projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Configure appropriate timeouts for AMP controllers
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
1da177e4 41
d1de6d46 42bool disable_ertm;
f0709e03 43
47ec1dcd 44static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 45static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 46
b5ad8b7f
JB		 47static LIST_HEAD(chan_list);
48static DEFINE_RWLOCK(chan_list_lock);
1da177e4 49
1da177e4 50static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 51 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 52static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 53 void *data);
710f9b0a 54static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 55static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 56 struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 509 } else {
510 /* Alloc CID for connection-oriented socket */
fe4128e0 511 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 512 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 513 }
5491120e
AE		 514 break;
515
516 case L2CAP_CHAN_CONN_LESS:
0139418c 517 /* Connectionless socket */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 521 break;
522
416fa752
AE		 523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
528 break;
529
5491120e 530 default:
0139418c 531 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 534 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 535 }
536
8f7975b1
AE		 537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 543
371fd835 544 l2cap_chan_hold(chan);
baa7e1fa 545
3df91ea2 546 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 547}
548
466f8004 549void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 550{
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
3df91ea2 553 mutex_unlock(&conn->chan_lock);
0139418c
MH		 554}
555
466f8004 556void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 557{
8c1d787b 558 struct l2cap_conn *conn = chan->conn;
0139418c 559
c9b66675 560 __clear_chan_timer(chan);
0139418c 561
49208c9c 562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 563
8e87d142 564 if (conn) {
56f60984 565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 566 /* Delete from channel list */
3df91ea2 567 list_del(&chan->list);
3d57dc68 568
371fd835 569 l2cap_chan_put(chan);
baa7e1fa 570
8c1d787b 571 chan->conn = NULL;
3cabbfda
AE		 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon);
56f60984
AE		 575
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
0139418c
MH		 578 }
579
b699ec0d 580 chan->ops->teardown(chan, err);
6be36555 581
2827011f 582 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 583 return;
2ead70b8 584
ee556f66
GP		 585 switch(chan->mode) {
586 case L2CAP_MODE_BASIC:
587 break;
c13ffa62 588
ee556f66 589 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 590 __clear_retrans_timer(chan);
591 __clear_monitor_timer(chan);
592 __clear_ack_timer(chan);
c13ffa62 593
f1c6775b 594 skb_queue_purge(&chan->srej_q);
c13ffa62 595
3c588192
MM		 596 l2cap_seq_list_free(&chan->srej_list);
597 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 598
599 /* fall through */
600
601 case L2CAP_MODE_STREAMING:
602 skb_queue_purge(&chan->tx_q);
603 break;
c13ffa62 604 }
ee556f66
GP		 605
606 return;
0139418c
MH		 607}
608
0f852724 609void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 610{
611 struct l2cap_conn *conn = chan->conn;
612 struct sock *sk = chan->sk;
613
2d792818
GP		 614 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
615 sk);
4519de9a 616
89bc500e 617 switch (chan->state) {
4519de9a 618 case BT_LISTEN:
b699ec0d 619 chan->ops->teardown(chan, 0);
4519de9a
GP		 620 break;
621
622 case BT_CONNECTED:
623 case BT_CONFIG:
715ec005 624 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 625 conn->hcon->type == ACL_LINK) {
c9b66675 626 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 627 l2cap_send_disconn_req(conn, chan, reason);
628 } else
629 l2cap_chan_del(chan, reason);
630 break;
631
632 case BT_CONNECT2:
715ec005 633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 634 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 635 struct l2cap_conn_rsp rsp;
636 __u16 result;
637
c5daa683 638 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 639 result = L2CAP_CR_SEC_BLOCK;
640 else
641 result = L2CAP_CR_BAD_PSM;
89bc500e 642 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 643
644 rsp.scid = cpu_to_le16(chan->dcid);
645 rsp.dcid = cpu_to_le16(chan->scid);
646 rsp.result = cpu_to_le16(result);
ac73498c 647 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 648 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 649 sizeof(rsp), &rsp);
4519de9a
GP		 650 }
651
652 l2cap_chan_del(chan, reason);
653 break;
654
655 case BT_CONNECT:
656 case BT_DISCONN:
657 l2cap_chan_del(chan, reason);
658 break;
659
660 default:
b699ec0d 661 chan->ops->teardown(chan, 0);
4519de9a
GP		 662 break;
663 }
664}
665
4343478f 666static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 667{
715ec005 668 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 669 switch (chan->sec_level) {
8556edd3
JH		 670 case BT_SECURITY_HIGH:
671 return HCI_AT_DEDICATED_BONDING_MITM;
672 case BT_SECURITY_MEDIUM:
673 return HCI_AT_DEDICATED_BONDING;
674 default:
675 return HCI_AT_NO_BONDING;
676 }
2983fd68 677 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 678 if (chan->sec_level == BT_SECURITY_LOW)
679 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 680
4343478f 681 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 682 return HCI_AT_NO_BONDING_MITM;
00ae4af9 683 else
8556edd3 684 return HCI_AT_NO_BONDING;
00ae4af9 685 } else {
4343478f 686 switch (chan->sec_level) {
00ae4af9 687 case BT_SECURITY_HIGH:
8556edd3 688 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 689 case BT_SECURITY_MEDIUM:
8556edd3 690 return HCI_AT_GENERAL_BONDING;
00ae4af9 691 default:
8556edd3 692 return HCI_AT_NO_BONDING;
00ae4af9 693 }
0684e5f9 694 }
8556edd3
JH		 695}
696
697/* Service level security */
d45fc423 698int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 699{
8c1d787b 700 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 701 __u8 auth_type;
702
4343478f 703 auth_type = l2cap_get_auth_type(chan);
79d554a6 704
4343478f 705 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 706}
707
b5ad8b7f 708static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 709{
710 u8 id;
711
712 /* Get next available identificator.
713 * 1 - 128 are used by kernel.
714 * 129 - 199 are reserved.
715 * 200 - 254 are used by utilities like l2ping, etc.
716 */
717
333055f2 718 spin_lock(&conn->lock);
4e8402a3
MH		 719
720 if (++conn->tx_ident > 128)
721 conn->tx_ident = 1;
722
723 id = conn->tx_ident;
724
333055f2 725 spin_unlock(&conn->lock);
4e8402a3
MH		 726
727 return id;
728}
729
2d792818
GP		 730static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
731 void *data)
4e8402a3
MH		 732{
733 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 734 u8 flags;
4e8402a3
MH		 735
736 BT_DBG("code 0x%2.2x", code);
737
738 if (!skb)
9a9c6a34 739 return;
4e8402a3 740
e702112f
AE		 741 if (lmp_no_flush_capable(conn->hcon->hdev))
742 flags = ACL_START_NO_FLUSH;
743 else
744 flags = ACL_START;
745
14b12d0b 746 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 747 skb->priority = HCI_PRIO_MAX;
14b12d0b 748
73d80deb
LAD		 749 hci_send_acl(conn->hchan, skb, flags);
750}
751
02b0fbb9
MM		 752static bool __chan_is_moving(struct l2cap_chan *chan)
753{
754 return chan->move_state != L2CAP_MOVE_STABLE &&
755 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
756}
757
73d80deb
LAD		 758static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
759{
760 struct hci_conn *hcon = chan->conn->hcon;
761 u16 flags;
762
763 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 764 skb->priority);
73d80deb 765
d5f8a75d
MM		 766 if (chan->hs_hcon && !__chan_is_moving(chan)) {
767 if (chan->hs_hchan)
768 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
769 else
770 kfree_skb(skb);
771
772 return;
773 }
774
73d80deb 775 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 776 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 777 flags = ACL_START_NO_FLUSH;
778 else
779 flags = ACL_START;
14b12d0b 780
73d80deb
LAD		 781 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
782 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 783}
784
b76bbd66
MM		 785static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
786{
787 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
788 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
789
790 if (enh & L2CAP_CTRL_FRAME_TYPE) {
791 /* S-Frame */
792 control->sframe = 1;
793 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
794 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
795
796 control->sar = 0;
797 control->txseq = 0;
798 } else {
799 /* I-Frame */
800 control->sframe = 0;
801 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
802 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
803
804 control->poll = 0;
805 control->super = 0;
806 }
807}
808
b76bbd66
MM		 809static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
810{
811 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
812 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
813
814 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
815 /* S-Frame */
816 control->sframe = 1;
817 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
818 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
819
820 control->sar = 0;
821 control->txseq = 0;
822 } else {
823 /* I-Frame */
824 control->sframe = 0;
825 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
826 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
827
828 control->poll = 0;
829 control->super = 0;
830 }
831}
832
833static inline void __unpack_control(struct l2cap_chan *chan,
834 struct sk_buff *skb)
835{
836 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
837 __unpack_extended_control(get_unaligned_le32(skb->data),
838 &bt_cb(skb)->control);
cec8ab6e 839 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 840 } else {
841 __unpack_enhanced_control(get_unaligned_le16(skb->data),
842 &bt_cb(skb)->control);
cec8ab6e 843 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 844 }
845}
846
b5c6aaed
MM		 847static u32 __pack_extended_control(struct l2cap_ctrl *control)
848{
849 u32 packed;
850
851 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
852 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
853
854 if (control->sframe) {
855 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
856 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
857 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
858 } else {
859 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
860 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
861 }
862
863 return packed;
864}
865
866static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
867{
868 u16 packed;
869
870 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
871 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
872
873 if (control->sframe) {
874 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
875 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
876 packed |= L2CAP_CTRL_FRAME_TYPE;
877 } else {
878 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
879 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
880 }
881
882 return packed;
883}
884
b76bbd66
MM		 885static inline void __pack_control(struct l2cap_chan *chan,
886 struct l2cap_ctrl *control,
887 struct sk_buff *skb)
888{
889 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
890 put_unaligned_le32(__pack_extended_control(control),
891 skb->data + L2CAP_HDR_SIZE);
892 } else {
893 put_unaligned_le16(__pack_enhanced_control(control),
894 skb->data + L2CAP_HDR_SIZE);
895 }
896}
897
ba7aa64f
GP		 898static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
899{
900 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
901 return L2CAP_EXT_HDR_SIZE;
902 else
903 return L2CAP_ENH_HDR_SIZE;
904}
905
a67d7f6f
MM		 906static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
907 u32 control)
b5c6aaed
MM		 908{
909 struct sk_buff *skb;
910 struct l2cap_hdr *lh;
ba7aa64f 911 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 912
913 if (chan->fcs == L2CAP_FCS_CRC16)
914 hlen += L2CAP_FCS_SIZE;
915
a67d7f6f 916 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 917
b5c6aaed 918 if (!skb)
a67d7f6f 919 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 920
921 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
922 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
923 lh->cid = cpu_to_le16(chan->dcid);
924
a67d7f6f
MM		 925 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
926 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
927 else
928 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 929
930 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 931 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 932 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
933 }
934
935 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 936 return skb;
937}
938
939static void l2cap_send_sframe(struct l2cap_chan *chan,
940 struct l2cap_ctrl *control)
941{
942 struct sk_buff *skb;
943 u32 control_field;
944
945 BT_DBG("chan %p, control %p", chan, control);
946
947 if (!control->sframe)
948 return;
949
b99e13ad
MM		 950 if (__chan_is_moving(chan))
951 return;
952
a67d7f6f
MM		 953 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
954 !control->poll)
955 control->final = 1;
956
957 if (control->super == L2CAP_SUPER_RR)
958 clear_bit(CONN_RNR_SENT, &chan->conn_state);
959 else if (control->super == L2CAP_SUPER_RNR)
960 set_bit(CONN_RNR_SENT, &chan->conn_state);
961
962 if (control->super != L2CAP_SUPER_SREJ) {
963 chan->last_acked_seq = control->reqseq;
964 __clear_ack_timer(chan);
965 }
966
967 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
968 control->final, control->poll, control->super);
969
970 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
971 control_field = __pack_extended_control(control);
972 else
973 control_field = __pack_enhanced_control(control);
974
975 skb = l2cap_create_sframe_pdu(chan, control_field);
976 if (!IS_ERR(skb))
977 l2cap_do_send(chan, skb);
b5c6aaed
MM		 978}
979
c9e3d5e0 980static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 981{
c9e3d5e0
MM		 982 struct l2cap_ctrl control;
983
984 BT_DBG("chan %p, poll %d", chan, poll);
985
986 memset(&control, 0, sizeof(control));
987 control.sframe = 1;
988 control.poll = poll;
989
990 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
991 control.super = L2CAP_SUPER_RNR;
992 else
993 control.super = L2CAP_SUPER_RR;
b5c6aaed 994
c9e3d5e0
MM		 995 control.reqseq = chan->buffer_seq;
996 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 997}
998
b4450035 999static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1000{
c1360a1c 1001 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1002}
1003
93c3e8f5
AE		 1004static bool __amp_capable(struct l2cap_chan *chan)
1005{
1006 struct l2cap_conn *conn = chan->conn;
1007
1008 if (enable_hs &&
1009 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1010 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1011 return true;
1012 else
1013 return false;
1014}
1015
2766be48 1016void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1017{
1018 struct l2cap_conn *conn = chan->conn;
1019 struct l2cap_conn_req req;
1020
1021 req.scid = cpu_to_le16(chan->scid);
1022 req.psm = chan->psm;
1023
1024 chan->ident = l2cap_get_ident(conn);
1025
1026 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1027
1028 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1029}
1030
8eb200bd
MM		 1031static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1032{
1033 struct l2cap_create_chan_req req;
1034 req.scid = cpu_to_le16(chan->scid);
1035 req.psm = chan->psm;
1036 req.amp_id = amp_id;
1037
1038 chan->ident = l2cap_get_ident(chan->conn);
1039
1040 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1041 sizeof(req), &req);
1042}
1043
02b0fbb9
MM		 1044static void l2cap_move_setup(struct l2cap_chan *chan)
1045{
1046 struct sk_buff *skb;
1047
1048 BT_DBG("chan %p", chan);
1049
1050 if (chan->mode != L2CAP_MODE_ERTM)
1051 return;
1052
1053 __clear_retrans_timer(chan);
1054 __clear_monitor_timer(chan);
1055 __clear_ack_timer(chan);
1056
1057 chan->retry_count = 0;
1058 skb_queue_walk(&chan->tx_q, skb) {
1059 if (bt_cb(skb)->control.retries)
1060 bt_cb(skb)->control.retries = 1;
1061 else
1062 break;
1063 }
1064
1065 chan->expected_tx_seq = chan->buffer_seq;
1066
1067 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1068 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1069 l2cap_seq_list_clear(&chan->retrans_list);
1070 l2cap_seq_list_clear(&chan->srej_list);
1071 skb_queue_purge(&chan->srej_q);
1072
1073 chan->tx_state = L2CAP_TX_STATE_XMIT;
1074 chan->rx_state = L2CAP_RX_STATE_MOVE;
1075
1076 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1077}
1078
5f3847a4
MM		 1079static void l2cap_move_done(struct l2cap_chan *chan)
1080{
1081 u8 move_role = chan->move_role;
1082 BT_DBG("chan %p", chan);
1083
1084 chan->move_state = L2CAP_MOVE_STABLE;
1085 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1086
1087 if (chan->mode != L2CAP_MODE_ERTM)
1088 return;
1089
1090 switch (move_role) {
1091 case L2CAP_MOVE_ROLE_INITIATOR:
1092 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1093 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1094 break;
1095 case L2CAP_MOVE_ROLE_RESPONDER:
1096 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1097 break;
1098 }
1099}
1100
9f0caeb1
VCG		 1101static void l2cap_chan_ready(struct l2cap_chan *chan)
1102{
2827011f 1103 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1104 chan->conf_state = 0;
1105 __clear_chan_timer(chan);
1106
54a59aa2 1107 chan->state = BT_CONNECTED;
9f0caeb1 1108
fd83e2c2 1109 chan->ops->ready(chan);
9f0caeb1
VCG		 1110}
1111
93c3e8f5
AE		 1112static void l2cap_start_connection(struct l2cap_chan *chan)
1113{
1114 if (__amp_capable(chan)) {
1115 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1116 a2mp_discover_amp(chan);
1117 } else {
1118 l2cap_send_conn_req(chan);
1119 }
1120}
1121
fc7f8a7e 1122static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1123{
8c1d787b 1124 struct l2cap_conn *conn = chan->conn;
79d554a6 1125
9f0caeb1
VCG		 1126 if (conn->hcon->type == LE_LINK) {
1127 l2cap_chan_ready(chan);
1128 return;
1129 }
1130
79d554a6 1131 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1132 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1133 return;
1134
d45fc423 1135 if (l2cap_chan_check_security(chan) &&
2d792818 1136 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1137 l2cap_start_connection(chan);
1138 }
79d554a6
MH		 1139 } else {
1140 struct l2cap_info_req req;
ac73498c 1141 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1142
1143 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1144 conn->info_ident = l2cap_get_ident(conn);
1145
ba13ccd9 1146 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1147
2d792818
GP		 1148 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1149 sizeof(req), &req);
79d554a6
MH		 1150 }
1151}
1152
cf6c2c0b
GP		 1153static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1154{
1155 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1156 if (!disable_ertm)
cf6c2c0b
GP		 1157 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1158
1159 switch (mode) {
1160 case L2CAP_MODE_ERTM:
1161 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1162 case L2CAP_MODE_STREAMING:
1163 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1164 default:
1165 return 0x00;
1166 }
1167}
1168
2d792818
GP		 1169static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1170 struct l2cap_chan *chan, int err)
22121fc9 1171{
6be36555 1172 struct sock *sk = chan->sk;
22121fc9
GP		 1173 struct l2cap_disconn_req req;
1174
c13ffa62
GP		 1175 if (!conn)
1176 return;
1177
aad3d0e3 1178 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1179 __clear_retrans_timer(chan);
1180 __clear_monitor_timer(chan);
1181 __clear_ack_timer(chan);
c13ffa62
GP		 1182 }
1183
416fa752 1184 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1185 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1186 return;
1187 }
1188
fe4128e0
GP		 1189 req.dcid = cpu_to_le16(chan->dcid);
1190 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1191 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1192 sizeof(req), &req);
c13ffa62 1193
6be36555 1194 lock_sock(sk);
0e587be7 1195 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1196 __l2cap_chan_set_err(chan, err);
6be36555 1197 release_sock(sk);
22121fc9
GP		 1198}
1199
1da177e4 1200/* ---- L2CAP connections ---- */
4e8402a3
MH		 1201static void l2cap_conn_start(struct l2cap_conn *conn)
1202{
3df91ea2 1203 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1204
1205 BT_DBG("conn %p", conn);
1206
3df91ea2 1207 mutex_lock(&conn->chan_lock);
4e8402a3 1208
3df91ea2 1209 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1210 struct sock *sk = chan->sk;
baa7e1fa 1211
6be36555 1212 l2cap_chan_lock(chan);
4e8402a3 1213
715ec005 1214 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1215 l2cap_chan_unlock(chan);
79d554a6
MH		 1216 continue;
1217 }
1218
89bc500e 1219 if (chan->state == BT_CONNECT) {
d45fc423 1220 if (!l2cap_chan_check_security(chan) ||
2d792818 1221 !__l2cap_no_conn_pending(chan)) {
6be36555 1222 l2cap_chan_unlock(chan);
47731de7
GP		 1223 continue;
1224 }
79d554a6 1225
c1360a1c 1226 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1227 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1228 &chan->conf_state)) {
89bc500e 1229 l2cap_chan_close(chan, ECONNRESET);
6be36555 1230 l2cap_chan_unlock(chan);
47731de7 1231 continue;
b1235d79 1232 }
47731de7 1233
93c3e8f5 1234 l2cap_start_connection(chan);
47731de7 1235
89bc500e 1236 } else if (chan->state == BT_CONNECT2) {
79d554a6 1237 struct l2cap_conn_rsp rsp;
e9aeb2dd 1238 char buf[128];
fe4128e0
GP		 1239 rsp.scid = cpu_to_le16(chan->dcid);
1240 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1241
d45fc423 1242 if (l2cap_chan_check_security(chan)) {
6be36555 1243 lock_sock(sk);
c5daa683
GP		 1244 if (test_bit(BT_SK_DEFER_SETUP,
1245 &bt_sk(sk)->flags)) {
ac73498c
AE		 1246 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1247 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1248 chan->ops->defer(chan);
f66dc81f
MH		 1249
1250 } else {
0e587be7 1251 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1252 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1253 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1254 }
6be36555 1255 release_sock(sk);
79d554a6 1256 } else {
ac73498c
AE		 1257 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1258 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1259 }
1260
fc7f8a7e 1261 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1262 sizeof(rsp), &rsp);
e9aeb2dd 1263
c1360a1c 1264 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1265 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1266 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1267 continue;
1268 }
1269
c1360a1c 1270 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1271 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1272 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1273 chan->num_conf_req++;
4e8402a3
MH		 1274 }
1275
6be36555 1276 l2cap_chan_unlock(chan);
4e8402a3
MH		 1277 }
1278
3df91ea2 1279 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1280}
1281
c2287681 1282/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1283 * Returns closest match, locked.
