projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: 6lowpan: Fix lockdep splats
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
333055f2 427 write_lock(&chan_list_lock);
23691d75 428 list_add(&chan->global_l, &chan_list);
333055f2 429 write_unlock(&chan_list_lock);
23691d75 430
721c4181 431 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 432
89bc500e
GP		 433 chan->state = BT_OPEN;
434
144ad330 435 kref_init(&chan->kref);
71ba0e56 436
2827011f
MM		 437 /* This flag is cleared in l2cap_chan_ready() */
438 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
439
eef1d9b6 440 BT_DBG("chan %p", chan);
abc545b8 441
48454079
GP		 442 return chan;
443}
6b8d4a6a 444EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 445
144ad330 446static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 447{
144ad330
SS		 448 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
449
4af66c69
JK		 450 BT_DBG("chan %p", chan);
451
333055f2 452 write_lock(&chan_list_lock);
23691d75 453 list_del(&chan->global_l);
333055f2 454 write_unlock(&chan_list_lock);
23691d75 455
4af66c69 456 kfree(chan);
6ff5abbf
GP		 457}
458
30648372
JK		 459void l2cap_chan_hold(struct l2cap_chan *c)
460{
144ad330 461 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 462
144ad330 463 kref_get(&c->kref);
30648372
JK		 464}
465
466void l2cap_chan_put(struct l2cap_chan *c)
467{
144ad330 468 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 469
144ad330 470 kref_put(&c->kref, l2cap_chan_destroy);
30648372 471}
6b8d4a6a 472EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 473
bd4b1653
AE		 474void l2cap_chan_set_defaults(struct l2cap_chan *chan)
475{
476 chan->fcs = L2CAP_FCS_CRC16;
477 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
478 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
479 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 480 chan->remote_max_tx = chan->max_tx;
481 chan->remote_tx_win = chan->tx_win;
c20f8e35 482 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 483 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 484 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
485 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
486 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
487 chan->conf_state = 0;
bd4b1653
AE		 488
489 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
490}
6b8d4a6a 491EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 492
0ce43ce6 493static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 494{
0ce43ce6
JH		 495 chan->sdu = NULL;
496 chan->sdu_last_frag = NULL;
497 chan->sdu_len = 0;
0cd75f7e 498 chan->tx_credits = 0;
f15b8ecf 499 chan->rx_credits = le_max_credits;
d1d79413 500 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 501
502 skb_queue_head_init(&chan->tx_q);
38319713
JH		 503}
504
93c3e8f5 505void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 506{
af05b30b 507 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 508 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 509
9f5a0d7b 510 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 511
8c1d787b 512 chan->conn = conn;
0139418c 513
5491120e
AE		 514 switch (chan->chan_type) {
515 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 516 /* Alloc CID for connection-oriented socket */
517 chan->scid = l2cap_alloc_cid(conn);
518 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 519 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 520 break;
521
522 case L2CAP_CHAN_CONN_LESS:
0139418c 523 /* Connectionless socket */
fe4128e0
GP		 524 chan->scid = L2CAP_CID_CONN_LESS;
525 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 526 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 527 break;
528
2338a7e0
JH		 529 case L2CAP_CHAN_FIXED:
530 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 531 break;
532
5491120e 533 default:
0139418c 534 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 535 chan->scid = L2CAP_CID_SIGNALING;
536 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 537 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 538 }
539
8f7975b1
AE		 540 chan->local_id = L2CAP_BESTEFFORT_ID;
541 chan->local_stype = L2CAP_SERV_BESTEFFORT;
542 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
543 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
544 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 545 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 546
371fd835 547 l2cap_chan_hold(chan);
baa7e1fa 548
c16900cf
JH		 549 /* Only keep a reference for fixed channels if they requested it */
550 if (chan->chan_type != L2CAP_CHAN_FIXED ||
551 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
552 hci_conn_hold(conn->hcon);
5ee9891d 553
3df91ea2 554 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 555}
556
466f8004 557void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 558{
559 mutex_lock(&conn->chan_lock);
560 __l2cap_chan_add(conn, chan);
3df91ea2 561 mutex_unlock(&conn->chan_lock);
0139418c
MH		 562}
563
466f8004 564void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 565{
8c1d787b 566 struct l2cap_conn *conn = chan->conn;
0139418c 567
c9b66675 568 __clear_chan_timer(chan);
0139418c 569
49208c9c 570 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 571
72847ce0
JH		 572 chan->ops->teardown(chan, err);
573
8e87d142 574 if (conn) {
56f60984 575 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 576 /* Delete from channel list */
3df91ea2 577 list_del(&chan->list);
3d57dc68 578
371fd835 579 l2cap_chan_put(chan);
baa7e1fa 580
8c1d787b 581 chan->conn = NULL;
3cabbfda 582
c16900cf
JH		 583 /* Reference was only held for non-fixed channels or
584 * fixed channels that explicitly requested it using the
585 * FLAG_HOLD_HCI_CONN flag.
586 */
587 if (chan->chan_type != L2CAP_CHAN_FIXED ||
588 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
76a68ba0 589 hci_conn_drop(conn->hcon);
56f60984
AE		 590
591 if (mgr && mgr->bredr_chan == chan)
592 mgr->bredr_chan = NULL;
0139418c
MH		 593 }
594
419e08c1
AE		 595 if (chan->hs_hchan) {
596 struct hci_chan *hs_hchan = chan->hs_hchan;
597
598 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
599 amp_disconnect_logical_link(hs_hchan);
600 }
601
2827011f 602 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 603 return;
2ead70b8 604
ee556f66
GP		 605 switch(chan->mode) {
606 case L2CAP_MODE_BASIC:
607 break;
c13ffa62 608
38319713 609 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 610 skb_queue_purge(&chan->tx_q);
38319713
JH		 611 break;
612
ee556f66 613 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 614 __clear_retrans_timer(chan);
615 __clear_monitor_timer(chan);
616 __clear_ack_timer(chan);
c13ffa62 617
f1c6775b 618 skb_queue_purge(&chan->srej_q);
c13ffa62 619
3c588192
MM		 620 l2cap_seq_list_free(&chan->srej_list);
621 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 622
623 /* fall through */
624
625 case L2CAP_MODE_STREAMING:
626 skb_queue_purge(&chan->tx_q);
627 break;
c13ffa62 628 }
ee556f66
GP		 629
630 return;
0139418c 631}
6b8d4a6a 632EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 633
f3d82d0c 634static void l2cap_conn_update_id_addr(struct work_struct *work)
387a33e3 635{
f3d82d0c
JH		 636 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
637 id_addr_update_work);
638 struct hci_conn *hcon = conn->hcon;
387a33e3
JH		 639 struct l2cap_chan *chan;
640
641 mutex_lock(&conn->chan_lock);
642
643 list_for_each_entry(chan, &conn->chan_l, list) {
644 l2cap_chan_lock(chan);
645 bacpy(&chan->dst, &hcon->dst);
646 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
647 l2cap_chan_unlock(chan);
648 }
649
650 mutex_unlock(&conn->chan_lock);
651}
652
27e2d4c8
JH		 653static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
654{
655 struct l2cap_conn *conn = chan->conn;
656 struct l2cap_le_conn_rsp rsp;
657 u16 result;
658
659 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
660 result = L2CAP_CR_AUTHORIZATION;
661 else
662 result = L2CAP_CR_BAD_PSM;
663
664 l2cap_state_change(chan, BT_DISCONN);
665
666 rsp.dcid = cpu_to_le16(chan->scid);
667 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 668 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 669 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 670 rsp.result = cpu_to_le16(result);
671
672 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
673 &rsp);
674}
675
791d60f7
JH		 676static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
677{
678 struct l2cap_conn *conn = chan->conn;
679 struct l2cap_conn_rsp rsp;
680 u16 result;
681
682 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
683 result = L2CAP_CR_SEC_BLOCK;
684 else
685 result = L2CAP_CR_BAD_PSM;
686
687 l2cap_state_change(chan, BT_DISCONN);
688
689 rsp.scid = cpu_to_le16(chan->dcid);
690 rsp.dcid = cpu_to_le16(chan->scid);
691 rsp.result = cpu_to_le16(result);
dcf4adbf 692 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 693
694 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
695}
696
0f852724 697void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 698{
699 struct l2cap_conn *conn = chan->conn;
4519de9a 700
7eafc59e 701 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 702
89bc500e 703 switch (chan->state) {
4519de9a 704 case BT_LISTEN:
b699ec0d 705 chan->ops->teardown(chan, 0);
4519de9a
GP		 706 break;
707
708 case BT_CONNECTED:
709 case BT_CONFIG:
7b25c9b3 710 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 711 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 712 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 713 } else
714 l2cap_chan_del(chan, reason);
715 break;
716
717 case BT_CONNECT2:
791d60f7
JH		 718 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
719 if (conn->hcon->type == ACL_LINK)
720 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 721 else if (conn->hcon->type == LE_LINK)
722 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 723 }
724
725 l2cap_chan_del(chan, reason);
726 break;
727
728 case BT_CONNECT:
729 case BT_DISCONN:
730 l2cap_chan_del(chan, reason);
731 break;
732
733 default:
b699ec0d 734 chan->ops->teardown(chan, 0);
4519de9a
GP		 735 break;
736 }
737}
6b8d4a6a 738EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 739
4343478f 740static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 741{
6a974b50
MH		 742 switch (chan->chan_type) {
743 case L2CAP_CHAN_RAW:
4343478f 744 switch (chan->sec_level) {
8556edd3 745 case BT_SECURITY_HIGH:
7d513e92 746 case BT_SECURITY_FIPS:
8556edd3
JH		 747 return HCI_AT_DEDICATED_BONDING_MITM;
748 case BT_SECURITY_MEDIUM:
749 return HCI_AT_DEDICATED_BONDING;
750 default:
751 return HCI_AT_NO_BONDING;
752 }
6a974b50 753 break;
3124b843 754 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 755 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 756 if (chan->sec_level == BT_SECURITY_LOW)
757 chan->sec_level = BT_SECURITY_SDP;
758 }
7d513e92
MH		 759 if (chan->sec_level == BT_SECURITY_HIGH ||
760 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 761 return HCI_AT_NO_BONDING_MITM;
762 else
763 return HCI_AT_NO_BONDING;
764 break;
6a974b50 765 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 766 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 767 if (chan->sec_level == BT_SECURITY_LOW)
768 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 769
7d513e92
MH		 770 if (chan->sec_level == BT_SECURITY_HIGH ||
771 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 772 return HCI_AT_NO_BONDING_MITM;
773 else
774 return HCI_AT_NO_BONDING;
775 }
776 /* fall through */
777 default:
4343478f 778 switch (chan->sec_level) {
00ae4af9 779 case BT_SECURITY_HIGH:
7d513e92 780 case BT_SECURITY_FIPS:
8556edd3 781 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 782 case BT_SECURITY_MEDIUM:
8556edd3 783 return HCI_AT_GENERAL_BONDING;
00ae4af9 784 default:
8556edd3 785 return HCI_AT_NO_BONDING;
00ae4af9 786 }
6a974b50 787 break;
0684e5f9 788 }
8556edd3
JH		 789}
790
791/* Service level security */
e7cafc45 792int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 793{
8c1d787b 794 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 795 __u8 auth_type;
796
a17de2fe
JH		 797 if (conn->hcon->type == LE_LINK)
798 return smp_conn_security(conn->hcon, chan->sec_level);
799
4343478f 800 auth_type = l2cap_get_auth_type(chan);
79d554a6 801
e7cafc45
JH		 802 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
803 initiator);
79d554a6
MH		 804}
805
b5ad8b7f 806static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 807{
808 u8 id;
809
810 /* Get next available identificator.
811 * 1 - 128 are used by kernel.
812 * 129 - 199 are reserved.
813 * 200 - 254 are used by utilities like l2ping, etc.
814 */
815
5a54e7c8 816 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 817
818 if (++conn->tx_ident > 128)
819 conn->tx_ident = 1;
820
821 id = conn->tx_ident;
822
5a54e7c8 823 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 824
825 return id;
826}
827
2d792818
GP		 828static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
829 void *data)
4e8402a3
MH		 830{
831 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 832 u8 flags;
4e8402a3
MH		 833
834 BT_DBG("code 0x%2.2x", code);
835
836 if (!skb)
9a9c6a34 837 return;
4e8402a3 838
e702112f
AE		 839 if (lmp_no_flush_capable(conn->hcon->hdev))
840 flags = ACL_START_NO_FLUSH;
841 else
842 flags = ACL_START;
843
14b12d0b 844 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 845 skb->priority = HCI_PRIO_MAX;
14b12d0b 846
73d80deb
LAD		 847 hci_send_acl(conn->hchan, skb, flags);
848}
849
02b0fbb9
MM		 850static bool __chan_is_moving(struct l2cap_chan *chan)
851{
852 return chan->move_state != L2CAP_MOVE_STABLE &&
853 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
854}
855
73d80deb
LAD		 856static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
857{
858 struct hci_conn *hcon = chan->conn->hcon;
859 u16 flags;
860
861 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 862 skb->priority);
73d80deb 863
d5f8a75d
MM		 864 if (chan->hs_hcon && !__chan_is_moving(chan)) {
865 if (chan->hs_hchan)
866 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
867 else
868 kfree_skb(skb);
869
870 return;
871 }
872
73d80deb 873 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 874 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 875 flags = ACL_START_NO_FLUSH;
876 else
877 flags = ACL_START;
14b12d0b 878
73d80deb
LAD		 879 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
880 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 881}
882
b76bbd66
MM		 883static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
884{
885 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
886 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
887
888 if (enh & L2CAP_CTRL_FRAME_TYPE) {
889 /* S-Frame */
890 control->sframe = 1;
891 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
892 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
893
894 control->sar = 0;
895 control->txseq = 0;
896 } else {
897 /* I-Frame */
898 control->sframe = 0;
899 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
900 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
901
902 control->poll = 0;
903 control->super = 0;
904 }
905}
906
b76bbd66
MM		 907static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
908{
909 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
910 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
911
912 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
913 /* S-Frame */
914 control->sframe = 1;
915 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
916 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
917
918 control->sar = 0;
919 control->txseq = 0;
920 } else {
921 /* I-Frame */
922 control->sframe = 0;
923 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
924 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
925
926 control->poll = 0;
927 control->super = 0;
928 }
929}
930
931static inline void __unpack_control(struct l2cap_chan *chan,
932 struct sk_buff *skb)
933{
934 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
935 __unpack_extended_control(get_unaligned_le32(skb->data),
936 &bt_cb(skb)->control);
cec8ab6e 937 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 938 } else {
939 __unpack_enhanced_control(get_unaligned_le16(skb->data),
940 &bt_cb(skb)->control);
cec8ab6e 941 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 942 }
943}
944
b5c6aaed
MM		 945static u32 __pack_extended_control(struct l2cap_ctrl *control)
946{
947 u32 packed;
948
949 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
950 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
951
952 if (control->sframe) {
953 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
954 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
955 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
956 } else {
957 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
958 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
959 }
960
961 return packed;
962}
963
964static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
965{
966 u16 packed;
967
968 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
969 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
970
971 if (control->sframe) {
972 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
973 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
974 packed |= L2CAP_CTRL_FRAME_TYPE;
975 } else {
976 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
977 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
978 }
979
980 return packed;
981}
982
b76bbd66
MM		 983static inline void __pack_control(struct l2cap_chan *chan,
984 struct l2cap_ctrl *control,
985 struct sk_buff *skb)
986{
987 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
988 put_unaligned_le32(__pack_extended_control(control),
989 skb->data + L2CAP_HDR_SIZE);
990 } else {
991 put_unaligned_le16(__pack_enhanced_control(control),
992 skb->data + L2CAP_HDR_SIZE);
993 }
994}
995
ba7aa64f
GP		 996static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
997{
998 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
999 return L2CAP_EXT_HDR_SIZE;
1000 else
1001 return L2CAP_ENH_HDR_SIZE;
1002}
1003
a67d7f6f
MM		 1004static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1005 u32 control)
b5c6aaed
MM		 1006{
1007 struct sk_buff *skb;
1008 struct l2cap_hdr *lh;
ba7aa64f 1009 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1010
1011 if (chan->fcs == L2CAP_FCS_CRC16)
1012 hlen += L2CAP_FCS_SIZE;
1013
a67d7f6f 1014 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1015
b5c6aaed 1016 if (!skb)
a67d7f6f 1017 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1018
1019 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1020 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1021 lh->cid = cpu_to_le16(chan->dcid);
1022
a67d7f6f
MM		 1023 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1024 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1025 else
1026 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1027
1028 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1029 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1030 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1031 }
1032
1033 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1034 return skb;
1035}
1036
1037static void l2cap_send_sframe(struct l2cap_chan *chan,
1038 struct l2cap_ctrl *control)
1039{
1040 struct sk_buff *skb;
1041 u32 control_field;
1042
1043 BT_DBG("chan %p, control %p", chan, control);
1044
1045 if (!control->sframe)
1046 return;
1047
b99e13ad
MM		 1048 if (__chan_is_moving(chan))
1049 return;
1050
a67d7f6f
MM		 1051 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1052 !control->poll)
1053 control->final = 1;
1054
1055 if (control->super == L2CAP_SUPER_RR)
1056 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1057 else if (control->super == L2CAP_SUPER_RNR)
1058 set_bit(CONN_RNR_SENT, &chan->conn_state);
1059
1060 if (control->super != L2CAP_SUPER_SREJ) {
1061 chan->last_acked_seq = control->reqseq;
1062 __clear_ack_timer(chan);
1063 }
1064
1065 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1066 control->final, control->poll, control->super);
1067
1068 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1069 control_field = __pack_extended_control(control);
1070 else
1071 control_field = __pack_enhanced_control(control);
1072
1073 skb = l2cap_create_sframe_pdu(chan, control_field);
1074 if (!IS_ERR(skb))
1075 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1076}
1077
c9e3d5e0 1078static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1079{
c9e3d5e0
MM		 1080 struct l2cap_ctrl control;
1081
1082 BT_DBG("chan %p, poll %d", chan, poll);
1083
1084 memset(&control, 0, sizeof(control));
1085 control.sframe = 1;
1086 control.poll = poll;
1087
1088 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1089 control.super = L2CAP_SUPER_RNR;
1090 else
1091 control.super = L2CAP_SUPER_RR;
b5c6aaed 1092
c9e3d5e0
MM		 1093 control.reqseq = chan->buffer_seq;
1094 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1095}
1096
b4450035 1097static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1098{
5ff6f34d
JH		 1099 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1100 return true;
1101
c1360a1c 1102 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1103}
1104
1df7b17a 1105static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1106{
1df7b17a 1107 struct l2cap_conn *conn = chan->conn;
80d58d0b 1108 struct hci_dev *hdev;
1df7b17a
MH		 1109 bool amp_available = false;
1110
1111 if (!conn->hs_enabled)
1112 return false;
1113
1114 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1115 return false;
80d58d0b
MH		 1116
1117 read_lock(&hci_dev_list_lock);
1df7b17a 1118 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1119 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1120 test_bit(HCI_UP, &hdev->flags)) {
1121 amp_available = true;
1122 break;
1123 }
1124 }
80d58d0b
MH		 1125 read_unlock(&hci_dev_list_lock);
1126
1df7b17a
MH		 1127 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1128 return amp_available;
848566b3
MH		 1129
1130 return false;
93c3e8f5
AE		 1131}
1132
5ce66b59
AE		 1133static bool l2cap_check_efs(struct l2cap_chan *chan)
1134{
1135 /* Check EFS parameters */
1136 return true;
1137}
1138
2766be48 1139void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1140{
1141 struct l2cap_conn *conn = chan->conn;
1142 struct l2cap_conn_req req;
1143
1144 req.scid = cpu_to_le16(chan->scid);
1145 req.psm = chan->psm;
1146
1147 chan->ident = l2cap_get_ident(conn);
1148
1149 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1150
1151 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1152}
1153
8eb200bd
MM		 1154static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1155{
1156 struct l2cap_create_chan_req req;
1157 req.scid = cpu_to_le16(chan->scid);
1158 req.psm = chan->psm;
1159 req.amp_id = amp_id;
1160
1161 chan->ident = l2cap_get_ident(chan->conn);
1162
1163 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1164 sizeof(req), &req);
1165}
1166
02b0fbb9
MM		 1167static void l2cap_move_setup(struct l2cap_chan *chan)
1168{
1169 struct sk_buff *skb;
1170
1171 BT_DBG("chan %p", chan);
1172
1173 if (chan->mode != L2CAP_MODE_ERTM)
1174 return;
1175
1176 __clear_retrans_timer(chan);
1177 __clear_monitor_timer(chan);
1178 __clear_ack_timer(chan);
1179
1180 chan->retry_count = 0;
1181 skb_queue_walk(&chan->tx_q, skb) {
1182 if (bt_cb(skb)->control.retries)
1183 bt_cb(skb)->control.retries = 1;
1184 else
1185 break;
1186 }
1187
1188 chan->expected_tx_seq = chan->buffer_seq;
1189
1190 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1191 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1192 l2cap_seq_list_clear(&chan->retrans_list);
1193 l2cap_seq_list_clear(&chan->srej_list);
1194 skb_queue_purge(&chan->srej_q);
1195
1196 chan->tx_state = L2CAP_TX_STATE_XMIT;
1197 chan->rx_state = L2CAP_RX_STATE_MOVE;
1198
1199 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1200}
1201
5f3847a4
MM		 1202static void l2cap_move_done(struct l2cap_chan *chan)
1203{
1204 u8 move_role = chan->move_role;
1205 BT_DBG("chan %p", chan);
1206
1207 chan->move_state = L2CAP_MOVE_STABLE;
1208 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1209
1210 if (chan->mode != L2CAP_MODE_ERTM)
1211 return;
1212
1213 switch (move_role) {
1214 case L2CAP_MOVE_ROLE_INITIATOR:
1215 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1216 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1217 break;
1218 case L2CAP_MOVE_ROLE_RESPONDER:
1219 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1220 break;
1221 }
1222}
1223
9f0caeb1
VCG		 1224static void l2cap_chan_ready(struct l2cap_chan *chan)
1225{
2827011f 1226 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1227 chan->conf_state = 0;
1228 __clear_chan_timer(chan);
1229
0ce43ce6
JH		 1230 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1231 chan->ops->suspend(chan);
177f8f2b 1232
54a59aa2 1233 chan->state = BT_CONNECTED;
9f0caeb1 1234
fd83e2c2 1235 chan->ops->ready(chan);
9f0caeb1
VCG		 1236}
1237
f1496dee
JH		 1238static void l2cap_le_connect(struct l2cap_chan *chan)
1239{
1240 struct l2cap_conn *conn = chan->conn;
1241 struct l2cap_le_conn_req req;
1242
595177f3
JH		 1243 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1244 return;
1245
f1496dee
JH		 1246 req.psm = chan->psm;
1247 req.scid = cpu_to_le16(chan->scid);
1248 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1249 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1250 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1251
1252 chan->ident = l2cap_get_ident(conn);
1253
1254 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1255 sizeof(req), &req);
1256}
1257
1258static void l2cap_le_start(struct l2cap_chan *chan)
1259{
1260 struct l2cap_conn *conn = chan->conn;
1261
1262 if (!smp_conn_security(conn->hcon, chan->sec_level))
1263 return;
1264
1265 if (!chan->psm) {
1266 l2cap_chan_ready(chan);
1267 return;
1268 }
1269
1270 if (chan->state == BT_CONNECT)
1271 l2cap_le_connect(chan);
1272}
1273
93c3e8f5
AE		 1274static void l2cap_start_connection(struct l2cap_chan *chan)
1275{
1276 if (__amp_capable(chan)) {
1277 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1278 a2mp_discover_amp(chan);
f1496dee
JH		 1279 } else if (chan->conn->hcon->type == LE_LINK) {
1280 l2cap_le_start(chan);
93c3e8f5
AE		 1281 } else {
1282 l2cap_send_conn_req(chan);
1283 }
1284}
1285
aeaeb4bb
JH		 1286static void l2cap_request_info(struct l2cap_conn *conn)
1287{
1288 struct l2cap_info_req req;
1289
1290 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1291 return;
1292
1293 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1294
1295 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1296 conn->info_ident = l2cap_get_ident(conn);
1297
1298 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1299
1300 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1301 sizeof(req), &req);
1302}
1303
fc7f8a7e 1304static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1305{
8c1d787b 1306 struct l2cap_conn *conn = chan->conn;
79d554a6 1307
9f0caeb1 1308 if (conn->hcon->type == LE_LINK) {
96ac34fb 1309 l2cap_le_start(chan);
9f0caeb1
VCG		 1310 return;
1311 }
1312
aeaeb4bb
JH		 1313 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1314 l2cap_request_info(conn);
1315 return;
1316 }
79d554a6 1317
aeaeb4bb
JH		 1318 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1319 return;
79d554a6 1320
aeaeb4bb
JH		 1321 if (l2cap_chan_check_security(chan, true) &&
1322 __l2cap_no_conn_pending(chan))
1323 l2cap_start_connection(chan);
79d554a6
MH		 1324}
1325
cf6c2c0b
GP		 1326static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1327{
1328 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1329 if (!disable_ertm)
cf6c2c0b
GP		 1330 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1331
1332 switch (mode) {
1333 case L2CAP_MODE_ERTM:
1334 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1335 case L2CAP_MODE_STREAMING:
1336 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1337 default:
1338 return 0x00;
1339 }
1340}
1341
5e4e3972 1342static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1343{
5e4e3972 1344 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1345 struct l2cap_disconn_req req;
1346
c13ffa62
GP		 1347 if (!conn)
1348 return;
1349
aad3d0e3 1350 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1351 __clear_retrans_timer(chan);
1352 __clear_monitor_timer(chan);
1353 __clear_ack_timer(chan);
c13ffa62
GP		 1354 }
1355
2338a7e0 1356 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1357 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1358 return;
1359 }
1360
fe4128e0
GP		 1361 req.dcid = cpu_to_le16(chan->dcid);
1362 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1363 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1364 sizeof(req), &req);
c13ffa62 1365
f8e73017 1366 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1367}
1368
1da177e4 1369/* ---- L2CAP connections ---- */
4e8402a3
MH		 1370static void l2cap_conn_start(struct l2cap_conn *conn)
1371{
3df91ea2 1372 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1373
1374 BT_DBG("conn %p", conn);
1375
3df91ea2 1376 mutex_lock(&conn->chan_lock);
4e8402a3 1377
3df91ea2 1378 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1379 l2cap_chan_lock(chan);
4e8402a3 1380
715ec005 1381 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb 1382 l2cap_chan_ready(chan);
6be36555 1383 l2cap_chan_unlock(chan);
79d554a6
MH		 1384 continue;
1385 }
1386
89bc500e 1387 if (chan->state == BT_CONNECT) {
e7cafc45 1388 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1389 !__l2cap_no_conn_pending(chan)) {
6be36555 1390 l2cap_chan_unlock(chan);
47731de7
GP		 1391 continue;
1392 }
79d554a6 1393
c1360a1c 1394 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1395 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1396 &chan->conf_state)) {
89bc500e 1397 l2cap_chan_close(chan, ECONNRESET);
6be36555 1398 l2cap_chan_unlock(chan);
47731de7 1399 continue;
b1235d79 1400 }
47731de7 1401
93c3e8f5 1402 l2cap_start_connection(chan);
47731de7 1403
89bc500e 1404 } else if (chan->state == BT_CONNECT2) {
79d554a6 1405 struct l2cap_conn_rsp rsp;
e9aeb2dd 1406 char buf[128];
fe4128e0
GP		 1407 rsp.scid = cpu_to_le16(chan->dcid);
1408 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1409
e7cafc45 1410 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1411 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1412 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1413 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1414 chan->ops->defer(chan);
f66dc81f
MH		 1415
1416 } else {
acdcabf5 1417 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1418 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1419 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1420 }
79d554a6 1421 } else {
dcf4adbf
JP		 1422 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1423 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1424 }
1425
fc7f8a7e 1426 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1427 sizeof(rsp), &rsp);
e9aeb2dd 1428
c1360a1c 1429 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1430 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1431 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1432 continue;
1433 }
1434
c1360a1c 1435 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1436 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1437 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1438 chan->num_conf_req++;
4e8402a3
MH		 1439 }
1440
6be36555 1441 l2cap_chan_unlock(chan);
4e8402a3
MH		 1442 }
1443
3df91ea2 1444 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1445}
1446
b62f328b
VT		 1447static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1448{
cc8dba2b 1449 struct hci_conn *hcon = conn->hcon;
dcc36c16 1450 struct hci_dev *hdev = hcon->hdev;
b62f328b 1451
e760ec12 1452 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1453
e760ec12
JH		 1454 /* For outgoing pairing which doesn't necessarily have an
1455 * associated socket (e.g. mgmt_pair_device).
