projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix hardcoding ATT CID in __l2cap_chan_add()
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
9f22398c
JH		 507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
509 else
510 chan->scid = l2cap_alloc_cid(conn);
b62f328b
VT		 511 } else {
512 /* Alloc CID for connection-oriented socket */
fe4128e0 513 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 514 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 515 }
5491120e
AE		 516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
0139418c 519 /* Connectionless socket */
fe4128e0
GP		 520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 522 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 523 break;
524
416fa752
AE		 525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
530 break;
531
5491120e 532 default:
0139418c 533 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 536 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 537 }
538
8f7975b1
AE		 539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 545
371fd835 546 l2cap_chan_hold(chan);
baa7e1fa 547
3df91ea2 548 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 549}
550
466f8004 551void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 552{
553 mutex_lock(&conn->chan_lock);
554 __l2cap_chan_add(conn, chan);
3df91ea2 555 mutex_unlock(&conn->chan_lock);
0139418c
MH		 556}
557
466f8004 558void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 559{
8c1d787b 560 struct l2cap_conn *conn = chan->conn;
0139418c 561
c9b66675 562 __clear_chan_timer(chan);
0139418c 563
49208c9c 564 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 565
8e87d142 566 if (conn) {
56f60984 567 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 568 /* Delete from channel list */
3df91ea2 569 list_del(&chan->list);
3d57dc68 570
371fd835 571 l2cap_chan_put(chan);
baa7e1fa 572
8c1d787b 573 chan->conn = NULL;
3cabbfda
AE		 574
575 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 576 hci_conn_drop(conn->hcon);
56f60984
AE		 577
578 if (mgr && mgr->bredr_chan == chan)
579 mgr->bredr_chan = NULL;
0139418c
MH		 580 }
581
419e08c1
AE		 582 if (chan->hs_hchan) {
583 struct hci_chan *hs_hchan = chan->hs_hchan;
584
585 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
586 amp_disconnect_logical_link(hs_hchan);
587 }
588
b699ec0d 589 chan->ops->teardown(chan, err);
6be36555 590
2827011f 591 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 592 return;
2ead70b8 593
ee556f66
GP		 594 switch(chan->mode) {
595 case L2CAP_MODE_BASIC:
596 break;
c13ffa62 597
ee556f66 598 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 599 __clear_retrans_timer(chan);
600 __clear_monitor_timer(chan);
601 __clear_ack_timer(chan);
c13ffa62 602
f1c6775b 603 skb_queue_purge(&chan->srej_q);
c13ffa62 604
3c588192
MM		 605 l2cap_seq_list_free(&chan->srej_list);
606 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 607
608 /* fall through */
609
610 case L2CAP_MODE_STREAMING:
611 skb_queue_purge(&chan->tx_q);
612 break;
c13ffa62 613 }
ee556f66
GP		 614
615 return;
0139418c
MH		 616}
617
0f852724 618void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 619{
620 struct l2cap_conn *conn = chan->conn;
621 struct sock *sk = chan->sk;
622
2d792818
GP		 623 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
624 sk);
4519de9a 625
89bc500e 626 switch (chan->state) {
4519de9a 627 case BT_LISTEN:
b699ec0d 628 chan->ops->teardown(chan, 0);
4519de9a
GP		 629 break;
630
631 case BT_CONNECTED:
632 case BT_CONFIG:
715ec005 633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 634 conn->hcon->type == ACL_LINK) {
c9b66675 635 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 636 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 637 } else
638 l2cap_chan_del(chan, reason);
639 break;
640
641 case BT_CONNECT2:
715ec005 642 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 643 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 644 struct l2cap_conn_rsp rsp;
645 __u16 result;
646
c5daa683 647 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 648 result = L2CAP_CR_SEC_BLOCK;
649 else
650 result = L2CAP_CR_BAD_PSM;
89bc500e 651 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 652
653 rsp.scid = cpu_to_le16(chan->dcid);
654 rsp.dcid = cpu_to_le16(chan->scid);
655 rsp.result = cpu_to_le16(result);
ac73498c 656 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 657 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 658 sizeof(rsp), &rsp);
4519de9a
GP		 659 }
660
661 l2cap_chan_del(chan, reason);
662 break;
663
664 case BT_CONNECT:
665 case BT_DISCONN:
666 l2cap_chan_del(chan, reason);
667 break;
668
669 default:
b699ec0d 670 chan->ops->teardown(chan, 0);
4519de9a
GP		 671 break;
672 }
673}
674
4343478f 675static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 676{
715ec005 677 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 678 switch (chan->sec_level) {
8556edd3
JH		 679 case BT_SECURITY_HIGH:
680 return HCI_AT_DEDICATED_BONDING_MITM;
681 case BT_SECURITY_MEDIUM:
682 return HCI_AT_DEDICATED_BONDING;
683 default:
684 return HCI_AT_NO_BONDING;
685 }
2983fd68 686 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 687 if (chan->sec_level == BT_SECURITY_LOW)
688 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 689
4343478f 690 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 691 return HCI_AT_NO_BONDING_MITM;
00ae4af9 692 else
8556edd3 693 return HCI_AT_NO_BONDING;
00ae4af9 694 } else {
4343478f 695 switch (chan->sec_level) {
00ae4af9 696 case BT_SECURITY_HIGH:
8556edd3 697 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 698 case BT_SECURITY_MEDIUM:
8556edd3 699 return HCI_AT_GENERAL_BONDING;
00ae4af9 700 default:
8556edd3 701 return HCI_AT_NO_BONDING;
00ae4af9 702 }
0684e5f9 703 }
8556edd3
JH		 704}
705
706/* Service level security */
d45fc423 707int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 708{
8c1d787b 709 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 710 __u8 auth_type;
711
4343478f 712 auth_type = l2cap_get_auth_type(chan);
79d554a6 713
4343478f 714 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 715}
716
b5ad8b7f 717static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 718{
719 u8 id;
720
721 /* Get next available identificator.
722 * 1 - 128 are used by kernel.
723 * 129 - 199 are reserved.
724 * 200 - 254 are used by utilities like l2ping, etc.
725 */
726
333055f2 727 spin_lock(&conn->lock);
4e8402a3
MH		 728
729 if (++conn->tx_ident > 128)
730 conn->tx_ident = 1;
731
732 id = conn->tx_ident;
733
333055f2 734 spin_unlock(&conn->lock);
4e8402a3
MH		 735
736 return id;
737}
738
2d792818
GP		 739static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
740 void *data)
4e8402a3
MH		 741{
742 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 743 u8 flags;
4e8402a3
MH		 744
745 BT_DBG("code 0x%2.2x", code);
746
747 if (!skb)
9a9c6a34 748 return;
4e8402a3 749
e702112f
AE		 750 if (lmp_no_flush_capable(conn->hcon->hdev))
751 flags = ACL_START_NO_FLUSH;
752 else
753 flags = ACL_START;
754
14b12d0b 755 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 756 skb->priority = HCI_PRIO_MAX;
14b12d0b 757
73d80deb
LAD		 758 hci_send_acl(conn->hchan, skb, flags);
759}
760
02b0fbb9
MM		 761static bool __chan_is_moving(struct l2cap_chan *chan)
762{
763 return chan->move_state != L2CAP_MOVE_STABLE &&
764 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
765}
766
73d80deb
LAD		 767static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
768{
769 struct hci_conn *hcon = chan->conn->hcon;
770 u16 flags;
771
772 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 773 skb->priority);
73d80deb 774
d5f8a75d
MM		 775 if (chan->hs_hcon && !__chan_is_moving(chan)) {
776 if (chan->hs_hchan)
777 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
778 else
779 kfree_skb(skb);
780
781 return;
782 }
783
73d80deb 784 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 785 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 786 flags = ACL_START_NO_FLUSH;
787 else
788 flags = ACL_START;
14b12d0b 789
73d80deb
LAD		 790 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
791 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 792}
793
b76bbd66
MM		 794static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
795{
796 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
797 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
798
799 if (enh & L2CAP_CTRL_FRAME_TYPE) {
800 /* S-Frame */
801 control->sframe = 1;
802 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
803 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
804
805 control->sar = 0;
806 control->txseq = 0;
807 } else {
808 /* I-Frame */
809 control->sframe = 0;
810 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
811 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
812
813 control->poll = 0;
814 control->super = 0;
815 }
816}
817
b76bbd66
MM		 818static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
819{
820 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
821 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
822
823 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
824 /* S-Frame */
825 control->sframe = 1;
826 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
827 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
828
829 control->sar = 0;
830 control->txseq = 0;
831 } else {
832 /* I-Frame */
833 control->sframe = 0;
834 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
835 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
836
837 control->poll = 0;
838 control->super = 0;
839 }
840}
841
842static inline void __unpack_control(struct l2cap_chan *chan,
843 struct sk_buff *skb)
844{
845 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
846 __unpack_extended_control(get_unaligned_le32(skb->data),
847 &bt_cb(skb)->control);
cec8ab6e 848 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 849 } else {
850 __unpack_enhanced_control(get_unaligned_le16(skb->data),
851 &bt_cb(skb)->control);
cec8ab6e 852 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 853 }
854}
855
b5c6aaed
MM		 856static u32 __pack_extended_control(struct l2cap_ctrl *control)
857{
858 u32 packed;
859
860 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
861 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
862
863 if (control->sframe) {
864 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
865 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
866 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
867 } else {
868 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
869 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
870 }
871
872 return packed;
873}
874
875static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
876{
877 u16 packed;
878
879 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
880 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
881
882 if (control->sframe) {
883 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
884 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
885 packed |= L2CAP_CTRL_FRAME_TYPE;
886 } else {
887 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
888 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
889 }
890
891 return packed;
892}
893
b76bbd66
MM		 894static inline void __pack_control(struct l2cap_chan *chan,
895 struct l2cap_ctrl *control,
896 struct sk_buff *skb)
897{
898 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
899 put_unaligned_le32(__pack_extended_control(control),
900 skb->data + L2CAP_HDR_SIZE);
901 } else {
902 put_unaligned_le16(__pack_enhanced_control(control),
903 skb->data + L2CAP_HDR_SIZE);
904 }
905}
906
ba7aa64f
GP		 907static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
908{
909 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
910 return L2CAP_EXT_HDR_SIZE;
911 else
912 return L2CAP_ENH_HDR_SIZE;
913}
914
a67d7f6f
MM		 915static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
916 u32 control)
b5c6aaed
MM		 917{
918 struct sk_buff *skb;
919 struct l2cap_hdr *lh;
ba7aa64f 920 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 921
922 if (chan->fcs == L2CAP_FCS_CRC16)
923 hlen += L2CAP_FCS_SIZE;
924
a67d7f6f 925 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 926
b5c6aaed 927 if (!skb)
a67d7f6f 928 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 929
930 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
931 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
932 lh->cid = cpu_to_le16(chan->dcid);
933
a67d7f6f
MM		 934 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
935 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
936 else
937 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 938
939 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 940 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 941 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
942 }
943
944 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 945 return skb;
946}
947
948static void l2cap_send_sframe(struct l2cap_chan *chan,
949 struct l2cap_ctrl *control)
950{
951 struct sk_buff *skb;
952 u32 control_field;
953
954 BT_DBG("chan %p, control %p", chan, control);
955
956 if (!control->sframe)
957 return;
958
b99e13ad
MM		 959 if (__chan_is_moving(chan))
960 return;
961
a67d7f6f
MM		 962 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
963 !control->poll)
964 control->final = 1;
965
966 if (control->super == L2CAP_SUPER_RR)
967 clear_bit(CONN_RNR_SENT, &chan->conn_state);
968 else if (control->super == L2CAP_SUPER_RNR)
969 set_bit(CONN_RNR_SENT, &chan->conn_state);
970
971 if (control->super != L2CAP_SUPER_SREJ) {
972 chan->last_acked_seq = control->reqseq;
973 __clear_ack_timer(chan);
974 }
975
976 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
977 control->final, control->poll, control->super);
978
979 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
980 control_field = __pack_extended_control(control);
981 else
982 control_field = __pack_enhanced_control(control);
983
984 skb = l2cap_create_sframe_pdu(chan, control_field);
985 if (!IS_ERR(skb))
986 l2cap_do_send(chan, skb);
b5c6aaed
MM		 987}
988
c9e3d5e0 989static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 990{
c9e3d5e0
MM		 991 struct l2cap_ctrl control;
992
993 BT_DBG("chan %p, poll %d", chan, poll);
994
995 memset(&control, 0, sizeof(control));
996 control.sframe = 1;
997 control.poll = poll;
998
999 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1000 control.super = L2CAP_SUPER_RNR;
1001 else
1002 control.super = L2CAP_SUPER_RR;
b5c6aaed 1003
c9e3d5e0
MM		 1004 control.reqseq = chan->buffer_seq;
1005 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1006}
1007
b4450035 1008static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1009{
c1360a1c 1010 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1011}
1012
93c3e8f5
AE		 1013static bool __amp_capable(struct l2cap_chan *chan)
1014{
1015 struct l2cap_conn *conn = chan->conn;
1016
1017 if (enable_hs &&
5d05416e 1018 hci_amp_capable() &&
93c3e8f5
AE		 1019 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1020 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1021 return true;
1022 else
1023 return false;
1024}
1025
5ce66b59
AE		 1026static bool l2cap_check_efs(struct l2cap_chan *chan)
1027{
1028 /* Check EFS parameters */
1029 return true;
1030}
1031
2766be48 1032void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1033{
1034 struct l2cap_conn *conn = chan->conn;
1035 struct l2cap_conn_req req;
1036
1037 req.scid = cpu_to_le16(chan->scid);
1038 req.psm = chan->psm;
1039
1040 chan->ident = l2cap_get_ident(conn);
1041
1042 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1043
1044 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1045}
1046
8eb200bd
MM		 1047static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1048{
1049 struct l2cap_create_chan_req req;
1050 req.scid = cpu_to_le16(chan->scid);
1051 req.psm = chan->psm;
1052 req.amp_id = amp_id;
1053
1054 chan->ident = l2cap_get_ident(chan->conn);
1055
1056 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1057 sizeof(req), &req);
1058}
1059
02b0fbb9
MM		 1060static void l2cap_move_setup(struct l2cap_chan *chan)
1061{
1062 struct sk_buff *skb;
1063
1064 BT_DBG("chan %p", chan);
1065
1066 if (chan->mode != L2CAP_MODE_ERTM)
1067 return;
1068
1069 __clear_retrans_timer(chan);
1070 __clear_monitor_timer(chan);
1071 __clear_ack_timer(chan);
1072
1073 chan->retry_count = 0;
1074 skb_queue_walk(&chan->tx_q, skb) {
1075 if (bt_cb(skb)->control.retries)
1076 bt_cb(skb)->control.retries = 1;
1077 else
1078 break;
1079 }
1080
1081 chan->expected_tx_seq = chan->buffer_seq;
1082
1083 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1084 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1085 l2cap_seq_list_clear(&chan->retrans_list);
1086 l2cap_seq_list_clear(&chan->srej_list);
1087 skb_queue_purge(&chan->srej_q);
1088
1089 chan->tx_state = L2CAP_TX_STATE_XMIT;
1090 chan->rx_state = L2CAP_RX_STATE_MOVE;
1091
1092 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1093}
1094
5f3847a4
MM		 1095static void l2cap_move_done(struct l2cap_chan *chan)
1096{
1097 u8 move_role = chan->move_role;
1098 BT_DBG("chan %p", chan);
1099
1100 chan->move_state = L2CAP_MOVE_STABLE;
1101 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1102
1103 if (chan->mode != L2CAP_MODE_ERTM)
1104 return;
1105
1106 switch (move_role) {
1107 case L2CAP_MOVE_ROLE_INITIATOR:
1108 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1109 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1110 break;
1111 case L2CAP_MOVE_ROLE_RESPONDER:
1112 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1113 break;
1114 }
1115}
1116
9f0caeb1
VCG		 1117static void l2cap_chan_ready(struct l2cap_chan *chan)
1118{
2827011f 1119 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1120 chan->conf_state = 0;
1121 __clear_chan_timer(chan);
1122
54a59aa2 1123 chan->state = BT_CONNECTED;
9f0caeb1 1124
fd83e2c2 1125 chan->ops->ready(chan);
9f0caeb1
VCG		 1126}
1127
93c3e8f5
AE		 1128static void l2cap_start_connection(struct l2cap_chan *chan)
1129{
1130 if (__amp_capable(chan)) {
1131 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1132 a2mp_discover_amp(chan);
1133 } else {
1134 l2cap_send_conn_req(chan);
1135 }
1136}
1137
fc7f8a7e 1138static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1139{
8c1d787b 1140 struct l2cap_conn *conn = chan->conn;
79d554a6 1141
9f0caeb1
VCG		 1142 if (conn->hcon->type == LE_LINK) {
1143 l2cap_chan_ready(chan);
1144 return;
1145 }
1146
79d554a6 1147 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1148 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1149 return;
1150
d45fc423 1151 if (l2cap_chan_check_security(chan) &&
2d792818 1152 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1153 l2cap_start_connection(chan);
1154 }
79d554a6
MH		 1155 } else {
1156 struct l2cap_info_req req;
ac73498c 1157 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1158
1159 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1160 conn->info_ident = l2cap_get_ident(conn);
1161
ba13ccd9 1162 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1163
2d792818
GP		 1164 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1165 sizeof(req), &req);
79d554a6
MH		 1166 }
1167}
1168
cf6c2c0b
GP		 1169static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1170{
1171 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1172 if (!disable_ertm)
cf6c2c0b
GP		 1173 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1174
1175 switch (mode) {
1176 case L2CAP_MODE_ERTM:
1177 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1178 case L2CAP_MODE_STREAMING:
1179 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1180 default:
1181 return 0x00;
1182 }
1183}
1184
5e4e3972 1185static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1186{
6be36555 1187 struct sock *sk = chan->sk;
5e4e3972 1188 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1189 struct l2cap_disconn_req req;
1190
c13ffa62
GP		 1191 if (!conn)
1192 return;
1193
aad3d0e3 1194 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1195 __clear_retrans_timer(chan);
1196 __clear_monitor_timer(chan);
1197 __clear_ack_timer(chan);
c13ffa62
GP		 1198 }
1199
416fa752 1200 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1201 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1202 return;
1203 }
1204
fe4128e0
GP		 1205 req.dcid = cpu_to_le16(chan->dcid);
1206 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1207 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1208 sizeof(req), &req);
c13ffa62 1209
6be36555 1210 lock_sock(sk);
0e587be7 1211 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1212 __l2cap_chan_set_err(chan, err);
6be36555 1213 release_sock(sk);
22121fc9
GP		 1214}
1215
1da177e4 1216/* ---- L2CAP connections ---- */
4e8402a3
MH		 1217static void l2cap_conn_start(struct l2cap_conn *conn)
1218{
3df91ea2 1219 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1220
1221 BT_DBG("conn %p", conn);
1222
3df91ea2 1223 mutex_lock(&conn->chan_lock);
4e8402a3 1224
3df91ea2 1225 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1226 struct sock *sk = chan->sk;
baa7e1fa 1227
6be36555 1228 l2cap_chan_lock(chan);
4e8402a3 1229
715ec005 1230 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1231 l2cap_chan_unlock(chan);
79d554a6
MH		 1232 continue;
1233 }
1234
89bc500e 1235 if (chan->state == BT_CONNECT) {
d45fc423 1236 if (!l2cap_chan_check_security(chan) ||
2d792818 1237 !__l2cap_no_conn_pending(chan)) {
6be36555 1238 l2cap_chan_unlock(chan);
47731de7
GP		 1239 continue;
1240 }
79d554a6 1241
c1360a1c 1242 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1243 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1244 &chan->conf_state)) {
89bc500e 1245 l2cap_chan_close(chan, ECONNRESET);
6be36555 1246 l2cap_chan_unlock(chan);
47731de7 1247 continue;
b1235d79 1248 }
47731de7 1249
93c3e8f5 1250 l2cap_start_connection(chan);
47731de7 1251
89bc500e 1252 } else if (chan->state == BT_CONNECT2) {
79d554a6 1253 struct l2cap_conn_rsp rsp;
e9aeb2dd 1254 char buf[128];
fe4128e0
GP		 1255 rsp.scid = cpu_to_le16(chan->dcid);
1256 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1257
d45fc423 1258 if (l2cap_chan_check_security(chan)) {
6be36555 1259 lock_sock(sk);
c5daa683
GP		 1260 if (test_bit(BT_SK_DEFER_SETUP,
1261 &bt_sk(sk)->flags)) {
ac73498c
AE		 1262 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1263 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1264 chan->ops->defer(chan);
f66dc81f
MH		 1265
1266 } else {
0e587be7 1267 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1268 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1269 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1270 }
6be36555 1271 release_sock(sk);
79d554a6 1272 } else {
ac73498c
AE		 1273 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1274 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1275 }
1276
fc7f8a7e 1277 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1278 sizeof(rsp), &rsp);
e9aeb2dd 1279
c1360a1c 1280 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1281 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1282 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1283 continue;
1284 }
1285
c1360a1c 1286 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1287 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1288 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1289 chan->num_conf_req++;
4e8402a3
MH		 1290 }
1291
6be36555 1292 l2cap_chan_unlock(chan);
4e8402a3
MH		 1293 }
1294
3df91ea2 1295 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1296}
1297
c2287681 1298/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1299 * Returns closest match, locked.
