]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/bluetooth/l2cap_core.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
networking: introduce and use skb_put_data()
[mirror_ubuntu-artful-kernel.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
dbb50887 35#include <linux/filter.h>
1da177e4
LT		 36
37#include <net/bluetooth/bluetooth.h>
38#include <net/bluetooth/hci_core.h>
39#include <net/bluetooth/l2cap.h>
7ef9fbf0 40
ac4b7236 41#include "smp.h"
7024728e 42#include "a2mp.h"
7ef9fbf0 43#include "amp.h"
1da177e4 44
0f1bfe4e
JH		 45#define LE_FLOWCTL_MAX_CREDITS 65535
46
d1de6d46 47bool disable_ertm;
f0709e03 48
547d1032 49static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
a250e048 67static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
4f1654e0 68{
a250e048
JH		 69 if (link_type == LE_LINK) {
70 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
4f1654e0
MH		 71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
a250e048
JH		 79static inline u8 bdaddr_src_type(struct hci_conn *hcon)
80{
81 return bdaddr_type(hcon->type, hcon->src_type);
82}
83
84static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
85{
86 return bdaddr_type(hcon->type, hcon->dst_type);
87}
88
0139418c 89/* ---- L2CAP channels ---- */
71ba0e56 90
2d792818
GP		 91static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
92 u16 cid)
0139418c 93{
3df91ea2 94 struct l2cap_chan *c;
3d57dc68 95
3df91ea2
AE		 96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->dcid == cid)
98 return c;
0139418c 99 }
3df91ea2 100 return NULL;
0139418c
MH		 101}
102
2d792818
GP		 103static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
104 u16 cid)
0139418c 105{
3df91ea2 106 struct l2cap_chan *c;
3d57dc68 107
3df91ea2
AE		 108 list_for_each_entry(c, &conn->chan_l, list) {
109 if (c->scid == cid)
110 return c;
0139418c 111 }
3df91ea2 112 return NULL;
0139418c
MH		 113}
114
115/* Find channel with given SCID.
ef191ade 116 * Returns locked channel. */
2d792818
GP		 117static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 u16 cid)
0139418c 119{
48454079 120 struct l2cap_chan *c;
baa7e1fa 121
3df91ea2 122 mutex_lock(&conn->chan_lock);
baa7e1fa 123 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 124 if (c)
125 l2cap_chan_lock(c);
3df91ea2
AE		 126 mutex_unlock(&conn->chan_lock);
127
48454079 128 return c;
0139418c
MH		 129}
130
b1a130b7
MM		 131/* Find channel with given DCID.
132 * Returns locked channel.
133 */
134static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135 u16 cid)
136{
137 struct l2cap_chan *c;
138
139 mutex_lock(&conn->chan_lock);
140 c = __l2cap_get_chan_by_dcid(conn, cid);
141 if (c)
142 l2cap_chan_lock(c);
143 mutex_unlock(&conn->chan_lock);
144
145 return c;
146}
147
2d792818
GP		 148static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
149 u8 ident)
0139418c 150{
3df91ea2 151 struct l2cap_chan *c;
3d57dc68 152
3df91ea2
AE		 153 list_for_each_entry(c, &conn->chan_l, list) {
154 if (c->ident == ident)
155 return c;
0139418c 156 }
3df91ea2 157 return NULL;
0139418c
MH		 158}
159
5b155ef9
MM		 160static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 u8 ident)
162{
163 struct l2cap_chan *c;
164
165 mutex_lock(&conn->chan_lock);
166 c = __l2cap_get_chan_by_ident(conn, ident);
167 if (c)
168 l2cap_chan_lock(c);
169 mutex_unlock(&conn->chan_lock);
170
171 return c;
172}
173
23691d75 174static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 175{
23691d75 176 struct l2cap_chan *c;
9e4425ff 177
23691d75 178 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 179 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 180 return c;
9e4425ff 181 }
250938cb 182 return NULL;
9e4425ff
GP		 183}
184
185int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
186{
73b2ec18
GP		 187 int err;
188
333055f2 189 write_lock(&chan_list_lock);
9e4425ff 190
23691d75 191 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 192 err = -EADDRINUSE;
193 goto done;
9e4425ff
GP		 194 }
195
73b2ec18
GP		 196 if (psm) {
197 chan->psm = psm;
198 chan->sport = psm;
199 err = 0;
200 } else {
92594a51
JH		 201 u16 p, start, end, incr;
202
203 if (chan->src_type == BDADDR_BREDR) {
204 start = L2CAP_PSM_DYN_START;
205 end = L2CAP_PSM_AUTO_END;
206 incr = 2;
207 } else {
208 start = L2CAP_PSM_LE_DYN_START;
209 end = L2CAP_PSM_LE_DYN_END;
210 incr = 1;
211 }
73b2ec18
GP		 212
213 err = -EINVAL;
92594a51 214 for (p = start; p <= end; p += incr)
23691d75 215 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 216 chan->psm = cpu_to_le16(p);
217 chan->sport = cpu_to_le16(p);
218 err = 0;
219 break;
220 }
221 }
9e4425ff 222
73b2ec18 223done:
333055f2 224 write_unlock(&chan_list_lock);
73b2ec18 225 return err;
9e4425ff 226}
6b8d4a6a 227EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 228
229int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
230{
333055f2 231 write_lock(&chan_list_lock);
9e4425ff 232
14824308
JH		 233 /* Override the defaults (which are for conn-oriented) */
234 chan->omtu = L2CAP_DEFAULT_MTU;
235 chan->chan_type = L2CAP_CHAN_FIXED;
236
9e4425ff
GP		 237 chan->scid = scid;
238
333055f2 239 write_unlock(&chan_list_lock);
9e4425ff
GP		 240
241 return 0;
242}
243
baa7e1fa 244static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 245{
e77af755 246 u16 cid, dyn_end;
0139418c 247
e77af755
JH		 248 if (conn->hcon->type == LE_LINK)
249 dyn_end = L2CAP_CID_LE_DYN_END;
250 else
251 dyn_end = L2CAP_CID_DYN_END;
252
ab0c127f 253 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
baa7e1fa 254 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 255 return cid;
256 }
257
258 return 0;
259}
260
f93fa273 261static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 262{
42d2d87c 263 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 264 state_to_string(state));
badaaa00 265
89bc500e 266 chan->state = state;
53f52121 267 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 268}
269
f8e73017
GP		 270static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
271 int state, int err)
2e0052e4 272{
f8e73017 273 chan->state = state;
53f52121 274 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 275}
276
277static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
278{
f8e73017 279 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 280}
281
4239d16f
MM		 282static void __set_retrans_timer(struct l2cap_chan *chan)
283{
284 if (!delayed_work_pending(&chan->monitor_timer) &&
285 chan->retrans_timeout) {
286 l2cap_set_timer(chan, &chan->retrans_timer,
287 msecs_to_jiffies(chan->retrans_timeout));
288 }
289}
290
291static void __set_monitor_timer(struct l2cap_chan *chan)
292{
293 __clear_retrans_timer(chan);
294 if (chan->monitor_timeout) {
295 l2cap_set_timer(chan, &chan->monitor_timer,
296 msecs_to_jiffies(chan->monitor_timeout));
297 }
298}
299
608bcc6d
MM		 300static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
301 u16 seq)
302{
303 struct sk_buff *skb;
304
305 skb_queue_walk(head, skb) {
a4368ff3 306 if (bt_cb(skb)->l2cap.txseq == seq)
608bcc6d
MM		 307 return skb;
308 }
309
310 return NULL;
311}
312
3c588192
MM		 313/* ---- L2CAP sequence number lists ---- */
314
315/* For ERTM, ordered lists of sequence numbers must be tracked for
316 * SREJ requests that are received and for frames that are to be
317 * retransmitted. These seq_list functions implement a singly-linked
318 * list in an array, where membership in the list can also be checked
319 * in constant time. Items can also be added to the tail of the list
320 * and removed from the head in constant time, without further memory
321 * allocs or frees.
322 */
323
324static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
325{
326 size_t alloc_size, i;
327
328 /* Allocated size is a power of 2 to map sequence numbers
329 * (which may be up to 14 bits) in to a smaller array that is
330 * sized for the negotiated ERTM transmit windows.
331 */
332 alloc_size = roundup_pow_of_two(size);
333
334 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
335 if (!seq_list->list)
336 return -ENOMEM;
337
338 seq_list->mask = alloc_size - 1;
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
341 for (i = 0; i < alloc_size; i++)
342 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
343
344 return 0;
345}
346
347static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
348{
349 kfree(seq_list->list);
350}
351
352static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
353 u16 seq)
354{
355 /* Constant-time check for list membership */
356 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
357}
358
03a0c5d6 359static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 360{
03a0c5d6 361 u16 seq = seq_list->head;
3c588192
MM		 362 u16 mask = seq_list->mask;
363
03a0c5d6
JH		 364 seq_list->head = seq_list->list[seq & mask];
365 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
366
367 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
368 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
369 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 370 }
3c588192 371
03a0c5d6 372 return seq;
3c588192
MM		 373}
374
375static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
376{
f522ae36 377 u16 i;
3c588192 378
f522ae36
GP		 379 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
380 return;
381
382 for (i = 0; i <= seq_list->mask; i++)
383 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
384
385 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
386 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 387}
388
389static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
390{
391 u16 mask = seq_list->mask;
392
393 /* All appends happen in constant time */
394
f522ae36
GP		 395 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
396 return;
3c588192 397
f522ae36
GP		 398 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
399 seq_list->head = seq;
400 else
401 seq_list->list[seq_list->tail & mask] = seq;
402
403 seq_list->tail = seq;
404 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 405}
406
721c4181 407static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 408{
721c4181 409 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 410 chan_timer.work);
3df91ea2 411 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 412 int reason;
413
e05dcc32 414 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 415
3df91ea2 416 mutex_lock(&conn->chan_lock);
6be36555 417 l2cap_chan_lock(chan);
ab07801d 418
89bc500e 419 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 420 reason = ECONNREFUSED;
89bc500e 421 else if (chan->state == BT_CONNECT &&
2d792818 422 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 423 reason = ECONNREFUSED;
424 else
425 reason = ETIMEDOUT;
426
0f852724 427 l2cap_chan_close(chan, reason);
ab07801d 428
6be36555 429 l2cap_chan_unlock(chan);
ab07801d 430
80b98027 431 chan->ops->close(chan);
3df91ea2
AE		 432 mutex_unlock(&conn->chan_lock);
433
371fd835 434 l2cap_chan_put(chan);
ab07801d
GP		 435}
436
eef1d9b6 437struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 438{
439 struct l2cap_chan *chan;
440
441 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
442 if (!chan)
443 return NULL;
444
c03b355e
AE		 445 mutex_init(&chan->lock);
446
ff714119
JH		 447 /* Set default lock nesting level */
448 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
449
333055f2 450 write_lock(&chan_list_lock);
23691d75 451 list_add(&chan->global_l, &chan_list);
333055f2 452 write_unlock(&chan_list_lock);
23691d75 453
721c4181 454 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 455
89bc500e
GP		 456 chan->state = BT_OPEN;
457
144ad330 458 kref_init(&chan->kref);
71ba0e56 459
2827011f
MM		 460 /* This flag is cleared in l2cap_chan_ready() */
461 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
462
eef1d9b6 463 BT_DBG("chan %p", chan);
abc545b8 464
48454079
GP		 465 return chan;
466}
6b8d4a6a 467EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 468
144ad330 469static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 470{
144ad330
SS		 471 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
472
4af66c69
JK		 473 BT_DBG("chan %p", chan);
474
333055f2 475 write_lock(&chan_list_lock);
23691d75 476 list_del(&chan->global_l);
333055f2 477 write_unlock(&chan_list_lock);
23691d75 478
4af66c69 479 kfree(chan);
6ff5abbf
GP		 480}
481
30648372
JK		 482void l2cap_chan_hold(struct l2cap_chan *c)
483{
2c935bc5 484 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
30648372 485
144ad330 486 kref_get(&c->kref);
30648372
JK		 487}
488
489void l2cap_chan_put(struct l2cap_chan *c)
490{
2c935bc5 491 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
30648372 492
144ad330 493 kref_put(&c->kref, l2cap_chan_destroy);
30648372 494}
6b8d4a6a 495EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 496
bd4b1653
AE		 497void l2cap_chan_set_defaults(struct l2cap_chan *chan)
498{
499 chan->fcs = L2CAP_FCS_CRC16;
500 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
501 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
502 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 503 chan->remote_max_tx = chan->max_tx;
504 chan->remote_tx_win = chan->tx_win;
c20f8e35 505 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 506 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 507 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
508 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
509 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
510 chan->conf_state = 0;
bd4b1653
AE		 511
512 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
513}
6b8d4a6a 514EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 515
0ce43ce6 516static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 517{
0ce43ce6
JH		 518 chan->sdu = NULL;
519 chan->sdu_last_frag = NULL;
520 chan->sdu_len = 0;
0cd75f7e 521 chan->tx_credits = 0;
f15b8ecf 522 chan->rx_credits = le_max_credits;
d1d79413 523 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 524
525 skb_queue_head_init(&chan->tx_q);
38319713
JH		 526}
527
93c3e8f5 528void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 529{
af05b30b 530 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 531 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 532
9f5a0d7b 533 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 534
8c1d787b 535 chan->conn = conn;
0139418c 536
5491120e
AE		 537 switch (chan->chan_type) {
538 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 539 /* Alloc CID for connection-oriented socket */
540 chan->scid = l2cap_alloc_cid(conn);
541 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 542 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 543 break;
544
545 case L2CAP_CHAN_CONN_LESS:
0139418c 546 /* Connectionless socket */
fe4128e0
GP		 547 chan->scid = L2CAP_CID_CONN_LESS;
548 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 549 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 550 break;
551
2338a7e0
JH		 552 case L2CAP_CHAN_FIXED:
553 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 554 break;
555
5491120e 556 default:
0139418c 557 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 558 chan->scid = L2CAP_CID_SIGNALING;
559 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 560 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 561 }
562
8f7975b1
AE		 563 chan->local_id = L2CAP_BESTEFFORT_ID;
564 chan->local_stype = L2CAP_SERV_BESTEFFORT;
565 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
566 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
567 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 568 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 569
371fd835 570 l2cap_chan_hold(chan);
baa7e1fa 571
c16900cf
JH		 572 /* Only keep a reference for fixed channels if they requested it */
573 if (chan->chan_type != L2CAP_CHAN_FIXED ||
574 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
575 hci_conn_hold(conn->hcon);
5ee9891d 576
3df91ea2 577 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 578}
579
466f8004 580void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 581{
582 mutex_lock(&conn->chan_lock);
583 __l2cap_chan_add(conn, chan);
3df91ea2 584 mutex_unlock(&conn->chan_lock);
0139418c
MH		 585}
586
466f8004 587void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 588{
8c1d787b 589 struct l2cap_conn *conn = chan->conn;
0139418c 590
c9b66675 591 __clear_chan_timer(chan);
0139418c 592
49d11741
JH		 593 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
594 state_to_string(chan->state));
0139418c 595
72847ce0
JH		 596 chan->ops->teardown(chan, err);
597
8e87d142 598 if (conn) {
56f60984 599 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 600 /* Delete from channel list */
3df91ea2 601 list_del(&chan->list);
3d57dc68 602
371fd835 603 l2cap_chan_put(chan);
baa7e1fa 604
8c1d787b 605 chan->conn = NULL;
3cabbfda 606
c16900cf
JH		 607 /* Reference was only held for non-fixed channels or
608 * fixed channels that explicitly requested it using the
609 * FLAG_HOLD_HCI_CONN flag.
610 */
611 if (chan->chan_type != L2CAP_CHAN_FIXED ||
612 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
76a68ba0 613 hci_conn_drop(conn->hcon);
56f60984
AE		 614
615 if (mgr && mgr->bredr_chan == chan)
616 mgr->bredr_chan = NULL;
0139418c
MH		 617 }
618
419e08c1
AE		 619 if (chan->hs_hchan) {
620 struct hci_chan *hs_hchan = chan->hs_hchan;
621
622 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
623 amp_disconnect_logical_link(hs_hchan);
624 }
625
2827011f 626 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 627 return;
2ead70b8 628
ee556f66
GP		 629 switch(chan->mode) {
630 case L2CAP_MODE_BASIC:
631 break;
c13ffa62 632
38319713 633 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 634 skb_queue_purge(&chan->tx_q);
38319713
JH		 635 break;
636
ee556f66 637 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 638 __clear_retrans_timer(chan);
639 __clear_monitor_timer(chan);
640 __clear_ack_timer(chan);
c13ffa62 641
f1c6775b 642 skb_queue_purge(&chan->srej_q);
c13ffa62 643
3c588192
MM		 644 l2cap_seq_list_free(&chan->srej_list);
645 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 646
647 /* fall through */
648
649 case L2CAP_MODE_STREAMING:
650 skb_queue_purge(&chan->tx_q);
651 break;
c13ffa62 652 }
ee556f66
GP		 653
654 return;
0139418c 655}
6b8d4a6a 656EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 657
f3d82d0c 658static void l2cap_conn_update_id_addr(struct work_struct *work)
387a33e3 659{
f3d82d0c
JH		 660 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
661 id_addr_update_work);
662 struct hci_conn *hcon = conn->hcon;
387a33e3
JH		 663 struct l2cap_chan *chan;
664
665 mutex_lock(&conn->chan_lock);
666
667 list_for_each_entry(chan, &conn->chan_l, list) {
668 l2cap_chan_lock(chan);
669 bacpy(&chan->dst, &hcon->dst);
a250e048 670 chan->dst_type = bdaddr_dst_type(hcon);
387a33e3
JH		 671 l2cap_chan_unlock(chan);
672 }
673
674 mutex_unlock(&conn->chan_lock);
675}
676
27e2d4c8
JH		 677static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
678{
679 struct l2cap_conn *conn = chan->conn;
680 struct l2cap_le_conn_rsp rsp;
681 u16 result;
682
683 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
684 result = L2CAP_CR_AUTHORIZATION;
685 else
686 result = L2CAP_CR_BAD_PSM;
687
688 l2cap_state_change(chan, BT_DISCONN);
689
690 rsp.dcid = cpu_to_le16(chan->scid);
691 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 692 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 693 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 694 rsp.result = cpu_to_le16(result);
695
696 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
697 &rsp);
698}
699
791d60f7
JH		 700static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
701{
702 struct l2cap_conn *conn = chan->conn;
703 struct l2cap_conn_rsp rsp;
704 u16 result;
705
706 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
707 result = L2CAP_CR_SEC_BLOCK;
708 else
709 result = L2CAP_CR_BAD_PSM;
710
711 l2cap_state_change(chan, BT_DISCONN);
712
713 rsp.scid = cpu_to_le16(chan->dcid);
714 rsp.dcid = cpu_to_le16(chan->scid);
715 rsp.result = cpu_to_le16(result);
dcf4adbf 716 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 717
718 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
719}
720
0f852724 721void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 722{
723 struct l2cap_conn *conn = chan->conn;
4519de9a 724
7eafc59e 725 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 726
89bc500e 727 switch (chan->state) {
4519de9a 728 case BT_LISTEN:
b699ec0d 729 chan->ops->teardown(chan, 0);
4519de9a
GP		 730 break;
731
732 case BT_CONNECTED:
733 case BT_CONFIG:
7b25c9b3 734 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 735 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 736 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 737 } else
738 l2cap_chan_del(chan, reason);
739 break;
740
741 case BT_CONNECT2:
791d60f7
JH		 742 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
743 if (conn->hcon->type == ACL_LINK)
744 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 745 else if (conn->hcon->type == LE_LINK)
746 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 747 }
748
749 l2cap_chan_del(chan, reason);
750 break;
751
752 case BT_CONNECT:
753 case BT_DISCONN:
754 l2cap_chan_del(chan, reason);
755 break;
756
757 default:
b699ec0d 758 chan->ops->teardown(chan, 0);
4519de9a
GP		 759 break;
760 }
761}
6b8d4a6a 762EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 763
4343478f 764static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 765{
6a974b50
MH		 766 switch (chan->chan_type) {
767 case L2CAP_CHAN_RAW:
4343478f 768 switch (chan->sec_level) {
8556edd3 769 case BT_SECURITY_HIGH:
7d513e92 770 case BT_SECURITY_FIPS:
8556edd3
JH		 771 return HCI_AT_DEDICATED_BONDING_MITM;
772 case BT_SECURITY_MEDIUM:
773 return HCI_AT_DEDICATED_BONDING;
774 default:
775 return HCI_AT_NO_BONDING;
776 }
6a974b50 777 break;
3124b843 778 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 779 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
782 }
7d513e92
MH		 783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 785 return HCI_AT_NO_BONDING_MITM;
786 else
787 return HCI_AT_NO_BONDING;
788 break;
6a974b50 789 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 790 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 791 if (chan->sec_level == BT_SECURITY_LOW)
792 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 793
7d513e92
MH		 794 if (chan->sec_level == BT_SECURITY_HIGH ||
795 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 796 return HCI_AT_NO_BONDING_MITM;
797 else
798 return HCI_AT_NO_BONDING;
799 }
800 /* fall through */
801 default:
4343478f 802 switch (chan->sec_level) {
00ae4af9 803 case BT_SECURITY_HIGH:
7d513e92 804 case BT_SECURITY_FIPS:
8556edd3 805 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 806 case BT_SECURITY_MEDIUM:
8556edd3 807 return HCI_AT_GENERAL_BONDING;
00ae4af9 808 default:
8556edd3 809 return HCI_AT_NO_BONDING;
00ae4af9 810 }
6a974b50 811 break;
0684e5f9 812 }
8556edd3
JH		 813}
814
815/* Service level security */
e7cafc45 816int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 817{
8c1d787b 818 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 819 __u8 auth_type;
820
a17de2fe
JH		 821 if (conn->hcon->type == LE_LINK)
822 return smp_conn_security(conn->hcon, chan->sec_level);
823
4343478f 824 auth_type = l2cap_get_auth_type(chan);
79d554a6 825
e7cafc45
JH		 826 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
827 initiator);
79d554a6
MH		 828}
829
b5ad8b7f 830static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 831{
832 u8 id;
833
834 /* Get next available identificator.
835 * 1 - 128 are used by kernel.
836 * 129 - 199 are reserved.
837 * 200 - 254 are used by utilities like l2ping, etc.
838 */
839
5a54e7c8 840 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 841
842 if (++conn->tx_ident > 128)
843 conn->tx_ident = 1;
844
845 id = conn->tx_ident;
846
5a54e7c8 847 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 848
849 return id;
850}
851
2d792818
GP		 852static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
853 void *data)
4e8402a3
MH		 854{
855 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 856 u8 flags;
4e8402a3
MH		 857
858 BT_DBG("code 0x%2.2x", code);
859
860 if (!skb)
9a9c6a34 861 return;
4e8402a3 862
f6af675e
SW		 863 /* Use NO_FLUSH if supported or we have an LE link (which does
864 * not support auto-flushing packets) */
865 if (lmp_no_flush_capable(conn->hcon->hdev) ||
866 conn->hcon->type == LE_LINK)
e702112f
AE		 867 flags = ACL_START_NO_FLUSH;
868 else
869 flags = ACL_START;
870
14b12d0b 871 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 872 skb->priority = HCI_PRIO_MAX;
14b12d0b 873
73d80deb
LAD		 874 hci_send_acl(conn->hchan, skb, flags);
875}
876
02b0fbb9
MM		 877static bool __chan_is_moving(struct l2cap_chan *chan)
878{
879 return chan->move_state != L2CAP_MOVE_STABLE &&
880 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
881}
882
73d80deb
LAD		 883static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
884{
885 struct hci_conn *hcon = chan->conn->hcon;
886 u16 flags;
887
888 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 889 skb->priority);
73d80deb 890
d5f8a75d
MM		 891 if (chan->hs_hcon && !__chan_is_moving(chan)) {
892 if (chan->hs_hchan)
893 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
894 else
895 kfree_skb(skb);
896
897 return;
898 }
899
f6af675e
SW		 900 /* Use NO_FLUSH for LE links (where this is the only option) or
901 * if the BR/EDR link supports it and flushing has not been
902 * explicitly requested (through FLAG_FLUSHABLE).