1456 */
1457 if (hcon->out)
1458 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1459
80afeb6c
MH		 1460 /* For LE slave connections, make sure the connection interval
1461 * is in the range of the minium and maximum interval that has
1462 * been configured for this connection. If not, then trigger
1463 * the connection update procedure.
1464 */
40bef302 1465 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1466 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1467 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1468 struct l2cap_conn_param_update_req req;
1469
1470 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1471 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1472 req.latency = cpu_to_le16(hcon->le_conn_latency);
1473 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1474
1475 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1476 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1477 }
b62f328b
VT		 1478}
1479
4e8402a3
MH		 1480static void l2cap_conn_ready(struct l2cap_conn *conn)
1481{
48454079 1482 struct l2cap_chan *chan;
cc110922 1483 struct hci_conn *hcon = conn->hcon;
4e8402a3 1484
79d554a6 1485 BT_DBG("conn %p", conn);
4e8402a3 1486
aeaeb4bb
JH		 1487 if (hcon->type == ACL_LINK)
1488 l2cap_request_info(conn);
1489
e760ec12
JH		 1490 mutex_lock(&conn->chan_lock);
1491
3df91ea2 1492 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1493
6be36555 1494 l2cap_chan_lock(chan);
4e8402a3 1495
2338a7e0 1496 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1497 l2cap_chan_unlock(chan);
1498 continue;
1499 }
1500
cc110922 1501 if (hcon->type == LE_LINK) {
f1496dee 1502 l2cap_le_start(chan);
63128451 1503 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb
JH		 1504 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1505 l2cap_chan_ready(chan);
1c244f79 1506 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1507 l2cap_do_start(chan);
1c244f79 1508 }
4e8402a3 1509
6be36555 1510 l2cap_chan_unlock(chan);
4e8402a3 1511 }
79d554a6 1512
3df91ea2 1513 mutex_unlock(&conn->chan_lock);
61a939c6 1514
79a05727
JH		 1515 if (hcon->type == LE_LINK)
1516 l2cap_le_conn_ready(conn);
1517
61a939c6 1518 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1519}
1520
1521/* Notify sockets that we cannot guaranty reliability anymore */
1522static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1523{
48454079 1524 struct l2cap_chan *chan;
4e8402a3
MH		 1525
1526 BT_DBG("conn %p", conn);
1527
3df91ea2 1528 mutex_lock(&conn->chan_lock);
4e8402a3 1529
3df91ea2 1530 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1531 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1532 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1533 }
1534
3df91ea2 1535 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1536}
1537
f878fcad 1538static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1539{
f878fcad 1540 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1541 info_timer.work);
4e8402a3 1542
984947dc 1543 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1544 conn->info_ident = 0;
984947dc 1545
4e8402a3
MH		 1546 l2cap_conn_start(conn);
1547}
1548
2c8e1411
DH		 1549/*
1550 * l2cap_user
1551 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1552 * callback is called during registration. The ->remove callback is called
1553 * during unregistration.
1554 * An l2cap_user object can either be explicitly unregistered or when the
1555 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1556 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1557 * External modules must own a reference to the l2cap_conn object if they intend
1558 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1559 * any time if they don't.
1560 */
1561
1562int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1563{
1564 struct hci_dev *hdev = conn->hcon->hdev;
1565 int ret;
1566
1567 /* We need to check whether l2cap_conn is registered. If it is not, we
1568 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1569 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1570 * relies on the parent hci_conn object to be locked. This itself relies
1571 * on the hci_dev object to be locked. So we must lock the hci device
1572 * here, too. */
1573
1574 hci_dev_lock(hdev);
1575
1576 if (user->list.next || user->list.prev) {
1577 ret = -EINVAL;
1578 goto out_unlock;
1579 }
1580
1581 /* conn->hchan is NULL after l2cap_conn_del() was called */
1582 if (!conn->hchan) {
1583 ret = -ENODEV;
1584 goto out_unlock;
1585 }
1586
1587 ret = user->probe(conn, user);
1588 if (ret)
1589 goto out_unlock;
1590
1591 list_add(&user->list, &conn->users);
1592 ret = 0;
1593
1594out_unlock:
1595 hci_dev_unlock(hdev);
1596 return ret;
1597}
1598EXPORT_SYMBOL(l2cap_register_user);
1599
1600void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1601{
1602 struct hci_dev *hdev = conn->hcon->hdev;
1603
1604 hci_dev_lock(hdev);
1605
1606 if (!user->list.next || !user->list.prev)
1607 goto out_unlock;
1608
1609 list_del(&user->list);
1610 user->list.next = NULL;
1611 user->list.prev = NULL;
1612 user->remove(conn, user);
1613
1614out_unlock:
1615 hci_dev_unlock(hdev);
1616}
1617EXPORT_SYMBOL(l2cap_unregister_user);
1618
1619static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1620{
1621 struct l2cap_user *user;
1622
1623 while (!list_empty(&conn->users)) {
1624 user = list_first_entry(&conn->users, struct l2cap_user, list);
1625 list_del(&user->list);
1626 user->list.next = NULL;
1627 user->list.prev = NULL;
1628 user->remove(conn, user);
1629 }
1630}
1631
5d3de7df
VCG		 1632static void l2cap_conn_del(struct hci_conn *hcon, int err)
1633{
1634 struct l2cap_conn *conn = hcon->l2cap_data;
1635 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1636
1637 if (!conn)
1638 return;
1639
1640 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1641
1642 kfree_skb(conn->rx_skb);
1643
61a939c6 1644 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1645
1646 /* We can not call flush_work(&conn->pending_rx_work) here since we
1647 * might block if we are running on a worker from the same workqueue
1648 * pending_rx_work is waiting on.
1649 */
1650 if (work_pending(&conn->pending_rx_work))
1651 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1652
f3d82d0c
JH		 1653 if (work_pending(&conn->id_addr_update_work))
1654 cancel_work_sync(&conn->id_addr_update_work);
1655
2c8e1411
DH		 1656 l2cap_unregister_all_users(conn);
1657
e31fb860
JH		 1658 /* Force the connection to be immediately dropped */
1659 hcon->disc_timeout = 0;
1660
3df91ea2
AE		 1661 mutex_lock(&conn->chan_lock);
1662
5d3de7df
VCG		 1663 /* Kill channels */
1664 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1665 l2cap_chan_hold(chan);
6be36555
AE		 1666 l2cap_chan_lock(chan);
1667
5d3de7df 1668 l2cap_chan_del(chan, err);
6be36555
AE		 1669
1670 l2cap_chan_unlock(chan);
1671
80b98027 1672 chan->ops->close(chan);
61d6ef3e 1673 l2cap_chan_put(chan);
5d3de7df
VCG		 1674 }
1675
3df91ea2
AE		 1676 mutex_unlock(&conn->chan_lock);
1677
73d80deb
LAD		 1678 hci_chan_del(conn->hchan);
1679
5d3de7df 1680 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1681 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1682
5d3de7df 1683 hcon->l2cap_data = NULL;
9c903e37
DH		 1684 conn->hchan = NULL;
1685 l2cap_conn_put(conn);
5d3de7df
VCG		 1686}
1687
9c903e37
DH		 1688static void l2cap_conn_free(struct kref *ref)
1689{
1690 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1691
1692 hci_conn_put(conn->hcon);
1693 kfree(conn);
1694}
1695
51bb8457 1696struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
9c903e37
DH		 1697{
1698 kref_get(&conn->ref);
51bb8457 1699 return conn;
9c903e37
DH		 1700}
1701EXPORT_SYMBOL(l2cap_conn_get);
1702
1703void l2cap_conn_put(struct l2cap_conn *conn)
1704{
1705 kref_put(&conn->ref, l2cap_conn_free);
1706}
1707EXPORT_SYMBOL(l2cap_conn_put);
1708
1da177e4 1709/* ---- Socket interface ---- */
1da177e4 1710
c2287681 1711/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1712 * Returns closest match.
1713 */
c2287681
IY		 1714static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1715 bdaddr_t *src,
bf20fd4e
JH		 1716 bdaddr_t *dst,
1717 u8 link_type)
1da177e4 1718{
23691d75 1719 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1720
23691d75 1721 read_lock(&chan_list_lock);
e0f0cb56 1722
23691d75 1723 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1724 if (state && c->state != state)
1da177e4
LT		 1725 continue;
1726
bf20fd4e
JH		 1727 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1728 continue;
1729
1730 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1731 continue;
1732
23691d75 1733 if (c->psm == psm) {
c2287681
IY		 1734 int src_match, dst_match;
1735 int src_any, dst_any;
1736
1da177e4 1737 /* Exact match. */
7eafc59e
MH		 1738 src_match = !bacmp(&c->src, src);
1739 dst_match = !bacmp(&c->dst, dst);
c2287681 1740 if (src_match && dst_match) {
a24cce14 1741 l2cap_chan_hold(c);
a7567b20 1742 read_unlock(&chan_list_lock);
23691d75
GP		 1743 return c;
1744 }
1da177e4
LT		 1745
1746 /* Closest match */
7eafc59e
MH		 1747 src_any = !bacmp(&c->src, BDADDR_ANY);
1748 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1749 if ((src_match && dst_any) || (src_any && dst_match) ||
1750 (src_any && dst_any))
23691d75 1751 c1 = c;
1da177e4
LT		 1752 }
1753 }
1da177e4 1754
a24cce14
JH		 1755 if (c1)
1756 l2cap_chan_hold(c1);
1757
23691d75 1758 read_unlock(&chan_list_lock);
e0f0cb56 1759
23691d75 1760 return c1;
1da177e4
LT		 1761}
1762
721c4181 1763static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1764{
721c4181 1765 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1766 monitor_timer.work);
e90bac06 1767
525cd185 1768 BT_DBG("chan %p", chan);
0e98958d 1769
6be36555
AE		 1770 l2cap_chan_lock(chan);
1771
80909e04 1772 if (!chan->conn) {
6be36555 1773 l2cap_chan_unlock(chan);
8d7e1c7f 1774 l2cap_chan_put(chan);
e90bac06
GP		 1775 return;
1776 }
1777
401bb1f7 1778 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1779
6be36555 1780 l2cap_chan_unlock(chan);
8d7e1c7f 1781 l2cap_chan_put(chan);
e90bac06
GP		 1782}
1783
721c4181 1784static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1785{
721c4181 1786 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1787 retrans_timer.work);
e90bac06 1788
49208c9c 1789 BT_DBG("chan %p", chan);
0e98958d 1790
6be36555
AE		 1791 l2cap_chan_lock(chan);
1792
80909e04
MM		 1793 if (!chan->conn) {
1794 l2cap_chan_unlock(chan);
1795 l2cap_chan_put(chan);
1796 return;
1797 }
6be36555 1798
401bb1f7 1799 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1800 l2cap_chan_unlock(chan);
8d7e1c7f 1801 l2cap_chan_put(chan);
e90bac06
GP		 1802}
1803
d660366d
GP		 1804static void l2cap_streaming_send(struct l2cap_chan *chan,
1805 struct sk_buff_head *skbs)
6840ed07 1806{
ccbb84af 1807 struct sk_buff *skb;
3733937d 1808 struct l2cap_ctrl *control;
6840ed07 1809
3733937d
MM		 1810 BT_DBG("chan %p, skbs %p", chan, skbs);
1811
b99e13ad
MM		 1812 if (__chan_is_moving(chan))
1813 return;
1814
3733937d
MM		 1815 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1816
1817 while (!skb_queue_empty(&chan->tx_q)) {
1818
1819 skb = skb_dequeue(&chan->tx_q);
1820
1821 bt_cb(skb)->control.retries = 1;
1822 control = &bt_cb(skb)->control;
1823
1824 control->reqseq = 0;
1825 control->txseq = chan->next_tx_seq;
1826
1827 __pack_control(chan, control, skb);
6840ed07 1828
47d1ec61 1829 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1830 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1831 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1832 }
1833
4343478f 1834 l2cap_do_send(chan, skb);
6840ed07 1835
b4400672 1836 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1837
836be934 1838 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1839 chan->frames_sent++;
6840ed07 1840 }
6840ed07
GP		 1841}
1842
67c9e840 1843static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1844{
1845 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1846 struct l2cap_ctrl *control;
1847 int sent = 0;
1848
1849 BT_DBG("chan %p", chan);
1c2acffb 1850
89bc500e 1851 if (chan->state != BT_CONNECTED)
c13ffa62 1852 return -ENOTCONN;
e90bac06 1853
94122bbe
MM		 1854 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1855 return 0;
1856
b99e13ad
MM		 1857 if (__chan_is_moving(chan))
1858 return 0;
1859
18a48e76
MM		 1860 while (chan->tx_send_head &&
1861 chan->unacked_frames < chan->remote_tx_win &&
1862 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1863
18a48e76 1864 skb = chan->tx_send_head;
e90bac06 1865
18a48e76
MM		 1866 bt_cb(skb)->control.retries = 1;
1867 control = &bt_cb(skb)->control;
95ffa978 1868
e2ab4353 1869 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1870 control->final = 1;
e2ab4353 1871
18a48e76
MM		 1872 control->reqseq = chan->buffer_seq;
1873 chan->last_acked_seq = chan->buffer_seq;
1874 control->txseq = chan->next_tx_seq;
1c2acffb 1875
18a48e76 1876 __pack_control(chan, control, skb);
e90bac06 1877
47d1ec61 1878 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1879 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1880 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1881 }
1882
18a48e76
MM		 1883 /* Clone after data has been modified. Data is assumed to be
1884 read-only (for locking purposes) on cloned sk_buffs.
1885 */
1886 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1887
18a48e76
MM		 1888 if (!tx_skb)
1889 break;
1c2acffb 1890
18a48e76 1891 __set_retrans_timer(chan);
836be934
AE		 1892
1893 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1894 chan->unacked_frames++;
6a026610 1895 chan->frames_sent++;
18a48e76 1896 sent++;
1c2acffb 1897
58d35f87
GP		 1898 if (skb_queue_is_last(&chan->tx_q, skb))
1899 chan->tx_send_head = NULL;
1c2acffb 1900 else
58d35f87 1901 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1902
1903 l2cap_do_send(chan, tx_skb);
b4400672 1904 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1905 }
1906
b4400672
AE		 1907 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1908 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1909
1910 return sent;
9e917af1
GP		 1911}
1912
e1fbd4c1
MM		 1913static void l2cap_ertm_resend(struct l2cap_chan *chan)
1914{
1915 struct l2cap_ctrl control;
1916 struct sk_buff *skb;
1917 struct sk_buff *tx_skb;
1918 u16 seq;
1919
1920 BT_DBG("chan %p", chan);
1921
1922 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1923 return;
1924
b99e13ad
MM		 1925 if (__chan_is_moving(chan))
1926 return;
1927
e1fbd4c1
MM		 1928 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1929 seq = l2cap_seq_list_pop(&chan->retrans_list);
1930
1931 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1932 if (!skb) {
1933 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1934 seq);
e1fbd4c1
MM		 1935 continue;
1936 }
1937
1938 bt_cb(skb)->control.retries++;
1939 control = bt_cb(skb)->control;
1940
1941 if (chan->max_tx != 0 &&
1942 bt_cb(skb)->control.retries > chan->max_tx) {
1943 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1944 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1945 l2cap_seq_list_clear(&chan->retrans_list);
1946 break;
1947 }
1948
1949 control.reqseq = chan->buffer_seq;
1950 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1951 control.final = 1;
1952 else
1953 control.final = 0;
1954
1955 if (skb_cloned(skb)) {
1956 /* Cloned sk_buffs are read-only, so we need a
1957 * writeable copy
1958 */
8bcde1f2 1959 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1960 } else {
8bcde1f2 1961 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1962 }
1963
1964 if (!tx_skb) {
1965 l2cap_seq_list_clear(&chan->retrans_list);
1966 break;
1967 }
1968
1969 /* Update skb contents */
1970 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1971 put_unaligned_le32(__pack_extended_control(&control),
1972 tx_skb->data + L2CAP_HDR_SIZE);
1973 } else {
1974 put_unaligned_le16(__pack_enhanced_control(&control),
1975 tx_skb->data + L2CAP_HDR_SIZE);
1976 }
1977
13cac152 1978 /* Update FCS */
e1fbd4c1 1979 if (chan->fcs == L2CAP_FCS_CRC16) {
13cac152
LR		 1980 u16 fcs = crc16(0, (u8 *) tx_skb->data,
1981 tx_skb->len - L2CAP_FCS_SIZE);
1982 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1983 L2CAP_FCS_SIZE);
e1fbd4c1
MM		 1984 }
1985
1986 l2cap_do_send(chan, tx_skb);
1987
1988 BT_DBG("Resent txseq %d", control.txseq);
1989
1990 chan->last_acked_seq = chan->buffer_seq;
1991 }
1992}
1993
f80842a8
MM		 1994static void l2cap_retransmit(struct l2cap_chan *chan,
1995 struct l2cap_ctrl *control)
1996{
1997 BT_DBG("chan %p, control %p", chan, control);
1998
1999 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2000 l2cap_ertm_resend(chan);
2001}
2002
d2a7ac5d
MM		 2003static void l2cap_retransmit_all(struct l2cap_chan *chan,
2004 struct l2cap_ctrl *control)
2005{
e1fbd4c1
MM		 2006 struct sk_buff *skb;
2007
2008 BT_DBG("chan %p, control %p", chan, control);
2009
2010 if (control->poll)
2011 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2012
2013 l2cap_seq_list_clear(&chan->retrans_list);
2014
2015 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2016 return;
2017
2018 if (chan->unacked_frames) {
2019 skb_queue_walk(&chan->tx_q, skb) {
2020 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2021 skb == chan->tx_send_head)
e1fbd4c1
MM		 2022 break;
2023 }
2024
2025 skb_queue_walk_from(&chan->tx_q, skb) {
2026 if (skb == chan->tx_send_head)
2027 break;
2028
2029 l2cap_seq_list_append(&chan->retrans_list,
2030 bt_cb(skb)->control.txseq);
2031 }
2032
2033 l2cap_ertm_resend(chan);
2034 }
d2a7ac5d
MM		 2035}
2036
0a0aba42 2037static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2038{
0a0aba42
MM		 2039 struct l2cap_ctrl control;
2040 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2041 chan->last_acked_seq);
2042 int threshold;
9e917af1 2043
0a0aba42
MM		 2044 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2045 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2046
0a0aba42
MM		 2047 memset(&control, 0, sizeof(control));
2048 control.sframe = 1;
dfc909be 2049
0a0aba42
MM		 2050 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2051 chan->rx_state == L2CAP_RX_STATE_RECV) {
2052 __clear_ack_timer(chan);
2053 control.super = L2CAP_SUPER_RNR;
2054 control.reqseq = chan->buffer_seq;
2055 l2cap_send_sframe(chan, &control);
2056 } else {
2057 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2058 l2cap_ertm_send(chan);
2059 /* If any i-frames were sent, they included an ack */
2060 if (chan->buffer_seq == chan->last_acked_seq)
2061 frames_to_ack = 0;
2062 }
dfc909be 2063
c20f8e35 2064 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2065 * Calculate without mul or div
2066 */
c20f8e35 2067 threshold = chan->ack_win;
0a0aba42
MM		 2068 threshold += threshold << 1;
2069 threshold >>= 2;
2070
b4400672 2071 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2072 threshold);
2073
2074 if (frames_to_ack >= threshold) {
2075 __clear_ack_timer(chan);
2076 control.super = L2CAP_SUPER_RR;
2077 control.reqseq = chan->buffer_seq;
2078 l2cap_send_sframe(chan, &control);
2079 frames_to_ack = 0;
2080 }
1c2acffb 2081
0a0aba42
MM		 2082 if (frames_to_ack)
2083 __set_ack_timer(chan);
2084 }
b17e73bb
SJ		 2085}
2086
04124681
GP		 2087static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2088 struct msghdr *msg, int len,
2089 int count, struct sk_buff *skb)
1c2acffb 2090{
0952a57a 2091 struct l2cap_conn *conn = chan->conn;
1c2acffb 2092 struct sk_buff **frag;
90338947 2093 int sent = 0;
1da177e4 2094
0498878b
JR		 2095 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2096 msg->msg_iov, count))
1c2acffb 2097 return -EFAULT;
1da177e4
LT		 2098
2099 sent += count;
2100 len -= count;
2101
2102 /* Continuation fragments (no L2CAP header) */
2103 frag = &skb_shinfo(skb)->frag_list;
2104 while (len) {
fbe00700
GP		 2105 struct sk_buff *tmp;
2106
1da177e4
LT		 2107 count = min_t(unsigned int, conn->mtu, len);
2108
d9fbd02b 2109 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2110 msg->msg_flags & MSG_DONTWAIT);
2111 if (IS_ERR(tmp))
2112 return PTR_ERR(tmp);
2113
2114 *frag = tmp;
2f7719ce 2115
0498878b
JR		 2116 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2117 msg->msg_iov, count))
1c2acffb 2118 return -EFAULT;
1da177e4
LT		 2119
2120 sent += count;
2121 len -= count;
2122
2d0ed3d5
GP		 2123 skb->len += (*frag)->len;
2124 skb->data_len += (*frag)->len;
2125
1da177e4
LT		 2126 frag = &(*frag)->next;
2127 }
1da177e4
LT		 2128
2129 return sent;
1c2acffb 2130}
1da177e4 2131
5e59b791 2132static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2133 struct msghdr *msg, size_t len)
1c2acffb 2134{
8c1d787b 2135 struct l2cap_conn *conn = chan->conn;
1c2acffb 2136 struct sk_buff *skb;
03a51213 2137 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2138 struct l2cap_hdr *lh;
2139
8d46321c
MH		 2140 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2141 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2142
2143 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2144
d9fbd02b 2145 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2146 msg->msg_flags & MSG_DONTWAIT);
2147 if (IS_ERR(skb))
2148 return skb;
1c2acffb
GP		 2149
2150 /* Create L2CAP header */
2151 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2152 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2153 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2154 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2155
0952a57a 2156 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2157 if (unlikely(err < 0)) {
2158 kfree_skb(skb);
2159 return ERR_PTR(err);
2160 }
2161 return skb;
2162}
2163
5e59b791 2164static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2165 struct msghdr *msg, size_t len)
1c2acffb 2166{
8c1d787b 2167 struct l2cap_conn *conn = chan->conn;
1c2acffb 2168 struct sk_buff *skb;
f2ba7fae 2169 int err, count;
1c2acffb
GP		 2170 struct l2cap_hdr *lh;
2171
b4400672 2172 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2173
f2ba7fae 2174 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2175
d9fbd02b 2176 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2177 msg->msg_flags & MSG_DONTWAIT);
2178 if (IS_ERR(skb))
2179 return skb;
1c2acffb
GP		 2180
2181 /* Create L2CAP header */
2182 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2183 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2184 lh->len = cpu_to_le16(len);
1c2acffb 2185
0952a57a 2186 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2187 if (unlikely(err < 0)) {
2188 kfree_skb(skb);
2189 return ERR_PTR(err);
2190 }
2191 return skb;
2192}
2193
ab0ff76d 2194static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2195 struct msghdr *msg, size_t len,
2196 u16 sdulen)
1c2acffb 2197{
8c1d787b 2198 struct l2cap_conn *conn = chan->conn;
1c2acffb 2199 struct sk_buff *skb;
e4ca6d98 2200 int err, count, hlen;
1c2acffb
GP		 2201 struct l2cap_hdr *lh;
2202
b4400672 2203 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2204
0ee0d208
GP		 2205 if (!conn)
2206 return ERR_PTR(-ENOTCONN);
2207
ba7aa64f 2208 hlen = __ertm_hdr_size(chan);
e4ca6d98 2209
c74e560c 2210 if (sdulen)
03a51213 2211 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2212
47d1ec61 2213 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2214 hlen += L2CAP_FCS_SIZE;
fcc203c3 2215
1c2acffb 2216 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2217
d9fbd02b 2218 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2219 msg->msg_flags & MSG_DONTWAIT);
2220 if (IS_ERR(skb))
2221 return skb;
1c2acffb
GP		 2222
2223 /* Create L2CAP header */
2224 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2225 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2226 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2227
18a48e76
MM		 2228 /* Control header is populated later */
2229 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2230 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2231 else
2232 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2233
c74e560c 2234 if (sdulen)
03a51213 2235 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2236
0952a57a 2237 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2238 if (unlikely(err < 0)) {
2239 kfree_skb(skb);
2240 return ERR_PTR(err);
2241 }
e90bac06 2242
18a48e76 2243 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2244 bt_cb(skb)->control.retries = 0;
1c2acffb 2245 return skb;
1da177e4
LT		 2246}
2247
94122bbe
MM		 2248static int l2cap_segment_sdu(struct l2cap_chan *chan,
2249 struct sk_buff_head *seg_queue,
2250 struct msghdr *msg, size_t len)
c74e560c 2251{
c74e560c 2252 struct sk_buff *skb;
94122bbe
MM		 2253 u16 sdu_len;
2254 size_t pdu_len;
94122bbe 2255 u8 sar;
c74e560c 2256
b4400672 2257 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2258
94122bbe
MM		 2259 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2260 * so fragmented skbs are not used. The HCI layer's handling
2261 * of fragmented skbs is not compatible with ERTM's queueing.