1300 */
d9b88702 1301static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1302 bdaddr_t *src,
1303 bdaddr_t *dst)
b62f328b 1304{
23691d75 1305 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1306
23691d75 1307 read_lock(&chan_list_lock);
b62f328b 1308
23691d75
GP		 1309 list_for_each_entry(c, &chan_list, global_l) {
1310 struct sock *sk = c->sk;
fe4128e0 1311
89bc500e 1312 if (state && c->state != state)
b62f328b
VT		 1313 continue;
1314
23691d75 1315 if (c->scid == cid) {
c2287681
IY		 1316 int src_match, dst_match;
1317 int src_any, dst_any;
1318
b62f328b 1319 /* Exact match. */
c2287681
IY		 1320 src_match = !bacmp(&bt_sk(sk)->src, src);
1321 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1322 if (src_match && dst_match) {
23691d75
GP		 1323 read_unlock(&chan_list_lock);
1324 return c;
1325 }
b62f328b
VT		 1326
1327 /* Closest match */
c2287681
IY		 1328 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1329 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1330 if ((src_match && dst_any) || (src_any && dst_match) ||
1331 (src_any && dst_any))
23691d75 1332 c1 = c;
b62f328b
VT		 1333 }
1334 }
280f294f 1335
23691d75 1336 read_unlock(&chan_list_lock);
b62f328b 1337
23691d75 1338 return c1;
b62f328b
VT		 1339}
1340
1341static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1342{
c916fbe4 1343 struct sock *parent, *sk;
23691d75 1344 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1345
1346 BT_DBG("");
1347
1348 /* Check if we have socket listening on cid */
073d1cf3 1349 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
c2287681 1350 conn->src, conn->dst);
23691d75 1351 if (!pchan)
b62f328b
VT		 1352 return;
1353
23691d75
GP		 1354 parent = pchan->sk;
1355
aa2ac881 1356 lock_sock(parent);
62f3a2cf 1357
80b98027 1358 chan = pchan->ops->new_connection(pchan);
80808e43 1359 if (!chan)
b62f328b
VT		 1360 goto clean;
1361
9f22398c
JH		 1362 chan->dcid = L2CAP_CID_ATT;
1363
80808e43 1364 sk = chan->sk;
5d41ce1d 1365
b62f328b 1366 hci_conn_hold(conn->hcon);
a9ea3ed9 1367 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1368
b62f328b
VT		 1369 bacpy(&bt_sk(sk)->src, conn->src);
1370 bacpy(&bt_sk(sk)->dst, conn->dst);
1371
3d57dc68 1372 l2cap_chan_add(conn, chan);
48454079 1373
6754e0df 1374 l2cap_chan_ready(chan);
b62f328b 1375
b62f328b 1376clean:
aa2ac881 1377 release_sock(parent);
b62f328b
VT		 1378}
1379
4e8402a3
MH		 1380static void l2cap_conn_ready(struct l2cap_conn *conn)
1381{
48454079 1382 struct l2cap_chan *chan;
cc110922 1383 struct hci_conn *hcon = conn->hcon;
4e8402a3 1384
79d554a6 1385 BT_DBG("conn %p", conn);
4e8402a3 1386
cc110922 1387 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1388 l2cap_le_conn_ready(conn);
1389
cc110922
VCG		 1390 if (hcon->out && hcon->type == LE_LINK)
1391 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1392
3df91ea2 1393 mutex_lock(&conn->chan_lock);
4e8402a3 1394
3df91ea2 1395 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1396
6be36555 1397 l2cap_chan_lock(chan);
4e8402a3 1398
416fa752
AE		 1399 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1400 l2cap_chan_unlock(chan);
1401 continue;
1402 }
1403
cc110922
VCG		 1404 if (hcon->type == LE_LINK) {
1405 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1406 l2cap_chan_ready(chan);
acd7d370 1407
63128451 1408 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1409 struct sock *sk = chan->sk;
c9b66675 1410 __clear_chan_timer(chan);
6be36555 1411 lock_sock(sk);
0e587be7 1412 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1413 sk->sk_state_change(sk);
6be36555 1414 release_sock(sk);
b501d6a1 1415
89bc500e 1416 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1417 l2cap_do_start(chan);
4e8402a3 1418
6be36555 1419 l2cap_chan_unlock(chan);
4e8402a3 1420 }
79d554a6 1421
3df91ea2 1422 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1423}
1424
1425/* Notify sockets that we cannot guaranty reliability anymore */
1426static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1427{
48454079 1428 struct l2cap_chan *chan;
4e8402a3
MH		 1429
1430 BT_DBG("conn %p", conn);
1431
3df91ea2 1432 mutex_lock(&conn->chan_lock);
4e8402a3 1433
3df91ea2 1434 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1435 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1436 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1437 }
1438
3df91ea2 1439 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1440}
1441
f878fcad 1442static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1443{
f878fcad 1444 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1445 info_timer.work);
4e8402a3 1446
984947dc 1447 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1448 conn->info_ident = 0;
984947dc 1449
4e8402a3
MH		 1450 l2cap_conn_start(conn);
1451}
1452
2c8e1411
DH		 1453/*
1454 * l2cap_user
1455 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1456 * callback is called during registration. The ->remove callback is called
1457 * during unregistration.
1458 * An l2cap_user object can either be explicitly unregistered or when the
1459 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1460 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1461 * External modules must own a reference to the l2cap_conn object if they intend
1462 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1463 * any time if they don't.
1464 */
1465
1466int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1467{
1468 struct hci_dev *hdev = conn->hcon->hdev;
1469 int ret;
1470
1471 /* We need to check whether l2cap_conn is registered. If it is not, we
1472 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1473 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1474 * relies on the parent hci_conn object to be locked. This itself relies
1475 * on the hci_dev object to be locked. So we must lock the hci device
1476 * here, too. */
1477
1478 hci_dev_lock(hdev);
1479
1480 if (user->list.next || user->list.prev) {
1481 ret = -EINVAL;
1482 goto out_unlock;
1483 }
1484
1485 /* conn->hchan is NULL after l2cap_conn_del() was called */
1486 if (!conn->hchan) {
1487 ret = -ENODEV;
1488 goto out_unlock;
1489 }
1490
1491 ret = user->probe(conn, user);
1492 if (ret)
1493 goto out_unlock;
1494
1495 list_add(&user->list, &conn->users);
1496 ret = 0;
1497
1498out_unlock:
1499 hci_dev_unlock(hdev);
1500 return ret;
1501}
1502EXPORT_SYMBOL(l2cap_register_user);
1503
1504void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1505{
1506 struct hci_dev *hdev = conn->hcon->hdev;
1507
1508 hci_dev_lock(hdev);
1509
1510 if (!user->list.next || !user->list.prev)
1511 goto out_unlock;
1512
1513 list_del(&user->list);
1514 user->list.next = NULL;
1515 user->list.prev = NULL;
1516 user->remove(conn, user);
1517
1518out_unlock:
1519 hci_dev_unlock(hdev);
1520}
1521EXPORT_SYMBOL(l2cap_unregister_user);
1522
1523static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1524{
1525 struct l2cap_user *user;
1526
1527 while (!list_empty(&conn->users)) {
1528 user = list_first_entry(&conn->users, struct l2cap_user, list);
1529 list_del(&user->list);
1530 user->list.next = NULL;
1531 user->list.prev = NULL;
1532 user->remove(conn, user);
1533 }
1534}
1535
5d3de7df
VCG		 1536static void l2cap_conn_del(struct hci_conn *hcon, int err)
1537{
1538 struct l2cap_conn *conn = hcon->l2cap_data;
1539 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1540
1541 if (!conn)
1542 return;
1543
1544 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1545
1546 kfree_skb(conn->rx_skb);
1547
2c8e1411
DH		 1548 l2cap_unregister_all_users(conn);
1549
3df91ea2
AE		 1550 mutex_lock(&conn->chan_lock);
1551
5d3de7df
VCG		 1552 /* Kill channels */
1553 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1554 l2cap_chan_hold(chan);
6be36555
AE		 1555 l2cap_chan_lock(chan);
1556
5d3de7df 1557 l2cap_chan_del(chan, err);
6be36555
AE		 1558
1559 l2cap_chan_unlock(chan);
1560
80b98027 1561 chan->ops->close(chan);
61d6ef3e 1562 l2cap_chan_put(chan);
5d3de7df
VCG		 1563 }
1564
3df91ea2
AE		 1565 mutex_unlock(&conn->chan_lock);
1566
73d80deb
LAD		 1567 hci_chan_del(conn->hchan);
1568
5d3de7df 1569 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1570 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1571
51a8efd7 1572 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1573 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1574 smp_chan_destroy(conn);
d26a2345 1575 }
5d3de7df
VCG		 1576
1577 hcon->l2cap_data = NULL;
9c903e37
DH		 1578 conn->hchan = NULL;
1579 l2cap_conn_put(conn);
5d3de7df
VCG		 1580}
1581
6c9d42a1 1582static void security_timeout(struct work_struct *work)
5d3de7df 1583{
6c9d42a1 1584 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1585 security_timer.work);
5d3de7df 1586
d06cc416
JH		 1587 BT_DBG("conn %p", conn);
1588
1589 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1590 smp_chan_destroy(conn);
1591 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1592 }
5d3de7df
VCG		 1593}
1594
baf43251 1595static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1596{
0139418c 1597 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1598 struct hci_chan *hchan;
1da177e4 1599
baf43251 1600 if (conn)
1da177e4
LT		 1601 return conn;
1602
73d80deb
LAD		 1603 hchan = hci_chan_create(hcon);
1604 if (!hchan)
1605 return NULL;
1606
8bcde1f2 1607 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1608 if (!conn) {
1609 hci_chan_del(hchan);
1da177e4 1610 return NULL;
73d80deb 1611 }
1da177e4 1612
9c903e37 1613 kref_init(&conn->ref);
1da177e4
LT		 1614 hcon->l2cap_data = conn;
1615 conn->hcon = hcon;
9c903e37 1616 hci_conn_get(conn->hcon);
73d80deb 1617 conn->hchan = hchan;
1da177e4 1618
73d80deb 1619 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1620
dcc042d5 1621 switch (hcon->type) {
dcc042d5
AE		 1622 case LE_LINK:
1623 if (hcon->hdev->le_mtu) {
1624 conn->mtu = hcon->hdev->le_mtu;
1625 break;
1626 }
1627 /* fall through */
dcc042d5 1628 default:
acd7d370 1629 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1630 break;
1631 }
acd7d370 1632
1da177e4
LT		 1633 conn->src = &hcon->hdev->bdaddr;
1634 conn->dst = &hcon->dst;
1635
4e8402a3
MH		 1636 conn->feat_mask = 0;
1637
1da177e4 1638 spin_lock_init(&conn->lock);
3df91ea2 1639 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1640
1641 INIT_LIST_HEAD(&conn->chan_l);
2c8e1411 1642 INIT_LIST_HEAD(&conn->users);
1da177e4 1643
5d3de7df 1644 if (hcon->type == LE_LINK)
6c9d42a1 1645 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1646 else
030013d8 1647 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1648
9f5a0d7b 1649 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1650
1da177e4
LT		 1651 return conn;
1652}
1653
9c903e37
DH		 1654static void l2cap_conn_free(struct kref *ref)
1655{
1656 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1657
1658 hci_conn_put(conn->hcon);
1659 kfree(conn);
1660}
1661
1662void l2cap_conn_get(struct l2cap_conn *conn)
1663{
1664 kref_get(&conn->ref);
1665}
1666EXPORT_SYMBOL(l2cap_conn_get);
1667
1668void l2cap_conn_put(struct l2cap_conn *conn)
1669{
1670 kref_put(&conn->ref, l2cap_conn_free);
1671}
1672EXPORT_SYMBOL(l2cap_conn_put);
1673
1da177e4 1674/* ---- Socket interface ---- */
1da177e4 1675
c2287681 1676/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1677 * Returns closest match.
1678 */
c2287681
IY		 1679static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1680 bdaddr_t *src,
1681 bdaddr_t *dst)
1da177e4 1682{
23691d75 1683 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1684
23691d75 1685 read_lock(&chan_list_lock);
e0f0cb56 1686
23691d75
GP		 1687 list_for_each_entry(c, &chan_list, global_l) {
1688 struct sock *sk = c->sk;
fe4128e0 1689
89bc500e 1690 if (state && c->state != state)
1da177e4
LT		 1691 continue;
1692
23691d75 1693 if (c->psm == psm) {
c2287681
IY		 1694 int src_match, dst_match;
1695 int src_any, dst_any;
1696
1da177e4 1697 /* Exact match. */
c2287681
IY		 1698 src_match = !bacmp(&bt_sk(sk)->src, src);
1699 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1700 if (src_match && dst_match) {
a7567b20 1701 read_unlock(&chan_list_lock);
23691d75
GP		 1702 return c;
1703 }
1da177e4
LT		 1704
1705 /* Closest match */
c2287681
IY		 1706 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1707 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1708 if ((src_match && dst_any) || (src_any && dst_match) ||
1709 (src_any && dst_any))
23691d75 1710 c1 = c;
1da177e4
LT		 1711 }
1712 }
1da177e4 1713
23691d75 1714 read_unlock(&chan_list_lock);
e0f0cb56 1715
23691d75 1716 return c1;
1da177e4
LT		 1717}
1718
8e9f9892
AG		 1719int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1720 bdaddr_t *dst, u8 dst_type)
1da177e4 1721{
5d41ce1d 1722 struct sock *sk = chan->sk;
1da177e4 1723 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1724 struct l2cap_conn *conn;
1725 struct hci_conn *hcon;
1726 struct hci_dev *hdev;
09ab6f4c 1727 __u8 auth_type;
44d0e48e 1728 int err;
1da177e4 1729
6ed93dc6 1730 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1731 dst_type, __le16_to_cpu(psm));
1da177e4 1732
af05b30b
GP		 1733 hdev = hci_get_route(dst, src);
1734 if (!hdev)
1da177e4
LT		 1735 return -EHOSTUNREACH;
1736
09fd0de5 1737 hci_dev_lock(hdev);
1da177e4 1738
6be36555 1739 l2cap_chan_lock(chan);
03a00194
GP		 1740
1741 /* PSM must be odd and lsb of upper byte must be 0 */
1742 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1743 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1744 err = -EINVAL;
1745 goto done;
1746 }
1747
1748 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1749 err = -EINVAL;
1750 goto done;
1751 }
1752
1753 switch (chan->mode) {
1754 case L2CAP_MODE_BASIC:
1755 break;
1756 case L2CAP_MODE_ERTM:
1757 case L2CAP_MODE_STREAMING:
1758 if (!disable_ertm)
1759 break;
1760 /* fall through */
1761 default:
1762 err = -ENOTSUPP;
1763 goto done;
1764 }
1765
0797e01d 1766 switch (chan->state) {
03a00194
GP		 1767 case BT_CONNECT:
1768 case BT_CONNECT2:
1769 case BT_CONFIG:
1770 /* Already connecting */
1771 err = 0;
1772 goto done;
1773
1774 case BT_CONNECTED:
1775 /* Already connected */
1776 err = -EISCONN;
1777 goto done;
1778
1779 case BT_OPEN:
1780 case BT_BOUND:
1781 /* Can connect */
1782 break;
1783
1784 default:
1785 err = -EBADFD;
1786 goto done;
1787 }
1788
1789 /* Set destination address and psm */
0797e01d 1790 lock_sock(sk);
9219b2a0 1791 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1792 release_sock(sk);
1793
03a00194
GP		 1794 chan->psm = psm;
1795 chan->dcid = cid;
1da177e4 1796
4343478f 1797 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1798
f224ca5f 1799 if (bdaddr_type_is_le(dst_type))
8e9f9892 1800 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1801 chan->sec_level, auth_type);
acd7d370 1802 else
8e9f9892 1803 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1804 chan->sec_level, auth_type);
acd7d370 1805
30e76272
VT		 1806 if (IS_ERR(hcon)) {
1807 err = PTR_ERR(hcon);
1da177e4 1808 goto done;
30e76272 1809 }
1da177e4 1810
baf43251 1811 conn = l2cap_conn_add(hcon);
1da177e4 1812 if (!conn) {
76a68ba0 1813 hci_conn_drop(hcon);
30e76272 1814 err = -ENOMEM;
1da177e4
LT		 1815 goto done;
1816 }
1817
141d5706
JH		 1818 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1819 hci_conn_drop(hcon);
1820 err = -EBUSY;
1821 goto done;
9f0caeb1
VCG		 1822 }
1823
1da177e4
LT		 1824 /* Update source addr of the socket */
1825 bacpy(src, conn->src);
1826
6be36555 1827 l2cap_chan_unlock(chan);
48454079 1828 l2cap_chan_add(conn, chan);
6be36555 1829 l2cap_chan_lock(chan);
48454079 1830
6be36555 1831 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1832 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1833
1834 if (hcon->state == BT_CONNECTED) {
715ec005 1835 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1836 __clear_chan_timer(chan);
d45fc423 1837 if (l2cap_chan_check_security(chan))
6be36555 1838 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1839 } else
fc7f8a7e 1840 l2cap_do_start(chan);
1da177e4
LT		 1841 }
1842
30e76272
VT		 1843 err = 0;
1844
1da177e4 1845done:
6be36555 1846 l2cap_chan_unlock(chan);
09fd0de5 1847 hci_dev_unlock(hdev);
1da177e4
LT		 1848 hci_dev_put(hdev);
1849 return err;
1850}
1851
dcba0dba 1852int __l2cap_wait_ack(struct sock *sk)
6161c038 1853{
8c1d787b 1854 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1855 DECLARE_WAITQUEUE(wait, current);
1856 int err = 0;
1857 int timeo = HZ/5;
1858
2b0b05dd 1859 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1860 set_current_state(TASK_INTERRUPTIBLE);
1861 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1862 if (!timeo)
1863 timeo = HZ/5;
1864
1865 if (signal_pending(current)) {
1866 err = sock_intr_errno(timeo);
1867 break;
1868 }
1869
1870 release_sock(sk);
1871 timeo = schedule_timeout(timeo);
1872 lock_sock(sk);
a71a0cf4 1873 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1874
1875 err = sock_error(sk);
1876 if (err)
1877 break;
1878 }
1879 set_current_state(TASK_RUNNING);
2b0b05dd 1880 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1881 return err;
1882}
1883
721c4181 1884static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1885{
721c4181 1886 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1887 monitor_timer.work);
e90bac06 1888
525cd185 1889 BT_DBG("chan %p", chan);
0e98958d 1890
6be36555
AE		 1891 l2cap_chan_lock(chan);
1892
80909e04 1893 if (!chan->conn) {
6be36555 1894 l2cap_chan_unlock(chan);
8d7e1c7f 1895 l2cap_chan_put(chan);
e90bac06
GP		 1896 return;
1897 }
1898
401bb1f7 1899 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1900
6be36555 1901 l2cap_chan_unlock(chan);
8d7e1c7f 1902 l2cap_chan_put(chan);
e90bac06
GP		 1903}
1904
721c4181 1905static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1906{
721c4181 1907 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1908 retrans_timer.work);
e90bac06 1909
49208c9c 1910 BT_DBG("chan %p", chan);
0e98958d 1911
6be36555
AE		 1912 l2cap_chan_lock(chan);
1913
80909e04
MM		 1914 if (!chan->conn) {
1915 l2cap_chan_unlock(chan);
1916 l2cap_chan_put(chan);
1917 return;
1918 }
6be36555 1919
401bb1f7 1920 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1921 l2cap_chan_unlock(chan);
8d7e1c7f 1922 l2cap_chan_put(chan);
e90bac06
GP		 1923}
1924
d660366d
GP		 1925static void l2cap_streaming_send(struct l2cap_chan *chan,
1926 struct sk_buff_head *skbs)
6840ed07 1927{
ccbb84af 1928 struct sk_buff *skb;
3733937d 1929 struct l2cap_ctrl *control;
6840ed07 1930
3733937d
MM		 1931 BT_DBG("chan %p, skbs %p", chan, skbs);
1932
b99e13ad
MM		 1933 if (__chan_is_moving(chan))
1934 return;
1935
3733937d
MM		 1936 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1937
1938 while (!skb_queue_empty(&chan->tx_q)) {
1939
1940 skb = skb_dequeue(&chan->tx_q);
1941
1942 bt_cb(skb)->control.retries = 1;
1943 control = &bt_cb(skb)->control;
1944
1945 control->reqseq = 0;
1946 control->txseq = chan->next_tx_seq;
1947
1948 __pack_control(chan, control, skb);
6840ed07 1949
47d1ec61 1950 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1951 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1952 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1953 }
1954
4343478f 1955 l2cap_do_send(chan, skb);
6840ed07 1956
b4400672 1957 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1958
836be934 1959 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1960 chan->frames_sent++;
6840ed07 1961 }
6840ed07
GP		 1962}
1963
67c9e840 1964static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1965{
1966 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1967 struct l2cap_ctrl *control;
1968 int sent = 0;
1969
1970 BT_DBG("chan %p", chan);
1c2acffb 1971
89bc500e 1972 if (chan->state != BT_CONNECTED)
c13ffa62 1973 return -ENOTCONN;
e90bac06 1974
94122bbe
MM		 1975 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1976 return 0;
1977
b99e13ad
MM		 1978 if (__chan_is_moving(chan))
1979 return 0;
1980
18a48e76
MM		 1981 while (chan->tx_send_head &&
1982 chan->unacked_frames < chan->remote_tx_win &&
1983 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1984
18a48e76 1985 skb = chan->tx_send_head;
e90bac06 1986
18a48e76
MM		 1987 bt_cb(skb)->control.retries = 1;
1988 control = &bt_cb(skb)->control;
95ffa978 1989
e2ab4353 1990 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1991 control->final = 1;
e2ab4353 1992
18a48e76
MM		 1993 control->reqseq = chan->buffer_seq;
1994 chan->last_acked_seq = chan->buffer_seq;
1995 control->txseq = chan->next_tx_seq;
1c2acffb 1996
18a48e76 1997 __pack_control(chan, control, skb);
e90bac06 1998
47d1ec61 1999 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 2000 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2001 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 2002 }
2003
18a48e76
MM		 2004 /* Clone after data has been modified. Data is assumed to be
2005 read-only (for locking purposes) on cloned sk_buffs.