1284 */
d9b88702 1285static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1286 bdaddr_t *src,
1287 bdaddr_t *dst)
b62f328b 1288{
23691d75 1289 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1290
23691d75 1291 read_lock(&chan_list_lock);
b62f328b 1292
23691d75
GP		 1293 list_for_each_entry(c, &chan_list, global_l) {
1294 struct sock *sk = c->sk;
fe4128e0 1295
89bc500e 1296 if (state && c->state != state)
b62f328b
VT		 1297 continue;
1298
23691d75 1299 if (c->scid == cid) {
c2287681
IY		 1300 int src_match, dst_match;
1301 int src_any, dst_any;
1302
b62f328b 1303 /* Exact match. */
c2287681
IY		 1304 src_match = !bacmp(&bt_sk(sk)->src, src);
1305 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1306 if (src_match && dst_match) {
23691d75
GP		 1307 read_unlock(&chan_list_lock);
1308 return c;
1309 }
b62f328b
VT		 1310
1311 /* Closest match */
c2287681
IY		 1312 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1313 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1314 if ((src_match && dst_any) || (src_any && dst_match) ||
1315 (src_any && dst_any))
23691d75 1316 c1 = c;
b62f328b
VT		 1317 }
1318 }
280f294f 1319
23691d75 1320 read_unlock(&chan_list_lock);
b62f328b 1321
23691d75 1322 return c1;
b62f328b
VT		 1323}
1324
1325static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1326{
c916fbe4 1327 struct sock *parent, *sk;
23691d75 1328 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1329
1330 BT_DBG("");
1331
1332 /* Check if we have socket listening on cid */
23691d75 1333 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1334 conn->src, conn->dst);
23691d75 1335 if (!pchan)
b62f328b
VT		 1336 return;
1337
23691d75
GP		 1338 parent = pchan->sk;
1339
aa2ac881 1340 lock_sock(parent);
62f3a2cf 1341
80b98027 1342 chan = pchan->ops->new_connection(pchan);
80808e43 1343 if (!chan)
b62f328b
VT		 1344 goto clean;
1345
80808e43 1346 sk = chan->sk;
5d41ce1d 1347
b62f328b 1348 hci_conn_hold(conn->hcon);
a9ea3ed9 1349 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1350
b62f328b
VT		 1351 bacpy(&bt_sk(sk)->src, conn->src);
1352 bacpy(&bt_sk(sk)->dst, conn->dst);
1353
3d57dc68 1354 l2cap_chan_add(conn, chan);
48454079 1355
6754e0df 1356 l2cap_chan_ready(chan);
b62f328b 1357
b62f328b 1358clean:
aa2ac881 1359 release_sock(parent);
b62f328b
VT		 1360}
1361
4e8402a3
MH		 1362static void l2cap_conn_ready(struct l2cap_conn *conn)
1363{
48454079 1364 struct l2cap_chan *chan;
cc110922 1365 struct hci_conn *hcon = conn->hcon;
4e8402a3 1366
79d554a6 1367 BT_DBG("conn %p", conn);
4e8402a3 1368
cc110922 1369 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1370 l2cap_le_conn_ready(conn);
1371
cc110922
VCG		 1372 if (hcon->out && hcon->type == LE_LINK)
1373 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1374
3df91ea2 1375 mutex_lock(&conn->chan_lock);
4e8402a3 1376
3df91ea2 1377 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1378
6be36555 1379 l2cap_chan_lock(chan);
4e8402a3 1380
416fa752
AE		 1381 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1382 l2cap_chan_unlock(chan);
1383 continue;
1384 }
1385
cc110922
VCG		 1386 if (hcon->type == LE_LINK) {
1387 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1388 l2cap_chan_ready(chan);
acd7d370 1389
63128451 1390 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1391 struct sock *sk = chan->sk;
c9b66675 1392 __clear_chan_timer(chan);
6be36555 1393 lock_sock(sk);
0e587be7 1394 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1395 sk->sk_state_change(sk);
6be36555 1396 release_sock(sk);
b501d6a1 1397
89bc500e 1398 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1399 l2cap_do_start(chan);
4e8402a3 1400
6be36555 1401 l2cap_chan_unlock(chan);
4e8402a3 1402 }
79d554a6 1403
3df91ea2 1404 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1405}
1406
1407/* Notify sockets that we cannot guaranty reliability anymore */
1408static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1409{
48454079 1410 struct l2cap_chan *chan;
4e8402a3
MH		 1411
1412 BT_DBG("conn %p", conn);
1413
3df91ea2 1414 mutex_lock(&conn->chan_lock);
4e8402a3 1415
3df91ea2 1416 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1417 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1418 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1419 }
1420
3df91ea2 1421 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1422}
1423
f878fcad 1424static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1425{
f878fcad 1426 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1427 info_timer.work);
4e8402a3 1428
984947dc 1429 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1430 conn->info_ident = 0;
984947dc 1431
4e8402a3
MH		 1432 l2cap_conn_start(conn);
1433}
1434
5d3de7df
VCG		 1435static void l2cap_conn_del(struct hci_conn *hcon, int err)
1436{
1437 struct l2cap_conn *conn = hcon->l2cap_data;
1438 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1439
1440 if (!conn)
1441 return;
1442
1443 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1444
1445 kfree_skb(conn->rx_skb);
1446
3df91ea2
AE		 1447 mutex_lock(&conn->chan_lock);
1448
5d3de7df
VCG		 1449 /* Kill channels */
1450 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1451 l2cap_chan_hold(chan);
6be36555
AE		 1452 l2cap_chan_lock(chan);
1453
5d3de7df 1454 l2cap_chan_del(chan, err);
6be36555
AE		 1455
1456 l2cap_chan_unlock(chan);
1457
80b98027 1458 chan->ops->close(chan);
61d6ef3e 1459 l2cap_chan_put(chan);
5d3de7df
VCG		 1460 }
1461
3df91ea2
AE		 1462 mutex_unlock(&conn->chan_lock);
1463
73d80deb
LAD		 1464 hci_chan_del(conn->hchan);
1465
5d3de7df 1466 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1467 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1468
51a8efd7 1469 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1470 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1471 smp_chan_destroy(conn);
d26a2345 1472 }
5d3de7df
VCG		 1473
1474 hcon->l2cap_data = NULL;
1475 kfree(conn);
1476}
1477
6c9d42a1 1478static void security_timeout(struct work_struct *work)
5d3de7df 1479{
6c9d42a1 1480 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1481 security_timer.work);
5d3de7df 1482
d06cc416
JH		 1483 BT_DBG("conn %p", conn);
1484
1485 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1486 smp_chan_destroy(conn);
1487 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1488 }
5d3de7df
VCG		 1489}
1490
1da177e4
LT		 1491static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1492{
0139418c 1493 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1494 struct hci_chan *hchan;
1da177e4 1495
0139418c 1496 if (conn || status)
1da177e4
LT		 1497 return conn;
1498
73d80deb
LAD		 1499 hchan = hci_chan_create(hcon);
1500 if (!hchan)
1501 return NULL;
1502
8bcde1f2 1503 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1504 if (!conn) {
1505 hci_chan_del(hchan);
1da177e4 1506 return NULL;
73d80deb 1507 }
1da177e4
LT		 1508
1509 hcon->l2cap_data = conn;
1510 conn->hcon = hcon;
73d80deb 1511 conn->hchan = hchan;
1da177e4 1512
73d80deb 1513 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1514
dcc042d5
AE		 1515 switch (hcon->type) {
1516 case AMP_LINK:
1517 conn->mtu = hcon->hdev->block_mtu;
1518 break;
1519
1520 case LE_LINK:
1521 if (hcon->hdev->le_mtu) {
1522 conn->mtu = hcon->hdev->le_mtu;
1523 break;
1524 }
1525 /* fall through */
1526
1527 default:
acd7d370 1528 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1529 break;
1530 }
acd7d370 1531
1da177e4
LT		 1532 conn->src = &hcon->hdev->bdaddr;
1533 conn->dst = &hcon->dst;
1534
4e8402a3
MH		 1535 conn->feat_mask = 0;
1536
1da177e4 1537 spin_lock_init(&conn->lock);
3df91ea2 1538 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1539
1540 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1541
5d3de7df 1542 if (hcon->type == LE_LINK)
6c9d42a1 1543 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1544 else
030013d8 1545 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1546
9f5a0d7b 1547 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1548
1da177e4
LT		 1549 return conn;
1550}
1551
1da177e4 1552/* ---- Socket interface ---- */
1da177e4 1553
c2287681 1554/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1555 * Returns closest match.
1556 */
c2287681
IY		 1557static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1558 bdaddr_t *src,
1559 bdaddr_t *dst)
1da177e4 1560{
23691d75 1561 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1562
23691d75 1563 read_lock(&chan_list_lock);
e0f0cb56 1564
23691d75
GP		 1565 list_for_each_entry(c, &chan_list, global_l) {
1566 struct sock *sk = c->sk;
fe4128e0 1567
89bc500e 1568 if (state && c->state != state)
1da177e4
LT		 1569 continue;
1570
23691d75 1571 if (c->psm == psm) {
c2287681
IY		 1572 int src_match, dst_match;
1573 int src_any, dst_any;
1574
1da177e4 1575 /* Exact match. */
c2287681
IY		 1576 src_match = !bacmp(&bt_sk(sk)->src, src);
1577 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1578 if (src_match && dst_match) {
a7567b20 1579 read_unlock(&chan_list_lock);
23691d75
GP		 1580 return c;
1581 }
1da177e4
LT		 1582
1583 /* Closest match */
c2287681
IY		 1584 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1585 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1586 if ((src_match && dst_any) || (src_any && dst_match) ||
1587 (src_any && dst_any))
23691d75 1588 c1 = c;
1da177e4
LT		 1589 }
1590 }
1da177e4 1591
23691d75 1592 read_unlock(&chan_list_lock);
e0f0cb56 1593
23691d75 1594 return c1;
1da177e4
LT		 1595}
1596
8e9f9892
AG		 1597int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1598 bdaddr_t *dst, u8 dst_type)
1da177e4 1599{
5d41ce1d 1600 struct sock *sk = chan->sk;
1da177e4 1601 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1602 struct l2cap_conn *conn;
1603 struct hci_conn *hcon;
1604 struct hci_dev *hdev;
09ab6f4c 1605 __u8 auth_type;
44d0e48e 1606 int err;
1da177e4 1607
6ed93dc6 1608 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1609 dst_type, __le16_to_cpu(psm));
1da177e4 1610
af05b30b
GP		 1611 hdev = hci_get_route(dst, src);
1612 if (!hdev)
1da177e4
LT		 1613 return -EHOSTUNREACH;
1614
09fd0de5 1615 hci_dev_lock(hdev);
1da177e4 1616
6be36555 1617 l2cap_chan_lock(chan);
03a00194
GP		 1618
1619 /* PSM must be odd and lsb of upper byte must be 0 */
1620 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1621 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1622 err = -EINVAL;
1623 goto done;
1624 }
1625
1626 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1627 err = -EINVAL;
1628 goto done;
1629 }
1630
1631 switch (chan->mode) {
1632 case L2CAP_MODE_BASIC:
1633 break;
1634 case L2CAP_MODE_ERTM:
1635 case L2CAP_MODE_STREAMING:
1636 if (!disable_ertm)
1637 break;
1638 /* fall through */
1639 default:
1640 err = -ENOTSUPP;
1641 goto done;
1642 }
1643
0797e01d 1644 switch (chan->state) {
03a00194
GP		 1645 case BT_CONNECT:
1646 case BT_CONNECT2:
1647 case BT_CONFIG:
1648 /* Already connecting */
1649 err = 0;
1650 goto done;
1651
1652 case BT_CONNECTED:
1653 /* Already connected */
1654 err = -EISCONN;
1655 goto done;
1656
1657 case BT_OPEN:
1658 case BT_BOUND:
1659 /* Can connect */
1660 break;
1661
1662 default:
1663 err = -EBADFD;
1664 goto done;
1665 }
1666
1667 /* Set destination address and psm */
0797e01d 1668 lock_sock(sk);
9219b2a0 1669 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1670 release_sock(sk);
1671
03a00194
GP		 1672 chan->psm = psm;
1673 chan->dcid = cid;
1da177e4 1674
4343478f 1675 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1676
fe4128e0 1677 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1678 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1679 chan->sec_level, auth_type);
acd7d370 1680 else
8e9f9892 1681 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1682 chan->sec_level, auth_type);
acd7d370 1683
30e76272
VT		 1684 if (IS_ERR(hcon)) {
1685 err = PTR_ERR(hcon);
1da177e4 1686 goto done;
30e76272 1687 }
1da177e4
LT		 1688
1689 conn = l2cap_conn_add(hcon, 0);
1690 if (!conn) {
1691 hci_conn_put(hcon);
30e76272 1692 err = -ENOMEM;
1da177e4
LT		 1693 goto done;
1694 }
1695
9f0caeb1
VCG		 1696 if (hcon->type == LE_LINK) {
1697 err = 0;
1698
1699 if (!list_empty(&conn->chan_l)) {
1700 err = -EBUSY;
1701 hci_conn_put(hcon);
1702 }
1703
1704 if (err)
1705 goto done;
1706 }
1707
1da177e4
LT		 1708 /* Update source addr of the socket */
1709 bacpy(src, conn->src);
1710
6be36555 1711 l2cap_chan_unlock(chan);
48454079 1712 l2cap_chan_add(conn, chan);
6be36555 1713 l2cap_chan_lock(chan);
48454079 1714
6be36555 1715 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1716 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1717
1718 if (hcon->state == BT_CONNECTED) {
715ec005 1719 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1720 __clear_chan_timer(chan);
d45fc423 1721 if (l2cap_chan_check_security(chan))
6be36555 1722 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1723 } else
fc7f8a7e 1724 l2cap_do_start(chan);
1da177e4
LT		 1725 }
1726
30e76272
VT		 1727 err = 0;
1728
1da177e4 1729done:
6be36555 1730 l2cap_chan_unlock(chan);
09fd0de5 1731 hci_dev_unlock(hdev);
1da177e4
LT		 1732 hci_dev_put(hdev);
1733 return err;
1734}
1735
dcba0dba 1736int __l2cap_wait_ack(struct sock *sk)
6161c038 1737{
8c1d787b 1738 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1739 DECLARE_WAITQUEUE(wait, current);
1740 int err = 0;
1741 int timeo = HZ/5;
1742
2b0b05dd 1743 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1744 set_current_state(TASK_INTERRUPTIBLE);
1745 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1746 if (!timeo)
1747 timeo = HZ/5;
1748
1749 if (signal_pending(current)) {
1750 err = sock_intr_errno(timeo);
1751 break;
1752 }
1753
1754 release_sock(sk);
1755 timeo = schedule_timeout(timeo);
1756 lock_sock(sk);
a71a0cf4 1757 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1758
1759 err = sock_error(sk);
1760 if (err)
1761 break;
1762 }
1763 set_current_state(TASK_RUNNING);
2b0b05dd 1764 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1765 return err;
1766}
1767
721c4181 1768static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1769{
721c4181 1770 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1771 monitor_timer.work);
e90bac06 1772
525cd185 1773 BT_DBG("chan %p", chan);
0e98958d 1774
6be36555
AE		 1775 l2cap_chan_lock(chan);
1776
80909e04 1777 if (!chan->conn) {
6be36555 1778 l2cap_chan_unlock(chan);
8d7e1c7f 1779 l2cap_chan_put(chan);
e90bac06
GP		 1780 return;
1781 }
1782
401bb1f7 1783 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1784
6be36555 1785 l2cap_chan_unlock(chan);
8d7e1c7f 1786 l2cap_chan_put(chan);
e90bac06
GP		 1787}
1788
721c4181 1789static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1790{
721c4181 1791 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1792 retrans_timer.work);
e90bac06 1793
49208c9c 1794 BT_DBG("chan %p", chan);
0e98958d 1795
6be36555
AE		 1796 l2cap_chan_lock(chan);
1797
80909e04
MM		 1798 if (!chan->conn) {
1799 l2cap_chan_unlock(chan);
1800 l2cap_chan_put(chan);
1801 return;
1802 }
6be36555 1803
401bb1f7 1804 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1805 l2cap_chan_unlock(chan);
8d7e1c7f 1806 l2cap_chan_put(chan);
e90bac06
GP		 1807}
1808
d660366d
GP		 1809static void l2cap_streaming_send(struct l2cap_chan *chan,
1810 struct sk_buff_head *skbs)
6840ed07 1811{
ccbb84af 1812 struct sk_buff *skb;
3733937d 1813 struct l2cap_ctrl *control;
6840ed07 1814
3733937d
MM		 1815 BT_DBG("chan %p, skbs %p", chan, skbs);
1816
b99e13ad
MM		 1817 if (__chan_is_moving(chan))
1818 return;
1819
3733937d
MM		 1820 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1821
1822 while (!skb_queue_empty(&chan->tx_q)) {
1823
1824 skb = skb_dequeue(&chan->tx_q);
1825
1826 bt_cb(skb)->control.retries = 1;
1827 control = &bt_cb(skb)->control;
1828
1829 control->reqseq = 0;
1830 control->txseq = chan->next_tx_seq;
1831
1832 __pack_control(chan, control, skb);
6840ed07 1833
47d1ec61 1834 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1835 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1836 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1837 }
1838
4343478f 1839 l2cap_do_send(chan, skb);
6840ed07 1840
b4400672 1841 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1842
836be934 1843 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1844 chan->frames_sent++;
6840ed07 1845 }
6840ed07
GP		 1846}
1847
67c9e840 1848static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1849{
1850 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1851 struct l2cap_ctrl *control;
1852 int sent = 0;
1853
1854 BT_DBG("chan %p", chan);
1c2acffb 1855
89bc500e 1856 if (chan->state != BT_CONNECTED)
c13ffa62 1857 return -ENOTCONN;
e90bac06 1858
94122bbe
MM		 1859 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1860 return 0;
1861
b99e13ad
MM		 1862 if (__chan_is_moving(chan))
1863 return 0;
1864
18a48e76
MM		 1865 while (chan->tx_send_head &&
1866 chan->unacked_frames < chan->remote_tx_win &&
1867 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1868
18a48e76 1869 skb = chan->tx_send_head;
e90bac06 1870
18a48e76
MM		 1871 bt_cb(skb)->control.retries = 1;
1872 control = &bt_cb(skb)->control;
95ffa978 1873
e2ab4353 1874 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1875 control->final = 1;
e2ab4353 1876
18a48e76
MM		 1877 control->reqseq = chan->buffer_seq;
1878 chan->last_acked_seq = chan->buffer_seq;
1879 control->txseq = chan->next_tx_seq;
1c2acffb 1880
18a48e76 1881 __pack_control(chan, control, skb);
e90bac06 1882
47d1ec61 1883 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1884 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1885 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1886 }
1887
18a48e76
MM		 1888 /* Clone after data has been modified. Data is assumed to be
1889 read-only (for locking purposes) on cloned sk_buffs.
