *req = data;
1500109b 4855 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4856 struct l2cap_chan *chan;
8d5a04a1
MM		 4857 u16 icid = 0;
4858 u16 result = L2CAP_MR_NOT_ALLOWED;
4859
4860 if (cmd_len != sizeof(*req))
4861 return -EPROTO;
4862
4863 icid = le16_to_cpu(req->icid);
4864
ad0ac6ca 4865 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4866
848566b3 4867 if (!conn->hs_enabled)
8d5a04a1
MM		 4868 return -EINVAL;
4869
02b0fbb9
MM		 4870 chan = l2cap_get_chan_by_dcid(conn, icid);
4871 if (!chan) {
1500109b 4872 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4873 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4874 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4875 sizeof(rsp), &rsp);
02b0fbb9
MM		 4876 return 0;
4877 }
4878
1500109b
MM		 4879 chan->ident = cmd->ident;
4880
02b0fbb9
MM		 4881 if (chan->scid < L2CAP_CID_DYN_START ||
4882 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4883 (chan->mode != L2CAP_MODE_ERTM &&
4884 chan->mode != L2CAP_MODE_STREAMING)) {
4885 result = L2CAP_MR_NOT_ALLOWED;
4886 goto send_move_response;
4887 }
4888
4889 if (chan->local_amp_id == req->dest_amp_id) {
4890 result = L2CAP_MR_SAME_ID;
4891 goto send_move_response;
4892 }
4893
6ed971ca 4894 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4895 struct hci_dev *hdev;
4896 hdev = hci_dev_get(req->dest_amp_id);
4897 if (!hdev || hdev->dev_type != HCI_AMP ||
4898 !test_bit(HCI_UP, &hdev->flags)) {
4899 if (hdev)
4900 hci_dev_put(hdev);
4901
4902 result = L2CAP_MR_BAD_ID;
4903 goto send_move_response;
4904 }
4905 hci_dev_put(hdev);
4906 }
4907
4908 /* Detect a move collision. Only send a collision response
4909 * if this side has "lost", otherwise proceed with the move.
4910 * The winner has the larger bd_addr.
4911 */
4912 if ((__chan_is_moving(chan) ||
4913 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4914 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4915 result = L2CAP_MR_COLLISION;
4916 goto send_move_response;
4917 }
4918
02b0fbb9
MM		 4919 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4920 l2cap_move_setup(chan);
4921 chan->move_id = req->dest_amp_id;
4922 icid = chan->dcid;
4923
6ed971ca 4924 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4925 /* Moving to BR/EDR */
4926 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4927 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4928 result = L2CAP_MR_PEND;
4929 } else {
4930 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4931 result = L2CAP_MR_SUCCESS;
4932 }
4933 } else {
4934 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4935 /* Placeholder - uncomment when amp functions are available */
4936 /*amp_accept_physical(chan, req->dest_amp_id);*/
4937 result = L2CAP_MR_PEND;
4938 }
4939
4940send_move_response:
1500109b 4941 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4942
02b0fbb9
MM		 4943 l2cap_chan_unlock(chan);
4944
8d5a04a1
MM		 4945 return 0;
4946}
4947
5b155ef9
MM		 4948static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4949{
4950 struct l2cap_chan *chan;
4951 struct hci_chan *hchan = NULL;
4952
4953 chan = l2cap_get_chan_by_scid(conn, icid);
4954 if (!chan) {
4955 l2cap_send_move_chan_cfm_icid(conn, icid);
4956 return;
4957 }
4958
4959 __clear_chan_timer(chan);
4960 if (result == L2CAP_MR_PEND)
4961 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4962
4963 switch (chan->move_state) {
4964 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4965 /* Move confirm will be sent when logical link
4966 * is complete.
4967 */
4968 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4969 break;
4970 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4971 if (result == L2CAP_MR_PEND) {
4972 break;
4973 } else if (test_bit(CONN_LOCAL_BUSY,
4974 &chan->conn_state)) {
4975 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4976 } else {
4977 /* Logical link is up or moving to BR/EDR,
4978 * proceed with move
4979 */
4980 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4981 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4982 }
4983 break;
4984 case L2CAP_MOVE_WAIT_RSP:
4985 /* Moving to AMP */
4986 if (result == L2CAP_MR_SUCCESS) {
4987 /* Remote is ready, send confirm immediately
4988 * after logical link is ready
4989 */
4990 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4991 } else {
4992 /* Both logical link and move success
4993 * are required to confirm
4994 */
4995 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4996 }
4997
4998 /* Placeholder - get hci_chan for logical link */
4999 if (!hchan) {
5000 /* Logical link not available */
5001 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5002 break;
5003 }
5004
5005 /* If the logical link is not yet connected, do not
5006 * send confirmation.
5007 */
5008 if (hchan->state != BT_CONNECTED)
5009 break;
5010
5011 /* Logical link is already ready to go */
5012
5013 chan->hs_hcon = hchan->conn;
5014 chan->hs_hcon->l2cap_data = chan->conn;
5015
5016 if (result == L2CAP_MR_SUCCESS) {
5017 /* Can confirm now */
5018 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5019 } else {
5020 /* Now only need move success
5021 * to confirm
5022 */
5023 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5024 }
5025
5026 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5027 break;
5028 default:
5029 /* Any other amp move state means the move failed. */
5030 chan->move_id = chan->local_amp_id;
5031 l2cap_move_done(chan);
5032 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5033 }
5034
5035 l2cap_chan_unlock(chan);
5036}
5037
5038static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5039 u16 result)
5040{
5041 struct l2cap_chan *chan;
5042
5043 chan = l2cap_get_chan_by_ident(conn, ident);
5044 if (!chan) {
5045 /* Could not locate channel, icid is best guess */
5046 l2cap_send_move_chan_cfm_icid(conn, icid);
5047 return;
5048 }
5049
5050 __clear_chan_timer(chan);
5051
5052 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5053 if (result == L2CAP_MR_COLLISION) {
5054 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5055 } else {
5056 /* Cleanup - cancel move */
5057 chan->move_id = chan->local_amp_id;
5058 l2cap_move_done(chan);
5059 }
5060 }
5061
5062 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5063
5064 l2cap_chan_unlock(chan);
5065}
5066
5067static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5068 struct l2cap_cmd_hdr *cmd,
5069 u16 cmd_len, void *data)
8d5a04a1
MM		 5070{
5071 struct l2cap_move_chan_rsp *rsp = data;
5072 u16 icid, result;
5073
5074 if (cmd_len != sizeof(*rsp))
5075 return -EPROTO;
5076
5077 icid = le16_to_cpu(rsp->icid);
5078 result = le16_to_cpu(rsp->result);
5079
ad0ac6ca 5080 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5081
5b155ef9
MM		 5082 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5083 l2cap_move_continue(conn, icid, result);
5084 else
5085 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5086
5087 return 0;
5088}
5089
5f3847a4
MM		 5090static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5091 struct l2cap_cmd_hdr *cmd,
5092 u16 cmd_len, void *data)
8d5a04a1
MM		 5093{
5094 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5095 struct l2cap_chan *chan;
8d5a04a1
MM		 5096 u16 icid, result;
5097
5098 if (cmd_len != sizeof(*cfm))
5099 return -EPROTO;
5100
5101 icid = le16_to_cpu(cfm->icid);
5102 result = le16_to_cpu(cfm->result);
5103
ad0ac6ca 5104 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5105
5f3847a4
MM		 5106 chan = l2cap_get_chan_by_dcid(conn, icid);
5107 if (!chan) {
5108 /* Spec requires a response even if the icid was not found */
5109 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5110 return 0;
5111 }
5112
5113 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5114 if (result == L2CAP_MC_CONFIRMED) {
5115 chan->local_amp_id = chan->move_id;
6ed971ca 5116 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5117 __release_logical_link(chan);
5118 } else {
5119 chan->move_id = chan->local_amp_id;
5120 }
5121
5122 l2cap_move_done(chan);
5123 }
5124
8d5a04a1
MM		 5125 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5126
5f3847a4
MM		 5127 l2cap_chan_unlock(chan);
5128
8d5a04a1
MM		 5129 return 0;
5130}
5131
5132static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5133 struct l2cap_cmd_hdr *cmd,
5134 u16 cmd_len, void *data)
8d5a04a1
MM		 5135{
5136 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5137 struct l2cap_chan *chan;
8d5a04a1
MM		 5138 u16 icid;
5139
5140 if (cmd_len != sizeof(*rsp))
5141 return -EPROTO;
5142
5143 icid = le16_to_cpu(rsp->icid);
5144
ad0ac6ca 5145 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5146
3fd71a0a
MM		 5147 chan = l2cap_get_chan_by_scid(conn, icid);
5148 if (!chan)
5149 return 0;
5150
5151 __clear_chan_timer(chan);
5152
5153 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5154 chan->local_amp_id = chan->move_id;
5155
6ed971ca 5156 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5157 __release_logical_link(chan);
5158
5159 l2cap_move_done(chan);
5160 }
5161
5162 l2cap_chan_unlock(chan);
5163
8d5a04a1
MM		 5164 return 0;
5165}
5166
de73115a 5167static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5168 struct l2cap_cmd_hdr *cmd,
203e639e 5169 u16 cmd_len, u8 *data)
de73115a
CT		 5170{
5171 struct hci_conn *hcon = conn->hcon;
5172 struct l2cap_conn_param_update_req *req;
5173 struct l2cap_conn_param_update_rsp rsp;
203e639e 5174 u16 min, max, latency, to_multiplier;
2ce603eb 5175 int err;
de73115a 5176
40bef302 5177 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5178 return -EINVAL;
5179
de73115a
CT		 5180 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5181 return -EPROTO;
5182
5183 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5184 min = __le16_to_cpu(req->min);
5185 max = __le16_to_cpu(req->max);
de73115a
CT		 5186 latency = __le16_to_cpu(req->latency);
5187 to_multiplier = __le16_to_cpu(req->to_multiplier);
5188
5189 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5190 min, max, latency, to_multiplier);
de73115a
CT		 5191
5192 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5193
d4905f24 5194 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5195 if (err)
dcf4adbf 5196 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5197 else
dcf4adbf 5198 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5199
5200 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5201 sizeof(rsp), &rsp);
de73115a 5202
ffb5a827 5203 if (!err) {
f4869e2a
JH		 5204 u8 store_hint;
5205
5206 store_hint = hci_le_conn_update(hcon, min, max, latency,
5207 to_multiplier);
ffb5a827 5208 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5209 store_hint, min, max, latency,
5210 to_multiplier);
ffb5a827 5211
ffb5a827 5212 }
2ce603eb 5213
de73115a
CT		 5214 return 0;
5215}
5216
f1496dee
JH		 5217static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5218 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5219 u8 *data)
5220{
5221 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
3e64b7bd 5222 struct hci_conn *hcon = conn->hcon;
f1496dee
JH		 5223 u16 dcid, mtu, mps, credits, result;
5224 struct l2cap_chan *chan;
3e64b7bd 5225 int err, sec_level;
f1496dee
JH		 5226
5227 if (cmd_len < sizeof(*rsp))
5228 return -EPROTO;
5229
5230 dcid = __le16_to_cpu(rsp->dcid);
5231 mtu = __le16_to_cpu(rsp->mtu);
5232 mps = __le16_to_cpu(rsp->mps);
5233 credits = __le16_to_cpu(rsp->credits);
5234 result = __le16_to_cpu(rsp->result);
5235
5236 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5237 return -EPROTO;
5238
5239 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5240 dcid, mtu, mps, credits, result);
5241
5242 mutex_lock(&conn->chan_lock);
5243
5244 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5245 if (!chan) {
5246 err = -EBADSLT;
5247 goto unlock;
5248 }
5249
5250 err = 0;
5251
5252 l2cap_chan_lock(chan);
5253
5254 switch (result) {
5255 case L2CAP_CR_SUCCESS:
5256 chan->ident = 0;
5257 chan->dcid = dcid;
5258 chan->omtu = mtu;
5259 chan->remote_mps = mps;
0cd75f7e 5260 chan->tx_credits = credits;
f1496dee
JH		 5261 l2cap_chan_ready(chan);
5262 break;
5263
3e64b7bd
JH		 5264 case L2CAP_CR_AUTHENTICATION:
5265 case L2CAP_CR_ENCRYPTION:
5266 /* If we already have MITM protection we can't do
5267 * anything.
