projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Improve data packing in SAR mode
[linux-2.6-block.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff 212
14824308
JH		 213 /* Override the defaults (which are for conn-oriented) */
214 chan->omtu = L2CAP_DEFAULT_MTU;
215 chan->chan_type = L2CAP_CHAN_FIXED;
216
9e4425ff
GP		 217 chan->scid = scid;
218
333055f2 219 write_unlock(&chan_list_lock);
9e4425ff
GP		 220
221 return 0;
222}
223
baa7e1fa 224static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 225{
e77af755 226 u16 cid, dyn_end;
0139418c 227
e77af755
JH		 228 if (conn->hcon->type == LE_LINK)
229 dyn_end = L2CAP_CID_LE_DYN_END;
230 else
231 dyn_end = L2CAP_CID_DYN_END;
232
233 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 234 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 235 return cid;
236 }
237
238 return 0;
239}
240
f93fa273 241static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 242{
42d2d87c 243 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 244 state_to_string(state));
badaaa00 245
89bc500e 246 chan->state = state;
53f52121 247 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 248}
249
f8e73017
GP		 250static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
251 int state, int err)
2e0052e4 252{
f8e73017 253 chan->state = state;
53f52121 254 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 255}
256
257static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
258{
f8e73017 259 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 260}
261
4239d16f
MM		 262static void __set_retrans_timer(struct l2cap_chan *chan)
263{
264 if (!delayed_work_pending(&chan->monitor_timer) &&
265 chan->retrans_timeout) {
266 l2cap_set_timer(chan, &chan->retrans_timer,
267 msecs_to_jiffies(chan->retrans_timeout));
268 }
269}
270
271static void __set_monitor_timer(struct l2cap_chan *chan)
272{
273 __clear_retrans_timer(chan);
274 if (chan->monitor_timeout) {
275 l2cap_set_timer(chan, &chan->monitor_timer,
276 msecs_to_jiffies(chan->monitor_timeout));
277 }
278}
279
608bcc6d
MM		 280static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
281 u16 seq)
282{
283 struct sk_buff *skb;
284
285 skb_queue_walk(head, skb) {
286 if (bt_cb(skb)->control.txseq == seq)
287 return skb;
288 }
289
290 return NULL;
291}
292
3c588192
MM		 293/* ---- L2CAP sequence number lists ---- */
294
295/* For ERTM, ordered lists of sequence numbers must be tracked for
296 * SREJ requests that are received and for frames that are to be
297 * retransmitted. These seq_list functions implement a singly-linked
298 * list in an array, where membership in the list can also be checked
299 * in constant time. Items can also be added to the tail of the list
300 * and removed from the head in constant time, without further memory
301 * allocs or frees.
302 */
303
304static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
305{
306 size_t alloc_size, i;
307
308 /* Allocated size is a power of 2 to map sequence numbers
309 * (which may be up to 14 bits) in to a smaller array that is
310 * sized for the negotiated ERTM transmit windows.
311 */
312 alloc_size = roundup_pow_of_two(size);
313
314 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
315 if (!seq_list->list)
316 return -ENOMEM;
317
318 seq_list->mask = alloc_size - 1;
319 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
320 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
321 for (i = 0; i < alloc_size; i++)
322 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
323
324 return 0;
325}
326
327static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
328{
329 kfree(seq_list->list);
330}
331
332static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
333 u16 seq)
334{
335 /* Constant-time check for list membership */
336 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
337}
338
03a0c5d6 339static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 340{
03a0c5d6 341 u16 seq = seq_list->head;
3c588192
MM		 342 u16 mask = seq_list->mask;
343
03a0c5d6
JH		 344 seq_list->head = seq_list->list[seq & mask];
345 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
346
347 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
348 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
349 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 350 }
3c588192 351
03a0c5d6 352 return seq;
3c588192
MM		 353}
354
355static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
356{
f522ae36 357 u16 i;
3c588192 358
f522ae36
GP		 359 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
360 return;
361
362 for (i = 0; i <= seq_list->mask; i++)
363 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
364
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 367}
368
369static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
370{
371 u16 mask = seq_list->mask;
372
373 /* All appends happen in constant time */
374
f522ae36
GP		 375 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
376 return;
3c588192 377
f522ae36
GP		 378 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
379 seq_list->head = seq;
380 else
381 seq_list->list[seq_list->tail & mask] = seq;
382
383 seq_list->tail = seq;
384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 385}
386
721c4181 387static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 388{
721c4181 389 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 390 chan_timer.work);
3df91ea2 391 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 392 int reason;
393
e05dcc32 394 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 395
3df91ea2 396 mutex_lock(&conn->chan_lock);
6be36555 397 l2cap_chan_lock(chan);
ab07801d 398
89bc500e 399 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 400 reason = ECONNREFUSED;
89bc500e 401 else if (chan->state == BT_CONNECT &&
2d792818 402 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 403 reason = ECONNREFUSED;
404 else
405 reason = ETIMEDOUT;
406
0f852724 407 l2cap_chan_close(chan, reason);
ab07801d 408
6be36555 409 l2cap_chan_unlock(chan);
ab07801d 410
80b98027 411 chan->ops->close(chan);
3df91ea2
AE		 412 mutex_unlock(&conn->chan_lock);
413
371fd835 414 l2cap_chan_put(chan);
ab07801d
GP		 415}
416
eef1d9b6 417struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 418{
419 struct l2cap_chan *chan;
420
421 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
422 if (!chan)
423 return NULL;
424
c03b355e
AE		 425 mutex_init(&chan->lock);
426
333055f2 427 write_lock(&chan_list_lock);
23691d75 428 list_add(&chan->global_l, &chan_list);
333055f2 429 write_unlock(&chan_list_lock);
23691d75 430
721c4181 431 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 432
89bc500e
GP		 433 chan->state = BT_OPEN;
434
144ad330 435 kref_init(&chan->kref);
71ba0e56 436
2827011f
MM		 437 /* This flag is cleared in l2cap_chan_ready() */
438 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
439
eef1d9b6 440 BT_DBG("chan %p", chan);
abc545b8 441
48454079
GP		 442 return chan;
443}
6b8d4a6a 444EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 445
144ad330 446static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 447{
144ad330
SS		 448 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
449
4af66c69
JK		 450 BT_DBG("chan %p", chan);
451
333055f2 452 write_lock(&chan_list_lock);
23691d75 453 list_del(&chan->global_l);
333055f2 454 write_unlock(&chan_list_lock);
23691d75 455
4af66c69 456 kfree(chan);
6ff5abbf
GP		 457}
458
30648372
JK		 459void l2cap_chan_hold(struct l2cap_chan *c)
460{
144ad330 461 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 462
144ad330 463 kref_get(&c->kref);
30648372
JK		 464}
465
466void l2cap_chan_put(struct l2cap_chan *c)
467{
144ad330 468 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 469
144ad330 470 kref_put(&c->kref, l2cap_chan_destroy);
30648372 471}
6b8d4a6a 472EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 473
bd4b1653
AE		 474void l2cap_chan_set_defaults(struct l2cap_chan *chan)
475{
476 chan->fcs = L2CAP_FCS_CRC16;
477 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
478 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
479 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 480 chan->remote_max_tx = chan->max_tx;
481 chan->remote_tx_win = chan->tx_win;
c20f8e35 482 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 483 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 484 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
485 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
486 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
487 chan->conf_state = 0;
bd4b1653
AE		 488
489 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
490}
6b8d4a6a 491EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 492
0ce43ce6 493static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 494{
0ce43ce6
JH		 495 chan->sdu = NULL;
496 chan->sdu_last_frag = NULL;
497 chan->sdu_len = 0;
0cd75f7e 498 chan->tx_credits = 0;
f15b8ecf 499 chan->rx_credits = le_max_credits;
d1d79413 500 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 501
502 skb_queue_head_init(&chan->tx_q);
38319713
JH		 503}
504
93c3e8f5 505void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 506{
af05b30b 507 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 508 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 509
9f5a0d7b 510 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 511
8c1d787b 512 chan->conn = conn;
0139418c 513
5491120e
AE		 514 switch (chan->chan_type) {
515 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 516 /* Alloc CID for connection-oriented socket */
517 chan->scid = l2cap_alloc_cid(conn);
518 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 519 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 520 break;
521
522 case L2CAP_CHAN_CONN_LESS:
0139418c 523 /* Connectionless socket */
fe4128e0
GP		 524 chan->scid = L2CAP_CID_CONN_LESS;
525 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 526 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 527 break;
528
2338a7e0
JH		 529 case L2CAP_CHAN_FIXED:
530 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 531 break;
532
5491120e 533 default:
0139418c 534 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 535 chan->scid = L2CAP_CID_SIGNALING;
536 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 537 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 538 }
539
8f7975b1
AE		 540 chan->local_id = L2CAP_BESTEFFORT_ID;
541 chan->local_stype = L2CAP_SERV_BESTEFFORT;
542 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
543 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
544 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 545 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 546
371fd835 547 l2cap_chan_hold(chan);
baa7e1fa 548
5ee9891d
JH		 549 hci_conn_hold(conn->hcon);
550
3df91ea2 551 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 552}
553
466f8004 554void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 555{
556 mutex_lock(&conn->chan_lock);
557 __l2cap_chan_add(conn, chan);
3df91ea2 558 mutex_unlock(&conn->chan_lock);
0139418c
MH		 559}
560
466f8004 561void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 562{
8c1d787b 563 struct l2cap_conn *conn = chan->conn;
0139418c 564
c9b66675 565 __clear_chan_timer(chan);
0139418c 566
49208c9c 567 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 568
72847ce0
JH		 569 chan->ops->teardown(chan, err);
570
8e87d142 571 if (conn) {
56f60984 572 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 573 /* Delete from channel list */
3df91ea2 574 list_del(&chan->list);
3d57dc68 575
371fd835 576 l2cap_chan_put(chan);
baa7e1fa 577
8c1d787b 578 chan->conn = NULL;
3cabbfda 579
2338a7e0 580 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 581 hci_conn_drop(conn->hcon);
56f60984
AE		 582
583 if (mgr && mgr->bredr_chan == chan)
584 mgr->bredr_chan = NULL;
0139418c
MH		 585 }
586
419e08c1
AE		 587 if (chan->hs_hchan) {
588 struct hci_chan *hs_hchan = chan->hs_hchan;
589
590 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
591 amp_disconnect_logical_link(hs_hchan);
592 }
593
2827011f 594 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 595 return;
2ead70b8 596
ee556f66
GP		 597 switch(chan->mode) {
598 case L2CAP_MODE_BASIC:
599 break;
c13ffa62 600
38319713 601 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 602 skb_queue_purge(&chan->tx_q);
38319713
JH		 603 break;
604
ee556f66 605 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 606 __clear_retrans_timer(chan);
607 __clear_monitor_timer(chan);
608 __clear_ack_timer(chan);
c13ffa62 609
f1c6775b 610 skb_queue_purge(&chan->srej_q);
c13ffa62 611
3c588192
MM		 612 l2cap_seq_list_free(&chan->srej_list);
613 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 614
615 /* fall through */
616
617 case L2CAP_MODE_STREAMING:
618 skb_queue_purge(&chan->tx_q);
619 break;
c13ffa62 620 }
ee556f66
GP		 621
622 return;
0139418c 623}
6b8d4a6a 624EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 625
387a33e3
JH		 626void l2cap_conn_update_id_addr(struct hci_conn *hcon)
627{
628 struct l2cap_conn *conn = hcon->l2cap_data;
629 struct l2cap_chan *chan;
630
631 mutex_lock(&conn->chan_lock);
632
633 list_for_each_entry(chan, &conn->chan_l, list) {
634 l2cap_chan_lock(chan);
635 bacpy(&chan->dst, &hcon->dst);
636 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
637 l2cap_chan_unlock(chan);
638 }
639
640 mutex_unlock(&conn->chan_lock);
641}
642
27e2d4c8
JH		 643static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
644{
645 struct l2cap_conn *conn = chan->conn;
646 struct l2cap_le_conn_rsp rsp;
647 u16 result;
648
649 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
650 result = L2CAP_CR_AUTHORIZATION;
651 else
652 result = L2CAP_CR_BAD_PSM;
653
654 l2cap_state_change(chan, BT_DISCONN);
655
656 rsp.dcid = cpu_to_le16(chan->scid);
657 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 658 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 659 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 660 rsp.result = cpu_to_le16(result);
661
662 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
663 &rsp);
664}
665
791d60f7
JH		 666static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
667{
668 struct l2cap_conn *conn = chan->conn;
669 struct l2cap_conn_rsp rsp;
670 u16 result;
671
672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
673 result = L2CAP_CR_SEC_BLOCK;
674 else
675 result = L2CAP_CR_BAD_PSM;
676
677 l2cap_state_change(chan, BT_DISCONN);
678
679 rsp.scid = cpu_to_le16(chan->dcid);
680 rsp.dcid = cpu_to_le16(chan->scid);
681 rsp.result = cpu_to_le16(result);
dcf4adbf 682 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 683
684 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
685}
686
0f852724 687void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 688{
689 struct l2cap_conn *conn = chan->conn;
4519de9a 690
7eafc59e 691 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 692
89bc500e 693 switch (chan->state) {
4519de9a 694 case BT_LISTEN:
b699ec0d 695 chan->ops->teardown(chan, 0);
4519de9a
GP		 696 break;
697
698 case BT_CONNECTED:
699 case BT_CONFIG:
7b25c9b3 700 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 701 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 702 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 703 } else
704 l2cap_chan_del(chan, reason);
705 break;
706
707 case BT_CONNECT2:
791d60f7
JH		 708 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
709 if (conn->hcon->type == ACL_LINK)
710 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 711 else if (conn->hcon->type == LE_LINK)
712 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 713 }
714
715 l2cap_chan_del(chan, reason);
716 break;
717
718 case BT_CONNECT:
719 case BT_DISCONN:
720 l2cap_chan_del(chan, reason);
721 break;
722
723 default:
b699ec0d 724 chan->ops->teardown(chan, 0);
4519de9a
GP		 725 break;
726 }
727}
6b8d4a6a 728EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 729
4343478f 730static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 731{
6a974b50
MH		 732 switch (chan->chan_type) {
733 case L2CAP_CHAN_RAW:
4343478f 734 switch (chan->sec_level) {
8556edd3 735 case BT_SECURITY_HIGH:
7d513e92 736 case BT_SECURITY_FIPS:
8556edd3
JH		 737 return HCI_AT_DEDICATED_BONDING_MITM;
738 case BT_SECURITY_MEDIUM:
739 return HCI_AT_DEDICATED_BONDING;
740 default:
741 return HCI_AT_NO_BONDING;
742 }
6a974b50 743 break;
3124b843 744 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 745 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 746 if (chan->sec_level == BT_SECURITY_LOW)
747 chan->sec_level = BT_SECURITY_SDP;
748 }
7d513e92
MH		 749 if (chan->sec_level == BT_SECURITY_HIGH ||
750 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 751 return HCI_AT_NO_BONDING_MITM;
752 else
753 return HCI_AT_NO_BONDING;
754 break;
6a974b50 755 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 756 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 757 if (chan->sec_level == BT_SECURITY_LOW)
758 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 759
7d513e92
MH		 760 if (chan->sec_level == BT_SECURITY_HIGH ||
761 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 762 return HCI_AT_NO_BONDING_MITM;
763 else
764 return HCI_AT_NO_BONDING;
765 }
766 /* fall through */
767 default:
4343478f 768 switch (chan->sec_level) {
00ae4af9 769 case BT_SECURITY_HIGH:
7d513e92 770 case BT_SECURITY_FIPS:
8556edd3 771 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 772 case BT_SECURITY_MEDIUM:
8556edd3 773 return HCI_AT_GENERAL_BONDING;
00ae4af9 774 default:
8556edd3 775 return HCI_AT_NO_BONDING;
00ae4af9 776 }
6a974b50 777 break;
0684e5f9 778 }
8556edd3
JH		 779}
780
781/* Service level security */
e7cafc45 782int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 783{
8c1d787b 784 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 785 __u8 auth_type;
786
a17de2fe
JH		 787 if (conn->hcon->type == LE_LINK)
788 return smp_conn_security(conn->hcon, chan->sec_level);
789
4343478f 790 auth_type = l2cap_get_auth_type(chan);
79d554a6 791
e7cafc45
JH		 792 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
793 initiator);
79d554a6
MH		 794}
795
b5ad8b7f 796static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 797{
798 u8 id;
799
800 /* Get next available identificator.
801 * 1 - 128 are used by kernel.
802 * 129 - 199 are reserved.
803 * 200 - 254 are used by utilities like l2ping, etc.
804 */
805
5a54e7c8 806 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 807
808 if (++conn->tx_ident > 128)
809 conn->tx_ident = 1;
810
811 id = conn->tx_ident;
812
5a54e7c8 813 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 814
815 return id;
816}
817
2d792818
GP		 818static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
819 void *data)
4e8402a3
MH		 820{
821 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 822 u8 flags;
4e8402a3
MH		 823
824 BT_DBG("code 0x%2.2x", code);
825
826 if (!skb)
9a9c6a34 827 return;
4e8402a3 828
e702112f
AE		 829 if (lmp_no_flush_capable(conn->hcon->hdev))
830 flags = ACL_START_NO_FLUSH;
831 else
832 flags = ACL_START;
833
14b12d0b 834 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 835 skb->priority = HCI_PRIO_MAX;
14b12d0b 836
73d80deb
LAD		 837 hci_send_acl(conn->hchan, skb, flags);
838}
839
02b0fbb9
MM		 840static bool __chan_is_moving(struct l2cap_chan *chan)
841{
842 return chan->move_state != L2CAP_MOVE_STABLE &&
843 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
844}
845
73d80deb
LAD		 846static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
847{
848 struct hci_conn *hcon = chan->conn->hcon;
849 u16 flags;
850
851 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 852 skb->priority);
73d80deb 853
d5f8a75d
MM		 854 if (chan->hs_hcon && !__chan_is_moving(chan)) {
855 if (chan->hs_hchan)
856 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
857 else
858 kfree_skb(skb);
859
860 return;
861 }
862
73d80deb 863 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 864 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 865 flags = ACL_START_NO_FLUSH;
866 else
867 flags = ACL_START;
14b12d0b 868
73d80deb
LAD		 869 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
870 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 871}
872
b76bbd66
MM		 873static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
874{
875 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
876 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
877
878 if (enh & L2CAP_CTRL_FRAME_TYPE) {
879 /* S-Frame */
880 control->sframe = 1;
881 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
882 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
883
884 control->sar = 0;
885 control->txseq = 0;
886 } else {
887 /* I-Frame */
888 control->sframe = 0;
889 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
890 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
891
892 control->poll = 0;
893 control->super = 0;
894 }
895}
896
b76bbd66
MM		 897static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
898{
899 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
900 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
901
902 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
903 /* S-Frame */
904 control->sframe = 1;
905 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
906 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
907
908 control->sar = 0;
909 control->txseq = 0;
910 } else {
911 /* I-Frame */
912 control->sframe = 0;
913 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
914 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
915
916 control->poll = 0;
917 control->super = 0;
918 }
919}
920
921static inline void __unpack_control(struct l2cap_chan *chan,
922 struct sk_buff *skb)
923{
924 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
925 __unpack_extended_control(get_unaligned_le32(skb->data),
926 &bt_cb(skb)->control);
cec8ab6e 927 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 928 } else {
929 __unpack_enhanced_control(get_unaligned_le16(skb->data),
930 &bt_cb(skb)->control);
cec8ab6e 931 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 932 }
933}
934
b5c6aaed
MM		 935static u32 __pack_extended_control(struct l2cap_ctrl *control)
936{
937 u32 packed;
938
939 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
940 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
941
942 if (control->sframe) {
943 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
944 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
945 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
946 } else {
947 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
948 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
949 }
950
951 return packed;
952}
953
954static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
955{
956 u16 packed;
957
958 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
959 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
960
961 if (control->sframe) {
962 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
963 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
964 packed |= L2CAP_CTRL_FRAME_TYPE;
965 } else {
966 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
967 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
968 }
969
970 return packed;
971}
972
b76bbd66
MM		 973static inline void __pack_control(struct l2cap_chan *chan,
974 struct l2cap_ctrl *control,
975 struct sk_buff *skb)
976{
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
978 put_unaligned_le32(__pack_extended_control(control),
979 skb->data + L2CAP_HDR_SIZE);
980 } else {
981 put_unaligned_le16(__pack_enhanced_control(control),
982 skb->data + L2CAP_HDR_SIZE);
983 }
984}
985
ba7aa64f
GP		 986static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
987{
988 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
989 return L2CAP_EXT_HDR_SIZE;
990 else
991 return L2CAP_ENH_HDR_SIZE;
992}
993
a67d7f6f
MM		 994static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
995 u32 control)
b5c6aaed
MM		 996{
997 struct sk_buff *skb;
998 struct l2cap_hdr *lh;
ba7aa64f 999 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 1000
1001 if (chan->fcs == L2CAP_FCS_CRC16)
1002 hlen += L2CAP_FCS_SIZE;
1003
a67d7f6f 1004 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1005
b5c6aaed 1006 if (!skb)
a67d7f6f 1007 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1008
1009 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1010 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1011 lh->cid = cpu_to_le16(chan->dcid);
1012
a67d7f6f
MM		 1013 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1014 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1015 else
1016 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1017
1018 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1019 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1020 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1021 }
1022
1023 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1024 return skb;
1025}
1026
1027static void l2cap_send_sframe(struct l2cap_chan *chan,
1028 struct l2cap_ctrl *control)
1029{
1030 struct sk_buff *skb;
1031 u32 control_field;
1032
1033 BT_DBG("chan %p, control %p", chan, control);
1034
1035 if (!control->sframe)
1036 return;
1037
b99e13ad
MM		 1038 if (__chan_is_moving(chan))
1039 return;
1040
a67d7f6f
MM		 1041 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1042 !control->poll)
1043 control->final = 1;
1044
1045 if (control->super == L2CAP_SUPER_RR)
1046 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1047 else if (control->super == L2CAP_SUPER_RNR)
1048 set_bit(CONN_RNR_SENT, &chan->conn_state);
1049
1050 if (control->super != L2CAP_SUPER_SREJ) {
1051 chan->last_acked_seq = control->reqseq;
1052 __clear_ack_timer(chan);
1053 }
1054
1055 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1056 control->final, control->poll, control->super);
1057
1058 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1059 control_field = __pack_extended_control(control);
1060 else
1061 control_field = __pack_enhanced_control(control);
1062
1063 skb = l2cap_create_sframe_pdu(chan, control_field);
1064 if (!IS_ERR(skb))
1065 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1066}
1067
c9e3d5e0 1068static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1069{
c9e3d5e0
MM		 1070 struct l2cap_ctrl control;
1071
1072 BT_DBG("chan %p, poll %d", chan, poll);
1073
1074 memset(&control, 0, sizeof(control));
1075 control.sframe = 1;
1076 control.poll = poll;
1077
1078 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1079 control.super = L2CAP_SUPER_RNR;
1080 else
1081 control.super = L2CAP_SUPER_RR;
b5c6aaed 1082
c9e3d5e0
MM		 1083 control.reqseq = chan->buffer_seq;
1084 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1085}
1086
b4450035 1087static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1088{
5ff6f34d
JH		 1089 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1090 return true;
1091
c1360a1c 1092 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1093}
1094
1df7b17a 1095static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1096{
1df7b17a 1097 struct l2cap_conn *conn = chan->conn;
80d58d0b 1098 struct hci_dev *hdev;
1df7b17a
MH		 1099 bool amp_available = false;
1100
1101 if (!conn->hs_enabled)
1102 return false;
1103
1104 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1105 return false;
80d58d0b
MH		 1106
1107 read_lock(&hci_dev_list_lock);
1df7b17a 1108 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1109 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1110 test_bit(HCI_UP, &hdev->flags)) {
1111 amp_available = true;
1112 break;
1113 }
1114 }
80d58d0b
MH		 1115 read_unlock(&hci_dev_list_lock);
1116
1df7b17a
MH		 1117 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1118 return amp_available;
848566b3
MH		 1119
1120 return false;
93c3e8f5
AE		 1121}
1122
5ce66b59
AE		 1123static bool l2cap_check_efs(struct l2cap_chan *chan)
1124{
1125 /* Check EFS parameters */
1126 return true;
1127}
1128
2766be48 1129void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1130{
1131 struct l2cap_conn *conn = chan->conn;
1132 struct l2cap_conn_req req;
1133
1134 req.scid = cpu_to_le16(chan->scid);
1135 req.psm = chan->psm;
1136
1137 chan->ident = l2cap_get_ident(conn);
1138
1139 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1140
1141 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1142}
1143
8eb200bd
MM		 1144static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1145{
1146 struct l2cap_create_chan_req req;
1147 req.scid = cpu_to_le16(chan->scid);
1148 req.psm = chan->psm;
1149 req.amp_id = amp_id;
1150
1151 chan->ident = l2cap_get_ident(chan->conn);
1152
1153 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1154 sizeof(req), &req);
1155}
1156
02b0fbb9
MM		 1157static void l2cap_move_setup(struct l2cap_chan *chan)
1158{
1159 struct sk_buff *skb;
1160
1161 BT_DBG("chan %p", chan);
1162
1163 if (chan->mode != L2CAP_MODE_ERTM)
1164 return;
1165
1166 __clear_retrans_timer(chan);
1167 __clear_monitor_timer(chan);
1168 __clear_ack_timer(chan);
1169
1170 chan->retry_count = 0;
1171 skb_queue_walk(&chan->tx_q, skb) {
1172 if (bt_cb(skb)->control.retries)
1173 bt_cb(skb)->control.retries = 1;
1174 else
1175 break;
1176 }
1177
1178 chan->expected_tx_seq = chan->buffer_seq;
1179
1180 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1181 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1182 l2cap_seq_list_clear(&chan->retrans_list);
1183 l2cap_seq_list_clear(&chan->srej_list);
1184 skb_queue_purge(&chan->srej_q);
1185
1186 chan->tx_state = L2CAP_TX_STATE_XMIT;
1187 chan->rx_state = L2CAP_RX_STATE_MOVE;
1188
1189 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1190}
1191
5f3847a4
MM		 1192static void l2cap_move_done(struct l2cap_chan *chan)
1193{
1194 u8 move_role = chan->move_role;
1195 BT_DBG("chan %p", chan);
1196
1197 chan->move_state = L2CAP_MOVE_STABLE;
1198 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1199
1200 if (chan->mode != L2CAP_MODE_ERTM)
1201 return;
1202
1203 switch (move_role) {
1204 case L2CAP_MOVE_ROLE_INITIATOR:
1205 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1206 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1207 break;
1208 case L2CAP_MOVE_ROLE_RESPONDER:
1209 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1210 break;
1211 }
1212}
1213
9f0caeb1
VCG		 1214static void l2cap_chan_ready(struct l2cap_chan *chan)
1215{
2827011f 1216 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1217 chan->conf_state = 0;
1218 __clear_chan_timer(chan);
1219
0ce43ce6
JH		 1220 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1221 chan->ops->suspend(chan);
177f8f2b 1222
54a59aa2 1223 chan->state = BT_CONNECTED;
9f0caeb1 1224
fd83e2c2 1225 chan->ops->ready(chan);
9f0caeb1
VCG		 1226}
1227
f1496dee
JH		 1228static void l2cap_le_connect(struct l2cap_chan *chan)
1229{
1230 struct l2cap_conn *conn = chan->conn;
1231 struct l2cap_le_conn_req req;
1232
595177f3
JH		 1233 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1234 return;
1235
f1496dee
JH		 1236 req.psm = chan->psm;
1237 req.scid = cpu_to_le16(chan->scid);
1238 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1239 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1240 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1241
1242 chan->ident = l2cap_get_ident(conn);
1243
1244 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1245 sizeof(req), &req);
1246}
1247
1248static void l2cap_le_start(struct l2cap_chan *chan)
1249{
1250 struct l2cap_conn *conn = chan->conn;
1251
1252 if (!smp_conn_security(conn->hcon, chan->sec_level))
1253 return;
1254
1255 if (!chan->psm) {
1256 l2cap_chan_ready(chan);
1257 return;
1258 }
1259
1260 if (chan->state == BT_CONNECT)
1261 l2cap_le_connect(chan);
1262}
1263
93c3e8f5
AE		 1264static void l2cap_start_connection(struct l2cap_chan *chan)
1265{
1266 if (__amp_capable(chan)) {
1267 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1268 a2mp_discover_amp(chan);
f1496dee
JH		 1269 } else if (chan->conn->hcon->type == LE_LINK) {
1270 l2cap_le_start(chan);
93c3e8f5
AE		 1271 } else {
1272 l2cap_send_conn_req(chan);
1273 }
1274}
1275
fc7f8a7e 1276static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1277{
8c1d787b 1278 struct l2cap_conn *conn = chan->conn;
79d554a6 1279
9f0caeb1 1280 if (conn->hcon->type == LE_LINK) {
96ac34fb 1281 l2cap_le_start(chan);
9f0caeb1
VCG		 1282 return;
1283 }
1284
79d554a6 1285 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1286 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1287 return;
1288
e7cafc45 1289 if (l2cap_chan_check_security(chan, true) &&
2d792818 1290 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1291 l2cap_start_connection(chan);
1292 }
79d554a6
MH		 1293 } else {
1294 struct l2cap_info_req req;
dcf4adbf 1295 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1296
1297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1298 conn->info_ident = l2cap_get_ident(conn);
1299
ba13ccd9 1300 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1301
2d792818
GP		 1302 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1303 sizeof(req), &req);
79d554a6
MH		 1304 }
1305}
1306
cf6c2c0b
GP		 1307static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1308{
1309 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1310 if (!disable_ertm)
cf6c2c0b
GP		 1311 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1312
1313 switch (mode) {
1314 case L2CAP_MODE_ERTM:
1315 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1316 case L2CAP_MODE_STREAMING:
1317 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1318 default:
1319 return 0x00;
1320 }
1321}
1322
5e4e3972 1323static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1324{
5e4e3972 1325 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1326 struct l2cap_disconn_req req;
1327
c13ffa62
GP		 1328 if (!conn)
1329 return;
1330
aad3d0e3 1331 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1332 __clear_retrans_timer(chan);
1333 __clear_monitor_timer(chan);
1334 __clear_ack_timer(chan);
c13ffa62
GP		 1335 }
1336
2338a7e0 1337 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1338 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1339 return;
1340 }
1341
fe4128e0
GP		 1342 req.dcid = cpu_to_le16(chan->dcid);
1343 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1344 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1345 sizeof(req), &req);
c13ffa62 1346
f8e73017 1347 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1348}
1349
1da177e4 1350/* ---- L2CAP connections ---- */
4e8402a3
MH		 1351static void l2cap_conn_start(struct l2cap_conn *conn)
1352{
3df91ea2 1353 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1354
1355 BT_DBG("conn %p", conn);
1356
3df91ea2 1357 mutex_lock(&conn->chan_lock);
4e8402a3 1358
3df91ea2 1359 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1360 l2cap_chan_lock(chan);
4e8402a3 1361
715ec005 1362 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1363 l2cap_chan_unlock(chan);
79d554a6
MH		 1364 continue;
1365 }
1366
89bc500e 1367 if (chan->state == BT_CONNECT) {
e7cafc45 1368 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1369 !__l2cap_no_conn_pending(chan)) {
6be36555 1370 l2cap_chan_unlock(chan);
47731de7
GP		 1371 continue;
1372 }
79d554a6 1373
c1360a1c 1374 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1375 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1376 &chan->conf_state)) {
89bc500e 1377 l2cap_chan_close(chan, ECONNRESET);
6be36555 1378 l2cap_chan_unlock(chan);
47731de7 1379 continue;
b1235d79 1380 }
47731de7 1381
93c3e8f5 1382 l2cap_start_connection(chan);
47731de7 1383
89bc500e 1384 } else if (chan->state == BT_CONNECT2) {
79d554a6 1385 struct l2cap_conn_rsp rsp;
e9aeb2dd 1386 char buf[128];
fe4128e0
GP		 1387 rsp.scid = cpu_to_le16(chan->dcid);
1388 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1389
e7cafc45 1390 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1391 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1392 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1393 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1394 chan->ops->defer(chan);
f66dc81f
MH		 1395
1396 } else {
acdcabf5 1397 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1398 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1399 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1400 }
79d554a6 1401 } else {
dcf4adbf
JP		 1402 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1403 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1404 }
1405
fc7f8a7e 1406 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1407 sizeof(rsp), &rsp);
e9aeb2dd 1408
c1360a1c 1409 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1410 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1411 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1412 continue;
1413 }
1414
c1360a1c 1415 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1416 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1417 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1418 chan->num_conf_req++;
4e8402a3
MH		 1419 }
1420
6be36555 1421 l2cap_chan_unlock(chan);
4e8402a3
MH		 1422 }
1423
3df91ea2 1424 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1425}
1426
b62f328b
VT		 1427static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1428{
cc8dba2b 1429 struct hci_conn *hcon = conn->hcon;
dcc36c16 1430 struct hci_dev *hdev = hcon->hdev;
b62f328b 1431
e760ec12 1432 BT_DBG("%s conn %p", hdev->name, conn);
b62f328b 1433
e760ec12
JH		 1434 /* For outgoing pairing which doesn't necessarily have an
1435 * associated socket (e.g. mgmt_pair_device).