903 */
904 if (hcon->type == LE_LINK ||
905 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
906 lmp_no_flush_capable(hcon->hdev)))
73d80deb
LAD		 907 flags = ACL_START_NO_FLUSH;
908 else
909 flags = ACL_START;
14b12d0b 910
73d80deb
LAD		 911 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
912 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 913}
914
b76bbd66
MM		 915static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
916{
917 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
918 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
919
920 if (enh & L2CAP_CTRL_FRAME_TYPE) {
921 /* S-Frame */
922 control->sframe = 1;
923 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
924 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
925
926 control->sar = 0;
927 control->txseq = 0;
928 } else {
929 /* I-Frame */
930 control->sframe = 0;
931 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
932 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
933
934 control->poll = 0;
935 control->super = 0;
936 }
937}
938
b76bbd66
MM		 939static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
940{
941 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
942 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
943
944 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
945 /* S-Frame */
946 control->sframe = 1;
947 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
948 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
949
950 control->sar = 0;
951 control->txseq = 0;
952 } else {
953 /* I-Frame */
954 control->sframe = 0;
955 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
956 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
957
958 control->poll = 0;
959 control->super = 0;
960 }
961}
962
963static inline void __unpack_control(struct l2cap_chan *chan,
964 struct sk_buff *skb)
965{
966 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
967 __unpack_extended_control(get_unaligned_le32(skb->data),
a4368ff3 968 &bt_cb(skb)->l2cap);
cec8ab6e 969 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 970 } else {
971 __unpack_enhanced_control(get_unaligned_le16(skb->data),
a4368ff3 972 &bt_cb(skb)->l2cap);
cec8ab6e 973 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 974 }
975}
976
b5c6aaed
MM		 977static u32 __pack_extended_control(struct l2cap_ctrl *control)
978{
979 u32 packed;
980
981 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
982 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
983
984 if (control->sframe) {
985 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
986 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
987 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
988 } else {
989 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
990 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
991 }
992
993 return packed;
994}
995
996static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
997{
998 u16 packed;
999
1000 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1001 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1002
1003 if (control->sframe) {
1004 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1005 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1006 packed |= L2CAP_CTRL_FRAME_TYPE;
1007 } else {
1008 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1009 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1010 }
1011
1012 return packed;
1013}
1014
b76bbd66
MM		 1015static inline void __pack_control(struct l2cap_chan *chan,
1016 struct l2cap_ctrl *control,
1017 struct sk_buff *skb)
1018{
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1020 put_unaligned_le32(__pack_extended_control(control),
1021 skb->data + L2CAP_HDR_SIZE);
1022 } else {
1023 put_unaligned_le16(__pack_enhanced_control(control),
1024 skb->data + L2CAP_HDR_SIZE);
1025 }
1026}
1027
ba7aa64f
GP		 1028static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1029{
1030 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1031 return L2CAP_EXT_HDR_SIZE;
1032 else
1033 return L2CAP_ENH_HDR_SIZE;
1034}
1035
a67d7f6f
MM		 1036static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1037 u32 control)
b5c6aaed
MM		 1038{
1039 struct sk_buff *skb;
1040 struct l2cap_hdr *lh;
ba7aa64f 1041 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1042
1043 if (chan->fcs == L2CAP_FCS_CRC16)
1044 hlen += L2CAP_FCS_SIZE;
1045
a67d7f6f 1046 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1047
b5c6aaed 1048 if (!skb)
a67d7f6f 1049 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1050
1051 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1052 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1053 lh->cid = cpu_to_le16(chan->dcid);
1054
a67d7f6f
MM		 1055 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1056 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1057 else
1058 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1059
1060 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1061 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1062 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1063 }
1064
1065 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1066 return skb;
1067}
1068
1069static void l2cap_send_sframe(struct l2cap_chan *chan,
1070 struct l2cap_ctrl *control)
1071{
1072 struct sk_buff *skb;
1073 u32 control_field;
1074
1075 BT_DBG("chan %p, control %p", chan, control);
1076
1077 if (!control->sframe)
1078 return;
1079
b99e13ad
MM		 1080 if (__chan_is_moving(chan))
1081 return;
1082
a67d7f6f
MM		 1083 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1084 !control->poll)
1085 control->final = 1;
1086
1087 if (control->super == L2CAP_SUPER_RR)
1088 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1089 else if (control->super == L2CAP_SUPER_RNR)
1090 set_bit(CONN_RNR_SENT, &chan->conn_state);
1091
1092 if (control->super != L2CAP_SUPER_SREJ) {
1093 chan->last_acked_seq = control->reqseq;
1094 __clear_ack_timer(chan);
1095 }
1096
1097 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1098 control->final, control->poll, control->super);
1099
1100 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1101 control_field = __pack_extended_control(control);
1102 else
1103 control_field = __pack_enhanced_control(control);
1104
1105 skb = l2cap_create_sframe_pdu(chan, control_field);
1106 if (!IS_ERR(skb))
1107 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1108}
1109
c9e3d5e0 1110static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1111{
c9e3d5e0
MM		 1112 struct l2cap_ctrl control;
1113
1114 BT_DBG("chan %p, poll %d", chan, poll);
1115
1116 memset(&control, 0, sizeof(control));
1117 control.sframe = 1;
1118 control.poll = poll;
1119
1120 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1121 control.super = L2CAP_SUPER_RNR;
1122 else
1123 control.super = L2CAP_SUPER_RR;
b5c6aaed 1124
c9e3d5e0
MM		 1125 control.reqseq = chan->buffer_seq;
1126 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1127}
1128
b4450035 1129static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1130{
5ff6f34d
JH		 1131 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1132 return true;
1133
c1360a1c 1134 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1135}
1136
1df7b17a 1137static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1138{
1df7b17a 1139 struct l2cap_conn *conn = chan->conn;
80d58d0b 1140 struct hci_dev *hdev;
1df7b17a
MH		 1141 bool amp_available = false;
1142
0bd49fc7 1143 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1df7b17a
MH		 1144 return false;
1145
0bd49fc7 1146 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1df7b17a 1147 return false;
80d58d0b
MH		 1148
1149 read_lock(&hci_dev_list_lock);
1df7b17a 1150 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1151 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1152 test_bit(HCI_UP, &hdev->flags)) {
1153 amp_available = true;
1154 break;
1155 }
1156 }
80d58d0b
MH		 1157 read_unlock(&hci_dev_list_lock);
1158
1df7b17a
MH		 1159 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1160 return amp_available;
848566b3
MH		 1161
1162 return false;
93c3e8f5
AE		 1163}
1164
5ce66b59
AE		 1165static bool l2cap_check_efs(struct l2cap_chan *chan)
1166{
1167 /* Check EFS parameters */
1168 return true;
1169}
1170
2766be48 1171void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1172{
1173 struct l2cap_conn *conn = chan->conn;
1174 struct l2cap_conn_req req;
1175
1176 req.scid = cpu_to_le16(chan->scid);
1177 req.psm = chan->psm;
1178
1179 chan->ident = l2cap_get_ident(conn);
1180
1181 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1182
1183 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1184}
1185
8eb200bd
MM		 1186static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1187{
1188 struct l2cap_create_chan_req req;
1189 req.scid = cpu_to_le16(chan->scid);
1190 req.psm = chan->psm;
1191 req.amp_id = amp_id;
1192
1193 chan->ident = l2cap_get_ident(chan->conn);
1194
1195 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1196 sizeof(req), &req);
1197}
1198
02b0fbb9
MM		 1199static void l2cap_move_setup(struct l2cap_chan *chan)
1200{
1201 struct sk_buff *skb;
1202
1203 BT_DBG("chan %p", chan);
1204
1205 if (chan->mode != L2CAP_MODE_ERTM)
1206 return;
1207
1208 __clear_retrans_timer(chan);
1209 __clear_monitor_timer(chan);
1210 __clear_ack_timer(chan);
1211
1212 chan->retry_count = 0;
1213 skb_queue_walk(&chan->tx_q, skb) {
a4368ff3
JH		 1214 if (bt_cb(skb)->l2cap.retries)
1215 bt_cb(skb)->l2cap.retries = 1;
02b0fbb9
MM		 1216 else
1217 break;
1218 }
1219
1220 chan->expected_tx_seq = chan->buffer_seq;
1221
1222 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1223 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1224 l2cap_seq_list_clear(&chan->retrans_list);
1225 l2cap_seq_list_clear(&chan->srej_list);
1226 skb_queue_purge(&chan->srej_q);
1227
1228 chan->tx_state = L2CAP_TX_STATE_XMIT;
1229 chan->rx_state = L2CAP_RX_STATE_MOVE;
1230
1231 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1232}
1233
5f3847a4
MM		 1234static void l2cap_move_done(struct l2cap_chan *chan)
1235{
1236 u8 move_role = chan->move_role;
1237 BT_DBG("chan %p", chan);
1238
1239 chan->move_state = L2CAP_MOVE_STABLE;
1240 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1241
1242 if (chan->mode != L2CAP_MODE_ERTM)
1243 return;
1244
1245 switch (move_role) {
1246 case L2CAP_MOVE_ROLE_INITIATOR:
1247 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1248 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1249 break;
1250 case L2CAP_MOVE_ROLE_RESPONDER:
1251 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1252 break;
1253 }
1254}
1255
9f0caeb1
VCG		 1256static void l2cap_chan_ready(struct l2cap_chan *chan)
1257{
315917e0
JH		 1258 /* The channel may have already been flagged as connected in
1259 * case of receiving data before the L2CAP info req/rsp
1260 * procedure is complete.
1261 */
1262 if (chan->state == BT_CONNECTED)
1263 return;
1264
2827011f 1265 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1266 chan->conf_state = 0;
1267 __clear_chan_timer(chan);
1268
0ce43ce6
JH		 1269 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1270 chan->ops->suspend(chan);
177f8f2b 1271
54a59aa2 1272 chan->state = BT_CONNECTED;
9f0caeb1 1273
fd83e2c2 1274 chan->ops->ready(chan);
9f0caeb1
VCG		 1275}
1276
f1496dee
JH		 1277static void l2cap_le_connect(struct l2cap_chan *chan)
1278{
1279 struct l2cap_conn *conn = chan->conn;
1280 struct l2cap_le_conn_req req;
1281
595177f3
JH		 1282 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1283 return;
1284
f1496dee
JH		 1285 req.psm = chan->psm;
1286 req.scid = cpu_to_le16(chan->scid);
1287 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1288 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1289 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1290
1291 chan->ident = l2cap_get_ident(conn);
1292
1293 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1294 sizeof(req), &req);
1295}
1296
1297static void l2cap_le_start(struct l2cap_chan *chan)
1298{
1299 struct l2cap_conn *conn = chan->conn;
1300
1301 if (!smp_conn_security(conn->hcon, chan->sec_level))
1302 return;
1303
1304 if (!chan->psm) {
1305 l2cap_chan_ready(chan);
1306 return;
1307 }
1308
1309 if (chan->state == BT_CONNECT)
1310 l2cap_le_connect(chan);
1311}
1312
93c3e8f5
AE		 1313static void l2cap_start_connection(struct l2cap_chan *chan)
1314{
1315 if (__amp_capable(chan)) {
1316 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1317 a2mp_discover_amp(chan);
f1496dee
JH		 1318 } else if (chan->conn->hcon->type == LE_LINK) {
1319 l2cap_le_start(chan);
93c3e8f5
AE		 1320 } else {
1321 l2cap_send_conn_req(chan);
1322 }
1323}
1324
aeaeb4bb
JH		 1325static void l2cap_request_info(struct l2cap_conn *conn)
1326{
1327 struct l2cap_info_req req;
1328
1329 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1330 return;
1331
1332 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1333
1334 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1335 conn->info_ident = l2cap_get_ident(conn);
1336
1337 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1338
1339 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1340 sizeof(req), &req);
1341}
1342
fc7f8a7e 1343static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1344{
8c1d787b 1345 struct l2cap_conn *conn = chan->conn;
79d554a6 1346
9f0caeb1 1347 if (conn->hcon->type == LE_LINK) {
96ac34fb 1348 l2cap_le_start(chan);
9f0caeb1
VCG		 1349 return;
1350 }
1351
aeaeb4bb
JH		 1352 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1353 l2cap_request_info(conn);
1354 return;
1355 }
79d554a6 1356
aeaeb4bb
JH		 1357 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1358 return;
79d554a6 1359
aeaeb4bb
JH		 1360 if (l2cap_chan_check_security(chan, true) &&
1361 __l2cap_no_conn_pending(chan))
1362 l2cap_start_connection(chan);
79d554a6
MH		 1363}
1364
cf6c2c0b
GP		 1365static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1366{
1367 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1368 if (!disable_ertm)
cf6c2c0b
GP		 1369 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1370
1371 switch (mode) {
1372 case L2CAP_MODE_ERTM:
1373 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1374 case L2CAP_MODE_STREAMING:
1375 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1376 default:
1377 return 0x00;
1378 }
1379}
1380
5e4e3972 1381static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1382{
5e4e3972 1383 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1384 struct l2cap_disconn_req req;
1385
c13ffa62
GP		 1386 if (!conn)
1387 return;
1388
aad3d0e3 1389 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1390 __clear_retrans_timer(chan);
1391 __clear_monitor_timer(chan);
1392 __clear_ack_timer(chan);
c13ffa62
GP		 1393 }
1394
2338a7e0 1395 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1396 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1397 return;
1398 }
1399
fe4128e0
GP		 1400 req.dcid = cpu_to_le16(chan->dcid);
1401 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1402 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1403 sizeof(req), &req);
c13ffa62 1404
f8e73017 1405 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1406}
1407
1da177e4 1408/* ---- L2CAP connections ---- */
4e8402a3
MH		 1409static void l2cap_conn_start(struct l2cap_conn *conn)
1410{
3df91ea2 1411 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1412
1413 BT_DBG("conn %p", conn);
1414
3df91ea2 1415 mutex_lock(&conn->chan_lock);
4e8402a3 1416
3df91ea2 1417 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1418 l2cap_chan_lock(chan);
4e8402a3 1419
715ec005 1420 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb 1421 l2cap_chan_ready(chan);
6be36555 1422 l2cap_chan_unlock(chan);
79d554a6
MH		 1423 continue;
1424 }
1425
89bc500e 1426 if (chan->state == BT_CONNECT) {
e7cafc45 1427 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1428 !__l2cap_no_conn_pending(chan)) {
6be36555 1429 l2cap_chan_unlock(chan);
47731de7
GP		 1430 continue;
1431 }
79d554a6 1432
c1360a1c 1433 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1434 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1435 &chan->conf_state)) {
89bc500e 1436 l2cap_chan_close(chan, ECONNRESET);
6be36555 1437 l2cap_chan_unlock(chan);
47731de7 1438 continue;
b1235d79 1439 }
47731de7 1440
93c3e8f5 1441 l2cap_start_connection(chan);
47731de7 1442
89bc500e 1443 } else if (chan->state == BT_CONNECT2) {
79d554a6 1444 struct l2cap_conn_rsp rsp;
e9aeb2dd 1445 char buf[128];
fe4128e0
GP		 1446 rsp.scid = cpu_to_le16(chan->dcid);
1447 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1448
e7cafc45 1449 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1450 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1451 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1452 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1453 chan->ops->defer(chan);
f66dc81f
MH		 1454
1455 } else {
acdcabf5 1456 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1457 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1458 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1459 }
79d554a6 1460 } else {
dcf4adbf
JP		 1461 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1462 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1463 }
1464
fc7f8a7e 1465 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1466 sizeof(rsp), &rsp);
e9aeb2dd 1467
c1360a1c 1468 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1469 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1470 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1471 continue;
1472 }
1473
c1360a1c 1474 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1475 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1476 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1477 chan->num_conf_req++;
4e8402a3
MH		 1478 }
1479
6be36555 1480 l2cap_chan_unlock(chan);
4e8402a3
MH		 1481 }
1482
3df91ea2 1483 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1484}
1485
b62f328b
VT		 1486static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1487{
cc8dba2b 1488 struct hci_conn *hcon = conn->hcon;
dcc36c16 1489 struct hci_dev *hdev = hcon->hdev;
b62f328b 1490
e760ec12 1491 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1492
e760ec12
JH		 1493 /* For outgoing pairing which doesn't necessarily have an
1494 * associated socket (e.g. mgmt_pair_device).
1495 */
1496 if (hcon->out)
1497 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1498
80afeb6c
MH		 1499 /* For LE slave connections, make sure the connection interval
1500 * is in the range of the minium and maximum interval that has
1501 * been configured for this connection. If not, then trigger
1502 * the connection update procedure.
1503 */
40bef302 1504 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1505 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1506 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1507 struct l2cap_conn_param_update_req req;
1508
1509 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1510 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1511 req.latency = cpu_to_le16(hcon->le_conn_latency);
1512 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1513
1514 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1515 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1516 }
b62f328b
VT		 1517}
1518
4e8402a3
MH		 1519static void l2cap_conn_ready(struct l2cap_conn *conn)
1520{
48454079 1521 struct l2cap_chan *chan;
cc110922 1522 struct hci_conn *hcon = conn->hcon;
4e8402a3 1523
79d554a6 1524 BT_DBG("conn %p", conn);
4e8402a3 1525
aeaeb4bb
JH		 1526 if (hcon->type == ACL_LINK)
1527 l2cap_request_info(conn);
1528
e760ec12
JH		 1529 mutex_lock(&conn->chan_lock);
1530
3df91ea2 1531 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1532
6be36555 1533 l2cap_chan_lock(chan);
4e8402a3 1534
2338a7e0 1535 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1536 l2cap_chan_unlock(chan);
1537 continue;
1538 }
1539
cc110922 1540 if (hcon->type == LE_LINK) {
f1496dee 1541 l2cap_le_start(chan);
63128451 1542 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
aeaeb4bb
JH		 1543 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1544 l2cap_chan_ready(chan);
1c244f79 1545 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1546 l2cap_do_start(chan);
1c244f79 1547 }
4e8402a3 1548
6be36555 1549 l2cap_chan_unlock(chan);
4e8402a3 1550 }
79d554a6 1551
3df91ea2 1552 mutex_unlock(&conn->chan_lock);
61a939c6 1553
79a05727
JH		 1554 if (hcon->type == LE_LINK)
1555 l2cap_le_conn_ready(conn);
1556
61a939c6 1557 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1558}
1559
1560/* Notify sockets that we cannot guaranty reliability anymore */
1561static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1562{
48454079 1563 struct l2cap_chan *chan;
4e8402a3
MH		 1564
1565 BT_DBG("conn %p", conn);
1566
3df91ea2 1567 mutex_lock(&conn->chan_lock);
4e8402a3 1568
3df91ea2 1569 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1570 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1571 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1572 }
1573
3df91ea2 1574 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1575}
1576
f878fcad 1577static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1578{
f878fcad 1579 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1580 info_timer.work);
4e8402a3 1581
984947dc 1582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1583 conn->info_ident = 0;
984947dc 1584
4e8402a3
MH		 1585 l2cap_conn_start(conn);
1586}
1587
2c8e1411
DH		 1588/*
1589 * l2cap_user
1590 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1591 * callback is called during registration. The ->remove callback is called
1592 * during unregistration.
1593 * An l2cap_user object can either be explicitly unregistered or when the
1594 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1595 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1596 * External modules must own a reference to the l2cap_conn object if they intend
1597 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1598 * any time if they don't.
1599 */
1600
1601int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1602{
1603 struct hci_dev *hdev = conn->hcon->hdev;
1604 int ret;
1605
1606 /* We need to check whether l2cap_conn is registered. If it is not, we
1607 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1608 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1609 * relies on the parent hci_conn object to be locked. This itself relies
1610 * on the hci_dev object to be locked. So we must lock the hci device
1611 * here, too. */
1612
1613 hci_dev_lock(hdev);
1614
835a6a2f 1615 if (!list_empty(&user->list)) {
2c8e1411
DH		 1616 ret = -EINVAL;
1617 goto out_unlock;
1618 }
1619
1620 /* conn->hchan is NULL after l2cap_conn_del() was called */
1621 if (!conn->hchan) {
1622 ret = -ENODEV;
1623 goto out_unlock;
1624 }
1625
1626 ret = user->probe(conn, user);
1627 if (ret)
1628 goto out_unlock;
1629
1630 list_add(&user->list, &conn->users);
1631 ret = 0;
1632
1633out_unlock:
1634 hci_dev_unlock(hdev);
1635 return ret;
1636}
1637EXPORT_SYMBOL(l2cap_register_user);
1638
1639void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1640{
1641 struct hci_dev *hdev = conn->hcon->hdev;
1642
1643 hci_dev_lock(hdev);
1644
835a6a2f 1645 if (list_empty(&user->list))
2c8e1411
DH		 1646 goto out_unlock;
1647
ab944c83 1648 list_del_init(&user->list);
2c8e1411
DH		 1649 user->remove(conn, user);
1650
1651out_unlock:
1652 hci_dev_unlock(hdev);
1653}
1654EXPORT_SYMBOL(l2cap_unregister_user);
1655
1656static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1657{
1658 struct l2cap_user *user;
1659
1660 while (!list_empty(&conn->users)) {
1661 user = list_first_entry(&conn->users, struct l2cap_user, list);
ab944c83 1662 list_del_init(&user->list);
2c8e1411
DH		 1663 user->remove(conn, user);
1664 }
1665}
1666
5d3de7df
VCG		 1667static void l2cap_conn_del(struct hci_conn *hcon, int err)
1668{
1669 struct l2cap_conn *conn = hcon->l2cap_data;
1670 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1671
1672 if (!conn)
1673 return;
1674
1675 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1676
1677 kfree_skb(conn->rx_skb);
1678
61a939c6 1679 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1680
1681 /* We can not call flush_work(&conn->pending_rx_work) here since we
1682 * might block if we are running on a worker from the same workqueue
1683 * pending_rx_work is waiting on.
1684 */
1685 if (work_pending(&conn->pending_rx_work))
1686 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1687
f3d82d0c
JH		 1688 if (work_pending(&conn->id_addr_update_work))
1689 cancel_work_sync(&conn->id_addr_update_work);
1690
2c8e1411
DH		 1691 l2cap_unregister_all_users(conn);
1692
e31fb860
JH		 1693 /* Force the connection to be immediately dropped */
1694 hcon->disc_timeout = 0;
1695
3df91ea2
AE		 1696 mutex_lock(&conn->chan_lock);
1697
5d3de7df
VCG		 1698 /* Kill channels */
1699 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1700 l2cap_chan_hold(chan);
6be36555
AE		 1701 l2cap_chan_lock(chan);
1702
5d3de7df 1703 l2cap_chan_del(chan, err);
6be36555
AE		 1704
1705 l2cap_chan_unlock(chan);
1706
80b98027 1707 chan->ops->close(chan);
61d6ef3e 1708 l2cap_chan_put(chan);
5d3de7df
VCG		 1709 }
1710
3df91ea2
AE		 1711 mutex_unlock(&conn->chan_lock);
1712
73d80deb
LAD		 1713 hci_chan_del(conn->hchan);
1714
5d3de7df 1715 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1716 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1717
5d3de7df 1718 hcon->l2cap_data = NULL;
9c903e37
DH		 1719 conn->hchan = NULL;
1720 l2cap_conn_put(conn);
5d3de7df
VCG		 1721}
1722
9c903e37
DH		 1723static void l2cap_conn_free(struct kref *ref)
1724{
1725 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1726
1727 hci_conn_put(conn->hcon);
1728 kfree(conn);
1729}
1730
51bb8457 1731struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
9c903e37
DH		 1732{
1733 kref_get(&conn->ref);
51bb8457 1734 return conn;
9c903e37
DH		 1735}
1736EXPORT_SYMBOL(l2cap_conn_get);
1737
1738void l2cap_conn_put(struct l2cap_conn *conn)
1739{
1740 kref_put(&conn->ref, l2cap_conn_free);
1741}
1742EXPORT_SYMBOL(l2cap_conn_put);
1743
1da177e4 1744/* ---- Socket interface ---- */
1da177e4 1745
c2287681 1746/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1747 * Returns closest match.
1748 */
c2287681
IY		 1749static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1750 bdaddr_t *src,
bf20fd4e
JH		 1751 bdaddr_t *dst,
1752 u8 link_type)
1da177e4 1753{
23691d75 1754 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1755
23691d75 1756 read_lock(&chan_list_lock);
e0f0cb56 1757
23691d75 1758 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1759 if (state && c->state != state)
1da177e4
LT		 1760 continue;
1761
bf20fd4e
JH		 1762 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1763 continue;
1764
1765 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1766 continue;
1767
23691d75 1768 if (c->psm == psm) {
c2287681
IY		 1769 int src_match, dst_match;
1770 int src_any, dst_any;
1771
1da177e4 1772 /* Exact match. */
7eafc59e
MH		 1773 src_match = !bacmp(&c->src, src);
1774 dst_match = !bacmp(&c->dst, dst);
c2287681 1775 if (src_match && dst_match) {
a24cce14 1776 l2cap_chan_hold(c);
a7567b20 1777 read_unlock(&chan_list_lock);
23691d75
GP		 1778 return c;
1779 }
1da177e4
LT		 1780
1781 /* Closest match */
7eafc59e
MH		 1782 src_any = !bacmp(&c->src, BDADDR_ANY);
1783 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1784 if ((src_match && dst_any) || (src_any && dst_match) ||
1785 (src_any && dst_any))
23691d75 1786 c1 = c;
1da177e4
LT		 1787 }
1788 }
1da177e4 1789
a24cce14
JH		 1790 if (c1)
1791 l2cap_chan_hold(c1);
1792
23691d75 1793 read_unlock(&chan_list_lock);
e0f0cb56 1794
23691d75 1795 return c1;
1da177e4
LT		 1796}
1797
721c4181 1798static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1799{
721c4181 1800 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1801 monitor_timer.work);
e90bac06 1802
525cd185 1803 BT_DBG("chan %p", chan);
0e98958d 1804
6be36555
AE		 1805 l2cap_chan_lock(chan);
1806
80909e04 1807 if (!chan->conn) {
6be36555 1808 l2cap_chan_unlock(chan);
8d7e1c7f 1809 l2cap_chan_put(chan);
e90bac06
GP		 1810 return;
1811 }
1812
401bb1f7 1813 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1814
6be36555 1815 l2cap_chan_unlock(chan);
8d7e1c7f 1816 l2cap_chan_put(chan);
e90bac06
GP		 1817}
1818
721c4181 1819static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1820{
721c4181 1821 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1822 retrans_timer.work);
e90bac06 1823
49208c9c 1824 BT_DBG("chan %p", chan);
0e98958d 1825
6be36555
AE		 1826 l2cap_chan_lock(chan);
1827
80909e04
MM		 1828 if (!chan->conn) {
1829 l2cap_chan_unlock(chan);
1830 l2cap_chan_put(chan);
1831 return;
1832 }
6be36555 1833
401bb1f7 1834 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1835 l2cap_chan_unlock(chan);
8d7e1c7f 1836 l2cap_chan_put(chan);
e90bac06
GP		 1837}
1838
d660366d
GP		 1839static void l2cap_streaming_send(struct l2cap_chan *chan,
1840 struct sk_buff_head *skbs)
6840ed07 1841{
ccbb84af 1842 struct sk_buff *skb;
3733937d 1843 struct l2cap_ctrl *control;
6840ed07 1844
3733937d
MM		 1845 BT_DBG("chan %p, skbs %p", chan, skbs);
1846
b99e13ad
MM		 1847 if (__chan_is_moving(chan))
1848 return;
1849
3733937d
MM		 1850 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1851
1852 while (!skb_queue_empty(&chan->tx_q)) {
1853
1854 skb = skb_dequeue(&chan->tx_q);
1855
a4368ff3
JH		 1856 bt_cb(skb)->l2cap.retries = 1;
1857 control = &bt_cb(skb)->l2cap;
3733937d
MM		 1858
1859 control->reqseq = 0;
1860 control->txseq = chan->next_tx_seq;
1861
1862 __pack_control(chan, control, skb);
6840ed07 1863
47d1ec61 1864 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1865 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1866 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1867 }
1868
4343478f 1869 l2cap_do_send(chan, skb);
6840ed07 1870
b4400672 1871 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1872
836be934 1873 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1874 chan->frames_sent++;
6840ed07 1875 }
6840ed07
GP		 1876}
1877
67c9e840 1878static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1879{
1880 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1881 struct l2cap_ctrl *control;
1882 int sent = 0;
1883
1884 BT_DBG("chan %p", chan);
1c2acffb 1885
89bc500e 1886 if (chan->state != BT_CONNECTED)
c13ffa62 1887 return -ENOTCONN;
e90bac06 1888
94122bbe
MM		 1889 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1890 return 0;
1891
b99e13ad
MM		 1892 if (__chan_is_moving(chan))
1893 return 0;
1894
18a48e76
MM		 1895 while (chan->tx_send_head &&
1896 chan->unacked_frames < chan->remote_tx_win &&
1897 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1898
18a48e76 1899 skb = chan->tx_send_head;
e90bac06 1900
a4368ff3
JH		 1901 bt_cb(skb)->l2cap.retries = 1;
1902 control = &bt_cb(skb)->l2cap;
95ffa978 1903
e2ab4353 1904 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1905 control->final = 1;
e2ab4353 1906
18a48e76
MM		 1907 control->reqseq = chan->buffer_seq;
1908 chan->last_acked_seq = chan->buffer_seq;
1909 control->txseq = chan->next_tx_seq;
1c2acffb 1910
18a48e76 1911 __pack_control(chan, control, skb);
e90bac06 1912
47d1ec61 1913 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1914 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1915 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1916 }
1917
18a48e76
MM		 1918 /* Clone after data has been modified. Data is assumed to be
1919 read-only (for locking purposes) on cloned sk_buffs.