2006 */
2007 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 2008
18a48e76
MM		 2009 if (!tx_skb)
2010 break;
1c2acffb 2011
18a48e76 2012 __set_retrans_timer(chan);
836be934
AE		 2013
2014 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 2015 chan->unacked_frames++;
6a026610 2016 chan->frames_sent++;
18a48e76 2017 sent++;
1c2acffb 2018
58d35f87
GP		 2019 if (skb_queue_is_last(&chan->tx_q, skb))
2020 chan->tx_send_head = NULL;
1c2acffb 2021 else
58d35f87 2022 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 2023
2024 l2cap_do_send(chan, tx_skb);
b4400672 2025 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 2026 }
2027
b4400672
AE		 2028 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2029 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 2030
2031 return sent;
9e917af1
GP		 2032}
2033
e1fbd4c1
MM		 2034static void l2cap_ertm_resend(struct l2cap_chan *chan)
2035{
2036 struct l2cap_ctrl control;
2037 struct sk_buff *skb;
2038 struct sk_buff *tx_skb;
2039 u16 seq;
2040
2041 BT_DBG("chan %p", chan);
2042
2043 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2044 return;
2045
b99e13ad
MM		 2046 if (__chan_is_moving(chan))
2047 return;
2048
e1fbd4c1
MM		 2049 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2050 seq = l2cap_seq_list_pop(&chan->retrans_list);
2051
2052 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2053 if (!skb) {
2054 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 2055 seq);
e1fbd4c1
MM		 2056 continue;
2057 }
2058
2059 bt_cb(skb)->control.retries++;
2060 control = bt_cb(skb)->control;
2061
2062 if (chan->max_tx != 0 &&
2063 bt_cb(skb)->control.retries > chan->max_tx) {
2064 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 2065 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 2066 l2cap_seq_list_clear(&chan->retrans_list);
2067 break;
2068 }
2069
2070 control.reqseq = chan->buffer_seq;
2071 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2072 control.final = 1;
2073 else
2074 control.final = 0;
2075
2076 if (skb_cloned(skb)) {
2077 /* Cloned sk_buffs are read-only, so we need a
2078 * writeable copy
2079 */
8bcde1f2 2080 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 2081 } else {
8bcde1f2 2082 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 2083 }
2084
2085 if (!tx_skb) {
2086 l2cap_seq_list_clear(&chan->retrans_list);
2087 break;
2088 }
2089
2090 /* Update skb contents */
2091 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2092 put_unaligned_le32(__pack_extended_control(&control),
2093 tx_skb->data + L2CAP_HDR_SIZE);
2094 } else {
2095 put_unaligned_le16(__pack_enhanced_control(&control),
2096 tx_skb->data + L2CAP_HDR_SIZE);
2097 }
2098
2099 if (chan->fcs == L2CAP_FCS_CRC16) {
2100 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2101 put_unaligned_le16(fcs, skb_put(tx_skb,
2102 L2CAP_FCS_SIZE));
2103 }
2104
2105 l2cap_do_send(chan, tx_skb);
2106
2107 BT_DBG("Resent txseq %d", control.txseq);
2108
2109 chan->last_acked_seq = chan->buffer_seq;
2110 }
2111}
2112
f80842a8
MM		 2113static void l2cap_retransmit(struct l2cap_chan *chan,
2114 struct l2cap_ctrl *control)
2115{
2116 BT_DBG("chan %p, control %p", chan, control);
2117
2118 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2119 l2cap_ertm_resend(chan);
2120}
2121
d2a7ac5d
MM		 2122static void l2cap_retransmit_all(struct l2cap_chan *chan,
2123 struct l2cap_ctrl *control)
2124{
e1fbd4c1
MM		 2125 struct sk_buff *skb;
2126
2127 BT_DBG("chan %p, control %p", chan, control);
2128
2129 if (control->poll)
2130 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2131
2132 l2cap_seq_list_clear(&chan->retrans_list);
2133
2134 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2135 return;
2136
2137 if (chan->unacked_frames) {
2138 skb_queue_walk(&chan->tx_q, skb) {
2139 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2140 skb == chan->tx_send_head)
e1fbd4c1
MM		 2141 break;
2142 }
2143
2144 skb_queue_walk_from(&chan->tx_q, skb) {
2145 if (skb == chan->tx_send_head)
2146 break;
2147
2148 l2cap_seq_list_append(&chan->retrans_list,
2149 bt_cb(skb)->control.txseq);
2150 }
2151
2152 l2cap_ertm_resend(chan);
2153 }
d2a7ac5d
MM		 2154}
2155
0a0aba42 2156static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2157{
0a0aba42
MM		 2158 struct l2cap_ctrl control;
2159 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2160 chan->last_acked_seq);
2161 int threshold;
9e917af1 2162
0a0aba42
MM		 2163 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2164 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2165
0a0aba42
MM		 2166 memset(&control, 0, sizeof(control));
2167 control.sframe = 1;
dfc909be 2168
0a0aba42
MM		 2169 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2170 chan->rx_state == L2CAP_RX_STATE_RECV) {
2171 __clear_ack_timer(chan);
2172 control.super = L2CAP_SUPER_RNR;
2173 control.reqseq = chan->buffer_seq;
2174 l2cap_send_sframe(chan, &control);
2175 } else {
2176 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2177 l2cap_ertm_send(chan);
2178 /* If any i-frames were sent, they included an ack */
2179 if (chan->buffer_seq == chan->last_acked_seq)
2180 frames_to_ack = 0;
2181 }
dfc909be 2182
c20f8e35 2183 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2184 * Calculate without mul or div
2185 */
c20f8e35 2186 threshold = chan->ack_win;
0a0aba42
MM		 2187 threshold += threshold << 1;
2188 threshold >>= 2;
2189
b4400672 2190 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2191 threshold);
2192
2193 if (frames_to_ack >= threshold) {
2194 __clear_ack_timer(chan);
2195 control.super = L2CAP_SUPER_RR;
2196 control.reqseq = chan->buffer_seq;
2197 l2cap_send_sframe(chan, &control);
2198 frames_to_ack = 0;
2199 }
1c2acffb 2200
0a0aba42
MM		 2201 if (frames_to_ack)
2202 __set_ack_timer(chan);
2203 }
b17e73bb
SJ		 2204}
2205
04124681
GP		 2206static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2207 struct msghdr *msg, int len,
2208 int count, struct sk_buff *skb)
1c2acffb 2209{
0952a57a 2210 struct l2cap_conn *conn = chan->conn;
1c2acffb 2211 struct sk_buff **frag;
90338947 2212 int sent = 0;
1da177e4 2213
59203a21 2214 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2215 return -EFAULT;
1da177e4
LT		 2216
2217 sent += count;
2218 len -= count;
2219
2220 /* Continuation fragments (no L2CAP header) */
2221 frag = &skb_shinfo(skb)->frag_list;
2222 while (len) {
fbe00700
GP		 2223 struct sk_buff *tmp;
2224
1da177e4
LT		 2225 count = min_t(unsigned int, conn->mtu, len);
2226
fbe00700
GP		 2227 tmp = chan->ops->alloc_skb(chan, count,
2228 msg->msg_flags & MSG_DONTWAIT);
2229 if (IS_ERR(tmp))
2230 return PTR_ERR(tmp);
2231
2232 *frag = tmp;
2f7719ce 2233
1c2acffb
GP		 2234 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2235 return -EFAULT;
1da177e4 2236
5e59b791
LAD		 2237 (*frag)->priority = skb->priority;
2238
1da177e4
LT		 2239 sent += count;
2240 len -= count;
2241
2d0ed3d5
GP		 2242 skb->len += (*frag)->len;
2243 skb->data_len += (*frag)->len;
2244
1da177e4
LT		 2245 frag = &(*frag)->next;
2246 }
1da177e4
LT		 2247
2248 return sent;
1c2acffb 2249}
1da177e4 2250
5e59b791 2251static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2252 struct msghdr *msg, size_t len,
2253 u32 priority)
1c2acffb 2254{
8c1d787b 2255 struct l2cap_conn *conn = chan->conn;
1c2acffb 2256 struct sk_buff *skb;
03a51213 2257 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2258 struct l2cap_hdr *lh;
2259
b4400672 2260 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2261
2262 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2263
2264 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2265 msg->msg_flags & MSG_DONTWAIT);
2266 if (IS_ERR(skb))
2267 return skb;
1c2acffb 2268
5e59b791
LAD		 2269 skb->priority = priority;
2270
1c2acffb
GP		 2271 /* Create L2CAP header */
2272 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2273 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2274 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2275 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2276
0952a57a 2277 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2278 if (unlikely(err < 0)) {
2279 kfree_skb(skb);
2280 return ERR_PTR(err);
2281 }
2282 return skb;
2283}
2284
5e59b791 2285static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2286 struct msghdr *msg, size_t len,
2287 u32 priority)
1c2acffb 2288{
8c1d787b 2289 struct l2cap_conn *conn = chan->conn;
1c2acffb 2290 struct sk_buff *skb;
f2ba7fae 2291 int err, count;
1c2acffb
GP		 2292 struct l2cap_hdr *lh;
2293
b4400672 2294 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2295
f2ba7fae 2296 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2297
f2ba7fae 2298 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2299 msg->msg_flags & MSG_DONTWAIT);
2300 if (IS_ERR(skb))
2301 return skb;
1c2acffb 2302
5e59b791
LAD		 2303 skb->priority = priority;
2304
1c2acffb
GP		 2305 /* Create L2CAP header */
2306 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2307 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2308 lh->len = cpu_to_le16(len);
1c2acffb 2309
0952a57a 2310 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2311 if (unlikely(err < 0)) {
2312 kfree_skb(skb);
2313 return ERR_PTR(err);
2314 }
2315 return skb;
2316}
2317
ab0ff76d 2318static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2319 struct msghdr *msg, size_t len,
2320 u16 sdulen)
1c2acffb 2321{
8c1d787b 2322 struct l2cap_conn *conn = chan->conn;
1c2acffb 2323 struct sk_buff *skb;
e4ca6d98 2324 int err, count, hlen;
1c2acffb
GP		 2325 struct l2cap_hdr *lh;
2326
b4400672 2327 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2328
0ee0d208
GP		 2329 if (!conn)
2330 return ERR_PTR(-ENOTCONN);
2331
ba7aa64f 2332 hlen = __ertm_hdr_size(chan);
e4ca6d98 2333
c74e560c 2334 if (sdulen)
03a51213 2335 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2336
47d1ec61 2337 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2338 hlen += L2CAP_FCS_SIZE;
fcc203c3 2339
1c2acffb 2340 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2341
2342 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2343 msg->msg_flags & MSG_DONTWAIT);
2344 if (IS_ERR(skb))
2345 return skb;
1c2acffb
GP		 2346
2347 /* Create L2CAP header */
2348 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2349 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2350 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2351
18a48e76
MM		 2352 /* Control header is populated later */
2353 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2354 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2355 else
2356 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2357
c74e560c 2358 if (sdulen)
03a51213 2359 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2360
0952a57a 2361 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2362 if (unlikely(err < 0)) {
2363 kfree_skb(skb);
2364 return ERR_PTR(err);
2365 }
e90bac06 2366
18a48e76 2367 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2368 bt_cb(skb)->control.retries = 0;
1c2acffb 2369 return skb;
1da177e4
LT		 2370}
2371
94122bbe
MM		 2372static int l2cap_segment_sdu(struct l2cap_chan *chan,
2373 struct sk_buff_head *seg_queue,
2374 struct msghdr *msg, size_t len)
c74e560c 2375{
c74e560c 2376 struct sk_buff *skb;
94122bbe
MM		 2377 u16 sdu_len;
2378 size_t pdu_len;
94122bbe 2379 u8 sar;
c74e560c 2380
b4400672 2381 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2382
94122bbe
MM		 2383 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2384 * so fragmented skbs are not used. The HCI layer's handling
2385 * of fragmented skbs is not compatible with ERTM's queueing.
2386 */
c74e560c 2387
94122bbe
MM		 2388 /* PDU size is derived from the HCI MTU */
2389 pdu_len = chan->conn->mtu;
c74e560c 2390
a549574d
MM		 2391 /* Constrain PDU size for BR/EDR connections */
2392 if (!chan->hs_hcon)
2393 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2394
2395 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2396 if (chan->fcs)
2397 pdu_len -= L2CAP_FCS_SIZE;
2398
ba7aa64f 2399 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2400
2401 /* Remote device may have requested smaller PDUs */
2402 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2403
2404 if (len <= pdu_len) {
2405 sar = L2CAP_SAR_UNSEGMENTED;
2406 sdu_len = 0;
2407 pdu_len = len;
2408 } else {
2409 sar = L2CAP_SAR_START;
2410 sdu_len = len;
2411 pdu_len -= L2CAP_SDULEN_SIZE;
2412 }
2413
2414 while (len > 0) {
2415 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2416
c74e560c 2417 if (IS_ERR(skb)) {
94122bbe 2418 __skb_queue_purge(seg_queue);
c74e560c
GP		 2419 return PTR_ERR(skb);
2420 }
2421
94122bbe
MM		 2422 bt_cb(skb)->control.sar = sar;
2423 __skb_queue_tail(seg_queue, skb);
2424
2425 len -= pdu_len;
2426 if (sdu_len) {
2427 sdu_len = 0;
2428 pdu_len += L2CAP_SDULEN_SIZE;
2429 }
2430
2431 if (len <= pdu_len) {
2432 sar = L2CAP_SAR_END;
2433 pdu_len = len;
2434 } else {
2435 sar = L2CAP_SAR_CONTINUE;
2436 }
c74e560c 2437 }
c74e560c 2438
f0f62799 2439 return 0;
c74e560c
GP		 2440}
2441
5e59b791 2442int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2443 u32 priority)
9a91a04a 2444{
9a91a04a 2445 struct sk_buff *skb;
9a91a04a 2446 int err;
94122bbe 2447 struct sk_buff_head seg_queue;
9a91a04a
GP		 2448
2449 /* Connectionless channel */
715ec005 2450 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2451 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2452 if (IS_ERR(skb))
2453 return PTR_ERR(skb);
2454
2455 l2cap_do_send(chan, skb);
2456 return len;
2457 }
2458
2459 switch (chan->mode) {
2460 case L2CAP_MODE_BASIC:
2461 /* Check outgoing MTU */
2462 if (len > chan->omtu)
2463 return -EMSGSIZE;
2464
2465 /* Create a basic PDU */
5e59b791 2466 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2467 if (IS_ERR(skb))
2468 return PTR_ERR(skb);
2469
2470 l2cap_do_send(chan, skb);
2471 err = len;
2472 break;
2473
2474 case L2CAP_MODE_ERTM:
2475 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2476 /* Check outgoing MTU */
2477 if (len > chan->omtu) {
2478 err = -EMSGSIZE;
2479 break;
2480 }
9a91a04a 2481
94122bbe 2482 __skb_queue_head_init(&seg_queue);
9a91a04a 2483
94122bbe
MM		 2484 /* Do segmentation before calling in to the state machine,
2485 * since it's possible to block while waiting for memory
2486 * allocation.
2487 */
2488 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2489
94122bbe
MM		 2490 /* The channel could have been closed while segmenting,
2491 * check that it is still connected.
2492 */
2493 if (chan->state != BT_CONNECTED) {
2494 __skb_queue_purge(&seg_queue);
2495 err = -ENOTCONN;
9a91a04a
GP		 2496 }
2497
94122bbe 2498 if (err)
9a91a04a 2499 break;
9a91a04a 2500
3733937d 2501 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2502 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2503 else
d660366d 2504 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2505
d660366d 2506 err = len;
9a91a04a 2507
94122bbe
MM		 2508 /* If the skbs were not queued for sending, they'll still be in
2509 * seg_queue and need to be purged.
2510 */
2511 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2512 break;
2513
2514 default:
2515 BT_DBG("bad state %1.1x", chan->mode);
2516 err = -EBADFD;
2517 }
2518
2519 return err;
2520}
2521
d2a7ac5d
MM		 2522static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2523{
bed68bde
MM		 2524 struct l2cap_ctrl control;
2525 u16 seq;
2526
b4400672 2527 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2528
2529 memset(&control, 0, sizeof(control));
2530 control.sframe = 1;
2531 control.super = L2CAP_SUPER_SREJ;
2532
2533 for (seq = chan->expected_tx_seq; seq != txseq;
2534 seq = __next_seq(chan, seq)) {
2535 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2536 control.reqseq = seq;
2537 l2cap_send_sframe(chan, &control);
2538 l2cap_seq_list_append(&chan->srej_list, seq);
2539 }
2540 }
2541
2542 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2543}
2544
2545static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2546{
bed68bde
MM		 2547 struct l2cap_ctrl control;
2548
2549 BT_DBG("chan %p", chan);
2550
2551 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2552 return;
2553
2554 memset(&control, 0, sizeof(control));
2555 control.sframe = 1;
2556 control.super = L2CAP_SUPER_SREJ;
2557 control.reqseq = chan->srej_list.tail;
2558 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2559}
2560
2561static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2562{
bed68bde
MM		 2563 struct l2cap_ctrl control;
2564 u16 initial_head;
2565 u16 seq;
2566
b4400672 2567 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2568
2569 memset(&control, 0, sizeof(control));
2570 control.sframe = 1;
2571 control.super = L2CAP_SUPER_SREJ;
2572
2573 /* Capture initial list head to allow only one pass through the list. */
2574 initial_head = chan->srej_list.head;
2575
2576 do {
2577 seq = l2cap_seq_list_pop(&chan->srej_list);
2578 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2579 break;
2580
2581 control.reqseq = seq;
2582 l2cap_send_sframe(chan, &control);
2583 l2cap_seq_list_append(&chan->srej_list, seq);
2584 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2585}
2586
608bcc6d
MM		 2587static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2588{
2589 struct sk_buff *acked_skb;
2590 u16 ackseq;
2591
b4400672 2592 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2593
2594 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2595 return;
2596
b4400672 2597 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2598 chan->expected_ack_seq, chan->unacked_frames);
2599
2600 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2601 ackseq = __next_seq(chan, ackseq)) {
2602
2603 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2604 if (acked_skb) {
2605 skb_unlink(acked_skb, &chan->tx_q);
2606 kfree_skb(acked_skb);
2607 chan->unacked_frames--;
2608 }
2609 }
2610
2611 chan->expected_ack_seq = reqseq;
2612
2613 if (chan->unacked_frames == 0)
2614 __clear_retrans_timer(chan);
2615
b4400672 2616 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2617}
2618
2619static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2620{
2621 BT_DBG("chan %p", chan);
2622
2623 chan->expected_tx_seq = chan->buffer_seq;
2624 l2cap_seq_list_clear(&chan->srej_list);
2625 skb_queue_purge(&chan->srej_q);
2626 chan->rx_state = L2CAP_RX_STATE_RECV;
2627}
2628
d660366d
GP		 2629static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2630 struct l2cap_ctrl *control,
2631 struct sk_buff_head *skbs, u8 event)
608bcc6d 2632{
608bcc6d
MM		 2633 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2634 event);
2635
2636 switch (event) {
2637 case L2CAP_EV_DATA_REQUEST:
2638 if (chan->tx_send_head == NULL)
2639 chan->tx_send_head = skb_peek(skbs);
2640
2641 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2642 l2cap_ertm_send(chan);
2643 break;
2644 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2645 BT_DBG("Enter LOCAL_BUSY");
2646 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2647
2648 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2649 /* The SREJ_SENT state must be aborted if we are to
2650 * enter the LOCAL_BUSY state.
2651 */
2652 l2cap_abort_rx_srej_sent(chan);
2653 }
2654
2655 l2cap_send_ack(chan);
2656
2657 break;
2658 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2659 BT_DBG("Exit LOCAL_BUSY");
2660 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2661
2662 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2663 struct l2cap_ctrl local_control;
2664
2665 memset(&local_control, 0, sizeof(local_control));
2666 local_control.sframe = 1;
2667 local_control.super = L2CAP_SUPER_RR;
2668 local_control.poll = 1;
2669 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2670 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2671
2672 chan->retry_count = 1;
2673 __set_monitor_timer(chan);
2674 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2675 }
2676 break;
2677 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2678 l2cap_process_reqseq(chan, control->reqseq);
2679 break;
2680 case L2CAP_EV_EXPLICIT_POLL:
2681 l2cap_send_rr_or_rnr(chan, 1);
2682 chan->retry_count = 1;
2683 __set_monitor_timer(chan);
2684 __clear_ack_timer(chan);
2685 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2686 break;
2687 case L2CAP_EV_RETRANS_TO:
2688 l2cap_send_rr_or_rnr(chan, 1);
2689 chan->retry_count = 1;
2690 __set_monitor_timer(chan);
2691 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2692 break;
2693 case L2CAP_EV_RECV_FBIT:
2694 /* Nothing to process */
2695 break;
2696 default:
2697 break;
2698 }
608bcc6d
MM		 2699}
2700
d660366d
GP		 2701static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2702 struct l2cap_ctrl *control,
2703 struct sk_buff_head *skbs, u8 event)
608bcc6d 2704{
608bcc6d
MM		 2705 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2706 event);
2707
2708 switch (event) {
2709 case L2CAP_EV_DATA_REQUEST:
2710 if (chan->tx_send_head == NULL)
2711 chan->tx_send_head = skb_peek(skbs);
2712 /* Queue data, but don't send. */
2713 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2714 break;
2715 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2716 BT_DBG("Enter LOCAL_BUSY");
2717 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2718
2719 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2720 /* The SREJ_SENT state must be aborted if we are to
2721 * enter the LOCAL_BUSY state.