1436 */
1437 if (hcon->out)
1438 smp_conn_security(hcon, hcon->pending_sec_level);
cc8dba2b 1439
80afeb6c
MH		 1440 /* For LE slave connections, make sure the connection interval
1441 * is in the range of the minium and maximum interval that has
1442 * been configured for this connection. If not, then trigger
1443 * the connection update procedure.
1444 */
40bef302 1445 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1446 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1447 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1448 struct l2cap_conn_param_update_req req;
1449
1450 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1451 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1452 req.latency = cpu_to_le16(hcon->le_conn_latency);
1453 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1454
1455 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1456 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1457 }
b62f328b
VT		 1458}
1459
4e8402a3
MH		 1460static void l2cap_conn_ready(struct l2cap_conn *conn)
1461{
48454079 1462 struct l2cap_chan *chan;
cc110922 1463 struct hci_conn *hcon = conn->hcon;
4e8402a3 1464
79d554a6 1465 BT_DBG("conn %p", conn);
4e8402a3 1466
e760ec12
JH		 1467 mutex_lock(&conn->chan_lock);
1468
3df91ea2 1469 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1470
6be36555 1471 l2cap_chan_lock(chan);
4e8402a3 1472
2338a7e0 1473 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1474 l2cap_chan_unlock(chan);
1475 continue;
1476 }
1477
cc110922 1478 if (hcon->type == LE_LINK) {
f1496dee 1479 l2cap_le_start(chan);
63128451 1480 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1481 l2cap_chan_ready(chan);
b501d6a1 1482
1c244f79 1483 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1484 l2cap_do_start(chan);
1c244f79 1485 }
4e8402a3 1486
6be36555 1487 l2cap_chan_unlock(chan);
4e8402a3 1488 }
79d554a6 1489
3df91ea2 1490 mutex_unlock(&conn->chan_lock);
61a939c6 1491
79a05727
JH		 1492 if (hcon->type == LE_LINK)
1493 l2cap_le_conn_ready(conn);
1494
61a939c6 1495 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1496}
1497
1498/* Notify sockets that we cannot guaranty reliability anymore */
1499static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1500{
48454079 1501 struct l2cap_chan *chan;
4e8402a3
MH		 1502
1503 BT_DBG("conn %p", conn);
1504
3df91ea2 1505 mutex_lock(&conn->chan_lock);
4e8402a3 1506
3df91ea2 1507 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1508 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1509 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1510 }
1511
3df91ea2 1512 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1513}
1514
f878fcad 1515static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1516{
f878fcad 1517 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1518 info_timer.work);
4e8402a3 1519
984947dc 1520 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1521 conn->info_ident = 0;
984947dc 1522
4e8402a3
MH		 1523 l2cap_conn_start(conn);
1524}
1525
2c8e1411
DH		 1526/*
1527 * l2cap_user
1528 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1529 * callback is called during registration. The ->remove callback is called
1530 * during unregistration.
1531 * An l2cap_user object can either be explicitly unregistered or when the
1532 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1533 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1534 * External modules must own a reference to the l2cap_conn object if they intend
1535 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1536 * any time if they don't.
1537 */
1538
1539int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1540{
1541 struct hci_dev *hdev = conn->hcon->hdev;
1542 int ret;
1543
1544 /* We need to check whether l2cap_conn is registered. If it is not, we
1545 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1546 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1547 * relies on the parent hci_conn object to be locked. This itself relies
1548 * on the hci_dev object to be locked. So we must lock the hci device
1549 * here, too. */
1550
1551 hci_dev_lock(hdev);
1552
1553 if (user->list.next || user->list.prev) {
1554 ret = -EINVAL;
1555 goto out_unlock;
1556 }
1557
1558 /* conn->hchan is NULL after l2cap_conn_del() was called */
1559 if (!conn->hchan) {
1560 ret = -ENODEV;
1561 goto out_unlock;
1562 }
1563
1564 ret = user->probe(conn, user);
1565 if (ret)
1566 goto out_unlock;
1567
1568 list_add(&user->list, &conn->users);
1569 ret = 0;
1570
1571out_unlock:
1572 hci_dev_unlock(hdev);
1573 return ret;
1574}
1575EXPORT_SYMBOL(l2cap_register_user);
1576
1577void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1578{
1579 struct hci_dev *hdev = conn->hcon->hdev;
1580
1581 hci_dev_lock(hdev);
1582
1583 if (!user->list.next || !user->list.prev)
1584 goto out_unlock;
1585
1586 list_del(&user->list);
1587 user->list.next = NULL;
1588 user->list.prev = NULL;
1589 user->remove(conn, user);
1590
1591out_unlock:
1592 hci_dev_unlock(hdev);
1593}
1594EXPORT_SYMBOL(l2cap_unregister_user);
1595
1596static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1597{
1598 struct l2cap_user *user;
1599
1600 while (!list_empty(&conn->users)) {
1601 user = list_first_entry(&conn->users, struct l2cap_user, list);
1602 list_del(&user->list);
1603 user->list.next = NULL;
1604 user->list.prev = NULL;
1605 user->remove(conn, user);
1606 }
1607}
1608
5d3de7df
VCG		 1609static void l2cap_conn_del(struct hci_conn *hcon, int err)
1610{
1611 struct l2cap_conn *conn = hcon->l2cap_data;
1612 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1613
1614 if (!conn)
1615 return;
1616
1617 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1618
1619 kfree_skb(conn->rx_skb);
1620
61a939c6 1621 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1622
1623 /* We can not call flush_work(&conn->pending_rx_work) here since we
1624 * might block if we are running on a worker from the same workqueue
1625 * pending_rx_work is waiting on.
1626 */
1627 if (work_pending(&conn->pending_rx_work))
1628 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1629
dec5b492
JH		 1630 if (work_pending(&conn->disconn_work))
1631 cancel_work_sync(&conn->disconn_work);
1632
2c8e1411
DH		 1633 l2cap_unregister_all_users(conn);
1634
3df91ea2
AE		 1635 mutex_lock(&conn->chan_lock);
1636
5d3de7df
VCG		 1637 /* Kill channels */
1638 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1639 l2cap_chan_hold(chan);
6be36555
AE		 1640 l2cap_chan_lock(chan);
1641
5d3de7df 1642 l2cap_chan_del(chan, err);
6be36555
AE		 1643
1644 l2cap_chan_unlock(chan);
1645
80b98027 1646 chan->ops->close(chan);
61d6ef3e 1647 l2cap_chan_put(chan);
5d3de7df
VCG		 1648 }
1649
3df91ea2
AE		 1650 mutex_unlock(&conn->chan_lock);
1651
73d80deb
LAD		 1652 hci_chan_del(conn->hchan);
1653
5d3de7df 1654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1655 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1656
5d3de7df 1657 hcon->l2cap_data = NULL;
9c903e37
DH		 1658 conn->hchan = NULL;
1659 l2cap_conn_put(conn);
5d3de7df
VCG		 1660}
1661
dec5b492
JH		 1662static void disconn_work(struct work_struct *work)
1663{
1664 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1665 disconn_work);
1666
1667 BT_DBG("conn %p", conn);
1668
1669 l2cap_conn_del(conn->hcon, conn->disconn_err);
1670}
1671
1672void l2cap_conn_shutdown(struct l2cap_conn *conn, int err)
1673{
1674 struct hci_dev *hdev = conn->hcon->hdev;
1675
1676 BT_DBG("conn %p err %d", conn, err);
1677
1678 conn->disconn_err = err;
1679 queue_work(hdev->workqueue, &conn->disconn_work);
1680}
1681
9c903e37
DH		 1682static void l2cap_conn_free(struct kref *ref)
1683{
1684 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1685
1686 hci_conn_put(conn->hcon);
1687 kfree(conn);
1688}
1689
1690void l2cap_conn_get(struct l2cap_conn *conn)
1691{
1692 kref_get(&conn->ref);
1693}
1694EXPORT_SYMBOL(l2cap_conn_get);
1695
1696void l2cap_conn_put(struct l2cap_conn *conn)
1697{
1698 kref_put(&conn->ref, l2cap_conn_free);
1699}
1700EXPORT_SYMBOL(l2cap_conn_put);
1701
1da177e4 1702/* ---- Socket interface ---- */
1da177e4 1703
c2287681 1704/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1705 * Returns closest match.
1706 */
c2287681
IY		 1707static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1708 bdaddr_t *src,
bf20fd4e
JH		 1709 bdaddr_t *dst,
1710 u8 link_type)
1da177e4 1711{
23691d75 1712 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1713
23691d75 1714 read_lock(&chan_list_lock);
e0f0cb56 1715
23691d75 1716 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1717 if (state && c->state != state)
1da177e4
LT		 1718 continue;
1719
bf20fd4e
JH		 1720 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1721 continue;
1722
1723 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1724 continue;
1725
23691d75 1726 if (c->psm == psm) {
c2287681
IY		 1727 int src_match, dst_match;
1728 int src_any, dst_any;
1729
1da177e4 1730 /* Exact match. */
7eafc59e
MH		 1731 src_match = !bacmp(&c->src, src);
1732 dst_match = !bacmp(&c->dst, dst);
c2287681 1733 if (src_match && dst_match) {
a24cce14 1734 l2cap_chan_hold(c);
a7567b20 1735 read_unlock(&chan_list_lock);
23691d75
GP		 1736 return c;
1737 }
1da177e4
LT		 1738
1739 /* Closest match */
7eafc59e
MH		 1740 src_any = !bacmp(&c->src, BDADDR_ANY);
1741 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1742 if ((src_match && dst_any) || (src_any && dst_match) ||
1743 (src_any && dst_any))
23691d75 1744 c1 = c;
1da177e4
LT		 1745 }
1746 }
1da177e4 1747
a24cce14
JH		 1748 if (c1)
1749 l2cap_chan_hold(c1);
1750
23691d75 1751 read_unlock(&chan_list_lock);
e0f0cb56 1752
23691d75 1753 return c1;
1da177e4
LT		 1754}
1755
721c4181 1756static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1757{
721c4181 1758 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1759 monitor_timer.work);
e90bac06 1760
525cd185 1761 BT_DBG("chan %p", chan);
0e98958d 1762
6be36555
AE		 1763 l2cap_chan_lock(chan);
1764
80909e04 1765 if (!chan->conn) {
6be36555 1766 l2cap_chan_unlock(chan);
8d7e1c7f 1767 l2cap_chan_put(chan);
e90bac06
GP		 1768 return;
1769 }
1770
401bb1f7 1771 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1772
6be36555 1773 l2cap_chan_unlock(chan);
8d7e1c7f 1774 l2cap_chan_put(chan);
e90bac06
GP		 1775}
1776
721c4181 1777static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1778{
721c4181 1779 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1780 retrans_timer.work);
e90bac06 1781
49208c9c 1782 BT_DBG("chan %p", chan);
0e98958d 1783
6be36555
AE		 1784 l2cap_chan_lock(chan);
1785
80909e04
MM		 1786 if (!chan->conn) {
1787 l2cap_chan_unlock(chan);
1788 l2cap_chan_put(chan);
1789 return;
1790 }
6be36555 1791
401bb1f7 1792 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1793 l2cap_chan_unlock(chan);
8d7e1c7f 1794 l2cap_chan_put(chan);
e90bac06
GP		 1795}
1796
d660366d
GP		 1797static void l2cap_streaming_send(struct l2cap_chan *chan,
1798 struct sk_buff_head *skbs)
6840ed07 1799{
ccbb84af 1800 struct sk_buff *skb;
3733937d 1801 struct l2cap_ctrl *control;
6840ed07 1802
3733937d
MM		 1803 BT_DBG("chan %p, skbs %p", chan, skbs);
1804
b99e13ad
MM		 1805 if (__chan_is_moving(chan))
1806 return;
1807
3733937d
MM		 1808 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1809
1810 while (!skb_queue_empty(&chan->tx_q)) {
1811
1812 skb = skb_dequeue(&chan->tx_q);
1813
1814 bt_cb(skb)->control.retries = 1;
1815 control = &bt_cb(skb)->control;
1816
1817 control->reqseq = 0;
1818 control->txseq = chan->next_tx_seq;
1819
1820 __pack_control(chan, control, skb);
6840ed07 1821
47d1ec61 1822 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1823 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1824 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1825 }
1826
4343478f 1827 l2cap_do_send(chan, skb);
6840ed07 1828
b4400672 1829 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1830
836be934 1831 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1832 chan->frames_sent++;
6840ed07 1833 }
6840ed07
GP		 1834}
1835
67c9e840 1836static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1837{
1838 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1839 struct l2cap_ctrl *control;
1840 int sent = 0;
1841
1842 BT_DBG("chan %p", chan);
1c2acffb 1843
89bc500e 1844 if (chan->state != BT_CONNECTED)
c13ffa62 1845 return -ENOTCONN;
e90bac06 1846
94122bbe
MM		 1847 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1848 return 0;
1849
b99e13ad
MM		 1850 if (__chan_is_moving(chan))
1851 return 0;
1852
18a48e76
MM		 1853 while (chan->tx_send_head &&
1854 chan->unacked_frames < chan->remote_tx_win &&
1855 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1856
18a48e76 1857 skb = chan->tx_send_head;
e90bac06 1858
18a48e76
MM		 1859 bt_cb(skb)->control.retries = 1;
1860 control = &bt_cb(skb)->control;
95ffa978 1861
e2ab4353 1862 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1863 control->final = 1;
e2ab4353 1864
18a48e76
MM		 1865 control->reqseq = chan->buffer_seq;
1866 chan->last_acked_seq = chan->buffer_seq;
1867 control->txseq = chan->next_tx_seq;
1c2acffb 1868
18a48e76 1869 __pack_control(chan, control, skb);
e90bac06 1870
47d1ec61 1871 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1872 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1873 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1874 }
1875
18a48e76
MM		 1876 /* Clone after data has been modified. Data is assumed to be
1877 read-only (for locking purposes) on cloned sk_buffs.
1878 */
1879 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1880
18a48e76
MM		 1881 if (!tx_skb)
1882 break;
1c2acffb 1883
18a48e76 1884 __set_retrans_timer(chan);
836be934
AE		 1885
1886 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1887 chan->unacked_frames++;
6a026610 1888 chan->frames_sent++;
18a48e76 1889 sent++;
1c2acffb 1890
58d35f87
GP		 1891 if (skb_queue_is_last(&chan->tx_q, skb))
1892 chan->tx_send_head = NULL;
1c2acffb 1893 else
58d35f87 1894 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1895
1896 l2cap_do_send(chan, tx_skb);
b4400672 1897 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1898 }
1899
b4400672
AE		 1900 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1901 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1902
1903 return sent;
9e917af1
GP		 1904}
1905
e1fbd4c1
MM		 1906static void l2cap_ertm_resend(struct l2cap_chan *chan)
1907{
1908 struct l2cap_ctrl control;
1909 struct sk_buff *skb;
1910 struct sk_buff *tx_skb;
1911 u16 seq;
1912
1913 BT_DBG("chan %p", chan);
1914
1915 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1916 return;
1917
b99e13ad
MM		 1918 if (__chan_is_moving(chan))
1919 return;
1920
e1fbd4c1
MM		 1921 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1922 seq = l2cap_seq_list_pop(&chan->retrans_list);
1923
1924 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1925 if (!skb) {
1926 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1927 seq);
e1fbd4c1
MM		 1928 continue;
1929 }
1930
1931 bt_cb(skb)->control.retries++;
1932 control = bt_cb(skb)->control;
1933
1934 if (chan->max_tx != 0 &&
1935 bt_cb(skb)->control.retries > chan->max_tx) {
1936 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1937 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1938 l2cap_seq_list_clear(&chan->retrans_list);
1939 break;
1940 }
1941
1942 control.reqseq = chan->buffer_seq;
1943 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1944 control.final = 1;
1945 else
1946 control.final = 0;
1947
1948 if (skb_cloned(skb)) {
1949 /* Cloned sk_buffs are read-only, so we need a
1950 * writeable copy
1951 */
8bcde1f2 1952 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1953 } else {
8bcde1f2 1954 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1955 }
1956
1957 if (!tx_skb) {
1958 l2cap_seq_list_clear(&chan->retrans_list);
1959 break;
1960 }
1961
1962 /* Update skb contents */
1963 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1964 put_unaligned_le32(__pack_extended_control(&control),
1965 tx_skb->data + L2CAP_HDR_SIZE);
1966 } else {
1967 put_unaligned_le16(__pack_enhanced_control(&control),
1968 tx_skb->data + L2CAP_HDR_SIZE);
1969 }
1970
1971 if (chan->fcs == L2CAP_FCS_CRC16) {
1972 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1973 put_unaligned_le16(fcs, skb_put(tx_skb,
1974 L2CAP_FCS_SIZE));
1975 }
1976
1977 l2cap_do_send(chan, tx_skb);
1978
1979 BT_DBG("Resent txseq %d", control.txseq);
1980
1981 chan->last_acked_seq = chan->buffer_seq;
1982 }
1983}
1984
f80842a8
MM		 1985static void l2cap_retransmit(struct l2cap_chan *chan,
1986 struct l2cap_ctrl *control)
1987{
1988 BT_DBG("chan %p, control %p", chan, control);
1989
1990 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
1991 l2cap_ertm_resend(chan);
1992}
1993
d2a7ac5d
MM		 1994static void l2cap_retransmit_all(struct l2cap_chan *chan,
1995 struct l2cap_ctrl *control)
1996{
e1fbd4c1
MM		 1997 struct sk_buff *skb;
1998
1999 BT_DBG("chan %p, control %p", chan, control);
2000
2001 if (control->poll)
2002 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2003
2004 l2cap_seq_list_clear(&chan->retrans_list);
2005
2006 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2007 return;
2008
2009 if (chan->unacked_frames) {
2010 skb_queue_walk(&chan->tx_q, skb) {
2011 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2012 skb == chan->tx_send_head)
e1fbd4c1
MM		 2013 break;
2014 }
2015
2016 skb_queue_walk_from(&chan->tx_q, skb) {
2017 if (skb == chan->tx_send_head)
2018 break;
2019
2020 l2cap_seq_list_append(&chan->retrans_list,
2021 bt_cb(skb)->control.txseq);
2022 }
2023
2024 l2cap_ertm_resend(chan);
2025 }
d2a7ac5d
MM		 2026}
2027
0a0aba42 2028static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2029{
0a0aba42
MM		 2030 struct l2cap_ctrl control;
2031 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2032 chan->last_acked_seq);
2033 int threshold;
9e917af1 2034
0a0aba42
MM		 2035 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2036 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2037
0a0aba42
MM		 2038 memset(&control, 0, sizeof(control));
2039 control.sframe = 1;
dfc909be 2040
0a0aba42
MM		 2041 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2042 chan->rx_state == L2CAP_RX_STATE_RECV) {
2043 __clear_ack_timer(chan);
2044 control.super = L2CAP_SUPER_RNR;
2045 control.reqseq = chan->buffer_seq;
2046 l2cap_send_sframe(chan, &control);
2047 } else {
2048 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2049 l2cap_ertm_send(chan);
2050 /* If any i-frames were sent, they included an ack */
2051 if (chan->buffer_seq == chan->last_acked_seq)
2052 frames_to_ack = 0;
2053 }
dfc909be 2054
c20f8e35 2055 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2056 * Calculate without mul or div
2057 */
c20f8e35 2058 threshold = chan->ack_win;
0a0aba42
MM		 2059 threshold += threshold << 1;
2060 threshold >>= 2;
2061
b4400672 2062 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2063 threshold);
2064
2065 if (frames_to_ack >= threshold) {
2066 __clear_ack_timer(chan);
2067 control.super = L2CAP_SUPER_RR;
2068 control.reqseq = chan->buffer_seq;
2069 l2cap_send_sframe(chan, &control);
2070 frames_to_ack = 0;
2071 }
1c2acffb 2072
0a0aba42
MM		 2073 if (frames_to_ack)
2074 __set_ack_timer(chan);
2075 }
b17e73bb
SJ		 2076}
2077
04124681
GP		 2078static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2079 struct msghdr *msg, int len,
2080 int count, struct sk_buff *skb)
1c2acffb 2081{
0952a57a 2082 struct l2cap_conn *conn = chan->conn;
1c2acffb 2083 struct sk_buff **frag;
90338947 2084 int sent = 0;
1da177e4 2085
0498878b
JR		 2086 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2087 msg->msg_iov, count))
1c2acffb 2088 return -EFAULT;
1da177e4
LT		 2089
2090 sent += count;
2091 len -= count;
2092
2093 /* Continuation fragments (no L2CAP header) */
2094 frag = &skb_shinfo(skb)->frag_list;
2095 while (len) {
fbe00700
GP		 2096 struct sk_buff *tmp;
2097
1da177e4
LT		 2098 count = min_t(unsigned int, conn->mtu, len);
2099
d9fbd02b 2100 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2101 msg->msg_flags & MSG_DONTWAIT);
2102 if (IS_ERR(tmp))
2103 return PTR_ERR(tmp);
2104
2105 *frag = tmp;
2f7719ce 2106
0498878b
JR		 2107 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2108 msg->msg_iov, count))
1c2acffb 2109 return -EFAULT;
1da177e4
LT		 2110
2111 sent += count;
2112 len -= count;
2113
2d0ed3d5
GP		 2114 skb->len += (*frag)->len;
2115 skb->data_len += (*frag)->len;
2116
1da177e4
LT		 2117 frag = &(*frag)->next;
2118 }
1da177e4
LT		 2119
2120 return sent;
1c2acffb 2121}
1da177e4 2122
5e59b791 2123static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2124 struct msghdr *msg, size_t len)
1c2acffb 2125{
8c1d787b 2126 struct l2cap_conn *conn = chan->conn;
1c2acffb 2127 struct sk_buff *skb;
03a51213 2128 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2129 struct l2cap_hdr *lh;
2130
8d46321c
MH		 2131 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2132 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2133
2134 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2135
d9fbd02b 2136 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2137 msg->msg_flags & MSG_DONTWAIT);
2138 if (IS_ERR(skb))
2139 return skb;
1c2acffb
GP		 2140
2141 /* Create L2CAP header */
2142 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2143 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2144 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2145 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2146
0952a57a 2147 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2148 if (unlikely(err < 0)) {
2149 kfree_skb(skb);
2150 return ERR_PTR(err);
2151 }
2152 return skb;
2153}
2154
5e59b791 2155static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2156 struct msghdr *msg, size_t len)
1c2acffb 2157{
8c1d787b 2158 struct l2cap_conn *conn = chan->conn;
1c2acffb 2159 struct sk_buff *skb;
f2ba7fae 2160 int err, count;
1c2acffb
GP		 2161 struct l2cap_hdr *lh;
2162
b4400672 2163 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2164
f2ba7fae 2165 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2166
d9fbd02b 2167 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2168 msg->msg_flags & MSG_DONTWAIT);
2169 if (IS_ERR(skb))
2170 return skb;
1c2acffb
GP		 2171
2172 /* Create L2CAP header */
2173 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2174 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2175 lh->len = cpu_to_le16(len);
1c2acffb 2176
0952a57a 2177 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2178 if (unlikely(err < 0)) {
2179 kfree_skb(skb);
2180 return ERR_PTR(err);
2181 }
2182 return skb;
2183}
2184
ab0ff76d 2185static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2186 struct msghdr *msg, size_t len,
2187 u16 sdulen)
1c2acffb 2188{
8c1d787b 2189 struct l2cap_conn *conn = chan->conn;
1c2acffb 2190 struct sk_buff *skb;
e4ca6d98 2191 int err, count, hlen;
1c2acffb
GP		 2192 struct l2cap_hdr *lh;
2193
b4400672 2194 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2195
0ee0d208
GP		 2196 if (!conn)
2197 return ERR_PTR(-ENOTCONN);
2198
ba7aa64f 2199 hlen = __ertm_hdr_size(chan);
e4ca6d98 2200
c74e560c 2201 if (sdulen)
03a51213 2202 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2203
47d1ec61 2204 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2205 hlen += L2CAP_FCS_SIZE;
fcc203c3 2206
1c2acffb 2207 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2208
d9fbd02b 2209 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2210 msg->msg_flags & MSG_DONTWAIT);
2211 if (IS_ERR(skb))
2212 return skb;
1c2acffb
GP		 2213
2214 /* Create L2CAP header */
2215 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2216 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2217 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2218
18a48e76
MM		 2219 /* Control header is populated later */
2220 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2221 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2222 else
2223 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2224
c74e560c 2225 if (sdulen)
03a51213 2226 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2227
0952a57a 2228 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2229 if (unlikely(err < 0)) {
2230 kfree_skb(skb);
2231 return ERR_PTR(err);
2232 }
e90bac06 2233
18a48e76 2234 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2235 bt_cb(skb)->control.retries = 0;
1c2acffb 2236 return skb;
1da177e4
LT		 2237}
2238
94122bbe
MM		 2239static int l2cap_segment_sdu(struct l2cap_chan *chan,
2240 struct sk_buff_head *seg_queue,
2241 struct msghdr *msg, size_t len)
c74e560c 2242{
c74e560c 2243 struct sk_buff *skb;
94122bbe
MM		 2244 u16 sdu_len;
2245 size_t pdu_len;
94122bbe 2246 u8 sar;
c74e560c 2247
b4400672 2248 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2249
94122bbe
MM		 2250 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2251 * so fragmented skbs are not used. The HCI layer's handling
2252 * of fragmented skbs is not compatible with ERTM's queueing.