5268 */
5269 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5270 l2cap_chan_del(chan, ECONNREFUSED);
5271 break;
5272 }
5273
5274 sec_level = hcon->sec_level + 1;
5275 if (chan->sec_level < sec_level)
5276 chan->sec_level = sec_level;
5277
5278 /* We'll need to send a new Connect Request */
5279 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5280
5281 smp_conn_security(hcon, chan->sec_level);
5282 break;
5283
f1496dee
JH		 5284 default:
5285 l2cap_chan_del(chan, ECONNREFUSED);
5286 break;
5287 }
5288
5289 l2cap_chan_unlock(chan);
5290
5291unlock:
5292 mutex_unlock(&conn->chan_lock);
5293
5294 return err;
5295}
5296
3300d9a9 5297static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5298 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5299 u8 *data)
3300d9a9
CT		 5300{
5301 int err = 0;
5302
5303 switch (cmd->code) {
5304 case L2CAP_COMMAND_REJ:
cb3b3152 5305 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5306 break;
5307
5308 case L2CAP_CONN_REQ:
cb3b3152 5309 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5310 break;
5311
5312 case L2CAP_CONN_RSP:
f5a2598d 5313 case L2CAP_CREATE_CHAN_RSP:
9245e737 5314 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5315 break;
5316
5317 case L2CAP_CONF_REQ:
5318 err = l2cap_config_req(conn, cmd, cmd_len, data);
5319 break;
5320
5321 case L2CAP_CONF_RSP:
9245e737 5322 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5323 break;
5324
5325 case L2CAP_DISCONN_REQ:
cb3b3152 5326 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5327 break;
5328
5329 case L2CAP_DISCONN_RSP:
9245e737 5330 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5331 break;
5332
5333 case L2CAP_ECHO_REQ:
5334 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5335 break;
5336
5337 case L2CAP_ECHO_RSP:
5338 break;
5339
5340 case L2CAP_INFO_REQ:
cb3b3152 5341 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5342 break;
5343
5344 case L2CAP_INFO_RSP:
9245e737 5345 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5346 break;
5347
f94ff6ff
MM		 5348 case L2CAP_CREATE_CHAN_REQ:
5349 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5350 break;
5351
8d5a04a1
MM		 5352 case L2CAP_MOVE_CHAN_REQ:
5353 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5354 break;
5355
5356 case L2CAP_MOVE_CHAN_RSP:
9245e737 5357 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5358 break;
5359
5360 case L2CAP_MOVE_CHAN_CFM:
5361 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5362 break;
5363
5364 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5365 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5366 break;
5367
3300d9a9
CT		 5368 default:
5369 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5370 err = -EINVAL;
5371 break;
5372 }
5373
5374 return err;
5375}
5376
27e2d4c8
JH		 5377static int l2cap_le_connect_req(struct l2cap_conn *conn,
5378 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5379 u8 *data)
5380{
5381 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5382 struct l2cap_le_conn_rsp rsp;
5383 struct l2cap_chan *chan, *pchan;
0cd75f7e 5384 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5385 __le16 psm;
5386 u8 result;
5387
5388 if (cmd_len != sizeof(*req))
5389 return -EPROTO;
5390
5391 scid = __le16_to_cpu(req->scid);
5392 mtu = __le16_to_cpu(req->mtu);
5393 mps = __le16_to_cpu(req->mps);
5394 psm = req->psm;
5395 dcid = 0;
0cd75f7e 5396 credits = 0;
27e2d4c8
JH		 5397
5398 if (mtu < 23 || mps < 23)
5399 return -EPROTO;
5400
5401 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5402 scid, mtu, mps);
5403
5404 /* Check if we have socket listening on psm */
5405 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5406 &conn->hcon->dst, LE_LINK);
5407 if (!pchan) {
5408 result = L2CAP_CR_BAD_PSM;
5409 chan = NULL;
5410 goto response;
5411 }
5412
5413 mutex_lock(&conn->chan_lock);
5414 l2cap_chan_lock(pchan);
5415
35dc6f83
JH		 5416 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5417 SMP_ALLOW_STK)) {
27e2d4c8
JH		 5418 result = L2CAP_CR_AUTHENTICATION;
5419 chan = NULL;
5420 goto response_unlock;
5421 }
5422
5423 /* Check if we already have channel with that dcid */
5424 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5425 result = L2CAP_CR_NO_MEM;
5426 chan = NULL;
5427 goto response_unlock;
5428 }
5429
5430 chan = pchan->ops->new_connection(pchan);
5431 if (!chan) {
5432 result = L2CAP_CR_NO_MEM;
5433 goto response_unlock;
5434 }
5435
0ce43ce6
JH		 5436 l2cap_le_flowctl_init(chan);
5437
27e2d4c8
JH		 5438 bacpy(&chan->src, &conn->hcon->src);
5439 bacpy(&chan->dst, &conn->hcon->dst);
5440 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5441 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5442 chan->psm = psm;
5443 chan->dcid = scid;
5444 chan->omtu = mtu;
5445 chan->remote_mps = mps;
0cd75f7e 5446 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5447
5448 __l2cap_chan_add(conn, chan);
5449 dcid = chan->scid;
0cd75f7e 5450 credits = chan->rx_credits;
27e2d4c8
JH		 5451
5452 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5453
5454 chan->ident = cmd->ident;
5455
5456 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5457 l2cap_state_change(chan, BT_CONNECT2);
434714dc
JH		 5458 /* The following result value is actually not defined
5459 * for LE CoC but we use it to let the function know
5460 * that it should bail out after doing its cleanup
5461 * instead of sending a response.
5462 */
27e2d4c8
JH		 5463 result = L2CAP_CR_PEND;
5464 chan->ops->defer(chan);
5465 } else {
5466 l2cap_chan_ready(chan);
5467 result = L2CAP_CR_SUCCESS;
5468 }
5469
5470response_unlock:
5471 l2cap_chan_unlock(pchan);
5472 mutex_unlock(&conn->chan_lock);
a24cce14 5473 l2cap_chan_put(pchan);
27e2d4c8
JH		 5474
5475 if (result == L2CAP_CR_PEND)
5476 return 0;
5477
5478response:
5479 if (chan) {
5480 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5481 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5482 } else {
5483 rsp.mtu = 0;
5484 rsp.mps = 0;
5485 }
5486
5487 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5488 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5489 rsp.result = cpu_to_le16(result);
5490
5491 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5492
5493 return 0;
5494}
5495
fad5fc89
JH		 5496static inline int l2cap_le_credits(struct l2cap_conn *conn,
5497 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5498 u8 *data)
5499{
5500 struct l2cap_le_credits *pkt;
5501 struct l2cap_chan *chan;
0f1bfe4e 5502 u16 cid, credits, max_credits;
fad5fc89
JH		 5503
5504 if (cmd_len != sizeof(*pkt))
5505 return -EPROTO;
5506
5507 pkt = (struct l2cap_le_credits *) data;
5508 cid = __le16_to_cpu(pkt->cid);
5509 credits = __le16_to_cpu(pkt->credits);
5510
5511 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5512
5513 chan = l2cap_get_chan_by_dcid(conn, cid);
5514 if (!chan)
5515 return -EBADSLT;
5516
0f1bfe4e
JH		 5517 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5518 if (credits > max_credits) {
5519 BT_ERR("LE credits overflow");
5520 l2cap_send_disconn_req(chan, ECONNRESET);
ee93053d 5521 l2cap_chan_unlock(chan);
0f1bfe4e
JH		 5522
5523 /* Return 0 so that we don't trigger an unnecessary
5524 * command reject packet.