2722 */
2723 l2cap_abort_rx_srej_sent(chan);
2724 }
2725
2726 l2cap_send_ack(chan);
2727
2728 break;
2729 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2730 BT_DBG("Exit LOCAL_BUSY");
2731 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2732
2733 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2734 struct l2cap_ctrl local_control;
2735 memset(&local_control, 0, sizeof(local_control));
2736 local_control.sframe = 1;
2737 local_control.super = L2CAP_SUPER_RR;
2738 local_control.poll = 1;
2739 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2740 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2741
2742 chan->retry_count = 1;
2743 __set_monitor_timer(chan);
2744 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2745 }
2746 break;
2747 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2748 l2cap_process_reqseq(chan, control->reqseq);
2749
2750 /* Fall through */
2751
2752 case L2CAP_EV_RECV_FBIT:
2753 if (control && control->final) {
2754 __clear_monitor_timer(chan);
2755 if (chan->unacked_frames > 0)
2756 __set_retrans_timer(chan);
2757 chan->retry_count = 0;
2758 chan->tx_state = L2CAP_TX_STATE_XMIT;
2759 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2760 }
2761 break;
2762 case L2CAP_EV_EXPLICIT_POLL:
2763 /* Ignore */
2764 break;
2765 case L2CAP_EV_MONITOR_TO:
2766 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2767 l2cap_send_rr_or_rnr(chan, 1);
2768 __set_monitor_timer(chan);
2769 chan->retry_count++;
2770 } else {
5e4e3972 2771 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2772 }
2773 break;
2774 default:
2775 break;
2776 }
608bcc6d
MM		 2777}
2778
d660366d
GP		 2779static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2780 struct sk_buff_head *skbs, u8 event)
608bcc6d 2781{
608bcc6d
MM		 2782 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2783 chan, control, skbs, event, chan->tx_state);
2784
2785 switch (chan->tx_state) {
2786 case L2CAP_TX_STATE_XMIT:
d660366d 2787 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2788 break;
2789 case L2CAP_TX_STATE_WAIT_F:
d660366d 2790 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2791 break;
2792 default:
2793 /* Ignore event */
2794 break;
2795 }
608bcc6d
MM		 2796}
2797
4b51dae9
MM		 2798static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2799 struct l2cap_ctrl *control)
2800{
2801 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2802 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2803}
2804
f80842a8
MM		 2805static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2806 struct l2cap_ctrl *control)
2807{
2808 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2809 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2810}
2811
1da177e4
LT		 2812/* Copy frame to all raw sockets on that connection */
2813static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2814{
1da177e4 2815 struct sk_buff *nskb;
48454079 2816 struct l2cap_chan *chan;
1da177e4
LT		 2817
2818 BT_DBG("conn %p", conn);
2819
3df91ea2 2820 mutex_lock(&conn->chan_lock);
3d57dc68 2821
3df91ea2 2822 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2823 struct sock *sk = chan->sk;
715ec005 2824 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2825 continue;
2826
2827 /* Don't send frame to the socket it came from */
2828 if (skb->sk == sk)
2829 continue;
8bcde1f2 2830 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2831 if (!nskb)
1da177e4
LT		 2832 continue;
2833
80b98027 2834 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2835 kfree_skb(nskb);
2836 }
3d57dc68 2837
3df91ea2 2838 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2839}
2840
2841/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2842static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2843 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2844{
2845 struct sk_buff *skb, **frag;
2846 struct l2cap_cmd_hdr *cmd;
2847 struct l2cap_hdr *lh;
2848 int len, count;
2849
b4400672
AE		 2850 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2851 conn, code, ident, dlen);
1da177e4 2852
300b962e
AL		 2853 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2854 return NULL;
2855
1da177e4
LT		 2856 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2857 count = min_t(unsigned int, conn->mtu, len);
2858
8bcde1f2 2859 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2860 if (!skb)
2861 return NULL;
2862
2863 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2864 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2865
2866 if (conn->hcon->type == LE_LINK)
ac73498c 2867 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2868 else
ac73498c 2869 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2870
2871 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2872 cmd->code = code;
2873 cmd->ident = ident;
aca3192c 2874 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2875
2876 if (dlen) {
2877 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2878 memcpy(skb_put(skb, count), data, count);
2879 data += count;
2880 }
2881
2882 len -= skb->len;
2883
2884 /* Continuation fragments (no L2CAP header) */
2885 frag = &skb_shinfo(skb)->frag_list;
2886 while (len) {
2887 count = min_t(unsigned int, conn->mtu, len);
2888
8bcde1f2 2889 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2890 if (!*frag)
2891 goto fail;
2892
2893 memcpy(skb_put(*frag, count), data, count);
2894
2895 len -= count;
2896 data += count;
2897
2898 frag = &(*frag)->next;
2899 }
2900
2901 return skb;
2902
2903fail:
2904 kfree_skb(skb);
2905 return NULL;
2906}
2907
2d792818
GP		 2908static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2909 unsigned long *val)
1da177e4
LT		 2910{
2911 struct l2cap_conf_opt *opt = *ptr;
2912 int len;
2913
2914 len = L2CAP_CONF_OPT_SIZE + opt->len;
2915 *ptr += len;
2916
2917 *type = opt->type;
2918 *olen = opt->len;
2919
2920 switch (opt->len) {
2921 case 1:
2922 *val = *((u8 *) opt->val);
2923 break;
2924
2925 case 2:
bfaaeb3e 2926 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2927 break;
2928
2929 case 4:
bfaaeb3e 2930 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2931 break;
2932
2933 default:
2934 *val = (unsigned long) opt->val;
2935 break;
2936 }
2937
b4400672 2938 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2939 return len;
2940}
2941
1da177e4
LT		 2942static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2943{
2944 struct l2cap_conf_opt *opt = *ptr;
2945
b4400672 2946 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2947
2948 opt->type = type;
2949 opt->len = len;
2950
2951 switch (len) {
2952 case 1:
2953 *((u8 *) opt->val) = val;
2954 break;
2955
2956 case 2:
4f8b691c 2957 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2958 break;
2959
2960 case 4:
4f8b691c 2961 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2962 break;
2963
2964 default:
2965 memcpy(opt->val, (void *) val, len);
2966 break;
2967 }
2968
2969 *ptr += L2CAP_CONF_OPT_SIZE + len;
2970}
2971
f89cef09
AE		 2972static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2973{
2974 struct l2cap_conf_efs efs;
2975
1ec918ce 2976 switch (chan->mode) {
f89cef09
AE		 2977 case L2CAP_MODE_ERTM:
2978 efs.id = chan->local_id;
2979 efs.stype = chan->local_stype;
2980 efs.msdu = cpu_to_le16(chan->local_msdu);
2981 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2982 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2983 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2984 break;
2985
2986 case L2CAP_MODE_STREAMING:
2987 efs.id = 1;
2988 efs.stype = L2CAP_SERV_BESTEFFORT;
2989 efs.msdu = cpu_to_le16(chan->local_msdu);
2990 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2991 efs.acc_lat = 0;
2992 efs.flush_to = 0;
2993 break;
2994
2995 default:
2996 return;
2997 }
2998
2999 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 3000 (unsigned long) &efs);
f89cef09
AE		 3001}
3002
721c4181 3003static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 3004{
721c4181 3005 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 3006 ack_timer.work);
3007 u16 frames_to_ack;
c1b4f43b 3008
2fb9b3d4
GP		 3009 BT_DBG("chan %p", chan);
3010
6be36555
AE		 3011 l2cap_chan_lock(chan);
3012
0362520b
MM		 3013 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3014 chan->last_acked_seq);
6be36555 3015
0362520b
MM		 3016 if (frames_to_ack)
3017 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 3018
0362520b 3019 l2cap_chan_unlock(chan);
09bfb2ee 3020 l2cap_chan_put(chan);
c1b4f43b
GP		 3021}
3022
466f8004 3023int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 3024{
3c588192
MM		 3025 int err;
3026
105bdf9e
MM		 3027 chan->next_tx_seq = 0;
3028 chan->expected_tx_seq = 0;
42e5c802 3029 chan->expected_ack_seq = 0;
6a026610 3030 chan->unacked_frames = 0;
42e5c802 3031 chan->buffer_seq = 0;
6a026610 3032 chan->frames_sent = 0;
105bdf9e
MM		 3033 chan->last_acked_seq = 0;
3034 chan->sdu = NULL;
3035 chan->sdu_last_frag = NULL;
3036 chan->sdu_len = 0;
3037
d34c34fb
MM		 3038 skb_queue_head_init(&chan->tx_q);
3039
08333283
MM		 3040 chan->local_amp_id = 0;
3041 chan->move_id = 0;
3042 chan->move_state = L2CAP_MOVE_STABLE;
3043 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3044
105bdf9e
MM		 3045 if (chan->mode != L2CAP_MODE_ERTM)
3046 return 0;
3047
3048 chan->rx_state = L2CAP_RX_STATE_RECV;
3049 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 3050
721c4181
GP		 3051 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3052 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3053 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 3054
f1c6775b 3055 skb_queue_head_init(&chan->srej_q);
1890d36b 3056
3c588192
MM		 3057 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3058 if (err < 0)
3059 return err;
3060
9dc9affc
MM		 3061 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3062 if (err < 0)
3063 l2cap_seq_list_free(&chan->srej_list);
3064
3065 return err;
0565c1c2
GP		 3066}
3067
f2fcfcd6
GP		 3068static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3069{
3070 switch (mode) {
3071 case L2CAP_MODE_STREAMING:
3072 case L2CAP_MODE_ERTM:
3073 if (l2cap_mode_supported(mode, remote_feat_mask))
3074 return mode;
3075 /* fall through */
3076 default:
3077 return L2CAP_MODE_BASIC;
3078 }
3079}
3080
6327eb98
AE		 3081static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
3082{
3083 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3084}
3085
f89cef09
AE		 3086static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
3087{
3088 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3089}
3090
36c86c85
MM		 3091static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3092 struct l2cap_conf_rfc *rfc)
3093{
3094 if (chan->local_amp_id && chan->hs_hcon) {
3095 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3096
3097 /* Class 1 devices have must have ERTM timeouts
3098 * exceeding the Link Supervision Timeout. The
3099 * default Link Supervision Timeout for AMP
3100 * controllers is 10 seconds.
3101 *
3102 * Class 1 devices use 0xffffffff for their
3103 * best-effort flush timeout, so the clamping logic
3104 * will result in a timeout that meets the above
3105 * requirement. ERTM timeouts are 16-bit values, so
3106 * the maximum timeout is 65.535 seconds.
3107 */
3108
3109 /* Convert timeout to milliseconds and round */
3110 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3111
3112 /* This is the recommended formula for class 2 devices
3113 * that start ERTM timers when packets are sent to the
3114 * controller.
3115 */
3116 ertm_to = 3 * ertm_to + 500;
3117
3118 if (ertm_to > 0xffff)
3119 ertm_to = 0xffff;
3120
3121 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3122 rfc->monitor_timeout = rfc->retrans_timeout;
3123 } else {
3124 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3125 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3126 }
3127}
3128
6327eb98
AE		 3129static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3130{
3131 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3132 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3133 /* use extended control field */
3134 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3135 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3136 } else {
6327eb98 3137 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3138 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3139 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3140 }
c20f8e35 3141 chan->ack_win = chan->tx_win;
6327eb98
AE		 3142}
3143
710f9b0a 3144static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3145{
1da177e4 3146 struct l2cap_conf_req *req = data;
0c1bc5c6 3147 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3148 void *ptr = req->data;
c8f79162 3149 u16 size;
1da177e4 3150
49208c9c 3151 BT_DBG("chan %p", chan);
1da177e4 3152
73ffa904 3153 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3154 goto done;
3155
0c1bc5c6 3156 switch (chan->mode) {
f2fcfcd6
GP		 3157 case L2CAP_MODE_STREAMING:
3158 case L2CAP_MODE_ERTM:
c1360a1c 3159 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3160 break;
85eb53c6 3161
f89cef09
AE		 3162 if (__l2cap_efs_supported(chan))
3163 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3164
2ba13ed6 3165 /* fall through */
f2fcfcd6 3166 default:
8c1d787b 3167 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3168 break;
3169 }
3170
3171done:
0c1bc5c6
GP		 3172 if (chan->imtu != L2CAP_DEFAULT_MTU)
3173 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3174
0c1bc5c6 3175 switch (chan->mode) {
65c7c491 3176 case L2CAP_MODE_BASIC:
8c1d787b 3177 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3178 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3179 break;
3180
62547752
GP		 3181 rfc.mode = L2CAP_MODE_BASIC;
3182 rfc.txwin_size = 0;
3183 rfc.max_transmit = 0;
3184 rfc.retrans_timeout = 0;
3185 rfc.monitor_timeout = 0;
3186 rfc.max_pdu_size = 0;
3187
63406504 3188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3189 (unsigned long) &rfc);
65c7c491
MH		 3190 break;
3191
3192 case L2CAP_MODE_ERTM:
3193 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3194 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3195
3196 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3197
3198 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3199 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3200 L2CAP_FCS_SIZE);
c8f79162 3201 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3202
6327eb98
AE		 3203 l2cap_txwin_setup(chan);
3204
3205 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3206 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3207
63406504 3208 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3209 (unsigned long) &rfc);
63406504 3210
f89cef09
AE		 3211 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3212 l2cap_add_opt_efs(&ptr, chan);
3213
6327eb98
AE		 3214 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3215 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3216 chan->tx_win);
60918918
AE		 3217
3218 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3219 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3220 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3221 chan->fcs = L2CAP_FCS_NONE;
3222 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3223 chan->fcs);
3224 }
f2fcfcd6
GP		 3225 break;
3226
3227 case L2CAP_MODE_STREAMING:
273759e2 3228 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3229 rfc.mode = L2CAP_MODE_STREAMING;
3230 rfc.txwin_size = 0;
3231 rfc.max_transmit = 0;
3232 rfc.retrans_timeout = 0;
3233 rfc.monitor_timeout = 0;
c8f79162
AE		 3234
3235 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3236 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3237 L2CAP_FCS_SIZE);
c8f79162 3238 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3239
63406504 3240 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3241 (unsigned long) &rfc);
63406504 3242
f89cef09
AE		 3243 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3244 l2cap_add_opt_efs(&ptr, chan);
3245
60918918
AE		 3246 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3247 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3248 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3249 chan->fcs = L2CAP_FCS_NONE;
3250 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3251 chan->fcs);
3252 }
65c7c491
MH		 3253 break;
3254 }
1da177e4 3255
fe4128e0 3256 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3257 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3258
3259 return ptr - data;
3260}
3261
73ffa904 3262static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3263{
5dee9e7c
MH		 3264 struct l2cap_conf_rsp *rsp = data;
3265 void *ptr = rsp->data;
73ffa904
GP		 3266 void *req = chan->conf_req;
3267 int len = chan->conf_len;
5dee9e7c
MH		 3268 int type, hint, olen;
3269 unsigned long val;
6464f35f 3270 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3271 struct l2cap_conf_efs efs;
3272 u8 remote_efs = 0;
861d6882 3273 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3274 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3275 u16 size;
1da177e4 3276
73ffa904 3277 BT_DBG("chan %p", chan);
820ae1b8 3278
5dee9e7c
MH		 3279 while (len >= L2CAP_CONF_OPT_SIZE) {
3280 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3281
589d2746 3282 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3283 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3284
3285 switch (type) {
3286 case L2CAP_CONF_MTU:
861d6882 3287 mtu = val;
5dee9e7c
MH		 3288 break;
3289
3290 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3291 chan->flush_to = val;
5dee9e7c
MH		 3292 break;
3293
3294 case L2CAP_CONF_QOS:
3295 break;
3296
6464f35f
MH		 3297 case L2CAP_CONF_RFC:
3298 if (olen == sizeof(rfc))
3299 memcpy(&rfc, (void *) val, olen);
3300 break;
3301
fcc203c3
GP		 3302 case L2CAP_CONF_FCS:
3303 if (val == L2CAP_FCS_NONE)
f2592d3e 3304 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3305 break;
fcc203c3 3306
42dceae2
AE		 3307 case L2CAP_CONF_EFS:
3308 remote_efs = 1;
3309 if (olen == sizeof(efs))
3310 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3311 break;
3312
6327eb98
AE		 3313 case L2CAP_CONF_EWS:
3314 if (!enable_hs)
3315 return -ECONNREFUSED;
fcc203c3 3316
6327eb98
AE		 3317 set_bit(FLAG_EXT_CTRL, &chan->flags);
3318 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3319 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3320 chan->remote_tx_win = val;
fcc203c3
GP		 3321 break;
3322
5dee9e7c
MH		 3323 default:
3324 if (hint)
3325 break;
3326
3327 result = L2CAP_CONF_UNKNOWN;
3328 *((u8 *) ptr++) = type;
3329 break;
3330 }
3331 }
3332
73ffa904 3333 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3334 goto done;
3335
0c1bc5c6 3336 switch (chan->mode) {
f2fcfcd6
GP		 3337 case L2CAP_MODE_STREAMING:
3338 case L2CAP_MODE_ERTM:
c1360a1c 3339 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3340 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3341 chan->conn->feat_mask);
85eb53c6
GP		 3342 break;
3343 }
3344
42dceae2
AE		 3345 if (remote_efs) {
3346 if (__l2cap_efs_supported(chan))
3347 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3348 else
3349 return -ECONNREFUSED;
3350 }
3351
0c1bc5c6 3352 if (chan->mode != rfc.mode)
f2fcfcd6 3353 return -ECONNREFUSED;
742e519b 3354
f2fcfcd6 3355 break;
f2fcfcd6
GP		 3356 }
3357
3358done:
0c1bc5c6 3359 if (chan->mode != rfc.mode) {
f2fcfcd6 3360 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3361 rfc.mode = chan->mode;
f2fcfcd6 3362
73ffa904 3363 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3364 return -ECONNREFUSED;
3365
2d792818
GP		 3366 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3367 (unsigned long) &rfc);
f2fcfcd6
GP		 3368 }
3369
5dee9e7c
MH		 3370 if (result == L2CAP_CONF_SUCCESS) {
3371 /* Configure output options and let the other side know
3372 * which ones we don't like. */
3373
f2fcfcd6
GP		 3374 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3375 result = L2CAP_CONF_UNACCEPT;
3376 else {
0c1bc5c6 3377 chan->omtu = mtu;
c1360a1c 3378 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3379 }
0c1bc5c6 3380 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3381
42dceae2
AE		 3382 if (remote_efs) {
3383 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3384 efs.stype != L2CAP_SERV_NOTRAFIC &&
3385 efs.stype != chan->local_stype) {
42dceae2
AE		 3386
3387 result = L2CAP_CONF_UNACCEPT;
3388
3389 if (chan->num_conf_req >= 1)
3390 return -ECONNREFUSED;
3391
3392 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3393 sizeof(efs),
3394 (unsigned long) &efs);
0e8b207e 3395 } else {
3e6b3b95 3396 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3397 result = L2CAP_CONF_PENDING;
3398 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3399 }
3400 }
3401
f2fcfcd6
GP		 3402 switch (rfc.mode) {
3403 case L2CAP_MODE_BASIC:
47d1ec61 3404 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3405 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3406 break;
3407
3408 case L2CAP_MODE_ERTM:
6327eb98
AE		 3409 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3410 chan->remote_tx_win = rfc.txwin_size;
3411 else
3412 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3413
2c03a7a4 3414 chan->remote_max_tx = rfc.max_transmit;
1c762159 3415
c8f79162 3416 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3417 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3418 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3419 rfc.max_pdu_size = cpu_to_le16(size);
3420 chan->remote_mps = size;
f2fcfcd6 3421
36c86c85 3422 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3423
c1360a1c 3424 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3425
3426 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3427 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3428
42dceae2
AE		 3429 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3430 chan->remote_id = efs.id;
3431 chan->remote_stype = efs.stype;
3432 chan->remote_msdu = le16_to_cpu(efs.msdu);
3433 chan->remote_flush_to =
2d792818 3434 le32_to_cpu(efs.flush_to);
42dceae2 3435 chan->remote_acc_lat =
2d792818 3436 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3437 chan->remote_sdu_itime =
3438 le32_to_cpu(efs.sdu_itime);
3439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3440 sizeof(efs),
3441 (unsigned long) &efs);
42dceae2 3442 }
f2fcfcd6
GP		 3443 break;
3444
3445 case L2CAP_MODE_STREAMING:
c8f79162 3446 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3447 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3448 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3449 rfc.max_pdu_size = cpu_to_le16(size);
3450 chan->remote_mps = size;
f2fcfcd6 3451
c1360a1c 3452 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3453
2d792818
GP		 3454 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3455 (unsigned long) &rfc);
68ae6639 3456
f2fcfcd6
GP		 3457 break;
3458
3459 default:
5dee9e7c 3460 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3461
6464f35f 3462 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3463 rfc.mode = chan->mode;
f2fcfcd6 3464 }
6464f35f 3465
f2fcfcd6 3466 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3467 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3468 }
fe4128e0 3469 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3470 rsp->result = cpu_to_le16(result);
59e54bd1 3471 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3472
3473 return ptr - data;
1da177e4
LT		 3474}
3475
2d792818
GP		 3476static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3477 void *data, u16 *result)
f2fcfcd6 3478{
f2fcfcd6
GP		 3479 struct l2cap_conf_req *req = data;
3480 void *ptr = req->data;
3481 int type, olen;
3482 unsigned long val;
36e999a8 3483 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3484 struct l2cap_conf_efs efs;
f2fcfcd6 3485
fe4128e0 3486 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3487
3488 while (len >= L2CAP_CONF_OPT_SIZE) {
3489 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3490
3491 switch (type) {
3492 case L2CAP_CONF_MTU:
3493 if (val < L2CAP_DEFAULT_MIN_MTU) {
3494 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3495 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3496 } else
0c1bc5c6
GP		 3497 chan->imtu = val;
3498 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3499 break;
3500
3501 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3502 chan->flush_to = val;
f2fcfcd6 3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3504 2, chan->flush_to);
f2fcfcd6
GP		 3505 break;
3506
3507 case L2CAP_CONF_RFC:
3508 if (olen == sizeof(rfc))
3509 memcpy(&rfc, (void *)val, olen);
3510
c1360a1c 3511 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3512 rfc.mode != chan->mode)
f2fcfcd6
GP		 3513 return -ECONNREFUSED;
3514
47d1ec61 3515 chan->fcs = 0;
f2fcfcd6
GP		 3516
3517 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3518 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3519 break;
6327eb98
AE		 3520
3521 case L2CAP_CONF_EWS:
c20f8e35 3522 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3524 chan->tx_win);
6327eb98 3525 break;
66af7aaf
AE		 3526
3527 case L2CAP_CONF_EFS:
3528 if (olen == sizeof(efs))
3529 memcpy(&efs, (void *)val, olen);
3530
3531 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3532 efs.stype != L2CAP_SERV_NOTRAFIC &&
3533 efs.stype != chan->local_stype)
66af7aaf
AE		 3534 return -ECONNREFUSED;
3535
2d792818
GP		 3536 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3537 (unsigned long) &efs);
66af7aaf 3538 break;
cbabee78
AE		 3539
3540 case L2CAP_CONF_FCS:
3541 if (*result == L2CAP_CONF_PENDING)
3542 if (val == L2CAP_FCS_NONE)
f2592d3e 3543 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3544 &chan->conf_state);
3545 break;
f2fcfcd6
GP		 3546 }
3547 }
3548
0c1bc5c6 3549 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3550 return -ECONNREFUSED;
3551
0c1bc5c6 3552 chan->mode = rfc.mode;
6c2ea7a8 3553
0e8b207e 3554 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3555 switch (rfc.mode) {
3556 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3557 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3558 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3559 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3560 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3561 chan->ack_win = min_t(u16, chan->ack_win,
3562 rfc.txwin_size);
66af7aaf
AE		 3563
3564 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3565 chan->local_msdu = le16_to_cpu(efs.msdu);
3566 chan->local_sdu_itime =
2d792818 3567 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3568 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3569 chan->local_flush_to =
2d792818 3570 le32_to_cpu(efs.flush_to);
66af7aaf 3571 }
f2fcfcd6 3572 break;
66af7aaf 3573
f2fcfcd6 3574 case L2CAP_MODE_STREAMING:
47d1ec61 3575 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3576 }
3577 }
3578
fe4128e0 3579 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3580 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3581
3582 return ptr - data;
3583}
3584
2d792818
GP		 3585static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3586 u16 result, u16 flags)
1da177e4
LT		 3587{
3588 struct l2cap_conf_rsp *rsp = data;
3589 void *ptr = rsp->data;
1da177e4 3590
fe4128e0 3591 BT_DBG("chan %p", chan);
1da177e4 3592
fe4128e0 3593 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3594 rsp->result = cpu_to_le16(result);
aca3192c 3595 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3596
3597 return ptr - data;
3598}
3599
8c1d787b 3600void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3601{
3602 struct l2cap_conn_rsp rsp;
8c1d787b 3603 struct l2cap_conn *conn = chan->conn;
710f9b0a 3604 u8 buf[128];
439f34ac 3605 u8 rsp_code;
710f9b0a 3606
fe4128e0
GP		 3607 rsp.scid = cpu_to_le16(chan->dcid);
3608 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3609 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3610 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3611
3612 if (chan->hs_hcon)
3613 rsp_code = L2CAP_CREATE_CHAN_RSP;
3614 else
3615 rsp_code = L2CAP_CONN_RSP;
3616
3617 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3618
3619 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3620
c1360a1c 3621 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3622 return;
3623
710f9b0a 3624 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3625 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3626 chan->num_conf_req++;
3627}
3628
47d1ec61 3629static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3630{
7b1c0049
GP		 3631 int type, olen;
3632 unsigned long val;
c20f8e35
MM		 3633 /* Use sane default values in case a misbehaving remote device
3634 * did not send an RFC or extended window size option.