2253 */
c74e560c 2254
94122bbe
MM		 2255 /* PDU size is derived from the HCI MTU */
2256 pdu_len = chan->conn->mtu;
c74e560c 2257
a549574d
MM		 2258 /* Constrain PDU size for BR/EDR connections */
2259 if (!chan->hs_hcon)
2260 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2261
2262 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2263 if (chan->fcs)
2264 pdu_len -= L2CAP_FCS_SIZE;
2265
ba7aa64f 2266 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2267
2268 /* Remote device may have requested smaller PDUs */
2269 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2270
2271 if (len <= pdu_len) {
2272 sar = L2CAP_SAR_UNSEGMENTED;
2273 sdu_len = 0;
2274 pdu_len = len;
2275 } else {
2276 sar = L2CAP_SAR_START;
2277 sdu_len = len;
94122bbe
MM		 2278 }
2279
2280 while (len > 0) {
2281 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2282
c74e560c 2283 if (IS_ERR(skb)) {
94122bbe 2284 __skb_queue_purge(seg_queue);
c74e560c
GP		 2285 return PTR_ERR(skb);
2286 }
2287
94122bbe
MM		 2288 bt_cb(skb)->control.sar = sar;
2289 __skb_queue_tail(seg_queue, skb);
2290
2291 len -= pdu_len;
069cb270 2292 if (sdu_len)
94122bbe 2293 sdu_len = 0;
94122bbe
MM		 2294
2295 if (len <= pdu_len) {
2296 sar = L2CAP_SAR_END;
2297 pdu_len = len;
2298 } else {
2299 sar = L2CAP_SAR_CONTINUE;
2300 }
c74e560c 2301 }
c74e560c 2302
f0f62799 2303 return 0;
c74e560c
GP		 2304}
2305
177f8f2b
JH		 2306static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2307 struct msghdr *msg,
2308 size_t len, u16 sdulen)
2309{
2310 struct l2cap_conn *conn = chan->conn;
2311 struct sk_buff *skb;
2312 int err, count, hlen;
2313 struct l2cap_hdr *lh;
2314
2315 BT_DBG("chan %p len %zu", chan, len);
2316
2317 if (!conn)
2318 return ERR_PTR(-ENOTCONN);
2319
2320 hlen = L2CAP_HDR_SIZE;
2321
2322 if (sdulen)
2323 hlen += L2CAP_SDULEN_SIZE;
2324
2325 count = min_t(unsigned int, (conn->mtu - hlen), len);
2326
d9fbd02b 2327 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2328 msg->msg_flags & MSG_DONTWAIT);
2329 if (IS_ERR(skb))
2330 return skb;
2331
2332 /* Create L2CAP header */
2333 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2334 lh->cid = cpu_to_le16(chan->dcid);
2335 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2336
2337 if (sdulen)
2338 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2339
2340 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2341 if (unlikely(err < 0)) {
2342 kfree_skb(skb);
2343 return ERR_PTR(err);
2344 }
2345
2346 return skb;
2347}
2348
2349static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2350 struct sk_buff_head *seg_queue,
2351 struct msghdr *msg, size_t len)
2352{
2353 struct sk_buff *skb;
2354 size_t pdu_len;
2355 u16 sdu_len;
2356
2357 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2358
2359 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2360
2361 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2362
2363 sdu_len = len;
2364 pdu_len -= L2CAP_SDULEN_SIZE;
2365
2366 while (len > 0) {
2367 if (len <= pdu_len)
2368 pdu_len = len;
2369
2370 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2371 if (IS_ERR(skb)) {
2372 __skb_queue_purge(seg_queue);
2373 return PTR_ERR(skb);
2374 }
2375
2376 __skb_queue_tail(seg_queue, skb);
2377
2378 len -= pdu_len;
2379
2380 if (sdu_len) {
2381 sdu_len = 0;
2382 pdu_len += L2CAP_SDULEN_SIZE;
2383 }
2384 }
2385
2386 return 0;
2387}
2388
8d46321c 2389int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2390{
9a91a04a 2391 struct sk_buff *skb;
9a91a04a 2392 int err;
94122bbe 2393 struct sk_buff_head seg_queue;
9a91a04a 2394
31e8ce80
SWK		 2395 if (!chan->conn)
2396 return -ENOTCONN;
2397
9a91a04a 2398 /* Connectionless channel */
715ec005 2399 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2400 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2401 if (IS_ERR(skb))
2402 return PTR_ERR(skb);
2403
ede81a2a
AK		 2404 /* Channel lock is released before requesting new skb and then
2405 * reacquired thus we need to recheck channel state.
2406 */
2407 if (chan->state != BT_CONNECTED) {
2408 kfree_skb(skb);
2409 return -ENOTCONN;
2410 }
2411
9a91a04a
GP		 2412 l2cap_do_send(chan, skb);
2413 return len;
2414 }
2415
2416 switch (chan->mode) {
38319713 2417 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2418 /* Check outgoing MTU */
2419 if (len > chan->omtu)
2420 return -EMSGSIZE;
2421
fad5fc89
JH		 2422 if (!chan->tx_credits)
2423 return -EAGAIN;
2424
177f8f2b
JH		 2425 __skb_queue_head_init(&seg_queue);
2426
2427 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2428
2429 if (chan->state != BT_CONNECTED) {
2430 __skb_queue_purge(&seg_queue);
2431 err = -ENOTCONN;
2432 }
2433
2434 if (err)
2435 return err;
2436
2437 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2438
2439 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2440 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2441 chan->tx_credits--;
2442 }
2443
2444 if (!chan->tx_credits)
2445 chan->ops->suspend(chan);
2446
2447 err = len;
2448
2449 break;
2450
fad5fc89 2451 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2452 /* Check outgoing MTU */
2453 if (len > chan->omtu)
2454 return -EMSGSIZE;
2455
2456 /* Create a basic PDU */
8d46321c 2457 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2458 if (IS_ERR(skb))
2459 return PTR_ERR(skb);
2460
ede81a2a
AK		 2461 /* Channel lock is released before requesting new skb and then
2462 * reacquired thus we need to recheck channel state.
2463 */
2464 if (chan->state != BT_CONNECTED) {
2465 kfree_skb(skb);
2466 return -ENOTCONN;
2467 }
2468
9a91a04a
GP		 2469 l2cap_do_send(chan, skb);
2470 err = len;
2471 break;
2472
2473 case L2CAP_MODE_ERTM:
2474 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2475 /* Check outgoing MTU */
2476 if (len > chan->omtu) {
2477 err = -EMSGSIZE;
2478 break;
2479 }
9a91a04a 2480
94122bbe 2481 __skb_queue_head_init(&seg_queue);
9a91a04a 2482
94122bbe
MM		 2483 /* Do segmentation before calling in to the state machine,
2484 * since it's possible to block while waiting for memory
2485 * allocation.
2486 */
2487 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2488
94122bbe
MM		 2489 /* The channel could have been closed while segmenting,
2490 * check that it is still connected.
2491 */
2492 if (chan->state != BT_CONNECTED) {
2493 __skb_queue_purge(&seg_queue);
2494 err = -ENOTCONN;
9a91a04a
GP		 2495 }
2496
94122bbe 2497 if (err)
9a91a04a 2498 break;
9a91a04a 2499
3733937d 2500 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2501 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2502 else
d660366d 2503 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2504
d660366d 2505 err = len;
9a91a04a 2506
94122bbe
MM		 2507 /* If the skbs were not queued for sending, they'll still be in
2508 * seg_queue and need to be purged.
2509 */
2510 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2511 break;
2512
2513 default:
2514 BT_DBG("bad state %1.1x", chan->mode);
2515 err = -EBADFD;
2516 }
2517
2518 return err;
2519}
6b8d4a6a 2520EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2521
d2a7ac5d
MM		 2522static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2523{
bed68bde
MM		 2524 struct l2cap_ctrl control;
2525 u16 seq;
2526
b4400672 2527 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2528
2529 memset(&control, 0, sizeof(control));
2530 control.sframe = 1;
2531 control.super = L2CAP_SUPER_SREJ;
2532
2533 for (seq = chan->expected_tx_seq; seq != txseq;
2534 seq = __next_seq(chan, seq)) {
2535 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2536 control.reqseq = seq;
2537 l2cap_send_sframe(chan, &control);
2538 l2cap_seq_list_append(&chan->srej_list, seq);
2539 }
2540 }
2541
2542 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2543}
2544
2545static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2546{
bed68bde
MM		 2547 struct l2cap_ctrl control;
2548
2549 BT_DBG("chan %p", chan);
2550
2551 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2552 return;
2553
2554 memset(&control, 0, sizeof(control));
2555 control.sframe = 1;
2556 control.super = L2CAP_SUPER_SREJ;
2557 control.reqseq = chan->srej_list.tail;
2558 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2559}
2560
2561static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2562{
bed68bde
MM		 2563 struct l2cap_ctrl control;
2564 u16 initial_head;
2565 u16 seq;
2566
b4400672 2567 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2568
2569 memset(&control, 0, sizeof(control));
2570 control.sframe = 1;
2571 control.super = L2CAP_SUPER_SREJ;
2572
2573 /* Capture initial list head to allow only one pass through the list. */
2574 initial_head = chan->srej_list.head;
2575
2576 do {
2577 seq = l2cap_seq_list_pop(&chan->srej_list);
2578 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2579 break;
2580
2581 control.reqseq = seq;
2582 l2cap_send_sframe(chan, &control);
2583 l2cap_seq_list_append(&chan->srej_list, seq);
2584 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2585}
2586
608bcc6d
MM		 2587static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2588{
2589 struct sk_buff *acked_skb;
2590 u16 ackseq;
2591
b4400672 2592 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2593
2594 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2595 return;
2596
b4400672 2597 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2598 chan->expected_ack_seq, chan->unacked_frames);
2599
2600 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2601 ackseq = __next_seq(chan, ackseq)) {
2602
2603 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2604 if (acked_skb) {
2605 skb_unlink(acked_skb, &chan->tx_q);
2606 kfree_skb(acked_skb);
2607 chan->unacked_frames--;
2608 }
2609 }
2610
2611 chan->expected_ack_seq = reqseq;
2612
2613 if (chan->unacked_frames == 0)
2614 __clear_retrans_timer(chan);
2615
b4400672 2616 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2617}
2618
2619static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2620{
2621 BT_DBG("chan %p", chan);
2622
2623 chan->expected_tx_seq = chan->buffer_seq;
2624 l2cap_seq_list_clear(&chan->srej_list);
2625 skb_queue_purge(&chan->srej_q);
2626 chan->rx_state = L2CAP_RX_STATE_RECV;
2627}
2628
d660366d
GP		 2629static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2630 struct l2cap_ctrl *control,
2631 struct sk_buff_head *skbs, u8 event)
608bcc6d 2632{
608bcc6d
MM		 2633 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2634 event);
2635
2636 switch (event) {
2637 case L2CAP_EV_DATA_REQUEST:
2638 if (chan->tx_send_head == NULL)
2639 chan->tx_send_head = skb_peek(skbs);
2640
2641 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2642 l2cap_ertm_send(chan);
2643 break;
2644 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2645 BT_DBG("Enter LOCAL_BUSY");
2646 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2647
2648 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2649 /* The SREJ_SENT state must be aborted if we are to
2650 * enter the LOCAL_BUSY state.
2651 */
2652 l2cap_abort_rx_srej_sent(chan);
2653 }
2654
2655 l2cap_send_ack(chan);
2656
2657 break;
2658 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2659 BT_DBG("Exit LOCAL_BUSY");
2660 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2661
2662 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2663 struct l2cap_ctrl local_control;
2664
2665 memset(&local_control, 0, sizeof(local_control));
2666 local_control.sframe = 1;
2667 local_control.super = L2CAP_SUPER_RR;
2668 local_control.poll = 1;
2669 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2670 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2671
2672 chan->retry_count = 1;
2673 __set_monitor_timer(chan);
2674 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2675 }
2676 break;
2677 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2678 l2cap_process_reqseq(chan, control->reqseq);
2679 break;
2680 case L2CAP_EV_EXPLICIT_POLL:
2681 l2cap_send_rr_or_rnr(chan, 1);
2682 chan->retry_count = 1;
2683 __set_monitor_timer(chan);
2684 __clear_ack_timer(chan);
2685 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2686 break;
2687 case L2CAP_EV_RETRANS_TO:
2688 l2cap_send_rr_or_rnr(chan, 1);
2689 chan->retry_count = 1;
2690 __set_monitor_timer(chan);
2691 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2692 break;
2693 case L2CAP_EV_RECV_FBIT:
2694 /* Nothing to process */
2695 break;
2696 default:
2697 break;
2698 }
608bcc6d
MM		 2699}
2700
d660366d
GP		 2701static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2702 struct l2cap_ctrl *control,
2703 struct sk_buff_head *skbs, u8 event)
608bcc6d 2704{
608bcc6d
MM		 2705 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2706 event);
2707
2708 switch (event) {
2709 case L2CAP_EV_DATA_REQUEST:
2710 if (chan->tx_send_head == NULL)
2711 chan->tx_send_head = skb_peek(skbs);
2712 /* Queue data, but don't send. */
2713 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2714 break;
2715 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2716 BT_DBG("Enter LOCAL_BUSY");
2717 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2718
2719 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2720 /* The SREJ_SENT state must be aborted if we are to
2721 * enter the LOCAL_BUSY state.
2722 */
2723 l2cap_abort_rx_srej_sent(chan);
2724 }
2725
2726 l2cap_send_ack(chan);
2727
2728 break;
2729 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2730 BT_DBG("Exit LOCAL_BUSY");
2731 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2732
2733 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2734 struct l2cap_ctrl local_control;
2735 memset(&local_control, 0, sizeof(local_control));
2736 local_control.sframe = 1;
2737 local_control.super = L2CAP_SUPER_RR;
2738 local_control.poll = 1;
2739 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2740 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2741
2742 chan->retry_count = 1;
2743 __set_monitor_timer(chan);
2744 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2745 }
2746 break;
2747 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2748 l2cap_process_reqseq(chan, control->reqseq);
2749
2750 /* Fall through */
2751
2752 case L2CAP_EV_RECV_FBIT:
2753 if (control && control->final) {
2754 __clear_monitor_timer(chan);
2755 if (chan->unacked_frames > 0)
2756 __set_retrans_timer(chan);
2757 chan->retry_count = 0;
2758 chan->tx_state = L2CAP_TX_STATE_XMIT;
2759 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2760 }
2761 break;
2762 case L2CAP_EV_EXPLICIT_POLL:
2763 /* Ignore */
2764 break;
2765 case L2CAP_EV_MONITOR_TO:
2766 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2767 l2cap_send_rr_or_rnr(chan, 1);
2768 __set_monitor_timer(chan);
2769 chan->retry_count++;
2770 } else {
5e4e3972 2771 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2772 }
2773 break;
2774 default:
2775 break;
2776 }
608bcc6d
MM		 2777}
2778
d660366d
GP		 2779static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2780 struct sk_buff_head *skbs, u8 event)
608bcc6d 2781{
608bcc6d
MM		 2782 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2783 chan, control, skbs, event, chan->tx_state);
2784
2785 switch (chan->tx_state) {
2786 case L2CAP_TX_STATE_XMIT:
d660366d 2787 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2788 break;
2789 case L2CAP_TX_STATE_WAIT_F:
d660366d 2790 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2791 break;
2792 default:
2793 /* Ignore event */
2794 break;
2795 }
608bcc6d
MM		 2796}
2797
4b51dae9
MM		 2798static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2799 struct l2cap_ctrl *control)
2800{
2801 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2802 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2803}
2804
f80842a8
MM		 2805static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2806 struct l2cap_ctrl *control)
2807{
2808 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2809 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2810}
2811
1da177e4
LT		 2812/* Copy frame to all raw sockets on that connection */
2813static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2814{
1da177e4 2815 struct sk_buff *nskb;
48454079 2816 struct l2cap_chan *chan;
1da177e4
LT		 2817
2818 BT_DBG("conn %p", conn);
2819
3df91ea2 2820 mutex_lock(&conn->chan_lock);
3d57dc68 2821
3df91ea2 2822 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2823 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2824 continue;
2825
7f5396a7
GP		 2826 /* Don't send frame to the channel it came from */
2827 if (bt_cb(skb)->chan == chan)
1da177e4 2828 continue;
7f5396a7 2829
8bcde1f2 2830 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2831 if (!nskb)
1da177e4 2832 continue;
80b98027 2833 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2834 kfree_skb(nskb);
2835 }
3d57dc68 2836
3df91ea2 2837 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2838}
2839
2840/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2841static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2842 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2843{
2844 struct sk_buff *skb, **frag;
2845 struct l2cap_cmd_hdr *cmd;
2846 struct l2cap_hdr *lh;
2847 int len, count;
2848
b4400672
AE		 2849 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2850 conn, code, ident, dlen);
1da177e4 2851
300b962e
AL		 2852 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2853 return NULL;
2854
1da177e4
LT		 2855 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2856 count = min_t(unsigned int, conn->mtu, len);
2857
8bcde1f2 2858 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2859 if (!skb)
2860 return NULL;
2861
2862 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2863 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2864
2865 if (conn->hcon->type == LE_LINK)
dcf4adbf 2866 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2867 else
dcf4adbf 2868 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2869
2870 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2871 cmd->code = code;
2872 cmd->ident = ident;
aca3192c 2873 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2874
2875 if (dlen) {
2876 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2877 memcpy(skb_put(skb, count), data, count);
2878 data += count;
2879 }
2880
2881 len -= skb->len;
2882
2883 /* Continuation fragments (no L2CAP header) */
2884 frag = &skb_shinfo(skb)->frag_list;
2885 while (len) {
2886 count = min_t(unsigned int, conn->mtu, len);
2887
8bcde1f2 2888 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2889 if (!*frag)
2890 goto fail;
2891
2892 memcpy(skb_put(*frag, count), data, count);
2893
2894 len -= count;
2895 data += count;
2896
2897 frag = &(*frag)->next;
2898 }
2899
2900 return skb;
2901
2902fail:
2903 kfree_skb(skb);
2904 return NULL;
2905}
2906
2d792818
GP		 2907static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2908 unsigned long *val)
1da177e4
LT		 2909{
2910 struct l2cap_conf_opt *opt = *ptr;
2911 int len;
2912
2913 len = L2CAP_CONF_OPT_SIZE + opt->len;
2914 *ptr += len;
2915
2916 *type = opt->type;
2917 *olen = opt->len;
2918
2919 switch (opt->len) {
2920 case 1:
2921 *val = *((u8 *) opt->val);
2922 break;
2923
2924 case 2:
bfaaeb3e 2925 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2926 break;
2927
2928 case 4:
bfaaeb3e 2929 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2930 break;
2931
2932 default:
2933 *val = (unsigned long) opt->val;
2934 break;
2935 }
2936
b4400672 2937 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2938 return len;
2939}
2940
1da177e4
LT		 2941static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2942{
2943 struct l2cap_conf_opt *opt = *ptr;
2944
b4400672 2945 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2946
2947 opt->type = type;
2948 opt->len = len;
2949
2950 switch (len) {
2951 case 1:
2952 *((u8 *) opt->val) = val;
2953 break;
2954
2955 case 2:
4f8b691c 2956 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2957 break;
2958
2959 case 4:
4f8b691c 2960 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2961 break;
2962
2963 default:
2964 memcpy(opt->val, (void *) val, len);
2965 break;
2966 }
2967
2968 *ptr += L2CAP_CONF_OPT_SIZE + len;
2969}
2970
f89cef09
AE		 2971static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2972{
2973 struct l2cap_conf_efs efs;
2974
1ec918ce 2975 switch (chan->mode) {
f89cef09
AE		 2976 case L2CAP_MODE_ERTM:
2977 efs.id = chan->local_id;
2978 efs.stype = chan->local_stype;
2979 efs.msdu = cpu_to_le16(chan->local_msdu);
2980 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 2981 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2982 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2983 break;
2984
2985 case L2CAP_MODE_STREAMING:
2986 efs.id = 1;
2987 efs.stype = L2CAP_SERV_BESTEFFORT;
2988 efs.msdu = cpu_to_le16(chan->local_msdu);
2989 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2990 efs.acc_lat = 0;
2991 efs.flush_to = 0;
2992 break;
2993
2994 default:
2995 return;
2996 }
2997
2998 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2999 (unsigned long) &efs);
f89cef09
AE		 3000}
3001
721c4181 3002static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3003{
721c4181 3004 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3005 ack_timer.work);
3006 u16 frames_to_ack;
c1b4f43b 3007
2fb9b3d4
GP		 3008 BT_DBG("chan %p", chan);
3009
6be36555
AE		 3010 l2cap_chan_lock(chan);
3011
0362520b
MM		 3012 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3013 chan->last_acked_seq);
6be36555 3014
0362520b
MM		 3015 if (frames_to_ack)
3016 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3017
0362520b 3018 l2cap_chan_unlock(chan);
09bfb2ee 3019 l2cap_chan_put(chan);
c1b4f43b
GP		 3020}
3021
466f8004 3022int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3023{
3c588192
MM		 3024 int err;
3025
105bdf9e
MM		 3026 chan->next_tx_seq = 0;
3027 chan->expected_tx_seq = 0;
42e5c802 3028 chan->expected_ack_seq = 0;
6a026610 3029 chan->unacked_frames = 0;
42e5c802 3030 chan->buffer_seq = 0;
6a026610 3031 chan->frames_sent = 0;
105bdf9e
MM		 3032 chan->last_acked_seq = 0;
3033 chan->sdu = NULL;
3034 chan->sdu_last_frag = NULL;
3035 chan->sdu_len = 0;
3036
d34c34fb
MM		 3037 skb_queue_head_init(&chan->tx_q);
3038
6ed971ca
MH		 3039 chan->local_amp_id = AMP_ID_BREDR;
3040 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3041 chan->move_state = L2CAP_MOVE_STABLE;
3042 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3043
105bdf9e
MM		 3044 if (chan->mode != L2CAP_MODE_ERTM)
3045 return 0;
3046
3047 chan->rx_state = L2CAP_RX_STATE_RECV;
3048 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3049
721c4181
GP		 3050 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3051 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3052 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3053
f1c6775b 3054 skb_queue_head_init(&chan->srej_q);
1890d36b 3055
3c588192
MM		 3056 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3057 if (err < 0)
3058 return err;
3059
9dc9affc
MM		 3060 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3061 if (err < 0)
3062 l2cap_seq_list_free(&chan->srej_list);
3063
3064 return err;
0565c1c2
GP		 3065}
3066
f2fcfcd6
GP		 3067static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3068{
3069 switch (mode) {
3070 case L2CAP_MODE_STREAMING:
3071 case L2CAP_MODE_ERTM:
3072 if (l2cap_mode_supported(mode, remote_feat_mask))
3073 return mode;
3074 /* fall through */
3075 default:
3076 return L2CAP_MODE_BASIC;
3077 }
3078}
3079
848566b3 3080static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3081{
848566b3 3082 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3083}
3084
848566b3 3085static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3086{
848566b3 3087 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3088}
3089
36c86c85
MM		 3090static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3091 struct l2cap_conf_rfc *rfc)
3092{
6ed971ca 3093 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3094 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3095
3096 /* Class 1 devices have must have ERTM timeouts
3097 * exceeding the Link Supervision Timeout. The
3098 * default Link Supervision Timeout for AMP
3099 * controllers is 10 seconds.
