projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix allowing initiating pairing when not pairable
[linux-2.6-block.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
7ef9fbf0 39
ac4b7236 40#include "smp.h"
7024728e 41#include "a2mp.h"
7ef9fbf0 42#include "amp.h"
1da177e4 43
0f1bfe4e
JH		 44#define LE_FLOWCTL_MAX_CREDITS 65535
45
d1de6d46 46bool disable_ertm;
f0709e03 47
547d1032 48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
a6801ca9 49static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
1da177e4 50
b5ad8b7f
JB		 51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
1da177e4 53
f15b8ecf
JH		 54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
1da177e4 57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 58 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 60 void *data);
710f9b0a 61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 62static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 63
d660366d 64static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 65 struct sk_buff_head *skbs, u8 event);
608bcc6d 66
4f1654e0
MH		 67static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68{
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77}
78
0139418c 79/* ---- L2CAP channels ---- */
71ba0e56 80
2d792818
GP		 81static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
0139418c 83{
3df91ea2 84 struct l2cap_chan *c;
3d57dc68 85
3df91ea2
AE		 86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
0139418c 89 }
3df91ea2 90 return NULL;
0139418c
MH		 91}
92
2d792818
GP		 93static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
0139418c 95{
3df91ea2 96 struct l2cap_chan *c;
3d57dc68 97
3df91ea2
AE		 98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
0139418c 101 }
3df91ea2 102 return NULL;
0139418c
MH		 103}
104
105/* Find channel with given SCID.
ef191ade 106 * Returns locked channel. */
2d792818
GP		 107static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
0139418c 109{
48454079 110 struct l2cap_chan *c;
baa7e1fa 111
3df91ea2 112 mutex_lock(&conn->chan_lock);
baa7e1fa 113 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 114 if (c)
115 l2cap_chan_lock(c);
3df91ea2
AE		 116 mutex_unlock(&conn->chan_lock);
117
48454079 118 return c;
0139418c
MH		 119}
120
b1a130b7
MM		 121/* Find channel with given DCID.
122 * Returns locked channel.
123 */
124static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126{
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136}
137
2d792818
GP		 138static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
0139418c 140{
3df91ea2 141 struct l2cap_chan *c;
3d57dc68 142
3df91ea2
AE		 143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
0139418c 146 }
3df91ea2 147 return NULL;
0139418c
MH		 148}
149
5b155ef9
MM		 150static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152{
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162}
163
23691d75 164static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 165{
23691d75 166 struct l2cap_chan *c;
9e4425ff 167
23691d75 168 list_for_each_entry(c, &chan_list, global_l) {
7eafc59e 169 if (c->sport == psm && !bacmp(&c->src, src))
250938cb 170 return c;
9e4425ff 171 }
250938cb 172 return NULL;
9e4425ff
GP		 173}
174
175int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176{
73b2ec18
GP		 177 int err;
178
333055f2 179 write_lock(&chan_list_lock);
9e4425ff 180
23691d75 181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 182 err = -EADDRINUSE;
183 goto done;
9e4425ff
GP		 184 }
185
73b2ec18
GP		 186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
9e4425ff 202
73b2ec18 203done:
333055f2 204 write_unlock(&chan_list_lock);
73b2ec18 205 return err;
9e4425ff 206}
6b8d4a6a 207EXPORT_SYMBOL_GPL(l2cap_add_psm);
9e4425ff
GP		 208
209int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210{
333055f2 211 write_lock(&chan_list_lock);
9e4425ff
GP		 212
213 chan->scid = scid;
214
333055f2 215 write_unlock(&chan_list_lock);
9e4425ff
GP		 216
217 return 0;
218}
219
baa7e1fa 220static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 221{
e77af755 222 u16 cid, dyn_end;
0139418c 223
e77af755
JH		 224 if (conn->hcon->type == LE_LINK)
225 dyn_end = L2CAP_CID_LE_DYN_END;
226 else
227 dyn_end = L2CAP_CID_DYN_END;
228
229 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
baa7e1fa 230 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 231 return cid;
232 }
233
234 return 0;
235}
236
f93fa273 237static void l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 238{
42d2d87c 239 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 240 state_to_string(state));
badaaa00 241
89bc500e 242 chan->state = state;
53f52121 243 chan->ops->state_change(chan, state, 0);
89bc500e
GP		 244}
245
f8e73017
GP		 246static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
247 int state, int err)
2e0052e4 248{
f8e73017 249 chan->state = state;
53f52121 250 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 251}
252
253static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
254{
f8e73017 255 chan->ops->state_change(chan, chan->state, err);
2e0052e4
AE		 256}
257
4239d16f
MM		 258static void __set_retrans_timer(struct l2cap_chan *chan)
259{
260 if (!delayed_work_pending(&chan->monitor_timer) &&
261 chan->retrans_timeout) {
262 l2cap_set_timer(chan, &chan->retrans_timer,
263 msecs_to_jiffies(chan->retrans_timeout));
264 }
265}
266
267static void __set_monitor_timer(struct l2cap_chan *chan)
268{
269 __clear_retrans_timer(chan);
270 if (chan->monitor_timeout) {
271 l2cap_set_timer(chan, &chan->monitor_timer,
272 msecs_to_jiffies(chan->monitor_timeout));
273 }
274}
275
608bcc6d
MM		 276static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
277 u16 seq)
278{
279 struct sk_buff *skb;
280
281 skb_queue_walk(head, skb) {
282 if (bt_cb(skb)->control.txseq == seq)
283 return skb;
284 }
285
286 return NULL;
287}
288
3c588192
MM		 289/* ---- L2CAP sequence number lists ---- */
290
291/* For ERTM, ordered lists of sequence numbers must be tracked for
292 * SREJ requests that are received and for frames that are to be
293 * retransmitted. These seq_list functions implement a singly-linked
294 * list in an array, where membership in the list can also be checked
295 * in constant time. Items can also be added to the tail of the list
296 * and removed from the head in constant time, without further memory
297 * allocs or frees.
298 */
299
300static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
301{
302 size_t alloc_size, i;
303
304 /* Allocated size is a power of 2 to map sequence numbers
305 * (which may be up to 14 bits) in to a smaller array that is
306 * sized for the negotiated ERTM transmit windows.
307 */
308 alloc_size = roundup_pow_of_two(size);
309
310 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
311 if (!seq_list->list)
312 return -ENOMEM;
313
314 seq_list->mask = alloc_size - 1;
315 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
316 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
317 for (i = 0; i < alloc_size; i++)
318 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
319
320 return 0;
321}
322
323static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
324{
325 kfree(seq_list->list);
326}
327
328static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
329 u16 seq)
330{
331 /* Constant-time check for list membership */
332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
333}
334
03a0c5d6 335static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
3c588192 336{
03a0c5d6 337 u16 seq = seq_list->head;
3c588192
MM		 338 u16 mask = seq_list->mask;
339
03a0c5d6
JH		 340 seq_list->head = seq_list->list[seq & mask];
341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
342
343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192 346 }
3c588192 347
03a0c5d6 348 return seq;
3c588192
MM		 349}
350
351static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
352{
f522ae36 353 u16 i;
3c588192 354
f522ae36
GP		 355 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
356 return;
357
358 for (i = 0; i <= seq_list->mask; i++)
359 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
360
361 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
362 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 363}
364
365static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
366{
367 u16 mask = seq_list->mask;
368
369 /* All appends happen in constant time */
370
f522ae36
GP		 371 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
372 return;
3c588192 373
f522ae36
GP		 374 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
375 seq_list->head = seq;
376 else
377 seq_list->list[seq_list->tail & mask] = seq;
378
379 seq_list->tail = seq;
380 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 381}
382
721c4181 383static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 384{
721c4181 385 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 386 chan_timer.work);
3df91ea2 387 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 388 int reason;
389
e05dcc32 390 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 391
3df91ea2 392 mutex_lock(&conn->chan_lock);
6be36555 393 l2cap_chan_lock(chan);
ab07801d 394
89bc500e 395 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 396 reason = ECONNREFUSED;
89bc500e 397 else if (chan->state == BT_CONNECT &&
2d792818 398 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 399 reason = ECONNREFUSED;
400 else
401 reason = ETIMEDOUT;
402
0f852724 403 l2cap_chan_close(chan, reason);
ab07801d 404
6be36555 405 l2cap_chan_unlock(chan);
ab07801d 406
80b98027 407 chan->ops->close(chan);
3df91ea2
AE		 408 mutex_unlock(&conn->chan_lock);
409
371fd835 410 l2cap_chan_put(chan);
ab07801d
GP		 411}
412
eef1d9b6 413struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 414{
415 struct l2cap_chan *chan;
416
417 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
418 if (!chan)
419 return NULL;
420
c03b355e
AE		 421 mutex_init(&chan->lock);
422
333055f2 423 write_lock(&chan_list_lock);
23691d75 424 list_add(&chan->global_l, &chan_list);
333055f2 425 write_unlock(&chan_list_lock);
23691d75 426
721c4181 427 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 428
89bc500e
GP		 429 chan->state = BT_OPEN;
430
144ad330 431 kref_init(&chan->kref);
71ba0e56 432
2827011f
MM		 433 /* This flag is cleared in l2cap_chan_ready() */
434 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
435
eef1d9b6 436 BT_DBG("chan %p", chan);
abc545b8 437
48454079
GP		 438 return chan;
439}
6b8d4a6a 440EXPORT_SYMBOL_GPL(l2cap_chan_create);
48454079 441
144ad330 442static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 443{
144ad330
SS		 444 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
445
4af66c69
JK		 446 BT_DBG("chan %p", chan);
447
333055f2 448 write_lock(&chan_list_lock);
23691d75 449 list_del(&chan->global_l);
333055f2 450 write_unlock(&chan_list_lock);
23691d75 451
4af66c69 452 kfree(chan);
6ff5abbf
GP		 453}
454
30648372
JK		 455void l2cap_chan_hold(struct l2cap_chan *c)
456{
144ad330 457 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 458
144ad330 459 kref_get(&c->kref);
30648372
JK		 460}
461
462void l2cap_chan_put(struct l2cap_chan *c)
463{
144ad330 464 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 465
144ad330 466 kref_put(&c->kref, l2cap_chan_destroy);
30648372 467}
6b8d4a6a 468EXPORT_SYMBOL_GPL(l2cap_chan_put);
30648372 469
bd4b1653
AE		 470void l2cap_chan_set_defaults(struct l2cap_chan *chan)
471{
472 chan->fcs = L2CAP_FCS_CRC16;
473 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
474 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
475 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
6a5e8165
JR		 476 chan->remote_max_tx = chan->max_tx;
477 chan->remote_tx_win = chan->tx_win;
c20f8e35 478 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653 479 chan->sec_level = BT_SECURITY_LOW;
6a5e8165
JR		 480 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
481 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
482 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
483 chan->conf_state = 0;
bd4b1653
AE		 484
485 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
486}
6b8d4a6a 487EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
bd4b1653 488
0ce43ce6 489static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
38319713 490{
0ce43ce6
JH		 491 chan->sdu = NULL;
492 chan->sdu_last_frag = NULL;
493 chan->sdu_len = 0;
0cd75f7e 494 chan->tx_credits = 0;
f15b8ecf 495 chan->rx_credits = le_max_credits;
d1d79413 496 chan->mps = min_t(u16, chan->imtu, le_default_mps);
0ce43ce6
JH		 497
498 skb_queue_head_init(&chan->tx_q);
38319713
JH		 499}
500
93c3e8f5 501void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 502{
af05b30b 503 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 504 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 505
9f5a0d7b 506 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 507
8c1d787b 508 chan->conn = conn;
0139418c 509
5491120e
AE		 510 switch (chan->chan_type) {
511 case L2CAP_CHAN_CONN_ORIENTED:
21626e62
JH		 512 /* Alloc CID for connection-oriented socket */
513 chan->scid = l2cap_alloc_cid(conn);
514 if (conn->hcon->type == ACL_LINK)
0c1bc5c6 515 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
2338a7e0
JH		 525 case L2CAP_CHAN_FIXED:
526 /* Caller will set CID and CID specific MTU values */
416fa752
AE		 527 break;
528
5491120e 529 default:
0139418c 530 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 531 chan->scid = L2CAP_CID_SIGNALING;
532 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 533 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 534 }
535
8f7975b1
AE		 536 chan->local_id = L2CAP_BESTEFFORT_ID;
537 chan->local_stype = L2CAP_SERV_BESTEFFORT;
538 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
539 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
540 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 541 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 542
371fd835 543 l2cap_chan_hold(chan);
baa7e1fa 544
5ee9891d
JH		 545 hci_conn_hold(conn->hcon);
546
3df91ea2 547 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 548}
549
466f8004 550void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 551{
552 mutex_lock(&conn->chan_lock);
553 __l2cap_chan_add(conn, chan);
3df91ea2 554 mutex_unlock(&conn->chan_lock);
0139418c
MH		 555}
556
466f8004 557void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 558{
8c1d787b 559 struct l2cap_conn *conn = chan->conn;
0139418c 560
c9b66675 561 __clear_chan_timer(chan);
0139418c 562
49208c9c 563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 564
8e87d142 565 if (conn) {
56f60984 566 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 567 /* Delete from channel list */
3df91ea2 568 list_del(&chan->list);
3d57dc68 569
371fd835 570 l2cap_chan_put(chan);
baa7e1fa 571
8c1d787b 572 chan->conn = NULL;
3cabbfda 573
2338a7e0 574 if (chan->scid != L2CAP_CID_A2MP)
76a68ba0 575 hci_conn_drop(conn->hcon);
56f60984
AE		 576
577 if (mgr && mgr->bredr_chan == chan)
578 mgr->bredr_chan = NULL;
0139418c
MH		 579 }
580
419e08c1
AE		 581 if (chan->hs_hchan) {
582 struct hci_chan *hs_hchan = chan->hs_hchan;
583
584 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
585 amp_disconnect_logical_link(hs_hchan);
586 }
587
b699ec0d 588 chan->ops->teardown(chan, err);
6be36555 589
2827011f 590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 591 return;
2ead70b8 592
ee556f66
GP		 593 switch(chan->mode) {
594 case L2CAP_MODE_BASIC:
595 break;
c13ffa62 596
38319713 597 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b 598 skb_queue_purge(&chan->tx_q);
38319713
JH		 599 break;
600
ee556f66 601 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 602 __clear_retrans_timer(chan);
603 __clear_monitor_timer(chan);
604 __clear_ack_timer(chan);
c13ffa62 605
f1c6775b 606 skb_queue_purge(&chan->srej_q);
c13ffa62 607
3c588192
MM		 608 l2cap_seq_list_free(&chan->srej_list);
609 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 610
611 /* fall through */
612
613 case L2CAP_MODE_STREAMING:
614 skb_queue_purge(&chan->tx_q);
615 break;
c13ffa62 616 }
ee556f66
GP		 617
618 return;
0139418c 619}
6b8d4a6a 620EXPORT_SYMBOL_GPL(l2cap_chan_del);
0139418c 621
387a33e3
JH		 622void l2cap_conn_update_id_addr(struct hci_conn *hcon)
623{
624 struct l2cap_conn *conn = hcon->l2cap_data;
625 struct l2cap_chan *chan;
626
627 mutex_lock(&conn->chan_lock);
628
629 list_for_each_entry(chan, &conn->chan_l, list) {
630 l2cap_chan_lock(chan);
631 bacpy(&chan->dst, &hcon->dst);
632 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
633 l2cap_chan_unlock(chan);
634 }
635
636 mutex_unlock(&conn->chan_lock);
637}
638
27e2d4c8
JH		 639static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
640{
641 struct l2cap_conn *conn = chan->conn;
642 struct l2cap_le_conn_rsp rsp;
643 u16 result;
644
645 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
646 result = L2CAP_CR_AUTHORIZATION;
647 else
648 result = L2CAP_CR_BAD_PSM;
649
650 l2cap_state_change(chan, BT_DISCONN);
651
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 654 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 655 rsp.credits = cpu_to_le16(chan->rx_credits);
27e2d4c8
JH		 656 rsp.result = cpu_to_le16(result);
657
658 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
659 &rsp);
660}
661
791d60f7
JH		 662static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
663{
664 struct l2cap_conn *conn = chan->conn;
665 struct l2cap_conn_rsp rsp;
666 u16 result;
667
668 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
669 result = L2CAP_CR_SEC_BLOCK;
670 else
671 result = L2CAP_CR_BAD_PSM;
672
673 l2cap_state_change(chan, BT_DISCONN);
674
675 rsp.scid = cpu_to_le16(chan->dcid);
676 rsp.dcid = cpu_to_le16(chan->scid);
677 rsp.result = cpu_to_le16(result);
dcf4adbf 678 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
791d60f7
JH		 679
680 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
681}
682
0f852724 683void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 684{
685 struct l2cap_conn *conn = chan->conn;
4519de9a 686
7eafc59e 687 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
4519de9a 688
89bc500e 689 switch (chan->state) {
4519de9a 690 case BT_LISTEN:
b699ec0d 691 chan->ops->teardown(chan, 0);
4519de9a
GP		 692 break;
693
694 case BT_CONNECTED:
695 case BT_CONFIG:
7b25c9b3 696 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
8d836d71 697 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5e4e3972 698 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 699 } else
700 l2cap_chan_del(chan, reason);
701 break;
702
703 case BT_CONNECT2:
791d60f7
JH		 704 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
705 if (conn->hcon->type == ACL_LINK)
706 l2cap_chan_connect_reject(chan);
27e2d4c8
JH		 707 else if (conn->hcon->type == LE_LINK)
708 l2cap_chan_le_connect_reject(chan);
4519de9a
GP		 709 }
710
711 l2cap_chan_del(chan, reason);
712 break;
713
714 case BT_CONNECT:
715 case BT_DISCONN:
716 l2cap_chan_del(chan, reason);
717 break;
718
719 default:
b699ec0d 720 chan->ops->teardown(chan, 0);
4519de9a
GP		 721 break;
722 }
723}
6b8d4a6a 724EXPORT_SYMBOL(l2cap_chan_close);
4519de9a 725
4343478f 726static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 727{
6a974b50
MH		 728 switch (chan->chan_type) {
729 case L2CAP_CHAN_RAW:
4343478f 730 switch (chan->sec_level) {
8556edd3 731 case BT_SECURITY_HIGH:
7d513e92 732 case BT_SECURITY_FIPS:
8556edd3
JH		 733 return HCI_AT_DEDICATED_BONDING_MITM;
734 case BT_SECURITY_MEDIUM:
735 return HCI_AT_DEDICATED_BONDING;
736 default:
737 return HCI_AT_NO_BONDING;
738 }
6a974b50 739 break;
3124b843 740 case L2CAP_CHAN_CONN_LESS:
dcf4adbf 741 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
3124b843
MH		 742 if (chan->sec_level == BT_SECURITY_LOW)
743 chan->sec_level = BT_SECURITY_SDP;
744 }
7d513e92
MH		 745 if (chan->sec_level == BT_SECURITY_HIGH ||
746 chan->sec_level == BT_SECURITY_FIPS)
3124b843
MH		 747 return HCI_AT_NO_BONDING_MITM;
748 else
749 return HCI_AT_NO_BONDING;
750 break;
6a974b50 751 case L2CAP_CHAN_CONN_ORIENTED:
dcf4adbf 752 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
6a974b50
MH		 753 if (chan->sec_level == BT_SECURITY_LOW)
754 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 755
7d513e92
MH		 756 if (chan->sec_level == BT_SECURITY_HIGH ||
757 chan->sec_level == BT_SECURITY_FIPS)
6a974b50
MH		 758 return HCI_AT_NO_BONDING_MITM;
759 else
760 return HCI_AT_NO_BONDING;
761 }
762 /* fall through */
763 default:
4343478f 764 switch (chan->sec_level) {
00ae4af9 765 case BT_SECURITY_HIGH:
7d513e92 766 case BT_SECURITY_FIPS:
8556edd3 767 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 768 case BT_SECURITY_MEDIUM:
8556edd3 769 return HCI_AT_GENERAL_BONDING;
00ae4af9 770 default:
8556edd3 771 return HCI_AT_NO_BONDING;
00ae4af9 772 }
6a974b50 773 break;
0684e5f9 774 }
8556edd3
JH		 775}
776
777/* Service level security */
e7cafc45 778int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
8556edd3 779{
8c1d787b 780 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 781 __u8 auth_type;
782
a17de2fe
JH		 783 if (conn->hcon->type == LE_LINK)
784 return smp_conn_security(conn->hcon, chan->sec_level);
785
4343478f 786 auth_type = l2cap_get_auth_type(chan);
79d554a6 787
e7cafc45
JH		 788 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
789 initiator);
79d554a6
MH		 790}
791
b5ad8b7f 792static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 793{
794 u8 id;
795
796 /* Get next available identificator.
797 * 1 - 128 are used by kernel.
798 * 129 - 199 are reserved.
799 * 200 - 254 are used by utilities like l2ping, etc.