2262 */
c74e560c 2263
94122bbe
MM		 2264 /* PDU size is derived from the HCI MTU */
2265 pdu_len = chan->conn->mtu;
c74e560c 2266
a549574d
MM		 2267 /* Constrain PDU size for BR/EDR connections */
2268 if (!chan->hs_hcon)
2269 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2270
2271 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2272 if (chan->fcs)
2273 pdu_len -= L2CAP_FCS_SIZE;
2274
ba7aa64f 2275 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2276
2277 /* Remote device may have requested smaller PDUs */
2278 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2279
2280 if (len <= pdu_len) {
2281 sar = L2CAP_SAR_UNSEGMENTED;
2282 sdu_len = 0;
2283 pdu_len = len;
2284 } else {
2285 sar = L2CAP_SAR_START;
2286 sdu_len = len;
94122bbe
MM		 2287 }
2288
2289 while (len > 0) {
2290 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2291
c74e560c 2292 if (IS_ERR(skb)) {
94122bbe 2293 __skb_queue_purge(seg_queue);
c74e560c
GP		 2294 return PTR_ERR(skb);
2295 }
2296
94122bbe
MM		 2297 bt_cb(skb)->control.sar = sar;
2298 __skb_queue_tail(seg_queue, skb);
2299
2300 len -= pdu_len;
069cb270 2301 if (sdu_len)
94122bbe 2302 sdu_len = 0;
94122bbe
MM		 2303
2304 if (len <= pdu_len) {
2305 sar = L2CAP_SAR_END;
2306 pdu_len = len;
2307 } else {
2308 sar = L2CAP_SAR_CONTINUE;
2309 }
c74e560c 2310 }
c74e560c 2311
f0f62799 2312 return 0;
c74e560c
GP		 2313}
2314
177f8f2b
JH		 2315static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2316 struct msghdr *msg,
2317 size_t len, u16 sdulen)
2318{
2319 struct l2cap_conn *conn = chan->conn;
2320 struct sk_buff *skb;
2321 int err, count, hlen;
2322 struct l2cap_hdr *lh;
2323
2324 BT_DBG("chan %p len %zu", chan, len);
2325
2326 if (!conn)
2327 return ERR_PTR(-ENOTCONN);
2328
2329 hlen = L2CAP_HDR_SIZE;
2330
2331 if (sdulen)
2332 hlen += L2CAP_SDULEN_SIZE;
2333
2334 count = min_t(unsigned int, (conn->mtu - hlen), len);
2335
d9fbd02b 2336 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2337 msg->msg_flags & MSG_DONTWAIT);
2338 if (IS_ERR(skb))
2339 return skb;
2340
2341 /* Create L2CAP header */
2342 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2343 lh->cid = cpu_to_le16(chan->dcid);
2344 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2345
2346 if (sdulen)
2347 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2348
2349 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2350 if (unlikely(err < 0)) {
2351 kfree_skb(skb);
2352 return ERR_PTR(err);
2353 }
2354
2355 return skb;
2356}
2357
2358static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2359 struct sk_buff_head *seg_queue,
2360 struct msghdr *msg, size_t len)
2361{
2362 struct sk_buff *skb;
2363 size_t pdu_len;
2364 u16 sdu_len;
2365
2366 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2367
177f8f2b 2368 sdu_len = len;
72c6fb91 2369 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
177f8f2b
JH		 2370
2371 while (len > 0) {
2372 if (len <= pdu_len)
2373 pdu_len = len;
2374
2375 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2376 if (IS_ERR(skb)) {
2377 __skb_queue_purge(seg_queue);
2378 return PTR_ERR(skb);
2379 }
2380
2381 __skb_queue_tail(seg_queue, skb);
2382
2383 len -= pdu_len;
2384
2385 if (sdu_len) {
2386 sdu_len = 0;
2387 pdu_len += L2CAP_SDULEN_SIZE;
2388 }
2389 }
2390
2391 return 0;
2392}
2393
8d46321c 2394int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2395{
9a91a04a 2396 struct sk_buff *skb;
9a91a04a 2397 int err;
94122bbe 2398 struct sk_buff_head seg_queue;
9a91a04a 2399
31e8ce80
SWK		 2400 if (!chan->conn)
2401 return -ENOTCONN;
2402
9a91a04a 2403 /* Connectionless channel */
715ec005 2404 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2405 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2406 if (IS_ERR(skb))
2407 return PTR_ERR(skb);
2408
ede81a2a
AK		 2409 /* Channel lock is released before requesting new skb and then
2410 * reacquired thus we need to recheck channel state.
2411 */
2412 if (chan->state != BT_CONNECTED) {
2413 kfree_skb(skb);
2414 return -ENOTCONN;
2415 }
2416
9a91a04a
GP		 2417 l2cap_do_send(chan, skb);
2418 return len;
2419 }
2420
2421 switch (chan->mode) {
38319713 2422 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2423 /* Check outgoing MTU */
2424 if (len > chan->omtu)
2425 return -EMSGSIZE;
2426
fad5fc89
JH		 2427 if (!chan->tx_credits)
2428 return -EAGAIN;
2429
177f8f2b
JH		 2430 __skb_queue_head_init(&seg_queue);
2431
2432 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2433
2434 if (chan->state != BT_CONNECTED) {
2435 __skb_queue_purge(&seg_queue);
2436 err = -ENOTCONN;
2437 }
2438
2439 if (err)
2440 return err;
2441
2442 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2443
2444 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2445 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2446 chan->tx_credits--;
2447 }
2448
2449 if (!chan->tx_credits)
2450 chan->ops->suspend(chan);
2451
2452 err = len;
2453
2454 break;
2455
fad5fc89 2456 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2457 /* Check outgoing MTU */
2458 if (len > chan->omtu)
2459 return -EMSGSIZE;
2460
2461 /* Create a basic PDU */
8d46321c 2462 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2463 if (IS_ERR(skb))
2464 return PTR_ERR(skb);
2465
ede81a2a
AK		 2466 /* Channel lock is released before requesting new skb and then
2467 * reacquired thus we need to recheck channel state.
2468 */
2469 if (chan->state != BT_CONNECTED) {
2470 kfree_skb(skb);
2471 return -ENOTCONN;
2472 }
2473
9a91a04a
GP		 2474 l2cap_do_send(chan, skb);
2475 err = len;
2476 break;
2477
2478 case L2CAP_MODE_ERTM:
2479 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2480 /* Check outgoing MTU */
2481 if (len > chan->omtu) {
2482 err = -EMSGSIZE;
2483 break;
2484 }
9a91a04a 2485
94122bbe 2486 __skb_queue_head_init(&seg_queue);
9a91a04a 2487
94122bbe
MM		 2488 /* Do segmentation before calling in to the state machine,
2489 * since it's possible to block while waiting for memory
2490 * allocation.
2491 */
2492 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2493
94122bbe
MM		 2494 /* The channel could have been closed while segmenting,
2495 * check that it is still connected.
2496 */
2497 if (chan->state != BT_CONNECTED) {
2498 __skb_queue_purge(&seg_queue);
2499 err = -ENOTCONN;
9a91a04a
GP		 2500 }
2501
94122bbe 2502 if (err)
9a91a04a 2503 break;
9a91a04a 2504
3733937d 2505 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2506 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2507 else
d660366d 2508 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2509
d660366d 2510 err = len;
9a91a04a 2511
94122bbe
MM		 2512 /* If the skbs were not queued for sending, they'll still be in
2513 * seg_queue and need to be purged.
2514 */
2515 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2516 break;
2517
2518 default:
2519 BT_DBG("bad state %1.1x", chan->mode);
2520 err = -EBADFD;
2521 }
2522
2523 return err;
2524}
6b8d4a6a 2525EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2526
d2a7ac5d
MM		 2527static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2528{
bed68bde
MM		 2529 struct l2cap_ctrl control;
2530 u16 seq;
2531
b4400672 2532 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2533
2534 memset(&control, 0, sizeof(control));
2535 control.sframe = 1;
2536 control.super = L2CAP_SUPER_SREJ;
2537
2538 for (seq = chan->expected_tx_seq; seq != txseq;
2539 seq = __next_seq(chan, seq)) {
2540 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2541 control.reqseq = seq;
2542 l2cap_send_sframe(chan, &control);
2543 l2cap_seq_list_append(&chan->srej_list, seq);
2544 }
2545 }
2546
2547 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2548}
2549
2550static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2551{
bed68bde
MM		 2552 struct l2cap_ctrl control;
2553
2554 BT_DBG("chan %p", chan);
2555
2556 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2557 return;
2558
2559 memset(&control, 0, sizeof(control));
2560 control.sframe = 1;
2561 control.super = L2CAP_SUPER_SREJ;
2562 control.reqseq = chan->srej_list.tail;
2563 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2564}
2565
2566static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2567{
bed68bde
MM		 2568 struct l2cap_ctrl control;
2569 u16 initial_head;
2570 u16 seq;
2571
b4400672 2572 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2573
2574 memset(&control, 0, sizeof(control));
2575 control.sframe = 1;
2576 control.super = L2CAP_SUPER_SREJ;
2577
2578 /* Capture initial list head to allow only one pass through the list. */
2579 initial_head = chan->srej_list.head;
2580
2581 do {
2582 seq = l2cap_seq_list_pop(&chan->srej_list);
2583 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2584 break;
2585
2586 control.reqseq = seq;
2587 l2cap_send_sframe(chan, &control);
2588 l2cap_seq_list_append(&chan->srej_list, seq);
2589 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2590}
2591
608bcc6d
MM		 2592static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2593{
2594 struct sk_buff *acked_skb;
2595 u16 ackseq;
2596
b4400672 2597 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2598
2599 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2600 return;
2601
b4400672 2602 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2603 chan->expected_ack_seq, chan->unacked_frames);
2604
2605 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2606 ackseq = __next_seq(chan, ackseq)) {
2607
2608 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2609 if (acked_skb) {
2610 skb_unlink(acked_skb, &chan->tx_q);
2611 kfree_skb(acked_skb);
2612 chan->unacked_frames--;
2613 }
2614 }
2615
2616 chan->expected_ack_seq = reqseq;
2617
2618 if (chan->unacked_frames == 0)
2619 __clear_retrans_timer(chan);
2620
b4400672 2621 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2622}
2623
2624static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2625{
2626 BT_DBG("chan %p", chan);
2627
2628 chan->expected_tx_seq = chan->buffer_seq;
2629 l2cap_seq_list_clear(&chan->srej_list);
2630 skb_queue_purge(&chan->srej_q);
2631 chan->rx_state = L2CAP_RX_STATE_RECV;
2632}
2633
d660366d
GP		 2634static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2635 struct l2cap_ctrl *control,
2636 struct sk_buff_head *skbs, u8 event)
608bcc6d 2637{
608bcc6d
MM		 2638 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2639 event);
2640
2641 switch (event) {
2642 case L2CAP_EV_DATA_REQUEST:
2643 if (chan->tx_send_head == NULL)
2644 chan->tx_send_head = skb_peek(skbs);
2645
2646 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2647 l2cap_ertm_send(chan);
2648 break;
2649 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2650 BT_DBG("Enter LOCAL_BUSY");
2651 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2652
2653 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2654 /* The SREJ_SENT state must be aborted if we are to
2655 * enter the LOCAL_BUSY state.
2656 */
2657 l2cap_abort_rx_srej_sent(chan);
2658 }
2659
2660 l2cap_send_ack(chan);
2661
2662 break;
2663 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2664 BT_DBG("Exit LOCAL_BUSY");
2665 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2666
2667 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2668 struct l2cap_ctrl local_control;
2669
2670 memset(&local_control, 0, sizeof(local_control));
2671 local_control.sframe = 1;
2672 local_control.super = L2CAP_SUPER_RR;
2673 local_control.poll = 1;
2674 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2675 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2676
2677 chan->retry_count = 1;
2678 __set_monitor_timer(chan);
2679 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2680 }
2681 break;
2682 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2683 l2cap_process_reqseq(chan, control->reqseq);
2684 break;
2685 case L2CAP_EV_EXPLICIT_POLL:
2686 l2cap_send_rr_or_rnr(chan, 1);
2687 chan->retry_count = 1;
2688 __set_monitor_timer(chan);
2689 __clear_ack_timer(chan);
2690 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2691 break;
2692 case L2CAP_EV_RETRANS_TO:
2693 l2cap_send_rr_or_rnr(chan, 1);
2694 chan->retry_count = 1;
2695 __set_monitor_timer(chan);
2696 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2697 break;
2698 case L2CAP_EV_RECV_FBIT:
2699 /* Nothing to process */
2700 break;
2701 default:
2702 break;
2703 }
608bcc6d
MM		 2704}
2705
d660366d
GP		 2706static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2707 struct l2cap_ctrl *control,
2708 struct sk_buff_head *skbs, u8 event)
608bcc6d 2709{
608bcc6d
MM		 2710 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2711 event);
2712
2713 switch (event) {
2714 case L2CAP_EV_DATA_REQUEST:
2715 if (chan->tx_send_head == NULL)
2716 chan->tx_send_head = skb_peek(skbs);
2717 /* Queue data, but don't send. */
2718 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2719 break;
2720 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2721 BT_DBG("Enter LOCAL_BUSY");
2722 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2723
2724 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2725 /* The SREJ_SENT state must be aborted if we are to
2726 * enter the LOCAL_BUSY state.
2727 */
2728 l2cap_abort_rx_srej_sent(chan);
2729 }
2730
2731 l2cap_send_ack(chan);
2732
2733 break;
2734 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2735 BT_DBG("Exit LOCAL_BUSY");
2736 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2737
2738 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2739 struct l2cap_ctrl local_control;
2740 memset(&local_control, 0, sizeof(local_control));
2741 local_control.sframe = 1;
2742 local_control.super = L2CAP_SUPER_RR;
2743 local_control.poll = 1;
2744 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2745 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2746
2747 chan->retry_count = 1;
2748 __set_monitor_timer(chan);
2749 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2750 }
2751 break;
2752 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2753 l2cap_process_reqseq(chan, control->reqseq);
2754
2755 /* Fall through */
2756
2757 case L2CAP_EV_RECV_FBIT:
2758 if (control && control->final) {
2759 __clear_monitor_timer(chan);
2760 if (chan->unacked_frames > 0)
2761 __set_retrans_timer(chan);
2762 chan->retry_count = 0;
2763 chan->tx_state = L2CAP_TX_STATE_XMIT;
2764 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2765 }
2766 break;
2767 case L2CAP_EV_EXPLICIT_POLL:
2768 /* Ignore */
2769 break;
2770 case L2CAP_EV_MONITOR_TO:
2771 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2772 l2cap_send_rr_or_rnr(chan, 1);
2773 __set_monitor_timer(chan);
2774 chan->retry_count++;
2775 } else {
5e4e3972 2776 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2777 }
2778 break;
2779 default:
2780 break;
2781 }
608bcc6d
MM		 2782}
2783
d660366d
GP		 2784static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2785 struct sk_buff_head *skbs, u8 event)
608bcc6d 2786{
608bcc6d
MM		 2787 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2788 chan, control, skbs, event, chan->tx_state);
2789
2790 switch (chan->tx_state) {
2791 case L2CAP_TX_STATE_XMIT:
d660366d 2792 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2793 break;
2794 case L2CAP_TX_STATE_WAIT_F:
d660366d 2795 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2796 break;
2797 default:
2798 /* Ignore event */
2799 break;
2800 }
608bcc6d
MM		 2801}
2802
4b51dae9
MM		 2803static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2804 struct l2cap_ctrl *control)
2805{
2806 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2807 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2808}
2809
f80842a8
MM		 2810static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2811 struct l2cap_ctrl *control)
2812{
2813 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2814 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2815}
2816
1da177e4
LT		 2817/* Copy frame to all raw sockets on that connection */
2818static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2819{
1da177e4 2820 struct sk_buff *nskb;
48454079 2821 struct l2cap_chan *chan;
1da177e4
LT		 2822
2823 BT_DBG("conn %p", conn);
2824
3df91ea2 2825 mutex_lock(&conn->chan_lock);
3d57dc68 2826
3df91ea2 2827 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2828 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2829 continue;
2830
7f5396a7
GP		 2831 /* Don't send frame to the channel it came from */
2832 if (bt_cb(skb)->chan == chan)
1da177e4 2833 continue;
7f5396a7 2834
8bcde1f2 2835 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2836 if (!nskb)
1da177e4 2837 continue;
80b98027 2838 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2839 kfree_skb(nskb);
2840 }
3d57dc68 2841
3df91ea2 2842 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2843}
2844
2845/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2846static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2847 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2848{
2849 struct sk_buff *skb, **frag;
2850 struct l2cap_cmd_hdr *cmd;
2851 struct l2cap_hdr *lh;
2852 int len, count;
2853
b4400672
AE		 2854 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2855 conn, code, ident, dlen);
1da177e4 2856
300b962e
AL		 2857 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2858 return NULL;
2859
1da177e4
LT		 2860 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2861 count = min_t(unsigned int, conn->mtu, len);
2862
8bcde1f2 2863 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2864 if (!skb)
2865 return NULL;
2866
2867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2868 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2869
2870 if (conn->hcon->type == LE_LINK)
dcf4adbf 2871 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2872 else
dcf4adbf 2873 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2874
2875 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2876 cmd->code = code;
2877 cmd->ident = ident;
aca3192c 2878 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2879
2880 if (dlen) {
2881 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2882 memcpy(skb_put(skb, count), data, count);
2883 data += count;
2884 }
2885
2886 len -= skb->len;
2887
2888 /* Continuation fragments (no L2CAP header) */
2889 frag = &skb_shinfo(skb)->frag_list;
2890 while (len) {
2891 count = min_t(unsigned int, conn->mtu, len);
2892
8bcde1f2 2893 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2894 if (!*frag)
2895 goto fail;
2896
2897 memcpy(skb_put(*frag, count), data, count);
2898
2899 len -= count;
2900 data += count;
2901
2902 frag = &(*frag)->next;
2903 }
2904
2905 return skb;
2906
2907fail:
2908 kfree_skb(skb);
2909 return NULL;
2910}
2911
2d792818
GP		 2912static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2913 unsigned long *val)
1da177e4
LT		 2914{
2915 struct l2cap_conf_opt *opt = *ptr;
2916 int len;
2917
2918 len = L2CAP_CONF_OPT_SIZE + opt->len;
2919 *ptr += len;
2920
2921 *type = opt->type;
2922 *olen = opt->len;
2923
2924 switch (opt->len) {
2925 case 1:
2926 *val = *((u8 *) opt->val);
2927 break;
2928
2929 case 2:
bfaaeb3e 2930 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2931 break;
2932
2933 case 4:
bfaaeb3e 2934 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2935 break;
2936
2937 default:
2938 *val = (unsigned long) opt->val;
2939 break;
2940 }
2941
b4400672 2942 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2943 return len;
2944}
2945
1da177e4
LT		 2946static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2947{
2948 struct l2cap_conf_opt *opt = *ptr;
2949
b4400672 2950 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2951
2952 opt->type = type;
2953 opt->len = len;
2954
2955 switch (len) {
2956 case 1:
2957 *((u8 *) opt->val) = val;
2958 break;
2959
2960 case 2:
4f8b691c 2961 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2962 break;
2963
2964 case 4:
4f8b691c 2965 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2966 break;
2967
2968 default:
2969 memcpy(opt->val, (void *) val, len);
2970 break;
2971 }
2972
2973 *ptr += L2CAP_CONF_OPT_SIZE + len;
2974}
2975
f89cef09
AE		 2976static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2977{
2978 struct l2cap_conf_efs efs;
2979
1ec918ce 2980 switch (chan->mode) {
f89cef09
AE		 2981 case L2CAP_MODE_ERTM:
2982 efs.id = chan->local_id;
2983 efs.stype = chan->local_stype;
2984 efs.msdu = cpu_to_le16(chan->local_msdu);
2985 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2986 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2987 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2988 break;
2989
2990 case L2CAP_MODE_STREAMING:
2991 efs.id = 1;
2992 efs.stype = L2CAP_SERV_BESTEFFORT;
2993 efs.msdu = cpu_to_le16(chan->local_msdu);
2994 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2995 efs.acc_lat = 0;
2996 efs.flush_to = 0;
2997 break;
2998
2999 default:
3000 return;
3001 }
3002
3003 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3004 (unsigned long) &efs);
f89cef09
AE		 3005}
3006
721c4181 3007static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3008{
721c4181 3009 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3010 ack_timer.work);
3011 u16 frames_to_ack;
c1b4f43b 3012
2fb9b3d4
GP		 3013 BT_DBG("chan %p", chan);
3014
6be36555
AE		 3015 l2cap_chan_lock(chan);
3016
0362520b
MM		 3017 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3018 chan->last_acked_seq);
6be36555 3019
0362520b
MM		 3020 if (frames_to_ack)
3021 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3022
0362520b 3023 l2cap_chan_unlock(chan);
09bfb2ee 3024 l2cap_chan_put(chan);
c1b4f43b
GP		 3025}
3026
466f8004 3027int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3028{
3c588192
MM		 3029 int err;
3030
105bdf9e
MM		 3031 chan->next_tx_seq = 0;
3032 chan->expected_tx_seq = 0;
42e5c802 3033 chan->expected_ack_seq = 0;
6a026610 3034 chan->unacked_frames = 0;
42e5c802 3035 chan->buffer_seq = 0;
6a026610 3036 chan->frames_sent = 0;
105bdf9e
MM		 3037 chan->last_acked_seq = 0;
3038 chan->sdu = NULL;
3039 chan->sdu_last_frag = NULL;
3040 chan->sdu_len = 0;
3041
d34c34fb
MM		 3042 skb_queue_head_init(&chan->tx_q);
3043
6ed971ca
MH		 3044 chan->local_amp_id = AMP_ID_BREDR;
3045 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3046 chan->move_state = L2CAP_MOVE_STABLE;
3047 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3048
105bdf9e
MM		 3049 if (chan->mode != L2CAP_MODE_ERTM)
3050 return 0;
3051
3052 chan->rx_state = L2CAP_RX_STATE_RECV;
3053 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3054
721c4181
GP		 3055 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3056 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3057 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3058
f1c6775b 3059 skb_queue_head_init(&chan->srej_q);
1890d36b 3060
3c588192
MM		 3061 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3062 if (err < 0)
3063 return err;
3064
9dc9affc
MM		 3065 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3066 if (err < 0)
3067 l2cap_seq_list_free(&chan->srej_list);
3068
3069 return err;
0565c1c2
GP		 3070}
3071
f2fcfcd6
GP		 3072static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3073{
3074 switch (mode) {
3075 case L2CAP_MODE_STREAMING:
3076 case L2CAP_MODE_ERTM:
3077 if (l2cap_mode_supported(mode, remote_feat_mask))
3078 return mode;
3079 /* fall through */
3080 default:
3081 return L2CAP_MODE_BASIC;
3082 }
3083}
3084
848566b3 3085static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3086{
848566b3 3087 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3088}
3089
848566b3 3090static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3091{
848566b3 3092 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3093}
3094
36c86c85
MM		 3095static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3096 struct l2cap_conf_rfc *rfc)
3097{
6ed971ca 3098 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3099 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3100
3101 /* Class 1 devices have must have ERTM timeouts
3102 * exceeding the Link Supervision Timeout. The
3103 * default Link Supervision Timeout for AMP
3104 * controllers is 10 seconds.
3105 *
3106 * Class 1 devices use 0xffffffff for their
3107 * best-effort flush timeout, so the clamping logic
3108 * will result in a timeout that meets the above
3109 * requirement. ERTM timeouts are 16-bit values, so
3110 * the maximum timeout is 65.535 seconds.
3111 */
3112
3113 /* Convert timeout to milliseconds and round */
3114 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3115
3116 /* This is the recommended formula for class 2 devices
3117 * that start ERTM timers when packets are sent to the
3118 * controller.
