projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add skeleton for BR/EDR SMP channel
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
1da177e4 49
b5ad8b7f
JB		 50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
1da177e4 52
f15b8ecf
JH		 53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
1da177e4 56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 57 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 59 void *data);
710f9b0a 60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 62
d660366d 63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 64 struct sk_buff_head *skbs, u8 event);
608bcc6d 65
4f1654e0
MH		 66static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
67{
68 if (hcon->type == LE_LINK) {
69 if (type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
0139418c 78/* ---- L2CAP channels ---- */
71ba0e56 79
2d792818
GP		 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
81 u16 cid)
0139418c 82{
3df91ea2 83 struct l2cap_chan *c;
3d57dc68 84
3df91ea2
AE		 85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
0139418c 88 }
3df91ea2 89 return NULL;
0139418c
MH		 90}
91
2d792818
GP		 92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
93 u16 cid)
0139418c 94{
3df91ea2 95 struct l2cap_chan *c;
3d57dc68 96
3df91ea2
AE		 97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->scid == cid)
99 return c;
0139418c 100 }
3df91ea2 101 return NULL;
0139418c
MH		 102}
103
104/* Find channel with given SCID.
ef191ade 105 * Returns locked channel. */
2d792818
GP		 106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 u16 cid)
0139418c 108{
48454079 109 struct l2cap_chan *c;
baa7e1fa 110
3df91ea2 111 mutex_lock(&conn->chan_lock);
baa7e1fa 112 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 113 if (c)
114 l2cap_chan_lock(c);
3df91ea2
AE		 115 mutex_unlock(&conn->chan_lock);
116
48454079 117 return c;
0139418c
MH		 118}
119
b1a130b7
MM		 120/* Find channel with given DCID.
121 * Returns locked channel.
122 */
123static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
124 u16 cid)
125{
126 struct l2cap_chan *c;
127
128 mutex_lock(&conn->chan_lock);
129 c = __l2cap_get_chan_by_dcid(conn, cid);
130 if (c)
131 l2cap_chan_lock(c);
132 mutex_unlock(&conn->chan_lock);
133
134 return c;
135}
136
2d792818
GP		 137static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
138 u8 ident)
0139418c 139{
3df91ea2 140 struct l2cap_chan *c;
3d57dc68 141
3df91ea2
AE		 142 list_for_each_entry(c, &conn->chan_l, list) {
143 if (c->ident == ident)
144 return c;
0139418c 145 }
3df91ea2 146 return NULL;
0139418c
MH		 147}
148
5b155ef9
MM		 149static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151{
152 struct l2cap_chan *c;
153
154 mutex_lock(&conn->chan_lock);
155 c = __l2cap_get_chan_by_ident(conn, ident);
156 if (c)
157 l2cap_chan_lock(c);
158 mutex_unlock(&conn->chan_lock);
159
160 return c;
161}
162
23691d75 163static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 164{
23691d75 165 struct l2cap_chan *c;
9e4425ff 166
23691d75 167 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 168 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 169 return c;
9e4425ff 170 }
250938cb 171 return NULL;
9e4425ff
GP		 172}
173
174int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
175{
73b2ec18
GP		 176 int err;
177
333055f2 178 write_lock(&chan_list_lock);
9e4425ff 179
23691d75 180 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 181 err = -EADDRINUSE;
182 goto done;
9e4425ff
GP		 183 }
184
73b2ec18
GP		 185 if (psm) {
186 chan->psm = psm;
187 chan->sport = psm;
188 err = 0;
189 } else {
190 u16 p;
191
192 err = -EINVAL;
193 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 194 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 195 chan->psm = cpu_to_le16(p);
196 chan->sport = cpu_to_le16(p);
197 err = 0;
198 break;
199 }
200 }
9e4425ff 201
73b2ec18 202done:
333055f2 203 write_unlock(&chan_list_lock);
73b2ec18 204 return err;
9e4425ff 205}
6b8d4a6a 206EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 207
208int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
209{
333055f2 210 write_lock(&chan_list_lock);
9e4425ff 211
14824308
JH		 212 /* Override the defaults (which are for conn-oriented) */
213 chan->omtu = L2CAP_DEFAULT_MTU;
214 chan->chan_type = L2CAP_CHAN_FIXED;
215
9e4425ff
GP		 216 chan->scid = scid;
217
333055f2 218 write_unlock(&chan_list_lock);
9e4425ff
GP		 219
220 return 0;
221}
222
baa7e1fa 223static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 224{
e77af755 225 u16 cid, dyn_end;
0139418c 226
e77af755
JH		 227 if (conn->hcon->type == LE_LINK)
228 dyn_end = L2CAP_CID_LE_DYN_END;
229 else
230 dyn_end = L2CAP_CID_DYN_END;
231
232 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 233 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 234 return cid;
235 }
236
237 return 0;
238}
239
f93fa273 240static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 241{
42d2d87c 242 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 243 state_to_string(state));
badaaa00 244
89bc500e 245 chan->state = state;
53f52121 246 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 247}
248
f8e73017
GP		 249static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
250 int state, int err)
2e0052e4 251{
f8e73017 252 chan->state = state;
53f52121 253 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 254}
255
256static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
257{
f8e73017 258 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 259}
260
4239d16f
MM		 261static void __set_retrans_timer(struct l2cap_chan *chan)
262{
263 if (!delayed_work_pending(&chan->monitor_timer) &&
264 chan->retrans_timeout) {
265 l2cap_set_timer(chan, &chan->retrans_timer,
266 msecs_to_jiffies(chan->retrans_timeout));
267 }
268}
269
270static void __set_monitor_timer(struct l2cap_chan *chan)
271{
272 __clear_retrans_timer(chan);
273 if (chan->monitor_timeout) {
274 l2cap_set_timer(chan, &chan->monitor_timer,
275 msecs_to_jiffies(chan->monitor_timeout));
276 }
277}
278
608bcc6d
MM		 279static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
280 u16 seq)
281{
282 struct sk_buff *skb;
283
284 skb_queue_walk(head, skb) {
285 if (bt_cb(skb)->control.txseq == seq)
286 return skb;
287 }
288
289 return NULL;
290}
291
3c588192
MM		 292/* ---- L2CAP sequence number lists ---- */
293
294/* For ERTM, ordered lists of sequence numbers must be tracked for
295 * SREJ requests that are received and for frames that are to be
296 * retransmitted. These seq_list functions implement a singly-linked
297 * list in an array, where membership in the list can also be checked
298 * in constant time. Items can also be added to the tail of the list
299 * and removed from the head in constant time, without further memory
300 * allocs or frees.
301 */
302
303static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
304{
305 size_t alloc_size, i;
306
307 /* Allocated size is a power of 2 to map sequence numbers
308 * (which may be up to 14 bits) in to a smaller array that is
309 * sized for the negotiated ERTM transmit windows.
310 */
311 alloc_size = roundup_pow_of_two(size);
312
313 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
314 if (!seq_list->list)
315 return -ENOMEM;
316
317 seq_list->mask = alloc_size - 1;
318 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
319 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
320 for (i = 0; i < alloc_size; i++)
321 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
322
323 return 0;
324}
325
326static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
327{
328 kfree(seq_list->list);
329}
330
331static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
332 u16 seq)
333{
334 /* Constant-time check for list membership */
335 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
336}
337
03a0c5d6 338static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 339{
03a0c5d6 340 u16 seq = seq_list->head;
3c588192
MM		 341 u16 mask = seq_list->mask;
342
03a0c5d6
JH		 343 seq_list->head = seq_list->list[seq & mask];
344 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
345
346 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
347 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
348 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 349 }
3c588192 350
03a0c5d6 351 return seq;
3c588192
MM		 352}
353
354static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
355{
f522ae36 356 u16 i;
3c588192 357
f522ae36
GP		 358 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
359 return;
360
361 for (i = 0; i <= seq_list->mask; i++)
362 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
363
364 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
365 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 366}
367
368static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
369{
370 u16 mask = seq_list->mask;
371
372 /* All appends happen in constant time */
373
f522ae36
GP		 374 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
375 return;
3c588192 376
f522ae36
GP		 377 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
378 seq_list->head = seq;
379 else
380 seq_list->list[seq_list->tail & mask] = seq;
381
382 seq_list->tail = seq;
383 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 384}
385
721c4181 386static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 387{
721c4181 388 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 389 chan_timer.work);
3df91ea2 390 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 391 int reason;
392
e05dcc32 393 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 394
3df91ea2 395 mutex_lock(&conn->chan_lock);
6be36555 396 l2cap_chan_lock(chan);
ab07801d 397
89bc500e 398 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 399 reason = ECONNREFUSED;
89bc500e 400 else if (chan->state == BT_CONNECT &&
2d792818 401 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 402 reason = ECONNREFUSED;
403 else
404 reason = ETIMEDOUT;
405
0f852724 406 l2cap_chan_close(chan, reason);
ab07801d 407
6be36555 408 l2cap_chan_unlock(chan);
ab07801d 409
80b98027 410 chan->ops->close(chan);
3df91ea2
AE		 411 mutex_unlock(&conn->chan_lock);
412
371fd835 413 l2cap_chan_put(chan);
ab07801d
GP		 414}
415
eef1d9b6 416struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 417{
418 struct l2cap_chan *chan;
419
420 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
421 if (!chan)
422 return NULL;
423
c03b355e
AE		 424 mutex_init(&chan->lock);
425
ff714119
JH		 426 /* Set default lock nesting level */
427 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
428
333055f2 429 write_lock(&chan_list_lock);
23691d75 430 list_add(&chan->global_l, &chan_list);
333055f2 431 write_unlock(&chan_list_lock);
23691d75 432
721c4181 433 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 434
89bc500e
GP		 435 chan->state = BT_OPEN;
436
144ad330 437 kref_init(&chan->kref);
71ba0e56 438
2827011f
MM		 439 /* This flag is cleared in l2cap_chan_ready() */
440 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
441
eef1d9b6 442 BT_DBG("chan %p", chan);
abc545b8 443
48454079
GP		 444 return chan;
445}
6b8d4a6a 446EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 447
144ad330 448static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 449{
144ad330
SS		 450 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
451
4af66c69
JK		 452 BT_DBG("chan %p", chan);
453
333055f2 454 write_lock(&chan_list_lock);
23691d75 455 list_del(&chan->global_l);
333055f2 456 write_unlock(&chan_list_lock);
23691d75 457
4af66c69 458 kfree(chan);
6ff5abbf
GP		 459}
460
30648372
JK		 461void l2cap_chan_hold(struct l2cap_chan *c)
462{
144ad330 463 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 464
144ad330 465 kref_get(&c->kref);
30648372
JK		 466}
467
468void l2cap_chan_put(struct l2cap_chan *c)
469{
144ad330 470 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 471
144ad330 472 kref_put(&c->kref, l2cap_chan_destroy);
30648372 473}
6b8d4a6a 474EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 475
bd4b1653
AE		 476void l2cap_chan_set_defaults(struct l2cap_chan *chan)
477{
478 chan->fcs = L2CAP_FCS_CRC16;
479 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
480 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
481 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 482 chan->remote_max_tx = chan->max_tx;
483 chan->remote_tx_win = chan->tx_win;
c20f8e35 484 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 485 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 486 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
487 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
488 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
489 chan->conf_state = 0;
bd4b1653
AE		 490
491 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
492}
6b8d4a6a 493EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 494
0ce43ce6 495static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 496{
0ce43ce6
JH		 497 chan->sdu = NULL;
498 chan->sdu_last_frag = NULL;
499 chan->sdu_len = 0;
0cd75f7e 500 chan->tx_credits = 0;
f15b8ecf 501 chan->rx_credits = le_max_credits;
d1d79413 502 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 503
504 skb_queue_head_init(&chan->tx_q);
38319713
JH		 505}
506
93c3e8f5 507void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 508{
af05b30b 509 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 510 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 511
9f5a0d7b 512 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 513
8c1d787b 514 chan->conn = conn;
0139418c 515
5491120e
AE		 516 switch (chan->chan_type) {
517 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 518 /* Alloc CID for connection-oriented socket */
519 chan->scid = l2cap_alloc_cid(conn);
520 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 521 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 522 break;
523
524 case L2CAP_CHAN_CONN_LESS:
0139418c 525 /* Connectionless socket */
fe4128e0
GP		 526 chan->scid = L2CAP_CID_CONN_LESS;
527 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 528 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 529 break;
530
2338a7e0
JH		 531 case L2CAP_CHAN_FIXED:
532 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 533 break;
534
5491120e 535 default:
0139418c 536 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 537 chan->scid = L2CAP_CID_SIGNALING;
538 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 539 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 540 }
541
8f7975b1
AE		 542 chan->local_id = L2CAP_BESTEFFORT_ID;
543 chan->local_stype = L2CAP_SERV_BESTEFFORT;
544 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
545 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
546 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 547 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 548
371fd835 549 l2cap_chan_hold(chan);
baa7e1fa 550
c16900cf
JH		 551 /* Only keep a reference for fixed channels if they requested it */
552 if (chan->chan_type != L2CAP_CHAN_FIXED ||
553 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
554 hci_conn_hold(conn->hcon);
5ee9891d 555
3df91ea2 556 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 557}
558
466f8004 559void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 560{
561 mutex_lock(&conn->chan_lock);
562 __l2cap_chan_add(conn, chan);
3df91ea2 563 mutex_unlock(&conn->chan_lock);
0139418c
MH		 564}
565
466f8004 566void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 567{
8c1d787b 568 struct l2cap_conn *conn = chan->conn;
0139418c 569
c9b66675 570 __clear_chan_timer(chan);
0139418c 571
49d11741
JH		 572 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
573 state_to_string(chan->state));
0139418c 574
72847ce0
JH		 575 chan->ops->teardown(chan, err);
576
8e87d142 577 if (conn) {
56f60984 578 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 579 /* Delete from channel list */
3df91ea2 580 list_del(&chan->list);
3d57dc68 581
371fd835 582 l2cap_chan_put(chan);
baa7e1fa 583
8c1d787b 584 chan->conn = NULL;
3cabbfda 585
c16900cf
JH		 586 /* Reference was only held for non-fixed channels or
587 * fixed channels that explicitly requested it using the
588 * FLAG_HOLD_HCI_CONN flag.
589 */
590 if (chan->chan_type != L2CAP_CHAN_FIXED ||
591 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
76a68ba0 592 hci_conn_drop(conn->hcon);
56f60984
AE		 593
594 if (mgr && mgr->bredr_chan == chan)
595 mgr->bredr_chan = NULL;
0139418c
MH		 596 }
597
419e08c1
AE		 598 if (chan->hs_hchan) {
599 struct hci_chan *hs_hchan = chan->hs_hchan;
600
601 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
602 amp_disconnect_logical_link(hs_hchan);
603 }
604
2827011f 605 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 606 return;
2ead70b8 607
ee556f66
GP		 608 switch(chan->mode) {
609 case L2CAP_MODE_BASIC:
610 break;
c13ffa62 611
38319713 612 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 613 skb_queue_purge(&chan->tx_q);
38319713
JH		 614 break;
615
ee556f66 616 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 617 __clear_retrans_timer(chan);
618 __clear_monitor_timer(chan);
619 __clear_ack_timer(chan);
c13ffa62 620
f1c6775b 621 skb_queue_purge(&chan->srej_q);
c13ffa62 622
3c588192
MM		 623 l2cap_seq_list_free(&chan->srej_list);
624 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 625
626 /* fall through */
627
628 case L2CAP_MODE_STREAMING:
629 skb_queue_purge(&chan->tx_q);
630 break;
c13ffa62 631 }
ee556f66
GP		 632
633 return;
0139418c 634}
6b8d4a6a 635EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 636
f3d82d0c 637static void l2cap_conn_update_id_addr(struct work_struct *work)
387a33e3 638{
f3d82d0c
JH		 639 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
640 id_addr_update_work);
641 struct hci_conn *hcon = conn->hcon;
387a33e3
JH		 642 struct l2cap_chan *chan;
643
644 mutex_lock(&conn->chan_lock);
645
646 list_for_each_entry(chan, &conn->chan_l, list) {
647 l2cap_chan_lock(chan);
648 bacpy(&chan->dst, &hcon->dst);
649 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
650 l2cap_chan_unlock(chan);
651 }
652
653 mutex_unlock(&conn->chan_lock);
654}
655
27e2d4c8
JH		 656static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
657{
658 struct l2cap_conn *conn = chan->conn;
659 struct l2cap_le_conn_rsp rsp;
660 u16 result;
661
662 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
663 result = L2CAP_CR_AUTHORIZATION;
664 else
665 result = L2CAP_CR_BAD_PSM;
666
667 l2cap_state_change(chan, BT_DISCONN);
668
669 rsp.dcid = cpu_to_le16(chan->scid);
670 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 671 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 672 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 673 rsp.result = cpu_to_le16(result);
674
675 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
676 &rsp);
677}
678
791d60f7
JH		 679static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
680{
681 struct l2cap_conn *conn = chan->conn;
682 struct l2cap_conn_rsp rsp;
683 u16 result;
684
685 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
686 result = L2CAP_CR_SEC_BLOCK;
687 else
688 result = L2CAP_CR_BAD_PSM;
689
690 l2cap_state_change(chan, BT_DISCONN);
691
692 rsp.scid = cpu_to_le16(chan->dcid);
693 rsp.dcid = cpu_to_le16(chan->scid);
694 rsp.result = cpu_to_le16(result);
dcf4adbf 695 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 696
697 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
698}
699
0f852724 700void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 701{
702 struct l2cap_conn *conn = chan->conn;
4519de9a 703
7eafc59e 704 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 705
89bc500e 706 switch (chan->state) {
4519de9a 707 case BT_LISTEN:
b699ec0d 708 chan->ops->teardown(chan, 0);
4519de9a
GP		 709 break;
710
711 case BT_CONNECTED:
712 case BT_CONFIG:
7b25c9b3 713 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 714 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 715 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 716 } else
717 l2cap_chan_del(chan, reason);
718 break;
719
720 case BT_CONNECT2:
791d60f7
JH		 721 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
722 if (conn->hcon->type == ACL_LINK)
723 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 724 else if (conn->hcon->type == LE_LINK)
725 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 726 }
727
728 l2cap_chan_del(chan, reason);
729 break;
730
731 case BT_CONNECT:
732 case BT_DISCONN:
733 l2cap_chan_del(chan, reason);
734 break;
735
736 default:
b699ec0d 737 chan->ops->teardown(chan, 0);
4519de9a
GP		 738 break;
739 }
740}
6b8d4a6a 741EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 742
4343478f 743static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 744{
6a974b50
MH		 745 switch (chan->chan_type) {
746 case L2CAP_CHAN_RAW:
4343478f 747 switch (chan->sec_level) {
8556edd3 748 case BT_SECURITY_HIGH:
7d513e92 749 case BT_SECURITY_FIPS:
8556edd3
JH		 750 return HCI_AT_DEDICATED_BONDING_MITM;
751 case BT_SECURITY_MEDIUM:
752 return HCI_AT_DEDICATED_BONDING;
753 default:
754 return HCI_AT_NO_BONDING;
755 }
6a974b50 756 break;
3124b843 757 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 758 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 759 if (chan->sec_level == BT_SECURITY_LOW)
760 chan->sec_level = BT_SECURITY_SDP;
761 }
7d513e92
MH		 762 if (chan->sec_level == BT_SECURITY_HIGH ||
763 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 764 return HCI_AT_NO_BONDING_MITM;
765 else
766 return HCI_AT_NO_BONDING;
767 break;
6a974b50 768 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 769 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 770 if (chan->sec_level == BT_SECURITY_LOW)
771 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 772
7d513e92
MH		 773 if (chan->sec_level == BT_SECURITY_HIGH ||
774 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 775 return HCI_AT_NO_BONDING_MITM;
776 else
777 return HCI_AT_NO_BONDING;
778 }
779 /* fall through */
780 default:
4343478f 781 switch (chan->sec_level) {
00ae4af9 782 case BT_SECURITY_HIGH:
7d513e92 783 case BT_SECURITY_FIPS:
8556edd3 784 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 785 case BT_SECURITY_MEDIUM:
8556edd3 786 return HCI_AT_GENERAL_BONDING;
00ae4af9 787 default:
8556edd3 788 return HCI_AT_NO_BONDING;
00ae4af9 789 }
6a974b50 790 break;
0684e5f9 791 }
8556edd3
JH		 792}
793
794/* Service level security */
e7cafc45 795int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 796{
8c1d787b 797 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 798 __u8 auth_type;
799
a17de2fe
JH		 800 if (conn->hcon->type == LE_LINK)
801 return smp_conn_security(conn->hcon, chan->sec_level);
802
4343478f 803 auth_type = l2cap_get_auth_type(chan);
79d554a6 804
e7cafc45
JH		 805 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
806 initiator);
79d554a6
MH		 807}
808
b5ad8b7f 809static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 810{
811 u8 id;
812
813 /* Get next available identificator.
814 * 1 - 128 are used by kernel.
815 * 129 - 199 are reserved.
816 * 200 - 254 are used by utilities like l2ping, etc.
817 */
818
5a54e7c8 819 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 820
821 if (++conn->tx_ident > 128)
822 conn->tx_ident = 1;
823
824 id = conn->tx_ident;
825
5a54e7c8 826 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 827
828 return id;
829}
830
2d792818
GP		 831static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
832 void *data)
4e8402a3
MH		 833{
834 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 835 u8 flags;
4e8402a3
MH		 836
837 BT_DBG("code 0x%2.2x", code);
838
839 if (!skb)
9a9c6a34 840 return;
4e8402a3 841
f6af675e
SW		 842 /* Use NO_FLUSH if supported or we have an LE link (which does
843 * not support auto-flushing packets) */
844 if (lmp_no_flush_capable(conn->hcon->hdev) ||
845 conn->hcon->type == LE_LINK)
e702112f
AE		 846 flags = ACL_START_NO_FLUSH;
847 else
848 flags = ACL_START;
849
14b12d0b 850 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 851 skb->priority = HCI_PRIO_MAX;
14b12d0b 852
73d80deb
LAD		 853 hci_send_acl(conn->hchan, skb, flags);
854}
855
02b0fbb9
MM		 856static bool __chan_is_moving(struct l2cap_chan *chan)
857{
858 return chan->move_state != L2CAP_MOVE_STABLE &&
859 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
860}
861
73d80deb
LAD		 862static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
863{
864 struct hci_conn *hcon = chan->conn->hcon;
865 u16 flags;
866
867 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 868 skb->priority);
73d80deb 869
d5f8a75d
MM		 870 if (chan->hs_hcon && !__chan_is_moving(chan)) {
871 if (chan->hs_hchan)
872 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
873 else
874 kfree_skb(skb);
875
876 return;
877 }
878
f6af675e
SW		 879 /* Use NO_FLUSH for LE links (where this is the only option) or
880 * if the BR/EDR link supports it and flushing has not been
881 * explicitly requested (through FLAG_FLUSHABLE).