800 */
801
5a54e7c8 802 mutex_lock(&conn->ident_lock);
4e8402a3
MH		 803
804 if (++conn->tx_ident > 128)
805 conn->tx_ident = 1;
806
807 id = conn->tx_ident;
808
5a54e7c8 809 mutex_unlock(&conn->ident_lock);
4e8402a3
MH		 810
811 return id;
812}
813
2d792818
GP		 814static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
815 void *data)
4e8402a3
MH		 816{
817 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 818 u8 flags;
4e8402a3
MH		 819
820 BT_DBG("code 0x%2.2x", code);
821
822 if (!skb)
9a9c6a34 823 return;
4e8402a3 824
e702112f
AE		 825 if (lmp_no_flush_capable(conn->hcon->hdev))
826 flags = ACL_START_NO_FLUSH;
827 else
828 flags = ACL_START;
829
14b12d0b 830 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 831 skb->priority = HCI_PRIO_MAX;
14b12d0b 832
73d80deb
LAD		 833 hci_send_acl(conn->hchan, skb, flags);
834}
835
02b0fbb9
MM		 836static bool __chan_is_moving(struct l2cap_chan *chan)
837{
838 return chan->move_state != L2CAP_MOVE_STABLE &&
839 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
840}
841
73d80deb
LAD		 842static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
843{
844 struct hci_conn *hcon = chan->conn->hcon;
845 u16 flags;
846
847 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 848 skb->priority);
73d80deb 849
d5f8a75d
MM		 850 if (chan->hs_hcon && !__chan_is_moving(chan)) {
851 if (chan->hs_hchan)
852 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
853 else
854 kfree_skb(skb);
855
856 return;
857 }
858
73d80deb 859 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 860 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 861 flags = ACL_START_NO_FLUSH;
862 else
863 flags = ACL_START;
14b12d0b 864
73d80deb
LAD		 865 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
866 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 867}
868
b76bbd66
MM		 869static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
870{
871 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
872 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
873
874 if (enh & L2CAP_CTRL_FRAME_TYPE) {
875 /* S-Frame */
876 control->sframe = 1;
877 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
878 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
879
880 control->sar = 0;
881 control->txseq = 0;
882 } else {
883 /* I-Frame */
884 control->sframe = 0;
885 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
886 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
887
888 control->poll = 0;
889 control->super = 0;
890 }
891}
892
b76bbd66
MM		 893static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
894{
895 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
896 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
897
898 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
899 /* S-Frame */
900 control->sframe = 1;
901 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
902 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
903
904 control->sar = 0;
905 control->txseq = 0;
906 } else {
907 /* I-Frame */
908 control->sframe = 0;
909 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
910 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
911
912 control->poll = 0;
913 control->super = 0;
914 }
915}
916
917static inline void __unpack_control(struct l2cap_chan *chan,
918 struct sk_buff *skb)
919{
920 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
921 __unpack_extended_control(get_unaligned_le32(skb->data),
922 &bt_cb(skb)->control);
cec8ab6e 923 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 924 } else {
925 __unpack_enhanced_control(get_unaligned_le16(skb->data),
926 &bt_cb(skb)->control);
cec8ab6e 927 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 928 }
929}
930
b5c6aaed
MM		 931static u32 __pack_extended_control(struct l2cap_ctrl *control)
932{
933 u32 packed;
934
935 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
936 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
937
938 if (control->sframe) {
939 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
940 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
941 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
942 } else {
943 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
944 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
945 }
946
947 return packed;
948}
949
950static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
951{
952 u16 packed;
953
954 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
955 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
956
957 if (control->sframe) {
958 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
959 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
960 packed |= L2CAP_CTRL_FRAME_TYPE;
961 } else {
962 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
963 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
964 }
965
966 return packed;
967}
968
b76bbd66
MM		 969static inline void __pack_control(struct l2cap_chan *chan,
970 struct l2cap_ctrl *control,
971 struct sk_buff *skb)
972{
973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
974 put_unaligned_le32(__pack_extended_control(control),
975 skb->data + L2CAP_HDR_SIZE);
976 } else {
977 put_unaligned_le16(__pack_enhanced_control(control),
978 skb->data + L2CAP_HDR_SIZE);
979 }
980}
981
ba7aa64f
GP		 982static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
983{
984 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
985 return L2CAP_EXT_HDR_SIZE;
986 else
987 return L2CAP_ENH_HDR_SIZE;
988}
989
a67d7f6f
MM		 990static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
991 u32 control)
b5c6aaed
MM		 992{
993 struct sk_buff *skb;
994 struct l2cap_hdr *lh;
ba7aa64f 995 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 996
997 if (chan->fcs == L2CAP_FCS_CRC16)
998 hlen += L2CAP_FCS_SIZE;
999
a67d7f6f 1000 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 1001
b5c6aaed 1002 if (!skb)
a67d7f6f 1003 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 1004
1005 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1006 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1007 lh->cid = cpu_to_le16(chan->dcid);
1008
a67d7f6f
MM		 1009 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1010 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1011 else
1012 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 1013
1014 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 1015 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 1016 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1017 }
1018
1019 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 1020 return skb;
1021}
1022
1023static void l2cap_send_sframe(struct l2cap_chan *chan,
1024 struct l2cap_ctrl *control)
1025{
1026 struct sk_buff *skb;
1027 u32 control_field;
1028
1029 BT_DBG("chan %p, control %p", chan, control);
1030
1031 if (!control->sframe)
1032 return;
1033
b99e13ad
MM		 1034 if (__chan_is_moving(chan))
1035 return;
1036
a67d7f6f
MM		 1037 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1038 !control->poll)
1039 control->final = 1;
1040
1041 if (control->super == L2CAP_SUPER_RR)
1042 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1043 else if (control->super == L2CAP_SUPER_RNR)
1044 set_bit(CONN_RNR_SENT, &chan->conn_state);
1045
1046 if (control->super != L2CAP_SUPER_SREJ) {
1047 chan->last_acked_seq = control->reqseq;
1048 __clear_ack_timer(chan);
1049 }
1050
1051 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1052 control->final, control->poll, control->super);
1053
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 control_field = __pack_extended_control(control);
1056 else
1057 control_field = __pack_enhanced_control(control);
1058
1059 skb = l2cap_create_sframe_pdu(chan, control_field);
1060 if (!IS_ERR(skb))
1061 l2cap_do_send(chan, skb);
b5c6aaed
MM		 1062}
1063
c9e3d5e0 1064static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 1065{
c9e3d5e0
MM		 1066 struct l2cap_ctrl control;
1067
1068 BT_DBG("chan %p, poll %d", chan, poll);
1069
1070 memset(&control, 0, sizeof(control));
1071 control.sframe = 1;
1072 control.poll = poll;
1073
1074 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1075 control.super = L2CAP_SUPER_RNR;
1076 else
1077 control.super = L2CAP_SUPER_RR;
b5c6aaed 1078
c9e3d5e0
MM		 1079 control.reqseq = chan->buffer_seq;
1080 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1081}
1082
b4450035 1083static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1084{
c1360a1c 1085 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1086}
1087
1df7b17a 1088static bool __amp_capable(struct l2cap_chan *chan)
80d58d0b 1089{
1df7b17a 1090 struct l2cap_conn *conn = chan->conn;
80d58d0b 1091 struct hci_dev *hdev;
1df7b17a
MH		 1092 bool amp_available = false;
1093
1094 if (!conn->hs_enabled)
1095 return false;
1096
1097 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1098 return false;
80d58d0b
MH		 1099
1100 read_lock(&hci_dev_list_lock);
1df7b17a 1101 list_for_each_entry(hdev, &hci_dev_list, list) {
80d58d0b 1102 if (hdev->amp_type != AMP_TYPE_BREDR &&
1df7b17a
MH		 1103 test_bit(HCI_UP, &hdev->flags)) {
1104 amp_available = true;
1105 break;
1106 }
1107 }
80d58d0b
MH		 1108 read_unlock(&hci_dev_list_lock);
1109
1df7b17a
MH		 1110 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1111 return amp_available;
848566b3
MH		 1112
1113 return false;
93c3e8f5
AE		 1114}
1115
5ce66b59
AE		 1116static bool l2cap_check_efs(struct l2cap_chan *chan)
1117{
1118 /* Check EFS parameters */
1119 return true;
1120}
1121
2766be48 1122void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1123{
1124 struct l2cap_conn *conn = chan->conn;
1125 struct l2cap_conn_req req;
1126
1127 req.scid = cpu_to_le16(chan->scid);
1128 req.psm = chan->psm;
1129
1130 chan->ident = l2cap_get_ident(conn);
1131
1132 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1133
1134 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1135}
1136
8eb200bd
MM		 1137static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1138{
1139 struct l2cap_create_chan_req req;
1140 req.scid = cpu_to_le16(chan->scid);
1141 req.psm = chan->psm;
1142 req.amp_id = amp_id;
1143
1144 chan->ident = l2cap_get_ident(chan->conn);
1145
1146 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1147 sizeof(req), &req);
1148}
1149
02b0fbb9
MM		 1150static void l2cap_move_setup(struct l2cap_chan *chan)
1151{
1152 struct sk_buff *skb;
1153
1154 BT_DBG("chan %p", chan);
1155
1156 if (chan->mode != L2CAP_MODE_ERTM)
1157 return;
1158
1159 __clear_retrans_timer(chan);
1160 __clear_monitor_timer(chan);
1161 __clear_ack_timer(chan);
1162
1163 chan->retry_count = 0;
1164 skb_queue_walk(&chan->tx_q, skb) {
1165 if (bt_cb(skb)->control.retries)
1166 bt_cb(skb)->control.retries = 1;
1167 else
1168 break;
1169 }
1170
1171 chan->expected_tx_seq = chan->buffer_seq;
1172
1173 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1174 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1175 l2cap_seq_list_clear(&chan->retrans_list);
1176 l2cap_seq_list_clear(&chan->srej_list);
1177 skb_queue_purge(&chan->srej_q);
1178
1179 chan->tx_state = L2CAP_TX_STATE_XMIT;
1180 chan->rx_state = L2CAP_RX_STATE_MOVE;
1181
1182 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1183}
1184
5f3847a4
MM		 1185static void l2cap_move_done(struct l2cap_chan *chan)
1186{
1187 u8 move_role = chan->move_role;
1188 BT_DBG("chan %p", chan);
1189
1190 chan->move_state = L2CAP_MOVE_STABLE;
1191 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1192
1193 if (chan->mode != L2CAP_MODE_ERTM)
1194 return;
1195
1196 switch (move_role) {
1197 case L2CAP_MOVE_ROLE_INITIATOR:
1198 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1199 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1200 break;
1201 case L2CAP_MOVE_ROLE_RESPONDER:
1202 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1203 break;
1204 }
1205}
1206
9f0caeb1
VCG		 1207static void l2cap_chan_ready(struct l2cap_chan *chan)
1208{
2827011f 1209 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1210 chan->conf_state = 0;
1211 __clear_chan_timer(chan);
1212
0ce43ce6
JH		 1213 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1214 chan->ops->suspend(chan);
177f8f2b 1215
54a59aa2 1216 chan->state = BT_CONNECTED;
9f0caeb1 1217
fd83e2c2 1218 chan->ops->ready(chan);
9f0caeb1
VCG		 1219}
1220
f1496dee
JH		 1221static void l2cap_le_connect(struct l2cap_chan *chan)
1222{
1223 struct l2cap_conn *conn = chan->conn;
1224 struct l2cap_le_conn_req req;
1225
595177f3
JH		 1226 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1227 return;
1228
f1496dee
JH		 1229 req.psm = chan->psm;
1230 req.scid = cpu_to_le16(chan->scid);
1231 req.mtu = cpu_to_le16(chan->imtu);
3916aed8 1232 req.mps = cpu_to_le16(chan->mps);
0cd75f7e 1233 req.credits = cpu_to_le16(chan->rx_credits);
f1496dee
JH		 1234
1235 chan->ident = l2cap_get_ident(conn);
1236
1237 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1238 sizeof(req), &req);
1239}
1240
1241static void l2cap_le_start(struct l2cap_chan *chan)
1242{
1243 struct l2cap_conn *conn = chan->conn;
1244
1245 if (!smp_conn_security(conn->hcon, chan->sec_level))
1246 return;
1247
1248 if (!chan->psm) {
1249 l2cap_chan_ready(chan);
1250 return;
1251 }
1252
1253 if (chan->state == BT_CONNECT)
1254 l2cap_le_connect(chan);
1255}
1256
93c3e8f5
AE		 1257static void l2cap_start_connection(struct l2cap_chan *chan)
1258{
1259 if (__amp_capable(chan)) {
1260 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1261 a2mp_discover_amp(chan);
f1496dee
JH		 1262 } else if (chan->conn->hcon->type == LE_LINK) {
1263 l2cap_le_start(chan);
93c3e8f5
AE		 1264 } else {
1265 l2cap_send_conn_req(chan);
1266 }
1267}
1268
fc7f8a7e 1269static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1270{
8c1d787b 1271 struct l2cap_conn *conn = chan->conn;
79d554a6 1272
9f0caeb1 1273 if (conn->hcon->type == LE_LINK) {
96ac34fb 1274 l2cap_le_start(chan);
9f0caeb1
VCG		 1275 return;
1276 }
1277
79d554a6 1278 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1279 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1280 return;
1281
e7cafc45 1282 if (l2cap_chan_check_security(chan, true) &&
2d792818 1283 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1284 l2cap_start_connection(chan);
1285 }
79d554a6
MH		 1286 } else {
1287 struct l2cap_info_req req;
dcf4adbf 1288 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1289
1290 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1291 conn->info_ident = l2cap_get_ident(conn);
1292
ba13ccd9 1293 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1294
2d792818
GP		 1295 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1296 sizeof(req), &req);
79d554a6
MH		 1297 }
1298}
1299
cf6c2c0b
GP		 1300static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1301{
1302 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1303 if (!disable_ertm)
cf6c2c0b
GP		 1304 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1305
1306 switch (mode) {
1307 case L2CAP_MODE_ERTM:
1308 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1309 case L2CAP_MODE_STREAMING:
1310 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1311 default:
1312 return 0x00;
1313 }
1314}
1315
5e4e3972 1316static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1317{
5e4e3972 1318 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1319 struct l2cap_disconn_req req;
1320
c13ffa62
GP		 1321 if (!conn)
1322 return;
1323
aad3d0e3 1324 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1325 __clear_retrans_timer(chan);
1326 __clear_monitor_timer(chan);
1327 __clear_ack_timer(chan);
c13ffa62
GP		 1328 }
1329
2338a7e0 1330 if (chan->scid == L2CAP_CID_A2MP) {
d117773c 1331 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1332 return;
1333 }
1334
fe4128e0
GP		 1335 req.dcid = cpu_to_le16(chan->dcid);
1336 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1337 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1338 sizeof(req), &req);
c13ffa62 1339
f8e73017 1340 l2cap_state_change_and_error(chan, BT_DISCONN, err);
22121fc9
GP		 1341}
1342
1da177e4 1343/* ---- L2CAP connections ---- */
4e8402a3
MH		 1344static void l2cap_conn_start(struct l2cap_conn *conn)
1345{
3df91ea2 1346 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1347
1348 BT_DBG("conn %p", conn);
1349
3df91ea2 1350 mutex_lock(&conn->chan_lock);
4e8402a3 1351
3df91ea2 1352 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6be36555 1353 l2cap_chan_lock(chan);
4e8402a3 1354
715ec005 1355 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1356 l2cap_chan_unlock(chan);
79d554a6
MH		 1357 continue;
1358 }
1359
89bc500e 1360 if (chan->state == BT_CONNECT) {
e7cafc45 1361 if (!l2cap_chan_check_security(chan, true) ||
2d792818 1362 !__l2cap_no_conn_pending(chan)) {
6be36555 1363 l2cap_chan_unlock(chan);
47731de7
GP		 1364 continue;
1365 }
79d554a6 1366
c1360a1c 1367 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1368 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1369 &chan->conf_state)) {
89bc500e 1370 l2cap_chan_close(chan, ECONNRESET);
6be36555 1371 l2cap_chan_unlock(chan);
47731de7 1372 continue;
b1235d79 1373 }
47731de7 1374
93c3e8f5 1375 l2cap_start_connection(chan);
47731de7 1376
89bc500e 1377 } else if (chan->state == BT_CONNECT2) {
79d554a6 1378 struct l2cap_conn_rsp rsp;
e9aeb2dd 1379 char buf[128];
fe4128e0
GP		 1380 rsp.scid = cpu_to_le16(chan->dcid);
1381 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1382
e7cafc45 1383 if (l2cap_chan_check_security(chan, false)) {
bdc25783 1384 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
dcf4adbf
JP		 1385 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1386 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1387 chan->ops->defer(chan);
f66dc81f
MH		 1388
1389 } else {
acdcabf5 1390 l2cap_state_change(chan, BT_CONFIG);
dcf4adbf
JP		 1391 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1392 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1393 }
79d554a6 1394 } else {
dcf4adbf
JP		 1395 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1396 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1397 }
1398
fc7f8a7e 1399 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1400 sizeof(rsp), &rsp);
e9aeb2dd 1401
c1360a1c 1402 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1403 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1404 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1405 continue;
1406 }
1407
c1360a1c 1408 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1409 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1410 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1411 chan->num_conf_req++;
4e8402a3
MH		 1412 }
1413
6be36555 1414 l2cap_chan_unlock(chan);
4e8402a3
MH		 1415 }
1416
3df91ea2 1417 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1418}
1419
c2287681 1420/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1421 * Returns closest match, locked.
1422 */
d9b88702 1423static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1424 bdaddr_t *src,
1425 bdaddr_t *dst)
b62f328b 1426{
23691d75 1427 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1428
23691d75 1429 read_lock(&chan_list_lock);
b62f328b 1430
23691d75 1431 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1432 if (state && c->state != state)
b62f328b
VT		 1433 continue;
1434
23691d75 1435 if (c->scid == cid) {
c2287681
IY		 1436 int src_match, dst_match;
1437 int src_any, dst_any;
1438
b62f328b 1439 /* Exact match. */
7eafc59e
MH		 1440 src_match = !bacmp(&c->src, src);
1441 dst_match = !bacmp(&c->dst, dst);
c2287681 1442 if (src_match && dst_match) {
23691d75
GP		 1443 read_unlock(&chan_list_lock);
1444 return c;
1445 }
b62f328b
VT		 1446
1447 /* Closest match */
7eafc59e
MH		 1448 src_any = !bacmp(&c->src, BDADDR_ANY);
1449 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1450 if ((src_match && dst_any) || (src_any && dst_match) ||
1451 (src_any && dst_any))
23691d75 1452 c1 = c;
b62f328b
VT		 1453 }
1454 }
280f294f 1455
23691d75 1456 read_unlock(&chan_list_lock);
b62f328b 1457
23691d75 1458 return c1;
b62f328b
VT		 1459}
1460
1461static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1462{
cc8dba2b 1463 struct hci_conn *hcon = conn->hcon;
dcc36c16 1464 struct hci_dev *hdev = hcon->hdev;
23691d75 1465 struct l2cap_chan *chan, *pchan;
cc8dba2b 1466 u8 dst_type;
b62f328b
VT		 1467
1468 BT_DBG("");
1469
1470 /* Check if we have socket listening on cid */
073d1cf3 1471 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
cc8dba2b 1472 &hcon->src, &hcon->dst);
23691d75 1473 if (!pchan)
b62f328b
VT		 1474 return;
1475
44f3b0fb
JH		 1476 /* Client ATT sockets should override the server one */
1477 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1478 return;
1479
cc8dba2b
MH		 1480 dst_type = bdaddr_type(hcon, hcon->dst_type);
1481
1482 /* If device is blocked, do not create a channel for it */
dcc36c16 1483 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
cc8dba2b
MH		 1484 return;
1485
80afeb6c
MH		 1486 /* For LE slave connections, make sure the connection interval
1487 * is in the range of the minium and maximum interval that has
1488 * been configured for this connection. If not, then trigger
1489 * the connection update procedure.
1490 */
40bef302 1491 if (hcon->role == HCI_ROLE_SLAVE &&
80afeb6c
MH		 1492 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1493 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1494 struct l2cap_conn_param_update_req req;
1495
1496 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1497 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1498 req.latency = cpu_to_le16(hcon->le_conn_latency);
1499 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1500
1501 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1502 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1503 }
1504
8ffb9290 1505 l2cap_chan_lock(pchan);
62f3a2cf 1506
80b98027 1507 chan = pchan->ops->new_connection(pchan);
80808e43 1508 if (!chan)
b62f328b
VT		 1509 goto clean;
1510
cc8dba2b
MH		 1511 bacpy(&chan->src, &hcon->src);
1512 bacpy(&chan->dst, &hcon->dst);
1513 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1514 chan->dst_type = dst_type;
b62f328b 1515
44f3b0fb 1516 __l2cap_chan_add(conn, chan);
48454079 1517
b62f328b 1518clean:
8ffb9290 1519 l2cap_chan_unlock(pchan);
b62f328b
VT		 1520}
1521
4e8402a3
MH		 1522static void l2cap_conn_ready(struct l2cap_conn *conn)
1523{
48454079 1524 struct l2cap_chan *chan;
cc110922 1525 struct hci_conn *hcon = conn->hcon;
4e8402a3 1526
79d554a6 1527 BT_DBG("conn %p", conn);
4e8402a3 1528
d8729922
JH		 1529 /* For outgoing pairing which doesn't necessarily have an
1530 * associated socket (e.g. mgmt_pair_device).
1531 */
cc110922
VCG		 1532 if (hcon->out && hcon->type == LE_LINK)
1533 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1534
3df91ea2 1535 mutex_lock(&conn->chan_lock);
4e8402a3 1536
44f3b0fb
JH		 1537 if (hcon->type == LE_LINK)
1538 l2cap_le_conn_ready(conn);
1539
3df91ea2 1540 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1541
6be36555 1542 l2cap_chan_lock(chan);
4e8402a3 1543
2338a7e0 1544 if (chan->scid == L2CAP_CID_A2MP) {
416fa752
AE		 1545 l2cap_chan_unlock(chan);
1546 continue;
1547 }
1548
cc110922 1549 if (hcon->type == LE_LINK) {
f1496dee 1550 l2cap_le_start(chan);
63128451 1551 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
74e75740 1552 l2cap_chan_ready(chan);
b501d6a1 1553
1c244f79 1554 } else if (chan->state == BT_CONNECT) {
fc7f8a7e 1555 l2cap_do_start(chan);
1c244f79 1556 }
4e8402a3 1557
6be36555 1558 l2cap_chan_unlock(chan);
4e8402a3 1559 }
79d554a6 1560
3df91ea2 1561 mutex_unlock(&conn->chan_lock);
61a939c6
JH		 1562
1563 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
4e8402a3
MH		 1564}
1565
1566/* Notify sockets that we cannot guaranty reliability anymore */
1567static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1568{
48454079 1569 struct l2cap_chan *chan;
4e8402a3
MH		 1570
1571 BT_DBG("conn %p", conn);
1572
3df91ea2 1573 mutex_lock(&conn->chan_lock);
4e8402a3 1574
3df91ea2 1575 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1576 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1577 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1578 }
1579
3df91ea2 1580 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1581}
1582
f878fcad 1583static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1584{
f878fcad 1585 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1586 info_timer.work);
4e8402a3 1587
984947dc 1588 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1589 conn->info_ident = 0;
984947dc 1590
4e8402a3
MH		 1591 l2cap_conn_start(conn);
1592}
1593
2c8e1411
DH		 1594/*
1595 * l2cap_user
1596 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1597 * callback is called during registration. The ->remove callback is called
1598 * during unregistration.
1599 * An l2cap_user object can either be explicitly unregistered or when the
1600 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1601 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1602 * External modules must own a reference to the l2cap_conn object if they intend
1603 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1604 * any time if they don't.
1605 */
1606
1607int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1608{
1609 struct hci_dev *hdev = conn->hcon->hdev;
1610 int ret;
1611
1612 /* We need to check whether l2cap_conn is registered. If it is not, we
1613 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1614 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1615 * relies on the parent hci_conn object to be locked. This itself relies
1616 * on the hci_dev object to be locked. So we must lock the hci device
1617 * here, too. */
1618
1619 hci_dev_lock(hdev);
1620
1621 if (user->list.next || user->list.prev) {
1622 ret = -EINVAL;
1623 goto out_unlock;
1624 }
1625
1626 /* conn->hchan is NULL after l2cap_conn_del() was called */
1627 if (!conn->hchan) {
1628 ret = -ENODEV;
1629 goto out_unlock;
1630 }
1631
1632 ret = user->probe(conn, user);
1633 if (ret)
1634 goto out_unlock;
1635
1636 list_add(&user->list, &conn->users);
1637 ret = 0;
1638
1639out_unlock:
1640 hci_dev_unlock(hdev);
1641 return ret;
1642}
1643EXPORT_SYMBOL(l2cap_register_user);
1644
1645void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1646{
1647 struct hci_dev *hdev = conn->hcon->hdev;
1648
1649 hci_dev_lock(hdev);
1650
1651 if (!user->list.next || !user->list.prev)
1652 goto out_unlock;
1653
1654 list_del(&user->list);
1655 user->list.next = NULL;
1656 user->list.prev = NULL;
1657 user->remove(conn, user);
1658
1659out_unlock:
1660 hci_dev_unlock(hdev);
1661}
1662EXPORT_SYMBOL(l2cap_unregister_user);
1663
1664static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1665{
1666 struct l2cap_user *user;
1667
1668 while (!list_empty(&conn->users)) {
1669 user = list_first_entry(&conn->users, struct l2cap_user, list);
1670 list_del(&user->list);
1671 user->list.next = NULL;
1672 user->list.prev = NULL;
1673 user->remove(conn, user);
1674 }
1675}
1676
5d3de7df
VCG		 1677static void l2cap_conn_del(struct hci_conn *hcon, int err)
1678{
1679 struct l2cap_conn *conn = hcon->l2cap_data;
1680 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1681
1682 if (!conn)
1683 return;
1684
1685 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1686
1687 kfree_skb(conn->rx_skb);
1688
61a939c6 1689 skb_queue_purge(&conn->pending_rx);
7ab56c3a
JT		 1690
1691 /* We can not call flush_work(&conn->pending_rx_work) here since we
1692 * might block if we are running on a worker from the same workqueue
1693 * pending_rx_work is waiting on.
1694 */
1695 if (work_pending(&conn->pending_rx_work))
1696 cancel_work_sync(&conn->pending_rx_work);
61a939c6 1697
2c8e1411
DH		 1698 l2cap_unregister_all_users(conn);
1699
3df91ea2
AE		 1700 mutex_lock(&conn->chan_lock);
1701
5d3de7df
VCG		 1702 /* Kill channels */
1703 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1704 l2cap_chan_hold(chan);
6be36555
AE		 1705 l2cap_chan_lock(chan);
1706
5d3de7df 1707 l2cap_chan_del(chan, err);
6be36555
AE		 1708
1709 l2cap_chan_unlock(chan);
1710
80b98027 1711 chan->ops->close(chan);
61d6ef3e 1712 l2cap_chan_put(chan);
5d3de7df
VCG		 1713 }
1714
3df91ea2
AE		 1715 mutex_unlock(&conn->chan_lock);
1716
73d80deb
LAD		 1717 hci_chan_del(conn->hchan);
1718
5d3de7df 1719 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1720 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1721
51a8efd7 1722 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1723 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1724 smp_chan_destroy(conn);
d26a2345 1725 }
5d3de7df
VCG		 1726
1727 hcon->l2cap_data = NULL;
9c903e37
DH		 1728 conn->hchan = NULL;
1729 l2cap_conn_put(conn);
5d3de7df
VCG		 1730}
1731
6c9d42a1 1732static void security_timeout(struct work_struct *work)
5d3de7df 1733{
6c9d42a1 1734 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1735 security_timer.work);
5d3de7df 1736
d06cc416
JH		 1737 BT_DBG("conn %p", conn);
1738
1739 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1740 smp_chan_destroy(conn);
1741 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1742 }
5d3de7df
VCG		 1743}
1744
9c903e37
DH		 1745static void l2cap_conn_free(struct kref *ref)
1746{
1747 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1748
1749 hci_conn_put(conn->hcon);
1750 kfree(conn);
1751}
1752
1753void l2cap_conn_get(struct l2cap_conn *conn)
1754{
1755 kref_get(&conn->ref);
1756}
1757EXPORT_SYMBOL(l2cap_conn_get);
1758
1759void l2cap_conn_put(struct l2cap_conn *conn)
1760{
1761 kref_put(&conn->ref, l2cap_conn_free);
1762}
1763EXPORT_SYMBOL(l2cap_conn_put);
1764
1da177e4 1765/* ---- Socket interface ---- */
1da177e4 1766
c2287681 1767/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1768 * Returns closest match.
1769 */
c2287681
IY		 1770static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1771 bdaddr_t *src,
bf20fd4e
JH		 1772 bdaddr_t *dst,
1773 u8 link_type)
1da177e4 1774{
23691d75 1775 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1776
23691d75 1777 read_lock(&chan_list_lock);
e0f0cb56 1778
23691d75 1779 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 1780 if (state && c->state != state)
1da177e4
LT		 1781 continue;
1782
bf20fd4e
JH		 1783 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1784 continue;
1785
1786 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1787 continue;
1788
23691d75 1789 if (c->psm == psm) {
c2287681
IY		 1790 int src_match, dst_match;
1791 int src_any, dst_any;
1792
1da177e4 1793 /* Exact match. */
7eafc59e
MH		 1794 src_match = !bacmp(&c->src, src);
1795 dst_match = !bacmp(&c->dst, dst);
c2287681 1796 if (src_match && dst_match) {
a7567b20 1797 read_unlock(&chan_list_lock);
23691d75
GP		 1798 return c;
1799 }
1da177e4
LT		 1800
1801 /* Closest match */
7eafc59e
MH		 1802 src_any = !bacmp(&c->src, BDADDR_ANY);
1803 dst_any = !bacmp(&c->dst, BDADDR_ANY);
c2287681
IY		 1804 if ((src_match && dst_any) || (src_any && dst_match) ||
1805 (src_any && dst_any))
23691d75 1806 c1 = c;
1da177e4
LT		 1807 }
1808 }
1da177e4 1809
23691d75 1810 read_unlock(&chan_list_lock);
e0f0cb56 1811
23691d75 1812 return c1;
1da177e4
LT		 1813}
1814
721c4181 1815static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1816{
721c4181 1817 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1818 monitor_timer.work);
e90bac06 1819
525cd185 1820 BT_DBG("chan %p", chan);
0e98958d 1821
6be36555
AE		 1822 l2cap_chan_lock(chan);
1823
80909e04 1824 if (!chan->conn) {
6be36555 1825 l2cap_chan_unlock(chan);
8d7e1c7f 1826 l2cap_chan_put(chan);
e90bac06
GP		 1827 return;
1828 }
1829
401bb1f7 1830 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1831
6be36555 1832 l2cap_chan_unlock(chan);
8d7e1c7f 1833 l2cap_chan_put(chan);
e90bac06
GP		 1834}
1835
721c4181 1836static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1837{
721c4181 1838 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1839 retrans_timer.work);
e90bac06 1840
49208c9c 1841 BT_DBG("chan %p", chan);
0e98958d 1842
6be36555
AE		 1843 l2cap_chan_lock(chan);
1844
80909e04
MM		 1845 if (!chan->conn) {
1846 l2cap_chan_unlock(chan);
1847 l2cap_chan_put(chan);
1848 return;
1849 }
6be36555 1850
401bb1f7 1851 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1852 l2cap_chan_unlock(chan);
8d7e1c7f 1853 l2cap_chan_put(chan);
e90bac06
GP		 1854}
1855
d660366d
GP		 1856static void l2cap_streaming_send(struct l2cap_chan *chan,
1857 struct sk_buff_head *skbs)
6840ed07 1858{
ccbb84af 1859 struct sk_buff *skb;
3733937d 1860 struct l2cap_ctrl *control;
6840ed07 1861
3733937d
MM		 1862 BT_DBG("chan %p, skbs %p", chan, skbs);
1863
b99e13ad
MM		 1864 if (__chan_is_moving(chan))
1865 return;
1866
3733937d
MM		 1867 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1868
1869 while (!skb_queue_empty(&chan->tx_q)) {
1870
1871 skb = skb_dequeue(&chan->tx_q);
1872
1873 bt_cb(skb)->control.retries = 1;
1874 control = &bt_cb(skb)->control;
1875
1876 control->reqseq = 0;
1877 control->txseq = chan->next_tx_seq;
1878
1879 __pack_control(chan, control, skb);
6840ed07 1880
47d1ec61 1881 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1882 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1883 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1884 }
1885
4343478f 1886 l2cap_do_send(chan, skb);
6840ed07 1887
b4400672 1888 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1889
836be934 1890 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1891 chan->frames_sent++;
6840ed07 1892 }
6840ed07
GP		 1893}
1894
67c9e840 1895static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1896{
1897 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1898 struct l2cap_ctrl *control;
1899 int sent = 0;
1900
1901 BT_DBG("chan %p", chan);
1c2acffb 1902
89bc500e 1903 if (chan->state != BT_CONNECTED)
c13ffa62 1904 return -ENOTCONN;
e90bac06 1905
94122bbe
MM		 1906 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1907 return 0;
1908
b99e13ad
MM		 1909 if (__chan_is_moving(chan))
1910 return 0;
1911
18a48e76
MM		 1912 while (chan->tx_send_head &&
1913 chan->unacked_frames < chan->remote_tx_win &&
1914 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1915
18a48e76 1916 skb = chan->tx_send_head;
e90bac06 1917
18a48e76
MM		 1918 bt_cb(skb)->control.retries = 1;
1919 control = &bt_cb(skb)->control;
95ffa978 1920
e2ab4353 1921 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1922 control->final = 1;
e2ab4353 1923
18a48e76
MM		 1924 control->reqseq = chan->buffer_seq;
1925 chan->last_acked_seq = chan->buffer_seq;
1926 control->txseq = chan->next_tx_seq;
1c2acffb 1927
18a48e76 1928 __pack_control(chan, control, skb);
e90bac06 1929
47d1ec61 1930 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1931 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1932 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1933 }
1934
18a48e76
MM		 1935 /* Clone after data has been modified. Data is assumed to be
1936 read-only (for locking purposes) on cloned sk_buffs.