1890 */
1891 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1892
18a48e76
MM		 1893 if (!tx_skb)
1894 break;
1c2acffb 1895
18a48e76 1896 __set_retrans_timer(chan);
836be934
AE		 1897
1898 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1899 chan->unacked_frames++;
6a026610 1900 chan->frames_sent++;
18a48e76 1901 sent++;
1c2acffb 1902
58d35f87
GP		 1903 if (skb_queue_is_last(&chan->tx_q, skb))
1904 chan->tx_send_head = NULL;
1c2acffb 1905 else
58d35f87 1906 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1907
1908 l2cap_do_send(chan, tx_skb);
b4400672 1909 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1910 }
1911
b4400672
AE		 1912 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1913 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1914
1915 return sent;
9e917af1
GP		 1916}
1917
e1fbd4c1
MM		 1918static void l2cap_ertm_resend(struct l2cap_chan *chan)
1919{
1920 struct l2cap_ctrl control;
1921 struct sk_buff *skb;
1922 struct sk_buff *tx_skb;
1923 u16 seq;
1924
1925 BT_DBG("chan %p", chan);
1926
1927 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1928 return;
1929
b99e13ad
MM		 1930 if (__chan_is_moving(chan))
1931 return;
1932
e1fbd4c1
MM		 1933 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1934 seq = l2cap_seq_list_pop(&chan->retrans_list);
1935
1936 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1937 if (!skb) {
1938 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1939 seq);
e1fbd4c1
MM		 1940 continue;
1941 }
1942
1943 bt_cb(skb)->control.retries++;
1944 control = bt_cb(skb)->control;
1945
1946 if (chan->max_tx != 0 &&
1947 bt_cb(skb)->control.retries > chan->max_tx) {
1948 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1949 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1950 l2cap_seq_list_clear(&chan->retrans_list);
1951 break;
1952 }
1953
1954 control.reqseq = chan->buffer_seq;
1955 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1956 control.final = 1;
1957 else
1958 control.final = 0;
1959
1960 if (skb_cloned(skb)) {
1961 /* Cloned sk_buffs are read-only, so we need a
1962 * writeable copy
1963 */
8bcde1f2 1964 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1965 } else {
8bcde1f2 1966 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1967 }
1968
1969 if (!tx_skb) {
1970 l2cap_seq_list_clear(&chan->retrans_list);
1971 break;
1972 }
1973
1974 /* Update skb contents */
1975 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1976 put_unaligned_le32(__pack_extended_control(&control),
1977 tx_skb->data + L2CAP_HDR_SIZE);
1978 } else {
1979 put_unaligned_le16(__pack_enhanced_control(&control),
1980 tx_skb->data + L2CAP_HDR_SIZE);
1981 }
1982
1983 if (chan->fcs == L2CAP_FCS_CRC16) {
1984 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1985 put_unaligned_le16(fcs, skb_put(tx_skb,
1986 L2CAP_FCS_SIZE));
1987 }
1988
1989 l2cap_do_send(chan, tx_skb);
1990
1991 BT_DBG("Resent txseq %d", control.txseq);
1992
1993 chan->last_acked_seq = chan->buffer_seq;
1994 }
1995}
1996
f80842a8
MM		 1997static void l2cap_retransmit(struct l2cap_chan *chan,
1998 struct l2cap_ctrl *control)
1999{
2000 BT_DBG("chan %p, control %p", chan, control);
2001
2002 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2003 l2cap_ertm_resend(chan);
2004}
2005
d2a7ac5d
MM		 2006static void l2cap_retransmit_all(struct l2cap_chan *chan,
2007 struct l2cap_ctrl *control)
2008{
e1fbd4c1
MM		 2009 struct sk_buff *skb;
2010
2011 BT_DBG("chan %p, control %p", chan, control);
2012
2013 if (control->poll)
2014 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2015
2016 l2cap_seq_list_clear(&chan->retrans_list);
2017
2018 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2019 return;
2020
2021 if (chan->unacked_frames) {
2022 skb_queue_walk(&chan->tx_q, skb) {
2023 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2024 skb == chan->tx_send_head)
e1fbd4c1
MM		 2025 break;
2026 }
2027
2028 skb_queue_walk_from(&chan->tx_q, skb) {
2029 if (skb == chan->tx_send_head)
2030 break;
2031
2032 l2cap_seq_list_append(&chan->retrans_list,
2033 bt_cb(skb)->control.txseq);
2034 }
2035
2036 l2cap_ertm_resend(chan);
2037 }
d2a7ac5d
MM		 2038}
2039
0a0aba42 2040static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2041{
0a0aba42
MM		 2042 struct l2cap_ctrl control;
2043 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2044 chan->last_acked_seq);
2045 int threshold;
9e917af1 2046
0a0aba42
MM		 2047 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2048 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2049
0a0aba42
MM		 2050 memset(&control, 0, sizeof(control));
2051 control.sframe = 1;
dfc909be 2052
0a0aba42
MM		 2053 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2054 chan->rx_state == L2CAP_RX_STATE_RECV) {
2055 __clear_ack_timer(chan);
2056 control.super = L2CAP_SUPER_RNR;
2057 control.reqseq = chan->buffer_seq;
2058 l2cap_send_sframe(chan, &control);
2059 } else {
2060 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2061 l2cap_ertm_send(chan);
2062 /* If any i-frames were sent, they included an ack */
2063 if (chan->buffer_seq == chan->last_acked_seq)
2064 frames_to_ack = 0;
2065 }
dfc909be 2066
c20f8e35 2067 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2068 * Calculate without mul or div
2069 */
c20f8e35 2070 threshold = chan->ack_win;
0a0aba42
MM		 2071 threshold += threshold << 1;
2072 threshold >>= 2;
2073
b4400672 2074 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2075 threshold);
2076
2077 if (frames_to_ack >= threshold) {
2078 __clear_ack_timer(chan);
2079 control.super = L2CAP_SUPER_RR;
2080 control.reqseq = chan->buffer_seq;
2081 l2cap_send_sframe(chan, &control);
2082 frames_to_ack = 0;
2083 }
1c2acffb 2084
0a0aba42
MM		 2085 if (frames_to_ack)
2086 __set_ack_timer(chan);
2087 }
b17e73bb
SJ		 2088}
2089
04124681
GP		 2090static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2091 struct msghdr *msg, int len,
2092 int count, struct sk_buff *skb)
1c2acffb 2093{
0952a57a 2094 struct l2cap_conn *conn = chan->conn;
1c2acffb 2095 struct sk_buff **frag;
90338947 2096 int sent = 0;
1da177e4 2097
59203a21 2098 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2099 return -EFAULT;
1da177e4
LT		 2100
2101 sent += count;
2102 len -= count;
2103
2104 /* Continuation fragments (no L2CAP header) */
2105 frag = &skb_shinfo(skb)->frag_list;
2106 while (len) {
fbe00700
GP		 2107 struct sk_buff *tmp;
2108
1da177e4
LT		 2109 count = min_t(unsigned int, conn->mtu, len);
2110
fbe00700
GP		 2111 tmp = chan->ops->alloc_skb(chan, count,
2112 msg->msg_flags & MSG_DONTWAIT);
2113 if (IS_ERR(tmp))
2114 return PTR_ERR(tmp);
2115
2116 *frag = tmp;
2f7719ce 2117
1c2acffb
GP		 2118 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2119 return -EFAULT;
1da177e4 2120
5e59b791
LAD		 2121 (*frag)->priority = skb->priority;
2122
1da177e4
LT		 2123 sent += count;
2124 len -= count;
2125
2d0ed3d5
GP		 2126 skb->len += (*frag)->len;
2127 skb->data_len += (*frag)->len;
2128
1da177e4
LT		 2129 frag = &(*frag)->next;
2130 }
1da177e4
LT		 2131
2132 return sent;
1c2acffb 2133}
1da177e4 2134
5e59b791 2135static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2136 struct msghdr *msg, size_t len,
2137 u32 priority)
1c2acffb 2138{
8c1d787b 2139 struct l2cap_conn *conn = chan->conn;
1c2acffb 2140 struct sk_buff *skb;
03a51213 2141 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2142 struct l2cap_hdr *lh;
2143
b4400672 2144 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2145
2146 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2147
2148 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2149 msg->msg_flags & MSG_DONTWAIT);
2150 if (IS_ERR(skb))
2151 return skb;
1c2acffb 2152
5e59b791
LAD		 2153 skb->priority = priority;
2154
1c2acffb
GP		 2155 /* Create L2CAP header */
2156 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2157 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2158 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2159 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2160
0952a57a 2161 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2162 if (unlikely(err < 0)) {
2163 kfree_skb(skb);
2164 return ERR_PTR(err);
2165 }
2166 return skb;
2167}
2168
5e59b791 2169static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2170 struct msghdr *msg, size_t len,
2171 u32 priority)
1c2acffb 2172{
8c1d787b 2173 struct l2cap_conn *conn = chan->conn;
1c2acffb 2174 struct sk_buff *skb;
f2ba7fae 2175 int err, count;
1c2acffb
GP		 2176 struct l2cap_hdr *lh;
2177
b4400672 2178 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2179
f2ba7fae 2180 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2181
f2ba7fae 2182 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2183 msg->msg_flags & MSG_DONTWAIT);
2184 if (IS_ERR(skb))
2185 return skb;
1c2acffb 2186
5e59b791
LAD		 2187 skb->priority = priority;
2188
1c2acffb
GP		 2189 /* Create L2CAP header */
2190 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2191 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2192 lh->len = cpu_to_le16(len);
1c2acffb 2193
0952a57a 2194 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2195 if (unlikely(err < 0)) {
2196 kfree_skb(skb);
2197 return ERR_PTR(err);
2198 }
2199 return skb;
2200}
2201
ab0ff76d 2202static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2203 struct msghdr *msg, size_t len,
2204 u16 sdulen)
1c2acffb 2205{
8c1d787b 2206 struct l2cap_conn *conn = chan->conn;
1c2acffb 2207 struct sk_buff *skb;
e4ca6d98 2208 int err, count, hlen;
1c2acffb
GP		 2209 struct l2cap_hdr *lh;
2210
b4400672 2211 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2212
0ee0d208
GP		 2213 if (!conn)
2214 return ERR_PTR(-ENOTCONN);
2215
ba7aa64f 2216 hlen = __ertm_hdr_size(chan);
e4ca6d98 2217
c74e560c 2218 if (sdulen)
03a51213 2219 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2220
47d1ec61 2221 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2222 hlen += L2CAP_FCS_SIZE;
fcc203c3 2223
1c2acffb 2224 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2225
2226 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2227 msg->msg_flags & MSG_DONTWAIT);
2228 if (IS_ERR(skb))
2229 return skb;
1c2acffb
GP		 2230
2231 /* Create L2CAP header */
2232 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2233 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2234 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2235
18a48e76
MM		 2236 /* Control header is populated later */
2237 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2238 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2239 else
2240 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2241
c74e560c 2242 if (sdulen)
03a51213 2243 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2244
0952a57a 2245 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2246 if (unlikely(err < 0)) {
2247 kfree_skb(skb);
2248 return ERR_PTR(err);
2249 }
e90bac06 2250
18a48e76 2251 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2252 bt_cb(skb)->control.retries = 0;
1c2acffb 2253 return skb;
1da177e4
LT		 2254}
2255
94122bbe
MM		 2256static int l2cap_segment_sdu(struct l2cap_chan *chan,
2257 struct sk_buff_head *seg_queue,
2258 struct msghdr *msg, size_t len)
c74e560c 2259{
c74e560c 2260 struct sk_buff *skb;
94122bbe
MM		 2261 u16 sdu_len;
2262 size_t pdu_len;
94122bbe 2263 u8 sar;
c74e560c 2264
b4400672 2265 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2266
94122bbe
MM		 2267 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2268 * so fragmented skbs are not used. The HCI layer's handling
2269 * of fragmented skbs is not compatible with ERTM's queueing.
2270 */
c74e560c 2271
94122bbe
MM		 2272 /* PDU size is derived from the HCI MTU */
2273 pdu_len = chan->conn->mtu;
c74e560c 2274
94122bbe
MM		 2275 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2276
2277 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2278 if (chan->fcs)
2279 pdu_len -= L2CAP_FCS_SIZE;
2280
ba7aa64f 2281 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2282
2283 /* Remote device may have requested smaller PDUs */
2284 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2285
2286 if (len <= pdu_len) {
2287 sar = L2CAP_SAR_UNSEGMENTED;
2288 sdu_len = 0;
2289 pdu_len = len;
2290 } else {
2291 sar = L2CAP_SAR_START;
2292 sdu_len = len;
2293 pdu_len -= L2CAP_SDULEN_SIZE;
2294 }
2295
2296 while (len > 0) {
2297 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2298
c74e560c 2299 if (IS_ERR(skb)) {
94122bbe 2300 __skb_queue_purge(seg_queue);
c74e560c
GP		 2301 return PTR_ERR(skb);
2302 }
2303
94122bbe
MM		 2304 bt_cb(skb)->control.sar = sar;
2305 __skb_queue_tail(seg_queue, skb);
2306
2307 len -= pdu_len;
2308 if (sdu_len) {
2309 sdu_len = 0;
2310 pdu_len += L2CAP_SDULEN_SIZE;
2311 }
2312
2313 if (len <= pdu_len) {
2314 sar = L2CAP_SAR_END;
2315 pdu_len = len;
2316 } else {
2317 sar = L2CAP_SAR_CONTINUE;
2318 }
c74e560c 2319 }
c74e560c 2320
f0f62799 2321 return 0;
c74e560c
GP		 2322}
2323
5e59b791 2324int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2325 u32 priority)
9a91a04a 2326{
9a91a04a 2327 struct sk_buff *skb;
9a91a04a 2328 int err;
94122bbe 2329 struct sk_buff_head seg_queue;
9a91a04a
GP		 2330
2331 /* Connectionless channel */
715ec005 2332 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2333 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2334 if (IS_ERR(skb))
2335 return PTR_ERR(skb);
2336
2337 l2cap_do_send(chan, skb);
2338 return len;
2339 }
2340
2341 switch (chan->mode) {
2342 case L2CAP_MODE_BASIC:
2343 /* Check outgoing MTU */
2344 if (len > chan->omtu)
2345 return -EMSGSIZE;
2346
2347 /* Create a basic PDU */
5e59b791 2348 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2349 if (IS_ERR(skb))
2350 return PTR_ERR(skb);
2351
2352 l2cap_do_send(chan, skb);
2353 err = len;
2354 break;
2355
2356 case L2CAP_MODE_ERTM:
2357 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2358 /* Check outgoing MTU */
2359 if (len > chan->omtu) {
2360 err = -EMSGSIZE;
2361 break;
2362 }
9a91a04a 2363
94122bbe 2364 __skb_queue_head_init(&seg_queue);
9a91a04a 2365
94122bbe
MM		 2366 /* Do segmentation before calling in to the state machine,
2367 * since it's possible to block while waiting for memory
2368 * allocation.
2369 */
2370 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2371
94122bbe
MM		 2372 /* The channel could have been closed while segmenting,
2373 * check that it is still connected.
2374 */
2375 if (chan->state != BT_CONNECTED) {
2376 __skb_queue_purge(&seg_queue);
2377 err = -ENOTCONN;
9a91a04a
GP		 2378 }
2379
94122bbe 2380 if (err)
9a91a04a 2381 break;
9a91a04a 2382
3733937d 2383 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2384 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2385 else
d660366d 2386 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2387
d660366d 2388 err = len;
9a91a04a 2389
94122bbe
MM		 2390 /* If the skbs were not queued for sending, they'll still be in
2391 * seg_queue and need to be purged.
2392 */
2393 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2394 break;
2395
2396 default:
2397 BT_DBG("bad state %1.1x", chan->mode);
2398 err = -EBADFD;
2399 }
2400
2401 return err;
2402}
2403
d2a7ac5d
MM		 2404static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2405{
bed68bde
MM		 2406 struct l2cap_ctrl control;
2407 u16 seq;
2408
b4400672 2409 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2410
2411 memset(&control, 0, sizeof(control));
2412 control.sframe = 1;
2413 control.super = L2CAP_SUPER_SREJ;
2414
2415 for (seq = chan->expected_tx_seq; seq != txseq;
2416 seq = __next_seq(chan, seq)) {
2417 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2418 control.reqseq = seq;
2419 l2cap_send_sframe(chan, &control);
2420 l2cap_seq_list_append(&chan->srej_list, seq);
2421 }
2422 }
2423
2424 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2425}
2426
2427static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2428{
bed68bde
MM		 2429 struct l2cap_ctrl control;
2430
2431 BT_DBG("chan %p", chan);
2432
2433 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2434 return;
2435
2436 memset(&control, 0, sizeof(control));
2437 control.sframe = 1;
2438 control.super = L2CAP_SUPER_SREJ;
2439 control.reqseq = chan->srej_list.tail;
2440 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2441}
2442
2443static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2444{
bed68bde
MM		 2445 struct l2cap_ctrl control;
2446 u16 initial_head;
2447 u16 seq;
2448
b4400672 2449 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2450
2451 memset(&control, 0, sizeof(control));
2452 control.sframe = 1;
2453 control.super = L2CAP_SUPER_SREJ;
2454
2455 /* Capture initial list head to allow only one pass through the list. */
2456 initial_head = chan->srej_list.head;
2457
2458 do {
2459 seq = l2cap_seq_list_pop(&chan->srej_list);
2460 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2461 break;
2462
2463 control.reqseq = seq;
2464 l2cap_send_sframe(chan, &control);
2465 l2cap_seq_list_append(&chan->srej_list, seq);
2466 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2467}
2468
608bcc6d
MM		 2469static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2470{
2471 struct sk_buff *acked_skb;
2472 u16 ackseq;
2473
b4400672 2474 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2475
2476 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2477 return;
2478
b4400672 2479 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2480 chan->expected_ack_seq, chan->unacked_frames);
2481
2482 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2483 ackseq = __next_seq(chan, ackseq)) {
2484
2485 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2486 if (acked_skb) {
2487 skb_unlink(acked_skb, &chan->tx_q);
2488 kfree_skb(acked_skb);
2489 chan->unacked_frames--;
2490 }
2491 }
2492
2493 chan->expected_ack_seq = reqseq;
2494
2495 if (chan->unacked_frames == 0)
2496 __clear_retrans_timer(chan);
2497
b4400672 2498 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2499}
2500
2501static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2502{
2503 BT_DBG("chan %p", chan);
2504
2505 chan->expected_tx_seq = chan->buffer_seq;
2506 l2cap_seq_list_clear(&chan->srej_list);
2507 skb_queue_purge(&chan->srej_q);
2508 chan->rx_state = L2CAP_RX_STATE_RECV;
2509}
2510
d660366d
GP		 2511static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2512 struct l2cap_ctrl *control,
2513 struct sk_buff_head *skbs, u8 event)
608bcc6d 2514{
608bcc6d
MM		 2515 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2516 event);
2517
2518 switch (event) {
2519 case L2CAP_EV_DATA_REQUEST:
2520 if (chan->tx_send_head == NULL)
2521 chan->tx_send_head = skb_peek(skbs);
2522
2523 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2524 l2cap_ertm_send(chan);
2525 break;
2526 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2527 BT_DBG("Enter LOCAL_BUSY");
2528 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2529
2530 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2531 /* The SREJ_SENT state must be aborted if we are to
2532 * enter the LOCAL_BUSY state.
2533 */
2534 l2cap_abort_rx_srej_sent(chan);
2535 }
2536
2537 l2cap_send_ack(chan);
2538
2539 break;
2540 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2541 BT_DBG("Exit LOCAL_BUSY");
2542 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2543
2544 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2545 struct l2cap_ctrl local_control;
2546
2547 memset(&local_control, 0, sizeof(local_control));
2548 local_control.sframe = 1;
2549 local_control.super = L2CAP_SUPER_RR;
2550 local_control.poll = 1;
2551 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2552 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2553
2554 chan->retry_count = 1;
2555 __set_monitor_timer(chan);
2556 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2557 }
2558 break;
2559 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2560 l2cap_process_reqseq(chan, control->reqseq);
2561 break;
2562 case L2CAP_EV_EXPLICIT_POLL:
2563 l2cap_send_rr_or_rnr(chan, 1);
2564 chan->retry_count = 1;
2565 __set_monitor_timer(chan);
2566 __clear_ack_timer(chan);
2567 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2568 break;
2569 case L2CAP_EV_RETRANS_TO:
2570 l2cap_send_rr_or_rnr(chan, 1);
2571 chan->retry_count = 1;
2572 __set_monitor_timer(chan);
2573 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2574 break;
2575 case L2CAP_EV_RECV_FBIT:
2576 /* Nothing to process */
2577 break;
2578 default:
2579 break;
2580 }
608bcc6d
MM		 2581}
2582
d660366d
GP		 2583static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2584 struct l2cap_ctrl *control,
2585 struct sk_buff_head *skbs, u8 event)
608bcc6d 2586{
608bcc6d
MM		 2587 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2588 event);
2589
2590 switch (event) {
2591 case L2CAP_EV_DATA_REQUEST:
2592 if (chan->tx_send_head == NULL)
2593 chan->tx_send_head = skb_peek(skbs);
2594 /* Queue data, but don't send. */
2595 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2596 break;
2597 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2598 BT_DBG("Enter LOCAL_BUSY");
2599 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2600
2601 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2602 /* The SREJ_SENT state must be aborted if we are to
2603 * enter the LOCAL_BUSY state.