3100 *
3101 * Class 1 devices use 0xffffffff for their
3102 * best-effort flush timeout, so the clamping logic
3103 * will result in a timeout that meets the above
3104 * requirement. ERTM timeouts are 16-bit values, so
3105 * the maximum timeout is 65.535 seconds.
3106 */
3107
3108 /* Convert timeout to milliseconds and round */
3109 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3110
3111 /* This is the recommended formula for class 2 devices
3112 * that start ERTM timers when packets are sent to the
3113 * controller.
3114 */
3115 ertm_to = 3 * ertm_to + 500;
3116
3117 if (ertm_to > 0xffff)
3118 ertm_to = 0xffff;
3119
3120 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3121 rfc->monitor_timeout = rfc->retrans_timeout;
3122 } else {
dcf4adbf
JP		 3123 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3124 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3125 }
3126}
3127
6327eb98
AE		 3128static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3129{
3130 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3131 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3132 /* use extended control field */
3133 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3134 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3135 } else {
6327eb98 3136 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3137 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3138 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3139 }
c20f8e35 3140 chan->ack_win = chan->tx_win;
6327eb98
AE		 3141}
3142
710f9b0a 3143static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3144{
1da177e4 3145 struct l2cap_conf_req *req = data;
0c1bc5c6 3146 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3147 void *ptr = req->data;
c8f79162 3148 u16 size;
1da177e4 3149
49208c9c 3150 BT_DBG("chan %p", chan);
1da177e4 3151
73ffa904 3152 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3153 goto done;
3154
0c1bc5c6 3155 switch (chan->mode) {
f2fcfcd6
GP		 3156 case L2CAP_MODE_STREAMING:
3157 case L2CAP_MODE_ERTM:
c1360a1c 3158 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3159 break;
85eb53c6 3160
848566b3 3161 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3162 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3163
2ba13ed6 3164 /* fall through */
f2fcfcd6 3165 default:
8c1d787b 3166 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3167 break;
3168 }
3169
3170done:
0c1bc5c6
GP		 3171 if (chan->imtu != L2CAP_DEFAULT_MTU)
3172 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3173
0c1bc5c6 3174 switch (chan->mode) {
65c7c491 3175 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3176 if (disable_ertm)
3177 break;
3178
8c1d787b 3179 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3180 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3181 break;
3182
62547752
GP		 3183 rfc.mode = L2CAP_MODE_BASIC;
3184 rfc.txwin_size = 0;
3185 rfc.max_transmit = 0;
3186 rfc.retrans_timeout = 0;
3187 rfc.monitor_timeout = 0;
3188 rfc.max_pdu_size = 0;
3189
63406504 3190 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3191 (unsigned long) &rfc);
65c7c491
MH		 3192 break;
3193
3194 case L2CAP_MODE_ERTM:
3195 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3196 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3197
3198 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3199
3200 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3201 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3202 L2CAP_FCS_SIZE);
c8f79162 3203 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3204
6327eb98
AE		 3205 l2cap_txwin_setup(chan);
3206
3207 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3208 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3209
63406504 3210 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3211 (unsigned long) &rfc);
63406504 3212
f89cef09
AE		 3213 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3214 l2cap_add_opt_efs(&ptr, chan);
3215
6327eb98
AE		 3216 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3218 chan->tx_win);
60918918
AE		 3219
3220 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3221 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3222 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3223 chan->fcs = L2CAP_FCS_NONE;
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3225 chan->fcs);
3226 }
f2fcfcd6
GP		 3227 break;
3228
3229 case L2CAP_MODE_STREAMING:
273759e2 3230 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3231 rfc.mode = L2CAP_MODE_STREAMING;
3232 rfc.txwin_size = 0;
3233 rfc.max_transmit = 0;
3234 rfc.retrans_timeout = 0;
3235 rfc.monitor_timeout = 0;
c8f79162
AE		 3236
3237 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3238 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3239 L2CAP_FCS_SIZE);
c8f79162 3240 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3241
63406504 3242 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3243 (unsigned long) &rfc);
63406504 3244
f89cef09
AE		 3245 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3246 l2cap_add_opt_efs(&ptr, chan);
3247
60918918
AE		 3248 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3249 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3250 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3251 chan->fcs = L2CAP_FCS_NONE;
3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3253 chan->fcs);
3254 }
65c7c491
MH		 3255 break;
3256 }
1da177e4 3257
fe4128e0 3258 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3259 req->flags = cpu_to_le16(0);
1da177e4
LT		 3260
3261 return ptr - data;
3262}
3263
73ffa904 3264static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3265{
5dee9e7c
MH		 3266 struct l2cap_conf_rsp *rsp = data;
3267 void *ptr = rsp->data;
73ffa904
GP		 3268 void *req = chan->conf_req;
3269 int len = chan->conf_len;
5dee9e7c
MH		 3270 int type, hint, olen;
3271 unsigned long val;
6464f35f 3272 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3273 struct l2cap_conf_efs efs;
3274 u8 remote_efs = 0;
861d6882 3275 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3276 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3277 u16 size;
1da177e4 3278
73ffa904 3279 BT_DBG("chan %p", chan);
820ae1b8 3280
5dee9e7c
MH		 3281 while (len >= L2CAP_CONF_OPT_SIZE) {
3282 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3283
589d2746 3284 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3285 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3286
3287 switch (type) {
3288 case L2CAP_CONF_MTU:
861d6882 3289 mtu = val;
5dee9e7c
MH		 3290 break;
3291
3292 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3293 chan->flush_to = val;
5dee9e7c
MH		 3294 break;
3295
3296 case L2CAP_CONF_QOS:
3297 break;
3298
6464f35f
MH		 3299 case L2CAP_CONF_RFC:
3300 if (olen == sizeof(rfc))
3301 memcpy(&rfc, (void *) val, olen);
3302 break;
3303
fcc203c3
GP		 3304 case L2CAP_CONF_FCS:
3305 if (val == L2CAP_FCS_NONE)
f2592d3e 3306 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3307 break;
fcc203c3 3308
42dceae2
AE		 3309 case L2CAP_CONF_EFS:
3310 remote_efs = 1;
3311 if (olen == sizeof(efs))
3312 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3313 break;
3314
6327eb98 3315 case L2CAP_CONF_EWS:
848566b3 3316 if (!chan->conn->hs_enabled)
6327eb98 3317 return -ECONNREFUSED;
fcc203c3 3318
6327eb98
AE		 3319 set_bit(FLAG_EXT_CTRL, &chan->flags);
3320 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3321 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3322 chan->remote_tx_win = val;
fcc203c3
GP		 3323 break;
3324
5dee9e7c
MH		 3325 default:
3326 if (hint)
3327 break;
3328
3329 result = L2CAP_CONF_UNKNOWN;
3330 *((u8 *) ptr++) = type;
3331 break;
3332 }
3333 }
3334
73ffa904 3335 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3336 goto done;
3337
0c1bc5c6 3338 switch (chan->mode) {
f2fcfcd6
GP		 3339 case L2CAP_MODE_STREAMING:
3340 case L2CAP_MODE_ERTM:
c1360a1c 3341 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3342 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3343 chan->conn->feat_mask);
85eb53c6
GP		 3344 break;
3345 }
3346
42dceae2 3347 if (remote_efs) {
848566b3 3348 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3349 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3350 else
3351 return -ECONNREFUSED;
3352 }
3353
0c1bc5c6 3354 if (chan->mode != rfc.mode)
f2fcfcd6 3355 return -ECONNREFUSED;
742e519b 3356
f2fcfcd6 3357 break;
f2fcfcd6
GP		 3358 }
3359
3360done:
0c1bc5c6 3361 if (chan->mode != rfc.mode) {
f2fcfcd6 3362 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3363 rfc.mode = chan->mode;
f2fcfcd6 3364
73ffa904 3365 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3366 return -ECONNREFUSED;
3367
2d792818
GP		 3368 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3369 (unsigned long) &rfc);
f2fcfcd6
GP		 3370 }
3371
5dee9e7c
MH		 3372 if (result == L2CAP_CONF_SUCCESS) {
3373 /* Configure output options and let the other side know
3374 * which ones we don't like. */
3375
f2fcfcd6
GP		 3376 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3377 result = L2CAP_CONF_UNACCEPT;
3378 else {
0c1bc5c6 3379 chan->omtu = mtu;
c1360a1c 3380 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3381 }
0c1bc5c6 3382 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3383
42dceae2
AE		 3384 if (remote_efs) {
3385 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3386 efs.stype != L2CAP_SERV_NOTRAFIC &&
3387 efs.stype != chan->local_stype) {
42dceae2
AE		 3388
3389 result = L2CAP_CONF_UNACCEPT;
3390
3391 if (chan->num_conf_req >= 1)
3392 return -ECONNREFUSED;
3393
3394 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3395 sizeof(efs),
3396 (unsigned long) &efs);
0e8b207e 3397 } else {
3e6b3b95 3398 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3399 result = L2CAP_CONF_PENDING;
3400 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3401 }
3402 }
3403
f2fcfcd6
GP		 3404 switch (rfc.mode) {
3405 case L2CAP_MODE_BASIC:
47d1ec61 3406 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3407 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3408 break;
3409
3410 case L2CAP_MODE_ERTM:
6327eb98
AE		 3411 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3412 chan->remote_tx_win = rfc.txwin_size;
3413 else
3414 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3415
2c03a7a4 3416 chan->remote_max_tx = rfc.max_transmit;
1c762159 3417
c8f79162 3418 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3419 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3420 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3421 rfc.max_pdu_size = cpu_to_le16(size);
3422 chan->remote_mps = size;
f2fcfcd6 3423
36c86c85 3424 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3425
c1360a1c 3426 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3427
3428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3429 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3430
42dceae2
AE		 3431 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3432 chan->remote_id = efs.id;
3433 chan->remote_stype = efs.stype;
3434 chan->remote_msdu = le16_to_cpu(efs.msdu);
3435 chan->remote_flush_to =
2d792818 3436 le32_to_cpu(efs.flush_to);
42dceae2 3437 chan->remote_acc_lat =
2d792818 3438 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3439 chan->remote_sdu_itime =
3440 le32_to_cpu(efs.sdu_itime);
3441 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3442 sizeof(efs),
3443 (unsigned long) &efs);
42dceae2 3444 }
f2fcfcd6
GP		 3445 break;
3446
3447 case L2CAP_MODE_STREAMING:
c8f79162 3448 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3449 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3450 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3451 rfc.max_pdu_size = cpu_to_le16(size);
3452 chan->remote_mps = size;
f2fcfcd6 3453
c1360a1c 3454 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3455
2d792818
GP		 3456 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3457 (unsigned long) &rfc);
68ae6639 3458
f2fcfcd6
GP		 3459 break;
3460
3461 default:
5dee9e7c 3462 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3463
6464f35f 3464 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3465 rfc.mode = chan->mode;
f2fcfcd6 3466 }
6464f35f 3467
f2fcfcd6 3468 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3469 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3470 }
fe4128e0 3471 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3472 rsp->result = cpu_to_le16(result);
dcf4adbf 3473 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3474
3475 return ptr - data;
1da177e4
LT		 3476}
3477
2d792818
GP		 3478static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3479 void *data, u16 *result)
f2fcfcd6 3480{
f2fcfcd6
GP		 3481 struct l2cap_conf_req *req = data;
3482 void *ptr = req->data;
3483 int type, olen;
3484 unsigned long val;
36e999a8 3485 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3486 struct l2cap_conf_efs efs;
f2fcfcd6 3487
fe4128e0 3488 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3489
3490 while (len >= L2CAP_CONF_OPT_SIZE) {
3491 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3492
3493 switch (type) {
3494 case L2CAP_CONF_MTU:
3495 if (val < L2CAP_DEFAULT_MIN_MTU) {
3496 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3497 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3498 } else
0c1bc5c6
GP		 3499 chan->imtu = val;
3500 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3501 break;
3502
3503 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3504 chan->flush_to = val;
f2fcfcd6 3505 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3506 2, chan->flush_to);
f2fcfcd6
GP		 3507 break;
3508
3509 case L2CAP_CONF_RFC:
3510 if (olen == sizeof(rfc))
3511 memcpy(&rfc, (void *)val, olen);
3512
c1360a1c 3513 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3514 rfc.mode != chan->mode)
f2fcfcd6
GP		 3515 return -ECONNREFUSED;
3516
47d1ec61 3517 chan->fcs = 0;
f2fcfcd6
GP		 3518
3519 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3520 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3521 break;
6327eb98
AE		 3522
3523 case L2CAP_CONF_EWS:
c20f8e35 3524 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3525 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3526 chan->tx_win);
6327eb98 3527 break;
66af7aaf
AE		 3528
3529 case L2CAP_CONF_EFS:
3530 if (olen == sizeof(efs))
3531 memcpy(&efs, (void *)val, olen);
3532
3533 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3534 efs.stype != L2CAP_SERV_NOTRAFIC &&
3535 efs.stype != chan->local_stype)
66af7aaf
AE		 3536 return -ECONNREFUSED;
3537
2d792818
GP		 3538 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3539 (unsigned long) &efs);
66af7aaf 3540 break;
cbabee78
AE		 3541
3542 case L2CAP_CONF_FCS:
3543 if (*result == L2CAP_CONF_PENDING)
3544 if (val == L2CAP_FCS_NONE)
f2592d3e 3545 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3546 &chan->conf_state);
3547 break;
f2fcfcd6
GP		 3548 }
3549 }
3550
0c1bc5c6 3551 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3552 return -ECONNREFUSED;
3553
0c1bc5c6 3554 chan->mode = rfc.mode;
6c2ea7a8 3555
0e8b207e 3556 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3557 switch (rfc.mode) {
3558 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3559 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3560 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3561 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3562 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3563 chan->ack_win = min_t(u16, chan->ack_win,
3564 rfc.txwin_size);
66af7aaf
AE		 3565
3566 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3567 chan->local_msdu = le16_to_cpu(efs.msdu);
3568 chan->local_sdu_itime =
2d792818 3569 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3570 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3571 chan->local_flush_to =
2d792818 3572 le32_to_cpu(efs.flush_to);
66af7aaf 3573 }
f2fcfcd6 3574 break;
66af7aaf 3575
f2fcfcd6 3576 case L2CAP_MODE_STREAMING:
47d1ec61 3577 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3578 }
3579 }
3580
fe4128e0 3581 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3582 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3583
3584 return ptr - data;
3585}
3586
2d792818
GP		 3587static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3588 u16 result, u16 flags)
1da177e4
LT		 3589{
3590 struct l2cap_conf_rsp *rsp = data;
3591 void *ptr = rsp->data;
1da177e4 3592
fe4128e0 3593 BT_DBG("chan %p", chan);
1da177e4 3594
fe4128e0 3595 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3596 rsp->result = cpu_to_le16(result);
aca3192c 3597 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3598
3599 return ptr - data;
3600}
3601
27e2d4c8
JH		 3602void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3603{
3604 struct l2cap_le_conn_rsp rsp;
3605 struct l2cap_conn *conn = chan->conn;
3606
3607 BT_DBG("chan %p", chan);
3608
3609 rsp.dcid = cpu_to_le16(chan->scid);
3610 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3611 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3612 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3613 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3614
3615 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3616 &rsp);
3617}
3618
8c1d787b 3619void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3620{
3621 struct l2cap_conn_rsp rsp;
8c1d787b 3622 struct l2cap_conn *conn = chan->conn;
710f9b0a 3623 u8 buf[128];
439f34ac 3624 u8 rsp_code;
710f9b0a 3625
fe4128e0
GP		 3626 rsp.scid = cpu_to_le16(chan->dcid);
3627 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3628 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3629 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3630
3631 if (chan->hs_hcon)
3632 rsp_code = L2CAP_CREATE_CHAN_RSP;
3633 else
3634 rsp_code = L2CAP_CONN_RSP;
3635
3636 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3637
3638 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3639
c1360a1c 3640 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3641 return;
3642
710f9b0a 3643 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3644 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3645 chan->num_conf_req++;
3646}
3647
47d1ec61 3648static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3649{
7b1c0049
GP		 3650 int type, olen;
3651 unsigned long val;
c20f8e35
MM		 3652 /* Use sane default values in case a misbehaving remote device
3653 * did not send an RFC or extended window size option.
3654 */
3655 u16 txwin_ext = chan->ack_win;
3656 struct l2cap_conf_rfc rfc = {
3657 .mode = chan->mode,
dcf4adbf
JP		 3658 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3659 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3660 .max_pdu_size = cpu_to_le16(chan->imtu),
3661 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3662 };
7b1c0049 3663
47d1ec61 3664 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3665
0c1bc5c6 3666 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3667 return;
3668
3669 while (len >= L2CAP_CONF_OPT_SIZE) {
3670 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3671
c20f8e35
MM		 3672 switch (type) {
3673 case L2CAP_CONF_RFC:
3674 if (olen == sizeof(rfc))
3675 memcpy(&rfc, (void *)val, olen);
8f321f85 3676 break;
c20f8e35
MM		 3677 case L2CAP_CONF_EWS:
3678 txwin_ext = val;
3679 break;
3680 }
7b1c0049
GP		 3681 }
3682
7b1c0049
GP		 3683 switch (rfc.mode) {
3684 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3685 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3686 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3687 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3688 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3689 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3690 else
3691 chan->ack_win = min_t(u16, chan->ack_win,
3692 rfc.txwin_size);
7b1c0049
GP		 3693 break;
3694 case L2CAP_MODE_STREAMING:
47d1ec61 3695 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3696 }
3697}
3698
2d792818 3699static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3700 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3701 u8 *data)
4e8402a3 3702{
e2fd318e 3703 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3704
cb3b3152
JH		 3705 if (cmd_len < sizeof(*rej))
3706 return -EPROTO;
3707
e2fd318e 3708 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3709 return 0;
3710
3711 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3712 cmd->ident == conn->info_ident) {
17cd3f37 3713 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3714
3715 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3716 conn->info_ident = 0;
984947dc 3717
4e8402a3
MH		 3718 l2cap_conn_start(conn);
3719 }
3720
3721 return 0;
3722}
3723
1700915f
MM		 3724static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3725 struct l2cap_cmd_hdr *cmd,
3726 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3727{
1da177e4
LT		 3728 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3729 struct l2cap_conn_rsp rsp;
23691d75 3730 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3731 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3732
3733 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3734 __le16 psm = req->psm;
1da177e4 3735
097db76c 3736 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3737
3738 /* Check if we have socket listening on psm */
6f59b904 3739 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3740 &conn->hcon->dst, ACL_LINK);
23691d75 3741 if (!pchan) {
1da177e4
LT		 3742 result = L2CAP_CR_BAD_PSM;
3743 goto sendresp;
3744 }
3745
3df91ea2 3746 mutex_lock(&conn->chan_lock);
8ffb9290 3747 l2cap_chan_lock(pchan);
e0f0cb56 3748
e7c29cb1 3749 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3750 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3751 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3752 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3753 result = L2CAP_CR_SEC_BLOCK;
3754 goto response;
3755 }
3756
1da177e4
LT		 3757 result = L2CAP_CR_NO_MEM;
3758
2dfa1003
GP		 3759 /* Check if we already have channel with that dcid */
3760 if (__l2cap_get_chan_by_dcid(conn, scid))
3761 goto response;
3762
80b98027 3763 chan = pchan->ops->new_connection(pchan);
80808e43 3764 if (!chan)
1da177e4
LT		 3765 goto response;
3766
330b6c15
SS		 3767 /* For certain devices (ex: HID mouse), support for authentication,
3768 * pairing and bonding is optional. For such devices, inorder to avoid
3769 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3770 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3771 */
3772 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3773
7eafc59e
MH		 3774 bacpy(&chan->src, &conn->hcon->src);
3775 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3776 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3777 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3778 chan->psm = psm;
3779 chan->dcid = scid;
1700915f 3780 chan->local_amp_id = amp_id;
1da177e4 3781
6be36555 3782 __l2cap_chan_add(conn, chan);
48454079 3783
fe4128e0 3784 dcid = chan->scid;
1da177e4 3785
8d836d71 3786 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3787
fc7f8a7e 3788 chan->ident = cmd->ident;
1da177e4 3789
984947dc 3790 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3791 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3792 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3793 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3794 result = L2CAP_CR_PEND;
3795 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3796 chan->ops->defer(chan);
f66dc81f 3797 } else {
1700915f
MM		 3798 /* Force pending result for AMP controllers.
3799 * The connection will succeed after the
3800 * physical link is up.
3801 */
6ed971ca 3802 if (amp_id == AMP_ID_BREDR) {
f93fa273 3803 l2cap_state_change(chan, BT_CONFIG);
1700915f 3804 result = L2CAP_CR_SUCCESS;
6ed971ca 3805 } else {
f93fa273 3806 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3807 result = L2CAP_CR_PEND;
1700915f 3808 }
f66dc81f
MH		 3809 status = L2CAP_CS_NO_INFO;
3810 }
79d554a6 3811 } else {
f93fa273 3812 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3813 result = L2CAP_CR_PEND;
3814 status = L2CAP_CS_AUTHEN_PEND;
3815 }
3816 } else {
f93fa273 3817 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3818 result = L2CAP_CR_PEND;
3819 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3820 }
3821
1da177e4 3822response:
8ffb9290 3823 l2cap_chan_unlock(pchan);
3df91ea2 3824 mutex_unlock(&conn->chan_lock);
a24cce14 3825 l2cap_chan_put(pchan);
1da177e4
LT		 3826
3827sendresp:
aca3192c
YH		 3828 rsp.scid = cpu_to_le16(scid);
3829 rsp.dcid = cpu_to_le16(dcid);
3830 rsp.result = cpu_to_le16(result);
3831 rsp.status = cpu_to_le16(status);
4c89b6aa 3832 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3833
3834 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3835 struct l2cap_info_req info;
dcf4adbf 3836 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3837
3838 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3839 conn->info_ident = l2cap_get_ident(conn);
3840
ba13ccd9 3841 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3842
2d792818
GP		 3843 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3844 sizeof(info), &info);
79d554a6
MH		 3845 }
3846
c1360a1c 3847 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3848 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3849 u8 buf[128];
c1360a1c 3850 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3851 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3852 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3853 chan->num_conf_req++;
e9aeb2dd 3854 }
1700915f
MM		 3855
3856 return chan;
4c89b6aa 3857}
e9aeb2dd 3858
4c89b6aa 3859static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3860 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3861{
7b064eda
JK		 3862 struct hci_dev *hdev = conn->hcon->hdev;
3863 struct hci_conn *hcon = conn->hcon;
3864
cb3b3152
JH		 3865 if (cmd_len < sizeof(struct l2cap_conn_req))
3866 return -EPROTO;
3867
7b064eda
JK		 3868 hci_dev_lock(hdev);
3869 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3870 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3871 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3872 hcon->dst_type, 0, NULL, 0,
3873 hcon->dev_class);
3874 hci_dev_unlock(hdev);
3875
300229f9 3876 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3877 return 0;
3878}
3879
5909cf30 3880static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3881 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3882 u8 *data)
1da177e4
LT		 3883{
3884 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3885 u16 scid, dcid, result, status;
48454079 3886 struct l2cap_chan *chan;
1da177e4 3887 u8 req[128];
3df91ea2 3888 int err;
1da177e4 3889
cb3b3152
JH		 3890 if (cmd_len < sizeof(*rsp))
3891 return -EPROTO;
3892
1da177e4
LT		 3893 scid = __le16_to_cpu(rsp->scid);
3894 dcid = __le16_to_cpu(rsp->dcid);
3895 result = __le16_to_cpu(rsp->result);
3896 status = __le16_to_cpu(rsp->status);
3897
1b009c98 3898 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3899 dcid, scid, result, status);
1da177e4 3900
3df91ea2
AE		 3901 mutex_lock(&conn->chan_lock);
3902
1da177e4 3903 if (scid) {
3df91ea2
AE		 3904 chan = __l2cap_get_chan_by_scid(conn, scid);
3905 if (!chan) {
21870b52 3906 err = -EBADSLT;
3df91ea2
AE		 3907 goto unlock;
3908 }
1da177e4 3909 } else {
3df91ea2
AE		 3910 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3911 if (!chan) {
21870b52 3912 err = -EBADSLT;
3df91ea2
AE		 3913 goto unlock;
3914 }
1da177e4
LT		 3915 }
3916
3df91ea2
AE		 3917 err = 0;
3918
6be36555 3919 l2cap_chan_lock(chan);
48454079 3920
1da177e4
LT		 3921 switch (result) {
3922 case L2CAP_CR_SUCCESS:
89bc500e 3923 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3924 chan->ident = 0;
fe4128e0 3925 chan->dcid = dcid;
c1360a1c 3926 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3927
c1360a1c 3928 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3929 break;
3930
1da177e4 3931 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3932 l2cap_build_conf_req(chan, req), req);
73ffa904 3933 chan->num_conf_req++;
1da177e4
LT		 3934 break;
3935
3936 case L2CAP_CR_PEND:
c1360a1c 3937 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3938 break;
3939
3940 default:
48454079 3941 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3942 break;
3943 }
3944
6be36555 3945 l2cap_chan_unlock(chan);
3df91ea2
AE		 3946
3947unlock:
3948 mutex_unlock(&conn->chan_lock);
3949
3950 return err;
1da177e4
LT		 3951}
3952
47d1ec61 3953static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3954{
3955 /* FCS is enabled only in ERTM or streaming mode, if one or both
3956 * sides request it.