3635 */
3636 u16 txwin_ext = chan->ack_win;
3637 struct l2cap_conf_rfc rfc = {
3638 .mode = chan->mode,
3639 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3640 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3641 .max_pdu_size = cpu_to_le16(chan->imtu),
3642 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3643 };
7b1c0049 3644
47d1ec61 3645 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3646
0c1bc5c6 3647 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3648 return;
3649
3650 while (len >= L2CAP_CONF_OPT_SIZE) {
3651 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3652
c20f8e35
MM		 3653 switch (type) {
3654 case L2CAP_CONF_RFC:
3655 if (olen == sizeof(rfc))
3656 memcpy(&rfc, (void *)val, olen);
8f321f85 3657 break;
c20f8e35
MM		 3658 case L2CAP_CONF_EWS:
3659 txwin_ext = val;
3660 break;
3661 }
7b1c0049
GP		 3662 }
3663
7b1c0049
GP		 3664 switch (rfc.mode) {
3665 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3666 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3667 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3668 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3669 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3670 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3671 else
3672 chan->ack_win = min_t(u16, chan->ack_win,
3673 rfc.txwin_size);
7b1c0049
GP		 3674 break;
3675 case L2CAP_MODE_STREAMING:
47d1ec61 3676 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3677 }
3678}
3679
2d792818 3680static inline int l2cap_command_rej(struct l2cap_conn *conn,
cb3b3152
JH		 3681 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3682 u8 *data)
4e8402a3 3683{
e2fd318e 3684 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3685
cb3b3152
JH		 3686 if (cmd_len < sizeof(*rej))
3687 return -EPROTO;
3688
e2fd318e 3689 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3690 return 0;
3691
3692 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3693 cmd->ident == conn->info_ident) {
17cd3f37 3694 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3695
3696 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3697 conn->info_ident = 0;
984947dc 3698
4e8402a3
MH		 3699 l2cap_conn_start(conn);
3700 }
3701
3702 return 0;
3703}
3704
1700915f
MM		 3705static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3706 struct l2cap_cmd_hdr *cmd,
3707 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3708{
1da177e4
LT		 3709 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3710 struct l2cap_conn_rsp rsp;
23691d75 3711 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3712 struct sock *parent, *sk = NULL;
e7c29cb1 3713 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3714
3715 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3716 __le16 psm = req->psm;
1da177e4 3717
097db76c 3718 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3719
3720 /* Check if we have socket listening on psm */
c2287681 3721 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3722 if (!pchan) {
1da177e4
LT		 3723 result = L2CAP_CR_BAD_PSM;
3724 goto sendresp;
3725 }
3726
23691d75
GP		 3727 parent = pchan->sk;
3728
3df91ea2 3729 mutex_lock(&conn->chan_lock);
aa2ac881 3730 lock_sock(parent);
e0f0cb56 3731
e7c29cb1 3732 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3733 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3734 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3735 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3736 result = L2CAP_CR_SEC_BLOCK;
3737 goto response;
3738 }
3739
1da177e4
LT		 3740 result = L2CAP_CR_NO_MEM;
3741
2dfa1003
GP		 3742 /* Check if we already have channel with that dcid */
3743 if (__l2cap_get_chan_by_dcid(conn, scid))
3744 goto response;
3745
80b98027 3746 chan = pchan->ops->new_connection(pchan);
80808e43 3747 if (!chan)
1da177e4
LT		 3748 goto response;
3749
80808e43
GP		 3750 sk = chan->sk;
3751
1da177e4
LT		 3752 hci_conn_hold(conn->hcon);
3753
1da177e4
LT		 3754 bacpy(&bt_sk(sk)->src, conn->src);
3755 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3756 chan->psm = psm;
3757 chan->dcid = scid;
1700915f 3758 chan->local_amp_id = amp_id;
1da177e4 3759
6be36555 3760 __l2cap_chan_add(conn, chan);
48454079 3761
fe4128e0 3762 dcid = chan->scid;
1da177e4 3763
c9b66675 3764 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3765
fc7f8a7e 3766 chan->ident = cmd->ident;
1da177e4 3767
984947dc 3768 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3769 if (l2cap_chan_check_security(chan)) {
c5daa683 3770 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3771 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3772 result = L2CAP_CR_PEND;
3773 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3774 chan->ops->defer(chan);
f66dc81f 3775 } else {
1700915f
MM		 3776 /* Force pending result for AMP controllers.
3777 * The connection will succeed after the
3778 * physical link is up.
3779 */
3780 if (amp_id) {
3781 __l2cap_state_change(chan, BT_CONNECT2);
3782 result = L2CAP_CR_PEND;
3783 } else {
3784 __l2cap_state_change(chan, BT_CONFIG);
3785 result = L2CAP_CR_SUCCESS;
3786 }
f66dc81f
MH		 3787 status = L2CAP_CS_NO_INFO;
3788 }
79d554a6 3789 } else {
0e587be7 3790 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3791 result = L2CAP_CR_PEND;
3792 status = L2CAP_CS_AUTHEN_PEND;
3793 }
3794 } else {
0e587be7 3795 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3796 result = L2CAP_CR_PEND;
3797 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3798 }
3799
1da177e4 3800response:
aa2ac881 3801 release_sock(parent);
3df91ea2 3802 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3803
3804sendresp:
aca3192c
YH		 3805 rsp.scid = cpu_to_le16(scid);
3806 rsp.dcid = cpu_to_le16(dcid);
3807 rsp.result = cpu_to_le16(result);
3808 rsp.status = cpu_to_le16(status);
4c89b6aa 3809 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3810
3811 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3812 struct l2cap_info_req info;
ac73498c 3813 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3814
3815 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3816 conn->info_ident = l2cap_get_ident(conn);
3817
ba13ccd9 3818 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3819
2d792818
GP		 3820 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3821 sizeof(info), &info);
79d554a6
MH		 3822 }
3823
c1360a1c 3824 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3825 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3826 u8 buf[128];
c1360a1c 3827 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3828 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3829 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3830 chan->num_conf_req++;
e9aeb2dd 3831 }
1700915f
MM		 3832
3833 return chan;
4c89b6aa 3834}
e9aeb2dd 3835
4c89b6aa 3836static int l2cap_connect_req(struct l2cap_conn *conn,
cb3b3152 3837 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4c89b6aa 3838{
7b064eda
JK		 3839 struct hci_dev *hdev = conn->hcon->hdev;
3840 struct hci_conn *hcon = conn->hcon;
3841
cb3b3152
JH		 3842 if (cmd_len < sizeof(struct l2cap_conn_req))
3843 return -EPROTO;
3844
7b064eda
JK		 3845 hci_dev_lock(hdev);
3846 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3847 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3848 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3849 hcon->dst_type, 0, NULL, 0,
3850 hcon->dev_class);
3851 hci_dev_unlock(hdev);
3852
300229f9 3853 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3854 return 0;
3855}
3856
5909cf30 3857static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 3858 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3859 u8 *data)
1da177e4
LT		 3860{
3861 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3862 u16 scid, dcid, result, status;
48454079 3863 struct l2cap_chan *chan;
1da177e4 3864 u8 req[128];
3df91ea2 3865 int err;
1da177e4 3866
cb3b3152
JH		 3867 if (cmd_len < sizeof(*rsp))
3868 return -EPROTO;
3869
1da177e4
LT		 3870 scid = __le16_to_cpu(rsp->scid);
3871 dcid = __le16_to_cpu(rsp->dcid);
3872 result = __le16_to_cpu(rsp->result);
3873 status = __le16_to_cpu(rsp->status);
3874
1b009c98 3875 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3876 dcid, scid, result, status);
1da177e4 3877
3df91ea2
AE		 3878 mutex_lock(&conn->chan_lock);
3879
1da177e4 3880 if (scid) {
3df91ea2
AE		 3881 chan = __l2cap_get_chan_by_scid(conn, scid);
3882 if (!chan) {
3883 err = -EFAULT;
3884 goto unlock;
3885 }
1da177e4 3886 } else {
3df91ea2
AE		 3887 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3888 if (!chan) {
3889 err = -EFAULT;
3890 goto unlock;
3891 }
1da177e4
LT		 3892 }
3893
3df91ea2
AE		 3894 err = 0;
3895
6be36555 3896 l2cap_chan_lock(chan);
48454079 3897
1da177e4
LT		 3898 switch (result) {
3899 case L2CAP_CR_SUCCESS:
89bc500e 3900 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3901 chan->ident = 0;
fe4128e0 3902 chan->dcid = dcid;
c1360a1c 3903 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3904
c1360a1c 3905 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3906 break;
3907
1da177e4 3908 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3909 l2cap_build_conf_req(chan, req), req);
73ffa904 3910 chan->num_conf_req++;
1da177e4
LT		 3911 break;
3912
3913 case L2CAP_CR_PEND:
c1360a1c 3914 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3915 break;
3916
3917 default:
48454079 3918 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3919 break;
3920 }
3921
6be36555 3922 l2cap_chan_unlock(chan);
3df91ea2
AE		 3923
3924unlock:
3925 mutex_unlock(&conn->chan_lock);
3926
3927 return err;
1da177e4
LT		 3928}
3929
47d1ec61 3930static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3931{
3932 /* FCS is enabled only in ERTM or streaming mode, if one or both
3933 * sides request it.
3934 */
0c1bc5c6 3935 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3936 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3937 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3938 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3939}
3940
29d8a590
AE		 3941static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3942 u8 ident, u16 flags)
3943{
3944 struct l2cap_conn *conn = chan->conn;
3945
3946 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3947 flags);
3948
3949 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3950 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3951
3952 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3953 l2cap_build_conf_rsp(chan, data,
3954 L2CAP_CONF_SUCCESS, flags), data);
3955}
3956
2d792818
GP		 3957static inline int l2cap_config_req(struct l2cap_conn *conn,
3958 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3959 u8 *data)
1da177e4
LT		 3960{
3961 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3962 u16 dcid, flags;
3963 u8 rsp[64];
48454079 3964 struct l2cap_chan *chan;
3c588192 3965 int len, err = 0;
1da177e4 3966
cb3b3152
JH		 3967 if (cmd_len < sizeof(*req))
3968 return -EPROTO;
3969
1da177e4
LT		 3970 dcid = __le16_to_cpu(req->dcid);
3971 flags = __le16_to_cpu(req->flags);
3972
3973 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3974
baa7e1fa 3975 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3976 if (!chan)
1da177e4
LT		 3977 return -ENOENT;
3978
033b1142 3979 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3980 struct l2cap_cmd_rej_cid rej;
3981
ac73498c 3982 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3983 rej.scid = cpu_to_le16(chan->scid);
3984 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3985
df6bd743 3986 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3987 sizeof(rej), &rej);
354f60a9 3988 goto unlock;
df6bd743 3989 }
354f60a9 3990
5dee9e7c 3991 /* Reject if config buffer is too small. */
88219a0f 3992 len = cmd_len - sizeof(*req);
cb3b3152 3993 if (chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3994 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3995 l2cap_build_conf_rsp(chan, rsp,
3996 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3997 goto unlock;
3998 }
3999
4000 /* Store config. */
73ffa904
GP		 4001 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4002 chan->conf_len += len;
1da177e4 4003
59e54bd1 4004 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 4005 /* Incomplete config. Send empty response. */
4006 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 4007 l2cap_build_conf_rsp(chan, rsp,
4008 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 4009 goto unlock;
4010 }
4011
4012 /* Complete config. */
73ffa904 4013 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 4014 if (len < 0) {
5e4e3972 4015 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 4016 goto unlock;
f2fcfcd6 4017 }
1da177e4 4018
1500109b 4019 chan->ident = cmd->ident;
5dee9e7c 4020 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 4021 chan->num_conf_rsp++;
5dee9e7c 4022
5dee9e7c 4023 /* Reset config buffer. */
73ffa904 4024 chan->conf_len = 0;
5dee9e7c 4025
c1360a1c 4026 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 4027 goto unlock;
4028
c1360a1c 4029 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 4030 set_default_fcs(chan);
fcc203c3 4031
105bdf9e
MM		 4032 if (chan->mode == L2CAP_MODE_ERTM ||
4033 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 4034 err = l2cap_ertm_init(chan);
4035
4036 if (err < 0)
5e4e3972 4037 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4038 else
4039 l2cap_chan_ready(chan);
0565c1c2 4040
876d9484
MH		 4041 goto unlock;
4042 }
4043
c1360a1c 4044 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 4045 u8 buf[64];
1da177e4 4046 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 4047 l2cap_build_conf_req(chan, buf), buf);
73ffa904 4048 chan->num_conf_req++;
1da177e4
LT		 4049 }
4050
0e8b207e
AE		 4051 /* Got Conf Rsp PENDING from remote side and asume we sent
4052 Conf Rsp PENDING in the code above */
4053 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 4054 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 4055
4056 /* check compatibility */
4057
79de886d 4058 /* Send rsp for BR/EDR channel */
f351bc72 4059 if (!chan->hs_hcon)
79de886d
AE		 4060 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4061 else
4062 chan->ident = cmd->ident;
0e8b207e
AE		 4063 }
4064
1da177e4 4065unlock:
6be36555 4066 l2cap_chan_unlock(chan);
3c588192 4067 return err;
1da177e4
LT		 4068}
4069
2d792818 4070static inline int l2cap_config_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4071 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4072 u8 *data)
1da177e4
LT		 4073{
4074 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4075 u16 scid, flags, result;
48454079 4076 struct l2cap_chan *chan;
cb3b3152 4077 int len = cmd_len - sizeof(*rsp);
3c588192 4078 int err = 0;
1da177e4 4079
cb3b3152
JH		 4080 if (cmd_len < sizeof(*rsp))
4081 return -EPROTO;
4082
1da177e4
LT		 4083 scid = __le16_to_cpu(rsp->scid);
4084 flags = __le16_to_cpu(rsp->flags);
4085 result = __le16_to_cpu(rsp->result);
4086
61386cba
AE		 4087 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4088 result, len);
1da177e4 4089
baa7e1fa 4090 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 4091 if (!chan)
1da177e4
LT		 4092 return 0;
4093
4094 switch (result) {
4095 case L2CAP_CONF_SUCCESS:
47d1ec61 4096 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 4097 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 4098 break;
4099
0e8b207e
AE		 4100 case L2CAP_CONF_PENDING:
4101 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4102
4103 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4104 char buf[64];
4105
4106 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4107 buf, &result);
0e8b207e 4108 if (len < 0) {
5e4e3972 4109 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4110 goto done;
4111 }
4112
f351bc72 4113 if (!chan->hs_hcon) {
79de886d
AE		 4114 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4115 0);
5ce66b59
AE		 4116 } else {
4117 if (l2cap_check_efs(chan)) {
4118 amp_create_logical_link(chan);
4119 chan->ident = cmd->ident;
4120 }
4121 }
0e8b207e
AE		 4122 }
4123 goto done;
4124
1da177e4 4125 case L2CAP_CONF_UNACCEPT:
73ffa904 4126 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4127 char req[64];
4128
c2c77ec8 4129 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4130 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4131 goto done;
4132 }
4133
f2fcfcd6
GP		 4134 /* throw out any old stored conf requests */
4135 result = L2CAP_CONF_SUCCESS;
b4450035 4136 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4137 req, &result);
f2fcfcd6 4138 if (len < 0) {
5e4e3972 4139 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4140 goto done;
4141 }
4142
4143 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4144 L2CAP_CONF_REQ, len, req);
73ffa904 4145 chan->num_conf_req++;
f2fcfcd6
GP		 4146 if (result != L2CAP_CONF_SUCCESS)
4147 goto done;
4148 break;
1da177e4
LT		 4149 }
4150
8e87d142 4151 default:
6be36555 4152 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4153
ba13ccd9 4154 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4155 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4156 goto done;
4157 }
4158
59e54bd1 4159 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4160 goto done;
4161
c1360a1c 4162 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4163
c1360a1c 4164 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4165 set_default_fcs(chan);
fcc203c3 4166
105bdf9e
MM		 4167 if (chan->mode == L2CAP_MODE_ERTM ||
4168 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4169 err = l2cap_ertm_init(chan);
0565c1c2 4170
3c588192 4171 if (err < 0)
5e4e3972 4172 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4173 else
4174 l2cap_chan_ready(chan);
1da177e4
LT		 4175 }
4176
4177done:
6be36555 4178 l2cap_chan_unlock(chan);
3c588192 4179 return err;
1da177e4
LT		 4180}
4181
2d792818 4182static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
cb3b3152
JH		 4183 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4184 u8 *data)
1da177e4
LT		 4185{
4186 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4187 struct l2cap_disconn_rsp rsp;
4188 u16 dcid, scid;
48454079 4189 struct l2cap_chan *chan;
1da177e4
LT		 4190 struct sock *sk;
4191
cb3b3152
JH		 4192 if (cmd_len != sizeof(*req))
4193 return -EPROTO;
4194
1da177e4
LT		 4195 scid = __le16_to_cpu(req->scid);
4196 dcid = __le16_to_cpu(req->dcid);
4197
4198 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4199
3df91ea2
AE		 4200 mutex_lock(&conn->chan_lock);
4201
4202 chan = __l2cap_get_chan_by_scid(conn, dcid);
4203 if (!chan) {
4204 mutex_unlock(&conn->chan_lock);
1da177e4 4205 return 0;
3df91ea2 4206 }
1da177e4 4207
6be36555
AE		 4208 l2cap_chan_lock(chan);
4209
48454079
GP		 4210 sk = chan->sk;
4211
fe4128e0
GP		 4212 rsp.dcid = cpu_to_le16(chan->scid);
4213 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4214 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4215
6be36555 4216 lock_sock(sk);
1da177e4 4217 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4218 release_sock(sk);
1da177e4 4219
61d6ef3e 4220 l2cap_chan_hold(chan);
48454079 4221 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4222
4223 l2cap_chan_unlock(chan);
1da177e4 4224
80b98027 4225 chan->ops->close(chan);
61d6ef3e 4226 l2cap_chan_put(chan);
3df91ea2
AE		 4227
4228 mutex_unlock(&conn->chan_lock);
4229
1da177e4
LT		 4230 return 0;
4231}
4232
2d792818 4233static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4234 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4235 u8 *data)
1da177e4
LT		 4236{
4237 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4238 u16 dcid, scid;
48454079 4239 struct l2cap_chan *chan;
1da177e4 4240
cb3b3152
JH		 4241 if (cmd_len != sizeof(*rsp))
4242 return -EPROTO;
4243
1da177e4
LT		 4244 scid = __le16_to_cpu(rsp->scid);
4245 dcid = __le16_to_cpu(rsp->dcid);
4246
4247 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4248
3df91ea2
AE		 4249 mutex_lock(&conn->chan_lock);
4250
4251 chan = __l2cap_get_chan_by_scid(conn, scid);
4252 if (!chan) {
4253 mutex_unlock(&conn->chan_lock);
1da177e4 4254 return 0;
3df91ea2 4255 }
1da177e4 4256
6be36555 4257 l2cap_chan_lock(chan);
48454079 4258
61d6ef3e 4259 l2cap_chan_hold(chan);
48454079 4260 l2cap_chan_del(chan, 0);
6be36555
AE		 4261
4262 l2cap_chan_unlock(chan);
1da177e4 4263
80b98027 4264 chan->ops->close(chan);
61d6ef3e 4265 l2cap_chan_put(chan);
3df91ea2
AE		 4266
4267 mutex_unlock(&conn->chan_lock);
4268
1da177e4
LT		 4269 return 0;
4270}
4271
2d792818 4272static inline int l2cap_information_req(struct l2cap_conn *conn,
cb3b3152
JH		 4273 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4274 u8 *data)
1da177e4
LT		 4275{
4276 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4277 u16 type;
4278
cb3b3152
JH		 4279 if (cmd_len != sizeof(*req))
4280 return -EPROTO;
4281
1da177e4
LT		 4282 type = __le16_to_cpu(req->type);
4283
4284 BT_DBG("type 0x%4.4x", type);
4285
f0709e03
MH		 4286 if (type == L2CAP_IT_FEAT_MASK) {
4287 u8 buf[8];
44dd46de 4288 u32 feat_mask = l2cap_feat_mask;
f0709e03 4289 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4290 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4291 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4292 if (!disable_ertm)
fcc203c3 4293 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4294 | L2CAP_FEAT_FCS;
a5fd6f30 4295 if (enable_hs)
6327eb98 4296 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4297 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4298
1b7bf4ed 4299 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4300 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4301 buf);
e1027a7c
MH		 4302 } else if (type == L2CAP_IT_FIXED_CHAN) {
4303 u8 buf[12];
4304 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4305
4306 if (enable_hs)
4307 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4308 else
4309 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4310
ac73498c
AE		 4311 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4312 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4313 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4314 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4315 buf);
f0709e03
MH		 4316 } else {
4317 struct l2cap_info_rsp rsp;
4318 rsp.type = cpu_to_le16(type);
ac73498c 4319 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4320 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4321 &rsp);
f0709e03 4322 }
1da177e4
LT		 4323
4324 return 0;
4325}
4326
2d792818 4327static inline int l2cap_information_rsp(struct l2cap_conn *conn,
cb3b3152
JH		 4328 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4329 u8 *data)
1da177e4
LT		 4330{
4331 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4332 u16 type, result;
4333
cb3b3152
JH		 4334 if (cmd_len != sizeof(*rsp))
4335 return -EPROTO;
4336
1da177e4
LT		 4337 type = __le16_to_cpu(rsp->type);
4338 result = __le16_to_cpu(rsp->result);
4339
4340 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4341
e90165be
AE		 4342 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4343 if (cmd->ident != conn->info_ident ||
2d792818 4344 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4345 return 0;
4346
17cd3f37 4347 cancel_delayed_work(&conn->info_timer);
4e8402a3 4348
adb08ede
VT		 4349 if (result != L2CAP_IR_SUCCESS) {
4350 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4351 conn->info_ident = 0;
4352
4353 l2cap_conn_start(conn);
4354
4355 return 0;
4356 }
4357
978c93b9
AE		 4358 switch (type) {
4359 case L2CAP_IT_FEAT_MASK:
83985319 4360 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4361
47ec1dcd 4362 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4363 struct l2cap_info_req req;
ac73498c 4364 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4365
4366 conn->info_ident = l2cap_get_ident(conn);
4367
4368 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4369 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4370 } else {
4371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4372 conn->info_ident = 0;
4373
4374 l2cap_conn_start(conn);
4375 }
978c93b9
AE		 4376 break;
4377
4378 case L2CAP_IT_FIXED_CHAN:
4379 conn->fixed_chan_mask = rsp->data[0];
984947dc 4380 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4381 conn->info_ident = 0;
984947dc
MH		 4382
4383 l2cap_conn_start(conn);
978c93b9 4384 break;
984947dc 4385 }
4e8402a3 4386
1da177e4
LT		 4387 return 0;
4388}
4389
1700915f
MM		 4390static int l2cap_create_channel_req(struct l2cap_conn *conn,
4391 struct l2cap_cmd_hdr *cmd,
4392 u16 cmd_len, void *data)
f94ff6ff
MM		 4393{
4394 struct l2cap_create_chan_req *req = data;
6e1df6a6 4395 struct l2cap_create_chan_rsp rsp;
1700915f 4396 struct l2cap_chan *chan;
6e1df6a6 4397 struct hci_dev *hdev;
f94ff6ff
MM		 4398 u16 psm, scid;
4399
4400 if (cmd_len != sizeof(*req))
4401 return -EPROTO;
4402
4403 if (!enable_hs)
4404 return -EINVAL;
4405
4406 psm = le16_to_cpu(req->psm);
4407 scid = le16_to_cpu(req->scid);
4408
ad0ac6ca 4409 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4410
6e1df6a6
AE		 4411 /* For controller id 0 make BR/EDR connection */
4412 if (req->amp_id == HCI_BREDR_ID) {
4413 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4414 req->amp_id);
4415 return 0;
4416 }
1700915f 4417
6e1df6a6
AE		 4418 /* Validate AMP controller id */
4419 hdev = hci_dev_get(req->amp_id);
4420 if (!hdev)
4421 goto error;
1700915f 4422
6e1df6a6
AE		 4423 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4424 hci_dev_put(hdev);
4425 goto error;
4426 }
1700915f 4427
6e1df6a6
AE		 4428 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4429 req->amp_id);
4430 if (chan) {
4431 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4432 struct hci_conn *hs_hcon;
1700915f 4433
6e1df6a6
AE		 4434 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4435 if (!hs_hcon) {
4436 hci_dev_put(hdev);
4437 return -EFAULT;
1700915f
MM		 4438 }
4439
6e1df6a6
AE		 4440 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4441
6e1df6a6
AE		 4442 mgr->bredr_chan = chan;
4443 chan->hs_hcon = hs_hcon;
fd45bf4c 4444 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4445 conn->mtu = hdev->block_mtu;
1700915f 4446 }
f94ff6ff 4447
6e1df6a6 4448 hci_dev_put(hdev);
f94ff6ff
MM		 4449
4450 return 0;
6e1df6a6
AE		 4451
4452error:
4453 rsp.dcid = 0;
4454 rsp.scid = cpu_to_le16(scid);
4455 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4456 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4457
4458 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4459 sizeof(rsp), &rsp);
4460
4461 return -EFAULT;
f94ff6ff
MM		 4462}
4463
8eb200bd
MM		 4464static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4465{
4466 struct l2cap_move_chan_req req;
4467 u8 ident;
4468
4469 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4470
4471 ident = l2cap_get_ident(chan->conn);
4472 chan->ident = ident;
4473
4474 req.icid = cpu_to_le16(chan->scid);
4475 req.dest_amp_id = dest_amp_id;
4476
4477 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4478 &req);
4479
4480 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4481}
4482
1500109b 4483static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4484{
4485 struct l2cap_move_chan_rsp rsp;
4486
1500109b 4487 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4488
1500109b 4489 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4490 rsp.result = cpu_to_le16(result);
4491
1500109b
MM		 4492 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4493 sizeof(rsp), &rsp);
8d5a04a1
MM		 4494}
4495