3119 */
3120 ertm_to = 3 * ertm_to + 500;
3121
3122 if (ertm_to > 0xffff)
3123 ertm_to = 0xffff;
3124
3125 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3126 rfc->monitor_timeout = rfc->retrans_timeout;
3127 } else {
dcf4adbf
JP		 3128 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3129 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3130 }
3131}
3132
6327eb98
AE		 3133static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3134{
3135 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3136 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3137 /* use extended control field */
3138 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3139 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3140 } else {
6327eb98 3141 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3142 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3143 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3144 }
c20f8e35 3145 chan->ack_win = chan->tx_win;
6327eb98
AE		 3146}
3147
710f9b0a 3148static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3149{
1da177e4 3150 struct l2cap_conf_req *req = data;
0c1bc5c6 3151 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3152 void *ptr = req->data;
c8f79162 3153 u16 size;
1da177e4 3154
49208c9c 3155 BT_DBG("chan %p", chan);
1da177e4 3156
73ffa904 3157 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3158 goto done;
3159
0c1bc5c6 3160 switch (chan->mode) {
f2fcfcd6
GP		 3161 case L2CAP_MODE_STREAMING:
3162 case L2CAP_MODE_ERTM:
c1360a1c 3163 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3164 break;
85eb53c6 3165
848566b3 3166 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3167 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3168
2ba13ed6 3169 /* fall through */
f2fcfcd6 3170 default:
8c1d787b 3171 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3172 break;
3173 }
3174
3175done:
0c1bc5c6
GP		 3176 if (chan->imtu != L2CAP_DEFAULT_MTU)
3177 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3178
0c1bc5c6 3179 switch (chan->mode) {
65c7c491 3180 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3181 if (disable_ertm)
3182 break;
3183
8c1d787b 3184 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3185 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3186 break;
3187
62547752
GP		 3188 rfc.mode = L2CAP_MODE_BASIC;
3189 rfc.txwin_size = 0;
3190 rfc.max_transmit = 0;
3191 rfc.retrans_timeout = 0;
3192 rfc.monitor_timeout = 0;
3193 rfc.max_pdu_size = 0;
3194
63406504 3195 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3196 (unsigned long) &rfc);
65c7c491
MH		 3197 break;
3198
3199 case L2CAP_MODE_ERTM:
3200 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3201 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3202
3203 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3204
3205 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3206 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3207 L2CAP_FCS_SIZE);
c8f79162 3208 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3209
6327eb98
AE		 3210 l2cap_txwin_setup(chan);
3211
3212 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3213 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3214
63406504 3215 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3216 (unsigned long) &rfc);
63406504 3217
f89cef09
AE		 3218 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3219 l2cap_add_opt_efs(&ptr, chan);
3220
6327eb98
AE		 3221 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3222 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3223 chan->tx_win);
60918918
AE		 3224
3225 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3226 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3227 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3228 chan->fcs = L2CAP_FCS_NONE;
3229 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3230 chan->fcs);
3231 }
f2fcfcd6
GP		 3232 break;
3233
3234 case L2CAP_MODE_STREAMING:
273759e2 3235 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3236 rfc.mode = L2CAP_MODE_STREAMING;
3237 rfc.txwin_size = 0;
3238 rfc.max_transmit = 0;
3239 rfc.retrans_timeout = 0;
3240 rfc.monitor_timeout = 0;
c8f79162
AE		 3241
3242 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3243 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3244 L2CAP_FCS_SIZE);
c8f79162 3245 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3246
63406504 3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3248 (unsigned long) &rfc);
63406504 3249
f89cef09
AE		 3250 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3251 l2cap_add_opt_efs(&ptr, chan);
3252
60918918
AE		 3253 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3254 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3255 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3256 chan->fcs = L2CAP_FCS_NONE;
3257 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3258 chan->fcs);
3259 }
65c7c491
MH		 3260 break;
3261 }
1da177e4 3262
fe4128e0 3263 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3264 req->flags = cpu_to_le16(0);
1da177e4
LT		 3265
3266 return ptr - data;
3267}
3268
73ffa904 3269static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3270{
5dee9e7c
MH		 3271 struct l2cap_conf_rsp *rsp = data;
3272 void *ptr = rsp->data;
73ffa904
GP		 3273 void *req = chan->conf_req;
3274 int len = chan->conf_len;
5dee9e7c
MH		 3275 int type, hint, olen;
3276 unsigned long val;
6464f35f 3277 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3278 struct l2cap_conf_efs efs;
3279 u8 remote_efs = 0;
861d6882 3280 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3281 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3282 u16 size;
1da177e4 3283
73ffa904 3284 BT_DBG("chan %p", chan);
820ae1b8 3285
5dee9e7c
MH		 3286 while (len >= L2CAP_CONF_OPT_SIZE) {
3287 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3288
589d2746 3289 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3290 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3291
3292 switch (type) {
3293 case L2CAP_CONF_MTU:
861d6882 3294 mtu = val;
5dee9e7c
MH		 3295 break;
3296
3297 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3298 chan->flush_to = val;
5dee9e7c
MH		 3299 break;
3300
3301 case L2CAP_CONF_QOS:
3302 break;
3303
6464f35f
MH		 3304 case L2CAP_CONF_RFC:
3305 if (olen == sizeof(rfc))
3306 memcpy(&rfc, (void *) val, olen);
3307 break;
3308
fcc203c3
GP		 3309 case L2CAP_CONF_FCS:
3310 if (val == L2CAP_FCS_NONE)
f2592d3e 3311 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3312 break;
fcc203c3 3313
42dceae2
AE		 3314 case L2CAP_CONF_EFS:
3315 remote_efs = 1;
3316 if (olen == sizeof(efs))
3317 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3318 break;
3319
6327eb98 3320 case L2CAP_CONF_EWS:
848566b3 3321 if (!chan->conn->hs_enabled)
6327eb98 3322 return -ECONNREFUSED;
fcc203c3 3323
6327eb98
AE		 3324 set_bit(FLAG_EXT_CTRL, &chan->flags);
3325 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3326 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3327 chan->remote_tx_win = val;
fcc203c3
GP		 3328 break;
3329
5dee9e7c
MH		 3330 default:
3331 if (hint)
3332 break;
3333
3334 result = L2CAP_CONF_UNKNOWN;
3335 *((u8 *) ptr++) = type;
3336 break;
3337 }
3338 }
3339
73ffa904 3340 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3341 goto done;
3342
0c1bc5c6 3343 switch (chan->mode) {
f2fcfcd6
GP		 3344 case L2CAP_MODE_STREAMING:
3345 case L2CAP_MODE_ERTM:
c1360a1c 3346 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3347 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3348 chan->conn->feat_mask);
85eb53c6
GP		 3349 break;
3350 }
3351
42dceae2 3352 if (remote_efs) {
848566b3 3353 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3354 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3355 else
3356 return -ECONNREFUSED;
3357 }
3358
0c1bc5c6 3359 if (chan->mode != rfc.mode)
f2fcfcd6 3360 return -ECONNREFUSED;
742e519b 3361
f2fcfcd6 3362 break;
f2fcfcd6
GP		 3363 }
3364
3365done:
0c1bc5c6 3366 if (chan->mode != rfc.mode) {
f2fcfcd6 3367 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3368 rfc.mode = chan->mode;
f2fcfcd6 3369
73ffa904 3370 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3371 return -ECONNREFUSED;
3372
2d792818
GP		 3373 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3374 (unsigned long) &rfc);
f2fcfcd6
GP		 3375 }
3376
5dee9e7c
MH		 3377 if (result == L2CAP_CONF_SUCCESS) {
3378 /* Configure output options and let the other side know
3379 * which ones we don't like. */
3380
f2fcfcd6
GP		 3381 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3382 result = L2CAP_CONF_UNACCEPT;
3383 else {
0c1bc5c6 3384 chan->omtu = mtu;
c1360a1c 3385 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3386 }
0c1bc5c6 3387 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3388
42dceae2
AE		 3389 if (remote_efs) {
3390 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3391 efs.stype != L2CAP_SERV_NOTRAFIC &&
3392 efs.stype != chan->local_stype) {
42dceae2
AE		 3393
3394 result = L2CAP_CONF_UNACCEPT;
3395
3396 if (chan->num_conf_req >= 1)
3397 return -ECONNREFUSED;
3398
3399 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3400 sizeof(efs),
3401 (unsigned long) &efs);
0e8b207e 3402 } else {
3e6b3b95 3403 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3404 result = L2CAP_CONF_PENDING;
3405 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3406 }
3407 }
3408
f2fcfcd6
GP		 3409 switch (rfc.mode) {
3410 case L2CAP_MODE_BASIC:
47d1ec61 3411 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3412 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3413 break;
3414
3415 case L2CAP_MODE_ERTM:
6327eb98
AE		 3416 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3417 chan->remote_tx_win = rfc.txwin_size;
3418 else
3419 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3420
2c03a7a4 3421 chan->remote_max_tx = rfc.max_transmit;
1c762159 3422
c8f79162 3423 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3424 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3425 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3426 rfc.max_pdu_size = cpu_to_le16(size);
3427 chan->remote_mps = size;
f2fcfcd6 3428
36c86c85 3429 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3430
c1360a1c 3431 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3432
3433 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3434 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3435
42dceae2
AE		 3436 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3437 chan->remote_id = efs.id;
3438 chan->remote_stype = efs.stype;
3439 chan->remote_msdu = le16_to_cpu(efs.msdu);
3440 chan->remote_flush_to =
2d792818 3441 le32_to_cpu(efs.flush_to);
42dceae2 3442 chan->remote_acc_lat =
2d792818 3443 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3444 chan->remote_sdu_itime =
3445 le32_to_cpu(efs.sdu_itime);
3446 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3447 sizeof(efs),
3448 (unsigned long) &efs);
42dceae2 3449 }
f2fcfcd6
GP		 3450 break;
3451
3452 case L2CAP_MODE_STREAMING:
c8f79162 3453 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3454 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3455 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3456 rfc.max_pdu_size = cpu_to_le16(size);
3457 chan->remote_mps = size;
f2fcfcd6 3458
c1360a1c 3459 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3460
2d792818
GP		 3461 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3462 (unsigned long) &rfc);
68ae6639 3463
f2fcfcd6
GP		 3464 break;
3465
3466 default:
5dee9e7c 3467 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3468
6464f35f 3469 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3470 rfc.mode = chan->mode;
f2fcfcd6 3471 }
6464f35f 3472
f2fcfcd6 3473 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3474 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3475 }
fe4128e0 3476 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3477 rsp->result = cpu_to_le16(result);
dcf4adbf 3478 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3479
3480 return ptr - data;
1da177e4
LT		 3481}
3482
2d792818
GP		 3483static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3484 void *data, u16 *result)
f2fcfcd6 3485{
f2fcfcd6
GP		 3486 struct l2cap_conf_req *req = data;
3487 void *ptr = req->data;
3488 int type, olen;
3489 unsigned long val;
36e999a8 3490 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3491 struct l2cap_conf_efs efs;
f2fcfcd6 3492
fe4128e0 3493 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3494
3495 while (len >= L2CAP_CONF_OPT_SIZE) {
3496 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3497
3498 switch (type) {
3499 case L2CAP_CONF_MTU:
3500 if (val < L2CAP_DEFAULT_MIN_MTU) {
3501 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3502 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3503 } else
0c1bc5c6
GP		 3504 chan->imtu = val;
3505 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3506 break;
3507
3508 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3509 chan->flush_to = val;
f2fcfcd6 3510 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3511 2, chan->flush_to);
f2fcfcd6
GP		 3512 break;
3513
3514 case L2CAP_CONF_RFC:
3515 if (olen == sizeof(rfc))
3516 memcpy(&rfc, (void *)val, olen);
3517
c1360a1c 3518 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3519 rfc.mode != chan->mode)
f2fcfcd6
GP		 3520 return -ECONNREFUSED;
3521
47d1ec61 3522 chan->fcs = 0;
f2fcfcd6
GP		 3523
3524 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3525 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3526 break;
6327eb98
AE		 3527
3528 case L2CAP_CONF_EWS:
c20f8e35 3529 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3530 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3531 chan->tx_win);
6327eb98 3532 break;
66af7aaf
AE		 3533
3534 case L2CAP_CONF_EFS:
3535 if (olen == sizeof(efs))
3536 memcpy(&efs, (void *)val, olen);
3537
3538 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3539 efs.stype != L2CAP_SERV_NOTRAFIC &&
3540 efs.stype != chan->local_stype)
66af7aaf
AE		 3541 return -ECONNREFUSED;
3542
2d792818
GP		 3543 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3544 (unsigned long) &efs);
66af7aaf 3545 break;
cbabee78
AE		 3546
3547 case L2CAP_CONF_FCS:
3548 if (*result == L2CAP_CONF_PENDING)
3549 if (val == L2CAP_FCS_NONE)
f2592d3e 3550 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3551 &chan->conf_state);
3552 break;
f2fcfcd6
GP		 3553 }
3554 }
3555
0c1bc5c6 3556 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3557 return -ECONNREFUSED;
3558
0c1bc5c6 3559 chan->mode = rfc.mode;
6c2ea7a8 3560
0e8b207e 3561 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3562 switch (rfc.mode) {
3563 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3564 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3565 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3566 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3567 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3568 chan->ack_win = min_t(u16, chan->ack_win,
3569 rfc.txwin_size);
66af7aaf
AE		 3570
3571 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3572 chan->local_msdu = le16_to_cpu(efs.msdu);
3573 chan->local_sdu_itime =
2d792818 3574 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3575 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3576 chan->local_flush_to =
2d792818 3577 le32_to_cpu(efs.flush_to);
66af7aaf 3578 }
f2fcfcd6 3579 break;
66af7aaf 3580
f2fcfcd6 3581 case L2CAP_MODE_STREAMING:
47d1ec61 3582 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3583 }
3584 }
3585
fe4128e0 3586 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3587 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3588
3589 return ptr - data;
3590}
3591
2d792818
GP		 3592static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3593 u16 result, u16 flags)
1da177e4
LT		 3594{
3595 struct l2cap_conf_rsp *rsp = data;
3596 void *ptr = rsp->data;
1da177e4 3597
fe4128e0 3598 BT_DBG("chan %p", chan);
1da177e4 3599
fe4128e0 3600 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3601 rsp->result = cpu_to_le16(result);
aca3192c 3602 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3603
3604 return ptr - data;
3605}
3606
27e2d4c8
JH		 3607void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3608{
3609 struct l2cap_le_conn_rsp rsp;
3610 struct l2cap_conn *conn = chan->conn;
3611
3612 BT_DBG("chan %p", chan);
3613
3614 rsp.dcid = cpu_to_le16(chan->scid);
3615 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3616 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3617 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3618 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3619
3620 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3621 &rsp);
3622}
3623
8c1d787b 3624void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3625{
3626 struct l2cap_conn_rsp rsp;
8c1d787b 3627 struct l2cap_conn *conn = chan->conn;
710f9b0a 3628 u8 buf[128];
439f34ac 3629 u8 rsp_code;
710f9b0a 3630
fe4128e0
GP		 3631 rsp.scid = cpu_to_le16(chan->dcid);
3632 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3633 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3634 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3635
3636 if (chan->hs_hcon)
3637 rsp_code = L2CAP_CREATE_CHAN_RSP;
3638 else
3639 rsp_code = L2CAP_CONN_RSP;
3640
3641 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3642
3643 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3644
c1360a1c 3645 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3646 return;
3647
710f9b0a 3648 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3649 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3650 chan->num_conf_req++;
3651}
3652
47d1ec61 3653static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3654{
7b1c0049
GP		 3655 int type, olen;
3656 unsigned long val;
c20f8e35
MM		 3657 /* Use sane default values in case a misbehaving remote device
3658 * did not send an RFC or extended window size option.
3659 */
3660 u16 txwin_ext = chan->ack_win;
3661 struct l2cap_conf_rfc rfc = {
3662 .mode = chan->mode,
dcf4adbf
JP		 3663 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3664 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3665 .max_pdu_size = cpu_to_le16(chan->imtu),
3666 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3667 };
7b1c0049 3668
47d1ec61 3669 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3670
0c1bc5c6 3671 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3672 return;
3673
3674 while (len >= L2CAP_CONF_OPT_SIZE) {
3675 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3676
c20f8e35
MM		 3677 switch (type) {
3678 case L2CAP_CONF_RFC:
3679 if (olen == sizeof(rfc))
3680 memcpy(&rfc, (void *)val, olen);
8f321f85 3681 break;
c20f8e35
MM		 3682 case L2CAP_CONF_EWS:
3683 txwin_ext = val;
3684 break;
3685 }
7b1c0049
GP		 3686 }
3687
7b1c0049
GP		 3688 switch (rfc.mode) {
3689 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3690 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3691 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3692 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3693 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3694 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3695 else
3696 chan->ack_win = min_t(u16, chan->ack_win,
3697 rfc.txwin_size);
7b1c0049
GP		 3698 break;
3699 case L2CAP_MODE_STREAMING:
47d1ec61 3700 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3701 }
3702}
3703
2d792818 3704static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3705 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3706 u8 *data)
4e8402a3 3707{
e2fd318e 3708 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3709
cb3b3152
JH		 3710 if (cmd_len < sizeof(*rej))
3711 return -EPROTO;
3712
e2fd318e 3713 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3714 return 0;
3715
3716 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3717 cmd->ident == conn->info_ident) {
17cd3f37 3718 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3719
3720 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3721 conn->info_ident = 0;
984947dc 3722
4e8402a3
MH		 3723 l2cap_conn_start(conn);
3724 }
3725
3726 return 0;
3727}
3728
1700915f
MM		 3729static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3730 struct l2cap_cmd_hdr *cmd,
3731 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3732{
1da177e4
LT		 3733 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3734 struct l2cap_conn_rsp rsp;
23691d75 3735 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3736 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3737
3738 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3739 __le16 psm = req->psm;
1da177e4 3740
097db76c 3741 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3742
3743 /* Check if we have socket listening on psm */
6f59b904 3744 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3745 &conn->hcon->dst, ACL_LINK);
23691d75 3746 if (!pchan) {
1da177e4
LT		 3747 result = L2CAP_CR_BAD_PSM;
3748 goto sendresp;
3749 }
3750
3df91ea2 3751 mutex_lock(&conn->chan_lock);
8ffb9290 3752 l2cap_chan_lock(pchan);
e0f0cb56 3753
e7c29cb1 3754 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3755 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3756 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3757 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3758 result = L2CAP_CR_SEC_BLOCK;
3759 goto response;
3760 }
3761
1da177e4
LT		 3762 result = L2CAP_CR_NO_MEM;
3763
2dfa1003
GP		 3764 /* Check if we already have channel with that dcid */
3765 if (__l2cap_get_chan_by_dcid(conn, scid))
3766 goto response;
3767
80b98027 3768 chan = pchan->ops->new_connection(pchan);
80808e43 3769 if (!chan)
1da177e4
LT		 3770 goto response;
3771
330b6c15
SS		 3772 /* For certain devices (ex: HID mouse), support for authentication,
3773 * pairing and bonding is optional. For such devices, inorder to avoid
3774 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3775 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3776 */
3777 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3778
7eafc59e
MH		 3779 bacpy(&chan->src, &conn->hcon->src);
3780 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3781 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3782 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3783 chan->psm = psm;
3784 chan->dcid = scid;
1700915f 3785 chan->local_amp_id = amp_id;
1da177e4 3786
6be36555 3787 __l2cap_chan_add(conn, chan);
48454079 3788
fe4128e0 3789 dcid = chan->scid;
1da177e4 3790
8d836d71 3791 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3792
fc7f8a7e 3793 chan->ident = cmd->ident;
1da177e4 3794
984947dc 3795 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3796 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3797 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3798 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3799 result = L2CAP_CR_PEND;
3800 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3801 chan->ops->defer(chan);
f66dc81f 3802 } else {
1700915f
MM		 3803 /* Force pending result for AMP controllers.
3804 * The connection will succeed after the
3805 * physical link is up.
3806 */
6ed971ca 3807 if (amp_id == AMP_ID_BREDR) {
f93fa273 3808 l2cap_state_change(chan, BT_CONFIG);
1700915f 3809 result = L2CAP_CR_SUCCESS;
6ed971ca 3810 } else {
f93fa273 3811 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3812 result = L2CAP_CR_PEND;
1700915f 3813 }
f66dc81f
MH		 3814 status = L2CAP_CS_NO_INFO;
3815 }
79d554a6 3816 } else {
f93fa273 3817 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3818 result = L2CAP_CR_PEND;
3819 status = L2CAP_CS_AUTHEN_PEND;
3820 }
3821 } else {
f93fa273 3822 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3823 result = L2CAP_CR_PEND;
3824 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3825 }
3826
1da177e4 3827response:
8ffb9290 3828 l2cap_chan_unlock(pchan);
3df91ea2 3829 mutex_unlock(&conn->chan_lock);
a24cce14 3830 l2cap_chan_put(pchan);
1da177e4
LT		 3831
3832sendresp:
aca3192c
YH		 3833 rsp.scid = cpu_to_le16(scid);
3834 rsp.dcid = cpu_to_le16(dcid);
3835 rsp.result = cpu_to_le16(result);
3836 rsp.status = cpu_to_le16(status);
4c89b6aa 3837 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3838
3839 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3840 struct l2cap_info_req info;
dcf4adbf 3841 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3842
3843 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3844 conn->info_ident = l2cap_get_ident(conn);
3845
ba13ccd9 3846 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3847
2d792818
GP		 3848 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3849 sizeof(info), &info);
79d554a6
MH		 3850 }
3851
c1360a1c 3852 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3853 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3854 u8 buf[128];
c1360a1c 3855 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3856 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3857 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3858 chan->num_conf_req++;
e9aeb2dd 3859 }
1700915f
MM		 3860
3861 return chan;
4c89b6aa 3862}
e9aeb2dd 3863
4c89b6aa 3864static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3865 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3866{
7b064eda
JK		 3867 struct hci_dev *hdev = conn->hcon->hdev;
3868 struct hci_conn *hcon = conn->hcon;
3869
cb3b3152
JH		 3870 if (cmd_len < sizeof(struct l2cap_conn_req))
3871 return -EPROTO;
3872
7b064eda
JK		 3873 hci_dev_lock(hdev);
3874 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3875 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
48ec92fa 3876 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
7b064eda
JK		 3877 hci_dev_unlock(hdev);
3878
300229f9 3879 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3880 return 0;
3881}
3882
5909cf30 3883static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3884 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3885 u8 *data)
1da177e4
LT		 3886{
3887 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3888 u16 scid, dcid, result, status;
48454079 3889 struct l2cap_chan *chan;
1da177e4 3890 u8 req[128];
3df91ea2 3891 int err;
1da177e4 3892
cb3b3152
JH		 3893 if (cmd_len < sizeof(*rsp))
3894 return -EPROTO;
3895
1da177e4
LT		 3896 scid = __le16_to_cpu(rsp->scid);
3897 dcid = __le16_to_cpu(rsp->dcid);
3898 result = __le16_to_cpu(rsp->result);
3899 status = __le16_to_cpu(rsp->status);
3900
1b009c98 3901 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3902 dcid, scid, result, status);
1da177e4 3903
3df91ea2
AE		 3904 mutex_lock(&conn->chan_lock);
3905
1da177e4 3906 if (scid) {
3df91ea2
AE		 3907 chan = __l2cap_get_chan_by_scid(conn, scid);
3908 if (!chan) {
21870b52 3909 err = -EBADSLT;
3df91ea2
AE		 3910 goto unlock;
3911 }
1da177e4 3912 } else {
3df91ea2
AE		 3913 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3914 if (!chan) {
21870b52 3915 err = -EBADSLT;
3df91ea2
AE		 3916 goto unlock;
3917 }
1da177e4
LT		 3918 }
3919
3df91ea2
AE		 3920 err = 0;
3921
6be36555 3922 l2cap_chan_lock(chan);
48454079 3923
1da177e4
LT		 3924 switch (result) {
3925 case L2CAP_CR_SUCCESS:
89bc500e 3926 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3927 chan->ident = 0;
fe4128e0 3928 chan->dcid = dcid;
c1360a1c 3929 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3930
c1360a1c 3931 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3932 break;
3933
1da177e4 3934 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3935 l2cap_build_conf_req(chan, req), req);
73ffa904 3936 chan->num_conf_req++;
1da177e4
LT		 3937 break;
3938
3939 case L2CAP_CR_PEND:
c1360a1c 3940 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3941 break;
3942
3943 default:
48454079 3944 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3945 break;
3946 }
3947
6be36555 3948 l2cap_chan_unlock(chan);
3df91ea2
AE		 3949
3950unlock:
3951 mutex_unlock(&conn->chan_lock);
3952
3953 return err;
1da177e4
LT		 3954}
3955
47d1ec61 3956static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3957{
3958 /* FCS is enabled only in ERTM or streaming mode, if one or both
3959 * sides request it.