3957 */
0c1bc5c6 3958 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3959 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3960 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3961 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3962}
3963
29d8a590
AE		 3964static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3965 u8 ident, u16 flags)
3966{
3967 struct l2cap_conn *conn = chan->conn;
3968
3969 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3970 flags);
3971
3972 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3973 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3974
3975 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3976 l2cap_build_conf_rsp(chan, data,
3977 L2CAP_CONF_SUCCESS, flags), data);
3978}
3979
662d652d
JH		 3980static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
3981 u16 scid, u16 dcid)
3982{
3983 struct l2cap_cmd_rej_cid rej;
3984
dcf4adbf 3985 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 3986 rej.scid = __cpu_to_le16(scid);
3987 rej.dcid = __cpu_to_le16(dcid);
3988
3989 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3990}
3991
2d792818
GP		 3992static inline int l2cap_config_req(struct l2cap_conn *conn,
3993 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3994 u8 *data)
1da177e4
LT		 3995{
3996 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3997 u16 dcid, flags;
3998 u8 rsp[64];
48454079 3999 struct l2cap_chan *chan;
3c588192 4000 int len, err = 0;
1da177e4 4001
cb3b3152
JH		 4002 if (cmd_len < sizeof(*req))
4003 return -EPROTO;
4004
1da177e4
LT		 4005 dcid = __le16_to_cpu(req->dcid);
4006 flags = __le16_to_cpu(req->flags);
4007
4008 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4009
baa7e1fa 4010 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4011 if (!chan) {
4012 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4013 return 0;
4014 }
1da177e4 4015
033b1142 4016 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4017 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4018 chan->dcid);
354f60a9 4019 goto unlock;
df6bd743 4020 }
354f60a9 4021
5dee9e7c 4022 /* Reject if config buffer is too small. */
88219a0f 4023 len = cmd_len - sizeof(*req);
cb3b3152 4024 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4025 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4026 l2cap_build_conf_rsp(chan, rsp,
4027 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4028 goto unlock;
4029 }
4030
4031 /* Store config. */
73ffa904
GP		 4032 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4033 chan->conf_len += len;
1da177e4 4034
59e54bd1 4035 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4036 /* Incomplete config. Send empty response. */
4037 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4038 l2cap_build_conf_rsp(chan, rsp,
4039 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4040 goto unlock;
4041 }
4042
4043 /* Complete config. */
73ffa904 4044 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4045 if (len < 0) {
5e4e3972 4046 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4047 goto unlock;
f2fcfcd6 4048 }
1da177e4 4049
1500109b 4050 chan->ident = cmd->ident;
5dee9e7c 4051 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4052 chan->num_conf_rsp++;
5dee9e7c 4053
5dee9e7c 4054 /* Reset config buffer. */
73ffa904 4055 chan->conf_len = 0;
5dee9e7c 4056
c1360a1c 4057 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4058 goto unlock;
4059
c1360a1c 4060 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4061 set_default_fcs(chan);
fcc203c3 4062
105bdf9e
MM		 4063 if (chan->mode == L2CAP_MODE_ERTM ||
4064 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4065 err = l2cap_ertm_init(chan);
4066
4067 if (err < 0)
5e4e3972 4068 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4069 else
4070 l2cap_chan_ready(chan);
0565c1c2 4071
876d9484
MH		 4072 goto unlock;
4073 }
4074
c1360a1c 4075 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4076 u8 buf[64];
1da177e4 4077 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4078 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4079 chan->num_conf_req++;
1da177e4
LT		 4080 }
4081
0e8b207e
AE		 4082 /* Got Conf Rsp PENDING from remote side and asume we sent
4083 Conf Rsp PENDING in the code above */
4084 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4085 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4086
4087 /* check compatibility */
4088
79de886d 4089 /* Send rsp for BR/EDR channel */
f351bc72 4090 if (!chan->hs_hcon)
79de886d
AE		 4091 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4092 else
4093 chan->ident = cmd->ident;
0e8b207e
AE		 4094 }
4095
1da177e4 4096unlock:
6be36555 4097 l2cap_chan_unlock(chan);
3c588192 4098 return err;
1da177e4
LT		 4099}
4100
2d792818 4101static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4102 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4103 u8 *data)
1da177e4
LT		 4104{
4105 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4106 u16 scid, flags, result;
48454079 4107 struct l2cap_chan *chan;
cb3b3152 4108 int len = cmd_len - sizeof(*rsp);
3c588192 4109 int err = 0;
1da177e4 4110
cb3b3152
JH		 4111 if (cmd_len < sizeof(*rsp))
4112 return -EPROTO;
4113
1da177e4
LT		 4114 scid = __le16_to_cpu(rsp->scid);
4115 flags = __le16_to_cpu(rsp->flags);
4116 result = __le16_to_cpu(rsp->result);
4117
61386cba
AE		 4118 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4119 result, len);
1da177e4 4120
baa7e1fa 4121 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4122 if (!chan)
1da177e4
LT		 4123 return 0;
4124
4125 switch (result) {
4126 case L2CAP_CONF_SUCCESS:
47d1ec61 4127 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4128 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4129 break;
4130
0e8b207e
AE		 4131 case L2CAP_CONF_PENDING:
4132 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4133
4134 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4135 char buf[64];
4136
4137 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4138 buf, &result);
0e8b207e 4139 if (len < 0) {
5e4e3972 4140 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4141 goto done;
4142 }
4143
f351bc72 4144 if (!chan->hs_hcon) {
79de886d
AE		 4145 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4146 0);
5ce66b59
AE		 4147 } else {
4148 if (l2cap_check_efs(chan)) {
4149 amp_create_logical_link(chan);
4150 chan->ident = cmd->ident;
4151 }
4152 }
0e8b207e
AE		 4153 }
4154 goto done;
4155
1da177e4 4156 case L2CAP_CONF_UNACCEPT:
73ffa904 4157 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4158 char req[64];
4159
c2c77ec8 4160 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4161 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4162 goto done;
4163 }
4164
f2fcfcd6
GP		 4165 /* throw out any old stored conf requests */
4166 result = L2CAP_CONF_SUCCESS;
b4450035 4167 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4168 req, &result);
f2fcfcd6 4169 if (len < 0) {
5e4e3972 4170 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4171 goto done;
4172 }
4173
4174 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4175 L2CAP_CONF_REQ, len, req);
73ffa904 4176 chan->num_conf_req++;
f2fcfcd6
GP		 4177 if (result != L2CAP_CONF_SUCCESS)
4178 goto done;
4179 break;
1da177e4
LT		 4180 }
4181
8e87d142 4182 default:
6be36555 4183 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4184
ba13ccd9 4185 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4186 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4187 goto done;
4188 }
4189
59e54bd1 4190 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4191 goto done;
4192
c1360a1c 4193 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4194
c1360a1c 4195 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4196 set_default_fcs(chan);
fcc203c3 4197
105bdf9e
MM		 4198 if (chan->mode == L2CAP_MODE_ERTM ||
4199 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4200 err = l2cap_ertm_init(chan);
0565c1c2 4201
3c588192 4202 if (err < 0)
5e4e3972 4203 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4204 else
4205 l2cap_chan_ready(chan);
1da177e4
LT		 4206 }
4207
4208done:
6be36555 4209 l2cap_chan_unlock(chan);
3c588192 4210 return err;
1da177e4
LT		 4211}
4212
2d792818 4213static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4214 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4215 u8 *data)
1da177e4
LT		 4216{
4217 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4218 struct l2cap_disconn_rsp rsp;
4219 u16 dcid, scid;
48454079 4220 struct l2cap_chan *chan;
1da177e4 4221
cb3b3152
JH		 4222 if (cmd_len != sizeof(*req))
4223 return -EPROTO;
4224
1da177e4
LT		 4225 scid = __le16_to_cpu(req->scid);
4226 dcid = __le16_to_cpu(req->dcid);
4227
4228 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4229
3df91ea2
AE		 4230 mutex_lock(&conn->chan_lock);
4231
4232 chan = __l2cap_get_chan_by_scid(conn, dcid);
4233 if (!chan) {
4234 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4235 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4236 return 0;
3df91ea2 4237 }
1da177e4 4238
6be36555
AE		 4239 l2cap_chan_lock(chan);
4240
fe4128e0
GP		 4241 rsp.dcid = cpu_to_le16(chan->scid);
4242 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4243 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4244
5ec1bbe5 4245 chan->ops->set_shutdown(chan);
1da177e4 4246
61d6ef3e 4247 l2cap_chan_hold(chan);
48454079 4248 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4249
4250 l2cap_chan_unlock(chan);
1da177e4 4251
80b98027 4252 chan->ops->close(chan);
61d6ef3e 4253 l2cap_chan_put(chan);
3df91ea2
AE		 4254
4255 mutex_unlock(&conn->chan_lock);
4256
1da177e4
LT		 4257 return 0;
4258}
4259
2d792818 4260static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4261 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4262 u8 *data)
1da177e4
LT		 4263{
4264 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4265 u16 dcid, scid;
48454079 4266 struct l2cap_chan *chan;
1da177e4 4267
cb3b3152
JH		 4268 if (cmd_len != sizeof(*rsp))
4269 return -EPROTO;
4270
1da177e4
LT		 4271 scid = __le16_to_cpu(rsp->scid);
4272 dcid = __le16_to_cpu(rsp->dcid);
4273
4274 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4275
3df91ea2
AE		 4276 mutex_lock(&conn->chan_lock);
4277
4278 chan = __l2cap_get_chan_by_scid(conn, scid);
4279 if (!chan) {
4280 mutex_unlock(&conn->chan_lock);
1da177e4 4281 return 0;
3df91ea2 4282 }
1da177e4 4283
6be36555 4284 l2cap_chan_lock(chan);
48454079 4285
61d6ef3e 4286 l2cap_chan_hold(chan);
48454079 4287 l2cap_chan_del(chan, 0);
6be36555
AE		 4288
4289 l2cap_chan_unlock(chan);
1da177e4 4290
80b98027 4291 chan->ops->close(chan);
61d6ef3e 4292 l2cap_chan_put(chan);
3df91ea2
AE		 4293
4294 mutex_unlock(&conn->chan_lock);
4295
1da177e4
LT		 4296 return 0;
4297}
4298
2d792818 4299static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4300 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4301 u8 *data)
1da177e4
LT		 4302{
4303 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4304 u16 type;
4305
cb3b3152
JH		 4306 if (cmd_len != sizeof(*req))
4307 return -EPROTO;
4308
1da177e4
LT		 4309 type = __le16_to_cpu(req->type);
4310
4311 BT_DBG("type 0x%4.4x", type);
4312
f0709e03
MH		 4313 if (type == L2CAP_IT_FEAT_MASK) {
4314 u8 buf[8];
44dd46de 4315 u32 feat_mask = l2cap_feat_mask;
f0709e03 4316 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4317 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4318 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4319 if (!disable_ertm)
fcc203c3 4320 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4321 | L2CAP_FEAT_FCS;
848566b3 4322 if (conn->hs_enabled)
6327eb98 4323 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4324 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4325
1b7bf4ed 4326 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4327 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4328 buf);
e1027a7c
MH		 4329 } else if (type == L2CAP_IT_FIXED_CHAN) {
4330 u8 buf[12];
4331 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4332
848566b3 4333 if (conn->hs_enabled)
50a147cd
MM		 4334 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4335 else
4336 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4337
dcf4adbf
JP		 4338 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4339 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4340 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4341 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4342 buf);
f0709e03
MH		 4343 } else {
4344 struct l2cap_info_rsp rsp;
4345 rsp.type = cpu_to_le16(type);
dcf4adbf 4346 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4347 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4348 &rsp);
f0709e03 4349 }
1da177e4
LT		 4350
4351 return 0;
4352}
4353
2d792818 4354static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4355 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4356 u8 *data)
1da177e4
LT		 4357{
4358 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4359 u16 type, result;
4360
3f6fa3d4 4361 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4362 return -EPROTO;
4363
1da177e4
LT		 4364 type = __le16_to_cpu(rsp->type);
4365 result = __le16_to_cpu(rsp->result);
4366
4367 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4368
e90165be
AE		 4369 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4370 if (cmd->ident != conn->info_ident ||
2d792818 4371 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4372 return 0;
4373
17cd3f37 4374 cancel_delayed_work(&conn->info_timer);
4e8402a3 4375
adb08ede
VT		 4376 if (result != L2CAP_IR_SUCCESS) {
4377 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4378 conn->info_ident = 0;
4379
4380 l2cap_conn_start(conn);
4381
4382 return 0;
4383 }
4384
978c93b9
AE		 4385 switch (type) {
4386 case L2CAP_IT_FEAT_MASK:
83985319 4387 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4388
47ec1dcd 4389 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4390 struct l2cap_info_req req;
dcf4adbf 4391 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4392
4393 conn->info_ident = l2cap_get_ident(conn);
4394
4395 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4396 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4397 } else {
4398 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4399 conn->info_ident = 0;
4400
4401 l2cap_conn_start(conn);
4402 }
978c93b9
AE		 4403 break;
4404
4405 case L2CAP_IT_FIXED_CHAN:
4406 conn->fixed_chan_mask = rsp->data[0];
984947dc 4407 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4408 conn->info_ident = 0;
984947dc
MH		 4409
4410 l2cap_conn_start(conn);
978c93b9 4411 break;
984947dc 4412 }
4e8402a3 4413
1da177e4
LT		 4414 return 0;
4415}
4416
1700915f
MM		 4417static int l2cap_create_channel_req(struct l2cap_conn *conn,
4418 struct l2cap_cmd_hdr *cmd,
4419 u16 cmd_len, void *data)
f94ff6ff
MM		 4420{
4421 struct l2cap_create_chan_req *req = data;
6e1df6a6 4422 struct l2cap_create_chan_rsp rsp;
1700915f 4423 struct l2cap_chan *chan;
6e1df6a6 4424 struct hci_dev *hdev;
f94ff6ff
MM		 4425 u16 psm, scid;
4426
4427 if (cmd_len != sizeof(*req))
4428 return -EPROTO;
4429
848566b3 4430 if (!conn->hs_enabled)
f94ff6ff
MM		 4431 return -EINVAL;
4432
4433 psm = le16_to_cpu(req->psm);
4434 scid = le16_to_cpu(req->scid);
4435
ad0ac6ca 4436 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4437
6e1df6a6 4438 /* For controller id 0 make BR/EDR connection */
6ed971ca 4439 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4440 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4441 req->amp_id);
4442 return 0;
4443 }
1700915f 4444
6e1df6a6
AE		 4445 /* Validate AMP controller id */
4446 hdev = hci_dev_get(req->amp_id);
4447 if (!hdev)
4448 goto error;
1700915f 4449
6e1df6a6
AE		 4450 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4451 hci_dev_put(hdev);
4452 goto error;
4453 }
1700915f 4454
6e1df6a6
AE		 4455 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4456 req->amp_id);
4457 if (chan) {
4458 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4459 struct hci_conn *hs_hcon;
1700915f 4460
98e0f7ea
MH		 4461 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4462 &conn->hcon->dst);
6e1df6a6
AE		 4463 if (!hs_hcon) {
4464 hci_dev_put(hdev);
662d652d
JH		 4465 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4466 chan->dcid);
4467 return 0;
1700915f
MM		 4468 }
4469
6e1df6a6
AE		 4470 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4471
6e1df6a6
AE		 4472 mgr->bredr_chan = chan;
4473 chan->hs_hcon = hs_hcon;
fd45bf4c 4474 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4475 conn->mtu = hdev->block_mtu;
1700915f 4476 }
f94ff6ff 4477
6e1df6a6 4478 hci_dev_put(hdev);
f94ff6ff
MM		 4479
4480 return 0;
6e1df6a6
AE		 4481
4482error:
4483 rsp.dcid = 0;
4484 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4485 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4486 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4487
4488 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4489 sizeof(rsp), &rsp);
4490
dc280801 4491 return 0;
f94ff6ff
MM		 4492}
4493
8eb200bd
MM		 4494static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4495{
4496 struct l2cap_move_chan_req req;
4497 u8 ident;
4498
4499 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4500
4501 ident = l2cap_get_ident(chan->conn);
4502 chan->ident = ident;
4503
4504 req.icid = cpu_to_le16(chan->scid);
4505 req.dest_amp_id = dest_amp_id;
4506
4507 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4508 &req);
4509
4510 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4511}
4512
1500109b 4513static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4514{
4515 struct l2cap_move_chan_rsp rsp;
4516
1500109b 4517 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4518
1500109b 4519 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4520 rsp.result = cpu_to_le16(result);
4521
1500109b
MM		 4522 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4523 sizeof(rsp), &rsp);
8d5a04a1
MM		 4524}
4525
5b155ef9 4526static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4527{
4528 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4529
5b155ef9 4530 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4531
5b155ef9 4532 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4533
5b155ef9 4534 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4535 cfm.result = cpu_to_le16(result);
4536
5b155ef9
MM		 4537 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4538 sizeof(cfm), &cfm);
4539
4540 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4541}
4542
4543static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4544{
4545 struct l2cap_move_chan_cfm cfm;
4546
4547 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4548
4549 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4550 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4551
4552 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4553 sizeof(cfm), &cfm);
8d5a04a1
MM		 4554}
4555
4556static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4557 u16 icid)
8d5a04a1
MM		 4558{
4559 struct l2cap_move_chan_cfm_rsp rsp;
4560
ad0ac6ca 4561 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4562
4563 rsp.icid = cpu_to_le16(icid);
4564 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4565}
4566
5f3847a4
MM		 4567static void __release_logical_link(struct l2cap_chan *chan)
4568{
4569 chan->hs_hchan = NULL;
4570 chan->hs_hcon = NULL;
4571
4572 /* Placeholder - release the logical link */
4573}
4574
1500109b
MM		 4575static void l2cap_logical_fail(struct l2cap_chan *chan)
4576{
4577 /* Logical link setup failed */
4578 if (chan->state != BT_CONNECTED) {
4579 /* Create channel failure, disconnect */
5e4e3972 4580 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4581 return;
4582 }
4583
4584 switch (chan->move_role) {
4585 case L2CAP_MOVE_ROLE_RESPONDER:
4586 l2cap_move_done(chan);
4587 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4588 break;
4589 case L2CAP_MOVE_ROLE_INITIATOR:
4590 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4591 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4592 /* Remote has only sent pending or
4593 * success responses, clean up
4594 */
4595 l2cap_move_done(chan);
4596 }
4597
4598 /* Other amp move states imply that the move
4599 * has already aborted
4600 */
4601 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4602 break;
4603 }
4604}
4605
4606static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4607 struct hci_chan *hchan)
4608{
4609 struct l2cap_conf_rsp rsp;
1500109b 4610
336178a3 4611 chan->hs_hchan = hchan;
1500109b
MM		 4612 chan->hs_hcon->l2cap_data = chan->conn;
4613
35ba9561 4614 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4615
4616 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4617 int err;
1500109b
MM		 4618
4619 set_default_fcs(chan);
4620
4621 err = l2cap_ertm_init(chan);
4622 if (err < 0)
5e4e3972 4623 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4624 else
4625 l2cap_chan_ready(chan);
4626 }
4627}
4628
4629static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4630 struct hci_chan *hchan)
4631{
4632 chan->hs_hcon = hchan->conn;
4633 chan->hs_hcon->l2cap_data = chan->conn;
4634
4635 BT_DBG("move_state %d", chan->move_state);
4636
4637 switch (chan->move_state) {
4638 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4639 /* Move confirm will be sent after a success
4640 * response is received
4641 */
4642 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4643 break;
4644 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4645 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4646 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4647 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4648 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4649 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4650 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4651 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4652 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4653 }
4654 break;
4655 default:
4656 /* Move was not in expected state, free the channel */
4657 __release_logical_link(chan);
4658
4659 chan->move_state = L2CAP_MOVE_STABLE;
4660 }
4661}
4662
4663/* Call with chan locked */
27695fb4
AE		 4664void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4665 u8 status)
5b155ef9 4666{
1500109b
MM		 4667 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4668
4669 if (status) {
4670 l2cap_logical_fail(chan);
4671 __release_logical_link(chan);
4672 return;
4673 }
4674
4675 if (chan->state != BT_CONNECTED) {
4676 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4677 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4678 l2cap_logical_finish_create(chan, hchan);
4679 } else {
4680 l2cap_logical_finish_move(chan, hchan);
4681 }
5b155ef9
MM		 4682}
4683
3f7a56c4
MM		 4684void l2cap_move_start(struct l2cap_chan *chan)
4685{
4686 BT_DBG("chan %p", chan);
4687
6ed971ca 4688 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4689 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4690 return;
4691 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4692 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4693 /* Placeholder - start physical link setup */
4694 } else {
4695 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4696 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4697 chan->move_id = 0;
4698 l2cap_move_setup(chan);
4699 l2cap_send_move_chan_req(chan, 0);
4700 }
4701}
4702
8eb200bd
MM		 4703static void l2cap_do_create(struct l2cap_chan *chan, int result,
4704 u8 local_amp_id, u8 remote_amp_id)
4705{
62748ca1
AE		 4706 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4707 local_amp_id, remote_amp_id);
4708
12d6cc60
AE		 4709 chan->fcs = L2CAP_FCS_NONE;
4710
62748ca1
AE		 4711 /* Outgoing channel on AMP */
4712 if (chan->state == BT_CONNECT) {
4713 if (result == L2CAP_CR_SUCCESS) {
4714 chan->local_amp_id = local_amp_id;
4715 l2cap_send_create_chan_req(chan, remote_amp_id);
4716 } else {
4717 /* Revert to BR/EDR connect */
4718 l2cap_send_conn_req(chan);
4719 }
4720
4721 return;
4722 }
4723
4724 /* Incoming channel on AMP */
4725 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4726 struct l2cap_conn_rsp rsp;
4727 char buf[128];
4728 rsp.scid = cpu_to_le16(chan->dcid);
4729 rsp.dcid = cpu_to_le16(chan->scid);
4730
8eb200bd
MM		 4731 if (result == L2CAP_CR_SUCCESS) {
4732 /* Send successful response */
dcf4adbf
JP		 4733 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4734 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4735 } else {
4736 /* Send negative response */
dcf4adbf
JP		 4737 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4738 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4739 }
4740
4741 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4742 sizeof(rsp), &rsp);
4743
4744 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4745 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4746 set_bit(CONF_REQ_SENT, &chan->conf_state);
4747 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4748 L2CAP_CONF_REQ,
4749 l2cap_build_conf_req(chan, buf), buf);
4750 chan->num_conf_req++;
4751 }
8eb200bd
MM		 4752 }
4753}
4754
4755static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4756 u8 remote_amp_id)
4757{
4758 l2cap_move_setup(chan);
4759 chan->move_id = local_amp_id;
4760 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4761
4762 l2cap_send_move_chan_req(chan, remote_amp_id);
4763}
4764
4765static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4766{
4767 struct hci_chan *hchan = NULL;
4768
4769 /* Placeholder - get hci_chan for logical link */
4770
4771 if (hchan) {
4772 if (hchan->state == BT_CONNECTED) {
4773 /* Logical link is ready to go */
4774 chan->hs_hcon = hchan->conn;
4775 chan->hs_hcon->l2cap_data = chan->conn;
4776 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4777 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4778
4779 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4780 } else {
4781 /* Wait for logical link to be ready */
4782 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4783 }
4784 } else {
4785 /* Logical link not available */
4786 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4787 }
4788}
4789
4790static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4791{
4792 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4793 u8 rsp_result;
4794 if (result == -EINVAL)
4795 rsp_result = L2CAP_MR_BAD_ID;
4796 else
4797 rsp_result = L2CAP_MR_NOT_ALLOWED;
4798
4799 l2cap_send_move_chan_rsp(chan, rsp_result);
4800 }
4801
4802 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4803 chan->move_state = L2CAP_MOVE_STABLE;
4804
4805 /* Restart data transmission */
4806 l2cap_ertm_send(chan);
4807}
4808
a514b17f
AE		 4809/* Invoke with locked chan */
4810void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4811{
770bfefa 4812 u8 local_amp_id = chan->local_amp_id;
fffadc08 4813 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4814
8eb200bd
MM		 4815 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4816 chan, result, local_amp_id, remote_amp_id);
4817
8eb200bd
MM		 4818 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4819 l2cap_chan_unlock(chan);
4820 return;
4821 }
4822
4823 if (chan->state != BT_CONNECTED) {
4824 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4825 } else if (result != L2CAP_MR_SUCCESS) {
4826 l2cap_do_move_cancel(chan, result);
4827 } else {
4828 switch (chan->move_role) {
4829 case L2CAP_MOVE_ROLE_INITIATOR:
4830 l2cap_do_move_initiate(chan, local_amp_id,
4831 remote_amp_id);
4832 break;
4833 case L2CAP_MOVE_ROLE_RESPONDER:
4834 l2cap_do_move_respond(chan, result);
4835 break;
4836 default:
4837 l2cap_do_move_cancel(chan, result);
4838 break;
4839 }
4840 }
8eb200bd
MM		 4841}
4842
8d5a04a1 4843static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4844 struct l2cap_cmd_hdr *cmd,
4845 u16 cmd_len, void *data)
8d5a04a1
MM		 4846{
4847 struct l2cap_move_chan_req *req = data;
1500109b 4848 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4849 struct l2cap_chan *chan;
8d5a04a1
MM		 4850 u16 icid = 0;
4851 u16 result = L2CAP_MR_NOT_ALLOWED;
4852
4853 if (cmd_len != sizeof(*req))
4854 return -EPROTO;
4855
4856 icid = le16_to_cpu(req->icid);
4857
ad0ac6ca 4858 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4859
848566b3 4860 if (!conn->hs_enabled)
8d5a04a1
MM		 4861 return -EINVAL;
4862
02b0fbb9
MM		 4863 chan = l2cap_get_chan_by_dcid(conn, icid);
4864 if (!chan) {
1500109b 4865 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4866 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4867 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4868 sizeof(rsp), &rsp);
02b0fbb9
MM		 4869 return 0;
4870 }
4871
1500109b
MM		 4872 chan->ident = cmd->ident;
4873
02b0fbb9
MM		 4874 if (chan->scid < L2CAP_CID_DYN_START ||
4875 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4876 (chan->mode != L2CAP_MODE_ERTM &&
4877 chan->mode != L2CAP_MODE_STREAMING)) {
4878 result = L2CAP_MR_NOT_ALLOWED;
4879 goto send_move_response;
4880 }
4881
4882 if (chan->local_amp_id == req->dest_amp_id) {
4883 result = L2CAP_MR_SAME_ID;
4884 goto send_move_response;
4885 }
4886
6ed971ca 4887 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4888 struct hci_dev *hdev;
4889 hdev = hci_dev_get(req->dest_amp_id);
4890 if (!hdev || hdev->dev_type != HCI_AMP ||
4891 !test_bit(HCI_UP, &hdev->flags)) {
4892 if (hdev)
4893 hci_dev_put(hdev);
4894
4895 result = L2CAP_MR_BAD_ID;
4896 goto send_move_response;
4897 }
4898 hci_dev_put(hdev);
4899 }
4900
4901 /* Detect a move collision. Only send a collision response
4902 * if this side has "lost", otherwise proceed with the move.