5b155ef9 4496static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4497{
4498 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4499
5b155ef9 4500 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4501
5b155ef9 4502 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4503
5b155ef9 4504 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4505 cfm.result = cpu_to_le16(result);
4506
5b155ef9
MM		 4507 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4508 sizeof(cfm), &cfm);
4509
4510 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4511}
4512
4513static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4514{
4515 struct l2cap_move_chan_cfm cfm;
4516
4517 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4518
4519 cfm.icid = cpu_to_le16(icid);
4520 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4521
4522 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4523 sizeof(cfm), &cfm);
8d5a04a1
MM		 4524}
4525
4526static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4527 u16 icid)
8d5a04a1
MM		 4528{
4529 struct l2cap_move_chan_cfm_rsp rsp;
4530
ad0ac6ca 4531 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4532
4533 rsp.icid = cpu_to_le16(icid);
4534 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4535}
4536
5f3847a4
MM		 4537static void __release_logical_link(struct l2cap_chan *chan)
4538{
4539 chan->hs_hchan = NULL;
4540 chan->hs_hcon = NULL;
4541
4542 /* Placeholder - release the logical link */
4543}
4544
1500109b
MM		 4545static void l2cap_logical_fail(struct l2cap_chan *chan)
4546{
4547 /* Logical link setup failed */
4548 if (chan->state != BT_CONNECTED) {
4549 /* Create channel failure, disconnect */
5e4e3972 4550 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4551 return;
4552 }
4553
4554 switch (chan->move_role) {
4555 case L2CAP_MOVE_ROLE_RESPONDER:
4556 l2cap_move_done(chan);
4557 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4558 break;
4559 case L2CAP_MOVE_ROLE_INITIATOR:
4560 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4561 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4562 /* Remote has only sent pending or
4563 * success responses, clean up
4564 */
4565 l2cap_move_done(chan);
4566 }
4567
4568 /* Other amp move states imply that the move
4569 * has already aborted
4570 */
4571 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4572 break;
4573 }
4574}
4575
4576static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4577 struct hci_chan *hchan)
4578{
4579 struct l2cap_conf_rsp rsp;
1500109b 4580
336178a3 4581 chan->hs_hchan = hchan;
1500109b
MM		 4582 chan->hs_hcon->l2cap_data = chan->conn;
4583
35ba9561 4584 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4585
4586 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4587 int err;
1500109b
MM		 4588
4589 set_default_fcs(chan);
4590
4591 err = l2cap_ertm_init(chan);
4592 if (err < 0)
5e4e3972 4593 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4594 else
4595 l2cap_chan_ready(chan);
4596 }
4597}
4598
4599static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4600 struct hci_chan *hchan)
4601{
4602 chan->hs_hcon = hchan->conn;
4603 chan->hs_hcon->l2cap_data = chan->conn;
4604
4605 BT_DBG("move_state %d", chan->move_state);
4606
4607 switch (chan->move_state) {
4608 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4609 /* Move confirm will be sent after a success
4610 * response is received
4611 */
4612 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4613 break;
4614 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4615 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4616 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4617 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4618 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4619 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4620 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4621 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4622 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4623 }
4624 break;
4625 default:
4626 /* Move was not in expected state, free the channel */
4627 __release_logical_link(chan);
4628
4629 chan->move_state = L2CAP_MOVE_STABLE;
4630 }
4631}
4632
4633/* Call with chan locked */
27695fb4
AE		 4634void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4635 u8 status)
5b155ef9 4636{
1500109b
MM		 4637 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4638
4639 if (status) {
4640 l2cap_logical_fail(chan);
4641 __release_logical_link(chan);
4642 return;
4643 }
4644
4645 if (chan->state != BT_CONNECTED) {
4646 /* Ignore logical link if channel is on BR/EDR */
4647 if (chan->local_amp_id)
4648 l2cap_logical_finish_create(chan, hchan);
4649 } else {
4650 l2cap_logical_finish_move(chan, hchan);
4651 }
5b155ef9
MM		 4652}
4653
3f7a56c4
MM		 4654void l2cap_move_start(struct l2cap_chan *chan)
4655{
4656 BT_DBG("chan %p", chan);
4657
4658 if (chan->local_amp_id == HCI_BREDR_ID) {
4659 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4660 return;
4661 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4662 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4663 /* Placeholder - start physical link setup */
4664 } else {
4665 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4666 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4667 chan->move_id = 0;
4668 l2cap_move_setup(chan);
4669 l2cap_send_move_chan_req(chan, 0);
4670 }
4671}
4672
8eb200bd
MM		 4673static void l2cap_do_create(struct l2cap_chan *chan, int result,
4674 u8 local_amp_id, u8 remote_amp_id)
4675{
62748ca1
AE		 4676 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4677 local_amp_id, remote_amp_id);
4678
12d6cc60
AE		 4679 chan->fcs = L2CAP_FCS_NONE;
4680
62748ca1
AE		 4681 /* Outgoing channel on AMP */
4682 if (chan->state == BT_CONNECT) {
4683 if (result == L2CAP_CR_SUCCESS) {
4684 chan->local_amp_id = local_amp_id;
4685 l2cap_send_create_chan_req(chan, remote_amp_id);
4686 } else {
4687 /* Revert to BR/EDR connect */
4688 l2cap_send_conn_req(chan);
4689 }
4690
4691 return;
4692 }
4693
4694 /* Incoming channel on AMP */
4695 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4696 struct l2cap_conn_rsp rsp;
4697 char buf[128];
4698 rsp.scid = cpu_to_le16(chan->dcid);
4699 rsp.dcid = cpu_to_le16(chan->scid);
4700
8eb200bd
MM		 4701 if (result == L2CAP_CR_SUCCESS) {
4702 /* Send successful response */
62cd50e2
AE		 4703 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4704 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4705 } else {
4706 /* Send negative response */
62cd50e2
AE		 4707 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4708 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4709 }
4710
4711 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4712 sizeof(rsp), &rsp);
4713
4714 if (result == L2CAP_CR_SUCCESS) {
4715 __l2cap_state_change(chan, BT_CONFIG);
4716 set_bit(CONF_REQ_SENT, &chan->conf_state);
4717 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4718 L2CAP_CONF_REQ,
4719 l2cap_build_conf_req(chan, buf), buf);
4720 chan->num_conf_req++;
4721 }
8eb200bd
MM		 4722 }
4723}
4724
4725static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4726 u8 remote_amp_id)
4727{
4728 l2cap_move_setup(chan);
4729 chan->move_id = local_amp_id;
4730 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4731
4732 l2cap_send_move_chan_req(chan, remote_amp_id);
4733}
4734
4735static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4736{
4737 struct hci_chan *hchan = NULL;
4738
4739 /* Placeholder - get hci_chan for logical link */
4740
4741 if (hchan) {
4742 if (hchan->state == BT_CONNECTED) {
4743 /* Logical link is ready to go */
4744 chan->hs_hcon = hchan->conn;
4745 chan->hs_hcon->l2cap_data = chan->conn;
4746 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4747 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4748
4749 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4750 } else {
4751 /* Wait for logical link to be ready */
4752 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4753 }
4754 } else {
4755 /* Logical link not available */
4756 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4757 }
4758}
4759
4760static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4761{
4762 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4763 u8 rsp_result;
4764 if (result == -EINVAL)
4765 rsp_result = L2CAP_MR_BAD_ID;
4766 else
4767 rsp_result = L2CAP_MR_NOT_ALLOWED;
4768
4769 l2cap_send_move_chan_rsp(chan, rsp_result);
4770 }
4771
4772 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4773 chan->move_state = L2CAP_MOVE_STABLE;
4774
4775 /* Restart data transmission */
4776 l2cap_ertm_send(chan);
4777}
4778
a514b17f
AE		 4779/* Invoke with locked chan */
4780void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4781{
770bfefa 4782 u8 local_amp_id = chan->local_amp_id;
fffadc08 4783 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4784
8eb200bd
MM		 4785 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4786 chan, result, local_amp_id, remote_amp_id);
4787
8eb200bd
MM		 4788 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4789 l2cap_chan_unlock(chan);
4790 return;
4791 }
4792
4793 if (chan->state != BT_CONNECTED) {
4794 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4795 } else if (result != L2CAP_MR_SUCCESS) {
4796 l2cap_do_move_cancel(chan, result);
4797 } else {
4798 switch (chan->move_role) {
4799 case L2CAP_MOVE_ROLE_INITIATOR:
4800 l2cap_do_move_initiate(chan, local_amp_id,
4801 remote_amp_id);
4802 break;
4803 case L2CAP_MOVE_ROLE_RESPONDER:
4804 l2cap_do_move_respond(chan, result);
4805 break;
4806 default:
4807 l2cap_do_move_cancel(chan, result);
4808 break;
4809 }
4810 }
8eb200bd
MM		 4811}
4812
8d5a04a1 4813static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4814 struct l2cap_cmd_hdr *cmd,
4815 u16 cmd_len, void *data)
8d5a04a1
MM		 4816{
4817 struct l2cap_move_chan_req *req = data;
1500109b 4818 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4819 struct l2cap_chan *chan;
8d5a04a1
MM		 4820 u16 icid = 0;
4821 u16 result = L2CAP_MR_NOT_ALLOWED;
4822
4823 if (cmd_len != sizeof(*req))
4824 return -EPROTO;
4825
4826 icid = le16_to_cpu(req->icid);
4827
ad0ac6ca 4828 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4829
4830 if (!enable_hs)
4831 return -EINVAL;
4832
02b0fbb9
MM		 4833 chan = l2cap_get_chan_by_dcid(conn, icid);
4834 if (!chan) {
1500109b
MM		 4835 rsp.icid = cpu_to_le16(icid);
4836 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4837 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4838 sizeof(rsp), &rsp);
02b0fbb9
MM		 4839 return 0;
4840 }
4841
1500109b
MM		 4842 chan->ident = cmd->ident;
4843
02b0fbb9
MM		 4844 if (chan->scid < L2CAP_CID_DYN_START ||
4845 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4846 (chan->mode != L2CAP_MODE_ERTM &&
4847 chan->mode != L2CAP_MODE_STREAMING)) {
4848 result = L2CAP_MR_NOT_ALLOWED;
4849 goto send_move_response;
4850 }
4851
4852 if (chan->local_amp_id == req->dest_amp_id) {
4853 result = L2CAP_MR_SAME_ID;
4854 goto send_move_response;
4855 }
4856
4857 if (req->dest_amp_id) {
4858 struct hci_dev *hdev;
4859 hdev = hci_dev_get(req->dest_amp_id);
4860 if (!hdev || hdev->dev_type != HCI_AMP ||
4861 !test_bit(HCI_UP, &hdev->flags)) {
4862 if (hdev)
4863 hci_dev_put(hdev);
4864
4865 result = L2CAP_MR_BAD_ID;
4866 goto send_move_response;
4867 }
4868 hci_dev_put(hdev);
4869 }
4870
4871 /* Detect a move collision. Only send a collision response
4872 * if this side has "lost", otherwise proceed with the move.
4873 * The winner has the larger bd_addr.
4874 */
4875 if ((__chan_is_moving(chan) ||
4876 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4877 bacmp(conn->src, conn->dst) > 0) {
4878 result = L2CAP_MR_COLLISION;
4879 goto send_move_response;
4880 }
4881
02b0fbb9
MM		 4882 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4883 l2cap_move_setup(chan);
4884 chan->move_id = req->dest_amp_id;
4885 icid = chan->dcid;
4886
4887 if (!req->dest_amp_id) {
4888 /* Moving to BR/EDR */
4889 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4890 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4891 result = L2CAP_MR_PEND;
4892 } else {
4893 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4894 result = L2CAP_MR_SUCCESS;
4895 }
4896 } else {
4897 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4898 /* Placeholder - uncomment when amp functions are available */
4899 /*amp_accept_physical(chan, req->dest_amp_id);*/
4900 result = L2CAP_MR_PEND;
4901 }
4902
4903send_move_response:
1500109b 4904 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4905
02b0fbb9
MM		 4906 l2cap_chan_unlock(chan);
4907
8d5a04a1
MM		 4908 return 0;
4909}
4910
5b155ef9
MM		 4911static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4912{
4913 struct l2cap_chan *chan;
4914 struct hci_chan *hchan = NULL;
4915
4916 chan = l2cap_get_chan_by_scid(conn, icid);
4917 if (!chan) {
4918 l2cap_send_move_chan_cfm_icid(conn, icid);
4919 return;
4920 }
4921
4922 __clear_chan_timer(chan);
4923 if (result == L2CAP_MR_PEND)
4924 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4925
4926 switch (chan->move_state) {
4927 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4928 /* Move confirm will be sent when logical link
4929 * is complete.
4930 */
4931 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4932 break;
4933 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4934 if (result == L2CAP_MR_PEND) {
4935 break;
4936 } else if (test_bit(CONN_LOCAL_BUSY,
4937 &chan->conn_state)) {
4938 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4939 } else {
4940 /* Logical link is up or moving to BR/EDR,
4941 * proceed with move
4942 */
4943 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4944 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4945 }
4946 break;
4947 case L2CAP_MOVE_WAIT_RSP:
4948 /* Moving to AMP */
4949 if (result == L2CAP_MR_SUCCESS) {
4950 /* Remote is ready, send confirm immediately
4951 * after logical link is ready
4952 */
4953 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4954 } else {
4955 /* Both logical link and move success
4956 * are required to confirm
4957 */
4958 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4959 }
4960
4961 /* Placeholder - get hci_chan for logical link */
4962 if (!hchan) {
4963 /* Logical link not available */
4964 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4965 break;
4966 }
4967
4968 /* If the logical link is not yet connected, do not
4969 * send confirmation.
4970 */
4971 if (hchan->state != BT_CONNECTED)
4972 break;
4973
4974 /* Logical link is already ready to go */
4975
4976 chan->hs_hcon = hchan->conn;
4977 chan->hs_hcon->l2cap_data = chan->conn;
4978
4979 if (result == L2CAP_MR_SUCCESS) {
4980 /* Can confirm now */
4981 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4982 } else {
4983 /* Now only need move success
4984 * to confirm
4985 */
4986 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4987 }
4988
4989 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4990 break;
4991 default:
4992 /* Any other amp move state means the move failed. */
4993 chan->move_id = chan->local_amp_id;
4994 l2cap_move_done(chan);
4995 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4996 }
4997
4998 l2cap_chan_unlock(chan);
4999}
5000
5001static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5002 u16 result)
5003{
5004 struct l2cap_chan *chan;
5005
5006 chan = l2cap_get_chan_by_ident(conn, ident);
5007 if (!chan) {
5008 /* Could not locate channel, icid is best guess */
5009 l2cap_send_move_chan_cfm_icid(conn, icid);
5010 return;
5011 }
5012
5013 __clear_chan_timer(chan);
5014
5015 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5016 if (result == L2CAP_MR_COLLISION) {
5017 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5018 } else {
5019 /* Cleanup - cancel move */
5020 chan->move_id = chan->local_amp_id;
5021 l2cap_move_done(chan);
5022 }
5023 }
5024
5025 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5026
5027 l2cap_chan_unlock(chan);
5028}
5029
5030static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5031 struct l2cap_cmd_hdr *cmd,
5032 u16 cmd_len, void *data)
8d5a04a1
MM		 5033{
5034 struct l2cap_move_chan_rsp *rsp = data;
5035 u16 icid, result;
5036
5037 if (cmd_len != sizeof(*rsp))
5038 return -EPROTO;
5039
5040 icid = le16_to_cpu(rsp->icid);
5041 result = le16_to_cpu(rsp->result);
5042
ad0ac6ca 5043 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5044
5b155ef9
MM		 5045 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5046 l2cap_move_continue(conn, icid, result);
5047 else
5048 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 5049
5050 return 0;
5051}
5052
5f3847a4
MM		 5053static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5054 struct l2cap_cmd_hdr *cmd,
5055 u16 cmd_len, void *data)
8d5a04a1
MM		 5056{
5057 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 5058 struct l2cap_chan *chan;
8d5a04a1
MM		 5059 u16 icid, result;
5060
5061 if (cmd_len != sizeof(*cfm))
5062 return -EPROTO;
5063
5064 icid = le16_to_cpu(cfm->icid);
5065 result = le16_to_cpu(cfm->result);
5066
ad0ac6ca 5067 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 5068
5f3847a4
MM		 5069 chan = l2cap_get_chan_by_dcid(conn, icid);
5070 if (!chan) {
5071 /* Spec requires a response even if the icid was not found */
5072 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5073 return 0;
5074 }
5075
5076 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5077 if (result == L2CAP_MC_CONFIRMED) {
5078 chan->local_amp_id = chan->move_id;
5079 if (!chan->local_amp_id)
5080 __release_logical_link(chan);
5081 } else {
5082 chan->move_id = chan->local_amp_id;
5083 }
5084
5085 l2cap_move_done(chan);
5086 }
5087
8d5a04a1
MM		 5088 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5089
5f3847a4
MM		 5090 l2cap_chan_unlock(chan);
5091
8d5a04a1
MM		 5092 return 0;
5093}
5094
5095static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 5096 struct l2cap_cmd_hdr *cmd,
5097 u16 cmd_len, void *data)
8d5a04a1
MM		 5098{
5099 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 5100 struct l2cap_chan *chan;
8d5a04a1
MM		 5101 u16 icid;
5102
5103 if (cmd_len != sizeof(*rsp))
5104 return -EPROTO;
5105
5106 icid = le16_to_cpu(rsp->icid);
5107
ad0ac6ca 5108 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 5109
3fd71a0a
MM		 5110 chan = l2cap_get_chan_by_scid(conn, icid);
5111 if (!chan)
5112 return 0;
5113
5114 __clear_chan_timer(chan);
5115
5116 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5117 chan->local_amp_id = chan->move_id;
5118
5119 if (!chan->local_amp_id && chan->hs_hchan)
5120 __release_logical_link(chan);
5121
5122 l2cap_move_done(chan);
5123 }
5124
5125 l2cap_chan_unlock(chan);
5126
8d5a04a1
MM		 5127 return 0;
5128}
5129
e2174ca4 5130static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5131 u16 to_multiplier)
de73115a
CT		 5132{
5133 u16 max_latency;
5134
5135 if (min > max || min < 6 || max > 3200)
5136 return -EINVAL;
5137
5138 if (to_multiplier < 10 || to_multiplier > 3200)
5139 return -EINVAL;
5140
5141 if (max >= to_multiplier * 8)
5142 return -EINVAL;
5143
5144 max_latency = (to_multiplier * 8 / max) - 1;
5145 if (latency > 499 || latency > max_latency)
5146 return -EINVAL;
5147
5148 return 0;
5149}
5150
5151static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5152 struct l2cap_cmd_hdr *cmd,
5153 u8 *data)
de73115a
CT		 5154{
5155 struct hci_conn *hcon = conn->hcon;
5156 struct l2cap_conn_param_update_req *req;
5157 struct l2cap_conn_param_update_rsp rsp;
5158 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5159 int err;
de73115a
CT		 5160
5161 if (!(hcon->link_mode & HCI_LM_MASTER))
5162 return -EINVAL;
5163
5164 cmd_len = __le16_to_cpu(cmd->len);
5165 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5166 return -EPROTO;
5167
5168 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5169 min = __le16_to_cpu(req->min);
5170 max = __le16_to_cpu(req->max);
de73115a
CT		 5171 latency = __le16_to_cpu(req->latency);
5172 to_multiplier = __le16_to_cpu(req->to_multiplier);
5173
5174 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5175 min, max, latency, to_multiplier);
de73115a
CT		 5176
5177 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5178
5179 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5180 if (err)
ac73498c 5181 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5182 else
ac73498c 5183 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5184
5185 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5186 sizeof(rsp), &rsp);
de73115a 5187
2ce603eb
CT		 5188 if (!err)
5189 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5190
de73115a
CT		 5191 return 0;
5192}
5193
3300d9a9 5194static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5195 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5196 u8 *data)
3300d9a9
CT		 5197{
5198 int err = 0;
5199
5200 switch (cmd->code) {
5201 case L2CAP_COMMAND_REJ:
cb3b3152 5202 l2cap_command_rej(conn, cmd, cmd_len, data);
3300d9a9
CT		 5203 break;
5204
5205 case L2CAP_CONN_REQ:
cb3b3152 5206 err = l2cap_connect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5207 break;
5208
5209 case L2CAP_CONN_RSP:
f5a2598d 5210 case L2CAP_CREATE_CHAN_RSP:
cb3b3152 5211 err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5212 break;
5213
5214 case L2CAP_CONF_REQ:
5215 err = l2cap_config_req(conn, cmd, cmd_len, data);
5216 break;
5217
5218 case L2CAP_CONF_RSP:
cb3b3152 5219 err = l2cap_config_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5220 break;
5221
5222 case L2CAP_DISCONN_REQ:
cb3b3152 5223 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5224 break;
5225
5226 case L2CAP_DISCONN_RSP:
cb3b3152 5227 err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5228 break;
5229
5230 case L2CAP_ECHO_REQ:
5231 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5232 break;
5233
5234 case L2CAP_ECHO_RSP:
5235 break;
5236
5237 case L2CAP_INFO_REQ:
cb3b3152 5238 err = l2cap_information_req(conn, cmd, cmd_len, data);
3300d9a9
CT		 5239 break;
5240
5241 case L2CAP_INFO_RSP:
cb3b3152 5242 err = l2cap_information_rsp(conn, cmd, cmd_len, data);
3300d9a9
CT		 5243 break;
5244
f94ff6ff
MM		 5245 case L2CAP_CREATE_CHAN_REQ:
5246 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5247 break;
5248
8d5a04a1
MM		 5249 case L2CAP_MOVE_CHAN_REQ:
5250 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5251 break;
5252
5253 case L2CAP_MOVE_CHAN_RSP:
5254 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5255 break;
5256
5257 case L2CAP_MOVE_CHAN_CFM:
5258 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5259 break;
5260
5261 case L2CAP_MOVE_CHAN_CFM_RSP:
5262 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5263 break;
5264
3300d9a9
CT		 5265 default:
5266 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5267 err = -EINVAL;
5268 break;
5269 }
5270
5271 return err;
5272}
5273
5274static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5275 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5276{
5277 switch (cmd->code) {
5278 case L2CAP_COMMAND_REJ:
5279 return 0;
5280
5281 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5282 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5283
5284 case L2CAP_CONN_PARAM_UPDATE_RSP:
5285 return 0;
5286
5287 default:
5288 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5289 return -EINVAL;
5290 }
5291}
5292
c5623556
JH		 5293static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5294 struct sk_buff *skb)
5295{
5296 u8 *data = skb->data;
5297 int len = skb->len;
5298 struct l2cap_cmd_hdr cmd;
5299 int err;
5300
5301 l2cap_raw_recv(conn, skb);
5302
5303 while (len >= L2CAP_CMD_HDR_SIZE) {
5304 u16 cmd_len;
5305 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5306 data += L2CAP_CMD_HDR_SIZE;
5307 len -= L2CAP_CMD_HDR_SIZE;
5308
5309 cmd_len = le16_to_cpu(cmd.len);
5310
5311 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5312 cmd.ident);
5313
5314 if (cmd_len > len || !cmd.ident) {
5315 BT_DBG("corrupted command");
5316 break;
5317 }
5318
5319 err = l2cap_le_sig_cmd(conn, &cmd, data);
5320 if (err) {
5321 struct l2cap_cmd_rej_unk rej;
5322
5323 BT_ERR("Wrong link type (%d)", err);
5324
5325 /* FIXME: Map err to a valid reason */
5326 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5327 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5328 sizeof(rej), &rej);
5329 }
5330
5331 data += cmd_len;
5332 len -= cmd_len;
5333 }
5334
5335 kfree_skb(skb);
5336}
5337
3300d9a9 5338static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5339 struct sk_buff *skb)
1da177e4
LT		 5340{
5341 u8 *data = skb->data;
5342 int len = skb->len;
5343 struct l2cap_cmd_hdr cmd;
3300d9a9 5344 int err;
1da177e4
LT		 5345
5346 l2cap_raw_recv(conn, skb);
5347
5348 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5349 u16 cmd_len;
1da177e4
LT		 5350 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5351 data += L2CAP_CMD_HDR_SIZE;
5352 len -= L2CAP_CMD_HDR_SIZE;
5353
88219a0f 5354 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5355
2d792818
GP		 5356 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5357 cmd.ident);
1da177e4 5358
88219a0f 5359 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5360 BT_DBG("corrupted command");
5361 break;
5362 }
5363
c5623556 5364 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4 5365 if (err) {
e2fd318e 5366 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5367
5368 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5369
5370 /* FIXME: Map err to a valid reason */
ac73498c 5371 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5372 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5373 sizeof(rej), &rej);
1da177e4
LT		 5374 }
5375
88219a0f
AV		 5376 data += cmd_len;
5377 len -= cmd_len;
1da177e4
LT		 5378 }
5379
5380 kfree_skb(skb);
5381}
5382
47d1ec61 5383static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5384{
5385 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5386 int hdr_size;
5387
5388 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5389 hdr_size = L2CAP_EXT_HDR_SIZE;
5390 else
5391 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5392
47d1ec61 5393 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5394 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5395 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5396 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5397
5398 if (our_fcs != rcv_fcs)
7a560e5c 5399 return -EBADMSG;
fcc203c3
GP		 5400 }
5401 return 0;
5402}
5403
6ea00485 5404static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5405{
e31f7633 5406 struct l2cap_ctrl control;
d5392c8f 5407
e31f7633 5408 BT_DBG("chan %p", chan);
d5392c8f 5409
e31f7633
MM		 5410 memset(&control, 0, sizeof(control));
5411 control.sframe = 1;
5412 control.final = 1;
5413 control.reqseq = chan->buffer_seq;
5414 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5415
e2ab4353 5416 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5417 control.super = L2CAP_SUPER_RNR;
5418 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5419 }
5420
e31f7633
MM		 5421 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5422 chan->unacked_frames > 0)
5423 __set_retrans_timer(chan);
d5392c8f 5424
e31f7633 5425 /* Send pending iframes */
525cd185 5426 l2cap_ertm_send(chan);
d5392c8f 5427
e2ab4353 5428 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5429 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5430 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5431 * send it now.