1920 */
1921 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1922
18a48e76
MM		 1923 if (!tx_skb)
1924 break;
1c2acffb 1925
18a48e76 1926 __set_retrans_timer(chan);
836be934
AE		 1927
1928 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1929 chan->unacked_frames++;
6a026610 1930 chan->frames_sent++;
18a48e76 1931 sent++;
1c2acffb 1932
58d35f87
GP		 1933 if (skb_queue_is_last(&chan->tx_q, skb))
1934 chan->tx_send_head = NULL;
1c2acffb 1935 else
58d35f87 1936 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1937
1938 l2cap_do_send(chan, tx_skb);
b4400672 1939 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1940 }
1941
b4400672
AE		 1942 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1943 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1944
1945 return sent;
9e917af1
GP		 1946}
1947
e1fbd4c1
MM		 1948static void l2cap_ertm_resend(struct l2cap_chan *chan)
1949{
1950 struct l2cap_ctrl control;
1951 struct sk_buff *skb;
1952 struct sk_buff *tx_skb;
1953 u16 seq;
1954
1955 BT_DBG("chan %p", chan);
1956
1957 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1958 return;
1959
b99e13ad
MM		 1960 if (__chan_is_moving(chan))
1961 return;
1962
e1fbd4c1
MM		 1963 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1964 seq = l2cap_seq_list_pop(&chan->retrans_list);
1965
1966 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1967 if (!skb) {
1968 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1969 seq);
e1fbd4c1
MM		 1970 continue;
1971 }
1972
a4368ff3
JH		 1973 bt_cb(skb)->l2cap.retries++;
1974 control = bt_cb(skb)->l2cap;
e1fbd4c1
MM		 1975
1976 if (chan->max_tx != 0 &&
a4368ff3 1977 bt_cb(skb)->l2cap.retries > chan->max_tx) {
e1fbd4c1 1978 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1979 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1980 l2cap_seq_list_clear(&chan->retrans_list);
1981 break;
1982 }
1983
1984 control.reqseq = chan->buffer_seq;
1985 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1986 control.final = 1;
1987 else
1988 control.final = 0;
1989
1990 if (skb_cloned(skb)) {
1991 /* Cloned sk_buffs are read-only, so we need a
1992 * writeable copy
1993 */
8bcde1f2 1994 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1995 } else {
8bcde1f2 1996 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1997 }
1998
1999 if (!tx_skb) {
2000 l2cap_seq_list_clear(&chan->retrans_list);
2001 break;
2002 }
2003
2004 /* Update skb contents */
2005 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2006 put_unaligned_le32(__pack_extended_control(&control),
2007 tx_skb->data + L2CAP_HDR_SIZE);
2008 } else {
2009 put_unaligned_le16(__pack_enhanced_control(&control),
2010 tx_skb->data + L2CAP_HDR_SIZE);
2011 }
2012
13cac152 2013 /* Update FCS */
e1fbd4c1 2014 if (chan->fcs == L2CAP_FCS_CRC16) {
13cac152
LR		 2015 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2016 tx_skb->len - L2CAP_FCS_SIZE);
2017 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2018 L2CAP_FCS_SIZE);
e1fbd4c1
MM		 2019 }
2020
2021 l2cap_do_send(chan, tx_skb);
2022
2023 BT_DBG("Resent txseq %d", control.txseq);
2024
2025 chan->last_acked_seq = chan->buffer_seq;
2026 }
2027}
2028
f80842a8
MM		 2029static void l2cap_retransmit(struct l2cap_chan *chan,
2030 struct l2cap_ctrl *control)
2031{
2032 BT_DBG("chan %p, control %p", chan, control);
2033
2034 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2035 l2cap_ertm_resend(chan);
2036}
2037
d2a7ac5d
MM		 2038static void l2cap_retransmit_all(struct l2cap_chan *chan,
2039 struct l2cap_ctrl *control)
2040{
e1fbd4c1
MM		 2041 struct sk_buff *skb;
2042
2043 BT_DBG("chan %p, control %p", chan, control);
2044
2045 if (control->poll)
2046 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2047
2048 l2cap_seq_list_clear(&chan->retrans_list);
2049
2050 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2051 return;
2052
2053 if (chan->unacked_frames) {
2054 skb_queue_walk(&chan->tx_q, skb) {
a4368ff3 2055 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2d792818 2056 skb == chan->tx_send_head)
e1fbd4c1
MM		 2057 break;
2058 }
2059
2060 skb_queue_walk_from(&chan->tx_q, skb) {
2061 if (skb == chan->tx_send_head)
2062 break;
2063
2064 l2cap_seq_list_append(&chan->retrans_list,
a4368ff3 2065 bt_cb(skb)->l2cap.txseq);
e1fbd4c1
MM		 2066 }
2067
2068 l2cap_ertm_resend(chan);
2069 }
d2a7ac5d
MM		 2070}
2071
0a0aba42 2072static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2073{
0a0aba42
MM		 2074 struct l2cap_ctrl control;
2075 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2076 chan->last_acked_seq);
2077 int threshold;
9e917af1 2078
0a0aba42
MM		 2079 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2080 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2081
0a0aba42
MM		 2082 memset(&control, 0, sizeof(control));
2083 control.sframe = 1;
dfc909be 2084
0a0aba42
MM		 2085 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2086 chan->rx_state == L2CAP_RX_STATE_RECV) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RNR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2091 } else {
2092 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2093 l2cap_ertm_send(chan);
2094 /* If any i-frames were sent, they included an ack */
2095 if (chan->buffer_seq == chan->last_acked_seq)
2096 frames_to_ack = 0;
2097 }
dfc909be 2098
c20f8e35 2099 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2100 * Calculate without mul or div
2101 */
c20f8e35 2102 threshold = chan->ack_win;
0a0aba42
MM		 2103 threshold += threshold << 1;
2104 threshold >>= 2;
2105
b4400672 2106 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2107 threshold);
2108
2109 if (frames_to_ack >= threshold) {
2110 __clear_ack_timer(chan);
2111 control.super = L2CAP_SUPER_RR;
2112 control.reqseq = chan->buffer_seq;
2113 l2cap_send_sframe(chan, &control);
2114 frames_to_ack = 0;
2115 }
1c2acffb 2116
0a0aba42
MM		 2117 if (frames_to_ack)
2118 __set_ack_timer(chan);
2119 }
b17e73bb
SJ		 2120}
2121
04124681
GP		 2122static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2123 struct msghdr *msg, int len,
2124 int count, struct sk_buff *skb)
1c2acffb 2125{
0952a57a 2126 struct l2cap_conn *conn = chan->conn;
1c2acffb 2127 struct sk_buff **frag;
90338947 2128 int sent = 0;
1da177e4 2129
cbbd26b8 2130 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
1c2acffb 2131 return -EFAULT;
1da177e4
LT		 2132
2133 sent += count;
2134 len -= count;
2135
2136 /* Continuation fragments (no L2CAP header) */
2137 frag = &skb_shinfo(skb)->frag_list;
2138 while (len) {
fbe00700
GP		 2139 struct sk_buff *tmp;
2140
1da177e4
LT		 2141 count = min_t(unsigned int, conn->mtu, len);
2142
d9fbd02b 2143 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2144 msg->msg_flags & MSG_DONTWAIT);
2145 if (IS_ERR(tmp))
2146 return PTR_ERR(tmp);
2147
2148 *frag = tmp;
2f7719ce 2149
cbbd26b8
AV		 2150 if (!copy_from_iter_full(skb_put(*frag, count), count,
2151 &msg->msg_iter))
1c2acffb 2152 return -EFAULT;
1da177e4
LT		 2153
2154 sent += count;
2155 len -= count;
2156
2d0ed3d5
GP		 2157 skb->len += (*frag)->len;
2158 skb->data_len += (*frag)->len;
2159
1da177e4
LT		 2160 frag = &(*frag)->next;
2161 }
1da177e4
LT		 2162
2163 return sent;
1c2acffb 2164}
1da177e4 2165
5e59b791 2166static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2167 struct msghdr *msg, size_t len)
1c2acffb 2168{
8c1d787b 2169 struct l2cap_conn *conn = chan->conn;
1c2acffb 2170 struct sk_buff *skb;
03a51213 2171 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2172 struct l2cap_hdr *lh;
2173
8d46321c
MH		 2174 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2175 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2176
2177 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2178
d9fbd02b 2179 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2180 msg->msg_flags & MSG_DONTWAIT);
2181 if (IS_ERR(skb))
2182 return skb;
1c2acffb
GP		 2183
2184 /* Create L2CAP header */
2185 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2186 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2187 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2188 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2189
0952a57a 2190 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2191 if (unlikely(err < 0)) {
2192 kfree_skb(skb);
2193 return ERR_PTR(err);
2194 }
2195 return skb;
2196}
2197
5e59b791 2198static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2199 struct msghdr *msg, size_t len)
1c2acffb 2200{
8c1d787b 2201 struct l2cap_conn *conn = chan->conn;
1c2acffb 2202 struct sk_buff *skb;
f2ba7fae 2203 int err, count;
1c2acffb
GP		 2204 struct l2cap_hdr *lh;
2205
b4400672 2206 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2207
f2ba7fae 2208 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2209
d9fbd02b 2210 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2211 msg->msg_flags & MSG_DONTWAIT);
2212 if (IS_ERR(skb))
2213 return skb;
1c2acffb
GP		 2214
2215 /* Create L2CAP header */
2216 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2217 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2218 lh->len = cpu_to_le16(len);
1c2acffb 2219
0952a57a 2220 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2221 if (unlikely(err < 0)) {
2222 kfree_skb(skb);
2223 return ERR_PTR(err);
2224 }
2225 return skb;
2226}
2227
ab0ff76d 2228static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2229 struct msghdr *msg, size_t len,
2230 u16 sdulen)
1c2acffb 2231{
8c1d787b 2232 struct l2cap_conn *conn = chan->conn;
1c2acffb 2233 struct sk_buff *skb;
e4ca6d98 2234 int err, count, hlen;
1c2acffb
GP		 2235 struct l2cap_hdr *lh;
2236
b4400672 2237 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2238
0ee0d208
GP		 2239 if (!conn)
2240 return ERR_PTR(-ENOTCONN);
2241
ba7aa64f 2242 hlen = __ertm_hdr_size(chan);
e4ca6d98 2243
c74e560c 2244 if (sdulen)
03a51213 2245 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2246
47d1ec61 2247 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2248 hlen += L2CAP_FCS_SIZE;
fcc203c3 2249
1c2acffb 2250 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2251
d9fbd02b 2252 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2253 msg->msg_flags & MSG_DONTWAIT);
2254 if (IS_ERR(skb))
2255 return skb;
1c2acffb
GP		 2256
2257 /* Create L2CAP header */
2258 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2259 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2260 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2261
18a48e76
MM		 2262 /* Control header is populated later */
2263 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2264 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2265 else
2266 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2267
c74e560c 2268 if (sdulen)
03a51213 2269 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2270
0952a57a 2271 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2272 if (unlikely(err < 0)) {
2273 kfree_skb(skb);
2274 return ERR_PTR(err);
2275 }
e90bac06 2276
a4368ff3
JH		 2277 bt_cb(skb)->l2cap.fcs = chan->fcs;
2278 bt_cb(skb)->l2cap.retries = 0;
1c2acffb 2279 return skb;
1da177e4
LT		 2280}
2281
94122bbe
MM		 2282static int l2cap_segment_sdu(struct l2cap_chan *chan,
2283 struct sk_buff_head *seg_queue,
2284 struct msghdr *msg, size_t len)
c74e560c 2285{
c74e560c 2286 struct sk_buff *skb;
94122bbe
MM		 2287 u16 sdu_len;
2288 size_t pdu_len;
94122bbe 2289 u8 sar;
c74e560c 2290
b4400672 2291 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2292
94122bbe
MM		 2293 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2294 * so fragmented skbs are not used. The HCI layer's handling
2295 * of fragmented skbs is not compatible with ERTM's queueing.
2296 */
c74e560c 2297
94122bbe
MM		 2298 /* PDU size is derived from the HCI MTU */
2299 pdu_len = chan->conn->mtu;
c74e560c 2300
a549574d
MM		 2301 /* Constrain PDU size for BR/EDR connections */
2302 if (!chan->hs_hcon)
2303 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2304
2305 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2306 if (chan->fcs)
2307 pdu_len -= L2CAP_FCS_SIZE;
2308
ba7aa64f 2309 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2310
2311 /* Remote device may have requested smaller PDUs */
2312 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2313
2314 if (len <= pdu_len) {
2315 sar = L2CAP_SAR_UNSEGMENTED;
2316 sdu_len = 0;
2317 pdu_len = len;
2318 } else {
2319 sar = L2CAP_SAR_START;
2320 sdu_len = len;
94122bbe
MM		 2321 }
2322
2323 while (len > 0) {
2324 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2325
c74e560c 2326 if (IS_ERR(skb)) {
94122bbe 2327 __skb_queue_purge(seg_queue);
c74e560c
GP		 2328 return PTR_ERR(skb);
2329 }
2330
a4368ff3 2331 bt_cb(skb)->l2cap.sar = sar;
94122bbe
MM		 2332 __skb_queue_tail(seg_queue, skb);
2333
2334 len -= pdu_len;
069cb270 2335 if (sdu_len)
94122bbe 2336 sdu_len = 0;
94122bbe
MM		 2337
2338 if (len <= pdu_len) {
2339 sar = L2CAP_SAR_END;
2340 pdu_len = len;
2341 } else {
2342 sar = L2CAP_SAR_CONTINUE;
2343 }
c74e560c 2344 }
c74e560c 2345
f0f62799 2346 return 0;
c74e560c
GP		 2347}
2348
177f8f2b
JH		 2349static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2350 struct msghdr *msg,
2351 size_t len, u16 sdulen)
2352{
2353 struct l2cap_conn *conn = chan->conn;
2354 struct sk_buff *skb;
2355 int err, count, hlen;
2356 struct l2cap_hdr *lh;
2357
2358 BT_DBG("chan %p len %zu", chan, len);
2359
2360 if (!conn)
2361 return ERR_PTR(-ENOTCONN);
2362
2363 hlen = L2CAP_HDR_SIZE;
2364
2365 if (sdulen)
2366 hlen += L2CAP_SDULEN_SIZE;
2367
2368 count = min_t(unsigned int, (conn->mtu - hlen), len);
2369
d9fbd02b 2370 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2371 msg->msg_flags & MSG_DONTWAIT);
2372 if (IS_ERR(skb))
2373 return skb;
2374
2375 /* Create L2CAP header */
2376 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2377 lh->cid = cpu_to_le16(chan->dcid);
2378 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2379
2380 if (sdulen)
2381 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2382
2383 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2384 if (unlikely(err < 0)) {
2385 kfree_skb(skb);
2386 return ERR_PTR(err);
2387 }
2388
2389 return skb;
2390}
2391
2392static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2393 struct sk_buff_head *seg_queue,
2394 struct msghdr *msg, size_t len)
2395{
2396 struct sk_buff *skb;
2397 size_t pdu_len;
2398 u16 sdu_len;
2399
2400 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2401
177f8f2b 2402 sdu_len = len;
72c6fb91 2403 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
177f8f2b
JH		 2404
2405 while (len > 0) {
2406 if (len <= pdu_len)
2407 pdu_len = len;
2408
2409 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2410 if (IS_ERR(skb)) {
2411 __skb_queue_purge(seg_queue);
2412 return PTR_ERR(skb);
2413 }
2414
2415 __skb_queue_tail(seg_queue, skb);
2416
2417 len -= pdu_len;
2418
2419 if (sdu_len) {
2420 sdu_len = 0;
2421 pdu_len += L2CAP_SDULEN_SIZE;
2422 }
2423 }
2424
2425 return 0;
2426}
2427
8a505b7f
LAD		 2428static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2429{
2430 int sent = 0;
2431
2432 BT_DBG("chan %p", chan);
2433
2434 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2435 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2436 chan->tx_credits--;
2437 sent++;
2438 }
2439
2440 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2441 skb_queue_len(&chan->tx_q));
2442}
2443
8d46321c 2444int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2445{
9a91a04a 2446 struct sk_buff *skb;
9a91a04a 2447 int err;
94122bbe 2448 struct sk_buff_head seg_queue;
9a91a04a 2449
31e8ce80
SWK		 2450 if (!chan->conn)
2451 return -ENOTCONN;
2452
9a91a04a 2453 /* Connectionless channel */
715ec005 2454 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2455 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2456 if (IS_ERR(skb))
2457 return PTR_ERR(skb);
2458
ede81a2a
AK		 2459 /* Channel lock is released before requesting new skb and then
2460 * reacquired thus we need to recheck channel state.
2461 */
2462 if (chan->state != BT_CONNECTED) {
2463 kfree_skb(skb);
2464 return -ENOTCONN;
2465 }
2466
9a91a04a
GP		 2467 l2cap_do_send(chan, skb);
2468 return len;
2469 }
2470
2471 switch (chan->mode) {
38319713 2472 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2473 /* Check outgoing MTU */
2474 if (len > chan->omtu)
2475 return -EMSGSIZE;
2476
177f8f2b
JH		 2477 __skb_queue_head_init(&seg_queue);
2478
2479 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2480
2481 if (chan->state != BT_CONNECTED) {
2482 __skb_queue_purge(&seg_queue);
2483 err = -ENOTCONN;
2484 }
2485
2486 if (err)
2487 return err;
2488
2489 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2490
8a505b7f 2491 l2cap_le_flowctl_send(chan);
177f8f2b
JH		 2492
2493 if (!chan->tx_credits)
2494 chan->ops->suspend(chan);
2495
2496 err = len;
2497
2498 break;
2499
fad5fc89 2500 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2501 /* Check outgoing MTU */
2502 if (len > chan->omtu)
2503 return -EMSGSIZE;
2504
2505 /* Create a basic PDU */
8d46321c 2506 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2507 if (IS_ERR(skb))
2508 return PTR_ERR(skb);
2509
ede81a2a
AK		 2510 /* Channel lock is released before requesting new skb and then
2511 * reacquired thus we need to recheck channel state.
2512 */
2513 if (chan->state != BT_CONNECTED) {
2514 kfree_skb(skb);
2515 return -ENOTCONN;
2516 }
2517
9a91a04a
GP		 2518 l2cap_do_send(chan, skb);
2519 err = len;
2520 break;
2521
2522 case L2CAP_MODE_ERTM:
2523 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2524 /* Check outgoing MTU */
2525 if (len > chan->omtu) {
2526 err = -EMSGSIZE;
2527 break;
2528 }
9a91a04a 2529
94122bbe 2530 __skb_queue_head_init(&seg_queue);
9a91a04a 2531
94122bbe
MM		 2532 /* Do segmentation before calling in to the state machine,
2533 * since it's possible to block while waiting for memory
2534 * allocation.
2535 */
2536 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2537
94122bbe
MM		 2538 /* The channel could have been closed while segmenting,
2539 * check that it is still connected.
2540 */
2541 if (chan->state != BT_CONNECTED) {
2542 __skb_queue_purge(&seg_queue);
2543 err = -ENOTCONN;
9a91a04a
GP		 2544 }
2545
94122bbe 2546 if (err)
9a91a04a 2547 break;
9a91a04a 2548
3733937d 2549 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2550 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2551 else
d660366d 2552 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2553
d660366d 2554 err = len;
9a91a04a 2555
94122bbe
MM		 2556 /* If the skbs were not queued for sending, they'll still be in
2557 * seg_queue and need to be purged.
2558 */
2559 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2560 break;
2561
2562 default:
2563 BT_DBG("bad state %1.1x", chan->mode);
2564 err = -EBADFD;
2565 }
2566
2567 return err;
2568}
6b8d4a6a 2569EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2570
d2a7ac5d
MM		 2571static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2572{
bed68bde
MM		 2573 struct l2cap_ctrl control;
2574 u16 seq;
2575
b4400672 2576 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2577
2578 memset(&control, 0, sizeof(control));
2579 control.sframe = 1;
2580 control.super = L2CAP_SUPER_SREJ;
2581
2582 for (seq = chan->expected_tx_seq; seq != txseq;
2583 seq = __next_seq(chan, seq)) {
2584 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2585 control.reqseq = seq;
2586 l2cap_send_sframe(chan, &control);
2587 l2cap_seq_list_append(&chan->srej_list, seq);
2588 }
2589 }
2590
2591 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2592}
2593
2594static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2595{
bed68bde
MM		 2596 struct l2cap_ctrl control;
2597
2598 BT_DBG("chan %p", chan);
2599
2600 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2601 return;
2602
2603 memset(&control, 0, sizeof(control));
2604 control.sframe = 1;
2605 control.super = L2CAP_SUPER_SREJ;
2606 control.reqseq = chan->srej_list.tail;
2607 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2608}
2609
2610static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2611{
bed68bde
MM		 2612 struct l2cap_ctrl control;
2613 u16 initial_head;
2614 u16 seq;
2615
b4400672 2616 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2617
2618 memset(&control, 0, sizeof(control));
2619 control.sframe = 1;
2620 control.super = L2CAP_SUPER_SREJ;
2621
2622 /* Capture initial list head to allow only one pass through the list. */
2623 initial_head = chan->srej_list.head;
2624
2625 do {
2626 seq = l2cap_seq_list_pop(&chan->srej_list);
2627 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2628 break;
2629
2630 control.reqseq = seq;
2631 l2cap_send_sframe(chan, &control);
2632 l2cap_seq_list_append(&chan->srej_list, seq);
2633 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2634}
2635
608bcc6d
MM		 2636static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2637{
2638 struct sk_buff *acked_skb;
2639 u16 ackseq;
2640
b4400672 2641 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2642
2643 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2644 return;
2645
b4400672 2646 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2647 chan->expected_ack_seq, chan->unacked_frames);
2648
2649 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2650 ackseq = __next_seq(chan, ackseq)) {
2651
2652 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2653 if (acked_skb) {
2654 skb_unlink(acked_skb, &chan->tx_q);
2655 kfree_skb(acked_skb);
2656 chan->unacked_frames--;
2657 }
2658 }
2659
2660 chan->expected_ack_seq = reqseq;
2661
2662 if (chan->unacked_frames == 0)
2663 __clear_retrans_timer(chan);
2664
b4400672 2665 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2666}
2667
2668static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2669{
2670 BT_DBG("chan %p", chan);
2671
2672 chan->expected_tx_seq = chan->buffer_seq;
2673 l2cap_seq_list_clear(&chan->srej_list);
2674 skb_queue_purge(&chan->srej_q);
2675 chan->rx_state = L2CAP_RX_STATE_RECV;
2676}
2677
d660366d
GP		 2678static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2679 struct l2cap_ctrl *control,
2680 struct sk_buff_head *skbs, u8 event)
608bcc6d 2681{
608bcc6d
MM		 2682 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2683 event);
2684
2685 switch (event) {
2686 case L2CAP_EV_DATA_REQUEST:
2687 if (chan->tx_send_head == NULL)
2688 chan->tx_send_head = skb_peek(skbs);
2689
2690 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2691 l2cap_ertm_send(chan);
2692 break;
2693 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2694 BT_DBG("Enter LOCAL_BUSY");
2695 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2696
2697 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2698 /* The SREJ_SENT state must be aborted if we are to
2699 * enter the LOCAL_BUSY state.
2700 */
2701 l2cap_abort_rx_srej_sent(chan);
2702 }
2703
2704 l2cap_send_ack(chan);
2705
2706 break;
2707 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2708 BT_DBG("Exit LOCAL_BUSY");
2709 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2710
2711 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2712 struct l2cap_ctrl local_control;
2713
2714 memset(&local_control, 0, sizeof(local_control));
2715 local_control.sframe = 1;
2716 local_control.super = L2CAP_SUPER_RR;
2717 local_control.poll = 1;
2718 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2719 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2720
2721 chan->retry_count = 1;
2722 __set_monitor_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2724 }
2725 break;
2726 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2727 l2cap_process_reqseq(chan, control->reqseq);
2728 break;
2729 case L2CAP_EV_EXPLICIT_POLL:
2730 l2cap_send_rr_or_rnr(chan, 1);
2731 chan->retry_count = 1;
2732 __set_monitor_timer(chan);
2733 __clear_ack_timer(chan);
2734 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2735 break;
2736 case L2CAP_EV_RETRANS_TO:
2737 l2cap_send_rr_or_rnr(chan, 1);
2738 chan->retry_count = 1;
2739 __set_monitor_timer(chan);
2740 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2741 break;
2742 case L2CAP_EV_RECV_FBIT:
2743 /* Nothing to process */
2744 break;
2745 default:
2746 break;
2747 }
608bcc6d
MM		 2748}
2749
d660366d
GP		 2750static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2751 struct l2cap_ctrl *control,
2752 struct sk_buff_head *skbs, u8 event)
608bcc6d 2753{
608bcc6d
MM		 2754 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2755 event);
2756
2757 switch (event) {
2758 case L2CAP_EV_DATA_REQUEST:
2759 if (chan->tx_send_head == NULL)
2760 chan->tx_send_head = skb_peek(skbs);
2761 /* Queue data, but don't send. */
2762 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2763 break;
2764 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2765 BT_DBG("Enter LOCAL_BUSY");
2766 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2767
2768 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2769 /* The SREJ_SENT state must be aborted if we are to
2770 * enter the LOCAL_BUSY state.