5525 */
5526 return 0;
5527 }
5528
fad5fc89
JH		 5529 chan->tx_credits += credits;
5530
5531 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5532 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5533 chan->tx_credits--;
5534 }
5535
5536 if (chan->tx_credits)
5537 chan->ops->resume(chan);
5538
5539 l2cap_chan_unlock(chan);
5540
5541 return 0;
5542}
5543
71fb4197
JH		 5544static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5545 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5546 u8 *data)
5547{
5548 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5549 struct l2cap_chan *chan;
5550
5551 if (cmd_len < sizeof(*rej))
5552 return -EPROTO;
5553
5554 mutex_lock(&conn->chan_lock);
5555
5556 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5557 if (!chan)
5558 goto done;
5559
5560 l2cap_chan_lock(chan);
5561 l2cap_chan_del(chan, ECONNREFUSED);
5562 l2cap_chan_unlock(chan);
5563
5564done:
5565 mutex_unlock(&conn->chan_lock);
5566 return 0;
5567}
5568
3300d9a9 5569static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5570 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5571 u8 *data)
3300d9a9 5572{
b5ecba64
JH		 5573 int err = 0;
5574
3300d9a9
CT		 5575 switch (cmd->code) {
5576 case L2CAP_COMMAND_REJ:
71fb4197 5577 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5578 break;
3300d9a9
CT		 5579
5580 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5581 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5582 break;
3300d9a9
CT		 5583
5584 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5585 break;
3300d9a9 5586
f1496dee
JH		 5587 case L2CAP_LE_CONN_RSP:
5588 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5589 break;
f1496dee 5590
27e2d4c8 5591 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5592 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5593 break;
27e2d4c8 5594
fad5fc89
JH		 5595 case L2CAP_LE_CREDITS:
5596 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5597 break;
5598
3defe01a 5599 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5600 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5601 break;
3defe01a
JH		 5602
5603 case L2CAP_DISCONN_RSP:
5604 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5605 break;
3defe01a 5606
3300d9a9
CT		 5607 default:
5608 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5609 err = -EINVAL;
5610 break;
3300d9a9 5611 }
b5ecba64
JH		 5612
5613 return err;
3300d9a9
CT		 5614}
5615
c5623556
JH		 5616static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5617 struct sk_buff *skb)
5618{
69c4e4e8 5619 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5620 struct l2cap_cmd_hdr *cmd;
5621 u16 len;
c5623556
JH		 5622 int err;
5623
69c4e4e8 5624 if (hcon->type != LE_LINK)
3b166295 5625 goto drop;
69c4e4e8 5626
4f3e219d
MH		 5627 if (skb->len < L2CAP_CMD_HDR_SIZE)
5628 goto drop;
c5623556 5629
4f3e219d
MH		 5630 cmd = (void *) skb->data;
5631 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5632
4f3e219d 5633 len = le16_to_cpu(cmd->len);
c5623556 5634
4f3e219d 5635 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5636
4f3e219d
MH		 5637 if (len != skb->len || !cmd->ident) {
5638 BT_DBG("corrupted command");
5639 goto drop;
5640 }
c5623556 5641
203e639e 5642 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5643 if (err) {
5644 struct l2cap_cmd_rej_unk rej;
c5623556 5645
4f3e219d 5646 BT_ERR("Wrong link type (%d)", err);
c5623556 5647
dcf4adbf 5648 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5649 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5650 sizeof(rej), &rej);
c5623556
JH		 5651 }
5652
3b166295 5653drop:
c5623556
JH		 5654 kfree_skb(skb);
5655}
5656
3300d9a9 5657static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5658 struct sk_buff *skb)
1da177e4 5659{
69c4e4e8 5660 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5661 u8 *data = skb->data;
5662 int len = skb->len;
5663 struct l2cap_cmd_hdr cmd;
3300d9a9 5664 int err;
1da177e4
LT		 5665
5666 l2cap_raw_recv(conn, skb);
5667
69c4e4e8 5668 if (hcon->type != ACL_LINK)
3b166295 5669 goto drop;
69c4e4e8 5670
1da177e4 5671 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5672 u16 cmd_len;
1da177e4
LT		 5673 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5674 data += L2CAP_CMD_HDR_SIZE;
5675 len -= L2CAP_CMD_HDR_SIZE;
5676
88219a0f 5677 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5678
2d792818
GP		 5679 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5680 cmd.ident);
1da177e4 5681
88219a0f 5682 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5683 BT_DBG("corrupted command");
5684 break;
5685 }
5686
c5623556 5687 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5688 if (err) {
e2fd318e 5689 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5690
5691 BT_ERR("Wrong link type (%d)", err);
1da177e4 5692
dcf4adbf 5693 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5694 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5695 sizeof(rej), &rej);
1da177e4
LT		 5696 }
5697
88219a0f
AV		 5698 data += cmd_len;
5699 len -= cmd_len;
1da177e4
LT		 5700 }
5701
3b166295 5702drop:
1da177e4
LT		 5703 kfree_skb(skb);
5704}
5705
47d1ec61 5706static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5707{
5708 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5709 int hdr_size;
5710
5711 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5712 hdr_size = L2CAP_EXT_HDR_SIZE;
5713 else
5714 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5715
47d1ec61 5716 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5717 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5718 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5719 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5720
5721 if (our_fcs != rcv_fcs)
7a560e5c 5722 return -EBADMSG;
fcc203c3
GP		 5723 }
5724 return 0;
5725}
5726
6ea00485 5727static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5728{
e31f7633 5729 struct l2cap_ctrl control;
d5392c8f 5730
e31f7633 5731 BT_DBG("chan %p", chan);
d5392c8f 5732
e31f7633
MM		 5733 memset(&control, 0, sizeof(control));
5734 control.sframe = 1;
5735 control.final = 1;
5736 control.reqseq = chan->buffer_seq;
5737 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5738
e2ab4353 5739 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5740 control.super = L2CAP_SUPER_RNR;
5741 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5742 }
5743
e31f7633
MM		 5744 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5745 chan->unacked_frames > 0)
5746 __set_retrans_timer(chan);
d5392c8f 5747
e31f7633 5748 /* Send pending iframes */
525cd185 5749 l2cap_ertm_send(chan);
d5392c8f 5750
e2ab4353 5751 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5752 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5753 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5754 * send it now.
5755 */
5756 control.super = L2CAP_SUPER_RR;
5757 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5758 }
5759}
5760
2d792818
GP		 5761static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5762 struct sk_buff **last_frag)
18778a63 5763{
84084a31
MM		 5764 /* skb->len reflects data in skb as well as all fragments
5765 * skb->data_len reflects only data in fragments
5766 */
5767 if (!skb_has_frag_list(skb))
5768 skb_shinfo(skb)->frag_list = new_frag;
5769
5770 new_frag->next = NULL;
5771
5772 (*last_frag)->next = new_frag;
5773 *last_frag = new_frag;
5774
5775 skb->len += new_frag->len;
5776 skb->data_len += new_frag->len;
5777 skb->truesize += new_frag->truesize;
5778}
5779
4b51dae9
MM		 5780static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5781 struct l2cap_ctrl *control)
84084a31
MM		 5782{
5783 int err = -EINVAL;
18778a63 5784
4b51dae9 5785 switch (control->sar) {
7e0ef6ee 5786 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5787 if (chan->sdu)
5788 break;
18778a63 5789
80b98027 5790 err = chan->ops->recv(chan, skb);
84084a31 5791 break;
18778a63 5792
7e0ef6ee 5793 case L2CAP_SAR_START:
84084a31
MM		 5794 if (chan->sdu)
5795 break;
18778a63 5796
6f61fd47 5797 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5798 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5799
84084a31
MM		 5800 if (chan->sdu_len > chan->imtu) {
5801 err = -EMSGSIZE;
5802 break;
5803 }
1890d36b 5804
84084a31
MM		 5805 if (skb->len >= chan->sdu_len)
5806 break;
18778a63 5807
84084a31
MM		 5808 chan->sdu = skb;
5809 chan->sdu_last_frag = skb;
18778a63 5810
84084a31
MM		 5811 skb = NULL;
5812 err = 0;
18778a63
GP		 5813 break;
5814
7e0ef6ee 5815 case L2CAP_SAR_CONTINUE:
6f61fd47 5816 if (!chan->sdu)
84084a31 5817 break;
18778a63 5818
84084a31
MM		 5819 append_skb_frag(chan->sdu, skb,
5820 &chan->sdu_last_frag);
5821 skb = NULL;
18778a63 5822
84084a31
MM		 5823 if (chan->sdu->len >= chan->sdu_len)
5824 break;
4178ba46 5825
84084a31 5826 err = 0;
18778a63
GP		 5827 break;
5828
7e0ef6ee 5829 case L2CAP_SAR_END:
6f61fd47 5830 if (!chan->sdu)
84084a31 5831 break;
18778a63 5832
84084a31
MM		 5833 append_skb_frag(chan->sdu, skb,
5834 &chan->sdu_last_frag);
5835 skb = NULL;
4178ba46 5836
84084a31
MM		 5837 if (chan->sdu->len != chan->sdu_len)
5838 break;
18778a63 5839
80b98027 5840 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5841
84084a31
MM		 5842 if (!err) {
5843 /* Reassembly complete */
5844 chan->sdu = NULL;
5845 chan->sdu_last_frag = NULL;
5846 chan->sdu_len = 0;
1890d36b 5847 }
18778a63
GP		 5848 break;
5849 }
5850
84084a31
MM		 5851 if (err) {
5852 kfree_skb(skb);
5853 kfree_skb(chan->sdu);
5854 chan->sdu = NULL;
5855 chan->sdu_last_frag = NULL;
5856 chan->sdu_len = 0;
5857 }
18778a63 5858
84084a31 5859 return err;
18778a63
GP		 5860}
5861
32b32735
MM		 5862static int l2cap_resegment(struct l2cap_chan *chan)
5863{
5864 /* Placeholder */
5865 return 0;
5866}
5867
61aa4f5b 5868void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5869{
61aa4f5b 5870 u8 event;
712132eb 5871
61aa4f5b
MM		 5872 if (chan->mode != L2CAP_MODE_ERTM)
5873 return;
712132eb 5874
61aa4f5b 5875 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5876 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5877}
5878
d2a7ac5d
MM		 5879static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5880{
63838725
MM		 5881 int err = 0;
5882 /* Pass sequential frames to l2cap_reassemble_sdu()
5883 * until a gap is encountered.