5432 */
5433 control.super = L2CAP_SUPER_RR;
5434 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5435 }
5436}
5437
2d792818
GP		 5438static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5439 struct sk_buff **last_frag)
18778a63 5440{
84084a31
MM		 5441 /* skb->len reflects data in skb as well as all fragments
5442 * skb->data_len reflects only data in fragments
5443 */
5444 if (!skb_has_frag_list(skb))
5445 skb_shinfo(skb)->frag_list = new_frag;
5446
5447 new_frag->next = NULL;
5448
5449 (*last_frag)->next = new_frag;
5450 *last_frag = new_frag;
5451
5452 skb->len += new_frag->len;
5453 skb->data_len += new_frag->len;
5454 skb->truesize += new_frag->truesize;
5455}
5456
4b51dae9
MM		 5457static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5458 struct l2cap_ctrl *control)
84084a31
MM		 5459{
5460 int err = -EINVAL;
18778a63 5461
4b51dae9 5462 switch (control->sar) {
7e0ef6ee 5463 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5464 if (chan->sdu)
5465 break;
18778a63 5466
80b98027 5467 err = chan->ops->recv(chan, skb);
84084a31 5468 break;
18778a63 5469
7e0ef6ee 5470 case L2CAP_SAR_START:
84084a31
MM		 5471 if (chan->sdu)
5472 break;
18778a63 5473
6f61fd47 5474 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5475 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5476
84084a31
MM		 5477 if (chan->sdu_len > chan->imtu) {
5478 err = -EMSGSIZE;
5479 break;
5480 }
1890d36b 5481
84084a31
MM		 5482 if (skb->len >= chan->sdu_len)
5483 break;
18778a63 5484
84084a31
MM		 5485 chan->sdu = skb;
5486 chan->sdu_last_frag = skb;
18778a63 5487
84084a31
MM		 5488 skb = NULL;
5489 err = 0;
18778a63
GP		 5490 break;
5491
7e0ef6ee 5492 case L2CAP_SAR_CONTINUE:
6f61fd47 5493 if (!chan->sdu)
84084a31 5494 break;
18778a63 5495
84084a31
MM		 5496 append_skb_frag(chan->sdu, skb,
5497 &chan->sdu_last_frag);
5498 skb = NULL;
18778a63 5499
84084a31
MM		 5500 if (chan->sdu->len >= chan->sdu_len)
5501 break;
4178ba46 5502
84084a31 5503 err = 0;
18778a63
GP		 5504 break;
5505
7e0ef6ee 5506 case L2CAP_SAR_END:
6f61fd47 5507 if (!chan->sdu)
84084a31 5508 break;
18778a63 5509
84084a31
MM		 5510 append_skb_frag(chan->sdu, skb,
5511 &chan->sdu_last_frag);
5512 skb = NULL;
4178ba46 5513
84084a31
MM		 5514 if (chan->sdu->len != chan->sdu_len)
5515 break;
18778a63 5516
80b98027 5517 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5518
84084a31
MM		 5519 if (!err) {
5520 /* Reassembly complete */
5521 chan->sdu = NULL;
5522 chan->sdu_last_frag = NULL;
5523 chan->sdu_len = 0;
1890d36b 5524 }
18778a63
GP		 5525 break;
5526 }
5527
84084a31
MM		 5528 if (err) {
5529 kfree_skb(skb);
5530 kfree_skb(chan->sdu);
5531 chan->sdu = NULL;
5532 chan->sdu_last_frag = NULL;
5533 chan->sdu_len = 0;
5534 }
18778a63 5535
84084a31 5536 return err;
18778a63
GP		 5537}
5538
32b32735
MM		 5539static int l2cap_resegment(struct l2cap_chan *chan)
5540{
5541 /* Placeholder */
5542 return 0;
5543}
5544
61aa4f5b 5545void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5546{
61aa4f5b 5547 u8 event;
712132eb 5548
61aa4f5b
MM		 5549 if (chan->mode != L2CAP_MODE_ERTM)
5550 return;
712132eb 5551
61aa4f5b 5552 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5553 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5554}
5555
d2a7ac5d
MM		 5556static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5557{
63838725
MM		 5558 int err = 0;
5559 /* Pass sequential frames to l2cap_reassemble_sdu()
5560 * until a gap is encountered.
5561 */
5562
5563 BT_DBG("chan %p", chan);
5564
5565 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5566 struct sk_buff *skb;
5567 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5568 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5569
5570 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5571
5572 if (!skb)
5573 break;
5574
5575 skb_unlink(skb, &chan->srej_q);
5576 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5577 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5578 if (err)
5579 break;
5580 }
5581
5582 if (skb_queue_empty(&chan->srej_q)) {
5583 chan->rx_state = L2CAP_RX_STATE_RECV;
5584 l2cap_send_ack(chan);
5585 }
5586
5587 return err;
d2a7ac5d
MM		 5588}
5589
5590static void l2cap_handle_srej(struct l2cap_chan *chan,
5591 struct l2cap_ctrl *control)
5592{
f80842a8
MM		 5593 struct sk_buff *skb;
5594
5595 BT_DBG("chan %p, control %p", chan, control);
5596
5597 if (control->reqseq == chan->next_tx_seq) {
5598 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5599 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5600 return;
5601 }
5602
5603 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5604
5605 if (skb == NULL) {
5606 BT_DBG("Seq %d not available for retransmission",
5607 control->reqseq);
5608 return;
5609 }
5610
5611 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5612 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5613 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5614 return;
5615 }
5616
5617 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5618
5619 if (control->poll) {
5620 l2cap_pass_to_tx(chan, control);
5621
5622 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5623 l2cap_retransmit(chan, control);
5624 l2cap_ertm_send(chan);
5625
5626 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5627 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5628 chan->srej_save_reqseq = control->reqseq;
5629 }
5630 } else {
5631 l2cap_pass_to_tx_fbit(chan, control);
5632
5633 if (control->final) {
5634 if (chan->srej_save_reqseq != control->reqseq ||
5635 !test_and_clear_bit(CONN_SREJ_ACT,
5636 &chan->conn_state))
5637 l2cap_retransmit(chan, control);
5638 } else {
5639 l2cap_retransmit(chan, control);
5640 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5641 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5642 chan->srej_save_reqseq = control->reqseq;
5643 }
5644 }
5645 }
d2a7ac5d
MM		 5646}
5647
5648static void l2cap_handle_rej(struct l2cap_chan *chan,
5649 struct l2cap_ctrl *control)
5650{
fcd289df
MM		 5651 struct sk_buff *skb;
5652
5653 BT_DBG("chan %p, control %p", chan, control);
5654
5655 if (control->reqseq == chan->next_tx_seq) {
5656 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5657 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5658 return;
5659 }
5660
5661 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5662
5663 if (chan->max_tx && skb &&
5664 bt_cb(skb)->control.retries >= chan->max_tx) {
5665 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5666 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5667 return;
5668 }
5669
5670 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5671
5672 l2cap_pass_to_tx(chan, control);
5673
5674 if (control->final) {
5675 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5676 l2cap_retransmit_all(chan, control);
5677 } else {
5678 l2cap_retransmit_all(chan, control);
5679 l2cap_ertm_send(chan);
5680 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5681 set_bit(CONN_REJ_ACT, &chan->conn_state);
5682 }
d2a7ac5d
MM		 5683}
5684
4b51dae9
MM		 5685static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5686{
5687 BT_DBG("chan %p, txseq %d", chan, txseq);
5688
5689 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5690 chan->expected_tx_seq);
5691
5692 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5693 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5694 chan->tx_win) {
4b51dae9
MM		 5695 /* See notes below regarding "double poll" and
5696 * invalid packets.
5697 */
5698 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5699 BT_DBG("Invalid/Ignore - after SREJ");
5700 return L2CAP_TXSEQ_INVALID_IGNORE;
5701 } else {
5702 BT_DBG("Invalid - in window after SREJ sent");
5703 return L2CAP_TXSEQ_INVALID;
5704 }
5705 }
5706
5707 if (chan->srej_list.head == txseq) {
5708 BT_DBG("Expected SREJ");
5709 return L2CAP_TXSEQ_EXPECTED_SREJ;
5710 }
5711
5712 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5713 BT_DBG("Duplicate SREJ - txseq already stored");
5714 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5715 }
5716
5717 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5718 BT_DBG("Unexpected SREJ - not requested");
5719 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5720 }
5721 }
5722
5723 if (chan->expected_tx_seq == txseq) {
5724 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5725 chan->tx_win) {
5726 BT_DBG("Invalid - txseq outside tx window");
5727 return L2CAP_TXSEQ_INVALID;
5728 } else {
5729 BT_DBG("Expected");
5730 return L2CAP_TXSEQ_EXPECTED;
5731 }
5732 }
5733
5734 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5735 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5736 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5737 return L2CAP_TXSEQ_DUPLICATE;
5738 }
5739
5740 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5741 /* A source of invalid packets is a "double poll" condition,
5742 * where delays cause us to send multiple poll packets. If
5743 * the remote stack receives and processes both polls,
5744 * sequence numbers can wrap around in such a way that a
5745 * resent frame has a sequence number that looks like new data
5746 * with a sequence gap. This would trigger an erroneous SREJ
5747 * request.
5748 *
5749 * Fortunately, this is impossible with a tx window that's
5750 * less than half of the maximum sequence number, which allows
5751 * invalid frames to be safely ignored.
5752 *
5753 * With tx window sizes greater than half of the tx window
5754 * maximum, the frame is invalid and cannot be ignored. This
5755 * causes a disconnect.
5756 */
5757
5758 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5759 BT_DBG("Invalid/Ignore - txseq outside tx window");
5760 return L2CAP_TXSEQ_INVALID_IGNORE;
5761 } else {
5762 BT_DBG("Invalid - txseq outside tx window");
5763 return L2CAP_TXSEQ_INVALID;
5764 }
5765 } else {
5766 BT_DBG("Unexpected - txseq indicates missing frames");
5767 return L2CAP_TXSEQ_UNEXPECTED;
5768 }
5769}
5770
d2a7ac5d
MM		 5771static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5772 struct l2cap_ctrl *control,
5773 struct sk_buff *skb, u8 event)
5774{
5775 int err = 0;
5776 bool skb_in_use = 0;
5777
5778 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5779 event);
5780
5781 switch (event) {
5782 case L2CAP_EV_RECV_IFRAME:
5783 switch (l2cap_classify_txseq(chan, control->txseq)) {
5784 case L2CAP_TXSEQ_EXPECTED:
5785 l2cap_pass_to_tx(chan, control);
5786
5787 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5788 BT_DBG("Busy, discarding expected seq %d",
5789 control->txseq);
5790 break;
5791 }
5792
5793 chan->expected_tx_seq = __next_seq(chan,
5794 control->txseq);
5795
5796 chan->buffer_seq = chan->expected_tx_seq;
5797 skb_in_use = 1;
5798
5799 err = l2cap_reassemble_sdu(chan, skb, control);
5800 if (err)
5801 break;
5802
5803 if (control->final) {
5804 if (!test_and_clear_bit(CONN_REJ_ACT,
5805 &chan->conn_state)) {
5806 control->final = 0;
5807 l2cap_retransmit_all(chan, control);
5808 l2cap_ertm_send(chan);
5809 }
5810 }
5811
5812 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5813 l2cap_send_ack(chan);
5814 break;
5815 case L2CAP_TXSEQ_UNEXPECTED:
5816 l2cap_pass_to_tx(chan, control);
5817
5818 /* Can't issue SREJ frames in the local busy state.
5819 * Drop this frame, it will be seen as missing
5820 * when local busy is exited.
5821 */
5822 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5823 BT_DBG("Busy, discarding unexpected seq %d",
5824 control->txseq);
5825 break;
5826 }
5827
5828 /* There was a gap in the sequence, so an SREJ
5829 * must be sent for each missing frame. The
5830 * current frame is stored for later use.
5831 */
5832 skb_queue_tail(&chan->srej_q, skb);
5833 skb_in_use = 1;
5834 BT_DBG("Queued %p (queue len %d)", skb,
5835 skb_queue_len(&chan->srej_q));
5836
5837 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5838 l2cap_seq_list_clear(&chan->srej_list);
5839 l2cap_send_srej(chan, control->txseq);
5840
5841 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5842 break;
5843 case L2CAP_TXSEQ_DUPLICATE:
5844 l2cap_pass_to_tx(chan, control);
5845 break;
5846 case L2CAP_TXSEQ_INVALID_IGNORE:
5847 break;
5848 case L2CAP_TXSEQ_INVALID:
5849 default:
5e4e3972 5850 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5851 break;
5852 }
5853 break;
5854 case L2CAP_EV_RECV_RR:
5855 l2cap_pass_to_tx(chan, control);
5856 if (control->final) {
5857 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5858
e6a3ee6e
MM		 5859 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5860 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5861 control->final = 0;
5862 l2cap_retransmit_all(chan, control);
5863 }
5864
5865 l2cap_ertm_send(chan);
5866 } else if (control->poll) {
5867 l2cap_send_i_or_rr_or_rnr(chan);
5868 } else {
5869 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5870 &chan->conn_state) &&
5871 chan->unacked_frames)
5872 __set_retrans_timer(chan);
5873
5874 l2cap_ertm_send(chan);
5875 }
5876 break;
5877 case L2CAP_EV_RECV_RNR:
5878 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5879 l2cap_pass_to_tx(chan, control);
5880 if (control && control->poll) {
5881 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5882 l2cap_send_rr_or_rnr(chan, 0);
5883 }
5884 __clear_retrans_timer(chan);
5885 l2cap_seq_list_clear(&chan->retrans_list);
5886 break;
5887 case L2CAP_EV_RECV_REJ:
5888 l2cap_handle_rej(chan, control);
5889 break;
5890 case L2CAP_EV_RECV_SREJ:
5891 l2cap_handle_srej(chan, control);
5892 break;
5893 default:
5894 break;
5895 }
5896
5897 if (skb && !skb_in_use) {
5898 BT_DBG("Freeing %p", skb);
5899 kfree_skb(skb);
5900 }
5901
5902 return err;
5903}
5904
5905static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5906 struct l2cap_ctrl *control,
5907 struct sk_buff *skb, u8 event)
5908{
5909 int err = 0;
5910 u16 txseq = control->txseq;
5911 bool skb_in_use = 0;
5912
5913 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5914 event);
5915
5916 switch (event) {
5917 case L2CAP_EV_RECV_IFRAME:
5918 switch (l2cap_classify_txseq(chan, txseq)) {
5919 case L2CAP_TXSEQ_EXPECTED:
5920 /* Keep frame for reassembly later */
5921 l2cap_pass_to_tx(chan, control);
5922 skb_queue_tail(&chan->srej_q, skb);
5923 skb_in_use = 1;
5924 BT_DBG("Queued %p (queue len %d)", skb,
5925 skb_queue_len(&chan->srej_q));
5926
5927 chan->expected_tx_seq = __next_seq(chan, txseq);
5928 break;
5929 case L2CAP_TXSEQ_EXPECTED_SREJ:
5930 l2cap_seq_list_pop(&chan->srej_list);
5931
5932 l2cap_pass_to_tx(chan, control);
5933 skb_queue_tail(&chan->srej_q, skb);
5934 skb_in_use = 1;
5935 BT_DBG("Queued %p (queue len %d)", skb,
5936 skb_queue_len(&chan->srej_q));
5937
5938 err = l2cap_rx_queued_iframes(chan);
5939 if (err)
5940 break;
5941
5942 break;
5943 case L2CAP_TXSEQ_UNEXPECTED:
5944 /* Got a frame that can't be reassembled yet.
5945 * Save it for later, and send SREJs to cover
5946 * the missing frames.
5947 */
5948 skb_queue_tail(&chan->srej_q, skb);
5949 skb_in_use = 1;
5950 BT_DBG("Queued %p (queue len %d)", skb,
5951 skb_queue_len(&chan->srej_q));
5952
5953 l2cap_pass_to_tx(chan, control);
5954 l2cap_send_srej(chan, control->txseq);
5955 break;
5956 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5957 /* This frame was requested with an SREJ, but
5958 * some expected retransmitted frames are
5959 * missing. Request retransmission of missing
5960 * SREJ'd frames.
5961 */
5962 skb_queue_tail(&chan->srej_q, skb);
5963 skb_in_use = 1;
5964 BT_DBG("Queued %p (queue len %d)", skb,
5965 skb_queue_len(&chan->srej_q));
5966
5967 l2cap_pass_to_tx(chan, control);
5968 l2cap_send_srej_list(chan, control->txseq);
5969 break;
5970 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5971 /* We've already queued this frame. Drop this copy. */
5972 l2cap_pass_to_tx(chan, control);
5973 break;
5974 case L2CAP_TXSEQ_DUPLICATE:
5975 /* Expecting a later sequence number, so this frame
5976 * was already received. Ignore it completely.
5977 */
5978 break;
5979 case L2CAP_TXSEQ_INVALID_IGNORE:
5980 break;
5981 case L2CAP_TXSEQ_INVALID:
5982 default:
5e4e3972 5983 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5984 break;
5985 }
5986 break;
5987 case L2CAP_EV_RECV_RR:
5988 l2cap_pass_to_tx(chan, control);
5989 if (control->final) {
5990 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5991
5992 if (!test_and_clear_bit(CONN_REJ_ACT,
5993 &chan->conn_state)) {
5994 control->final = 0;
5995 l2cap_retransmit_all(chan, control);
5996 }
5997
5998 l2cap_ertm_send(chan);
5999 } else if (control->poll) {
6000 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6001 &chan->conn_state) &&
6002 chan->unacked_frames) {
6003 __set_retrans_timer(chan);
6004 }
6005
6006 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6007 l2cap_send_srej_tail(chan);
6008 } else {
6009 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6010 &chan->conn_state) &&
6011 chan->unacked_frames)
6012 __set_retrans_timer(chan);
6013
6014 l2cap_send_ack(chan);
6015 }
6016 break;
6017 case L2CAP_EV_RECV_RNR:
6018 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6019 l2cap_pass_to_tx(chan, control);
6020 if (control->poll) {
6021 l2cap_send_srej_tail(chan);
6022 } else {
6023 struct l2cap_ctrl rr_control;
6024 memset(&rr_control, 0, sizeof(rr_control));
6025 rr_control.sframe = 1;
6026 rr_control.super = L2CAP_SUPER_RR;
6027 rr_control.reqseq = chan->buffer_seq;
6028 l2cap_send_sframe(chan, &rr_control);
6029 }
6030
6031 break;
6032 case L2CAP_EV_RECV_REJ:
6033 l2cap_handle_rej(chan, control);
6034 break;
6035 case L2CAP_EV_RECV_SREJ:
6036 l2cap_handle_srej(chan, control);
6037 break;
6038 }
6039
6040 if (skb && !skb_in_use) {
6041 BT_DBG("Freeing %p", skb);
6042 kfree_skb(skb);
6043 }
6044
6045 return err;
6046}
6047
32b32735
MM		 6048static int l2cap_finish_move(struct l2cap_chan *chan)
6049{
6050 BT_DBG("chan %p", chan);
6051
6052 chan->rx_state = L2CAP_RX_STATE_RECV;
6053
6054 if (chan->hs_hcon)
6055 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6056 else
6057 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6058
6059 return l2cap_resegment(chan);
6060}
6061
6062static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6063 struct l2cap_ctrl *control,
6064 struct sk_buff *skb, u8 event)
6065{
6066 int err;
6067
6068 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6069 event);
6070
6071 if (!control->poll)
6072 return -EPROTO;
6073
6074 l2cap_process_reqseq(chan, control->reqseq);
6075
6076 if (!skb_queue_empty(&chan->tx_q))
6077 chan->tx_send_head = skb_peek(&chan->tx_q);
6078 else
6079 chan->tx_send_head = NULL;
6080
6081 /* Rewind next_tx_seq to the point expected
6082 * by the receiver.