1937 */
1938 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1939
18a48e76
MM		 1940 if (!tx_skb)
1941 break;
1c2acffb 1942
18a48e76 1943 __set_retrans_timer(chan);
836be934
AE		 1944
1945 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1946 chan->unacked_frames++;
6a026610 1947 chan->frames_sent++;
18a48e76 1948 sent++;
1c2acffb 1949
58d35f87
GP		 1950 if (skb_queue_is_last(&chan->tx_q, skb))
1951 chan->tx_send_head = NULL;
1c2acffb 1952 else
58d35f87 1953 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1954
1955 l2cap_do_send(chan, tx_skb);
b4400672 1956 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1957 }
1958
b4400672
AE		 1959 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1960 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1961
1962 return sent;
9e917af1
GP		 1963}
1964
e1fbd4c1
MM		 1965static void l2cap_ertm_resend(struct l2cap_chan *chan)
1966{
1967 struct l2cap_ctrl control;
1968 struct sk_buff *skb;
1969 struct sk_buff *tx_skb;
1970 u16 seq;
1971
1972 BT_DBG("chan %p", chan);
1973
1974 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1975 return;
1976
b99e13ad
MM		 1977 if (__chan_is_moving(chan))
1978 return;
1979
e1fbd4c1
MM		 1980 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1981 seq = l2cap_seq_list_pop(&chan->retrans_list);
1982
1983 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1984 if (!skb) {
1985 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1986 seq);
e1fbd4c1
MM		 1987 continue;
1988 }
1989
1990 bt_cb(skb)->control.retries++;
1991 control = bt_cb(skb)->control;
1992
1993 if (chan->max_tx != 0 &&
1994 bt_cb(skb)->control.retries > chan->max_tx) {
1995 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1996 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1997 l2cap_seq_list_clear(&chan->retrans_list);
1998 break;
1999 }
2000
2001 control.reqseq = chan->buffer_seq;
2002 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2003 control.final = 1;
2004 else
2005 control.final = 0;
2006
2007 if (skb_cloned(skb)) {
2008 /* Cloned sk_buffs are read-only, so we need a
2009 * writeable copy
2010 */
8bcde1f2 2011 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2012 } else {
8bcde1f2 2013 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2014 }
2015
2016 if (!tx_skb) {
2017 l2cap_seq_list_clear(&chan->retrans_list);
2018 break;
2019 }
2020
2021 /* Update skb contents */
2022 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2023 put_unaligned_le32(__pack_extended_control(&control),
2024 tx_skb->data + L2CAP_HDR_SIZE);
2025 } else {
2026 put_unaligned_le16(__pack_enhanced_control(&control),
2027 tx_skb->data + L2CAP_HDR_SIZE);
2028 }
2029
2030 if (chan->fcs == L2CAP_FCS_CRC16) {
2031 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2032 put_unaligned_le16(fcs, skb_put(tx_skb,
2033 L2CAP_FCS_SIZE));
2034 }
2035
2036 l2cap_do_send(chan, tx_skb);
2037
2038 BT_DBG("Resent txseq %d", control.txseq);
2039
2040 chan->last_acked_seq = chan->buffer_seq;
2041 }
2042}
2043
f80842a8
MM		 2044static void l2cap_retransmit(struct l2cap_chan *chan,
2045 struct l2cap_ctrl *control)
2046{
2047 BT_DBG("chan %p, control %p", chan, control);
2048
2049 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2050 l2cap_ertm_resend(chan);
2051}
2052
d2a7ac5d
MM		 2053static void l2cap_retransmit_all(struct l2cap_chan *chan,
2054 struct l2cap_ctrl *control)
2055{
e1fbd4c1
MM		 2056 struct sk_buff *skb;
2057
2058 BT_DBG("chan %p, control %p", chan, control);
2059
2060 if (control->poll)
2061 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2062
2063 l2cap_seq_list_clear(&chan->retrans_list);
2064
2065 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2066 return;
2067
2068 if (chan->unacked_frames) {
2069 skb_queue_walk(&chan->tx_q, skb) {
2070 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2071 skb == chan->tx_send_head)
e1fbd4c1
MM		 2072 break;
2073 }
2074
2075 skb_queue_walk_from(&chan->tx_q, skb) {
2076 if (skb == chan->tx_send_head)
2077 break;
2078
2079 l2cap_seq_list_append(&chan->retrans_list,
2080 bt_cb(skb)->control.txseq);
2081 }
2082
2083 l2cap_ertm_resend(chan);
2084 }
d2a7ac5d
MM		 2085}
2086
0a0aba42 2087static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2088{
0a0aba42
MM		 2089 struct l2cap_ctrl control;
2090 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2091 chan->last_acked_seq);
2092 int threshold;
9e917af1 2093
0a0aba42
MM		 2094 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2095 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2096
0a0aba42
MM		 2097 memset(&control, 0, sizeof(control));
2098 control.sframe = 1;
dfc909be 2099
0a0aba42
MM		 2100 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2101 chan->rx_state == L2CAP_RX_STATE_RECV) {
2102 __clear_ack_timer(chan);
2103 control.super = L2CAP_SUPER_RNR;
2104 control.reqseq = chan->buffer_seq;
2105 l2cap_send_sframe(chan, &control);
2106 } else {
2107 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2108 l2cap_ertm_send(chan);
2109 /* If any i-frames were sent, they included an ack */
2110 if (chan->buffer_seq == chan->last_acked_seq)
2111 frames_to_ack = 0;
2112 }
dfc909be 2113
c20f8e35 2114 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2115 * Calculate without mul or div
2116 */
c20f8e35 2117 threshold = chan->ack_win;
0a0aba42
MM		 2118 threshold += threshold << 1;
2119 threshold >>= 2;
2120
b4400672 2121 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2122 threshold);
2123
2124 if (frames_to_ack >= threshold) {
2125 __clear_ack_timer(chan);
2126 control.super = L2CAP_SUPER_RR;
2127 control.reqseq = chan->buffer_seq;
2128 l2cap_send_sframe(chan, &control);
2129 frames_to_ack = 0;
2130 }
1c2acffb 2131
0a0aba42
MM		 2132 if (frames_to_ack)
2133 __set_ack_timer(chan);
2134 }
b17e73bb
SJ		 2135}
2136
04124681
GP		 2137static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2138 struct msghdr *msg, int len,
2139 int count, struct sk_buff *skb)
1c2acffb 2140{
0952a57a 2141 struct l2cap_conn *conn = chan->conn;
1c2acffb 2142 struct sk_buff **frag;
90338947 2143 int sent = 0;
1da177e4 2144
0498878b
JR		 2145 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2146 msg->msg_iov, count))
1c2acffb 2147 return -EFAULT;
1da177e4
LT		 2148
2149 sent += count;
2150 len -= count;
2151
2152 /* Continuation fragments (no L2CAP header) */
2153 frag = &skb_shinfo(skb)->frag_list;
2154 while (len) {
fbe00700
GP		 2155 struct sk_buff *tmp;
2156
1da177e4
LT		 2157 count = min_t(unsigned int, conn->mtu, len);
2158
d9fbd02b 2159 tmp = chan->ops->alloc_skb(chan, 0, count,
fbe00700
GP		 2160 msg->msg_flags & MSG_DONTWAIT);
2161 if (IS_ERR(tmp))
2162 return PTR_ERR(tmp);
2163
2164 *frag = tmp;
2f7719ce 2165
0498878b
JR		 2166 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2167 msg->msg_iov, count))
1c2acffb 2168 return -EFAULT;
1da177e4
LT		 2169
2170 sent += count;
2171 len -= count;
2172
2d0ed3d5
GP		 2173 skb->len += (*frag)->len;
2174 skb->data_len += (*frag)->len;
2175
1da177e4
LT		 2176 frag = &(*frag)->next;
2177 }
1da177e4
LT		 2178
2179 return sent;
1c2acffb 2180}
1da177e4 2181
5e59b791 2182static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
8d46321c 2183 struct msghdr *msg, size_t len)
1c2acffb 2184{
8c1d787b 2185 struct l2cap_conn *conn = chan->conn;
1c2acffb 2186 struct sk_buff *skb;
03a51213 2187 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2188 struct l2cap_hdr *lh;
2189
8d46321c
MH		 2190 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2191 __le16_to_cpu(chan->psm), len);
1c2acffb
GP		 2192
2193 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2194
d9fbd02b 2195 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2196 msg->msg_flags & MSG_DONTWAIT);
2197 if (IS_ERR(skb))
2198 return skb;
1c2acffb
GP		 2199
2200 /* Create L2CAP header */
2201 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2202 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c 2203 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
43b1b8df 2204 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2205
0952a57a 2206 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2207 if (unlikely(err < 0)) {
2208 kfree_skb(skb);
2209 return ERR_PTR(err);
2210 }
2211 return skb;
2212}
2213
5e59b791 2214static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
8d46321c 2215 struct msghdr *msg, size_t len)
1c2acffb 2216{
8c1d787b 2217 struct l2cap_conn *conn = chan->conn;
1c2acffb 2218 struct sk_buff *skb;
f2ba7fae 2219 int err, count;
1c2acffb
GP		 2220 struct l2cap_hdr *lh;
2221
b4400672 2222 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2223
f2ba7fae 2224 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2225
d9fbd02b 2226 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
90338947
GP		 2227 msg->msg_flags & MSG_DONTWAIT);
2228 if (IS_ERR(skb))
2229 return skb;
1c2acffb
GP		 2230
2231 /* Create L2CAP header */
2232 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2233 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2234 lh->len = cpu_to_le16(len);
1c2acffb 2235
0952a57a 2236 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2237 if (unlikely(err < 0)) {
2238 kfree_skb(skb);
2239 return ERR_PTR(err);
2240 }
2241 return skb;
2242}
2243
ab0ff76d 2244static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2245 struct msghdr *msg, size_t len,
2246 u16 sdulen)
1c2acffb 2247{
8c1d787b 2248 struct l2cap_conn *conn = chan->conn;
1c2acffb 2249 struct sk_buff *skb;
e4ca6d98 2250 int err, count, hlen;
1c2acffb
GP		 2251 struct l2cap_hdr *lh;
2252
b4400672 2253 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2254
0ee0d208
GP		 2255 if (!conn)
2256 return ERR_PTR(-ENOTCONN);
2257
ba7aa64f 2258 hlen = __ertm_hdr_size(chan);
e4ca6d98 2259
c74e560c 2260 if (sdulen)
03a51213 2261 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2262
47d1ec61 2263 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2264 hlen += L2CAP_FCS_SIZE;
fcc203c3 2265
1c2acffb 2266 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce 2267
d9fbd02b 2268 skb = chan->ops->alloc_skb(chan, hlen, count,
90338947
GP		 2269 msg->msg_flags & MSG_DONTWAIT);
2270 if (IS_ERR(skb))
2271 return skb;
1c2acffb
GP		 2272
2273 /* Create L2CAP header */
2274 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2275 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2276 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2277
18a48e76
MM		 2278 /* Control header is populated later */
2279 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2280 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2281 else
2282 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2283
c74e560c 2284 if (sdulen)
03a51213 2285 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2286
0952a57a 2287 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2288 if (unlikely(err < 0)) {
2289 kfree_skb(skb);
2290 return ERR_PTR(err);
2291 }
e90bac06 2292
18a48e76 2293 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2294 bt_cb(skb)->control.retries = 0;
1c2acffb 2295 return skb;
1da177e4
LT		 2296}
2297
94122bbe
MM		 2298static int l2cap_segment_sdu(struct l2cap_chan *chan,
2299 struct sk_buff_head *seg_queue,
2300 struct msghdr *msg, size_t len)
c74e560c 2301{
c74e560c 2302 struct sk_buff *skb;
94122bbe
MM		 2303 u16 sdu_len;
2304 size_t pdu_len;
94122bbe 2305 u8 sar;
c74e560c 2306
b4400672 2307 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2308
94122bbe
MM		 2309 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2310 * so fragmented skbs are not used. The HCI layer's handling
2311 * of fragmented skbs is not compatible with ERTM's queueing.
2312 */
c74e560c 2313
94122bbe
MM		 2314 /* PDU size is derived from the HCI MTU */
2315 pdu_len = chan->conn->mtu;
c74e560c 2316
a549574d
MM		 2317 /* Constrain PDU size for BR/EDR connections */
2318 if (!chan->hs_hcon)
2319 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2320
2321 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2322 if (chan->fcs)
2323 pdu_len -= L2CAP_FCS_SIZE;
2324
ba7aa64f 2325 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2326
2327 /* Remote device may have requested smaller PDUs */
2328 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2329
2330 if (len <= pdu_len) {
2331 sar = L2CAP_SAR_UNSEGMENTED;
2332 sdu_len = 0;
2333 pdu_len = len;
2334 } else {
2335 sar = L2CAP_SAR_START;
2336 sdu_len = len;
2337 pdu_len -= L2CAP_SDULEN_SIZE;
2338 }
2339
2340 while (len > 0) {
2341 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2342
c74e560c 2343 if (IS_ERR(skb)) {
94122bbe 2344 __skb_queue_purge(seg_queue);
c74e560c
GP		 2345 return PTR_ERR(skb);
2346 }
2347
94122bbe
MM		 2348 bt_cb(skb)->control.sar = sar;
2349 __skb_queue_tail(seg_queue, skb);
2350
2351 len -= pdu_len;
2352 if (sdu_len) {
2353 sdu_len = 0;
2354 pdu_len += L2CAP_SDULEN_SIZE;
2355 }
2356
2357 if (len <= pdu_len) {
2358 sar = L2CAP_SAR_END;
2359 pdu_len = len;
2360 } else {
2361 sar = L2CAP_SAR_CONTINUE;
2362 }
c74e560c 2363 }
c74e560c 2364
f0f62799 2365 return 0;
c74e560c
GP		 2366}
2367
177f8f2b
JH		 2368static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2369 struct msghdr *msg,
2370 size_t len, u16 sdulen)
2371{
2372 struct l2cap_conn *conn = chan->conn;
2373 struct sk_buff *skb;
2374 int err, count, hlen;
2375 struct l2cap_hdr *lh;
2376
2377 BT_DBG("chan %p len %zu", chan, len);
2378
2379 if (!conn)
2380 return ERR_PTR(-ENOTCONN);
2381
2382 hlen = L2CAP_HDR_SIZE;
2383
2384 if (sdulen)
2385 hlen += L2CAP_SDULEN_SIZE;
2386
2387 count = min_t(unsigned int, (conn->mtu - hlen), len);
2388
d9fbd02b 2389 skb = chan->ops->alloc_skb(chan, hlen, count,
177f8f2b
JH		 2390 msg->msg_flags & MSG_DONTWAIT);
2391 if (IS_ERR(skb))
2392 return skb;
2393
2394 /* Create L2CAP header */
2395 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2396 lh->cid = cpu_to_le16(chan->dcid);
2397 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2398
2399 if (sdulen)
2400 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2401
2402 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2403 if (unlikely(err < 0)) {
2404 kfree_skb(skb);
2405 return ERR_PTR(err);
2406 }
2407
2408 return skb;
2409}
2410
2411static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2412 struct sk_buff_head *seg_queue,
2413 struct msghdr *msg, size_t len)
2414{
2415 struct sk_buff *skb;
2416 size_t pdu_len;
2417 u16 sdu_len;
2418
2419 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2420
2421 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2422
2423 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2424
2425 sdu_len = len;
2426 pdu_len -= L2CAP_SDULEN_SIZE;
2427
2428 while (len > 0) {
2429 if (len <= pdu_len)
2430 pdu_len = len;
2431
2432 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2433 if (IS_ERR(skb)) {
2434 __skb_queue_purge(seg_queue);
2435 return PTR_ERR(skb);
2436 }
2437
2438 __skb_queue_tail(seg_queue, skb);
2439
2440 len -= pdu_len;
2441
2442 if (sdu_len) {
2443 sdu_len = 0;
2444 pdu_len += L2CAP_SDULEN_SIZE;
2445 }
2446 }
2447
2448 return 0;
2449}
2450
8d46321c 2451int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
9a91a04a 2452{
9a91a04a 2453 struct sk_buff *skb;
9a91a04a 2454 int err;
94122bbe 2455 struct sk_buff_head seg_queue;
9a91a04a 2456
31e8ce80
SWK		 2457 if (!chan->conn)
2458 return -ENOTCONN;
2459
9a91a04a 2460 /* Connectionless channel */
715ec005 2461 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
8d46321c 2462 skb = l2cap_create_connless_pdu(chan, msg, len);
9a91a04a
GP		 2463 if (IS_ERR(skb))
2464 return PTR_ERR(skb);
2465
ede81a2a
AK		 2466 /* Channel lock is released before requesting new skb and then
2467 * reacquired thus we need to recheck channel state.
2468 */
2469 if (chan->state != BT_CONNECTED) {
2470 kfree_skb(skb);
2471 return -ENOTCONN;
2472 }
2473
9a91a04a
GP		 2474 l2cap_do_send(chan, skb);
2475 return len;
2476 }
2477
2478 switch (chan->mode) {
38319713 2479 case L2CAP_MODE_LE_FLOWCTL:
177f8f2b
JH		 2480 /* Check outgoing MTU */
2481 if (len > chan->omtu)
2482 return -EMSGSIZE;
2483
fad5fc89
JH		 2484 if (!chan->tx_credits)
2485 return -EAGAIN;
2486
177f8f2b
JH		 2487 __skb_queue_head_init(&seg_queue);
2488
2489 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2490
2491 if (chan->state != BT_CONNECTED) {
2492 __skb_queue_purge(&seg_queue);
2493 err = -ENOTCONN;
2494 }
2495
2496 if (err)
2497 return err;
2498
2499 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2500
2501 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2502 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2503 chan->tx_credits--;
2504 }
2505
2506 if (!chan->tx_credits)
2507 chan->ops->suspend(chan);
2508
2509 err = len;
2510
2511 break;
2512
fad5fc89 2513 case L2CAP_MODE_BASIC:
9a91a04a
GP		 2514 /* Check outgoing MTU */
2515 if (len > chan->omtu)
2516 return -EMSGSIZE;
2517
2518 /* Create a basic PDU */
8d46321c 2519 skb = l2cap_create_basic_pdu(chan, msg, len);
9a91a04a
GP		 2520 if (IS_ERR(skb))
2521 return PTR_ERR(skb);
2522
ede81a2a
AK		 2523 /* Channel lock is released before requesting new skb and then
2524 * reacquired thus we need to recheck channel state.
2525 */
2526 if (chan->state != BT_CONNECTED) {
2527 kfree_skb(skb);
2528 return -ENOTCONN;
2529 }
2530
9a91a04a
GP		 2531 l2cap_do_send(chan, skb);
2532 err = len;
2533 break;
2534
2535 case L2CAP_MODE_ERTM:
2536 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2537 /* Check outgoing MTU */
2538 if (len > chan->omtu) {
2539 err = -EMSGSIZE;
2540 break;
2541 }
9a91a04a 2542
94122bbe 2543 __skb_queue_head_init(&seg_queue);
9a91a04a 2544
94122bbe
MM		 2545 /* Do segmentation before calling in to the state machine,
2546 * since it's possible to block while waiting for memory
2547 * allocation.
2548 */
2549 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2550
94122bbe
MM		 2551 /* The channel could have been closed while segmenting,
2552 * check that it is still connected.
2553 */
2554 if (chan->state != BT_CONNECTED) {
2555 __skb_queue_purge(&seg_queue);
2556 err = -ENOTCONN;
9a91a04a
GP		 2557 }
2558
94122bbe 2559 if (err)
9a91a04a 2560 break;
9a91a04a 2561
3733937d 2562 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2563 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2564 else
d660366d 2565 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2566
d660366d 2567 err = len;
9a91a04a 2568
94122bbe
MM		 2569 /* If the skbs were not queued for sending, they'll still be in
2570 * seg_queue and need to be purged.
2571 */
2572 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2573 break;
2574
2575 default:
2576 BT_DBG("bad state %1.1x", chan->mode);
2577 err = -EBADFD;
2578 }
2579
2580 return err;
2581}
6b8d4a6a 2582EXPORT_SYMBOL_GPL(l2cap_chan_send);
9a91a04a 2583
d2a7ac5d
MM		 2584static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2585{
bed68bde
MM		 2586 struct l2cap_ctrl control;
2587 u16 seq;
2588
b4400672 2589 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2590
2591 memset(&control, 0, sizeof(control));
2592 control.sframe = 1;
2593 control.super = L2CAP_SUPER_SREJ;
2594
2595 for (seq = chan->expected_tx_seq; seq != txseq;
2596 seq = __next_seq(chan, seq)) {
2597 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2598 control.reqseq = seq;
2599 l2cap_send_sframe(chan, &control);
2600 l2cap_seq_list_append(&chan->srej_list, seq);
2601 }
2602 }
2603
2604 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2605}
2606
2607static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2608{
bed68bde
MM		 2609 struct l2cap_ctrl control;
2610
2611 BT_DBG("chan %p", chan);
2612
2613 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2614 return;
2615
2616 memset(&control, 0, sizeof(control));
2617 control.sframe = 1;
2618 control.super = L2CAP_SUPER_SREJ;
2619 control.reqseq = chan->srej_list.tail;
2620 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2621}
2622
2623static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2624{
bed68bde
MM		 2625 struct l2cap_ctrl control;
2626 u16 initial_head;
2627 u16 seq;
2628
b4400672 2629 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2630
2631 memset(&control, 0, sizeof(control));
2632 control.sframe = 1;
2633 control.super = L2CAP_SUPER_SREJ;
2634
2635 /* Capture initial list head to allow only one pass through the list. */
2636 initial_head = chan->srej_list.head;
2637
2638 do {
2639 seq = l2cap_seq_list_pop(&chan->srej_list);
2640 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2641 break;
2642
2643 control.reqseq = seq;
2644 l2cap_send_sframe(chan, &control);
2645 l2cap_seq_list_append(&chan->srej_list, seq);
2646 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2647}
2648
608bcc6d
MM		 2649static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2650{
2651 struct sk_buff *acked_skb;
2652 u16 ackseq;
2653
b4400672 2654 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2655
2656 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2657 return;
2658
b4400672 2659 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2660 chan->expected_ack_seq, chan->unacked_frames);
2661
2662 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2663 ackseq = __next_seq(chan, ackseq)) {
2664
2665 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2666 if (acked_skb) {
2667 skb_unlink(acked_skb, &chan->tx_q);
2668 kfree_skb(acked_skb);
2669 chan->unacked_frames--;
2670 }
2671 }
2672
2673 chan->expected_ack_seq = reqseq;
2674
2675 if (chan->unacked_frames == 0)
2676 __clear_retrans_timer(chan);
2677
b4400672 2678 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2679}
2680
2681static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2682{
2683 BT_DBG("chan %p", chan);
2684
2685 chan->expected_tx_seq = chan->buffer_seq;
2686 l2cap_seq_list_clear(&chan->srej_list);
2687 skb_queue_purge(&chan->srej_q);
2688 chan->rx_state = L2CAP_RX_STATE_RECV;
2689}
2690
d660366d
GP		 2691static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2692 struct l2cap_ctrl *control,
2693 struct sk_buff_head *skbs, u8 event)
608bcc6d 2694{
608bcc6d
MM		 2695 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2696 event);
2697
2698 switch (event) {
2699 case L2CAP_EV_DATA_REQUEST:
2700 if (chan->tx_send_head == NULL)
2701 chan->tx_send_head = skb_peek(skbs);
2702
2703 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2704 l2cap_ertm_send(chan);
2705 break;
2706 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2707 BT_DBG("Enter LOCAL_BUSY");
2708 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2709
2710 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2711 /* The SREJ_SENT state must be aborted if we are to
2712 * enter the LOCAL_BUSY state.
2713 */
2714 l2cap_abort_rx_srej_sent(chan);
2715 }
2716
2717 l2cap_send_ack(chan);
2718
2719 break;
2720 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2721 BT_DBG("Exit LOCAL_BUSY");
2722 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2723
2724 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2725 struct l2cap_ctrl local_control;
2726
2727 memset(&local_control, 0, sizeof(local_control));
2728 local_control.sframe = 1;
2729 local_control.super = L2CAP_SUPER_RR;
2730 local_control.poll = 1;
2731 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2732 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2733
2734 chan->retry_count = 1;
2735 __set_monitor_timer(chan);
2736 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2737 }
2738 break;
2739 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2740 l2cap_process_reqseq(chan, control->reqseq);
2741 break;
2742 case L2CAP_EV_EXPLICIT_POLL:
2743 l2cap_send_rr_or_rnr(chan, 1);
2744 chan->retry_count = 1;
2745 __set_monitor_timer(chan);
2746 __clear_ack_timer(chan);
2747 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2748 break;
2749 case L2CAP_EV_RETRANS_TO:
2750 l2cap_send_rr_or_rnr(chan, 1);
2751 chan->retry_count = 1;
2752 __set_monitor_timer(chan);
2753 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2754 break;
2755 case L2CAP_EV_RECV_FBIT:
2756 /* Nothing to process */
2757 break;
2758 default:
2759 break;
2760 }
608bcc6d
MM		 2761}
2762
d660366d
GP		 2763static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2764 struct l2cap_ctrl *control,
2765 struct sk_buff_head *skbs, u8 event)
608bcc6d 2766{
608bcc6d
MM		 2767 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2768 event);
2769
2770 switch (event) {
2771 case L2CAP_EV_DATA_REQUEST:
2772 if (chan->tx_send_head == NULL)
2773 chan->tx_send_head = skb_peek(skbs);
2774 /* Queue data, but don't send. */
2775 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2776 break;
2777 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2778 BT_DBG("Enter LOCAL_BUSY");
2779 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2780
2781 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2782 /* The SREJ_SENT state must be aborted if we are to
2783 * enter the LOCAL_BUSY state.