3960 */
0c1bc5c6 3961 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3962 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3963 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3964 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3965}
3966
29d8a590
AE		 3967static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3968 u8 ident, u16 flags)
3969{
3970 struct l2cap_conn *conn = chan->conn;
3971
3972 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3973 flags);
3974
3975 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3976 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3977
3978 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3979 l2cap_build_conf_rsp(chan, data,
3980 L2CAP_CONF_SUCCESS, flags), data);
3981}
3982
662d652d
JH		 3983static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3984 u16 scid, u16 dcid)
3985{
3986 struct l2cap_cmd_rej_cid rej;
3987
dcf4adbf 3988 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3989 rej.scid = __cpu_to_le16(scid);
3990 rej.dcid = __cpu_to_le16(dcid);
3991
3992 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3993}
3994
2d792818
GP		 3995static inline int l2cap_config_req(struct l2cap_conn *conn,
3996 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3997 u8 *data)
1da177e4
LT		 3998{
3999 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4000 u16 dcid, flags;
4001 u8 rsp[64];
48454079 4002 struct l2cap_chan *chan;
3c588192 4003 int len, err = 0;
1da177e4 4004
cb3b3152
JH		 4005 if (cmd_len < sizeof(*req))
4006 return -EPROTO;
4007
1da177e4
LT		 4008 dcid = __le16_to_cpu(req->dcid);
4009 flags = __le16_to_cpu(req->flags);
4010
4011 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4012
baa7e1fa 4013 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4014 if (!chan) {
4015 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4016 return 0;
4017 }
1da177e4 4018
033b1142 4019 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4020 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4021 chan->dcid);
354f60a9 4022 goto unlock;
df6bd743 4023 }
354f60a9 4024
5dee9e7c 4025 /* Reject if config buffer is too small. */
88219a0f 4026 len = cmd_len - sizeof(*req);
cb3b3152 4027 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4028 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4029 l2cap_build_conf_rsp(chan, rsp,
4030 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4031 goto unlock;
4032 }
4033
4034 /* Store config. */
73ffa904
GP		 4035 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4036 chan->conf_len += len;
1da177e4 4037
59e54bd1 4038 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4039 /* Incomplete config. Send empty response. */
4040 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4041 l2cap_build_conf_rsp(chan, rsp,
4042 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4043 goto unlock;
4044 }
4045
4046 /* Complete config. */
73ffa904 4047 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4048 if (len < 0) {
5e4e3972 4049 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4050 goto unlock;
f2fcfcd6 4051 }
1da177e4 4052
1500109b 4053 chan->ident = cmd->ident;
5dee9e7c 4054 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4055 chan->num_conf_rsp++;
5dee9e7c 4056
5dee9e7c 4057 /* Reset config buffer. */
73ffa904 4058 chan->conf_len = 0;
5dee9e7c 4059
c1360a1c 4060 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4061 goto unlock;
4062
c1360a1c 4063 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4064 set_default_fcs(chan);
fcc203c3 4065
105bdf9e
MM		 4066 if (chan->mode == L2CAP_MODE_ERTM ||
4067 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4068 err = l2cap_ertm_init(chan);
4069
4070 if (err < 0)
5e4e3972 4071 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4072 else
4073 l2cap_chan_ready(chan);
0565c1c2 4074
876d9484
MH		 4075 goto unlock;
4076 }
4077
c1360a1c 4078 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4079 u8 buf[64];
1da177e4 4080 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4081 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4082 chan->num_conf_req++;
1da177e4
LT		 4083 }
4084
0e8b207e
AE		 4085 /* Got Conf Rsp PENDING from remote side and asume we sent
4086 Conf Rsp PENDING in the code above */
4087 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4088 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4089
4090 /* check compatibility */
4091
79de886d 4092 /* Send rsp for BR/EDR channel */
f351bc72 4093 if (!chan->hs_hcon)
79de886d
AE		 4094 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4095 else
4096 chan->ident = cmd->ident;
0e8b207e
AE		 4097 }
4098
1da177e4 4099unlock:
6be36555 4100 l2cap_chan_unlock(chan);
3c588192 4101 return err;
1da177e4
LT		 4102}
4103
2d792818 4104static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4105 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4106 u8 *data)
1da177e4
LT		 4107{
4108 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4109 u16 scid, flags, result;
48454079 4110 struct l2cap_chan *chan;
cb3b3152 4111 int len = cmd_len - sizeof(*rsp);
3c588192 4112 int err = 0;
1da177e4 4113
cb3b3152
JH		 4114 if (cmd_len < sizeof(*rsp))
4115 return -EPROTO;
4116
1da177e4
LT		 4117 scid = __le16_to_cpu(rsp->scid);
4118 flags = __le16_to_cpu(rsp->flags);
4119 result = __le16_to_cpu(rsp->result);
4120
61386cba
AE		 4121 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4122 result, len);
1da177e4 4123
baa7e1fa 4124 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4125 if (!chan)
1da177e4
LT		 4126 return 0;
4127
4128 switch (result) {
4129 case L2CAP_CONF_SUCCESS:
47d1ec61 4130 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4131 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4132 break;
4133
0e8b207e
AE		 4134 case L2CAP_CONF_PENDING:
4135 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4136
4137 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4138 char buf[64];
4139
4140 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4141 buf, &result);
0e8b207e 4142 if (len < 0) {
5e4e3972 4143 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4144 goto done;
4145 }
4146
f351bc72 4147 if (!chan->hs_hcon) {
79de886d
AE		 4148 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4149 0);
5ce66b59
AE		 4150 } else {
4151 if (l2cap_check_efs(chan)) {
4152 amp_create_logical_link(chan);
4153 chan->ident = cmd->ident;
4154 }
4155 }
0e8b207e
AE		 4156 }
4157 goto done;
4158
1da177e4 4159 case L2CAP_CONF_UNACCEPT:
73ffa904 4160 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4161 char req[64];
4162
c2c77ec8 4163 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4164 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4165 goto done;
4166 }
4167
f2fcfcd6
GP		 4168 /* throw out any old stored conf requests */
4169 result = L2CAP_CONF_SUCCESS;
b4450035 4170 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4171 req, &result);
f2fcfcd6 4172 if (len < 0) {
5e4e3972 4173 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4174 goto done;
4175 }
4176
4177 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4178 L2CAP_CONF_REQ, len, req);
73ffa904 4179 chan->num_conf_req++;
f2fcfcd6
GP		 4180 if (result != L2CAP_CONF_SUCCESS)
4181 goto done;
4182 break;
1da177e4
LT		 4183 }
4184
8e87d142 4185 default:
6be36555 4186 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4187
ba13ccd9 4188 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4189 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4190 goto done;
4191 }
4192
59e54bd1 4193 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4194 goto done;
4195
c1360a1c 4196 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4197
c1360a1c 4198 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4199 set_default_fcs(chan);
fcc203c3 4200
105bdf9e
MM		 4201 if (chan->mode == L2CAP_MODE_ERTM ||
4202 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4203 err = l2cap_ertm_init(chan);
0565c1c2 4204
3c588192 4205 if (err < 0)
5e4e3972 4206 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4207 else
4208 l2cap_chan_ready(chan);
1da177e4
LT		 4209 }
4210
4211done:
6be36555 4212 l2cap_chan_unlock(chan);
3c588192 4213 return err;
1da177e4
LT		 4214}
4215
2d792818 4216static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4217 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4218 u8 *data)
1da177e4
LT		 4219{
4220 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4221 struct l2cap_disconn_rsp rsp;
4222 u16 dcid, scid;
48454079 4223 struct l2cap_chan *chan;
1da177e4 4224
cb3b3152
JH		 4225 if (cmd_len != sizeof(*req))
4226 return -EPROTO;
4227
1da177e4
LT		 4228 scid = __le16_to_cpu(req->scid);
4229 dcid = __le16_to_cpu(req->dcid);
4230
4231 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4232
3df91ea2
AE		 4233 mutex_lock(&conn->chan_lock);
4234
4235 chan = __l2cap_get_chan_by_scid(conn, dcid);
4236 if (!chan) {
4237 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4238 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4239 return 0;
3df91ea2 4240 }
1da177e4 4241
6be36555
AE		 4242 l2cap_chan_lock(chan);
4243
fe4128e0
GP		 4244 rsp.dcid = cpu_to_le16(chan->scid);
4245 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4246 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4247
5ec1bbe5 4248 chan->ops->set_shutdown(chan);
1da177e4 4249
61d6ef3e 4250 l2cap_chan_hold(chan);
48454079 4251 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4252
4253 l2cap_chan_unlock(chan);
1da177e4 4254
80b98027 4255 chan->ops->close(chan);
61d6ef3e 4256 l2cap_chan_put(chan);
3df91ea2
AE		 4257
4258 mutex_unlock(&conn->chan_lock);
4259
1da177e4
LT		 4260 return 0;
4261}
4262
2d792818 4263static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4264 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4265 u8 *data)
1da177e4
LT		 4266{
4267 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4268 u16 dcid, scid;
48454079 4269 struct l2cap_chan *chan;
1da177e4 4270
cb3b3152
JH		 4271 if (cmd_len != sizeof(*rsp))
4272 return -EPROTO;
4273
1da177e4
LT		 4274 scid = __le16_to_cpu(rsp->scid);
4275 dcid = __le16_to_cpu(rsp->dcid);
4276
4277 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4278
3df91ea2
AE		 4279 mutex_lock(&conn->chan_lock);
4280
4281 chan = __l2cap_get_chan_by_scid(conn, scid);
4282 if (!chan) {
4283 mutex_unlock(&conn->chan_lock);
1da177e4 4284 return 0;
3df91ea2 4285 }
1da177e4 4286
6be36555 4287 l2cap_chan_lock(chan);
48454079 4288
61d6ef3e 4289 l2cap_chan_hold(chan);
48454079 4290 l2cap_chan_del(chan, 0);
6be36555
AE		 4291
4292 l2cap_chan_unlock(chan);
1da177e4 4293
80b98027 4294 chan->ops->close(chan);
61d6ef3e 4295 l2cap_chan_put(chan);
3df91ea2
AE		 4296
4297 mutex_unlock(&conn->chan_lock);
4298
1da177e4
LT		 4299 return 0;
4300}
4301
2d792818 4302static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4303 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4304 u8 *data)
1da177e4
LT		 4305{
4306 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4307 u16 type;
4308
cb3b3152
JH		 4309 if (cmd_len != sizeof(*req))
4310 return -EPROTO;
4311
1da177e4
LT		 4312 type = __le16_to_cpu(req->type);
4313
4314 BT_DBG("type 0x%4.4x", type);
4315
f0709e03
MH		 4316 if (type == L2CAP_IT_FEAT_MASK) {
4317 u8 buf[8];
44dd46de 4318 u32 feat_mask = l2cap_feat_mask;
f0709e03 4319 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4320 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4321 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4322 if (!disable_ertm)
fcc203c3 4323 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4324 | L2CAP_FEAT_FCS;
848566b3 4325 if (conn->hs_enabled)
6327eb98 4326 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4327 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4328
1b7bf4ed 4329 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4330 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4331 buf);
e1027a7c
MH		 4332 } else if (type == L2CAP_IT_FIXED_CHAN) {
4333 u8 buf[12];
4334 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4335
848566b3 4336 if (conn->hs_enabled)
50a147cd
MM		 4337 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4338 else
4339 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4340
dcf4adbf
JP		 4341 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4342 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4343 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4344 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4345 buf);
f0709e03
MH		 4346 } else {
4347 struct l2cap_info_rsp rsp;
4348 rsp.type = cpu_to_le16(type);
dcf4adbf 4349 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4350 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4351 &rsp);
f0709e03 4352 }
1da177e4
LT		 4353
4354 return 0;
4355}
4356
2d792818 4357static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4358 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4359 u8 *data)
1da177e4
LT		 4360{
4361 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4362 u16 type, result;
4363
3f6fa3d4 4364 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4365 return -EPROTO;
4366
1da177e4
LT		 4367 type = __le16_to_cpu(rsp->type);
4368 result = __le16_to_cpu(rsp->result);
4369
4370 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4371
e90165be
AE		 4372 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4373 if (cmd->ident != conn->info_ident ||
2d792818 4374 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4375 return 0;
4376
17cd3f37 4377 cancel_delayed_work(&conn->info_timer);
4e8402a3 4378
adb08ede
VT		 4379 if (result != L2CAP_IR_SUCCESS) {
4380 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4381 conn->info_ident = 0;
4382
4383 l2cap_conn_start(conn);
4384
4385 return 0;
4386 }
4387
978c93b9
AE		 4388 switch (type) {
4389 case L2CAP_IT_FEAT_MASK:
83985319 4390 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4391
47ec1dcd 4392 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4393 struct l2cap_info_req req;
dcf4adbf 4394 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4395
4396 conn->info_ident = l2cap_get_ident(conn);
4397
4398 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4399 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4400 } else {
4401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4402 conn->info_ident = 0;
4403
4404 l2cap_conn_start(conn);
4405 }
978c93b9
AE		 4406 break;
4407
4408 case L2CAP_IT_FIXED_CHAN:
4409 conn->fixed_chan_mask = rsp->data[0];
984947dc 4410 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4411 conn->info_ident = 0;
984947dc
MH		 4412
4413 l2cap_conn_start(conn);
978c93b9 4414 break;
984947dc 4415 }
4e8402a3 4416
1da177e4
LT		 4417 return 0;
4418}
4419
1700915f
MM		 4420static int l2cap_create_channel_req(struct l2cap_conn *conn,
4421 struct l2cap_cmd_hdr *cmd,
4422 u16 cmd_len, void *data)
f94ff6ff
MM		 4423{
4424 struct l2cap_create_chan_req *req = data;
6e1df6a6 4425 struct l2cap_create_chan_rsp rsp;
1700915f 4426 struct l2cap_chan *chan;
6e1df6a6 4427 struct hci_dev *hdev;
f94ff6ff
MM		 4428 u16 psm, scid;
4429
4430 if (cmd_len != sizeof(*req))
4431 return -EPROTO;
4432
848566b3 4433 if (!conn->hs_enabled)
f94ff6ff
MM		 4434 return -EINVAL;
4435
4436 psm = le16_to_cpu(req->psm);
4437 scid = le16_to_cpu(req->scid);
4438
ad0ac6ca 4439 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4440
6e1df6a6 4441 /* For controller id 0 make BR/EDR connection */
6ed971ca 4442 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4443 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4444 req->amp_id);
4445 return 0;
4446 }
1700915f 4447
6e1df6a6
AE		 4448 /* Validate AMP controller id */
4449 hdev = hci_dev_get(req->amp_id);
4450 if (!hdev)
4451 goto error;
1700915f 4452
6e1df6a6
AE		 4453 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4454 hci_dev_put(hdev);
4455 goto error;
4456 }
1700915f 4457
6e1df6a6
AE		 4458 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4459 req->amp_id);
4460 if (chan) {
4461 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4462 struct hci_conn *hs_hcon;
1700915f 4463
98e0f7ea
MH		 4464 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4465 &conn->hcon->dst);
6e1df6a6
AE		 4466 if (!hs_hcon) {
4467 hci_dev_put(hdev);
662d652d
JH		 4468 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4469 chan->dcid);
4470 return 0;
1700915f
MM		 4471 }
4472
6e1df6a6
AE		 4473 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4474
6e1df6a6
AE		 4475 mgr->bredr_chan = chan;
4476 chan->hs_hcon = hs_hcon;
fd45bf4c 4477 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4478 conn->mtu = hdev->block_mtu;
1700915f 4479 }
f94ff6ff 4480
6e1df6a6 4481 hci_dev_put(hdev);
f94ff6ff
MM		 4482
4483 return 0;
6e1df6a6
AE		 4484
4485error:
4486 rsp.dcid = 0;
4487 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4488 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4489 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4490
4491 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4492 sizeof(rsp), &rsp);
4493
dc280801 4494 return 0;
f94ff6ff
MM		 4495}
4496
8eb200bd
MM		 4497static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4498{
4499 struct l2cap_move_chan_req req;
4500 u8 ident;
4501
4502 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4503
4504 ident = l2cap_get_ident(chan->conn);
4505 chan->ident = ident;
4506
4507 req.icid = cpu_to_le16(chan->scid);
4508 req.dest_amp_id = dest_amp_id;
4509
4510 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4511 &req);
4512
4513 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4514}
4515
1500109b 4516static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4517{
4518 struct l2cap_move_chan_rsp rsp;
4519
1500109b 4520 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4521
1500109b 4522 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4523 rsp.result = cpu_to_le16(result);
4524
1500109b
MM		 4525 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4526 sizeof(rsp), &rsp);
8d5a04a1
MM		 4527}
4528
5b155ef9 4529static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4530{
4531 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4532
5b155ef9 4533 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4534
5b155ef9 4535 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4536
5b155ef9 4537 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4538 cfm.result = cpu_to_le16(result);
4539
5b155ef9
MM		 4540 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4541 sizeof(cfm), &cfm);
4542
4543 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4544}
4545
4546static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4547{
4548 struct l2cap_move_chan_cfm cfm;
4549
4550 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4551
4552 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4553 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4554
4555 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4556 sizeof(cfm), &cfm);
8d5a04a1
MM		 4557}
4558
4559static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4560 u16 icid)
8d5a04a1
MM		 4561{
4562 struct l2cap_move_chan_cfm_rsp rsp;
4563
ad0ac6ca 4564 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4565
4566 rsp.icid = cpu_to_le16(icid);
4567 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4568}
4569
5f3847a4
MM		 4570static void __release_logical_link(struct l2cap_chan *chan)
4571{
4572 chan->hs_hchan = NULL;
4573 chan->hs_hcon = NULL;
4574
4575 /* Placeholder - release the logical link */
4576}
4577
1500109b
MM		 4578static void l2cap_logical_fail(struct l2cap_chan *chan)
4579{
4580 /* Logical link setup failed */
4581 if (chan->state != BT_CONNECTED) {
4582 /* Create channel failure, disconnect */
5e4e3972 4583 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4584 return;
4585 }
4586
4587 switch (chan->move_role) {
4588 case L2CAP_MOVE_ROLE_RESPONDER:
4589 l2cap_move_done(chan);
4590 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4591 break;
4592 case L2CAP_MOVE_ROLE_INITIATOR:
4593 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4594 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4595 /* Remote has only sent pending or
4596 * success responses, clean up
4597 */
4598 l2cap_move_done(chan);
4599 }
4600
4601 /* Other amp move states imply that the move
4602 * has already aborted
4603 */
4604 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4605 break;
4606 }
4607}
4608
4609static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4610 struct hci_chan *hchan)
4611{
4612 struct l2cap_conf_rsp rsp;
1500109b 4613
336178a3 4614 chan->hs_hchan = hchan;
1500109b
MM		 4615 chan->hs_hcon->l2cap_data = chan->conn;
4616
35ba9561 4617 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4618
4619 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4620 int err;
1500109b
MM		 4621
4622 set_default_fcs(chan);
4623
4624 err = l2cap_ertm_init(chan);
4625 if (err < 0)
5e4e3972 4626 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4627 else
4628 l2cap_chan_ready(chan);
4629 }
4630}
4631
4632static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4633 struct hci_chan *hchan)
4634{
4635 chan->hs_hcon = hchan->conn;
4636 chan->hs_hcon->l2cap_data = chan->conn;
4637
4638 BT_DBG("move_state %d", chan->move_state);
4639
4640 switch (chan->move_state) {
4641 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4642 /* Move confirm will be sent after a success
4643 * response is received
4644 */
4645 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4646 break;
4647 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4648 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4649 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4650 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4651 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4652 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4653 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4654 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4655 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4656 }
4657 break;
4658 default:
4659 /* Move was not in expected state, free the channel */
4660 __release_logical_link(chan);
4661
4662 chan->move_state = L2CAP_MOVE_STABLE;
4663 }
4664}
4665
4666/* Call with chan locked */
27695fb4
AE		 4667void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4668 u8 status)
5b155ef9 4669{
1500109b
MM		 4670 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4671
4672 if (status) {
4673 l2cap_logical_fail(chan);
4674 __release_logical_link(chan);
4675 return;
4676 }
4677
4678 if (chan->state != BT_CONNECTED) {
4679 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4680 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4681 l2cap_logical_finish_create(chan, hchan);
4682 } else {
4683 l2cap_logical_finish_move(chan, hchan);
4684 }
5b155ef9
MM		 4685}
4686
3f7a56c4
MM		 4687void l2cap_move_start(struct l2cap_chan *chan)
4688{
4689 BT_DBG("chan %p", chan);
4690
6ed971ca 4691 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4692 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4693 return;
4694 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4695 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4696 /* Placeholder - start physical link setup */
4697 } else {
4698 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4699 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4700 chan->move_id = 0;
4701 l2cap_move_setup(chan);
4702 l2cap_send_move_chan_req(chan, 0);
4703 }
4704}
4705
8eb200bd
MM		 4706static void l2cap_do_create(struct l2cap_chan *chan, int result,
4707 u8 local_amp_id, u8 remote_amp_id)
4708{
62748ca1
AE		 4709 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4710 local_amp_id, remote_amp_id);
4711
12d6cc60
AE		 4712 chan->fcs = L2CAP_FCS_NONE;
4713
62748ca1
AE		 4714 /* Outgoing channel on AMP */
4715 if (chan->state == BT_CONNECT) {
4716 if (result == L2CAP_CR_SUCCESS) {
4717 chan->local_amp_id = local_amp_id;
4718 l2cap_send_create_chan_req(chan, remote_amp_id);
4719 } else {
4720 /* Revert to BR/EDR connect */
4721 l2cap_send_conn_req(chan);
4722 }
4723
4724 return;
4725 }
4726
4727 /* Incoming channel on AMP */
4728 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4729 struct l2cap_conn_rsp rsp;
4730 char buf[128];
4731 rsp.scid = cpu_to_le16(chan->dcid);
4732 rsp.dcid = cpu_to_le16(chan->scid);
4733
8eb200bd
MM		 4734 if (result == L2CAP_CR_SUCCESS) {
4735 /* Send successful response */
dcf4adbf
JP		 4736 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4737 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4738 } else {
4739 /* Send negative response */
dcf4adbf
JP		 4740 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4741 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4742 }
4743
4744 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4745 sizeof(rsp), &rsp);
4746
4747 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4748 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4749 set_bit(CONF_REQ_SENT, &chan->conf_state);
4750 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4751 L2CAP_CONF_REQ,
4752 l2cap_build_conf_req(chan, buf), buf);
4753 chan->num_conf_req++;
4754 }
8eb200bd
MM		 4755 }
4756}
4757
4758static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4759 u8 remote_amp_id)
4760{
4761 l2cap_move_setup(chan);
4762 chan->move_id = local_amp_id;
4763 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4764
4765 l2cap_send_move_chan_req(chan, remote_amp_id);
4766}
4767
4768static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4769{
4770 struct hci_chan *hchan = NULL;
4771
4772 /* Placeholder - get hci_chan for logical link */
4773
4774 if (hchan) {
4775 if (hchan->state == BT_CONNECTED) {
4776 /* Logical link is ready to go */
4777 chan->hs_hcon = hchan->conn;
4778 chan->hs_hcon->l2cap_data = chan->conn;
4779 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4780 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4781
4782 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4783 } else {
4784 /* Wait for logical link to be ready */
4785 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4786 }
4787 } else {
4788 /* Logical link not available */
4789 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4790 }
4791}
4792
4793static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4794{
4795 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4796 u8 rsp_result;
4797 if (result == -EINVAL)
4798 rsp_result = L2CAP_MR_BAD_ID;
4799 else
4800 rsp_result = L2CAP_MR_NOT_ALLOWED;
4801
4802 l2cap_send_move_chan_rsp(chan, rsp_result);
4803 }
4804
4805 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4806 chan->move_state = L2CAP_MOVE_STABLE;
4807
4808 /* Restart data transmission */
4809 l2cap_ertm_send(chan);
4810}
4811
a514b17f
AE		 4812/* Invoke with locked chan */
4813void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4814{
770bfefa 4815 u8 local_amp_id = chan->local_amp_id;
fffadc08 4816 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4817
8eb200bd
MM		 4818 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4819 chan, result, local_amp_id, remote_amp_id);
4820
8eb200bd
MM		 4821 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4822 l2cap_chan_unlock(chan);
4823 return;
4824 }
4825
4826 if (chan->state != BT_CONNECTED) {
4827 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4828 } else if (result != L2CAP_MR_SUCCESS) {
4829 l2cap_do_move_cancel(chan, result);
4830 } else {
4831 switch (chan->move_role) {
4832 case L2CAP_MOVE_ROLE_INITIATOR:
4833 l2cap_do_move_initiate(chan, local_amp_id,
4834 remote_amp_id);
4835 break;
4836 case L2CAP_MOVE_ROLE_RESPONDER:
4837 l2cap_do_move_respond(chan, result);
4838 break;
4839 default:
4840 l2cap_do_move_cancel(chan, result);
4841 break;
4842 }
4843 }
8eb200bd
MM		 4844}
4845
8d5a04a1 4846static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4847 struct l2cap_cmd_hdr *cmd,
4848 u16 cmd_len, void *data)
8d5a04a1
MM		 4849{
4850 struct l2cap_move_chan_req *req = data;
1500109b 4851 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4852 struct l2cap_chan *chan;
8d5a04a1
MM		 4853 u16 icid = 0;
4854 u16 result = L2CAP_MR_NOT_ALLOWED;
4855
4856 if (cmd_len != sizeof(*req))
4857 return -EPROTO;
4858
4859 icid = le16_to_cpu(req->icid);
4860
ad0ac6ca 4861 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4862
848566b3 4863 if (!conn->hs_enabled)
8d5a04a1
MM		 4864 return -EINVAL;
4865
02b0fbb9
MM		 4866 chan = l2cap_get_chan_by_dcid(conn, icid);
4867 if (!chan) {
1500109b 4868 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4869 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4870 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4871 sizeof(rsp), &rsp);
02b0fbb9
MM		 4872 return 0;
4873 }
4874
1500109b
MM		 4875 chan->ident = cmd->ident;
4876
02b0fbb9
MM		 4877 if (chan->scid < L2CAP_CID_DYN_START ||
4878 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4879 (chan->mode != L2CAP_MODE_ERTM &&
4880 chan->mode != L2CAP_MODE_STREAMING)) {
4881 result = L2CAP_MR_NOT_ALLOWED;
4882 goto send_move_response;
4883 }
4884
4885 if (chan->local_amp_id == req->dest_amp_id) {
4886 result = L2CAP_MR_SAME_ID;
4887 goto send_move_response;
4888 }
4889
6ed971ca 4890 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4891 struct hci_dev *hdev;
4892 hdev = hci_dev_get(req->dest_amp_id);
4893 if (!hdev || hdev->dev_type != HCI_AMP ||
4894 !test_bit(HCI_UP, &hdev->flags)) {
4895 if (hdev)
4896 hci_dev_put(hdev);
4897
4898 result = L2CAP_MR_BAD_ID;
4899 goto send_move_response;
4900 }
4901 hci_dev_put(hdev);
4902 }
4903
4904 /* Detect a move collision. Only send a collision response
4905 * if this side has "lost", otherwise proceed with the move.