882 */
883 if (hcon->type == LE_LINK ||
884 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
885 lmp_no_flush_capable(hcon->hdev)))
73d80deb
LAD		 886 flags = ACL_START_NO_FLUSH;
887 else
888 flags = ACL_START;
14b12d0b 889
73d80deb
LAD		 890 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
891 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 892}
893
b76bbd66
MM		 894static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
895{
896 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
897 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
898
899 if (enh & L2CAP_CTRL_FRAME_TYPE) {
900 /* S-Frame */
901 control->sframe = 1;
902 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
903 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
904
905 control->sar = 0;
906 control->txseq = 0;
907 } else {
908 /* I-Frame */
909 control->sframe = 0;
910 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
911 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
912
913 control->poll = 0;
914 control->super = 0;
915 }
916}
917
b76bbd66
MM		 918static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
919{
920 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
921 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
922
923 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
924 /* S-Frame */
925 control->sframe = 1;
926 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
927 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
928
929 control->sar = 0;
930 control->txseq = 0;
931 } else {
932 /* I-Frame */
933 control->sframe = 0;
934 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
935 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
936
937 control->poll = 0;
938 control->super = 0;
939 }
940}
941
942static inline void __unpack_control(struct l2cap_chan *chan,
943 struct sk_buff *skb)
944{
945 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
946 __unpack_extended_control(get_unaligned_le32(skb->data),
947 &bt_cb(skb)->control);
cec8ab6e 948 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 949 } else {
950 __unpack_enhanced_control(get_unaligned_le16(skb->data),
951 &bt_cb(skb)->control);
cec8ab6e 952 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 953 }
954}
955
b5c6aaed
MM		 956static u32 __pack_extended_control(struct l2cap_ctrl *control)
957{
958 u32 packed;
959
960 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
961 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
962
963 if (control->sframe) {
964 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
965 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
966 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
967 } else {
968 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
969 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
970 }
971
972 return packed;
973}
974
975static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
976{
977 u16 packed;
978
979 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
980 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
981
982 if (control->sframe) {
983 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
984 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
985 packed |= L2CAP_CTRL_FRAME_TYPE;
986 } else {
987 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
988 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
989 }
990
991 return packed;
992}
993
b76bbd66
MM		 994static inline void __pack_control(struct l2cap_chan *chan,
995 struct l2cap_ctrl *control,
996 struct sk_buff *skb)
997{
998 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
999 put_unaligned_le32(__pack_extended_control(control),
1000 skb->data + L2CAP_HDR_SIZE);
1001 } else {
1002 put_unaligned_le16(__pack_enhanced_control(control),
1003 skb->data + L2CAP_HDR_SIZE);
1004 }
1005}
1006
ba7aa64f
GP		 1007static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1008{
1009 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1010 return L2CAP_EXT_HDR_SIZE;
1011 else
1012 return L2CAP_ENH_HDR_SIZE;
1013}
1014
a67d7f6f
MM		 1015static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1016 u32 control)
b5c6aaed
MM		 1017{
1018 struct sk_buff *skb;
1019 struct l2cap_hdr *lh;
ba7aa64f 1020 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1021
1022 if (chan->fcs == L2CAP_FCS_CRC16)
1023 hlen += L2CAP_FCS_SIZE;
1024
a67d7f6f 1025 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1026
b5c6aaed 1027 if (!skb)
a67d7f6f 1028 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1029
1030 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1031 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1032 lh->cid = cpu_to_le16(chan->dcid);
1033
a67d7f6f
MM		 1034 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1035 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1036 else
1037 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1038
1039 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1040 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1041 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1042 }
1043
1044 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1045 return skb;
1046}
1047
1048static void l2cap_send_sframe(struct l2cap_chan *chan,
1049 struct l2cap_ctrl *control)
1050{
1051 struct sk_buff *skb;
1052 u32 control_field;
1053
1054 BT_DBG("chan %p, control %p", chan, control);
1055
1056 if (!control->sframe)
1057 return;
1058
b99e13ad
MM		 1059 if (__chan_is_moving(chan))
1060 return;
1061
a67d7f6f
MM		 1062 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1063 !control->poll)
1064 control->final = 1;
1065
1066 if (control->super == L2CAP_SUPER_RR)
1067 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1068 else if (control->super == L2CAP_SUPER_RNR)
1069 set_bit(CONN_RNR_SENT, &chan->conn_state);
1070
1071 if (control->super != L2CAP_SUPER_SREJ) {
1072 chan->last_acked_seq = control->reqseq;
1073 __clear_ack_timer(chan);
1074 }
1075
1076 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1077 control->final, control->poll, control->super);
1078
1079 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1080 control_field = __pack_extended_control(control);
1081 else
1082 control_field = __pack_enhanced_control(control);
1083
1084 skb = l2cap_create_sframe_pdu(chan, control_field);
1085 if (!IS_ERR(skb))
1086 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1087}
1088
c9e3d5e0 1089static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1090{
c9e3d5e0
MM		 1091 struct l2cap_ctrl control;
1092
1093 BT_DBG("chan %p, poll %d", chan, poll);
1094
1095 memset(&control, 0, sizeof(control));
1096 control.sframe = 1;
1097 control.poll = poll;
1098
1099 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1100 control.super = L2CAP_SUPER_RNR;
1101 else
1102 control.super = L2CAP_SUPER_RR;
b5c6aaed 1103
c9e3d5e0
MM		 1104 control.reqseq = chan->buffer_seq;
1105 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1106}
1107
b4450035 1108static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1109{
5ff6f34d
JH		 1110 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1111 return true;
1112
c1360a1c 1113 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1114}
1115
1df7b17a 1116static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1117{
1df7b17a 1118 struct l2cap_conn *conn = chan->conn;
80d58d0b 1119 struct hci_dev *hdev;
1df7b17a
MH		 1120 bool amp_available = false;
1121
0bd49fc7 1122 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1df7b17a
MH		 1123 return false;
1124
0bd49fc7 1125 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1df7b17a 1126 return false;
80d58d0b
MH		 1127
1128 read_lock(&hci_dev_list_lock);
1df7b17a 1129 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1130 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1131 test_bit(HCI_UP, &hdev->flags)) {
1132 amp_available = true;
1133 break;
1134 }
1135 }
80d58d0b
MH		 1136 read_unlock(&hci_dev_list_lock);
1137
1df7b17a
MH		 1138 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1139 return amp_available;
848566b3
MH		 1140
1141 return false;
93c3e8f5
AE		 1142}
1143
5ce66b59
AE		 1144static bool l2cap_check_efs(struct l2cap_chan *chan)
1145{
1146 /* Check EFS parameters */
1147 return true;
1148}
1149
2766be48 1150void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1151{
1152 struct l2cap_conn *conn = chan->conn;
1153 struct l2cap_conn_req req;
1154
1155 req.scid = cpu_to_le16(chan->scid);
1156 req.psm = chan->psm;
1157
1158 chan->ident = l2cap_get_ident(conn);
1159
1160 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1161
1162 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1163}
1164
8eb200bd
MM		 1165static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1166{
1167 struct l2cap_create_chan_req req;
1168 req.scid = cpu_to_le16(chan->scid);
1169 req.psm = chan->psm;
1170 req.amp_id = amp_id;
1171
1172 chan->ident = l2cap_get_ident(chan->conn);
1173
1174 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1175 sizeof(req), &req);
1176}
1177
02b0fbb9
MM		 1178static void l2cap_move_setup(struct l2cap_chan *chan)
1179{
1180 struct sk_buff *skb;
1181
1182 BT_DBG("chan %p", chan);
1183
1184 if (chan->mode != L2CAP_MODE_ERTM)
1185 return;
1186
1187 __clear_retrans_timer(chan);
1188 __clear_monitor_timer(chan);
1189 __clear_ack_timer(chan);
1190
1191 chan->retry_count = 0;
1192 skb_queue_walk(&chan->tx_q, skb) {
1193 if (bt_cb(skb)->control.retries)
1194 bt_cb(skb)->control.retries = 1;
1195 else
1196 break;
1197 }
1198
1199 chan->expected_tx_seq = chan->buffer_seq;
1200
1201 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1202 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1203 l2cap_seq_list_clear(&chan->retrans_list);
1204 l2cap_seq_list_clear(&chan->srej_list);
1205 skb_queue_purge(&chan->srej_q);
1206
1207 chan->tx_state = L2CAP_TX_STATE_XMIT;
1208 chan->rx_state = L2CAP_RX_STATE_MOVE;
1209
1210 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1211}
1212
5f3847a4
MM		 1213static void l2cap_move_done(struct l2cap_chan *chan)
1214{
1215 u8 move_role = chan->move_role;
1216 BT_DBG("chan %p", chan);
1217
1218 chan->move_state = L2CAP_MOVE_STABLE;
1219 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1220
1221 if (chan->mode != L2CAP_MODE_ERTM)
1222 return;
1223
1224 switch (move_role) {
1225 case L2CAP_MOVE_ROLE_INITIATOR:
1226 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1227 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1228 break;
1229 case L2CAP_MOVE_ROLE_RESPONDER:
1230 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1231 break;
1232 }
1233}
1234
9f0caeb1
VCG		 1235static void l2cap_chan_ready(struct l2cap_chan *chan)
1236{
2827011f 1237 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1238 chan->conf_state = 0;
1239 __clear_chan_timer(chan);
1240
0ce43ce6
JH		 1241 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1242 chan->ops->suspend(chan);
177f8f2b 1243
54a59aa2 1244 chan->state = BT_CONNECTED;
9f0caeb1 1245
fd83e2c2 1246 chan->ops->ready(chan);
9f0caeb1
VCG		 1247}
1248
f1496dee
JH		 1249static void l2cap_le_connect(struct l2cap_chan *chan)
1250{
1251 struct l2cap_conn *conn = chan->conn;
1252 struct l2cap_le_conn_req req;
1253
595177f3
JH		 1254 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1255 return;
1256
f1496dee
JH		 1257 req.psm = chan->psm;
1258 req.scid = cpu_to_le16(chan->scid);
1259 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1260 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1261 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1262
1263 chan->ident = l2cap_get_ident(conn);
1264
1265 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1266 sizeof(req), &req);
1267}
1268
1269static void l2cap_le_start(struct l2cap_chan *chan)
1270{
1271 struct l2cap_conn *conn = chan->conn;
1272
1273 if (!smp_conn_security(conn->hcon, chan->sec_level))
1274 return;
1275
1276 if (!chan->psm) {
1277 l2cap_chan_ready(chan);
1278 return;
1279 }
1280
1281 if (chan->state == BT_CONNECT)
1282 l2cap_le_connect(chan);
1283}
1284
93c3e8f5
AE		 1285static void l2cap_start_connection(struct l2cap_chan *chan)
1286{
1287 if (__amp_capable(chan)) {
1288 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1289 a2mp_discover_amp(chan);
f1496dee
JH		 1290 } else if (chan->conn->hcon->type == LE_LINK) {
1291 l2cap_le_start(chan);
93c3e8f5
AE		 1292 } else {
1293 l2cap_send_conn_req(chan);
1294 }
1295}
1296
aeaeb4bb
JH		 1297static void l2cap_request_info(struct l2cap_conn *conn)
1298{
1299 struct l2cap_info_req req;
1300
1301 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1302 return;
1303
1304 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1305
1306 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1307 conn->info_ident = l2cap_get_ident(conn);
1308
1309 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1310
1311 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1312 sizeof(req), &req);
1313}
1314
fc7f8a7e 1315static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1316{
8c1d787b 1317 struct l2cap_conn *conn = chan->conn;
79d554a6 1318
9f0caeb1 1319 if (conn->hcon->type == LE_LINK) {
96ac34fb 1320 l2cap_le_start(chan);
9f0caeb1
VCG		 1321 return;
1322 }
1323
aeaeb4bb
JH		 1324 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1325 l2cap_request_info(conn);
1326 return;
1327 }
79d554a6 1328
aeaeb4bb
JH		 1329 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1330 return;
79d554a6 1331
aeaeb4bb
JH		 1332 if (l2cap_chan_check_security(chan, true) &&
1333 __l2cap_no_conn_pending(chan))
1334 l2cap_start_connection(chan);
79d554a6
MH		 1335}
1336
cf6c2c0b
GP		 1337static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1338{
1339 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1340 if (!disable_ertm)
cf6c2c0b
GP		 1341 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1342
1343 switch (mode) {
1344 case L2CAP_MODE_ERTM:
1345 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1346 case L2CAP_MODE_STREAMING:
1347 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1348 default:
1349 return 0x00;
1350 }
1351}
1352
5e4e3972 1353static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1354{
5e4e3972 1355 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1356 struct l2cap_disconn_req req;
1357
c13ffa62
GP		 1358 if (!conn)
1359 return;
1360
aad3d0e3 1361 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1362 __clear_retrans_timer(chan);
1363 __clear_monitor_timer(chan);
1364 __clear_ack_timer(chan);
c13ffa62
GP		 1365 }
1366
2338a7e0 1367 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1368 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1369 return;
1370 }
1371
fe4128e0
GP		 1372 req.dcid = cpu_to_le16(chan->dcid);
1373 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1374 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1375 sizeof(req), &req);
c13ffa62 1376
f8e73017 1377 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1378}
1379
1da177e4 1380/* ---- L2CAP connections ---- */
4e8402a3
MH		 1381static void l2cap_conn_start(struct l2cap_conn *conn)
1382{
3df91ea2 1383 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1384
1385 BT_DBG("conn %p", conn);
1386
3df91ea2 1387 mutex_lock(&conn->chan_lock);
4e8402a3 1388
3df91ea2 1389 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1390 l2cap_chan_lock(chan);
4e8402a3 1391
715ec005 1392 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb 1393 l2cap_chan_ready(chan);
6be36555 1394 l2cap_chan_unlock(chan);
79d554a6
MH		 1395 continue;
1396 }
1397
89bc500e 1398 if (chan->state == BT_CONNECT) {
e7cafc45 1399 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1400 !__l2cap_no_conn_pending(chan)) {
6be36555 1401 l2cap_chan_unlock(chan);
47731de7
GP		 1402 continue;
1403 }
79d554a6 1404
c1360a1c 1405 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1406 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1407 &chan->conf_state)) {
89bc500e 1408 l2cap_chan_close(chan, ECONNRESET);
6be36555 1409 l2cap_chan_unlock(chan);
47731de7 1410 continue;
b1235d79 1411 }
47731de7 1412
93c3e8f5 1413 l2cap_start_connection(chan);
47731de7 1414
89bc500e 1415 } else if (chan->state == BT_CONNECT2) {
79d554a6 1416 struct l2cap_conn_rsp rsp;
e9aeb2dd 1417 char buf[128];
fe4128e0
GP		 1418 rsp.scid = cpu_to_le16(chan->dcid);
1419 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1420
e7cafc45 1421 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1422 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1423 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1424 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1425 chan->ops->defer(chan);
f66dc81f
MH		 1426
1427 } else {
acdcabf5 1428 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1429 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1430 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1431 }
79d554a6 1432 } else {
dcf4adbf
JP		 1433 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1434 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1435 }
1436
fc7f8a7e 1437 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1438 sizeof(rsp), &rsp);
e9aeb2dd 1439
c1360a1c 1440 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1441 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1442 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1443 continue;
1444 }
1445
c1360a1c 1446 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1447 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1448 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1449 chan->num_conf_req++;
4e8402a3
MH		 1450 }
1451
6be36555 1452 l2cap_chan_unlock(chan);
4e8402a3
MH		 1453 }
1454
3df91ea2 1455 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1456}
1457
b62f328b
VT		 1458static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1459{
cc8dba2b 1460 struct hci_conn *hcon = conn->hcon;
dcc36c16 1461 struct hci_dev *hdev = hcon->hdev;
b62f328b 1462
e760ec12 1463 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1464
e760ec12
JH		 1465 /* For outgoing pairing which doesn't necessarily have an
1466 * associated socket (e.g. mgmt_pair_device).
1467 */
1468 if (hcon->out)
1469 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1470
80afeb6c
MH		 1471 /* For LE slave connections, make sure the connection interval
1472 * is in the range of the minium and maximum interval that has
1473 * been configured for this connection. If not, then trigger
1474 * the connection update procedure.
1475 */
40bef302 1476 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1477 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1478 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1479 struct l2cap_conn_param_update_req req;
1480
1481 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1482 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1483 req.latency = cpu_to_le16(hcon->le_conn_latency);
1484 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1485
1486 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1487 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1488 }
b62f328b
VT		 1489}
1490
4e8402a3
MH		 1491static void l2cap_conn_ready(struct l2cap_conn *conn)
1492{
48454079 1493 struct l2cap_chan *chan;
cc110922 1494 struct hci_conn *hcon = conn->hcon;
4e8402a3 1495
79d554a6 1496 BT_DBG("conn %p", conn);
4e8402a3 1497
aeaeb4bb
JH		 1498 if (hcon->type == ACL_LINK)
1499 l2cap_request_info(conn);
1500
e760ec12
JH		 1501 mutex_lock(&conn->chan_lock);
1502
3df91ea2 1503 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1504
6be36555 1505 l2cap_chan_lock(chan);
4e8402a3 1506
2338a7e0 1507 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1508 l2cap_chan_unlock(chan);
1509 continue;
1510 }
1511
cc110922 1512 if (hcon->type == LE_LINK) {
f1496dee 1513 l2cap_le_start(chan);
63128451 1514 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb
JH		 1515 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1516 l2cap_chan_ready(chan);
1c244f79 1517 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1518 l2cap_do_start(chan);
1c244f79 1519 }
4e8402a3 1520
6be36555 1521 l2cap_chan_unlock(chan);
4e8402a3 1522 }
79d554a6 1523
3df91ea2 1524 mutex_unlock(&conn->chan_lock);
61a939c6 1525
79a05727
JH		 1526 if (hcon->type == LE_LINK)
1527 l2cap_le_conn_ready(conn);
1528
61a939c6 1529 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1530}
1531
1532/* Notify sockets that we cannot guaranty reliability anymore */
1533static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1534{
48454079 1535 struct l2cap_chan *chan;
4e8402a3
MH		 1536
1537 BT_DBG("conn %p", conn);
1538
3df91ea2 1539 mutex_lock(&conn->chan_lock);
4e8402a3 1540
3df91ea2 1541 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1542 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1543 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1544 }
1545
3df91ea2 1546 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1547}
1548
f878fcad 1549static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1550{
f878fcad 1551 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1552 info_timer.work);
4e8402a3 1553
984947dc 1554 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1555 conn->info_ident = 0;
984947dc 1556
4e8402a3
MH		 1557 l2cap_conn_start(conn);
1558}
1559
2c8e1411
DH		 1560/*
1561 * l2cap_user
1562 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1563 * callback is called during registration. The ->remove callback is called
1564 * during unregistration.
1565 * An l2cap_user object can either be explicitly unregistered or when the
1566 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1567 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1568 * External modules must own a reference to the l2cap_conn object if they intend
1569 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1570 * any time if they don't.
1571 */
1572
1573int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1574{
1575 struct hci_dev *hdev = conn->hcon->hdev;
1576 int ret;
1577
1578 /* We need to check whether l2cap_conn is registered. If it is not, we
1579 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1580 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1581 * relies on the parent hci_conn object to be locked. This itself relies
1582 * on the hci_dev object to be locked. So we must lock the hci device
1583 * here, too. */
1584
1585 hci_dev_lock(hdev);
1586
1587 if (user->list.next || user->list.prev) {
1588 ret = -EINVAL;
1589 goto out_unlock;
1590 }
1591
1592 /* conn->hchan is NULL after l2cap_conn_del() was called */
1593 if (!conn->hchan) {
1594 ret = -ENODEV;
1595 goto out_unlock;
1596 }
1597
1598 ret = user->probe(conn, user);
1599 if (ret)
1600 goto out_unlock;
1601
1602 list_add(&user->list, &conn->users);
1603 ret = 0;
1604
1605out_unlock:
1606 hci_dev_unlock(hdev);
1607 return ret;
1608}
1609EXPORT_SYMBOL(l2cap_register_user);
1610
1611void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1612{
1613 struct hci_dev *hdev = conn->hcon->hdev;
1614
1615 hci_dev_lock(hdev);
1616
1617 if (!user->list.next || !user->list.prev)
1618 goto out_unlock;
1619
1620 list_del(&user->list);
1621 user->list.next = NULL;
1622 user->list.prev = NULL;
1623 user->remove(conn, user);
1624
1625out_unlock:
1626 hci_dev_unlock(hdev);
1627}
1628EXPORT_SYMBOL(l2cap_unregister_user);
1629
1630static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1631{
1632 struct l2cap_user *user;
1633
1634 while (!list_empty(&conn->users)) {
1635 user = list_first_entry(&conn->users, struct l2cap_user, list);
1636 list_del(&user->list);
1637 user->list.next = NULL;
1638 user->list.prev = NULL;
1639 user->remove(conn, user);
1640 }
1641}
1642
5d3de7df
VCG		 1643static void l2cap_conn_del(struct hci_conn *hcon, int err)
1644{
1645 struct l2cap_conn *conn = hcon->l2cap_data;
1646 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1647
1648 if (!conn)
1649 return;
1650
1651 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1652
1653 kfree_skb(conn->rx_skb);
1654
61a939c6 1655 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1656
1657 /* We can not call flush_work(&conn->pending_rx_work) here since we
1658 * might block if we are running on a worker from the same workqueue
1659 * pending_rx_work is waiting on.
1660 */
1661 if (work_pending(&conn->pending_rx_work))
1662 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1663
f3d82d0c
JH		 1664 if (work_pending(&conn->id_addr_update_work))
1665 cancel_work_sync(&conn->id_addr_update_work);
1666
2c8e1411
DH		 1667 l2cap_unregister_all_users(conn);
1668
e31fb860
JH		 1669 /* Force the connection to be immediately dropped */
1670 hcon->disc_timeout = 0;
1671
3df91ea2
AE		 1672 mutex_lock(&conn->chan_lock);
1673
5d3de7df
VCG		 1674 /* Kill channels */
1675 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1676 l2cap_chan_hold(chan);
6be36555
AE		 1677 l2cap_chan_lock(chan);
1678
5d3de7df 1679 l2cap_chan_del(chan, err);
6be36555
AE		 1680
1681 l2cap_chan_unlock(chan);
1682
80b98027 1683 chan->ops->close(chan);
61d6ef3e 1684 l2cap_chan_put(chan);
5d3de7df
VCG		 1685 }
1686
3df91ea2
AE		 1687 mutex_unlock(&conn->chan_lock);
1688
73d80deb
LAD		 1689 hci_chan_del(conn->hchan);
1690
5d3de7df 1691 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1692 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1693
5d3de7df 1694 hcon->l2cap_data = NULL;
9c903e37
DH		 1695 conn->hchan = NULL;
1696 l2cap_conn_put(conn);
5d3de7df
VCG		 1697}
1698
9c903e37
DH		 1699static void l2cap_conn_free(struct kref *ref)
1700{
1701 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1702
1703 hci_conn_put(conn->hcon);
1704 kfree(conn);
1705}
1706
51bb8457 1707struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
9c903e37
DH		 1708{
1709 kref_get(&conn->ref);
51bb8457 1710 return conn;
9c903e37
DH		 1711}
1712EXPORT_SYMBOL(l2cap_conn_get);
1713
1714void l2cap_conn_put(struct l2cap_conn *conn)
1715{
1716 kref_put(&conn->ref, l2cap_conn_free);
1717}
1718EXPORT_SYMBOL(l2cap_conn_put);
1719
1da177e4 1720/* ---- Socket interface ---- */
1da177e4 1721
c2287681 1722/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1723 * Returns closest match.
1724 */
c2287681
IY		 1725static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1726 bdaddr_t *src,
bf20fd4e
JH		 1727 bdaddr_t *dst,
1728 u8 link_type)
1da177e4 1729{
23691d75 1730 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1731
23691d75 1732 read_lock(&chan_list_lock);
e0f0cb56 1733
23691d75 1734 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1735 if (state && c->state != state)
1da177e4
LT		 1736 continue;
1737
bf20fd4e
JH		 1738 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1739 continue;
1740
1741 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1742 continue;
1743
23691d75 1744 if (c->psm == psm) {
c2287681
IY		 1745 int src_match, dst_match;
1746 int src_any, dst_any;
1747
1da177e4 1748 /* Exact match. */
7eafc59e
MH		 1749 src_match = !bacmp(&c->src, src);
1750 dst_match = !bacmp(&c->dst, dst);
c2287681 1751 if (src_match && dst_match) {
a24cce14 1752 l2cap_chan_hold(c);
a7567b20 1753 read_unlock(&chan_list_lock);
23691d75
GP		 1754 return c;
1755 }
1da177e4
LT		 1756
1757 /* Closest match */
7eafc59e
MH		 1758 src_any = !bacmp(&c->src, BDADDR_ANY);
1759 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1760 if ((src_match && dst_any) || (src_any && dst_match) ||
1761 (src_any && dst_any))
23691d75 1762 c1 = c;
1da177e4
LT		 1763 }
1764 }
1da177e4 1765
a24cce14
JH		 1766 if (c1)
1767 l2cap_chan_hold(c1);
1768
23691d75 1769 read_unlock(&chan_list_lock);
e0f0cb56 1770
23691d75 1771 return c1;
1da177e4
LT		 1772}
1773
721c4181 1774static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1775{
721c4181 1776 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1777 monitor_timer.work);
e90bac06 1778
525cd185 1779 BT_DBG("chan %p", chan);
0e98958d 1780
6be36555
AE		 1781 l2cap_chan_lock(chan);
1782
80909e04 1783 if (!chan->conn) {
6be36555 1784 l2cap_chan_unlock(chan);
8d7e1c7f 1785 l2cap_chan_put(chan);
e90bac06
GP		 1786 return;
1787 }
1788
401bb1f7 1789 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1790
6be36555 1791 l2cap_chan_unlock(chan);
8d7e1c7f 1792 l2cap_chan_put(chan);
e90bac06
GP		 1793}
1794
721c4181 1795static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1796{
721c4181 1797 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1798 retrans_timer.work);
e90bac06 1799
49208c9c 1800 BT_DBG("chan %p", chan);
0e98958d 1801
6be36555
AE		 1802 l2cap_chan_lock(chan);
1803
80909e04
MM		 1804 if (!chan->conn) {
1805 l2cap_chan_unlock(chan);
1806 l2cap_chan_put(chan);
1807 return;
1808 }
6be36555 1809
401bb1f7 1810 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1811 l2cap_chan_unlock(chan);
8d7e1c7f 1812 l2cap_chan_put(chan);
e90bac06
GP		 1813}
1814
d660366d
GP		 1815static void l2cap_streaming_send(struct l2cap_chan *chan,
1816 struct sk_buff_head *skbs)
6840ed07 1817{
ccbb84af 1818 struct sk_buff *skb;
3733937d 1819 struct l2cap_ctrl *control;
6840ed07 1820
3733937d
MM		 1821 BT_DBG("chan %p, skbs %p", chan, skbs);
1822
b99e13ad
MM		 1823 if (__chan_is_moving(chan))
1824 return;
1825
3733937d
MM		 1826 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1827
1828 while (!skb_queue_empty(&chan->tx_q)) {
1829
1830 skb = skb_dequeue(&chan->tx_q);
1831
1832 bt_cb(skb)->control.retries = 1;
1833 control = &bt_cb(skb)->control;
1834
1835 control->reqseq = 0;
1836 control->txseq = chan->next_tx_seq;
1837
1838 __pack_control(chan, control, skb);
6840ed07 1839
47d1ec61 1840 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1841 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1842 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1843 }
1844
4343478f 1845 l2cap_do_send(chan, skb);
6840ed07 1846
b4400672 1847 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1848
836be934 1849 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1850 chan->frames_sent++;
6840ed07 1851 }
6840ed07
GP		 1852}
1853
67c9e840 1854static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1855{
1856 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1857 struct l2cap_ctrl *control;
1858 int sent = 0;
1859
1860 BT_DBG("chan %p", chan);
1c2acffb 1861
89bc500e 1862 if (chan->state != BT_CONNECTED)
c13ffa62 1863 return -ENOTCONN;
e90bac06 1864
94122bbe
MM		 1865 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1866 return 0;
1867
b99e13ad
MM		 1868 if (__chan_is_moving(chan))
1869 return 0;
1870
18a48e76
MM		 1871 while (chan->tx_send_head &&
1872 chan->unacked_frames < chan->remote_tx_win &&
1873 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1874
18a48e76 1875 skb = chan->tx_send_head;
e90bac06 1876
18a48e76
MM		 1877 bt_cb(skb)->control.retries = 1;
1878 control = &bt_cb(skb)->control;
95ffa978 1879
e2ab4353 1880 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1881 control->final = 1;
e2ab4353 1882
18a48e76
MM		 1883 control->reqseq = chan->buffer_seq;
1884 chan->last_acked_seq = chan->buffer_seq;
1885 control->txseq = chan->next_tx_seq;
1c2acffb 1886
18a48e76 1887 __pack_control(chan, control, skb);
e90bac06 1888
47d1ec61 1889 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1890 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1891 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1892 }
1893
18a48e76
MM		 1894 /* Clone after data has been modified. Data is assumed to be
1895 read-only (for locking purposes) on cloned sk_buffs.