2784 */
2785 l2cap_abort_rx_srej_sent(chan);
2786 }
2787
2788 l2cap_send_ack(chan);
2789
2790 break;
2791 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2792 BT_DBG("Exit LOCAL_BUSY");
2793 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2794
2795 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2796 struct l2cap_ctrl local_control;
2797 memset(&local_control, 0, sizeof(local_control));
2798 local_control.sframe = 1;
2799 local_control.super = L2CAP_SUPER_RR;
2800 local_control.poll = 1;
2801 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2802 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2803
2804 chan->retry_count = 1;
2805 __set_monitor_timer(chan);
2806 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2807 }
2808 break;
2809 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2810 l2cap_process_reqseq(chan, control->reqseq);
2811
2812 /* Fall through */
2813
2814 case L2CAP_EV_RECV_FBIT:
2815 if (control && control->final) {
2816 __clear_monitor_timer(chan);
2817 if (chan->unacked_frames > 0)
2818 __set_retrans_timer(chan);
2819 chan->retry_count = 0;
2820 chan->tx_state = L2CAP_TX_STATE_XMIT;
2821 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2822 }
2823 break;
2824 case L2CAP_EV_EXPLICIT_POLL:
2825 /* Ignore */
2826 break;
2827 case L2CAP_EV_MONITOR_TO:
2828 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2829 l2cap_send_rr_or_rnr(chan, 1);
2830 __set_monitor_timer(chan);
2831 chan->retry_count++;
2832 } else {
5e4e3972 2833 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2834 }
2835 break;
2836 default:
2837 break;
2838 }
608bcc6d
MM		 2839}
2840
d660366d
GP		 2841static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2842 struct sk_buff_head *skbs, u8 event)
608bcc6d 2843{
608bcc6d
MM		 2844 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2845 chan, control, skbs, event, chan->tx_state);
2846
2847 switch (chan->tx_state) {
2848 case L2CAP_TX_STATE_XMIT:
d660366d 2849 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2850 break;
2851 case L2CAP_TX_STATE_WAIT_F:
d660366d 2852 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2853 break;
2854 default:
2855 /* Ignore event */
2856 break;
2857 }
608bcc6d
MM		 2858}
2859
4b51dae9
MM		 2860static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2861 struct l2cap_ctrl *control)
2862{
2863 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2864 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2865}
2866
f80842a8
MM		 2867static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2868 struct l2cap_ctrl *control)
2869{
2870 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2871 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2872}
2873
1da177e4
LT		 2874/* Copy frame to all raw sockets on that connection */
2875static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2876{
1da177e4 2877 struct sk_buff *nskb;
48454079 2878 struct l2cap_chan *chan;
1da177e4
LT		 2879
2880 BT_DBG("conn %p", conn);
2881
3df91ea2 2882 mutex_lock(&conn->chan_lock);
3d57dc68 2883
3df91ea2 2884 list_for_each_entry(chan, &conn->chan_l, list) {
715ec005 2885 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2886 continue;
2887
7f5396a7
GP		 2888 /* Don't send frame to the channel it came from */
2889 if (bt_cb(skb)->chan == chan)
1da177e4 2890 continue;
7f5396a7 2891
8bcde1f2 2892 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2893 if (!nskb)
1da177e4 2894 continue;
80b98027 2895 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2896 kfree_skb(nskb);
2897 }
3d57dc68 2898
3df91ea2 2899 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2900}
2901
2902/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2903static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2904 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2905{
2906 struct sk_buff *skb, **frag;
2907 struct l2cap_cmd_hdr *cmd;
2908 struct l2cap_hdr *lh;
2909 int len, count;
2910
b4400672
AE		 2911 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2912 conn, code, ident, dlen);
1da177e4 2913
300b962e
AL		 2914 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2915 return NULL;
2916
1da177e4
LT		 2917 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2918 count = min_t(unsigned int, conn->mtu, len);
2919
8bcde1f2 2920 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2921 if (!skb)
2922 return NULL;
2923
2924 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2925 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2926
2927 if (conn->hcon->type == LE_LINK)
dcf4adbf 2928 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2929 else
dcf4adbf 2930 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2931
2932 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2933 cmd->code = code;
2934 cmd->ident = ident;
aca3192c 2935 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2936
2937 if (dlen) {
2938 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2939 memcpy(skb_put(skb, count), data, count);
2940 data += count;
2941 }
2942
2943 len -= skb->len;
2944
2945 /* Continuation fragments (no L2CAP header) */
2946 frag = &skb_shinfo(skb)->frag_list;
2947 while (len) {
2948 count = min_t(unsigned int, conn->mtu, len);
2949
8bcde1f2 2950 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2951 if (!*frag)
2952 goto fail;
2953
2954 memcpy(skb_put(*frag, count), data, count);
2955
2956 len -= count;
2957 data += count;
2958
2959 frag = &(*frag)->next;
2960 }
2961
2962 return skb;
2963
2964fail:
2965 kfree_skb(skb);
2966 return NULL;
2967}
2968
2d792818
GP		 2969static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2970 unsigned long *val)
1da177e4
LT		 2971{
2972 struct l2cap_conf_opt *opt = *ptr;
2973 int len;
2974
2975 len = L2CAP_CONF_OPT_SIZE + opt->len;
2976 *ptr += len;
2977
2978 *type = opt->type;
2979 *olen = opt->len;
2980
2981 switch (opt->len) {
2982 case 1:
2983 *val = *((u8 *) opt->val);
2984 break;
2985
2986 case 2:
bfaaeb3e 2987 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2988 break;
2989
2990 case 4:
bfaaeb3e 2991 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2992 break;
2993
2994 default:
2995 *val = (unsigned long) opt->val;
2996 break;
2997 }
2998
b4400672 2999 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 3000 return len;
3001}
3002
1da177e4
LT		 3003static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
3004{
3005 struct l2cap_conf_opt *opt = *ptr;
3006
b4400672 3007 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 3008
3009 opt->type = type;
3010 opt->len = len;
3011
3012 switch (len) {
3013 case 1:
3014 *((u8 *) opt->val) = val;
3015 break;
3016
3017 case 2:
4f8b691c 3018 put_unaligned_le16(val, opt->val);
1da177e4
LT		 3019 break;
3020
3021 case 4:
4f8b691c 3022 put_unaligned_le32(val, opt->val);
1da177e4
LT		 3023 break;
3024
3025 default:
3026 memcpy(opt->val, (void *) val, len);
3027 break;
3028 }
3029
3030 *ptr += L2CAP_CONF_OPT_SIZE + len;
3031}
3032
f89cef09
AE		 3033static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3034{
3035 struct l2cap_conf_efs efs;
3036
1ec918ce 3037 switch (chan->mode) {
f89cef09
AE		 3038 case L2CAP_MODE_ERTM:
3039 efs.id = chan->local_id;
3040 efs.stype = chan->local_stype;
3041 efs.msdu = cpu_to_le16(chan->local_msdu);
3042 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
dcf4adbf
JP		 3043 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3044 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 3045 break;
3046
3047 case L2CAP_MODE_STREAMING:
3048 efs.id = 1;
3049 efs.stype = L2CAP_SERV_BESTEFFORT;
3050 efs.msdu = cpu_to_le16(chan->local_msdu);
3051 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3052 efs.acc_lat = 0;
3053 efs.flush_to = 0;
3054 break;
3055
3056 default:
3057 return;
3058 }
3059
3060 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3061 (unsigned long) &efs);
f89cef09
AE		 3062}
3063
721c4181 3064static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3065{
721c4181 3066 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3067 ack_timer.work);
3068 u16 frames_to_ack;
c1b4f43b 3069
2fb9b3d4
GP		 3070 BT_DBG("chan %p", chan);
3071
6be36555
AE		 3072 l2cap_chan_lock(chan);
3073
0362520b
MM		 3074 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3075 chan->last_acked_seq);
6be36555 3076
0362520b
MM		 3077 if (frames_to_ack)
3078 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3079
0362520b 3080 l2cap_chan_unlock(chan);
09bfb2ee 3081 l2cap_chan_put(chan);
c1b4f43b
GP		 3082}
3083
466f8004 3084int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3085{
3c588192
MM		 3086 int err;
3087
105bdf9e
MM		 3088 chan->next_tx_seq = 0;
3089 chan->expected_tx_seq = 0;
42e5c802 3090 chan->expected_ack_seq = 0;
6a026610 3091 chan->unacked_frames = 0;
42e5c802 3092 chan->buffer_seq = 0;
6a026610 3093 chan->frames_sent = 0;
105bdf9e
MM		 3094 chan->last_acked_seq = 0;
3095 chan->sdu = NULL;
3096 chan->sdu_last_frag = NULL;
3097 chan->sdu_len = 0;
3098
d34c34fb
MM		 3099 skb_queue_head_init(&chan->tx_q);
3100
6ed971ca
MH		 3101 chan->local_amp_id = AMP_ID_BREDR;
3102 chan->move_id = AMP_ID_BREDR;
08333283
MM		 3103 chan->move_state = L2CAP_MOVE_STABLE;
3104 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3105
105bdf9e
MM		 3106 if (chan->mode != L2CAP_MODE_ERTM)
3107 return 0;
3108
3109 chan->rx_state = L2CAP_RX_STATE_RECV;
3110 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3111
721c4181
GP		 3112 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3113 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3114 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3115
f1c6775b 3116 skb_queue_head_init(&chan->srej_q);
1890d36b 3117
3c588192
MM		 3118 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3119 if (err < 0)
3120 return err;
3121
9dc9affc
MM		 3122 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3123 if (err < 0)
3124 l2cap_seq_list_free(&chan->srej_list);
3125
3126 return err;
0565c1c2
GP		 3127}
3128
f2fcfcd6
GP		 3129static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3130{
3131 switch (mode) {
3132 case L2CAP_MODE_STREAMING:
3133 case L2CAP_MODE_ERTM:
3134 if (l2cap_mode_supported(mode, remote_feat_mask))
3135 return mode;
3136 /* fall through */
3137 default:
3138 return L2CAP_MODE_BASIC;
3139 }
3140}
3141
848566b3 3142static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
6327eb98 3143{
848566b3 3144 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
6327eb98
AE		 3145}
3146
848566b3 3147static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
f89cef09 3148{
848566b3 3149 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
f89cef09
AE		 3150}
3151
36c86c85
MM		 3152static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3153 struct l2cap_conf_rfc *rfc)
3154{
6ed971ca 3155 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
36c86c85
MM		 3156 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3157
3158 /* Class 1 devices have must have ERTM timeouts
3159 * exceeding the Link Supervision Timeout. The
3160 * default Link Supervision Timeout for AMP
3161 * controllers is 10 seconds.
3162 *
3163 * Class 1 devices use 0xffffffff for their
3164 * best-effort flush timeout, so the clamping logic
3165 * will result in a timeout that meets the above
3166 * requirement. ERTM timeouts are 16-bit values, so
3167 * the maximum timeout is 65.535 seconds.
3168 */
3169
3170 /* Convert timeout to milliseconds and round */
3171 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3172
3173 /* This is the recommended formula for class 2 devices
3174 * that start ERTM timers when packets are sent to the
3175 * controller.
3176 */
3177 ertm_to = 3 * ertm_to + 500;
3178
3179 if (ertm_to > 0xffff)
3180 ertm_to = 0xffff;
3181
3182 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3183 rfc->monitor_timeout = rfc->retrans_timeout;
3184 } else {
dcf4adbf
JP		 3185 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3186 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
36c86c85
MM		 3187 }
3188}
3189
6327eb98
AE		 3190static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3191{
3192 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
848566b3 3193 __l2cap_ews_supported(chan->conn)) {
6327eb98
AE		 3194 /* use extended control field */
3195 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3196 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3197 } else {
6327eb98 3198 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3199 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3200 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3201 }
c20f8e35 3202 chan->ack_win = chan->tx_win;
6327eb98
AE		 3203}
3204
710f9b0a 3205static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3206{
1da177e4 3207 struct l2cap_conf_req *req = data;
0c1bc5c6 3208 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3209 void *ptr = req->data;
c8f79162 3210 u16 size;
1da177e4 3211
49208c9c 3212 BT_DBG("chan %p", chan);
1da177e4 3213
73ffa904 3214 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3215 goto done;
3216
0c1bc5c6 3217 switch (chan->mode) {
f2fcfcd6
GP		 3218 case L2CAP_MODE_STREAMING:
3219 case L2CAP_MODE_ERTM:
c1360a1c 3220 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3221 break;
85eb53c6 3222
848566b3 3223 if (__l2cap_efs_supported(chan->conn))
f89cef09
AE		 3224 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3225
2ba13ed6 3226 /* fall through */
f2fcfcd6 3227 default:
8c1d787b 3228 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3229 break;
3230 }
3231
3232done:
0c1bc5c6
GP		 3233 if (chan->imtu != L2CAP_DEFAULT_MTU)
3234 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3235
0c1bc5c6 3236 switch (chan->mode) {
65c7c491 3237 case L2CAP_MODE_BASIC:
6fea7ad1
MH		 3238 if (disable_ertm)
3239 break;
3240
8c1d787b 3241 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3242 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3243 break;
3244
62547752
GP		 3245 rfc.mode = L2CAP_MODE_BASIC;
3246 rfc.txwin_size = 0;
3247 rfc.max_transmit = 0;
3248 rfc.retrans_timeout = 0;
3249 rfc.monitor_timeout = 0;
3250 rfc.max_pdu_size = 0;
3251
63406504 3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3253 (unsigned long) &rfc);
65c7c491
MH		 3254 break;
3255
3256 case L2CAP_MODE_ERTM:
3257 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3258 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3259
3260 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3261
3262 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3263 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3264 L2CAP_FCS_SIZE);
c8f79162 3265 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3266
6327eb98
AE		 3267 l2cap_txwin_setup(chan);
3268
3269 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3270 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3271
63406504 3272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3273 (unsigned long) &rfc);
63406504 3274
f89cef09
AE		 3275 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3276 l2cap_add_opt_efs(&ptr, chan);
3277
6327eb98
AE		 3278 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3280 chan->tx_win);
60918918
AE		 3281
3282 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3283 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3284 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3285 chan->fcs = L2CAP_FCS_NONE;
3286 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3287 chan->fcs);
3288 }
f2fcfcd6
GP		 3289 break;
3290
3291 case L2CAP_MODE_STREAMING:
273759e2 3292 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3293 rfc.mode = L2CAP_MODE_STREAMING;
3294 rfc.txwin_size = 0;
3295 rfc.max_transmit = 0;
3296 rfc.retrans_timeout = 0;
3297 rfc.monitor_timeout = 0;
c8f79162
AE		 3298
3299 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3300 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3301 L2CAP_FCS_SIZE);
c8f79162 3302 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3303
63406504 3304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3305 (unsigned long) &rfc);
63406504 3306
f89cef09
AE		 3307 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3308 l2cap_add_opt_efs(&ptr, chan);
3309
60918918
AE		 3310 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3311 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3312 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3313 chan->fcs = L2CAP_FCS_NONE;
3314 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3315 chan->fcs);
3316 }
65c7c491
MH		 3317 break;
3318 }
1da177e4 3319
fe4128e0 3320 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3321 req->flags = cpu_to_le16(0);
1da177e4
LT		 3322
3323 return ptr - data;
3324}
3325
73ffa904 3326static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3327{
5dee9e7c
MH		 3328 struct l2cap_conf_rsp *rsp = data;
3329 void *ptr = rsp->data;
73ffa904
GP		 3330 void *req = chan->conf_req;
3331 int len = chan->conf_len;
5dee9e7c
MH		 3332 int type, hint, olen;
3333 unsigned long val;
6464f35f 3334 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3335 struct l2cap_conf_efs efs;
3336 u8 remote_efs = 0;
861d6882 3337 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3338 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3339 u16 size;
1da177e4 3340
73ffa904 3341 BT_DBG("chan %p", chan);
820ae1b8 3342
5dee9e7c
MH		 3343 while (len >= L2CAP_CONF_OPT_SIZE) {
3344 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3345
589d2746 3346 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3347 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3348
3349 switch (type) {
3350 case L2CAP_CONF_MTU:
861d6882 3351 mtu = val;
5dee9e7c
MH		 3352 break;
3353
3354 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3355 chan->flush_to = val;
5dee9e7c
MH		 3356 break;
3357
3358 case L2CAP_CONF_QOS:
3359 break;
3360
6464f35f
MH		 3361 case L2CAP_CONF_RFC:
3362 if (olen == sizeof(rfc))
3363 memcpy(&rfc, (void *) val, olen);
3364 break;
3365
fcc203c3
GP		 3366 case L2CAP_CONF_FCS:
3367 if (val == L2CAP_FCS_NONE)
f2592d3e 3368 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3369 break;
fcc203c3 3370
42dceae2
AE		 3371 case L2CAP_CONF_EFS:
3372 remote_efs = 1;
3373 if (olen == sizeof(efs))
3374 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3375 break;
3376
6327eb98 3377 case L2CAP_CONF_EWS:
848566b3 3378 if (!chan->conn->hs_enabled)
6327eb98 3379 return -ECONNREFUSED;
fcc203c3 3380
6327eb98
AE		 3381 set_bit(FLAG_EXT_CTRL, &chan->flags);
3382 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3383 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3384 chan->remote_tx_win = val;
fcc203c3
GP		 3385 break;
3386
5dee9e7c
MH		 3387 default:
3388 if (hint)
3389 break;
3390
3391 result = L2CAP_CONF_UNKNOWN;
3392 *((u8 *) ptr++) = type;
3393 break;
3394 }
3395 }
3396
73ffa904 3397 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3398 goto done;
3399
0c1bc5c6 3400 switch (chan->mode) {
f2fcfcd6
GP		 3401 case L2CAP_MODE_STREAMING:
3402 case L2CAP_MODE_ERTM:
c1360a1c 3403 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3404 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3405 chan->conn->feat_mask);
85eb53c6
GP		 3406 break;
3407 }
3408
42dceae2 3409 if (remote_efs) {
848566b3 3410 if (__l2cap_efs_supported(chan->conn))
42dceae2
AE		 3411 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3412 else
3413 return -ECONNREFUSED;
3414 }
3415
0c1bc5c6 3416 if (chan->mode != rfc.mode)
f2fcfcd6 3417 return -ECONNREFUSED;
742e519b 3418
f2fcfcd6 3419 break;
f2fcfcd6
GP		 3420 }
3421
3422done:
0c1bc5c6 3423 if (chan->mode != rfc.mode) {
f2fcfcd6 3424 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3425 rfc.mode = chan->mode;
f2fcfcd6 3426
73ffa904 3427 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3428 return -ECONNREFUSED;
3429
2d792818
GP		 3430 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3431 (unsigned long) &rfc);
f2fcfcd6
GP		 3432 }
3433
5dee9e7c
MH		 3434 if (result == L2CAP_CONF_SUCCESS) {
3435 /* Configure output options and let the other side know
3436 * which ones we don't like. */
3437
f2fcfcd6
GP		 3438 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3439 result = L2CAP_CONF_UNACCEPT;
3440 else {
0c1bc5c6 3441 chan->omtu = mtu;
c1360a1c 3442 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3443 }
0c1bc5c6 3444 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3445
42dceae2
AE		 3446 if (remote_efs) {
3447 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3448 efs.stype != L2CAP_SERV_NOTRAFIC &&
3449 efs.stype != chan->local_stype) {
42dceae2
AE		 3450
3451 result = L2CAP_CONF_UNACCEPT;
3452
3453 if (chan->num_conf_req >= 1)
3454 return -ECONNREFUSED;
3455
3456 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3457 sizeof(efs),
3458 (unsigned long) &efs);
0e8b207e 3459 } else {
3e6b3b95 3460 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3461 result = L2CAP_CONF_PENDING;
3462 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3463 }
3464 }
3465
f2fcfcd6
GP		 3466 switch (rfc.mode) {
3467 case L2CAP_MODE_BASIC:
47d1ec61 3468 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3469 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3470 break;
3471
3472 case L2CAP_MODE_ERTM:
6327eb98
AE		 3473 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3474 chan->remote_tx_win = rfc.txwin_size;
3475 else
3476 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3477
2c03a7a4 3478 chan->remote_max_tx = rfc.max_transmit;
1c762159 3479
c8f79162 3480 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3481 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3482 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3483 rfc.max_pdu_size = cpu_to_le16(size);
3484 chan->remote_mps = size;
f2fcfcd6 3485
36c86c85 3486 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3487
c1360a1c 3488 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3489
3490 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3491 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3492
42dceae2
AE		 3493 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3494 chan->remote_id = efs.id;
3495 chan->remote_stype = efs.stype;
3496 chan->remote_msdu = le16_to_cpu(efs.msdu);
3497 chan->remote_flush_to =
2d792818 3498 le32_to_cpu(efs.flush_to);
42dceae2 3499 chan->remote_acc_lat =
2d792818 3500 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3501 chan->remote_sdu_itime =
3502 le32_to_cpu(efs.sdu_itime);
3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3504 sizeof(efs),
3505 (unsigned long) &efs);
42dceae2 3506 }
f2fcfcd6
GP		 3507 break;
3508
3509 case L2CAP_MODE_STREAMING:
c8f79162 3510 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3511 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3512 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3513 rfc.max_pdu_size = cpu_to_le16(size);
3514 chan->remote_mps = size;
f2fcfcd6 3515
c1360a1c 3516 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3517
2d792818
GP		 3518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3519 (unsigned long) &rfc);
68ae6639 3520
f2fcfcd6
GP		 3521 break;
3522
3523 default:
5dee9e7c 3524 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3525
6464f35f 3526 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3527 rfc.mode = chan->mode;
f2fcfcd6 3528 }
6464f35f 3529
f2fcfcd6 3530 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3531 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3532 }
fe4128e0 3533 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3534 rsp->result = cpu_to_le16(result);
dcf4adbf 3535 rsp->flags = cpu_to_le16(0);
5dee9e7c
MH		 3536
3537 return ptr - data;
1da177e4
LT		 3538}
3539
2d792818
GP		 3540static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3541 void *data, u16 *result)
f2fcfcd6 3542{
f2fcfcd6
GP		 3543 struct l2cap_conf_req *req = data;
3544 void *ptr = req->data;
3545 int type, olen;
3546 unsigned long val;
36e999a8 3547 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3548 struct l2cap_conf_efs efs;
f2fcfcd6 3549
fe4128e0 3550 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3551
3552 while (len >= L2CAP_CONF_OPT_SIZE) {
3553 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3554
3555 switch (type) {
3556 case L2CAP_CONF_MTU:
3557 if (val < L2CAP_DEFAULT_MIN_MTU) {
3558 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3559 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3560 } else
0c1bc5c6
GP		 3561 chan->imtu = val;
3562 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3563 break;
3564
3565 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3566 chan->flush_to = val;
f2fcfcd6 3567 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3568 2, chan->flush_to);
f2fcfcd6
GP		 3569 break;
3570
3571 case L2CAP_CONF_RFC:
3572 if (olen == sizeof(rfc))
3573 memcpy(&rfc, (void *)val, olen);
3574
c1360a1c 3575 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3576 rfc.mode != chan->mode)
f2fcfcd6
GP		 3577 return -ECONNREFUSED;
3578
47d1ec61 3579 chan->fcs = 0;
f2fcfcd6
GP		 3580
3581 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3582 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3583 break;
6327eb98
AE		 3584
3585 case L2CAP_CONF_EWS:
c20f8e35 3586 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3587 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3588 chan->tx_win);
6327eb98 3589 break;
66af7aaf
AE		 3590
3591 case L2CAP_CONF_EFS:
3592 if (olen == sizeof(efs))
3593 memcpy(&efs, (void *)val, olen);
3594
3595 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3596 efs.stype != L2CAP_SERV_NOTRAFIC &&
3597 efs.stype != chan->local_stype)
66af7aaf
AE		 3598 return -ECONNREFUSED;
3599
2d792818
GP		 3600 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3601 (unsigned long) &efs);
66af7aaf 3602 break;
cbabee78
AE		 3603
3604 case L2CAP_CONF_FCS:
3605 if (*result == L2CAP_CONF_PENDING)
3606 if (val == L2CAP_FCS_NONE)
f2592d3e 3607 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3608 &chan->conf_state);
3609 break;
f2fcfcd6
GP		 3610 }
3611 }
3612
0c1bc5c6 3613 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3614 return -ECONNREFUSED;
3615
0c1bc5c6 3616 chan->mode = rfc.mode;
6c2ea7a8 3617
0e8b207e 3618 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3619 switch (rfc.mode) {
3620 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3621 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3622 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3623 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3624 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3625 chan->ack_win = min_t(u16, chan->ack_win,
3626 rfc.txwin_size);
66af7aaf
AE		 3627
3628 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3629 chan->local_msdu = le16_to_cpu(efs.msdu);
3630 chan->local_sdu_itime =
2d792818 3631 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3632 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3633 chan->local_flush_to =
2d792818 3634 le32_to_cpu(efs.flush_to);
66af7aaf 3635 }
f2fcfcd6 3636 break;
66af7aaf 3637
f2fcfcd6 3638 case L2CAP_MODE_STREAMING:
47d1ec61 3639 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3640 }
3641 }
3642
fe4128e0 3643 req->dcid = cpu_to_le16(chan->dcid);
dcf4adbf 3644 req->flags = cpu_to_le16(0);
f2fcfcd6
GP		 3645
3646 return ptr - data;
3647}
3648
2d792818
GP		 3649static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3650 u16 result, u16 flags)
1da177e4
LT		 3651{
3652 struct l2cap_conf_rsp *rsp = data;
3653 void *ptr = rsp->data;
1da177e4 3654
fe4128e0 3655 BT_DBG("chan %p", chan);
1da177e4 3656
fe4128e0 3657 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3658 rsp->result = cpu_to_le16(result);
aca3192c 3659 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3660
3661 return ptr - data;
3662}
3663
27e2d4c8
JH		 3664void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3665{
3666 struct l2cap_le_conn_rsp rsp;
3667 struct l2cap_conn *conn = chan->conn;
3668
3669 BT_DBG("chan %p", chan);
3670
3671 rsp.dcid = cpu_to_le16(chan->scid);
3672 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 3673 rsp.mps = cpu_to_le16(chan->mps);
0cd75f7e 3674 rsp.credits = cpu_to_le16(chan->rx_credits);
dcf4adbf 3675 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
27e2d4c8
JH		 3676
3677 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3678 &rsp);
3679}
3680
8c1d787b 3681void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3682{
3683 struct l2cap_conn_rsp rsp;
8c1d787b 3684 struct l2cap_conn *conn = chan->conn;
710f9b0a 3685 u8 buf[128];
439f34ac 3686 u8 rsp_code;
710f9b0a 3687
fe4128e0
GP		 3688 rsp.scid = cpu_to_le16(chan->dcid);
3689 rsp.dcid = cpu_to_le16(chan->scid);
dcf4adbf
JP		 3690 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3691 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3692
3693 if (chan->hs_hcon)
3694 rsp_code = L2CAP_CREATE_CHAN_RSP;
3695 else
3696 rsp_code = L2CAP_CONN_RSP;
3697
3698 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3699
3700 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3701
c1360a1c 3702 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3703 return;
3704
710f9b0a 3705 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3706 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3707 chan->num_conf_req++;
3708}
3709
47d1ec61 3710static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3711{
7b1c0049
GP		 3712 int type, olen;
3713 unsigned long val;
c20f8e35
MM		 3714 /* Use sane default values in case a misbehaving remote device
3715 * did not send an RFC or extended window size option.
3716 */
3717 u16 txwin_ext = chan->ack_win;
3718 struct l2cap_conf_rfc rfc = {
3719 .mode = chan->mode,
dcf4adbf
JP		 3720 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3721 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
c20f8e35
MM		 3722 .max_pdu_size = cpu_to_le16(chan->imtu),
3723 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3724 };
7b1c0049 3725
47d1ec61 3726 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3727
0c1bc5c6 3728 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3729 return;
3730
3731 while (len >= L2CAP_CONF_OPT_SIZE) {
3732 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3733
c20f8e35
MM		 3734 switch (type) {
3735 case L2CAP_CONF_RFC:
3736 if (olen == sizeof(rfc))
3737 memcpy(&rfc, (void *)val, olen);
8f321f85 3738 break;
c20f8e35
MM		 3739 case L2CAP_CONF_EWS:
3740 txwin_ext = val;
3741 break;
3742 }
7b1c0049
GP		 3743 }
3744
7b1c0049
GP		 3745 switch (rfc.mode) {
3746 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3747 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3748 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3749 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3750 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3751 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3752 else
3753 chan->ack_win = min_t(u16, chan->ack_win,
3754 rfc.txwin_size);
7b1c0049
GP		 3755 break;
3756 case L2CAP_MODE_STREAMING:
47d1ec61 3757 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3758 }
3759}
3760
2d792818 3761static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3762 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3763 u8 *data)
4e8402a3 3764{
e2fd318e 3765 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3766
cb3b3152
JH		 3767 if (cmd_len < sizeof(*rej))
3768 return -EPROTO;
3769
e2fd318e 3770 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3771 return 0;
3772
3773 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3774 cmd->ident == conn->info_ident) {
17cd3f37 3775 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3776
3777 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3778 conn->info_ident = 0;
984947dc 3779
4e8402a3
MH		 3780 l2cap_conn_start(conn);
3781 }
3782
3783 return 0;
3784}
3785
1700915f
MM		 3786static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3787 struct l2cap_cmd_hdr *cmd,
3788 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3789{
1da177e4
LT		 3790 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3791 struct l2cap_conn_rsp rsp;
23691d75 3792 struct l2cap_chan *chan = NULL, *pchan;
e7c29cb1 3793 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3794
3795 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3796 __le16 psm = req->psm;
1da177e4 3797
097db76c 3798 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3799
3800 /* Check if we have socket listening on psm */
6f59b904 3801 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
bf20fd4e 3802 &conn->hcon->dst, ACL_LINK);
23691d75 3803 if (!pchan) {
1da177e4
LT		 3804 result = L2CAP_CR_BAD_PSM;
3805 goto sendresp;
3806 }
3807
3df91ea2 3808 mutex_lock(&conn->chan_lock);
8ffb9290 3809 l2cap_chan_lock(pchan);
e0f0cb56 3810
e7c29cb1 3811 /* Check if the ACL is secure enough (if not SDP) */
dcf4adbf 3812 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3813 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3814 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3815 result = L2CAP_CR_SEC_BLOCK;
3816 goto response;
3817 }
3818
1da177e4
LT		 3819 result = L2CAP_CR_NO_MEM;
3820
2dfa1003
GP		 3821 /* Check if we already have channel with that dcid */
3822 if (__l2cap_get_chan_by_dcid(conn, scid))
3823 goto response;
3824
80b98027 3825 chan = pchan->ops->new_connection(pchan);
80808e43 3826 if (!chan)
1da177e4
LT		 3827 goto response;
3828
330b6c15
SS		 3829 /* For certain devices (ex: HID mouse), support for authentication,
3830 * pairing and bonding is optional. For such devices, inorder to avoid
3831 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3832 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3833 */
3834 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3835
7eafc59e
MH		 3836 bacpy(&chan->src, &conn->hcon->src);
3837 bacpy(&chan->dst, &conn->hcon->dst);
4f1654e0
MH		 3838 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3839 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
fe4128e0
GP		 3840 chan->psm = psm;
3841 chan->dcid = scid;
1700915f 3842 chan->local_amp_id = amp_id;
1da177e4 3843
6be36555 3844 __l2cap_chan_add(conn, chan);
48454079 3845
fe4128e0 3846 dcid = chan->scid;
1da177e4 3847
8d836d71 3848 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1da177e4 3849
fc7f8a7e 3850 chan->ident = cmd->ident;
1da177e4 3851
984947dc 3852 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
e7cafc45 3853 if (l2cap_chan_check_security(chan, false)) {
bdc25783 3854 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
f93fa273 3855 l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3856 result = L2CAP_CR_PEND;
3857 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3858 chan->ops->defer(chan);
f66dc81f 3859 } else {
1700915f
MM		 3860 /* Force pending result for AMP controllers.
3861 * The connection will succeed after the
3862 * physical link is up.