2771 */
2772 l2cap_abort_rx_srej_sent(chan);
2773 }
2774
2775 l2cap_send_ack(chan);
2776
2777 break;
2778 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2779 BT_DBG("Exit LOCAL_BUSY");
2780 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2781
2782 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2783 struct l2cap_ctrl local_control;
2784 memset(&local_control, 0, sizeof(local_control));
2785 local_control.sframe = 1;
2786 local_control.super = L2CAP_SUPER_RR;
2787 local_control.poll = 1;
2788 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2789 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2790
2791 chan->retry_count = 1;
2792 __set_monitor_timer(chan);
2793 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2794 }
2795 break;
2796 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2797 l2cap_process_reqseq(chan, control->reqseq);
2798
2799 /* Fall through */
2800
2801 case L2CAP_EV_RECV_FBIT:
2802 if (control && control->final) {
2803 __clear_monitor_timer(chan);
2804 if (chan->unacked_frames > 0)
2805 __set_retrans_timer(chan);
2806 chan->retry_count = 0;
2807 chan->tx_state = L2CAP_TX_STATE_XMIT;
2808 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2809 }
2810 break;
2811 case L2CAP_EV_EXPLICIT_POLL:
2812 /* Ignore */
2813 break;
2814 case L2CAP_EV_MONITOR_TO:
2815 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2816 l2cap_send_rr_or_rnr(chan, 1);
2817 __set_monitor_timer(chan);
2818 chan->retry_count++;
2819 } else {
5e4e3972 2820 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2821 }
2822 break;
2823 default:
2824 break;
2825 }
608bcc6d
MM		 2826}
2827
d660366d
GP		 2828static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2829 struct sk_buff_head *skbs, u8 event)
608bcc6d 2830{
608bcc6d
MM		 2831 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2832 chan, control, skbs, event, chan->tx_state);
2833
2834 switch (chan->tx_state) {
2835 case L2CAP_TX_STATE_XMIT:
d660366d 2836 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2837 break;
2838 case L2CAP_TX_STATE_WAIT_F:
d660366d 2839 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2840 break;
2841 default:
2842 /* Ignore event */
2843 break;
2844 }
608bcc6d
MM		 2845}
2846
4b51dae9
MM		 2847static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2848 struct l2cap_ctrl *control)
2849{
2850 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2851 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2852}
2853
f80842a8
MM		 2854static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2855 struct l2cap_ctrl *control)
2856{
2857 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2858 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2859}
2860
1da177e4
LT		 2861/* Copy frame to all raw sockets on that connection */
2862static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2863{
1da177e4 2864 struct sk_buff *nskb;
48454079 2865 struct l2cap_chan *chan;
1da177e4
LT		 2866
2867 BT_DBG("conn %p", conn);
2868
3df91ea2 2869 mutex_lock(&conn->chan_lock);
3d57dc68 2870
3df91ea2 2871 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2872 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2873 continue;
2874
7f5396a7 2875 /* Don't send frame to the channel it came from */
a4368ff3 2876 if (bt_cb(skb)->l2cap.chan == chan)
1da177e4 2877 continue;
7f5396a7 2878
8bcde1f2 2879 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2880 if (!nskb)
1da177e4 2881 continue;
80b98027 2882 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2883 kfree_skb(nskb);
2884 }
3d57dc68 2885
3df91ea2 2886 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2887}
2888
2889/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2890static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2891 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2892{
2893 struct sk_buff *skb, **frag;
2894 struct l2cap_cmd_hdr *cmd;
2895 struct l2cap_hdr *lh;
2896 int len, count;
2897
b4400672
AE		 2898 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2899 conn, code, ident, dlen);
1da177e4 2900
300b962e
AL		 2901 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2902 return NULL;
2903
1da177e4
LT		 2904 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2905 count = min_t(unsigned int, conn->mtu, len);
2906
8bcde1f2 2907 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2908 if (!skb)
2909 return NULL;
2910
2911 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2912 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2913
2914 if (conn->hcon->type == LE_LINK)
dcf4adbf 2915 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2916 else
dcf4adbf 2917 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2918
2919 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2920 cmd->code = code;
2921 cmd->ident = ident;
aca3192c 2922 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2923
2924 if (dlen) {
2925 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
59ae1d12 2926 skb_put_data(skb, data, count);
1da177e4
LT		 2927 data += count;
2928 }
2929
2930 len -= skb->len;
2931
2932 /* Continuation fragments (no L2CAP header) */
2933 frag = &skb_shinfo(skb)->frag_list;
2934 while (len) {
2935 count = min_t(unsigned int, conn->mtu, len);
2936
8bcde1f2 2937 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2938 if (!*frag)
2939 goto fail;
2940
59ae1d12 2941 skb_put_data(*frag, data, count);
1da177e4
LT		 2942
2943 len -= count;
2944 data += count;
2945
2946 frag = &(*frag)->next;
2947 }
2948
2949 return skb;
2950
2951fail:
2952 kfree_skb(skb);
2953 return NULL;
2954}
2955
2d792818
GP		 2956static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2957 unsigned long *val)
1da177e4
LT		 2958{
2959 struct l2cap_conf_opt *opt = *ptr;
2960 int len;
2961
2962 len = L2CAP_CONF_OPT_SIZE + opt->len;
2963 *ptr += len;
2964
2965 *type = opt->type;
2966 *olen = opt->len;
2967
2968 switch (opt->len) {
2969 case 1:
2970 *val = *((u8 *) opt->val);
2971 break;
2972
2973 case 2:
bfaaeb3e 2974 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2975 break;
2976
2977 case 4:
bfaaeb3e 2978 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2979 break;
2980
2981 default:
2982 *val = (unsigned long) opt->val;
2983 break;
2984 }
2985
b4400672 2986 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2987 return len;
2988}
2989
1da177e4
LT		 2990static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2991{
2992 struct l2cap_conf_opt *opt = *ptr;
2993
b4400672 2994 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2995
2996 opt->type = type;
2997 opt->len = len;
2998
2999 switch (len) {
3000 case 1:
3001 *((u8 *) opt->val) = val;
3002 break;
3003
3004 case 2:
4f8b691c 3005 put_unaligned_le16(val, opt->val);
1da177e4
LT		 3006 break;
3007
3008 case 4:
4f8b691c 3009 put_unaligned_le32(val, opt->val);
1da177e4
LT		 3010 break;
3011
3012 default:
3013 memcpy(opt->val, (void *) val, len);
3014 break;
3015 }
3016
3017 *ptr += L2CAP_CONF_OPT_SIZE + len;
3018}
3019
f89cef09
AE		 3020static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3021{
3022 struct l2cap_conf_efs efs;
3023
1ec918ce 3024 switch (chan->mode) {
f89cef09
AE		 3025 case L2CAP_MODE_ERTM:
3026 efs.id = chan->local_id;
3027 efs.stype = chan->local_stype;
3028 efs.msdu = cpu_to_le16(chan->local_msdu);
3029 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 3030 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3031 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3032 break;
3033
3034 case L2CAP_MODE_STREAMING:
3035 efs.id = 1;
3036 efs.stype = L2CAP_SERV_BESTEFFORT;
3037 efs.msdu = cpu_to_le16(chan->local_msdu);
3038 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3039 efs.acc_lat = 0;
3040 efs.flush_to = 0;
3041 break;
3042
3043 default:
3044 return;
3045 }
3046
3047 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3048 (unsigned long) &efs);
f89cef09
AE		 3049}
3050
721c4181 3051static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3052{
721c4181 3053 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3054 ack_timer.work);
3055 u16 frames_to_ack;
c1b4f43b 3056
2fb9b3d4
GP		 3057 BT_DBG("chan %p", chan);
3058
6be36555
AE		 3059 l2cap_chan_lock(chan);
3060
0362520b
MM		 3061 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3062 chan->last_acked_seq);
6be36555 3063
0362520b
MM		 3064 if (frames_to_ack)
3065 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3066
0362520b 3067 l2cap_chan_unlock(chan);
09bfb2ee 3068 l2cap_chan_put(chan);
c1b4f43b
GP		 3069}
3070
466f8004 3071int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3072{
3c588192
MM		 3073 int err;
3074
105bdf9e
MM		 3075 chan->next_tx_seq = 0;
3076 chan->expected_tx_seq = 0;
42e5c802 3077 chan->expected_ack_seq = 0;
6a026610 3078 chan->unacked_frames = 0;
42e5c802 3079 chan->buffer_seq = 0;
6a026610 3080 chan->frames_sent = 0;
105bdf9e
MM		 3081 chan->last_acked_seq = 0;
3082 chan->sdu = NULL;
3083 chan->sdu_last_frag = NULL;
3084 chan->sdu_len = 0;
3085
d34c34fb
MM		 3086 skb_queue_head_init(&chan->tx_q);
3087
6ed971ca
MH		 3088 chan->local_amp_id = AMP_ID_BREDR;
3089 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3090 chan->move_state = L2CAP_MOVE_STABLE;
3091 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3092
105bdf9e
MM		 3093 if (chan->mode != L2CAP_MODE_ERTM)
3094 return 0;
3095
3096 chan->rx_state = L2CAP_RX_STATE_RECV;
3097 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3098
721c4181
GP		 3099 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3100 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3101 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3102
f1c6775b 3103 skb_queue_head_init(&chan->srej_q);
1890d36b 3104
3c588192
MM		 3105 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3106 if (err < 0)
3107 return err;
3108
9dc9affc
MM		 3109 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3110 if (err < 0)
3111 l2cap_seq_list_free(&chan->srej_list);
3112
3113 return err;
0565c1c2
GP		 3114}
3115
f2fcfcd6
GP		 3116static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3117{
3118 switch (mode) {
3119 case L2CAP_MODE_STREAMING:
3120 case L2CAP_MODE_ERTM:
3121 if (l2cap_mode_supported(mode, remote_feat_mask))
3122 return mode;
3123 /* fall through */
3124 default:
3125 return L2CAP_MODE_BASIC;
3126 }
3127}
3128
848566b3 3129static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3130{
0bd49fc7
JH		 3131 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3132 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
6327eb98
AE		 3133}
3134
848566b3 3135static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3136{
0bd49fc7
JH		 3137 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3138 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
f89cef09
AE		 3139}
3140
36c86c85
MM		 3141static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3142 struct l2cap_conf_rfc *rfc)
3143{
6ed971ca 3144 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3145 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3146
3147 /* Class 1 devices have must have ERTM timeouts
3148 * exceeding the Link Supervision Timeout. The
3149 * default Link Supervision Timeout for AMP
3150 * controllers is 10 seconds.
3151 *
3152 * Class 1 devices use 0xffffffff for their
3153 * best-effort flush timeout, so the clamping logic
3154 * will result in a timeout that meets the above
3155 * requirement. ERTM timeouts are 16-bit values, so
3156 * the maximum timeout is 65.535 seconds.
3157 */
3158
3159 /* Convert timeout to milliseconds and round */
3160 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3161
3162 /* This is the recommended formula for class 2 devices
3163 * that start ERTM timers when packets are sent to the
3164 * controller.
3165 */
3166 ertm_to = 3 * ertm_to + 500;
3167
3168 if (ertm_to > 0xffff)
3169 ertm_to = 0xffff;
3170
3171 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3172 rfc->monitor_timeout = rfc->retrans_timeout;
3173 } else {
dcf4adbf
JP		 3174 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3175 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3176 }
3177}
3178
6327eb98
AE		 3179static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3180{
3181 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3182 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3183 /* use extended control field */
3184 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3185 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3186 } else {
6327eb98 3187 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3188 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3189 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3190 }
c20f8e35 3191 chan->ack_win = chan->tx_win;
6327eb98
AE		 3192}
3193
710f9b0a 3194static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3195{
1da177e4 3196 struct l2cap_conf_req *req = data;
0c1bc5c6 3197 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3198 void *ptr = req->data;
c8f79162 3199 u16 size;
1da177e4 3200
49208c9c 3201 BT_DBG("chan %p", chan);
1da177e4 3202
73ffa904 3203 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3204 goto done;
3205
0c1bc5c6 3206 switch (chan->mode) {
f2fcfcd6
GP		 3207 case L2CAP_MODE_STREAMING:
3208 case L2CAP_MODE_ERTM:
c1360a1c 3209 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3210 break;
85eb53c6 3211
848566b3 3212 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3213 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3214
2ba13ed6 3215 /* fall through */
f2fcfcd6 3216 default:
8c1d787b 3217 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3218 break;
3219 }
3220
3221done:
0c1bc5c6
GP		 3222 if (chan->imtu != L2CAP_DEFAULT_MTU)
3223 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3224
0c1bc5c6 3225 switch (chan->mode) {
65c7c491 3226 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3227 if (disable_ertm)
3228 break;
3229
8c1d787b 3230 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3231 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3232 break;
3233
62547752
GP		 3234 rfc.mode = L2CAP_MODE_BASIC;
3235 rfc.txwin_size = 0;
3236 rfc.max_transmit = 0;
3237 rfc.retrans_timeout = 0;
3238 rfc.monitor_timeout = 0;
3239 rfc.max_pdu_size = 0;
3240
63406504 3241 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3242 (unsigned long) &rfc);
65c7c491
MH		 3243 break;
3244
3245 case L2CAP_MODE_ERTM:
3246 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3247 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3248
3249 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3250
3251 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3252 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3253 L2CAP_FCS_SIZE);
c8f79162 3254 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3255
6327eb98
AE		 3256 l2cap_txwin_setup(chan);
3257
3258 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3259 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3260
63406504 3261 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3262 (unsigned long) &rfc);
63406504 3263
f89cef09
AE		 3264 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3265 l2cap_add_opt_efs(&ptr, chan);
3266
6327eb98
AE		 3267 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3268 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3269 chan->tx_win);
60918918
AE		 3270
3271 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3272 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3273 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3274 chan->fcs = L2CAP_FCS_NONE;
3275 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3276 chan->fcs);
3277 }
f2fcfcd6
GP		 3278 break;
3279
3280 case L2CAP_MODE_STREAMING:
273759e2 3281 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3282 rfc.mode = L2CAP_MODE_STREAMING;
3283 rfc.txwin_size = 0;
3284 rfc.max_transmit = 0;
3285 rfc.retrans_timeout = 0;
3286 rfc.monitor_timeout = 0;
c8f79162
AE		 3287
3288 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3289 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3290 L2CAP_FCS_SIZE);
c8f79162 3291 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3292
63406504 3293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3294 (unsigned long) &rfc);
63406504 3295
f89cef09
AE		 3296 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3297 l2cap_add_opt_efs(&ptr, chan);
3298
60918918
AE		 3299 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3300 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3301 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3302 chan->fcs = L2CAP_FCS_NONE;
3303 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3304 chan->fcs);
3305 }
65c7c491
MH		 3306 break;
3307 }
1da177e4 3308
fe4128e0 3309 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3310 req->flags = cpu_to_le16(0);
1da177e4
LT		 3311
3312 return ptr - data;
3313}
3314
73ffa904 3315static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3316{
5dee9e7c
MH		 3317 struct l2cap_conf_rsp *rsp = data;
3318 void *ptr = rsp->data;
73ffa904
GP		 3319 void *req = chan->conf_req;
3320 int len = chan->conf_len;
5dee9e7c
MH		 3321 int type, hint, olen;
3322 unsigned long val;
6464f35f 3323 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3324 struct l2cap_conf_efs efs;
3325 u8 remote_efs = 0;
861d6882 3326 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3327 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3328 u16 size;
1da177e4 3329
73ffa904 3330 BT_DBG("chan %p", chan);
820ae1b8 3331
5dee9e7c
MH		 3332 while (len >= L2CAP_CONF_OPT_SIZE) {
3333 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3334
589d2746 3335 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3336 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3337
3338 switch (type) {
3339 case L2CAP_CONF_MTU:
861d6882 3340 mtu = val;
5dee9e7c
MH		 3341 break;
3342
3343 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3344 chan->flush_to = val;
5dee9e7c
MH		 3345 break;
3346
3347 case L2CAP_CONF_QOS:
3348 break;
3349
6464f35f
MH		 3350 case L2CAP_CONF_RFC:
3351 if (olen == sizeof(rfc))
3352 memcpy(&rfc, (void *) val, olen);
3353 break;
3354
fcc203c3
GP		 3355 case L2CAP_CONF_FCS:
3356 if (val == L2CAP_FCS_NONE)
f2592d3e 3357 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3358 break;
fcc203c3 3359
42dceae2
AE		 3360 case L2CAP_CONF_EFS:
3361 remote_efs = 1;
3362 if (olen == sizeof(efs))
3363 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3364 break;
3365
6327eb98 3366 case L2CAP_CONF_EWS:
0bd49fc7 3367 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
6327eb98 3368 return -ECONNREFUSED;
fcc203c3 3369
6327eb98
AE		 3370 set_bit(FLAG_EXT_CTRL, &chan->flags);
3371 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3372 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3373 chan->remote_tx_win = val;
fcc203c3
GP		 3374 break;
3375
5dee9e7c
MH		 3376 default:
3377 if (hint)
3378 break;
3379
3380 result = L2CAP_CONF_UNKNOWN;
3381 *((u8 *) ptr++) = type;
3382 break;
3383 }
3384 }
3385
73ffa904 3386 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3387 goto done;
3388
0c1bc5c6 3389 switch (chan->mode) {
f2fcfcd6
GP		 3390 case L2CAP_MODE_STREAMING:
3391 case L2CAP_MODE_ERTM:
c1360a1c 3392 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3393 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3394 chan->conn->feat_mask);
85eb53c6
GP		 3395 break;
3396 }
3397
42dceae2 3398 if (remote_efs) {
848566b3 3399 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3400 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3401 else
3402 return -ECONNREFUSED;
3403 }
3404
0c1bc5c6 3405 if (chan->mode != rfc.mode)
f2fcfcd6 3406 return -ECONNREFUSED;
742e519b 3407
f2fcfcd6 3408 break;
f2fcfcd6
GP		 3409 }
3410
3411done:
0c1bc5c6 3412 if (chan->mode != rfc.mode) {
f2fcfcd6 3413 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3414 rfc.mode = chan->mode;
f2fcfcd6 3415
73ffa904 3416 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3417 return -ECONNREFUSED;
3418
2d792818
GP		 3419 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3420 (unsigned long) &rfc);
f2fcfcd6
GP		 3421 }
3422
5dee9e7c
MH		 3423 if (result == L2CAP_CONF_SUCCESS) {
3424 /* Configure output options and let the other side know
3425 * which ones we don't like. */
3426
f2fcfcd6
GP		 3427 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3428 result = L2CAP_CONF_UNACCEPT;
3429 else {
0c1bc5c6 3430 chan->omtu = mtu;
c1360a1c 3431 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3432 }
0c1bc5c6 3433 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3434
42dceae2
AE		 3435 if (remote_efs) {
3436 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3437 efs.stype != L2CAP_SERV_NOTRAFIC &&
3438 efs.stype != chan->local_stype) {
42dceae2
AE		 3439
3440 result = L2CAP_CONF_UNACCEPT;
3441
3442 if (chan->num_conf_req >= 1)
3443 return -ECONNREFUSED;
3444
3445 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3446 sizeof(efs),
3447 (unsigned long) &efs);
0e8b207e 3448 } else {
3e6b3b95 3449 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3450 result = L2CAP_CONF_PENDING;
3451 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3452 }
3453 }
3454
f2fcfcd6
GP		 3455 switch (rfc.mode) {
3456 case L2CAP_MODE_BASIC:
47d1ec61 3457 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3458 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3459 break;
3460
3461 case L2CAP_MODE_ERTM:
6327eb98
AE		 3462 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3463 chan->remote_tx_win = rfc.txwin_size;
3464 else
3465 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3466
2c03a7a4 3467 chan->remote_max_tx = rfc.max_transmit;
1c762159 3468
c8f79162 3469 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3470 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3471 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3472 rfc.max_pdu_size = cpu_to_le16(size);
3473 chan->remote_mps = size;
f2fcfcd6 3474
36c86c85 3475 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3476
c1360a1c 3477 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3478
3479 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3480 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3481
42dceae2
AE		 3482 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3483 chan->remote_id = efs.id;
3484 chan->remote_stype = efs.stype;
3485 chan->remote_msdu = le16_to_cpu(efs.msdu);
3486 chan->remote_flush_to =
2d792818 3487 le32_to_cpu(efs.flush_to);
42dceae2 3488 chan->remote_acc_lat =
2d792818 3489 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3490 chan->remote_sdu_itime =
3491 le32_to_cpu(efs.sdu_itime);
3492 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3493 sizeof(efs),
3494 (unsigned long) &efs);
42dceae2 3495 }
f2fcfcd6
GP		 3496 break;
3497
3498 case L2CAP_MODE_STREAMING:
c8f79162 3499 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3500 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3501 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3502 rfc.max_pdu_size = cpu_to_le16(size);
3503 chan->remote_mps = size;
f2fcfcd6 3504
c1360a1c 3505 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3506
2d792818
GP		 3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3508 (unsigned long) &rfc);
68ae6639 3509
f2fcfcd6
GP		 3510 break;
3511
3512 default:
5dee9e7c 3513 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3514
6464f35f 3515 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3516 rfc.mode = chan->mode;
f2fcfcd6 3517 }
6464f35f 3518
f2fcfcd6 3519 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3520 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3521 }
fe4128e0 3522 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3523 rsp->result = cpu_to_le16(result);
dcf4adbf 3524 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3525
3526 return ptr - data;
1da177e4
LT		 3527}
3528
2d792818
GP		 3529static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3530 void *data, u16 *result)
f2fcfcd6 3531{
f2fcfcd6
GP		 3532 struct l2cap_conf_req *req = data;
3533 void *ptr = req->data;
3534 int type, olen;
3535 unsigned long val;
36e999a8 3536 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3537 struct l2cap_conf_efs efs;
f2fcfcd6 3538
fe4128e0 3539 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3540
3541 while (len >= L2CAP_CONF_OPT_SIZE) {
3542 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3543
3544 switch (type) {
3545 case L2CAP_CONF_MTU:
3546 if (val < L2CAP_DEFAULT_MIN_MTU) {
3547 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3548 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3549 } else
0c1bc5c6
GP		 3550 chan->imtu = val;
3551 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3552 break;
3553
3554 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3555 chan->flush_to = val;
f2fcfcd6 3556 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3557 2, chan->flush_to);
f2fcfcd6
GP		 3558 break;
3559
3560 case L2CAP_CONF_RFC:
3561 if (olen == sizeof(rfc))
3562 memcpy(&rfc, (void *)val, olen);
3563
c1360a1c 3564 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3565 rfc.mode != chan->mode)
f2fcfcd6
GP		 3566 return -ECONNREFUSED;
3567
47d1ec61 3568 chan->fcs = 0;
f2fcfcd6
GP		 3569
3570 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3571 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3572 break;
6327eb98
AE		 3573
3574 case L2CAP_CONF_EWS:
c20f8e35 3575 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3576 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3577 chan->tx_win);
6327eb98 3578 break;
66af7aaf
AE		 3579
3580 case L2CAP_CONF_EFS:
3581 if (olen == sizeof(efs))
3582 memcpy(&efs, (void *)val, olen);
3583
3584 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3585 efs.stype != L2CAP_SERV_NOTRAFIC &&
3586 efs.stype != chan->local_stype)
66af7aaf
AE		 3587 return -ECONNREFUSED;
3588
2d792818
GP		 3589 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3590 (unsigned long) &efs);
66af7aaf 3591 break;
cbabee78
AE		 3592
3593 case L2CAP_CONF_FCS:
3594 if (*result == L2CAP_CONF_PENDING)
3595 if (val == L2CAP_FCS_NONE)
f2592d3e 3596 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3597 &chan->conf_state);
3598 break;
f2fcfcd6
GP		 3599 }
3600 }
3601
0c1bc5c6 3602 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3603 return -ECONNREFUSED;
3604
0c1bc5c6 3605 chan->mode = rfc.mode;
6c2ea7a8 3606
0e8b207e 3607 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3608 switch (rfc.mode) {
3609 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3610 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3611 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3612 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3613 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3614 chan->ack_win = min_t(u16, chan->ack_win,
3615 rfc.txwin_size);
66af7aaf
AE		 3616
3617 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3618 chan->local_msdu = le16_to_cpu(efs.msdu);
3619 chan->local_sdu_itime =
2d792818 3620 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3621 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3622 chan->local_flush_to =
2d792818 3623 le32_to_cpu(efs.flush_to);
66af7aaf 3624 }
f2fcfcd6 3625 break;
66af7aaf 3626
f2fcfcd6 3627 case L2CAP_MODE_STREAMING:
47d1ec61 3628 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3629 }
3630 }
3631
fe4128e0 3632 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3633 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3634
3635 return ptr - data;
3636}
3637
2d792818
GP		 3638static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3639 u16 result, u16 flags)
1da177e4
LT		 3640{
3641 struct l2cap_conf_rsp *rsp = data;
3642 void *ptr = rsp->data;
1da177e4 3643
fe4128e0 3644 BT_DBG("chan %p", chan);
1da177e4 3645
fe4128e0 3646 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3647 rsp->result = cpu_to_le16(result);
aca3192c 3648 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3649
3650 return ptr - data;
3651}
3652
27e2d4c8
JH		 3653void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3654{
3655 struct l2cap_le_conn_rsp rsp;
3656 struct l2cap_conn *conn = chan->conn;
3657
3658 BT_DBG("chan %p", chan);
3659
3660 rsp.dcid = cpu_to_le16(chan->scid);
3661 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3662 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3663 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3664 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3665
3666 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3667 &rsp);
3668}
3669
8c1d787b 3670void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3671{
3672 struct l2cap_conn_rsp rsp;
8c1d787b 3673 struct l2cap_conn *conn = chan->conn;
710f9b0a 3674 u8 buf[128];
439f34ac 3675 u8 rsp_code;
710f9b0a 3676
fe4128e0
GP		 3677 rsp.scid = cpu_to_le16(chan->dcid);
3678 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3679 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3680 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3681
3682 if (chan->hs_hcon)
3683 rsp_code = L2CAP_CREATE_CHAN_RSP;
3684 else
3685 rsp_code = L2CAP_CONN_RSP;
3686
3687 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3688
3689 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3690
c1360a1c 3691 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3692 return;
3693
710f9b0a 3694 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3695 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3696 chan->num_conf_req++;
3697}
3698
47d1ec61 3699static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3700{
7b1c0049
GP		 3701 int type, olen;
3702 unsigned long val;
c20f8e35
MM		 3703 /* Use sane default values in case a misbehaving remote device
3704 * did not send an RFC or extended window size option.
3705 */
3706 u16 txwin_ext = chan->ack_win;
3707 struct l2cap_conf_rfc rfc = {
3708 .mode = chan->mode,
dcf4adbf
JP		 3709 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3710 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3711 .max_pdu_size = cpu_to_le16(chan->imtu),
3712 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3713 };
7b1c0049 3714
47d1ec61 3715 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3716
0c1bc5c6 3717 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3718 return;
3719
3720 while (len >= L2CAP_CONF_OPT_SIZE) {
3721 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3722
c20f8e35
MM		 3723 switch (type) {
3724 case L2CAP_CONF_RFC:
3725 if (olen == sizeof(rfc))
3726 memcpy(&rfc, (void *)val, olen);
8f321f85 3727 break;
c20f8e35
MM		 3728 case L2CAP_CONF_EWS:
3729 txwin_ext = val;
3730 break;
3731 }
7b1c0049
GP		 3732 }
3733
7b1c0049
GP		 3734 switch (rfc.mode) {
3735 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3736 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3737 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3738 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3739 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3740 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3741 else
3742 chan->ack_win = min_t(u16, chan->ack_win,
3743 rfc.txwin_size);
7b1c0049
GP		 3744 break;
3745 case L2CAP_MODE_STREAMING:
47d1ec61 3746 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3747 }
3748}
3749
2d792818 3750static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3751 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3752 u8 *data)
4e8402a3 3753{
e2fd318e 3754 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3755
cb3b3152
JH		 3756 if (cmd_len < sizeof(*rej))
3757 return -EPROTO;
3758
e2fd318e 3759 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3760 return 0;
3761
3762 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3763 cmd->ident == conn->info_ident) {
17cd3f37 3764 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3765
3766 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3767 conn->info_ident = 0;
984947dc 3768
4e8402a3
MH		 3769 l2cap_conn_start(conn);
3770 }
3771
3772 return 0;
3773}
3774
1700915f
MM		 3775static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3776 struct l2cap_cmd_hdr *cmd,
3777 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3778{
1da177e4
LT		 3779 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3780 struct l2cap_conn_rsp rsp;
23691d75 3781 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3782 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3783
3784 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3785 __le16 psm = req->psm;
1da177e4 3786
097db76c 3787 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3788
3789 /* Check if we have socket listening on psm */
6f59b904 3790 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3791 &conn->hcon->dst, ACL_LINK);
23691d75 3792 if (!pchan) {
1da177e4
LT		 3793 result = L2CAP_CR_BAD_PSM;
3794 goto sendresp;
3795 }
3796
3df91ea2 3797 mutex_lock(&conn->chan_lock);
8ffb9290 3798 l2cap_chan_lock(pchan);
e0f0cb56 3799
e7c29cb1 3800 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3801 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3802 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3803 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3804 result = L2CAP_CR_SEC_BLOCK;
3805 goto response;
3806 }
3807
1da177e4
LT		 3808 result = L2CAP_CR_NO_MEM;
3809
2dfa1003
GP		 3810 /* Check if we already have channel with that dcid */
3811 if (__l2cap_get_chan_by_dcid(conn, scid))
3812 goto response;
3813
80b98027 3814 chan = pchan->ops->new_connection(pchan);
80808e43 3815 if (!chan)
1da177e4
LT		 3816 goto response;
3817
330b6c15
SS		 3818 /* For certain devices (ex: HID mouse), support for authentication,
3819 * pairing and bonding is optional. For such devices, inorder to avoid
3820 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3821 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3822 */
3823 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3824
7eafc59e
MH		 3825 bacpy(&chan->src, &conn->hcon->src);
3826 bacpy(&chan->dst, &conn->hcon->dst);
a250e048
JH		 3827 chan->src_type = bdaddr_src_type(conn->hcon);
3828 chan->dst_type = bdaddr_dst_type(conn->hcon);
fe4128e0
GP		 3829 chan->psm = psm;
3830 chan->dcid = scid;
1700915f 3831 chan->local_amp_id = amp_id;
1da177e4 3832
6be36555 3833 __l2cap_chan_add(conn, chan);
48454079 3834
fe4128e0 3835 dcid = chan->scid;
1da177e4 3836
8d836d71 3837 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3838
fc7f8a7e 3839 chan->ident = cmd->ident;
1da177e4 3840
984947dc 3841 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3842 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3843 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3844 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3845 result = L2CAP_CR_PEND;
3846 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3847 chan->ops->defer(chan);
f66dc81f 3848 } else {
1700915f
MM		 3849 /* Force pending result for AMP controllers.
3850 * The connection will succeed after the
3851 * physical link is up.