1896 */
1897 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1898
18a48e76
MM		 1899 if (!tx_skb)
1900 break;
1c2acffb 1901
18a48e76 1902 __set_retrans_timer(chan);
836be934
AE		 1903
1904 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1905 chan->unacked_frames++;
6a026610 1906 chan->frames_sent++;
18a48e76 1907 sent++;
1c2acffb 1908
58d35f87
GP		 1909 if (skb_queue_is_last(&chan->tx_q, skb))
1910 chan->tx_send_head = NULL;
1c2acffb 1911 else
58d35f87 1912 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1913
1914 l2cap_do_send(chan, tx_skb);
b4400672 1915 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1916 }
1917
b4400672
AE		 1918 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1919 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1920
1921 return sent;
9e917af1
GP		 1922}
1923
e1fbd4c1
MM		 1924static void l2cap_ertm_resend(struct l2cap_chan *chan)
1925{
1926 struct l2cap_ctrl control;
1927 struct sk_buff *skb;
1928 struct sk_buff *tx_skb;
1929 u16 seq;
1930
1931 BT_DBG("chan %p", chan);
1932
1933 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1934 return;
1935
b99e13ad
MM		 1936 if (__chan_is_moving(chan))
1937 return;
1938
e1fbd4c1
MM		 1939 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1940 seq = l2cap_seq_list_pop(&chan->retrans_list);
1941
1942 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1943 if (!skb) {
1944 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1945 seq);
e1fbd4c1
MM		 1946 continue;
1947 }
1948
1949 bt_cb(skb)->control.retries++;
1950 control = bt_cb(skb)->control;
1951
1952 if (chan->max_tx != 0 &&
1953 bt_cb(skb)->control.retries > chan->max_tx) {
1954 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1955 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1956 l2cap_seq_list_clear(&chan->retrans_list);
1957 break;
1958 }
1959
1960 control.reqseq = chan->buffer_seq;
1961 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1962 control.final = 1;
1963 else
1964 control.final = 0;
1965
1966 if (skb_cloned(skb)) {
1967 /* Cloned sk_buffs are read-only, so we need a
1968 * writeable copy
1969 */
8bcde1f2 1970 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1971 } else {
8bcde1f2 1972 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1973 }
1974
1975 if (!tx_skb) {
1976 l2cap_seq_list_clear(&chan->retrans_list);
1977 break;
1978 }
1979
1980 /* Update skb contents */
1981 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1982 put_unaligned_le32(__pack_extended_control(&control),
1983 tx_skb->data + L2CAP_HDR_SIZE);
1984 } else {
1985 put_unaligned_le16(__pack_enhanced_control(&control),
1986 tx_skb->data + L2CAP_HDR_SIZE);
1987 }
1988
13cac152 1989 /* Update FCS */
e1fbd4c1 1990 if (chan->fcs == L2CAP_FCS_CRC16) {
13cac152
LR		 1991 u16 fcs = crc16(0, (u8 *) tx_skb->data,
1992 tx_skb->len - L2CAP_FCS_SIZE);
1993 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
1994 L2CAP_FCS_SIZE);
e1fbd4c1
MM		 1995 }
1996
1997 l2cap_do_send(chan, tx_skb);
1998
1999 BT_DBG("Resent txseq %d", control.txseq);
2000
2001 chan->last_acked_seq = chan->buffer_seq;
2002 }
2003}
2004
f80842a8
MM		 2005static void l2cap_retransmit(struct l2cap_chan *chan,
2006 struct l2cap_ctrl *control)
2007{
2008 BT_DBG("chan %p, control %p", chan, control);
2009
2010 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2011 l2cap_ertm_resend(chan);
2012}
2013
d2a7ac5d
MM		 2014static void l2cap_retransmit_all(struct l2cap_chan *chan,
2015 struct l2cap_ctrl *control)
2016{
e1fbd4c1
MM		 2017 struct sk_buff *skb;
2018
2019 BT_DBG("chan %p, control %p", chan, control);
2020
2021 if (control->poll)
2022 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2023
2024 l2cap_seq_list_clear(&chan->retrans_list);
2025
2026 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2027 return;
2028
2029 if (chan->unacked_frames) {
2030 skb_queue_walk(&chan->tx_q, skb) {
2031 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2032 skb == chan->tx_send_head)
e1fbd4c1
MM		 2033 break;
2034 }
2035
2036 skb_queue_walk_from(&chan->tx_q, skb) {
2037 if (skb == chan->tx_send_head)
2038 break;
2039
2040 l2cap_seq_list_append(&chan->retrans_list,
2041 bt_cb(skb)->control.txseq);
2042 }
2043
2044 l2cap_ertm_resend(chan);
2045 }
d2a7ac5d
MM		 2046}
2047
0a0aba42 2048static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2049{
0a0aba42
MM		 2050 struct l2cap_ctrl control;
2051 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2052 chan->last_acked_seq);
2053 int threshold;
9e917af1 2054
0a0aba42
MM		 2055 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2056 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2057
0a0aba42
MM		 2058 memset(&control, 0, sizeof(control));
2059 control.sframe = 1;
dfc909be 2060
0a0aba42
MM		 2061 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2062 chan->rx_state == L2CAP_RX_STATE_RECV) {
2063 __clear_ack_timer(chan);
2064 control.super = L2CAP_SUPER_RNR;
2065 control.reqseq = chan->buffer_seq;
2066 l2cap_send_sframe(chan, &control);
2067 } else {
2068 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2069 l2cap_ertm_send(chan);
2070 /* If any i-frames were sent, they included an ack */
2071 if (chan->buffer_seq == chan->last_acked_seq)
2072 frames_to_ack = 0;
2073 }
dfc909be 2074
c20f8e35 2075 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2076 * Calculate without mul or div
2077 */
c20f8e35 2078 threshold = chan->ack_win;
0a0aba42
MM		 2079 threshold += threshold << 1;
2080 threshold >>= 2;
2081
b4400672 2082 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2083 threshold);
2084
2085 if (frames_to_ack >= threshold) {
2086 __clear_ack_timer(chan);
2087 control.super = L2CAP_SUPER_RR;
2088 control.reqseq = chan->buffer_seq;
2089 l2cap_send_sframe(chan, &control);
2090 frames_to_ack = 0;
2091 }
1c2acffb 2092
0a0aba42
MM		 2093 if (frames_to_ack)
2094 __set_ack_timer(chan);
2095 }
b17e73bb
SJ		 2096}
2097
04124681
GP		 2098static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2099 struct msghdr *msg, int len,
2100 int count, struct sk_buff *skb)
1c2acffb 2101{
0952a57a 2102 struct l2cap_conn *conn = chan->conn;
1c2acffb 2103 struct sk_buff **frag;
90338947 2104 int sent = 0;
1da177e4 2105
0498878b
JR		 2106 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2107 msg->msg_iov, count))
1c2acffb 2108 return -EFAULT;
1da177e4
LT		 2109
2110 sent += count;
2111 len -= count;
2112
2113 /* Continuation fragments (no L2CAP header) */
2114 frag = &skb_shinfo(skb)->frag_list;
2115 while (len) {
fbe00700
GP		 2116 struct sk_buff *tmp;
2117
1da177e4
LT		 2118 count = min_t(unsigned int, conn->mtu, len);
2119
d9fbd02b 2120 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2121 msg->msg_flags & MSG_DONTWAIT);
2122 if (IS_ERR(tmp))
2123 return PTR_ERR(tmp);
2124
2125 *frag = tmp;
2f7719ce 2126
0498878b
JR		 2127 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2128 msg->msg_iov, count))
1c2acffb 2129 return -EFAULT;
1da177e4
LT		 2130
2131 sent += count;
2132 len -= count;
2133
2d0ed3d5
GP		 2134 skb->len += (*frag)->len;
2135 skb->data_len += (*frag)->len;
2136
1da177e4
LT		 2137 frag = &(*frag)->next;
2138 }
1da177e4
LT		 2139
2140 return sent;
1c2acffb 2141}
1da177e4 2142
5e59b791 2143static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2144 struct msghdr *msg, size_t len)
1c2acffb 2145{
8c1d787b 2146 struct l2cap_conn *conn = chan->conn;
1c2acffb 2147 struct sk_buff *skb;
03a51213 2148 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2149 struct l2cap_hdr *lh;
2150
8d46321c
MH		 2151 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2152 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2153
2154 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2155
d9fbd02b 2156 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2157 msg->msg_flags & MSG_DONTWAIT);
2158 if (IS_ERR(skb))
2159 return skb;
1c2acffb
GP		 2160
2161 /* Create L2CAP header */
2162 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2163 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2164 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2165 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2166
0952a57a 2167 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2168 if (unlikely(err < 0)) {
2169 kfree_skb(skb);
2170 return ERR_PTR(err);
2171 }
2172 return skb;
2173}
2174
5e59b791 2175static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2176 struct msghdr *msg, size_t len)
1c2acffb 2177{
8c1d787b 2178 struct l2cap_conn *conn = chan->conn;
1c2acffb 2179 struct sk_buff *skb;
f2ba7fae 2180 int err, count;
1c2acffb
GP		 2181 struct l2cap_hdr *lh;
2182
b4400672 2183 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2184
f2ba7fae 2185 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2186
d9fbd02b 2187 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2188 msg->msg_flags & MSG_DONTWAIT);
2189 if (IS_ERR(skb))
2190 return skb;
1c2acffb
GP		 2191
2192 /* Create L2CAP header */
2193 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2194 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2195 lh->len = cpu_to_le16(len);
1c2acffb 2196
0952a57a 2197 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2198 if (unlikely(err < 0)) {
2199 kfree_skb(skb);
2200 return ERR_PTR(err);
2201 }
2202 return skb;
2203}
2204
ab0ff76d 2205static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2206 struct msghdr *msg, size_t len,
2207 u16 sdulen)
1c2acffb 2208{
8c1d787b 2209 struct l2cap_conn *conn = chan->conn;
1c2acffb 2210 struct sk_buff *skb;
e4ca6d98 2211 int err, count, hlen;
1c2acffb
GP		 2212 struct l2cap_hdr *lh;
2213
b4400672 2214 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2215
0ee0d208
GP		 2216 if (!conn)
2217 return ERR_PTR(-ENOTCONN);
2218
ba7aa64f 2219 hlen = __ertm_hdr_size(chan);
e4ca6d98 2220
c74e560c 2221 if (sdulen)
03a51213 2222 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2223
47d1ec61 2224 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2225 hlen += L2CAP_FCS_SIZE;
fcc203c3 2226
1c2acffb 2227 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2228
d9fbd02b 2229 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2230 msg->msg_flags & MSG_DONTWAIT);
2231 if (IS_ERR(skb))
2232 return skb;
1c2acffb
GP		 2233
2234 /* Create L2CAP header */
2235 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2236 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2237 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2238
18a48e76
MM		 2239 /* Control header is populated later */
2240 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2241 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2242 else
2243 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2244
c74e560c 2245 if (sdulen)
03a51213 2246 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2247
0952a57a 2248 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2249 if (unlikely(err < 0)) {
2250 kfree_skb(skb);
2251 return ERR_PTR(err);
2252 }
e90bac06 2253
18a48e76 2254 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2255 bt_cb(skb)->control.retries = 0;
1c2acffb 2256 return skb;
1da177e4
LT		 2257}
2258
94122bbe
MM		 2259static int l2cap_segment_sdu(struct l2cap_chan *chan,
2260 struct sk_buff_head *seg_queue,
2261 struct msghdr *msg, size_t len)
c74e560c 2262{
c74e560c 2263 struct sk_buff *skb;
94122bbe
MM		 2264 u16 sdu_len;
2265 size_t pdu_len;
94122bbe 2266 u8 sar;
c74e560c 2267
b4400672 2268 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2269
94122bbe
MM		 2270 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2271 * so fragmented skbs are not used. The HCI layer's handling
2272 * of fragmented skbs is not compatible with ERTM's queueing.
2273 */
c74e560c 2274
94122bbe
MM		 2275 /* PDU size is derived from the HCI MTU */
2276 pdu_len = chan->conn->mtu;
c74e560c 2277
a549574d
MM		 2278 /* Constrain PDU size for BR/EDR connections */
2279 if (!chan->hs_hcon)
2280 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2281
2282 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2283 if (chan->fcs)
2284 pdu_len -= L2CAP_FCS_SIZE;
2285
ba7aa64f 2286 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2287
2288 /* Remote device may have requested smaller PDUs */
2289 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2290
2291 if (len <= pdu_len) {
2292 sar = L2CAP_SAR_UNSEGMENTED;
2293 sdu_len = 0;
2294 pdu_len = len;
2295 } else {
2296 sar = L2CAP_SAR_START;
2297 sdu_len = len;
94122bbe
MM		 2298 }
2299
2300 while (len > 0) {
2301 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2302
c74e560c 2303 if (IS_ERR(skb)) {
94122bbe 2304 __skb_queue_purge(seg_queue);
c74e560c
GP		 2305 return PTR_ERR(skb);
2306 }
2307
94122bbe
MM		 2308 bt_cb(skb)->control.sar = sar;
2309 __skb_queue_tail(seg_queue, skb);
2310
2311 len -= pdu_len;
069cb270 2312 if (sdu_len)
94122bbe 2313 sdu_len = 0;
94122bbe
MM		 2314
2315 if (len <= pdu_len) {
2316 sar = L2CAP_SAR_END;
2317 pdu_len = len;
2318 } else {
2319 sar = L2CAP_SAR_CONTINUE;
2320 }
c74e560c 2321 }
c74e560c 2322
f0f62799 2323 return 0;
c74e560c
GP		 2324}
2325
177f8f2b
JH		 2326static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2327 struct msghdr *msg,
2328 size_t len, u16 sdulen)
2329{
2330 struct l2cap_conn *conn = chan->conn;
2331 struct sk_buff *skb;
2332 int err, count, hlen;
2333 struct l2cap_hdr *lh;
2334
2335 BT_DBG("chan %p len %zu", chan, len);
2336
2337 if (!conn)
2338 return ERR_PTR(-ENOTCONN);
2339
2340 hlen = L2CAP_HDR_SIZE;
2341
2342 if (sdulen)
2343 hlen += L2CAP_SDULEN_SIZE;
2344
2345 count = min_t(unsigned int, (conn->mtu - hlen), len);
2346
d9fbd02b 2347 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2348 msg->msg_flags & MSG_DONTWAIT);
2349 if (IS_ERR(skb))
2350 return skb;
2351
2352 /* Create L2CAP header */
2353 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2354 lh->cid = cpu_to_le16(chan->dcid);
2355 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2356
2357 if (sdulen)
2358 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2359
2360 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2361 if (unlikely(err < 0)) {
2362 kfree_skb(skb);
2363 return ERR_PTR(err);
2364 }
2365
2366 return skb;
2367}
2368
2369static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2370 struct sk_buff_head *seg_queue,
2371 struct msghdr *msg, size_t len)
2372{
2373 struct sk_buff *skb;
2374 size_t pdu_len;
2375 u16 sdu_len;
2376
2377 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2378
177f8f2b 2379 sdu_len = len;
72c6fb91 2380 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
177f8f2b
JH		 2381
2382 while (len > 0) {
2383 if (len <= pdu_len)
2384 pdu_len = len;
2385
2386 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2387 if (IS_ERR(skb)) {
2388 __skb_queue_purge(seg_queue);
2389 return PTR_ERR(skb);
2390 }
2391
2392 __skb_queue_tail(seg_queue, skb);
2393
2394 len -= pdu_len;
2395
2396 if (sdu_len) {
2397 sdu_len = 0;
2398 pdu_len += L2CAP_SDULEN_SIZE;
2399 }
2400 }
2401
2402 return 0;
2403}
2404
8d46321c 2405int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2406{
9a91a04a 2407 struct sk_buff *skb;
9a91a04a 2408 int err;
94122bbe 2409 struct sk_buff_head seg_queue;
9a91a04a 2410
31e8ce80
SWK		 2411 if (!chan->conn)
2412 return -ENOTCONN;
2413
9a91a04a 2414 /* Connectionless channel */
715ec005 2415 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2416 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2417 if (IS_ERR(skb))
2418 return PTR_ERR(skb);
2419
ede81a2a
AK		 2420 /* Channel lock is released before requesting new skb and then
2421 * reacquired thus we need to recheck channel state.
2422 */
2423 if (chan->state != BT_CONNECTED) {
2424 kfree_skb(skb);
2425 return -ENOTCONN;
2426 }
2427
9a91a04a
GP		 2428 l2cap_do_send(chan, skb);
2429 return len;
2430 }
2431
2432 switch (chan->mode) {
38319713 2433 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2434 /* Check outgoing MTU */
2435 if (len > chan->omtu)
2436 return -EMSGSIZE;
2437
fad5fc89
JH		 2438 if (!chan->tx_credits)
2439 return -EAGAIN;
2440
177f8f2b
JH		 2441 __skb_queue_head_init(&seg_queue);
2442
2443 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2444
2445 if (chan->state != BT_CONNECTED) {
2446 __skb_queue_purge(&seg_queue);
2447 err = -ENOTCONN;
2448 }
2449
2450 if (err)
2451 return err;
2452
2453 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2454
2455 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2456 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2457 chan->tx_credits--;
2458 }
2459
2460 if (!chan->tx_credits)
2461 chan->ops->suspend(chan);
2462
2463 err = len;
2464
2465 break;
2466
fad5fc89 2467 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2468 /* Check outgoing MTU */
2469 if (len > chan->omtu)
2470 return -EMSGSIZE;
2471
2472 /* Create a basic PDU */
8d46321c 2473 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2474 if (IS_ERR(skb))
2475 return PTR_ERR(skb);
2476
ede81a2a
AK		 2477 /* Channel lock is released before requesting new skb and then
2478 * reacquired thus we need to recheck channel state.
2479 */
2480 if (chan->state != BT_CONNECTED) {
2481 kfree_skb(skb);
2482 return -ENOTCONN;
2483 }
2484
9a91a04a
GP		 2485 l2cap_do_send(chan, skb);
2486 err = len;
2487 break;
2488
2489 case L2CAP_MODE_ERTM:
2490 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2491 /* Check outgoing MTU */
2492 if (len > chan->omtu) {
2493 err = -EMSGSIZE;
2494 break;
2495 }
9a91a04a 2496
94122bbe 2497 __skb_queue_head_init(&seg_queue);
9a91a04a 2498
94122bbe
MM		 2499 /* Do segmentation before calling in to the state machine,
2500 * since it's possible to block while waiting for memory
2501 * allocation.
2502 */
2503 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2504
94122bbe
MM		 2505 /* The channel could have been closed while segmenting,
2506 * check that it is still connected.
2507 */
2508 if (chan->state != BT_CONNECTED) {
2509 __skb_queue_purge(&seg_queue);
2510 err = -ENOTCONN;
9a91a04a
GP		 2511 }
2512
94122bbe 2513 if (err)
9a91a04a 2514 break;
9a91a04a 2515
3733937d 2516 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2517 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2518 else
d660366d 2519 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2520
d660366d 2521 err = len;
9a91a04a 2522
94122bbe
MM		 2523 /* If the skbs were not queued for sending, they'll still be in
2524 * seg_queue and need to be purged.
2525 */
2526 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2527 break;
2528
2529 default:
2530 BT_DBG("bad state %1.1x", chan->mode);
2531 err = -EBADFD;
2532 }
2533
2534 return err;
2535}
6b8d4a6a 2536EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2537
d2a7ac5d
MM		 2538static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2539{
bed68bde
MM		 2540 struct l2cap_ctrl control;
2541 u16 seq;
2542
b4400672 2543 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2544
2545 memset(&control, 0, sizeof(control));
2546 control.sframe = 1;
2547 control.super = L2CAP_SUPER_SREJ;
2548
2549 for (seq = chan->expected_tx_seq; seq != txseq;
2550 seq = __next_seq(chan, seq)) {
2551 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2552 control.reqseq = seq;
2553 l2cap_send_sframe(chan, &control);
2554 l2cap_seq_list_append(&chan->srej_list, seq);
2555 }
2556 }
2557
2558 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2559}
2560
2561static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2562{
bed68bde
MM		 2563 struct l2cap_ctrl control;
2564
2565 BT_DBG("chan %p", chan);
2566
2567 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2568 return;
2569
2570 memset(&control, 0, sizeof(control));
2571 control.sframe = 1;
2572 control.super = L2CAP_SUPER_SREJ;
2573 control.reqseq = chan->srej_list.tail;
2574 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2575}
2576
2577static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2578{
bed68bde
MM		 2579 struct l2cap_ctrl control;
2580 u16 initial_head;
2581 u16 seq;
2582
b4400672 2583 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2584
2585 memset(&control, 0, sizeof(control));
2586 control.sframe = 1;
2587 control.super = L2CAP_SUPER_SREJ;
2588
2589 /* Capture initial list head to allow only one pass through the list. */
2590 initial_head = chan->srej_list.head;
2591
2592 do {
2593 seq = l2cap_seq_list_pop(&chan->srej_list);
2594 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2595 break;
2596
2597 control.reqseq = seq;
2598 l2cap_send_sframe(chan, &control);
2599 l2cap_seq_list_append(&chan->srej_list, seq);
2600 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2601}
2602
608bcc6d
MM		 2603static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2604{
2605 struct sk_buff *acked_skb;
2606 u16 ackseq;
2607
b4400672 2608 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2609
2610 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2611 return;
2612
b4400672 2613 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2614 chan->expected_ack_seq, chan->unacked_frames);
2615
2616 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2617 ackseq = __next_seq(chan, ackseq)) {
2618
2619 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2620 if (acked_skb) {
2621 skb_unlink(acked_skb, &chan->tx_q);
2622 kfree_skb(acked_skb);
2623 chan->unacked_frames--;
2624 }
2625 }
2626
2627 chan->expected_ack_seq = reqseq;
2628
2629 if (chan->unacked_frames == 0)
2630 __clear_retrans_timer(chan);
2631
b4400672 2632 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2633}
2634
2635static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2636{
2637 BT_DBG("chan %p", chan);
2638
2639 chan->expected_tx_seq = chan->buffer_seq;
2640 l2cap_seq_list_clear(&chan->srej_list);
2641 skb_queue_purge(&chan->srej_q);
2642 chan->rx_state = L2CAP_RX_STATE_RECV;
2643}
2644
d660366d
GP		 2645static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2646 struct l2cap_ctrl *control,
2647 struct sk_buff_head *skbs, u8 event)
608bcc6d 2648{
608bcc6d
MM		 2649 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2650 event);
2651
2652 switch (event) {
2653 case L2CAP_EV_DATA_REQUEST:
2654 if (chan->tx_send_head == NULL)
2655 chan->tx_send_head = skb_peek(skbs);
2656
2657 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2658 l2cap_ertm_send(chan);
2659 break;
2660 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2661 BT_DBG("Enter LOCAL_BUSY");
2662 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2663
2664 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2665 /* The SREJ_SENT state must be aborted if we are to
2666 * enter the LOCAL_BUSY state.
2667 */
2668 l2cap_abort_rx_srej_sent(chan);
2669 }
2670
2671 l2cap_send_ack(chan);
2672
2673 break;
2674 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2675 BT_DBG("Exit LOCAL_BUSY");
2676 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2677
2678 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2679 struct l2cap_ctrl local_control;
2680
2681 memset(&local_control, 0, sizeof(local_control));
2682 local_control.sframe = 1;
2683 local_control.super = L2CAP_SUPER_RR;
2684 local_control.poll = 1;
2685 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2686 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2687
2688 chan->retry_count = 1;
2689 __set_monitor_timer(chan);
2690 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2691 }
2692 break;
2693 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2694 l2cap_process_reqseq(chan, control->reqseq);
2695 break;
2696 case L2CAP_EV_EXPLICIT_POLL:
2697 l2cap_send_rr_or_rnr(chan, 1);
2698 chan->retry_count = 1;
2699 __set_monitor_timer(chan);
2700 __clear_ack_timer(chan);
2701 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2702 break;
2703 case L2CAP_EV_RETRANS_TO:
2704 l2cap_send_rr_or_rnr(chan, 1);
2705 chan->retry_count = 1;
2706 __set_monitor_timer(chan);
2707 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2708 break;
2709 case L2CAP_EV_RECV_FBIT:
2710 /* Nothing to process */
2711 break;
2712 default:
2713 break;
2714 }
608bcc6d
MM		 2715}
2716
d660366d
GP		 2717static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2718 struct l2cap_ctrl *control,
2719 struct sk_buff_head *skbs, u8 event)
608bcc6d 2720{
608bcc6d
MM		 2721 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2722 event);
2723
2724 switch (event) {
2725 case L2CAP_EV_DATA_REQUEST:
2726 if (chan->tx_send_head == NULL)
2727 chan->tx_send_head = skb_peek(skbs);
2728 /* Queue data, but don't send. */
2729 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2730 break;
2731 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2732 BT_DBG("Enter LOCAL_BUSY");
2733 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2734
2735 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2736 /* The SREJ_SENT state must be aborted if we are to
2737 * enter the LOCAL_BUSY state.