3863 */
6ed971ca 3864 if (amp_id == AMP_ID_BREDR) {
f93fa273 3865 l2cap_state_change(chan, BT_CONFIG);
1700915f 3866 result = L2CAP_CR_SUCCESS;
6ed971ca 3867 } else {
f93fa273 3868 l2cap_state_change(chan, BT_CONNECT2);
6ed971ca 3869 result = L2CAP_CR_PEND;
1700915f 3870 }
f66dc81f
MH		 3871 status = L2CAP_CS_NO_INFO;
3872 }
79d554a6 3873 } else {
f93fa273 3874 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3875 result = L2CAP_CR_PEND;
3876 status = L2CAP_CS_AUTHEN_PEND;
3877 }
3878 } else {
f93fa273 3879 l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3880 result = L2CAP_CR_PEND;
3881 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3882 }
3883
1da177e4 3884response:
8ffb9290 3885 l2cap_chan_unlock(pchan);
3df91ea2 3886 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3887
3888sendresp:
aca3192c
YH		 3889 rsp.scid = cpu_to_le16(scid);
3890 rsp.dcid = cpu_to_le16(dcid);
3891 rsp.result = cpu_to_le16(result);
3892 rsp.status = cpu_to_le16(status);
4c89b6aa 3893 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3894
3895 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3896 struct l2cap_info_req info;
dcf4adbf 3897 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3898
3899 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3900 conn->info_ident = l2cap_get_ident(conn);
3901
ba13ccd9 3902 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3903
2d792818
GP		 3904 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3905 sizeof(info), &info);
79d554a6
MH		 3906 }
3907
c1360a1c 3908 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3909 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3910 u8 buf[128];
c1360a1c 3911 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3912 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3913 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3914 chan->num_conf_req++;
e9aeb2dd 3915 }
1700915f
MM		 3916
3917 return chan;
4c89b6aa 3918}
e9aeb2dd 3919
4c89b6aa 3920static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3921 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3922{
7b064eda
JK		 3923 struct hci_dev *hdev = conn->hcon->hdev;
3924 struct hci_conn *hcon = conn->hcon;
3925
cb3b3152
JH		 3926 if (cmd_len < sizeof(struct l2cap_conn_req))
3927 return -EPROTO;
3928
7b064eda
JK		 3929 hci_dev_lock(hdev);
3930 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3931 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3932 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3933 hcon->dst_type, 0, NULL, 0,
3934 hcon->dev_class);
3935 hci_dev_unlock(hdev);
3936
300229f9 3937 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3938 return 0;
3939}
3940
5909cf30 3941static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3942 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3943 u8 *data)
1da177e4
LT		 3944{
3945 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3946 u16 scid, dcid, result, status;
48454079 3947 struct l2cap_chan *chan;
1da177e4 3948 u8 req[128];
3df91ea2 3949 int err;
1da177e4 3950
cb3b3152
JH		 3951 if (cmd_len < sizeof(*rsp))
3952 return -EPROTO;
3953
1da177e4
LT		 3954 scid = __le16_to_cpu(rsp->scid);
3955 dcid = __le16_to_cpu(rsp->dcid);
3956 result = __le16_to_cpu(rsp->result);
3957 status = __le16_to_cpu(rsp->status);
3958
1b009c98 3959 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3960 dcid, scid, result, status);
1da177e4 3961
3df91ea2
AE		 3962 mutex_lock(&conn->chan_lock);
3963
1da177e4 3964 if (scid) {
3df91ea2
AE		 3965 chan = __l2cap_get_chan_by_scid(conn, scid);
3966 if (!chan) {
21870b52 3967 err = -EBADSLT;
3df91ea2
AE		 3968 goto unlock;
3969 }
1da177e4 3970 } else {
3df91ea2
AE		 3971 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3972 if (!chan) {
21870b52 3973 err = -EBADSLT;
3df91ea2
AE		 3974 goto unlock;
3975 }
1da177e4
LT		 3976 }
3977
3df91ea2
AE		 3978 err = 0;
3979
6be36555 3980 l2cap_chan_lock(chan);
48454079 3981
1da177e4
LT		 3982 switch (result) {
3983 case L2CAP_CR_SUCCESS:
89bc500e 3984 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3985 chan->ident = 0;
fe4128e0 3986 chan->dcid = dcid;
c1360a1c 3987 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3988
c1360a1c 3989 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3990 break;
3991
1da177e4 3992 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3993 l2cap_build_conf_req(chan, req), req);
73ffa904 3994 chan->num_conf_req++;
1da177e4
LT		 3995 break;
3996
3997 case L2CAP_CR_PEND:
c1360a1c 3998 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3999 break;
4000
4001 default:
48454079 4002 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 4003 break;
4004 }
4005
6be36555 4006 l2cap_chan_unlock(chan);
3df91ea2
AE		 4007
4008unlock:
4009 mutex_unlock(&conn->chan_lock);
4010
4011 return err;
1da177e4
LT		 4012}
4013
47d1ec61 4014static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 4015{
4016 /* FCS is enabled only in ERTM or streaming mode, if one or both
4017 * sides request it.
4018 */
0c1bc5c6 4019 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 4020 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 4021 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 4022 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 4023}
4024
29d8a590
AE		 4025static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4026 u8 ident, u16 flags)
4027{
4028 struct l2cap_conn *conn = chan->conn;
4029
4030 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4031 flags);
4032
4033 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4034 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4035
4036 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4037 l2cap_build_conf_rsp(chan, data,
4038 L2CAP_CONF_SUCCESS, flags), data);
4039}
4040
662d652d
JH		 4041static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4042 u16 scid, u16 dcid)
4043{
4044 struct l2cap_cmd_rej_cid rej;
4045
dcf4adbf 4046 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
662d652d
JH		 4047 rej.scid = __cpu_to_le16(scid);
4048 rej.dcid = __cpu_to_le16(dcid);
4049
4050 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4051}
4052
2d792818
GP		 4053static inline int l2cap_config_req(struct l2cap_conn *conn,
4054 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4055 u8 *data)
1da177e4
LT		 4056{
4057 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4058 u16 dcid, flags;
4059 u8 rsp[64];
48454079 4060 struct l2cap_chan *chan;
3c588192 4061 int len, err = 0;
1da177e4 4062
cb3b3152
JH		 4063 if (cmd_len < sizeof(*req))
4064 return -EPROTO;
4065
1da177e4
LT		 4066 dcid = __le16_to_cpu(req->dcid);
4067 flags = __le16_to_cpu(req->flags);
4068
4069 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4070
baa7e1fa 4071 chan = l2cap_get_chan_by_scid(conn, dcid);
662d652d
JH		 4072 if (!chan) {
4073 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4074 return 0;
4075 }
1da177e4 4076
033b1142 4077 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
662d652d
JH		 4078 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4079 chan->dcid);
354f60a9 4080 goto unlock;
df6bd743 4081 }
354f60a9 4082
5dee9e7c 4083 /* Reject if config buffer is too small. */
88219a0f 4084 len = cmd_len - sizeof(*req);
cb3b3152 4085 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 4086 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4087 l2cap_build_conf_rsp(chan, rsp,
4088 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 4089 goto unlock;
4090 }
4091
4092 /* Store config. */
73ffa904
GP		 4093 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4094 chan->conf_len += len;
1da177e4 4095
59e54bd1 4096 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4097 /* Incomplete config. Send empty response. */
4098 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4099 l2cap_build_conf_rsp(chan, rsp,
4100 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4101 goto unlock;
4102 }
4103
4104 /* Complete config. */
73ffa904 4105 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4106 if (len < 0) {
5e4e3972 4107 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4108 goto unlock;
f2fcfcd6 4109 }
1da177e4 4110
1500109b 4111 chan->ident = cmd->ident;
5dee9e7c 4112 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4113 chan->num_conf_rsp++;
5dee9e7c 4114
5dee9e7c 4115 /* Reset config buffer. */
73ffa904 4116 chan->conf_len = 0;
5dee9e7c 4117
c1360a1c 4118 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4119 goto unlock;
4120
c1360a1c 4121 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4122 set_default_fcs(chan);
fcc203c3 4123
105bdf9e
MM		 4124 if (chan->mode == L2CAP_MODE_ERTM ||
4125 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4126 err = l2cap_ertm_init(chan);
4127
4128 if (err < 0)
5e4e3972 4129 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4130 else
4131 l2cap_chan_ready(chan);
0565c1c2 4132
876d9484
MH		 4133 goto unlock;
4134 }
4135
c1360a1c 4136 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4137 u8 buf[64];
1da177e4 4138 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4139 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4140 chan->num_conf_req++;
1da177e4
LT		 4141 }
4142
0e8b207e
AE		 4143 /* Got Conf Rsp PENDING from remote side and asume we sent
4144 Conf Rsp PENDING in the code above */
4145 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4146 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4147
4148 /* check compatibility */
4149
79de886d 4150 /* Send rsp for BR/EDR channel */
f351bc72 4151 if (!chan->hs_hcon)
79de886d
AE		 4152 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4153 else
4154 chan->ident = cmd->ident;
0e8b207e
AE		 4155 }
4156
1da177e4 4157unlock:
6be36555 4158 l2cap_chan_unlock(chan);
3c588192 4159 return err;
1da177e4
LT		 4160}
4161
2d792818 4162static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4163 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4164 u8 *data)
1da177e4
LT		 4165{
4166 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4167 u16 scid, flags, result;
48454079 4168 struct l2cap_chan *chan;
cb3b3152 4169 int len = cmd_len - sizeof(*rsp);
3c588192 4170 int err = 0;
1da177e4 4171
cb3b3152
JH		 4172 if (cmd_len < sizeof(*rsp))
4173 return -EPROTO;
4174
1da177e4
LT		 4175 scid = __le16_to_cpu(rsp->scid);
4176 flags = __le16_to_cpu(rsp->flags);
4177 result = __le16_to_cpu(rsp->result);
4178
61386cba
AE		 4179 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4180 result, len);
1da177e4 4181
baa7e1fa 4182 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4183 if (!chan)
1da177e4
LT		 4184 return 0;
4185
4186 switch (result) {
4187 case L2CAP_CONF_SUCCESS:
47d1ec61 4188 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4189 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4190 break;
4191
0e8b207e
AE		 4192 case L2CAP_CONF_PENDING:
4193 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4194
4195 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4196 char buf[64];
4197
4198 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4199 buf, &result);
0e8b207e 4200 if (len < 0) {
5e4e3972 4201 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4202 goto done;
4203 }
4204
f351bc72 4205 if (!chan->hs_hcon) {
79de886d
AE		 4206 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4207 0);
5ce66b59
AE		 4208 } else {
4209 if (l2cap_check_efs(chan)) {
4210 amp_create_logical_link(chan);
4211 chan->ident = cmd->ident;
4212 }
4213 }
0e8b207e
AE		 4214 }
4215 goto done;
4216
1da177e4 4217 case L2CAP_CONF_UNACCEPT:
73ffa904 4218 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4219 char req[64];
4220
c2c77ec8 4221 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4222 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4223 goto done;
4224 }
4225
f2fcfcd6
GP		 4226 /* throw out any old stored conf requests */
4227 result = L2CAP_CONF_SUCCESS;
b4450035 4228 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4229 req, &result);
f2fcfcd6 4230 if (len < 0) {
5e4e3972 4231 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4232 goto done;
4233 }
4234
4235 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4236 L2CAP_CONF_REQ, len, req);
73ffa904 4237 chan->num_conf_req++;
f2fcfcd6
GP		 4238 if (result != L2CAP_CONF_SUCCESS)
4239 goto done;
4240 break;
1da177e4
LT		 4241 }
4242
8e87d142 4243 default:
6be36555 4244 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4245
ba13ccd9 4246 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4247 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4248 goto done;
4249 }
4250
59e54bd1 4251 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4252 goto done;
4253
c1360a1c 4254 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4255
c1360a1c 4256 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4257 set_default_fcs(chan);
fcc203c3 4258
105bdf9e
MM		 4259 if (chan->mode == L2CAP_MODE_ERTM ||
4260 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4261 err = l2cap_ertm_init(chan);
0565c1c2 4262
3c588192 4263 if (err < 0)
5e4e3972 4264 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4265 else
4266 l2cap_chan_ready(chan);
1da177e4
LT		 4267 }
4268
4269done:
6be36555 4270 l2cap_chan_unlock(chan);
3c588192 4271 return err;
1da177e4
LT		 4272}
4273
2d792818 4274static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4275 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4276 u8 *data)
1da177e4
LT		 4277{
4278 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4279 struct l2cap_disconn_rsp rsp;
4280 u16 dcid, scid;
48454079 4281 struct l2cap_chan *chan;
1da177e4 4282
cb3b3152
JH		 4283 if (cmd_len != sizeof(*req))
4284 return -EPROTO;
4285
1da177e4
LT		 4286 scid = __le16_to_cpu(req->scid);
4287 dcid = __le16_to_cpu(req->dcid);
4288
4289 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4290
3df91ea2
AE		 4291 mutex_lock(&conn->chan_lock);
4292
4293 chan = __l2cap_get_chan_by_scid(conn, dcid);
4294 if (!chan) {
4295 mutex_unlock(&conn->chan_lock);
662d652d
JH		 4296 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4297 return 0;
3df91ea2 4298 }
1da177e4 4299
6be36555
AE		 4300 l2cap_chan_lock(chan);
4301
fe4128e0
GP		 4302 rsp.dcid = cpu_to_le16(chan->scid);
4303 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4304 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4305
5ec1bbe5 4306 chan->ops->set_shutdown(chan);
1da177e4 4307
61d6ef3e 4308 l2cap_chan_hold(chan);
48454079 4309 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4310
4311 l2cap_chan_unlock(chan);
1da177e4 4312
80b98027 4313 chan->ops->close(chan);
61d6ef3e 4314 l2cap_chan_put(chan);
3df91ea2
AE		 4315
4316 mutex_unlock(&conn->chan_lock);
4317
1da177e4
LT		 4318 return 0;
4319}
4320
2d792818 4321static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4322 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4323 u8 *data)
1da177e4
LT		 4324{
4325 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4326 u16 dcid, scid;
48454079 4327 struct l2cap_chan *chan;
1da177e4 4328
cb3b3152
JH		 4329 if (cmd_len != sizeof(*rsp))
4330 return -EPROTO;
4331
1da177e4
LT		 4332 scid = __le16_to_cpu(rsp->scid);
4333 dcid = __le16_to_cpu(rsp->dcid);
4334
4335 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4336
3df91ea2
AE		 4337 mutex_lock(&conn->chan_lock);
4338
4339 chan = __l2cap_get_chan_by_scid(conn, scid);
4340 if (!chan) {
4341 mutex_unlock(&conn->chan_lock);
1da177e4 4342 return 0;
3df91ea2 4343 }
1da177e4 4344
6be36555 4345 l2cap_chan_lock(chan);
48454079 4346
61d6ef3e 4347 l2cap_chan_hold(chan);
48454079 4348 l2cap_chan_del(chan, 0);
6be36555
AE		 4349
4350 l2cap_chan_unlock(chan);
1da177e4 4351
80b98027 4352 chan->ops->close(chan);
61d6ef3e 4353 l2cap_chan_put(chan);
3df91ea2
AE		 4354
4355 mutex_unlock(&conn->chan_lock);
4356
1da177e4
LT		 4357 return 0;
4358}
4359
2d792818 4360static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4361 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4362 u8 *data)
1da177e4
LT		 4363{
4364 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4365 u16 type;
4366
cb3b3152
JH		 4367 if (cmd_len != sizeof(*req))
4368 return -EPROTO;
4369
1da177e4
LT		 4370 type = __le16_to_cpu(req->type);
4371
4372 BT_DBG("type 0x%4.4x", type);
4373
f0709e03
MH		 4374 if (type == L2CAP_IT_FEAT_MASK) {
4375 u8 buf[8];
44dd46de 4376 u32 feat_mask = l2cap_feat_mask;
f0709e03 4377 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
dcf4adbf
JP		 4378 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4379 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4380 if (!disable_ertm)
fcc203c3 4381 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4382 | L2CAP_FEAT_FCS;
848566b3 4383 if (conn->hs_enabled)
6327eb98 4384 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4385 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4386
1b7bf4ed 4387 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4388 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4389 buf);
e1027a7c
MH		 4390 } else if (type == L2CAP_IT_FIXED_CHAN) {
4391 u8 buf[12];
4392 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd 4393
848566b3 4394 if (conn->hs_enabled)
50a147cd
MM		 4395 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4396 else
4397 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4398
dcf4adbf
JP		 4399 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4400 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4401 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4402 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4403 buf);
f0709e03
MH		 4404 } else {
4405 struct l2cap_info_rsp rsp;
4406 rsp.type = cpu_to_le16(type);
dcf4adbf 4407 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4408 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4409 &rsp);
f0709e03 4410 }
1da177e4
LT		 4411
4412 return 0;
4413}
4414
2d792818 4415static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4416 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4417 u8 *data)
1da177e4
LT		 4418{
4419 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4420 u16 type, result;
4421
3f6fa3d4 4422 if (cmd_len < sizeof(*rsp))
cb3b3152
JH		 4423 return -EPROTO;
4424
1da177e4
LT		 4425 type = __le16_to_cpu(rsp->type);
4426 result = __le16_to_cpu(rsp->result);
4427
4428 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4429
e90165be
AE		 4430 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4431 if (cmd->ident != conn->info_ident ||
2d792818 4432 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4433 return 0;
4434
17cd3f37 4435 cancel_delayed_work(&conn->info_timer);
4e8402a3 4436
adb08ede
VT		 4437 if (result != L2CAP_IR_SUCCESS) {
4438 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4439 conn->info_ident = 0;
4440
4441 l2cap_conn_start(conn);
4442
4443 return 0;
4444 }
4445
978c93b9
AE		 4446 switch (type) {
4447 case L2CAP_IT_FEAT_MASK:
83985319 4448 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4449
47ec1dcd 4450 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4451 struct l2cap_info_req req;
dcf4adbf 4452 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4453
4454 conn->info_ident = l2cap_get_ident(conn);
4455
4456 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4457 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4458 } else {
4459 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4460 conn->info_ident = 0;
4461
4462 l2cap_conn_start(conn);
4463 }
978c93b9
AE		 4464 break;
4465
4466 case L2CAP_IT_FIXED_CHAN:
4467 conn->fixed_chan_mask = rsp->data[0];
984947dc 4468 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4469 conn->info_ident = 0;
984947dc
MH		 4470
4471 l2cap_conn_start(conn);
978c93b9 4472 break;
984947dc 4473 }
4e8402a3 4474
1da177e4
LT		 4475 return 0;
4476}
4477
1700915f
MM		 4478static int l2cap_create_channel_req(struct l2cap_conn *conn,
4479 struct l2cap_cmd_hdr *cmd,
4480 u16 cmd_len, void *data)
f94ff6ff
MM		 4481{
4482 struct l2cap_create_chan_req *req = data;
6e1df6a6 4483 struct l2cap_create_chan_rsp rsp;
1700915f 4484 struct l2cap_chan *chan;
6e1df6a6 4485 struct hci_dev *hdev;
f94ff6ff
MM		 4486 u16 psm, scid;
4487
4488 if (cmd_len != sizeof(*req))
4489 return -EPROTO;
4490
848566b3 4491 if (!conn->hs_enabled)
f94ff6ff
MM		 4492 return -EINVAL;
4493
4494 psm = le16_to_cpu(req->psm);
4495 scid = le16_to_cpu(req->scid);
4496
ad0ac6ca 4497 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4498
6e1df6a6 4499 /* For controller id 0 make BR/EDR connection */
6ed971ca 4500 if (req->amp_id == AMP_ID_BREDR) {
6e1df6a6
AE		 4501 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4502 req->amp_id);
4503 return 0;
4504 }
1700915f 4505
6e1df6a6
AE		 4506 /* Validate AMP controller id */
4507 hdev = hci_dev_get(req->amp_id);
4508 if (!hdev)
4509 goto error;
1700915f 4510
6e1df6a6
AE		 4511 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4512 hci_dev_put(hdev);
4513 goto error;
4514 }
1700915f 4515
6e1df6a6
AE		 4516 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4517 req->amp_id);
4518 if (chan) {
4519 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4520 struct hci_conn *hs_hcon;
1700915f 4521
98e0f7ea
MH		 4522 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4523 &conn->hcon->dst);
6e1df6a6
AE		 4524 if (!hs_hcon) {
4525 hci_dev_put(hdev);
662d652d
JH		 4526 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4527 chan->dcid);
4528 return 0;
1700915f
MM		 4529 }
4530
6e1df6a6
AE		 4531 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4532
6e1df6a6
AE		 4533 mgr->bredr_chan = chan;
4534 chan->hs_hcon = hs_hcon;
fd45bf4c 4535 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4536 conn->mtu = hdev->block_mtu;
1700915f 4537 }
f94ff6ff 4538
6e1df6a6 4539 hci_dev_put(hdev);
f94ff6ff
MM		 4540
4541 return 0;
6e1df6a6
AE		 4542
4543error:
4544 rsp.dcid = 0;
4545 rsp.scid = cpu_to_le16(scid);
dcf4adbf
JP		 4546 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4547 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
6e1df6a6
AE		 4548
4549 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4550 sizeof(rsp), &rsp);
4551
dc280801 4552 return 0;
f94ff6ff
MM		 4553}
4554
8eb200bd
MM		 4555static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4556{
4557 struct l2cap_move_chan_req req;
4558 u8 ident;
4559
4560 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4561
4562 ident = l2cap_get_ident(chan->conn);
4563 chan->ident = ident;
4564
4565 req.icid = cpu_to_le16(chan->scid);
4566 req.dest_amp_id = dest_amp_id;
4567
4568 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4569 &req);
4570
4571 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4572}
4573
1500109b 4574static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4575{
4576 struct l2cap_move_chan_rsp rsp;
4577
1500109b 4578 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4579
1500109b 4580 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4581 rsp.result = cpu_to_le16(result);
4582
1500109b
MM		 4583 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4584 sizeof(rsp), &rsp);
8d5a04a1
MM		 4585}
4586
5b155ef9 4587static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4588{
4589 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4590
5b155ef9 4591 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4592
5b155ef9 4593 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4594
5b155ef9 4595 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4596 cfm.result = cpu_to_le16(result);
4597
5b155ef9
MM		 4598 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4599 sizeof(cfm), &cfm);
4600
4601 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4602}
4603
4604static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4605{
4606 struct l2cap_move_chan_cfm cfm;
4607
4608 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4609
4610 cfm.icid = cpu_to_le16(icid);
dcf4adbf 4611 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
5b155ef9
MM		 4612
4613 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4614 sizeof(cfm), &cfm);
8d5a04a1
MM		 4615}
4616
4617static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4618 u16 icid)
8d5a04a1
MM		 4619{
4620 struct l2cap_move_chan_cfm_rsp rsp;
4621
ad0ac6ca 4622 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4623
4624 rsp.icid = cpu_to_le16(icid);
4625 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4626}
4627
5f3847a4
MM		 4628static void __release_logical_link(struct l2cap_chan *chan)
4629{
4630 chan->hs_hchan = NULL;
4631 chan->hs_hcon = NULL;
4632
4633 /* Placeholder - release the logical link */
4634}
4635
1500109b
MM		 4636static void l2cap_logical_fail(struct l2cap_chan *chan)
4637{
4638 /* Logical link setup failed */
4639 if (chan->state != BT_CONNECTED) {
4640 /* Create channel failure, disconnect */
5e4e3972 4641 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4642 return;
4643 }
4644
4645 switch (chan->move_role) {
4646 case L2CAP_MOVE_ROLE_RESPONDER:
4647 l2cap_move_done(chan);
4648 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4649 break;
4650 case L2CAP_MOVE_ROLE_INITIATOR:
4651 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4652 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4653 /* Remote has only sent pending or
4654 * success responses, clean up
4655 */
4656 l2cap_move_done(chan);
4657 }
4658
4659 /* Other amp move states imply that the move
4660 * has already aborted
4661 */
4662 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4663 break;
4664 }
4665}
4666
4667static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4668 struct hci_chan *hchan)
4669{
4670 struct l2cap_conf_rsp rsp;
1500109b 4671
336178a3 4672 chan->hs_hchan = hchan;
1500109b
MM		 4673 chan->hs_hcon->l2cap_data = chan->conn;
4674
35ba9561 4675 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4676
4677 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4678 int err;
1500109b
MM		 4679
4680 set_default_fcs(chan);
4681
4682 err = l2cap_ertm_init(chan);
4683 if (err < 0)
5e4e3972 4684 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4685 else
4686 l2cap_chan_ready(chan);
4687 }
4688}
4689
4690static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4691 struct hci_chan *hchan)
4692{
4693 chan->hs_hcon = hchan->conn;
4694 chan->hs_hcon->l2cap_data = chan->conn;
4695
4696 BT_DBG("move_state %d", chan->move_state);
4697
4698 switch (chan->move_state) {
4699 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4700 /* Move confirm will be sent after a success
4701 * response is received
4702 */
4703 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4704 break;
4705 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4706 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4707 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4708 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4709 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4710 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4711 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4712 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4713 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4714 }
4715 break;
4716 default:
4717 /* Move was not in expected state, free the channel */
4718 __release_logical_link(chan);
4719
4720 chan->move_state = L2CAP_MOVE_STABLE;
4721 }
4722}
4723
4724/* Call with chan locked */
27695fb4
AE		 4725void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4726 u8 status)
5b155ef9 4727{
1500109b
MM		 4728 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4729
4730 if (status) {
4731 l2cap_logical_fail(chan);
4732 __release_logical_link(chan);
4733 return;
4734 }
4735
4736 if (chan->state != BT_CONNECTED) {
4737 /* Ignore logical link if channel is on BR/EDR */
6ed971ca 4738 if (chan->local_amp_id != AMP_ID_BREDR)
1500109b
MM		 4739 l2cap_logical_finish_create(chan, hchan);
4740 } else {
4741 l2cap_logical_finish_move(chan, hchan);
4742 }
5b155ef9
MM		 4743}
4744
3f7a56c4
MM		 4745void l2cap_move_start(struct l2cap_chan *chan)
4746{
4747 BT_DBG("chan %p", chan);
4748
6ed971ca 4749 if (chan->local_amp_id == AMP_ID_BREDR) {
3f7a56c4
MM		 4750 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4751 return;
4752 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4753 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4754 /* Placeholder - start physical link setup */
4755 } else {
4756 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4757 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4758 chan->move_id = 0;
4759 l2cap_move_setup(chan);
4760 l2cap_send_move_chan_req(chan, 0);
4761 }
4762}
4763
8eb200bd
MM		 4764static void l2cap_do_create(struct l2cap_chan *chan, int result,
4765 u8 local_amp_id, u8 remote_amp_id)
4766{
62748ca1
AE		 4767 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4768 local_amp_id, remote_amp_id);
4769
12d6cc60
AE		 4770 chan->fcs = L2CAP_FCS_NONE;
4771
62748ca1
AE		 4772 /* Outgoing channel on AMP */
4773 if (chan->state == BT_CONNECT) {
4774 if (result == L2CAP_CR_SUCCESS) {
4775 chan->local_amp_id = local_amp_id;
4776 l2cap_send_create_chan_req(chan, remote_amp_id);
4777 } else {
4778 /* Revert to BR/EDR connect */
4779 l2cap_send_conn_req(chan);
4780 }
4781
4782 return;
4783 }
4784
4785 /* Incoming channel on AMP */
4786 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4787 struct l2cap_conn_rsp rsp;
4788 char buf[128];
4789 rsp.scid = cpu_to_le16(chan->dcid);
4790 rsp.dcid = cpu_to_le16(chan->scid);
4791
8eb200bd
MM		 4792 if (result == L2CAP_CR_SUCCESS) {
4793 /* Send successful response */
dcf4adbf
JP		 4794 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4795 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4796 } else {
4797 /* Send negative response */
dcf4adbf
JP		 4798 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4799 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4800 }
4801
4802 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4803 sizeof(rsp), &rsp);
4804
4805 if (result == L2CAP_CR_SUCCESS) {
f93fa273 4806 l2cap_state_change(chan, BT_CONFIG);
8eb200bd
MM		 4807 set_bit(CONF_REQ_SENT, &chan->conf_state);
4808 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4809 L2CAP_CONF_REQ,
4810 l2cap_build_conf_req(chan, buf), buf);
4811 chan->num_conf_req++;
4812 }
8eb200bd
MM		 4813 }
4814}
4815
4816static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4817 u8 remote_amp_id)
4818{
4819 l2cap_move_setup(chan);
4820 chan->move_id = local_amp_id;
4821 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4822
4823 l2cap_send_move_chan_req(chan, remote_amp_id);
4824}
4825
4826static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4827{
4828 struct hci_chan *hchan = NULL;
4829
4830 /* Placeholder - get hci_chan for logical link */
4831
4832 if (hchan) {
4833 if (hchan->state == BT_CONNECTED) {
4834 /* Logical link is ready to go */
4835 chan->hs_hcon = hchan->conn;
4836 chan->hs_hcon->l2cap_data = chan->conn;
4837 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4838 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4839
4840 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4841 } else {
4842 /* Wait for logical link to be ready */
4843 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4844 }
4845 } else {
4846 /* Logical link not available */
4847 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4848 }
4849}
4850
4851static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4852{
4853 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4854 u8 rsp_result;
4855 if (result == -EINVAL)
4856 rsp_result = L2CAP_MR_BAD_ID;
4857 else
4858 rsp_result = L2CAP_MR_NOT_ALLOWED;
4859
4860 l2cap_send_move_chan_rsp(chan, rsp_result);
4861 }
4862
4863 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4864 chan->move_state = L2CAP_MOVE_STABLE;
4865
4866 /* Restart data transmission */
4867 l2cap_ertm_send(chan);
4868}
4869
a514b17f
AE		 4870/* Invoke with locked chan */
4871void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4872{
770bfefa 4873 u8 local_amp_id = chan->local_amp_id;
fffadc08 4874 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4875
8eb200bd
MM		 4876 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4877 chan, result, local_amp_id, remote_amp_id);
4878
8eb200bd
MM		 4879 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4880 l2cap_chan_unlock(chan);
4881 return;
4882 }
4883
4884 if (chan->state != BT_CONNECTED) {
4885 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4886 } else if (result != L2CAP_MR_SUCCESS) {
4887 l2cap_do_move_cancel(chan, result);
4888 } else {
4889 switch (chan->move_role) {
4890 case L2CAP_MOVE_ROLE_INITIATOR:
4891 l2cap_do_move_initiate(chan, local_amp_id,
4892 remote_amp_id);
4893 break;
4894 case L2CAP_MOVE_ROLE_RESPONDER:
4895 l2cap_do_move_respond(chan, result);
4896 break;
4897 default:
4898 l2cap_do_move_cancel(chan, result);
4899 break;
4900 }
4901 }
8eb200bd
MM		 4902}
4903
8d5a04a1 4904static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4905 struct l2cap_cmd_hdr *cmd,
4906 u16 cmd_len, void *data)
8d5a04a1
MM		 4907{
4908 struct l2cap_move_chan_req *req = data;
1500109b 4909 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4910 struct l2cap_chan *chan;
8d5a04a1
MM		 4911 u16 icid = 0;
4912 u16 result = L2CAP_MR_NOT_ALLOWED;
4913
4914 if (cmd_len != sizeof(*req))
4915 return -EPROTO;
4916
4917 icid = le16_to_cpu(req->icid);
4918
ad0ac6ca 4919 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1 4920
848566b3 4921 if (!conn->hs_enabled)
8d5a04a1
MM		 4922 return -EINVAL;
4923
02b0fbb9
MM		 4924 chan = l2cap_get_chan_by_dcid(conn, icid);
4925 if (!chan) {
1500109b 4926 rsp.icid = cpu_to_le16(icid);
dcf4adbf 4927 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
1500109b
MM		 4928 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4929 sizeof(rsp), &rsp);
02b0fbb9
MM		 4930 return 0;
4931 }
4932
1500109b
MM		 4933 chan->ident = cmd->ident;
4934
02b0fbb9
MM		 4935 if (chan->scid < L2CAP_CID_DYN_START ||
4936 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4937 (chan->mode != L2CAP_MODE_ERTM &&
4938 chan->mode != L2CAP_MODE_STREAMING)) {
4939 result = L2CAP_MR_NOT_ALLOWED;
4940 goto send_move_response;
4941 }
4942
4943 if (chan->local_amp_id == req->dest_amp_id) {
4944 result = L2CAP_MR_SAME_ID;
4945 goto send_move_response;
4946 }
4947
6ed971ca 4948 if (req->dest_amp_id != AMP_ID_BREDR) {
02b0fbb9
MM		 4949 struct hci_dev *hdev;
4950 hdev = hci_dev_get(req->dest_amp_id);
4951 if (!hdev || hdev->dev_type != HCI_AMP ||
4952 !test_bit(HCI_UP, &hdev->flags)) {
4953 if (hdev)
4954 hci_dev_put(hdev);
4955
4956 result = L2CAP_MR_BAD_ID;
4957 goto send_move_response;
4958 }
4959 hci_dev_put(hdev);
4960 }
4961
4962 /* Detect a move collision. Only send a collision response
4963 * if this side has "lost", otherwise proceed with the move.