4906 * The winner has the larger bd_addr.
4907 */
4908 if ((__chan_is_moving(chan) ||
4909 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4910 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4911 result = L2CAP_MR_COLLISION;
4912 goto send_move_response;
4913 }
4914
02b0fbb9
MM		 4915 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4916 l2cap_move_setup(chan);
4917 chan->move_id = req->dest_amp_id;
4918 icid = chan->dcid;
4919
6ed971ca 4920 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4921 /* Moving to BR/EDR */
4922 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4923 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4924 result = L2CAP_MR_PEND;
4925 } else {
4926 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4927 result = L2CAP_MR_SUCCESS;
4928 }
4929 } else {
4930 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4931 /* Placeholder - uncomment when amp functions are available */
4932 /*amp_accept_physical(chan, req->dest_amp_id);*/
4933 result = L2CAP_MR_PEND;
4934 }
4935
4936send_move_response:
1500109b 4937 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4938
02b0fbb9
MM		 4939 l2cap_chan_unlock(chan);
4940
8d5a04a1
MM		 4941 return 0;
4942}
4943
5b155ef9
MM		 4944static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4945{
4946 struct l2cap_chan *chan;
4947 struct hci_chan *hchan = NULL;
4948
4949 chan = l2cap_get_chan_by_scid(conn, icid);
4950 if (!chan) {
4951 l2cap_send_move_chan_cfm_icid(conn, icid);
4952 return;
4953 }
4954
4955 __clear_chan_timer(chan);
4956 if (result == L2CAP_MR_PEND)
4957 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4958
4959 switch (chan->move_state) {
4960 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4961 /* Move confirm will be sent when logical link
4962 * is complete.
4963 */
4964 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4965 break;
4966 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4967 if (result == L2CAP_MR_PEND) {
4968 break;
4969 } else if (test_bit(CONN_LOCAL_BUSY,
4970 &chan->conn_state)) {
4971 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4972 } else {
4973 /* Logical link is up or moving to BR/EDR,
4974 * proceed with move
4975 */
4976 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4977 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4978 }
4979 break;
4980 case L2CAP_MOVE_WAIT_RSP:
4981 /* Moving to AMP */
4982 if (result == L2CAP_MR_SUCCESS) {
4983 /* Remote is ready, send confirm immediately
4984 * after logical link is ready
4985 */
4986 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4987 } else {
4988 /* Both logical link and move success
4989 * are required to confirm
4990 */
4991 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4992 }
4993
4994 /* Placeholder - get hci_chan for logical link */
4995 if (!hchan) {
4996 /* Logical link not available */
4997 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4998 break;
4999 }
5000
5001 /* If the logical link is not yet connected, do not
5002 * send confirmation.
5003 */
5004 if (hchan->state != BT_CONNECTED)
5005 break;
5006
5007 /* Logical link is already ready to go */
5008
5009 chan->hs_hcon = hchan->conn;
5010 chan->hs_hcon->l2cap_data = chan->conn;
5011
5012 if (result == L2CAP_MR_SUCCESS) {
5013 /* Can confirm now */
5014 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5015 } else {
5016 /* Now only need move success
5017 * to confirm
5018 */
5019 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5020 }
5021
5022 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5023 break;
5024 default:
5025 /* Any other amp move state means the move failed. */
5026 chan->move_id = chan->local_amp_id;
5027 l2cap_move_done(chan);
5028 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5029 }
5030
5031 l2cap_chan_unlock(chan);
5032}
5033
5034static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5035 u16 result)
5036{
5037 struct l2cap_chan *chan;
5038
5039 chan = l2cap_get_chan_by_ident(conn, ident);
5040 if (!chan) {
5041 /* Could not locate channel, icid is best guess */
5042 l2cap_send_move_chan_cfm_icid(conn, icid);
5043 return;
5044 }
5045
5046 __clear_chan_timer(chan);
5047
5048 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5049 if (result == L2CAP_MR_COLLISION) {
5050 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5051 } else {
5052 /* Cleanup - cancel move */
5053 chan->move_id = chan->local_amp_id;
5054 l2cap_move_done(chan);
5055 }
5056 }
5057
5058 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5059
5060 l2cap_chan_unlock(chan);
5061}
5062
5063static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5064 struct l2cap_cmd_hdr *cmd,
5065 u16 cmd_len, void *data)
8d5a04a1
MM		 5066{
5067 struct l2cap_move_chan_rsp *rsp = data;
5068 u16 icid, result;
5069
5070 if (cmd_len != sizeof(*rsp))
5071 return -EPROTO;
5072
5073 icid = le16_to_cpu(rsp->icid);
5074 result = le16_to_cpu(rsp->result);
5075
ad0ac6ca 5076 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5077
5b155ef9
MM		 5078 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5079 l2cap_move_continue(conn, icid, result);
5080 else
5081 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5082
5083 return 0;
5084}
5085
5f3847a4
MM		 5086static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5087 struct l2cap_cmd_hdr *cmd,
5088 u16 cmd_len, void *data)
8d5a04a1
MM		 5089{
5090 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5091 struct l2cap_chan *chan;
8d5a04a1
MM		 5092 u16 icid, result;
5093
5094 if (cmd_len != sizeof(*cfm))
5095 return -EPROTO;
5096
5097 icid = le16_to_cpu(cfm->icid);
5098 result = le16_to_cpu(cfm->result);
5099
ad0ac6ca 5100 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5101
5f3847a4
MM		 5102 chan = l2cap_get_chan_by_dcid(conn, icid);
5103 if (!chan) {
5104 /* Spec requires a response even if the icid was not found */
5105 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5106 return 0;
5107 }
5108
5109 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5110 if (result == L2CAP_MC_CONFIRMED) {
5111 chan->local_amp_id = chan->move_id;
6ed971ca 5112 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5113 __release_logical_link(chan);
5114 } else {
5115 chan->move_id = chan->local_amp_id;
5116 }
5117
5118 l2cap_move_done(chan);
5119 }
5120
8d5a04a1
MM		 5121 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5122
5f3847a4
MM		 5123 l2cap_chan_unlock(chan);
5124
8d5a04a1
MM		 5125 return 0;
5126}
5127
5128static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5129 struct l2cap_cmd_hdr *cmd,
5130 u16 cmd_len, void *data)
8d5a04a1
MM		 5131{
5132 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5133 struct l2cap_chan *chan;
8d5a04a1
MM		 5134 u16 icid;
5135
5136 if (cmd_len != sizeof(*rsp))
5137 return -EPROTO;
5138
5139 icid = le16_to_cpu(rsp->icid);
5140
ad0ac6ca 5141 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5142
3fd71a0a
MM		 5143 chan = l2cap_get_chan_by_scid(conn, icid);
5144 if (!chan)
5145 return 0;
5146
5147 __clear_chan_timer(chan);
5148
5149 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5150 chan->local_amp_id = chan->move_id;
5151
6ed971ca 5152 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5153 __release_logical_link(chan);
5154
5155 l2cap_move_done(chan);
5156 }
5157
5158 l2cap_chan_unlock(chan);
5159
8d5a04a1
MM		 5160 return 0;
5161}
5162
de73115a 5163static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5164 struct l2cap_cmd_hdr *cmd,
203e639e 5165 u16 cmd_len, u8 *data)
de73115a
CT		 5166{
5167 struct hci_conn *hcon = conn->hcon;
5168 struct l2cap_conn_param_update_req *req;
5169 struct l2cap_conn_param_update_rsp rsp;
203e639e 5170 u16 min, max, latency, to_multiplier;
2ce603eb 5171 int err;
de73115a 5172
40bef302 5173 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5174 return -EINVAL;
5175
de73115a
CT		 5176 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5177 return -EPROTO;
5178
5179 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5180 min = __le16_to_cpu(req->min);
5181 max = __le16_to_cpu(req->max);
de73115a
CT		 5182 latency = __le16_to_cpu(req->latency);
5183 to_multiplier = __le16_to_cpu(req->to_multiplier);
5184
5185 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5186 min, max, latency, to_multiplier);
de73115a
CT		 5187
5188 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5189
d4905f24 5190 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5191 if (err)
dcf4adbf 5192 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5193 else
dcf4adbf 5194 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5195
5196 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5197 sizeof(rsp), &rsp);
de73115a 5198
ffb5a827 5199 if (!err) {
f4869e2a
JH		 5200 u8 store_hint;
5201
5202 store_hint = hci_le_conn_update(hcon, min, max, latency,
5203 to_multiplier);
ffb5a827 5204 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5205 store_hint, min, max, latency,
5206 to_multiplier);
ffb5a827 5207
ffb5a827 5208 }
2ce603eb 5209
de73115a
CT		 5210 return 0;
5211}
5212
f1496dee
JH		 5213static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5214 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5215 u8 *data)
5216{
5217 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5218 u16 dcid, mtu, mps, credits, result;
5219 struct l2cap_chan *chan;
5220 int err;
5221
5222 if (cmd_len < sizeof(*rsp))
5223 return -EPROTO;
5224
5225 dcid = __le16_to_cpu(rsp->dcid);
5226 mtu = __le16_to_cpu(rsp->mtu);
5227 mps = __le16_to_cpu(rsp->mps);
5228 credits = __le16_to_cpu(rsp->credits);
5229 result = __le16_to_cpu(rsp->result);
5230
5231 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5232 return -EPROTO;
5233
5234 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5235 dcid, mtu, mps, credits, result);
5236
5237 mutex_lock(&conn->chan_lock);
5238
5239 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5240 if (!chan) {
5241 err = -EBADSLT;
5242 goto unlock;
5243 }
5244
5245 err = 0;
5246
5247 l2cap_chan_lock(chan);
5248
5249 switch (result) {
5250 case L2CAP_CR_SUCCESS:
5251 chan->ident = 0;
5252 chan->dcid = dcid;
5253 chan->omtu = mtu;
5254 chan->remote_mps = mps;
0cd75f7e 5255 chan->tx_credits = credits;
f1496dee
JH		 5256 l2cap_chan_ready(chan);
5257 break;
5258
5259 default:
5260 l2cap_chan_del(chan, ECONNREFUSED);
5261 break;
5262 }
5263
5264 l2cap_chan_unlock(chan);
5265
5266unlock:
5267 mutex_unlock(&conn->chan_lock);
5268
5269 return err;
5270}
5271
3300d9a9 5272static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5273 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5274 u8 *data)
3300d9a9
CT		 5275{
5276 int err = 0;
5277
5278 switch (cmd->code) {
5279 case L2CAP_COMMAND_REJ:
cb3b3152 5280 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5281 break;
5282
5283 case L2CAP_CONN_REQ:
cb3b3152 5284 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5285 break;
5286
5287 case L2CAP_CONN_RSP:
f5a2598d 5288 case L2CAP_CREATE_CHAN_RSP:
9245e737 5289 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5290 break;
5291
5292 case L2CAP_CONF_REQ:
5293 err = l2cap_config_req(conn, cmd, cmd_len, data);
5294 break;
5295
5296 case L2CAP_CONF_RSP:
9245e737 5297 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5298 break;
5299
5300 case L2CAP_DISCONN_REQ:
cb3b3152 5301 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5302 break;
5303
5304 case L2CAP_DISCONN_RSP:
9245e737 5305 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5306 break;
5307
5308 case L2CAP_ECHO_REQ:
5309 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5310 break;
5311
5312 case L2CAP_ECHO_RSP:
5313 break;
5314
5315 case L2CAP_INFO_REQ:
cb3b3152 5316 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5317 break;
5318
5319 case L2CAP_INFO_RSP:
9245e737 5320 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5321 break;
5322
f94ff6ff
MM		 5323 case L2CAP_CREATE_CHAN_REQ:
5324 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5325 break;
5326
8d5a04a1
MM		 5327 case L2CAP_MOVE_CHAN_REQ:
5328 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5329 break;
5330
5331 case L2CAP_MOVE_CHAN_RSP:
9245e737 5332 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5333 break;
5334
5335 case L2CAP_MOVE_CHAN_CFM:
5336 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5337 break;
5338
5339 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5340 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5341 break;
5342
3300d9a9
CT		 5343 default:
5344 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5345 err = -EINVAL;
5346 break;
5347 }
5348
5349 return err;
5350}
5351
27e2d4c8
JH		 5352static int l2cap_le_connect_req(struct l2cap_conn *conn,
5353 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5354 u8 *data)
5355{
5356 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5357 struct l2cap_le_conn_rsp rsp;
5358 struct l2cap_chan *chan, *pchan;
0cd75f7e 5359 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5360 __le16 psm;
5361 u8 result;
5362
5363 if (cmd_len != sizeof(*req))
5364 return -EPROTO;
5365
5366 scid = __le16_to_cpu(req->scid);
5367 mtu = __le16_to_cpu(req->mtu);
5368 mps = __le16_to_cpu(req->mps);
5369 psm = req->psm;
5370 dcid = 0;
0cd75f7e 5371 credits = 0;
27e2d4c8
JH		 5372
5373 if (mtu < 23 || mps < 23)
5374 return -EPROTO;
5375
5376 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5377 scid, mtu, mps);
5378
5379 /* Check if we have socket listening on psm */
5380 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5381 &conn->hcon->dst, LE_LINK);
5382 if (!pchan) {
5383 result = L2CAP_CR_BAD_PSM;
5384 chan = NULL;
5385 goto response;
5386 }
5387
5388 mutex_lock(&conn->chan_lock);
5389 l2cap_chan_lock(pchan);
5390
5391 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5392 result = L2CAP_CR_AUTHENTICATION;
5393 chan = NULL;
5394 goto response_unlock;
5395 }
5396
5397 /* Check if we already have channel with that dcid */
5398 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5399 result = L2CAP_CR_NO_MEM;
5400 chan = NULL;
5401 goto response_unlock;
5402 }
5403
5404 chan = pchan->ops->new_connection(pchan);
5405 if (!chan) {
5406 result = L2CAP_CR_NO_MEM;
5407 goto response_unlock;
5408 }
5409
0ce43ce6
JH		 5410 l2cap_le_flowctl_init(chan);
5411
27e2d4c8
JH		 5412 bacpy(&chan->src, &conn->hcon->src);
5413 bacpy(&chan->dst, &conn->hcon->dst);
5414 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5415 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5416 chan->psm = psm;
5417 chan->dcid = scid;
5418 chan->omtu = mtu;
5419 chan->remote_mps = mps;
0cd75f7e 5420 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5421
5422 __l2cap_chan_add(conn, chan);
5423 dcid = chan->scid;
0cd75f7e 5424 credits = chan->rx_credits;
27e2d4c8
JH		 5425
5426 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5427
5428 chan->ident = cmd->ident;
5429
5430 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5431 l2cap_state_change(chan, BT_CONNECT2);
434714dc
JH		 5432 /* The following result value is actually not defined
5433 * for LE CoC but we use it to let the function know
5434 * that it should bail out after doing its cleanup
5435 * instead of sending a response.
5436 */
27e2d4c8
JH		 5437 result = L2CAP_CR_PEND;
5438 chan->ops->defer(chan);
5439 } else {
5440 l2cap_chan_ready(chan);
5441 result = L2CAP_CR_SUCCESS;
5442 }
5443
5444response_unlock:
5445 l2cap_chan_unlock(pchan);
5446 mutex_unlock(&conn->chan_lock);
a24cce14 5447 l2cap_chan_put(pchan);
27e2d4c8
JH		 5448
5449 if (result == L2CAP_CR_PEND)
5450 return 0;
5451
5452response:
5453 if (chan) {
5454 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5455 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5456 } else {
5457 rsp.mtu = 0;
5458 rsp.mps = 0;
5459 }
5460
5461 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5462 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5463 rsp.result = cpu_to_le16(result);
5464
5465 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5466
5467 return 0;
5468}
5469
fad5fc89
JH		 5470static inline int l2cap_le_credits(struct l2cap_conn *conn,
5471 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5472 u8 *data)
5473{
5474 struct l2cap_le_credits *pkt;
5475 struct l2cap_chan *chan;
0f1bfe4e 5476 u16 cid, credits, max_credits;
fad5fc89
JH		 5477
5478 if (cmd_len != sizeof(*pkt))
5479 return -EPROTO;
5480
5481 pkt = (struct l2cap_le_credits *) data;
5482 cid = __le16_to_cpu(pkt->cid);
5483 credits = __le16_to_cpu(pkt->credits);
5484
5485 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5486
5487 chan = l2cap_get_chan_by_dcid(conn, cid);
5488 if (!chan)
5489 return -EBADSLT;
5490
0f1bfe4e
JH		 5491 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5492 if (credits > max_credits) {
5493 BT_ERR("LE credits overflow");
5494 l2cap_send_disconn_req(chan, ECONNRESET);
ee93053d 5495 l2cap_chan_unlock(chan);
0f1bfe4e
JH		 5496
5497 /* Return 0 so that we don't trigger an unnecessary
5498 * command reject packet.
5499 */
5500 return 0;
5501 }
5502
fad5fc89
JH		 5503 chan->tx_credits += credits;
5504
5505 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5506 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5507 chan->tx_credits--;
5508 }
5509
5510 if (chan->tx_credits)
5511 chan->ops->resume(chan);
5512
5513 l2cap_chan_unlock(chan);
5514
5515 return 0;
5516}
5517
71fb4197
JH		 5518static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5519 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5520 u8 *data)
5521{
5522 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5523 struct l2cap_chan *chan;
5524
5525 if (cmd_len < sizeof(*rej))
5526 return -EPROTO;
5527
5528 mutex_lock(&conn->chan_lock);
5529
5530 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5531 if (!chan)
5532 goto done;
5533
5534 l2cap_chan_lock(chan);
5535 l2cap_chan_del(chan, ECONNREFUSED);
5536 l2cap_chan_unlock(chan);
5537
5538done:
5539 mutex_unlock(&conn->chan_lock);
5540 return 0;
5541}
5542
3300d9a9 5543static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5544 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5545 u8 *data)
3300d9a9 5546{
b5ecba64
JH		 5547 int err = 0;
5548
3300d9a9
CT		 5549 switch (cmd->code) {
5550 case L2CAP_COMMAND_REJ:
71fb4197 5551 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5552 break;
3300d9a9
CT		 5553
5554 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5555 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5556 break;
3300d9a9
CT		 5557
5558 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5559 break;
3300d9a9 5560
f1496dee
JH		 5561 case L2CAP_LE_CONN_RSP:
5562 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5563 break;
f1496dee 5564
27e2d4c8 5565 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5566 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5567 break;
27e2d4c8 5568
fad5fc89
JH		 5569 case L2CAP_LE_CREDITS:
5570 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5571 break;
5572
3defe01a 5573 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5574 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5575 break;
3defe01a
JH		 5576
5577 case L2CAP_DISCONN_RSP:
5578 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5579 break;
3defe01a 5580
3300d9a9
CT		 5581 default:
5582 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5583 err = -EINVAL;
5584 break;
3300d9a9 5585 }
b5ecba64
JH		 5586
5587 return err;
3300d9a9
CT		 5588}
5589
c5623556
JH		 5590static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5591 struct sk_buff *skb)
5592{
69c4e4e8 5593 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5594 struct l2cap_cmd_hdr *cmd;
5595 u16 len;
c5623556
JH		 5596 int err;
5597
69c4e4e8 5598 if (hcon->type != LE_LINK)
3b166295 5599 goto drop;
69c4e4e8 5600
4f3e219d
MH		 5601 if (skb->len < L2CAP_CMD_HDR_SIZE)
5602 goto drop;
c5623556 5603
4f3e219d
MH		 5604 cmd = (void *) skb->data;
5605 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5606
4f3e219d 5607 len = le16_to_cpu(cmd->len);
c5623556 5608
4f3e219d 5609 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5610
4f3e219d
MH		 5611 if (len != skb->len || !cmd->ident) {
5612 BT_DBG("corrupted command");
5613 goto drop;
5614 }
c5623556 5615
203e639e 5616 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5617 if (err) {
5618 struct l2cap_cmd_rej_unk rej;
c5623556 5619
4f3e219d 5620 BT_ERR("Wrong link type (%d)", err);
c5623556 5621
dcf4adbf 5622 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5623 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5624 sizeof(rej), &rej);
c5623556
JH		 5625 }
5626
3b166295 5627drop:
c5623556
JH		 5628 kfree_skb(skb);
5629}
5630
3300d9a9 5631static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5632 struct sk_buff *skb)
1da177e4 5633{
69c4e4e8 5634 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5635 u8 *data = skb->data;
5636 int len = skb->len;
5637 struct l2cap_cmd_hdr cmd;
3300d9a9 5638 int err;
1da177e4
LT		 5639
5640 l2cap_raw_recv(conn, skb);
5641
69c4e4e8 5642 if (hcon->type != ACL_LINK)
3b166295 5643 goto drop;
69c4e4e8 5644
1da177e4 5645 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5646 u16 cmd_len;
1da177e4
LT		 5647 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5648 data += L2CAP_CMD_HDR_SIZE;
5649 len -= L2CAP_CMD_HDR_SIZE;
5650
88219a0f 5651 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5652
2d792818
GP		 5653 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5654 cmd.ident);
1da177e4 5655
88219a0f 5656 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5657 BT_DBG("corrupted command");
5658 break;
5659 }
5660
c5623556 5661 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5662 if (err) {
e2fd318e 5663 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5664
5665 BT_ERR("Wrong link type (%d)", err);
1da177e4 5666
dcf4adbf 5667 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5668 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5669 sizeof(rej), &rej);
1da177e4
LT		 5670 }
5671
88219a0f
AV		 5672 data += cmd_len;
5673 len -= cmd_len;
1da177e4
LT		 5674 }
5675
3b166295 5676drop:
1da177e4
LT		 5677 kfree_skb(skb);
5678}
5679
47d1ec61 5680static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5681{
5682 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5683 int hdr_size;
5684
5685 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5686 hdr_size = L2CAP_EXT_HDR_SIZE;
5687 else
5688 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5689
47d1ec61 5690 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5691 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5692 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5693 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5694
5695 if (our_fcs != rcv_fcs)
7a560e5c 5696 return -EBADMSG;
fcc203c3
GP		 5697 }
5698 return 0;
5699}
5700
6ea00485 5701static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5702{
e31f7633 5703 struct l2cap_ctrl control;
d5392c8f 5704
e31f7633 5705 BT_DBG("chan %p", chan);
d5392c8f 5706
e31f7633
MM		 5707 memset(&control, 0, sizeof(control));
5708 control.sframe = 1;
5709 control.final = 1;
5710 control.reqseq = chan->buffer_seq;
5711 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5712
e2ab4353 5713 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5714 control.super = L2CAP_SUPER_RNR;
5715 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5716 }
5717
e31f7633
MM		 5718 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5719 chan->unacked_frames > 0)
5720 __set_retrans_timer(chan);
d5392c8f 5721
e31f7633 5722 /* Send pending iframes */
525cd185 5723 l2cap_ertm_send(chan);
d5392c8f 5724
e2ab4353 5725 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5726 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5727 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5728 * send it now.
5729 */
5730 control.super = L2CAP_SUPER_RR;
5731 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5732 }
5733}
5734
2d792818
GP		 5735static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5736 struct sk_buff **last_frag)
18778a63 5737{
84084a31
MM		 5738 /* skb->len reflects data in skb as well as all fragments
5739 * skb->data_len reflects only data in fragments
5740 */
5741 if (!skb_has_frag_list(skb))
5742 skb_shinfo(skb)->frag_list = new_frag;
5743
5744 new_frag->next = NULL;
5745
5746 (*last_frag)->next = new_frag;
5747 *last_frag = new_frag;
5748
5749 skb->len += new_frag->len;
5750 skb->data_len += new_frag->len;
5751 skb->truesize += new_frag->truesize;
5752}
5753
4b51dae9
MM		 5754static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5755 struct l2cap_ctrl *control)
84084a31
MM		 5756{
5757 int err = -EINVAL;
18778a63 5758
4b51dae9 5759 switch (control->sar) {
7e0ef6ee 5760 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5761 if (chan->sdu)
5762 break;
18778a63 5763
80b98027 5764 err = chan->ops->recv(chan, skb);
84084a31 5765 break;
18778a63 5766
7e0ef6ee 5767 case L2CAP_SAR_START:
84084a31
MM		 5768 if (chan->sdu)
5769 break;
18778a63 5770
6f61fd47 5771 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5772 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5773
84084a31
MM		 5774 if (chan->sdu_len > chan->imtu) {
5775 err = -EMSGSIZE;
5776 break;
5777 }
1890d36b 5778
84084a31
MM		 5779 if (skb->len >= chan->sdu_len)
5780 break;
18778a63 5781
84084a31
MM		 5782 chan->sdu = skb;
5783 chan->sdu_last_frag = skb;
18778a63 5784
84084a31
MM		 5785 skb = NULL;
5786 err = 0;
18778a63
GP		 5787 break;
5788
7e0ef6ee 5789 case L2CAP_SAR_CONTINUE:
6f61fd47 5790 if (!chan->sdu)
84084a31 5791 break;
18778a63 5792
84084a31
MM		 5793 append_skb_frag(chan->sdu, skb,
5794 &chan->sdu_last_frag);
5795 skb = NULL;
18778a63 5796
84084a31
MM		 5797 if (chan->sdu->len >= chan->sdu_len)
5798 break;
4178ba46 5799
84084a31 5800 err = 0;
18778a63
GP		 5801 break;
5802
7e0ef6ee 5803 case L2CAP_SAR_END:
6f61fd47 5804 if (!chan->sdu)
84084a31 5805 break;
18778a63 5806
84084a31
MM		 5807 append_skb_frag(chan->sdu, skb,
5808 &chan->sdu_last_frag);
5809 skb = NULL;
4178ba46 5810
84084a31
MM		 5811 if (chan->sdu->len != chan->sdu_len)
5812 break;
18778a63 5813
80b98027 5814 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5815
84084a31
MM		 5816 if (!err) {
5817 /* Reassembly complete */
5818 chan->sdu = NULL;
5819 chan->sdu_last_frag = NULL;
5820 chan->sdu_len = 0;
1890d36b 5821 }
18778a63
GP		 5822 break;
5823 }
5824
84084a31
MM		 5825 if (err) {
5826 kfree_skb(skb);
5827 kfree_skb(chan->sdu);
5828 chan->sdu = NULL;
5829 chan->sdu_last_frag = NULL;
5830 chan->sdu_len = 0;
5831 }
18778a63 5832
84084a31 5833 return err;
18778a63
GP		 5834}
5835
32b32735
MM		 5836static int l2cap_resegment(struct l2cap_chan *chan)
5837{
5838 /* Placeholder */
5839 return 0;
5840}
5841
61aa4f5b 5842void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5843{
61aa4f5b 5844 u8 event;
712132eb 5845
61aa4f5b
MM		 5846 if (chan->mode != L2CAP_MODE_ERTM)
5847 return;
712132eb 5848
61aa4f5b 5849 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5850 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5851}
5852
d2a7ac5d
MM		 5853static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5854{
63838725
MM		 5855 int err = 0;
5856 /* Pass sequential frames to l2cap_reassemble_sdu()
5857 * until a gap is encountered.