2738 */
2739 l2cap_abort_rx_srej_sent(chan);
2740 }
2741
2742 l2cap_send_ack(chan);
2743
2744 break;
2745 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2746 BT_DBG("Exit LOCAL_BUSY");
2747 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2748
2749 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2750 struct l2cap_ctrl local_control;
2751 memset(&local_control, 0, sizeof(local_control));
2752 local_control.sframe = 1;
2753 local_control.super = L2CAP_SUPER_RR;
2754 local_control.poll = 1;
2755 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2756 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2757
2758 chan->retry_count = 1;
2759 __set_monitor_timer(chan);
2760 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2761 }
2762 break;
2763 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2764 l2cap_process_reqseq(chan, control->reqseq);
2765
2766 /* Fall through */
2767
2768 case L2CAP_EV_RECV_FBIT:
2769 if (control && control->final) {
2770 __clear_monitor_timer(chan);
2771 if (chan->unacked_frames > 0)
2772 __set_retrans_timer(chan);
2773 chan->retry_count = 0;
2774 chan->tx_state = L2CAP_TX_STATE_XMIT;
2775 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2776 }
2777 break;
2778 case L2CAP_EV_EXPLICIT_POLL:
2779 /* Ignore */
2780 break;
2781 case L2CAP_EV_MONITOR_TO:
2782 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2783 l2cap_send_rr_or_rnr(chan, 1);
2784 __set_monitor_timer(chan);
2785 chan->retry_count++;
2786 } else {
5e4e3972 2787 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2788 }
2789 break;
2790 default:
2791 break;
2792 }
608bcc6d
MM		 2793}
2794
d660366d
GP		 2795static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2796 struct sk_buff_head *skbs, u8 event)
608bcc6d 2797{
608bcc6d
MM		 2798 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2799 chan, control, skbs, event, chan->tx_state);
2800
2801 switch (chan->tx_state) {
2802 case L2CAP_TX_STATE_XMIT:
d660366d 2803 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2804 break;
2805 case L2CAP_TX_STATE_WAIT_F:
d660366d 2806 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2807 break;
2808 default:
2809 /* Ignore event */
2810 break;
2811 }
608bcc6d
MM		 2812}
2813
4b51dae9
MM		 2814static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2815 struct l2cap_ctrl *control)
2816{
2817 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2818 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2819}
2820
f80842a8
MM		 2821static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2822 struct l2cap_ctrl *control)
2823{
2824 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2825 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2826}
2827
1da177e4
LT		 2828/* Copy frame to all raw sockets on that connection */
2829static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2830{
1da177e4 2831 struct sk_buff *nskb;
48454079 2832 struct l2cap_chan *chan;
1da177e4
LT		 2833
2834 BT_DBG("conn %p", conn);
2835
3df91ea2 2836 mutex_lock(&conn->chan_lock);
3d57dc68 2837
3df91ea2 2838 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2839 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2840 continue;
2841
7f5396a7
GP		 2842 /* Don't send frame to the channel it came from */
2843 if (bt_cb(skb)->chan == chan)
1da177e4 2844 continue;
7f5396a7 2845
8bcde1f2 2846 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2847 if (!nskb)
1da177e4 2848 continue;
80b98027 2849 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2850 kfree_skb(nskb);
2851 }
3d57dc68 2852
3df91ea2 2853 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2854}
2855
2856/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2857static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2858 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2859{
2860 struct sk_buff *skb, **frag;
2861 struct l2cap_cmd_hdr *cmd;
2862 struct l2cap_hdr *lh;
2863 int len, count;
2864
b4400672
AE		 2865 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2866 conn, code, ident, dlen);
1da177e4 2867
300b962e
AL		 2868 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2869 return NULL;
2870
1da177e4
LT		 2871 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2872 count = min_t(unsigned int, conn->mtu, len);
2873
8bcde1f2 2874 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2875 if (!skb)
2876 return NULL;
2877
2878 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2879 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2880
2881 if (conn->hcon->type == LE_LINK)
dcf4adbf 2882 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2883 else
dcf4adbf 2884 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2885
2886 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2887 cmd->code = code;
2888 cmd->ident = ident;
aca3192c 2889 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2890
2891 if (dlen) {
2892 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2893 memcpy(skb_put(skb, count), data, count);
2894 data += count;
2895 }
2896
2897 len -= skb->len;
2898
2899 /* Continuation fragments (no L2CAP header) */
2900 frag = &skb_shinfo(skb)->frag_list;
2901 while (len) {
2902 count = min_t(unsigned int, conn->mtu, len);
2903
8bcde1f2 2904 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2905 if (!*frag)
2906 goto fail;
2907
2908 memcpy(skb_put(*frag, count), data, count);
2909
2910 len -= count;
2911 data += count;
2912
2913 frag = &(*frag)->next;
2914 }
2915
2916 return skb;
2917
2918fail:
2919 kfree_skb(skb);
2920 return NULL;
2921}
2922
2d792818
GP		 2923static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2924 unsigned long *val)
1da177e4
LT		 2925{
2926 struct l2cap_conf_opt *opt = *ptr;
2927 int len;
2928
2929 len = L2CAP_CONF_OPT_SIZE + opt->len;
2930 *ptr += len;
2931
2932 *type = opt->type;
2933 *olen = opt->len;
2934
2935 switch (opt->len) {
2936 case 1:
2937 *val = *((u8 *) opt->val);
2938 break;
2939
2940 case 2:
bfaaeb3e 2941 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2942 break;
2943
2944 case 4:
bfaaeb3e 2945 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2946 break;
2947
2948 default:
2949 *val = (unsigned long) opt->val;
2950 break;
2951 }
2952
b4400672 2953 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2954 return len;
2955}
2956
1da177e4
LT		 2957static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2958{
2959 struct l2cap_conf_opt *opt = *ptr;
2960
b4400672 2961 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2962
2963 opt->type = type;
2964 opt->len = len;
2965
2966 switch (len) {
2967 case 1:
2968 *((u8 *) opt->val) = val;
2969 break;
2970
2971 case 2:
4f8b691c 2972 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2973 break;
2974
2975 case 4:
4f8b691c 2976 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2977 break;
2978
2979 default:
2980 memcpy(opt->val, (void *) val, len);
2981 break;
2982 }
2983
2984 *ptr += L2CAP_CONF_OPT_SIZE + len;
2985}
2986
f89cef09
AE		 2987static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2988{
2989 struct l2cap_conf_efs efs;
2990
1ec918ce 2991 switch (chan->mode) {
f89cef09
AE		 2992 case L2CAP_MODE_ERTM:
2993 efs.id = chan->local_id;
2994 efs.stype = chan->local_stype;
2995 efs.msdu = cpu_to_le16(chan->local_msdu);
2996 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2997 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2998 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2999 break;
3000
3001 case L2CAP_MODE_STREAMING:
3002 efs.id = 1;
3003 efs.stype = L2CAP_SERV_BESTEFFORT;
3004 efs.msdu = cpu_to_le16(chan->local_msdu);
3005 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3006 efs.acc_lat = 0;
3007 efs.flush_to = 0;
3008 break;
3009
3010 default:
3011 return;
3012 }
3013
3014 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3015 (unsigned long) &efs);
f89cef09
AE		 3016}
3017
721c4181 3018static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3019{
721c4181 3020 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3021 ack_timer.work);
3022 u16 frames_to_ack;
c1b4f43b 3023
2fb9b3d4
GP		 3024 BT_DBG("chan %p", chan);
3025
6be36555
AE		 3026 l2cap_chan_lock(chan);
3027
0362520b
MM		 3028 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3029 chan->last_acked_seq);
6be36555 3030
0362520b
MM		 3031 if (frames_to_ack)
3032 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3033
0362520b 3034 l2cap_chan_unlock(chan);
09bfb2ee 3035 l2cap_chan_put(chan);
c1b4f43b
GP		 3036}
3037
466f8004 3038int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3039{
3c588192
MM		 3040 int err;
3041
105bdf9e
MM		 3042 chan->next_tx_seq = 0;
3043 chan->expected_tx_seq = 0;
42e5c802 3044 chan->expected_ack_seq = 0;
6a026610 3045 chan->unacked_frames = 0;
42e5c802 3046 chan->buffer_seq = 0;
6a026610 3047 chan->frames_sent = 0;
105bdf9e
MM		 3048 chan->last_acked_seq = 0;
3049 chan->sdu = NULL;
3050 chan->sdu_last_frag = NULL;
3051 chan->sdu_len = 0;
3052
d34c34fb
MM		 3053 skb_queue_head_init(&chan->tx_q);
3054
6ed971ca
MH		 3055 chan->local_amp_id = AMP_ID_BREDR;
3056 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3057 chan->move_state = L2CAP_MOVE_STABLE;
3058 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3059
105bdf9e
MM		 3060 if (chan->mode != L2CAP_MODE_ERTM)
3061 return 0;
3062
3063 chan->rx_state = L2CAP_RX_STATE_RECV;
3064 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3065
721c4181
GP		 3066 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3067 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3068 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3069
f1c6775b 3070 skb_queue_head_init(&chan->srej_q);
1890d36b 3071
3c588192
MM		 3072 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3073 if (err < 0)
3074 return err;
3075
9dc9affc
MM		 3076 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3077 if (err < 0)
3078 l2cap_seq_list_free(&chan->srej_list);
3079
3080 return err;
0565c1c2
GP		 3081}
3082
f2fcfcd6
GP		 3083static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3084{
3085 switch (mode) {
3086 case L2CAP_MODE_STREAMING:
3087 case L2CAP_MODE_ERTM:
3088 if (l2cap_mode_supported(mode, remote_feat_mask))
3089 return mode;
3090 /* fall through */
3091 default:
3092 return L2CAP_MODE_BASIC;
3093 }
3094}
3095
848566b3 3096static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3097{
0bd49fc7
JH		 3098 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3099 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
6327eb98
AE		 3100}
3101
848566b3 3102static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3103{
0bd49fc7
JH		 3104 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3105 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
f89cef09
AE		 3106}
3107
36c86c85
MM		 3108static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3109 struct l2cap_conf_rfc *rfc)
3110{
6ed971ca 3111 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3112 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3113
3114 /* Class 1 devices have must have ERTM timeouts
3115 * exceeding the Link Supervision Timeout. The
3116 * default Link Supervision Timeout for AMP
3117 * controllers is 10 seconds.
3118 *
3119 * Class 1 devices use 0xffffffff for their
3120 * best-effort flush timeout, so the clamping logic
3121 * will result in a timeout that meets the above
3122 * requirement. ERTM timeouts are 16-bit values, so
3123 * the maximum timeout is 65.535 seconds.
3124 */
3125
3126 /* Convert timeout to milliseconds and round */
3127 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3128
3129 /* This is the recommended formula for class 2 devices
3130 * that start ERTM timers when packets are sent to the
3131 * controller.
3132 */
3133 ertm_to = 3 * ertm_to + 500;
3134
3135 if (ertm_to > 0xffff)
3136 ertm_to = 0xffff;
3137
3138 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3139 rfc->monitor_timeout = rfc->retrans_timeout;
3140 } else {
dcf4adbf
JP		 3141 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3142 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3143 }
3144}
3145
6327eb98
AE		 3146static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3147{
3148 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3149 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3150 /* use extended control field */
3151 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3152 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3153 } else {
6327eb98 3154 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3155 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3156 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3157 }
c20f8e35 3158 chan->ack_win = chan->tx_win;
6327eb98
AE		 3159}
3160
710f9b0a 3161static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3162{
1da177e4 3163 struct l2cap_conf_req *req = data;
0c1bc5c6 3164 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3165 void *ptr = req->data;
c8f79162 3166 u16 size;
1da177e4 3167
49208c9c 3168 BT_DBG("chan %p", chan);
1da177e4 3169
73ffa904 3170 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3171 goto done;
3172
0c1bc5c6 3173 switch (chan->mode) {
f2fcfcd6
GP		 3174 case L2CAP_MODE_STREAMING:
3175 case L2CAP_MODE_ERTM:
c1360a1c 3176 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3177 break;
85eb53c6 3178
848566b3 3179 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3180 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3181
2ba13ed6 3182 /* fall through */
f2fcfcd6 3183 default:
8c1d787b 3184 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3185 break;
3186 }
3187
3188done:
0c1bc5c6
GP		 3189 if (chan->imtu != L2CAP_DEFAULT_MTU)
3190 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3191
0c1bc5c6 3192 switch (chan->mode) {
65c7c491 3193 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3194 if (disable_ertm)
3195 break;
3196
8c1d787b 3197 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3198 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3199 break;
3200
62547752
GP		 3201 rfc.mode = L2CAP_MODE_BASIC;
3202 rfc.txwin_size = 0;
3203 rfc.max_transmit = 0;
3204 rfc.retrans_timeout = 0;
3205 rfc.monitor_timeout = 0;
3206 rfc.max_pdu_size = 0;
3207
63406504 3208 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3209 (unsigned long) &rfc);
65c7c491
MH		 3210 break;
3211
3212 case L2CAP_MODE_ERTM:
3213 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3214 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3215
3216 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3217
3218 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3219 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3220 L2CAP_FCS_SIZE);
c8f79162 3221 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3222
6327eb98
AE		 3223 l2cap_txwin_setup(chan);
3224
3225 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3226 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3227
63406504 3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3229 (unsigned long) &rfc);
63406504 3230
f89cef09
AE		 3231 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3232 l2cap_add_opt_efs(&ptr, chan);
3233
6327eb98
AE		 3234 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3235 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3236 chan->tx_win);
60918918
AE		 3237
3238 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3239 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3240 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3241 chan->fcs = L2CAP_FCS_NONE;
3242 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3243 chan->fcs);
3244 }
f2fcfcd6
GP		 3245 break;
3246
3247 case L2CAP_MODE_STREAMING:
273759e2 3248 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3249 rfc.mode = L2CAP_MODE_STREAMING;
3250 rfc.txwin_size = 0;
3251 rfc.max_transmit = 0;
3252 rfc.retrans_timeout = 0;
3253 rfc.monitor_timeout = 0;
c8f79162
AE		 3254
3255 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3256 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3257 L2CAP_FCS_SIZE);
c8f79162 3258 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3259
63406504 3260 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3261 (unsigned long) &rfc);
63406504 3262
f89cef09
AE		 3263 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3264 l2cap_add_opt_efs(&ptr, chan);
3265
60918918
AE		 3266 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3267 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3268 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3269 chan->fcs = L2CAP_FCS_NONE;
3270 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3271 chan->fcs);
3272 }
65c7c491
MH		 3273 break;
3274 }
1da177e4 3275
fe4128e0 3276 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3277 req->flags = cpu_to_le16(0);
1da177e4
LT		 3278
3279 return ptr - data;
3280}
3281
73ffa904 3282static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3283{
5dee9e7c
MH		 3284 struct l2cap_conf_rsp *rsp = data;
3285 void *ptr = rsp->data;
73ffa904
GP		 3286 void *req = chan->conf_req;
3287 int len = chan->conf_len;
5dee9e7c
MH		 3288 int type, hint, olen;
3289 unsigned long val;
6464f35f 3290 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3291 struct l2cap_conf_efs efs;
3292 u8 remote_efs = 0;
861d6882 3293 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3294 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3295 u16 size;
1da177e4 3296
73ffa904 3297 BT_DBG("chan %p", chan);
820ae1b8 3298
5dee9e7c
MH		 3299 while (len >= L2CAP_CONF_OPT_SIZE) {
3300 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3301
589d2746 3302 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3303 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3304
3305 switch (type) {
3306 case L2CAP_CONF_MTU:
861d6882 3307 mtu = val;
5dee9e7c
MH		 3308 break;
3309
3310 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3311 chan->flush_to = val;
5dee9e7c
MH		 3312 break;
3313
3314 case L2CAP_CONF_QOS:
3315 break;
3316
6464f35f
MH		 3317 case L2CAP_CONF_RFC:
3318 if (olen == sizeof(rfc))
3319 memcpy(&rfc, (void *) val, olen);
3320 break;
3321
fcc203c3
GP		 3322 case L2CAP_CONF_FCS:
3323 if (val == L2CAP_FCS_NONE)
f2592d3e 3324 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3325 break;
fcc203c3 3326
42dceae2
AE		 3327 case L2CAP_CONF_EFS:
3328 remote_efs = 1;
3329 if (olen == sizeof(efs))
3330 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3331 break;
3332
6327eb98 3333 case L2CAP_CONF_EWS:
0bd49fc7 3334 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
6327eb98 3335 return -ECONNREFUSED;
fcc203c3 3336
6327eb98
AE		 3337 set_bit(FLAG_EXT_CTRL, &chan->flags);
3338 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3339 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3340 chan->remote_tx_win = val;
fcc203c3
GP		 3341 break;
3342
5dee9e7c
MH		 3343 default:
3344 if (hint)
3345 break;
3346
3347 result = L2CAP_CONF_UNKNOWN;
3348 *((u8 *) ptr++) = type;
3349 break;
3350 }
3351 }
3352
73ffa904 3353 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3354 goto done;
3355
0c1bc5c6 3356 switch (chan->mode) {
f2fcfcd6
GP		 3357 case L2CAP_MODE_STREAMING:
3358 case L2CAP_MODE_ERTM:
c1360a1c 3359 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3360 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3361 chan->conn->feat_mask);
85eb53c6
GP		 3362 break;
3363 }
3364
42dceae2 3365 if (remote_efs) {
848566b3 3366 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3367 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3368 else
3369 return -ECONNREFUSED;
3370 }
3371
0c1bc5c6 3372 if (chan->mode != rfc.mode)
f2fcfcd6 3373 return -ECONNREFUSED;
742e519b 3374
f2fcfcd6 3375 break;
f2fcfcd6
GP		 3376 }
3377
3378done:
0c1bc5c6 3379 if (chan->mode != rfc.mode) {
f2fcfcd6 3380 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3381 rfc.mode = chan->mode;
f2fcfcd6 3382
73ffa904 3383 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3384 return -ECONNREFUSED;
3385
2d792818
GP		 3386 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3387 (unsigned long) &rfc);
f2fcfcd6
GP		 3388 }
3389
5dee9e7c
MH		 3390 if (result == L2CAP_CONF_SUCCESS) {
3391 /* Configure output options and let the other side know
3392 * which ones we don't like. */
3393
f2fcfcd6
GP		 3394 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3395 result = L2CAP_CONF_UNACCEPT;
3396 else {
0c1bc5c6 3397 chan->omtu = mtu;
c1360a1c 3398 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3399 }
0c1bc5c6 3400 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3401
42dceae2
AE		 3402 if (remote_efs) {
3403 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3404 efs.stype != L2CAP_SERV_NOTRAFIC &&
3405 efs.stype != chan->local_stype) {
42dceae2
AE		 3406
3407 result = L2CAP_CONF_UNACCEPT;
3408
3409 if (chan->num_conf_req >= 1)
3410 return -ECONNREFUSED;
3411
3412 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3413 sizeof(efs),
3414 (unsigned long) &efs);
0e8b207e 3415 } else {
3e6b3b95 3416 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3417 result = L2CAP_CONF_PENDING;
3418 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3419 }
3420 }
3421
f2fcfcd6
GP		 3422 switch (rfc.mode) {
3423 case L2CAP_MODE_BASIC:
47d1ec61 3424 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3425 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3426 break;
3427
3428 case L2CAP_MODE_ERTM:
6327eb98
AE		 3429 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3430 chan->remote_tx_win = rfc.txwin_size;
3431 else
3432 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3433
2c03a7a4 3434 chan->remote_max_tx = rfc.max_transmit;
1c762159 3435
c8f79162 3436 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3437 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3438 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3439 rfc.max_pdu_size = cpu_to_le16(size);
3440 chan->remote_mps = size;
f2fcfcd6 3441
36c86c85 3442 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3443
c1360a1c 3444 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3445
3446 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3447 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3448
42dceae2
AE		 3449 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3450 chan->remote_id = efs.id;
3451 chan->remote_stype = efs.stype;
3452 chan->remote_msdu = le16_to_cpu(efs.msdu);
3453 chan->remote_flush_to =
2d792818 3454 le32_to_cpu(efs.flush_to);
42dceae2 3455 chan->remote_acc_lat =
2d792818 3456 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3457 chan->remote_sdu_itime =
3458 le32_to_cpu(efs.sdu_itime);
3459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3460 sizeof(efs),
3461 (unsigned long) &efs);
42dceae2 3462 }
f2fcfcd6
GP		 3463 break;
3464
3465 case L2CAP_MODE_STREAMING:
c8f79162 3466 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3467 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3468 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3469 rfc.max_pdu_size = cpu_to_le16(size);
3470 chan->remote_mps = size;
f2fcfcd6 3471
c1360a1c 3472 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3473
2d792818
GP		 3474 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3475 (unsigned long) &rfc);
68ae6639 3476
f2fcfcd6
GP		 3477 break;
3478
3479 default:
5dee9e7c 3480 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3481
6464f35f 3482 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3483 rfc.mode = chan->mode;
f2fcfcd6 3484 }
6464f35f 3485
f2fcfcd6 3486 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3487 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3488 }
fe4128e0 3489 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3490 rsp->result = cpu_to_le16(result);
dcf4adbf 3491 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3492
3493 return ptr - data;
1da177e4
LT		 3494}
3495
2d792818
GP		 3496static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3497 void *data, u16 *result)
f2fcfcd6 3498{
f2fcfcd6
GP		 3499 struct l2cap_conf_req *req = data;
3500 void *ptr = req->data;
3501 int type, olen;
3502 unsigned long val;
36e999a8 3503 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3504 struct l2cap_conf_efs efs;
f2fcfcd6 3505
fe4128e0 3506 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3507
3508 while (len >= L2CAP_CONF_OPT_SIZE) {
3509 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3510
3511 switch (type) {
3512 case L2CAP_CONF_MTU:
3513 if (val < L2CAP_DEFAULT_MIN_MTU) {
3514 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3515 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3516 } else
0c1bc5c6
GP		 3517 chan->imtu = val;
3518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3519 break;
3520
3521 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3522 chan->flush_to = val;
f2fcfcd6 3523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3524 2, chan->flush_to);
f2fcfcd6
GP		 3525 break;
3526
3527 case L2CAP_CONF_RFC:
3528 if (olen == sizeof(rfc))
3529 memcpy(&rfc, (void *)val, olen);
3530
c1360a1c 3531 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3532 rfc.mode != chan->mode)
f2fcfcd6
GP		 3533 return -ECONNREFUSED;
3534
47d1ec61 3535 chan->fcs = 0;
f2fcfcd6
GP		 3536
3537 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3538 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3539 break;
6327eb98
AE		 3540
3541 case L2CAP_CONF_EWS:
c20f8e35 3542 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3543 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3544 chan->tx_win);
6327eb98 3545 break;
66af7aaf
AE		 3546
3547 case L2CAP_CONF_EFS:
3548 if (olen == sizeof(efs))
3549 memcpy(&efs, (void *)val, olen);
3550
3551 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3552 efs.stype != L2CAP_SERV_NOTRAFIC &&
3553 efs.stype != chan->local_stype)
66af7aaf
AE		 3554 return -ECONNREFUSED;
3555
2d792818
GP		 3556 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3557 (unsigned long) &efs);
66af7aaf 3558 break;
cbabee78
AE		 3559
3560 case L2CAP_CONF_FCS:
3561 if (*result == L2CAP_CONF_PENDING)
3562 if (val == L2CAP_FCS_NONE)
f2592d3e 3563 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3564 &chan->conf_state);
3565 break;
f2fcfcd6
GP		 3566 }
3567 }
3568
0c1bc5c6 3569 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3570 return -ECONNREFUSED;
3571
0c1bc5c6 3572 chan->mode = rfc.mode;
6c2ea7a8 3573
0e8b207e 3574 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3575 switch (rfc.mode) {
3576 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3577 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3578 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3579 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3580 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3581 chan->ack_win = min_t(u16, chan->ack_win,
3582 rfc.txwin_size);
66af7aaf
AE		 3583
3584 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3585 chan->local_msdu = le16_to_cpu(efs.msdu);
3586 chan->local_sdu_itime =
2d792818 3587 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3588 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3589 chan->local_flush_to =
2d792818 3590 le32_to_cpu(efs.flush_to);
66af7aaf 3591 }
f2fcfcd6 3592 break;
66af7aaf 3593
f2fcfcd6 3594 case L2CAP_MODE_STREAMING:
47d1ec61 3595 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3596 }
3597 }
3598
fe4128e0 3599 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3600 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3601
3602 return ptr - data;
3603}
3604
2d792818
GP		 3605static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3606 u16 result, u16 flags)
1da177e4
LT		 3607{
3608 struct l2cap_conf_rsp *rsp = data;
3609 void *ptr = rsp->data;
1da177e4 3610
fe4128e0 3611 BT_DBG("chan %p", chan);
1da177e4 3612
fe4128e0 3613 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3614 rsp->result = cpu_to_le16(result);
aca3192c 3615 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3616
3617 return ptr - data;
3618}
3619
27e2d4c8
JH		 3620void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3621{
3622 struct l2cap_le_conn_rsp rsp;
3623 struct l2cap_conn *conn = chan->conn;
3624
3625 BT_DBG("chan %p", chan);
3626
3627 rsp.dcid = cpu_to_le16(chan->scid);
3628 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3629 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3630 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3631 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3632
3633 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3634 &rsp);
3635}
3636
8c1d787b 3637void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3638{
3639 struct l2cap_conn_rsp rsp;
8c1d787b 3640 struct l2cap_conn *conn = chan->conn;
710f9b0a 3641 u8 buf[128];
439f34ac 3642 u8 rsp_code;
710f9b0a 3643
fe4128e0
GP		 3644 rsp.scid = cpu_to_le16(chan->dcid);
3645 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3646 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3647 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3648
3649 if (chan->hs_hcon)
3650 rsp_code = L2CAP_CREATE_CHAN_RSP;
3651 else
3652 rsp_code = L2CAP_CONN_RSP;
3653
3654 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3655
3656 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3657
c1360a1c 3658 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3659 return;
3660
710f9b0a 3661 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3662 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3663 chan->num_conf_req++;
3664}
3665
47d1ec61 3666static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3667{
7b1c0049
GP		 3668 int type, olen;
3669 unsigned long val;
c20f8e35
MM		 3670 /* Use sane default values in case a misbehaving remote device
3671 * did not send an RFC or extended window size option.
3672 */
3673 u16 txwin_ext = chan->ack_win;
3674 struct l2cap_conf_rfc rfc = {
3675 .mode = chan->mode,
dcf4adbf
JP		 3676 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3677 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3678 .max_pdu_size = cpu_to_le16(chan->imtu),
3679 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3680 };
7b1c0049 3681
47d1ec61 3682 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3683
0c1bc5c6 3684 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3685 return;
3686
3687 while (len >= L2CAP_CONF_OPT_SIZE) {
3688 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3689
c20f8e35
MM		 3690 switch (type) {
3691 case L2CAP_CONF_RFC:
3692 if (olen == sizeof(rfc))
3693 memcpy(&rfc, (void *)val, olen);
8f321f85 3694 break;
c20f8e35
MM		 3695 case L2CAP_CONF_EWS:
3696 txwin_ext = val;
3697 break;
3698 }
7b1c0049
GP		 3699 }
3700
7b1c0049
GP		 3701 switch (rfc.mode) {
3702 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3703 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3704 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3705 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3706 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3707 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3708 else
3709 chan->ack_win = min_t(u16, chan->ack_win,
3710 rfc.txwin_size);
7b1c0049
GP		 3711 break;
3712 case L2CAP_MODE_STREAMING:
47d1ec61 3713 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3714 }
3715}
3716
2d792818 3717static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3718 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3719 u8 *data)
4e8402a3 3720{
e2fd318e 3721 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3722
cb3b3152
JH		 3723 if (cmd_len < sizeof(*rej))
3724 return -EPROTO;
3725
e2fd318e 3726 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3727 return 0;
3728
3729 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3730 cmd->ident == conn->info_ident) {
17cd3f37 3731 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3732
3733 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3734 conn->info_ident = 0;
984947dc 3735
4e8402a3
MH		 3736 l2cap_conn_start(conn);
3737 }
3738
3739 return 0;
3740}
3741
1700915f
MM		 3742static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3743 struct l2cap_cmd_hdr *cmd,
3744 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3745{
1da177e4
LT		 3746 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3747 struct l2cap_conn_rsp rsp;
23691d75 3748 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3749 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3750
3751 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3752 __le16 psm = req->psm;
1da177e4 3753
097db76c 3754 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3755
3756 /* Check if we have socket listening on psm */
6f59b904 3757 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3758 &conn->hcon->dst, ACL_LINK);
23691d75 3759 if (!pchan) {
1da177e4
LT		 3760 result = L2CAP_CR_BAD_PSM;
3761 goto sendresp;
3762 }
3763
3df91ea2 3764 mutex_lock(&conn->chan_lock);
8ffb9290 3765 l2cap_chan_lock(pchan);
e0f0cb56 3766
e7c29cb1 3767 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3768 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3769 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3770 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3771 result = L2CAP_CR_SEC_BLOCK;
3772 goto response;
3773 }
3774
1da177e4
LT		 3775 result = L2CAP_CR_NO_MEM;
3776
2dfa1003
GP		 3777 /* Check if we already have channel with that dcid */
3778 if (__l2cap_get_chan_by_dcid(conn, scid))
3779 goto response;
3780
80b98027 3781 chan = pchan->ops->new_connection(pchan);
80808e43 3782 if (!chan)
1da177e4
LT		 3783 goto response;
3784
330b6c15
SS		 3785 /* For certain devices (ex: HID mouse), support for authentication,
3786 * pairing and bonding is optional. For such devices, inorder to avoid
3787 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3788 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3789 */
3790 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3791
7eafc59e
MH		 3792 bacpy(&chan->src, &conn->hcon->src);
3793 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3794 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3795 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3796 chan->psm = psm;
3797 chan->dcid = scid;
1700915f 3798 chan->local_amp_id = amp_id;
1da177e4 3799
6be36555 3800 __l2cap_chan_add(conn, chan);
48454079 3801
fe4128e0 3802 dcid = chan->scid;
1da177e4 3803
8d836d71 3804 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3805
fc7f8a7e 3806 chan->ident = cmd->ident;
1da177e4 3807
984947dc 3808 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3809 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3810 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3811 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3812 result = L2CAP_CR_PEND;
3813 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3814 chan->ops->defer(chan);
f66dc81f 3815 } else {
1700915f
MM		 3816 /* Force pending result for AMP controllers.
3817 * The connection will succeed after the
3818 * physical link is up.