4903 * The winner has the larger bd_addr.
4904 */
4905 if ((__chan_is_moving(chan) ||
4906 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4907 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4908 result = L2CAP_MR_COLLISION;
4909 goto send_move_response;
4910 }
4911
02b0fbb9
MM		 4912 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4913 l2cap_move_setup(chan);
4914 chan->move_id = req->dest_amp_id;
4915 icid = chan->dcid;
4916
6ed971ca 4917 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4918 /* Moving to BR/EDR */
4919 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4920 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4921 result = L2CAP_MR_PEND;
4922 } else {
4923 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4924 result = L2CAP_MR_SUCCESS;
4925 }
4926 } else {
4927 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4928 /* Placeholder - uncomment when amp functions are available */
4929 /*amp_accept_physical(chan, req->dest_amp_id);*/
4930 result = L2CAP_MR_PEND;
4931 }
4932
4933send_move_response:
1500109b 4934 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4935
02b0fbb9
MM		 4936 l2cap_chan_unlock(chan);
4937
8d5a04a1
MM		 4938 return 0;
4939}
4940
5b155ef9
MM		 4941static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4942{
4943 struct l2cap_chan *chan;
4944 struct hci_chan *hchan = NULL;
4945
4946 chan = l2cap_get_chan_by_scid(conn, icid);
4947 if (!chan) {
4948 l2cap_send_move_chan_cfm_icid(conn, icid);
4949 return;
4950 }
4951
4952 __clear_chan_timer(chan);
4953 if (result == L2CAP_MR_PEND)
4954 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4955
4956 switch (chan->move_state) {
4957 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4958 /* Move confirm will be sent when logical link
4959 * is complete.
4960 */
4961 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4962 break;
4963 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4964 if (result == L2CAP_MR_PEND) {
4965 break;
4966 } else if (test_bit(CONN_LOCAL_BUSY,
4967 &chan->conn_state)) {
4968 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4969 } else {
4970 /* Logical link is up or moving to BR/EDR,
4971 * proceed with move
4972 */
4973 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4974 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4975 }
4976 break;
4977 case L2CAP_MOVE_WAIT_RSP:
4978 /* Moving to AMP */
4979 if (result == L2CAP_MR_SUCCESS) {
4980 /* Remote is ready, send confirm immediately
4981 * after logical link is ready
4982 */
4983 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4984 } else {
4985 /* Both logical link and move success
4986 * are required to confirm
4987 */
4988 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4989 }
4990
4991 /* Placeholder - get hci_chan for logical link */
4992 if (!hchan) {
4993 /* Logical link not available */
4994 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4995 break;
4996 }
4997
4998 /* If the logical link is not yet connected, do not
4999 * send confirmation.
5000 */
5001 if (hchan->state != BT_CONNECTED)
5002 break;
5003
5004 /* Logical link is already ready to go */
5005
5006 chan->hs_hcon = hchan->conn;
5007 chan->hs_hcon->l2cap_data = chan->conn;
5008
5009 if (result == L2CAP_MR_SUCCESS) {
5010 /* Can confirm now */
5011 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5012 } else {
5013 /* Now only need move success
5014 * to confirm
5015 */
5016 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5017 }
5018
5019 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5020 break;
5021 default:
5022 /* Any other amp move state means the move failed. */
5023 chan->move_id = chan->local_amp_id;
5024 l2cap_move_done(chan);
5025 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5026 }
5027
5028 l2cap_chan_unlock(chan);
5029}
5030
5031static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5032 u16 result)
5033{
5034 struct l2cap_chan *chan;
5035
5036 chan = l2cap_get_chan_by_ident(conn, ident);
5037 if (!chan) {
5038 /* Could not locate channel, icid is best guess */
5039 l2cap_send_move_chan_cfm_icid(conn, icid);
5040 return;
5041 }
5042
5043 __clear_chan_timer(chan);
5044
5045 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5046 if (result == L2CAP_MR_COLLISION) {
5047 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5048 } else {
5049 /* Cleanup - cancel move */
5050 chan->move_id = chan->local_amp_id;
5051 l2cap_move_done(chan);
5052 }
5053 }
5054
5055 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5056
5057 l2cap_chan_unlock(chan);
5058}
5059
5060static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5061 struct l2cap_cmd_hdr *cmd,
5062 u16 cmd_len, void *data)
8d5a04a1
MM		 5063{
5064 struct l2cap_move_chan_rsp *rsp = data;
5065 u16 icid, result;
5066
5067 if (cmd_len != sizeof(*rsp))
5068 return -EPROTO;
5069
5070 icid = le16_to_cpu(rsp->icid);
5071 result = le16_to_cpu(rsp->result);
5072
ad0ac6ca 5073 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5074
5b155ef9
MM		 5075 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5076 l2cap_move_continue(conn, icid, result);
5077 else
5078 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5079
5080 return 0;
5081}
5082
5f3847a4
MM		 5083static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5084 struct l2cap_cmd_hdr *cmd,
5085 u16 cmd_len, void *data)
8d5a04a1
MM		 5086{
5087 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5088 struct l2cap_chan *chan;
8d5a04a1
MM		 5089 u16 icid, result;
5090
5091 if (cmd_len != sizeof(*cfm))
5092 return -EPROTO;
5093
5094 icid = le16_to_cpu(cfm->icid);
5095 result = le16_to_cpu(cfm->result);
5096
ad0ac6ca 5097 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5098
5f3847a4
MM		 5099 chan = l2cap_get_chan_by_dcid(conn, icid);
5100 if (!chan) {
5101 /* Spec requires a response even if the icid was not found */
5102 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5103 return 0;
5104 }
5105
5106 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5107 if (result == L2CAP_MC_CONFIRMED) {
5108 chan->local_amp_id = chan->move_id;
6ed971ca 5109 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5110 __release_logical_link(chan);
5111 } else {
5112 chan->move_id = chan->local_amp_id;
5113 }
5114
5115 l2cap_move_done(chan);
5116 }
5117
8d5a04a1
MM		 5118 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5119
5f3847a4
MM		 5120 l2cap_chan_unlock(chan);
5121
8d5a04a1
MM		 5122 return 0;
5123}
5124
5125static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5126 struct l2cap_cmd_hdr *cmd,
5127 u16 cmd_len, void *data)
8d5a04a1
MM		 5128{
5129 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5130 struct l2cap_chan *chan;
8d5a04a1
MM		 5131 u16 icid;
5132
5133 if (cmd_len != sizeof(*rsp))
5134 return -EPROTO;
5135
5136 icid = le16_to_cpu(rsp->icid);
5137
ad0ac6ca 5138 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5139
3fd71a0a
MM		 5140 chan = l2cap_get_chan_by_scid(conn, icid);
5141 if (!chan)
5142 return 0;
5143
5144 __clear_chan_timer(chan);
5145
5146 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5147 chan->local_amp_id = chan->move_id;
5148
6ed971ca 5149 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5150 __release_logical_link(chan);
5151
5152 l2cap_move_done(chan);
5153 }
5154
5155 l2cap_chan_unlock(chan);
5156
8d5a04a1
MM		 5157 return 0;
5158}
5159
de73115a 5160static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5161 struct l2cap_cmd_hdr *cmd,
203e639e 5162 u16 cmd_len, u8 *data)
de73115a
CT		 5163{
5164 struct hci_conn *hcon = conn->hcon;
5165 struct l2cap_conn_param_update_req *req;
5166 struct l2cap_conn_param_update_rsp rsp;
203e639e 5167 u16 min, max, latency, to_multiplier;
2ce603eb 5168 int err;
de73115a 5169
40bef302 5170 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5171 return -EINVAL;
5172
de73115a
CT		 5173 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5174 return -EPROTO;
5175
5176 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5177 min = __le16_to_cpu(req->min);
5178 max = __le16_to_cpu(req->max);
de73115a
CT		 5179 latency = __le16_to_cpu(req->latency);
5180 to_multiplier = __le16_to_cpu(req->to_multiplier);
5181
5182 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5183 min, max, latency, to_multiplier);
de73115a
CT		 5184
5185 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5186
d4905f24 5187 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5188 if (err)
dcf4adbf 5189 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5190 else
dcf4adbf 5191 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5192
5193 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5194 sizeof(rsp), &rsp);
de73115a 5195
ffb5a827 5196 if (!err) {
f4869e2a
JH		 5197 u8 store_hint;
5198
5199 store_hint = hci_le_conn_update(hcon, min, max, latency,
5200 to_multiplier);
ffb5a827 5201 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5202 store_hint, min, max, latency,
5203 to_multiplier);
ffb5a827 5204
ffb5a827 5205 }
2ce603eb 5206
de73115a
CT		 5207 return 0;
5208}
5209
f1496dee
JH		 5210static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5211 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5212 u8 *data)
5213{
5214 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5215 u16 dcid, mtu, mps, credits, result;
5216 struct l2cap_chan *chan;
5217 int err;
5218
5219 if (cmd_len < sizeof(*rsp))
5220 return -EPROTO;
5221
5222 dcid = __le16_to_cpu(rsp->dcid);
5223 mtu = __le16_to_cpu(rsp->mtu);
5224 mps = __le16_to_cpu(rsp->mps);
5225 credits = __le16_to_cpu(rsp->credits);
5226 result = __le16_to_cpu(rsp->result);
5227
5228 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5229 return -EPROTO;
5230
5231 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5232 dcid, mtu, mps, credits, result);
5233
5234 mutex_lock(&conn->chan_lock);
5235
5236 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5237 if (!chan) {
5238 err = -EBADSLT;
5239 goto unlock;
5240 }
5241
5242 err = 0;
5243
5244 l2cap_chan_lock(chan);
5245
5246 switch (result) {
5247 case L2CAP_CR_SUCCESS:
5248 chan->ident = 0;
5249 chan->dcid = dcid;
5250 chan->omtu = mtu;
5251 chan->remote_mps = mps;
0cd75f7e 5252 chan->tx_credits = credits;
f1496dee
JH		 5253 l2cap_chan_ready(chan);
5254 break;
5255
5256 default:
5257 l2cap_chan_del(chan, ECONNREFUSED);
5258 break;
5259 }
5260
5261 l2cap_chan_unlock(chan);
5262
5263unlock:
5264 mutex_unlock(&conn->chan_lock);
5265
5266 return err;
5267}
5268
3300d9a9 5269static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5270 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5271 u8 *data)
3300d9a9
CT		 5272{
5273 int err = 0;
5274
5275 switch (cmd->code) {
5276 case L2CAP_COMMAND_REJ:
cb3b3152 5277 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5278 break;
5279
5280 case L2CAP_CONN_REQ:
cb3b3152 5281 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5282 break;
5283
5284 case L2CAP_CONN_RSP:
f5a2598d 5285 case L2CAP_CREATE_CHAN_RSP:
9245e737 5286 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5287 break;
5288
5289 case L2CAP_CONF_REQ:
5290 err = l2cap_config_req(conn, cmd, cmd_len, data);
5291 break;
5292
5293 case L2CAP_CONF_RSP:
9245e737 5294 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5295 break;
5296
5297 case L2CAP_DISCONN_REQ:
cb3b3152 5298 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5299 break;
5300
5301 case L2CAP_DISCONN_RSP:
9245e737 5302 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5303 break;
5304
5305 case L2CAP_ECHO_REQ:
5306 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5307 break;
5308
5309 case L2CAP_ECHO_RSP:
5310 break;
5311
5312 case L2CAP_INFO_REQ:
cb3b3152 5313 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5314 break;
5315
5316 case L2CAP_INFO_RSP:
9245e737 5317 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5318 break;
5319
f94ff6ff
MM		 5320 case L2CAP_CREATE_CHAN_REQ:
5321 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5322 break;
5323
8d5a04a1
MM		 5324 case L2CAP_MOVE_CHAN_REQ:
5325 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5326 break;
5327
5328 case L2CAP_MOVE_CHAN_RSP:
9245e737 5329 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5330 break;
5331
5332 case L2CAP_MOVE_CHAN_CFM:
5333 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5334 break;
5335
5336 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5337 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5338 break;
5339
3300d9a9
CT		 5340 default:
5341 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5342 err = -EINVAL;
5343 break;
5344 }
5345
5346 return err;
5347}
5348
27e2d4c8
JH		 5349static int l2cap_le_connect_req(struct l2cap_conn *conn,
5350 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5351 u8 *data)
5352{
5353 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5354 struct l2cap_le_conn_rsp rsp;
5355 struct l2cap_chan *chan, *pchan;
0cd75f7e 5356 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5357 __le16 psm;
5358 u8 result;
5359
5360 if (cmd_len != sizeof(*req))
5361 return -EPROTO;
5362
5363 scid = __le16_to_cpu(req->scid);
5364 mtu = __le16_to_cpu(req->mtu);
5365 mps = __le16_to_cpu(req->mps);
5366 psm = req->psm;
5367 dcid = 0;
0cd75f7e 5368 credits = 0;
27e2d4c8
JH		 5369
5370 if (mtu < 23 || mps < 23)
5371 return -EPROTO;
5372
5373 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5374 scid, mtu, mps);
5375
5376 /* Check if we have socket listening on psm */
5377 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5378 &conn->hcon->dst, LE_LINK);
5379 if (!pchan) {
5380 result = L2CAP_CR_BAD_PSM;
5381 chan = NULL;
5382 goto response;
5383 }
5384
5385 mutex_lock(&conn->chan_lock);
5386 l2cap_chan_lock(pchan);
5387
5388 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5389 result = L2CAP_CR_AUTHENTICATION;
5390 chan = NULL;
5391 goto response_unlock;
5392 }
5393
5394 /* Check if we already have channel with that dcid */
5395 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5396 result = L2CAP_CR_NO_MEM;
5397 chan = NULL;
5398 goto response_unlock;
5399 }
5400
5401 chan = pchan->ops->new_connection(pchan);
5402 if (!chan) {
5403 result = L2CAP_CR_NO_MEM;
5404 goto response_unlock;
5405 }
5406
0ce43ce6
JH		 5407 l2cap_le_flowctl_init(chan);
5408
27e2d4c8
JH		 5409 bacpy(&chan->src, &conn->hcon->src);
5410 bacpy(&chan->dst, &conn->hcon->dst);
5411 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5412 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5413 chan->psm = psm;
5414 chan->dcid = scid;
5415 chan->omtu = mtu;
5416 chan->remote_mps = mps;
0cd75f7e 5417 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5418
5419 __l2cap_chan_add(conn, chan);
5420 dcid = chan->scid;
0cd75f7e 5421 credits = chan->rx_credits;
27e2d4c8
JH		 5422
5423 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5424
5425 chan->ident = cmd->ident;
5426
5427 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5428 l2cap_state_change(chan, BT_CONNECT2);
5429 result = L2CAP_CR_PEND;
5430 chan->ops->defer(chan);
5431 } else {
5432 l2cap_chan_ready(chan);
5433 result = L2CAP_CR_SUCCESS;
5434 }
5435
5436response_unlock:
5437 l2cap_chan_unlock(pchan);
5438 mutex_unlock(&conn->chan_lock);
a24cce14 5439 l2cap_chan_put(pchan);
27e2d4c8
JH		 5440
5441 if (result == L2CAP_CR_PEND)
5442 return 0;
5443
5444response:
5445 if (chan) {
5446 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5447 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5448 } else {
5449 rsp.mtu = 0;
5450 rsp.mps = 0;
5451 }
5452
5453 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5454 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5455 rsp.result = cpu_to_le16(result);
5456
5457 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5458
5459 return 0;
5460}
5461
fad5fc89
JH		 5462static inline int l2cap_le_credits(struct l2cap_conn *conn,
5463 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5464 u8 *data)
5465{
5466 struct l2cap_le_credits *pkt;
5467 struct l2cap_chan *chan;
0f1bfe4e 5468 u16 cid, credits, max_credits;
fad5fc89
JH		 5469
5470 if (cmd_len != sizeof(*pkt))
5471 return -EPROTO;
5472
5473 pkt = (struct l2cap_le_credits *) data;
5474 cid = __le16_to_cpu(pkt->cid);
5475 credits = __le16_to_cpu(pkt->credits);
5476
5477 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5478
5479 chan = l2cap_get_chan_by_dcid(conn, cid);
5480 if (!chan)
5481 return -EBADSLT;
5482
0f1bfe4e
JH		 5483 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5484 if (credits > max_credits) {
5485 BT_ERR("LE credits overflow");
5486 l2cap_send_disconn_req(chan, ECONNRESET);
5487
5488 /* Return 0 so that we don't trigger an unnecessary
5489 * command reject packet.
5490 */
5491 return 0;
5492 }
5493
fad5fc89
JH		 5494 chan->tx_credits += credits;
5495
5496 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5497 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5498 chan->tx_credits--;
5499 }
5500
5501 if (chan->tx_credits)
5502 chan->ops->resume(chan);
5503
5504 l2cap_chan_unlock(chan);
5505
5506 return 0;
5507}
5508
71fb4197
JH		 5509static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5510 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5511 u8 *data)
5512{
5513 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5514 struct l2cap_chan *chan;
5515
5516 if (cmd_len < sizeof(*rej))
5517 return -EPROTO;
5518
5519 mutex_lock(&conn->chan_lock);
5520
5521 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5522 if (!chan)
5523 goto done;
5524
5525 l2cap_chan_lock(chan);
5526 l2cap_chan_del(chan, ECONNREFUSED);
5527 l2cap_chan_unlock(chan);
5528
5529done:
5530 mutex_unlock(&conn->chan_lock);
5531 return 0;
5532}
5533
3300d9a9 5534static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5535 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5536 u8 *data)
3300d9a9 5537{
b5ecba64
JH		 5538 int err = 0;
5539
3300d9a9
CT		 5540 switch (cmd->code) {
5541 case L2CAP_COMMAND_REJ:
71fb4197 5542 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5543 break;
3300d9a9
CT		 5544
5545 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5546 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5547 break;
3300d9a9
CT		 5548
5549 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5550 break;
3300d9a9 5551
f1496dee
JH		 5552 case L2CAP_LE_CONN_RSP:
5553 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5554 break;
f1496dee 5555
27e2d4c8 5556 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5557 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5558 break;
27e2d4c8 5559
fad5fc89
JH		 5560 case L2CAP_LE_CREDITS:
5561 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5562 break;
5563
3defe01a 5564 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5565 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5566 break;
3defe01a
JH		 5567
5568 case L2CAP_DISCONN_RSP:
5569 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5570 break;
3defe01a 5571
3300d9a9
CT		 5572 default:
5573 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5574 err = -EINVAL;
5575 break;
3300d9a9 5576 }
b5ecba64
JH		 5577
5578 return err;
3300d9a9
CT		 5579}
5580
c5623556
JH		 5581static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5582 struct sk_buff *skb)
5583{
69c4e4e8 5584 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5585 struct l2cap_cmd_hdr *cmd;
5586 u16 len;
c5623556
JH		 5587 int err;
5588
69c4e4e8 5589 if (hcon->type != LE_LINK)
3b166295 5590 goto drop;
69c4e4e8 5591
4f3e219d
MH		 5592 if (skb->len < L2CAP_CMD_HDR_SIZE)
5593 goto drop;
c5623556 5594
4f3e219d
MH		 5595 cmd = (void *) skb->data;
5596 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5597
4f3e219d 5598 len = le16_to_cpu(cmd->len);
c5623556 5599
4f3e219d 5600 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5601
4f3e219d
MH		 5602 if (len != skb->len || !cmd->ident) {
5603 BT_DBG("corrupted command");
5604 goto drop;
5605 }
c5623556 5606
203e639e 5607 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5608 if (err) {
5609 struct l2cap_cmd_rej_unk rej;
c5623556 5610
4f3e219d 5611 BT_ERR("Wrong link type (%d)", err);
c5623556 5612
dcf4adbf 5613 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5614 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5615 sizeof(rej), &rej);
c5623556
JH		 5616 }
5617
3b166295 5618drop:
c5623556
JH		 5619 kfree_skb(skb);
5620}
5621
3300d9a9 5622static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5623 struct sk_buff *skb)
1da177e4 5624{
69c4e4e8 5625 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5626 u8 *data = skb->data;
5627 int len = skb->len;
5628 struct l2cap_cmd_hdr cmd;
3300d9a9 5629 int err;
1da177e4
LT		 5630
5631 l2cap_raw_recv(conn, skb);
5632
69c4e4e8 5633 if (hcon->type != ACL_LINK)
3b166295 5634 goto drop;
69c4e4e8 5635
1da177e4 5636 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5637 u16 cmd_len;
1da177e4
LT		 5638 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5639 data += L2CAP_CMD_HDR_SIZE;
5640 len -= L2CAP_CMD_HDR_SIZE;
5641
88219a0f 5642 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5643
2d792818
GP		 5644 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5645 cmd.ident);
1da177e4 5646
88219a0f 5647 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5648 BT_DBG("corrupted command");
5649 break;
5650 }
5651
c5623556 5652 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5653 if (err) {
e2fd318e 5654 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5655
5656 BT_ERR("Wrong link type (%d)", err);
1da177e4 5657
dcf4adbf 5658 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5659 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5660 sizeof(rej), &rej);
1da177e4
LT		 5661 }
5662
88219a0f
AV		 5663 data += cmd_len;
5664 len -= cmd_len;
1da177e4
LT		 5665 }
5666
3b166295 5667drop:
1da177e4
LT		 5668 kfree_skb(skb);
5669}
5670
47d1ec61 5671static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5672{
5673 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5674 int hdr_size;
5675
5676 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5677 hdr_size = L2CAP_EXT_HDR_SIZE;
5678 else
5679 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5680
47d1ec61 5681 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5682 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5683 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5684 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5685
5686 if (our_fcs != rcv_fcs)
7a560e5c 5687 return -EBADMSG;
fcc203c3
GP		 5688 }
5689 return 0;
5690}
5691
6ea00485 5692static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5693{
e31f7633 5694 struct l2cap_ctrl control;
d5392c8f 5695
e31f7633 5696 BT_DBG("chan %p", chan);
d5392c8f 5697
e31f7633
MM		 5698 memset(&control, 0, sizeof(control));
5699 control.sframe = 1;
5700 control.final = 1;
5701 control.reqseq = chan->buffer_seq;
5702 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5703
e2ab4353 5704 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5705 control.super = L2CAP_SUPER_RNR;
5706 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5707 }
5708
e31f7633
MM		 5709 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5710 chan->unacked_frames > 0)
5711 __set_retrans_timer(chan);
d5392c8f 5712
e31f7633 5713 /* Send pending iframes */
525cd185 5714 l2cap_ertm_send(chan);
d5392c8f 5715
e2ab4353 5716 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5717 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5718 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5719 * send it now.