5884 */
5885
5886 BT_DBG("chan %p", chan);
5887
5888 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5889 struct sk_buff *skb;
5890 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5891 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5892
5893 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5894
5895 if (!skb)
5896 break;
5897
5898 skb_unlink(skb, &chan->srej_q);
5899 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5900 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5901 if (err)
5902 break;
5903 }
5904
5905 if (skb_queue_empty(&chan->srej_q)) {
5906 chan->rx_state = L2CAP_RX_STATE_RECV;
5907 l2cap_send_ack(chan);
5908 }
5909
5910 return err;
d2a7ac5d
MM		 5911}
5912
5913static void l2cap_handle_srej(struct l2cap_chan *chan,
5914 struct l2cap_ctrl *control)
5915{
f80842a8
MM		 5916 struct sk_buff *skb;
5917
5918 BT_DBG("chan %p, control %p", chan, control);
5919
5920 if (control->reqseq == chan->next_tx_seq) {
5921 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5922 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5923 return;
5924 }
5925
5926 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5927
5928 if (skb == NULL) {
5929 BT_DBG("Seq %d not available for retransmission",
5930 control->reqseq);
5931 return;
5932 }
5933
5934 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5935 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5936 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5937 return;
5938 }
5939
5940 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5941
5942 if (control->poll) {
5943 l2cap_pass_to_tx(chan, control);
5944
5945 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5946 l2cap_retransmit(chan, control);
5947 l2cap_ertm_send(chan);
5948
5949 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5950 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5951 chan->srej_save_reqseq = control->reqseq;
5952 }
5953 } else {
5954 l2cap_pass_to_tx_fbit(chan, control);
5955
5956 if (control->final) {
5957 if (chan->srej_save_reqseq != control->reqseq ||
5958 !test_and_clear_bit(CONN_SREJ_ACT,
5959 &chan->conn_state))
5960 l2cap_retransmit(chan, control);
5961 } else {
5962 l2cap_retransmit(chan, control);
5963 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5964 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5965 chan->srej_save_reqseq = control->reqseq;
5966 }
5967 }
5968 }
d2a7ac5d
MM		 5969}
5970
5971static void l2cap_handle_rej(struct l2cap_chan *chan,
5972 struct l2cap_ctrl *control)
5973{
fcd289df
MM		 5974 struct sk_buff *skb;
5975
5976 BT_DBG("chan %p, control %p", chan, control);
5977
5978 if (control->reqseq == chan->next_tx_seq) {
5979 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5980 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5981 return;
5982 }
5983
5984 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5985
5986 if (chan->max_tx && skb &&
5987 bt_cb(skb)->control.retries >= chan->max_tx) {
5988 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5989 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5990 return;
5991 }
5992
5993 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5994
5995 l2cap_pass_to_tx(chan, control);
5996
5997 if (control->final) {
5998 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5999 l2cap_retransmit_all(chan, control);
6000 } else {
6001 l2cap_retransmit_all(chan, control);
6002 l2cap_ertm_send(chan);
6003 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6004 set_bit(CONN_REJ_ACT, &chan->conn_state);
6005 }
d2a7ac5d
MM		 6006}
6007
4b51dae9
MM		 6008static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6009{
6010 BT_DBG("chan %p, txseq %d", chan, txseq);
6011
6012 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6013 chan->expected_tx_seq);
6014
6015 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6016 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6017 chan->tx_win) {
4b51dae9
MM		 6018 /* See notes below regarding "double poll" and
6019 * invalid packets.
6020 */
6021 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6022 BT_DBG("Invalid/Ignore - after SREJ");
6023 return L2CAP_TXSEQ_INVALID_IGNORE;
6024 } else {
6025 BT_DBG("Invalid - in window after SREJ sent");
6026 return L2CAP_TXSEQ_INVALID;
6027 }
6028 }
6029
6030 if (chan->srej_list.head == txseq) {
6031 BT_DBG("Expected SREJ");
6032 return L2CAP_TXSEQ_EXPECTED_SREJ;
6033 }
6034
6035 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6036 BT_DBG("Duplicate SREJ - txseq already stored");
6037 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6038 }
6039
6040 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6041 BT_DBG("Unexpected SREJ - not requested");
6042 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6043 }
6044 }
6045
6046 if (chan->expected_tx_seq == txseq) {
6047 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6048 chan->tx_win) {
6049 BT_DBG("Invalid - txseq outside tx window");
6050 return L2CAP_TXSEQ_INVALID;
6051 } else {
6052 BT_DBG("Expected");
6053 return L2CAP_TXSEQ_EXPECTED;
6054 }
6055 }
6056
6057 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6058 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6059 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6060 return L2CAP_TXSEQ_DUPLICATE;
6061 }
6062
6063 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6064 /* A source of invalid packets is a "double poll" condition,
6065 * where delays cause us to send multiple poll packets. If
6066 * the remote stack receives and processes both polls,
6067 * sequence numbers can wrap around in such a way that a
6068 * resent frame has a sequence number that looks like new data
6069 * with a sequence gap. This would trigger an erroneous SREJ
6070 * request.
6071 *
6072 * Fortunately, this is impossible with a tx window that's
6073 * less than half of the maximum sequence number, which allows
6074 * invalid frames to be safely ignored.
6075 *
6076 * With tx window sizes greater than half of the tx window
6077 * maximum, the frame is invalid and cannot be ignored. This
6078 * causes a disconnect.
6079 */
6080
6081 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6082 BT_DBG("Invalid/Ignore - txseq outside tx window");
6083 return L2CAP_TXSEQ_INVALID_IGNORE;
6084 } else {
6085 BT_DBG("Invalid - txseq outside tx window");
6086 return L2CAP_TXSEQ_INVALID;
6087 }
6088 } else {
6089 BT_DBG("Unexpected - txseq indicates missing frames");
6090 return L2CAP_TXSEQ_UNEXPECTED;
6091 }
6092}
6093
d2a7ac5d
MM		 6094static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6095 struct l2cap_ctrl *control,
6096 struct sk_buff *skb, u8 event)
6097{
6098 int err = 0;
941247f9 6099 bool skb_in_use = false;
d2a7ac5d
MM		 6100
6101 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6102 event);
6103
6104 switch (event) {
6105 case L2CAP_EV_RECV_IFRAME:
6106 switch (l2cap_classify_txseq(chan, control->txseq)) {
6107 case L2CAP_TXSEQ_EXPECTED:
6108 l2cap_pass_to_tx(chan, control);
6109
6110 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6111 BT_DBG("Busy, discarding expected seq %d",
6112 control->txseq);
6113 break;
6114 }
6115
6116 chan->expected_tx_seq = __next_seq(chan,
6117 control->txseq);
6118
6119 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6120 skb_in_use = true;
d2a7ac5d
MM		 6121
6122 err = l2cap_reassemble_sdu(chan, skb, control);
6123 if (err)
6124 break;
6125
6126 if (control->final) {
6127 if (!test_and_clear_bit(CONN_REJ_ACT,
6128 &chan->conn_state)) {
6129 control->final = 0;
6130 l2cap_retransmit_all(chan, control);
6131 l2cap_ertm_send(chan);
6132 }
6133 }
6134
6135 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6136 l2cap_send_ack(chan);
6137 break;
6138 case L2CAP_TXSEQ_UNEXPECTED:
6139 l2cap_pass_to_tx(chan, control);
6140
6141 /* Can't issue SREJ frames in the local busy state.
6142 * Drop this frame, it will be seen as missing
6143 * when local busy is exited.
6144 */
6145 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6146 BT_DBG("Busy, discarding unexpected seq %d",
6147 control->txseq);
6148 break;
6149 }
6150
6151 /* There was a gap in the sequence, so an SREJ
6152 * must be sent for each missing frame. The
6153 * current frame is stored for later use.
6154 */
6155 skb_queue_tail(&chan->srej_q, skb);
941247f9 6156 skb_in_use = true;
d2a7ac5d
MM		 6157 BT_DBG("Queued %p (queue len %d)", skb,
6158 skb_queue_len(&chan->srej_q));
6159
6160 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6161 l2cap_seq_list_clear(&chan->srej_list);
6162 l2cap_send_srej(chan, control->txseq);
6163
6164 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6165 break;
6166 case L2CAP_TXSEQ_DUPLICATE:
6167 l2cap_pass_to_tx(chan, control);
6168 break;
6169 case L2CAP_TXSEQ_INVALID_IGNORE:
6170 break;
6171 case L2CAP_TXSEQ_INVALID:
6172 default:
5e4e3972 6173 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6174 break;
6175 }
6176 break;
6177 case L2CAP_EV_RECV_RR:
6178 l2cap_pass_to_tx(chan, control);
6179 if (control->final) {
6180 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6181
e6a3ee6e
MM		 6182 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6183 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6184 control->final = 0;
6185 l2cap_retransmit_all(chan, control);
6186 }
6187
6188 l2cap_ertm_send(chan);
6189 } else if (control->poll) {
6190 l2cap_send_i_or_rr_or_rnr(chan);
6191 } else {
6192 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6193 &chan->conn_state) &&
6194 chan->unacked_frames)
6195 __set_retrans_timer(chan);
6196
6197 l2cap_ertm_send(chan);
6198 }
6199 break;
6200 case L2CAP_EV_RECV_RNR:
6201 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6202 l2cap_pass_to_tx(chan, control);
6203 if (control && control->poll) {
6204 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6205 l2cap_send_rr_or_rnr(chan, 0);
6206 }
6207 __clear_retrans_timer(chan);
6208 l2cap_seq_list_clear(&chan->retrans_list);
6209 break;
6210 case L2CAP_EV_RECV_REJ:
6211 l2cap_handle_rej(chan, control);
6212 break;
6213 case L2CAP_EV_RECV_SREJ:
6214 l2cap_handle_srej(chan, control);
6215 break;
6216 default:
6217 break;
6218 }
6219
6220 if (skb && !skb_in_use) {
6221 BT_DBG("Freeing %p", skb);
6222 kfree_skb(skb);
6223 }
6224
6225 return err;
6226}
6227
6228static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6229 struct l2cap_ctrl *control,
6230 struct sk_buff *skb, u8 event)
6231{
6232 int err = 0;
6233 u16 txseq = control->txseq;
941247f9 6234 bool skb_in_use = false;
d2a7ac5d
MM		 6235
6236 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6237 event);
6238
6239 switch (event) {
6240 case L2CAP_EV_RECV_IFRAME:
6241 switch (l2cap_classify_txseq(chan, txseq)) {
6242 case L2CAP_TXSEQ_EXPECTED:
6243 /* Keep frame for reassembly later */
6244 l2cap_pass_to_tx(chan, control);
6245 skb_queue_tail(&chan->srej_q, skb);
941247f9 6246 skb_in_use = true;
d2a7ac5d
MM		 6247 BT_DBG("Queued %p (queue len %d)", skb,
6248 skb_queue_len(&chan->srej_q));
6249
6250 chan->expected_tx_seq = __next_seq(chan, txseq);
6251 break;
6252 case L2CAP_TXSEQ_EXPECTED_SREJ:
6253 l2cap_seq_list_pop(&chan->srej_list);
6254
6255 l2cap_pass_to_tx(chan, control);
6256 skb_queue_tail(&chan->srej_q, skb);
941247f9 6257 skb_in_use = true;
d2a7ac5d
MM		 6258 BT_DBG("Queued %p (queue len %d)", skb,
6259 skb_queue_len(&chan->srej_q));
6260
6261 err = l2cap_rx_queued_iframes(chan);
6262 if (err)
6263 break;
6264
6265 break;
6266 case L2CAP_TXSEQ_UNEXPECTED:
6267 /* Got a frame that can't be reassembled yet.