3819 */
6ed971ca 3820 if (amp_id == AMP_ID_BREDR) {
f93fa273 3821 l2cap_state_change(chan, BT_CONFIG);
1700915f 3822 result = L2CAP_CR_SUCCESS;
6ed971ca 3823 } else {
f93fa273 3824 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3825 result = L2CAP_CR_PEND;
1700915f 3826 }
f66dc81f
MH		 3827 status = L2CAP_CS_NO_INFO;
3828 }
79d554a6 3829 } else {
f93fa273 3830 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3831 result = L2CAP_CR_PEND;
3832 status = L2CAP_CS_AUTHEN_PEND;
3833 }
3834 } else {
f93fa273 3835 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3836 result = L2CAP_CR_PEND;
3837 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3838 }
3839
1da177e4 3840response:
8ffb9290 3841 l2cap_chan_unlock(pchan);
3df91ea2 3842 mutex_unlock(&conn->chan_lock);
a24cce14 3843 l2cap_chan_put(pchan);
1da177e4
LT		 3844
3845sendresp:
aca3192c
YH		 3846 rsp.scid = cpu_to_le16(scid);
3847 rsp.dcid = cpu_to_le16(dcid);
3848 rsp.result = cpu_to_le16(result);
3849 rsp.status = cpu_to_le16(status);
4c89b6aa 3850 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3851
3852 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3853 struct l2cap_info_req info;
dcf4adbf 3854 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3855
3856 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3857 conn->info_ident = l2cap_get_ident(conn);
3858
ba13ccd9 3859 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3860
2d792818
GP		 3861 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3862 sizeof(info), &info);
79d554a6
MH		 3863 }
3864
c1360a1c 3865 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3866 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3867 u8 buf[128];
c1360a1c 3868 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3869 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3870 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3871 chan->num_conf_req++;
e9aeb2dd 3872 }
1700915f
MM		 3873
3874 return chan;
4c89b6aa 3875}
e9aeb2dd 3876
4c89b6aa 3877static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3878 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3879{
7b064eda
JK		 3880 struct hci_dev *hdev = conn->hcon->hdev;
3881 struct hci_conn *hcon = conn->hcon;
3882
cb3b3152
JH		 3883 if (cmd_len < sizeof(struct l2cap_conn_req))
3884 return -EPROTO;
3885
7b064eda
JK		 3886 hci_dev_lock(hdev);
3887 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3888 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
48ec92fa 3889 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
7b064eda
JK		 3890 hci_dev_unlock(hdev);
3891
300229f9 3892 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3893 return 0;
3894}
3895
5909cf30 3896static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3897 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3898 u8 *data)
1da177e4
LT		 3899{
3900 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3901 u16 scid, dcid, result, status;
48454079 3902 struct l2cap_chan *chan;
1da177e4 3903 u8 req[128];
3df91ea2 3904 int err;
1da177e4 3905
cb3b3152
JH		 3906 if (cmd_len < sizeof(*rsp))
3907 return -EPROTO;
3908
1da177e4
LT		 3909 scid = __le16_to_cpu(rsp->scid);
3910 dcid = __le16_to_cpu(rsp->dcid);
3911 result = __le16_to_cpu(rsp->result);
3912 status = __le16_to_cpu(rsp->status);
3913
1b009c98 3914 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3915 dcid, scid, result, status);
1da177e4 3916
3df91ea2
AE		 3917 mutex_lock(&conn->chan_lock);
3918
1da177e4 3919 if (scid) {
3df91ea2
AE		 3920 chan = __l2cap_get_chan_by_scid(conn, scid);
3921 if (!chan) {
21870b52 3922 err = -EBADSLT;
3df91ea2
AE		 3923 goto unlock;
3924 }
1da177e4 3925 } else {
3df91ea2
AE		 3926 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3927 if (!chan) {
21870b52 3928 err = -EBADSLT;
3df91ea2
AE		 3929 goto unlock;
3930 }
1da177e4
LT		 3931 }
3932
3df91ea2
AE		 3933 err = 0;
3934
6be36555 3935 l2cap_chan_lock(chan);
48454079 3936
1da177e4
LT		 3937 switch (result) {
3938 case L2CAP_CR_SUCCESS:
89bc500e 3939 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3940 chan->ident = 0;
fe4128e0 3941 chan->dcid = dcid;
c1360a1c 3942 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3943
c1360a1c 3944 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3945 break;
3946
1da177e4 3947 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3948 l2cap_build_conf_req(chan, req), req);
73ffa904 3949 chan->num_conf_req++;
1da177e4
LT		 3950 break;
3951
3952 case L2CAP_CR_PEND:
c1360a1c 3953 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3954 break;
3955
3956 default:
48454079 3957 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3958 break;
3959 }
3960
6be36555 3961 l2cap_chan_unlock(chan);
3df91ea2
AE		 3962
3963unlock:
3964 mutex_unlock(&conn->chan_lock);
3965
3966 return err;
1da177e4
LT		 3967}
3968
47d1ec61 3969static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3970{
3971 /* FCS is enabled only in ERTM or streaming mode, if one or both
3972 * sides request it.
3973 */
0c1bc5c6 3974 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3975 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3976 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3977 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3978}
3979
29d8a590
AE		 3980static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3981 u8 ident, u16 flags)
3982{
3983 struct l2cap_conn *conn = chan->conn;
3984
3985 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3986 flags);
3987
3988 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3989 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3990
3991 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3992 l2cap_build_conf_rsp(chan, data,
3993 L2CAP_CONF_SUCCESS, flags), data);
3994}
3995
662d652d
JH		 3996static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3997 u16 scid, u16 dcid)
3998{
3999 struct l2cap_cmd_rej_cid rej;
4000
dcf4adbf 4001 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 4002 rej.scid = __cpu_to_le16(scid);
4003 rej.dcid = __cpu_to_le16(dcid);
4004
4005 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4006}
4007
2d792818
GP		 4008static inline int l2cap_config_req(struct l2cap_conn *conn,
4009 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4010 u8 *data)
1da177e4
LT		 4011{
4012 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4013 u16 dcid, flags;
4014 u8 rsp[64];
48454079 4015 struct l2cap_chan *chan;
3c588192 4016 int len, err = 0;
1da177e4 4017
cb3b3152
JH		 4018 if (cmd_len < sizeof(*req))
4019 return -EPROTO;
4020
1da177e4
LT		 4021 dcid = __le16_to_cpu(req->dcid);
4022 flags = __le16_to_cpu(req->flags);
4023
4024 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4025
baa7e1fa 4026 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4027 if (!chan) {
4028 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4029 return 0;
4030 }
1da177e4 4031
033b1142 4032 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4033 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4034 chan->dcid);
354f60a9 4035 goto unlock;
df6bd743 4036 }
354f60a9 4037
5dee9e7c 4038 /* Reject if config buffer is too small. */
88219a0f 4039 len = cmd_len - sizeof(*req);
cb3b3152 4040 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4041 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4042 l2cap_build_conf_rsp(chan, rsp,
4043 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4044 goto unlock;
4045 }
4046
4047 /* Store config. */
73ffa904
GP		 4048 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4049 chan->conf_len += len;
1da177e4 4050
59e54bd1 4051 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4052 /* Incomplete config. Send empty response. */
4053 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4054 l2cap_build_conf_rsp(chan, rsp,
4055 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4056 goto unlock;
4057 }
4058
4059 /* Complete config. */
73ffa904 4060 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4061 if (len < 0) {
5e4e3972 4062 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4063 goto unlock;
f2fcfcd6 4064 }
1da177e4 4065
1500109b 4066 chan->ident = cmd->ident;
5dee9e7c 4067 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4068 chan->num_conf_rsp++;
5dee9e7c 4069
5dee9e7c 4070 /* Reset config buffer. */
73ffa904 4071 chan->conf_len = 0;
5dee9e7c 4072
c1360a1c 4073 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4074 goto unlock;
4075
c1360a1c 4076 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4077 set_default_fcs(chan);
fcc203c3 4078
105bdf9e
MM		 4079 if (chan->mode == L2CAP_MODE_ERTM ||
4080 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4081 err = l2cap_ertm_init(chan);
4082
4083 if (err < 0)
5e4e3972 4084 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4085 else
4086 l2cap_chan_ready(chan);
0565c1c2 4087
876d9484
MH		 4088 goto unlock;
4089 }
4090
c1360a1c 4091 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4092 u8 buf[64];
1da177e4 4093 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4094 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4095 chan->num_conf_req++;
1da177e4
LT		 4096 }
4097
49c922bb 4098 /* Got Conf Rsp PENDING from remote side and assume we sent
0e8b207e
AE		 4099 Conf Rsp PENDING in the code above */
4100 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4101 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4102
4103 /* check compatibility */
4104
79de886d 4105 /* Send rsp for BR/EDR channel */
f351bc72 4106 if (!chan->hs_hcon)
79de886d
AE		 4107 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4108 else
4109 chan->ident = cmd->ident;
0e8b207e
AE		 4110 }
4111
1da177e4 4112unlock:
6be36555 4113 l2cap_chan_unlock(chan);
3c588192 4114 return err;
1da177e4
LT		 4115}
4116
2d792818 4117static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4118 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4119 u8 *data)
1da177e4
LT		 4120{
4121 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4122 u16 scid, flags, result;
48454079 4123 struct l2cap_chan *chan;
cb3b3152 4124 int len = cmd_len - sizeof(*rsp);
3c588192 4125 int err = 0;
1da177e4 4126
cb3b3152
JH		 4127 if (cmd_len < sizeof(*rsp))
4128 return -EPROTO;
4129
1da177e4
LT		 4130 scid = __le16_to_cpu(rsp->scid);
4131 flags = __le16_to_cpu(rsp->flags);
4132 result = __le16_to_cpu(rsp->result);
4133
61386cba
AE		 4134 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4135 result, len);
1da177e4 4136
baa7e1fa 4137 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4138 if (!chan)
1da177e4
LT		 4139 return 0;
4140
4141 switch (result) {
4142 case L2CAP_CONF_SUCCESS:
47d1ec61 4143 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4144 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4145 break;
4146
0e8b207e
AE		 4147 case L2CAP_CONF_PENDING:
4148 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4149
4150 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4151 char buf[64];
4152
4153 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4154 buf, &result);
0e8b207e 4155 if (len < 0) {
5e4e3972 4156 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4157 goto done;
4158 }
4159
f351bc72 4160 if (!chan->hs_hcon) {
79de886d
AE		 4161 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4162 0);
5ce66b59
AE		 4163 } else {
4164 if (l2cap_check_efs(chan)) {
4165 amp_create_logical_link(chan);
4166 chan->ident = cmd->ident;
4167 }
4168 }
0e8b207e
AE		 4169 }
4170 goto done;
4171
1da177e4 4172 case L2CAP_CONF_UNACCEPT:
73ffa904 4173 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4174 char req[64];
4175
c2c77ec8 4176 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4177 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4178 goto done;
4179 }
4180
f2fcfcd6
GP		 4181 /* throw out any old stored conf requests */
4182 result = L2CAP_CONF_SUCCESS;
b4450035 4183 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4184 req, &result);
f2fcfcd6 4185 if (len < 0) {
5e4e3972 4186 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4187 goto done;
4188 }
4189
4190 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4191 L2CAP_CONF_REQ, len, req);
73ffa904 4192 chan->num_conf_req++;
f2fcfcd6
GP		 4193 if (result != L2CAP_CONF_SUCCESS)
4194 goto done;
4195 break;
1da177e4
LT		 4196 }
4197
8e87d142 4198 default:
6be36555 4199 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4200
ba13ccd9 4201 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4202 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4203 goto done;
4204 }
4205
59e54bd1 4206 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4207 goto done;
4208
c1360a1c 4209 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4210
c1360a1c 4211 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4212 set_default_fcs(chan);
fcc203c3 4213
105bdf9e
MM		 4214 if (chan->mode == L2CAP_MODE_ERTM ||
4215 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4216 err = l2cap_ertm_init(chan);
0565c1c2 4217
3c588192 4218 if (err < 0)
5e4e3972 4219 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4220 else
4221 l2cap_chan_ready(chan);
1da177e4
LT		 4222 }
4223
4224done:
6be36555 4225 l2cap_chan_unlock(chan);
3c588192 4226 return err;
1da177e4
LT		 4227}
4228
2d792818 4229static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4230 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4231 u8 *data)
1da177e4
LT		 4232{
4233 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4234 struct l2cap_disconn_rsp rsp;
4235 u16 dcid, scid;
48454079 4236 struct l2cap_chan *chan;
1da177e4 4237
cb3b3152
JH		 4238 if (cmd_len != sizeof(*req))
4239 return -EPROTO;
4240
1da177e4
LT		 4241 scid = __le16_to_cpu(req->scid);
4242 dcid = __le16_to_cpu(req->dcid);
4243
4244 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4245
3df91ea2
AE		 4246 mutex_lock(&conn->chan_lock);
4247
4248 chan = __l2cap_get_chan_by_scid(conn, dcid);
4249 if (!chan) {
4250 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4251 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4252 return 0;
3df91ea2 4253 }
1da177e4 4254
6be36555
AE		 4255 l2cap_chan_lock(chan);
4256
fe4128e0
GP		 4257 rsp.dcid = cpu_to_le16(chan->scid);
4258 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4259 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4260
5ec1bbe5 4261 chan->ops->set_shutdown(chan);
1da177e4 4262
61d6ef3e 4263 l2cap_chan_hold(chan);
48454079 4264 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4265
4266 l2cap_chan_unlock(chan);
1da177e4 4267
80b98027 4268 chan->ops->close(chan);
61d6ef3e 4269 l2cap_chan_put(chan);
3df91ea2
AE		 4270
4271 mutex_unlock(&conn->chan_lock);
4272
1da177e4
LT		 4273 return 0;
4274}
4275
2d792818 4276static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4277 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4278 u8 *data)
1da177e4
LT		 4279{
4280 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4281 u16 dcid, scid;
48454079 4282 struct l2cap_chan *chan;
1da177e4 4283
cb3b3152
JH		 4284 if (cmd_len != sizeof(*rsp))
4285 return -EPROTO;
4286
1da177e4
LT		 4287 scid = __le16_to_cpu(rsp->scid);
4288 dcid = __le16_to_cpu(rsp->dcid);
4289
4290 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4291
3df91ea2
AE		 4292 mutex_lock(&conn->chan_lock);
4293
4294 chan = __l2cap_get_chan_by_scid(conn, scid);
4295 if (!chan) {
4296 mutex_unlock(&conn->chan_lock);
1da177e4 4297 return 0;
3df91ea2 4298 }
1da177e4 4299
6be36555 4300 l2cap_chan_lock(chan);
48454079 4301
61d6ef3e 4302 l2cap_chan_hold(chan);
48454079 4303 l2cap_chan_del(chan, 0);
6be36555
AE		 4304
4305 l2cap_chan_unlock(chan);
1da177e4 4306
80b98027 4307 chan->ops->close(chan);
61d6ef3e 4308 l2cap_chan_put(chan);
3df91ea2
AE		 4309
4310 mutex_unlock(&conn->chan_lock);
4311
1da177e4
LT		 4312 return 0;
4313}
4314
2d792818 4315static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4316 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4317 u8 *data)
1da177e4
LT		 4318{
4319 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4320 u16 type;
4321
cb3b3152
JH		 4322 if (cmd_len != sizeof(*req))
4323 return -EPROTO;
4324
1da177e4
LT		 4325 type = __le16_to_cpu(req->type);
4326
4327 BT_DBG("type 0x%4.4x", type);
4328
f0709e03
MH		 4329 if (type == L2CAP_IT_FEAT_MASK) {
4330 u8 buf[8];
44dd46de 4331 u32 feat_mask = l2cap_feat_mask;
f0709e03 4332 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4333 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4334 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4335 if (!disable_ertm)
fcc203c3 4336 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4337 | L2CAP_FEAT_FCS;
0bd49fc7 4338 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
6327eb98 4339 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4340 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4341
1b7bf4ed 4342 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4343 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4344 buf);
e1027a7c
MH		 4345 } else if (type == L2CAP_IT_FIXED_CHAN) {
4346 u8 buf[12];
4347 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4348
dcf4adbf
JP		 4349 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4350 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
0bd49fc7
JH		 4351 rsp->data[0] = conn->local_fixed_chan;
4352 memset(rsp->data + 1, 0, 7);
2d792818
GP		 4353 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4354 buf);
f0709e03
MH		 4355 } else {
4356 struct l2cap_info_rsp rsp;
4357 rsp.type = cpu_to_le16(type);
dcf4adbf 4358 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4359 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4360 &rsp);
f0709e03 4361 }
1da177e4
LT		 4362
4363 return 0;
4364}
4365
2d792818 4366static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4367 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4368 u8 *data)
1da177e4
LT		 4369{
4370 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4371 u16 type, result;
4372
3f6fa3d4 4373 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4374 return -EPROTO;
4375
1da177e4
LT		 4376 type = __le16_to_cpu(rsp->type);
4377 result = __le16_to_cpu(rsp->result);
4378
4379 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4380
e90165be
AE		 4381 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4382 if (cmd->ident != conn->info_ident ||
2d792818 4383 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4384 return 0;
4385
17cd3f37 4386 cancel_delayed_work(&conn->info_timer);
4e8402a3 4387
adb08ede
VT		 4388 if (result != L2CAP_IR_SUCCESS) {
4389 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4390 conn->info_ident = 0;
4391
4392 l2cap_conn_start(conn);
4393
4394 return 0;
4395 }
4396
978c93b9
AE		 4397 switch (type) {
4398 case L2CAP_IT_FEAT_MASK:
83985319 4399 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4400
47ec1dcd 4401 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4402 struct l2cap_info_req req;
dcf4adbf 4403 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4404
4405 conn->info_ident = l2cap_get_ident(conn);
4406
4407 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4408 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4409 } else {
4410 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4411 conn->info_ident = 0;
4412
4413 l2cap_conn_start(conn);
4414 }
978c93b9
AE		 4415 break;
4416
4417 case L2CAP_IT_FIXED_CHAN:
0bd49fc7 4418 conn->remote_fixed_chan = rsp->data[0];
984947dc 4419 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4420 conn->info_ident = 0;
984947dc
MH		 4421
4422 l2cap_conn_start(conn);
978c93b9 4423 break;
984947dc 4424 }
4e8402a3 4425
1da177e4
LT		 4426 return 0;
4427}
4428
1700915f
MM		 4429static int l2cap_create_channel_req(struct l2cap_conn *conn,
4430 struct l2cap_cmd_hdr *cmd,
4431 u16 cmd_len, void *data)
f94ff6ff
MM		 4432{
4433 struct l2cap_create_chan_req *req = data;
6e1df6a6 4434 struct l2cap_create_chan_rsp rsp;
1700915f 4435 struct l2cap_chan *chan;
6e1df6a6 4436 struct hci_dev *hdev;
f94ff6ff
MM		 4437 u16 psm, scid;
4438
4439 if (cmd_len != sizeof(*req))
4440 return -EPROTO;
4441
0bd49fc7 4442 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
f94ff6ff
MM		 4443 return -EINVAL;
4444
4445 psm = le16_to_cpu(req->psm);
4446 scid = le16_to_cpu(req->scid);
4447
ad0ac6ca 4448 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4449
6e1df6a6 4450 /* For controller id 0 make BR/EDR connection */
6ed971ca 4451 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4452 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4453 req->amp_id);
4454 return 0;
4455 }
1700915f 4456
6e1df6a6
AE		 4457 /* Validate AMP controller id */
4458 hdev = hci_dev_get(req->amp_id);
4459 if (!hdev)
4460 goto error;
1700915f 4461
6e1df6a6
AE		 4462 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4463 hci_dev_put(hdev);
4464 goto error;
4465 }
1700915f 4466
6e1df6a6
AE		 4467 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4468 req->amp_id);
4469 if (chan) {
4470 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4471 struct hci_conn *hs_hcon;
1700915f 4472
98e0f7ea
MH		 4473 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4474 &conn->hcon->dst);
6e1df6a6
AE		 4475 if (!hs_hcon) {
4476 hci_dev_put(hdev);
662d652d
JH		 4477 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4478 chan->dcid);
4479 return 0;
1700915f
MM		 4480 }
4481
6e1df6a6
AE		 4482 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4483
6e1df6a6
AE		 4484 mgr->bredr_chan = chan;
4485 chan->hs_hcon = hs_hcon;
fd45bf4c 4486 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4487 conn->mtu = hdev->block_mtu;
1700915f 4488 }
f94ff6ff 4489
6e1df6a6 4490 hci_dev_put(hdev);
f94ff6ff
MM		 4491
4492 return 0;
6e1df6a6
AE		 4493
4494error:
4495 rsp.dcid = 0;
4496 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4497 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4498 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4499
4500 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4501 sizeof(rsp), &rsp);
4502
dc280801 4503 return 0;
f94ff6ff
MM		 4504}
4505
8eb200bd
MM		 4506static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4507{
4508 struct l2cap_move_chan_req req;
4509 u8 ident;
4510
4511 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4512
4513 ident = l2cap_get_ident(chan->conn);
4514 chan->ident = ident;
4515
4516 req.icid = cpu_to_le16(chan->scid);
4517 req.dest_amp_id = dest_amp_id;
4518
4519 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4520 &req);
4521
4522 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4523}
4524
1500109b 4525static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4526{
4527 struct l2cap_move_chan_rsp rsp;
4528
1500109b 4529 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4530
1500109b 4531 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4532 rsp.result = cpu_to_le16(result);
4533
1500109b
MM		 4534 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4535 sizeof(rsp), &rsp);
8d5a04a1
MM		 4536}
4537
5b155ef9 4538static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4539{
4540 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4541
5b155ef9 4542 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4543
5b155ef9 4544 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4545
5b155ef9 4546 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4547 cfm.result = cpu_to_le16(result);
4548
5b155ef9
MM		 4549 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4550 sizeof(cfm), &cfm);
4551
4552 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4553}
4554
4555static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4556{
4557 struct l2cap_move_chan_cfm cfm;
4558
4559 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4560
4561 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4562 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4563
4564 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4565 sizeof(cfm), &cfm);
8d5a04a1
MM		 4566}
4567
4568static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4569 u16 icid)
8d5a04a1
MM		 4570{
4571 struct l2cap_move_chan_cfm_rsp rsp;
4572
ad0ac6ca 4573 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4574
4575 rsp.icid = cpu_to_le16(icid);
4576 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4577}
4578
5f3847a4
MM		 4579static void __release_logical_link(struct l2cap_chan *chan)
4580{
4581 chan->hs_hchan = NULL;
4582 chan->hs_hcon = NULL;
4583
4584 /* Placeholder - release the logical link */
4585}
4586
1500109b
MM		 4587static void l2cap_logical_fail(struct l2cap_chan *chan)
4588{
4589 /* Logical link setup failed */
4590 if (chan->state != BT_CONNECTED) {
4591 /* Create channel failure, disconnect */
5e4e3972 4592 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4593 return;
4594 }
4595
4596 switch (chan->move_role) {
4597 case L2CAP_MOVE_ROLE_RESPONDER:
4598 l2cap_move_done(chan);
4599 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4600 break;
4601 case L2CAP_MOVE_ROLE_INITIATOR:
4602 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4603 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4604 /* Remote has only sent pending or
4605 * success responses, clean up
4606 */
4607 l2cap_move_done(chan);
4608 }
4609
4610 /* Other amp move states imply that the move
4611 * has already aborted
4612 */
4613 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4614 break;
4615 }
4616}
4617
4618static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4619 struct hci_chan *hchan)
4620{
4621 struct l2cap_conf_rsp rsp;
1500109b 4622
336178a3 4623 chan->hs_hchan = hchan;
1500109b
MM		 4624 chan->hs_hcon->l2cap_data = chan->conn;
4625
35ba9561 4626 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4627
4628 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4629 int err;
1500109b
MM		 4630
4631 set_default_fcs(chan);
4632
4633 err = l2cap_ertm_init(chan);
4634 if (err < 0)
5e4e3972 4635 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4636 else
4637 l2cap_chan_ready(chan);
4638 }
4639}
4640
4641static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4642 struct hci_chan *hchan)
4643{
4644 chan->hs_hcon = hchan->conn;
4645 chan->hs_hcon->l2cap_data = chan->conn;
4646
4647 BT_DBG("move_state %d", chan->move_state);
4648
4649 switch (chan->move_state) {
4650 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4651 /* Move confirm will be sent after a success
4652 * response is received
4653 */
4654 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4655 break;
4656 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4657 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4658 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4659 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4660 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4661 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4662 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4663 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4664 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4665 }
4666 break;
4667 default:
4668 /* Move was not in expected state, free the channel */
4669 __release_logical_link(chan);
4670
4671 chan->move_state = L2CAP_MOVE_STABLE;
4672 }
4673}
4674
4675/* Call with chan locked */
27695fb4
AE		 4676void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4677 u8 status)
5b155ef9 4678{
1500109b
MM		 4679 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4680
4681 if (status) {
4682 l2cap_logical_fail(chan);
4683 __release_logical_link(chan);
4684 return;
4685 }
4686
4687 if (chan->state != BT_CONNECTED) {
4688 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4689 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4690 l2cap_logical_finish_create(chan, hchan);
4691 } else {
4692 l2cap_logical_finish_move(chan, hchan);
4693 }
5b155ef9
MM		 4694}
4695
3f7a56c4
MM		 4696void l2cap_move_start(struct l2cap_chan *chan)
4697{
4698 BT_DBG("chan %p", chan);
4699
6ed971ca 4700 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4701 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4702 return;
4703 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4704 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4705 /* Placeholder - start physical link setup */
4706 } else {
4707 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4708 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4709 chan->move_id = 0;
4710 l2cap_move_setup(chan);
4711 l2cap_send_move_chan_req(chan, 0);
4712 }
4713}
4714
8eb200bd
MM		 4715static void l2cap_do_create(struct l2cap_chan *chan, int result,
4716 u8 local_amp_id, u8 remote_amp_id)
4717{
62748ca1
AE		 4718 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4719 local_amp_id, remote_amp_id);
4720
12d6cc60
AE		 4721 chan->fcs = L2CAP_FCS_NONE;
4722
62748ca1
AE		 4723 /* Outgoing channel on AMP */
4724 if (chan->state == BT_CONNECT) {
4725 if (result == L2CAP_CR_SUCCESS) {
4726 chan->local_amp_id = local_amp_id;
4727 l2cap_send_create_chan_req(chan, remote_amp_id);
4728 } else {
4729 /* Revert to BR/EDR connect */
4730 l2cap_send_conn_req(chan);
4731 }
4732
4733 return;
4734 }
4735
4736 /* Incoming channel on AMP */
4737 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4738 struct l2cap_conn_rsp rsp;
4739 char buf[128];
4740 rsp.scid = cpu_to_le16(chan->dcid);
4741 rsp.dcid = cpu_to_le16(chan->scid);
4742
8eb200bd
MM		 4743 if (result == L2CAP_CR_SUCCESS) {
4744 /* Send successful response */
dcf4adbf
JP		 4745 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4746 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4747 } else {
4748 /* Send negative response */
dcf4adbf
JP		 4749 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4750 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4751 }
4752
4753 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4754 sizeof(rsp), &rsp);
4755
4756 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4757 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4758 set_bit(CONF_REQ_SENT, &chan->conf_state);
4759 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4760 L2CAP_CONF_REQ,
4761 l2cap_build_conf_req(chan, buf), buf);
4762 chan->num_conf_req++;
4763 }
8eb200bd
MM		 4764 }
4765}
4766
4767static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4768 u8 remote_amp_id)
4769{
4770 l2cap_move_setup(chan);
4771 chan->move_id = local_amp_id;
4772 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4773
4774 l2cap_send_move_chan_req(chan, remote_amp_id);
4775}
4776
4777static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4778{
4779 struct hci_chan *hchan = NULL;
4780
4781 /* Placeholder - get hci_chan for logical link */
4782
4783 if (hchan) {
4784 if (hchan->state == BT_CONNECTED) {
4785 /* Logical link is ready to go */
4786 chan->hs_hcon = hchan->conn;
4787 chan->hs_hcon->l2cap_data = chan->conn;
4788 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4789 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4790
4791 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4792 } else {
4793 /* Wait for logical link to be ready */
4794 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4795 }
4796 } else {
4797 /* Logical link not available */
4798 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4799 }
4800}
4801
4802static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4803{
4804 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4805 u8 rsp_result;
4806 if (result == -EINVAL)
4807 rsp_result = L2CAP_MR_BAD_ID;
4808 else
4809 rsp_result = L2CAP_MR_NOT_ALLOWED;
4810
4811 l2cap_send_move_chan_rsp(chan, rsp_result);
4812 }
4813
4814 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4815 chan->move_state = L2CAP_MOVE_STABLE;
4816
4817 /* Restart data transmission */
4818 l2cap_ertm_send(chan);
4819}
4820
a514b17f
AE		 4821/* Invoke with locked chan */
4822void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4823{
770bfefa 4824 u8 local_amp_id = chan->local_amp_id;
fffadc08 4825 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4826
8eb200bd
MM		 4827 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4828 chan, result, local_amp_id, remote_amp_id);
4829
8eb200bd
MM		 4830 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4831 l2cap_chan_unlock(chan);
4832 return;
4833 }
4834
4835 if (chan->state != BT_CONNECTED) {
4836 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4837 } else if (result != L2CAP_MR_SUCCESS) {
4838 l2cap_do_move_cancel(chan, result);
4839 } else {
4840 switch (chan->move_role) {
4841 case L2CAP_MOVE_ROLE_INITIATOR:
4842 l2cap_do_move_initiate(chan, local_amp_id,
4843 remote_amp_id);
4844 break;
4845 case L2CAP_MOVE_ROLE_RESPONDER:
4846 l2cap_do_move_respond(chan, result);
4847 break;
4848 default:
4849 l2cap_do_move_cancel(chan, result);
4850 break;
4851 }
4852 }
8eb200bd
MM		 4853}
4854
8d5a04a1 4855static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4856 struct l2cap_cmd_hdr *cmd,
4857 u16 cmd_len, void *data)
8d5a04a1
MM		 4858{
4859 struct l2cap_move_chan_req *req = data;
1500109b 4860 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4861 struct l2cap_chan *chan;
8d5a04a1
MM		 4862 u16 icid = 0;
4863 u16 result = L2CAP_MR_NOT_ALLOWED;
4864
4865 if (cmd_len != sizeof(*req))
4866 return -EPROTO;
4867
4868 icid = le16_to_cpu(req->icid);
4869
ad0ac6ca 4870 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4871
0bd49fc7 4872 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
8d5a04a1
MM		 4873 return -EINVAL;
4874
02b0fbb9
MM		 4875 chan = l2cap_get_chan_by_dcid(conn, icid);
4876 if (!chan) {
1500109b 4877 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4878 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4879 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4880 sizeof(rsp), &rsp);
02b0fbb9
MM		 4881 return 0;
4882 }
4883
1500109b
MM		 4884 chan->ident = cmd->ident;
4885
02b0fbb9
MM		 4886 if (chan->scid < L2CAP_CID_DYN_START ||
4887 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4888 (chan->mode != L2CAP_MODE_ERTM &&
4889 chan->mode != L2CAP_MODE_STREAMING)) {
4890 result = L2CAP_MR_NOT_ALLOWED;
4891 goto send_move_response;
4892 }
4893
4894 if (chan->local_amp_id == req->dest_amp_id) {
4895 result = L2CAP_MR_SAME_ID;
4896 goto send_move_response;
4897 }
4898
6ed971ca 4899 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4900 struct hci_dev *hdev;
4901 hdev = hci_dev_get(req->dest_amp_id);
4902 if (!hdev || hdev->dev_type != HCI_AMP ||
4903 !test_bit(HCI_UP, &hdev->flags)) {
4904 if (hdev)
4905 hci_dev_put(hdev);
4906
4907 result = L2CAP_MR_BAD_ID;
4908 goto send_move_response;
4909 }
4910 hci_dev_put(hdev);
4911 }
4912
4913 /* Detect a move collision. Only send a collision response
4914 * if this side has "lost", otherwise proceed with the move.