2604 */
2605 l2cap_abort_rx_srej_sent(chan);
2606 }
2607
2608 l2cap_send_ack(chan);
2609
2610 break;
2611 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2612 BT_DBG("Exit LOCAL_BUSY");
2613 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2614
2615 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2616 struct l2cap_ctrl local_control;
2617 memset(&local_control, 0, sizeof(local_control));
2618 local_control.sframe = 1;
2619 local_control.super = L2CAP_SUPER_RR;
2620 local_control.poll = 1;
2621 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2622 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2623
2624 chan->retry_count = 1;
2625 __set_monitor_timer(chan);
2626 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2627 }
2628 break;
2629 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2630 l2cap_process_reqseq(chan, control->reqseq);
2631
2632 /* Fall through */
2633
2634 case L2CAP_EV_RECV_FBIT:
2635 if (control && control->final) {
2636 __clear_monitor_timer(chan);
2637 if (chan->unacked_frames > 0)
2638 __set_retrans_timer(chan);
2639 chan->retry_count = 0;
2640 chan->tx_state = L2CAP_TX_STATE_XMIT;
2641 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2642 }
2643 break;
2644 case L2CAP_EV_EXPLICIT_POLL:
2645 /* Ignore */
2646 break;
2647 case L2CAP_EV_MONITOR_TO:
2648 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2649 l2cap_send_rr_or_rnr(chan, 1);
2650 __set_monitor_timer(chan);
2651 chan->retry_count++;
2652 } else {
2653 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2654 }
2655 break;
2656 default:
2657 break;
2658 }
608bcc6d
MM		 2659}
2660
d660366d
GP		 2661static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2662 struct sk_buff_head *skbs, u8 event)
608bcc6d 2663{
608bcc6d
MM		 2664 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2665 chan, control, skbs, event, chan->tx_state);
2666
2667 switch (chan->tx_state) {
2668 case L2CAP_TX_STATE_XMIT:
d660366d 2669 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2670 break;
2671 case L2CAP_TX_STATE_WAIT_F:
d660366d 2672 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2673 break;
2674 default:
2675 /* Ignore event */
2676 break;
2677 }
608bcc6d
MM		 2678}
2679
4b51dae9
MM		 2680static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2681 struct l2cap_ctrl *control)
2682{
2683 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2684 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2685}
2686
f80842a8
MM		 2687static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2688 struct l2cap_ctrl *control)
2689{
2690 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2691 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2692}
2693
1da177e4
LT		 2694/* Copy frame to all raw sockets on that connection */
2695static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2696{
1da177e4 2697 struct sk_buff *nskb;
48454079 2698 struct l2cap_chan *chan;
1da177e4
LT		 2699
2700 BT_DBG("conn %p", conn);
2701
3df91ea2 2702 mutex_lock(&conn->chan_lock);
3d57dc68 2703
3df91ea2 2704 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2705 struct sock *sk = chan->sk;
715ec005 2706 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2707 continue;
2708
2709 /* Don't send frame to the socket it came from */
2710 if (skb->sk == sk)
2711 continue;
8bcde1f2 2712 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2713 if (!nskb)
1da177e4
LT		 2714 continue;
2715
80b98027 2716 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2717 kfree_skb(nskb);
2718 }
3d57dc68 2719
3df91ea2 2720 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2721}
2722
2723/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2724static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2725 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2726{
2727 struct sk_buff *skb, **frag;
2728 struct l2cap_cmd_hdr *cmd;
2729 struct l2cap_hdr *lh;
2730 int len, count;
2731
b4400672
AE		 2732 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2733 conn, code, ident, dlen);
1da177e4
LT		 2734
2735 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2736 count = min_t(unsigned int, conn->mtu, len);
2737
8bcde1f2 2738 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2739 if (!skb)
2740 return NULL;
2741
2742 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2743 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2744
2745 if (conn->hcon->type == LE_LINK)
ac73498c 2746 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2747 else
ac73498c 2748 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2749
2750 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2751 cmd->code = code;
2752 cmd->ident = ident;
aca3192c 2753 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2754
2755 if (dlen) {
2756 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2757 memcpy(skb_put(skb, count), data, count);
2758 data += count;
2759 }
2760
2761 len -= skb->len;
2762
2763 /* Continuation fragments (no L2CAP header) */
2764 frag = &skb_shinfo(skb)->frag_list;
2765 while (len) {
2766 count = min_t(unsigned int, conn->mtu, len);
2767
8bcde1f2 2768 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2769 if (!*frag)
2770 goto fail;
2771
2772 memcpy(skb_put(*frag, count), data, count);
2773
2774 len -= count;
2775 data += count;
2776
2777 frag = &(*frag)->next;
2778 }
2779
2780 return skb;
2781
2782fail:
2783 kfree_skb(skb);
2784 return NULL;
2785}
2786
2d792818
GP		 2787static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2788 unsigned long *val)
1da177e4
LT		 2789{
2790 struct l2cap_conf_opt *opt = *ptr;
2791 int len;
2792
2793 len = L2CAP_CONF_OPT_SIZE + opt->len;
2794 *ptr += len;
2795
2796 *type = opt->type;
2797 *olen = opt->len;
2798
2799 switch (opt->len) {
2800 case 1:
2801 *val = *((u8 *) opt->val);
2802 break;
2803
2804 case 2:
bfaaeb3e 2805 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2806 break;
2807
2808 case 4:
bfaaeb3e 2809 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2810 break;
2811
2812 default:
2813 *val = (unsigned long) opt->val;
2814 break;
2815 }
2816
b4400672 2817 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2818 return len;
2819}
2820
1da177e4
LT		 2821static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2822{
2823 struct l2cap_conf_opt *opt = *ptr;
2824
b4400672 2825 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2826
2827 opt->type = type;
2828 opt->len = len;
2829
2830 switch (len) {
2831 case 1:
2832 *((u8 *) opt->val) = val;
2833 break;
2834
2835 case 2:
4f8b691c 2836 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2837 break;
2838
2839 case 4:
4f8b691c 2840 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2841 break;
2842
2843 default:
2844 memcpy(opt->val, (void *) val, len);
2845 break;
2846 }
2847
2848 *ptr += L2CAP_CONF_OPT_SIZE + len;
2849}
2850
f89cef09
AE		 2851static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2852{
2853 struct l2cap_conf_efs efs;
2854
1ec918ce 2855 switch (chan->mode) {
f89cef09
AE		 2856 case L2CAP_MODE_ERTM:
2857 efs.id = chan->local_id;
2858 efs.stype = chan->local_stype;
2859 efs.msdu = cpu_to_le16(chan->local_msdu);
2860 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2861 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2862 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2863 break;
2864
2865 case L2CAP_MODE_STREAMING:
2866 efs.id = 1;
2867 efs.stype = L2CAP_SERV_BESTEFFORT;
2868 efs.msdu = cpu_to_le16(chan->local_msdu);
2869 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2870 efs.acc_lat = 0;
2871 efs.flush_to = 0;
2872 break;
2873
2874 default:
2875 return;
2876 }
2877
2878 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2879 (unsigned long) &efs);
f89cef09
AE		 2880}
2881
721c4181 2882static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2883{
721c4181 2884 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2885 ack_timer.work);
2886 u16 frames_to_ack;
c1b4f43b 2887
2fb9b3d4
GP		 2888 BT_DBG("chan %p", chan);
2889
6be36555
AE		 2890 l2cap_chan_lock(chan);
2891
0362520b
MM		 2892 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2893 chan->last_acked_seq);
6be36555 2894
0362520b
MM		 2895 if (frames_to_ack)
2896 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2897
0362520b 2898 l2cap_chan_unlock(chan);
09bfb2ee 2899 l2cap_chan_put(chan);
c1b4f43b
GP		 2900}
2901
466f8004 2902int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2903{
3c588192
MM		 2904 int err;
2905
105bdf9e
MM		 2906 chan->next_tx_seq = 0;
2907 chan->expected_tx_seq = 0;
42e5c802 2908 chan->expected_ack_seq = 0;
6a026610 2909 chan->unacked_frames = 0;
42e5c802 2910 chan->buffer_seq = 0;
6a026610 2911 chan->frames_sent = 0;
105bdf9e
MM		 2912 chan->last_acked_seq = 0;
2913 chan->sdu = NULL;
2914 chan->sdu_last_frag = NULL;
2915 chan->sdu_len = 0;
2916
d34c34fb
MM		 2917 skb_queue_head_init(&chan->tx_q);
2918
08333283
MM		 2919 chan->local_amp_id = 0;
2920 chan->move_id = 0;
2921 chan->move_state = L2CAP_MOVE_STABLE;
2922 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2923
105bdf9e
MM		 2924 if (chan->mode != L2CAP_MODE_ERTM)
2925 return 0;
2926
2927 chan->rx_state = L2CAP_RX_STATE_RECV;
2928 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2929
721c4181
GP		 2930 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2931 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2932 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2933
f1c6775b 2934 skb_queue_head_init(&chan->srej_q);
1890d36b 2935
3c588192
MM		 2936 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2937 if (err < 0)
2938 return err;
2939
9dc9affc
MM		 2940 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2941 if (err < 0)
2942 l2cap_seq_list_free(&chan->srej_list);
2943
2944 return err;
0565c1c2
GP		 2945}
2946
f2fcfcd6
GP		 2947static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2948{
2949 switch (mode) {
2950 case L2CAP_MODE_STREAMING:
2951 case L2CAP_MODE_ERTM:
2952 if (l2cap_mode_supported(mode, remote_feat_mask))
2953 return mode;
2954 /* fall through */
2955 default:
2956 return L2CAP_MODE_BASIC;
2957 }
2958}
2959
6327eb98
AE		 2960static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2961{
2962 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2963}
2964
f89cef09
AE		 2965static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2966{
2967 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2968}
2969
36c86c85
MM		 2970static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
2971 struct l2cap_conf_rfc *rfc)
2972{
2973 if (chan->local_amp_id && chan->hs_hcon) {
2974 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
2975
2976 /* Class 1 devices have must have ERTM timeouts
2977 * exceeding the Link Supervision Timeout. The
2978 * default Link Supervision Timeout for AMP
2979 * controllers is 10 seconds.
2980 *
2981 * Class 1 devices use 0xffffffff for their
2982 * best-effort flush timeout, so the clamping logic
2983 * will result in a timeout that meets the above
2984 * requirement. ERTM timeouts are 16-bit values, so
2985 * the maximum timeout is 65.535 seconds.
2986 */
2987
2988 /* Convert timeout to milliseconds and round */
2989 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
2990
2991 /* This is the recommended formula for class 2 devices
2992 * that start ERTM timers when packets are sent to the
2993 * controller.
2994 */
2995 ertm_to = 3 * ertm_to + 500;
2996
2997 if (ertm_to > 0xffff)
2998 ertm_to = 0xffff;
2999
3000 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3001 rfc->monitor_timeout = rfc->retrans_timeout;
3002 } else {
3003 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3004 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3005 }
3006}
3007
6327eb98
AE		 3008static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3009{
3010 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3011 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3012 /* use extended control field */
3013 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3014 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3015 } else {
6327eb98 3016 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3017 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3018 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3019 }
c20f8e35 3020 chan->ack_win = chan->tx_win;
6327eb98
AE		 3021}
3022
710f9b0a 3023static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3024{
1da177e4 3025 struct l2cap_conf_req *req = data;
0c1bc5c6 3026 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3027 void *ptr = req->data;
c8f79162 3028 u16 size;
1da177e4 3029
49208c9c 3030 BT_DBG("chan %p", chan);
1da177e4 3031
73ffa904 3032 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3033 goto done;
3034
0c1bc5c6 3035 switch (chan->mode) {
f2fcfcd6
GP		 3036 case L2CAP_MODE_STREAMING:
3037 case L2CAP_MODE_ERTM:
c1360a1c 3038 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3039 break;
85eb53c6 3040
f89cef09
AE		 3041 if (__l2cap_efs_supported(chan))
3042 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3043
2ba13ed6 3044 /* fall through */
f2fcfcd6 3045 default:
8c1d787b 3046 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3047 break;
3048 }
3049
3050done:
0c1bc5c6
GP		 3051 if (chan->imtu != L2CAP_DEFAULT_MTU)
3052 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3053
0c1bc5c6 3054 switch (chan->mode) {
65c7c491 3055 case L2CAP_MODE_BASIC:
8c1d787b 3056 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3057 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3058 break;
3059
62547752
GP		 3060 rfc.mode = L2CAP_MODE_BASIC;
3061 rfc.txwin_size = 0;
3062 rfc.max_transmit = 0;
3063 rfc.retrans_timeout = 0;
3064 rfc.monitor_timeout = 0;
3065 rfc.max_pdu_size = 0;
3066
63406504 3067 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3068 (unsigned long) &rfc);
65c7c491
MH		 3069 break;
3070
3071 case L2CAP_MODE_ERTM:
3072 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3073 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3074
3075 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3076
3077 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3078 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3079 L2CAP_FCS_SIZE);
c8f79162 3080 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3081
6327eb98
AE		 3082 l2cap_txwin_setup(chan);
3083
3084 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3085 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3086
63406504 3087 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3088 (unsigned long) &rfc);
63406504 3089
f89cef09
AE		 3090 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3091 l2cap_add_opt_efs(&ptr, chan);
3092
8c1d787b 3093 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3094 break;
3095
47d1ec61 3096 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3097 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3098 chan->fcs = L2CAP_FCS_NONE;
3099 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3100 }
6327eb98
AE		 3101
3102 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3103 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3104 chan->tx_win);
f2fcfcd6
GP		 3105 break;
3106
3107 case L2CAP_MODE_STREAMING:
273759e2 3108 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3109 rfc.mode = L2CAP_MODE_STREAMING;
3110 rfc.txwin_size = 0;
3111 rfc.max_transmit = 0;
3112 rfc.retrans_timeout = 0;
3113 rfc.monitor_timeout = 0;
c8f79162
AE		 3114
3115 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3116 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3117 L2CAP_FCS_SIZE);
c8f79162 3118 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3119
63406504 3120 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3121 (unsigned long) &rfc);
63406504 3122
f89cef09
AE		 3123 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3124 l2cap_add_opt_efs(&ptr, chan);
3125
8c1d787b 3126 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3127 break;
3128
47d1ec61 3129 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3130 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3131 chan->fcs = L2CAP_FCS_NONE;
3132 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3133 }
65c7c491
MH		 3134 break;
3135 }
1da177e4 3136
fe4128e0 3137 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3138 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3139
3140 return ptr - data;
3141}
3142
73ffa904 3143static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3144{
5dee9e7c
MH		 3145 struct l2cap_conf_rsp *rsp = data;
3146 void *ptr = rsp->data;
73ffa904
GP		 3147 void *req = chan->conf_req;
3148 int len = chan->conf_len;
5dee9e7c
MH		 3149 int type, hint, olen;
3150 unsigned long val;
6464f35f 3151 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3152 struct l2cap_conf_efs efs;
3153 u8 remote_efs = 0;
861d6882 3154 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3155 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3156 u16 size;
1da177e4 3157
73ffa904 3158 BT_DBG("chan %p", chan);
820ae1b8 3159
5dee9e7c
MH		 3160 while (len >= L2CAP_CONF_OPT_SIZE) {
3161 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3162
589d2746 3163 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3164 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3165
3166 switch (type) {
3167 case L2CAP_CONF_MTU:
861d6882 3168 mtu = val;
5dee9e7c
MH		 3169 break;
3170
3171 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3172 chan->flush_to = val;
5dee9e7c
MH		 3173 break;
3174
3175 case L2CAP_CONF_QOS:
3176 break;
3177
6464f35f
MH		 3178 case L2CAP_CONF_RFC:
3179 if (olen == sizeof(rfc))
3180 memcpy(&rfc, (void *) val, olen);
3181 break;
3182
fcc203c3
GP		 3183 case L2CAP_CONF_FCS:
3184 if (val == L2CAP_FCS_NONE)
c1360a1c 3185 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3186 break;
fcc203c3 3187
42dceae2
AE		 3188 case L2CAP_CONF_EFS:
3189 remote_efs = 1;
3190 if (olen == sizeof(efs))
3191 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3192 break;
3193
6327eb98
AE		 3194 case L2CAP_CONF_EWS:
3195 if (!enable_hs)
3196 return -ECONNREFUSED;
fcc203c3 3197
6327eb98
AE		 3198 set_bit(FLAG_EXT_CTRL, &chan->flags);
3199 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3200 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3201 chan->remote_tx_win = val;
fcc203c3
GP		 3202 break;
3203
5dee9e7c
MH		 3204 default:
3205 if (hint)
3206 break;
3207
3208 result = L2CAP_CONF_UNKNOWN;
3209 *((u8 *) ptr++) = type;
3210 break;
3211 }
3212 }
3213
73ffa904 3214 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3215 goto done;
3216
0c1bc5c6 3217 switch (chan->mode) {
f2fcfcd6
GP		 3218 case L2CAP_MODE_STREAMING:
3219 case L2CAP_MODE_ERTM:
c1360a1c 3220 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3221 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3222 chan->conn->feat_mask);
85eb53c6
GP		 3223 break;
3224 }
3225
42dceae2
AE		 3226 if (remote_efs) {
3227 if (__l2cap_efs_supported(chan))
3228 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3229 else
3230 return -ECONNREFUSED;
3231 }
3232
0c1bc5c6 3233 if (chan->mode != rfc.mode)
f2fcfcd6 3234 return -ECONNREFUSED;
742e519b 3235
f2fcfcd6 3236 break;
f2fcfcd6
GP		 3237 }
3238
3239done:
0c1bc5c6 3240 if (chan->mode != rfc.mode) {
f2fcfcd6 3241 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3242 rfc.mode = chan->mode;
f2fcfcd6 3243
73ffa904 3244 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3245 return -ECONNREFUSED;
3246
2d792818
GP		 3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3248 (unsigned long) &rfc);
f2fcfcd6
GP		 3249 }
3250
5dee9e7c
MH		 3251 if (result == L2CAP_CONF_SUCCESS) {
3252 /* Configure output options and let the other side know
3253 * which ones we don't like. */
3254
f2fcfcd6
GP		 3255 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3256 result = L2CAP_CONF_UNACCEPT;
3257 else {
0c1bc5c6 3258 chan->omtu = mtu;
c1360a1c 3259 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3260 }
0c1bc5c6 3261 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3262
42dceae2
AE		 3263 if (remote_efs) {
3264 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3265 efs.stype != L2CAP_SERV_NOTRAFIC &&
3266 efs.stype != chan->local_stype) {
42dceae2
AE		 3267
3268 result = L2CAP_CONF_UNACCEPT;
3269
3270 if (chan->num_conf_req >= 1)
3271 return -ECONNREFUSED;
3272
3273 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3274 sizeof(efs),
3275 (unsigned long) &efs);
0e8b207e 3276 } else {
3e6b3b95 3277 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3278 result = L2CAP_CONF_PENDING;
3279 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3280 }
3281 }
3282
f2fcfcd6
GP		 3283 switch (rfc.mode) {
3284 case L2CAP_MODE_BASIC:
47d1ec61 3285 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3286 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3287 break;
3288
3289 case L2CAP_MODE_ERTM:
6327eb98
AE		 3290 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3291 chan->remote_tx_win = rfc.txwin_size;
3292 else
3293 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3294
2c03a7a4 3295 chan->remote_max_tx = rfc.max_transmit;
1c762159 3296
c8f79162 3297 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3298 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3299 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3300 rfc.max_pdu_size = cpu_to_le16(size);
3301 chan->remote_mps = size;
f2fcfcd6 3302
36c86c85 3303 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3304
c1360a1c 3305 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3306
3307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3308 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3309
42dceae2
AE		 3310 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3311 chan->remote_id = efs.id;
3312 chan->remote_stype = efs.stype;
3313 chan->remote_msdu = le16_to_cpu(efs.msdu);
3314 chan->remote_flush_to =
2d792818 3315 le32_to_cpu(efs.flush_to);
42dceae2 3316 chan->remote_acc_lat =
2d792818 3317 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3318 chan->remote_sdu_itime =
3319 le32_to_cpu(efs.sdu_itime);
3320 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3321 sizeof(efs),
3322 (unsigned long) &efs);
42dceae2 3323 }
f2fcfcd6
GP		 3324 break;
3325
3326 case L2CAP_MODE_STREAMING:
c8f79162 3327 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3328 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3329 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3330 rfc.max_pdu_size = cpu_to_le16(size);
3331 chan->remote_mps = size;
f2fcfcd6 3332
c1360a1c 3333 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3334
2d792818
GP		 3335 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3336 (unsigned long) &rfc);
68ae6639 3337
f2fcfcd6
GP		 3338 break;
3339
3340 default:
5dee9e7c 3341 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3342
6464f35f 3343 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3344 rfc.mode = chan->mode;
f2fcfcd6 3345 }
6464f35f 3346
f2fcfcd6 3347 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3348 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3349 }
fe4128e0 3350 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3351 rsp->result = cpu_to_le16(result);
59e54bd1 3352 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3353
3354 return ptr - data;
1da177e4
LT		 3355}
3356
2d792818
GP		 3357static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3358 void *data, u16 *result)
f2fcfcd6 3359{
f2fcfcd6
GP		 3360 struct l2cap_conf_req *req = data;
3361 void *ptr = req->data;
3362 int type, olen;
3363 unsigned long val;
36e999a8 3364 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3365 struct l2cap_conf_efs efs;
f2fcfcd6 3366
fe4128e0 3367 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3368
3369 while (len >= L2CAP_CONF_OPT_SIZE) {
3370 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3371
3372 switch (type) {
3373 case L2CAP_CONF_MTU:
3374 if (val < L2CAP_DEFAULT_MIN_MTU) {
3375 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3376 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3377 } else
0c1bc5c6
GP		 3378 chan->imtu = val;
3379 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3380 break;
3381
3382 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3383 chan->flush_to = val;
f2fcfcd6 3384 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3385 2, chan->flush_to);
f2fcfcd6
GP		 3386 break;
3387
3388 case L2CAP_CONF_RFC:
3389 if (olen == sizeof(rfc))
3390 memcpy(&rfc, (void *)val, olen);
3391
c1360a1c 3392 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3393 rfc.mode != chan->mode)
f2fcfcd6
GP		 3394 return -ECONNREFUSED;
3395
47d1ec61 3396 chan->fcs = 0;
f2fcfcd6
GP		 3397
3398 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3399 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3400 break;
6327eb98
AE		 3401
3402 case L2CAP_CONF_EWS:
c20f8e35 3403 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3404 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3405 chan->tx_win);
6327eb98 3406 break;
66af7aaf
AE		 3407
3408 case L2CAP_CONF_EFS:
3409 if (olen == sizeof(efs))
3410 memcpy(&efs, (void *)val, olen);
3411
3412 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3413 efs.stype != L2CAP_SERV_NOTRAFIC &&
3414 efs.stype != chan->local_stype)
66af7aaf
AE		 3415 return -ECONNREFUSED;
3416
2d792818
GP		 3417 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3418 (unsigned long) &efs);
66af7aaf 3419 break;
f2fcfcd6
GP		 3420 }
3421 }
3422
0c1bc5c6 3423 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3424 return -ECONNREFUSED;
3425
0c1bc5c6 3426 chan->mode = rfc.mode;
6c2ea7a8 3427
0e8b207e 3428 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3429 switch (rfc.mode) {
3430 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3431 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3432 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3433 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3434 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3435 chan->ack_win = min_t(u16, chan->ack_win,
3436 rfc.txwin_size);
66af7aaf
AE		 3437
3438 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3439 chan->local_msdu = le16_to_cpu(efs.msdu);
3440 chan->local_sdu_itime =
2d792818 3441 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3442 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3443 chan->local_flush_to =
2d792818 3444 le32_to_cpu(efs.flush_to);
66af7aaf 3445 }
f2fcfcd6 3446 break;
66af7aaf 3447
f2fcfcd6 3448 case L2CAP_MODE_STREAMING:
47d1ec61 3449 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3450 }
3451 }
3452
fe4128e0 3453 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3454 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3455
3456 return ptr - data;
3457}
3458
2d792818
GP		 3459static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3460 u16 result, u16 flags)
1da177e4
LT		 3461{
3462 struct l2cap_conf_rsp *rsp = data;
3463 void *ptr = rsp->data;
1da177e4 3464
fe4128e0 3465 BT_DBG("chan %p", chan);
1da177e4 3466
fe4128e0 3467 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3468 rsp->result = cpu_to_le16(result);
aca3192c 3469 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3470
3471 return ptr - data;
3472}
3473
8c1d787b 3474void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3475{
3476 struct l2cap_conn_rsp rsp;
8c1d787b 3477 struct l2cap_conn *conn = chan->conn;
710f9b0a
GP		 3478 u8 buf[128];
3479
fe4128e0
GP		 3480 rsp.scid = cpu_to_le16(chan->dcid);
3481 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3482 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3483 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
2d792818 3484 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710f9b0a 3485
c1360a1c 3486 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3487 return;
3488
710f9b0a 3489 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3490 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3491 chan->num_conf_req++;
3492}
3493
47d1ec61 3494static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3495{
7b1c0049
GP		 3496 int type, olen;
3497 unsigned long val;
c20f8e35
MM		 3498 /* Use sane default values in case a misbehaving remote device
3499 * did not send an RFC or extended window size option.