5720 */
5721 control.super = L2CAP_SUPER_RR;
5722 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5723 }
5724}
5725
2d792818
GP		 5726static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5727 struct sk_buff **last_frag)
18778a63 5728{
84084a31
MM		 5729 /* skb->len reflects data in skb as well as all fragments
5730 * skb->data_len reflects only data in fragments
5731 */
5732 if (!skb_has_frag_list(skb))
5733 skb_shinfo(skb)->frag_list = new_frag;
5734
5735 new_frag->next = NULL;
5736
5737 (*last_frag)->next = new_frag;
5738 *last_frag = new_frag;
5739
5740 skb->len += new_frag->len;
5741 skb->data_len += new_frag->len;
5742 skb->truesize += new_frag->truesize;
5743}
5744
4b51dae9
MM		 5745static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5746 struct l2cap_ctrl *control)
84084a31
MM		 5747{
5748 int err = -EINVAL;
18778a63 5749
4b51dae9 5750 switch (control->sar) {
7e0ef6ee 5751 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5752 if (chan->sdu)
5753 break;
18778a63 5754
80b98027 5755 err = chan->ops->recv(chan, skb);
84084a31 5756 break;
18778a63 5757
7e0ef6ee 5758 case L2CAP_SAR_START:
84084a31
MM		 5759 if (chan->sdu)
5760 break;
18778a63 5761
6f61fd47 5762 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5763 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5764
84084a31
MM		 5765 if (chan->sdu_len > chan->imtu) {
5766 err = -EMSGSIZE;
5767 break;
5768 }
1890d36b 5769
84084a31
MM		 5770 if (skb->len >= chan->sdu_len)
5771 break;
18778a63 5772
84084a31
MM		 5773 chan->sdu = skb;
5774 chan->sdu_last_frag = skb;
18778a63 5775
84084a31
MM		 5776 skb = NULL;
5777 err = 0;
18778a63
GP		 5778 break;
5779
7e0ef6ee 5780 case L2CAP_SAR_CONTINUE:
6f61fd47 5781 if (!chan->sdu)
84084a31 5782 break;
18778a63 5783
84084a31
MM		 5784 append_skb_frag(chan->sdu, skb,
5785 &chan->sdu_last_frag);
5786 skb = NULL;
18778a63 5787
84084a31
MM		 5788 if (chan->sdu->len >= chan->sdu_len)
5789 break;
4178ba46 5790
84084a31 5791 err = 0;
18778a63
GP		 5792 break;
5793
7e0ef6ee 5794 case L2CAP_SAR_END:
6f61fd47 5795 if (!chan->sdu)
84084a31 5796 break;
18778a63 5797
84084a31
MM		 5798 append_skb_frag(chan->sdu, skb,
5799 &chan->sdu_last_frag);
5800 skb = NULL;
4178ba46 5801
84084a31
MM		 5802 if (chan->sdu->len != chan->sdu_len)
5803 break;
18778a63 5804
80b98027 5805 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5806
84084a31
MM		 5807 if (!err) {
5808 /* Reassembly complete */
5809 chan->sdu = NULL;
5810 chan->sdu_last_frag = NULL;
5811 chan->sdu_len = 0;
1890d36b 5812 }
18778a63
GP		 5813 break;
5814 }
5815
84084a31
MM		 5816 if (err) {
5817 kfree_skb(skb);
5818 kfree_skb(chan->sdu);
5819 chan->sdu = NULL;
5820 chan->sdu_last_frag = NULL;
5821 chan->sdu_len = 0;
5822 }
18778a63 5823
84084a31 5824 return err;
18778a63
GP		 5825}
5826
32b32735
MM		 5827static int l2cap_resegment(struct l2cap_chan *chan)
5828{
5829 /* Placeholder */
5830 return 0;
5831}
5832
61aa4f5b 5833void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5834{
61aa4f5b 5835 u8 event;
712132eb 5836
61aa4f5b
MM		 5837 if (chan->mode != L2CAP_MODE_ERTM)
5838 return;
712132eb 5839
61aa4f5b 5840 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5841 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5842}
5843
d2a7ac5d
MM		 5844static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5845{
63838725
MM		 5846 int err = 0;
5847 /* Pass sequential frames to l2cap_reassemble_sdu()
5848 * until a gap is encountered.
5849 */
5850
5851 BT_DBG("chan %p", chan);
5852
5853 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5854 struct sk_buff *skb;
5855 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5856 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5857
5858 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5859
5860 if (!skb)
5861 break;
5862
5863 skb_unlink(skb, &chan->srej_q);
5864 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5865 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5866 if (err)
5867 break;
5868 }
5869
5870 if (skb_queue_empty(&chan->srej_q)) {
5871 chan->rx_state = L2CAP_RX_STATE_RECV;
5872 l2cap_send_ack(chan);
5873 }
5874
5875 return err;
d2a7ac5d
MM		 5876}
5877
5878static void l2cap_handle_srej(struct l2cap_chan *chan,
5879 struct l2cap_ctrl *control)
5880{
f80842a8
MM		 5881 struct sk_buff *skb;
5882
5883 BT_DBG("chan %p, control %p", chan, control);
5884
5885 if (control->reqseq == chan->next_tx_seq) {
5886 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5887 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5888 return;
5889 }
5890
5891 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5892
5893 if (skb == NULL) {
5894 BT_DBG("Seq %d not available for retransmission",
5895 control->reqseq);
5896 return;
5897 }
5898
5899 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5900 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5901 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5902 return;
5903 }
5904
5905 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5906
5907 if (control->poll) {
5908 l2cap_pass_to_tx(chan, control);
5909
5910 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5911 l2cap_retransmit(chan, control);
5912 l2cap_ertm_send(chan);
5913
5914 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5915 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5916 chan->srej_save_reqseq = control->reqseq;
5917 }
5918 } else {
5919 l2cap_pass_to_tx_fbit(chan, control);
5920
5921 if (control->final) {
5922 if (chan->srej_save_reqseq != control->reqseq ||
5923 !test_and_clear_bit(CONN_SREJ_ACT,
5924 &chan->conn_state))
5925 l2cap_retransmit(chan, control);
5926 } else {
5927 l2cap_retransmit(chan, control);
5928 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5929 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5930 chan->srej_save_reqseq = control->reqseq;
5931 }
5932 }
5933 }
d2a7ac5d
MM		 5934}
5935
5936static void l2cap_handle_rej(struct l2cap_chan *chan,
5937 struct l2cap_ctrl *control)
5938{
fcd289df
MM		 5939 struct sk_buff *skb;
5940
5941 BT_DBG("chan %p, control %p", chan, control);
5942
5943 if (control->reqseq == chan->next_tx_seq) {
5944 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5945 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5946 return;
5947 }
5948
5949 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5950
5951 if (chan->max_tx && skb &&
5952 bt_cb(skb)->control.retries >= chan->max_tx) {
5953 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5954 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5955 return;
5956 }
5957
5958 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5959
5960 l2cap_pass_to_tx(chan, control);
5961
5962 if (control->final) {
5963 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5964 l2cap_retransmit_all(chan, control);
5965 } else {
5966 l2cap_retransmit_all(chan, control);
5967 l2cap_ertm_send(chan);
5968 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5969 set_bit(CONN_REJ_ACT, &chan->conn_state);
5970 }
d2a7ac5d
MM		 5971}
5972
4b51dae9
MM		 5973static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5974{
5975 BT_DBG("chan %p, txseq %d", chan, txseq);
5976
5977 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5978 chan->expected_tx_seq);
5979
5980 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5981 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5982 chan->tx_win) {
4b51dae9
MM		 5983 /* See notes below regarding "double poll" and
5984 * invalid packets.
5985 */
5986 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5987 BT_DBG("Invalid/Ignore - after SREJ");
5988 return L2CAP_TXSEQ_INVALID_IGNORE;
5989 } else {
5990 BT_DBG("Invalid - in window after SREJ sent");
5991 return L2CAP_TXSEQ_INVALID;
5992 }
5993 }
5994
5995 if (chan->srej_list.head == txseq) {
5996 BT_DBG("Expected SREJ");
5997 return L2CAP_TXSEQ_EXPECTED_SREJ;
5998 }
5999
6000 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6001 BT_DBG("Duplicate SREJ - txseq already stored");
6002 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6003 }
6004
6005 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6006 BT_DBG("Unexpected SREJ - not requested");
6007 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6008 }
6009 }
6010
6011 if (chan->expected_tx_seq == txseq) {
6012 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6013 chan->tx_win) {
6014 BT_DBG("Invalid - txseq outside tx window");
6015 return L2CAP_TXSEQ_INVALID;
6016 } else {
6017 BT_DBG("Expected");
6018 return L2CAP_TXSEQ_EXPECTED;
6019 }
6020 }
6021
6022 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6023 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6024 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6025 return L2CAP_TXSEQ_DUPLICATE;
6026 }
6027
6028 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6029 /* A source of invalid packets is a "double poll" condition,
6030 * where delays cause us to send multiple poll packets. If
6031 * the remote stack receives and processes both polls,
6032 * sequence numbers can wrap around in such a way that a
6033 * resent frame has a sequence number that looks like new data
6034 * with a sequence gap. This would trigger an erroneous SREJ
6035 * request.
6036 *
6037 * Fortunately, this is impossible with a tx window that's
6038 * less than half of the maximum sequence number, which allows
6039 * invalid frames to be safely ignored.
6040 *
6041 * With tx window sizes greater than half of the tx window
6042 * maximum, the frame is invalid and cannot be ignored. This
6043 * causes a disconnect.
6044 */
6045
6046 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6047 BT_DBG("Invalid/Ignore - txseq outside tx window");
6048 return L2CAP_TXSEQ_INVALID_IGNORE;
6049 } else {
6050 BT_DBG("Invalid - txseq outside tx window");
6051 return L2CAP_TXSEQ_INVALID;
6052 }
6053 } else {
6054 BT_DBG("Unexpected - txseq indicates missing frames");
6055 return L2CAP_TXSEQ_UNEXPECTED;
6056 }
6057}
6058
d2a7ac5d
MM		 6059static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6060 struct l2cap_ctrl *control,
6061 struct sk_buff *skb, u8 event)
6062{
6063 int err = 0;
941247f9 6064 bool skb_in_use = false;
d2a7ac5d
MM		 6065
6066 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6067 event);
6068
6069 switch (event) {
6070 case L2CAP_EV_RECV_IFRAME:
6071 switch (l2cap_classify_txseq(chan, control->txseq)) {
6072 case L2CAP_TXSEQ_EXPECTED:
6073 l2cap_pass_to_tx(chan, control);
6074
6075 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6076 BT_DBG("Busy, discarding expected seq %d",
6077 control->txseq);
6078 break;
6079 }
6080
6081 chan->expected_tx_seq = __next_seq(chan,
6082 control->txseq);
6083
6084 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6085 skb_in_use = true;
d2a7ac5d
MM		 6086
6087 err = l2cap_reassemble_sdu(chan, skb, control);
6088 if (err)
6089 break;
6090
6091 if (control->final) {
6092 if (!test_and_clear_bit(CONN_REJ_ACT,
6093 &chan->conn_state)) {
6094 control->final = 0;
6095 l2cap_retransmit_all(chan, control);
6096 l2cap_ertm_send(chan);
6097 }
6098 }
6099
6100 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6101 l2cap_send_ack(chan);
6102 break;
6103 case L2CAP_TXSEQ_UNEXPECTED:
6104 l2cap_pass_to_tx(chan, control);
6105
6106 /* Can't issue SREJ frames in the local busy state.
6107 * Drop this frame, it will be seen as missing
6108 * when local busy is exited.
6109 */
6110 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6111 BT_DBG("Busy, discarding unexpected seq %d",
6112 control->txseq);
6113 break;
6114 }
6115
6116 /* There was a gap in the sequence, so an SREJ
6117 * must be sent for each missing frame. The
6118 * current frame is stored for later use.
6119 */
6120 skb_queue_tail(&chan->srej_q, skb);
941247f9 6121 skb_in_use = true;
d2a7ac5d
MM		 6122 BT_DBG("Queued %p (queue len %d)", skb,
6123 skb_queue_len(&chan->srej_q));
6124
6125 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6126 l2cap_seq_list_clear(&chan->srej_list);
6127 l2cap_send_srej(chan, control->txseq);
6128
6129 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6130 break;
6131 case L2CAP_TXSEQ_DUPLICATE:
6132 l2cap_pass_to_tx(chan, control);
6133 break;
6134 case L2CAP_TXSEQ_INVALID_IGNORE:
6135 break;
6136 case L2CAP_TXSEQ_INVALID:
6137 default:
5e4e3972 6138 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6139 break;
6140 }
6141 break;
6142 case L2CAP_EV_RECV_RR:
6143 l2cap_pass_to_tx(chan, control);
6144 if (control->final) {
6145 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6146
e6a3ee6e
MM		 6147 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6148 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6149 control->final = 0;
6150 l2cap_retransmit_all(chan, control);
6151 }
6152
6153 l2cap_ertm_send(chan);
6154 } else if (control->poll) {
6155 l2cap_send_i_or_rr_or_rnr(chan);
6156 } else {
6157 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6158 &chan->conn_state) &&
6159 chan->unacked_frames)
6160 __set_retrans_timer(chan);
6161
6162 l2cap_ertm_send(chan);
6163 }
6164 break;
6165 case L2CAP_EV_RECV_RNR:
6166 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6167 l2cap_pass_to_tx(chan, control);
6168 if (control && control->poll) {
6169 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6170 l2cap_send_rr_or_rnr(chan, 0);
6171 }
6172 __clear_retrans_timer(chan);
6173 l2cap_seq_list_clear(&chan->retrans_list);
6174 break;
6175 case L2CAP_EV_RECV_REJ:
6176 l2cap_handle_rej(chan, control);
6177 break;
6178 case L2CAP_EV_RECV_SREJ:
6179 l2cap_handle_srej(chan, control);
6180 break;
6181 default:
6182 break;
6183 }
6184
6185 if (skb && !skb_in_use) {
6186 BT_DBG("Freeing %p", skb);
6187 kfree_skb(skb);
6188 }
6189
6190 return err;
6191}
6192
6193static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6194 struct l2cap_ctrl *control,
6195 struct sk_buff *skb, u8 event)
6196{
6197 int err = 0;
6198 u16 txseq = control->txseq;
941247f9 6199 bool skb_in_use = false;
d2a7ac5d
MM		 6200
6201 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6202 event);
6203
6204 switch (event) {
6205 case L2CAP_EV_RECV_IFRAME:
6206 switch (l2cap_classify_txseq(chan, txseq)) {
6207 case L2CAP_TXSEQ_EXPECTED:
6208 /* Keep frame for reassembly later */
6209 l2cap_pass_to_tx(chan, control);
6210 skb_queue_tail(&chan->srej_q, skb);
941247f9 6211 skb_in_use = true;
d2a7ac5d
MM		 6212 BT_DBG("Queued %p (queue len %d)", skb,
6213 skb_queue_len(&chan->srej_q));
6214
6215 chan->expected_tx_seq = __next_seq(chan, txseq);
6216 break;
6217 case L2CAP_TXSEQ_EXPECTED_SREJ:
6218 l2cap_seq_list_pop(&chan->srej_list);
6219
6220 l2cap_pass_to_tx(chan, control);
6221 skb_queue_tail(&chan->srej_q, skb);
941247f9 6222 skb_in_use = true;
d2a7ac5d
MM		 6223 BT_DBG("Queued %p (queue len %d)", skb,
6224 skb_queue_len(&chan->srej_q));
6225
6226 err = l2cap_rx_queued_iframes(chan);
6227 if (err)
6228 break;
6229
6230 break;
6231 case L2CAP_TXSEQ_UNEXPECTED:
6232 /* Got a frame that can't be reassembled yet.
6233 * Save it for later, and send SREJs to cover
6234 * the missing frames.
6235 */
6236 skb_queue_tail(&chan->srej_q, skb);
941247f9 6237 skb_in_use = true;
d2a7ac5d
MM		 6238 BT_DBG("Queued %p (queue len %d)", skb,
6239 skb_queue_len(&chan->srej_q));
6240
6241 l2cap_pass_to_tx(chan, control);
6242 l2cap_send_srej(chan, control->txseq);
6243 break;
6244 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6245 /* This frame was requested with an SREJ, but
6246 * some expected retransmitted frames are
6247 * missing. Request retransmission of missing
6248 * SREJ'd frames.
6249 */
6250 skb_queue_tail(&chan->srej_q, skb);
941247f9 6251 skb_in_use = true;
d2a7ac5d
MM		 6252 BT_DBG("Queued %p (queue len %d)", skb,
6253 skb_queue_len(&chan->srej_q));
6254
6255 l2cap_pass_to_tx(chan, control);
6256 l2cap_send_srej_list(chan, control->txseq);
6257 break;
6258 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6259 /* We've already queued this frame. Drop this copy. */
6260 l2cap_pass_to_tx(chan, control);
6261 break;
6262 case L2CAP_TXSEQ_DUPLICATE:
6263 /* Expecting a later sequence number, so this frame
6264 * was already received. Ignore it completely.
6265 */
6266 break;
6267 case L2CAP_TXSEQ_INVALID_IGNORE:
6268 break;
6269 case L2CAP_TXSEQ_INVALID:
6270 default:
5e4e3972 6271 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6272 break;
6273 }
6274 break;
6275 case L2CAP_EV_RECV_RR:
6276 l2cap_pass_to_tx(chan, control);
6277 if (control->final) {
6278 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6279
6280 if (!test_and_clear_bit(CONN_REJ_ACT,
6281 &chan->conn_state)) {
6282 control->final = 0;
6283 l2cap_retransmit_all(chan, control);
6284 }
6285
6286 l2cap_ertm_send(chan);
6287 } else if (control->poll) {
6288 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6289 &chan->conn_state) &&
6290 chan->unacked_frames) {
6291 __set_retrans_timer(chan);
6292 }
6293
6294 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6295 l2cap_send_srej_tail(chan);
6296 } else {
6297 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6298 &chan->conn_state) &&
6299 chan->unacked_frames)
6300 __set_retrans_timer(chan);
6301
6302 l2cap_send_ack(chan);
6303 }
6304 break;
6305 case L2CAP_EV_RECV_RNR:
6306 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6307 l2cap_pass_to_tx(chan, control);
6308 if (control->poll) {
6309 l2cap_send_srej_tail(chan);
6310 } else {
6311 struct l2cap_ctrl rr_control;
6312 memset(&rr_control, 0, sizeof(rr_control));
6313 rr_control.sframe = 1;
6314 rr_control.super = L2CAP_SUPER_RR;
6315 rr_control.reqseq = chan->buffer_seq;
6316 l2cap_send_sframe(chan, &rr_control);
6317 }
6318
6319 break;
6320 case L2CAP_EV_RECV_REJ:
6321 l2cap_handle_rej(chan, control);
6322 break;
6323 case L2CAP_EV_RECV_SREJ:
6324 l2cap_handle_srej(chan, control);
6325 break;
6326 }
6327
6328 if (skb && !skb_in_use) {
6329 BT_DBG("Freeing %p", skb);
6330 kfree_skb(skb);
6331 }
6332
6333 return err;
6334}
6335
32b32735
MM		 6336static int l2cap_finish_move(struct l2cap_chan *chan)
6337{
6338 BT_DBG("chan %p", chan);
6339
6340 chan->rx_state = L2CAP_RX_STATE_RECV;
6341
6342 if (chan->hs_hcon)
6343 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6344 else
6345 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6346
6347 return l2cap_resegment(chan);
6348}
6349
6350static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6351 struct l2cap_ctrl *control,
6352 struct sk_buff *skb, u8 event)
6353{
6354 int err;
6355
6356 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6357 event);
6358
6359 if (!control->poll)
6360 return -EPROTO;
6361
6362 l2cap_process_reqseq(chan, control->reqseq);
6363
6364 if (!skb_queue_empty(&chan->tx_q))
6365 chan->tx_send_head = skb_peek(&chan->tx_q);
6366 else
6367 chan->tx_send_head = NULL;
6368
6369 /* Rewind next_tx_seq to the point expected
6370 * by the receiver.
6371 */
6372 chan->next_tx_seq = control->reqseq;
6373 chan->unacked_frames = 0;
6374
6375 err = l2cap_finish_move(chan);
6376 if (err)
6377 return err;
6378
6379 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6380 l2cap_send_i_or_rr_or_rnr(chan);
6381
6382 if (event == L2CAP_EV_RECV_IFRAME)
6383 return -EPROTO;
6384
6385 return l2cap_rx_state_recv(chan, control, NULL, event);
6386}
6387
6388static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6389 struct l2cap_ctrl *control,
6390 struct sk_buff *skb, u8 event)
6391{
6392 int err;
6393
6394 if (!control->final)
6395 return -EPROTO;
6396
6397 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6398
6399 chan->rx_state = L2CAP_RX_STATE_RECV;
6400 l2cap_process_reqseq(chan, control->reqseq);
6401
6402 if (!skb_queue_empty(&chan->tx_q))
6403 chan->tx_send_head = skb_peek(&chan->tx_q);
6404 else
6405 chan->tx_send_head = NULL;
6406
6407 /* Rewind next_tx_seq to the point expected
6408 * by the receiver.
6409 */
6410 chan->next_tx_seq = control->reqseq;
6411 chan->unacked_frames = 0;
6412
6413 if (chan->hs_hcon)
6414 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6415 else
6416 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6417
6418 err = l2cap_resegment(chan);
6419
6420 if (!err)
6421 err = l2cap_rx_state_recv(chan, control, skb, event);
6422
6423 return err;
6424}
6425
d2a7ac5d
MM		 6426static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6427{
6428 /* Make sure reqseq is for a packet that has been sent but not acked */
6429 u16 unacked;
6430
6431 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6432 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6433}
6434
cec8ab6e
MM		 6435static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6436 struct sk_buff *skb, u8 event)
218bb9df 6437{
d2a7ac5d
MM		 6438 int err = 0;
6439
6440 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6441 control, skb, event, chan->rx_state);
6442
6443 if (__valid_reqseq(chan, control->reqseq)) {
6444 switch (chan->rx_state) {
6445 case L2CAP_RX_STATE_RECV:
6446 err = l2cap_rx_state_recv(chan, control, skb, event);
6447 break;
6448 case L2CAP_RX_STATE_SREJ_SENT:
6449 err = l2cap_rx_state_srej_sent(chan, control, skb,
6450 event);
6451 break;
32b32735
MM		 6452 case L2CAP_RX_STATE_WAIT_P:
6453 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6454 break;
6455 case L2CAP_RX_STATE_WAIT_F:
6456 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6457 break;
d2a7ac5d
MM		 6458 default:
6459 /* shut it down */
6460 break;
6461 }
6462 } else {
6463 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6464 control->reqseq, chan->next_tx_seq,
6465 chan->expected_ack_seq);
5e4e3972 6466 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6467 }
6468
6469 return err;
cec8ab6e
MM		 6470}
6471
6472static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6473 struct sk_buff *skb)
6474{
4b51dae9
MM		 6475 int err = 0;
6476
6477 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6478 chan->rx_state);
6479
6480 if (l2cap_classify_txseq(chan, control->txseq) ==
6481 L2CAP_TXSEQ_EXPECTED) {
6482 l2cap_pass_to_tx(chan, control);
6483
6484 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6485 __next_seq(chan, chan->buffer_seq));
6486
6487 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6488
6489 l2cap_reassemble_sdu(chan, skb, control);
6490 } else {
6491 if (chan->sdu) {
6492 kfree_skb(chan->sdu);
6493 chan->sdu = NULL;
6494 }
6495 chan->sdu_last_frag = NULL;
6496 chan->sdu_len = 0;
6497
6498 if (skb) {
6499 BT_DBG("Freeing %p", skb);
6500 kfree_skb(skb);
6501 }
6502 }
6503
6504 chan->last_acked_seq = control->txseq;
6505 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6506
6507 return err;
cec8ab6e
MM		 6508}
6509
6510static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6511{
6512 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6513 u16 len;
6514 u8 event;
218bb9df 6515
b76bbd66
MM		 6516 __unpack_control(chan, skb);
6517
218bb9df
GP		 6518 len = skb->len;
6519
6520 /*
6521 * We can just drop the corrupted I-frame here.
6522 * Receiver will miss it and start proper recovery
cec8ab6e 6523 * procedures and ask for retransmission.
218bb9df 6524 */
47d1ec61 6525 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6526 goto drop;
6527
cec8ab6e 6528 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6529 len -= L2CAP_SDULEN_SIZE;
218bb9df 6530
47d1ec61 6531 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6532 len -= L2CAP_FCS_SIZE;
218bb9df 6533
47d1ec61 6534 if (len > chan->mps) {
5e4e3972 6535 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6536 goto drop;
6537 }
6538
cec8ab6e
MM		 6539 if (!control->sframe) {
6540 int err;
218bb9df 6541
cec8ab6e
MM		 6542 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6543 control->sar, control->reqseq, control->final,
6544 control->txseq);
218bb9df 6545
cec8ab6e
MM		 6546 /* Validate F-bit - F=0 always valid, F=1 only
6547 * valid in TX WAIT_F
6548 */
6549 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6550 goto drop;
cec8ab6e
MM		 6551
6552 if (chan->mode != L2CAP_MODE_STREAMING) {
6553 event = L2CAP_EV_RECV_IFRAME;
6554 err = l2cap_rx(chan, control, skb, event);
6555 } else {
6556 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6557 }
6558
cec8ab6e 6559 if (err)
5e4e3972 6560 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6561 } else {
cec8ab6e
MM		 6562 const u8 rx_func_to_event[4] = {
6563 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6564 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6565 };
6566
6567 /* Only I-frames are expected in streaming mode */
6568 if (chan->mode == L2CAP_MODE_STREAMING)
6569 goto drop;
6570
6571 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6572 control->reqseq, control->final, control->poll,
6573 control->super);
6574
218bb9df 6575 if (len != 0) {
1bb166e6 6576 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6577 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6578 goto drop;
6579 }
6580
cec8ab6e
MM		 6581 /* Validate F and P bits */
6582 if (control->final && (control->poll ||
6583 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6584 goto drop;
6585
6586 event = rx_func_to_event[control->super];
6587 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6588 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6589 }
6590
6591 return 0;
6592
6593drop:
6594 kfree_skb(skb);
6595 return 0;
6596}
6597
b1c325c2
JH		 6598static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6599{
6600 struct l2cap_conn *conn = chan->conn;
6601 struct l2cap_le_credits pkt;
6602 u16 return_credits;
6603
6604 /* We return more credits to the sender only after the amount of
6605 * credits falls below half of the initial amount.
6606 */
f15b8ecf 6607 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6608 return;
6609
f15b8ecf 6610 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6611
6612 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6613
6614 chan->rx_credits += return_credits;
6615
6616 pkt.cid = cpu_to_le16(chan->scid);
6617 pkt.credits = cpu_to_le16(return_credits);
6618
6619 chan->ident = l2cap_get_ident(conn);
6620
6621 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6622}
6623
fad5fc89
JH		 6624static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6625{
aac23bf6
JH		 6626 int err;
6627
6628 if (!chan->rx_credits) {
6629 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6630 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6631 return -ENOBUFS;
aac23bf6 6632 }
fad5fc89 6633
aac23bf6
JH		 6634 if (chan->imtu < skb->len) {
6635 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6636 return -ENOBUFS;
aac23bf6 6637 }
fad5fc89
JH		 6638
6639 chan->rx_credits--;
6640 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6641
6642 l2cap_chan_le_send_credits(chan);
6643
aac23bf6
JH		 6644 err = 0;
6645
6646 if (!chan->sdu) {
6647 u16 sdu_len;
6648
6649 sdu_len = get_unaligned_le16(skb->data);
6650 skb_pull(skb, L2CAP_SDULEN_SIZE);
6651
6652 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6653 sdu_len, skb->len, chan->imtu);
6654
6655 if (sdu_len > chan->imtu) {
6656 BT_ERR("Too big LE L2CAP SDU length received");
6657 err = -EMSGSIZE;
6658 goto failed;
6659 }
6660
6661 if (skb->len > sdu_len) {
6662 BT_ERR("Too much LE L2CAP data received");
6663 err = -EINVAL;
6664 goto failed;
6665 }
6666
6667 if (skb->len == sdu_len)
6668 return chan->ops->recv(chan, skb);
6669
6670 chan->sdu = skb;
6671 chan->sdu_len = sdu_len;
6672 chan->sdu_last_frag = skb;
6673
6674 return 0;
6675 }
6676
6677 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6678 chan->sdu->len, skb->len, chan->sdu_len);
6679
6680 if (chan->sdu->len + skb->len > chan->sdu_len) {
6681 BT_ERR("Too much LE L2CAP data received");
6682 err = -EINVAL;
6683 goto failed;
6684 }
6685
6686 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6687 skb = NULL;
6688
6689 if (chan->sdu->len == chan->sdu_len) {
6690 err = chan->ops->recv(chan, chan->sdu);
6691 if (!err) {
6692 chan->sdu = NULL;
6693 chan->sdu_last_frag = NULL;
6694 chan->sdu_len = 0;
6695 }
6696 }
6697
6698failed:
6699 if (err) {
6700 kfree_skb(skb);
6701 kfree_skb(chan->sdu);
6702 chan->sdu = NULL;
6703 chan->sdu_last_frag = NULL;
6704 chan->sdu_len = 0;
6705 }
6706
6707 /* We can't return an error here since we took care of the skb
6708 * freeing internally. An error return would cause the caller to
6709 * do a double-free of the skb.