4915 * The winner has the larger bd_addr.
4916 */
4917 if ((__chan_is_moving(chan) ||
4918 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4919 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4920 result = L2CAP_MR_COLLISION;
4921 goto send_move_response;
4922 }
4923
02b0fbb9
MM		 4924 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4925 l2cap_move_setup(chan);
4926 chan->move_id = req->dest_amp_id;
4927 icid = chan->dcid;
4928
6ed971ca 4929 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4930 /* Moving to BR/EDR */
4931 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4932 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4933 result = L2CAP_MR_PEND;
4934 } else {
4935 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4936 result = L2CAP_MR_SUCCESS;
4937 }
4938 } else {
4939 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4940 /* Placeholder - uncomment when amp functions are available */
4941 /*amp_accept_physical(chan, req->dest_amp_id);*/
4942 result = L2CAP_MR_PEND;
4943 }
4944
4945send_move_response:
1500109b 4946 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4947
02b0fbb9
MM		 4948 l2cap_chan_unlock(chan);
4949
8d5a04a1
MM		 4950 return 0;
4951}
4952
5b155ef9
MM		 4953static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4954{
4955 struct l2cap_chan *chan;
4956 struct hci_chan *hchan = NULL;
4957
4958 chan = l2cap_get_chan_by_scid(conn, icid);
4959 if (!chan) {
4960 l2cap_send_move_chan_cfm_icid(conn, icid);
4961 return;
4962 }
4963
4964 __clear_chan_timer(chan);
4965 if (result == L2CAP_MR_PEND)
4966 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4967
4968 switch (chan->move_state) {
4969 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4970 /* Move confirm will be sent when logical link
4971 * is complete.
4972 */
4973 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4974 break;
4975 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4976 if (result == L2CAP_MR_PEND) {
4977 break;
4978 } else if (test_bit(CONN_LOCAL_BUSY,
4979 &chan->conn_state)) {
4980 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4981 } else {
4982 /* Logical link is up or moving to BR/EDR,
4983 * proceed with move
4984 */
4985 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4986 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4987 }
4988 break;
4989 case L2CAP_MOVE_WAIT_RSP:
4990 /* Moving to AMP */
4991 if (result == L2CAP_MR_SUCCESS) {
4992 /* Remote is ready, send confirm immediately
4993 * after logical link is ready
4994 */
4995 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4996 } else {
4997 /* Both logical link and move success
4998 * are required to confirm
4999 */
5000 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5001 }
5002
5003 /* Placeholder - get hci_chan for logical link */
5004 if (!hchan) {
5005 /* Logical link not available */
5006 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5007 break;
5008 }
5009
5010 /* If the logical link is not yet connected, do not
5011 * send confirmation.
5012 */
5013 if (hchan->state != BT_CONNECTED)
5014 break;
5015
5016 /* Logical link is already ready to go */
5017
5018 chan->hs_hcon = hchan->conn;
5019 chan->hs_hcon->l2cap_data = chan->conn;
5020
5021 if (result == L2CAP_MR_SUCCESS) {
5022 /* Can confirm now */
5023 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5024 } else {
5025 /* Now only need move success
5026 * to confirm
5027 */
5028 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5029 }
5030
5031 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5032 break;
5033 default:
5034 /* Any other amp move state means the move failed. */
5035 chan->move_id = chan->local_amp_id;
5036 l2cap_move_done(chan);
5037 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5038 }
5039
5040 l2cap_chan_unlock(chan);
5041}
5042
5043static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5044 u16 result)
5045{
5046 struct l2cap_chan *chan;
5047
5048 chan = l2cap_get_chan_by_ident(conn, ident);
5049 if (!chan) {
5050 /* Could not locate channel, icid is best guess */
5051 l2cap_send_move_chan_cfm_icid(conn, icid);
5052 return;
5053 }
5054
5055 __clear_chan_timer(chan);
5056
5057 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5058 if (result == L2CAP_MR_COLLISION) {
5059 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5060 } else {
5061 /* Cleanup - cancel move */
5062 chan->move_id = chan->local_amp_id;
5063 l2cap_move_done(chan);
5064 }
5065 }
5066
5067 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5068
5069 l2cap_chan_unlock(chan);
5070}
5071
5072static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5073 struct l2cap_cmd_hdr *cmd,
5074 u16 cmd_len, void *data)
8d5a04a1
MM		 5075{
5076 struct l2cap_move_chan_rsp *rsp = data;
5077 u16 icid, result;
5078
5079 if (cmd_len != sizeof(*rsp))
5080 return -EPROTO;
5081
5082 icid = le16_to_cpu(rsp->icid);
5083 result = le16_to_cpu(rsp->result);
5084
ad0ac6ca 5085 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5086
5b155ef9
MM		 5087 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5088 l2cap_move_continue(conn, icid, result);
5089 else
5090 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5091
5092 return 0;
5093}
5094
5f3847a4
MM		 5095static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5096 struct l2cap_cmd_hdr *cmd,
5097 u16 cmd_len, void *data)
8d5a04a1
MM		 5098{
5099 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5100 struct l2cap_chan *chan;
8d5a04a1
MM		 5101 u16 icid, result;
5102
5103 if (cmd_len != sizeof(*cfm))
5104 return -EPROTO;
5105
5106 icid = le16_to_cpu(cfm->icid);
5107 result = le16_to_cpu(cfm->result);
5108
ad0ac6ca 5109 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5110
5f3847a4
MM		 5111 chan = l2cap_get_chan_by_dcid(conn, icid);
5112 if (!chan) {
5113 /* Spec requires a response even if the icid was not found */
5114 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5115 return 0;
5116 }
5117
5118 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5119 if (result == L2CAP_MC_CONFIRMED) {
5120 chan->local_amp_id = chan->move_id;
6ed971ca 5121 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5122 __release_logical_link(chan);
5123 } else {
5124 chan->move_id = chan->local_amp_id;
5125 }
5126
5127 l2cap_move_done(chan);
5128 }
5129
8d5a04a1
MM		 5130 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5131
5f3847a4
MM		 5132 l2cap_chan_unlock(chan);
5133
8d5a04a1
MM		 5134 return 0;
5135}
5136
5137static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5138 struct l2cap_cmd_hdr *cmd,
5139 u16 cmd_len, void *data)
8d5a04a1
MM		 5140{
5141 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5142 struct l2cap_chan *chan;
8d5a04a1
MM		 5143 u16 icid;
5144
5145 if (cmd_len != sizeof(*rsp))
5146 return -EPROTO;
5147
5148 icid = le16_to_cpu(rsp->icid);
5149
ad0ac6ca 5150 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5151
3fd71a0a
MM		 5152 chan = l2cap_get_chan_by_scid(conn, icid);
5153 if (!chan)
5154 return 0;
5155
5156 __clear_chan_timer(chan);
5157
5158 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5159 chan->local_amp_id = chan->move_id;
5160
6ed971ca 5161 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5162 __release_logical_link(chan);
5163
5164 l2cap_move_done(chan);
5165 }
5166
5167 l2cap_chan_unlock(chan);
5168
8d5a04a1
MM		 5169 return 0;
5170}
5171
de73115a 5172static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5173 struct l2cap_cmd_hdr *cmd,
203e639e 5174 u16 cmd_len, u8 *data)
de73115a
CT		 5175{
5176 struct hci_conn *hcon = conn->hcon;
5177 struct l2cap_conn_param_update_req *req;
5178 struct l2cap_conn_param_update_rsp rsp;
203e639e 5179 u16 min, max, latency, to_multiplier;
2ce603eb 5180 int err;
de73115a 5181
40bef302 5182 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5183 return -EINVAL;
5184
de73115a
CT		 5185 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5186 return -EPROTO;
5187
5188 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5189 min = __le16_to_cpu(req->min);
5190 max = __le16_to_cpu(req->max);
de73115a
CT		 5191 latency = __le16_to_cpu(req->latency);
5192 to_multiplier = __le16_to_cpu(req->to_multiplier);
5193
5194 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5195 min, max, latency, to_multiplier);
de73115a
CT		 5196
5197 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5198
d4905f24 5199 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5200 if (err)
dcf4adbf 5201 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5202 else
dcf4adbf 5203 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5204
5205 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5206 sizeof(rsp), &rsp);
de73115a 5207
ffb5a827 5208 if (!err) {
f4869e2a
JH		 5209 u8 store_hint;
5210
5211 store_hint = hci_le_conn_update(hcon, min, max, latency,
5212 to_multiplier);
ffb5a827 5213 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5214 store_hint, min, max, latency,
5215 to_multiplier);
ffb5a827 5216
ffb5a827 5217 }
2ce603eb 5218
de73115a
CT		 5219 return 0;
5220}
5221
f1496dee
JH		 5222static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5223 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5224 u8 *data)
5225{
5226 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
3e64b7bd 5227 struct hci_conn *hcon = conn->hcon;
f1496dee
JH		 5228 u16 dcid, mtu, mps, credits, result;
5229 struct l2cap_chan *chan;
3e64b7bd 5230 int err, sec_level;
f1496dee
JH		 5231
5232 if (cmd_len < sizeof(*rsp))
5233 return -EPROTO;
5234
5235 dcid = __le16_to_cpu(rsp->dcid);
5236 mtu = __le16_to_cpu(rsp->mtu);
5237 mps = __le16_to_cpu(rsp->mps);
5238 credits = __le16_to_cpu(rsp->credits);
5239 result = __le16_to_cpu(rsp->result);
5240
5241 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5242 return -EPROTO;
5243
5244 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5245 dcid, mtu, mps, credits, result);
5246
5247 mutex_lock(&conn->chan_lock);
5248
5249 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5250 if (!chan) {
5251 err = -EBADSLT;
5252 goto unlock;
5253 }
5254
5255 err = 0;
5256
5257 l2cap_chan_lock(chan);
5258
5259 switch (result) {
5260 case L2CAP_CR_SUCCESS:
5261 chan->ident = 0;
5262 chan->dcid = dcid;
5263 chan->omtu = mtu;
5264 chan->remote_mps = mps;
0cd75f7e 5265 chan->tx_credits = credits;
f1496dee
JH		 5266 l2cap_chan_ready(chan);
5267 break;
5268
3e64b7bd
JH		 5269 case L2CAP_CR_AUTHENTICATION:
5270 case L2CAP_CR_ENCRYPTION:
5271 /* If we already have MITM protection we can't do
5272 * anything.
5273 */
5274 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5275 l2cap_chan_del(chan, ECONNREFUSED);
5276 break;
5277 }
5278
5279 sec_level = hcon->sec_level + 1;
5280 if (chan->sec_level < sec_level)
5281 chan->sec_level = sec_level;
5282
5283 /* We'll need to send a new Connect Request */
5284 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5285
5286 smp_conn_security(hcon, chan->sec_level);
5287 break;
5288
f1496dee
JH		 5289 default:
5290 l2cap_chan_del(chan, ECONNREFUSED);
5291 break;
5292 }
5293
5294 l2cap_chan_unlock(chan);
5295
5296unlock:
5297 mutex_unlock(&conn->chan_lock);
5298
5299 return err;
5300}
5301
3300d9a9 5302static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5303 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5304 u8 *data)
3300d9a9
CT		 5305{
5306 int err = 0;
5307
5308 switch (cmd->code) {
5309 case L2CAP_COMMAND_REJ:
cb3b3152 5310 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5311 break;
5312
5313 case L2CAP_CONN_REQ:
cb3b3152 5314 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5315 break;
5316
5317 case L2CAP_CONN_RSP:
f5a2598d 5318 case L2CAP_CREATE_CHAN_RSP:
9245e737 5319 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5320 break;
5321
5322 case L2CAP_CONF_REQ:
5323 err = l2cap_config_req(conn, cmd, cmd_len, data);
5324 break;
5325
5326 case L2CAP_CONF_RSP:
9245e737 5327 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5328 break;
5329
5330 case L2CAP_DISCONN_REQ:
cb3b3152 5331 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5332 break;
5333
5334 case L2CAP_DISCONN_RSP:
9245e737 5335 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5336 break;
5337
5338 case L2CAP_ECHO_REQ:
5339 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5340 break;
5341
5342 case L2CAP_ECHO_RSP:
5343 break;
5344
5345 case L2CAP_INFO_REQ:
cb3b3152 5346 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5347 break;
5348
5349 case L2CAP_INFO_RSP:
9245e737 5350 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5351 break;
5352
f94ff6ff
MM		 5353 case L2CAP_CREATE_CHAN_REQ:
5354 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5355 break;
5356
8d5a04a1
MM		 5357 case L2CAP_MOVE_CHAN_REQ:
5358 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5359 break;
5360
5361 case L2CAP_MOVE_CHAN_RSP:
9245e737 5362 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5363 break;
5364
5365 case L2CAP_MOVE_CHAN_CFM:
5366 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5367 break;
5368
5369 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5370 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5371 break;
5372
3300d9a9
CT		 5373 default:
5374 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5375 err = -EINVAL;
5376 break;
5377 }
5378
5379 return err;
5380}
5381
27e2d4c8
JH		 5382static int l2cap_le_connect_req(struct l2cap_conn *conn,
5383 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5384 u8 *data)
5385{
5386 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5387 struct l2cap_le_conn_rsp rsp;
5388 struct l2cap_chan *chan, *pchan;
0cd75f7e 5389 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5390 __le16 psm;
5391 u8 result;
5392
5393 if (cmd_len != sizeof(*req))
5394 return -EPROTO;
5395
5396 scid = __le16_to_cpu(req->scid);
5397 mtu = __le16_to_cpu(req->mtu);
5398 mps = __le16_to_cpu(req->mps);
5399 psm = req->psm;
5400 dcid = 0;
0cd75f7e 5401 credits = 0;
27e2d4c8
JH		 5402
5403 if (mtu < 23 || mps < 23)
5404 return -EPROTO;
5405
5406 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5407 scid, mtu, mps);
5408
5409 /* Check if we have socket listening on psm */
5410 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5411 &conn->hcon->dst, LE_LINK);
5412 if (!pchan) {
5413 result = L2CAP_CR_BAD_PSM;
5414 chan = NULL;
5415 goto response;
5416 }
5417
5418 mutex_lock(&conn->chan_lock);
5419 l2cap_chan_lock(pchan);
5420
35dc6f83
JH		 5421 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5422 SMP_ALLOW_STK)) {
27e2d4c8
JH		 5423 result = L2CAP_CR_AUTHENTICATION;
5424 chan = NULL;
5425 goto response_unlock;
5426 }
5427
5428 /* Check if we already have channel with that dcid */
5429 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5430 result = L2CAP_CR_NO_MEM;
5431 chan = NULL;
5432 goto response_unlock;
5433 }
5434
5435 chan = pchan->ops->new_connection(pchan);
5436 if (!chan) {
5437 result = L2CAP_CR_NO_MEM;
5438 goto response_unlock;
5439 }
5440
0ce43ce6
JH		 5441 l2cap_le_flowctl_init(chan);
5442
27e2d4c8
JH		 5443 bacpy(&chan->src, &conn->hcon->src);
5444 bacpy(&chan->dst, &conn->hcon->dst);
5445 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5446 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5447 chan->psm = psm;
5448 chan->dcid = scid;
5449 chan->omtu = mtu;
5450 chan->remote_mps = mps;
0cd75f7e 5451 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5452
5453 __l2cap_chan_add(conn, chan);
5454 dcid = chan->scid;
0cd75f7e 5455 credits = chan->rx_credits;
27e2d4c8
JH		 5456
5457 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5458
5459 chan->ident = cmd->ident;
5460
5461 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5462 l2cap_state_change(chan, BT_CONNECT2);
434714dc
JH		 5463 /* The following result value is actually not defined
5464 * for LE CoC but we use it to let the function know
5465 * that it should bail out after doing its cleanup
5466 * instead of sending a response.
5467 */
27e2d4c8
JH		 5468 result = L2CAP_CR_PEND;
5469 chan->ops->defer(chan);
5470 } else {
5471 l2cap_chan_ready(chan);
5472 result = L2CAP_CR_SUCCESS;
5473 }
5474
5475response_unlock:
5476 l2cap_chan_unlock(pchan);
5477 mutex_unlock(&conn->chan_lock);
a24cce14 5478 l2cap_chan_put(pchan);
27e2d4c8
JH		 5479
5480 if (result == L2CAP_CR_PEND)
5481 return 0;
5482
5483response:
5484 if (chan) {
5485 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5486 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5487 } else {
5488 rsp.mtu = 0;
5489 rsp.mps = 0;
5490 }
5491
5492 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5493 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5494 rsp.result = cpu_to_le16(result);
5495
5496 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5497
5498 return 0;
5499}
5500
fad5fc89
JH		 5501static inline int l2cap_le_credits(struct l2cap_conn *conn,
5502 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5503 u8 *data)
5504{
5505 struct l2cap_le_credits *pkt;
5506 struct l2cap_chan *chan;
0f1bfe4e 5507 u16 cid, credits, max_credits;
fad5fc89
JH		 5508
5509 if (cmd_len != sizeof(*pkt))
5510 return -EPROTO;
5511
5512 pkt = (struct l2cap_le_credits *) data;
5513 cid = __le16_to_cpu(pkt->cid);
5514 credits = __le16_to_cpu(pkt->credits);
5515
5516 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5517
5518 chan = l2cap_get_chan_by_dcid(conn, cid);
5519 if (!chan)
5520 return -EBADSLT;
5521
0f1bfe4e
JH		 5522 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5523 if (credits > max_credits) {
5524 BT_ERR("LE credits overflow");
5525 l2cap_send_disconn_req(chan, ECONNRESET);
ee93053d 5526 l2cap_chan_unlock(chan);
0f1bfe4e
JH		 5527
5528 /* Return 0 so that we don't trigger an unnecessary
5529 * command reject packet.
5530 */
5531 return 0;
5532 }
5533
fad5fc89
JH		 5534 chan->tx_credits += credits;
5535
5536 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5537 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5538 chan->tx_credits--;
5539 }
5540
5541 if (chan->tx_credits)
5542 chan->ops->resume(chan);
5543
5544 l2cap_chan_unlock(chan);
5545
5546 return 0;
5547}
5548
71fb4197
JH		 5549static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5550 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5551 u8 *data)
5552{
5553 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5554 struct l2cap_chan *chan;
5555
5556 if (cmd_len < sizeof(*rej))
5557 return -EPROTO;
5558
5559 mutex_lock(&conn->chan_lock);
5560
5561 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5562 if (!chan)
5563 goto done;
5564
5565 l2cap_chan_lock(chan);
5566 l2cap_chan_del(chan, ECONNREFUSED);
5567 l2cap_chan_unlock(chan);
5568
5569done:
5570 mutex_unlock(&conn->chan_lock);
5571 return 0;
5572}
5573
3300d9a9 5574static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5575 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5576 u8 *data)
3300d9a9 5577{
b5ecba64
JH		 5578 int err = 0;
5579
3300d9a9
CT		 5580 switch (cmd->code) {
5581 case L2CAP_COMMAND_REJ:
71fb4197 5582 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5583 break;
3300d9a9
CT		 5584
5585 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5586 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5587 break;
3300d9a9
CT		 5588
5589 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5590 break;
3300d9a9 5591
f1496dee
JH		 5592 case L2CAP_LE_CONN_RSP:
5593 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5594 break;
f1496dee 5595
27e2d4c8 5596 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5597 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5598 break;
27e2d4c8 5599
fad5fc89
JH		 5600 case L2CAP_LE_CREDITS:
5601 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5602 break;
5603
3defe01a 5604 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5605 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5606 break;
3defe01a
JH		 5607
5608 case L2CAP_DISCONN_RSP:
5609 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5610 break;
3defe01a 5611
3300d9a9
CT		 5612 default:
5613 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5614 err = -EINVAL;
5615 break;
3300d9a9 5616 }
b5ecba64
JH		 5617
5618 return err;
3300d9a9
CT		 5619}
5620
c5623556
JH		 5621static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5622 struct sk_buff *skb)
5623{
69c4e4e8 5624 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5625 struct l2cap_cmd_hdr *cmd;
5626 u16 len;
c5623556
JH		 5627 int err;
5628
69c4e4e8 5629 if (hcon->type != LE_LINK)
3b166295 5630 goto drop;
69c4e4e8 5631
4f3e219d
MH		 5632 if (skb->len < L2CAP_CMD_HDR_SIZE)
5633 goto drop;
c5623556 5634
4f3e219d
MH		 5635 cmd = (void *) skb->data;
5636 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5637
4f3e219d 5638 len = le16_to_cpu(cmd->len);
c5623556 5639
4f3e219d 5640 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5641
4f3e219d
MH		 5642 if (len != skb->len || !cmd->ident) {
5643 BT_DBG("corrupted command");
5644 goto drop;
5645 }
c5623556 5646
203e639e 5647 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5648 if (err) {
5649 struct l2cap_cmd_rej_unk rej;
c5623556 5650
4f3e219d 5651 BT_ERR("Wrong link type (%d)", err);
c5623556 5652
dcf4adbf 5653 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5654 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5655 sizeof(rej), &rej);
c5623556
JH		 5656 }
5657
3b166295 5658drop:
c5623556
JH		 5659 kfree_skb(skb);
5660}
5661
3300d9a9 5662static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5663 struct sk_buff *skb)
1da177e4 5664{
69c4e4e8 5665 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5666 u8 *data = skb->data;
5667 int len = skb->len;
5668 struct l2cap_cmd_hdr cmd;
3300d9a9 5669 int err;
1da177e4
LT		 5670
5671 l2cap_raw_recv(conn, skb);
5672
69c4e4e8 5673 if (hcon->type != ACL_LINK)
3b166295 5674 goto drop;
69c4e4e8 5675
1da177e4 5676 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5677 u16 cmd_len;
1da177e4
LT		 5678 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5679 data += L2CAP_CMD_HDR_SIZE;
5680 len -= L2CAP_CMD_HDR_SIZE;
5681
88219a0f 5682 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5683
2d792818
GP		 5684 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5685 cmd.ident);
1da177e4 5686
88219a0f 5687 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5688 BT_DBG("corrupted command");
5689 break;
5690 }
5691
c5623556 5692 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5693 if (err) {
e2fd318e 5694 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5695
5696 BT_ERR("Wrong link type (%d)", err);
1da177e4 5697
dcf4adbf 5698 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5699 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5700 sizeof(rej), &rej);
1da177e4
LT		 5701 }
5702
88219a0f
AV		 5703 data += cmd_len;
5704 len -= cmd_len;
1da177e4
LT		 5705 }
5706
3b166295 5707drop:
1da177e4
LT		 5708 kfree_skb(skb);
5709}
5710
47d1ec61 5711static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5712{
5713 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5714 int hdr_size;
5715
5716 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5717 hdr_size = L2CAP_EXT_HDR_SIZE;
5718 else
5719 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5720
47d1ec61 5721 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5722 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5723 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5724 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5725
5726 if (our_fcs != rcv_fcs)
7a560e5c 5727 return -EBADMSG;
fcc203c3
GP		 5728 }
5729 return 0;
5730}
5731
6ea00485 5732static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5733{
e31f7633 5734 struct l2cap_ctrl control;
d5392c8f 5735
e31f7633 5736 BT_DBG("chan %p", chan);
d5392c8f 5737
e31f7633
MM		 5738 memset(&control, 0, sizeof(control));
5739 control.sframe = 1;
5740 control.final = 1;
5741 control.reqseq = chan->buffer_seq;
5742 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5743
e2ab4353 5744 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5745 control.super = L2CAP_SUPER_RNR;
5746 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5747 }
5748
e31f7633
MM		 5749 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5750 chan->unacked_frames > 0)
5751 __set_retrans_timer(chan);
d5392c8f 5752
e31f7633 5753 /* Send pending iframes */
525cd185 5754 l2cap_ertm_send(chan);
d5392c8f 5755
e2ab4353 5756 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5757 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5758 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5759 * send it now.