6268 * Save it for later, and send SREJs to cover
6269 * the missing frames.
6270 */
6271 skb_queue_tail(&chan->srej_q, skb);
941247f9 6272 skb_in_use = true;
d2a7ac5d
MM		 6273 BT_DBG("Queued %p (queue len %d)", skb,
6274 skb_queue_len(&chan->srej_q));
6275
6276 l2cap_pass_to_tx(chan, control);
6277 l2cap_send_srej(chan, control->txseq);
6278 break;
6279 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6280 /* This frame was requested with an SREJ, but
6281 * some expected retransmitted frames are
6282 * missing. Request retransmission of missing
6283 * SREJ'd frames.
6284 */
6285 skb_queue_tail(&chan->srej_q, skb);
941247f9 6286 skb_in_use = true;
d2a7ac5d
MM		 6287 BT_DBG("Queued %p (queue len %d)", skb,
6288 skb_queue_len(&chan->srej_q));
6289
6290 l2cap_pass_to_tx(chan, control);
6291 l2cap_send_srej_list(chan, control->txseq);
6292 break;
6293 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6294 /* We've already queued this frame. Drop this copy. */
6295 l2cap_pass_to_tx(chan, control);
6296 break;
6297 case L2CAP_TXSEQ_DUPLICATE:
6298 /* Expecting a later sequence number, so this frame
6299 * was already received. Ignore it completely.
6300 */
6301 break;
6302 case L2CAP_TXSEQ_INVALID_IGNORE:
6303 break;
6304 case L2CAP_TXSEQ_INVALID:
6305 default:
5e4e3972 6306 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6307 break;
6308 }
6309 break;
6310 case L2CAP_EV_RECV_RR:
6311 l2cap_pass_to_tx(chan, control);
6312 if (control->final) {
6313 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6314
6315 if (!test_and_clear_bit(CONN_REJ_ACT,
6316 &chan->conn_state)) {
6317 control->final = 0;
6318 l2cap_retransmit_all(chan, control);
6319 }
6320
6321 l2cap_ertm_send(chan);
6322 } else if (control->poll) {
6323 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6324 &chan->conn_state) &&
6325 chan->unacked_frames) {
6326 __set_retrans_timer(chan);
6327 }
6328
6329 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6330 l2cap_send_srej_tail(chan);
6331 } else {
6332 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6333 &chan->conn_state) &&
6334 chan->unacked_frames)
6335 __set_retrans_timer(chan);
6336
6337 l2cap_send_ack(chan);
6338 }
6339 break;
6340 case L2CAP_EV_RECV_RNR:
6341 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6342 l2cap_pass_to_tx(chan, control);
6343 if (control->poll) {
6344 l2cap_send_srej_tail(chan);
6345 } else {
6346 struct l2cap_ctrl rr_control;
6347 memset(&rr_control, 0, sizeof(rr_control));
6348 rr_control.sframe = 1;
6349 rr_control.super = L2CAP_SUPER_RR;
6350 rr_control.reqseq = chan->buffer_seq;
6351 l2cap_send_sframe(chan, &rr_control);
6352 }
6353
6354 break;
6355 case L2CAP_EV_RECV_REJ:
6356 l2cap_handle_rej(chan, control);
6357 break;
6358 case L2CAP_EV_RECV_SREJ:
6359 l2cap_handle_srej(chan, control);
6360 break;
6361 }
6362
6363 if (skb && !skb_in_use) {
6364 BT_DBG("Freeing %p", skb);
6365 kfree_skb(skb);
6366 }
6367
6368 return err;
6369}
6370
32b32735
MM		 6371static int l2cap_finish_move(struct l2cap_chan *chan)
6372{
6373 BT_DBG("chan %p", chan);
6374
6375 chan->rx_state = L2CAP_RX_STATE_RECV;
6376
6377 if (chan->hs_hcon)
6378 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6379 else
6380 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6381
6382 return l2cap_resegment(chan);
6383}
6384
6385static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6386 struct l2cap_ctrl *control,
6387 struct sk_buff *skb, u8 event)
6388{
6389 int err;
6390
6391 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6392 event);
6393
6394 if (!control->poll)
6395 return -EPROTO;
6396
6397 l2cap_process_reqseq(chan, control->reqseq);
6398
6399 if (!skb_queue_empty(&chan->tx_q))
6400 chan->tx_send_head = skb_peek(&chan->tx_q);
6401 else
6402 chan->tx_send_head = NULL;
6403
6404 /* Rewind next_tx_seq to the point expected
6405 * by the receiver.
6406 */
6407 chan->next_tx_seq = control->reqseq;
6408 chan->unacked_frames = 0;
6409
6410 err = l2cap_finish_move(chan);
6411 if (err)
6412 return err;
6413
6414 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6415 l2cap_send_i_or_rr_or_rnr(chan);
6416
6417 if (event == L2CAP_EV_RECV_IFRAME)
6418 return -EPROTO;
6419
6420 return l2cap_rx_state_recv(chan, control, NULL, event);
6421}
6422
6423static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6424 struct l2cap_ctrl *control,
6425 struct sk_buff *skb, u8 event)
6426{
6427 int err;
6428
6429 if (!control->final)
6430 return -EPROTO;
6431
6432 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6433
6434 chan->rx_state = L2CAP_RX_STATE_RECV;
6435 l2cap_process_reqseq(chan, control->reqseq);
6436
6437 if (!skb_queue_empty(&chan->tx_q))
6438 chan->tx_send_head = skb_peek(&chan->tx_q);
6439 else
6440 chan->tx_send_head = NULL;
6441
6442 /* Rewind next_tx_seq to the point expected
6443 * by the receiver.
6444 */
6445 chan->next_tx_seq = control->reqseq;
6446 chan->unacked_frames = 0;
6447
6448 if (chan->hs_hcon)
6449 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6450 else
6451 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6452
6453 err = l2cap_resegment(chan);
6454
6455 if (!err)
6456 err = l2cap_rx_state_recv(chan, control, skb, event);
6457
6458 return err;
6459}
6460
d2a7ac5d
MM		 6461static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6462{
6463 /* Make sure reqseq is for a packet that has been sent but not acked */
6464 u16 unacked;
6465
6466 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6467 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6468}
6469
cec8ab6e
MM		 6470static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6471 struct sk_buff *skb, u8 event)
218bb9df 6472{
d2a7ac5d
MM		 6473 int err = 0;
6474
6475 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6476 control, skb, event, chan->rx_state);
6477
6478 if (__valid_reqseq(chan, control->reqseq)) {
6479 switch (chan->rx_state) {
6480 case L2CAP_RX_STATE_RECV:
6481 err = l2cap_rx_state_recv(chan, control, skb, event);
6482 break;
6483 case L2CAP_RX_STATE_SREJ_SENT:
6484 err = l2cap_rx_state_srej_sent(chan, control, skb,
6485 event);
6486 break;
32b32735
MM		 6487 case L2CAP_RX_STATE_WAIT_P:
6488 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6489 break;
6490 case L2CAP_RX_STATE_WAIT_F:
6491 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6492 break;
d2a7ac5d
MM		 6493 default:
6494 /* shut it down */
6495 break;
6496 }
6497 } else {
6498 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6499 control->reqseq, chan->next_tx_seq,
6500 chan->expected_ack_seq);
5e4e3972 6501 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6502 }
6503
6504 return err;
cec8ab6e
MM		 6505}
6506
6507static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6508 struct sk_buff *skb)
6509{
4b51dae9
MM		 6510 int err = 0;
6511
6512 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6513 chan->rx_state);
6514
6515 if (l2cap_classify_txseq(chan, control->txseq) ==
6516 L2CAP_TXSEQ_EXPECTED) {
6517 l2cap_pass_to_tx(chan, control);
6518
6519 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6520 __next_seq(chan, chan->buffer_seq));
6521
6522 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6523
6524 l2cap_reassemble_sdu(chan, skb, control);
6525 } else {
6526 if (chan->sdu) {
6527 kfree_skb(chan->sdu);
6528 chan->sdu = NULL;
6529 }
6530 chan->sdu_last_frag = NULL;
6531 chan->sdu_len = 0;
6532
6533 if (skb) {
6534 BT_DBG("Freeing %p", skb);
6535 kfree_skb(skb);
6536 }
6537 }
6538
6539 chan->last_acked_seq = control->txseq;
6540 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6541
6542 return err;
cec8ab6e
MM		 6543}
6544
6545static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6546{
6547 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6548 u16 len;
6549 u8 event;
218bb9df 6550
b76bbd66
MM		 6551 __unpack_control(chan, skb);
6552
218bb9df
GP		 6553 len = skb->len;
6554
6555 /*
6556 * We can just drop the corrupted I-frame here.
6557 * Receiver will miss it and start proper recovery
cec8ab6e 6558 * procedures and ask for retransmission.