4964 * The winner has the larger bd_addr.
4965 */
4966 if ((__chan_is_moving(chan) ||
4967 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
6f59b904 4968 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
02b0fbb9
MM		 4969 result = L2CAP_MR_COLLISION;
4970 goto send_move_response;
4971 }
4972
02b0fbb9
MM		 4973 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4974 l2cap_move_setup(chan);
4975 chan->move_id = req->dest_amp_id;
4976 icid = chan->dcid;
4977
6ed971ca 4978 if (req->dest_amp_id == AMP_ID_BREDR) {
02b0fbb9
MM		 4979 /* Moving to BR/EDR */
4980 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4981 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4982 result = L2CAP_MR_PEND;
4983 } else {
4984 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4985 result = L2CAP_MR_SUCCESS;
4986 }
4987 } else {
4988 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4989 /* Placeholder - uncomment when amp functions are available */
4990 /*amp_accept_physical(chan, req->dest_amp_id);*/
4991 result = L2CAP_MR_PEND;
4992 }
4993
4994send_move_response:
1500109b 4995 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4996
02b0fbb9
MM		 4997 l2cap_chan_unlock(chan);
4998
8d5a04a1
MM		 4999 return 0;
5000}
5001
5b155ef9
MM		 5002static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5003{
5004 struct l2cap_chan *chan;
5005 struct hci_chan *hchan = NULL;
5006
5007 chan = l2cap_get_chan_by_scid(conn, icid);
5008 if (!chan) {
5009 l2cap_send_move_chan_cfm_icid(conn, icid);
5010 return;
5011 }
5012
5013 __clear_chan_timer(chan);
5014 if (result == L2CAP_MR_PEND)
5015 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5016
5017 switch (chan->move_state) {
5018 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5019 /* Move confirm will be sent when logical link
5020 * is complete.
5021 */
5022 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5023 break;
5024 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5025 if (result == L2CAP_MR_PEND) {
5026 break;
5027 } else if (test_bit(CONN_LOCAL_BUSY,
5028 &chan->conn_state)) {
5029 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5030 } else {
5031 /* Logical link is up or moving to BR/EDR,
5032 * proceed with move
5033 */
5034 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5035 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5036 }
5037 break;
5038 case L2CAP_MOVE_WAIT_RSP:
5039 /* Moving to AMP */
5040 if (result == L2CAP_MR_SUCCESS) {
5041 /* Remote is ready, send confirm immediately
5042 * after logical link is ready
5043 */
5044 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5045 } else {
5046 /* Both logical link and move success
5047 * are required to confirm
5048 */
5049 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5050 }
5051
5052 /* Placeholder - get hci_chan for logical link */
5053 if (!hchan) {
5054 /* Logical link not available */
5055 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5056 break;
5057 }
5058
5059 /* If the logical link is not yet connected, do not
5060 * send confirmation.
5061 */
5062 if (hchan->state != BT_CONNECTED)
5063 break;
5064
5065 /* Logical link is already ready to go */
5066
5067 chan->hs_hcon = hchan->conn;
5068 chan->hs_hcon->l2cap_data = chan->conn;
5069
5070 if (result == L2CAP_MR_SUCCESS) {
5071 /* Can confirm now */
5072 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5073 } else {
5074 /* Now only need move success
5075 * to confirm
5076 */
5077 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5078 }
5079
5080 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5081 break;
5082 default:
5083 /* Any other amp move state means the move failed. */
5084 chan->move_id = chan->local_amp_id;
5085 l2cap_move_done(chan);
5086 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5087 }
5088
5089 l2cap_chan_unlock(chan);
5090}
5091
5092static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5093 u16 result)
5094{
5095 struct l2cap_chan *chan;
5096
5097 chan = l2cap_get_chan_by_ident(conn, ident);
5098 if (!chan) {
5099 /* Could not locate channel, icid is best guess */
5100 l2cap_send_move_chan_cfm_icid(conn, icid);
5101 return;
5102 }
5103
5104 __clear_chan_timer(chan);
5105
5106 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5107 if (result == L2CAP_MR_COLLISION) {
5108 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5109 } else {
5110 /* Cleanup - cancel move */
5111 chan->move_id = chan->local_amp_id;
5112 l2cap_move_done(chan);
5113 }
5114 }
5115
5116 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5117
5118 l2cap_chan_unlock(chan);
5119}
5120
5121static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5122 struct l2cap_cmd_hdr *cmd,
5123 u16 cmd_len, void *data)
8d5a04a1
MM		 5124{
5125 struct l2cap_move_chan_rsp *rsp = data;
5126 u16 icid, result;
5127
5128 if (cmd_len != sizeof(*rsp))
5129 return -EPROTO;
5130
5131 icid = le16_to_cpu(rsp->icid);
5132 result = le16_to_cpu(rsp->result);
5133
ad0ac6ca 5134 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5135
5b155ef9
MM		 5136 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5137 l2cap_move_continue(conn, icid, result);
5138 else
5139 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5140
5141 return 0;
5142}
5143
5f3847a4
MM		 5144static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5145 struct l2cap_cmd_hdr *cmd,
5146 u16 cmd_len, void *data)
8d5a04a1
MM		 5147{
5148 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5149 struct l2cap_chan *chan;
8d5a04a1
MM		 5150 u16 icid, result;
5151
5152 if (cmd_len != sizeof(*cfm))
5153 return -EPROTO;
5154
5155 icid = le16_to_cpu(cfm->icid);
5156 result = le16_to_cpu(cfm->result);
5157
ad0ac6ca 5158 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5159
5f3847a4
MM		 5160 chan = l2cap_get_chan_by_dcid(conn, icid);
5161 if (!chan) {
5162 /* Spec requires a response even if the icid was not found */
5163 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5164 return 0;
5165 }
5166
5167 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5168 if (result == L2CAP_MC_CONFIRMED) {
5169 chan->local_amp_id = chan->move_id;
6ed971ca 5170 if (chan->local_amp_id == AMP_ID_BREDR)
5f3847a4
MM		 5171 __release_logical_link(chan);
5172 } else {
5173 chan->move_id = chan->local_amp_id;
5174 }
5175
5176 l2cap_move_done(chan);
5177 }
5178
8d5a04a1
MM		 5179 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5180
5f3847a4
MM		 5181 l2cap_chan_unlock(chan);
5182
8d5a04a1
MM		 5183 return 0;
5184}
5185
5186static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5187 struct l2cap_cmd_hdr *cmd,
5188 u16 cmd_len, void *data)
8d5a04a1
MM		 5189{
5190 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5191 struct l2cap_chan *chan;
8d5a04a1
MM		 5192 u16 icid;
5193
5194 if (cmd_len != sizeof(*rsp))
5195 return -EPROTO;
5196
5197 icid = le16_to_cpu(rsp->icid);
5198
ad0ac6ca 5199 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5200
3fd71a0a
MM		 5201 chan = l2cap_get_chan_by_scid(conn, icid);
5202 if (!chan)
5203 return 0;
5204
5205 __clear_chan_timer(chan);
5206
5207 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5208 chan->local_amp_id = chan->move_id;
5209
6ed971ca 5210 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
3fd71a0a
MM		 5211 __release_logical_link(chan);
5212
5213 l2cap_move_done(chan);
5214 }
5215
5216 l2cap_chan_unlock(chan);
5217
8d5a04a1
MM		 5218 return 0;
5219}
5220
de73115a 5221static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818 5222 struct l2cap_cmd_hdr *cmd,
203e639e 5223 u16 cmd_len, u8 *data)
de73115a
CT		 5224{
5225 struct hci_conn *hcon = conn->hcon;
5226 struct l2cap_conn_param_update_req *req;
5227 struct l2cap_conn_param_update_rsp rsp;
203e639e 5228 u16 min, max, latency, to_multiplier;
2ce603eb 5229 int err;
de73115a 5230
40bef302 5231 if (hcon->role != HCI_ROLE_MASTER)
de73115a
CT		 5232 return -EINVAL;
5233
de73115a
CT		 5234 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5235 return -EPROTO;
5236
5237 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5238 min = __le16_to_cpu(req->min);
5239 max = __le16_to_cpu(req->max);
de73115a
CT		 5240 latency = __le16_to_cpu(req->latency);
5241 to_multiplier = __le16_to_cpu(req->to_multiplier);
5242
5243 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5244 min, max, latency, to_multiplier);
de73115a
CT		 5245
5246 memset(&rsp, 0, sizeof(rsp));
2ce603eb 5247
d4905f24 5248 err = hci_check_conn_params(min, max, latency, to_multiplier);
2ce603eb 5249 if (err)
dcf4adbf 5250 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5251 else
dcf4adbf 5252 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5253
5254 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5255 sizeof(rsp), &rsp);
de73115a 5256
ffb5a827 5257 if (!err) {
f4869e2a
JH		 5258 u8 store_hint;
5259
5260 store_hint = hci_le_conn_update(hcon, min, max, latency,
5261 to_multiplier);
ffb5a827 5262 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
f4869e2a
JH		 5263 store_hint, min, max, latency,
5264 to_multiplier);
ffb5a827 5265
ffb5a827 5266 }
2ce603eb 5267
de73115a
CT		 5268 return 0;
5269}
5270
f1496dee
JH		 5271static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5272 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5273 u8 *data)
5274{
5275 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5276 u16 dcid, mtu, mps, credits, result;
5277 struct l2cap_chan *chan;
5278 int err;
5279
5280 if (cmd_len < sizeof(*rsp))
5281 return -EPROTO;
5282
5283 dcid = __le16_to_cpu(rsp->dcid);
5284 mtu = __le16_to_cpu(rsp->mtu);
5285 mps = __le16_to_cpu(rsp->mps);
5286 credits = __le16_to_cpu(rsp->credits);
5287 result = __le16_to_cpu(rsp->result);
5288
5289 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5290 return -EPROTO;
5291
5292 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5293 dcid, mtu, mps, credits, result);
5294
5295 mutex_lock(&conn->chan_lock);
5296
5297 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5298 if (!chan) {
5299 err = -EBADSLT;
5300 goto unlock;
5301 }
5302
5303 err = 0;
5304
5305 l2cap_chan_lock(chan);
5306
5307 switch (result) {
5308 case L2CAP_CR_SUCCESS:
5309 chan->ident = 0;
5310 chan->dcid = dcid;
5311 chan->omtu = mtu;
5312 chan->remote_mps = mps;
0cd75f7e 5313 chan->tx_credits = credits;
f1496dee
JH		 5314 l2cap_chan_ready(chan);
5315 break;
5316
5317 default:
5318 l2cap_chan_del(chan, ECONNREFUSED);
5319 break;
5320 }
5321
5322 l2cap_chan_unlock(chan);
5323
5324unlock:
5325 mutex_unlock(&conn->chan_lock);
5326
5327 return err;
5328}
5329
3300d9a9 5330static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5331 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5332 u8 *data)
3300d9a9
CT		 5333{
5334 int err = 0;
5335
5336 switch (cmd->code) {
5337 case L2CAP_COMMAND_REJ:
cb3b3152 5338 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5339 break;
5340
5341 case L2CAP_CONN_REQ:
cb3b3152 5342 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5343 break;
5344
5345 case L2CAP_CONN_RSP:
f5a2598d 5346 case L2CAP_CREATE_CHAN_RSP:
9245e737 5347 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5348 break;
5349
5350 case L2CAP_CONF_REQ:
5351 err = l2cap_config_req(conn, cmd, cmd_len, data);
5352 break;
5353
5354 case L2CAP_CONF_RSP:
9245e737 5355 l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5356 break;
5357
5358 case L2CAP_DISCONN_REQ:
cb3b3152 5359 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5360 break;
5361
5362 case L2CAP_DISCONN_RSP:
9245e737 5363 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5364 break;
5365
5366 case L2CAP_ECHO_REQ:
5367 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5368 break;
5369
5370 case L2CAP_ECHO_RSP:
5371 break;
5372
5373 case L2CAP_INFO_REQ:
cb3b3152 5374 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5375 break;
5376
5377 case L2CAP_INFO_RSP:
9245e737 5378 l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5379 break;
5380
f94ff6ff
MM		 5381 case L2CAP_CREATE_CHAN_REQ:
5382 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5383 break;
5384
8d5a04a1
MM		 5385 case L2CAP_MOVE_CHAN_REQ:
5386 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5387 break;
5388
5389 case L2CAP_MOVE_CHAN_RSP:
9245e737 5390 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5391 break;
5392
5393 case L2CAP_MOVE_CHAN_CFM:
5394 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5395 break;
5396
5397 case L2CAP_MOVE_CHAN_CFM_RSP:
9245e737 5398 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
8d5a04a1
MM		 5399 break;
5400
3300d9a9
CT		 5401 default:
5402 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5403 err = -EINVAL;
5404 break;
5405 }
5406
5407 return err;
5408}
5409
27e2d4c8
JH		 5410static int l2cap_le_connect_req(struct l2cap_conn *conn,
5411 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5412 u8 *data)
5413{
5414 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5415 struct l2cap_le_conn_rsp rsp;
5416 struct l2cap_chan *chan, *pchan;
0cd75f7e 5417 u16 dcid, scid, credits, mtu, mps;
27e2d4c8
JH		 5418 __le16 psm;
5419 u8 result;
5420
5421 if (cmd_len != sizeof(*req))
5422 return -EPROTO;
5423
5424 scid = __le16_to_cpu(req->scid);
5425 mtu = __le16_to_cpu(req->mtu);
5426 mps = __le16_to_cpu(req->mps);
5427 psm = req->psm;
5428 dcid = 0;
0cd75f7e 5429 credits = 0;
27e2d4c8
JH		 5430
5431 if (mtu < 23 || mps < 23)
5432 return -EPROTO;
5433
5434 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5435 scid, mtu, mps);
5436
5437 /* Check if we have socket listening on psm */
5438 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5439 &conn->hcon->dst, LE_LINK);
5440 if (!pchan) {
5441 result = L2CAP_CR_BAD_PSM;
5442 chan = NULL;
5443 goto response;
5444 }
5445
5446 mutex_lock(&conn->chan_lock);
5447 l2cap_chan_lock(pchan);
5448
5449 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5450 result = L2CAP_CR_AUTHENTICATION;
5451 chan = NULL;
5452 goto response_unlock;
5453 }
5454
5455 /* Check if we already have channel with that dcid */
5456 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5457 result = L2CAP_CR_NO_MEM;
5458 chan = NULL;
5459 goto response_unlock;
5460 }
5461
5462 chan = pchan->ops->new_connection(pchan);
5463 if (!chan) {
5464 result = L2CAP_CR_NO_MEM;
5465 goto response_unlock;
5466 }
5467
0ce43ce6
JH		 5468 l2cap_le_flowctl_init(chan);
5469
27e2d4c8
JH		 5470 bacpy(&chan->src, &conn->hcon->src);
5471 bacpy(&chan->dst, &conn->hcon->dst);
5472 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5473 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5474 chan->psm = psm;
5475 chan->dcid = scid;
5476 chan->omtu = mtu;
5477 chan->remote_mps = mps;
0cd75f7e 5478 chan->tx_credits = __le16_to_cpu(req->credits);
27e2d4c8
JH		 5479
5480 __l2cap_chan_add(conn, chan);
5481 dcid = chan->scid;
0cd75f7e 5482 credits = chan->rx_credits;
27e2d4c8
JH		 5483
5484 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5485
5486 chan->ident = cmd->ident;
5487
5488 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5489 l2cap_state_change(chan, BT_CONNECT2);
5490 result = L2CAP_CR_PEND;
5491 chan->ops->defer(chan);
5492 } else {
5493 l2cap_chan_ready(chan);
5494 result = L2CAP_CR_SUCCESS;
5495 }
5496
5497response_unlock:
5498 l2cap_chan_unlock(pchan);
5499 mutex_unlock(&conn->chan_lock);
5500
5501 if (result == L2CAP_CR_PEND)
5502 return 0;
5503
5504response:
5505 if (chan) {
5506 rsp.mtu = cpu_to_le16(chan->imtu);
3916aed8 5507 rsp.mps = cpu_to_le16(chan->mps);
27e2d4c8
JH		 5508 } else {
5509 rsp.mtu = 0;
5510 rsp.mps = 0;
5511 }
5512
5513 rsp.dcid = cpu_to_le16(dcid);
0cd75f7e 5514 rsp.credits = cpu_to_le16(credits);
27e2d4c8
JH		 5515 rsp.result = cpu_to_le16(result);
5516
5517 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5518
5519 return 0;
5520}
5521
fad5fc89
JH		 5522static inline int l2cap_le_credits(struct l2cap_conn *conn,
5523 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5524 u8 *data)
5525{
5526 struct l2cap_le_credits *pkt;
5527 struct l2cap_chan *chan;
0f1bfe4e 5528 u16 cid, credits, max_credits;
fad5fc89
JH		 5529
5530 if (cmd_len != sizeof(*pkt))
5531 return -EPROTO;
5532
5533 pkt = (struct l2cap_le_credits *) data;
5534 cid = __le16_to_cpu(pkt->cid);
5535 credits = __le16_to_cpu(pkt->credits);
5536
5537 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5538
5539 chan = l2cap_get_chan_by_dcid(conn, cid);
5540 if (!chan)
5541 return -EBADSLT;
5542
0f1bfe4e
JH		 5543 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5544 if (credits > max_credits) {
5545 BT_ERR("LE credits overflow");
5546 l2cap_send_disconn_req(chan, ECONNRESET);
5547
5548 /* Return 0 so that we don't trigger an unnecessary
5549 * command reject packet.
5550 */
5551 return 0;
5552 }
5553
fad5fc89
JH		 5554 chan->tx_credits += credits;
5555
5556 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5557 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5558 chan->tx_credits--;
5559 }
5560
5561 if (chan->tx_credits)
5562 chan->ops->resume(chan);
5563
5564 l2cap_chan_unlock(chan);
5565
5566 return 0;
5567}
5568
71fb4197
JH		 5569static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5570 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5571 u8 *data)
5572{
5573 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5574 struct l2cap_chan *chan;
5575
5576 if (cmd_len < sizeof(*rej))
5577 return -EPROTO;
5578
5579 mutex_lock(&conn->chan_lock);
5580
5581 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5582 if (!chan)
5583 goto done;
5584
5585 l2cap_chan_lock(chan);
5586 l2cap_chan_del(chan, ECONNREFUSED);
5587 l2cap_chan_unlock(chan);
5588
5589done:
5590 mutex_unlock(&conn->chan_lock);
5591 return 0;
5592}
5593
3300d9a9 5594static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
203e639e
JH		 5595 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 u8 *data)
3300d9a9 5597{
b5ecba64
JH		 5598 int err = 0;
5599
3300d9a9
CT		 5600 switch (cmd->code) {
5601 case L2CAP_COMMAND_REJ:
71fb4197 5602 l2cap_le_command_rej(conn, cmd, cmd_len, data);
b5ecba64 5603 break;
3300d9a9
CT		 5604
5605 case L2CAP_CONN_PARAM_UPDATE_REQ:
b5ecba64
JH		 5606 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5607 break;
3300d9a9
CT		 5608
5609 case L2CAP_CONN_PARAM_UPDATE_RSP:
b5ecba64 5610 break;
3300d9a9 5611
f1496dee
JH		 5612 case L2CAP_LE_CONN_RSP:
5613 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5614 break;
f1496dee 5615
27e2d4c8 5616 case L2CAP_LE_CONN_REQ:
b5ecba64
JH		 5617 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5618 break;
27e2d4c8 5619
fad5fc89
JH		 5620 case L2CAP_LE_CREDITS:
5621 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5622 break;
5623
3defe01a 5624 case L2CAP_DISCONN_REQ:
b5ecba64
JH		 5625 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5626 break;
3defe01a
JH		 5627
5628 case L2CAP_DISCONN_RSP:
5629 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
b5ecba64 5630 break;
3defe01a 5631
3300d9a9
CT		 5632 default:
5633 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
b5ecba64
JH		 5634 err = -EINVAL;
5635 break;
3300d9a9 5636 }
b5ecba64
JH		 5637
5638 return err;
3300d9a9
CT		 5639}
5640
c5623556
JH		 5641static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5642 struct sk_buff *skb)
5643{
69c4e4e8 5644 struct hci_conn *hcon = conn->hcon;
4f3e219d
MH		 5645 struct l2cap_cmd_hdr *cmd;
5646 u16 len;
c5623556
JH		 5647 int err;
5648
69c4e4e8 5649 if (hcon->type != LE_LINK)
3b166295 5650 goto drop;
69c4e4e8 5651
4f3e219d
MH		 5652 if (skb->len < L2CAP_CMD_HDR_SIZE)
5653 goto drop;
c5623556 5654
4f3e219d
MH		 5655 cmd = (void *) skb->data;
5656 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
c5623556 5657
4f3e219d 5658 len = le16_to_cpu(cmd->len);
c5623556 5659
4f3e219d 5660 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
c5623556 5661
4f3e219d
MH		 5662 if (len != skb->len || !cmd->ident) {
5663 BT_DBG("corrupted command");
5664 goto drop;
5665 }
c5623556 5666
203e639e 5667 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
4f3e219d
MH		 5668 if (err) {
5669 struct l2cap_cmd_rej_unk rej;
c5623556 5670
4f3e219d 5671 BT_ERR("Wrong link type (%d)", err);
c5623556 5672
dcf4adbf 5673 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
4f3e219d
MH		 5674 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5675 sizeof(rej), &rej);
c5623556
JH		 5676 }
5677
3b166295 5678drop:
c5623556
JH		 5679 kfree_skb(skb);
5680}
5681
3300d9a9 5682static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5683 struct sk_buff *skb)
1da177e4 5684{
69c4e4e8 5685 struct hci_conn *hcon = conn->hcon;
1da177e4
LT		 5686 u8 *data = skb->data;
5687 int len = skb->len;
5688 struct l2cap_cmd_hdr cmd;
3300d9a9 5689 int err;
1da177e4
LT		 5690
5691 l2cap_raw_recv(conn, skb);
5692
69c4e4e8 5693 if (hcon->type != ACL_LINK)
3b166295 5694 goto drop;
69c4e4e8 5695
1da177e4 5696 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5697 u16 cmd_len;
1da177e4
LT		 5698 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5699 data += L2CAP_CMD_HDR_SIZE;
5700 len -= L2CAP_CMD_HDR_SIZE;
5701
88219a0f 5702 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5703
2d792818
GP		 5704 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5705 cmd.ident);
1da177e4 5706
88219a0f 5707 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5708 BT_DBG("corrupted command");
5709 break;
5710 }
5711
c5623556 5712 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5713 if (err) {
e2fd318e 5714 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5715
5716 BT_ERR("Wrong link type (%d)", err);
1da177e4 5717
dcf4adbf 5718 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5719 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5720 sizeof(rej), &rej);
1da177e4
LT		 5721 }
5722
88219a0f
AV		 5723 data += cmd_len;
5724 len -= cmd_len;
1da177e4
LT		 5725 }
5726
3b166295 5727drop:
1da177e4
LT		 5728 kfree_skb(skb);
5729}
5730
47d1ec61 5731static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5732{
5733 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5734 int hdr_size;
5735
5736 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5737 hdr_size = L2CAP_EXT_HDR_SIZE;
5738 else
5739 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5740
47d1ec61 5741 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5742 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5743 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5744 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5745
5746 if (our_fcs != rcv_fcs)
7a560e5c 5747 return -EBADMSG;
fcc203c3
GP		 5748 }
5749 return 0;
5750}
5751
6ea00485 5752static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5753{
e31f7633 5754 struct l2cap_ctrl control;
d5392c8f 5755
e31f7633 5756 BT_DBG("chan %p", chan);
d5392c8f 5757
e31f7633
MM		 5758 memset(&control, 0, sizeof(control));
5759 control.sframe = 1;
5760 control.final = 1;
5761 control.reqseq = chan->buffer_seq;
5762 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5763
e2ab4353 5764 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5765 control.super = L2CAP_SUPER_RNR;
5766 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5767 }
5768
e31f7633
MM		 5769 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5770 chan->unacked_frames > 0)
5771 __set_retrans_timer(chan);
d5392c8f 5772
e31f7633 5773 /* Send pending iframes */
525cd185 5774 l2cap_ertm_send(chan);
d5392c8f 5775
e2ab4353 5776 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5777 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5778 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5779 * send it now.