3852 */
6ed971ca 3853 if (amp_id == AMP_ID_BREDR) {
f93fa273 3854 l2cap_state_change(chan, BT_CONFIG);
1700915f 3855 result = L2CAP_CR_SUCCESS;
6ed971ca 3856 } else {
f93fa273 3857 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3858 result = L2CAP_CR_PEND;
1700915f 3859 }
f66dc81f
MH		 3860 status = L2CAP_CS_NO_INFO;
3861 }
79d554a6 3862 } else {
f93fa273 3863 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3864 result = L2CAP_CR_PEND;
3865 status = L2CAP_CS_AUTHEN_PEND;
3866 }
3867 } else {
f93fa273 3868 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3869 result = L2CAP_CR_PEND;
3870 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3871 }
3872
1da177e4 3873response:
8ffb9290 3874 l2cap_chan_unlock(pchan);
3df91ea2 3875 mutex_unlock(&conn->chan_lock);
a24cce14 3876 l2cap_chan_put(pchan);
1da177e4
LT		 3877
3878sendresp:
aca3192c
YH		 3879 rsp.scid = cpu_to_le16(scid);
3880 rsp.dcid = cpu_to_le16(dcid);
3881 rsp.result = cpu_to_le16(result);
3882 rsp.status = cpu_to_le16(status);
4c89b6aa 3883 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3884
3885 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3886 struct l2cap_info_req info;
dcf4adbf 3887 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3888
3889 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3890 conn->info_ident = l2cap_get_ident(conn);
3891
ba13ccd9 3892 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3893
2d792818
GP		 3894 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3895 sizeof(info), &info);
79d554a6
MH		 3896 }
3897
c1360a1c 3898 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3899 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3900 u8 buf[128];
c1360a1c 3901 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3902 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3903 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3904 chan->num_conf_req++;
e9aeb2dd 3905 }
1700915f
MM		 3906
3907 return chan;
4c89b6aa 3908}
e9aeb2dd 3909
4c89b6aa 3910static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3911 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3912{
7b064eda
JK		 3913 struct hci_dev *hdev = conn->hcon->hdev;
3914 struct hci_conn *hcon = conn->hcon;
3915
cb3b3152
JH		 3916 if (cmd_len < sizeof(struct l2cap_conn_req))
3917 return -EPROTO;
3918
7b064eda 3919 hci_dev_lock(hdev);
d7a5a11d 3920 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
7b064eda 3921 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
48ec92fa 3922 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
7b064eda
JK		 3923 hci_dev_unlock(hdev);
3924
300229f9 3925 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3926 return 0;
3927}
3928
5909cf30 3929static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3930 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3931 u8 *data)
1da177e4
LT		 3932{
3933 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3934 u16 scid, dcid, result, status;
48454079 3935 struct l2cap_chan *chan;
1da177e4 3936 u8 req[128];
3df91ea2 3937 int err;
1da177e4 3938
cb3b3152
JH		 3939 if (cmd_len < sizeof(*rsp))
3940 return -EPROTO;
3941
1da177e4
LT		 3942 scid = __le16_to_cpu(rsp->scid);
3943 dcid = __le16_to_cpu(rsp->dcid);
3944 result = __le16_to_cpu(rsp->result);
3945 status = __le16_to_cpu(rsp->status);
3946
1b009c98 3947 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3948 dcid, scid, result, status);
1da177e4 3949
3df91ea2
AE		 3950 mutex_lock(&conn->chan_lock);
3951
1da177e4 3952 if (scid) {
3df91ea2
AE		 3953 chan = __l2cap_get_chan_by_scid(conn, scid);
3954 if (!chan) {
21870b52 3955 err = -EBADSLT;
3df91ea2
AE		 3956 goto unlock;
3957 }
1da177e4 3958 } else {
3df91ea2
AE		 3959 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3960 if (!chan) {
21870b52 3961 err = -EBADSLT;
3df91ea2
AE		 3962 goto unlock;
3963 }
1da177e4
LT		 3964 }
3965
3df91ea2
AE		 3966 err = 0;
3967
6be36555 3968 l2cap_chan_lock(chan);
48454079 3969
1da177e4
LT		 3970 switch (result) {
3971 case L2CAP_CR_SUCCESS:
89bc500e 3972 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3973 chan->ident = 0;
fe4128e0 3974 chan->dcid = dcid;
c1360a1c 3975 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3976
c1360a1c 3977 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3978 break;
3979
1da177e4 3980 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3981 l2cap_build_conf_req(chan, req), req);
73ffa904 3982 chan->num_conf_req++;
1da177e4
LT		 3983 break;
3984
3985 case L2CAP_CR_PEND:
c1360a1c 3986 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3987 break;
3988
3989 default:
48454079 3990 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3991 break;
3992 }
3993
6be36555 3994 l2cap_chan_unlock(chan);
3df91ea2
AE		 3995
3996unlock:
3997 mutex_unlock(&conn->chan_lock);
3998
3999 return err;
1da177e4
LT		 4000}
4001
47d1ec61 4002static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 4003{
4004 /* FCS is enabled only in ERTM or streaming mode, if one or both
4005 * sides request it.
4006 */
0c1bc5c6 4007 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 4008 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 4009 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 4010 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 4011}
4012
29d8a590
AE		 4013static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4014 u8 ident, u16 flags)
4015{
4016 struct l2cap_conn *conn = chan->conn;
4017
4018 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4019 flags);
4020
4021 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4022 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4023
4024 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4025 l2cap_build_conf_rsp(chan, data,
4026 L2CAP_CONF_SUCCESS, flags), data);
4027}
4028
662d652d
JH		 4029static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4030 u16 scid, u16 dcid)
4031{
4032 struct l2cap_cmd_rej_cid rej;
4033
dcf4adbf 4034 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 4035 rej.scid = __cpu_to_le16(scid);
4036 rej.dcid = __cpu_to_le16(dcid);
4037
4038 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4039}
4040
2d792818
GP		 4041static inline int l2cap_config_req(struct l2cap_conn *conn,
4042 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4043 u8 *data)
1da177e4
LT		 4044{
4045 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4046 u16 dcid, flags;
4047 u8 rsp[64];
48454079 4048 struct l2cap_chan *chan;
3c588192 4049 int len, err = 0;
1da177e4 4050
cb3b3152
JH		 4051 if (cmd_len < sizeof(*req))
4052 return -EPROTO;
4053
1da177e4
LT		 4054 dcid = __le16_to_cpu(req->dcid);
4055 flags = __le16_to_cpu(req->flags);
4056
4057 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4058
baa7e1fa 4059 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4060 if (!chan) {
4061 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4062 return 0;
4063 }
1da177e4 4064
033b1142 4065 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4066 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4067 chan->dcid);
354f60a9 4068 goto unlock;
df6bd743 4069 }
354f60a9 4070
5dee9e7c 4071 /* Reject if config buffer is too small. */
88219a0f 4072 len = cmd_len - sizeof(*req);
cb3b3152 4073 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4074 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4075 l2cap_build_conf_rsp(chan, rsp,
4076 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4077 goto unlock;
4078 }
4079
4080 /* Store config. */
73ffa904
GP		 4081 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4082 chan->conf_len += len;
1da177e4 4083
59e54bd1 4084 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4085 /* Incomplete config. Send empty response. */
4086 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4087 l2cap_build_conf_rsp(chan, rsp,
4088 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4089 goto unlock;
4090 }
4091
4092 /* Complete config. */
73ffa904 4093 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4094 if (len < 0) {
5e4e3972 4095 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4096 goto unlock;
f2fcfcd6 4097 }
1da177e4 4098
1500109b 4099 chan->ident = cmd->ident;
5dee9e7c 4100 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4101 chan->num_conf_rsp++;
5dee9e7c 4102
5dee9e7c 4103 /* Reset config buffer. */
73ffa904 4104 chan->conf_len = 0;
5dee9e7c 4105
c1360a1c 4106 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4107 goto unlock;
4108
c1360a1c 4109 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4110 set_default_fcs(chan);
fcc203c3 4111
105bdf9e
MM		 4112 if (chan->mode == L2CAP_MODE_ERTM ||
4113 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4114 err = l2cap_ertm_init(chan);
4115
4116 if (err < 0)
5e4e3972 4117 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4118 else
4119 l2cap_chan_ready(chan);
0565c1c2 4120
876d9484
MH		 4121 goto unlock;
4122 }
4123
c1360a1c 4124 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4125 u8 buf[64];
1da177e4 4126 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4127 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4128 chan->num_conf_req++;
1da177e4
LT		 4129 }
4130
49c922bb 4131 /* Got Conf Rsp PENDING from remote side and assume we sent
0e8b207e
AE		 4132 Conf Rsp PENDING in the code above */
4133 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4134 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4135
4136 /* check compatibility */
4137
79de886d 4138 /* Send rsp for BR/EDR channel */
f351bc72 4139 if (!chan->hs_hcon)
79de886d
AE		 4140 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4141 else
4142 chan->ident = cmd->ident;
0e8b207e
AE		 4143 }
4144
1da177e4 4145unlock:
6be36555 4146 l2cap_chan_unlock(chan);
3c588192 4147 return err;
1da177e4
LT		 4148}
4149
2d792818 4150static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4151 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4152 u8 *data)
1da177e4
LT		 4153{
4154 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4155 u16 scid, flags, result;
48454079 4156 struct l2cap_chan *chan;
cb3b3152 4157 int len = cmd_len - sizeof(*rsp);
3c588192 4158 int err = 0;
1da177e4 4159
cb3b3152
JH		 4160 if (cmd_len < sizeof(*rsp))
4161 return -EPROTO;
4162
1da177e4
LT		 4163 scid = __le16_to_cpu(rsp->scid);
4164 flags = __le16_to_cpu(rsp->flags);
4165 result = __le16_to_cpu(rsp->result);
4166
61386cba
AE		 4167 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4168 result, len);
1da177e4 4169
baa7e1fa 4170 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4171 if (!chan)
1da177e4
LT		 4172 return 0;
4173
4174 switch (result) {
4175 case L2CAP_CONF_SUCCESS:
47d1ec61 4176 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4177 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4178 break;
4179
0e8b207e
AE		 4180 case L2CAP_CONF_PENDING:
4181 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4182
4183 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4184 char buf[64];
4185
4186 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4187 buf, &result);
0e8b207e 4188 if (len < 0) {
5e4e3972 4189 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4190 goto done;
4191 }
4192
f351bc72 4193 if (!chan->hs_hcon) {
79de886d
AE		 4194 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4195 0);
5ce66b59
AE		 4196 } else {
4197 if (l2cap_check_efs(chan)) {
4198 amp_create_logical_link(chan);
4199 chan->ident = cmd->ident;
4200 }
4201 }
0e8b207e
AE		 4202 }
4203 goto done;
4204
1da177e4 4205 case L2CAP_CONF_UNACCEPT:
73ffa904 4206 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4207 char req[64];
4208
c2c77ec8 4209 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4210 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4211 goto done;
4212 }
4213
f2fcfcd6
GP		 4214 /* throw out any old stored conf requests */
4215 result = L2CAP_CONF_SUCCESS;
b4450035 4216 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4217 req, &result);
f2fcfcd6 4218 if (len < 0) {
5e4e3972 4219 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4220 goto done;
4221 }
4222
4223 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4224 L2CAP_CONF_REQ, len, req);
73ffa904 4225 chan->num_conf_req++;
f2fcfcd6
GP		 4226 if (result != L2CAP_CONF_SUCCESS)
4227 goto done;
4228 break;
1da177e4
LT		 4229 }
4230
8e87d142 4231 default:
6be36555 4232 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4233
ba13ccd9 4234 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4235 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4236 goto done;
4237 }
4238
59e54bd1 4239 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4240 goto done;
4241
c1360a1c 4242 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4243
c1360a1c 4244 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4245 set_default_fcs(chan);
fcc203c3 4246
105bdf9e
MM		 4247 if (chan->mode == L2CAP_MODE_ERTM ||
4248 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4249 err = l2cap_ertm_init(chan);
0565c1c2 4250
3c588192 4251 if (err < 0)
5e4e3972 4252 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4253 else
4254 l2cap_chan_ready(chan);
1da177e4
LT		 4255 }
4256
4257done:
6be36555 4258 l2cap_chan_unlock(chan);
3c588192 4259 return err;
1da177e4
LT		 4260}
4261
2d792818 4262static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4263 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4264 u8 *data)
1da177e4
LT		 4265{
4266 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4267 struct l2cap_disconn_rsp rsp;
4268 u16 dcid, scid;
48454079 4269 struct l2cap_chan *chan;
1da177e4 4270
cb3b3152
JH		 4271 if (cmd_len != sizeof(*req))
4272 return -EPROTO;
4273
1da177e4
LT		 4274 scid = __le16_to_cpu(req->scid);
4275 dcid = __le16_to_cpu(req->dcid);
4276
4277 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4278
3df91ea2
AE		 4279 mutex_lock(&conn->chan_lock);
4280
4281 chan = __l2cap_get_chan_by_scid(conn, dcid);
4282 if (!chan) {
4283 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4284 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4285 return 0;
3df91ea2 4286 }
1da177e4 4287
6be36555
AE		 4288 l2cap_chan_lock(chan);
4289
fe4128e0
GP		 4290 rsp.dcid = cpu_to_le16(chan->scid);
4291 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4292 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4293
5ec1bbe5 4294 chan->ops->set_shutdown(chan);
1da177e4 4295
61d6ef3e 4296 l2cap_chan_hold(chan);
48454079 4297 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4298
4299 l2cap_chan_unlock(chan);
1da177e4 4300
80b98027 4301 chan->ops->close(chan);
61d6ef3e 4302 l2cap_chan_put(chan);
3df91ea2
AE		 4303
4304 mutex_unlock(&conn->chan_lock);
4305
1da177e4
LT		 4306 return 0;
4307}
4308
2d792818 4309static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4310 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4311 u8 *data)
1da177e4
LT		 4312{
4313 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4314 u16 dcid, scid;
48454079 4315 struct l2cap_chan *chan;
1da177e4 4316
cb3b3152
JH		 4317 if (cmd_len != sizeof(*rsp))
4318 return -EPROTO;
4319
1da177e4
LT		 4320 scid = __le16_to_cpu(rsp->scid);
4321 dcid = __le16_to_cpu(rsp->dcid);
4322
4323 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4324
3df91ea2
AE		 4325 mutex_lock(&conn->chan_lock);
4326
4327 chan = __l2cap_get_chan_by_scid(conn, scid);
4328 if (!chan) {
4329 mutex_unlock(&conn->chan_lock);
1da177e4 4330 return 0;
3df91ea2 4331 }
1da177e4 4332
6be36555 4333 l2cap_chan_lock(chan);
48454079 4334
61d6ef3e 4335 l2cap_chan_hold(chan);
48454079 4336 l2cap_chan_del(chan, 0);
6be36555
AE		 4337
4338 l2cap_chan_unlock(chan);
1da177e4 4339
80b98027 4340 chan->ops->close(chan);
61d6ef3e 4341 l2cap_chan_put(chan);
3df91ea2
AE		 4342
4343 mutex_unlock(&conn->chan_lock);
4344
1da177e4
LT		 4345 return 0;
4346}
4347
2d792818 4348static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4349 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4350 u8 *data)
1da177e4
LT		 4351{
4352 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4353 u16 type;
4354
cb3b3152
JH		 4355 if (cmd_len != sizeof(*req))
4356 return -EPROTO;
4357
1da177e4
LT		 4358 type = __le16_to_cpu(req->type);
4359
4360 BT_DBG("type 0x%4.4x", type);
4361
f0709e03
MH		 4362 if (type == L2CAP_IT_FEAT_MASK) {
4363 u8 buf[8];
44dd46de 4364 u32 feat_mask = l2cap_feat_mask;
f0709e03 4365 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4366 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4367 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4368 if (!disable_ertm)
fcc203c3 4369 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4370 | L2CAP_FEAT_FCS;
0bd49fc7 4371 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
6327eb98 4372 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4373 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4374
1b7bf4ed 4375 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4376 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4377 buf);
e1027a7c
MH		 4378 } else if (type == L2CAP_IT_FIXED_CHAN) {
4379 u8 buf[12];
4380 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4381
dcf4adbf
JP		 4382 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4383 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
0bd49fc7
JH		 4384 rsp->data[0] = conn->local_fixed_chan;
4385 memset(rsp->data + 1, 0, 7);
2d792818
GP		 4386 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4387 buf);
f0709e03
MH		 4388 } else {
4389 struct l2cap_info_rsp rsp;
4390 rsp.type = cpu_to_le16(type);
dcf4adbf 4391 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4392 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4393 &rsp);
f0709e03 4394 }
1da177e4
LT		 4395
4396 return 0;
4397}
4398
2d792818 4399static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4400 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4401 u8 *data)
1da177e4
LT		 4402{
4403 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4404 u16 type, result;
4405
3f6fa3d4 4406 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4407 return -EPROTO;
4408
1da177e4
LT		 4409 type = __le16_to_cpu(rsp->type);
4410 result = __le16_to_cpu(rsp->result);
4411
4412 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4413
e90165be
AE		 4414 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4415 if (cmd->ident != conn->info_ident ||
2d792818 4416 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4417 return 0;
4418
17cd3f37 4419 cancel_delayed_work(&conn->info_timer);
4e8402a3 4420
adb08ede
VT		 4421 if (result != L2CAP_IR_SUCCESS) {
4422 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4423 conn->info_ident = 0;
4424
4425 l2cap_conn_start(conn);
4426
4427 return 0;
4428 }
4429
978c93b9
AE		 4430 switch (type) {
4431 case L2CAP_IT_FEAT_MASK:
83985319 4432 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4433
47ec1dcd 4434 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4435 struct l2cap_info_req req;
dcf4adbf 4436 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4437
4438 conn->info_ident = l2cap_get_ident(conn);
4439
4440 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4441 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4442 } else {
4443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4444 conn->info_ident = 0;
4445
4446 l2cap_conn_start(conn);
4447 }
978c93b9
AE		 4448 break;
4449
4450 case L2CAP_IT_FIXED_CHAN:
0bd49fc7 4451 conn->remote_fixed_chan = rsp->data[0];
984947dc 4452 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4453 conn->info_ident = 0;
984947dc
MH		 4454
4455 l2cap_conn_start(conn);
978c93b9 4456 break;
984947dc 4457 }
4e8402a3 4458
1da177e4
LT		 4459 return 0;
4460}
4461
1700915f
MM		 4462static int l2cap_create_channel_req(struct l2cap_conn *conn,
4463 struct l2cap_cmd_hdr *cmd,
4464 u16 cmd_len, void *data)
f94ff6ff
MM		 4465{
4466 struct l2cap_create_chan_req *req = data;
6e1df6a6 4467 struct l2cap_create_chan_rsp rsp;
1700915f 4468 struct l2cap_chan *chan;
6e1df6a6 4469 struct hci_dev *hdev;
f94ff6ff
MM		 4470 u16 psm, scid;
4471
4472 if (cmd_len != sizeof(*req))
4473 return -EPROTO;
4474
0bd49fc7 4475 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
f94ff6ff
MM		 4476 return -EINVAL;
4477
4478 psm = le16_to_cpu(req->psm);
4479 scid = le16_to_cpu(req->scid);
4480
ad0ac6ca 4481 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4482
6e1df6a6 4483 /* For controller id 0 make BR/EDR connection */
6ed971ca 4484 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4485 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4486 req->amp_id);
4487 return 0;
4488 }
1700915f 4489
6e1df6a6
AE		 4490 /* Validate AMP controller id */
4491 hdev = hci_dev_get(req->amp_id);
4492 if (!hdev)
4493 goto error;
1700915f 4494
6e1df6a6
AE		 4495 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4496 hci_dev_put(hdev);
4497 goto error;
4498 }
1700915f 4499
6e1df6a6
AE		 4500 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4501 req->amp_id);
4502 if (chan) {
4503 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4504 struct hci_conn *hs_hcon;
1700915f 4505
98e0f7ea
MH		 4506 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4507 &conn->hcon->dst);
6e1df6a6
AE		 4508 if (!hs_hcon) {
4509 hci_dev_put(hdev);
662d652d
JH		 4510 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4511 chan->dcid);
4512 return 0;
1700915f
MM		 4513 }
4514
6e1df6a6
AE		 4515 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4516
6e1df6a6
AE		 4517 mgr->bredr_chan = chan;
4518 chan->hs_hcon = hs_hcon;
fd45bf4c 4519 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4520 conn->mtu = hdev->block_mtu;
1700915f 4521 }
f94ff6ff 4522
6e1df6a6 4523 hci_dev_put(hdev);
f94ff6ff
MM		 4524
4525 return 0;
6e1df6a6
AE		 4526
4527error:
4528 rsp.dcid = 0;
4529 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4530 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4531 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4532
4533 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4534 sizeof(rsp), &rsp);
4535
dc280801 4536 return 0;
f94ff6ff
MM		 4537}
4538
8eb200bd
MM		 4539static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4540{
4541 struct l2cap_move_chan_req req;
4542 u8 ident;
4543
4544 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4545
4546 ident = l2cap_get_ident(chan->conn);
4547 chan->ident = ident;
4548
4549 req.icid = cpu_to_le16(chan->scid);
4550 req.dest_amp_id = dest_amp_id;
4551
4552 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4553 &req);
4554
4555 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4556}
4557
1500109b 4558static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4559{
4560 struct l2cap_move_chan_rsp rsp;
4561
1500109b 4562 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4563
1500109b 4564 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4565 rsp.result = cpu_to_le16(result);
4566
1500109b
MM		 4567 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4568 sizeof(rsp), &rsp);
8d5a04a1
MM		 4569}
4570
5b155ef9 4571static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4572{
4573 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4574
5b155ef9 4575 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4576
5b155ef9 4577 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4578
5b155ef9 4579 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4580 cfm.result = cpu_to_le16(result);
4581
5b155ef9
MM		 4582 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4583 sizeof(cfm), &cfm);
4584
4585 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4586}
4587
4588static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4589{
4590 struct l2cap_move_chan_cfm cfm;
4591
4592 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4593
4594 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4595 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4596
4597 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4598 sizeof(cfm), &cfm);
8d5a04a1
MM		 4599}
4600
4601static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4602 u16 icid)
8d5a04a1
MM		 4603{
4604 struct l2cap_move_chan_cfm_rsp rsp;
4605
ad0ac6ca 4606 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4607
4608 rsp.icid = cpu_to_le16(icid);
4609 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4610}
4611
5f3847a4
MM		 4612static void __release_logical_link(struct l2cap_chan *chan)
4613{
4614 chan->hs_hchan = NULL;
4615 chan->hs_hcon = NULL;
4616
4617 /* Placeholder - release the logical link */
4618}
4619
1500109b
MM		 4620static void l2cap_logical_fail(struct l2cap_chan *chan)
4621{
4622 /* Logical link setup failed */
4623 if (chan->state != BT_CONNECTED) {
4624 /* Create channel failure, disconnect */
5e4e3972 4625 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4626 return;
4627 }
4628
4629 switch (chan->move_role) {
4630 case L2CAP_MOVE_ROLE_RESPONDER:
4631 l2cap_move_done(chan);
4632 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4633 break;
4634 case L2CAP_MOVE_ROLE_INITIATOR:
4635 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4636 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4637 /* Remote has only sent pending or
4638 * success responses, clean up
4639 */
4640 l2cap_move_done(chan);
4641 }
4642
4643 /* Other amp move states imply that the move
4644 * has already aborted
4645 */
4646 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4647 break;
4648 }
4649}
4650
4651static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4652 struct hci_chan *hchan)
4653{
4654 struct l2cap_conf_rsp rsp;
1500109b 4655
336178a3 4656 chan->hs_hchan = hchan;
1500109b
MM		 4657 chan->hs_hcon->l2cap_data = chan->conn;
4658
35ba9561 4659 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4660
4661 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4662 int err;
1500109b
MM		 4663
4664 set_default_fcs(chan);
4665
4666 err = l2cap_ertm_init(chan);
4667 if (err < 0)
5e4e3972 4668 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4669 else
4670 l2cap_chan_ready(chan);
4671 }
4672}
4673
4674static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4675 struct hci_chan *hchan)
4676{
4677 chan->hs_hcon = hchan->conn;
4678 chan->hs_hcon->l2cap_data = chan->conn;
4679
4680 BT_DBG("move_state %d", chan->move_state);
4681
4682 switch (chan->move_state) {
4683 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4684 /* Move confirm will be sent after a success
4685 * response is received
4686 */
4687 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4688 break;
4689 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4690 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4691 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4692 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4693 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4694 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4695 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4696 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4697 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4698 }
4699 break;
4700 default:
4701 /* Move was not in expected state, free the channel */
4702 __release_logical_link(chan);
4703
4704 chan->move_state = L2CAP_MOVE_STABLE;
4705 }
4706}
4707
4708/* Call with chan locked */
27695fb4
AE		 4709void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4710 u8 status)
5b155ef9 4711{
1500109b
MM		 4712 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4713
4714 if (status) {
4715 l2cap_logical_fail(chan);
4716 __release_logical_link(chan);
4717 return;
4718 }
4719
4720 if (chan->state != BT_CONNECTED) {
4721 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4722 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4723 l2cap_logical_finish_create(chan, hchan);
4724 } else {
4725 l2cap_logical_finish_move(chan, hchan);
4726 }
5b155ef9
MM		 4727}
4728
3f7a56c4
MM		 4729void l2cap_move_start(struct l2cap_chan *chan)
4730{
4731 BT_DBG("chan %p", chan);
4732
6ed971ca 4733 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4734 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4735 return;
4736 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4737 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4738 /* Placeholder - start physical link setup */
4739 } else {
4740 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4741 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4742 chan->move_id = 0;
4743 l2cap_move_setup(chan);
4744 l2cap_send_move_chan_req(chan, 0);
4745 }
4746}
4747
8eb200bd
MM		 4748static void l2cap_do_create(struct l2cap_chan *chan, int result,
4749 u8 local_amp_id, u8 remote_amp_id)
4750{
62748ca1
AE		 4751 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4752 local_amp_id, remote_amp_id);
4753
12d6cc60
AE		 4754 chan->fcs = L2CAP_FCS_NONE;
4755
62748ca1
AE		 4756 /* Outgoing channel on AMP */
4757 if (chan->state == BT_CONNECT) {
4758 if (result == L2CAP_CR_SUCCESS) {
4759 chan->local_amp_id = local_amp_id;
4760 l2cap_send_create_chan_req(chan, remote_amp_id);
4761 } else {
4762 /* Revert to BR/EDR connect */
4763 l2cap_send_conn_req(chan);
4764 }
4765
4766 return;
4767 }
4768
4769 /* Incoming channel on AMP */
4770 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4771 struct l2cap_conn_rsp rsp;
4772 char buf[128];
4773 rsp.scid = cpu_to_le16(chan->dcid);
4774 rsp.dcid = cpu_to_le16(chan->scid);
4775
8eb200bd
MM		 4776 if (result == L2CAP_CR_SUCCESS) {
4777 /* Send successful response */
dcf4adbf
JP		 4778 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4779 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4780 } else {
4781 /* Send negative response */
dcf4adbf
JP		 4782 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4783 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4784 }
4785
4786 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4787 sizeof(rsp), &rsp);
4788
4789 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4790 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4791 set_bit(CONF_REQ_SENT, &chan->conf_state);
4792 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4793 L2CAP_CONF_REQ,
4794 l2cap_build_conf_req(chan, buf), buf);
4795 chan->num_conf_req++;
4796 }
8eb200bd
MM		 4797 }
4798}
4799
4800static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4801 u8 remote_amp_id)
4802{
4803 l2cap_move_setup(chan);
4804 chan->move_id = local_amp_id;
4805 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4806
4807 l2cap_send_move_chan_req(chan, remote_amp_id);
4808}
4809
4810static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4811{
4812 struct hci_chan *hchan = NULL;
4813
4814 /* Placeholder - get hci_chan for logical link */
4815
4816 if (hchan) {
4817 if (hchan->state == BT_CONNECTED) {
4818 /* Logical link is ready to go */
4819 chan->hs_hcon = hchan->conn;
4820 chan->hs_hcon->l2cap_data = chan->conn;
4821 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4822 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4823
4824 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4825 } else {
4826 /* Wait for logical link to be ready */
4827 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4828 }
4829 } else {
4830 /* Logical link not available */
4831 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4832 }
4833}
4834
4835static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4836{
4837 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4838 u8 rsp_result;
4839 if (result == -EINVAL)
4840 rsp_result = L2CAP_MR_BAD_ID;
4841 else
4842 rsp_result = L2CAP_MR_NOT_ALLOWED;
4843
4844 l2cap_send_move_chan_rsp(chan, rsp_result);
4845 }
4846
4847 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4848 chan->move_state = L2CAP_MOVE_STABLE;
4849
4850 /* Restart data transmission */
4851 l2cap_ertm_send(chan);
4852}
4853
a514b17f
AE		 4854/* Invoke with locked chan */
4855void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4856{
770bfefa 4857 u8 local_amp_id = chan->local_amp_id;
fffadc08 4858 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4859
8eb200bd
MM		 4860 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4861 chan, result, local_amp_id, remote_amp_id);
4862
8eb200bd
MM		 4863 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4864 l2cap_chan_unlock(chan);
4865 return;
4866 }
4867
4868 if (chan->state != BT_CONNECTED) {
4869 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4870 } else if (result != L2CAP_MR_SUCCESS) {
4871 l2cap_do_move_cancel(chan, result);
4872 } else {
4873 switch (chan->move_role) {
4874 case L2CAP_MOVE_ROLE_INITIATOR:
4875 l2cap_do_move_initiate(chan, local_amp_id,
4876 remote_amp_id);
4877 break;
4878 case L2CAP_MOVE_ROLE_RESPONDER:
4879 l2cap_do_move_respond(chan, result);
4880 break;
4881 default:
4882 l2cap_do_move_cancel(chan, result);
4883 break;
4884 }
4885 }
8eb200bd
MM		 4886}
4887
8d5a04a1 4888static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4889 struct l2cap_cmd_hdr *cmd,
4890 u16 cmd_len, void *data)
8d5a04a1
MM		 4891{
4892 struct l2cap_move_chan_req *req = data;
1500109b 4893 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4894 struct l2cap_chan *chan;
8d5a04a1
MM		 4895 u16 icid = 0;
4896 u16 result = L2CAP_MR_NOT_ALLOWED;
4897
4898 if (cmd_len != sizeof(*req))
4899 return -EPROTO;
4900
4901 icid = le16_to_cpu(req->icid);
4902
ad0ac6ca 4903 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4904
0bd49fc7 4905 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
8d5a04a1
MM		 4906 return -EINVAL;
4907
02b0fbb9
MM		 4908 chan = l2cap_get_chan_by_dcid(conn, icid);
4909 if (!chan) {
1500109b 4910 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4911 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4912 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4913 sizeof(rsp), &rsp);
02b0fbb9
MM		 4914 return 0;
4915 }
4916
1500109b
MM		 4917 chan->ident = cmd->ident;
4918
02b0fbb9
MM		 4919 if (chan->scid < L2CAP_CID_DYN_START ||
4920 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4921 (chan->mode != L2CAP_MODE_ERTM &&
4922 chan->mode != L2CAP_MODE_STREAMING)) {
4923 result = L2CAP_MR_NOT_ALLOWED;
4924 goto send_move_response;
4925 }
4926
4927 if (chan->local_amp_id == req->dest_amp_id) {
4928 result = L2CAP_MR_SAME_ID;
4929 goto send_move_response;
4930 }
4931
6ed971ca 4932 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4933 struct hci_dev *hdev;
4934 hdev = hci_dev_get(req->dest_amp_id);
4935 if (!hdev || hdev->dev_type != HCI_AMP ||
4936 !test_bit(HCI_UP, &hdev->flags)) {
4937 if (hdev)
4938 hci_dev_put(hdev);
4939
4940 result = L2CAP_MR_BAD_ID;
4941 goto send_move_response;
4942 }
4943 hci_dev_put(hdev);
4944 }
4945
4946 /* Detect a move collision. Only send a collision response
4947 * if this side has "lost", otherwise proceed with the move.