5760 */
5761 control.super = L2CAP_SUPER_RR;
5762 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5763 }
5764}
5765
2d792818
GP		 5766static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5767 struct sk_buff **last_frag)
18778a63 5768{
84084a31
MM		 5769 /* skb->len reflects data in skb as well as all fragments
5770 * skb->data_len reflects only data in fragments
5771 */
5772 if (!skb_has_frag_list(skb))
5773 skb_shinfo(skb)->frag_list = new_frag;
5774
5775 new_frag->next = NULL;
5776
5777 (*last_frag)->next = new_frag;
5778 *last_frag = new_frag;
5779
5780 skb->len += new_frag->len;
5781 skb->data_len += new_frag->len;
5782 skb->truesize += new_frag->truesize;
5783}
5784
4b51dae9
MM		 5785static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5786 struct l2cap_ctrl *control)
84084a31
MM		 5787{
5788 int err = -EINVAL;
18778a63 5789
4b51dae9 5790 switch (control->sar) {
7e0ef6ee 5791 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5792 if (chan->sdu)
5793 break;
18778a63 5794
80b98027 5795 err = chan->ops->recv(chan, skb);
84084a31 5796 break;
18778a63 5797
7e0ef6ee 5798 case L2CAP_SAR_START:
84084a31
MM		 5799 if (chan->sdu)
5800 break;
18778a63 5801
6f61fd47 5802 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5803 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5804
84084a31
MM		 5805 if (chan->sdu_len > chan->imtu) {
5806 err = -EMSGSIZE;
5807 break;
5808 }
1890d36b 5809
84084a31
MM		 5810 if (skb->len >= chan->sdu_len)
5811 break;
18778a63 5812
84084a31
MM		 5813 chan->sdu = skb;
5814 chan->sdu_last_frag = skb;
18778a63 5815
84084a31
MM		 5816 skb = NULL;
5817 err = 0;
18778a63
GP		 5818 break;
5819
7e0ef6ee 5820 case L2CAP_SAR_CONTINUE:
6f61fd47 5821 if (!chan->sdu)
84084a31 5822 break;
18778a63 5823
84084a31
MM		 5824 append_skb_frag(chan->sdu, skb,
5825 &chan->sdu_last_frag);
5826 skb = NULL;
18778a63 5827
84084a31
MM		 5828 if (chan->sdu->len >= chan->sdu_len)
5829 break;
4178ba46 5830
84084a31 5831 err = 0;
18778a63
GP		 5832 break;
5833
7e0ef6ee 5834 case L2CAP_SAR_END:
6f61fd47 5835 if (!chan->sdu)
84084a31 5836 break;
18778a63 5837
84084a31
MM		 5838 append_skb_frag(chan->sdu, skb,
5839 &chan->sdu_last_frag);
5840 skb = NULL;
4178ba46 5841
84084a31
MM		 5842 if (chan->sdu->len != chan->sdu_len)
5843 break;
18778a63 5844
80b98027 5845 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5846
84084a31
MM		 5847 if (!err) {
5848 /* Reassembly complete */
5849 chan->sdu = NULL;
5850 chan->sdu_last_frag = NULL;
5851 chan->sdu_len = 0;
1890d36b 5852 }
18778a63
GP		 5853 break;
5854 }
5855
84084a31
MM		 5856 if (err) {
5857 kfree_skb(skb);
5858 kfree_skb(chan->sdu);
5859 chan->sdu = NULL;
5860 chan->sdu_last_frag = NULL;
5861 chan->sdu_len = 0;
5862 }
18778a63 5863
84084a31 5864 return err;
18778a63
GP		 5865}
5866
32b32735
MM		 5867static int l2cap_resegment(struct l2cap_chan *chan)
5868{
5869 /* Placeholder */
5870 return 0;
5871}
5872
61aa4f5b 5873void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5874{
61aa4f5b 5875 u8 event;
712132eb 5876
61aa4f5b
MM		 5877 if (chan->mode != L2CAP_MODE_ERTM)
5878 return;
712132eb 5879
61aa4f5b 5880 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5881 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5882}
5883
d2a7ac5d
MM		 5884static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5885{
63838725
MM		 5886 int err = 0;
5887 /* Pass sequential frames to l2cap_reassemble_sdu()
5888 * until a gap is encountered.
5889 */
5890
5891 BT_DBG("chan %p", chan);
5892
5893 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5894 struct sk_buff *skb;
5895 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5896 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5897
5898 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5899
5900 if (!skb)
5901 break;
5902
5903 skb_unlink(skb, &chan->srej_q);
5904 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5905 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5906 if (err)
5907 break;
5908 }
5909
5910 if (skb_queue_empty(&chan->srej_q)) {
5911 chan->rx_state = L2CAP_RX_STATE_RECV;
5912 l2cap_send_ack(chan);
5913 }
5914
5915 return err;
d2a7ac5d
MM		 5916}
5917
5918static void l2cap_handle_srej(struct l2cap_chan *chan,
5919 struct l2cap_ctrl *control)
5920{
f80842a8
MM		 5921 struct sk_buff *skb;
5922
5923 BT_DBG("chan %p, control %p", chan, control);
5924
5925 if (control->reqseq == chan->next_tx_seq) {
5926 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5927 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5928 return;
5929 }
5930
5931 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5932
5933 if (skb == NULL) {
5934 BT_DBG("Seq %d not available for retransmission",
5935 control->reqseq);
5936 return;
5937 }
5938
5939 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5940 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5941 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5942 return;
5943 }
5944
5945 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5946
5947 if (control->poll) {
5948 l2cap_pass_to_tx(chan, control);
5949
5950 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5951 l2cap_retransmit(chan, control);
5952 l2cap_ertm_send(chan);
5953
5954 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5955 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5956 chan->srej_save_reqseq = control->reqseq;
5957 }
5958 } else {
5959 l2cap_pass_to_tx_fbit(chan, control);
5960
5961 if (control->final) {
5962 if (chan->srej_save_reqseq != control->reqseq ||
5963 !test_and_clear_bit(CONN_SREJ_ACT,
5964 &chan->conn_state))
5965 l2cap_retransmit(chan, control);
5966 } else {
5967 l2cap_retransmit(chan, control);
5968 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5969 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5970 chan->srej_save_reqseq = control->reqseq;
5971 }
5972 }
5973 }
d2a7ac5d
MM		 5974}
5975
5976static void l2cap_handle_rej(struct l2cap_chan *chan,
5977 struct l2cap_ctrl *control)
5978{
fcd289df
MM		 5979 struct sk_buff *skb;
5980
5981 BT_DBG("chan %p, control %p", chan, control);
5982
5983 if (control->reqseq == chan->next_tx_seq) {
5984 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5985 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5986 return;
5987 }
5988
5989 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5990
5991 if (chan->max_tx && skb &&
5992 bt_cb(skb)->control.retries >= chan->max_tx) {
5993 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5994 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5995 return;
5996 }
5997
5998 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5999
6000 l2cap_pass_to_tx(chan, control);
6001
6002 if (control->final) {
6003 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6004 l2cap_retransmit_all(chan, control);
6005 } else {
6006 l2cap_retransmit_all(chan, control);
6007 l2cap_ertm_send(chan);
6008 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6009 set_bit(CONN_REJ_ACT, &chan->conn_state);
6010 }
d2a7ac5d
MM		 6011}
6012
4b51dae9
MM		 6013static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6014{
6015 BT_DBG("chan %p, txseq %d", chan, txseq);
6016
6017 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6018 chan->expected_tx_seq);
6019
6020 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6021 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6022 chan->tx_win) {
4b51dae9
MM		 6023 /* See notes below regarding "double poll" and
6024 * invalid packets.
6025 */
6026 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6027 BT_DBG("Invalid/Ignore - after SREJ");
6028 return L2CAP_TXSEQ_INVALID_IGNORE;
6029 } else {
6030 BT_DBG("Invalid - in window after SREJ sent");
6031 return L2CAP_TXSEQ_INVALID;
6032 }
6033 }
6034
6035 if (chan->srej_list.head == txseq) {
6036 BT_DBG("Expected SREJ");
6037 return L2CAP_TXSEQ_EXPECTED_SREJ;
6038 }
6039
6040 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6041 BT_DBG("Duplicate SREJ - txseq already stored");
6042 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6043 }
6044
6045 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6046 BT_DBG("Unexpected SREJ - not requested");
6047 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6048 }
6049 }
6050
6051 if (chan->expected_tx_seq == txseq) {
6052 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6053 chan->tx_win) {
6054 BT_DBG("Invalid - txseq outside tx window");
6055 return L2CAP_TXSEQ_INVALID;
6056 } else {
6057 BT_DBG("Expected");
6058 return L2CAP_TXSEQ_EXPECTED;
6059 }
6060 }
6061
6062 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6063 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6064 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6065 return L2CAP_TXSEQ_DUPLICATE;
6066 }
6067
6068 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6069 /* A source of invalid packets is a "double poll" condition,
6070 * where delays cause us to send multiple poll packets. If
6071 * the remote stack receives and processes both polls,
6072 * sequence numbers can wrap around in such a way that a
6073 * resent frame has a sequence number that looks like new data
6074 * with a sequence gap. This would trigger an erroneous SREJ
6075 * request.
6076 *
6077 * Fortunately, this is impossible with a tx window that's
6078 * less than half of the maximum sequence number, which allows
6079 * invalid frames to be safely ignored.
6080 *
6081 * With tx window sizes greater than half of the tx window
6082 * maximum, the frame is invalid and cannot be ignored. This
6083 * causes a disconnect.
6084 */
6085
6086 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6087 BT_DBG("Invalid/Ignore - txseq outside tx window");
6088 return L2CAP_TXSEQ_INVALID_IGNORE;
6089 } else {
6090 BT_DBG("Invalid - txseq outside tx window");
6091 return L2CAP_TXSEQ_INVALID;
6092 }
6093 } else {
6094 BT_DBG("Unexpected - txseq indicates missing frames");
6095 return L2CAP_TXSEQ_UNEXPECTED;
6096 }
6097}
6098
d2a7ac5d
MM		 6099static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6100 struct l2cap_ctrl *control,
6101 struct sk_buff *skb, u8 event)
6102{
6103 int err = 0;
941247f9 6104 bool skb_in_use = false;
d2a7ac5d
MM		 6105
6106 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6107 event);
6108
6109 switch (event) {
6110 case L2CAP_EV_RECV_IFRAME:
6111 switch (l2cap_classify_txseq(chan, control->txseq)) {
6112 case L2CAP_TXSEQ_EXPECTED:
6113 l2cap_pass_to_tx(chan, control);
6114
6115 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6116 BT_DBG("Busy, discarding expected seq %d",
6117 control->txseq);
6118 break;
6119 }
6120
6121 chan->expected_tx_seq = __next_seq(chan,
6122 control->txseq);
6123
6124 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6125 skb_in_use = true;
d2a7ac5d
MM		 6126
6127 err = l2cap_reassemble_sdu(chan, skb, control);
6128 if (err)
6129 break;
6130
6131 if (control->final) {
6132 if (!test_and_clear_bit(CONN_REJ_ACT,
6133 &chan->conn_state)) {
6134 control->final = 0;
6135 l2cap_retransmit_all(chan, control);
6136 l2cap_ertm_send(chan);
6137 }
6138 }
6139
6140 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6141 l2cap_send_ack(chan);
6142 break;
6143 case L2CAP_TXSEQ_UNEXPECTED:
6144 l2cap_pass_to_tx(chan, control);
6145
6146 /* Can't issue SREJ frames in the local busy state.
6147 * Drop this frame, it will be seen as missing
6148 * when local busy is exited.
6149 */
6150 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6151 BT_DBG("Busy, discarding unexpected seq %d",
6152 control->txseq);
6153 break;
6154 }
6155
6156 /* There was a gap in the sequence, so an SREJ
6157 * must be sent for each missing frame. The
6158 * current frame is stored for later use.
6159 */
6160 skb_queue_tail(&chan->srej_q, skb);
941247f9 6161 skb_in_use = true;
d2a7ac5d
MM		 6162 BT_DBG("Queued %p (queue len %d)", skb,
6163 skb_queue_len(&chan->srej_q));
6164
6165 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6166 l2cap_seq_list_clear(&chan->srej_list);
6167 l2cap_send_srej(chan, control->txseq);
6168
6169 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6170 break;
6171 case L2CAP_TXSEQ_DUPLICATE:
6172 l2cap_pass_to_tx(chan, control);
6173 break;
6174 case L2CAP_TXSEQ_INVALID_IGNORE:
6175 break;
6176 case L2CAP_TXSEQ_INVALID:
6177 default:
5e4e3972 6178 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6179 break;
6180 }
6181 break;
6182 case L2CAP_EV_RECV_RR:
6183 l2cap_pass_to_tx(chan, control);
6184 if (control->final) {
6185 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6186
e6a3ee6e
MM		 6187 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6188 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6189 control->final = 0;
6190 l2cap_retransmit_all(chan, control);
6191 }
6192
6193 l2cap_ertm_send(chan);
6194 } else if (control->poll) {
6195 l2cap_send_i_or_rr_or_rnr(chan);
6196 } else {
6197 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6198 &chan->conn_state) &&
6199 chan->unacked_frames)
6200 __set_retrans_timer(chan);
6201
6202 l2cap_ertm_send(chan);
6203 }
6204 break;
6205 case L2CAP_EV_RECV_RNR:
6206 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6207 l2cap_pass_to_tx(chan, control);
6208 if (control && control->poll) {
6209 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6210 l2cap_send_rr_or_rnr(chan, 0);
6211 }
6212 __clear_retrans_timer(chan);
6213 l2cap_seq_list_clear(&chan->retrans_list);
6214 break;
6215 case L2CAP_EV_RECV_REJ:
6216 l2cap_handle_rej(chan, control);
6217 break;
6218 case L2CAP_EV_RECV_SREJ:
6219 l2cap_handle_srej(chan, control);
6220 break;
6221 default:
6222 break;
6223 }
6224
6225 if (skb && !skb_in_use) {
6226 BT_DBG("Freeing %p", skb);
6227 kfree_skb(skb);
6228 }
6229
6230 return err;
6231}
6232
6233static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6234 struct l2cap_ctrl *control,
6235 struct sk_buff *skb, u8 event)
6236{
6237 int err = 0;
6238 u16 txseq = control->txseq;
941247f9 6239 bool skb_in_use = false;
d2a7ac5d
MM		 6240
6241 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6242 event);
6243
6244 switch (event) {
6245 case L2CAP_EV_RECV_IFRAME:
6246 switch (l2cap_classify_txseq(chan, txseq)) {
6247 case L2CAP_TXSEQ_EXPECTED:
6248 /* Keep frame for reassembly later */
6249 l2cap_pass_to_tx(chan, control);
6250 skb_queue_tail(&chan->srej_q, skb);
941247f9 6251 skb_in_use = true;
d2a7ac5d
MM		 6252 BT_DBG("Queued %p (queue len %d)", skb,
6253 skb_queue_len(&chan->srej_q));
6254
6255 chan->expected_tx_seq = __next_seq(chan, txseq);
6256 break;
6257 case L2CAP_TXSEQ_EXPECTED_SREJ:
6258 l2cap_seq_list_pop(&chan->srej_list);
6259
6260 l2cap_pass_to_tx(chan, control);
6261 skb_queue_tail(&chan->srej_q, skb);
941247f9 6262 skb_in_use = true;
d2a7ac5d
MM		 6263 BT_DBG("Queued %p (queue len %d)", skb,
6264 skb_queue_len(&chan->srej_q));
6265
6266 err = l2cap_rx_queued_iframes(chan);
6267 if (err)
6268 break;
6269
6270 break;
6271 case L2CAP_TXSEQ_UNEXPECTED:
6272 /* Got a frame that can't be reassembled yet.
6273 * Save it for later, and send SREJs to cover
6274 * the missing frames.
6275 */
6276 skb_queue_tail(&chan->srej_q, skb);
941247f9 6277 skb_in_use = true;
d2a7ac5d
MM		 6278 BT_DBG("Queued %p (queue len %d)", skb,
6279 skb_queue_len(&chan->srej_q));
6280
6281 l2cap_pass_to_tx(chan, control);
6282 l2cap_send_srej(chan, control->txseq);
6283 break;
6284 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6285 /* This frame was requested with an SREJ, but
6286 * some expected retransmitted frames are
6287 * missing. Request retransmission of missing
6288 * SREJ'd frames.
6289 */
6290 skb_queue_tail(&chan->srej_q, skb);
941247f9 6291 skb_in_use = true;
d2a7ac5d
MM		 6292 BT_DBG("Queued %p (queue len %d)", skb,
6293 skb_queue_len(&chan->srej_q));
6294
6295 l2cap_pass_to_tx(chan, control);
6296 l2cap_send_srej_list(chan, control->txseq);
6297 break;
6298 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6299 /* We've already queued this frame. Drop this copy. */
6300 l2cap_pass_to_tx(chan, control);
6301 break;
6302 case L2CAP_TXSEQ_DUPLICATE:
6303 /* Expecting a later sequence number, so this frame
6304 * was already received. Ignore it completely.
6305 */
6306 break;
6307 case L2CAP_TXSEQ_INVALID_IGNORE:
6308 break;
6309 case L2CAP_TXSEQ_INVALID:
6310 default:
5e4e3972 6311 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6312 break;
6313 }
6314 break;
6315 case L2CAP_EV_RECV_RR:
6316 l2cap_pass_to_tx(chan, control);
6317 if (control->final) {
6318 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6319
6320 if (!test_and_clear_bit(CONN_REJ_ACT,
6321 &chan->conn_state)) {
6322 control->final = 0;
6323 l2cap_retransmit_all(chan, control);
6324 }
6325
6326 l2cap_ertm_send(chan);
6327 } else if (control->poll) {
6328 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6329 &chan->conn_state) &&
6330 chan->unacked_frames) {
6331 __set_retrans_timer(chan);
6332 }
6333
6334 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6335 l2cap_send_srej_tail(chan);
6336 } else {
6337 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6338 &chan->conn_state) &&
6339 chan->unacked_frames)
6340 __set_retrans_timer(chan);
6341
6342 l2cap_send_ack(chan);
6343 }
6344 break;
6345 case L2CAP_EV_RECV_RNR:
6346 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6347 l2cap_pass_to_tx(chan, control);
6348 if (control->poll) {
6349 l2cap_send_srej_tail(chan);
6350 } else {
6351 struct l2cap_ctrl rr_control;
6352 memset(&rr_control, 0, sizeof(rr_control));
6353 rr_control.sframe = 1;
6354 rr_control.super = L2CAP_SUPER_RR;
6355 rr_control.reqseq = chan->buffer_seq;
6356 l2cap_send_sframe(chan, &rr_control);
6357 }
6358
6359 break;
6360 case L2CAP_EV_RECV_REJ:
6361 l2cap_handle_rej(chan, control);
6362 break;
6363 case L2CAP_EV_RECV_SREJ:
6364 l2cap_handle_srej(chan, control);
6365 break;
6366 }
6367
6368 if (skb && !skb_in_use) {
6369 BT_DBG("Freeing %p", skb);
6370 kfree_skb(skb);
6371 }
6372
6373 return err;
6374}
6375
32b32735
MM		 6376static int l2cap_finish_move(struct l2cap_chan *chan)
6377{
6378 BT_DBG("chan %p", chan);
6379
6380 chan->rx_state = L2CAP_RX_STATE_RECV;
6381
6382 if (chan->hs_hcon)
6383 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6384 else
6385 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6386
6387 return l2cap_resegment(chan);
6388}
6389
6390static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6391 struct l2cap_ctrl *control,
6392 struct sk_buff *skb, u8 event)
6393{
6394 int err;
6395
6396 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6397 event);
6398
6399 if (!control->poll)
6400 return -EPROTO;
6401
6402 l2cap_process_reqseq(chan, control->reqseq);
6403
6404 if (!skb_queue_empty(&chan->tx_q))
6405 chan->tx_send_head = skb_peek(&chan->tx_q);
6406 else
6407 chan->tx_send_head = NULL;
6408
6409 /* Rewind next_tx_seq to the point expected
6410 * by the receiver.
6411 */
6412 chan->next_tx_seq = control->reqseq;
6413 chan->unacked_frames = 0;
6414
6415 err = l2cap_finish_move(chan);
6416 if (err)
6417 return err;
6418
6419 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6420 l2cap_send_i_or_rr_or_rnr(chan);
6421
6422 if (event == L2CAP_EV_RECV_IFRAME)
6423 return -EPROTO;
6424
6425 return l2cap_rx_state_recv(chan, control, NULL, event);
6426}
6427
6428static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6429 struct l2cap_ctrl *control,
6430 struct sk_buff *skb, u8 event)
6431{
6432 int err;
6433
6434 if (!control->final)
6435 return -EPROTO;
6436
6437 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6438
6439 chan->rx_state = L2CAP_RX_STATE_RECV;
6440 l2cap_process_reqseq(chan, control->reqseq);
6441
6442 if (!skb_queue_empty(&chan->tx_q))
6443 chan->tx_send_head = skb_peek(&chan->tx_q);
6444 else
6445 chan->tx_send_head = NULL;
6446
6447 /* Rewind next_tx_seq to the point expected
6448 * by the receiver.
6449 */
6450 chan->next_tx_seq = control->reqseq;
6451 chan->unacked_frames = 0;
6452
6453 if (chan->hs_hcon)
6454 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6455 else
6456 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6457
6458 err = l2cap_resegment(chan);
6459
6460 if (!err)
6461 err = l2cap_rx_state_recv(chan, control, skb, event);
6462
6463 return err;
6464}
6465
d2a7ac5d
MM		 6466static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6467{
6468 /* Make sure reqseq is for a packet that has been sent but not acked */
6469 u16 unacked;
6470
6471 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6472 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6473}
6474
cec8ab6e
MM		 6475static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6476 struct sk_buff *skb, u8 event)
218bb9df 6477{
d2a7ac5d
MM		 6478 int err = 0;
6479
6480 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6481 control, skb, event, chan->rx_state);
6482
6483 if (__valid_reqseq(chan, control->reqseq)) {
6484 switch (chan->rx_state) {
6485 case L2CAP_RX_STATE_RECV:
6486 err = l2cap_rx_state_recv(chan, control, skb, event);
6487 break;
6488 case L2CAP_RX_STATE_SREJ_SENT:
6489 err = l2cap_rx_state_srej_sent(chan, control, skb,
6490 event);
6491 break;
32b32735
MM		 6492 case L2CAP_RX_STATE_WAIT_P:
6493 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6494 break;
6495 case L2CAP_RX_STATE_WAIT_F:
6496 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6497 break;
d2a7ac5d
MM		 6498 default:
6499 /* shut it down */
6500 break;
6501 }
6502 } else {
6503 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6504 control->reqseq, chan->next_tx_seq,
6505 chan->expected_ack_seq);
5e4e3972 6506 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6507 }
6508
6509 return err;
cec8ab6e
MM		 6510}
6511
6512static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6513 struct sk_buff *skb)
6514{
4b51dae9
MM		 6515 int err = 0;
6516
6517 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6518 chan->rx_state);
6519
6520 if (l2cap_classify_txseq(chan, control->txseq) ==
6521 L2CAP_TXSEQ_EXPECTED) {
6522 l2cap_pass_to_tx(chan, control);
6523
6524 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6525 __next_seq(chan, chan->buffer_seq));
6526
6527 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6528
6529 l2cap_reassemble_sdu(chan, skb, control);
6530 } else {
6531 if (chan->sdu) {
6532 kfree_skb(chan->sdu);
6533 chan->sdu = NULL;
6534 }
6535 chan->sdu_last_frag = NULL;
6536 chan->sdu_len = 0;
6537
6538 if (skb) {
6539 BT_DBG("Freeing %p", skb);
6540 kfree_skb(skb);
6541 }
6542 }
6543
6544 chan->last_acked_seq = control->txseq;
6545 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6546
6547 return err;
cec8ab6e
MM		 6548}
6549
6550static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6551{
6552 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6553 u16 len;
6554 u8 event;
218bb9df 6555
b76bbd66
MM		 6556 __unpack_control(chan, skb);
6557
218bb9df
GP		 6558 len = skb->len;
6559
6560 /*
6561 * We can just drop the corrupted I-frame here.
6562 * Receiver will miss it and start proper recovery
cec8ab6e 6563 * procedures and ask for retransmission.
218bb9df 6564 */
47d1ec61 6565 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6566 goto drop;
6567
cec8ab6e 6568 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6569 len -= L2CAP_SDULEN_SIZE;
218bb9df 6570
47d1ec61 6571 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6572 len -= L2CAP_FCS_SIZE;
218bb9df 6573
47d1ec61 6574 if (len > chan->mps) {
5e4e3972 6575 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6576 goto drop;
6577 }
6578
cec8ab6e
MM		 6579 if (!control->sframe) {
6580 int err;
218bb9df 6581
cec8ab6e
MM		 6582 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6583 control->sar, control->reqseq, control->final,
6584 control->txseq);
218bb9df 6585
cec8ab6e
MM		 6586 /* Validate F-bit - F=0 always valid, F=1 only
6587 * valid in TX WAIT_F
6588 */
6589 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6590 goto drop;
cec8ab6e
MM		 6591
6592 if (chan->mode != L2CAP_MODE_STREAMING) {
6593 event = L2CAP_EV_RECV_IFRAME;
6594 err = l2cap_rx(chan, control, skb, event);
6595 } else {
6596 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6597 }
6598
cec8ab6e 6599 if (err)
5e4e3972 6600 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6601 } else {
cec8ab6e
MM		 6602 const u8 rx_func_to_event[4] = {
6603 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6604 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6605 };
6606
6607 /* Only I-frames are expected in streaming mode */
6608 if (chan->mode == L2CAP_MODE_STREAMING)
6609 goto drop;
6610
6611 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6612 control->reqseq, control->final, control->poll,
6613 control->super);
6614
218bb9df 6615 if (len != 0) {
1bb166e6 6616 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6617 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6618 goto drop;
6619 }
6620
cec8ab6e
MM		 6621 /* Validate F and P bits */
6622 if (control->final && (control->poll ||
6623 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6624 goto drop;
6625
6626 event = rx_func_to_event[control->super];
6627 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6628 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6629 }
6630
6631 return 0;
6632
6633drop:
6634 kfree_skb(skb);
6635 return 0;
6636}
6637
b1c325c2
JH		 6638static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6639{
6640 struct l2cap_conn *conn = chan->conn;
6641 struct l2cap_le_credits pkt;
6642 u16 return_credits;
6643
6644 /* We return more credits to the sender only after the amount of
6645 * credits falls below half of the initial amount.