5780 */
5781 control.super = L2CAP_SUPER_RR;
5782 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5783 }
5784}
5785
2d792818
GP		 5786static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5787 struct sk_buff **last_frag)
18778a63 5788{
84084a31
MM		 5789 /* skb->len reflects data in skb as well as all fragments
5790 * skb->data_len reflects only data in fragments
5791 */
5792 if (!skb_has_frag_list(skb))
5793 skb_shinfo(skb)->frag_list = new_frag;
5794
5795 new_frag->next = NULL;
5796
5797 (*last_frag)->next = new_frag;
5798 *last_frag = new_frag;
5799
5800 skb->len += new_frag->len;
5801 skb->data_len += new_frag->len;
5802 skb->truesize += new_frag->truesize;
5803}
5804
4b51dae9
MM		 5805static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5806 struct l2cap_ctrl *control)
84084a31
MM		 5807{
5808 int err = -EINVAL;
18778a63 5809
4b51dae9 5810 switch (control->sar) {
7e0ef6ee 5811 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5812 if (chan->sdu)
5813 break;
18778a63 5814
80b98027 5815 err = chan->ops->recv(chan, skb);
84084a31 5816 break;
18778a63 5817
7e0ef6ee 5818 case L2CAP_SAR_START:
84084a31
MM		 5819 if (chan->sdu)
5820 break;
18778a63 5821
6f61fd47 5822 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5823 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5824
84084a31
MM		 5825 if (chan->sdu_len > chan->imtu) {
5826 err = -EMSGSIZE;
5827 break;
5828 }
1890d36b 5829
84084a31
MM		 5830 if (skb->len >= chan->sdu_len)
5831 break;
18778a63 5832
84084a31
MM		 5833 chan->sdu = skb;
5834 chan->sdu_last_frag = skb;
18778a63 5835
84084a31
MM		 5836 skb = NULL;
5837 err = 0;
18778a63
GP		 5838 break;
5839
7e0ef6ee 5840 case L2CAP_SAR_CONTINUE:
6f61fd47 5841 if (!chan->sdu)
84084a31 5842 break;
18778a63 5843
84084a31
MM		 5844 append_skb_frag(chan->sdu, skb,
5845 &chan->sdu_last_frag);
5846 skb = NULL;
18778a63 5847
84084a31
MM		 5848 if (chan->sdu->len >= chan->sdu_len)
5849 break;
4178ba46 5850
84084a31 5851 err = 0;
18778a63
GP		 5852 break;
5853
7e0ef6ee 5854 case L2CAP_SAR_END:
6f61fd47 5855 if (!chan->sdu)
84084a31 5856 break;
18778a63 5857
84084a31
MM		 5858 append_skb_frag(chan->sdu, skb,
5859 &chan->sdu_last_frag);
5860 skb = NULL;
4178ba46 5861
84084a31
MM		 5862 if (chan->sdu->len != chan->sdu_len)
5863 break;
18778a63 5864
80b98027 5865 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5866
84084a31
MM		 5867 if (!err) {
5868 /* Reassembly complete */
5869 chan->sdu = NULL;
5870 chan->sdu_last_frag = NULL;
5871 chan->sdu_len = 0;
1890d36b 5872 }
18778a63
GP		 5873 break;
5874 }
5875
84084a31
MM		 5876 if (err) {
5877 kfree_skb(skb);
5878 kfree_skb(chan->sdu);
5879 chan->sdu = NULL;
5880 chan->sdu_last_frag = NULL;
5881 chan->sdu_len = 0;
5882 }
18778a63 5883
84084a31 5884 return err;
18778a63
GP		 5885}
5886
32b32735
MM		 5887static int l2cap_resegment(struct l2cap_chan *chan)
5888{
5889 /* Placeholder */
5890 return 0;
5891}
5892
61aa4f5b 5893void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5894{
61aa4f5b 5895 u8 event;
712132eb 5896
61aa4f5b
MM		 5897 if (chan->mode != L2CAP_MODE_ERTM)
5898 return;
712132eb 5899
61aa4f5b 5900 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5901 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5902}
5903
d2a7ac5d
MM		 5904static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5905{
63838725
MM		 5906 int err = 0;
5907 /* Pass sequential frames to l2cap_reassemble_sdu()
5908 * until a gap is encountered.
5909 */
5910
5911 BT_DBG("chan %p", chan);
5912
5913 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5914 struct sk_buff *skb;
5915 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5916 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5917
5918 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5919
5920 if (!skb)
5921 break;
5922
5923 skb_unlink(skb, &chan->srej_q);
5924 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5925 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5926 if (err)
5927 break;
5928 }
5929
5930 if (skb_queue_empty(&chan->srej_q)) {
5931 chan->rx_state = L2CAP_RX_STATE_RECV;
5932 l2cap_send_ack(chan);
5933 }
5934
5935 return err;
d2a7ac5d
MM		 5936}
5937
5938static void l2cap_handle_srej(struct l2cap_chan *chan,
5939 struct l2cap_ctrl *control)
5940{
f80842a8
MM		 5941 struct sk_buff *skb;
5942
5943 BT_DBG("chan %p, control %p", chan, control);
5944
5945 if (control->reqseq == chan->next_tx_seq) {
5946 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5947 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5948 return;
5949 }
5950
5951 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5952
5953 if (skb == NULL) {
5954 BT_DBG("Seq %d not available for retransmission",
5955 control->reqseq);
5956 return;
5957 }
5958
5959 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5960 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5961 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5962 return;
5963 }
5964
5965 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5966
5967 if (control->poll) {
5968 l2cap_pass_to_tx(chan, control);
5969
5970 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5971 l2cap_retransmit(chan, control);
5972 l2cap_ertm_send(chan);
5973
5974 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5975 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5976 chan->srej_save_reqseq = control->reqseq;
5977 }
5978 } else {
5979 l2cap_pass_to_tx_fbit(chan, control);
5980
5981 if (control->final) {
5982 if (chan->srej_save_reqseq != control->reqseq ||
5983 !test_and_clear_bit(CONN_SREJ_ACT,
5984 &chan->conn_state))
5985 l2cap_retransmit(chan, control);
5986 } else {
5987 l2cap_retransmit(chan, control);
5988 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5989 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5990 chan->srej_save_reqseq = control->reqseq;
5991 }
5992 }
5993 }
d2a7ac5d
MM		 5994}
5995
5996static void l2cap_handle_rej(struct l2cap_chan *chan,
5997 struct l2cap_ctrl *control)
5998{
fcd289df
MM		 5999 struct sk_buff *skb;
6000
6001 BT_DBG("chan %p, control %p", chan, control);
6002
6003 if (control->reqseq == chan->next_tx_seq) {
6004 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 6005 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6006 return;
6007 }
6008
6009 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6010
6011 if (chan->max_tx && skb &&
6012 bt_cb(skb)->control.retries >= chan->max_tx) {
6013 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 6014 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 6015 return;
6016 }
6017
6018 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6019
6020 l2cap_pass_to_tx(chan, control);
6021
6022 if (control->final) {
6023 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6024 l2cap_retransmit_all(chan, control);
6025 } else {
6026 l2cap_retransmit_all(chan, control);
6027 l2cap_ertm_send(chan);
6028 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6029 set_bit(CONN_REJ_ACT, &chan->conn_state);
6030 }
d2a7ac5d
MM		 6031}
6032
4b51dae9
MM		 6033static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6034{
6035 BT_DBG("chan %p, txseq %d", chan, txseq);
6036
6037 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6038 chan->expected_tx_seq);
6039
6040 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6041 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 6042 chan->tx_win) {
4b51dae9
MM		 6043 /* See notes below regarding "double poll" and
6044 * invalid packets.
6045 */
6046 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6047 BT_DBG("Invalid/Ignore - after SREJ");
6048 return L2CAP_TXSEQ_INVALID_IGNORE;
6049 } else {
6050 BT_DBG("Invalid - in window after SREJ sent");
6051 return L2CAP_TXSEQ_INVALID;
6052 }
6053 }
6054
6055 if (chan->srej_list.head == txseq) {
6056 BT_DBG("Expected SREJ");
6057 return L2CAP_TXSEQ_EXPECTED_SREJ;
6058 }
6059
6060 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6061 BT_DBG("Duplicate SREJ - txseq already stored");
6062 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6063 }
6064
6065 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6066 BT_DBG("Unexpected SREJ - not requested");
6067 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6068 }
6069 }
6070
6071 if (chan->expected_tx_seq == txseq) {
6072 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6073 chan->tx_win) {
6074 BT_DBG("Invalid - txseq outside tx window");
6075 return L2CAP_TXSEQ_INVALID;
6076 } else {
6077 BT_DBG("Expected");
6078 return L2CAP_TXSEQ_EXPECTED;
6079 }
6080 }
6081
6082 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 6083 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 6084 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6085 return L2CAP_TXSEQ_DUPLICATE;
6086 }
6087
6088 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6089 /* A source of invalid packets is a "double poll" condition,
6090 * where delays cause us to send multiple poll packets. If
6091 * the remote stack receives and processes both polls,
6092 * sequence numbers can wrap around in such a way that a
6093 * resent frame has a sequence number that looks like new data
6094 * with a sequence gap. This would trigger an erroneous SREJ
6095 * request.
6096 *
6097 * Fortunately, this is impossible with a tx window that's
6098 * less than half of the maximum sequence number, which allows
6099 * invalid frames to be safely ignored.
6100 *
6101 * With tx window sizes greater than half of the tx window
6102 * maximum, the frame is invalid and cannot be ignored. This
6103 * causes a disconnect.
6104 */
6105
6106 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6107 BT_DBG("Invalid/Ignore - txseq outside tx window");
6108 return L2CAP_TXSEQ_INVALID_IGNORE;
6109 } else {
6110 BT_DBG("Invalid - txseq outside tx window");
6111 return L2CAP_TXSEQ_INVALID;
6112 }
6113 } else {
6114 BT_DBG("Unexpected - txseq indicates missing frames");
6115 return L2CAP_TXSEQ_UNEXPECTED;
6116 }
6117}
6118
d2a7ac5d
MM		 6119static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6120 struct l2cap_ctrl *control,
6121 struct sk_buff *skb, u8 event)
6122{
6123 int err = 0;
941247f9 6124 bool skb_in_use = false;
d2a7ac5d
MM		 6125
6126 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6127 event);
6128
6129 switch (event) {
6130 case L2CAP_EV_RECV_IFRAME:
6131 switch (l2cap_classify_txseq(chan, control->txseq)) {
6132 case L2CAP_TXSEQ_EXPECTED:
6133 l2cap_pass_to_tx(chan, control);
6134
6135 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6136 BT_DBG("Busy, discarding expected seq %d",
6137 control->txseq);
6138 break;
6139 }
6140
6141 chan->expected_tx_seq = __next_seq(chan,
6142 control->txseq);
6143
6144 chan->buffer_seq = chan->expected_tx_seq;
941247f9 6145 skb_in_use = true;
d2a7ac5d
MM		 6146
6147 err = l2cap_reassemble_sdu(chan, skb, control);
6148 if (err)
6149 break;
6150
6151 if (control->final) {
6152 if (!test_and_clear_bit(CONN_REJ_ACT,
6153 &chan->conn_state)) {
6154 control->final = 0;
6155 l2cap_retransmit_all(chan, control);
6156 l2cap_ertm_send(chan);
6157 }
6158 }
6159
6160 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6161 l2cap_send_ack(chan);
6162 break;
6163 case L2CAP_TXSEQ_UNEXPECTED:
6164 l2cap_pass_to_tx(chan, control);
6165
6166 /* Can't issue SREJ frames in the local busy state.
6167 * Drop this frame, it will be seen as missing
6168 * when local busy is exited.
6169 */
6170 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6171 BT_DBG("Busy, discarding unexpected seq %d",
6172 control->txseq);
6173 break;
6174 }
6175
6176 /* There was a gap in the sequence, so an SREJ
6177 * must be sent for each missing frame. The
6178 * current frame is stored for later use.
6179 */
6180 skb_queue_tail(&chan->srej_q, skb);
941247f9 6181 skb_in_use = true;
d2a7ac5d
MM		 6182 BT_DBG("Queued %p (queue len %d)", skb,
6183 skb_queue_len(&chan->srej_q));
6184
6185 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6186 l2cap_seq_list_clear(&chan->srej_list);
6187 l2cap_send_srej(chan, control->txseq);
6188
6189 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6190 break;
6191 case L2CAP_TXSEQ_DUPLICATE:
6192 l2cap_pass_to_tx(chan, control);
6193 break;
6194 case L2CAP_TXSEQ_INVALID_IGNORE:
6195 break;
6196 case L2CAP_TXSEQ_INVALID:
6197 default:
5e4e3972 6198 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6199 break;
6200 }
6201 break;
6202 case L2CAP_EV_RECV_RR:
6203 l2cap_pass_to_tx(chan, control);
6204 if (control->final) {
6205 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6206
e6a3ee6e
MM		 6207 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6208 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 6209 control->final = 0;
6210 l2cap_retransmit_all(chan, control);
6211 }
6212
6213 l2cap_ertm_send(chan);
6214 } else if (control->poll) {
6215 l2cap_send_i_or_rr_or_rnr(chan);
6216 } else {
6217 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6218 &chan->conn_state) &&
6219 chan->unacked_frames)
6220 __set_retrans_timer(chan);
6221
6222 l2cap_ertm_send(chan);
6223 }
6224 break;
6225 case L2CAP_EV_RECV_RNR:
6226 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6227 l2cap_pass_to_tx(chan, control);
6228 if (control && control->poll) {
6229 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6230 l2cap_send_rr_or_rnr(chan, 0);
6231 }
6232 __clear_retrans_timer(chan);
6233 l2cap_seq_list_clear(&chan->retrans_list);
6234 break;
6235 case L2CAP_EV_RECV_REJ:
6236 l2cap_handle_rej(chan, control);
6237 break;
6238 case L2CAP_EV_RECV_SREJ:
6239 l2cap_handle_srej(chan, control);
6240 break;
6241 default:
6242 break;
6243 }
6244
6245 if (skb && !skb_in_use) {
6246 BT_DBG("Freeing %p", skb);
6247 kfree_skb(skb);
6248 }
6249
6250 return err;
6251}
6252
6253static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6254 struct l2cap_ctrl *control,
6255 struct sk_buff *skb, u8 event)
6256{
6257 int err = 0;
6258 u16 txseq = control->txseq;
941247f9 6259 bool skb_in_use = false;
d2a7ac5d
MM		 6260
6261 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6262 event);
6263
6264 switch (event) {
6265 case L2CAP_EV_RECV_IFRAME:
6266 switch (l2cap_classify_txseq(chan, txseq)) {
6267 case L2CAP_TXSEQ_EXPECTED:
6268 /* Keep frame for reassembly later */
6269 l2cap_pass_to_tx(chan, control);
6270 skb_queue_tail(&chan->srej_q, skb);
941247f9 6271 skb_in_use = true;
d2a7ac5d
MM		 6272 BT_DBG("Queued %p (queue len %d)", skb,
6273 skb_queue_len(&chan->srej_q));
6274
6275 chan->expected_tx_seq = __next_seq(chan, txseq);
6276 break;
6277 case L2CAP_TXSEQ_EXPECTED_SREJ:
6278 l2cap_seq_list_pop(&chan->srej_list);
6279
6280 l2cap_pass_to_tx(chan, control);
6281 skb_queue_tail(&chan->srej_q, skb);
941247f9 6282 skb_in_use = true;
d2a7ac5d
MM		 6283 BT_DBG("Queued %p (queue len %d)", skb,
6284 skb_queue_len(&chan->srej_q));
6285
6286 err = l2cap_rx_queued_iframes(chan);
6287 if (err)
6288 break;
6289
6290 break;
6291 case L2CAP_TXSEQ_UNEXPECTED:
6292 /* Got a frame that can't be reassembled yet.
6293 * Save it for later, and send SREJs to cover
6294 * the missing frames.
6295 */
6296 skb_queue_tail(&chan->srej_q, skb);
941247f9 6297 skb_in_use = true;
d2a7ac5d
MM		 6298 BT_DBG("Queued %p (queue len %d)", skb,
6299 skb_queue_len(&chan->srej_q));
6300
6301 l2cap_pass_to_tx(chan, control);
6302 l2cap_send_srej(chan, control->txseq);
6303 break;
6304 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6305 /* This frame was requested with an SREJ, but
6306 * some expected retransmitted frames are
6307 * missing. Request retransmission of missing
6308 * SREJ'd frames.
6309 */
6310 skb_queue_tail(&chan->srej_q, skb);
941247f9 6311 skb_in_use = true;
d2a7ac5d
MM		 6312 BT_DBG("Queued %p (queue len %d)", skb,
6313 skb_queue_len(&chan->srej_q));
6314
6315 l2cap_pass_to_tx(chan, control);
6316 l2cap_send_srej_list(chan, control->txseq);
6317 break;
6318 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6319 /* We've already queued this frame. Drop this copy. */
6320 l2cap_pass_to_tx(chan, control);
6321 break;
6322 case L2CAP_TXSEQ_DUPLICATE:
6323 /* Expecting a later sequence number, so this frame
6324 * was already received. Ignore it completely.
6325 */
6326 break;
6327 case L2CAP_TXSEQ_INVALID_IGNORE:
6328 break;
6329 case L2CAP_TXSEQ_INVALID:
6330 default:
5e4e3972 6331 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6332 break;
6333 }
6334 break;
6335 case L2CAP_EV_RECV_RR:
6336 l2cap_pass_to_tx(chan, control);
6337 if (control->final) {
6338 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6339
6340 if (!test_and_clear_bit(CONN_REJ_ACT,
6341 &chan->conn_state)) {
6342 control->final = 0;
6343 l2cap_retransmit_all(chan, control);
6344 }
6345
6346 l2cap_ertm_send(chan);
6347 } else if (control->poll) {
6348 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6349 &chan->conn_state) &&
6350 chan->unacked_frames) {
6351 __set_retrans_timer(chan);
6352 }
6353
6354 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6355 l2cap_send_srej_tail(chan);
6356 } else {
6357 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6358 &chan->conn_state) &&
6359 chan->unacked_frames)
6360 __set_retrans_timer(chan);
6361
6362 l2cap_send_ack(chan);
6363 }
6364 break;
6365 case L2CAP_EV_RECV_RNR:
6366 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6367 l2cap_pass_to_tx(chan, control);
6368 if (control->poll) {
6369 l2cap_send_srej_tail(chan);
6370 } else {
6371 struct l2cap_ctrl rr_control;
6372 memset(&rr_control, 0, sizeof(rr_control));
6373 rr_control.sframe = 1;
6374 rr_control.super = L2CAP_SUPER_RR;
6375 rr_control.reqseq = chan->buffer_seq;
6376 l2cap_send_sframe(chan, &rr_control);
6377 }
6378
6379 break;
6380 case L2CAP_EV_RECV_REJ:
6381 l2cap_handle_rej(chan, control);
6382 break;
6383 case L2CAP_EV_RECV_SREJ:
6384 l2cap_handle_srej(chan, control);
6385 break;
6386 }
6387
6388 if (skb && !skb_in_use) {
6389 BT_DBG("Freeing %p", skb);
6390 kfree_skb(skb);
6391 }
6392
6393 return err;
6394}
6395
32b32735
MM		 6396static int l2cap_finish_move(struct l2cap_chan *chan)
6397{
6398 BT_DBG("chan %p", chan);
6399
6400 chan->rx_state = L2CAP_RX_STATE_RECV;
6401
6402 if (chan->hs_hcon)
6403 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6404 else
6405 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6406
6407 return l2cap_resegment(chan);
6408}
6409
6410static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6411 struct l2cap_ctrl *control,
6412 struct sk_buff *skb, u8 event)
6413{
6414 int err;
6415
6416 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6417 event);
6418
6419 if (!control->poll)
6420 return -EPROTO;
6421
6422 l2cap_process_reqseq(chan, control->reqseq);
6423
6424 if (!skb_queue_empty(&chan->tx_q))
6425 chan->tx_send_head = skb_peek(&chan->tx_q);
6426 else
6427 chan->tx_send_head = NULL;
6428
6429 /* Rewind next_tx_seq to the point expected
6430 * by the receiver.
6431 */
6432 chan->next_tx_seq = control->reqseq;
6433 chan->unacked_frames = 0;
6434
6435 err = l2cap_finish_move(chan);
6436 if (err)
6437 return err;
6438
6439 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6440 l2cap_send_i_or_rr_or_rnr(chan);
6441
6442 if (event == L2CAP_EV_RECV_IFRAME)
6443 return -EPROTO;
6444
6445 return l2cap_rx_state_recv(chan, control, NULL, event);
6446}
6447
6448static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6449 struct l2cap_ctrl *control,
6450 struct sk_buff *skb, u8 event)
6451{
6452 int err;
6453
6454 if (!control->final)
6455 return -EPROTO;
6456
6457 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6458
6459 chan->rx_state = L2CAP_RX_STATE_RECV;
6460 l2cap_process_reqseq(chan, control->reqseq);
6461
6462 if (!skb_queue_empty(&chan->tx_q))
6463 chan->tx_send_head = skb_peek(&chan->tx_q);
6464 else
6465 chan->tx_send_head = NULL;
6466
6467 /* Rewind next_tx_seq to the point expected
6468 * by the receiver.
6469 */
6470 chan->next_tx_seq = control->reqseq;
6471 chan->unacked_frames = 0;
6472
6473 if (chan->hs_hcon)
6474 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6475 else
6476 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6477
6478 err = l2cap_resegment(chan);
6479
6480 if (!err)
6481 err = l2cap_rx_state_recv(chan, control, skb, event);
6482
6483 return err;
6484}
6485
d2a7ac5d
MM		 6486static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6487{
6488 /* Make sure reqseq is for a packet that has been sent but not acked */
6489 u16 unacked;
6490
6491 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6492 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6493}
6494
cec8ab6e
MM		 6495static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6496 struct sk_buff *skb, u8 event)
218bb9df 6497{
d2a7ac5d
MM		 6498 int err = 0;
6499
6500 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6501 control, skb, event, chan->rx_state);
6502
6503 if (__valid_reqseq(chan, control->reqseq)) {
6504 switch (chan->rx_state) {
6505 case L2CAP_RX_STATE_RECV:
6506 err = l2cap_rx_state_recv(chan, control, skb, event);
6507 break;
6508 case L2CAP_RX_STATE_SREJ_SENT:
6509 err = l2cap_rx_state_srej_sent(chan, control, skb,
6510 event);
6511 break;
32b32735
MM		 6512 case L2CAP_RX_STATE_WAIT_P:
6513 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6514 break;
6515 case L2CAP_RX_STATE_WAIT_F:
6516 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6517 break;
d2a7ac5d
MM		 6518 default:
6519 /* shut it down */
6520 break;
6521 }
6522 } else {
6523 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6524 control->reqseq, chan->next_tx_seq,
6525 chan->expected_ack_seq);
5e4e3972 6526 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6527 }
6528
6529 return err;
cec8ab6e
MM		 6530}
6531
6532static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6533 struct sk_buff *skb)
6534{
4b51dae9
MM		 6535 int err = 0;
6536
6537 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6538 chan->rx_state);
6539
6540 if (l2cap_classify_txseq(chan, control->txseq) ==
6541 L2CAP_TXSEQ_EXPECTED) {
6542 l2cap_pass_to_tx(chan, control);
6543
6544 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6545 __next_seq(chan, chan->buffer_seq));
6546
6547 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6548
6549 l2cap_reassemble_sdu(chan, skb, control);
6550 } else {
6551 if (chan->sdu) {
6552 kfree_skb(chan->sdu);
6553 chan->sdu = NULL;
6554 }
6555 chan->sdu_last_frag = NULL;
6556 chan->sdu_len = 0;
6557
6558 if (skb) {
6559 BT_DBG("Freeing %p", skb);
6560 kfree_skb(skb);
6561 }
6562 }
6563
6564 chan->last_acked_seq = control->txseq;
6565 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6566
6567 return err;
cec8ab6e
MM		 6568}
6569
6570static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6571{
6572 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6573 u16 len;
6574 u8 event;
218bb9df 6575
b76bbd66
MM		 6576 __unpack_control(chan, skb);
6577
218bb9df
GP		 6578 len = skb->len;
6579
6580 /*
6581 * We can just drop the corrupted I-frame here.
6582 * Receiver will miss it and start proper recovery
cec8ab6e 6583 * procedures and ask for retransmission.
218bb9df 6584 */
47d1ec61 6585 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6586 goto drop;
6587
cec8ab6e 6588 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6589 len -= L2CAP_SDULEN_SIZE;
218bb9df 6590
47d1ec61 6591 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6592 len -= L2CAP_FCS_SIZE;
218bb9df 6593
47d1ec61 6594 if (len > chan->mps) {
5e4e3972 6595 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6596 goto drop;
6597 }
6598
cec8ab6e
MM		 6599 if (!control->sframe) {
6600 int err;
218bb9df 6601
cec8ab6e
MM		 6602 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6603 control->sar, control->reqseq, control->final,
6604 control->txseq);
218bb9df 6605
cec8ab6e
MM		 6606 /* Validate F-bit - F=0 always valid, F=1 only
6607 * valid in TX WAIT_F
6608 */
6609 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6610 goto drop;
cec8ab6e
MM		 6611
6612 if (chan->mode != L2CAP_MODE_STREAMING) {
6613 event = L2CAP_EV_RECV_IFRAME;
6614 err = l2cap_rx(chan, control, skb, event);
6615 } else {
6616 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6617 }
6618
cec8ab6e 6619 if (err)
5e4e3972 6620 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6621 } else {
cec8ab6e
MM		 6622 const u8 rx_func_to_event[4] = {
6623 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6624 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6625 };
6626
6627 /* Only I-frames are expected in streaming mode */
6628 if (chan->mode == L2CAP_MODE_STREAMING)
6629 goto drop;
6630
6631 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6632 control->reqseq, control->final, control->poll,
6633 control->super);
6634
218bb9df 6635 if (len != 0) {
1bb166e6 6636 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6637 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6638 goto drop;
6639 }
6640
cec8ab6e
MM		 6641 /* Validate F and P bits */
6642 if (control->final && (control->poll ||
6643 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6644 goto drop;
6645
6646 event = rx_func_to_event[control->super];
6647 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6648 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6649 }
6650
6651 return 0;
6652
6653drop:
6654 kfree_skb(skb);
6655 return 0;
6656}
6657
b1c325c2
JH		 6658static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6659{
6660 struct l2cap_conn *conn = chan->conn;
6661 struct l2cap_le_credits pkt;
6662 u16 return_credits;
6663
6664 /* We return more credits to the sender only after the amount of
6665 * credits falls below half of the initial amount.