6710 */
6711 return 0;
fad5fc89
JH		 6712}
6713
13ca56e0
AE		 6714static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6715 struct sk_buff *skb)
1da177e4 6716{
48454079 6717 struct l2cap_chan *chan;
1da177e4 6718
baa7e1fa 6719 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6720 if (!chan) {
97e8e89d
AE		 6721 if (cid == L2CAP_CID_A2MP) {
6722 chan = a2mp_channel_create(conn, skb);
6723 if (!chan) {
6724 kfree_skb(skb);
13ca56e0 6725 return;
97e8e89d
AE		 6726 }
6727
6728 l2cap_chan_lock(chan);
6729 } else {
6730 BT_DBG("unknown cid 0x%4.4x", cid);
6731 /* Drop packet and return */
6732 kfree_skb(skb);
13ca56e0 6733 return;
97e8e89d 6734 }
1da177e4
LT		 6735 }
6736
49208c9c 6737 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6738
89bc500e 6739 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6740 goto drop;
6741
0c1bc5c6 6742 switch (chan->mode) {
38319713 6743 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6744 if (l2cap_le_data_rcv(chan, skb) < 0)
6745 goto drop;
6746
6747 goto done;
6748
1c2acffb
GP		 6749 case L2CAP_MODE_BASIC:
6750 /* If socket recv buffers overflows we drop data here
6751 * which is *bad* because L2CAP has to be reliable.
6752 * But we don't have any other choice. L2CAP doesn't
6753 * provide flow control mechanism. */
1da177e4 6754
2c96e03d
SJ		 6755 if (chan->imtu < skb->len) {
6756 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6757 goto drop;
2c96e03d 6758 }
1da177e4 6759
80b98027 6760 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6761 goto done;
6762 break;
6763
6764 case L2CAP_MODE_ERTM:
6840ed07 6765 case L2CAP_MODE_STREAMING:
cec8ab6e 6766 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6767 goto done;
6768
1c2acffb 6769 default:
0c1bc5c6 6770 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6771 break;
6772 }
1da177e4
LT		 6773
6774drop:
6775 kfree_skb(skb);
6776
6777done:
6be36555 6778 l2cap_chan_unlock(chan);
1da177e4
LT		 6779}
6780
84104b24
AE		 6781static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6782 struct sk_buff *skb)
1da177e4 6783{
ae4fd2d3 6784 struct hci_conn *hcon = conn->hcon;
23691d75 6785 struct l2cap_chan *chan;
1da177e4 6786
ae4fd2d3 6787 if (hcon->type != ACL_LINK)
a24cce14 6788 goto free_skb;
ae4fd2d3 6789
bf20fd4e
JH		 6790 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6791 ACL_LINK);
23691d75 6792 if (!chan)
a24cce14 6793 goto free_skb;
1da177e4 6794
5b4cedaa 6795 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6796
89bc500e 6797 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6798 goto drop;
6799
e13e21dc 6800 if (chan->imtu < skb->len)
1da177e4
LT		 6801 goto drop;
6802
2edf870d 6803 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6804 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6805 bt_cb(skb)->psm = psm;
6806
a24cce14
JH		 6807 if (!chan->ops->recv(chan, skb)) {
6808 l2cap_chan_put(chan);
84104b24 6809 return;
a24cce14 6810 }
1da177e4
LT		 6811
6812drop:
a24cce14
JH		 6813 l2cap_chan_put(chan);
6814free_skb:
1da177e4 6815 kfree_skb(skb);
1da177e4
LT		 6816}
6817
6818static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6819{
6820 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6821 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6822 u16 cid, len;
6823 __le16 psm;
1da177e4 6824
61a939c6
JH		 6825 if (hcon->state != BT_CONNECTED) {
6826 BT_DBG("queueing pending rx skb");
6827 skb_queue_tail(&conn->pending_rx, skb);
6828 return;
6829 }
6830
1da177e4
LT		 6831 skb_pull(skb, L2CAP_HDR_SIZE);
6832 cid = __le16_to_cpu(lh->cid);
6833 len = __le16_to_cpu(lh->len);
6834
1c2acffb
GP		 6835 if (len != skb->len) {
6836 kfree_skb(skb);
6837 return;
6838 }
6839
9e1d7e15
JH		 6840 /* Since we can't actively block incoming LE connections we must
6841 * at least ensure that we ignore incoming data from them.
6842 */
6843 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6844 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6845 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6846 kfree_skb(skb);
6847 return;
6848 }
6849
1da177e4
LT		 6850 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6851
6852 switch (cid) {
8db4dc46 6853 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6854 l2cap_sig_channel(conn, skb);
6855 break;
6856
8db4dc46 6857 case L2CAP_CID_CONN_LESS:
097db76c 6858 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6859 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6860 l2cap_conless_channel(conn, psm, skb);
6861 break;
6862
a2877629
MH		 6863 case L2CAP_CID_LE_SIGNALING:
6864 l2cap_le_sig_channel(conn, skb);
6865 break;
6866
1da177e4
LT		 6867 default:
6868 l2cap_data_channel(conn, cid, skb);
6869 break;
6870 }
6871}
6872
61a939c6
JH		 6873static void process_pending_rx(struct work_struct *work)
6874{
6875 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6876 pending_rx_work);
6877 struct sk_buff *skb;
6878
6879 BT_DBG("");
6880
6881 while ((skb = skb_dequeue(&conn->pending_rx)))
6882 l2cap_recv_frame(conn, skb);
6883}
6884
162b49e7
JH		 6885static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6886{
6887 struct l2cap_conn *conn = hcon->l2cap_data;
6888 struct hci_chan *hchan;
6889
6890 if (conn)
6891 return conn;
6892
6893 hchan = hci_chan_create(hcon);
6894 if (!hchan)
6895 return NULL;
6896
27f70f3e 6897 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
162b49e7
JH		 6898 if (!conn) {
6899 hci_chan_del(hchan);
6900 return NULL;
6901 }
6902
6903 kref_init(&conn->ref);
6904 hcon->l2cap_data = conn;
6905 conn->hcon = hcon;
6906 hci_conn_get(conn->hcon);
6907 conn->hchan = hchan;
6908
6909 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6910
6911 switch (hcon->type) {
6912 case LE_LINK:
6913 if (hcon->hdev->le_mtu) {
6914 conn->mtu = hcon->hdev->le_mtu;
6915 break;
6916 }
6917 /* fall through */
6918 default:
6919 conn->mtu = hcon->hdev->acl_mtu;
6920 break;
6921 }
6922
6923 conn->feat_mask = 0;
6924
6925 if (hcon->type == ACL_LINK)
6926 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
6927 &hcon->hdev->dev_flags);
6928
5a54e7c8 6929 mutex_init(&conn->ident_lock);
162b49e7
JH		 6930 mutex_init(&conn->chan_lock);
6931
6932 INIT_LIST_HEAD(&conn->chan_l);
6933 INIT_LIST_HEAD(&conn->users);
6934
276d8073 6935 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
162b49e7 6936
dec5b492
JH		 6937 INIT_WORK(&conn->disconn_work, disconn_work);
6938
61a939c6
JH		 6939 skb_queue_head_init(&conn->pending_rx);
6940 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6941
162b49e7
JH		 6942 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6943
6944 return conn;
6945}
6946
6947static bool is_valid_psm(u16 psm, u8 dst_type) {
6948 if (!psm)
6949 return false;
6950
6951 if (bdaddr_type_is_le(dst_type))
6952 return (psm <= 0x00ff);
6953
6954 /* PSM must be odd and lsb of upper byte must be 0 */
6955 return ((psm & 0x0101) == 0x0001);
6956}
6957
6958int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6959 bdaddr_t *dst, u8 dst_type)
6960{
6961 struct l2cap_conn *conn;
6962 struct hci_conn *hcon;
6963 struct hci_dev *hdev;
162b49e7
JH		 6964 int err;
6965
6966 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
6967 dst_type, __le16_to_cpu(psm));
6968
6969 hdev = hci_get_route(dst, &chan->src);
6970 if (!hdev)
6971 return -EHOSTUNREACH;
6972
6973 hci_dev_lock(hdev);
6974
6975 l2cap_chan_lock(chan);
6976
6977 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6978 chan->chan_type != L2CAP_CHAN_RAW) {
6979 err = -EINVAL;
6980 goto done;
6981 }
6982
21626e62
JH		 6983 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6984 err = -EINVAL;
6985 goto done;
6986 }
6987
6988 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 6989 err = -EINVAL;
6990 goto done;
6991 }
6992
6993 switch (chan->mode) {
6994 case L2CAP_MODE_BASIC:
6995 break;
6996 case L2CAP_MODE_LE_FLOWCTL:
6997 l2cap_le_flowctl_init(chan);
6998 break;
6999 case L2CAP_MODE_ERTM:
7000 case L2CAP_MODE_STREAMING:
7001 if (!disable_ertm)
7002 break;
7003 /* fall through */
7004 default:
beb19e4c 7005 err = -EOPNOTSUPP;
162b49e7
JH		 7006 goto done;
7007 }
7008
7009 switch (chan->state) {
7010 case BT_CONNECT:
7011 case BT_CONNECT2:
7012 case BT_CONFIG:
7013 /* Already connecting */
7014 err = 0;
7015 goto done;
7016
7017 case BT_CONNECTED:
7018 /* Already connected */
7019 err = -EISCONN;
7020 goto done;
7021
7022 case BT_OPEN:
7023 case BT_BOUND:
7024 /* Can connect */
7025 break;
7026
7027 default:
7028 err = -EBADFD;
7029 goto done;
7030 }
7031
7032 /* Set destination address and psm */
7033 bacpy(&chan->dst, dst);
7034 chan->dst_type = dst_type;
7035
7036 chan->psm = psm;
7037 chan->dcid = cid;
7038
6f77d8c7 7039 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7040 u8 role;
cdd6275e 7041
6f77d8c7
AG		 7042 /* Convert from L2CAP channel address type to HCI address type
7043 */
7044 if (dst_type == BDADDR_LE_PUBLIC)
7045 dst_type = ADDR_LE_DEV_PUBLIC;
7046 else
7047 dst_type = ADDR_LE_DEV_RANDOM;
7048
e804d25d
JH		 7049 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7050 role = HCI_ROLE_SLAVE;
7051 else
7052 role = HCI_ROLE_MASTER;
cdd6275e 7053
04a6c589 7054 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7055 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7056 } else {
d93375a8 7057 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7058 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7059 }
162b49e7
JH		 7060
7061 if (IS_ERR(hcon)) {
7062 err = PTR_ERR(hcon);
7063 goto done;
7064 }
7065
7066 conn = l2cap_conn_add(hcon);
7067 if (!conn) {
7068 hci_conn_drop(hcon);
7069 err = -ENOMEM;
7070 goto done;
7071 }
7072
7073 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7074 hci_conn_drop(hcon);
7075 err = -EBUSY;
7076 goto done;
7077 }
7078
7079 /* Update source addr of the socket */
7080 bacpy(&chan->src, &hcon->src);
7081 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7082
7083 l2cap_chan_unlock(chan);
7084 l2cap_chan_add(conn, chan);
7085 l2cap_chan_lock(chan);
7086
7087 /* l2cap_chan_add takes its own ref so we can drop this one */
7088 hci_conn_drop(hcon);
7089
7090 l2cap_state_change(chan, BT_CONNECT);
7091 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7092
61202e4d
JH		 7093 /* Release chan->sport so that it can be reused by other
7094 * sockets (as it's only used for listening sockets).
7095 */
7096 write_lock(&chan_list_lock);
7097 chan->sport = 0;
7098 write_unlock(&chan_list_lock);
7099
162b49e7
JH		 7100 if (hcon->state == BT_CONNECTED) {
7101 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7102 __clear_chan_timer(chan);
e7cafc45 7103 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7104 l2cap_state_change(chan, BT_CONNECTED);
7105 } else
7106 l2cap_do_start(chan);
7107 }
7108
7109 err = 0;
7110
7111done:
7112 l2cap_chan_unlock(chan);
7113 hci_dev_unlock(hdev);
7114 hci_dev_put(hdev);
7115 return err;
7116}
6b8d4a6a 7117EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7118
1da177e4
LT		 7119/* ---- L2CAP interface with lower layer (HCI) ---- */
7120
686ebf28 7121int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7122{
7123 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7124 struct l2cap_chan *c;
1da177e4 7125
6ed93dc6 7126 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7127
7128 /* Find listening sockets and check their link_mode */
23691d75
GP		 7129 read_lock(&chan_list_lock);
7130 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7131 if (c->state != BT_LISTEN)
1da177e4
LT		 7132 continue;
7133
7eafc59e 7134 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7135 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7136 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7137 lm1 |= HCI_LM_MASTER;
1da177e4 7138 exact++;
7eafc59e 7139 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7140 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7141 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7142 lm2 |= HCI_LM_MASTER;
7143 }
1da177e4 7144 }
23691d75 7145 read_unlock(&chan_list_lock);
1da177e4
LT		 7146
7147 return exact ? lm1 : lm2;
7148}
7149
e760ec12
JH		 7150/* Find the next fixed channel in BT_LISTEN state, continue iteration
7151 * from an existing channel in the list or from the beginning of the
7152 * global list (by passing NULL as first parameter).
7153 */
7154static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
54a1b626 7155 bdaddr_t *src, u8 link_type)
e760ec12
JH		 7156{
7157 read_lock(&chan_list_lock);
7158
7159 if (c)
7160 c = list_next_entry(c, global_l);
7161 else
7162 c = list_entry(chan_list.next, typeof(*c), global_l);
7163
7164 list_for_each_entry_from(c, &chan_list, global_l) {
7165 if (c->chan_type != L2CAP_CHAN_FIXED)
7166 continue;
7167 if (c->state != BT_LISTEN)
7168 continue;
7169 if (bacmp(&c->src, src) && bacmp(&c->src, BDADDR_ANY))
7170 continue;
54a1b626
JH		 7171 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
7172 continue;
7173 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
7174 continue;
e760ec12
JH		 7175
7176 l2cap_chan_hold(c);
7177 read_unlock(&chan_list_lock);
7178 return c;
7179 }
7180
7181 read_unlock(&chan_list_lock);
7182
7183 return NULL;
7184}
7185
9e664631 7186void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7187{
e760ec12 7188 struct hci_dev *hdev = hcon->hdev;
0139418c 7189 struct l2cap_conn *conn;
e760ec12
JH		 7190 struct l2cap_chan *pchan;
7191 u8 dst_type;
0139418c 7192
6ed93dc6 7193 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7194
dc0f5088 7195 if (status) {
e175072f 7196 l2cap_conn_del(hcon, bt_to_errno(status));
dc0f5088 7197 return;
ba6fc317 7198 }
dc0f5088
JH		 7199
7200 conn = l2cap_conn_add(hcon);
7201 if (!conn)
7202 return;
7203
e760ec12
JH		 7204 dst_type = bdaddr_type(hcon, hcon->dst_type);
7205
7206 /* If device is blocked, do not create channels for it */
7207 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7208 return;
7209
7210 /* Find fixed channels and notify them of the new connection. We
7211 * use multiple individual lookups, continuing each time where
7212 * we left off, because the list lock would prevent calling the
7213 * potentially sleeping l2cap_chan_lock() function.
7214 */
54a1b626 7215 pchan = l2cap_global_fixed_chan(NULL, &hdev->bdaddr, hcon->type);
e760ec12
JH		 7216 while (pchan) {
7217 struct l2cap_chan *chan, *next;
7218
7219 /* Client fixed channels should override server ones */
7220 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7221 goto next;
7222
7223 l2cap_chan_lock(pchan);
7224 chan = pchan->ops->new_connection(pchan);
7225 if (chan) {
7226 bacpy(&chan->src, &hcon->src);
7227 bacpy(&chan->dst, &hcon->dst);
7228 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7229 chan->dst_type = dst_type;
7230
7231 __l2cap_chan_add(conn, chan);
7232 }
7233
7234 l2cap_chan_unlock(pchan);
7235next:
54a1b626
JH		 7236 next = l2cap_global_fixed_chan(pchan, &hdev->bdaddr,
7237 hcon->type);
e760ec12
JH		 7238 l2cap_chan_put(pchan);
7239 pchan = next;
7240 }
7241
dc0f5088 7242 l2cap_conn_ready(conn);
1da177e4
LT		 7243}
7244
686ebf28 7245int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7246{
7247 struct l2cap_conn *conn = hcon->l2cap_data;
7248
7249 BT_DBG("hcon %p", hcon);
7250
686ebf28 7251 if (!conn)
9f5a0d7b 7252 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7253 return conn->disc_reason;
7254}
7255
9e664631 7256void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7257{
7258 BT_DBG("hcon %p reason %d", hcon, reason);
7259
e175072f 7260 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7261}
7262
4343478f 7263static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7264{
715ec005 7265 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7266 return;
7267
f62e4323 7268 if (encrypt == 0x00) {
4343478f 7269 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7270 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7271 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7272 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7273 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7274 } else {
4343478f 7275 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7276 __clear_chan_timer(chan);
f62e4323
MH		 7277 }
7278}
7279
686ebf28 7280int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7281{
0139418c 7282 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7283 struct l2cap_chan *chan;
1da177e4 7284
0139418c 7285 if (!conn)
1da177e4 7286 return 0;
0139418c 7287
89d8b407 7288 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7289
3df91ea2 7290 mutex_lock(&conn->chan_lock);
1da177e4 7291
3df91ea2 7292 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7293 l2cap_chan_lock(chan);
1da177e4 7294
89d8b407
AE		 7295 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7296 state_to_string(chan->state));
f1cb9af5 7297
2338a7e0 7298 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7299 l2cap_chan_unlock(chan);
7300 continue;
7301 }
7302
191eb398
JH		 7303 if (!status && encrypt)
7304 chan->sec_level = hcon->sec_level;
f1cb9af5 7305
96eff46e 7306 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7307 l2cap_chan_unlock(chan);
6a8d3010
MH		 7308 continue;
7309 }
7310
89bc500e 7311 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7312 chan->state == BT_CONFIG)) {
d97c899b 7313 chan->ops->resume(chan);
4343478f 7314 l2cap_check_encryption(chan, encrypt);
6be36555 7315 l2cap_chan_unlock(chan);
9719f8af
MH		 7316 continue;
7317 }
7318
89bc500e 7319 if (chan->state == BT_CONNECT) {
6d3c15da 7320 if (!status)
93c3e8f5 7321 l2cap_start_connection(chan);
6d3c15da 7322 else
ba13ccd9 7323 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7324 } else if (chan->state == BT_CONNECT2) {
b1235d79 7325 struct l2cap_conn_rsp rsp;
df3c3931 7326 __u16 res, stat;
1da177e4 7327
b1235d79 7328 if (!status) {
bdc25783 7329 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7330 res = L2CAP_CR_PEND;
7331 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7332 chan->ops->defer(chan);
df3c3931 7333 } else {
acdcabf5 7334 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7335 res = L2CAP_CR_SUCCESS;
7336 stat = L2CAP_CS_NO_INFO;
7337 }
b1235d79 7338 } else {
acdcabf5 7339 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7340 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7341 res = L2CAP_CR_SEC_BLOCK;
7342 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7343 }
7344
fe4128e0
GP		 7345 rsp.scid = cpu_to_le16(chan->dcid);
7346 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7347 rsp.result = cpu_to_le16(res);
7348 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7349 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7350 sizeof(rsp), &rsp);
2d369359
MM		 7351
7352 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7353 res == L2CAP_CR_SUCCESS) {
7354 char buf[128];
7355 set_bit(CONF_REQ_SENT, &chan->conf_state);
7356 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7357 L2CAP_CONF_REQ,
7358 l2cap_build_conf_req(chan, buf),
7359 buf);
7360 chan->num_conf_req++;
7361 }
b1235d79 7362 }
1da177e4 7363
6be36555 7364 l2cap_chan_unlock(chan);
1da177e4
LT		 7365 }
7366
3df91ea2 7367 mutex_unlock(&conn->chan_lock);
b1235d79 7368
1da177e4
LT		 7369 return 0;
7370}
7371
686ebf28 7372int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7373{
7374 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7375 struct l2cap_hdr *hdr;
7376 int len;
1da177e4 7377
1d13a254
AE		 7378 /* For AMP controller do not create l2cap conn */
7379 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7380 goto drop;
1da177e4 7381
5a08ecce 7382 if (!conn)
baf43251 7383 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7384
7385 if (!conn)
1da177e4
LT		 7386 goto drop;
7387
7388 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7389
d73a0988
AE		 7390 switch (flags) {
7391 case ACL_START:
7392 case ACL_START_NO_FLUSH:
7393 case ACL_COMPLETE:
1da177e4
LT		 7394 if (conn->rx_len) {
7395 BT_ERR("Unexpected start frame (len %d)", skb->len);
7396 kfree_skb(conn->rx_skb);
7397 conn->rx_skb = NULL;
7398 conn->rx_len = 0;
7399 l2cap_conn_unreliable(conn, ECOMM);
7400 }
7401
aae7fe22
AE		 7402 /* Start fragment always begin with Basic L2CAP header */
7403 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7404 BT_ERR("Frame is too short (len %d)", skb->len);
7405 l2cap_conn_unreliable(conn, ECOMM);
7406 goto drop;
7407 }
7408
7409 hdr = (struct l2cap_hdr *) skb->data;
7410 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7411
7412 if (len == skb->len) {
7413 /* Complete frame received */
7414 l2cap_recv_frame(conn, skb);
7415 return 0;
7416 }
7417
7418 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7419
7420 if (skb->len > len) {
7421 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7422 skb->len, len);
1da177e4
LT		 7423 l2cap_conn_unreliable(conn, ECOMM);
7424 goto drop;
7425 }
7426
7427 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7428 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7429 if (!conn->rx_skb)
1da177e4
LT		 7430 goto drop;
7431
d626f62b 7432 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7433 skb->len);
1da177e4 7434 conn->rx_len = len - skb->len;
d73a0988
AE		 7435 break;
7436
7437 case ACL_CONT:
1da177e4
LT		 7438 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7439
7440 if (!conn->rx_len) {
7441 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7442 l2cap_conn_unreliable(conn, ECOMM);
7443 goto drop;
7444 }
7445
7446 if (skb->len > conn->rx_len) {
7447 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7448 skb->len, conn->rx_len);
1da177e4
LT		 7449 kfree_skb(conn->rx_skb);
7450 conn->rx_skb = NULL;
7451 conn->rx_len = 0;
7452 l2cap_conn_unreliable(conn, ECOMM);
7453 goto drop;
7454 }
7455
d626f62b 7456 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7457 skb->len);
1da177e4
LT		 7458 conn->rx_len -= skb->len;
7459
7460 if (!conn->rx_len) {
c4e5bafa
JH		 7461 /* Complete frame received. l2cap_recv_frame
7462 * takes ownership of the skb so set the global
7463 * rx_skb pointer to NULL first.
7464 */
7465 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7466 conn->rx_skb = NULL;
c4e5bafa 7467 l2cap_recv_frame(conn, rx_skb);
1da177e4 7468 }
d73a0988 7469 break;
1da177e4
LT		 7470 }
7471
7472drop:
7473 kfree_skb(skb);
7474 return 0;
7475}
7476
aef7d97c 7477static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7478{
23691d75 7479 struct l2cap_chan *c;
1da177e4 7480
333055f2 7481 read_lock(&chan_list_lock);
1da177e4 7482
23691d75 7483 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7484 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7485 &c->src, &c->dst,
fcb73338
AE		 7486 c->state, __le16_to_cpu(c->psm),
7487 c->scid, c->dcid, c->imtu, c->omtu,
7488 c->sec_level, c->mode);
61e1b4b7 7489 }
1da177e4 7490
333055f2 7491 read_unlock(&chan_list_lock);
1da177e4 7492
aef7d97c 7493 return 0;
1da177e4
LT		 7494}
7495
aef7d97c
MH		 7496static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7497{
7498 return single_open(file, l2cap_debugfs_show, inode->i_private);
7499}
7500
7501static const struct file_operations l2cap_debugfs_fops = {
7502 .open = l2cap_debugfs_open,
7503 .read = seq_read,
7504 .llseek = seq_lseek,
7505 .release = single_release,
7506};
7507
7508static struct dentry *l2cap_debugfs;
1da177e4 7509
64274518 7510int __init l2cap_init(void)
1da177e4
LT		 7511{
7512 int err;
be9d1227 7513
bb58f747 7514 err = l2cap_init_sockets();
1da177e4
LT		 7515 if (err < 0)
7516 return err;
7517
1120e4bf
MH		 7518 if (IS_ERR_OR_NULL(bt_debugfs))
7519 return 0;
7520
7521 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7522 NULL, &l2cap_debugfs_fops);
1da177e4 7523
40b9397a 7524 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7525 &le_max_credits);
40b9397a 7526 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7527 &le_default_mps);
7528
1da177e4 7529 return 0;
1da177e4
LT		 7530}
7531
64274518 7532void l2cap_exit(void)
1da177e4 7533{
aef7d97c 7534 debugfs_remove(l2cap_debugfs);
bb58f747 7535 l2cap_cleanup_sockets();
1da177e4
LT		 7536}
7537
d1c4a17d
GP		 7538module_param(disable_ertm, bool, 0644);
7539MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux 6.x block layer and io_uring tree(s)