5858 */
5859
5860 BT_DBG("chan %p", chan);
5861
5862 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5863 struct sk_buff *skb;
5864 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5865 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5866
5867 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5868
5869 if (!skb)
5870 break;
5871
5872 skb_unlink(skb, &chan->srej_q);
5873 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5874 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5875 if (err)
5876 break;
5877 }
5878
5879 if (skb_queue_empty(&chan->srej_q)) {
5880 chan->rx_state = L2CAP_RX_STATE_RECV;
5881 l2cap_send_ack(chan);
5882 }
5883
5884 return err;
d2a7ac5d
MM		 5885}
5886
5887static void l2cap_handle_srej(struct l2cap_chan *chan,
5888 struct l2cap_ctrl *control)
5889{
f80842a8
MM		 5890 struct sk_buff *skb;
5891
5892 BT_DBG("chan %p, control %p", chan, control);
5893
5894 if (control->reqseq == chan->next_tx_seq) {
5895 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5896 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5897 return;
5898 }
5899
5900 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5901
5902 if (skb == NULL) {
5903 BT_DBG("Seq %d not available for retransmission",
5904 control->reqseq);
5905 return;
5906 }
5907
5908 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5909 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5910 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5911 return;
5912 }
5913
5914 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5915
5916 if (control->poll) {
5917 l2cap_pass_to_tx(chan, control);
5918
5919 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5920 l2cap_retransmit(chan, control);
5921 l2cap_ertm_send(chan);
5922
5923 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5924 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5925 chan->srej_save_reqseq = control->reqseq;
5926 }
5927 } else {
5928 l2cap_pass_to_tx_fbit(chan, control);
5929
5930 if (control->final) {
5931 if (chan->srej_save_reqseq != control->reqseq ||
5932 !test_and_clear_bit(CONN_SREJ_ACT,
5933 &chan->conn_state))
5934 l2cap_retransmit(chan, control);
5935 } else {
5936 l2cap_retransmit(chan, control);
5937 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5938 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5939 chan->srej_save_reqseq = control->reqseq;
5940 }
5941 }
5942 }
d2a7ac5d
MM		 5943}
5944
5945static void l2cap_handle_rej(struct l2cap_chan *chan,
5946 struct l2cap_ctrl *control)
5947{
fcd289df
MM		 5948 struct sk_buff *skb;
5949
5950 BT_DBG("chan %p, control %p", chan, control);
5951
5952 if (control->reqseq == chan->next_tx_seq) {
5953 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5954 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5955 return;
5956 }
5957
5958 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5959
5960 if (chan->max_tx && skb &&
5961 bt_cb(skb)->control.retries >= chan->max_tx) {
5962 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5963 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5964 return;
5965 }
5966
5967 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5968
5969 l2cap_pass_to_tx(chan, control);
5970
5971 if (control->final) {
5972 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5973 l2cap_retransmit_all(chan, control);
5974 } else {
5975 l2cap_retransmit_all(chan, control);
5976 l2cap_ertm_send(chan);
5977 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5978 set_bit(CONN_REJ_ACT, &chan->conn_state);
5979 }
d2a7ac5d
MM		 5980}
5981
4b51dae9
MM		 5982static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5983{
5984 BT_DBG("chan %p, txseq %d", chan, txseq);
5985
5986 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5987 chan->expected_tx_seq);
5988
5989 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5990 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5991 chan->tx_win) {
4b51dae9
MM		 5992 /* See notes below regarding "double poll" and
5993 * invalid packets.
5994 */
5995 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5996 BT_DBG("Invalid/Ignore - after SREJ");
5997 return L2CAP_TXSEQ_INVALID_IGNORE;
5998 } else {
5999 BT_DBG("Invalid - in window after SREJ sent");
6000 return L2CAP_TXSEQ_INVALID;
6001 }
6002 }
6003
6004 if (chan->srej_list.head == txseq) {
6005 BT_DBG("Expected SREJ");
6006 return L2CAP_TXSEQ_EXPECTED_SREJ;
6007 }
6008
6009 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6010 BT_DBG("Duplicate SREJ - txseq already stored");
6011 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6012 }
6013
6014 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6015 BT_DBG("Unexpected SREJ - not requested");
6016 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6017 }
6018 }
6019
6020 if (chan->expected_tx_seq == txseq) {
6021 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6022 chan->tx_win) {
6023 BT_DBG("Invalid - txseq outside tx window");
6024 return L2CAP_TXSEQ_INVALID;
6025 } else {
6026 BT_DBG("Expected");
6027 return L2CAP_TXSEQ_EXPECTED;
6028 }
6029 }
6030
6031 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6032 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6033 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6034 return L2CAP_TXSEQ_DUPLICATE;
6035 }
6036
6037 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6038 /* A source of invalid packets is a "double poll" condition,
6039 * where delays cause us to send multiple poll packets. If
6040 * the remote stack receives and processes both polls,
6041 * sequence numbers can wrap around in such a way that a
6042 * resent frame has a sequence number that looks like new data
6043 * with a sequence gap. This would trigger an erroneous SREJ
6044 * request.
6045 *
6046 * Fortunately, this is impossible with a tx window that's
6047 * less than half of the maximum sequence number, which allows
6048 * invalid frames to be safely ignored.
6049 *
6050 * With tx window sizes greater than half of the tx window
6051 * maximum, the frame is invalid and cannot be ignored. This
6052 * causes a disconnect.
6053 */
6054
6055 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6056 BT_DBG("Invalid/Ignore - txseq outside tx window");
6057 return L2CAP_TXSEQ_INVALID_IGNORE;
6058 } else {
6059 BT_DBG("Invalid - txseq outside tx window");
6060 return L2CAP_TXSEQ_INVALID;
6061 }
6062 } else {
6063 BT_DBG("Unexpected - txseq indicates missing frames");
6064 return L2CAP_TXSEQ_UNEXPECTED;
6065 }
6066}
6067
d2a7ac5d
MM		 6068static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6069 struct l2cap_ctrl *control,
6070 struct sk_buff *skb, u8 event)
6071{
6072 int err = 0;
941247f9 6073 bool skb_in_use = false;
d2a7ac5d
MM		 6074
6075 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6076 event);
6077
6078 switch (event) {
6079 case L2CAP_EV_RECV_IFRAME:
6080 switch (l2cap_classify_txseq(chan, control->txseq)) {
6081 case L2CAP_TXSEQ_EXPECTED:
6082 l2cap_pass_to_tx(chan, control);
6083
6084 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6085 BT_DBG("Busy, discarding expected seq %d",
6086 control->txseq);
6087 break;
6088 }
6089
6090 chan->expected_tx_seq = __next_seq(chan,
6091 control->txseq);
6092
6093 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6094 skb_in_use = true;
d2a7ac5d
MM		 6095
6096 err = l2cap_reassemble_sdu(chan, skb, control);
6097 if (err)
6098 break;
6099
6100 if (control->final) {
6101 if (!test_and_clear_bit(CONN_REJ_ACT,
6102 &chan->conn_state)) {
6103 control->final = 0;
6104 l2cap_retransmit_all(chan, control);
6105 l2cap_ertm_send(chan);
6106 }
6107 }
6108
6109 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6110 l2cap_send_ack(chan);
6111 break;
6112 case L2CAP_TXSEQ_UNEXPECTED:
6113 l2cap_pass_to_tx(chan, control);
6114
6115 /* Can't issue SREJ frames in the local busy state.
6116 * Drop this frame, it will be seen as missing
6117 * when local busy is exited.
6118 */
6119 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6120 BT_DBG("Busy, discarding unexpected seq %d",
6121 control->txseq);
6122 break;
6123 }
6124
6125 /* There was a gap in the sequence, so an SREJ
6126 * must be sent for each missing frame. The
6127 * current frame is stored for later use.
6128 */
6129 skb_queue_tail(&chan->srej_q, skb);
941247f9 6130 skb_in_use = true;
d2a7ac5d
MM		 6131 BT_DBG("Queued %p (queue len %d)", skb,
6132 skb_queue_len(&chan->srej_q));
6133
6134 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6135 l2cap_seq_list_clear(&chan->srej_list);
6136 l2cap_send_srej(chan, control->txseq);
6137
6138 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6139 break;
6140 case L2CAP_TXSEQ_DUPLICATE:
6141 l2cap_pass_to_tx(chan, control);
6142 break;
6143 case L2CAP_TXSEQ_INVALID_IGNORE:
6144 break;
6145 case L2CAP_TXSEQ_INVALID:
6146 default:
5e4e3972 6147 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6148 break;
6149 }
6150 break;
6151 case L2CAP_EV_RECV_RR:
6152 l2cap_pass_to_tx(chan, control);
6153 if (control->final) {
6154 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6155
e6a3ee6e
MM		 6156 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6157 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6158 control->final = 0;
6159 l2cap_retransmit_all(chan, control);
6160 }
6161
6162 l2cap_ertm_send(chan);
6163 } else if (control->poll) {
6164 l2cap_send_i_or_rr_or_rnr(chan);
6165 } else {
6166 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6167 &chan->conn_state) &&
6168 chan->unacked_frames)
6169 __set_retrans_timer(chan);
6170
6171 l2cap_ertm_send(chan);
6172 }
6173 break;
6174 case L2CAP_EV_RECV_RNR:
6175 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6176 l2cap_pass_to_tx(chan, control);
6177 if (control && control->poll) {
6178 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6179 l2cap_send_rr_or_rnr(chan, 0);
6180 }
6181 __clear_retrans_timer(chan);
6182 l2cap_seq_list_clear(&chan->retrans_list);
6183 break;
6184 case L2CAP_EV_RECV_REJ:
6185 l2cap_handle_rej(chan, control);
6186 break;
6187 case L2CAP_EV_RECV_SREJ:
6188 l2cap_handle_srej(chan, control);
6189 break;
6190 default:
6191 break;
6192 }
6193
6194 if (skb && !skb_in_use) {
6195 BT_DBG("Freeing %p", skb);
6196 kfree_skb(skb);
6197 }
6198
6199 return err;
6200}
6201
6202static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6203 struct l2cap_ctrl *control,
6204 struct sk_buff *skb, u8 event)
6205{
6206 int err = 0;
6207 u16 txseq = control->txseq;
941247f9 6208 bool skb_in_use = false;
d2a7ac5d
MM		 6209
6210 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6211 event);
6212
6213 switch (event) {
6214 case L2CAP_EV_RECV_IFRAME:
6215 switch (l2cap_classify_txseq(chan, txseq)) {
6216 case L2CAP_TXSEQ_EXPECTED:
6217 /* Keep frame for reassembly later */
6218 l2cap_pass_to_tx(chan, control);
6219 skb_queue_tail(&chan->srej_q, skb);
941247f9 6220 skb_in_use = true;
d2a7ac5d
MM		 6221 BT_DBG("Queued %p (queue len %d)", skb,
6222 skb_queue_len(&chan->srej_q));
6223
6224 chan->expected_tx_seq = __next_seq(chan, txseq);
6225 break;
6226 case L2CAP_TXSEQ_EXPECTED_SREJ:
6227 l2cap_seq_list_pop(&chan->srej_list);
6228
6229 l2cap_pass_to_tx(chan, control);
6230 skb_queue_tail(&chan->srej_q, skb);
941247f9 6231 skb_in_use = true;
d2a7ac5d
MM		 6232 BT_DBG("Queued %p (queue len %d)", skb,
6233 skb_queue_len(&chan->srej_q));
6234
6235 err = l2cap_rx_queued_iframes(chan);
6236 if (err)
6237 break;
6238
6239 break;
6240 case L2CAP_TXSEQ_UNEXPECTED:
6241 /* Got a frame that can't be reassembled yet.
6242 * Save it for later, and send SREJs to cover
6243 * the missing frames.
6244 */
6245 skb_queue_tail(&chan->srej_q, skb);
941247f9 6246 skb_in_use = true;
d2a7ac5d
MM		 6247 BT_DBG("Queued %p (queue len %d)", skb,
6248 skb_queue_len(&chan->srej_q));
6249
6250 l2cap_pass_to_tx(chan, control);
6251 l2cap_send_srej(chan, control->txseq);
6252 break;
6253 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6254 /* This frame was requested with an SREJ, but
6255 * some expected retransmitted frames are
6256 * missing. Request retransmission of missing
6257 * SREJ'd frames.
6258 */
6259 skb_queue_tail(&chan->srej_q, skb);
941247f9 6260 skb_in_use = true;
d2a7ac5d
MM		 6261 BT_DBG("Queued %p (queue len %d)", skb,
6262 skb_queue_len(&chan->srej_q));
6263
6264 l2cap_pass_to_tx(chan, control);
6265 l2cap_send_srej_list(chan, control->txseq);
6266 break;
6267 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6268 /* We've already queued this frame. Drop this copy. */
6269 l2cap_pass_to_tx(chan, control);
6270 break;
6271 case L2CAP_TXSEQ_DUPLICATE:
6272 /* Expecting a later sequence number, so this frame
6273 * was already received. Ignore it completely.
6274 */
6275 break;
6276 case L2CAP_TXSEQ_INVALID_IGNORE:
6277 break;
6278 case L2CAP_TXSEQ_INVALID:
6279 default:
5e4e3972 6280 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6281 break;
6282 }
6283 break;
6284 case L2CAP_EV_RECV_RR:
6285 l2cap_pass_to_tx(chan, control);
6286 if (control->final) {
6287 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6288
6289 if (!test_and_clear_bit(CONN_REJ_ACT,
6290 &chan->conn_state)) {
6291 control->final = 0;
6292 l2cap_retransmit_all(chan, control);
6293 }
6294
6295 l2cap_ertm_send(chan);
6296 } else if (control->poll) {
6297 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6298 &chan->conn_state) &&
6299 chan->unacked_frames) {
6300 __set_retrans_timer(chan);
6301 }
6302
6303 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6304 l2cap_send_srej_tail(chan);
6305 } else {
6306 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6307 &chan->conn_state) &&
6308 chan->unacked_frames)
6309 __set_retrans_timer(chan);
6310
6311 l2cap_send_ack(chan);
6312 }
6313 break;
6314 case L2CAP_EV_RECV_RNR:
6315 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6316 l2cap_pass_to_tx(chan, control);
6317 if (control->poll) {
6318 l2cap_send_srej_tail(chan);
6319 } else {
6320 struct l2cap_ctrl rr_control;
6321 memset(&rr_control, 0, sizeof(rr_control));
6322 rr_control.sframe = 1;
6323 rr_control.super = L2CAP_SUPER_RR;
6324 rr_control.reqseq = chan->buffer_seq;
6325 l2cap_send_sframe(chan, &rr_control);
6326 }
6327
6328 break;
6329 case L2CAP_EV_RECV_REJ:
6330 l2cap_handle_rej(chan, control);
6331 break;
6332 case L2CAP_EV_RECV_SREJ:
6333 l2cap_handle_srej(chan, control);
6334 break;
6335 }
6336
6337 if (skb && !skb_in_use) {
6338 BT_DBG("Freeing %p", skb);
6339 kfree_skb(skb);
6340 }
6341
6342 return err;
6343}
6344
32b32735
MM		 6345static int l2cap_finish_move(struct l2cap_chan *chan)
6346{
6347 BT_DBG("chan %p", chan);
6348
6349 chan->rx_state = L2CAP_RX_STATE_RECV;
6350
6351 if (chan->hs_hcon)
6352 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6353 else
6354 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6355
6356 return l2cap_resegment(chan);
6357}
6358
6359static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6360 struct l2cap_ctrl *control,
6361 struct sk_buff *skb, u8 event)
6362{
6363 int err;
6364
6365 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6366 event);
6367
6368 if (!control->poll)
6369 return -EPROTO;
6370
6371 l2cap_process_reqseq(chan, control->reqseq);
6372
6373 if (!skb_queue_empty(&chan->tx_q))
6374 chan->tx_send_head = skb_peek(&chan->tx_q);
6375 else
6376 chan->tx_send_head = NULL;
6377
6378 /* Rewind next_tx_seq to the point expected
6379 * by the receiver.
6380 */
6381 chan->next_tx_seq = control->reqseq;
6382 chan->unacked_frames = 0;
6383
6384 err = l2cap_finish_move(chan);
6385 if (err)
6386 return err;
6387
6388 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6389 l2cap_send_i_or_rr_or_rnr(chan);
6390
6391 if (event == L2CAP_EV_RECV_IFRAME)
6392 return -EPROTO;
6393
6394 return l2cap_rx_state_recv(chan, control, NULL, event);
6395}
6396
6397static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6398 struct l2cap_ctrl *control,
6399 struct sk_buff *skb, u8 event)
6400{
6401 int err;
6402
6403 if (!control->final)
6404 return -EPROTO;
6405
6406 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6407
6408 chan->rx_state = L2CAP_RX_STATE_RECV;
6409 l2cap_process_reqseq(chan, control->reqseq);
6410
6411 if (!skb_queue_empty(&chan->tx_q))
6412 chan->tx_send_head = skb_peek(&chan->tx_q);
6413 else
6414 chan->tx_send_head = NULL;
6415
6416 /* Rewind next_tx_seq to the point expected
6417 * by the receiver.
6418 */
6419 chan->next_tx_seq = control->reqseq;
6420 chan->unacked_frames = 0;
6421
6422 if (chan->hs_hcon)
6423 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6424 else
6425 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6426
6427 err = l2cap_resegment(chan);
6428
6429 if (!err)
6430 err = l2cap_rx_state_recv(chan, control, skb, event);
6431
6432 return err;
6433}
6434
d2a7ac5d
MM		 6435static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6436{
6437 /* Make sure reqseq is for a packet that has been sent but not acked */
6438 u16 unacked;
6439
6440 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6441 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6442}
6443
cec8ab6e
MM		 6444static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6445 struct sk_buff *skb, u8 event)
218bb9df 6446{
d2a7ac5d
MM		 6447 int err = 0;
6448
6449 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6450 control, skb, event, chan->rx_state);
6451
6452 if (__valid_reqseq(chan, control->reqseq)) {
6453 switch (chan->rx_state) {
6454 case L2CAP_RX_STATE_RECV:
6455 err = l2cap_rx_state_recv(chan, control, skb, event);
6456 break;
6457 case L2CAP_RX_STATE_SREJ_SENT:
6458 err = l2cap_rx_state_srej_sent(chan, control, skb,
6459 event);
6460 break;
32b32735
MM		 6461 case L2CAP_RX_STATE_WAIT_P:
6462 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6463 break;
6464 case L2CAP_RX_STATE_WAIT_F:
6465 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6466 break;
d2a7ac5d
MM		 6467 default:
6468 /* shut it down */
6469 break;
6470 }
6471 } else {
6472 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6473 control->reqseq, chan->next_tx_seq,
6474 chan->expected_ack_seq);
5e4e3972 6475 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6476 }
6477
6478 return err;
cec8ab6e
MM		 6479}
6480
6481static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6482 struct sk_buff *skb)
6483{
4b51dae9
MM		 6484 int err = 0;
6485
6486 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6487 chan->rx_state);
6488
6489 if (l2cap_classify_txseq(chan, control->txseq) ==
6490 L2CAP_TXSEQ_EXPECTED) {
6491 l2cap_pass_to_tx(chan, control);
6492
6493 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6494 __next_seq(chan, chan->buffer_seq));
6495
6496 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6497
6498 l2cap_reassemble_sdu(chan, skb, control);
6499 } else {
6500 if (chan->sdu) {
6501 kfree_skb(chan->sdu);
6502 chan->sdu = NULL;
6503 }
6504 chan->sdu_last_frag = NULL;
6505 chan->sdu_len = 0;
6506
6507 if (skb) {
6508 BT_DBG("Freeing %p", skb);
6509 kfree_skb(skb);
6510 }
6511 }
6512
6513 chan->last_acked_seq = control->txseq;
6514 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6515
6516 return err;
cec8ab6e
MM		 6517}
6518
6519static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6520{
6521 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6522 u16 len;
6523 u8 event;
218bb9df 6524
b76bbd66
MM		 6525 __unpack_control(chan, skb);
6526
218bb9df
GP		 6527 len = skb->len;
6528
6529 /*
6530 * We can just drop the corrupted I-frame here.
6531 * Receiver will miss it and start proper recovery
cec8ab6e 6532 * procedures and ask for retransmission.
218bb9df 6533 */
47d1ec61 6534 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6535 goto drop;
6536
cec8ab6e 6537 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6538 len -= L2CAP_SDULEN_SIZE;
218bb9df 6539
47d1ec61 6540 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6541 len -= L2CAP_FCS_SIZE;
218bb9df 6542
47d1ec61 6543 if (len > chan->mps) {
5e4e3972 6544 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6545 goto drop;
6546 }
6547
cec8ab6e
MM		 6548 if (!control->sframe) {
6549 int err;
218bb9df 6550
cec8ab6e
MM		 6551 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6552 control->sar, control->reqseq, control->final,
6553 control->txseq);
218bb9df 6554
cec8ab6e
MM		 6555 /* Validate F-bit - F=0 always valid, F=1 only
6556 * valid in TX WAIT_F
6557 */
6558 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6559 goto drop;
cec8ab6e
MM		 6560
6561 if (chan->mode != L2CAP_MODE_STREAMING) {
6562 event = L2CAP_EV_RECV_IFRAME;
6563 err = l2cap_rx(chan, control, skb, event);
6564 } else {
6565 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6566 }
6567
cec8ab6e 6568 if (err)
5e4e3972 6569 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6570 } else {
cec8ab6e
MM		 6571 const u8 rx_func_to_event[4] = {
6572 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6573 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6574 };
6575
6576 /* Only I-frames are expected in streaming mode */
6577 if (chan->mode == L2CAP_MODE_STREAMING)
6578 goto drop;
6579
6580 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6581 control->reqseq, control->final, control->poll,
6582 control->super);
6583
218bb9df 6584 if (len != 0) {
1bb166e6 6585 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6586 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6587 goto drop;
6588 }
6589
cec8ab6e
MM		 6590 /* Validate F and P bits */
6591 if (control->final && (control->poll ||
6592 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6593 goto drop;
6594
6595 event = rx_func_to_event[control->super];
6596 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6597 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6598 }
6599
6600 return 0;
6601
6602drop:
6603 kfree_skb(skb);
6604 return 0;
6605}
6606
b1c325c2
JH		 6607static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6608{
6609 struct l2cap_conn *conn = chan->conn;
6610 struct l2cap_le_credits pkt;
6611 u16 return_credits;
6612
6613 /* We return more credits to the sender only after the amount of
6614 * credits falls below half of the initial amount.
6615 */
f15b8ecf 6616 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6617 return;
6618
f15b8ecf 6619 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6620
6621 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6622
6623 chan->rx_credits += return_credits;
6624
6625 pkt.cid = cpu_to_le16(chan->scid);
6626 pkt.credits = cpu_to_le16(return_credits);
6627
6628 chan->ident = l2cap_get_ident(conn);
6629
6630 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6631}
6632
fad5fc89
JH		 6633static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6634{
aac23bf6
JH		 6635 int err;
6636
6637 if (!chan->rx_credits) {
6638 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6639 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6640 return -ENOBUFS;
aac23bf6 6641 }
fad5fc89 6642
aac23bf6
JH		 6643 if (chan->imtu < skb->len) {
6644 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6645 return -ENOBUFS;
aac23bf6 6646 }
fad5fc89
JH		 6647
6648 chan->rx_credits--;
6649 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6650
6651 l2cap_chan_le_send_credits(chan);
6652
aac23bf6
JH		 6653 err = 0;
6654
6655 if (!chan->sdu) {
6656 u16 sdu_len;
6657
6658 sdu_len = get_unaligned_le16(skb->data);
6659 skb_pull(skb, L2CAP_SDULEN_SIZE);
6660
6661 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6662 sdu_len, skb->len, chan->imtu);
6663
6664 if (sdu_len > chan->imtu) {
6665 BT_ERR("Too big LE L2CAP SDU length received");
6666 err = -EMSGSIZE;
6667 goto failed;
6668 }
6669
6670 if (skb->len > sdu_len) {
6671 BT_ERR("Too much LE L2CAP data received");
6672 err = -EINVAL;
6673 goto failed;
6674 }
6675
6676 if (skb->len == sdu_len)
6677 return chan->ops->recv(chan, skb);
6678
6679 chan->sdu = skb;
6680 chan->sdu_len = sdu_len;
6681 chan->sdu_last_frag = skb;
6682
6683 return 0;
6684 }
6685
6686 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6687 chan->sdu->len, skb->len, chan->sdu_len);
6688
6689 if (chan->sdu->len + skb->len > chan->sdu_len) {
6690 BT_ERR("Too much LE L2CAP data received");
6691 err = -EINVAL;
6692 goto failed;
6693 }
6694
6695 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6696 skb = NULL;
6697
6698 if (chan->sdu->len == chan->sdu_len) {
6699 err = chan->ops->recv(chan, chan->sdu);
6700 if (!err) {
6701 chan->sdu = NULL;
6702 chan->sdu_last_frag = NULL;
6703 chan->sdu_len = 0;
6704 }
6705 }
6706
6707failed:
6708 if (err) {
6709 kfree_skb(skb);
6710 kfree_skb(chan->sdu);
6711 chan->sdu = NULL;
6712 chan->sdu_last_frag = NULL;
6713 chan->sdu_len = 0;
6714 }
6715
6716 /* We can't return an error here since we took care of the skb
6717 * freeing internally. An error return would cause the caller to
6718 * do a double-free of the skb.