3500 */
3501 u16 txwin_ext = chan->ack_win;
3502 struct l2cap_conf_rfc rfc = {
3503 .mode = chan->mode,
3504 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3505 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3506 .max_pdu_size = cpu_to_le16(chan->imtu),
3507 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3508 };
7b1c0049 3509
47d1ec61 3510 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3511
0c1bc5c6 3512 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3513 return;
3514
3515 while (len >= L2CAP_CONF_OPT_SIZE) {
3516 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3517
c20f8e35
MM		 3518 switch (type) {
3519 case L2CAP_CONF_RFC:
3520 if (olen == sizeof(rfc))
3521 memcpy(&rfc, (void *)val, olen);
8f321f85 3522 break;
c20f8e35
MM		 3523 case L2CAP_CONF_EWS:
3524 txwin_ext = val;
3525 break;
3526 }
7b1c0049
GP		 3527 }
3528
7b1c0049
GP		 3529 switch (rfc.mode) {
3530 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3531 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3532 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3533 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3534 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3535 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3536 else
3537 chan->ack_win = min_t(u16, chan->ack_win,
3538 rfc.txwin_size);
7b1c0049
GP		 3539 break;
3540 case L2CAP_MODE_STREAMING:
47d1ec61 3541 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3542 }
3543}
3544
2d792818
GP		 3545static inline int l2cap_command_rej(struct l2cap_conn *conn,
3546 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3547{
e2fd318e 3548 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3549
e2fd318e 3550 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3551 return 0;
3552
3553 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3554 cmd->ident == conn->info_ident) {
17cd3f37 3555 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3556
3557 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3558 conn->info_ident = 0;
984947dc 3559
4e8402a3
MH		 3560 l2cap_conn_start(conn);
3561 }
3562
3563 return 0;
3564}
3565
1700915f
MM		 3566static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3567 struct l2cap_cmd_hdr *cmd,
3568 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3569{
1da177e4
LT		 3570 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3571 struct l2cap_conn_rsp rsp;
23691d75 3572 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3573 struct sock *parent, *sk = NULL;
e7c29cb1 3574 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3575
3576 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3577 __le16 psm = req->psm;
1da177e4 3578
097db76c 3579 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3580
3581 /* Check if we have socket listening on psm */
c2287681 3582 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3583 if (!pchan) {
1da177e4
LT		 3584 result = L2CAP_CR_BAD_PSM;
3585 goto sendresp;
3586 }
3587
23691d75
GP		 3588 parent = pchan->sk;
3589
3df91ea2 3590 mutex_lock(&conn->chan_lock);
aa2ac881 3591 lock_sock(parent);
e0f0cb56 3592
e7c29cb1 3593 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3594 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3595 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3596 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3597 result = L2CAP_CR_SEC_BLOCK;
3598 goto response;
3599 }
3600
1da177e4
LT		 3601 result = L2CAP_CR_NO_MEM;
3602
2dfa1003
GP		 3603 /* Check if we already have channel with that dcid */
3604 if (__l2cap_get_chan_by_dcid(conn, scid))
3605 goto response;
3606
80b98027 3607 chan = pchan->ops->new_connection(pchan);
80808e43 3608 if (!chan)
1da177e4
LT		 3609 goto response;
3610
80808e43
GP		 3611 sk = chan->sk;
3612
1da177e4
LT		 3613 hci_conn_hold(conn->hcon);
3614
1da177e4
LT		 3615 bacpy(&bt_sk(sk)->src, conn->src);
3616 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3617 chan->psm = psm;
3618 chan->dcid = scid;
1700915f 3619 chan->local_amp_id = amp_id;
1da177e4 3620
6be36555 3621 __l2cap_chan_add(conn, chan);
48454079 3622
fe4128e0 3623 dcid = chan->scid;
1da177e4 3624
c9b66675 3625 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3626
fc7f8a7e 3627 chan->ident = cmd->ident;
1da177e4 3628
984947dc 3629 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3630 if (l2cap_chan_check_security(chan)) {
c5daa683 3631 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3632 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3633 result = L2CAP_CR_PEND;
3634 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3635 chan->ops->defer(chan);
f66dc81f 3636 } else {
1700915f
MM		 3637 /* Force pending result for AMP controllers.
3638 * The connection will succeed after the
3639 * physical link is up.
3640 */
3641 if (amp_id) {
3642 __l2cap_state_change(chan, BT_CONNECT2);
3643 result = L2CAP_CR_PEND;
3644 } else {
3645 __l2cap_state_change(chan, BT_CONFIG);
3646 result = L2CAP_CR_SUCCESS;
3647 }
f66dc81f
MH		 3648 status = L2CAP_CS_NO_INFO;
3649 }
79d554a6 3650 } else {
0e587be7 3651 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3652 result = L2CAP_CR_PEND;
3653 status = L2CAP_CS_AUTHEN_PEND;
3654 }
3655 } else {
0e587be7 3656 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3657 result = L2CAP_CR_PEND;
3658 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3659 }
3660
1da177e4 3661response:
aa2ac881 3662 release_sock(parent);
3df91ea2 3663 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3664
3665sendresp:
aca3192c
YH		 3666 rsp.scid = cpu_to_le16(scid);
3667 rsp.dcid = cpu_to_le16(dcid);
3668 rsp.result = cpu_to_le16(result);
3669 rsp.status = cpu_to_le16(status);
4c89b6aa 3670 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3671
3672 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3673 struct l2cap_info_req info;
ac73498c 3674 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3675
3676 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3677 conn->info_ident = l2cap_get_ident(conn);
3678
ba13ccd9 3679 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3680
2d792818
GP		 3681 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3682 sizeof(info), &info);
79d554a6
MH		 3683 }
3684
c1360a1c 3685 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3686 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3687 u8 buf[128];
c1360a1c 3688 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3689 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3690 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3691 chan->num_conf_req++;
e9aeb2dd 3692 }
1700915f
MM		 3693
3694 return chan;
4c89b6aa 3695}
e9aeb2dd 3696
4c89b6aa
MM		 3697static int l2cap_connect_req(struct l2cap_conn *conn,
3698 struct l2cap_cmd_hdr *cmd, u8 *data)
3699{
300229f9 3700 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3701 return 0;
3702}
3703
5909cf30 3704static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3705 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3706{
3707 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3708 u16 scid, dcid, result, status;
48454079 3709 struct l2cap_chan *chan;
1da177e4 3710 u8 req[128];
3df91ea2 3711 int err;
1da177e4
LT		 3712
3713 scid = __le16_to_cpu(rsp->scid);
3714 dcid = __le16_to_cpu(rsp->dcid);
3715 result = __le16_to_cpu(rsp->result);
3716 status = __le16_to_cpu(rsp->status);
3717
1b009c98 3718 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3719 dcid, scid, result, status);
1da177e4 3720
3df91ea2
AE		 3721 mutex_lock(&conn->chan_lock);
3722
1da177e4 3723 if (scid) {
3df91ea2
AE		 3724 chan = __l2cap_get_chan_by_scid(conn, scid);
3725 if (!chan) {
3726 err = -EFAULT;
3727 goto unlock;
3728 }
1da177e4 3729 } else {
3df91ea2
AE		 3730 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3731 if (!chan) {
3732 err = -EFAULT;
3733 goto unlock;
3734 }
1da177e4
LT		 3735 }
3736
3df91ea2
AE		 3737 err = 0;
3738
6be36555 3739 l2cap_chan_lock(chan);
48454079 3740
1da177e4
LT		 3741 switch (result) {
3742 case L2CAP_CR_SUCCESS:
89bc500e 3743 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3744 chan->ident = 0;
fe4128e0 3745 chan->dcid = dcid;
c1360a1c 3746 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3747
c1360a1c 3748 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3749 break;
3750
1da177e4 3751 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3752 l2cap_build_conf_req(chan, req), req);
73ffa904 3753 chan->num_conf_req++;
1da177e4
LT		 3754 break;
3755
3756 case L2CAP_CR_PEND:
c1360a1c 3757 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3758 break;
3759
3760 default:
48454079 3761 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3762 break;
3763 }
3764
6be36555 3765 l2cap_chan_unlock(chan);
3df91ea2
AE		 3766
3767unlock:
3768 mutex_unlock(&conn->chan_lock);
3769
3770 return err;
1da177e4
LT		 3771}
3772
47d1ec61 3773static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3774{
3775 /* FCS is enabled only in ERTM or streaming mode, if one or both
3776 * sides request it.
3777 */
0c1bc5c6 3778 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3779 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3780 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3781 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3782}
3783
29d8a590
AE		 3784static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3785 u8 ident, u16 flags)
3786{
3787 struct l2cap_conn *conn = chan->conn;
3788
3789 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3790 flags);
3791
3792 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3793 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3794
3795 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3796 l2cap_build_conf_rsp(chan, data,
3797 L2CAP_CONF_SUCCESS, flags), data);
3798}
3799
2d792818
GP		 3800static inline int l2cap_config_req(struct l2cap_conn *conn,
3801 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3802 u8 *data)
1da177e4
LT		 3803{
3804 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3805 u16 dcid, flags;
3806 u8 rsp[64];
48454079 3807 struct l2cap_chan *chan;
3c588192 3808 int len, err = 0;
1da177e4
LT		 3809
3810 dcid = __le16_to_cpu(req->dcid);
3811 flags = __le16_to_cpu(req->flags);
3812
3813 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3814
baa7e1fa 3815 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3816 if (!chan)
1da177e4
LT		 3817 return -ENOENT;
3818
033b1142 3819 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3820 struct l2cap_cmd_rej_cid rej;
3821
ac73498c 3822 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3823 rej.scid = cpu_to_le16(chan->scid);
3824 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3825
df6bd743 3826 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3827 sizeof(rej), &rej);
354f60a9 3828 goto unlock;
df6bd743 3829 }
354f60a9 3830
5dee9e7c 3831 /* Reject if config buffer is too small. */
88219a0f 3832 len = cmd_len - sizeof(*req);
7ac28817 3833 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3834 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3835 l2cap_build_conf_rsp(chan, rsp,
3836 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3837 goto unlock;
3838 }
3839
3840 /* Store config. */
73ffa904
GP		 3841 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3842 chan->conf_len += len;
1da177e4 3843
59e54bd1 3844 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3845 /* Incomplete config. Send empty response. */
3846 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3847 l2cap_build_conf_rsp(chan, rsp,
3848 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3849 goto unlock;
3850 }
3851
3852 /* Complete config. */
73ffa904 3853 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3854 if (len < 0) {
e92c8e70 3855 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3856 goto unlock;
f2fcfcd6 3857 }
1da177e4 3858
1500109b 3859 chan->ident = cmd->ident;
5dee9e7c 3860 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3861 chan->num_conf_rsp++;
5dee9e7c 3862
5dee9e7c 3863 /* Reset config buffer. */
73ffa904 3864 chan->conf_len = 0;
5dee9e7c 3865
c1360a1c 3866 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3867 goto unlock;
3868
c1360a1c 3869 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3870 set_default_fcs(chan);
fcc203c3 3871
105bdf9e
MM		 3872 if (chan->mode == L2CAP_MODE_ERTM ||
3873 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3874 err = l2cap_ertm_init(chan);
3875
3876 if (err < 0)
3877 l2cap_send_disconn_req(chan->conn, chan, -err);
3878 else
3879 l2cap_chan_ready(chan);
0565c1c2 3880
876d9484
MH		 3881 goto unlock;
3882 }
3883
c1360a1c 3884 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3885 u8 buf[64];
1da177e4 3886 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3887 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3888 chan->num_conf_req++;
1da177e4
LT		 3889 }
3890
0e8b207e
AE		 3891 /* Got Conf Rsp PENDING from remote side and asume we sent
3892 Conf Rsp PENDING in the code above */
3893 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3894 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3895
3896 /* check compatibility */
3897
79de886d
AE		 3898 /* Send rsp for BR/EDR channel */
3899 if (!chan->ctrl_id)
3900 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3901 else
3902 chan->ident = cmd->ident;
0e8b207e
AE		 3903 }
3904
1da177e4 3905unlock:
6be36555 3906 l2cap_chan_unlock(chan);
3c588192 3907 return err;
1da177e4
LT		 3908}
3909
2d792818
GP		 3910static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3911 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3912{
3913 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3914 u16 scid, flags, result;
48454079 3915 struct l2cap_chan *chan;
61386cba 3916 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3917 int err = 0;
1da177e4
LT		 3918
3919 scid = __le16_to_cpu(rsp->scid);
3920 flags = __le16_to_cpu(rsp->flags);
3921 result = __le16_to_cpu(rsp->result);
3922
61386cba
AE		 3923 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3924 result, len);
1da177e4 3925
baa7e1fa 3926 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3927 if (!chan)
1da177e4
LT		 3928 return 0;
3929
3930 switch (result) {
3931 case L2CAP_CONF_SUCCESS:
47d1ec61 3932 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3933 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3934 break;
3935
0e8b207e
AE		 3936 case L2CAP_CONF_PENDING:
3937 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3938
3939 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3940 char buf[64];
3941
3942 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3943 buf, &result);
0e8b207e
AE		 3944 if (len < 0) {
3945 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3946 goto done;
3947 }
3948
3949 /* check compatibility */
3950
79de886d
AE		 3951 if (!chan->ctrl_id)
3952 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3953 0);
3954 else
3955 chan->ident = cmd->ident;
0e8b207e
AE		 3956 }
3957 goto done;
3958
1da177e4 3959 case L2CAP_CONF_UNACCEPT:
73ffa904 3960 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3961 char req[64];
3962
c2c77ec8 3963 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3964 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3965 goto done;
3966 }
3967
f2fcfcd6
GP		 3968 /* throw out any old stored conf requests */
3969 result = L2CAP_CONF_SUCCESS;
b4450035 3970 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3971 req, &result);
f2fcfcd6 3972 if (len < 0) {
e92c8e70 3973 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3974 goto done;
3975 }
3976
3977 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3978 L2CAP_CONF_REQ, len, req);
73ffa904 3979 chan->num_conf_req++;
f2fcfcd6
GP		 3980 if (result != L2CAP_CONF_SUCCESS)
3981 goto done;
3982 break;
1da177e4
LT		 3983 }
3984
8e87d142 3985 default:
6be36555 3986 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 3987
ba13ccd9 3988 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 3989 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 3990 goto done;
3991 }
3992
59e54bd1 3993 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 3994 goto done;
3995
c1360a1c 3996 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 3997
c1360a1c 3998 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 3999 set_default_fcs(chan);
fcc203c3 4000
105bdf9e
MM		 4001 if (chan->mode == L2CAP_MODE_ERTM ||
4002 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4003 err = l2cap_ertm_init(chan);
0565c1c2 4004
3c588192
MM		 4005 if (err < 0)
4006 l2cap_send_disconn_req(chan->conn, chan, -err);
4007 else
4008 l2cap_chan_ready(chan);
1da177e4
LT		 4009 }
4010
4011done:
6be36555 4012 l2cap_chan_unlock(chan);
3c588192 4013 return err;
1da177e4
LT		 4014}
4015
2d792818
GP		 4016static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4017 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4018{
4019 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4020 struct l2cap_disconn_rsp rsp;
4021 u16 dcid, scid;
48454079 4022 struct l2cap_chan *chan;
1da177e4
LT		 4023 struct sock *sk;
4024
4025 scid = __le16_to_cpu(req->scid);
4026 dcid = __le16_to_cpu(req->dcid);
4027
4028 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4029
3df91ea2
AE		 4030 mutex_lock(&conn->chan_lock);
4031
4032 chan = __l2cap_get_chan_by_scid(conn, dcid);
4033 if (!chan) {
4034 mutex_unlock(&conn->chan_lock);
1da177e4 4035 return 0;
3df91ea2 4036 }
1da177e4 4037
6be36555
AE		 4038 l2cap_chan_lock(chan);
4039
48454079
GP		 4040 sk = chan->sk;
4041
fe4128e0
GP		 4042 rsp.dcid = cpu_to_le16(chan->scid);
4043 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4044 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4045
6be36555 4046 lock_sock(sk);
1da177e4 4047 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4048 release_sock(sk);
1da177e4 4049
61d6ef3e 4050 l2cap_chan_hold(chan);
48454079 4051 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4052
4053 l2cap_chan_unlock(chan);
1da177e4 4054
80b98027 4055 chan->ops->close(chan);
61d6ef3e 4056 l2cap_chan_put(chan);
3df91ea2
AE		 4057
4058 mutex_unlock(&conn->chan_lock);
4059
1da177e4
LT		 4060 return 0;
4061}
4062
2d792818
GP		 4063static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4064 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4065{
4066 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4067 u16 dcid, scid;
48454079 4068 struct l2cap_chan *chan;
1da177e4
LT		 4069
4070 scid = __le16_to_cpu(rsp->scid);
4071 dcid = __le16_to_cpu(rsp->dcid);
4072
4073 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4074
3df91ea2
AE		 4075 mutex_lock(&conn->chan_lock);
4076
4077 chan = __l2cap_get_chan_by_scid(conn, scid);
4078 if (!chan) {
4079 mutex_unlock(&conn->chan_lock);
1da177e4 4080 return 0;
3df91ea2 4081 }
1da177e4 4082
6be36555 4083 l2cap_chan_lock(chan);
48454079 4084
61d6ef3e 4085 l2cap_chan_hold(chan);
48454079 4086 l2cap_chan_del(chan, 0);
6be36555
AE		 4087
4088 l2cap_chan_unlock(chan);
1da177e4 4089
80b98027 4090 chan->ops->close(chan);
61d6ef3e 4091 l2cap_chan_put(chan);
3df91ea2
AE		 4092
4093 mutex_unlock(&conn->chan_lock);
4094
1da177e4
LT		 4095 return 0;
4096}
4097
2d792818
GP		 4098static inline int l2cap_information_req(struct l2cap_conn *conn,
4099 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4100{
4101 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4102 u16 type;
4103
4104 type = __le16_to_cpu(req->type);
4105
4106 BT_DBG("type 0x%4.4x", type);
4107
f0709e03
MH		 4108 if (type == L2CAP_IT_FEAT_MASK) {
4109 u8 buf[8];
44dd46de 4110 u32 feat_mask = l2cap_feat_mask;
f0709e03 4111 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4112 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4113 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4114 if (!disable_ertm)
fcc203c3 4115 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4116 | L2CAP_FEAT_FCS;
a5fd6f30 4117 if (enable_hs)
6327eb98 4118 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4119 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4120
1b7bf4ed 4121 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4122 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4123 buf);
e1027a7c
MH		 4124 } else if (type == L2CAP_IT_FIXED_CHAN) {
4125 u8 buf[12];
4126 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4127
4128 if (enable_hs)
4129 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4130 else
4131 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4132
ac73498c
AE		 4133 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4134 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4135 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4136 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4137 buf);
f0709e03
MH		 4138 } else {
4139 struct l2cap_info_rsp rsp;
4140 rsp.type = cpu_to_le16(type);
ac73498c 4141 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4142 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4143 &rsp);
f0709e03 4144 }
1da177e4
LT		 4145
4146 return 0;
4147}
4148
2d792818
GP		 4149static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4150 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4151{
4152 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4153 u16 type, result;
4154
4155 type = __le16_to_cpu(rsp->type);
4156 result = __le16_to_cpu(rsp->result);
4157
4158 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4159
e90165be
AE		 4160 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4161 if (cmd->ident != conn->info_ident ||
2d792818 4162 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4163 return 0;
4164
17cd3f37 4165 cancel_delayed_work(&conn->info_timer);
4e8402a3 4166
adb08ede
VT		 4167 if (result != L2CAP_IR_SUCCESS) {
4168 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4169 conn->info_ident = 0;
4170
4171 l2cap_conn_start(conn);
4172
4173 return 0;
4174 }
4175
978c93b9
AE		 4176 switch (type) {
4177 case L2CAP_IT_FEAT_MASK:
83985319 4178 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4179
47ec1dcd 4180 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4181 struct l2cap_info_req req;
ac73498c 4182 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4183
4184 conn->info_ident = l2cap_get_ident(conn);
4185
4186 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4187 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4188 } else {
4189 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4190 conn->info_ident = 0;
4191
4192 l2cap_conn_start(conn);
4193 }
978c93b9
AE		 4194 break;
4195
4196 case L2CAP_IT_FIXED_CHAN:
4197 conn->fixed_chan_mask = rsp->data[0];
984947dc 4198 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4199 conn->info_ident = 0;
984947dc
MH		 4200
4201 l2cap_conn_start(conn);
978c93b9 4202 break;
984947dc 4203 }
4e8402a3 4204
1da177e4
LT		 4205 return 0;
4206}
4207
1700915f
MM		 4208static int l2cap_create_channel_req(struct l2cap_conn *conn,
4209 struct l2cap_cmd_hdr *cmd,
4210 u16 cmd_len, void *data)
f94ff6ff
MM		 4211{
4212 struct l2cap_create_chan_req *req = data;
1700915f 4213 struct l2cap_chan *chan;
f94ff6ff
MM		 4214 u16 psm, scid;
4215
4216 if (cmd_len != sizeof(*req))
4217 return -EPROTO;
4218
4219 if (!enable_hs)
4220 return -EINVAL;
4221
4222 psm = le16_to_cpu(req->psm);
4223 scid = le16_to_cpu(req->scid);
4224
ad0ac6ca 4225 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4226
1700915f
MM		 4227 if (req->amp_id) {
4228 struct hci_dev *hdev;
4229
4230 /* Validate AMP controller id */
4231 hdev = hci_dev_get(req->amp_id);
4232 if (!hdev || hdev->dev_type != HCI_AMP ||
4233 !test_bit(HCI_UP, &hdev->flags)) {
4234 struct l2cap_create_chan_rsp rsp;
4235
4236 rsp.dcid = 0;
4237 rsp.scid = cpu_to_le16(scid);
4238 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4239 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4240
4241 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4242 sizeof(rsp), &rsp);
4243
4244 if (hdev)
4245 hci_dev_put(hdev);
4246
4247 return 0;
4248 }
4249
4250 hci_dev_put(hdev);
4251 }
f94ff6ff 4252
1700915f
MM		 4253 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4254 req->amp_id);
f94ff6ff
MM		 4255
4256 return 0;
4257}
4258
8eb200bd
MM		 4259static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4260{
4261 struct l2cap_move_chan_req req;
4262 u8 ident;
4263
4264 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4265
4266 ident = l2cap_get_ident(chan->conn);
4267 chan->ident = ident;
4268
4269 req.icid = cpu_to_le16(chan->scid);
4270 req.dest_amp_id = dest_amp_id;
4271
4272 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4273 &req);
4274
4275 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4276}
4277
1500109b 4278static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4279{
4280 struct l2cap_move_chan_rsp rsp;
4281
1500109b 4282 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4283
1500109b 4284 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4285 rsp.result = cpu_to_le16(result);
4286
1500109b
MM		 4287 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4288 sizeof(rsp), &rsp);
8d5a04a1
MM		 4289}
4290
5b155ef9 4291static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4292{
4293 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4294