6646 */
f15b8ecf 6647 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6648 return;
6649
f15b8ecf 6650 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6651
6652 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6653
6654 chan->rx_credits += return_credits;
6655
6656 pkt.cid = cpu_to_le16(chan->scid);
6657 pkt.credits = cpu_to_le16(return_credits);
6658
6659 chan->ident = l2cap_get_ident(conn);
6660
6661 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6662}
6663
fad5fc89
JH		 6664static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6665{
aac23bf6
JH		 6666 int err;
6667
6668 if (!chan->rx_credits) {
6669 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6670 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6671 return -ENOBUFS;
aac23bf6 6672 }
fad5fc89 6673
aac23bf6
JH		 6674 if (chan->imtu < skb->len) {
6675 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6676 return -ENOBUFS;
aac23bf6 6677 }
fad5fc89
JH		 6678
6679 chan->rx_credits--;
6680 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6681
6682 l2cap_chan_le_send_credits(chan);
6683
aac23bf6
JH		 6684 err = 0;
6685
6686 if (!chan->sdu) {
6687 u16 sdu_len;
6688
6689 sdu_len = get_unaligned_le16(skb->data);
6690 skb_pull(skb, L2CAP_SDULEN_SIZE);
6691
6692 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6693 sdu_len, skb->len, chan->imtu);
6694
6695 if (sdu_len > chan->imtu) {
6696 BT_ERR("Too big LE L2CAP SDU length received");
6697 err = -EMSGSIZE;
6698 goto failed;
6699 }
6700
6701 if (skb->len > sdu_len) {
6702 BT_ERR("Too much LE L2CAP data received");
6703 err = -EINVAL;
6704 goto failed;
6705 }
6706
6707 if (skb->len == sdu_len)
6708 return chan->ops->recv(chan, skb);
6709
6710 chan->sdu = skb;
6711 chan->sdu_len = sdu_len;
6712 chan->sdu_last_frag = skb;
6713
6714 return 0;
6715 }
6716
6717 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6718 chan->sdu->len, skb->len, chan->sdu_len);
6719
6720 if (chan->sdu->len + skb->len > chan->sdu_len) {
6721 BT_ERR("Too much LE L2CAP data received");
6722 err = -EINVAL;
6723 goto failed;
6724 }
6725
6726 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6727 skb = NULL;
6728
6729 if (chan->sdu->len == chan->sdu_len) {
6730 err = chan->ops->recv(chan, chan->sdu);
6731 if (!err) {
6732 chan->sdu = NULL;
6733 chan->sdu_last_frag = NULL;
6734 chan->sdu_len = 0;
6735 }
6736 }
6737
6738failed:
6739 if (err) {
6740 kfree_skb(skb);
6741 kfree_skb(chan->sdu);
6742 chan->sdu = NULL;
6743 chan->sdu_last_frag = NULL;
6744 chan->sdu_len = 0;
6745 }
6746
6747 /* We can't return an error here since we took care of the skb
6748 * freeing internally. An error return would cause the caller to
6749 * do a double-free of the skb.
6750 */
6751 return 0;
fad5fc89
JH		 6752}
6753
13ca56e0
AE		 6754static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6755 struct sk_buff *skb)
1da177e4 6756{
48454079 6757 struct l2cap_chan *chan;
1da177e4 6758
baa7e1fa 6759 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6760 if (!chan) {
97e8e89d
AE		 6761 if (cid == L2CAP_CID_A2MP) {
6762 chan = a2mp_channel_create(conn, skb);
6763 if (!chan) {
6764 kfree_skb(skb);
13ca56e0 6765 return;
97e8e89d
AE		 6766 }
6767
6768 l2cap_chan_lock(chan);
6769 } else {
6770 BT_DBG("unknown cid 0x%4.4x", cid);
6771 /* Drop packet and return */
6772 kfree_skb(skb);
13ca56e0 6773 return;
97e8e89d 6774 }
1da177e4
LT		 6775 }
6776
49208c9c 6777 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6778
89bc500e 6779 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6780 goto drop;
6781
0c1bc5c6 6782 switch (chan->mode) {
38319713 6783 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6784 if (l2cap_le_data_rcv(chan, skb) < 0)
6785 goto drop;
6786
6787 goto done;
6788
1c2acffb
GP		 6789 case L2CAP_MODE_BASIC:
6790 /* If socket recv buffers overflows we drop data here
6791 * which is *bad* because L2CAP has to be reliable.
6792 * But we don't have any other choice. L2CAP doesn't
6793 * provide flow control mechanism. */
1da177e4 6794
2c96e03d
SJ		 6795 if (chan->imtu < skb->len) {
6796 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6797 goto drop;
2c96e03d 6798 }
1da177e4 6799
80b98027 6800 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6801 goto done;
6802 break;
6803
6804 case L2CAP_MODE_ERTM:
6840ed07 6805 case L2CAP_MODE_STREAMING:
cec8ab6e 6806 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6807 goto done;
6808
1c2acffb 6809 default:
0c1bc5c6 6810 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6811 break;
6812 }
1da177e4
LT		 6813
6814drop:
6815 kfree_skb(skb);
6816
6817done:
6be36555 6818 l2cap_chan_unlock(chan);
1da177e4
LT		 6819}
6820
84104b24
AE		 6821static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6822 struct sk_buff *skb)
1da177e4 6823{
ae4fd2d3 6824 struct hci_conn *hcon = conn->hcon;
23691d75 6825 struct l2cap_chan *chan;
1da177e4 6826
ae4fd2d3 6827 if (hcon->type != ACL_LINK)
a24cce14 6828 goto free_skb;
ae4fd2d3 6829
bf20fd4e
JH		 6830 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6831 ACL_LINK);
23691d75 6832 if (!chan)
a24cce14 6833 goto free_skb;
1da177e4 6834
5b4cedaa 6835 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6836
89bc500e 6837 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6838 goto drop;
6839
e13e21dc 6840 if (chan->imtu < skb->len)
1da177e4
LT		 6841 goto drop;
6842
2edf870d 6843 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6844 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6845 bt_cb(skb)->psm = psm;
6846
a24cce14
JH		 6847 if (!chan->ops->recv(chan, skb)) {
6848 l2cap_chan_put(chan);
84104b24 6849 return;
a24cce14 6850 }
1da177e4
LT		 6851
6852drop:
a24cce14
JH		 6853 l2cap_chan_put(chan);
6854free_skb:
1da177e4 6855 kfree_skb(skb);
1da177e4
LT		 6856}
6857
6858static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6859{
6860 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6861 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6862 u16 cid, len;
6863 __le16 psm;
1da177e4 6864
61a939c6
JH		 6865 if (hcon->state != BT_CONNECTED) {
6866 BT_DBG("queueing pending rx skb");
6867 skb_queue_tail(&conn->pending_rx, skb);
6868 return;
6869 }
6870
1da177e4
LT		 6871 skb_pull(skb, L2CAP_HDR_SIZE);
6872 cid = __le16_to_cpu(lh->cid);
6873 len = __le16_to_cpu(lh->len);
6874
1c2acffb
GP		 6875 if (len != skb->len) {
6876 kfree_skb(skb);
6877 return;
6878 }
6879
9e1d7e15
JH		 6880 /* Since we can't actively block incoming LE connections we must
6881 * at least ensure that we ignore incoming data from them.
6882 */
6883 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6884 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6885 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6886 kfree_skb(skb);
6887 return;
6888 }
6889
1da177e4
LT		 6890 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6891
6892 switch (cid) {
8db4dc46 6893 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6894 l2cap_sig_channel(conn, skb);
6895 break;
6896
8db4dc46 6897 case L2CAP_CID_CONN_LESS:
097db76c 6898 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6899 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6900 l2cap_conless_channel(conn, psm, skb);
6901 break;
6902
a2877629
MH		 6903 case L2CAP_CID_LE_SIGNALING:
6904 l2cap_le_sig_channel(conn, skb);
6905 break;
6906
1da177e4
LT		 6907 default:
6908 l2cap_data_channel(conn, cid, skb);
6909 break;
6910 }
6911}
6912
61a939c6
JH		 6913static void process_pending_rx(struct work_struct *work)
6914{
6915 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6916 pending_rx_work);
6917 struct sk_buff *skb;
6918
6919 BT_DBG("");
6920
6921 while ((skb = skb_dequeue(&conn->pending_rx)))
6922 l2cap_recv_frame(conn, skb);
6923}
6924
162b49e7
JH		 6925static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6926{
6927 struct l2cap_conn *conn = hcon->l2cap_data;
6928 struct hci_chan *hchan;
6929
6930 if (conn)
6931 return conn;
6932
6933 hchan = hci_chan_create(hcon);
6934 if (!hchan)
6935 return NULL;
6936
27f70f3e 6937 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6938 if (!conn) {
6939 hci_chan_del(hchan);
6940 return NULL;
6941 }
6942
6943 kref_init(&conn->ref);
6944 hcon->l2cap_data = conn;
51bb8457 6945 conn->hcon = hci_conn_get(hcon);
162b49e7
JH		 6946 conn->hchan = hchan;
6947
6948 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6949
6950 switch (hcon->type) {
6951 case LE_LINK:
6952 if (hcon->hdev->le_mtu) {
6953 conn->mtu = hcon->hdev->le_mtu;
6954 break;
6955 }
6956 /* fall through */
6957 default:
6958 conn->mtu = hcon->hdev->acl_mtu;
6959 break;
6960 }
6961
6962 conn->feat_mask = 0;
6963
0bd49fc7
JH		 6964 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6965
6966 if (hcon->type == ACL_LINK &&
6967 test_bit(HCI_HS_ENABLED, &hcon->hdev->dev_flags))
6968 conn->local_fixed_chan |= L2CAP_FC_A2MP;
162b49e7 6969
5a54e7c8 6970 mutex_init(&conn->ident_lock);
162b49e7
JH		 6971 mutex_init(&conn->chan_lock);
6972
6973 INIT_LIST_HEAD(&conn->chan_l);
6974 INIT_LIST_HEAD(&conn->users);
6975
276d8073 6976 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6977
61a939c6
JH		 6978 skb_queue_head_init(&conn->pending_rx);
6979 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
f3d82d0c 6980 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
61a939c6 6981
162b49e7
JH		 6982 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6983
6984 return conn;
6985}
6986
6987static bool is_valid_psm(u16 psm, u8 dst_type) {
6988 if (!psm)
6989 return false;
6990
6991 if (bdaddr_type_is_le(dst_type))
6992 return (psm <= 0x00ff);
6993
6994 /* PSM must be odd and lsb of upper byte must be 0 */
6995 return ((psm & 0x0101) == 0x0001);
6996}
6997
6998int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6999 bdaddr_t *dst, u8 dst_type)
7000{
7001 struct l2cap_conn *conn;
7002 struct hci_conn *hcon;
7003 struct hci_dev *hdev;
162b49e7
JH		 7004 int err;
7005
7006 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7007 dst_type, __le16_to_cpu(psm));
7008
7009 hdev = hci_get_route(dst, &chan->src);
7010 if (!hdev)
7011 return -EHOSTUNREACH;
7012
7013 hci_dev_lock(hdev);
7014
162b49e7
JH		 7015 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7016 chan->chan_type != L2CAP_CHAN_RAW) {
7017 err = -EINVAL;
7018 goto done;
7019 }
7020
21626e62
JH		 7021 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7022 err = -EINVAL;
7023 goto done;
7024 }
7025
7026 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 7027 err = -EINVAL;
7028 goto done;
7029 }
7030
7031 switch (chan->mode) {
7032 case L2CAP_MODE_BASIC:
7033 break;
7034 case L2CAP_MODE_LE_FLOWCTL:
7035 l2cap_le_flowctl_init(chan);
7036 break;
7037 case L2CAP_MODE_ERTM:
7038 case L2CAP_MODE_STREAMING:
7039 if (!disable_ertm)
7040 break;
7041 /* fall through */
7042 default:
beb19e4c 7043 err = -EOPNOTSUPP;
162b49e7
JH		 7044 goto done;
7045 }
7046
7047 switch (chan->state) {
7048 case BT_CONNECT:
7049 case BT_CONNECT2:
7050 case BT_CONFIG:
7051 /* Already connecting */
7052 err = 0;
7053 goto done;
7054
7055 case BT_CONNECTED:
7056 /* Already connected */
7057 err = -EISCONN;
7058 goto done;
7059
7060 case BT_OPEN:
7061 case BT_BOUND:
7062 /* Can connect */
7063 break;
7064
7065 default:
7066 err = -EBADFD;
7067 goto done;
7068 }
7069
7070 /* Set destination address and psm */
7071 bacpy(&chan->dst, dst);
7072 chan->dst_type = dst_type;
7073
7074 chan->psm = psm;
7075 chan->dcid = cid;
7076
6f77d8c7 7077 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7078 u8 role;
cdd6275e 7079
6f77d8c7
AG		 7080 /* Convert from L2CAP channel address type to HCI address type
7081 */
7082 if (dst_type == BDADDR_LE_PUBLIC)
7083 dst_type = ADDR_LE_DEV_PUBLIC;
7084 else
7085 dst_type = ADDR_LE_DEV_RANDOM;
7086
e804d25d
JH		 7087 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7088 role = HCI_ROLE_SLAVE;
7089 else
7090 role = HCI_ROLE_MASTER;
cdd6275e 7091
04a6c589 7092 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7093 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7094 } else {
d93375a8 7095 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7096 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7097 }
162b49e7
JH		 7098
7099 if (IS_ERR(hcon)) {
7100 err = PTR_ERR(hcon);
7101 goto done;
7102 }
7103
7104 conn = l2cap_conn_add(hcon);
7105 if (!conn) {
7106 hci_conn_drop(hcon);
7107 err = -ENOMEM;
7108 goto done;
7109 }
7110
02e246ae
JH		 7111 mutex_lock(&conn->chan_lock);
7112 l2cap_chan_lock(chan);
7113
162b49e7
JH		 7114 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7115 hci_conn_drop(hcon);
7116 err = -EBUSY;
02e246ae 7117 goto chan_unlock;
162b49e7
JH		 7118 }
7119
7120 /* Update source addr of the socket */
7121 bacpy(&chan->src, &hcon->src);
7122 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7123
02e246ae 7124 __l2cap_chan_add(conn, chan);
162b49e7
JH		 7125
7126 /* l2cap_chan_add takes its own ref so we can drop this one */
7127 hci_conn_drop(hcon);
7128
7129 l2cap_state_change(chan, BT_CONNECT);
7130 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7131
61202e4d
JH		 7132 /* Release chan->sport so that it can be reused by other
7133 * sockets (as it's only used for listening sockets).
7134 */
7135 write_lock(&chan_list_lock);
7136 chan->sport = 0;
7137 write_unlock(&chan_list_lock);
7138
162b49e7
JH		 7139 if (hcon->state == BT_CONNECTED) {
7140 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7141 __clear_chan_timer(chan);
e7cafc45 7142 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7143 l2cap_state_change(chan, BT_CONNECTED);
7144 } else
7145 l2cap_do_start(chan);
7146 }
7147
7148 err = 0;
7149
02e246ae 7150chan_unlock:
162b49e7 7151 l2cap_chan_unlock(chan);
02e246ae
JH		 7152 mutex_unlock(&conn->chan_lock);
7153done:
162b49e7
JH		 7154 hci_dev_unlock(hdev);
7155 hci_dev_put(hdev);
7156 return err;
7157}
6b8d4a6a 7158EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7159
1da177e4
LT		 7160/* ---- L2CAP interface with lower layer (HCI) ---- */
7161
686ebf28 7162int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7163{
7164 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7165 struct l2cap_chan *c;
1da177e4 7166
6ed93dc6 7167 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7168
7169 /* Find listening sockets and check their link_mode */
23691d75
GP		 7170 read_lock(&chan_list_lock);
7171 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7172 if (c->state != BT_LISTEN)
1da177e4
LT		 7173 continue;
7174
7eafc59e 7175 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7176 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7177 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7178 lm1 |= HCI_LM_MASTER;
1da177e4 7179 exact++;
7eafc59e 7180 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7181 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7182 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7183 lm2 |= HCI_LM_MASTER;
7184 }
1da177e4 7185 }
23691d75 7186 read_unlock(&chan_list_lock);
1da177e4
LT		 7187
7188 return exact ? lm1 : lm2;
7189}
7190
e760ec12
JH		 7191/* Find the next fixed channel in BT_LISTEN state, continue iteration
7192 * from an existing channel in the list or from the beginning of the
7193 * global list (by passing NULL as first parameter).
7194 */
7195static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7196 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7197{
7198 read_lock(&chan_list_lock);
7199
7200 if (c)
7201 c = list_next_entry(c, global_l);
7202 else
7203 c = list_entry(chan_list.next, typeof(*c), global_l);
7204
7205 list_for_each_entry_from(c, &chan_list, global_l) {
7206 if (c->chan_type != L2CAP_CHAN_FIXED)
7207 continue;
7208 if (c->state != BT_LISTEN)
7209 continue;
7210 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7211 continue;
54a1b626
JH		 7212 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7213 continue;
7214 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7215 continue;
e760ec12
JH		 7216
7217 l2cap_chan_hold(c);
7218 read_unlock(&chan_list_lock);
7219 return c;
7220 }
7221
7222 read_unlock(&chan_list_lock);
7223
7224 return NULL;
7225}
7226
9e664631 7227void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7228{
e760ec12 7229 struct hci_dev *hdev = hcon->hdev;
0139418c 7230 struct l2cap_conn *conn;
e760ec12
JH		 7231 struct l2cap_chan *pchan;
7232 u8 dst_type;
0139418c 7233
6ed93dc6 7234 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7235
dc0f5088 7236 if (status) {
e175072f 7237 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7238 return;
ba6fc317 7239 }
dc0f5088
JH		 7240
7241 conn = l2cap_conn_add(hcon);
7242 if (!conn)
7243 return;
7244
e760ec12
JH		 7245 dst_type = bdaddr_type(hcon, hcon->dst_type);
7246
7247 /* If device is blocked, do not create channels for it */
7248 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7249 return;
7250
7251 /* Find fixed channels and notify them of the new connection. We
7252 * use multiple individual lookups, continuing each time where
7253 * we left off, because the list lock would prevent calling the
7254 * potentially sleeping l2cap_chan_lock() function.
7255 */
54a1b626 7256 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7257 while (pchan) {
7258 struct l2cap_chan *chan, *next;
7259
7260 /* Client fixed channels should override server ones */
7261 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7262 goto next;
7263
7264 l2cap_chan_lock(pchan);
7265 chan = pchan->ops->new_connection(pchan);
7266 if (chan) {
7267 bacpy(&chan->src, &hcon->src);
7268 bacpy(&chan->dst, &hcon->dst);
7269 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7270 chan->dst_type = dst_type;
7271
7272 __l2cap_chan_add(conn, chan);
7273 }
7274
7275 l2cap_chan_unlock(pchan);
7276next:
54a1b626
JH		 7277 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7278 hcon->type);
e760ec12
JH		 7279 l2cap_chan_put(pchan);
7280 pchan = next;
7281 }
7282
dc0f5088 7283 l2cap_conn_ready(conn);
1da177e4
LT		 7284}
7285
686ebf28 7286int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7287{
7288 struct l2cap_conn *conn = hcon->l2cap_data;
7289
7290 BT_DBG("hcon %p", hcon);
7291
686ebf28 7292 if (!conn)
9f5a0d7b 7293 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7294 return conn->disc_reason;
7295}
7296
9e664631 7297void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7298{
7299 BT_DBG("hcon %p reason %d", hcon, reason);
7300
e175072f 7301 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7302}
7303
4343478f 7304static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7305{
715ec005 7306 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7307 return;
7308
f62e4323 7309 if (encrypt == 0x00) {
4343478f 7310 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7311 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7312 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7313 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7314 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7315 } else {
4343478f 7316 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7317 __clear_chan_timer(chan);
f62e4323
MH		 7318 }
7319}
7320
686ebf28 7321int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7322{
0139418c 7323 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7324 struct l2cap_chan *chan;
1da177e4 7325
0139418c 7326 if (!conn)
1da177e4 7327 return 0;
0139418c 7328
89d8b407 7329 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7330
3df91ea2 7331 mutex_lock(&conn->chan_lock);
1da177e4 7332
3df91ea2 7333 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7334 l2cap_chan_lock(chan);
1da177e4 7335
89d8b407
AE		 7336 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7337 state_to_string(chan->state));
f1cb9af5 7338
2338a7e0 7339 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7340 l2cap_chan_unlock(chan);
7341 continue;
7342 }
7343
191eb398
JH		 7344 if (!status && encrypt)
7345 chan->sec_level = hcon->sec_level;
f1cb9af5 7346
96eff46e 7347 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7348 l2cap_chan_unlock(chan);
6a8d3010
MH		 7349 continue;
7350 }
7351
89bc500e 7352 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7353 chan->state == BT_CONFIG)) {
d97c899b 7354 chan->ops->resume(chan);
4343478f 7355 l2cap_check_encryption(chan, encrypt);
6be36555 7356 l2cap_chan_unlock(chan);
9719f8af
MH		 7357 continue;
7358 }
7359
89bc500e 7360 if (chan->state == BT_CONNECT) {
6d3c15da 7361 if (!status)
93c3e8f5 7362 l2cap_start_connection(chan);
6d3c15da 7363 else
ba13ccd9 7364 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
fa37c1aa
JH		 7365 } else if (chan->state == BT_CONNECT2 &&
7366 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
b1235d79 7367 struct l2cap_conn_rsp rsp;
df3c3931 7368 __u16 res, stat;
1da177e4 7369
b1235d79 7370 if (!status) {
bdc25783 7371 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7372 res = L2CAP_CR_PEND;
7373 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7374 chan->ops->defer(chan);
df3c3931 7375 } else {
acdcabf5 7376 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7377 res = L2CAP_CR_SUCCESS;
7378 stat = L2CAP_CS_NO_INFO;
7379 }
b1235d79 7380 } else {
acdcabf5 7381 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7382 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7383 res = L2CAP_CR_SEC_BLOCK;
7384 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7385 }
7386
fe4128e0
GP		 7387 rsp.scid = cpu_to_le16(chan->dcid);
7388 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7389 rsp.result = cpu_to_le16(res);
7390 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7391 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7392 sizeof(rsp), &rsp);
2d369359
MM		 7393
7394 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7395 res == L2CAP_CR_SUCCESS) {
7396 char buf[128];
7397 set_bit(CONF_REQ_SENT, &chan->conf_state);
7398 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7399 L2CAP_CONF_REQ,
7400 l2cap_build_conf_req(chan, buf),
7401 buf);
7402 chan->num_conf_req++;
7403 }
b1235d79 7404 }
1da177e4 7405
6be36555 7406 l2cap_chan_unlock(chan);
1da177e4
LT		 7407 }
7408
3df91ea2 7409 mutex_unlock(&conn->chan_lock);
b1235d79 7410
1da177e4
LT		 7411 return 0;
7412}
7413
686ebf28 7414int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7415{
7416 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7417 struct l2cap_hdr *hdr;
7418 int len;
1da177e4 7419
1d13a254
AE		 7420 /* For AMP controller do not create l2cap conn */
7421 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7422 goto drop;
1da177e4 7423
5a08ecce 7424 if (!conn)
baf43251 7425 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7426
7427 if (!conn)
1da177e4
LT		 7428 goto drop;
7429
7430 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7431
d73a0988
AE		 7432 switch (flags) {
7433 case ACL_START:
7434 case ACL_START_NO_FLUSH:
7435 case ACL_COMPLETE:
1da177e4
LT		 7436 if (conn->rx_len) {
7437 BT_ERR("Unexpected start frame (len %d)", skb->len);
7438 kfree_skb(conn->rx_skb);
7439 conn->rx_skb = NULL;
7440 conn->rx_len = 0;
7441 l2cap_conn_unreliable(conn, ECOMM);
7442 }
7443
aae7fe22
AE		 7444 /* Start fragment always begin with Basic L2CAP header */
7445 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7446 BT_ERR("Frame is too short (len %d)", skb->len);
7447 l2cap_conn_unreliable(conn, ECOMM);
7448 goto drop;
7449 }
7450
7451 hdr = (struct l2cap_hdr *) skb->data;
7452 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7453
7454 if (len == skb->len) {
7455 /* Complete frame received */
7456 l2cap_recv_frame(conn, skb);
7457 return 0;
7458 }
7459
7460 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7461
7462 if (skb->len > len) {
7463 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7464 skb->len, len);
1da177e4
LT		 7465 l2cap_conn_unreliable(conn, ECOMM);
7466 goto drop;
7467 }
7468
7469 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7470 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7471 if (!conn->rx_skb)
1da177e4
LT		 7472 goto drop;
7473
d626f62b 7474 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7475 skb->len);
1da177e4 7476 conn->rx_len = len - skb->len;
d73a0988
AE		 7477 break;
7478
7479 case ACL_CONT:
1da177e4
LT		 7480 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7481
7482 if (!conn->rx_len) {
7483 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7484 l2cap_conn_unreliable(conn, ECOMM);
7485 goto drop;
7486 }
7487
7488 if (skb->len > conn->rx_len) {
7489 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7490 skb->len, conn->rx_len);
1da177e4
LT		 7491 kfree_skb(conn->rx_skb);
7492 conn->rx_skb = NULL;
7493 conn->rx_len = 0;
7494 l2cap_conn_unreliable(conn, ECOMM);
7495 goto drop;
7496 }
7497
d626f62b 7498 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7499 skb->len);
1da177e4
LT		 7500 conn->rx_len -= skb->len;
7501
7502 if (!conn->rx_len) {
c4e5bafa
JH		 7503 /* Complete frame received. l2cap_recv_frame
7504 * takes ownership of the skb so set the global
7505 * rx_skb pointer to NULL first.
7506 */
7507 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7508 conn->rx_skb = NULL;
c4e5bafa 7509 l2cap_recv_frame(conn, rx_skb);
1da177e4 7510 }
d73a0988 7511 break;
1da177e4
LT		 7512 }
7513
7514drop:
7515 kfree_skb(skb);
7516 return 0;
7517}
7518
aef7d97c 7519static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7520{
23691d75 7521 struct l2cap_chan *c;
1da177e4 7522
333055f2 7523 read_lock(&chan_list_lock);
1da177e4 7524
23691d75 7525 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7526 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7527 &c->src, &c->dst,
fcb73338
AE		 7528 c->state, __le16_to_cpu(c->psm),
7529 c->scid, c->dcid, c->imtu, c->omtu,
7530 c->sec_level, c->mode);
61e1b4b7 7531 }
1da177e4 7532
333055f2 7533 read_unlock(&chan_list_lock);
1da177e4 7534
aef7d97c 7535 return 0;
1da177e4
LT		 7536}
7537
aef7d97c
MH		 7538static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7539{
7540 return single_open(file, l2cap_debugfs_show, inode->i_private);
7541}
7542
7543static const struct file_operations l2cap_debugfs_fops = {
7544 .open = l2cap_debugfs_open,
7545 .read = seq_read,
7546 .llseek = seq_lseek,
7547 .release = single_release,
7548};
7549
7550static struct dentry *l2cap_debugfs;
1da177e4 7551
64274518 7552int __init l2cap_init(void)
1da177e4
LT		 7553{
7554 int err;
be9d1227 7555
bb58f747 7556 err = l2cap_init_sockets();
1da177e4
LT		 7557 if (err < 0)
7558 return err;
7559
1120e4bf
MH		 7560 if (IS_ERR_OR_NULL(bt_debugfs))
7561 return 0;
7562
7563 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7564 NULL, &l2cap_debugfs_fops);
1da177e4 7565
40b9397a 7566 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7567 &le_max_credits);
40b9397a 7568 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7569 &le_default_mps);
7570
1da177e4 7571 return 0;
1da177e4
LT		 7572}
7573
64274518 7574void l2cap_exit(void)
1da177e4 7575{
aef7d97c 7576 debugfs_remove(l2cap_debugfs);
bb58f747 7577 l2cap_cleanup_sockets();
1da177e4
LT		 7578}
7579
d1c4a17d
GP		 7580module_param(disable_ertm, bool, 0644);
7581MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.967807 seconds and 5 git commands to generate.