4948 * The winner has the larger bd_addr.
4949 */
4950 if ((__chan_is_moving(chan) ||
4951 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4952 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4953 result = L2CAP_MR_COLLISION;
4954 goto send_move_response;
4955 }
4956
02b0fbb9
MM		 4957 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4958 l2cap_move_setup(chan);
4959 chan->move_id = req->dest_amp_id;
4960 icid = chan->dcid;
4961
6ed971ca 4962 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4963 /* Moving to BR/EDR */
4964 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4965 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4966 result = L2CAP_MR_PEND;
4967 } else {
4968 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4969 result = L2CAP_MR_SUCCESS;
4970 }
4971 } else {
4972 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4973 /* Placeholder - uncomment when amp functions are available */
4974 /*amp_accept_physical(chan, req->dest_amp_id);*/
4975 result = L2CAP_MR_PEND;
4976 }
4977
4978send_move_response:
1500109b 4979 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4980
02b0fbb9
MM		 4981 l2cap_chan_unlock(chan);
4982
8d5a04a1
MM		 4983 return 0;
4984}
4985
5b155ef9
MM		 4986static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4987{
4988 struct l2cap_chan *chan;
4989 struct hci_chan *hchan = NULL;
4990
4991 chan = l2cap_get_chan_by_scid(conn, icid);
4992 if (!chan) {
4993 l2cap_send_move_chan_cfm_icid(conn, icid);
4994 return;
4995 }
4996
4997 __clear_chan_timer(chan);
4998 if (result == L2CAP_MR_PEND)
4999 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5000
5001 switch (chan->move_state) {
5002 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5003 /* Move confirm will be sent when logical link
5004 * is complete.
5005 */
5006 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5007 break;
5008 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5009 if (result == L2CAP_MR_PEND) {
5010 break;
5011 } else if (test_bit(CONN_LOCAL_BUSY,
5012 &chan->conn_state)) {
5013 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5014 } else {
5015 /* Logical link is up or moving to BR/EDR,
5016 * proceed with move
5017 */
5018 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5019 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5020 }
5021 break;
5022 case L2CAP_MOVE_WAIT_RSP:
5023 /* Moving to AMP */
5024 if (result == L2CAP_MR_SUCCESS) {
5025 /* Remote is ready, send confirm immediately
5026 * after logical link is ready
5027 */
5028 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5029 } else {
5030 /* Both logical link and move success
5031 * are required to confirm
5032 */
5033 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5034 }
5035
5036 /* Placeholder - get hci_chan for logical link */
5037 if (!hchan) {
5038 /* Logical link not available */
5039 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5040 break;
5041 }
5042
5043 /* If the logical link is not yet connected, do not
5044 * send confirmation.
5045 */
5046 if (hchan->state != BT_CONNECTED)
5047 break;
5048
5049 /* Logical link is already ready to go */
5050
5051 chan->hs_hcon = hchan->conn;
5052 chan->hs_hcon->l2cap_data = chan->conn;
5053
5054 if (result == L2CAP_MR_SUCCESS) {
5055 /* Can confirm now */
5056 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5057 } else {
5058 /* Now only need move success
5059 * to confirm
5060 */
5061 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5062 }
5063
5064 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5065 break;
5066 default:
5067 /* Any other amp move state means the move failed. */
5068 chan->move_id = chan->local_amp_id;
5069 l2cap_move_done(chan);
5070 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5071 }
5072
5073 l2cap_chan_unlock(chan);
5074}
5075
5076static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5077 u16 result)
5078{
5079 struct l2cap_chan *chan;
5080
5081 chan = l2cap_get_chan_by_ident(conn, ident);
5082 if (!chan) {
5083 /* Could not locate channel, icid is best guess */
5084 l2cap_send_move_chan_cfm_icid(conn, icid);
5085 return;
5086 }
5087
5088 __clear_chan_timer(chan);
5089
5090 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5091 if (result == L2CAP_MR_COLLISION) {
5092 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5093 } else {
5094 /* Cleanup - cancel move */
5095 chan->move_id = chan->local_amp_id;
5096 l2cap_move_done(chan);
5097 }
5098 }
5099
5100 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5101
5102 l2cap_chan_unlock(chan);
5103}
5104
5105static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5106 struct l2cap_cmd_hdr *cmd,
5107 u16 cmd_len, void *data)
8d5a04a1
MM		 5108{
5109 struct l2cap_move_chan_rsp *rsp = data;
5110 u16 icid, result;
5111
5112 if (cmd_len != sizeof(*rsp))
5113 return -EPROTO;
5114
5115 icid = le16_to_cpu(rsp->icid);
5116 result = le16_to_cpu(rsp->result);
5117
ad0ac6ca 5118 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5119
5b155ef9
MM		 5120 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5121 l2cap_move_continue(conn, icid, result);
5122 else
5123 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5124
5125 return 0;
5126}
5127
5f3847a4
MM		 5128static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5129 struct l2cap_cmd_hdr *cmd,
5130 u16 cmd_len, void *data)
8d5a04a1
MM		 5131{
5132 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5133 struct l2cap_chan *chan;
8d5a04a1
MM		 5134 u16 icid, result;
5135
5136 if (cmd_len != sizeof(*cfm))
5137 return -EPROTO;
5138
5139 icid = le16_to_cpu(cfm->icid);
5140 result = le16_to_cpu(cfm->result);
5141
ad0ac6ca 5142 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5143
5f3847a4
MM		 5144 chan = l2cap_get_chan_by_dcid(conn, icid);
5145 if (!chan) {
5146 /* Spec requires a response even if the icid was not found */
5147 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5148 return 0;
5149 }
5150
5151 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5152 if (result == L2CAP_MC_CONFIRMED) {
5153 chan->local_amp_id = chan->move_id;
6ed971ca 5154 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5155 __release_logical_link(chan);
5156 } else {
5157 chan->move_id = chan->local_amp_id;
5158 }
5159
5160 l2cap_move_done(chan);
5161 }
5162
8d5a04a1
MM		 5163 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5164
5f3847a4
MM		 5165 l2cap_chan_unlock(chan);
5166
8d5a04a1
MM		 5167 return 0;
5168}
5169
5170static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5171 struct l2cap_cmd_hdr *cmd,
5172 u16 cmd_len, void *data)
8d5a04a1
MM		 5173{
5174 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5175 struct l2cap_chan *chan;
8d5a04a1
MM		 5176 u16 icid;
5177
5178 if (cmd_len != sizeof(*rsp))
5179 return -EPROTO;
5180
5181 icid = le16_to_cpu(rsp->icid);
5182
ad0ac6ca 5183 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5184
3fd71a0a
MM		 5185 chan = l2cap_get_chan_by_scid(conn, icid);
5186 if (!chan)
5187 return 0;
5188
5189 __clear_chan_timer(chan);
5190
5191 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5192 chan->local_amp_id = chan->move_id;
5193
6ed971ca 5194 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5195 __release_logical_link(chan);
5196
5197 l2cap_move_done(chan);
5198 }
5199
5200 l2cap_chan_unlock(chan);
5201
8d5a04a1
MM		 5202 return 0;
5203}
5204
de73115a 5205static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5206 struct l2cap_cmd_hdr *cmd,
203e639e 5207 u16 cmd_len, u8 *data)
de73115a
CT		 5208{
5209 struct hci_conn *hcon = conn->hcon;
5210 struct l2cap_conn_param_update_req *req;
5211 struct l2cap_conn_param_update_rsp rsp;
203e639e 5212 u16 min, max, latency, to_multiplier;
2ce603eb 5213 int err;
de73115a 5214
40bef302 5215 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5216 return -EINVAL;
5217
de73115a
CT		 5218 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5219 return -EPROTO;
5220
5221 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5222 min = __le16_to_cpu(req->min);
5223 max = __le16_to_cpu(req->max);
de73115a
CT		 5224 latency = __le16_to_cpu(req->latency);
5225 to_multiplier = __le16_to_cpu(req->to_multiplier);
5226
5227 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5228 min, max, latency, to_multiplier);
de73115a
CT		 5229
5230 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5231
d4905f24 5232 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5233 if (err)
dcf4adbf 5234 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5235 else
dcf4adbf 5236 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5237
5238 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5239 sizeof(rsp), &rsp);
de73115a 5240
ffb5a827 5241 if (!err) {
f4869e2a
JH		 5242 u8 store_hint;
5243
5244 store_hint = hci_le_conn_update(hcon, min, max, latency,
5245 to_multiplier);
ffb5a827 5246 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5247 store_hint, min, max, latency,
5248 to_multiplier);
ffb5a827 5249
ffb5a827 5250 }
2ce603eb 5251
de73115a
CT		 5252 return 0;
5253}
5254
f1496dee
JH		 5255static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5256 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5257 u8 *data)
5258{
5259 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
3e64b7bd 5260 struct hci_conn *hcon = conn->hcon;
f1496dee
JH		 5261 u16 dcid, mtu, mps, credits, result;
5262 struct l2cap_chan *chan;
3e64b7bd 5263 int err, sec_level;
f1496dee
JH		 5264
5265 if (cmd_len < sizeof(*rsp))
5266 return -EPROTO;
5267
5268 dcid = __le16_to_cpu(rsp->dcid);
5269 mtu = __le16_to_cpu(rsp->mtu);
5270 mps = __le16_to_cpu(rsp->mps);
5271 credits = __le16_to_cpu(rsp->credits);
5272 result = __le16_to_cpu(rsp->result);
5273
40624183
JH		 5274 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5275 dcid < L2CAP_CID_DYN_START ||
5276 dcid > L2CAP_CID_LE_DYN_END))
f1496dee
JH		 5277 return -EPROTO;
5278
5279 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5280 dcid, mtu, mps, credits, result);
5281
5282 mutex_lock(&conn->chan_lock);
5283
5284 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5285 if (!chan) {
5286 err = -EBADSLT;
5287 goto unlock;
5288 }
5289
5290 err = 0;
5291
5292 l2cap_chan_lock(chan);
5293
5294 switch (result) {
5295 case L2CAP_CR_SUCCESS:
40624183
JH		 5296 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5297 err = -EBADSLT;
5298 break;
5299 }
5300
f1496dee
JH		 5301 chan->ident = 0;
5302 chan->dcid = dcid;
5303 chan->omtu = mtu;
5304 chan->remote_mps = mps;
0cd75f7e 5305 chan->tx_credits = credits;
f1496dee
JH		 5306 l2cap_chan_ready(chan);
5307 break;
5308
3e64b7bd
JH		 5309 case L2CAP_CR_AUTHENTICATION:
5310 case L2CAP_CR_ENCRYPTION:
5311 /* If we already have MITM protection we can't do
5312 * anything.
5313 */
5314 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5315 l2cap_chan_del(chan, ECONNREFUSED);
5316 break;
5317 }
5318
5319 sec_level = hcon->sec_level + 1;
5320 if (chan->sec_level < sec_level)
5321 chan->sec_level = sec_level;
5322
5323 /* We'll need to send a new Connect Request */
5324 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5325
5326 smp_conn_security(hcon, chan->sec_level);
5327 break;
5328
f1496dee
JH		 5329 default:
5330 l2cap_chan_del(chan, ECONNREFUSED);
5331 break;
5332 }
5333
5334 l2cap_chan_unlock(chan);
5335
5336unlock:
5337 mutex_unlock(&conn->chan_lock);
5338
5339 return err;
5340}
5341
3300d9a9 5342static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5343 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5344 u8 *data)
3300d9a9
CT		 5345{
5346 int err = 0;
5347
5348 switch (cmd->code) {
5349 case L2CAP_COMMAND_REJ:
cb3b3152 5350 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5351 break;
5352
5353 case L2CAP_CONN_REQ:
cb3b3152 5354 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5355 break;
5356
5357 case L2CAP_CONN_RSP:
f5a2598d 5358 case L2CAP_CREATE_CHAN_RSP:
9245e737 5359 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5360 break;
5361
5362 case L2CAP_CONF_REQ:
5363 err = l2cap_config_req(conn, cmd, cmd_len, data);
5364 break;
5365
5366 case L2CAP_CONF_RSP:
9245e737 5367 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5368 break;
5369
5370 case L2CAP_DISCONN_REQ:
cb3b3152 5371 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5372 break;
5373
5374 case L2CAP_DISCONN_RSP:
9245e737 5375 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5376 break;
5377
5378 case L2CAP_ECHO_REQ:
5379 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5380 break;
5381
5382 case L2CAP_ECHO_RSP:
5383 break;
5384
5385 case L2CAP_INFO_REQ:
cb3b3152 5386 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5387 break;
5388
5389 case L2CAP_INFO_RSP:
9245e737 5390 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5391 break;
5392
f94ff6ff
MM		 5393 case L2CAP_CREATE_CHAN_REQ:
5394 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5395 break;
5396
8d5a04a1
MM		 5397 case L2CAP_MOVE_CHAN_REQ:
5398 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5399 break;
5400
5401 case L2CAP_MOVE_CHAN_RSP:
9245e737 5402 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5403 break;
5404
5405 case L2CAP_MOVE_CHAN_CFM:
5406 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5407 break;
5408
5409 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5410 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5411 break;
5412
3300d9a9
CT		 5413 default:
5414 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5415 err = -EINVAL;
5416 break;
5417 }
5418
5419 return err;
5420}
5421
27e2d4c8
JH		 5422static int l2cap_le_connect_req(struct l2cap_conn *conn,
5423 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5424 u8 *data)
5425{
5426 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5427 struct l2cap_le_conn_rsp rsp;
5428 struct l2cap_chan *chan, *pchan;
0cd75f7e 5429 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5430 __le16 psm;
5431 u8 result;
5432
5433 if (cmd_len != sizeof(*req))
5434 return -EPROTO;
5435
5436 scid = __le16_to_cpu(req->scid);
5437 mtu = __le16_to_cpu(req->mtu);
5438 mps = __le16_to_cpu(req->mps);
5439 psm = req->psm;
5440 dcid = 0;
0cd75f7e 5441 credits = 0;
27e2d4c8
JH		 5442
5443 if (mtu < 23 || mps < 23)
5444 return -EPROTO;
5445
5446 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5447 scid, mtu, mps);
5448
5449 /* Check if we have socket listening on psm */
5450 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5451 &conn->hcon->dst, LE_LINK);
5452 if (!pchan) {
5453 result = L2CAP_CR_BAD_PSM;
5454 chan = NULL;
5455 goto response;
5456 }
5457
5458 mutex_lock(&conn->chan_lock);
5459 l2cap_chan_lock(pchan);
5460
35dc6f83
JH		 5461 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5462 SMP_ALLOW_STK)) {
27e2d4c8
JH		 5463 result = L2CAP_CR_AUTHENTICATION;
5464 chan = NULL;
5465 goto response_unlock;
5466 }
5467
8a7889cc
JH		 5468 /* Check for valid dynamic CID range */
5469 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5470 result = L2CAP_CR_INVALID_SCID;
5471 chan = NULL;
5472 goto response_unlock;
5473 }
5474
27e2d4c8
JH		 5475 /* Check if we already have channel with that dcid */
5476 if (__l2cap_get_chan_by_dcid(conn, scid)) {
8a7889cc 5477 result = L2CAP_CR_SCID_IN_USE;
27e2d4c8
JH		 5478 chan = NULL;
5479 goto response_unlock;
5480 }
5481
5482 chan = pchan->ops->new_connection(pchan);
5483 if (!chan) {
5484 result = L2CAP_CR_NO_MEM;
5485 goto response_unlock;
5486 }
5487
0ce43ce6
JH		 5488 l2cap_le_flowctl_init(chan);
5489
27e2d4c8
JH		 5490 bacpy(&chan->src, &conn->hcon->src);
5491 bacpy(&chan->dst, &conn->hcon->dst);
a250e048
JH		 5492 chan->src_type = bdaddr_src_type(conn->hcon);
5493 chan->dst_type = bdaddr_dst_type(conn->hcon);
27e2d4c8
JH		 5494 chan->psm = psm;
5495 chan->dcid = scid;
5496 chan->omtu = mtu;
5497 chan->remote_mps = mps;
0cd75f7e 5498 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5499
5500 __l2cap_chan_add(conn, chan);
5501 dcid = chan->scid;
0cd75f7e 5502 credits = chan->rx_credits;
27e2d4c8
JH		 5503
5504 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5505
5506 chan->ident = cmd->ident;
5507
5508 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5509 l2cap_state_change(chan, BT_CONNECT2);
434714dc
JH		 5510 /* The following result value is actually not defined
5511 * for LE CoC but we use it to let the function know
5512 * that it should bail out after doing its cleanup
5513 * instead of sending a response.
5514 */
27e2d4c8
JH		 5515 result = L2CAP_CR_PEND;
5516 chan->ops->defer(chan);
5517 } else {
5518 l2cap_chan_ready(chan);
5519 result = L2CAP_CR_SUCCESS;
5520 }
5521
5522response_unlock:
5523 l2cap_chan_unlock(pchan);
5524 mutex_unlock(&conn->chan_lock);
a24cce14 5525 l2cap_chan_put(pchan);
27e2d4c8
JH		 5526
5527 if (result == L2CAP_CR_PEND)
5528 return 0;
5529
5530response:
5531 if (chan) {
5532 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5533 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5534 } else {
5535 rsp.mtu = 0;
5536 rsp.mps = 0;
5537 }
5538
5539 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5540 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5541 rsp.result = cpu_to_le16(result);
5542
5543 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5544
5545 return 0;
5546}
5547
fad5fc89
JH		 5548static inline int l2cap_le_credits(struct l2cap_conn *conn,
5549 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5550 u8 *data)
5551{
5552 struct l2cap_le_credits *pkt;
5553 struct l2cap_chan *chan;
0f1bfe4e 5554 u16 cid, credits, max_credits;
fad5fc89
JH		 5555
5556 if (cmd_len != sizeof(*pkt))
5557 return -EPROTO;
5558
5559 pkt = (struct l2cap_le_credits *) data;
5560 cid = __le16_to_cpu(pkt->cid);
5561 credits = __le16_to_cpu(pkt->credits);
5562
5563 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5564
5565 chan = l2cap_get_chan_by_dcid(conn, cid);
5566 if (!chan)
5567 return -EBADSLT;
5568
0f1bfe4e
JH		 5569 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5570 if (credits > max_credits) {
5571 BT_ERR("LE credits overflow");
5572 l2cap_send_disconn_req(chan, ECONNRESET);
ee93053d 5573 l2cap_chan_unlock(chan);
0f1bfe4e
JH		 5574
5575 /* Return 0 so that we don't trigger an unnecessary
5576 * command reject packet.
5577 */
5578 return 0;
5579 }
5580
fad5fc89
JH		 5581 chan->tx_credits += credits;
5582
8a505b7f
LAD		 5583 /* Resume sending */
5584 l2cap_le_flowctl_send(chan);
fad5fc89
JH		 5585
5586 if (chan->tx_credits)
5587 chan->ops->resume(chan);
5588
5589 l2cap_chan_unlock(chan);
5590
5591 return 0;
5592}
5593
71fb4197
JH		 5594static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5595 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 u8 *data)
5597{
5598 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5599 struct l2cap_chan *chan;
5600
5601 if (cmd_len < sizeof(*rej))
5602 return -EPROTO;
5603
5604 mutex_lock(&conn->chan_lock);
5605
5606 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5607 if (!chan)
5608 goto done;
5609
5610 l2cap_chan_lock(chan);
5611 l2cap_chan_del(chan, ECONNREFUSED);
5612 l2cap_chan_unlock(chan);
5613
5614done:
5615 mutex_unlock(&conn->chan_lock);
5616 return 0;
5617}
5618
3300d9a9 5619static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5620 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5621 u8 *data)
3300d9a9 5622{
b5ecba64
JH		 5623 int err = 0;
5624
3300d9a9
CT		 5625 switch (cmd->code) {
5626 case L2CAP_COMMAND_REJ:
71fb4197 5627 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5628 break;
3300d9a9
CT		 5629
5630 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5631 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5632 break;
3300d9a9
CT		 5633
5634 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5635 break;
3300d9a9 5636
f1496dee
JH		 5637 case L2CAP_LE_CONN_RSP:
5638 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5639 break;
f1496dee 5640
27e2d4c8 5641 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5642 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5643 break;
27e2d4c8 5644
fad5fc89
JH		 5645 case L2CAP_LE_CREDITS:
5646 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5647 break;
5648
3defe01a 5649 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5650 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5651 break;
3defe01a
JH		 5652
5653 case L2CAP_DISCONN_RSP:
5654 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5655 break;
3defe01a 5656
3300d9a9
CT		 5657 default:
5658 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5659 err = -EINVAL;
5660 break;
3300d9a9 5661 }
b5ecba64
JH		 5662
5663 return err;
3300d9a9
CT		 5664}
5665
c5623556
JH		 5666static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5667 struct sk_buff *skb)
5668{
69c4e4e8 5669 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5670 struct l2cap_cmd_hdr *cmd;
5671 u16 len;
c5623556
JH		 5672 int err;
5673
69c4e4e8 5674 if (hcon->type != LE_LINK)
3b166295 5675 goto drop;
69c4e4e8 5676
4f3e219d
MH		 5677 if (skb->len < L2CAP_CMD_HDR_SIZE)
5678 goto drop;
c5623556 5679
4f3e219d
MH		 5680 cmd = (void *) skb->data;
5681 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5682
4f3e219d 5683 len = le16_to_cpu(cmd->len);
c5623556 5684
4f3e219d 5685 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5686
4f3e219d
MH		 5687 if (len != skb->len || !cmd->ident) {
5688 BT_DBG("corrupted command");
5689 goto drop;
5690 }
c5623556 5691
203e639e 5692 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5693 if (err) {
5694 struct l2cap_cmd_rej_unk rej;
c5623556 5695
4f3e219d 5696 BT_ERR("Wrong link type (%d)", err);
c5623556 5697
dcf4adbf 5698 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5699 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5700 sizeof(rej), &rej);
c5623556
JH		 5701 }
5702
3b166295 5703drop:
c5623556
JH		 5704 kfree_skb(skb);
5705}
5706
3300d9a9 5707static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5708 struct sk_buff *skb)
1da177e4 5709{
69c4e4e8 5710 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5711 u8 *data = skb->data;
5712 int len = skb->len;
5713 struct l2cap_cmd_hdr cmd;
3300d9a9 5714 int err;
1da177e4
LT		 5715
5716 l2cap_raw_recv(conn, skb);
5717
69c4e4e8 5718 if (hcon->type != ACL_LINK)
3b166295 5719 goto drop;
69c4e4e8 5720
1da177e4 5721 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5722 u16 cmd_len;
1da177e4
LT		 5723 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5724 data += L2CAP_CMD_HDR_SIZE;
5725 len -= L2CAP_CMD_HDR_SIZE;
5726
88219a0f 5727 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5728
2d792818
GP		 5729 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5730 cmd.ident);
1da177e4 5731
88219a0f 5732 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5733 BT_DBG("corrupted command");
5734 break;
5735 }
5736
c5623556 5737 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5738 if (err) {
e2fd318e 5739 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5740
5741 BT_ERR("Wrong link type (%d)", err);
1da177e4 5742
dcf4adbf 5743 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5744 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5745 sizeof(rej), &rej);
1da177e4
LT		 5746 }
5747
88219a0f
AV		 5748 data += cmd_len;
5749 len -= cmd_len;
1da177e4
LT		 5750 }
5751
3b166295 5752drop:
1da177e4
LT		 5753 kfree_skb(skb);
5754}
5755
47d1ec61 5756static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5757{
5758 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5759 int hdr_size;
5760
5761 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5762 hdr_size = L2CAP_EXT_HDR_SIZE;
5763 else
5764 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5765
47d1ec61 5766 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5767 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5768 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5769 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5770
5771 if (our_fcs != rcv_fcs)
7a560e5c 5772 return -EBADMSG;
fcc203c3
GP		 5773 }
5774 return 0;
5775}
5776
6ea00485 5777static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5778{
e31f7633 5779 struct l2cap_ctrl control;
d5392c8f 5780
e31f7633 5781 BT_DBG("chan %p", chan);
d5392c8f 5782
e31f7633
MM		 5783 memset(&control, 0, sizeof(control));
5784 control.sframe = 1;
5785 control.final = 1;
5786 control.reqseq = chan->buffer_seq;
5787 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5788
e2ab4353 5789 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5790 control.super = L2CAP_SUPER_RNR;
5791 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5792 }
5793
e31f7633
MM		 5794 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5795 chan->unacked_frames > 0)
5796 __set_retrans_timer(chan);
d5392c8f 5797
e31f7633 5798 /* Send pending iframes */
525cd185 5799 l2cap_ertm_send(chan);
d5392c8f 5800
e2ab4353 5801 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5802 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5803 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5804 * send it now.