5b155ef9 4295 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4296
5b155ef9 4297 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4298
5b155ef9 4299 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4300 cfm.result = cpu_to_le16(result);
4301
5b155ef9
MM		 4302 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4303 sizeof(cfm), &cfm);
4304
4305 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4306}
4307
4308static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4309{
4310 struct l2cap_move_chan_cfm cfm;
4311
4312 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4313
4314 cfm.icid = cpu_to_le16(icid);
4315 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4316
4317 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4318 sizeof(cfm), &cfm);
8d5a04a1
MM		 4319}
4320
4321static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4322 u16 icid)
8d5a04a1
MM		 4323{
4324 struct l2cap_move_chan_cfm_rsp rsp;
4325
ad0ac6ca 4326 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4327
4328 rsp.icid = cpu_to_le16(icid);
4329 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4330}
4331
5f3847a4
MM		 4332static void __release_logical_link(struct l2cap_chan *chan)
4333{
4334 chan->hs_hchan = NULL;
4335 chan->hs_hcon = NULL;
4336
4337 /* Placeholder - release the logical link */
4338}
4339
1500109b
MM		 4340static void l2cap_logical_fail(struct l2cap_chan *chan)
4341{
4342 /* Logical link setup failed */
4343 if (chan->state != BT_CONNECTED) {
4344 /* Create channel failure, disconnect */
4345 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4346 return;
4347 }
4348
4349 switch (chan->move_role) {
4350 case L2CAP_MOVE_ROLE_RESPONDER:
4351 l2cap_move_done(chan);
4352 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4353 break;
4354 case L2CAP_MOVE_ROLE_INITIATOR:
4355 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4356 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4357 /* Remote has only sent pending or
4358 * success responses, clean up
4359 */
4360 l2cap_move_done(chan);
4361 }
4362
4363 /* Other amp move states imply that the move
4364 * has already aborted
4365 */
4366 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4367 break;
4368 }
4369}
4370
4371static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4372 struct hci_chan *hchan)
4373{
4374 struct l2cap_conf_rsp rsp;
4375 u8 code;
4376
4377 chan->hs_hcon = hchan->conn;
4378 chan->hs_hcon->l2cap_data = chan->conn;
4379
4380 code = l2cap_build_conf_rsp(chan, &rsp,
4381 L2CAP_CONF_SUCCESS, 0);
4382 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CONF_RSP, code,
4383 &rsp);
4384 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4385
4386 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4387 int err = 0;
4388
4389 set_default_fcs(chan);
4390
4391 err = l2cap_ertm_init(chan);
4392 if (err < 0)
4393 l2cap_send_disconn_req(chan->conn, chan, -err);
4394 else
4395 l2cap_chan_ready(chan);
4396 }
4397}
4398
4399static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4400 struct hci_chan *hchan)
4401{
4402 chan->hs_hcon = hchan->conn;
4403 chan->hs_hcon->l2cap_data = chan->conn;
4404
4405 BT_DBG("move_state %d", chan->move_state);
4406
4407 switch (chan->move_state) {
4408 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4409 /* Move confirm will be sent after a success
4410 * response is received
4411 */
4412 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4413 break;
4414 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4415 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4416 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4417 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4418 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4419 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4420 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4421 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4422 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4423 }
4424 break;
4425 default:
4426 /* Move was not in expected state, free the channel */
4427 __release_logical_link(chan);
4428
4429 chan->move_state = L2CAP_MOVE_STABLE;
4430 }
4431}
4432
4433/* Call with chan locked */
5b155ef9
MM		 4434static void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4435 u8 status)
4436{
1500109b
MM		 4437 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4438
4439 if (status) {
4440 l2cap_logical_fail(chan);
4441 __release_logical_link(chan);
4442 return;
4443 }
4444
4445 if (chan->state != BT_CONNECTED) {
4446 /* Ignore logical link if channel is on BR/EDR */
4447 if (chan->local_amp_id)
4448 l2cap_logical_finish_create(chan, hchan);
4449 } else {
4450 l2cap_logical_finish_move(chan, hchan);
4451 }
5b155ef9
MM		 4452}
4453
8eb200bd
MM		 4454static void l2cap_do_create(struct l2cap_chan *chan, int result,
4455 u8 local_amp_id, u8 remote_amp_id)
4456{
4457 if (!test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4458 struct l2cap_conn_rsp rsp;
4459 char buf[128];
4460 rsp.scid = cpu_to_le16(chan->dcid);
4461 rsp.dcid = cpu_to_le16(chan->scid);
4462
4463 /* Incoming channel on AMP */
4464 if (result == L2CAP_CR_SUCCESS) {
4465 /* Send successful response */
4466 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4467 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4468 } else {
4469 /* Send negative response */
4470 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4471 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4472 }
4473
4474 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4475 sizeof(rsp), &rsp);
4476
4477 if (result == L2CAP_CR_SUCCESS) {
4478 __l2cap_state_change(chan, BT_CONFIG);
4479 set_bit(CONF_REQ_SENT, &chan->conf_state);
4480 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4481 L2CAP_CONF_REQ,
4482 l2cap_build_conf_req(chan, buf), buf);
4483 chan->num_conf_req++;
4484 }
4485 } else {
4486 /* Outgoing channel on AMP */
4487 if (result == L2CAP_CR_SUCCESS) {
4488 chan->local_amp_id = local_amp_id;
4489 l2cap_send_create_chan_req(chan, remote_amp_id);
4490 } else {
4491 /* Revert to BR/EDR connect */
4492 l2cap_send_conn_req(chan);
4493 }
4494 }
4495}
4496
4497static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4498 u8 remote_amp_id)
4499{
4500 l2cap_move_setup(chan);
4501 chan->move_id = local_amp_id;
4502 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4503
4504 l2cap_send_move_chan_req(chan, remote_amp_id);
4505}
4506
4507static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4508{
4509 struct hci_chan *hchan = NULL;
4510
4511 /* Placeholder - get hci_chan for logical link */
4512
4513 if (hchan) {
4514 if (hchan->state == BT_CONNECTED) {
4515 /* Logical link is ready to go */
4516 chan->hs_hcon = hchan->conn;
4517 chan->hs_hcon->l2cap_data = chan->conn;
4518 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4519 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4520
4521 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4522 } else {
4523 /* Wait for logical link to be ready */
4524 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4525 }
4526 } else {
4527 /* Logical link not available */
4528 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4529 }
4530}
4531
4532static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4533{
4534 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4535 u8 rsp_result;
4536 if (result == -EINVAL)
4537 rsp_result = L2CAP_MR_BAD_ID;
4538 else
4539 rsp_result = L2CAP_MR_NOT_ALLOWED;
4540
4541 l2cap_send_move_chan_rsp(chan, rsp_result);
4542 }
4543
4544 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4545 chan->move_state = L2CAP_MOVE_STABLE;
4546
4547 /* Restart data transmission */
4548 l2cap_ertm_send(chan);
4549}
4550
4551void l2cap_physical_cfm(struct l2cap_chan *chan, int result, u8 local_amp_id,
4552 u8 remote_amp_id)
4553{
4554 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4555 chan, result, local_amp_id, remote_amp_id);
4556
4557 l2cap_chan_lock(chan);
4558
4559 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4560 l2cap_chan_unlock(chan);
4561 return;
4562 }
4563
4564 if (chan->state != BT_CONNECTED) {
4565 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4566 } else if (result != L2CAP_MR_SUCCESS) {
4567 l2cap_do_move_cancel(chan, result);
4568 } else {
4569 switch (chan->move_role) {
4570 case L2CAP_MOVE_ROLE_INITIATOR:
4571 l2cap_do_move_initiate(chan, local_amp_id,
4572 remote_amp_id);
4573 break;
4574 case L2CAP_MOVE_ROLE_RESPONDER:
4575 l2cap_do_move_respond(chan, result);
4576 break;
4577 default:
4578 l2cap_do_move_cancel(chan, result);
4579 break;
4580 }
4581 }
4582
4583 l2cap_chan_unlock(chan);
4584}
4585
8d5a04a1 4586static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4587 struct l2cap_cmd_hdr *cmd,
4588 u16 cmd_len, void *data)
8d5a04a1
MM		 4589{
4590 struct l2cap_move_chan_req *req = data;
1500109b 4591 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4592 struct l2cap_chan *chan;
8d5a04a1
MM		 4593 u16 icid = 0;
4594 u16 result = L2CAP_MR_NOT_ALLOWED;
4595
4596 if (cmd_len != sizeof(*req))
4597 return -EPROTO;
4598
4599 icid = le16_to_cpu(req->icid);
4600
ad0ac6ca 4601 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4602
4603 if (!enable_hs)
4604 return -EINVAL;
4605
02b0fbb9
MM		 4606 chan = l2cap_get_chan_by_dcid(conn, icid);
4607 if (!chan) {
1500109b
MM		 4608 rsp.icid = cpu_to_le16(icid);
4609 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4610 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4611 sizeof(rsp), &rsp);
02b0fbb9
MM		 4612 return 0;
4613 }
4614
1500109b
MM		 4615 chan->ident = cmd->ident;
4616
02b0fbb9
MM		 4617 if (chan->scid < L2CAP_CID_DYN_START ||
4618 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4619 (chan->mode != L2CAP_MODE_ERTM &&
4620 chan->mode != L2CAP_MODE_STREAMING)) {
4621 result = L2CAP_MR_NOT_ALLOWED;
4622 goto send_move_response;
4623 }
4624
4625 if (chan->local_amp_id == req->dest_amp_id) {
4626 result = L2CAP_MR_SAME_ID;
4627 goto send_move_response;
4628 }
4629
4630 if (req->dest_amp_id) {
4631 struct hci_dev *hdev;
4632 hdev = hci_dev_get(req->dest_amp_id);
4633 if (!hdev || hdev->dev_type != HCI_AMP ||
4634 !test_bit(HCI_UP, &hdev->flags)) {
4635 if (hdev)
4636 hci_dev_put(hdev);
4637
4638 result = L2CAP_MR_BAD_ID;
4639 goto send_move_response;
4640 }
4641 hci_dev_put(hdev);
4642 }
4643
4644 /* Detect a move collision. Only send a collision response
4645 * if this side has "lost", otherwise proceed with the move.
4646 * The winner has the larger bd_addr.
4647 */
4648 if ((__chan_is_moving(chan) ||
4649 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4650 bacmp(conn->src, conn->dst) > 0) {
4651 result = L2CAP_MR_COLLISION;
4652 goto send_move_response;
4653 }
4654
02b0fbb9
MM		 4655 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4656 l2cap_move_setup(chan);
4657 chan->move_id = req->dest_amp_id;
4658 icid = chan->dcid;
4659
4660 if (!req->dest_amp_id) {
4661 /* Moving to BR/EDR */
4662 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4663 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4664 result = L2CAP_MR_PEND;
4665 } else {
4666 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4667 result = L2CAP_MR_SUCCESS;
4668 }
4669 } else {
4670 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4671 /* Placeholder - uncomment when amp functions are available */
4672 /*amp_accept_physical(chan, req->dest_amp_id);*/
4673 result = L2CAP_MR_PEND;
4674 }
4675
4676send_move_response:
1500109b 4677 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4678
02b0fbb9
MM		 4679 l2cap_chan_unlock(chan);
4680
8d5a04a1
MM		 4681 return 0;
4682}
4683
5b155ef9
MM		 4684static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4685{
4686 struct l2cap_chan *chan;
4687 struct hci_chan *hchan = NULL;
4688
4689 chan = l2cap_get_chan_by_scid(conn, icid);
4690 if (!chan) {
4691 l2cap_send_move_chan_cfm_icid(conn, icid);
4692 return;
4693 }
4694
4695 __clear_chan_timer(chan);
4696 if (result == L2CAP_MR_PEND)
4697 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4698
4699 switch (chan->move_state) {
4700 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4701 /* Move confirm will be sent when logical link
4702 * is complete.
4703 */
4704 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4705 break;
4706 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4707 if (result == L2CAP_MR_PEND) {
4708 break;
4709 } else if (test_bit(CONN_LOCAL_BUSY,
4710 &chan->conn_state)) {
4711 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4712 } else {
4713 /* Logical link is up or moving to BR/EDR,
4714 * proceed with move
4715 */
4716 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4717 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4718 }
4719 break;
4720 case L2CAP_MOVE_WAIT_RSP:
4721 /* Moving to AMP */
4722 if (result == L2CAP_MR_SUCCESS) {
4723 /* Remote is ready, send confirm immediately
4724 * after logical link is ready
4725 */
4726 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4727 } else {
4728 /* Both logical link and move success
4729 * are required to confirm
4730 */
4731 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4732 }
4733
4734 /* Placeholder - get hci_chan for logical link */
4735 if (!hchan) {
4736 /* Logical link not available */
4737 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4738 break;
4739 }
4740
4741 /* If the logical link is not yet connected, do not
4742 * send confirmation.
4743 */
4744 if (hchan->state != BT_CONNECTED)
4745 break;
4746
4747 /* Logical link is already ready to go */
4748
4749 chan->hs_hcon = hchan->conn;
4750 chan->hs_hcon->l2cap_data = chan->conn;
4751
4752 if (result == L2CAP_MR_SUCCESS) {
4753 /* Can confirm now */
4754 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4755 } else {
4756 /* Now only need move success
4757 * to confirm
4758 */
4759 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4760 }
4761
4762 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4763 break;
4764 default:
4765 /* Any other amp move state means the move failed. */
4766 chan->move_id = chan->local_amp_id;
4767 l2cap_move_done(chan);
4768 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4769 }
4770
4771 l2cap_chan_unlock(chan);
4772}
4773
4774static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4775 u16 result)
4776{
4777 struct l2cap_chan *chan;
4778
4779 chan = l2cap_get_chan_by_ident(conn, ident);
4780 if (!chan) {
4781 /* Could not locate channel, icid is best guess */
4782 l2cap_send_move_chan_cfm_icid(conn, icid);
4783 return;
4784 }
4785
4786 __clear_chan_timer(chan);
4787
4788 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4789 if (result == L2CAP_MR_COLLISION) {
4790 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4791 } else {
4792 /* Cleanup - cancel move */
4793 chan->move_id = chan->local_amp_id;
4794 l2cap_move_done(chan);
4795 }
4796 }
4797
4798 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4799
4800 l2cap_chan_unlock(chan);
4801}
4802
4803static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4804 struct l2cap_cmd_hdr *cmd,
4805 u16 cmd_len, void *data)
8d5a04a1
MM		 4806{
4807 struct l2cap_move_chan_rsp *rsp = data;
4808 u16 icid, result;
4809
4810 if (cmd_len != sizeof(*rsp))
4811 return -EPROTO;
4812
4813 icid = le16_to_cpu(rsp->icid);
4814 result = le16_to_cpu(rsp->result);
4815
ad0ac6ca 4816 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4817
5b155ef9
MM		 4818 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4819 l2cap_move_continue(conn, icid, result);
4820 else
4821 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4822
4823 return 0;
4824}
4825
5f3847a4
MM		 4826static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4827 struct l2cap_cmd_hdr *cmd,
4828 u16 cmd_len, void *data)
8d5a04a1
MM		 4829{
4830 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4831 struct l2cap_chan *chan;
8d5a04a1
MM		 4832 u16 icid, result;
4833
4834 if (cmd_len != sizeof(*cfm))
4835 return -EPROTO;
4836
4837 icid = le16_to_cpu(cfm->icid);
4838 result = le16_to_cpu(cfm->result);
4839
ad0ac6ca 4840 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4841
5f3847a4
MM		 4842 chan = l2cap_get_chan_by_dcid(conn, icid);
4843 if (!chan) {
4844 /* Spec requires a response even if the icid was not found */
4845 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4846 return 0;
4847 }
4848
4849 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4850 if (result == L2CAP_MC_CONFIRMED) {
4851 chan->local_amp_id = chan->move_id;
4852 if (!chan->local_amp_id)
4853 __release_logical_link(chan);
4854 } else {
4855 chan->move_id = chan->local_amp_id;
4856 }
4857
4858 l2cap_move_done(chan);
4859 }
4860
8d5a04a1
MM		 4861 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4862
5f3847a4
MM		 4863 l2cap_chan_unlock(chan);
4864
8d5a04a1
MM		 4865 return 0;
4866}
4867
4868static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4869 struct l2cap_cmd_hdr *cmd,
4870 u16 cmd_len, void *data)
8d5a04a1
MM		 4871{
4872 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4873 struct l2cap_chan *chan;
8d5a04a1
MM		 4874 u16 icid;
4875
4876 if (cmd_len != sizeof(*rsp))
4877 return -EPROTO;
4878
4879 icid = le16_to_cpu(rsp->icid);
4880
ad0ac6ca 4881 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4882
3fd71a0a
MM		 4883 chan = l2cap_get_chan_by_scid(conn, icid);
4884 if (!chan)
4885 return 0;
4886
4887 __clear_chan_timer(chan);
4888
4889 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4890 chan->local_amp_id = chan->move_id;
4891
4892 if (!chan->local_amp_id && chan->hs_hchan)
4893 __release_logical_link(chan);
4894
4895 l2cap_move_done(chan);
4896 }
4897
4898 l2cap_chan_unlock(chan);
4899
8d5a04a1
MM		 4900 return 0;
4901}
4902
e2174ca4 4903static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4904 u16 to_multiplier)
de73115a
CT		 4905{
4906 u16 max_latency;
4907
4908 if (min > max || min < 6 || max > 3200)
4909 return -EINVAL;
4910
4911 if (to_multiplier < 10 || to_multiplier > 3200)
4912 return -EINVAL;
4913
4914 if (max >= to_multiplier * 8)
4915 return -EINVAL;
4916
4917 max_latency = (to_multiplier * 8 / max) - 1;
4918 if (latency > 499 || latency > max_latency)
4919 return -EINVAL;
4920
4921 return 0;
4922}
4923
4924static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4925 struct l2cap_cmd_hdr *cmd,
4926 u8 *data)
de73115a
CT		 4927{
4928 struct hci_conn *hcon = conn->hcon;
4929 struct l2cap_conn_param_update_req *req;
4930 struct l2cap_conn_param_update_rsp rsp;
4931 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4932 int err;
de73115a
CT		 4933
4934 if (!(hcon->link_mode & HCI_LM_MASTER))
4935 return -EINVAL;
4936
4937 cmd_len = __le16_to_cpu(cmd->len);
4938 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4939 return -EPROTO;
4940
4941 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4942 min = __le16_to_cpu(req->min);
4943 max = __le16_to_cpu(req->max);
de73115a
CT		 4944 latency = __le16_to_cpu(req->latency);
4945 to_multiplier = __le16_to_cpu(req->to_multiplier);
4946
4947 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4948 min, max, latency, to_multiplier);
de73115a
CT		 4949
4950 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4951
4952 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4953 if (err)
ac73498c 4954 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4955 else
ac73498c 4956 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4957
4958 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4959 sizeof(rsp), &rsp);
de73115a 4960
2ce603eb
CT		 4961 if (!err)
4962 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4963
de73115a
CT		 4964 return 0;
4965}
4966
3300d9a9 4967static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 4968 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4969 u8 *data)
3300d9a9
CT		 4970{
4971 int err = 0;
4972
4973 switch (cmd->code) {
4974 case L2CAP_COMMAND_REJ:
4975 l2cap_command_rej(conn, cmd, data);
4976 break;
4977
4978 case L2CAP_CONN_REQ:
4979 err = l2cap_connect_req(conn, cmd, data);
4980 break;
4981
4982 case L2CAP_CONN_RSP:
f5a2598d 4983 case L2CAP_CREATE_CHAN_RSP:
5909cf30 4984 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 4985 break;
4986
4987 case L2CAP_CONF_REQ:
4988 err = l2cap_config_req(conn, cmd, cmd_len, data);
4989 break;
4990
4991 case L2CAP_CONF_RSP:
4992 err = l2cap_config_rsp(conn, cmd, data);
4993 break;
4994
4995 case L2CAP_DISCONN_REQ:
4996 err = l2cap_disconnect_req(conn, cmd, data);
4997 break;
4998
4999 case L2CAP_DISCONN_RSP:
5000 err = l2cap_disconnect_rsp(conn, cmd, data);
5001 break;
5002
5003 case L2CAP_ECHO_REQ:
5004 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5005 break;
5006
5007 case L2CAP_ECHO_RSP:
5008 break;
5009
5010 case L2CAP_INFO_REQ:
5011 err = l2cap_information_req(conn, cmd, data);
5012 break;
5013
5014 case L2CAP_INFO_RSP:
5015 err = l2cap_information_rsp(conn, cmd, data);
5016 break;
5017
f94ff6ff
MM		 5018 case L2CAP_CREATE_CHAN_REQ:
5019 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5020 break;
5021
8d5a04a1
MM		 5022 case L2CAP_MOVE_CHAN_REQ:
5023 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5024 break;
5025
5026 case L2CAP_MOVE_CHAN_RSP:
5027 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5028 break;
5029
5030 case L2CAP_MOVE_CHAN_CFM:
5031 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5032 break;
5033
5034 case L2CAP_MOVE_CHAN_CFM_RSP:
5035 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5036 break;
5037
3300d9a9
CT		 5038 default:
5039 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5040 err = -EINVAL;
5041 break;
5042 }
5043
5044 return err;
5045}
5046
5047static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5048 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5049{
5050 switch (cmd->code) {
5051 case L2CAP_COMMAND_REJ:
5052 return 0;
5053
5054 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5055 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5056
5057 case L2CAP_CONN_PARAM_UPDATE_RSP:
5058 return 0;
5059
5060 default:
5061 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5062 return -EINVAL;
5063 }
5064}
5065
5066static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5067 struct sk_buff *skb)
1da177e4
LT		 5068{
5069 u8 *data = skb->data;
5070 int len = skb->len;
5071 struct l2cap_cmd_hdr cmd;
3300d9a9 5072 int err;
1da177e4
LT		 5073
5074 l2cap_raw_recv(conn, skb);
5075
5076 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5077 u16 cmd_len;
1da177e4
LT		 5078 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5079 data += L2CAP_CMD_HDR_SIZE;
5080 len -= L2CAP_CMD_HDR_SIZE;
5081
88219a0f 5082 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5083
2d792818
GP		 5084 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5085 cmd.ident);
1da177e4 5086
88219a0f 5087 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5088 BT_DBG("corrupted command");
5089 break;
5090 }
5091
3300d9a9
CT		 5092 if (conn->hcon->type == LE_LINK)
5093 err = l2cap_le_sig_cmd(conn, &cmd, data);
5094 else
5095 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5096
5097 if (err) {
e2fd318e 5098 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5099
5100 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5101
5102 /* FIXME: Map err to a valid reason */
ac73498c 5103 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5104 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5105 sizeof(rej), &rej);
1da177e4
LT		 5106 }
5107
88219a0f
AV		 5108 data += cmd_len;
5109 len -= cmd_len;
1da177e4
LT		 5110 }
5111
5112 kfree_skb(skb);
5113}
5114
47d1ec61 5115static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5116{
5117 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5118 int hdr_size;
5119
5120 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5121 hdr_size = L2CAP_EXT_HDR_SIZE;
5122 else
5123 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5124
47d1ec61 5125 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5126 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5127 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5128 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5129
5130 if (our_fcs != rcv_fcs)
7a560e5c 5131 return -EBADMSG;
fcc203c3
GP		 5132 }
5133 return 0;
5134}
5135
6ea00485 5136static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5137{
e31f7633 5138 struct l2cap_ctrl control;
d5392c8f 5139
e31f7633 5140 BT_DBG("chan %p", chan);
d5392c8f 5141
e31f7633
MM		 5142 memset(&control, 0, sizeof(control));
5143 control.sframe = 1;
5144 control.final = 1;
5145 control.reqseq = chan->buffer_seq;
5146 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5147
e2ab4353 5148 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5149 control.super = L2CAP_SUPER_RNR;
5150 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5151 }
5152
e31f7633
MM		 5153 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5154 chan->unacked_frames > 0)
5155 __set_retrans_timer(chan);
d5392c8f 5156
e31f7633 5157 /* Send pending iframes */
525cd185 5158 l2cap_ertm_send(chan);
d5392c8f 5159
e2ab4353 5160 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5161 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5162 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5163 * send it now.