218bb9df 6559 */
47d1ec61 6560 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6561 goto drop;
6562
cec8ab6e 6563 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6564 len -= L2CAP_SDULEN_SIZE;
218bb9df 6565
47d1ec61 6566 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6567 len -= L2CAP_FCS_SIZE;
218bb9df 6568
47d1ec61 6569 if (len > chan->mps) {
5e4e3972 6570 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6571 goto drop;
6572 }
6573
cec8ab6e
MM		 6574 if (!control->sframe) {
6575 int err;
218bb9df 6576
cec8ab6e
MM		 6577 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6578 control->sar, control->reqseq, control->final,
6579 control->txseq);
218bb9df 6580
cec8ab6e
MM		 6581 /* Validate F-bit - F=0 always valid, F=1 only
6582 * valid in TX WAIT_F
6583 */
6584 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6585 goto drop;
cec8ab6e
MM		 6586
6587 if (chan->mode != L2CAP_MODE_STREAMING) {
6588 event = L2CAP_EV_RECV_IFRAME;
6589 err = l2cap_rx(chan, control, skb, event);
6590 } else {
6591 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6592 }
6593
cec8ab6e 6594 if (err)
5e4e3972 6595 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6596 } else {
cec8ab6e
MM		 6597 const u8 rx_func_to_event[4] = {
6598 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6599 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6600 };
6601
6602 /* Only I-frames are expected in streaming mode */
6603 if (chan->mode == L2CAP_MODE_STREAMING)
6604 goto drop;
6605
6606 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6607 control->reqseq, control->final, control->poll,
6608 control->super);
6609
218bb9df 6610 if (len != 0) {
1bb166e6 6611 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6612 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6613 goto drop;
6614 }
6615
cec8ab6e
MM		 6616 /* Validate F and P bits */
6617 if (control->final && (control->poll ||
6618 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6619 goto drop;
6620
6621 event = rx_func_to_event[control->super];
6622 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6623 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6624 }
6625
6626 return 0;
6627
6628drop:
6629 kfree_skb(skb);
6630 return 0;
6631}
6632
b1c325c2
JH		 6633static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6634{
6635 struct l2cap_conn *conn = chan->conn;
6636 struct l2cap_le_credits pkt;
6637 u16 return_credits;
6638
6639 /* We return more credits to the sender only after the amount of
6640 * credits falls below half of the initial amount.
6641 */
f15b8ecf 6642 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6643 return;
6644
f15b8ecf 6645 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6646
6647 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6648
6649 chan->rx_credits += return_credits;
6650
6651 pkt.cid = cpu_to_le16(chan->scid);
6652 pkt.credits = cpu_to_le16(return_credits);
6653
6654 chan->ident = l2cap_get_ident(conn);
6655
6656 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6657}
6658
fad5fc89
JH		 6659static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6660{
aac23bf6
JH		 6661 int err;
6662
6663 if (!chan->rx_credits) {
6664 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6665 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6666 return -ENOBUFS;
aac23bf6 6667 }
fad5fc89 6668
aac23bf6
JH		 6669 if (chan->imtu < skb->len) {
6670 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6671 return -ENOBUFS;
aac23bf6 6672 }
fad5fc89
JH		 6673
6674 chan->rx_credits--;
6675 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6676
6677 l2cap_chan_le_send_credits(chan);
6678
aac23bf6
JH		 6679 err = 0;
6680
6681 if (!chan->sdu) {
6682 u16 sdu_len;
6683
6684 sdu_len = get_unaligned_le16(skb->data);
6685 skb_pull(skb, L2CAP_SDULEN_SIZE);
6686
6687 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6688 sdu_len, skb->len, chan->imtu);
6689
6690 if (sdu_len > chan->imtu) {
6691 BT_ERR("Too big LE L2CAP SDU length received");
6692 err = -EMSGSIZE;
6693 goto failed;
6694 }
6695
6696 if (skb->len > sdu_len) {
6697 BT_ERR("Too much LE L2CAP data received");
6698 err = -EINVAL;
6699 goto failed;
6700 }
6701
6702 if (skb->len == sdu_len)
6703 return chan->ops->recv(chan, skb);
6704
6705 chan->sdu = skb;
6706 chan->sdu_len = sdu_len;
6707 chan->sdu_last_frag = skb;
6708
6709 return 0;
6710 }
6711
6712 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6713 chan->sdu->len, skb->len, chan->sdu_len);
6714
6715 if (chan->sdu->len + skb->len > chan->sdu_len) {
6716 BT_ERR("Too much LE L2CAP data received");
6717 err = -EINVAL;
6718 goto failed;
6719 }
6720
6721 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6722 skb = NULL;
6723
6724 if (chan->sdu->len == chan->sdu_len) {
6725 err = chan->ops->recv(chan, chan->sdu);
6726 if (!err) {
6727 chan->sdu = NULL;
6728 chan->sdu_last_frag = NULL;
6729 chan->sdu_len = 0;
6730 }
6731 }
6732
6733failed:
6734 if (err) {
6735 kfree_skb(skb);
6736 kfree_skb(chan->sdu);
6737 chan->sdu = NULL;
6738 chan->sdu_last_frag = NULL;
6739 chan->sdu_len = 0;
6740 }
6741
6742 /* We can't return an error here since we took care of the skb
6743 * freeing internally. An error return would cause the caller to
6744 * do a double-free of the skb.
6745 */
6746 return 0;
fad5fc89
JH		 6747}
6748
13ca56e0
AE		 6749static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6750 struct sk_buff *skb)
1da177e4 6751{
48454079 6752 struct l2cap_chan *chan;
1da177e4 6753
baa7e1fa 6754 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6755 if (!chan) {
97e8e89d
AE		 6756 if (cid == L2CAP_CID_A2MP) {
6757 chan = a2mp_channel_create(conn, skb);
6758 if (!chan) {
6759 kfree_skb(skb);
13ca56e0 6760 return;
97e8e89d
AE		 6761 }
6762
6763 l2cap_chan_lock(chan);
6764 } else {
6765 BT_DBG("unknown cid 0x%4.4x", cid);
6766 /* Drop packet and return */
6767 kfree_skb(skb);
13ca56e0 6768 return;
97e8e89d 6769 }
1da177e4
LT		 6770 }
6771
49208c9c 6772 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6773
89bc500e 6774 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6775 goto drop;
6776
0c1bc5c6 6777 switch (chan->mode) {
38319713 6778 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6779 if (l2cap_le_data_rcv(chan, skb) < 0)
6780 goto drop;
6781
6782 goto done;
6783
1c2acffb
GP		 6784 case L2CAP_MODE_BASIC:
6785 /* If socket recv buffers overflows we drop data here
6786 * which is *bad* because L2CAP has to be reliable.
6787 * But we don't have any other choice. L2CAP doesn't
6788 * provide flow control mechanism. */
1da177e4 6789
2c96e03d
SJ		 6790 if (chan->imtu < skb->len) {
6791 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6792 goto drop;
2c96e03d 6793 }
1da177e4 6794
80b98027 6795 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6796 goto done;
6797 break;
6798
6799 case L2CAP_MODE_ERTM:
6840ed07 6800 case L2CAP_MODE_STREAMING:
cec8ab6e 6801 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6802 goto done;
6803
1c2acffb 6804 default:
0c1bc5c6 6805 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6806 break;
6807 }
1da177e4
LT		 6808
6809drop:
6810 kfree_skb(skb);
6811
6812done:
6be36555 6813 l2cap_chan_unlock(chan);
1da177e4
LT		 6814}
6815
84104b24
AE		 6816static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6817 struct sk_buff *skb)
1da177e4 6818{
ae4fd2d3 6819 struct hci_conn *hcon = conn->hcon;
23691d75 6820 struct l2cap_chan *chan;
1da177e4 6821
ae4fd2d3 6822 if (hcon->type != ACL_LINK)
a24cce14 6823 goto free_skb;
ae4fd2d3 6824
bf20fd4e
JH		 6825 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6826 ACL_LINK);
23691d75 6827 if (!chan)
a24cce14 6828 goto free_skb;
1da177e4 6829
5b4cedaa 6830 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6831
89bc500e 6832 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6833 goto drop;
6834
e13e21dc 6835 if (chan->imtu < skb->len)
1da177e4
LT		 6836 goto drop;
6837
2edf870d 6838 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6839 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6840 bt_cb(skb)->psm = psm;
6841
a24cce14
JH		 6842 if (!chan->ops->recv(chan, skb)) {
6843 l2cap_chan_put(chan);
84104b24 6844 return;
a24cce14 6845 }
1da177e4
LT		 6846
6847drop:
a24cce14
JH		 6848 l2cap_chan_put(chan);
6849free_skb:
1da177e4 6850 kfree_skb(skb);
1da177e4
LT		 6851}
6852
6853static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6854{
6855 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6856 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6857 u16 cid, len;
6858 __le16 psm;
1da177e4 6859
61a939c6
JH		 6860 if (hcon->state != BT_CONNECTED) {
6861 BT_DBG("queueing pending rx skb");
6862 skb_queue_tail(&conn->pending_rx, skb);
6863 return;
6864 }
6865
1da177e4
LT		 6866 skb_pull(skb, L2CAP_HDR_SIZE);
6867 cid = __le16_to_cpu(lh->cid);
6868 len = __le16_to_cpu(lh->len);
6869
1c2acffb
GP		 6870 if (len != skb->len) {
6871 kfree_skb(skb);
6872 return;
6873 }
6874
9e1d7e15
JH		 6875 /* Since we can't actively block incoming LE connections we must
6876 * at least ensure that we ignore incoming data from them.