5805 */
5806 control.super = L2CAP_SUPER_RR;
5807 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5808 }
5809}
5810
2d792818
GP		 5811static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5812 struct sk_buff **last_frag)
18778a63 5813{
84084a31
MM		 5814 /* skb->len reflects data in skb as well as all fragments
5815 * skb->data_len reflects only data in fragments
5816 */
5817 if (!skb_has_frag_list(skb))
5818 skb_shinfo(skb)->frag_list = new_frag;
5819
5820 new_frag->next = NULL;
5821
5822 (*last_frag)->next = new_frag;
5823 *last_frag = new_frag;
5824
5825 skb->len += new_frag->len;
5826 skb->data_len += new_frag->len;
5827 skb->truesize += new_frag->truesize;
5828}
5829
4b51dae9
MM		 5830static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5831 struct l2cap_ctrl *control)
84084a31
MM		 5832{
5833 int err = -EINVAL;
18778a63 5834
4b51dae9 5835 switch (control->sar) {
7e0ef6ee 5836 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5837 if (chan->sdu)
5838 break;
18778a63 5839
80b98027 5840 err = chan->ops->recv(chan, skb);
84084a31 5841 break;
18778a63 5842
7e0ef6ee 5843 case L2CAP_SAR_START:
84084a31
MM		 5844 if (chan->sdu)
5845 break;
18778a63 5846
dbb50887
DB		 5847 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5848 break;
5849
6f61fd47 5850 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5851 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5852
84084a31
MM		 5853 if (chan->sdu_len > chan->imtu) {
5854 err = -EMSGSIZE;
5855 break;
5856 }
1890d36b 5857
84084a31
MM		 5858 if (skb->len >= chan->sdu_len)
5859 break;
18778a63 5860
84084a31
MM		 5861 chan->sdu = skb;
5862 chan->sdu_last_frag = skb;
18778a63 5863
84084a31
MM		 5864 skb = NULL;
5865 err = 0;
18778a63
GP		 5866 break;
5867
7e0ef6ee 5868 case L2CAP_SAR_CONTINUE:
6f61fd47 5869 if (!chan->sdu)
84084a31 5870 break;
18778a63 5871
84084a31
MM		 5872 append_skb_frag(chan->sdu, skb,
5873 &chan->sdu_last_frag);
5874 skb = NULL;
18778a63 5875
84084a31
MM		 5876 if (chan->sdu->len >= chan->sdu_len)
5877 break;
4178ba46 5878
84084a31 5879 err = 0;
18778a63
GP		 5880 break;
5881
7e0ef6ee 5882 case L2CAP_SAR_END:
6f61fd47 5883 if (!chan->sdu)
84084a31 5884 break;
18778a63 5885
84084a31
MM		 5886 append_skb_frag(chan->sdu, skb,
5887 &chan->sdu_last_frag);
5888 skb = NULL;
4178ba46 5889
84084a31
MM		 5890 if (chan->sdu->len != chan->sdu_len)
5891 break;
18778a63 5892
80b98027 5893 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5894
84084a31
MM		 5895 if (!err) {
5896 /* Reassembly complete */
5897 chan->sdu = NULL;
5898 chan->sdu_last_frag = NULL;
5899 chan->sdu_len = 0;
1890d36b 5900 }
18778a63
GP		 5901 break;
5902 }
5903
84084a31
MM		 5904 if (err) {
5905 kfree_skb(skb);
5906 kfree_skb(chan->sdu);
5907 chan->sdu = NULL;
5908 chan->sdu_last_frag = NULL;
5909 chan->sdu_len = 0;
5910 }
18778a63 5911
84084a31 5912 return err;
18778a63
GP		 5913}
5914
32b32735
MM		 5915static int l2cap_resegment(struct l2cap_chan *chan)
5916{
5917 /* Placeholder */
5918 return 0;
5919}
5920
61aa4f5b 5921void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5922{
61aa4f5b 5923 u8 event;
712132eb 5924
61aa4f5b
MM		 5925 if (chan->mode != L2CAP_MODE_ERTM)
5926 return;
712132eb 5927
61aa4f5b 5928 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5929 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5930}
5931
d2a7ac5d
MM		 5932static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5933{
63838725
MM		 5934 int err = 0;
5935 /* Pass sequential frames to l2cap_reassemble_sdu()
5936 * until a gap is encountered.
5937 */
5938
5939 BT_DBG("chan %p", chan);
5940
5941 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5942 struct sk_buff *skb;
5943 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5944 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5945
5946 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5947
5948 if (!skb)
5949 break;
5950
5951 skb_unlink(skb, &chan->srej_q);
5952 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
a4368ff3 5953 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
63838725
MM		 5954 if (err)
5955 break;
5956 }
5957
5958 if (skb_queue_empty(&chan->srej_q)) {
5959 chan->rx_state = L2CAP_RX_STATE_RECV;
5960 l2cap_send_ack(chan);
5961 }
5962
5963 return err;
d2a7ac5d
MM		 5964}
5965
5966static void l2cap_handle_srej(struct l2cap_chan *chan,
5967 struct l2cap_ctrl *control)
5968{
f80842a8
MM		 5969 struct sk_buff *skb;
5970
5971 BT_DBG("chan %p, control %p", chan, control);
5972
5973 if (control->reqseq == chan->next_tx_seq) {
5974 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5975 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5976 return;
5977 }
5978
5979 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5980
5981 if (skb == NULL) {
5982 BT_DBG("Seq %d not available for retransmission",
5983 control->reqseq);
5984 return;
5985 }
5986
a4368ff3 5987 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
f80842a8 5988 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5989 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5990 return;
5991 }
5992
5993 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5994
5995 if (control->poll) {
5996 l2cap_pass_to_tx(chan, control);
5997
5998 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5999 l2cap_retransmit(chan, control);
6000 l2cap_ertm_send(chan);
6001
6002 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6003 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6004 chan->srej_save_reqseq = control->reqseq;
6005 }
6006 } else {
6007 l2cap_pass_to_tx_fbit(chan, control);
6008
6009 if (control->final) {
6010 if (chan->srej_save_reqseq != control->reqseq ||
6011 !test_and_clear_bit(CONN_SREJ_ACT,
6012 &chan->conn_state))
6013 l2cap_retransmit(chan, control);
6014 } else {
6015 l2cap_retransmit(chan, control);
6016 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6017 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6018 chan->srej_save_reqseq = control->reqseq;
6019 }
6020 }
6021 }
d2a7ac5d
MM		 6022}
6023
6024static void l2cap_handle_rej(struct l2cap_chan *chan,
6025 struct l2cap_ctrl *control)
6026{
fcd289df
MM		 6027 struct sk_buff *skb;
6028
6029 BT_DBG("chan %p, control %p", chan, control);
6030
6031 if (control->reqseq == chan->next_tx_seq) {
6032 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 6033 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6034 return;
6035 }
6036
6037 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6038
6039 if (chan->max_tx && skb &&
a4368ff3 6040 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
fcd289df 6041 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 6042 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6043 return;
6044 }
6045
6046 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6047
6048 l2cap_pass_to_tx(chan, control);
6049
6050 if (control->final) {
6051 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6052 l2cap_retransmit_all(chan, control);
6053 } else {
6054 l2cap_retransmit_all(chan, control);
6055 l2cap_ertm_send(chan);
6056 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6057 set_bit(CONN_REJ_ACT, &chan->conn_state);
6058 }
d2a7ac5d
MM		 6059}
6060
4b51dae9
MM		 6061static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6062{
6063 BT_DBG("chan %p, txseq %d", chan, txseq);
6064
6065 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6066 chan->expected_tx_seq);
6067
6068 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6069 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6070 chan->tx_win) {
4b51dae9
MM		 6071 /* See notes below regarding "double poll" and
6072 * invalid packets.
6073 */
6074 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6075 BT_DBG("Invalid/Ignore - after SREJ");
6076 return L2CAP_TXSEQ_INVALID_IGNORE;
6077 } else {
6078 BT_DBG("Invalid - in window after SREJ sent");
6079 return L2CAP_TXSEQ_INVALID;
6080 }
6081 }
6082
6083 if (chan->srej_list.head == txseq) {
6084 BT_DBG("Expected SREJ");
6085 return L2CAP_TXSEQ_EXPECTED_SREJ;
6086 }
6087
6088 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6089 BT_DBG("Duplicate SREJ - txseq already stored");
6090 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6091 }
6092
6093 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6094 BT_DBG("Unexpected SREJ - not requested");
6095 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6096 }
6097 }
6098
6099 if (chan->expected_tx_seq == txseq) {
6100 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6101 chan->tx_win) {
6102 BT_DBG("Invalid - txseq outside tx window");
6103 return L2CAP_TXSEQ_INVALID;
6104 } else {
6105 BT_DBG("Expected");
6106 return L2CAP_TXSEQ_EXPECTED;
6107 }
6108 }
6109
6110 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6111 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6112 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6113 return L2CAP_TXSEQ_DUPLICATE;
6114 }
6115
6116 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6117 /* A source of invalid packets is a "double poll" condition,
6118 * where delays cause us to send multiple poll packets. If
6119 * the remote stack receives and processes both polls,
6120 * sequence numbers can wrap around in such a way that a
6121 * resent frame has a sequence number that looks like new data
6122 * with a sequence gap. This would trigger an erroneous SREJ
6123 * request.
6124 *
6125 * Fortunately, this is impossible with a tx window that's
6126 * less than half of the maximum sequence number, which allows
6127 * invalid frames to be safely ignored.
6128 *
6129 * With tx window sizes greater than half of the tx window
6130 * maximum, the frame is invalid and cannot be ignored. This
6131 * causes a disconnect.
6132 */
6133
6134 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6135 BT_DBG("Invalid/Ignore - txseq outside tx window");
6136 return L2CAP_TXSEQ_INVALID_IGNORE;
6137 } else {
6138 BT_DBG("Invalid - txseq outside tx window");
6139 return L2CAP_TXSEQ_INVALID;
6140 }
6141 } else {
6142 BT_DBG("Unexpected - txseq indicates missing frames");
6143 return L2CAP_TXSEQ_UNEXPECTED;
6144 }
6145}
6146
d2a7ac5d
MM		 6147static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6148 struct l2cap_ctrl *control,
6149 struct sk_buff *skb, u8 event)
6150{
6151 int err = 0;
941247f9 6152 bool skb_in_use = false;
d2a7ac5d
MM		 6153
6154 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6155 event);
6156
6157 switch (event) {
6158 case L2CAP_EV_RECV_IFRAME:
6159 switch (l2cap_classify_txseq(chan, control->txseq)) {
6160 case L2CAP_TXSEQ_EXPECTED:
6161 l2cap_pass_to_tx(chan, control);
6162
6163 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6164 BT_DBG("Busy, discarding expected seq %d",
6165 control->txseq);
6166 break;
6167 }
6168
6169 chan->expected_tx_seq = __next_seq(chan,
6170 control->txseq);
6171
6172 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6173 skb_in_use = true;
d2a7ac5d
MM		 6174
6175 err = l2cap_reassemble_sdu(chan, skb, control);
6176 if (err)
6177 break;
6178
6179 if (control->final) {
6180 if (!test_and_clear_bit(CONN_REJ_ACT,
6181 &chan->conn_state)) {
6182 control->final = 0;
6183 l2cap_retransmit_all(chan, control);
6184 l2cap_ertm_send(chan);
6185 }
6186 }
6187
6188 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6189 l2cap_send_ack(chan);
6190 break;
6191 case L2CAP_TXSEQ_UNEXPECTED:
6192 l2cap_pass_to_tx(chan, control);
6193
6194 /* Can't issue SREJ frames in the local busy state.
6195 * Drop this frame, it will be seen as missing
6196 * when local busy is exited.
6197 */
6198 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6199 BT_DBG("Busy, discarding unexpected seq %d",
6200 control->txseq);
6201 break;
6202 }
6203
6204 /* There was a gap in the sequence, so an SREJ
6205 * must be sent for each missing frame. The
6206 * current frame is stored for later use.
6207 */
6208 skb_queue_tail(&chan->srej_q, skb);
941247f9 6209 skb_in_use = true;
d2a7ac5d
MM		 6210 BT_DBG("Queued %p (queue len %d)", skb,
6211 skb_queue_len(&chan->srej_q));
6212
6213 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6214 l2cap_seq_list_clear(&chan->srej_list);
6215 l2cap_send_srej(chan, control->txseq);
6216
6217 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6218 break;
6219 case L2CAP_TXSEQ_DUPLICATE:
6220 l2cap_pass_to_tx(chan, control);
6221 break;
6222 case L2CAP_TXSEQ_INVALID_IGNORE:
6223 break;
6224 case L2CAP_TXSEQ_INVALID:
6225 default:
5e4e3972 6226 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6227 break;
6228 }
6229 break;
6230 case L2CAP_EV_RECV_RR:
6231 l2cap_pass_to_tx(chan, control);
6232 if (control->final) {
6233 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6234
e6a3ee6e
MM		 6235 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6236 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6237 control->final = 0;
6238 l2cap_retransmit_all(chan, control);
6239 }
6240
6241 l2cap_ertm_send(chan);
6242 } else if (control->poll) {
6243 l2cap_send_i_or_rr_or_rnr(chan);
6244 } else {
6245 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6246 &chan->conn_state) &&
6247 chan->unacked_frames)
6248 __set_retrans_timer(chan);
6249
6250 l2cap_ertm_send(chan);
6251 }
6252 break;
6253 case L2CAP_EV_RECV_RNR:
6254 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6255 l2cap_pass_to_tx(chan, control);
6256 if (control && control->poll) {
6257 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6258 l2cap_send_rr_or_rnr(chan, 0);
6259 }
6260 __clear_retrans_timer(chan);
6261 l2cap_seq_list_clear(&chan->retrans_list);
6262 break;
6263 case L2CAP_EV_RECV_REJ:
6264 l2cap_handle_rej(chan, control);
6265 break;
6266 case L2CAP_EV_RECV_SREJ:
6267 l2cap_handle_srej(chan, control);
6268 break;
6269 default:
6270 break;
6271 }
6272
6273 if (skb && !skb_in_use) {
6274 BT_DBG("Freeing %p", skb);
6275 kfree_skb(skb);
6276 }
6277
6278 return err;
6279}
6280
6281static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6282 struct l2cap_ctrl *control,
6283 struct sk_buff *skb, u8 event)
6284{
6285 int err = 0;
6286 u16 txseq = control->txseq;
941247f9 6287 bool skb_in_use = false;
d2a7ac5d
MM		 6288
6289 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6290 event);
6291
6292 switch (event) {
6293 case L2CAP_EV_RECV_IFRAME:
6294 switch (l2cap_classify_txseq(chan, txseq)) {
6295 case L2CAP_TXSEQ_EXPECTED:
6296 /* Keep frame for reassembly later */
6297 l2cap_pass_to_tx(chan, control);
6298 skb_queue_tail(&chan->srej_q, skb);
941247f9 6299 skb_in_use = true;
d2a7ac5d
MM		 6300 BT_DBG("Queued %p (queue len %d)", skb,
6301 skb_queue_len(&chan->srej_q));
6302
6303 chan->expected_tx_seq = __next_seq(chan, txseq);
6304 break;
6305 case L2CAP_TXSEQ_EXPECTED_SREJ:
6306 l2cap_seq_list_pop(&chan->srej_list);
6307
6308 l2cap_pass_to_tx(chan, control);
6309 skb_queue_tail(&chan->srej_q, skb);
941247f9 6310 skb_in_use = true;
d2a7ac5d
MM		 6311 BT_DBG("Queued %p (queue len %d)", skb,
6312 skb_queue_len(&chan->srej_q));
6313
6314 err = l2cap_rx_queued_iframes(chan);
6315 if (err)
6316 break;
6317
6318 break;
6319 case L2CAP_TXSEQ_UNEXPECTED:
6320 /* Got a frame that can't be reassembled yet.
6321 * Save it for later, and send SREJs to cover
6322 * the missing frames.
6323 */
6324 skb_queue_tail(&chan->srej_q, skb);
941247f9 6325 skb_in_use = true;
d2a7ac5d
MM		 6326 BT_DBG("Queued %p (queue len %d)", skb,
6327 skb_queue_len(&chan->srej_q));
6328
6329 l2cap_pass_to_tx(chan, control);
6330 l2cap_send_srej(chan, control->txseq);
6331 break;
6332 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6333 /* This frame was requested with an SREJ, but
6334 * some expected retransmitted frames are
6335 * missing. Request retransmission of missing
6336 * SREJ'd frames.
6337 */
6338 skb_queue_tail(&chan->srej_q, skb);
941247f9 6339 skb_in_use = true;
d2a7ac5d
MM		 6340 BT_DBG("Queued %p (queue len %d)", skb,
6341 skb_queue_len(&chan->srej_q));
6342
6343 l2cap_pass_to_tx(chan, control);
6344 l2cap_send_srej_list(chan, control->txseq);
6345 break;
6346 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6347 /* We've already queued this frame. Drop this copy. */
6348 l2cap_pass_to_tx(chan, control);
6349 break;
6350 case L2CAP_TXSEQ_DUPLICATE:
6351 /* Expecting a later sequence number, so this frame
6352 * was already received. Ignore it completely.
6353 */
6354 break;
6355 case L2CAP_TXSEQ_INVALID_IGNORE:
6356 break;
6357 case L2CAP_TXSEQ_INVALID:
6358 default:
5e4e3972 6359 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6360 break;
6361 }
6362 break;
6363 case L2CAP_EV_RECV_RR:
6364 l2cap_pass_to_tx(chan, control);
6365 if (control->final) {
6366 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6367
6368 if (!test_and_clear_bit(CONN_REJ_ACT,
6369 &chan->conn_state)) {
6370 control->final = 0;
6371 l2cap_retransmit_all(chan, control);
6372 }
6373
6374 l2cap_ertm_send(chan);
6375 } else if (control->poll) {
6376 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6377 &chan->conn_state) &&
6378 chan->unacked_frames) {
6379 __set_retrans_timer(chan);
6380 }
6381
6382 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6383 l2cap_send_srej_tail(chan);
6384 } else {
6385 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6386 &chan->conn_state) &&
6387 chan->unacked_frames)
6388 __set_retrans_timer(chan);
6389
6390 l2cap_send_ack(chan);
6391 }
6392 break;
6393 case L2CAP_EV_RECV_RNR:
6394 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6395 l2cap_pass_to_tx(chan, control);
6396 if (control->poll) {
6397 l2cap_send_srej_tail(chan);
6398 } else {
6399 struct l2cap_ctrl rr_control;
6400 memset(&rr_control, 0, sizeof(rr_control));
6401 rr_control.sframe = 1;
6402 rr_control.super = L2CAP_SUPER_RR;
6403 rr_control.reqseq = chan->buffer_seq;
6404 l2cap_send_sframe(chan, &rr_control);
6405 }
6406
6407 break;
6408 case L2CAP_EV_RECV_REJ:
6409 l2cap_handle_rej(chan, control);
6410 break;
6411 case L2CAP_EV_RECV_SREJ:
6412 l2cap_handle_srej(chan, control);
6413 break;
6414 }
6415
6416 if (skb && !skb_in_use) {
6417 BT_DBG("Freeing %p", skb);
6418 kfree_skb(skb);
6419 }
6420
6421 return err;
6422}
6423
32b32735
MM		 6424static int l2cap_finish_move(struct l2cap_chan *chan)
6425{
6426 BT_DBG("chan %p", chan);
6427
6428 chan->rx_state = L2CAP_RX_STATE_RECV;
6429
6430 if (chan->hs_hcon)
6431 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6432 else
6433 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6434
6435 return l2cap_resegment(chan);
6436}
6437
6438static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6439 struct l2cap_ctrl *control,
6440 struct sk_buff *skb, u8 event)
6441{
6442 int err;
6443
6444 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6445 event);
6446
6447 if (!control->poll)
6448 return -EPROTO;
6449
6450 l2cap_process_reqseq(chan, control->reqseq);
6451
6452 if (!skb_queue_empty(&chan->tx_q))
6453 chan->tx_send_head = skb_peek(&chan->tx_q);
6454 else
6455 chan->tx_send_head = NULL;
6456
6457 /* Rewind next_tx_seq to the point expected
6458 * by the receiver.
6459 */
6460 chan->next_tx_seq = control->reqseq;
6461 chan->unacked_frames = 0;
6462
6463 err = l2cap_finish_move(chan);
6464 if (err)
6465 return err;
6466
6467 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6468 l2cap_send_i_or_rr_or_rnr(chan);
6469
6470 if (event == L2CAP_EV_RECV_IFRAME)
6471 return -EPROTO;
6472
6473 return l2cap_rx_state_recv(chan, control, NULL, event);
6474}
6475
6476static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6477 struct l2cap_ctrl *control,
6478 struct sk_buff *skb, u8 event)
6479{
6480 int err;
6481
6482 if (!control->final)
6483 return -EPROTO;
6484
6485 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6486
6487 chan->rx_state = L2CAP_RX_STATE_RECV;
6488 l2cap_process_reqseq(chan, control->reqseq);
6489
6490 if (!skb_queue_empty(&chan->tx_q))
6491 chan->tx_send_head = skb_peek(&chan->tx_q);
6492 else
6493 chan->tx_send_head = NULL;
6494
6495 /* Rewind next_tx_seq to the point expected
6496 * by the receiver.
6497 */
6498 chan->next_tx_seq = control->reqseq;
6499 chan->unacked_frames = 0;
6500
6501 if (chan->hs_hcon)
6502 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6503 else
6504 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6505
6506 err = l2cap_resegment(chan);
6507
6508 if (!err)
6509 err = l2cap_rx_state_recv(chan, control, skb, event);
6510
6511 return err;
6512}
6513
d2a7ac5d
MM		 6514static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6515{
6516 /* Make sure reqseq is for a packet that has been sent but not acked */
6517 u16 unacked;
6518
6519 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6520 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6521}
6522
cec8ab6e
MM		 6523static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6524 struct sk_buff *skb, u8 event)
218bb9df 6525{
d2a7ac5d
MM		 6526 int err = 0;
6527
6528 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6529 control, skb, event, chan->rx_state);
6530
6531 if (__valid_reqseq(chan, control->reqseq)) {
6532 switch (chan->rx_state) {
6533 case L2CAP_RX_STATE_RECV:
6534 err = l2cap_rx_state_recv(chan, control, skb, event);
6535 break;
6536 case L2CAP_RX_STATE_SREJ_SENT:
6537 err = l2cap_rx_state_srej_sent(chan, control, skb,
6538 event);
6539 break;
32b32735
MM		 6540 case L2CAP_RX_STATE_WAIT_P:
6541 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6542 break;
6543 case L2CAP_RX_STATE_WAIT_F:
6544 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6545 break;
d2a7ac5d
MM		 6546 default:
6547 /* shut it down */
6548 break;
6549 }
6550 } else {
6551 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6552 control->reqseq, chan->next_tx_seq,
6553 chan->expected_ack_seq);
5e4e3972 6554 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6555 }
6556
6557 return err;
cec8ab6e
MM		 6558}
6559
6560static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6561 struct sk_buff *skb)
6562{
4b51dae9
MM		 6563 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6564 chan->rx_state);
6565
6566 if (l2cap_classify_txseq(chan, control->txseq) ==
6567 L2CAP_TXSEQ_EXPECTED) {
6568 l2cap_pass_to_tx(chan, control);
6569
6570 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6571 __next_seq(chan, chan->buffer_seq));
6572
6573 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6574
6575 l2cap_reassemble_sdu(chan, skb, control);
6576 } else {
6577 if (chan->sdu) {
6578 kfree_skb(chan->sdu);
6579 chan->sdu = NULL;
6580 }
6581 chan->sdu_last_frag = NULL;
6582 chan->sdu_len = 0;
6583
6584 if (skb) {
6585 BT_DBG("Freeing %p", skb);
6586 kfree_skb(skb);
6587 }
6588 }
6589
6590 chan->last_acked_seq = control->txseq;
6591 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6592
9a544210 6593 return 0;
cec8ab6e
MM		 6594}
6595
6596static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6597{
a4368ff3 6598 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
cec8ab6e
MM		 6599 u16 len;
6600 u8 event;
218bb9df 6601
b76bbd66
MM		 6602 __unpack_control(chan, skb);
6603
218bb9df
GP		 6604 len = skb->len;
6605
6606 /*
6607 * We can just drop the corrupted I-frame here.
6608 * Receiver will miss it and start proper recovery
cec8ab6e 6609 * procedures and ask for retransmission.
218bb9df 6610 */
47d1ec61 6611 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6612 goto drop;
6613
cec8ab6e 6614 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6615 len -= L2CAP_SDULEN_SIZE;
218bb9df 6616
47d1ec61 6617 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6618 len -= L2CAP_FCS_SIZE;
218bb9df 6619
47d1ec61 6620 if (len > chan->mps) {
5e4e3972 6621 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6622 goto drop;
6623 }
6624
dbb50887
DB		 6625 if ((chan->mode == L2CAP_MODE_ERTM ||
6626 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6627 goto drop;
6628
cec8ab6e
MM		 6629 if (!control->sframe) {
6630 int err;
218bb9df 6631
cec8ab6e
MM		 6632 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6633 control->sar, control->reqseq, control->final,
6634 control->txseq);
218bb9df 6635
cec8ab6e
MM		 6636 /* Validate F-bit - F=0 always valid, F=1 only
6637 * valid in TX WAIT_F
6638 */
6639 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6640 goto drop;
cec8ab6e
MM		 6641
6642 if (chan->mode != L2CAP_MODE_STREAMING) {
6643 event = L2CAP_EV_RECV_IFRAME;
6644 err = l2cap_rx(chan, control, skb, event);
6645 } else {
6646 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6647 }
6648
cec8ab6e 6649 if (err)
5e4e3972 6650 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6651 } else {
cec8ab6e
MM		 6652 const u8 rx_func_to_event[4] = {
6653 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6654 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6655 };
6656
6657 /* Only I-frames are expected in streaming mode */
6658 if (chan->mode == L2CAP_MODE_STREAMING)
6659 goto drop;
6660
6661 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6662 control->reqseq, control->final, control->poll,
6663 control->super);
6664
218bb9df 6665 if (len != 0) {
1bb166e6 6666 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6667 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6668 goto drop;
6669 }
6670
cec8ab6e
MM		 6671 /* Validate F and P bits */
6672 if (control->final && (control->poll ||
6673 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6674 goto drop;
6675
6676 event = rx_func_to_event[control->super];
6677 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6678 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6679 }
6680
6681 return 0;
6682
6683drop:
6684 kfree_skb(skb);
6685 return 0;
6686}
6687
b1c325c2
JH		 6688static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6689{
6690 struct l2cap_conn *conn = chan->conn;
6691 struct l2cap_le_credits pkt;
6692 u16 return_credits;
6693
6694 /* We return more credits to the sender only after the amount of
6695 * credits falls below half of the initial amount.
6696 */
f15b8ecf 6697 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6698 return;
6699
f15b8ecf 6700 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6701
6702 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6703
6704 chan->rx_credits += return_credits;
6705
6706 pkt.cid = cpu_to_le16(chan->scid);
6707 pkt.credits = cpu_to_le16(return_credits);
6708
6709 chan->ident = l2cap_get_ident(conn);
6710
6711 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6712}
6713
fad5fc89
JH		 6714static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6715{
aac23bf6
JH		 6716 int err;
6717
6718 if (!chan->rx_credits) {
6719 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6720 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6721 return -ENOBUFS;
aac23bf6 6722 }
fad5fc89 6723
aac23bf6
JH		 6724 if (chan->imtu < skb->len) {
6725 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6726 return -ENOBUFS;
aac23bf6 6727 }
fad5fc89
JH		 6728
6729 chan->rx_credits--;
6730 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6731
6732 l2cap_chan_le_send_credits(chan);
6733
aac23bf6
JH		 6734 err = 0;
6735
6736 if (!chan->sdu) {
6737 u16 sdu_len;
6738
6739 sdu_len = get_unaligned_le16(skb->data);
6740 skb_pull(skb, L2CAP_SDULEN_SIZE);
6741
6742 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6743 sdu_len, skb->len, chan->imtu);
6744
6745 if (sdu_len > chan->imtu) {
6746 BT_ERR("Too big LE L2CAP SDU length received");
6747 err = -EMSGSIZE;
6748 goto failed;
6749 }
6750
6751 if (skb->len > sdu_len) {
6752 BT_ERR("Too much LE L2CAP data received");
6753 err = -EINVAL;
6754 goto failed;
6755 }
6756
6757 if (skb->len == sdu_len)
6758 return chan->ops->recv(chan, skb);
6759
6760 chan->sdu = skb;
6761 chan->sdu_len = sdu_len;
6762 chan->sdu_last_frag = skb;
6763
6764 return 0;
6765 }
6766
6767 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6768 chan->sdu->len, skb->len, chan->sdu_len);
6769
6770 if (chan->sdu->len + skb->len > chan->sdu_len) {
6771 BT_ERR("Too much LE L2CAP data received");
6772 err = -EINVAL;
6773 goto failed;
6774 }
6775
6776 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6777 skb = NULL;
6778
6779 if (chan->sdu->len == chan->sdu_len) {
6780 err = chan->ops->recv(chan, chan->sdu);
6781 if (!err) {
6782 chan->sdu = NULL;
6783 chan->sdu_last_frag = NULL;
6784 chan->sdu_len = 0;
6785 }
6786 }
6787
6788failed:
6789 if (err) {
6790 kfree_skb(skb);
6791 kfree_skb(chan->sdu);
6792 chan->sdu = NULL;
6793 chan->sdu_last_frag = NULL;
6794 chan->sdu_len = 0;
6795 }
6796
6797 /* We can't return an error here since we took care of the skb
6798 * freeing internally. An error return would cause the caller to
6799 * do a double-free of the skb.