5164 */
5165 control.super = L2CAP_SUPER_RR;
5166 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5167 }
5168}
5169
2d792818
GP		 5170static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5171 struct sk_buff **last_frag)
18778a63 5172{
84084a31
MM		 5173 /* skb->len reflects data in skb as well as all fragments
5174 * skb->data_len reflects only data in fragments
5175 */
5176 if (!skb_has_frag_list(skb))
5177 skb_shinfo(skb)->frag_list = new_frag;
5178
5179 new_frag->next = NULL;
5180
5181 (*last_frag)->next = new_frag;
5182 *last_frag = new_frag;
5183
5184 skb->len += new_frag->len;
5185 skb->data_len += new_frag->len;
5186 skb->truesize += new_frag->truesize;
5187}
5188
4b51dae9
MM		 5189static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5190 struct l2cap_ctrl *control)
84084a31
MM		 5191{
5192 int err = -EINVAL;
18778a63 5193
4b51dae9 5194 switch (control->sar) {
7e0ef6ee 5195 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5196 if (chan->sdu)
5197 break;
18778a63 5198
80b98027 5199 err = chan->ops->recv(chan, skb);
84084a31 5200 break;
18778a63 5201
7e0ef6ee 5202 case L2CAP_SAR_START:
84084a31
MM		 5203 if (chan->sdu)
5204 break;
18778a63 5205
6f61fd47 5206 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5207 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5208
84084a31
MM		 5209 if (chan->sdu_len > chan->imtu) {
5210 err = -EMSGSIZE;
5211 break;
5212 }
1890d36b 5213
84084a31
MM		 5214 if (skb->len >= chan->sdu_len)
5215 break;
18778a63 5216
84084a31
MM		 5217 chan->sdu = skb;
5218 chan->sdu_last_frag = skb;
18778a63 5219
84084a31
MM		 5220 skb = NULL;
5221 err = 0;
18778a63
GP		 5222 break;
5223
7e0ef6ee 5224 case L2CAP_SAR_CONTINUE:
6f61fd47 5225 if (!chan->sdu)
84084a31 5226 break;
18778a63 5227
84084a31
MM		 5228 append_skb_frag(chan->sdu, skb,
5229 &chan->sdu_last_frag);
5230 skb = NULL;
18778a63 5231
84084a31
MM		 5232 if (chan->sdu->len >= chan->sdu_len)
5233 break;
4178ba46 5234
84084a31 5235 err = 0;
18778a63
GP		 5236 break;
5237
7e0ef6ee 5238 case L2CAP_SAR_END:
6f61fd47 5239 if (!chan->sdu)
84084a31 5240 break;
18778a63 5241
84084a31
MM		 5242 append_skb_frag(chan->sdu, skb,
5243 &chan->sdu_last_frag);
5244 skb = NULL;
4178ba46 5245
84084a31
MM		 5246 if (chan->sdu->len != chan->sdu_len)
5247 break;
18778a63 5248
80b98027 5249 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5250
84084a31
MM		 5251 if (!err) {
5252 /* Reassembly complete */
5253 chan->sdu = NULL;
5254 chan->sdu_last_frag = NULL;
5255 chan->sdu_len = 0;
1890d36b 5256 }
18778a63
GP		 5257 break;
5258 }
5259
84084a31
MM		 5260 if (err) {
5261 kfree_skb(skb);
5262 kfree_skb(chan->sdu);
5263 chan->sdu = NULL;
5264 chan->sdu_last_frag = NULL;
5265 chan->sdu_len = 0;
5266 }
18778a63 5267
84084a31 5268 return err;
18778a63
GP		 5269}
5270
32b32735
MM		 5271static int l2cap_resegment(struct l2cap_chan *chan)
5272{
5273 /* Placeholder */
5274 return 0;
5275}
5276
61aa4f5b 5277void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5278{
61aa4f5b 5279 u8 event;
712132eb 5280
61aa4f5b
MM		 5281 if (chan->mode != L2CAP_MODE_ERTM)
5282 return;
712132eb 5283
61aa4f5b 5284 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5285 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5286}
5287
d2a7ac5d
MM		 5288static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5289{
63838725
MM		 5290 int err = 0;
5291 /* Pass sequential frames to l2cap_reassemble_sdu()
5292 * until a gap is encountered.
5293 */
5294
5295 BT_DBG("chan %p", chan);
5296
5297 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5298 struct sk_buff *skb;
5299 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5300 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5301
5302 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5303
5304 if (!skb)
5305 break;
5306
5307 skb_unlink(skb, &chan->srej_q);
5308 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5309 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5310 if (err)
5311 break;
5312 }
5313
5314 if (skb_queue_empty(&chan->srej_q)) {
5315 chan->rx_state = L2CAP_RX_STATE_RECV;
5316 l2cap_send_ack(chan);
5317 }
5318
5319 return err;
d2a7ac5d
MM		 5320}
5321
5322static void l2cap_handle_srej(struct l2cap_chan *chan,
5323 struct l2cap_ctrl *control)
5324{
f80842a8
MM		 5325 struct sk_buff *skb;
5326
5327 BT_DBG("chan %p, control %p", chan, control);
5328
5329 if (control->reqseq == chan->next_tx_seq) {
5330 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5331 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5332 return;
5333 }
5334
5335 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5336
5337 if (skb == NULL) {
5338 BT_DBG("Seq %d not available for retransmission",
5339 control->reqseq);
5340 return;
5341 }
5342
5343 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5344 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5345 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5346 return;
5347 }
5348
5349 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5350
5351 if (control->poll) {
5352 l2cap_pass_to_tx(chan, control);
5353
5354 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5355 l2cap_retransmit(chan, control);
5356 l2cap_ertm_send(chan);
5357
5358 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5359 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5360 chan->srej_save_reqseq = control->reqseq;
5361 }
5362 } else {
5363 l2cap_pass_to_tx_fbit(chan, control);
5364
5365 if (control->final) {
5366 if (chan->srej_save_reqseq != control->reqseq ||
5367 !test_and_clear_bit(CONN_SREJ_ACT,
5368 &chan->conn_state))
5369 l2cap_retransmit(chan, control);
5370 } else {
5371 l2cap_retransmit(chan, control);
5372 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5373 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5374 chan->srej_save_reqseq = control->reqseq;
5375 }
5376 }
5377 }
d2a7ac5d
MM		 5378}
5379
5380static void l2cap_handle_rej(struct l2cap_chan *chan,
5381 struct l2cap_ctrl *control)
5382{
fcd289df
MM		 5383 struct sk_buff *skb;
5384
5385 BT_DBG("chan %p, control %p", chan, control);
5386
5387 if (control->reqseq == chan->next_tx_seq) {
5388 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5389 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5390 return;
5391 }
5392
5393 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5394
5395 if (chan->max_tx && skb &&
5396 bt_cb(skb)->control.retries >= chan->max_tx) {
5397 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5398 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5399 return;
5400 }
5401
5402 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5403
5404 l2cap_pass_to_tx(chan, control);
5405
5406 if (control->final) {
5407 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5408 l2cap_retransmit_all(chan, control);
5409 } else {
5410 l2cap_retransmit_all(chan, control);
5411 l2cap_ertm_send(chan);
5412 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5413 set_bit(CONN_REJ_ACT, &chan->conn_state);
5414 }
d2a7ac5d
MM		 5415}
5416
4b51dae9
MM		 5417static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5418{
5419 BT_DBG("chan %p, txseq %d", chan, txseq);
5420
5421 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5422 chan->expected_tx_seq);
5423
5424 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5425 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5426 chan->tx_win) {
4b51dae9
MM		 5427 /* See notes below regarding "double poll" and
5428 * invalid packets.
5429 */
5430 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5431 BT_DBG("Invalid/Ignore - after SREJ");
5432 return L2CAP_TXSEQ_INVALID_IGNORE;
5433 } else {
5434 BT_DBG("Invalid - in window after SREJ sent");
5435 return L2CAP_TXSEQ_INVALID;
5436 }
5437 }
5438
5439 if (chan->srej_list.head == txseq) {
5440 BT_DBG("Expected SREJ");
5441 return L2CAP_TXSEQ_EXPECTED_SREJ;
5442 }
5443
5444 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5445 BT_DBG("Duplicate SREJ - txseq already stored");
5446 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5447 }
5448
5449 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5450 BT_DBG("Unexpected SREJ - not requested");
5451 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5452 }
5453 }
5454
5455 if (chan->expected_tx_seq == txseq) {
5456 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5457 chan->tx_win) {
5458 BT_DBG("Invalid - txseq outside tx window");
5459 return L2CAP_TXSEQ_INVALID;
5460 } else {
5461 BT_DBG("Expected");
5462 return L2CAP_TXSEQ_EXPECTED;
5463 }
5464 }
5465
5466 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5467 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5468 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5469 return L2CAP_TXSEQ_DUPLICATE;
5470 }
5471
5472 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5473 /* A source of invalid packets is a "double poll" condition,
5474 * where delays cause us to send multiple poll packets. If
5475 * the remote stack receives and processes both polls,
5476 * sequence numbers can wrap around in such a way that a
5477 * resent frame has a sequence number that looks like new data
5478 * with a sequence gap. This would trigger an erroneous SREJ
5479 * request.
5480 *
5481 * Fortunately, this is impossible with a tx window that's
5482 * less than half of the maximum sequence number, which allows
5483 * invalid frames to be safely ignored.
5484 *
5485 * With tx window sizes greater than half of the tx window
5486 * maximum, the frame is invalid and cannot be ignored. This
5487 * causes a disconnect.
5488 */
5489
5490 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5491 BT_DBG("Invalid/Ignore - txseq outside tx window");
5492 return L2CAP_TXSEQ_INVALID_IGNORE;
5493 } else {
5494 BT_DBG("Invalid - txseq outside tx window");
5495 return L2CAP_TXSEQ_INVALID;
5496 }
5497 } else {
5498 BT_DBG("Unexpected - txseq indicates missing frames");
5499 return L2CAP_TXSEQ_UNEXPECTED;
5500 }
5501}
5502
d2a7ac5d
MM		 5503static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5504 struct l2cap_ctrl *control,
5505 struct sk_buff *skb, u8 event)
5506{
5507 int err = 0;
5508 bool skb_in_use = 0;
5509
5510 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5511 event);
5512
5513 switch (event) {
5514 case L2CAP_EV_RECV_IFRAME:
5515 switch (l2cap_classify_txseq(chan, control->txseq)) {
5516 case L2CAP_TXSEQ_EXPECTED:
5517 l2cap_pass_to_tx(chan, control);
5518
5519 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5520 BT_DBG("Busy, discarding expected seq %d",
5521 control->txseq);
5522 break;
5523 }
5524
5525 chan->expected_tx_seq = __next_seq(chan,
5526 control->txseq);
5527
5528 chan->buffer_seq = chan->expected_tx_seq;
5529 skb_in_use = 1;
5530
5531 err = l2cap_reassemble_sdu(chan, skb, control);
5532 if (err)
5533 break;
5534
5535 if (control->final) {
5536 if (!test_and_clear_bit(CONN_REJ_ACT,
5537 &chan->conn_state)) {
5538 control->final = 0;
5539 l2cap_retransmit_all(chan, control);
5540 l2cap_ertm_send(chan);
5541 }
5542 }
5543
5544 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5545 l2cap_send_ack(chan);
5546 break;
5547 case L2CAP_TXSEQ_UNEXPECTED:
5548 l2cap_pass_to_tx(chan, control);
5549
5550 /* Can't issue SREJ frames in the local busy state.
5551 * Drop this frame, it will be seen as missing
5552 * when local busy is exited.
5553 */
5554 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5555 BT_DBG("Busy, discarding unexpected seq %d",
5556 control->txseq);
5557 break;
5558 }
5559
5560 /* There was a gap in the sequence, so an SREJ
5561 * must be sent for each missing frame. The
5562 * current frame is stored for later use.
5563 */
5564 skb_queue_tail(&chan->srej_q, skb);
5565 skb_in_use = 1;
5566 BT_DBG("Queued %p (queue len %d)", skb,
5567 skb_queue_len(&chan->srej_q));
5568
5569 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5570 l2cap_seq_list_clear(&chan->srej_list);
5571 l2cap_send_srej(chan, control->txseq);
5572
5573 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5574 break;
5575 case L2CAP_TXSEQ_DUPLICATE:
5576 l2cap_pass_to_tx(chan, control);
5577 break;
5578 case L2CAP_TXSEQ_INVALID_IGNORE:
5579 break;
5580 case L2CAP_TXSEQ_INVALID:
5581 default:
5582 l2cap_send_disconn_req(chan->conn, chan,
5583 ECONNRESET);
5584 break;
5585 }
5586 break;
5587 case L2CAP_EV_RECV_RR:
5588 l2cap_pass_to_tx(chan, control);
5589 if (control->final) {
5590 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5591
5592 if (!test_and_clear_bit(CONN_REJ_ACT,
5593 &chan->conn_state)) {
5594 control->final = 0;
5595 l2cap_retransmit_all(chan, control);
5596 }
5597
5598 l2cap_ertm_send(chan);
5599 } else if (control->poll) {
5600 l2cap_send_i_or_rr_or_rnr(chan);
5601 } else {
5602 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5603 &chan->conn_state) &&
5604 chan->unacked_frames)
5605 __set_retrans_timer(chan);
5606
5607 l2cap_ertm_send(chan);
5608 }
5609 break;
5610 case L2CAP_EV_RECV_RNR:
5611 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5612 l2cap_pass_to_tx(chan, control);
5613 if (control && control->poll) {
5614 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5615 l2cap_send_rr_or_rnr(chan, 0);
5616 }
5617 __clear_retrans_timer(chan);
5618 l2cap_seq_list_clear(&chan->retrans_list);
5619 break;
5620 case L2CAP_EV_RECV_REJ:
5621 l2cap_handle_rej(chan, control);
5622 break;
5623 case L2CAP_EV_RECV_SREJ:
5624 l2cap_handle_srej(chan, control);
5625 break;
5626 default:
5627 break;
5628 }
5629
5630 if (skb && !skb_in_use) {
5631 BT_DBG("Freeing %p", skb);
5632 kfree_skb(skb);
5633 }
5634
5635 return err;
5636}
5637
5638static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5639 struct l2cap_ctrl *control,
5640 struct sk_buff *skb, u8 event)
5641{
5642 int err = 0;
5643 u16 txseq = control->txseq;
5644 bool skb_in_use = 0;
5645
5646 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5647 event);
5648
5649 switch (event) {
5650 case L2CAP_EV_RECV_IFRAME:
5651 switch (l2cap_classify_txseq(chan, txseq)) {
5652 case L2CAP_TXSEQ_EXPECTED:
5653 /* Keep frame for reassembly later */
5654 l2cap_pass_to_tx(chan, control);
5655 skb_queue_tail(&chan->srej_q, skb);
5656 skb_in_use = 1;
5657 BT_DBG("Queued %p (queue len %d)", skb,
5658 skb_queue_len(&chan->srej_q));
5659
5660 chan->expected_tx_seq = __next_seq(chan, txseq);
5661 break;
5662 case L2CAP_TXSEQ_EXPECTED_SREJ:
5663 l2cap_seq_list_pop(&chan->srej_list);
5664
5665 l2cap_pass_to_tx(chan, control);
5666 skb_queue_tail(&chan->srej_q, skb);
5667 skb_in_use = 1;
5668 BT_DBG("Queued %p (queue len %d)", skb,
5669 skb_queue_len(&chan->srej_q));
5670
5671 err = l2cap_rx_queued_iframes(chan);
5672 if (err)
5673 break;
5674
5675 break;
5676 case L2CAP_TXSEQ_UNEXPECTED:
5677 /* Got a frame that can't be reassembled yet.
5678 * Save it for later, and send SREJs to cover
5679 * the missing frames.
5680 */
5681 skb_queue_tail(&chan->srej_q, skb);
5682 skb_in_use = 1;
5683 BT_DBG("Queued %p (queue len %d)", skb,
5684 skb_queue_len(&chan->srej_q));
5685
5686 l2cap_pass_to_tx(chan, control);
5687 l2cap_send_srej(chan, control->txseq);
5688 break;
5689 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5690 /* This frame was requested with an SREJ, but
5691 * some expected retransmitted frames are
5692 * missing. Request retransmission of missing
5693 * SREJ'd frames.
5694 */
5695 skb_queue_tail(&chan->srej_q, skb);
5696 skb_in_use = 1;
5697 BT_DBG("Queued %p (queue len %d)", skb,
5698 skb_queue_len(&chan->srej_q));
5699
5700 l2cap_pass_to_tx(chan, control);
5701 l2cap_send_srej_list(chan, control->txseq);
5702 break;
5703 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5704 /* We've already queued this frame. Drop this copy. */
5705 l2cap_pass_to_tx(chan, control);
5706 break;
5707 case L2CAP_TXSEQ_DUPLICATE:
5708 /* Expecting a later sequence number, so this frame
5709 * was already received. Ignore it completely.
5710 */
5711 break;
5712 case L2CAP_TXSEQ_INVALID_IGNORE:
5713 break;
5714 case L2CAP_TXSEQ_INVALID:
5715 default:
5716 l2cap_send_disconn_req(chan->conn, chan,
5717 ECONNRESET);
5718 break;
5719 }
5720 break;
5721 case L2CAP_EV_RECV_RR:
5722 l2cap_pass_to_tx(chan, control);
5723 if (control->final) {
5724 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5725
5726 if (!test_and_clear_bit(CONN_REJ_ACT,
5727 &chan->conn_state)) {
5728 control->final = 0;
5729 l2cap_retransmit_all(chan, control);
5730 }
5731
5732 l2cap_ertm_send(chan);
5733 } else if (control->poll) {
5734 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5735 &chan->conn_state) &&
5736 chan->unacked_frames) {
5737 __set_retrans_timer(chan);
5738 }
5739
5740 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5741 l2cap_send_srej_tail(chan);
5742 } else {
5743 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5744 &chan->conn_state) &&
5745 chan->unacked_frames)
5746 __set_retrans_timer(chan);
5747
5748 l2cap_send_ack(chan);
5749 }
5750 break;
5751 case L2CAP_EV_RECV_RNR:
5752 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5753 l2cap_pass_to_tx(chan, control);
5754 if (control->poll) {
5755 l2cap_send_srej_tail(chan);
5756 } else {
5757 struct l2cap_ctrl rr_control;
5758 memset(&rr_control, 0, sizeof(rr_control));
5759 rr_control.sframe = 1;
5760 rr_control.super = L2CAP_SUPER_RR;
5761 rr_control.reqseq = chan->buffer_seq;
5762 l2cap_send_sframe(chan, &rr_control);
5763 }
5764
5765 break;
5766 case L2CAP_EV_RECV_REJ:
5767 l2cap_handle_rej(chan, control);
5768 break;
5769 case L2CAP_EV_RECV_SREJ:
5770 l2cap_handle_srej(chan, control);
5771 break;
5772 }
5773
5774 if (skb && !skb_in_use) {
5775 BT_DBG("Freeing %p", skb);
5776 kfree_skb(skb);
5777 }
5778
5779 return err;
5780}
5781
32b32735
MM		 5782static int l2cap_finish_move(struct l2cap_chan *chan)
5783{
5784 BT_DBG("chan %p", chan);
5785
5786 chan->rx_state = L2CAP_RX_STATE_RECV;
5787
5788 if (chan->hs_hcon)
5789 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5790 else
5791 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5792
5793 return l2cap_resegment(chan);
5794}
5795
5796static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5797 struct l2cap_ctrl *control,
5798 struct sk_buff *skb, u8 event)
5799{
5800 int err;
5801
5802 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5803 event);
5804
5805 if (!control->poll)
5806 return -EPROTO;
5807
5808 l2cap_process_reqseq(chan, control->reqseq);
5809
5810 if (!skb_queue_empty(&chan->tx_q))
5811 chan->tx_send_head = skb_peek(&chan->tx_q);
5812 else
5813 chan->tx_send_head = NULL;
5814
5815 /* Rewind next_tx_seq to the point expected
5816 * by the receiver.