6877 */
6878 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6879 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6880 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6881 kfree_skb(skb);
6882 return;
6883 }
6884
1da177e4
LT		 6885 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6886
6887 switch (cid) {
8db4dc46 6888 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6889 l2cap_sig_channel(conn, skb);
6890 break;
6891
8db4dc46 6892 case L2CAP_CID_CONN_LESS:
097db76c 6893 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6894 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6895 l2cap_conless_channel(conn, psm, skb);
6896 break;
6897
a2877629
MH		 6898 case L2CAP_CID_LE_SIGNALING:
6899 l2cap_le_sig_channel(conn, skb);
6900 break;
6901
1da177e4
LT		 6902 default:
6903 l2cap_data_channel(conn, cid, skb);
6904 break;
6905 }
6906}
6907
61a939c6
JH		 6908static void process_pending_rx(struct work_struct *work)
6909{
6910 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6911 pending_rx_work);
6912 struct sk_buff *skb;
6913
6914 BT_DBG("");
6915
6916 while ((skb = skb_dequeue(&conn->pending_rx)))
6917 l2cap_recv_frame(conn, skb);
6918}
6919
162b49e7
JH		 6920static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6921{
6922 struct l2cap_conn *conn = hcon->l2cap_data;
6923 struct hci_chan *hchan;
6924
6925 if (conn)
6926 return conn;
6927
6928 hchan = hci_chan_create(hcon);
6929 if (!hchan)
6930 return NULL;
6931
27f70f3e 6932 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6933 if (!conn) {
6934 hci_chan_del(hchan);
6935 return NULL;
6936 }
6937
6938 kref_init(&conn->ref);
6939 hcon->l2cap_data = conn;
51bb8457 6940 conn->hcon = hci_conn_get(hcon);
162b49e7
JH		 6941 conn->hchan = hchan;
6942
6943 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6944
6945 switch (hcon->type) {
6946 case LE_LINK:
6947 if (hcon->hdev->le_mtu) {
6948 conn->mtu = hcon->hdev->le_mtu;
6949 break;
6950 }
6951 /* fall through */
6952 default:
6953 conn->mtu = hcon->hdev->acl_mtu;
6954 break;
6955 }
6956
6957 conn->feat_mask = 0;
6958
6959 if (hcon->type == ACL_LINK)
6960 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6961 &hcon->hdev->dev_flags);
6962
5a54e7c8 6963 mutex_init(&conn->ident_lock);
162b49e7
JH		 6964 mutex_init(&conn->chan_lock);
6965
6966 INIT_LIST_HEAD(&conn->chan_l);
6967 INIT_LIST_HEAD(&conn->users);
6968
276d8073 6969 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6970
61a939c6
JH		 6971 skb_queue_head_init(&conn->pending_rx);
6972 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
f3d82d0c 6973 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
61a939c6 6974
162b49e7
JH		 6975 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6976
6977 return conn;
6978}
6979
6980static bool is_valid_psm(u16 psm, u8 dst_type) {
6981 if (!psm)
6982 return false;
6983
6984 if (bdaddr_type_is_le(dst_type))
6985 return (psm <= 0x00ff);
6986
6987 /* PSM must be odd and lsb of upper byte must be 0 */
6988 return ((psm & 0x0101) == 0x0001);
6989}
6990
6991int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6992 bdaddr_t *dst, u8 dst_type)
6993{
6994 struct l2cap_conn *conn;
6995 struct hci_conn *hcon;
6996 struct hci_dev *hdev;
162b49e7
JH		 6997 int err;
6998
6999 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7000 dst_type, __le16_to_cpu(psm));
7001
7002 hdev = hci_get_route(dst, &chan->src);
7003 if (!hdev)
7004 return -EHOSTUNREACH;
7005
7006 hci_dev_lock(hdev);
7007
162b49e7
JH		 7008 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7009 chan->chan_type != L2CAP_CHAN_RAW) {
7010 err = -EINVAL;
7011 goto done;
7012 }
7013
21626e62
JH		 7014 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7015 err = -EINVAL;
7016 goto done;
7017 }
7018
7019 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 7020 err = -EINVAL;
7021 goto done;
7022 }
7023
7024 switch (chan->mode) {
7025 case L2CAP_MODE_BASIC:
7026 break;
7027 case L2CAP_MODE_LE_FLOWCTL:
7028 l2cap_le_flowctl_init(chan);
7029 break;
7030 case L2CAP_MODE_ERTM:
7031 case L2CAP_MODE_STREAMING:
7032 if (!disable_ertm)
7033 break;
7034 /* fall through */
7035 default:
beb19e4c 7036 err = -EOPNOTSUPP;
162b49e7
JH		 7037 goto done;
7038 }
7039
7040 switch (chan->state) {
7041 case BT_CONNECT:
7042 case BT_CONNECT2:
7043 case BT_CONFIG:
7044 /* Already connecting */
7045 err = 0;
7046 goto done;
7047
7048 case BT_CONNECTED:
7049 /* Already connected */
7050 err = -EISCONN;
7051 goto done;
7052
7053 case BT_OPEN:
7054 case BT_BOUND:
7055 /* Can connect */
7056 break;
7057
7058 default:
7059 err = -EBADFD;
7060 goto done;
7061 }
7062
7063 /* Set destination address and psm */
7064 bacpy(&chan->dst, dst);
7065 chan->dst_type = dst_type;
7066
7067 chan->psm = psm;
7068 chan->dcid = cid;
7069
6f77d8c7 7070 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7071 u8 role;
cdd6275e 7072
6f77d8c7
AG		 7073 /* Convert from L2CAP channel address type to HCI address type
7074 */
7075 if (dst_type == BDADDR_LE_PUBLIC)
7076 dst_type = ADDR_LE_DEV_PUBLIC;
7077 else
7078 dst_type = ADDR_LE_DEV_RANDOM;
7079
e804d25d
JH		 7080 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7081 role = HCI_ROLE_SLAVE;
7082 else
7083 role = HCI_ROLE_MASTER;
cdd6275e 7084
04a6c589 7085 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7086 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7087 } else {
d93375a8 7088 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7089 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7090 }
162b49e7
JH		 7091
7092 if (IS_ERR(hcon)) {
7093 err = PTR_ERR(hcon);
7094 goto done;
7095 }
7096
7097 conn = l2cap_conn_add(hcon);
7098 if (!conn) {
7099 hci_conn_drop(hcon);
7100 err = -ENOMEM;
7101 goto done;
7102 }
7103
02e246ae
JH		 7104 mutex_lock(&conn->chan_lock);
7105 l2cap_chan_lock(chan);
7106
162b49e7
JH		 7107 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7108 hci_conn_drop(hcon);
7109 err = -EBUSY;
02e246ae 7110 goto chan_unlock;
162b49e7
JH		 7111 }
7112
7113 /* Update source addr of the socket */
7114 bacpy(&chan->src, &hcon->src);
7115 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7116
02e246ae 7117 __l2cap_chan_add(conn, chan);
162b49e7
JH		 7118
7119 /* l2cap_chan_add takes its own ref so we can drop this one */
7120 hci_conn_drop(hcon);
7121
7122 l2cap_state_change(chan, BT_CONNECT);
7123 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7124
61202e4d
JH		 7125 /* Release chan->sport so that it can be reused by other
7126 * sockets (as it's only used for listening sockets).
7127 */
7128 write_lock(&chan_list_lock);
7129 chan->sport = 0;
7130 write_unlock(&chan_list_lock);
7131
162b49e7
JH		 7132 if (hcon->state == BT_CONNECTED) {
7133 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7134 __clear_chan_timer(chan);
e7cafc45 7135 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7136 l2cap_state_change(chan, BT_CONNECTED);
7137 } else
7138 l2cap_do_start(chan);
7139 }
7140
7141 err = 0;
7142
02e246ae 7143chan_unlock:
162b49e7 7144 l2cap_chan_unlock(chan);
02e246ae
JH		 7145 mutex_unlock(&conn->chan_lock);
7146done:
162b49e7
JH		 7147 hci_dev_unlock(hdev);
7148 hci_dev_put(hdev);
7149 return err;
7150}
6b8d4a6a 7151EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7152
1da177e4
LT		 7153/* ---- L2CAP interface with lower layer (HCI) ---- */
7154
686ebf28 7155int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7156{
7157 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7158 struct l2cap_chan *c;
1da177e4 7159
6ed93dc6 7160 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7161
7162 /* Find listening sockets and check their link_mode */
23691d75
GP		 7163 read_lock(&chan_list_lock);
7164 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7165 if (c->state != BT_LISTEN)
1da177e4
LT		 7166 continue;
7167
7eafc59e 7168 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7169 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7170 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7171 lm1 |= HCI_LM_MASTER;
1da177e4 7172 exact++;
7eafc59e 7173 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7174 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7175 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7176 lm2 |= HCI_LM_MASTER;
7177 }
1da177e4 7178 }
23691d75 7179 read_unlock(&chan_list_lock);
1da177e4
LT		 7180
7181 return exact ? lm1 : lm2;
7182}
7183
e760ec12
JH		 7184/* Find the next fixed channel in BT_LISTEN state, continue iteration
7185 * from an existing channel in the list or from the beginning of the
7186 * global list (by passing NULL as first parameter).
7187 */
7188static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7189 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7190{
7191 read_lock(&chan_list_lock);
7192
7193 if (c)
7194 c = list_next_entry(c, global_l);
7195 else
7196 c = list_entry(chan_list.next, typeof(*c), global_l);
7197
7198 list_for_each_entry_from(c, &chan_list, global_l) {
7199 if (c->chan_type != L2CAP_CHAN_FIXED)
7200 continue;
7201 if (c->state != BT_LISTEN)
7202 continue;
7203 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7204 continue;
54a1b626
JH		 7205 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7206 continue;
7207 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7208 continue;
e760ec12
JH		 7209
7210 l2cap_chan_hold(c);
7211 read_unlock(&chan_list_lock);
7212 return c;
7213 }
7214
7215 read_unlock(&chan_list_lock);
7216
7217 return NULL;
7218}
7219
9e664631 7220void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7221{
e760ec12 7222 struct hci_dev *hdev = hcon->hdev;
0139418c 7223 struct l2cap_conn *conn;
e760ec12
JH		 7224 struct l2cap_chan *pchan;
7225 u8 dst_type;
0139418c 7226
6ed93dc6 7227 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7228
dc0f5088 7229 if (status) {
e175072f 7230 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7231 return;
ba6fc317 7232 }
dc0f5088
JH		 7233
7234 conn = l2cap_conn_add(hcon);
7235 if (!conn)
7236 return;
7237
e760ec12
JH		 7238 dst_type = bdaddr_type(hcon, hcon->dst_type);
7239
7240 /* If device is blocked, do not create channels for it */
7241 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7242 return;
7243
7244 /* Find fixed channels and notify them of the new connection. We
7245 * use multiple individual lookups, continuing each time where
7246 * we left off, because the list lock would prevent calling the
7247 * potentially sleeping l2cap_chan_lock() function.