6800 */
6801 return 0;
fad5fc89
JH		 6802}
6803
13ca56e0
AE		 6804static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6805 struct sk_buff *skb)
1da177e4 6806{
48454079 6807 struct l2cap_chan *chan;
1da177e4 6808
baa7e1fa 6809 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6810 if (!chan) {
97e8e89d
AE		 6811 if (cid == L2CAP_CID_A2MP) {
6812 chan = a2mp_channel_create(conn, skb);
6813 if (!chan) {
6814 kfree_skb(skb);
13ca56e0 6815 return;
97e8e89d
AE		 6816 }
6817
6818 l2cap_chan_lock(chan);
6819 } else {
6820 BT_DBG("unknown cid 0x%4.4x", cid);
6821 /* Drop packet and return */
6822 kfree_skb(skb);
13ca56e0 6823 return;
97e8e89d 6824 }
1da177e4
LT		 6825 }
6826
49208c9c 6827 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6828
315917e0
JH		 6829 /* If we receive data on a fixed channel before the info req/rsp
6830 * procdure is done simply assume that the channel is supported
6831 * and mark it as ready.
6832 */
6833 if (chan->chan_type == L2CAP_CHAN_FIXED)
6834 l2cap_chan_ready(chan);
6835
89bc500e 6836 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6837 goto drop;
6838
0c1bc5c6 6839 switch (chan->mode) {
38319713 6840 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6841 if (l2cap_le_data_rcv(chan, skb) < 0)
6842 goto drop;
6843
6844 goto done;
6845
1c2acffb
GP		 6846 case L2CAP_MODE_BASIC:
6847 /* If socket recv buffers overflows we drop data here
6848 * which is *bad* because L2CAP has to be reliable.
6849 * But we don't have any other choice. L2CAP doesn't
6850 * provide flow control mechanism. */
1da177e4 6851
2c96e03d
SJ		 6852 if (chan->imtu < skb->len) {
6853 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6854 goto drop;
2c96e03d 6855 }
1da177e4 6856
80b98027 6857 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6858 goto done;
6859 break;
6860
6861 case L2CAP_MODE_ERTM:
6840ed07 6862 case L2CAP_MODE_STREAMING:
cec8ab6e 6863 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6864 goto done;
6865
1c2acffb 6866 default:
0c1bc5c6 6867 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6868 break;
6869 }
1da177e4
LT		 6870
6871drop:
6872 kfree_skb(skb);
6873
6874done:
6be36555 6875 l2cap_chan_unlock(chan);
1da177e4
LT		 6876}
6877
84104b24
AE		 6878static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6879 struct sk_buff *skb)
1da177e4 6880{
ae4fd2d3 6881 struct hci_conn *hcon = conn->hcon;
23691d75 6882 struct l2cap_chan *chan;
1da177e4 6883
ae4fd2d3 6884 if (hcon->type != ACL_LINK)
a24cce14 6885 goto free_skb;
ae4fd2d3 6886
bf20fd4e
JH		 6887 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6888 ACL_LINK);
23691d75 6889 if (!chan)
a24cce14 6890 goto free_skb;
1da177e4 6891
5b4cedaa 6892 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6893
89bc500e 6894 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6895 goto drop;
6896
e13e21dc 6897 if (chan->imtu < skb->len)
1da177e4
LT		 6898 goto drop;
6899
2edf870d 6900 /* Store remote BD_ADDR and PSM for msg_name */
a4368ff3
JH		 6901 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6902 bt_cb(skb)->l2cap.psm = psm;
2edf870d 6903
a24cce14
JH		 6904 if (!chan->ops->recv(chan, skb)) {
6905 l2cap_chan_put(chan);
84104b24 6906 return;
a24cce14 6907 }
1da177e4
LT		 6908
6909drop:
a24cce14
JH		 6910 l2cap_chan_put(chan);
6911free_skb:
1da177e4 6912 kfree_skb(skb);
1da177e4
LT		 6913}
6914
6915static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6916{
6917 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6918 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6919 u16 cid, len;
6920 __le16 psm;
1da177e4 6921
61a939c6
JH		 6922 if (hcon->state != BT_CONNECTED) {
6923 BT_DBG("queueing pending rx skb");
6924 skb_queue_tail(&conn->pending_rx, skb);
6925 return;
6926 }
6927
1da177e4
LT		 6928 skb_pull(skb, L2CAP_HDR_SIZE);
6929 cid = __le16_to_cpu(lh->cid);
6930 len = __le16_to_cpu(lh->len);
6931
1c2acffb
GP		 6932 if (len != skb->len) {
6933 kfree_skb(skb);
6934 return;
6935 }
6936
9e1d7e15
JH		 6937 /* Since we can't actively block incoming LE connections we must
6938 * at least ensure that we ignore incoming data from them.
6939 */
6940 if (hcon->type == LE_LINK &&
dcc36c16 6941 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
a250e048 6942 bdaddr_dst_type(hcon))) {
e493150e
JH		 6943 kfree_skb(skb);
6944 return;
6945 }
6946
1da177e4
LT		 6947 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6948
6949 switch (cid) {
8db4dc46 6950 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6951 l2cap_sig_channel(conn, skb);
6952 break;
6953
8db4dc46 6954 case L2CAP_CID_CONN_LESS:
097db76c 6955 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6956 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6957 l2cap_conless_channel(conn, psm, skb);
6958 break;
6959
a2877629
MH		 6960 case L2CAP_CID_LE_SIGNALING:
6961 l2cap_le_sig_channel(conn, skb);
6962 break;
6963
1da177e4
LT		 6964 default:
6965 l2cap_data_channel(conn, cid, skb);
6966 break;
6967 }
6968}
6969
61a939c6
JH		 6970static void process_pending_rx(struct work_struct *work)
6971{
6972 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6973 pending_rx_work);
6974 struct sk_buff *skb;
6975
6976 BT_DBG("");
6977
6978 while ((skb = skb_dequeue(&conn->pending_rx)))
6979 l2cap_recv_frame(conn, skb);
6980}
6981
162b49e7
JH		 6982static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6983{
6984 struct l2cap_conn *conn = hcon->l2cap_data;
6985 struct hci_chan *hchan;
6986
6987 if (conn)
6988 return conn;
6989
6990 hchan = hci_chan_create(hcon);
6991 if (!hchan)
6992 return NULL;
6993
27f70f3e 6994 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6995 if (!conn) {
6996 hci_chan_del(hchan);
6997 return NULL;
6998 }
6999
7000 kref_init(&conn->ref);
7001 hcon->l2cap_data = conn;
51bb8457 7002 conn->hcon = hci_conn_get(hcon);
162b49e7
JH		 7003 conn->hchan = hchan;
7004
7005 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7006
7007 switch (hcon->type) {
7008 case LE_LINK:
7009 if (hcon->hdev->le_mtu) {
7010 conn->mtu = hcon->hdev->le_mtu;
7011 break;
7012 }
7013 /* fall through */
7014 default:
7015 conn->mtu = hcon->hdev->acl_mtu;
7016 break;
7017 }
7018
7019 conn->feat_mask = 0;
7020
0bd49fc7
JH		 7021 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7022
7023 if (hcon->type == ACL_LINK &&
d7a5a11d 7024 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
0bd49fc7 7025 conn->local_fixed_chan |= L2CAP_FC_A2MP;
162b49e7 7026
d7a5a11d 7027 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
f9be9e86 7028 (bredr_sc_enabled(hcon->hdev) ||
b7cb93e5 7029 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
b5ae344d
JH		 7030 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7031
5a54e7c8 7032 mutex_init(&conn->ident_lock);
162b49e7
JH		 7033 mutex_init(&conn->chan_lock);
7034
7035 INIT_LIST_HEAD(&conn->chan_l);
7036 INIT_LIST_HEAD(&conn->users);
7037
276d8073 7038 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 7039
61a939c6
JH		 7040 skb_queue_head_init(&conn->pending_rx);
7041 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
f3d82d0c 7042 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
61a939c6 7043
162b49e7
JH		 7044 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7045
7046 return conn;
7047}
7048
7049static bool is_valid_psm(u16 psm, u8 dst_type) {
7050 if (!psm)
7051 return false;
7052
7053 if (bdaddr_type_is_le(dst_type))
7054 return (psm <= 0x00ff);
7055
7056 /* PSM must be odd and lsb of upper byte must be 0 */
7057 return ((psm & 0x0101) == 0x0001);
7058}
7059
7060int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7061 bdaddr_t *dst, u8 dst_type)
7062{
7063 struct l2cap_conn *conn;
7064 struct hci_conn *hcon;
7065 struct hci_dev *hdev;
162b49e7
JH		 7066 int err;
7067
7068 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7069 dst_type, __le16_to_cpu(psm));
7070
39385cb5 7071 hdev = hci_get_route(dst, &chan->src, chan->src_type);
162b49e7
JH		 7072 if (!hdev)
7073 return -EHOSTUNREACH;
7074
7075 hci_dev_lock(hdev);
7076
162b49e7
JH		 7077 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7078 chan->chan_type != L2CAP_CHAN_RAW) {
7079 err = -EINVAL;
7080 goto done;
7081 }
7082
21626e62
JH		 7083 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7084 err = -EINVAL;
7085 goto done;
7086 }
7087
7088 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 7089 err = -EINVAL;
7090 goto done;
7091 }
7092
7093 switch (chan->mode) {
7094 case L2CAP_MODE_BASIC:
7095 break;
7096 case L2CAP_MODE_LE_FLOWCTL:
7097 l2cap_le_flowctl_init(chan);
7098 break;
7099 case L2CAP_MODE_ERTM:
7100 case L2CAP_MODE_STREAMING:
7101 if (!disable_ertm)
7102 break;
7103 /* fall through */
7104 default:
beb19e4c 7105 err = -EOPNOTSUPP;
162b49e7
JH		 7106 goto done;
7107 }
7108
7109 switch (chan->state) {
7110 case BT_CONNECT:
7111 case BT_CONNECT2:
7112 case BT_CONFIG:
7113 /* Already connecting */
7114 err = 0;
7115 goto done;
7116
7117 case BT_CONNECTED:
7118 /* Already connected */
7119 err = -EISCONN;
7120 goto done;
7121
7122 case BT_OPEN:
7123 case BT_BOUND:
7124 /* Can connect */
7125 break;
7126
7127 default:
7128 err = -EBADFD;
7129 goto done;
7130 }
7131
7132 /* Set destination address and psm */
7133 bacpy(&chan->dst, dst);
7134 chan->dst_type = dst_type;
7135
7136 chan->psm = psm;
7137 chan->dcid = cid;
7138
6f77d8c7
AG		 7139 if (bdaddr_type_is_le(dst_type)) {
7140 /* Convert from L2CAP channel address type to HCI address type
7141 */
7142 if (dst_type == BDADDR_LE_PUBLIC)
7143 dst_type = ADDR_LE_DEV_PUBLIC;
7144 else
7145 dst_type = ADDR_LE_DEV_RANDOM;
7146
d7a5a11d 7147 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
0ad06aa6
JH		 7148 hcon = hci_connect_le(hdev, dst, dst_type,
7149 chan->sec_level,
7150 HCI_LE_CONN_TIMEOUT,
7151 HCI_ROLE_SLAVE);
e804d25d 7152 else
0ad06aa6
JH		 7153 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7154 chan->sec_level,
7155 HCI_LE_CONN_TIMEOUT);
cdd6275e 7156
6f77d8c7 7157 } else {
d93375a8 7158 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7159 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7160 }
162b49e7
JH		 7161
7162 if (IS_ERR(hcon)) {
7163 err = PTR_ERR(hcon);
7164 goto done;
7165 }
7166
7167 conn = l2cap_conn_add(hcon);
7168 if (!conn) {
7169 hci_conn_drop(hcon);
7170 err = -ENOMEM;
7171 goto done;
7172 }
7173
02e246ae
JH		 7174 mutex_lock(&conn->chan_lock);
7175 l2cap_chan_lock(chan);
7176
162b49e7
JH		 7177 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7178 hci_conn_drop(hcon);
7179 err = -EBUSY;
02e246ae 7180 goto chan_unlock;
162b49e7
JH		 7181 }
7182
7183 /* Update source addr of the socket */
7184 bacpy(&chan->src, &hcon->src);
a250e048 7185 chan->src_type = bdaddr_src_type(hcon);
162b49e7 7186
02e246ae 7187 __l2cap_chan_add(conn, chan);
162b49e7
JH		 7188
7189 /* l2cap_chan_add takes its own ref so we can drop this one */
7190 hci_conn_drop(hcon);
7191
7192 l2cap_state_change(chan, BT_CONNECT);
7193 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7194
61202e4d
JH		 7195 /* Release chan->sport so that it can be reused by other
7196 * sockets (as it's only used for listening sockets).
7197 */
7198 write_lock(&chan_list_lock);
7199 chan->sport = 0;
7200 write_unlock(&chan_list_lock);
7201
162b49e7
JH		 7202 if (hcon->state == BT_CONNECTED) {
7203 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7204 __clear_chan_timer(chan);
e7cafc45 7205 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7206 l2cap_state_change(chan, BT_CONNECTED);
7207 } else
7208 l2cap_do_start(chan);
7209 }
7210
7211 err = 0;
7212
02e246ae 7213chan_unlock:
162b49e7 7214 l2cap_chan_unlock(chan);
02e246ae
JH		 7215 mutex_unlock(&conn->chan_lock);
7216done:
162b49e7
JH		 7217 hci_dev_unlock(hdev);
7218 hci_dev_put(hdev);
7219 return err;
7220}
6b8d4a6a 7221EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7222
1da177e4
LT		 7223/* ---- L2CAP interface with lower layer (HCI) ---- */
7224
686ebf28 7225int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7226{
7227 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7228 struct l2cap_chan *c;
1da177e4 7229
6ed93dc6 7230 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7231
7232 /* Find listening sockets and check their link_mode */
23691d75
GP		 7233 read_lock(&chan_list_lock);
7234 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7235 if (c->state != BT_LISTEN)
1da177e4
LT		 7236 continue;
7237
7eafc59e 7238 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7239 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7240 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7241 lm1 |= HCI_LM_MASTER;
1da177e4 7242 exact++;
7eafc59e 7243 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7244 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7245 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7246 lm2 |= HCI_LM_MASTER;
7247 }
1da177e4 7248 }
23691d75 7249 read_unlock(&chan_list_lock);
1da177e4
LT		 7250
7251 return exact ? lm1 : lm2;
7252}
7253
e760ec12
JH		 7254/* Find the next fixed channel in BT_LISTEN state, continue iteration
7255 * from an existing channel in the list or from the beginning of the
7256 * global list (by passing NULL as first parameter).
7257 */
7258static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
327a7191 7259 struct hci_conn *hcon)
e760ec12 7260{
327a7191
JH		 7261 u8 src_type = bdaddr_src_type(hcon);
7262
e760ec12
JH		 7263 read_lock(&chan_list_lock);
7264
7265 if (c)
7266 c = list_next_entry(c, global_l);
7267 else
7268 c = list_entry(chan_list.next, typeof(*c), global_l);
7269
7270 list_for_each_entry_from(c, &chan_list, global_l) {
7271 if (c->chan_type != L2CAP_CHAN_FIXED)
7272 continue;
7273 if (c->state != BT_LISTEN)
7274 continue;
327a7191 7275 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
54a1b626 7276 continue;
327a7191 7277 if (src_type != c->src_type)
54a1b626 7278 continue;
e760ec12
JH		 7279
7280 l2cap_chan_hold(c);
7281 read_unlock(&chan_list_lock);
7282 return c;
7283 }
7284
7285 read_unlock(&chan_list_lock);
7286
7287 return NULL;
7288}
7289
539c496d 7290static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7291{
e760ec12 7292 struct hci_dev *hdev = hcon->hdev;
0139418c 7293 struct l2cap_conn *conn;
e760ec12
JH		 7294 struct l2cap_chan *pchan;
7295 u8 dst_type;
0139418c 7296
539c496d
JH		 7297 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7298 return;
7299
6ed93dc6 7300 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7301
dc0f5088 7302 if (status) {
e175072f 7303 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7304 return;
ba6fc317 7305 }
dc0f5088
JH		 7306
7307 conn = l2cap_conn_add(hcon);
7308 if (!conn)
7309 return;
7310
a250e048 7311 dst_type = bdaddr_dst_type(hcon);
e760ec12
JH		 7312
7313 /* If device is blocked, do not create channels for it */
7314 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7315 return;
7316
7317 /* Find fixed channels and notify them of the new connection. We
7318 * use multiple individual lookups, continuing each time where
7319 * we left off, because the list lock would prevent calling the
7320 * potentially sleeping l2cap_chan_lock() function.
7321 */
327a7191 7322 pchan = l2cap_global_fixed_chan(NULL, hcon);
e760ec12
JH		 7323 while (pchan) {
7324 struct l2cap_chan *chan, *next;
7325
7326 /* Client fixed channels should override server ones */
7327 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7328 goto next;
7329
7330 l2cap_chan_lock(pchan);
7331 chan = pchan->ops->new_connection(pchan);
7332 if (chan) {
7333 bacpy(&chan->src, &hcon->src);
7334 bacpy(&chan->dst, &hcon->dst);
a250e048 7335 chan->src_type = bdaddr_src_type(hcon);
e760ec12
JH		 7336 chan->dst_type = dst_type;
7337
7338 __l2cap_chan_add(conn, chan);
7339 }
7340
7341 l2cap_chan_unlock(pchan);
7342next:
327a7191 7343 next = l2cap_global_fixed_chan(pchan, hcon);
e760ec12
JH		 7344 l2cap_chan_put(pchan);
7345 pchan = next;
7346 }
7347
dc0f5088 7348 l2cap_conn_ready(conn);
1da177e4
LT		 7349}
7350
686ebf28 7351int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7352{
7353 struct l2cap_conn *conn = hcon->l2cap_data;
7354
7355 BT_DBG("hcon %p", hcon);
7356
686ebf28 7357 if (!conn)
9f5a0d7b 7358 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7359 return conn->disc_reason;
7360}
7361
3a6d576b 7362static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4 7363{
3a6d576b
JH		 7364 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7365 return;
7366
1da177e4
LT		 7367 BT_DBG("hcon %p reason %d", hcon, reason);
7368
e175072f 7369 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7370}
7371
4343478f 7372static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7373{
715ec005 7374 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7375 return;
7376
f62e4323 7377 if (encrypt == 0x00) {
4343478f 7378 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7379 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7380 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7381 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7382 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7383 } else {
4343478f 7384 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7385 __clear_chan_timer(chan);
f62e4323
MH		 7386 }
7387}
7388
354fe804 7389static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7390{
0139418c 7391 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7392 struct l2cap_chan *chan;
1da177e4 7393
0139418c 7394 if (!conn)
354fe804 7395 return;
0139418c 7396
89d8b407 7397 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7398
3df91ea2 7399 mutex_lock(&conn->chan_lock);
1da177e4 7400
3df91ea2 7401 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7402 l2cap_chan_lock(chan);
1da177e4 7403
89d8b407
AE		 7404 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7405 state_to_string(chan->state));
f1cb9af5 7406
2338a7e0 7407 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7408 l2cap_chan_unlock(chan);
7409 continue;
7410 }
7411
191eb398
JH		 7412 if (!status && encrypt)
7413 chan->sec_level = hcon->sec_level;
f1cb9af5 7414
96eff46e 7415 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7416 l2cap_chan_unlock(chan);
6a8d3010
MH		 7417 continue;
7418 }
7419
89bc500e 7420 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7421 chan->state == BT_CONFIG)) {
d97c899b 7422 chan->ops->resume(chan);
4343478f 7423 l2cap_check_encryption(chan, encrypt);
6be36555 7424 l2cap_chan_unlock(chan);
9719f8af
MH		 7425 continue;
7426 }
7427
89bc500e 7428 if (chan->state == BT_CONNECT) {
6d3c15da 7429 if (!status)
93c3e8f5 7430 l2cap_start_connection(chan);
6d3c15da 7431 else
ba13ccd9 7432 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
fa37c1aa
JH		 7433 } else if (chan->state == BT_CONNECT2 &&
7434 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
b1235d79 7435 struct l2cap_conn_rsp rsp;
df3c3931 7436 __u16 res, stat;
1da177e4 7437
b1235d79 7438 if (!status) {
bdc25783 7439 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7440 res = L2CAP_CR_PEND;
7441 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7442 chan->ops->defer(chan);
df3c3931 7443 } else {
acdcabf5 7444 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7445 res = L2CAP_CR_SUCCESS;
7446 stat = L2CAP_CS_NO_INFO;
7447 }
b1235d79 7448 } else {
acdcabf5 7449 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7450 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7451 res = L2CAP_CR_SEC_BLOCK;
7452 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7453 }
7454
fe4128e0
GP		 7455 rsp.scid = cpu_to_le16(chan->dcid);
7456 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7457 rsp.result = cpu_to_le16(res);
7458 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7459 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7460 sizeof(rsp), &rsp);
2d369359
MM		 7461
7462 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7463 res == L2CAP_CR_SUCCESS) {
7464 char buf[128];
7465 set_bit(CONF_REQ_SENT, &chan->conf_state);
7466 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7467 L2CAP_CONF_REQ,
7468 l2cap_build_conf_req(chan, buf),
7469 buf);
7470 chan->num_conf_req++;
7471 }
b1235d79 7472 }
1da177e4 7473
6be36555 7474 l2cap_chan_unlock(chan);
1da177e4
LT		 7475 }
7476
3df91ea2 7477 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 7478}
7479
9b4c3336 7480void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7481{
7482 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7483 struct l2cap_hdr *hdr;
7484 int len;
1da177e4 7485
1d13a254 7486 /* For AMP controller do not create l2cap conn */
ca8bee5d 7487 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
1d13a254 7488 goto drop;
1da177e4 7489
5a08ecce 7490 if (!conn)
baf43251 7491 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7492
7493 if (!conn)
1da177e4
LT		 7494 goto drop;
7495
7496 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7497
d73a0988
AE		 7498 switch (flags) {
7499 case ACL_START:
7500 case ACL_START_NO_FLUSH:
7501 case ACL_COMPLETE:
1da177e4
LT		 7502 if (conn->rx_len) {
7503 BT_ERR("Unexpected start frame (len %d)", skb->len);
7504 kfree_skb(conn->rx_skb);
7505 conn->rx_skb = NULL;
7506 conn->rx_len = 0;
7507 l2cap_conn_unreliable(conn, ECOMM);
7508 }
7509
aae7fe22
AE		 7510 /* Start fragment always begin with Basic L2CAP header */
7511 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7512 BT_ERR("Frame is too short (len %d)", skb->len);
7513 l2cap_conn_unreliable(conn, ECOMM);
7514 goto drop;
7515 }
7516
7517 hdr = (struct l2cap_hdr *) skb->data;
7518 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7519
7520 if (len == skb->len) {
7521 /* Complete frame received */
7522 l2cap_recv_frame(conn, skb);
9b4c3336 7523 return;
1da177e4
LT		 7524 }
7525
7526 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7527
7528 if (skb->len > len) {
7529 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7530 skb->len, len);
1da177e4
LT		 7531 l2cap_conn_unreliable(conn, ECOMM);
7532 goto drop;
7533 }
7534
7535 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7536 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7537 if (!conn->rx_skb)
1da177e4
LT		 7538 goto drop;
7539
d626f62b 7540 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7541 skb->len);
1da177e4 7542 conn->rx_len = len - skb->len;
d73a0988
AE		 7543 break;
7544
7545 case ACL_CONT:
1da177e4
LT		 7546 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7547
7548 if (!conn->rx_len) {
7549 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7550 l2cap_conn_unreliable(conn, ECOMM);
7551 goto drop;
7552 }
7553
7554 if (skb->len > conn->rx_len) {
7555 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7556 skb->len, conn->rx_len);
1da177e4
LT		 7557 kfree_skb(conn->rx_skb);
7558 conn->rx_skb = NULL;
7559 conn->rx_len = 0;
7560 l2cap_conn_unreliable(conn, ECOMM);
7561 goto drop;
7562 }
7563
d626f62b 7564 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7565 skb->len);
1da177e4
LT		 7566 conn->rx_len -= skb->len;
7567
7568 if (!conn->rx_len) {
c4e5bafa
JH		 7569 /* Complete frame received. l2cap_recv_frame
7570 * takes ownership of the skb so set the global
7571 * rx_skb pointer to NULL first.
7572 */
7573 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7574 conn->rx_skb = NULL;
c4e5bafa 7575 l2cap_recv_frame(conn, rx_skb);
1da177e4 7576 }
d73a0988 7577 break;
1da177e4
LT		 7578 }
7579
7580drop:
7581 kfree_skb(skb);
1da177e4
LT		 7582}
7583
354fe804
JH		 7584static struct hci_cb l2cap_cb = {
7585 .name = "L2CAP",
539c496d 7586 .connect_cfm = l2cap_connect_cfm,
3a6d576b 7587 .disconn_cfm = l2cap_disconn_cfm,
354fe804
JH		 7588 .security_cfm = l2cap_security_cfm,
7589};
7590
aef7d97c 7591static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7592{
23691d75 7593 struct l2cap_chan *c;
1da177e4 7594
333055f2 7595 read_lock(&chan_list_lock);
1da177e4 7596
23691d75 7597 list_for_each_entry(c, &chan_list, global_l) {
eeb5a067
MH		 7598 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7599 &c->src, c->src_type, &c->dst, c->dst_type,
fcb73338
AE		 7600 c->state, __le16_to_cpu(c->psm),
7601 c->scid, c->dcid, c->imtu, c->omtu,
7602 c->sec_level, c->mode);
61e1b4b7 7603 }
1da177e4 7604
333055f2 7605 read_unlock(&chan_list_lock);
1da177e4 7606
aef7d97c 7607 return 0;
1da177e4
LT		 7608}
7609
aef7d97c
MH		 7610static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7611{
7612 return single_open(file, l2cap_debugfs_show, inode->i_private);
7613}
7614
7615static const struct file_operations l2cap_debugfs_fops = {
7616 .open = l2cap_debugfs_open,
7617 .read = seq_read,
7618 .llseek = seq_lseek,
7619 .release = single_release,
7620};
7621
7622static struct dentry *l2cap_debugfs;
1da177e4 7623
64274518 7624int __init l2cap_init(void)
1da177e4
LT		 7625{
7626 int err;
be9d1227 7627
bb58f747 7628 err = l2cap_init_sockets();
1da177e4
LT		 7629 if (err < 0)
7630 return err;
7631
354fe804
JH		 7632 hci_register_cb(&l2cap_cb);
7633
1120e4bf
MH		 7634 if (IS_ERR_OR_NULL(bt_debugfs))
7635 return 0;
7636
7637 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7638 NULL, &l2cap_debugfs_fops);
1da177e4 7639
40b9397a 7640 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7641 &le_max_credits);
40b9397a 7642 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7643 &le_default_mps);
7644
1da177e4 7645 return 0;
1da177e4
LT		 7646}
7647
64274518 7648void l2cap_exit(void)
1da177e4 7649{
aef7d97c 7650 debugfs_remove(l2cap_debugfs);
354fe804 7651 hci_unregister_cb(&l2cap_cb);
bb58f747 7652 l2cap_cleanup_sockets();
1da177e4
LT		 7653}
7654
d1c4a17d
GP		 7655module_param(disable_ertm, bool, 0644);
7656MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Ubuntu Artful kernel mirror