6083 */
6084 chan->next_tx_seq = control->reqseq;
6085 chan->unacked_frames = 0;
6086
6087 err = l2cap_finish_move(chan);
6088 if (err)
6089 return err;
6090
6091 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6092 l2cap_send_i_or_rr_or_rnr(chan);
6093
6094 if (event == L2CAP_EV_RECV_IFRAME)
6095 return -EPROTO;
6096
6097 return l2cap_rx_state_recv(chan, control, NULL, event);
6098}
6099
6100static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6101 struct l2cap_ctrl *control,
6102 struct sk_buff *skb, u8 event)
6103{
6104 int err;
6105
6106 if (!control->final)
6107 return -EPROTO;
6108
6109 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6110
6111 chan->rx_state = L2CAP_RX_STATE_RECV;
6112 l2cap_process_reqseq(chan, control->reqseq);
6113
6114 if (!skb_queue_empty(&chan->tx_q))
6115 chan->tx_send_head = skb_peek(&chan->tx_q);
6116 else
6117 chan->tx_send_head = NULL;
6118
6119 /* Rewind next_tx_seq to the point expected
6120 * by the receiver.
6121 */
6122 chan->next_tx_seq = control->reqseq;
6123 chan->unacked_frames = 0;
6124
6125 if (chan->hs_hcon)
6126 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6127 else
6128 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6129
6130 err = l2cap_resegment(chan);
6131
6132 if (!err)
6133 err = l2cap_rx_state_recv(chan, control, skb, event);
6134
6135 return err;
6136}
6137
d2a7ac5d
MM		 6138static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6139{
6140 /* Make sure reqseq is for a packet that has been sent but not acked */
6141 u16 unacked;
6142
6143 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6144 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6145}
6146
cec8ab6e
MM		 6147static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6148 struct sk_buff *skb, u8 event)
218bb9df 6149{
d2a7ac5d
MM		 6150 int err = 0;
6151
6152 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6153 control, skb, event, chan->rx_state);
6154
6155 if (__valid_reqseq(chan, control->reqseq)) {
6156 switch (chan->rx_state) {
6157 case L2CAP_RX_STATE_RECV:
6158 err = l2cap_rx_state_recv(chan, control, skb, event);
6159 break;
6160 case L2CAP_RX_STATE_SREJ_SENT:
6161 err = l2cap_rx_state_srej_sent(chan, control, skb,
6162 event);
6163 break;
32b32735
MM		 6164 case L2CAP_RX_STATE_WAIT_P:
6165 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6166 break;
6167 case L2CAP_RX_STATE_WAIT_F:
6168 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6169 break;
d2a7ac5d
MM		 6170 default:
6171 /* shut it down */
6172 break;
6173 }
6174 } else {
6175 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6176 control->reqseq, chan->next_tx_seq,
6177 chan->expected_ack_seq);
5e4e3972 6178 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6179 }
6180
6181 return err;
cec8ab6e
MM		 6182}
6183
6184static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6185 struct sk_buff *skb)
6186{
4b51dae9
MM		 6187 int err = 0;
6188
6189 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6190 chan->rx_state);
6191
6192 if (l2cap_classify_txseq(chan, control->txseq) ==
6193 L2CAP_TXSEQ_EXPECTED) {
6194 l2cap_pass_to_tx(chan, control);
6195
6196 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6197 __next_seq(chan, chan->buffer_seq));
6198
6199 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6200
6201 l2cap_reassemble_sdu(chan, skb, control);
6202 } else {
6203 if (chan->sdu) {
6204 kfree_skb(chan->sdu);
6205 chan->sdu = NULL;
6206 }
6207 chan->sdu_last_frag = NULL;
6208 chan->sdu_len = 0;
6209
6210 if (skb) {
6211 BT_DBG("Freeing %p", skb);
6212 kfree_skb(skb);
6213 }
6214 }
6215
6216 chan->last_acked_seq = control->txseq;
6217 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6218
6219 return err;
cec8ab6e
MM		 6220}
6221
6222static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6223{
6224 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6225 u16 len;
6226 u8 event;
218bb9df 6227
b76bbd66
MM		 6228 __unpack_control(chan, skb);
6229
218bb9df
GP		 6230 len = skb->len;
6231
6232 /*
6233 * We can just drop the corrupted I-frame here.
6234 * Receiver will miss it and start proper recovery
cec8ab6e 6235 * procedures and ask for retransmission.
218bb9df 6236 */
47d1ec61 6237 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6238 goto drop;
6239
cec8ab6e 6240 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6241 len -= L2CAP_SDULEN_SIZE;
218bb9df 6242
47d1ec61 6243 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6244 len -= L2CAP_FCS_SIZE;
218bb9df 6245
47d1ec61 6246 if (len > chan->mps) {
5e4e3972 6247 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6248 goto drop;
6249 }
6250
cec8ab6e
MM		 6251 if (!control->sframe) {
6252 int err;
218bb9df 6253
cec8ab6e
MM		 6254 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6255 control->sar, control->reqseq, control->final,
6256 control->txseq);
218bb9df 6257
cec8ab6e
MM		 6258 /* Validate F-bit - F=0 always valid, F=1 only
6259 * valid in TX WAIT_F
6260 */
6261 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6262 goto drop;
cec8ab6e
MM		 6263
6264 if (chan->mode != L2CAP_MODE_STREAMING) {
6265 event = L2CAP_EV_RECV_IFRAME;
6266 err = l2cap_rx(chan, control, skb, event);
6267 } else {
6268 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6269 }
6270
cec8ab6e 6271 if (err)
5e4e3972 6272 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6273 } else {
cec8ab6e
MM		 6274 const u8 rx_func_to_event[4] = {
6275 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6276 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6277 };
6278
6279 /* Only I-frames are expected in streaming mode */
6280 if (chan->mode == L2CAP_MODE_STREAMING)
6281 goto drop;
6282
6283 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6284 control->reqseq, control->final, control->poll,
6285 control->super);
6286
218bb9df 6287 if (len != 0) {
1bb166e6 6288 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6289 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6290 goto drop;
6291 }
6292
cec8ab6e
MM		 6293 /* Validate F and P bits */
6294 if (control->final && (control->poll ||
6295 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6296 goto drop;
6297
6298 event = rx_func_to_event[control->super];
6299 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6300 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6301 }
6302
6303 return 0;
6304
6305drop:
6306 kfree_skb(skb);
6307 return 0;
6308}
6309
13ca56e0
AE		 6310static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6311 struct sk_buff *skb)
1da177e4 6312{
48454079 6313 struct l2cap_chan *chan;
1da177e4 6314
baa7e1fa 6315 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6316 if (!chan) {
97e8e89d
AE		 6317 if (cid == L2CAP_CID_A2MP) {
6318 chan = a2mp_channel_create(conn, skb);
6319 if (!chan) {
6320 kfree_skb(skb);
13ca56e0 6321 return;
97e8e89d
AE		 6322 }
6323
6324 l2cap_chan_lock(chan);
6325 } else {
6326 BT_DBG("unknown cid 0x%4.4x", cid);
6327 /* Drop packet and return */
6328 kfree_skb(skb);
13ca56e0 6329 return;
97e8e89d 6330 }
1da177e4
LT		 6331 }
6332
49208c9c 6333 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6334
89bc500e 6335 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6336 goto drop;
6337
0c1bc5c6 6338 switch (chan->mode) {
1c2acffb
GP		 6339 case L2CAP_MODE_BASIC:
6340 /* If socket recv buffers overflows we drop data here
6341 * which is *bad* because L2CAP has to be reliable.
6342 * But we don't have any other choice. L2CAP doesn't
6343 * provide flow control mechanism. */
1da177e4 6344
0c1bc5c6 6345 if (chan->imtu < skb->len)
1c2acffb 6346 goto drop;
1da177e4 6347
80b98027 6348 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6349 goto done;
6350 break;
6351
6352 case L2CAP_MODE_ERTM:
6840ed07 6353 case L2CAP_MODE_STREAMING:
cec8ab6e 6354 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6355 goto done;
6356
1c2acffb 6357 default:
0c1bc5c6 6358 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6359 break;
6360 }
1da177e4
LT		 6361
6362drop:
6363 kfree_skb(skb);
6364
6365done:
6be36555 6366 l2cap_chan_unlock(chan);
1da177e4
LT		 6367}
6368
84104b24
AE		 6369static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6370 struct sk_buff *skb)
1da177e4 6371{
23691d75 6372 struct l2cap_chan *chan;
1da177e4 6373
c2287681 6374 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6375 if (!chan)
1da177e4
LT		 6376 goto drop;
6377
5b4cedaa 6378 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6379
89bc500e 6380 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6381 goto drop;
6382
e13e21dc 6383 if (chan->imtu < skb->len)
1da177e4
LT		 6384 goto drop;
6385
80b98027 6386 if (!chan->ops->recv(chan, skb))
84104b24 6387 return;
1da177e4
LT		 6388
6389drop:
6390 kfree_skb(skb);
1da177e4
LT		 6391}
6392
72f78356 6393static void l2cap_att_channel(struct l2cap_conn *conn,
6810fca7 6394 struct sk_buff *skb)
9f69bda6 6395{
23691d75 6396 struct l2cap_chan *chan;
9f69bda6 6397
073d1cf3 6398 chan = l2cap_global_chan_by_scid(0, L2CAP_CID_ATT,
72f78356 6399 conn->src, conn->dst);
23691d75 6400 if (!chan)
9f69bda6
GP		 6401 goto drop;
6402
5b4cedaa 6403 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6404
89bc500e 6405 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6406 goto drop;
6407
e13e21dc 6408 if (chan->imtu < skb->len)
9f69bda6
GP		 6409 goto drop;
6410
80b98027 6411 if (!chan->ops->recv(chan, skb))
6810fca7 6412 return;
9f69bda6
GP		 6413
6414drop:
6415 kfree_skb(skb);
9f69bda6
GP		 6416}
6417
1da177e4
LT		 6418static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6419{
6420 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6421 u16 cid, len;
6422 __le16 psm;
1da177e4
LT		 6423
6424 skb_pull(skb, L2CAP_HDR_SIZE);
6425 cid = __le16_to_cpu(lh->cid);
6426 len = __le16_to_cpu(lh->len);
6427
1c2acffb
GP		 6428 if (len != skb->len) {
6429 kfree_skb(skb);
6430 return;
6431 }
6432
1da177e4
LT		 6433 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6434
6435 switch (cid) {
3300d9a9 6436 case L2CAP_CID_LE_SIGNALING:
c5623556
JH		 6437 l2cap_le_sig_channel(conn, skb);
6438 break;
8db4dc46 6439 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6440 l2cap_sig_channel(conn, skb);
6441 break;
6442
8db4dc46 6443 case L2CAP_CID_CONN_LESS:
097db76c 6444 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6445 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6446 l2cap_conless_channel(conn, psm, skb);
6447 break;
6448
073d1cf3 6449 case L2CAP_CID_ATT:
72f78356 6450 l2cap_att_channel(conn, skb);
9f69bda6
GP		 6451 break;
6452
b501d6a1
AB		 6453 case L2CAP_CID_SMP:
6454 if (smp_sig_channel(conn, skb))
6455 l2cap_conn_del(conn->hcon, EACCES);
6456 break;
6457
1da177e4
LT		 6458 default:
6459 l2cap_data_channel(conn, cid, skb);
6460 break;
6461 }
6462}
6463
6464/* ---- L2CAP interface with lower layer (HCI) ---- */
6465
686ebf28 6466int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6467{
6468 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6469 struct l2cap_chan *c;
1da177e4 6470
6ed93dc6 6471 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6472
6473 /* Find listening sockets and check their link_mode */
23691d75
GP		 6474 read_lock(&chan_list_lock);
6475 list_for_each_entry(c, &chan_list, global_l) {
6476 struct sock *sk = c->sk;
4343478f 6477
89bc500e 6478 if (c->state != BT_LISTEN)
1da177e4
LT		 6479 continue;
6480
6481 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6482 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6483 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6484 lm1 |= HCI_LM_MASTER;
1da177e4 6485 exact++;
2af6b9d5
MH		 6486 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6487 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6488 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6489 lm2 |= HCI_LM_MASTER;
6490 }
1da177e4 6491 }
23691d75 6492 read_unlock(&chan_list_lock);
1da177e4
LT		 6493
6494 return exact ? lm1 : lm2;
6495}
6496
9e664631 6497void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6498{
0139418c
MH		 6499 struct l2cap_conn *conn;
6500
6ed93dc6 6501 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6502
1da177e4 6503 if (!status) {
baf43251 6504 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6505 if (conn)
6506 l2cap_conn_ready(conn);
ba6fc317 6507 } else {
e175072f 6508 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6509 }
1da177e4
LT		 6510}
6511
686ebf28 6512int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6513{
6514 struct l2cap_conn *conn = hcon->l2cap_data;
6515
6516 BT_DBG("hcon %p", hcon);
6517
686ebf28 6518 if (!conn)
9f5a0d7b 6519 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6520 return conn->disc_reason;
6521}
6522
9e664631 6523void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6524{
6525 BT_DBG("hcon %p reason %d", hcon, reason);
6526
e175072f 6527 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6528}
6529
4343478f 6530static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6531{
715ec005 6532 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6533 return;
6534
f62e4323 6535 if (encrypt == 0x00) {
4343478f 6536 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6537 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6538 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6539 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6540 } else {
4343478f 6541 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6542 __clear_chan_timer(chan);
f62e4323
MH		 6543 }
6544}
6545
686ebf28 6546int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6547{
0139418c 6548 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6549 struct l2cap_chan *chan;
1da177e4 6550
0139418c 6551 if (!conn)
1da177e4 6552 return 0;
0139418c 6553
89d8b407 6554 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6555
160dc6ac 6556 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6557 if (!status && encrypt)
6558 smp_distribute_keys(conn, 0);
17cd3f37 6559 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6560 }
6561
3df91ea2 6562 mutex_lock(&conn->chan_lock);
1da177e4 6563
3df91ea2 6564 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6565 l2cap_chan_lock(chan);
1da177e4 6566
89d8b407
AE		 6567 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6568 state_to_string(chan->state));
f1cb9af5 6569
78eb2f98
AE		 6570 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6571 l2cap_chan_unlock(chan);
6572 continue;
6573 }
6574
073d1cf3 6575 if (chan->scid == L2CAP_CID_ATT) {
f1cb9af5
VCG		 6576 if (!status && encrypt) {
6577 chan->sec_level = hcon->sec_level;
cf4cd009 6578 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6579 }
6580
6be36555 6581 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6582 continue;
6583 }
6584
96eff46e 6585 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6586 l2cap_chan_unlock(chan);
6a8d3010
MH		 6587 continue;
6588 }
6589
89bc500e 6590 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6591 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6592 struct sock *sk = chan->sk;
6593
c5daa683 6594 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6595 sk->sk_state_change(sk);
6596
4343478f 6597 l2cap_check_encryption(chan, encrypt);
6be36555 6598 l2cap_chan_unlock(chan);
9719f8af
MH		 6599 continue;
6600 }
6601
89bc500e 6602 if (chan->state == BT_CONNECT) {
b1235d79 6603 if (!status) {
93c3e8f5 6604 l2cap_start_connection(chan);
b1235d79 6605 } else {
ba13ccd9 6606 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6607 }
89bc500e 6608 } else if (chan->state == BT_CONNECT2) {
6be36555 6609 struct sock *sk = chan->sk;
b1235d79 6610 struct l2cap_conn_rsp rsp;
df3c3931 6611 __u16 res, stat;
1da177e4 6612
6be36555
AE		 6613 lock_sock(sk);
6614
b1235d79 6615 if (!status) {
c5daa683
GP		 6616 if (test_bit(BT_SK_DEFER_SETUP,
6617 &bt_sk(sk)->flags)) {
df3c3931
JH		 6618 res = L2CAP_CR_PEND;
6619 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6620 chan->ops->defer(chan);
df3c3931 6621 } else {
0e587be7 6622 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6623 res = L2CAP_CR_SUCCESS;
6624 stat = L2CAP_CS_NO_INFO;
6625 }
b1235d79 6626 } else {
0e587be7 6627 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6628 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6629 res = L2CAP_CR_SEC_BLOCK;
6630 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6631 }
6632
6be36555
AE		 6633 release_sock(sk);
6634
fe4128e0
GP		 6635 rsp.scid = cpu_to_le16(chan->dcid);
6636 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6637 rsp.result = cpu_to_le16(res);
6638 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6639 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6640 sizeof(rsp), &rsp);
2d369359
MM		 6641
6642 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6643 res == L2CAP_CR_SUCCESS) {
6644 char buf[128];
6645 set_bit(CONF_REQ_SENT, &chan->conf_state);
6646 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6647 L2CAP_CONF_REQ,
6648 l2cap_build_conf_req(chan, buf),
6649 buf);
6650 chan->num_conf_req++;
6651 }
b1235d79 6652 }
1da177e4 6653
6be36555 6654 l2cap_chan_unlock(chan);
1da177e4
LT		 6655 }
6656
3df91ea2 6657 mutex_unlock(&conn->chan_lock);
b1235d79 6658
1da177e4
LT		 6659 return 0;
6660}
6661
686ebf28 6662int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6663{
6664 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6665 struct l2cap_hdr *hdr;
6666 int len;
1da177e4 6667
1d13a254
AE		 6668 /* For AMP controller do not create l2cap conn */
6669 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6670 goto drop;
1da177e4 6671
5a08ecce 6672 if (!conn)
baf43251 6673 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6674
6675 if (!conn)
1da177e4
LT		 6676 goto drop;
6677
6678 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6679
d73a0988
AE		 6680 switch (flags) {
6681 case ACL_START:
6682 case ACL_START_NO_FLUSH:
6683 case ACL_COMPLETE:
1da177e4
LT		 6684 if (conn->rx_len) {
6685 BT_ERR("Unexpected start frame (len %d)", skb->len);
6686 kfree_skb(conn->rx_skb);
6687 conn->rx_skb = NULL;
6688 conn->rx_len = 0;
6689 l2cap_conn_unreliable(conn, ECOMM);
6690 }
6691
aae7fe22
AE		 6692 /* Start fragment always begin with Basic L2CAP header */
6693 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6694 BT_ERR("Frame is too short (len %d)", skb->len);
6695 l2cap_conn_unreliable(conn, ECOMM);
6696 goto drop;
6697 }
6698
6699 hdr = (struct l2cap_hdr *) skb->data;
6700 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6701
6702 if (len == skb->len) {
6703 /* Complete frame received */
6704 l2cap_recv_frame(conn, skb);
6705 return 0;
6706 }
6707
6708 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6709
6710 if (skb->len > len) {
6711 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6712 skb->len, len);
1da177e4
LT		 6713 l2cap_conn_unreliable(conn, ECOMM);
6714 goto drop;
6715 }
6716
6717 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6718 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6719 if (!conn->rx_skb)
1da177e4
LT		 6720 goto drop;
6721
d626f62b 6722 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6723 skb->len);
1da177e4 6724 conn->rx_len = len - skb->len;
d73a0988
AE		 6725 break;
6726
6727 case ACL_CONT:
1da177e4
LT		 6728 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6729
6730 if (!conn->rx_len) {
6731 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6732 l2cap_conn_unreliable(conn, ECOMM);
6733 goto drop;
6734 }
6735
6736 if (skb->len > conn->rx_len) {
6737 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6738 skb->len, conn->rx_len);
1da177e4
LT		 6739 kfree_skb(conn->rx_skb);
6740 conn->rx_skb = NULL;
6741 conn->rx_len = 0;
6742 l2cap_conn_unreliable(conn, ECOMM);
6743 goto drop;
6744 }
6745
d626f62b 6746 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6747 skb->len);
1da177e4
LT		 6748 conn->rx_len -= skb->len;
6749
6750 if (!conn->rx_len) {
6751 /* Complete frame received */
6752 l2cap_recv_frame(conn, conn->rx_skb);
6753 conn->rx_skb = NULL;
6754 }
d73a0988 6755 break;
1da177e4
LT		 6756 }
6757
6758drop:
6759 kfree_skb(skb);
6760 return 0;
6761}
6762
aef7d97c 6763static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6764{
23691d75 6765 struct l2cap_chan *c;
1da177e4 6766
333055f2 6767 read_lock(&chan_list_lock);
1da177e4 6768
23691d75
GP		 6769 list_for_each_entry(c, &chan_list, global_l) {
6770 struct sock *sk = c->sk;
101545f6 6771
fcb73338
AE		 6772 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6773 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6774 c->state, __le16_to_cpu(c->psm),
6775 c->scid, c->dcid, c->imtu, c->omtu,
6776 c->sec_level, c->mode);
61e1b4b7 6777 }
1da177e4 6778
333055f2 6779 read_unlock(&chan_list_lock);
1da177e4 6780
aef7d97c 6781 return 0;
1da177e4
LT		 6782}
6783
aef7d97c
MH		 6784static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6785{
6786 return single_open(file, l2cap_debugfs_show, inode->i_private);
6787}
6788
6789static const struct file_operations l2cap_debugfs_fops = {
6790 .open = l2cap_debugfs_open,
6791 .read = seq_read,
6792 .llseek = seq_lseek,
6793 .release = single_release,
6794};
6795
6796static struct dentry *l2cap_debugfs;
1da177e4 6797
64274518 6798int __init l2cap_init(void)
1da177e4
LT		 6799{
6800 int err;
be9d1227 6801
bb58f747 6802 err = l2cap_init_sockets();
1da177e4
LT		 6803 if (err < 0)
6804 return err;
6805
aef7d97c 6806 if (bt_debugfs) {
2d792818
GP		 6807 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6808 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6809 if (!l2cap_debugfs)
6810 BT_ERR("Failed to create L2CAP debug file");
6811 }
1da177e4 6812
1da177e4 6813 return 0;
1da177e4
LT		 6814}
6815
64274518 6816void l2cap_exit(void)
1da177e4 6817{
aef7d97c 6818 debugfs_remove(l2cap_debugfs);
bb58f747 6819 l2cap_cleanup_sockets();
1da177e4
LT		 6820}
6821
d1c4a17d
GP		 6822module_param(disable_ertm, bool, 0644);
6823MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 1.294322 seconds and 5 git commands to generate.