6719 */
6720 return 0;
fad5fc89
JH		 6721}
6722
13ca56e0
AE		 6723static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6724 struct sk_buff *skb)
1da177e4 6725{
48454079 6726 struct l2cap_chan *chan;
1da177e4 6727
baa7e1fa 6728 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6729 if (!chan) {
97e8e89d
AE		 6730 if (cid == L2CAP_CID_A2MP) {
6731 chan = a2mp_channel_create(conn, skb);
6732 if (!chan) {
6733 kfree_skb(skb);
13ca56e0 6734 return;
97e8e89d
AE		 6735 }
6736
6737 l2cap_chan_lock(chan);
6738 } else {
6739 BT_DBG("unknown cid 0x%4.4x", cid);
6740 /* Drop packet and return */
6741 kfree_skb(skb);
13ca56e0 6742 return;
97e8e89d 6743 }
1da177e4
LT		 6744 }
6745
49208c9c 6746 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6747
89bc500e 6748 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6749 goto drop;
6750
0c1bc5c6 6751 switch (chan->mode) {
38319713 6752 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6753 if (l2cap_le_data_rcv(chan, skb) < 0)
6754 goto drop;
6755
6756 goto done;
6757
1c2acffb
GP		 6758 case L2CAP_MODE_BASIC:
6759 /* If socket recv buffers overflows we drop data here
6760 * which is *bad* because L2CAP has to be reliable.
6761 * But we don't have any other choice. L2CAP doesn't
6762 * provide flow control mechanism. */
1da177e4 6763
2c96e03d
SJ		 6764 if (chan->imtu < skb->len) {
6765 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6766 goto drop;
2c96e03d 6767 }
1da177e4 6768
80b98027 6769 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6770 goto done;
6771 break;
6772
6773 case L2CAP_MODE_ERTM:
6840ed07 6774 case L2CAP_MODE_STREAMING:
cec8ab6e 6775 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6776 goto done;
6777
1c2acffb 6778 default:
0c1bc5c6 6779 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6780 break;
6781 }
1da177e4
LT		 6782
6783drop:
6784 kfree_skb(skb);
6785
6786done:
6be36555 6787 l2cap_chan_unlock(chan);
1da177e4
LT		 6788}
6789
84104b24
AE		 6790static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6791 struct sk_buff *skb)
1da177e4 6792{
ae4fd2d3 6793 struct hci_conn *hcon = conn->hcon;
23691d75 6794 struct l2cap_chan *chan;
1da177e4 6795
ae4fd2d3 6796 if (hcon->type != ACL_LINK)
a24cce14 6797 goto free_skb;
ae4fd2d3 6798
bf20fd4e
JH		 6799 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6800 ACL_LINK);
23691d75 6801 if (!chan)
a24cce14 6802 goto free_skb;
1da177e4 6803
5b4cedaa 6804 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6805
89bc500e 6806 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6807 goto drop;
6808
e13e21dc 6809 if (chan->imtu < skb->len)
1da177e4
LT		 6810 goto drop;
6811
2edf870d 6812 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6813 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6814 bt_cb(skb)->psm = psm;
6815
a24cce14
JH		 6816 if (!chan->ops->recv(chan, skb)) {
6817 l2cap_chan_put(chan);
84104b24 6818 return;
a24cce14 6819 }
1da177e4
LT		 6820
6821drop:
a24cce14
JH		 6822 l2cap_chan_put(chan);
6823free_skb:
1da177e4 6824 kfree_skb(skb);
1da177e4
LT		 6825}
6826
6827static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6828{
6829 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6830 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6831 u16 cid, len;
6832 __le16 psm;
1da177e4 6833
61a939c6
JH		 6834 if (hcon->state != BT_CONNECTED) {
6835 BT_DBG("queueing pending rx skb");
6836 skb_queue_tail(&conn->pending_rx, skb);
6837 return;
6838 }
6839
1da177e4
LT		 6840 skb_pull(skb, L2CAP_HDR_SIZE);
6841 cid = __le16_to_cpu(lh->cid);
6842 len = __le16_to_cpu(lh->len);
6843
1c2acffb
GP		 6844 if (len != skb->len) {
6845 kfree_skb(skb);
6846 return;
6847 }
6848
9e1d7e15
JH		 6849 /* Since we can't actively block incoming LE connections we must
6850 * at least ensure that we ignore incoming data from them.
6851 */
6852 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6853 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6854 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6855 kfree_skb(skb);
6856 return;
6857 }
6858
1da177e4
LT		 6859 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6860
6861 switch (cid) {
8db4dc46 6862 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6863 l2cap_sig_channel(conn, skb);
6864 break;
6865
8db4dc46 6866 case L2CAP_CID_CONN_LESS:
097db76c 6867 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6868 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6869 l2cap_conless_channel(conn, psm, skb);
6870 break;
6871
a2877629
MH		 6872 case L2CAP_CID_LE_SIGNALING:
6873 l2cap_le_sig_channel(conn, skb);
6874 break;
6875
1da177e4
LT		 6876 default:
6877 l2cap_data_channel(conn, cid, skb);
6878 break;
6879 }
6880}
6881
61a939c6
JH		 6882static void process_pending_rx(struct work_struct *work)
6883{
6884 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6885 pending_rx_work);
6886 struct sk_buff *skb;
6887
6888 BT_DBG("");
6889
6890 while ((skb = skb_dequeue(&conn->pending_rx)))
6891 l2cap_recv_frame(conn, skb);
6892}
6893
162b49e7
JH		 6894static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6895{
6896 struct l2cap_conn *conn = hcon->l2cap_data;
6897 struct hci_chan *hchan;
6898
6899 if (conn)
6900 return conn;
6901
6902 hchan = hci_chan_create(hcon);
6903 if (!hchan)
6904 return NULL;
6905
27f70f3e 6906 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6907 if (!conn) {
6908 hci_chan_del(hchan);
6909 return NULL;
6910 }
6911
6912 kref_init(&conn->ref);
6913 hcon->l2cap_data = conn;
51bb8457 6914 conn->hcon = hci_conn_get(hcon);
162b49e7
JH		 6915 conn->hchan = hchan;
6916
6917 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6918
6919 switch (hcon->type) {
6920 case LE_LINK:
6921 if (hcon->hdev->le_mtu) {
6922 conn->mtu = hcon->hdev->le_mtu;
6923 break;
6924 }
6925 /* fall through */
6926 default:
6927 conn->mtu = hcon->hdev->acl_mtu;
6928 break;
6929 }
6930
6931 conn->feat_mask = 0;
6932
6933 if (hcon->type == ACL_LINK)
6934 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6935 &hcon->hdev->dev_flags);
6936
5a54e7c8 6937 mutex_init(&conn->ident_lock);
162b49e7
JH		 6938 mutex_init(&conn->chan_lock);
6939
6940 INIT_LIST_HEAD(&conn->chan_l);
6941 INIT_LIST_HEAD(&conn->users);
6942
276d8073 6943 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6944
61a939c6
JH		 6945 skb_queue_head_init(&conn->pending_rx);
6946 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
f3d82d0c 6947 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
61a939c6 6948
162b49e7
JH		 6949 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6950
6951 return conn;
6952}
6953
6954static bool is_valid_psm(u16 psm, u8 dst_type) {
6955 if (!psm)
6956 return false;
6957
6958 if (bdaddr_type_is_le(dst_type))
6959 return (psm <= 0x00ff);
6960
6961 /* PSM must be odd and lsb of upper byte must be 0 */
6962 return ((psm & 0x0101) == 0x0001);
6963}
6964
6965int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6966 bdaddr_t *dst, u8 dst_type)
6967{
6968 struct l2cap_conn *conn;
6969 struct hci_conn *hcon;
6970 struct hci_dev *hdev;
162b49e7
JH		 6971 int err;
6972
6973 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6974 dst_type, __le16_to_cpu(psm));
6975
6976 hdev = hci_get_route(dst, &chan->src);
6977 if (!hdev)
6978 return -EHOSTUNREACH;
6979
6980 hci_dev_lock(hdev);
6981
162b49e7
JH		 6982 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6983 chan->chan_type != L2CAP_CHAN_RAW) {
6984 err = -EINVAL;
6985 goto done;
6986 }
6987
21626e62
JH		 6988 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6989 err = -EINVAL;
6990 goto done;
6991 }
6992
6993 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6994 err = -EINVAL;
6995 goto done;
6996 }
6997
6998 switch (chan->mode) {
6999 case L2CAP_MODE_BASIC:
7000 break;
7001 case L2CAP_MODE_LE_FLOWCTL:
7002 l2cap_le_flowctl_init(chan);
7003 break;
7004 case L2CAP_MODE_ERTM:
7005 case L2CAP_MODE_STREAMING:
7006 if (!disable_ertm)
7007 break;
7008 /* fall through */
7009 default:
beb19e4c 7010 err = -EOPNOTSUPP;
162b49e7
JH		 7011 goto done;
7012 }
7013
7014 switch (chan->state) {
7015 case BT_CONNECT:
7016 case BT_CONNECT2:
7017 case BT_CONFIG:
7018 /* Already connecting */
7019 err = 0;
7020 goto done;
7021
7022 case BT_CONNECTED:
7023 /* Already connected */
7024 err = -EISCONN;
7025 goto done;
7026
7027 case BT_OPEN:
7028 case BT_BOUND:
7029 /* Can connect */
7030 break;
7031
7032 default:
7033 err = -EBADFD;
7034 goto done;
7035 }
7036
7037 /* Set destination address and psm */
7038 bacpy(&chan->dst, dst);
7039 chan->dst_type = dst_type;
7040
7041 chan->psm = psm;
7042 chan->dcid = cid;
7043
6f77d8c7 7044 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7045 u8 role;
cdd6275e 7046
6f77d8c7
AG		 7047 /* Convert from L2CAP channel address type to HCI address type
7048 */
7049 if (dst_type == BDADDR_LE_PUBLIC)
7050 dst_type = ADDR_LE_DEV_PUBLIC;
7051 else
7052 dst_type = ADDR_LE_DEV_RANDOM;
7053
e804d25d
JH		 7054 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7055 role = HCI_ROLE_SLAVE;
7056 else
7057 role = HCI_ROLE_MASTER;
cdd6275e 7058
04a6c589 7059 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7060 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7061 } else {
d93375a8 7062 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7063 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7064 }
162b49e7
JH		 7065
7066 if (IS_ERR(hcon)) {
7067 err = PTR_ERR(hcon);
7068 goto done;
7069 }
7070
7071 conn = l2cap_conn_add(hcon);
7072 if (!conn) {
7073 hci_conn_drop(hcon);
7074 err = -ENOMEM;
7075 goto done;
7076 }
7077
02e246ae
JH		 7078 mutex_lock(&conn->chan_lock);
7079 l2cap_chan_lock(chan);
7080
162b49e7
JH		 7081 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7082 hci_conn_drop(hcon);
7083 err = -EBUSY;
02e246ae 7084 goto chan_unlock;
162b49e7
JH		 7085 }
7086
7087 /* Update source addr of the socket */
7088 bacpy(&chan->src, &hcon->src);
7089 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7090
02e246ae 7091 __l2cap_chan_add(conn, chan);
162b49e7
JH		 7092
7093 /* l2cap_chan_add takes its own ref so we can drop this one */
7094 hci_conn_drop(hcon);
7095
7096 l2cap_state_change(chan, BT_CONNECT);
7097 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7098
61202e4d
JH		 7099 /* Release chan->sport so that it can be reused by other
7100 * sockets (as it's only used for listening sockets).
7101 */
7102 write_lock(&chan_list_lock);
7103 chan->sport = 0;
7104 write_unlock(&chan_list_lock);
7105
162b49e7
JH		 7106 if (hcon->state == BT_CONNECTED) {
7107 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7108 __clear_chan_timer(chan);
e7cafc45 7109 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7110 l2cap_state_change(chan, BT_CONNECTED);
7111 } else
7112 l2cap_do_start(chan);
7113 }
7114
7115 err = 0;
7116
02e246ae 7117chan_unlock:
162b49e7 7118 l2cap_chan_unlock(chan);
02e246ae
JH		 7119 mutex_unlock(&conn->chan_lock);
7120done:
162b49e7
JH		 7121 hci_dev_unlock(hdev);
7122 hci_dev_put(hdev);
7123 return err;
7124}
6b8d4a6a 7125EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7126
1da177e4
LT		 7127/* ---- L2CAP interface with lower layer (HCI) ---- */
7128
686ebf28 7129int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7130{
7131 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7132 struct l2cap_chan *c;
1da177e4 7133
6ed93dc6 7134 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7135
7136 /* Find listening sockets and check their link_mode */
23691d75
GP		 7137 read_lock(&chan_list_lock);
7138 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7139 if (c->state != BT_LISTEN)
1da177e4
LT		 7140 continue;
7141
7eafc59e 7142 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7143 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7144 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7145 lm1 |= HCI_LM_MASTER;
1da177e4 7146 exact++;
7eafc59e 7147 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7148 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7149 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7150 lm2 |= HCI_LM_MASTER;
7151 }
1da177e4 7152 }
23691d75 7153 read_unlock(&chan_list_lock);
1da177e4
LT		 7154
7155 return exact ? lm1 : lm2;
7156}
7157
e760ec12
JH		 7158/* Find the next fixed channel in BT_LISTEN state, continue iteration
7159 * from an existing channel in the list or from the beginning of the
7160 * global list (by passing NULL as first parameter).
7161 */
7162static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7163 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7164{
7165 read_lock(&chan_list_lock);
7166
7167 if (c)
7168 c = list_next_entry(c, global_l);
7169 else
7170 c = list_entry(chan_list.next, typeof(*c), global_l);
7171
7172 list_for_each_entry_from(c, &chan_list, global_l) {
7173 if (c->chan_type != L2CAP_CHAN_FIXED)
7174 continue;
7175 if (c->state != BT_LISTEN)
7176 continue;
7177 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7178 continue;
54a1b626
JH		 7179 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7180 continue;
7181 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7182 continue;
e760ec12
JH		 7183
7184 l2cap_chan_hold(c);
7185 read_unlock(&chan_list_lock);
7186 return c;
7187 }
7188
7189 read_unlock(&chan_list_lock);
7190
7191 return NULL;
7192}
7193
9e664631 7194void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7195{
e760ec12 7196 struct hci_dev *hdev = hcon->hdev;
0139418c 7197 struct l2cap_conn *conn;
e760ec12
JH		 7198 struct l2cap_chan *pchan;
7199 u8 dst_type;
0139418c 7200
6ed93dc6 7201 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7202
dc0f5088 7203 if (status) {
e175072f 7204 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7205 return;
ba6fc317 7206 }
dc0f5088
JH		 7207
7208 conn = l2cap_conn_add(hcon);
7209 if (!conn)
7210 return;
7211
e760ec12
JH		 7212 dst_type = bdaddr_type(hcon, hcon->dst_type);
7213
7214 /* If device is blocked, do not create channels for it */
7215 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7216 return;
7217
7218 /* Find fixed channels and notify them of the new connection. We
7219 * use multiple individual lookups, continuing each time where
7220 * we left off, because the list lock would prevent calling the
7221 * potentially sleeping l2cap_chan_lock() function.
7222 */
54a1b626 7223 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7224 while (pchan) {
7225 struct l2cap_chan *chan, *next;
7226
7227 /* Client fixed channels should override server ones */
7228 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7229 goto next;
7230
7231 l2cap_chan_lock(pchan);
7232 chan = pchan->ops->new_connection(pchan);
7233 if (chan) {
7234 bacpy(&chan->src, &hcon->src);
7235 bacpy(&chan->dst, &hcon->dst);
7236 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7237 chan->dst_type = dst_type;
7238
7239 __l2cap_chan_add(conn, chan);
7240 }
7241
7242 l2cap_chan_unlock(pchan);
7243next:
54a1b626
JH		 7244 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7245 hcon->type);
e760ec12
JH		 7246 l2cap_chan_put(pchan);
7247 pchan = next;
7248 }
7249
dc0f5088 7250 l2cap_conn_ready(conn);
1da177e4
LT		 7251}
7252
686ebf28 7253int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7254{
7255 struct l2cap_conn *conn = hcon->l2cap_data;
7256
7257 BT_DBG("hcon %p", hcon);
7258
686ebf28 7259 if (!conn)
9f5a0d7b 7260 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7261 return conn->disc_reason;
7262}
7263
9e664631 7264void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7265{
7266 BT_DBG("hcon %p reason %d", hcon, reason);
7267
e175072f 7268 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7269}
7270
4343478f 7271static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7272{
715ec005 7273 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7274 return;
7275
f62e4323 7276 if (encrypt == 0x00) {
4343478f 7277 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7278 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7279 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7280 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7281 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7282 } else {
4343478f 7283 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7284 __clear_chan_timer(chan);
f62e4323
MH		 7285 }
7286}
7287
686ebf28 7288int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7289{
0139418c 7290 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7291 struct l2cap_chan *chan;
1da177e4 7292
0139418c 7293 if (!conn)
1da177e4 7294 return 0;
0139418c 7295
89d8b407 7296 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7297
3df91ea2 7298 mutex_lock(&conn->chan_lock);
1da177e4 7299
3df91ea2 7300 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7301 l2cap_chan_lock(chan);
1da177e4 7302
89d8b407
AE		 7303 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7304 state_to_string(chan->state));
f1cb9af5 7305
2338a7e0 7306 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7307 l2cap_chan_unlock(chan);
7308 continue;
7309 }
7310
191eb398
JH		 7311 if (!status && encrypt)
7312 chan->sec_level = hcon->sec_level;
f1cb9af5 7313
96eff46e 7314 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7315 l2cap_chan_unlock(chan);
6a8d3010
MH		 7316 continue;
7317 }
7318
89bc500e 7319 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7320 chan->state == BT_CONFIG)) {
d97c899b 7321 chan->ops->resume(chan);
4343478f 7322 l2cap_check_encryption(chan, encrypt);
6be36555 7323 l2cap_chan_unlock(chan);
9719f8af
MH		 7324 continue;
7325 }
7326
89bc500e 7327 if (chan->state == BT_CONNECT) {
6d3c15da 7328 if (!status)
93c3e8f5 7329 l2cap_start_connection(chan);
6d3c15da 7330 else
ba13ccd9 7331 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7332 } else if (chan->state == BT_CONNECT2) {
b1235d79 7333 struct l2cap_conn_rsp rsp;
df3c3931 7334 __u16 res, stat;
1da177e4 7335
b1235d79 7336 if (!status) {
bdc25783 7337 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7338 res = L2CAP_CR_PEND;
7339 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7340 chan->ops->defer(chan);
df3c3931 7341 } else {
acdcabf5 7342 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7343 res = L2CAP_CR_SUCCESS;
7344 stat = L2CAP_CS_NO_INFO;
7345 }
b1235d79 7346 } else {
acdcabf5 7347 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7348 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7349 res = L2CAP_CR_SEC_BLOCK;
7350 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7351 }
7352
fe4128e0
GP		 7353 rsp.scid = cpu_to_le16(chan->dcid);
7354 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7355 rsp.result = cpu_to_le16(res);
7356 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7357 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7358 sizeof(rsp), &rsp);
2d369359
MM		 7359
7360 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7361 res == L2CAP_CR_SUCCESS) {
7362 char buf[128];
7363 set_bit(CONF_REQ_SENT, &chan->conf_state);
7364 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7365 L2CAP_CONF_REQ,
7366 l2cap_build_conf_req(chan, buf),
7367 buf);
7368 chan->num_conf_req++;
7369 }
b1235d79 7370 }
1da177e4 7371
6be36555 7372 l2cap_chan_unlock(chan);
1da177e4
LT		 7373 }
7374
3df91ea2 7375 mutex_unlock(&conn->chan_lock);
b1235d79 7376
1da177e4
LT		 7377 return 0;
7378}
7379
686ebf28 7380int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7381{
7382 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7383 struct l2cap_hdr *hdr;
7384 int len;
1da177e4 7385
1d13a254
AE		 7386 /* For AMP controller do not create l2cap conn */
7387 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7388 goto drop;
1da177e4 7389
5a08ecce 7390 if (!conn)
baf43251 7391 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7392
7393 if (!conn)
1da177e4
LT		 7394 goto drop;
7395
7396 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7397
d73a0988
AE		 7398 switch (flags) {
7399 case ACL_START:
7400 case ACL_START_NO_FLUSH:
7401 case ACL_COMPLETE:
1da177e4
LT		 7402 if (conn->rx_len) {
7403 BT_ERR("Unexpected start frame (len %d)", skb->len);
7404 kfree_skb(conn->rx_skb);
7405 conn->rx_skb = NULL;
7406 conn->rx_len = 0;
7407 l2cap_conn_unreliable(conn, ECOMM);
7408 }
7409
aae7fe22
AE		 7410 /* Start fragment always begin with Basic L2CAP header */
7411 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7412 BT_ERR("Frame is too short (len %d)", skb->len);
7413 l2cap_conn_unreliable(conn, ECOMM);
7414 goto drop;
7415 }
7416
7417 hdr = (struct l2cap_hdr *) skb->data;
7418 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7419
7420 if (len == skb->len) {
7421 /* Complete frame received */
7422 l2cap_recv_frame(conn, skb);
7423 return 0;
7424 }
7425
7426 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7427
7428 if (skb->len > len) {
7429 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7430 skb->len, len);
1da177e4
LT		 7431 l2cap_conn_unreliable(conn, ECOMM);
7432 goto drop;
7433 }
7434
7435 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7436 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7437 if (!conn->rx_skb)
1da177e4
LT		 7438 goto drop;
7439
d626f62b 7440 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7441 skb->len);
1da177e4 7442 conn->rx_len = len - skb->len;
d73a0988
AE		 7443 break;
7444
7445 case ACL_CONT:
1da177e4
LT		 7446 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7447
7448 if (!conn->rx_len) {
7449 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7450 l2cap_conn_unreliable(conn, ECOMM);
7451 goto drop;
7452 }
7453
7454 if (skb->len > conn->rx_len) {
7455 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7456 skb->len, conn->rx_len);
1da177e4
LT		 7457 kfree_skb(conn->rx_skb);
7458 conn->rx_skb = NULL;
7459 conn->rx_len = 0;
7460 l2cap_conn_unreliable(conn, ECOMM);
7461 goto drop;
7462 }
7463
d626f62b 7464 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7465 skb->len);
1da177e4
LT		 7466 conn->rx_len -= skb->len;
7467
7468 if (!conn->rx_len) {
c4e5bafa
JH		 7469 /* Complete frame received. l2cap_recv_frame
7470 * takes ownership of the skb so set the global
7471 * rx_skb pointer to NULL first.
7472 */
7473 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7474 conn->rx_skb = NULL;
c4e5bafa 7475 l2cap_recv_frame(conn, rx_skb);
1da177e4 7476 }
d73a0988 7477 break;
1da177e4
LT		 7478 }
7479
7480drop:
7481 kfree_skb(skb);
7482 return 0;
7483}
7484
aef7d97c 7485static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7486{
23691d75 7487 struct l2cap_chan *c;
1da177e4 7488
333055f2 7489 read_lock(&chan_list_lock);
1da177e4 7490
23691d75 7491 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7492 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7493 &c->src, &c->dst,
fcb73338
AE		 7494 c->state, __le16_to_cpu(c->psm),
7495 c->scid, c->dcid, c->imtu, c->omtu,
7496 c->sec_level, c->mode);
61e1b4b7 7497 }
1da177e4 7498
333055f2 7499 read_unlock(&chan_list_lock);
1da177e4 7500
aef7d97c 7501 return 0;
1da177e4
LT		 7502}
7503
aef7d97c
MH		 7504static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7505{
7506 return single_open(file, l2cap_debugfs_show, inode->i_private);
7507}
7508
7509static const struct file_operations l2cap_debugfs_fops = {
7510 .open = l2cap_debugfs_open,
7511 .read = seq_read,
7512 .llseek = seq_lseek,
7513 .release = single_release,
7514};
7515
7516static struct dentry *l2cap_debugfs;
1da177e4 7517
64274518 7518int __init l2cap_init(void)
1da177e4
LT		 7519{
7520 int err;
be9d1227 7521
bb58f747 7522 err = l2cap_init_sockets();
1da177e4
LT		 7523 if (err < 0)
7524 return err;
7525
1120e4bf
MH		 7526 if (IS_ERR_OR_NULL(bt_debugfs))
7527 return 0;
7528
7529 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7530 NULL, &l2cap_debugfs_fops);
1da177e4 7531
40b9397a 7532 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7533 &le_max_credits);
40b9397a 7534 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7535 &le_default_mps);
7536
1da177e4 7537 return 0;
1da177e4
LT		 7538}
7539
64274518 7540void l2cap_exit(void)
1da177e4 7541{
aef7d97c 7542 debugfs_remove(l2cap_debugfs);
bb58f747 7543 l2cap_cleanup_sockets();
1da177e4
LT		 7544}
7545
d1c4a17d
GP		 7546module_param(disable_ertm, bool, 0644);
7547MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.724111 seconds and 5 git commands to generate.