7248 */
54a1b626 7249 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7250 while (pchan) {
7251 struct l2cap_chan *chan, *next;
7252
7253 /* Client fixed channels should override server ones */
7254 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7255 goto next;
7256
7257 l2cap_chan_lock(pchan);
7258 chan = pchan->ops->new_connection(pchan);
7259 if (chan) {
7260 bacpy(&chan->src, &hcon->src);
7261 bacpy(&chan->dst, &hcon->dst);
7262 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7263 chan->dst_type = dst_type;
7264
7265 __l2cap_chan_add(conn, chan);
7266 }
7267
7268 l2cap_chan_unlock(pchan);
7269next:
54a1b626
JH		 7270 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7271 hcon->type);
e760ec12
JH		 7272 l2cap_chan_put(pchan);
7273 pchan = next;
7274 }
7275
dc0f5088 7276 l2cap_conn_ready(conn);
1da177e4
LT		 7277}
7278
686ebf28 7279int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7280{
7281 struct l2cap_conn *conn = hcon->l2cap_data;
7282
7283 BT_DBG("hcon %p", hcon);
7284
686ebf28 7285 if (!conn)
9f5a0d7b 7286 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7287 return conn->disc_reason;
7288}
7289
9e664631 7290void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7291{
7292 BT_DBG("hcon %p reason %d", hcon, reason);
7293
e175072f 7294 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7295}
7296
4343478f 7297static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7298{
715ec005 7299 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7300 return;
7301
f62e4323 7302 if (encrypt == 0x00) {
4343478f 7303 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7304 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7305 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7306 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7307 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7308 } else {
4343478f 7309 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7310 __clear_chan_timer(chan);
f62e4323
MH		 7311 }
7312}
7313
686ebf28 7314int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7315{
0139418c 7316 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7317 struct l2cap_chan *chan;
1da177e4 7318
0139418c 7319 if (!conn)
1da177e4 7320 return 0;
0139418c 7321
89d8b407 7322 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7323
3df91ea2 7324 mutex_lock(&conn->chan_lock);
1da177e4 7325
3df91ea2 7326 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7327 l2cap_chan_lock(chan);
1da177e4 7328
89d8b407
AE		 7329 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7330 state_to_string(chan->state));
f1cb9af5 7331
2338a7e0 7332 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7333 l2cap_chan_unlock(chan);
7334 continue;
7335 }
7336
191eb398
JH		 7337 if (!status && encrypt)
7338 chan->sec_level = hcon->sec_level;
f1cb9af5 7339
96eff46e 7340 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7341 l2cap_chan_unlock(chan);
6a8d3010
MH		 7342 continue;
7343 }
7344
89bc500e 7345 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7346 chan->state == BT_CONFIG)) {
d97c899b 7347 chan->ops->resume(chan);
4343478f 7348 l2cap_check_encryption(chan, encrypt);
6be36555 7349 l2cap_chan_unlock(chan);
9719f8af
MH		 7350 continue;
7351 }
7352
89bc500e 7353 if (chan->state == BT_CONNECT) {
6d3c15da 7354 if (!status)
93c3e8f5 7355 l2cap_start_connection(chan);
6d3c15da 7356 else
ba13ccd9 7357 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
fa37c1aa
JH		 7358 } else if (chan->state == BT_CONNECT2 &&
7359 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
b1235d79 7360 struct l2cap_conn_rsp rsp;
df3c3931 7361 __u16 res, stat;
1da177e4 7362
b1235d79 7363 if (!status) {
bdc25783 7364 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7365 res = L2CAP_CR_PEND;
7366 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7367 chan->ops->defer(chan);
df3c3931 7368 } else {
acdcabf5 7369 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7370 res = L2CAP_CR_SUCCESS;
7371 stat = L2CAP_CS_NO_INFO;
7372 }
b1235d79 7373 } else {
acdcabf5 7374 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7375 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7376 res = L2CAP_CR_SEC_BLOCK;
7377 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7378 }
7379
fe4128e0
GP		 7380 rsp.scid = cpu_to_le16(chan->dcid);
7381 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7382 rsp.result = cpu_to_le16(res);
7383 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7384 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7385 sizeof(rsp), &rsp);
2d369359
MM		 7386
7387 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7388 res == L2CAP_CR_SUCCESS) {
7389 char buf[128];
7390 set_bit(CONF_REQ_SENT, &chan->conf_state);
7391 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7392 L2CAP_CONF_REQ,
7393 l2cap_build_conf_req(chan, buf),
7394 buf);
7395 chan->num_conf_req++;
7396 }
b1235d79 7397 }
1da177e4 7398
6be36555 7399 l2cap_chan_unlock(chan);
1da177e4
LT		 7400 }
7401
3df91ea2 7402 mutex_unlock(&conn->chan_lock);
b1235d79 7403
1da177e4
LT		 7404 return 0;
7405}
7406
686ebf28 7407int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7408{
7409 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7410 struct l2cap_hdr *hdr;
7411 int len;
1da177e4 7412
1d13a254
AE		 7413 /* For AMP controller do not create l2cap conn */
7414 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7415 goto drop;
1da177e4 7416
5a08ecce 7417 if (!conn)
baf43251 7418 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7419
7420 if (!conn)
1da177e4
LT		 7421 goto drop;
7422
7423 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7424
d73a0988
AE		 7425 switch (flags) {
7426 case ACL_START:
7427 case ACL_START_NO_FLUSH:
7428 case ACL_COMPLETE:
1da177e4
LT		 7429 if (conn->rx_len) {
7430 BT_ERR("Unexpected start frame (len %d)", skb->len);
7431 kfree_skb(conn->rx_skb);
7432 conn->rx_skb = NULL;
7433 conn->rx_len = 0;
7434 l2cap_conn_unreliable(conn, ECOMM);
7435 }
7436
aae7fe22
AE		 7437 /* Start fragment always begin with Basic L2CAP header */
7438 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7439 BT_ERR("Frame is too short (len %d)", skb->len);
7440 l2cap_conn_unreliable(conn, ECOMM);
7441 goto drop;
7442 }
7443
7444 hdr = (struct l2cap_hdr *) skb->data;
7445 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7446
7447 if (len == skb->len) {
7448 /* Complete frame received */
7449 l2cap_recv_frame(conn, skb);
7450 return 0;
7451 }
7452
7453 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7454
7455 if (skb->len > len) {
7456 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7457 skb->len, len);
1da177e4
LT		 7458 l2cap_conn_unreliable(conn, ECOMM);
7459 goto drop;
7460 }
7461
7462 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7463 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7464 if (!conn->rx_skb)
1da177e4
LT		 7465 goto drop;
7466
d626f62b 7467 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7468 skb->len);
1da177e4 7469 conn->rx_len = len - skb->len;
d73a0988
AE		 7470 break;
7471
7472 case ACL_CONT:
1da177e4
LT		 7473 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7474
7475 if (!conn->rx_len) {
7476 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7477 l2cap_conn_unreliable(conn, ECOMM);
7478 goto drop;
7479 }
7480
7481 if (skb->len > conn->rx_len) {
7482 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7483 skb->len, conn->rx_len);
1da177e4
LT		 7484 kfree_skb(conn->rx_skb);
7485 conn->rx_skb = NULL;
7486 conn->rx_len = 0;
7487 l2cap_conn_unreliable(conn, ECOMM);
7488 goto drop;
7489 }
7490
d626f62b 7491 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7492 skb->len);
1da177e4
LT		 7493 conn->rx_len -= skb->len;
7494
7495 if (!conn->rx_len) {
c4e5bafa
JH		 7496 /* Complete frame received. l2cap_recv_frame
7497 * takes ownership of the skb so set the global
7498 * rx_skb pointer to NULL first.
7499 */
7500 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7501 conn->rx_skb = NULL;
c4e5bafa 7502 l2cap_recv_frame(conn, rx_skb);
1da177e4 7503 }
d73a0988 7504 break;
1da177e4
LT		 7505 }
7506
7507drop:
7508 kfree_skb(skb);
7509 return 0;
7510}
7511
aef7d97c 7512static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7513{
23691d75 7514 struct l2cap_chan *c;
1da177e4 7515
333055f2 7516 read_lock(&chan_list_lock);
1da177e4 7517
23691d75 7518 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7519 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7520 &c->src, &c->dst,
fcb73338
AE		 7521 c->state, __le16_to_cpu(c->psm),
7522 c->scid, c->dcid, c->imtu, c->omtu,
7523 c->sec_level, c->mode);
61e1b4b7 7524 }
1da177e4 7525
333055f2 7526 read_unlock(&chan_list_lock);
1da177e4 7527
aef7d97c 7528 return 0;
1da177e4
LT		 7529}
7530
aef7d97c
MH		 7531static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7532{
7533 return single_open(file, l2cap_debugfs_show, inode->i_private);
7534}
7535
7536static const struct file_operations l2cap_debugfs_fops = {
7537 .open = l2cap_debugfs_open,
7538 .read = seq_read,
7539 .llseek = seq_lseek,
7540 .release = single_release,
7541};
7542
7543static struct dentry *l2cap_debugfs;
1da177e4 7544
64274518 7545int __init l2cap_init(void)
1da177e4
LT		 7546{
7547 int err;
be9d1227 7548
bb58f747 7549 err = l2cap_init_sockets();
1da177e4
LT		 7550 if (err < 0)
7551 return err;
7552
1120e4bf
MH		 7553 if (IS_ERR_OR_NULL(bt_debugfs))
7554 return 0;
7555
7556 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7557 NULL, &l2cap_debugfs_fops);
1da177e4 7558
40b9397a 7559 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7560 &le_max_credits);
40b9397a 7561 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7562 &le_default_mps);
7563
1da177e4 7564 return 0;
1da177e4
LT		 7565}
7566
64274518 7567void l2cap_exit(void)
1da177e4 7568{
aef7d97c 7569 debugfs_remove(l2cap_debugfs);
bb58f747 7570 l2cap_cleanup_sockets();
1da177e4
LT		 7571}
7572
d1c4a17d
GP		 7573module_param(disable_ertm, bool, 0644);
7574MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.497537 seconds and 5 git commands to generate.