5817 */
5818 chan->next_tx_seq = control->reqseq;
5819 chan->unacked_frames = 0;
5820
5821 err = l2cap_finish_move(chan);
5822 if (err)
5823 return err;
5824
5825 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5826 l2cap_send_i_or_rr_or_rnr(chan);
5827
5828 if (event == L2CAP_EV_RECV_IFRAME)
5829 return -EPROTO;
5830
5831 return l2cap_rx_state_recv(chan, control, NULL, event);
5832}
5833
5834static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5835 struct l2cap_ctrl *control,
5836 struct sk_buff *skb, u8 event)
5837{
5838 int err;
5839
5840 if (!control->final)
5841 return -EPROTO;
5842
5843 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5844
5845 chan->rx_state = L2CAP_RX_STATE_RECV;
5846 l2cap_process_reqseq(chan, control->reqseq);
5847
5848 if (!skb_queue_empty(&chan->tx_q))
5849 chan->tx_send_head = skb_peek(&chan->tx_q);
5850 else
5851 chan->tx_send_head = NULL;
5852
5853 /* Rewind next_tx_seq to the point expected
5854 * by the receiver.
5855 */
5856 chan->next_tx_seq = control->reqseq;
5857 chan->unacked_frames = 0;
5858
5859 if (chan->hs_hcon)
5860 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5861 else
5862 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5863
5864 err = l2cap_resegment(chan);
5865
5866 if (!err)
5867 err = l2cap_rx_state_recv(chan, control, skb, event);
5868
5869 return err;
5870}
5871
d2a7ac5d
MM		 5872static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5873{
5874 /* Make sure reqseq is for a packet that has been sent but not acked */
5875 u16 unacked;
5876
5877 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5878 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5879}
5880
cec8ab6e
MM		 5881static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5882 struct sk_buff *skb, u8 event)
218bb9df 5883{
d2a7ac5d
MM		 5884 int err = 0;
5885
5886 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5887 control, skb, event, chan->rx_state);
5888
5889 if (__valid_reqseq(chan, control->reqseq)) {
5890 switch (chan->rx_state) {
5891 case L2CAP_RX_STATE_RECV:
5892 err = l2cap_rx_state_recv(chan, control, skb, event);
5893 break;
5894 case L2CAP_RX_STATE_SREJ_SENT:
5895 err = l2cap_rx_state_srej_sent(chan, control, skb,
5896 event);
5897 break;
32b32735
MM		 5898 case L2CAP_RX_STATE_WAIT_P:
5899 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5900 break;
5901 case L2CAP_RX_STATE_WAIT_F:
5902 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5903 break;
d2a7ac5d
MM		 5904 default:
5905 /* shut it down */
5906 break;
5907 }
5908 } else {
5909 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5910 control->reqseq, chan->next_tx_seq,
5911 chan->expected_ack_seq);
5912 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5913 }
5914
5915 return err;
cec8ab6e
MM		 5916}
5917
5918static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5919 struct sk_buff *skb)
5920{
4b51dae9
MM		 5921 int err = 0;
5922
5923 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5924 chan->rx_state);
5925
5926 if (l2cap_classify_txseq(chan, control->txseq) ==
5927 L2CAP_TXSEQ_EXPECTED) {
5928 l2cap_pass_to_tx(chan, control);
5929
5930 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5931 __next_seq(chan, chan->buffer_seq));
5932
5933 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5934
5935 l2cap_reassemble_sdu(chan, skb, control);
5936 } else {
5937 if (chan->sdu) {
5938 kfree_skb(chan->sdu);
5939 chan->sdu = NULL;
5940 }
5941 chan->sdu_last_frag = NULL;
5942 chan->sdu_len = 0;
5943
5944 if (skb) {
5945 BT_DBG("Freeing %p", skb);
5946 kfree_skb(skb);
5947 }
5948 }
5949
5950 chan->last_acked_seq = control->txseq;
5951 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5952
5953 return err;
cec8ab6e
MM		 5954}
5955
5956static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5957{
5958 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5959 u16 len;
5960 u8 event;
218bb9df 5961
b76bbd66
MM		 5962 __unpack_control(chan, skb);
5963
218bb9df
GP		 5964 len = skb->len;
5965
5966 /*
5967 * We can just drop the corrupted I-frame here.
5968 * Receiver will miss it and start proper recovery
cec8ab6e 5969 * procedures and ask for retransmission.
218bb9df 5970 */
47d1ec61 5971 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 5972 goto drop;
5973
cec8ab6e 5974 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 5975 len -= L2CAP_SDULEN_SIZE;
218bb9df 5976
47d1ec61 5977 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 5978 len -= L2CAP_FCS_SIZE;
218bb9df 5979
47d1ec61 5980 if (len > chan->mps) {
8c1d787b 5981 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 5982 goto drop;
5983 }
5984
cec8ab6e
MM		 5985 if (!control->sframe) {
5986 int err;
218bb9df 5987
cec8ab6e
MM		 5988 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
5989 control->sar, control->reqseq, control->final,
5990 control->txseq);
218bb9df 5991
cec8ab6e
MM		 5992 /* Validate F-bit - F=0 always valid, F=1 only
5993 * valid in TX WAIT_F
5994 */
5995 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 5996 goto drop;
cec8ab6e
MM		 5997
5998 if (chan->mode != L2CAP_MODE_STREAMING) {
5999 event = L2CAP_EV_RECV_IFRAME;
6000 err = l2cap_rx(chan, control, skb, event);
6001 } else {
6002 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6003 }
6004
cec8ab6e
MM		 6005 if (err)
6006 l2cap_send_disconn_req(chan->conn, chan,
6007 ECONNRESET);
218bb9df 6008 } else {
cec8ab6e
MM		 6009 const u8 rx_func_to_event[4] = {
6010 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6011 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6012 };
6013
6014 /* Only I-frames are expected in streaming mode */
6015 if (chan->mode == L2CAP_MODE_STREAMING)
6016 goto drop;
6017
6018 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6019 control->reqseq, control->final, control->poll,
6020 control->super);
6021
218bb9df
GP		 6022 if (len != 0) {
6023 BT_ERR("%d", len);
8c1d787b 6024 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6025 goto drop;
6026 }
6027
cec8ab6e
MM		 6028 /* Validate F and P bits */
6029 if (control->final && (control->poll ||
6030 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6031 goto drop;
6032
6033 event = rx_func_to_event[control->super];
6034 if (l2cap_rx(chan, control, skb, event))
6035 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6036 }
6037
6038 return 0;
6039
6040drop:
6041 kfree_skb(skb);
6042 return 0;
6043}
6044
13ca56e0
AE		 6045static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6046 struct sk_buff *skb)
1da177e4 6047{
48454079 6048 struct l2cap_chan *chan;
1da177e4 6049
baa7e1fa 6050 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6051 if (!chan) {
97e8e89d
AE		 6052 if (cid == L2CAP_CID_A2MP) {
6053 chan = a2mp_channel_create(conn, skb);
6054 if (!chan) {
6055 kfree_skb(skb);
13ca56e0 6056 return;
97e8e89d
AE		 6057 }
6058
6059 l2cap_chan_lock(chan);
6060 } else {
6061 BT_DBG("unknown cid 0x%4.4x", cid);
6062 /* Drop packet and return */
6063 kfree_skb(skb);
13ca56e0 6064 return;
97e8e89d 6065 }
1da177e4
LT		 6066 }
6067
49208c9c 6068 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6069
89bc500e 6070 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6071 goto drop;
6072
0c1bc5c6 6073 switch (chan->mode) {
1c2acffb
GP		 6074 case L2CAP_MODE_BASIC:
6075 /* If socket recv buffers overflows we drop data here
6076 * which is *bad* because L2CAP has to be reliable.
6077 * But we don't have any other choice. L2CAP doesn't
6078 * provide flow control mechanism. */
1da177e4 6079
0c1bc5c6 6080 if (chan->imtu < skb->len)
1c2acffb 6081 goto drop;
1da177e4 6082
80b98027 6083 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6084 goto done;
6085 break;
6086
6087 case L2CAP_MODE_ERTM:
6840ed07 6088 case L2CAP_MODE_STREAMING:
cec8ab6e 6089 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6090 goto done;
6091
1c2acffb 6092 default:
0c1bc5c6 6093 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6094 break;
6095 }
1da177e4
LT		 6096
6097drop:
6098 kfree_skb(skb);
6099
6100done:
6be36555 6101 l2cap_chan_unlock(chan);
1da177e4
LT		 6102}
6103
84104b24
AE		 6104static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6105 struct sk_buff *skb)
1da177e4 6106{
23691d75 6107 struct l2cap_chan *chan;
1da177e4 6108
c2287681 6109 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6110 if (!chan)
1da177e4
LT		 6111 goto drop;
6112
5b4cedaa 6113 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6114
89bc500e 6115 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6116 goto drop;
6117
e13e21dc 6118 if (chan->imtu < skb->len)
1da177e4
LT		 6119 goto drop;
6120
80b98027 6121 if (!chan->ops->recv(chan, skb))
84104b24 6122 return;
1da177e4
LT		 6123
6124drop:
6125 kfree_skb(skb);
1da177e4
LT		 6126}
6127
6810fca7
AE		 6128static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6129 struct sk_buff *skb)
9f69bda6 6130{
23691d75 6131 struct l2cap_chan *chan;
9f69bda6 6132
c2287681 6133 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6134 if (!chan)
9f69bda6
GP		 6135 goto drop;
6136
5b4cedaa 6137 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6138
89bc500e 6139 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6140 goto drop;
6141
e13e21dc 6142 if (chan->imtu < skb->len)
9f69bda6
GP		 6143 goto drop;
6144
80b98027 6145 if (!chan->ops->recv(chan, skb))
6810fca7 6146 return;
9f69bda6
GP		 6147
6148drop:
6149 kfree_skb(skb);
9f69bda6
GP		 6150}
6151
1da177e4
LT		 6152static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6153{
6154 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6155 u16 cid, len;
6156 __le16 psm;
1da177e4
LT		 6157
6158 skb_pull(skb, L2CAP_HDR_SIZE);
6159 cid = __le16_to_cpu(lh->cid);
6160 len = __le16_to_cpu(lh->len);
6161
1c2acffb
GP		 6162 if (len != skb->len) {
6163 kfree_skb(skb);
6164 return;
6165 }
6166
1da177e4
LT		 6167 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6168
6169 switch (cid) {
3300d9a9 6170 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6171 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6172 l2cap_sig_channel(conn, skb);
6173 break;
6174
8db4dc46 6175 case L2CAP_CID_CONN_LESS:
097db76c 6176 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6177 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6178 l2cap_conless_channel(conn, psm, skb);
6179 break;
6180
9f69bda6
GP		 6181 case L2CAP_CID_LE_DATA:
6182 l2cap_att_channel(conn, cid, skb);
6183 break;
6184
b501d6a1
AB		 6185 case L2CAP_CID_SMP:
6186 if (smp_sig_channel(conn, skb))
6187 l2cap_conn_del(conn->hcon, EACCES);
6188 break;
6189
1da177e4
LT		 6190 default:
6191 l2cap_data_channel(conn, cid, skb);
6192 break;
6193 }
6194}
6195
6196/* ---- L2CAP interface with lower layer (HCI) ---- */
6197
686ebf28 6198int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6199{
6200 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6201 struct l2cap_chan *c;
1da177e4 6202
6ed93dc6 6203 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6204
6205 /* Find listening sockets and check their link_mode */
23691d75
GP		 6206 read_lock(&chan_list_lock);
6207 list_for_each_entry(c, &chan_list, global_l) {
6208 struct sock *sk = c->sk;
4343478f 6209
89bc500e 6210 if (c->state != BT_LISTEN)
1da177e4
LT		 6211 continue;
6212
6213 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6214 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6215 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6216 lm1 |= HCI_LM_MASTER;
1da177e4 6217 exact++;
2af6b9d5
MH		 6218 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6219 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6220 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6221 lm2 |= HCI_LM_MASTER;
6222 }
1da177e4 6223 }
23691d75 6224 read_unlock(&chan_list_lock);
1da177e4
LT		 6225
6226 return exact ? lm1 : lm2;
6227}
6228
9e664631 6229void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6230{
0139418c
MH		 6231 struct l2cap_conn *conn;
6232
6ed93dc6 6233 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6234
1da177e4 6235 if (!status) {
1da177e4
LT		 6236 conn = l2cap_conn_add(hcon, status);
6237 if (conn)
6238 l2cap_conn_ready(conn);
0139418c 6239 } else
e175072f 6240 l2cap_conn_del(hcon, bt_to_errno(status));
1da177e4 6241
1da177e4
LT		 6242}
6243
686ebf28 6244int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6245{
6246 struct l2cap_conn *conn = hcon->l2cap_data;
6247
6248 BT_DBG("hcon %p", hcon);
6249
686ebf28 6250 if (!conn)
9f5a0d7b 6251 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6252 return conn->disc_reason;
6253}
6254
9e664631 6255void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6256{
6257 BT_DBG("hcon %p reason %d", hcon, reason);
6258
e175072f 6259 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6260}
6261
4343478f 6262static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6263{
715ec005 6264 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6265 return;
6266
f62e4323 6267 if (encrypt == 0x00) {
4343478f 6268 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6269 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6270 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6271 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6272 } else {
4343478f 6273 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6274 __clear_chan_timer(chan);
f62e4323
MH		 6275 }
6276}
6277
686ebf28 6278int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6279{
0139418c 6280 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6281 struct l2cap_chan *chan;
1da177e4 6282
0139418c 6283 if (!conn)
1da177e4 6284 return 0;
0139418c 6285
89d8b407 6286 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6287
160dc6ac 6288 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6289 if (!status && encrypt)
6290 smp_distribute_keys(conn, 0);
17cd3f37 6291 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6292 }
6293
3df91ea2 6294 mutex_lock(&conn->chan_lock);
1da177e4 6295
3df91ea2 6296 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6297 l2cap_chan_lock(chan);
1da177e4 6298
89d8b407
AE		 6299 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6300 state_to_string(chan->state));
f1cb9af5 6301
78eb2f98
AE		 6302 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6303 l2cap_chan_unlock(chan);
6304 continue;
6305 }
6306
f1cb9af5
VCG		 6307 if (chan->scid == L2CAP_CID_LE_DATA) {
6308 if (!status && encrypt) {
6309 chan->sec_level = hcon->sec_level;
cf4cd009 6310 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6311 }
6312
6be36555 6313 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6314 continue;
6315 }
6316
c1360a1c 6317 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 6318 l2cap_chan_unlock(chan);
6a8d3010
MH		 6319 continue;
6320 }
6321
89bc500e 6322 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6323 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6324 struct sock *sk = chan->sk;
6325
c5daa683 6326 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6327 sk->sk_state_change(sk);
6328
4343478f 6329 l2cap_check_encryption(chan, encrypt);
6be36555 6330 l2cap_chan_unlock(chan);
9719f8af
MH		 6331 continue;
6332 }
6333
89bc500e 6334 if (chan->state == BT_CONNECT) {
b1235d79 6335 if (!status) {
93c3e8f5 6336 l2cap_start_connection(chan);
b1235d79 6337 } else {
ba13ccd9 6338 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6339 }
89bc500e 6340 } else if (chan->state == BT_CONNECT2) {
6be36555 6341 struct sock *sk = chan->sk;
b1235d79 6342 struct l2cap_conn_rsp rsp;
df3c3931 6343 __u16 res, stat;
1da177e4 6344
6be36555
AE		 6345 lock_sock(sk);
6346
b1235d79 6347 if (!status) {
c5daa683
GP		 6348 if (test_bit(BT_SK_DEFER_SETUP,
6349 &bt_sk(sk)->flags)) {
df3c3931
JH		 6350 res = L2CAP_CR_PEND;
6351 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6352 chan->ops->defer(chan);
df3c3931 6353 } else {
0e587be7 6354 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6355 res = L2CAP_CR_SUCCESS;
6356 stat = L2CAP_CS_NO_INFO;
6357 }
b1235d79 6358 } else {
0e587be7 6359 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6360 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6361 res = L2CAP_CR_SEC_BLOCK;
6362 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6363 }
6364
6be36555
AE		 6365 release_sock(sk);
6366
fe4128e0
GP		 6367 rsp.scid = cpu_to_le16(chan->dcid);
6368 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6369 rsp.result = cpu_to_le16(res);
6370 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6371 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6372 sizeof(rsp), &rsp);
2d369359
MM		 6373
6374 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6375 res == L2CAP_CR_SUCCESS) {
6376 char buf[128];
6377 set_bit(CONF_REQ_SENT, &chan->conf_state);
6378 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6379 L2CAP_CONF_REQ,
6380 l2cap_build_conf_req(chan, buf),
6381 buf);
6382 chan->num_conf_req++;
6383 }
b1235d79 6384 }
1da177e4 6385
6be36555 6386 l2cap_chan_unlock(chan);
1da177e4
LT		 6387 }
6388
3df91ea2 6389 mutex_unlock(&conn->chan_lock);
b1235d79 6390
1da177e4
LT		 6391 return 0;
6392}
6393
686ebf28 6394int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6395{
6396 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6397 struct l2cap_hdr *hdr;
6398 int len;
1da177e4 6399
1d13a254
AE		 6400 /* For AMP controller do not create l2cap conn */
6401 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6402 goto drop;
1da177e4 6403
5a08ecce
AE		 6404 if (!conn)
6405 conn = l2cap_conn_add(hcon, 0);
6406
6407 if (!conn)
1da177e4
LT		 6408 goto drop;
6409
6410 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6411
d73a0988
AE		 6412 switch (flags) {
6413 case ACL_START:
6414 case ACL_START_NO_FLUSH:
6415 case ACL_COMPLETE:
1da177e4
LT		 6416 if (conn->rx_len) {
6417 BT_ERR("Unexpected start frame (len %d)", skb->len);
6418 kfree_skb(conn->rx_skb);
6419 conn->rx_skb = NULL;
6420 conn->rx_len = 0;
6421 l2cap_conn_unreliable(conn, ECOMM);
6422 }
6423
aae7fe22
AE		 6424 /* Start fragment always begin with Basic L2CAP header */
6425 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6426 BT_ERR("Frame is too short (len %d)", skb->len);
6427 l2cap_conn_unreliable(conn, ECOMM);
6428 goto drop;
6429 }
6430
6431 hdr = (struct l2cap_hdr *) skb->data;
6432 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6433
6434 if (len == skb->len) {
6435 /* Complete frame received */
6436 l2cap_recv_frame(conn, skb);
6437 return 0;
6438 }
6439
6440 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6441
6442 if (skb->len > len) {
6443 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6444 skb->len, len);
1da177e4
LT		 6445 l2cap_conn_unreliable(conn, ECOMM);
6446 goto drop;
6447 }
6448
6449 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6450 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6451 if (!conn->rx_skb)
1da177e4
LT		 6452 goto drop;
6453
d626f62b 6454 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6455 skb->len);
1da177e4 6456 conn->rx_len = len - skb->len;
d73a0988
AE		 6457 break;
6458
6459 case ACL_CONT:
1da177e4
LT		 6460 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6461
6462 if (!conn->rx_len) {
6463 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6464 l2cap_conn_unreliable(conn, ECOMM);
6465 goto drop;
6466 }
6467
6468 if (skb->len > conn->rx_len) {
6469 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6470 skb->len, conn->rx_len);
1da177e4
LT		 6471 kfree_skb(conn->rx_skb);
6472 conn->rx_skb = NULL;
6473 conn->rx_len = 0;
6474 l2cap_conn_unreliable(conn, ECOMM);
6475 goto drop;
6476 }
6477
d626f62b 6478 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6479 skb->len);
1da177e4
LT		 6480 conn->rx_len -= skb->len;
6481
6482 if (!conn->rx_len) {
6483 /* Complete frame received */
6484 l2cap_recv_frame(conn, conn->rx_skb);
6485 conn->rx_skb = NULL;
6486 }
d73a0988 6487 break;
1da177e4
LT		 6488 }
6489
6490drop:
6491 kfree_skb(skb);
6492 return 0;
6493}
6494
aef7d97c 6495static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6496{
23691d75 6497 struct l2cap_chan *c;
1da177e4 6498
333055f2 6499 read_lock(&chan_list_lock);
1da177e4 6500
23691d75
GP		 6501 list_for_each_entry(c, &chan_list, global_l) {
6502 struct sock *sk = c->sk;
101545f6 6503
fcb73338
AE		 6504 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6505 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6506 c->state, __le16_to_cpu(c->psm),
6507 c->scid, c->dcid, c->imtu, c->omtu,
6508 c->sec_level, c->mode);
61e1b4b7 6509 }
1da177e4 6510
333055f2 6511 read_unlock(&chan_list_lock);
1da177e4 6512
aef7d97c 6513 return 0;
1da177e4
LT		 6514}
6515
aef7d97c
MH		 6516static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6517{
6518 return single_open(file, l2cap_debugfs_show, inode->i_private);
6519}
6520
6521static const struct file_operations l2cap_debugfs_fops = {
6522 .open = l2cap_debugfs_open,
6523 .read = seq_read,
6524 .llseek = seq_lseek,
6525 .release = single_release,
6526};
6527
6528static struct dentry *l2cap_debugfs;
1da177e4 6529
64274518 6530int __init l2cap_init(void)
1da177e4
LT		 6531{
6532 int err;
be9d1227 6533
bb58f747 6534 err = l2cap_init_sockets();
1da177e4
LT		 6535 if (err < 0)
6536 return err;
6537
aef7d97c 6538 if (bt_debugfs) {
2d792818
GP		 6539 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6540 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6541 if (!l2cap_debugfs)
6542 BT_ERR("Failed to create L2CAP debug file");
6543 }
1da177e4 6544
1da177e4 6545 return 0;
1da177e4
LT		 6546}
6547
64274518 6548void l2cap_exit(void)
1da177e4 6549{
aef7d97c 6550 debugfs_remove(l2cap_debugfs);
bb58f747 6551 l2cap_cleanup_sockets();
1da177e4
LT		 6552}
6553
d1c4a17d
GP		 6554module_param(disable_ertm, bool, 0644);
6555MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)