6666 */
f15b8ecf 6667 if (chan->rx_credits >= (le_max_credits + 1) / 2)
b1c325c2
JH		 6668 return;
6669
f15b8ecf 6670 return_credits = le_max_credits - chan->rx_credits;
b1c325c2
JH		 6671
6672 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6673
6674 chan->rx_credits += return_credits;
6675
6676 pkt.cid = cpu_to_le16(chan->scid);
6677 pkt.credits = cpu_to_le16(return_credits);
6678
6679 chan->ident = l2cap_get_ident(conn);
6680
6681 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6682}
6683
fad5fc89
JH		 6684static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6685{
aac23bf6
JH		 6686 int err;
6687
6688 if (!chan->rx_credits) {
6689 BT_ERR("No credits to receive LE L2CAP data");
dfd9774c 6690 l2cap_send_disconn_req(chan, ECONNRESET);
fad5fc89 6691 return -ENOBUFS;
aac23bf6 6692 }
fad5fc89 6693
aac23bf6
JH		 6694 if (chan->imtu < skb->len) {
6695 BT_ERR("Too big LE L2CAP PDU");
fad5fc89 6696 return -ENOBUFS;
aac23bf6 6697 }
fad5fc89
JH		 6698
6699 chan->rx_credits--;
6700 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6701
6702 l2cap_chan_le_send_credits(chan);
6703
aac23bf6
JH		 6704 err = 0;
6705
6706 if (!chan->sdu) {
6707 u16 sdu_len;
6708
6709 sdu_len = get_unaligned_le16(skb->data);
6710 skb_pull(skb, L2CAP_SDULEN_SIZE);
6711
6712 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6713 sdu_len, skb->len, chan->imtu);
6714
6715 if (sdu_len > chan->imtu) {
6716 BT_ERR("Too big LE L2CAP SDU length received");
6717 err = -EMSGSIZE;
6718 goto failed;
6719 }
6720
6721 if (skb->len > sdu_len) {
6722 BT_ERR("Too much LE L2CAP data received");
6723 err = -EINVAL;
6724 goto failed;
6725 }
6726
6727 if (skb->len == sdu_len)
6728 return chan->ops->recv(chan, skb);
6729
6730 chan->sdu = skb;
6731 chan->sdu_len = sdu_len;
6732 chan->sdu_last_frag = skb;
6733
6734 return 0;
6735 }
6736
6737 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6738 chan->sdu->len, skb->len, chan->sdu_len);
6739
6740 if (chan->sdu->len + skb->len > chan->sdu_len) {
6741 BT_ERR("Too much LE L2CAP data received");
6742 err = -EINVAL;
6743 goto failed;
6744 }
6745
6746 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6747 skb = NULL;
6748
6749 if (chan->sdu->len == chan->sdu_len) {
6750 err = chan->ops->recv(chan, chan->sdu);
6751 if (!err) {
6752 chan->sdu = NULL;
6753 chan->sdu_last_frag = NULL;
6754 chan->sdu_len = 0;
6755 }
6756 }
6757
6758failed:
6759 if (err) {
6760 kfree_skb(skb);
6761 kfree_skb(chan->sdu);
6762 chan->sdu = NULL;
6763 chan->sdu_last_frag = NULL;
6764 chan->sdu_len = 0;
6765 }
6766
6767 /* We can't return an error here since we took care of the skb
6768 * freeing internally. An error return would cause the caller to
6769 * do a double-free of the skb.
6770 */
6771 return 0;
fad5fc89
JH		 6772}
6773
13ca56e0
AE		 6774static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6775 struct sk_buff *skb)
1da177e4 6776{
48454079 6777 struct l2cap_chan *chan;
1da177e4 6778
baa7e1fa 6779 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6780 if (!chan) {
97e8e89d
AE		 6781 if (cid == L2CAP_CID_A2MP) {
6782 chan = a2mp_channel_create(conn, skb);
6783 if (!chan) {
6784 kfree_skb(skb);
13ca56e0 6785 return;
97e8e89d
AE		 6786 }
6787
6788 l2cap_chan_lock(chan);
6789 } else {
6790 BT_DBG("unknown cid 0x%4.4x", cid);
6791 /* Drop packet and return */
6792 kfree_skb(skb);
13ca56e0 6793 return;
97e8e89d 6794 }
1da177e4
LT		 6795 }
6796
49208c9c 6797 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6798
89bc500e 6799 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6800 goto drop;
6801
0c1bc5c6 6802 switch (chan->mode) {
38319713 6803 case L2CAP_MODE_LE_FLOWCTL:
fad5fc89
JH		 6804 if (l2cap_le_data_rcv(chan, skb) < 0)
6805 goto drop;
6806
6807 goto done;
6808
1c2acffb
GP		 6809 case L2CAP_MODE_BASIC:
6810 /* If socket recv buffers overflows we drop data here
6811 * which is *bad* because L2CAP has to be reliable.
6812 * But we don't have any other choice. L2CAP doesn't
6813 * provide flow control mechanism. */
1da177e4 6814
2c96e03d
SJ		 6815 if (chan->imtu < skb->len) {
6816 BT_ERR("Dropping L2CAP data: receive buffer overflow");
1c2acffb 6817 goto drop;
2c96e03d 6818 }
1da177e4 6819
80b98027 6820 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6821 goto done;
6822 break;
6823
6824 case L2CAP_MODE_ERTM:
6840ed07 6825 case L2CAP_MODE_STREAMING:
cec8ab6e 6826 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6827 goto done;
6828
1c2acffb 6829 default:
0c1bc5c6 6830 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6831 break;
6832 }
1da177e4
LT		 6833
6834drop:
6835 kfree_skb(skb);
6836
6837done:
6be36555 6838 l2cap_chan_unlock(chan);
1da177e4
LT		 6839}
6840
84104b24
AE		 6841static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6842 struct sk_buff *skb)
1da177e4 6843{
ae4fd2d3 6844 struct hci_conn *hcon = conn->hcon;
23691d75 6845 struct l2cap_chan *chan;
1da177e4 6846
ae4fd2d3
MH		 6847 if (hcon->type != ACL_LINK)
6848 goto drop;
6849
bf20fd4e
JH		 6850 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6851 ACL_LINK);
23691d75 6852 if (!chan)
1da177e4
LT		 6853 goto drop;
6854
5b4cedaa 6855 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6856
89bc500e 6857 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6858 goto drop;
6859
e13e21dc 6860 if (chan->imtu < skb->len)
1da177e4
LT		 6861 goto drop;
6862
2edf870d 6863 /* Store remote BD_ADDR and PSM for msg_name */
06ae3314 6864 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
2edf870d
MH		 6865 bt_cb(skb)->psm = psm;
6866
80b98027 6867 if (!chan->ops->recv(chan, skb))
84104b24 6868 return;
1da177e4
LT		 6869
6870drop:
6871 kfree_skb(skb);
1da177e4
LT		 6872}
6873
72f78356 6874static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6875 struct sk_buff *skb)
9f69bda6 6876{
b99707d7 6877 struct hci_conn *hcon = conn->hcon;
23691d75 6878 struct l2cap_chan *chan;
9f69bda6 6879
b99707d7
MH		 6880 if (hcon->type != LE_LINK)
6881 goto drop;
6882
af1c0134 6883 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
06ae3314 6884 &hcon->src, &hcon->dst);
23691d75 6885 if (!chan)
9f69bda6
GP		 6886 goto drop;
6887
5b4cedaa 6888 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6889
e13e21dc 6890 if (chan->imtu < skb->len)
9f69bda6
GP		 6891 goto drop;
6892
80b98027 6893 if (!chan->ops->recv(chan, skb))
6810fca7 6894 return;
9f69bda6
GP		 6895
6896drop:
6897 kfree_skb(skb);
9f69bda6
GP		 6898}
6899
1da177e4
LT		 6900static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6901{
6902 struct l2cap_hdr *lh = (void *) skb->data;
61a939c6 6903 struct hci_conn *hcon = conn->hcon;
8e036fc3
AV		 6904 u16 cid, len;
6905 __le16 psm;
1da177e4 6906
61a939c6
JH		 6907 if (hcon->state != BT_CONNECTED) {
6908 BT_DBG("queueing pending rx skb");
6909 skb_queue_tail(&conn->pending_rx, skb);
6910 return;
6911 }
6912
1da177e4
LT		 6913 skb_pull(skb, L2CAP_HDR_SIZE);
6914 cid = __le16_to_cpu(lh->cid);
6915 len = __le16_to_cpu(lh->len);
6916
1c2acffb
GP		 6917 if (len != skb->len) {
6918 kfree_skb(skb);
6919 return;
6920 }
6921
9e1d7e15
JH		 6922 /* Since we can't actively block incoming LE connections we must
6923 * at least ensure that we ignore incoming data from them.
6924 */
6925 if (hcon->type == LE_LINK &&
dcc36c16
JH		 6926 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6927 bdaddr_type(hcon, hcon->dst_type))) {
e493150e
JH		 6928 kfree_skb(skb);
6929 return;
6930 }
6931
1da177e4
LT		 6932 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6933
6934 switch (cid) {
8db4dc46 6935 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6936 l2cap_sig_channel(conn, skb);
6937 break;
6938
8db4dc46 6939 case L2CAP_CID_CONN_LESS:
097db76c 6940 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6941 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6942 l2cap_conless_channel(conn, psm, skb);
6943 break;
6944
073d1cf3 6945 case L2CAP_CID_ATT:
72f78356 6946 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6947 break;
6948
a2877629
MH		 6949 case L2CAP_CID_LE_SIGNALING:
6950 l2cap_le_sig_channel(conn, skb);
6951 break;
6952
b501d6a1
AB		 6953 case L2CAP_CID_SMP:
6954 if (smp_sig_channel(conn, skb))
6955 l2cap_conn_del(conn->hcon, EACCES);
6956 break;
6957
1da177e4
LT		 6958 default:
6959 l2cap_data_channel(conn, cid, skb);
6960 break;
6961 }
6962}
6963
61a939c6
JH		 6964static void process_pending_rx(struct work_struct *work)
6965{
6966 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6967 pending_rx_work);
6968 struct sk_buff *skb;
6969
6970 BT_DBG("");
6971
6972 while ((skb = skb_dequeue(&conn->pending_rx)))
6973 l2cap_recv_frame(conn, skb);
6974}
6975
162b49e7
JH		 6976static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6977{
6978 struct l2cap_conn *conn = hcon->l2cap_data;
6979 struct hci_chan *hchan;
6980
6981 if (conn)
6982 return conn;
6983
6984 hchan = hci_chan_create(hcon);
6985 if (!hchan)
6986 return NULL;
6987
6988 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6989 if (!conn) {
6990 hci_chan_del(hchan);
6991 return NULL;
6992 }
6993
6994 kref_init(&conn->ref);
6995 hcon->l2cap_data = conn;
6996 conn->hcon = hcon;
6997 hci_conn_get(conn->hcon);
6998 conn->hchan = hchan;
6999
7000 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7001
7002 switch (hcon->type) {
7003 case LE_LINK:
7004 if (hcon->hdev->le_mtu) {
7005 conn->mtu = hcon->hdev->le_mtu;
7006 break;
7007 }
7008 /* fall through */
7009 default:
7010 conn->mtu = hcon->hdev->acl_mtu;
7011 break;
7012 }
7013
7014 conn->feat_mask = 0;
7015
7016 if (hcon->type == ACL_LINK)
7017 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
7018 &hcon->hdev->dev_flags);
7019
5a54e7c8 7020 mutex_init(&conn->ident_lock);
162b49e7
JH		 7021 mutex_init(&conn->chan_lock);
7022
7023 INIT_LIST_HEAD(&conn->chan_l);
7024 INIT_LIST_HEAD(&conn->users);
7025
7026 if (hcon->type == LE_LINK)
7027 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
7028 else
7029 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7030
61a939c6
JH		 7031 skb_queue_head_init(&conn->pending_rx);
7032 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7033
162b49e7
JH		 7034 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7035
7036 return conn;
7037}
7038
7039static bool is_valid_psm(u16 psm, u8 dst_type) {
7040 if (!psm)
7041 return false;
7042
7043 if (bdaddr_type_is_le(dst_type))
7044 return (psm <= 0x00ff);
7045
7046 /* PSM must be odd and lsb of upper byte must be 0 */
7047 return ((psm & 0x0101) == 0x0001);
7048}
7049
7050int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7051 bdaddr_t *dst, u8 dst_type)
7052{
7053 struct l2cap_conn *conn;
7054 struct hci_conn *hcon;
7055 struct hci_dev *hdev;
162b49e7
JH		 7056 int err;
7057
7058 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7059 dst_type, __le16_to_cpu(psm));
7060
7061 hdev = hci_get_route(dst, &chan->src);
7062 if (!hdev)
7063 return -EHOSTUNREACH;
7064
7065 hci_dev_lock(hdev);
7066
7067 l2cap_chan_lock(chan);
7068
7069 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7070 chan->chan_type != L2CAP_CHAN_RAW) {
7071 err = -EINVAL;
7072 goto done;
7073 }
7074
21626e62
JH		 7075 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7076 err = -EINVAL;
7077 goto done;
7078 }
7079
7080 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
162b49e7
JH		 7081 err = -EINVAL;
7082 goto done;
7083 }
7084
7085 switch (chan->mode) {
7086 case L2CAP_MODE_BASIC:
7087 break;
7088 case L2CAP_MODE_LE_FLOWCTL:
7089 l2cap_le_flowctl_init(chan);
7090 break;
7091 case L2CAP_MODE_ERTM:
7092 case L2CAP_MODE_STREAMING:
7093 if (!disable_ertm)
7094 break;
7095 /* fall through */
7096 default:
7097 err = -ENOTSUPP;
7098 goto done;
7099 }
7100
7101 switch (chan->state) {
7102 case BT_CONNECT:
7103 case BT_CONNECT2:
7104 case BT_CONFIG:
7105 /* Already connecting */
7106 err = 0;
7107 goto done;
7108
7109 case BT_CONNECTED:
7110 /* Already connected */
7111 err = -EISCONN;
7112 goto done;
7113
7114 case BT_OPEN:
7115 case BT_BOUND:
7116 /* Can connect */
7117 break;
7118
7119 default:
7120 err = -EBADFD;
7121 goto done;
7122 }
7123
7124 /* Set destination address and psm */
7125 bacpy(&chan->dst, dst);
7126 chan->dst_type = dst_type;
7127
7128 chan->psm = psm;
7129 chan->dcid = cid;
7130
6f77d8c7 7131 if (bdaddr_type_is_le(dst_type)) {
e804d25d 7132 u8 role;
cdd6275e 7133
6f77d8c7
AG		 7134 /* Convert from L2CAP channel address type to HCI address type
7135 */
7136 if (dst_type == BDADDR_LE_PUBLIC)
7137 dst_type = ADDR_LE_DEV_PUBLIC;
7138 else
7139 dst_type = ADDR_LE_DEV_RANDOM;
7140
e804d25d
JH		 7141 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7142 role = HCI_ROLE_SLAVE;
7143 else
7144 role = HCI_ROLE_MASTER;
cdd6275e 7145
04a6c589 7146 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
e804d25d 7147 HCI_LE_CONN_TIMEOUT, role);
6f77d8c7 7148 } else {
d93375a8 7149 u8 auth_type = l2cap_get_auth_type(chan);
04a6c589 7150 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
6f77d8c7 7151 }
162b49e7
JH		 7152
7153 if (IS_ERR(hcon)) {
7154 err = PTR_ERR(hcon);
7155 goto done;
7156 }
7157
7158 conn = l2cap_conn_add(hcon);
7159 if (!conn) {
7160 hci_conn_drop(hcon);
7161 err = -ENOMEM;
7162 goto done;
7163 }
7164
7165 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7166 hci_conn_drop(hcon);
7167 err = -EBUSY;
7168 goto done;
7169 }
7170
7171 /* Update source addr of the socket */
7172 bacpy(&chan->src, &hcon->src);
7173 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7174
7175 l2cap_chan_unlock(chan);
7176 l2cap_chan_add(conn, chan);
7177 l2cap_chan_lock(chan);
7178
7179 /* l2cap_chan_add takes its own ref so we can drop this one */
7180 hci_conn_drop(hcon);
7181
7182 l2cap_state_change(chan, BT_CONNECT);
7183 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7184
61202e4d
JH		 7185 /* Release chan->sport so that it can be reused by other
7186 * sockets (as it's only used for listening sockets).
7187 */
7188 write_lock(&chan_list_lock);
7189 chan->sport = 0;
7190 write_unlock(&chan_list_lock);
7191
162b49e7
JH		 7192 if (hcon->state == BT_CONNECTED) {
7193 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7194 __clear_chan_timer(chan);
e7cafc45 7195 if (l2cap_chan_check_security(chan, true))
162b49e7
JH		 7196 l2cap_state_change(chan, BT_CONNECTED);
7197 } else
7198 l2cap_do_start(chan);
7199 }
7200
7201 err = 0;
7202
7203done:
7204 l2cap_chan_unlock(chan);
7205 hci_dev_unlock(hdev);
7206 hci_dev_put(hdev);
7207 return err;
7208}
6b8d4a6a 7209EXPORT_SYMBOL_GPL(l2cap_chan_connect);
162b49e7 7210
1da177e4
LT		 7211/* ---- L2CAP interface with lower layer (HCI) ---- */
7212
686ebf28 7213int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 7214{
7215 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 7216 struct l2cap_chan *c;
1da177e4 7217
6ed93dc6 7218 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 7219
7220 /* Find listening sockets and check their link_mode */
23691d75
GP		 7221 read_lock(&chan_list_lock);
7222 list_for_each_entry(c, &chan_list, global_l) {
89bc500e 7223 if (c->state != BT_LISTEN)
1da177e4
LT		 7224 continue;
7225
7eafc59e 7226 if (!bacmp(&c->src, &hdev->bdaddr)) {
2af6b9d5 7227 lm1 |= HCI_LM_ACCEPT;
43bd0f32 7228 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 7229 lm1 |= HCI_LM_MASTER;
1da177e4 7230 exact++;
7eafc59e 7231 } else if (!bacmp(&c->src, BDADDR_ANY)) {
2af6b9d5 7232 lm2 |= HCI_LM_ACCEPT;
43bd0f32 7233 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 7234 lm2 |= HCI_LM_MASTER;
7235 }
1da177e4 7236 }
23691d75 7237 read_unlock(&chan_list_lock);
1da177e4
LT		 7238
7239 return exact ? lm1 : lm2;
7240}
7241
9e664631 7242void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 7243{
0139418c
MH		 7244 struct l2cap_conn *conn;
7245
6ed93dc6 7246 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 7247
1da177e4 7248 if (!status) {
baf43251 7249 conn = l2cap_conn_add(hcon);
1da177e4
LT		 7250 if (conn)
7251 l2cap_conn_ready(conn);
ba6fc317 7252 } else {
e175072f 7253 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 7254 }
1da177e4
LT		 7255}
7256
686ebf28 7257int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 7258{
7259 struct l2cap_conn *conn = hcon->l2cap_data;
7260
7261 BT_DBG("hcon %p", hcon);
7262
686ebf28 7263 if (!conn)
9f5a0d7b 7264 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 7265 return conn->disc_reason;
7266}
7267
9e664631 7268void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 7269{
7270 BT_DBG("hcon %p reason %d", hcon, reason);
7271
e175072f 7272 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 7273}
7274
4343478f 7275static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 7276{
715ec005 7277 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 7278 return;
7279
f62e4323 7280 if (encrypt == 0x00) {
4343478f 7281 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 7282 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7d513e92
MH		 7283 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7284 chan->sec_level == BT_SECURITY_FIPS)
0f852724 7285 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 7286 } else {
4343478f 7287 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 7288 __clear_chan_timer(chan);
f62e4323
MH		 7289 }
7290}
7291
686ebf28 7292int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 7293{
0139418c 7294 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 7295 struct l2cap_chan *chan;
1da177e4 7296
0139418c 7297 if (!conn)
1da177e4 7298 return 0;
0139418c 7299
89d8b407 7300 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 7301
160dc6ac 7302 if (hcon->type == LE_LINK) {
35d4adcc 7303 if (!status && encrypt)
4bd6d38e 7304 smp_distribute_keys(conn);
17cd3f37 7305 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 7306 }
7307
3df91ea2 7308 mutex_lock(&conn->chan_lock);
1da177e4 7309
3df91ea2 7310 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 7311 l2cap_chan_lock(chan);
1da177e4 7312
89d8b407
AE		 7313 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7314 state_to_string(chan->state));
f1cb9af5 7315
2338a7e0 7316 if (chan->scid == L2CAP_CID_A2MP) {
78eb2f98
AE		 7317 l2cap_chan_unlock(chan);
7318 continue;
7319 }
7320
073d1cf3 7321 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 7322 if (!status && encrypt) {
7323 chan->sec_level = hcon->sec_level;
cf4cd009 7324 l2cap_chan_ready(chan);
f1cb9af5
VCG		 7325 }
7326
6be36555 7327 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 7328 continue;
7329 }
7330
96eff46e 7331 if (!__l2cap_no_conn_pending(chan)) {
6be36555 7332 l2cap_chan_unlock(chan);
6a8d3010
MH		 7333 continue;
7334 }
7335
89bc500e 7336 if (!status && (chan->state == BT_CONNECTED ||
2d792818 7337 chan->state == BT_CONFIG)) {
d97c899b 7338 chan->ops->resume(chan);
4343478f 7339 l2cap_check_encryption(chan, encrypt);
6be36555 7340 l2cap_chan_unlock(chan);
9719f8af
MH		 7341 continue;
7342 }
7343
89bc500e 7344 if (chan->state == BT_CONNECT) {
6d3c15da 7345 if (!status)
93c3e8f5 7346 l2cap_start_connection(chan);
6d3c15da 7347 else
ba13ccd9 7348 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
89bc500e 7349 } else if (chan->state == BT_CONNECT2) {
b1235d79 7350 struct l2cap_conn_rsp rsp;
df3c3931 7351 __u16 res, stat;
1da177e4 7352
b1235d79 7353 if (!status) {
bdc25783 7354 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
df3c3931
JH		 7355 res = L2CAP_CR_PEND;
7356 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 7357 chan->ops->defer(chan);
df3c3931 7358 } else {
acdcabf5 7359 l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 7360 res = L2CAP_CR_SUCCESS;
7361 stat = L2CAP_CS_NO_INFO;
7362 }
b1235d79 7363 } else {
acdcabf5 7364 l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 7365 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 7366 res = L2CAP_CR_SEC_BLOCK;
7367 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 7368 }
7369
fe4128e0
GP		 7370 rsp.scid = cpu_to_le16(chan->dcid);
7371 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 7372 rsp.result = cpu_to_le16(res);
7373 rsp.status = cpu_to_le16(stat);
fc7f8a7e 7374 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 7375 sizeof(rsp), &rsp);
2d369359
MM		 7376
7377 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7378 res == L2CAP_CR_SUCCESS) {
7379 char buf[128];
7380 set_bit(CONF_REQ_SENT, &chan->conf_state);
7381 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7382 L2CAP_CONF_REQ,
7383 l2cap_build_conf_req(chan, buf),
7384 buf);
7385 chan->num_conf_req++;
7386 }
b1235d79 7387 }
1da177e4 7388
6be36555 7389 l2cap_chan_unlock(chan);
1da177e4
LT		 7390 }
7391
3df91ea2 7392 mutex_unlock(&conn->chan_lock);
b1235d79 7393
1da177e4
LT		 7394 return 0;
7395}
7396
686ebf28 7397int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 7398{
7399 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 7400 struct l2cap_hdr *hdr;
7401 int len;
1da177e4 7402
1d13a254
AE		 7403 /* For AMP controller do not create l2cap conn */
7404 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7405 goto drop;
1da177e4 7406
5a08ecce 7407 if (!conn)
baf43251 7408 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 7409
7410 if (!conn)
1da177e4
LT		 7411 goto drop;
7412
7413 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7414
d73a0988
AE		 7415 switch (flags) {
7416 case ACL_START:
7417 case ACL_START_NO_FLUSH:
7418 case ACL_COMPLETE:
1da177e4
LT		 7419 if (conn->rx_len) {
7420 BT_ERR("Unexpected start frame (len %d)", skb->len);
7421 kfree_skb(conn->rx_skb);
7422 conn->rx_skb = NULL;
7423 conn->rx_len = 0;
7424 l2cap_conn_unreliable(conn, ECOMM);
7425 }
7426
aae7fe22
AE		 7427 /* Start fragment always begin with Basic L2CAP header */
7428 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 7429 BT_ERR("Frame is too short (len %d)", skb->len);
7430 l2cap_conn_unreliable(conn, ECOMM);
7431 goto drop;
7432 }
7433
7434 hdr = (struct l2cap_hdr *) skb->data;
7435 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7436
7437 if (len == skb->len) {
7438 /* Complete frame received */
7439 l2cap_recv_frame(conn, skb);
7440 return 0;
7441 }
7442
7443 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7444
7445 if (skb->len > len) {
7446 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 7447 skb->len, len);
1da177e4
LT		 7448 l2cap_conn_unreliable(conn, ECOMM);
7449 goto drop;
7450 }
7451
7452 /* Allocate skb for the complete frame (with header) */
8bcde1f2 7453 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 7454 if (!conn->rx_skb)
1da177e4
LT		 7455 goto drop;
7456
d626f62b 7457 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7458 skb->len);
1da177e4 7459 conn->rx_len = len - skb->len;
d73a0988
AE		 7460 break;
7461
7462 case ACL_CONT:
1da177e4
LT		 7463 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7464
7465 if (!conn->rx_len) {
7466 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7467 l2cap_conn_unreliable(conn, ECOMM);
7468 goto drop;
7469 }
7470
7471 if (skb->len > conn->rx_len) {
7472 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 7473 skb->len, conn->rx_len);
1da177e4
LT		 7474 kfree_skb(conn->rx_skb);
7475 conn->rx_skb = NULL;
7476 conn->rx_len = 0;
7477 l2cap_conn_unreliable(conn, ECOMM);
7478 goto drop;
7479 }
7480
d626f62b 7481 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 7482 skb->len);
1da177e4
LT		 7483 conn->rx_len -= skb->len;
7484
7485 if (!conn->rx_len) {
c4e5bafa
JH		 7486 /* Complete frame received. l2cap_recv_frame
7487 * takes ownership of the skb so set the global
7488 * rx_skb pointer to NULL first.
7489 */
7490 struct sk_buff *rx_skb = conn->rx_skb;
1da177e4 7491 conn->rx_skb = NULL;
c4e5bafa 7492 l2cap_recv_frame(conn, rx_skb);
1da177e4 7493 }
d73a0988 7494 break;
1da177e4
LT		 7495 }
7496
7497drop:
7498 kfree_skb(skb);
7499 return 0;
7500}
7501
aef7d97c 7502static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 7503{
23691d75 7504 struct l2cap_chan *c;
1da177e4 7505
333055f2 7506 read_lock(&chan_list_lock);
1da177e4 7507
23691d75 7508 list_for_each_entry(c, &chan_list, global_l) {
fcb73338 7509 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7eafc59e 7510 &c->src, &c->dst,
fcb73338
AE		 7511 c->state, __le16_to_cpu(c->psm),
7512 c->scid, c->dcid, c->imtu, c->omtu,
7513 c->sec_level, c->mode);
61e1b4b7 7514 }
1da177e4 7515
333055f2 7516 read_unlock(&chan_list_lock);
1da177e4 7517
aef7d97c 7518 return 0;
1da177e4
LT		 7519}
7520
aef7d97c
MH		 7521static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7522{
7523 return single_open(file, l2cap_debugfs_show, inode->i_private);
7524}
7525
7526static const struct file_operations l2cap_debugfs_fops = {
7527 .open = l2cap_debugfs_open,
7528 .read = seq_read,
7529 .llseek = seq_lseek,
7530 .release = single_release,
7531};
7532
7533static struct dentry *l2cap_debugfs;
1da177e4 7534
64274518 7535int __init l2cap_init(void)
1da177e4
LT		 7536{
7537 int err;
be9d1227 7538
bb58f747 7539 err = l2cap_init_sockets();
1da177e4
LT		 7540 if (err < 0)
7541 return err;
7542
1120e4bf
MH		 7543 if (IS_ERR_OR_NULL(bt_debugfs))
7544 return 0;
7545
7546 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7547 NULL, &l2cap_debugfs_fops);
1da177e4 7548
40b9397a 7549 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
f15b8ecf 7550 &le_max_credits);
40b9397a 7551 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
f15b8ecf
JH		 7552 &le_default_mps);
7553
1da177e4 7554 return 0;
1da177e4
LT		 7555}
7556
64274518 7557void l2cap_exit(void)
1da177e4 7558{
aef7d97c 7559 debugfs_remove(l2cap_debugfs);
bb58f747 7560 l2cap_cleanup_sockets();
1da177e4
LT		 7561}
7562
d1c4a17d
GP		 7563module_param(disable_ertm, bool, 0644);
7564MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux 6.x block layer and io_uring tree(s)